rmauth_sm.self keyslot 1C test

1. #include <psp2kern/kernel/modulemgr.h>
2. #include <psp2kern/kernel/threadmgr.h>
3. #include <psp2kern/kernel/sysmem.h>
4. #include <psp2kern/kernel/cpu.h>
5. #include <psp2kern/io/fcntl.h>
6. #include <psp2kern/sblauthmgr.h>
7. #include "log.h"
8. #include "draw.h"
9.  
10. #define LOG(s, ...) \
11.     do { \
12.         char __buffer[256]; \
13.         snprintf(__buffer, sizeof(__buffer), s, ##__VA_ARGS__); \
14.         console_print(__buffer); \
15.     } while (0)
16.  
17. #define DBG(...) (void)0
18.  
19. void _start() __attribute__((weak, alias("module_start")));
20.  
21. void dmac5_submit(uint32_t dst_pa, uint32_t src_pa, uint32_t len, uint32_t dmac_cmd, int keyslot)
22. {
23.     SceUID reg_memuid;
24.     volatile uint32_t *reg_addr;
25.     SceKernelAllocMemBlockKernelOpt opt;
26.  
27.     memset(&opt, 0, sizeof(opt));
28.     opt.size = sizeof(opt);
29.     opt.attr = SCE_KERNEL_ALLOC_MEMBLOCK_ATTR_HAS_PADDR;
30.     opt.paddr = 0xE0410000;
31.     reg_memuid = ksceKernelAllocMemBlock("SceDmacmgrDmac5Reg", 0x20100206, 0x1000, &opt);
32.  
33.     ksceKernelGetMemBlockBase(reg_memuid, (void **)&reg_addr);
34.     DBG("DMAC5 reg block: 0x%08X | va: %p\n", reg_memuid, reg_addr);
35.  
36.     #define DMAC_COMMIT_WAIT \
37.         do { \
38.             reg_addr[10] = reg_addr[10]; \
39.             reg_addr[7] = 1; \
40.             while(reg_addr[9] & 1) \
41.                 ; \
42.         } while (0)
43.  
44.     reg_addr[0] = (uint32_t)src_pa;
45.     reg_addr[1] = (uint32_t)dst_pa;
46.     reg_addr[2] = len;
47.     reg_addr[3] = dmac_cmd;
48.     reg_addr[4] = keyslot;
49.     reg_addr[5] = 0;
50.     // reg_addr[8] = 0;
51.     reg_addr[11] = 0xE070;
52.     reg_addr[12] = 0x700070;
53.     DMAC_COMMIT_WAIT;
54.     asm volatile ("dmb sy");
55.     asm volatile ("dsb sy");
56.  
57.     ksceKernelFreeMemBlock(reg_memuid);
58. }
59.  
60. #define SCE_KERNEL_SYSROOT_SELF_INDEX_RMAUTH_SM 1
61.  
62. typedef struct SceSblSmCommContext130 {
63.     uint32_t unk_0;
64.     uint32_t self_type; // 2 - user = 1 / kernel = 0
65.     char data0[0x90]; //hardcoded data
66.     char data1[0x90];
67.     uint32_t pathId; // 2 (2 = os0)
68.     uint32_t unk_12C;
69. } SceSblSmCommContext130;
70.  
71. typedef struct SceSblSmCommPair {
72.     uint32_t unk_0;
73.     uint32_t unk_4;
74. } SceSblSmCommPair;
75.  
76. typedef struct SceSblSmCommMsifData {
77.     unsigned int unk00;
78.     unsigned int unk04;
79.     unsigned int unk08;
80.     unsigned int unk0C;
81.     unsigned int unk10;
82.     unsigned int unk14;
83.     unsigned int unk18;
84.     unsigned int unk1C;
85. } SceSblSmCommMsifData;
86.  
87. extern int ksceSblSmCommStartSmFromData(int priority, const char *elf_data, int elf_size, int num1, SceSblSmCommContext130 *ctx, int *id);
88. extern int ksceSblSmCommStopSm(int id, SceSblSmCommPair *res);
89. extern int ksceSblSmCommCallFunc(int id, int command_id, int *f00d_resp, const void *data, int size);
90.  
91. static const unsigned char ctx_130_data[0x90] =
92. {
93.     0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x28, 0x00, 0x00,
94.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
95.     0xC0, 0x00, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
96.     0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
97.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x09,
98.     0x80, 0x03, 0x00, 0x00, 0xC3, 0x00, 0x00, 0x00, 0x80, 0x09,
99.     0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
100.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
101.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
102.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
103.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
104.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
105.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
106.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
107.     0x00, 0x00, 0x00, 0x00
108. };
109.  
110. static int sblcomm_start_rmauth_sm(int *rmauth_sm_id)
111. {
112.     int ret;
113.     SceKernelSysrootSelfInfo self_info;
114.     SceSblSmCommContext130 smcomm_ctx;
115.  
116.     memset(&self_info, 0, sizeof(self_info));
117.     self_info.size = sizeof(self_info);
118.  
119.     ret = ksceSysrootGetSelfInfo(SCE_KERNEL_SYSROOT_SELF_INDEX_RMAUTH_SM, &self_info);
120.     if (ret < 0)
121.         return ret;
122.  
123.     memset(&smcomm_ctx, 0, sizeof(smcomm_ctx));
124.     memcpy(smcomm_ctx.data0, ctx_130_data, 0x90);
125.     smcomm_ctx.pathId = 2;
126.     smcomm_ctx.self_type = (smcomm_ctx.self_type & 0xFFFFFFF0) | 2;
127.  
128.     ret = ksceSblSmCommStartSmFromData(0, self_info.self_data,
129.                        self_info.self_size, 0,
130.                        &smcomm_ctx, rmauth_sm_id);
131.     if (ret < 0)
132.         return ret;
133.  
134.     return 0;
135. }
136.  
137. static int f00d_rmauth_sm_cmd_1(int *res)
138. {
139.     int ret;
140.     int rmauth_sm_id;
141.     int f00d_resp;
142.         SceSblSmCommPair stop_res;
143.         SceSblSmCommMsifData data;
144.  
145.     ret = sblcomm_start_rmauth_sm(&rmauth_sm_id);
146.     if (ret < 0)
147.         return ret;
148.  
149.     ret = ksceSblSmCommCallFunc(rmauth_sm_id, 1, &f00d_resp, &data, 0x20);
150.     if (ret < 0)
151.         return ret;
152.  
153.     ret = ksceSblSmCommStopSm(rmauth_sm_id, &stop_res);
154.     if (ret < 0)
155.         return ret;
156.  
157.     *res = data.unk10;
158.  
159.     return f00d_resp;
160. }
161.  
162. static int f00d_rmauth_sm_cmd_2(const uint32_t seed[8])
163. {
164.     int ret;
165.     int rmauth_sm_id;
166.     int f00d_resp;
167.         SceSblSmCommPair stop_res;
168.         uint32_t buffer[8];
169.  
170.     ret = sblcomm_start_rmauth_sm(&rmauth_sm_id);
171.     if (ret < 0)
172.         return ret;
173.  
174.     LOG("rmauth_sm id: 0x%08X\n", rmauth_sm_id);
175.  
176.     memcpy(buffer, seed, sizeof(buffer));
177.     ret = ksceSblSmCommCallFunc(rmauth_sm_id, 2, &f00d_resp, buffer, 0x20);
178.     if (ret < 0)
179.         return ret;
180.  
181.     ret = ksceSblSmCommStopSm(rmauth_sm_id, &stop_res);
182.     if (ret < 0)
183.         return ret;
184.  
185.     return f00d_resp;
186. }
187.  
188. void dmac_test()
189. {
190.     int i;
191.     SceUID work_memuid;
192.     void *work_addr;
193.  
194.     #define WORK_SIZE 0x3000
195.  
196.     work_memuid = ksceKernelAllocMemBlock("work", 0x1050D006, WORK_SIZE, NULL);
197.     ksceKernelGetMemBlockBase(work_memuid, &work_addr);
198.  
199.     DBG("Work block: 0x%08X | va: %p\n", work_memuid, work_addr);
200.  
201.     /* Set src (plaintext) to 0s */
202.     memset(work_addr, 0, WORK_SIZE);
203.     ksceKernelCpuDcacheAndL2WritebackRange(work_addr, WORK_SIZE);
204.  
205.     uint8_t *src = (uint8_t *)work_addr;
206.     uint8_t *dst1 = (uint8_t *)work_addr + 0x1000;
207.     uint8_t *dst2 = (uint8_t *)work_addr + 0x2000;
208.  
209.     uintptr_t src_pa, dst1_pa, dst2_pa;
210.     ksceKernelGetPaddr(src, &src_pa);
211.     ksceKernelGetPaddr(dst1, &dst1_pa);
212.     ksceKernelGetPaddr(dst2, &dst2_pa);
213.  
214.     #define DMAC_CMD    0x41    /* DES64ECB */
215.     #define KEY_SLOT    0x1C
216.     #define LEN     8   /* in bytes */
217.  
218.     static const uint32_t seed1[] = {
219.         0x11111111, 0x11111111, 0x11111111, 0x11111111,
220.         0x11111111, 0x11111111, 0x11111111, 0x11111111
221.     };
222.  
223.     static const uint32_t seed2[] = {
224.         0x22222222, 0x22222222, 0x22222222, 0x22222222,
225.         0x22222222, 0x22222222, 0x22222222, 0x22222222
226.     };
227.  
228.     f00d_rmauth_sm_cmd_2(seed1);
229.     dmac5_submit(dst1_pa, src_pa, LEN, DMAC_CMD, KEY_SLOT);
230.  
231.     f00d_rmauth_sm_cmd_2(seed2);
232.     dmac5_submit(dst2_pa, src_pa, LEN, DMAC_CMD, KEY_SLOT);
233.  
234.     ksceKernelCpuDcacheAndL2InvalidateRange(dst1, 0x1000);
235.     ksceKernelCpuDcacheAndL2InvalidateRange(dst2, 0x1000);
236.  
237.     LOG("\nDMAC command: 0x%08X\n", DMAC_CMD);
238.     LOG("DMAC key slot: 0x%02X\n", KEY_SLOT);
239.     LOG("DMAC job length: 0x%02X bytes\n", LEN);
240.  
241.     LOG("\nInput:");
242.     for (i = 0; i < LEN; i++)
243.         LOG(" %02X", src[i]);
244.     LOG("\n\n");
245.  
246.     LOG("Seed 1:");
247.     for (i = 0; i < LEN; i++)
248.         LOG(" %08lX", seed1[i]);
249.     LOG("\n");
250.  
251.     LOG("Output 1:");
252.     for (i = 0; i < LEN; i++)
253.         LOG(" %02X", dst1[i]);
254.     LOG("\n\n\n");
255.  
256.     LOG("Seed 2:");
257.     for (i = 0; i < LEN; i++)
258.         LOG(" %08lX", seed2[i]);
259.     LOG("\n");
260.  
261.     LOG("Output 2:");
262.     for (i = 0; i < LEN; i++)
263.         LOG(" %02X", dst2[i]);
264.     LOG("\n\n\n");
265.  
266.     LOG("Done!\n");
267.  
268.     ksceKernelFreeMemBlock(work_memuid);
269. }
270.  
271. int module_start(SceSize argc, const void *args)
272. {
273.     map_framebuffer();
274.  
275.     LOG("vita-keyslot-1c-test by xerpi\n\n");
276.  
277.     dmac_test();
278.  
279.     return SCE_KERNEL_START_SUCCESS;
280. }
281.  
282. int module_stop(SceSize argc, const void *args)
283. {
284.     unmap_framebuffer();
285.  
286.     return SCE_KERNEL_STOP_SUCCESS;
287. }