mirror of
https://github.com/RPCS3/rpcs3
synced 2024-07-21 10:06:10 +00:00
Add support for sc vtrm crypto
For VSH for @Clienthax
This commit is contained in:
Megamouse
parent
f98595bee5
commit
8dc98bbc1b
|
|
@ -33,6 +33,37 @@ struct SELF_KEY
|
|||
SELF_KEY(u64 ver_start, u64 ver_end, u16 rev, u32 type, const std::string& e, const std::string& r, const std::string& pb, const std::string& pr, u32 ct);
|
||||
};
|
||||
|
||||
constexpr u32 PASSPHRASE_KEY_LEN = 16;
|
||||
constexpr u32 PASSPHRASE_OUT_LEN = 4096;
|
||||
|
||||
constexpr u8 SC_ISO_SERIES_KEY_1[PASSPHRASE_KEY_LEN] = {
|
||||
0xD4, 0x13, 0xB8, 0x96, 0x63, 0xE1, 0xFE, 0x9F, 0x75, 0x14, 0x3D, 0x3B, 0xB4, 0x56, 0x52, 0x74 // D413B89663E1FE9F75143D3BB4565274
|
||||
};
|
||||
|
||||
constexpr u8 SC_ISO_SERIES_KEY_2[PASSPHRASE_KEY_LEN] = {
|
||||
0xFA, 0x72, 0xCE, 0xEF, 0x59, 0xB4, 0xD2, 0x98, 0x9F, 0x11, 0x19, 0x13, 0x28, 0x7F, 0x51, 0xC7 // FA72CEEF59B4D2989F111913287F51C7
|
||||
};
|
||||
|
||||
constexpr u8 SC_KEY_FOR_MASTER_1[PASSPHRASE_KEY_LEN] = {
|
||||
0xDA, 0xA4, 0xB9, 0xF2, 0xBC, 0x70, 0xB2, 0x80, 0xA7, 0xB3, 0x40, 0xFA, 0x0D, 0x04, 0xBA, 0x14 // DAA4B9F2BC70B280A7B340FA0D04BA14
|
||||
};
|
||||
|
||||
constexpr u8 SC_KEY_FOR_MASTER_2[PASSPHRASE_KEY_LEN] = {
|
||||
0x29, 0xC1, 0x94, 0xFF, 0xEC, 0x1F, 0xD1, 0x4D, 0x4A, 0xAE, 0x00, 0x6C, 0x32, 0xB3, 0x59, 0x90 // 29C194FFEC1FD14D4AAE006C32B35990
|
||||
};
|
||||
|
||||
constexpr u8 SC_ISO_SERIES_INTERNAL_KEY_1[PASSPHRASE_KEY_LEN] = {
|
||||
0x73, 0x63, 0x6B, 0x65, 0x79, 0x5F, 0x73, 0x65, 0x72, 0x69, 0x65, 0x73, 0x6B, 0x65, 0x79, 0x00 // 73636B65795F7365726965736B657900
|
||||
};
|
||||
|
||||
constexpr u8 SC_ISO_SERIES_INTERNAL_KEY_2[PASSPHRASE_KEY_LEN] = {
|
||||
0x73, 0x63, 0x6B, 0x65, 0x79, 0x5F, 0x73, 0x65, 0x72, 0x69, 0x65, 0x73, 0x6B, 0x65, 0x79, 0x32 // 73636B65795F7365726965736B657932
|
||||
};
|
||||
|
||||
constexpr u8 SC_ISO_SERIES_INTERNAL_KEY_3[PASSPHRASE_KEY_LEN] = {
|
||||
0x73, 0x63, 0x6B, 0x65, 0x79, 0x5F, 0x66, 0x6F, 0x72, 0x5F, 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72 // 73636B65795F666F725F6D6173746572
|
||||
};
|
||||
|
||||
constexpr u8 PKG_AES_KEY_IDU[0x10] = {
|
||||
0x5d, 0xb9, 0x11, 0xe6, 0xb7, 0xe5, 0x0a, 0x7d, 0x32, 0x15, 0x38, 0xfd, 0x7c, 0x66, 0xf1, 0x7b
|
||||
};
|
||||
|
|
@ -180,6 +211,104 @@ constexpr u8 PUP_KEY[0x40] = {
|
|||
0x30, 0xCE, 0x83, 0x66
|
||||
};
|
||||
|
||||
// name; location; notes
|
||||
constexpr s64 PAID_01 = 0x0003CD28CB47D3C1L; // spu_token_processor.self; CoreOS; Only for 2E - 083.007
|
||||
constexpr s64 PAID_02 = 0x1010000001000001L; // vsh / games / utilities; /dev_flash/, cell_root/target/images; only for 2E - 080.006
|
||||
constexpr s64 PAID_03 = 0x1010000001000003L; // retail games and their updates
|
||||
constexpr s64 PAID_04 = 0x1010000002000003L;
|
||||
constexpr s64 PAID_05 = 0x1020000401000001L; // ps2emu; /dev_flash/ps2emu; CEX DEX DECR ?
|
||||
constexpr s64 PAID_06 = 0x1050000003000001L; // lv2_kernel.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_07 = 0x1070000001000002L; // onicore_child.self; /dev_flash/vsh/module; same for CEX DEX DECR
|
||||
constexpr s64 PAID_08 = 0x1070000002000002L; // mcore.self; /dev_flash/vsh/module; same for CEX DEX DECR
|
||||
constexpr s64 PAID_09 = 0x1070000003000002L; // mgvideo.self; /dev_flash/vsh/module; same for CEX DEX DECR
|
||||
constexpr s64 PAID_10 = 0x1070000004000002L; // swagner / swreset; /dev_flash/vsh/module; DTCP-IP DRM modules
|
||||
constexpr s64 PAID_11 = 0x107000000E000001L; // vtrm_server.fself; lv1
|
||||
constexpr s64 PAID_12 = 0x107000000F000001L; // update_manager_server.fself; lv1
|
||||
constexpr s64 PAID_13 = 0x1070000010000001L; // sc_manager_server.fself; lv1
|
||||
constexpr s64 PAID_14 = 0x1070000011000001L; // secure_rtc_server.fself; lv1
|
||||
constexpr s64 PAID_15 = 0x1070000012000001L; // spm_server.fself; lv1
|
||||
constexpr s64 PAID_16 = 0x1070000013000001L; // sb_manager_server.fself; lv1
|
||||
constexpr s64 PAID_17 = 0x1070000014000001L; // framework.fself; lv1
|
||||
constexpr s64 PAID_18 = 0x1070000015000001L; // lv2_loader.fself; lv1
|
||||
constexpr s64 PAID_19 = 0x1070000016000001L; // profile_loader.fself; lv1
|
||||
constexpr s64 PAID_20 = 0x1070000017000001L; // ss_init.fself; lv1
|
||||
constexpr s64 PAID_21 = 0x1070000018000001L; // individual_info_mgr_server.fself; lv1
|
||||
constexpr s64 PAID_22 = 0x1070000019000001L; // app_info_manager_server.fself; lv1
|
||||
constexpr s64 PAID_23 = 0x107000001A000001L; // ss_sc_init_pu.fself; JIG lv1 proc
|
||||
constexpr s64 PAID_24 = 0x107000001C000001L; // updater_frontend.fself; lv1
|
||||
constexpr s64 PAID_25 = 0x107000001D000001L; // sysmgr_ss.fself; lv1
|
||||
constexpr s64 PAID_26 = 0x107000001F000001L; // sb_iso_spu_module.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_27 = 0x1070000020000001L; // sc_iso.self / sc_iso_factory.self; CoreOS / [2.43 JIG PUP]; same for CEX DEX DECR
|
||||
constexpr s64 PAID_28 = 0x1070000021000001L; // spp_verifier.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_29 = 0x1070000022000001L; // spu_pkg_rvk_verifier.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_30 = 0x1070000023000001L; // spu_token_processor.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_31 = 0x1070000024000001L; // sv_iso_spu_module.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_32 = 0x1070000025000001L; // aim_spu_module.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_33 = 0x1070000026000001L; // ss_sc_init.self; [2.43 JIG PUP]
|
||||
constexpr s64 PAID_34 = 0x1070000027000001L; // dispatcher.fself; lv1;
|
||||
constexpr s64 PAID_35 = 0x1070000028000001L; // factory_data_mngr_server.fself; JIG lv1 proc
|
||||
constexpr s64 PAID_36 = 0x1070000029000001L; // fdm_spu_module.self; [2.43 JIG PUP]
|
||||
constexpr s64 PAID_37 = 0x107000002A000001L;
|
||||
constexpr s64 PAID_38 = 0x1070000031000001L;
|
||||
constexpr s64 PAID_39 = 0x1070000032000001L; // ss_server1.fself; lv1
|
||||
constexpr s64 PAID_40 = 0x1070000033000001L; // ss_server2.fself; lv1
|
||||
constexpr s64 PAID_41 = 0x1070000034000001L; // ss_server3.fself; lv1
|
||||
constexpr s64 PAID_42 = 0x1070000037000001L; // mc_iso_spu_module.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_43 = 0x1070000039000001L; // bdp_bdmv.self; /dev_flash/bdplayer
|
||||
constexpr s64 PAID_44 = 0x107000003A000001L; // bdj.self; /dev_flash/bdplayer
|
||||
constexpr s64 PAID_45 = 0x1070000040000001L; // sys/external modules; /dev_flash/sys/external; same for CEX DEX DECR (incl. liblv2dbg_for_cex.sprx + liblv2dbg_for_dex.sprx)
|
||||
constexpr s64 PAID_46 = 0x1070000041000001L; // ps1emu; /dev_flash/ps1emu; CEX DEX DECR ?
|
||||
constexpr s64 PAID_47 = 0x1070000043000001L; // me_iso_spu_module.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_48 = 0x1070000044000001L; // (related to usb dongle)
|
||||
constexpr s64 PAID_49 = 0x1070000045000001L; // USB Dongle Authenticator; ss_server1.fself; same for CEX DEX DECR
|
||||
constexpr s64 PAID_50 = 0x1070000046000001L; // spu_mode_auth.self; [2.43 JIG PUP]
|
||||
constexpr s64 PAID_51 = 0x1070000047000001L; // otheros.self; otheros.self
|
||||
constexpr s64 PAID_52 = 0x1070000048000001L; // ftpd; cell_root/target/images; DECR
|
||||
constexpr s64 PAID_53 = 0x107000004C000001L; // spu_utoken_processor.self; CoreOS (since FW 2.40)
|
||||
constexpr s64 PAID_54 = 0x107000004E000001L; // (syscall 878)
|
||||
constexpr s64 PAID_55 = 0x107000004F000001L;
|
||||
constexpr s64 PAID_56 = 0x1070000050000001L;
|
||||
constexpr s64 PAID_57 = 0x1070000051000001L;
|
||||
constexpr s64 PAID_58 = 0x1070000052000001L; // sys/internal CEX + vsh/module modules CEX; /dev_flash/sys/internal + /dev_flash/vsh/module; Differs between CEX (this authid) and DECR
|
||||
constexpr s64 PAID_59 = 0x1070000054000001L; // (syscall 21)
|
||||
constexpr s64 PAID_60 = 0x1070000055000001L; // manu_info_spu_module.self; CoreOS (since FW 3.50)
|
||||
constexpr s64 PAID_61 = 0x1070000058000001L; // me_iso_for_ps2emu.self; CoreOS (since FW 3.70)
|
||||
constexpr s64 PAID_62 = 0x1070000059000001L; // sv_iso_for_ps2emu.self; CoreOS (since FW 3.70)
|
||||
constexpr s64 PAID_63 = 0x1070000300000001L; // Lv2diag.self; BD-remarry toolkit
|
||||
constexpr s64 PAID_64 = 0x10700003FC000001L; // emer_init.self; CoreOS (since FW 2.00)
|
||||
constexpr s64 PAID_65 = 0x10700003FD000001L; // ps3swu; PUP root; same for CEX DEX DECR
|
||||
constexpr s64 PAID_66 = 0x10700003FD000001L; // PS3ToolUpdater; cell_root/target/images; Only DECR
|
||||
constexpr s64 PAID_67 = 0x10700003FD000001L; // manufacturing_updater_for_reset.self; BD-remarry toolkit
|
||||
constexpr s64 PAID_68 = 0x10700003FE000001L; // sys_agent.self DECR; /dev_flash/sys/internal; DECR
|
||||
constexpr s64 PAID_69 = 0x10700003FF000001L; // db_backup, mkfs, mkfs_085, mount_hdd, registry_backup, set_monitor, most sys/internal modules DECR + most vsh/module modules DECR; /dev_flash/sys/internal + /dev_flash/vsh/module + cell_root/target/images; Differs between DECR (this authid) and CEX
|
||||
constexpr s64 PAID_70 = 0x1070000400000001L; // vsh / games / utilities; /dev_flash/, cell_root/target/images; only for 081.003 - 083.007
|
||||
constexpr s64 PAID_71 = 0x1070000409000001L; // psp_emulator.self; /dev_flash/pspemu/psp_emulator.self; CEX DEX DECR ?
|
||||
constexpr s64 PAID_72 = 0x107000040A000001L; // psp_translator.self; /dev_flash/pspemu/psp_translator.self; CEX DEX DECR ?
|
||||
constexpr s64 PAID_73 = 0x107000040B000001L; // emulator_api.sprx and other .sprx; /dev_flash/pspemu/release/; CEX DEX DECR ?
|
||||
constexpr s64 PAID_74 = 0x107000040C000001L; // emulator_drm.sprx; /dev_flash/pspemu/release/emulator_drm.sprx; CEX DEX DECR ?
|
||||
constexpr s64 PAID_75 = 0x107000040C000001L; // libchnnlsv.sprx; /dev_flash/sys/internal/; CEX DEX DECR ?
|
||||
constexpr s64 PAID_76 = 0x107000040D000001L; // ?psp related?; ?/dev_flash/pspemu/release/?; CEX DEX DECR ?
|
||||
constexpr s64 PAID_77 = 0x1070000500000001L; // cellftp; cell_root/target/images/; DECR
|
||||
constexpr s64 PAID_78 = 0x1070000501000001L; // hdd_copy.self; CoreOS (since FW 3.10)
|
||||
constexpr s64 PAID_79 = 0x10700005FC000001L; // sys_audio; /dev_flash/sys/internal; CEX
|
||||
constexpr s64 PAID_80 = 0x10700005FD000001L; // sys_init_osd; /dev_flash/sys/internal; CEX
|
||||
constexpr s64 PAID_81 = 0x10700005FF000001L; // vsh.self; /dev_flash/vsh/; CEX
|
||||
constexpr s64 PAID_82 = 0x1070001002000001L; // PvrRecSvr.sprx; BCJB95006\USRDIR\v320; CEX
|
||||
constexpr s64 PAID_83 = 0x1070200056000001L; // cachemgr.self; WebMAF apps/USRDIR
|
||||
constexpr s64 PAID_84 = 0x1070200057000001L; // EBOOT.BIN.self + .sprx files; WebMAF apps/USRDIR/prx/ps3; Demen_prx.ppu.sprx + WebMAF sprx files
|
||||
constexpr s64 PAID_85 = 0x1FF0000001000001L; // lv0; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_86 = 0x1FF0000002000001L; // lv1.self; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_87 = 0x1FF0000008000001L; // lv1ldr; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_88 = 0x1FF0000009000001L; // lv2ldr; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_89 = 0x1FF000000A000001L; // isoldr; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_90 = 0x1FF000000B000001L; // rvkldr; CoreOS; same for CEX DEX DECR
|
||||
constexpr s64 PAID_91 = 0x1FF000000C000001L; // appldr; CoreOS; same for CEX DEX DECR
|
||||
|
||||
constexpr s64 LAID_1 = 0x1070000001000001L; // (= HV processes / SCE_CELLOS_PME); flash and vflash
|
||||
constexpr s64 LAID_2 = 0x1070000002000001L; // (= GameOS / PS3_LPAR); flash and vflash
|
||||
constexpr s64 LAID_3 = 0x1020000003000001L; // (= PS2_LPAR / PS2_GX_LPAR / PS2_SW_LPAR / PS2_NE_LPAR); (used in ps3vflashc region inside vflash in NOR consoles, and ps3db region)... dev_flash and dev_hdd0 regions
|
||||
constexpr s64 LAID_4 = 0x1080000004000001L; // (= LINUX_LPAR); (used in ps3vflashf region inside vflash in NOR consoles)... otheros bootloader region
|
||||
|
||||
class KeyVault
|
||||
{
|
||||
std::vector<SELF_KEY> sk_LV0_arr{};
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@
|
|||
#include "utils.h"
|
||||
#include "aes.h"
|
||||
#include "sha1.h"
|
||||
#include "key_vault.h"
|
||||
#include <cstring>
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
|
|
@ -142,3 +143,80 @@ void mbedtls_zeroize(void *v, size_t n)
|
|||
static void *(*const volatile unop_memset)(void *, int, size_t) = &memset;
|
||||
(void)unop_memset(v, 0, n);
|
||||
}
|
||||
|
||||
|
||||
// SC passphrase crypto
|
||||
|
||||
void sc_form_key(const u8* sc_key, const std::array<u8, PASSPHRASE_KEY_LEN>& laid_paid, u8* key)
|
||||
{
|
||||
for (u32 i = 0; i < PASSPHRASE_KEY_LEN; i++)
|
||||
{
|
||||
key[i] = static_cast<u8>(sc_key[i] ^ laid_paid[i]);
|
||||
}
|
||||
}
|
||||
|
||||
std::array<u8, PASSPHRASE_KEY_LEN> sc_combine_laid_paid(s64 laid, s64 paid)
|
||||
{
|
||||
const std::string paid_laid = fmt::format("%016llx%016llx", laid, paid);
|
||||
std::array<u8, PASSPHRASE_KEY_LEN> out{};
|
||||
hex_to_bytes(out.data(), paid_laid.c_str(), PASSPHRASE_KEY_LEN * 2);
|
||||
return out;
|
||||
}
|
||||
|
||||
std::array<u8, PASSPHRASE_KEY_LEN> vtrm_get_laid_paid_from_type(int type)
|
||||
{
|
||||
// No idea what this type stands for
|
||||
switch (type)
|
||||
{
|
||||
case 0: return sc_combine_laid_paid(0xFFFFFFFFFFFFFFFFL, 0xFFFFFFFFFFFFFFFFL);
|
||||
case 1: return sc_combine_laid_paid(LAID_2, 0x1070000000000001L);
|
||||
case 2: return sc_combine_laid_paid(LAID_2, 0x0000000000000000L);
|
||||
case 3: return sc_combine_laid_paid(LAID_2, PAID_69);
|
||||
default:
|
||||
fmt::throw_exception("vtrm_get_laid_paid_from_type: Wrong type specified (type=%d)", type);
|
||||
}
|
||||
}
|
||||
|
||||
std::array<u8, PASSPHRASE_KEY_LEN> vtrm_portability_laid_paid()
|
||||
{
|
||||
// 107000002A000001
|
||||
return sc_combine_laid_paid(0x0000000000000000L, 0x0000000000000000L);
|
||||
}
|
||||
|
||||
int sc_decrypt(const u8* sc_key, const std::array<u8, PASSPHRASE_KEY_LEN>& laid_paid, u8* iv, u8* input, u8* output)
|
||||
{
|
||||
aes_context ctx;
|
||||
u8 key[PASSPHRASE_KEY_LEN];
|
||||
sc_form_key(sc_key, laid_paid, key);
|
||||
aes_setkey_dec(&ctx, key, 128);
|
||||
return aes_crypt_cbc(&ctx, AES_DECRYPT, PASSPHRASE_OUT_LEN, iv, input, output);
|
||||
}
|
||||
|
||||
int vtrm_decrypt(int type, u8* iv, u8* input, u8* output)
|
||||
{
|
||||
return sc_decrypt(SC_ISO_SERIES_KEY_2, vtrm_get_laid_paid_from_type(type), iv, input, output);
|
||||
}
|
||||
|
||||
int vtrm_decrypt_master(s64 laid, s64 paid, u8* iv, u8* input, u8* output)
|
||||
{
|
||||
return sc_decrypt(SC_ISO_SERIES_INTERNAL_KEY_3, sc_combine_laid_paid(laid, paid), iv, input, output);
|
||||
}
|
||||
|
||||
const u8* vtrm_portability_type_mapper(int type)
|
||||
{
|
||||
// No idea what this type stands for
|
||||
switch (type)
|
||||
{
|
||||
//case 0: return key_for_type_1;
|
||||
case 1: return SC_ISO_SERIES_KEY_2;
|
||||
case 2: return SC_ISO_SERIES_KEY_1;
|
||||
case 3: return SC_KEY_FOR_MASTER_2;
|
||||
default:
|
||||
fmt::throw_exception("vtrm_portability_type_mapper: Wrong type specified (type=%d)", type);
|
||||
}
|
||||
}
|
||||
|
||||
int vtrm_decrypt_with_portability(int type, u8* iv, u8* input, u8* output)
|
||||
{
|
||||
return sc_decrypt(vtrm_portability_type_mapper(type), vtrm_portability_laid_paid(), iv, input, output);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -53,3 +53,9 @@ void hmac_hash_forge(unsigned char *key, int key_len, unsigned char *in, int in_
|
|||
bool cmac_hash_compare(unsigned char *key, int key_len, unsigned char *in, int in_len, unsigned char *hash, int hash_len);
|
||||
void cmac_hash_forge(unsigned char *key, int key_len, unsigned char *in, int in_len, unsigned char *hash);
|
||||
void mbedtls_zeroize(void *v, size_t n);
|
||||
|
||||
// SC passphrase crypto
|
||||
|
||||
int vtrm_decrypt(int type, u8* iv, u8* input, u8* output);
|
||||
int vtrm_decrypt_master(s64 laid, s64 paid, u8* iv, u8* input, u8* output);
|
||||
int vtrm_decrypt_with_portability(int type, u8* iv, u8* input, u8* output);
|
||||
|
|
|
|||
Loading…
Reference in a new issue