From ee9fe327e2c1c5b9289540a710d4ad2ac04e65c8 Mon Sep 17 00:00:00 2001 From: Arisotura Date: Mon, 1 Jun 2020 23:13:38 +0200 Subject: [PATCH] remove requirement for aeskeys.bin and boot2_7/9.bin --- src/DSi.cpp | 87 +++++++++++++++++++++++++++++-------------------- src/DSi_AES.cpp | 36 ++++++++++---------- 2 files changed, 68 insertions(+), 55 deletions(-) diff --git a/src/DSi.cpp b/src/DSi.cpp index 520b269c..6a60f80a 100644 --- a/src/DSi.cpp +++ b/src/DSi.cpp @@ -31,6 +31,8 @@ #include "DSi_SD.h" #include "DSi_AES.h" +#include "tiny-AES-c/aes.hpp" + namespace NDS { @@ -341,52 +343,65 @@ bool LoadNAND() MBK[0][8] = mbk[11]; MBK[1][8] = mbk[11]; - // load binaries - // TODO: optionally support loading from actual NAND? - // currently decrypted binaries have to be provided - // they can be decrypted with twltool + // load boot2 binaries - FILE* bin; + AES_ctx ctx; + const u8 boot2key[16] = {0xAD, 0x34, 0xEC, 0xF9, 0x62, 0x6E, 0xC2, 0x3A, 0xF6, 0xB4, 0x6C, 0x00, 0x80, 0x80, 0xEE, 0x98}; + u8 boot2iv[16]; + u8 tmp[16]; + u32 dstaddr; - bin = Platform::OpenLocalFile("boot2_9.bin", "rb"); - if (bin) + *(u32*)&tmp[0] = bootparams[3]; + *(u32*)&tmp[4] = -bootparams[3]; + *(u32*)&tmp[8] = ~bootparams[3]; + *(u32*)&tmp[12] = 0; + for (int i = 0; i < 16; i++) boot2iv[i] = tmp[15-i]; + + AES_init_ctx_iv(&ctx, boot2key, boot2iv); + + fseek(f, bootparams[0], SEEK_SET); + dstaddr = bootparams[2]; + for (u32 i = 0; i < bootparams[3]; i += 16) { - u32 dstaddr = bootparams[2]; - for (u32 i = 0; i < bootparams[1]; i += 4) - { - u32 _tmp; - fread(&_tmp, 4, 1, bin); - ARM9Write32(dstaddr, _tmp); - dstaddr += 4; - } + u8 data[16]; + fread(data, 16, 1, f); - fclose(bin); - } - else - { - printf("ARM9 boot2 not found\n"); + for (int j = 0; j < 16; j++) tmp[j] = data[15-j]; + AES_CTR_xcrypt_buffer(&ctx, tmp, 16); + for (int j = 0; j < 16; j++) data[j] = tmp[15-j]; + + ARM9Write32(dstaddr, *(u32*)&data[0]); dstaddr += 4; + ARM9Write32(dstaddr, *(u32*)&data[4]); dstaddr += 4; + ARM9Write32(dstaddr, *(u32*)&data[8]); dstaddr += 4; + ARM9Write32(dstaddr, *(u32*)&data[12]); dstaddr += 4; } - bin = Platform::OpenLocalFile("boot2_7.bin", "rb"); - if (bin) - { - u32 dstaddr = bootparams[6]; - for (u32 i = 0; i < bootparams[5]; i += 4) - { - u32 _tmp; - fread(&_tmp, 4, 1, bin); - ARM7Write32(dstaddr, _tmp); - dstaddr += 4; - } + *(u32*)&tmp[0] = bootparams[7]; + *(u32*)&tmp[4] = -bootparams[7]; + *(u32*)&tmp[8] = ~bootparams[7]; + *(u32*)&tmp[12] = 0; + for (int i = 0; i < 16; i++) boot2iv[i] = tmp[15-i]; - fclose(bin); - } - else + AES_init_ctx_iv(&ctx, boot2key, boot2iv); + + fseek(f, bootparams[4], SEEK_SET); + dstaddr = bootparams[6]; + for (u32 i = 0; i < bootparams[7]; i += 16) { - printf("ARM7 boot2 not found\n"); + u8 data[16]; + fread(data, 16, 1, f); + + for (int j = 0; j < 16; j++) tmp[j] = data[15-j]; + AES_CTR_xcrypt_buffer(&ctx, tmp, 16); + for (int j = 0; j < 16; j++) data[j] = tmp[15-j]; + + ARM7Write32(dstaddr, *(u32*)&data[0]); dstaddr += 4; + ARM7Write32(dstaddr, *(u32*)&data[4]); dstaddr += 4; + ARM7Write32(dstaddr, *(u32*)&data[8]); dstaddr += 4; + ARM7Write32(dstaddr, *(u32*)&data[12]); dstaddr += 4; } - // repoint CPUs to the boot2 binaries + // repoint the CPUs to the boot2 binaries BootAddr[0] = bootparams[2]; BootAddr[1] = bootparams[6]; diff --git a/src/DSi_AES.cpp b/src/DSi_AES.cpp index 4cb11691..6a8ffad9 100644 --- a/src/DSi_AES.cpp +++ b/src/DSi_AES.cpp @@ -131,26 +131,24 @@ void Reset() // initialize keys - FILE* f = Platform::OpenLocalFile("aeskeys.bin", "rb"); - if (f) - { - fread(KeyNormal[0], 16, 1, f); - fread(KeyX[0], 16, 1, f); - fread(KeyY[0], 16, 1, f); - fread(KeyNormal[1], 16, 1, f); - fread(KeyX[1], 16, 1, f); - fread(KeyY[1], 16, 1, f); - fread(KeyNormal[2], 16, 1, f); - fread(KeyX[2], 16, 1, f); - fread(KeyY[2], 16, 1, f); - fread(KeyNormal[3], 16, 1, f); - fread(KeyX[3], 16, 1, f); - fread(KeyY[3], 16, 1, f); + // slot 0: modcrypt + *(u32*)&KeyX[0][0] = 0x746E694E; + *(u32*)&KeyX[0][4] = 0x6F646E65; - fclose(f); - } - else - printf("AES: aeskeys.bin not found\n"); + // slot 1: 'Tad'/dev.kp + *(u32*)&KeyX[1][0] = 0x4E00004A; + *(u32*)&KeyX[1][4] = 0x4A00004E; + *(u32*)&KeyX[1][8] = (u32)(DSi::ConsoleID >> 32) ^ 0xC80C4B72; + *(u32*)&KeyX[1][12] = (u32)DSi::ConsoleID; + + // slot 3: console-unique eMMC crypto + *(u32*)&KeyX[3][0] = (u32)DSi::ConsoleID; + *(u32*)&KeyX[3][4] = (u32)DSi::ConsoleID ^ 0x24EE6906; + *(u32*)&KeyX[3][8] = (u32)(DSi::ConsoleID >> 32) ^ 0xE65B601D; + *(u32*)&KeyX[3][12] = (u32)(DSi::ConsoleID >> 32); + *(u32*)&KeyY[3][0] = 0x0AB9DC76; + *(u32*)&KeyY[3][4] = 0xBD4DC4D3; + *(u32*)&KeyY[3][8] = 0x202DDD1D; }