pkg1: Fix PK11 component split in pkg1/2 dump tool

2020-07-14 23:29:48 +03:00
parent ab5b59e10d
commit 3ddd1c26ad
6 changed files with 131 additions and 101 deletions
--- a/nyx/nyx_gui/frontend/gui_tools.c
+++ b/nyx/nyx_gui/frontend/gui_tools.c
@@ -1081,12 +1081,12 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)

 	char path[128];

+	u8 kb = 0;
 	u8 *pkg1 = (u8 *)calloc(1, 0x40000);
 	u8 *warmboot = (u8 *)calloc(1, 0x40000);
 	u8 *secmon = (u8 *)calloc(1, 0x40000);
 	u8 *loader = (u8 *)calloc(1, 0x40000);
 	u8 *pkg2 = NULL;
-	u8 kb = 0;

 	char *txt_buf  = (char *)malloc(0x4000);

@@ -1132,8 +1132,6 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)
 		goto out_free;
 	}

-	const pk11_hdr_t *hdr = (pk11_hdr_t *)(pkg1 + pkg1_id->pkg11_off + 0x20);
-
 	kb = pkg1_id->kb;

 	if (!h_cfg.se_keygen_done)
@@ -1183,7 +1181,21 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)

 	if (kb <= KB_FIRMWARE_VERSION_620)
 	{
-		pkg1_unpack(warmboot, secmon, loader, pkg1_id, pkg1);
+		const u8 *sec_map = pkg1_unpack(warmboot, secmon, loader, pkg1_id, pkg1);
+
+		pk11_hdr_t *hdr_pk11 = (pk11_hdr_t *)(pkg1 + pkg1_id->pkg11_off + 0x20);
+
+		// Use correct sizes.
+		u32 sec_size[3] = { hdr_pk11->wb_size, hdr_pk11->ldr_size, hdr_pk11->sm_size };
+		for (u32 i = 0; i < 3; i++)
+		{
+			if (sec_map[i] == PK11_SECTION_WB)
+				hdr_pk11->wb_size = sec_size[i];
+			else if (sec_map[i] == PK11_SECTION_LD)
+				hdr_pk11->ldr_size = sec_size[i];
+			else if (sec_map[i] == PK11_SECTION_SM)
+				hdr_pk11->sm_size = sec_size[i];
+		}

 		// Display info.
 		s_printf(txt_buf + strlen(txt_buf),
@@ -1192,7 +1204,7 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)
 			"#C7EA46 Secure monitor size: #0x%05X\n"
 			"#C7EA46 Warmboot addr:       #0x%05X\n"
 			"#C7EA46 Warmboot size:       #0x%05X\n\n",
-			hdr->ldr_size, pkg1_id->secmon_base, hdr->sm_size, pkg1_id->warmboot_base, hdr->wb_size);
+			hdr_pk11->ldr_size, pkg1_id->secmon_base, hdr_pk11->sm_size, pkg1_id->warmboot_base, hdr_pk11->wb_size);

 		lv_label_set_text(lb_desc, txt_buf);
 		manual_system_maintenance(true);
@@ -1207,7 +1219,7 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)

 		// Dump nxbootloader.
 		emmcsn_path_impl(path, "/pkg1", "nxloader.bin", &storage);
-		if (sd_save_to_file(loader, hdr->ldr_size, path))
+		if (sd_save_to_file(loader, hdr_pk11->ldr_size, path))
 			goto out_free;
 		strcat(txt_buf, "NX Bootloader dumped to nxloader.bin\n");
 		lv_label_set_text(lb_desc, txt_buf);
@@ -1215,7 +1227,7 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)

 		// Dump secmon.
 		emmcsn_path_impl(path, "/pkg1", "secmon.bin", &storage);
-		if (sd_save_to_file(secmon, hdr->sm_size, path))
+		if (sd_save_to_file(secmon, hdr_pk11->sm_size, path))
 			goto out_free;
 		strcat(txt_buf, "Secure Monitor dumped to secmon.bin\n");
 		lv_label_set_text(lb_desc, txt_buf);
@@ -1223,7 +1235,7 @@ static lv_res_t _create_window_dump_pk12_tool(lv_obj_t *btn)

 		// Dump warmboot.
 		emmcsn_path_impl(path, "/pkg1", "warmboot.bin", &storage);
-		if (sd_save_to_file(warmboot, hdr->wb_size, path))
+		if (sd_save_to_file(warmboot, hdr_pk11->wb_size, path))
 			goto out_free;
 		strcat(txt_buf, "Warmboot dumped to warmboot.bin\n\n");
 		lv_label_set_text(lb_desc, txt_buf);
--- a/nyx/nyx_gui/hos/pkg1.c
+++ b/nyx/nyx_gui/hos/pkg1.c
@@ -26,36 +26,34 @@
 #include <sec/se.h>
 #include <utils/aarch64_util.h>

-#define PK11_SECTION_WB 0
-#define PK11_SECTION_LD 1
-#define PK11_SECTION_SM 2
-
 /*
 * package1.1 header: <wb, ldr, sm>
 * package1.1 layout:
 * 1.0:  {sm, ldr, wb} { 2, 1, 0 }
- * 2.0:  {wb, ldr, sm} { 0, 1, 2 }
- * 3.0:  {wb, ldr, sm} { 0, 1, 2 }
- * 3.1:  {wb, ldr, sm} { 0, 1, 2 }
+ * 2.0+: {wb, ldr, sm} { 0, 1, 2 }
 * 4.0+: {ldr, sm, wb} { 1, 2, 0 }
 */

+static const u8 sec_map_100[3] = { PK11_SECTION_SM, PK11_SECTION_LD, PK11_SECTION_WB };
+static const u8 sec_map_2xx[3] = { PK11_SECTION_WB, PK11_SECTION_LD, PK11_SECTION_SM };
+static const u8 sec_map_4xx[3] = { PK11_SECTION_LD, PK11_SECTION_SM, PK11_SECTION_WB };
+
 static const pkg1_id_t _pkg1_ids[] = {
-	{ "20161121183008",  0, 0x1900, 0x3FE0, 0x40014020, 0x8000D000 }, //1.0.0
-	{ "20170210155124",  0, 0x1900, 0x3FE0, 0x4002D000, 0x8000D000 }, //2.0.0 - 2.3.0
-	{ "20170519101410",  1, 0x1A00, 0x3FE0, 0x4002D000, 0x8000D000 }, //3.0.0
-	{ "20170710161758",  2, 0x1A00, 0x3FE0, 0x4002D000, 0x8000D000 }, //3.0.1 - 3.0.2
-	{ "20170921172629",  3, 0x1800, 0x3FE0, 0x4002B000, 0x4003B000 }, //4.0.0 - 4.1.0
-	{ "20180220163747",  4, 0x1900, 0x3FE0, 0x4002B000, 0x4003B000 }, //5.0.0 - 5.1.0
-	{ "20180802162753",  5, 0x1900, 0x3FE0, 0x4002B000, 0x4003D800 }, //6.0.0 - 6.1.0
-	{ "20181107105733",  6, 0x0E00, 0x6FE0, 0x4002B000, 0x4003D800 }, //6.2.0
-	{ "20181218175730",  7, 0x0F00, 0x6FE0, 0x40030000, 0x4003E000 }, //7.0.0
-	{ "20190208150037",  7, 0x0F00, 0x6FE0, 0x40030000, 0x4003E000 }, //7.0.1
-	{ "20190314172056",  7, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, //8.0.0 - 8.0.1
-	{ "20190531152432",  8, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, //8.1.0
-	{ "20190809135709",  9, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, //9.0.0 - 9.0.1
-	{ "20191021113848", 10, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, //9.1.0
-	{ "20200303104606", 10, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, //10.0.0
+	{ "20161121183008",  0, 0x1900, 0x3FE0, 0x40014020, 0x8000D000 }, // 1.0.0.
+	{ "20170210155124",  0, 0x1900, 0x3FE0, 0x4002D000, 0x8000D000 }, // 2.0.0 - 2.3.0.
+	{ "20170519101410",  1, 0x1A00, 0x3FE0, 0x4002D000, 0x8000D000 }, // 3.0.0.
+	{ "20170710161758",  2, 0x1A00, 0x3FE0, 0x4002D000, 0x8000D000 }, // 3.0.1 - 3.0.2.
+	{ "20170921172629",  3, 0x1800, 0x3FE0, 0x4002B000, 0x4003B000 }, // 4.0.0 - 4.1.0.
+	{ "20180220163747",  4, 0x1900, 0x3FE0, 0x4002B000, 0x4003B000 }, // 5.0.0 - 5.1.0.
+	{ "20180802162753",  5, 0x1900, 0x3FE0, 0x4002B000, 0x4003D800 }, // 6.0.0 - 6.1.0.
+	{ "20181107105733",  6, 0x0E00, 0x6FE0, 0x4002B000, 0x4003D800 }, // 6.2.0.
+	{ "20181218175730",  7, 0x0F00, 0x6FE0, 0x40030000, 0x4003E000 }, // 7.0.0.
+	{ "20190208150037",  7, 0x0F00, 0x6FE0, 0x40030000, 0x4003E000 }, // 7.0.1.
+	{ "20190314172056",  7, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, // 8.0.0 - 8.0.1.
+	{ "20190531152432",  8, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, // 8.1.0.
+	{ "20190809135709",  9, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, // 9.0.0 - 9.0.1.
+	{ "20191021113848", 10, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, // 9.1.0.
+	{ "20200303104606", 10, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000 }, // 10.0.0.
 	{ NULL } //End.
 };

@@ -81,18 +79,15 @@ void pkg1_decrypt(const pkg1_id_t *id, u8 *pkg1)
 	se_aes_crypt_ctr(11, pkg11 + 0x20, pkg11_size, pkg11 + 0x20, pkg11_size, pkg11 + 0x10);
 }

-void pkg1_unpack(void *warmboot_dst, void *secmon_dst, void *ldr_dst, const pkg1_id_t *id, u8 *pkg1)
+const u8 *pkg1_unpack(void *wm_dst, void *sm_dst, void *ldr_dst, const pkg1_id_t *id, u8 *pkg1)
 {
-	u8 *sec_map;
-	u8  sec_map_100[3] = { PK11_SECTION_SM, PK11_SECTION_LD, PK11_SECTION_WB };
-	u8  sec_map_2xx[3] = { PK11_SECTION_WB, PK11_SECTION_LD, PK11_SECTION_SM };
-	u8  sec_map_4xx[3] = { PK11_SECTION_LD, PK11_SECTION_SM, PK11_SECTION_WB };
-
-	pk11_hdr_t *hdr = (pk11_hdr_t *)(pkg1 + id->pkg11_off + 0x20);
+	const u8 *sec_map;
+	const pk11_hdr_t *hdr = (pk11_hdr_t *)(pkg1 + id->pkg11_off + 0x20);

 	u32 sec_size[3] = { hdr->wb_size, hdr->ldr_size, hdr->sm_size };
 	//u32 sec_off[3] = { hdr->wb_off, hdr->ldr_off, hdr->sm_off };

+	// Get correct header mapping.
 	if (id->kb == KB_FIRMWARE_VERSION_100_200 && !strcmp(id->id, "20161121183008"))
 		sec_map = sec_map_100;
 	else if (id->kb >= KB_FIRMWARE_VERSION_100_200 && id->kb <= KB_FIRMWARE_VERSION_301)
@@ -100,15 +95,18 @@ void pkg1_unpack(void *warmboot_dst, void *secmon_dst, void *ldr_dst, const pkg1
 	else
 		sec_map = sec_map_4xx;

+	// Copy secmon, warmboot and nx bootloader payloads.
 	u8 *pdata = (u8 *)hdr + sizeof(pk11_hdr_t);
 	for (u32 i = 0; i < 3; i++)
 	{
-		if (sec_map[i] == PK11_SECTION_WB && warmboot_dst)
-			memcpy(warmboot_dst, pdata, sec_size[sec_map[i]]);
+		if (sec_map[i] == PK11_SECTION_WB && wm_dst)
+			memcpy(wm_dst, pdata, sec_size[sec_map[i]]);
 		else if (sec_map[i] == PK11_SECTION_LD && ldr_dst)
 			memcpy(ldr_dst, pdata, sec_size[sec_map[i]]);
-		else if (sec_map[i] == PK11_SECTION_SM && secmon_dst)
-			memcpy(secmon_dst, pdata, sec_size[sec_map[i]]);
+		else if (sec_map[i] == PK11_SECTION_SM && sm_dst)
+			memcpy(sm_dst, pdata, sec_size[sec_map[i]]);
 		pdata += sec_size[sec_map[i]];
 	}
+
+	return sec_map;
 }
--- a/nyx/nyx_gui/hos/pkg1.h
+++ b/nyx/nyx_gui/hos/pkg1.h
@@ -19,6 +19,10 @@

 #include <utils/types.h>

+#define PK11_SECTION_WB 0
+#define PK11_SECTION_LD 1
+#define PK11_SECTION_SM 2
+
 typedef struct _pkg1_id_t
 {
 	const char *id;
@@ -43,6 +47,6 @@ typedef struct _pk11_hdr_t

 const pkg1_id_t *pkg1_identify(u8 *pkg1, char *build_date);
 void pkg1_decrypt(const pkg1_id_t *id, u8 *pkg1);
-void pkg1_unpack(void *warmboot_dst, void *secmon_dst, void *ldr_dst, const pkg1_id_t *id, u8 *pkg1);
+const u8 *pkg1_unpack(void *wm_dst, void *sm_dst, void *ldr_dst, const pkg1_id_t *id, u8 *pkg1);

 #endif