Shield Server Handling

1. TSecLoaderMiscData (size: 0x120 = 288 bytes):
2.  
3. struct {
4. u8 bootStrapperSignature[16];
5. u8 snippetSignature[16];
6. u8 snippetCodeIV[16];
7. u8 globalDataSignature[16];
8. u8 globalDataIV[16];
9. u32_t flags;
10. u32_t returnCode;
11. u32 version;
12. u32 fps;
13. u8 stateSignature[16];
14. u8 randSignature[16];
15. BootstrapState boot;
16. RandState rnd;
17. ProtocolState proto;
18. }
19.  
20. BootstrapState (size 0x30 = 48 bytes):
21.  
22. struct {
23. ServerState ttl;
24. u8_t init;
25. u8_t ttl_adjusted;
26. u8 pad[6];
27. u32_t ttr_count;
28. u32_t ttl_count;
29. }
30.  
31. ServerState (size 0x20 = 32 bytes)
32.  
33. struct {
34. u32_t ttl;
35. u32_t ttr;
36. u32 nonce[2];
37. u8 snippetSignature[16];
38. }
39.  
40. RandState (size 0x30 = 48 bytes):
41.  
42. struct {
43. u8 seed[16];
44. u32_t ctr;
45. u8 pad[12];
46. u32 nonce[2];
47. u8 pad2[8];
48. }
49.  
50. ProtocolState (size 0x40 = 64 bytes):
51.  
52. struct {
53. u8 sessionId[16];
54. u8 sessionKey[16];
55. u8 R[16];
56. u32 nonce[2];
57. u8 pad[8];
58. }
59.  
60.  
61.  
62.  
63. My god the debug stuff has the server point of view included rofl, this might actually still be happening!
64.  
65. 1. Client Out ---> ServerChallengeIn (0x50 = 80 bytes):
66.  
67. struct {
68. u8 falconVersion[64];
69. u8 UID[16]; //always e816ebb8-44b7-3a37-9398-47ec566a63cd on Pheenohs Shield (since it claims to be unique this might be the android device id)
70. }
71.  
72. 2. ServerChallengeOut ---> ClientChallengeIn (size 0x20 = 32 bytes)
73.  
74. struct {
75. u8 challenge[16]; //always "0x2E2E2E2E NVSI_2.0 0x2E2E2E2E"
76. u8 R1[16]; //16 random bytes. Wouldnt be surprised if the actual challenge the client needs to solve is to XOR them with the challenge bytes or the UID (or both)
77. }
78.  
79. the server sends more data after those 32 bytes but since its always the same stuff it doesnt matter)
80.  
81. 3. ClientAuthenticateDeviceOut ---> ServerAuthenticateDeviceIn (size 0x34 = 52 bytes):
82.  
83. struct {
84. u8 UID[16]; //repeat of UID from Client Out ---> ServerChallengeIn Stage
85. u8 keyboxId[16]; //Always 6235D3E3 30DEC513 4DC9DABB 59FF02F6 (e3d33562-de30-13c5-c94d-ff59bbdaf602) for Pheenoh. Since the prior and next content is probably device unique this one is probably too (hence "device auth"). Probably an Android Keybox request ID.
86. u8 AID[4]; //always 0x1C1DFE67 for Pheenohs Shield. Read in from the "sys/devices/platform/tegra-fuse/aid" file. Probably device unique
87. u8 R1[16]; //the solved challenge submitted by the server
88. }
89.  
90. 4. ServerAuthenticateDeviceOut ---> Client (size 0x40 = 64 bytes):
91.  
92. struct {
93. u8 sessionKey[16]; //the session key. appears to be random
94. u8 sessionId[16]; //the id for this session, probably entirely random too. Maybe the keyboxId comes into play here somehow
95. u8 R2[16]; //another random 16 bytes
96. u8 signature[16]; //this should sign the prior 48 bytes so the client can confirm its authenticity. Probably a hash checksum
97. }
98.  
99. (Server seems to send an .img file afterwards, perhaps the challenger.img used for the very next step, always identical)
100.  
101.  
102. 5. Client sends the Session Data off for further processing to the TSecProtocolSessionIn (size: 0xC0 = 192 bytes) :
103.  
104. struct {
105. u8 sessionKey[16];
106. u8 sessionId[16];
107. u8 R2[16];
108. u8 signature[16]; //up to here should be a 1:1 match for what the server put out
109. u8 appName[128]; //"com.nvidia.nintendo.twipri", this must have some use, maybe used in de/encryption
110. }
111.  
112. 6. GPU finishes processing and spits out TSecProtocolSessionOut (size: 0xC0 = 192 bytes):
113.  
114. struct {
115. u8 appName[128]; //"com.nvidia.nintendo.twipri" or already truncated to "ndo.twipri"
116. u8 sessionId[16]; //transformed session id ; perhaps by using the session key. Does not use R3 or signature since those can already differ
117. u8 R2[16]; //transformed R2 ; perhaps using the session key. Does not use R3 or signature since those can already differ
118. u8 R3[16]; //new 16 random bytes generated by the GPU. Future new session key?
119. u8 signature[16]; //this should sign the prior 48 bytes (maybe the app name too) so the client can confirm its authenticity. Probably a hash checksum
120. }
121.  
122. 7. Client ---> ServerGenerateNonceIn (size: 0xC4 = 196):
123.  
124. struct {
125. u32 appNameL; //no clue, but always 0x0000001A
126. u8 appName[128]; //truncated app name. "com.nvidia.nintendo.twipri" turns into "ndo.twipri"
127. u8 sessionId[16]; //the transformed session id
128. u8 R2[16]; //transformed R2
129. u8 R3[16]; //16 random bytes
130. u8 signature[16]; //signature, random due R3 being random
131. }
132.  
133. 8. Server ---> Client: (size 0x50 = 80 bytes):
134.  
135. struct
136. {
137. u8 nonce[16]; //random 16 byte nonce
138. u8 sessionId[16]; //warped session id, possibly by using R3 or R2
139. u8 R3[16]; //warped R3, possibly by using R3 or R2 (I think R2 is still used so the key is not used to encrypt itself)
140. u8 R4[16]; //another random 16 bytes
141. u8 signature[16]; //this should sign the prior 48 bytes (or all 64 of them) so the client can confirm its authenticity. Probably a hash checksum
142. }
143.  
144.  
145. 9. Client ---> TSecProtocolNonceIn (size 0x50 = 80 bytes):
146.  
147. struct {
148. u8 nonce[16]; //nonce 1:1 as send by the server
149. u8 sessionId[16]; //warped session id by R2
150. u8 R3[16]; //warped R3 by R2 (we fail this Stage right here atm)
151. u8 R4[16]; //new random 16 bytes
152. u8 signature[16]; //signature for 48 or 64 byes
153. }
154.  
155. 10. TSecProtocolNonceOut (size 0x50 = 80 bytes):
156.  
157. struct {
158. u8 nonce[16]; //nonce 1:1 as send by the server
159. u8 sessionId[16]; //warped session id by R3
160. u8 R4[16]; //warped R4 by R3
161. u8 R5[16]; //new random 16 bytes
162. u8 signature[16]; //sig for 48 (or unlikely 64) bytes
163. }
164.  
165. 11. 3rd Party Server is contacted with Nonce. Gets a reply with response and sig and verifies it being okay
166.  
167. 12. Client packages giant response package including code_snippet.img
168.  
169. 13. Client ---> ServerValidateLicenseIn (size 0x44 = 68 bytes, 104 with padding):
170.  
171. struct {
172. u8 sessionId[16]; //warped session id by r3
173. u8 R4[16]; //warped R4 by R3
174. u8 R5[16]; //new random 16 bytes
175. u8 signature[16]; //sig for 48 bytes
176. //some consistent padding (36 bytes)
177. u32 responseL; //response code from 3rd party = 0x00AC0231 ("1") if the check passed
178. }
179.  
180. //|response|sig follow from 3rd party, then code_snippet.img
181.  
182. 14. Server ---> Client
183.  
184. struct {
185.  
186. u8 weirdSig[16] //mirror of an IV?
187.  
188. //ttl and ttr follow
189.  
190. u8 weirdSig2[8] //mirror of a sig or final new nonce?
191. u8 sessionId[16]; //warped session id by R4
192. u8 R5[16]; //warped R5 by R4
193. u8 R6[16]; //new random 16 bytes or signature (since no more send operations after this one)
194.  
195. //several img files, sig files and iv files follow. img files with a corresponding iv file are encrypted by it
196.  
197. u8 weirdSig3[16]; //mirror of a sig or actual signature?
198.  
199. --->Needs a lot more testing lol