From e0841b9dd4d0e6c0941aa6dac4b43e653e1ce4b3 Mon Sep 17 00:00:00 2001 From: Mike Date: Tue, 3 Nov 2020 23:00:38 -0600 Subject: [PATCH] vl: Generate factory Xbox EEPROM if not provided --- hw/xbox/Makefile.objs | 2 +- hw/xbox/eeprom_generation.c | 246 ++++++++++++++++++++++++++++++++++++ hw/xbox/eeprom_generation.h | 72 +++++++++++ hw/xbox/smbus_storage.c | 39 +----- softmmu/vl.c | 45 ++++--- ui/xemu-settings.c | 25 ++++ ui/xemu-settings.h | 3 + 7 files changed, 378 insertions(+), 54 deletions(-) create mode 100644 hw/xbox/eeprom_generation.c create mode 100644 hw/xbox/eeprom_generation.h diff --git a/hw/xbox/Makefile.objs b/hw/xbox/Makefile.objs index 8519da60f3..b1581e6378 100644 --- a/hw/xbox/Makefile.objs +++ b/hw/xbox/Makefile.objs @@ -1,7 +1,7 @@ obj-y += xbox.o obj-y += chihiro.o obj-y += xbox_pci.o acpi_xbox.o -obj-y += amd_smbus.o smbus_xbox_smc.o smbus_cx25871.o smbus_adm1032.o smbus_storage.o +obj-y += amd_smbus.o smbus_xbox_smc.o smbus_cx25871.o smbus_adm1032.o smbus_storage.o eeprom_generation.o obj-y += nvnet.o obj-y += mcpx_apu.o mcpx_aci.o obj-y += lpc47m157.o diff --git a/hw/xbox/eeprom_generation.c b/hw/xbox/eeprom_generation.c new file mode 100644 index 0000000000..caa1fe8103 --- /dev/null +++ b/hw/xbox/eeprom_generation.c @@ -0,0 +1,246 @@ +/* + * QEMU Xbox EEPROM Generation (MCPX Version 1.0) + * + * Copyright (c) 2020 Mike Davis + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + */ + +#include "eeprom_generation.h" + +static uint32_t xbox_eeprom_crc(uint8_t *data, size_t len) { + uint32_t high = 0; + uint32_t low = 0; + for (int i = 0; i < len / 4; i++) { + uint32_t val = le32_to_cpu(((uint32_t*)data)[i]); + uint64_t sum = ((uint64_t)high << 32) | low; + + high = (sum + val) >> 32; + low += val; + } + return ~(high + low); +} + +static void xbox_rc4_swap(RC4Context *ctx, int first, int second) { + uint8_t temp = ctx->s[first]; + ctx->s[first] = ctx->s[second]; + ctx->s[second] = temp; +} + +static void xbox_rc4_init(RC4Context *ctx, uint8_t *data, size_t len) { + for (int i = 0; i < 256; i++) { + ctx->s[i] = i; + } + for (int i = 0, j = 0; i < 256; i++) { + j = (j + ctx->s[i] + data[i % len]) % 256; + xbox_rc4_swap(ctx, i, j); + } +} + +static void xbox_rc4_crypt(RC4Context *ctx, uint8_t *data, size_t len) { + for (int i = 0, j = 0, k = 0; k < len; k++) { + i = (i + 1) % 256; + j = (j + ctx->s[i]) % 256; + xbox_rc4_swap(ctx, i, j); + data[k] ^= ctx->s[(ctx->s[i] + ctx->s[j]) % 256]; + } +} + +static uint32_t xbox_sha1_rotate(uint32_t bits, uint32_t val) { + return (val << bits) | (val >> (32 - bits)); +} + +static void xbox_sha1_fill(SHA1Context *ctx, + uint32_t a, uint32_t b, uint32_t c, uint32_t d, uint32_t e) { + ctx->intermediate[0] = a; + ctx->intermediate[1] = b; + ctx->intermediate[2] = c; + ctx->intermediate[3] = d; + ctx->intermediate[4] = e; +} + +static void xbox_sha1_reset(SHA1Context *ctx, XboxEEPROMVersion ver, bool first) { + ctx->msg_blk_index = 0; + ctx->computed = false; + ctx->length = 512; + + // https://web.archive.org/web/20040618164907/http://www.xbox-linux.org/down/The%20Middle%20Message-1a.pdf + switch (ver) { + case XBOX_EEPROM_VERSION_D: + if (first) { + xbox_sha1_fill(ctx, 0x85F9E51A, 0xE04613D2, + 0x6D86A50C, 0x77C32E3C, 0x4BD717A4); + } else { + xbox_sha1_fill(ctx, 0x5D7A9C6B, 0xE1922BEB, + 0xB82CCDBC, 0x3137AB34, 0x486B52B3); + } + break; + case XBOX_EEPROM_VERSION_R2: + if (first) { + xbox_sha1_fill(ctx, 0x39B06E79, 0xC9BD25E8, + 0xDBC6B498, 0x40B4389D, 0x86BBD7ED); + } else { + xbox_sha1_fill(ctx, 0x9B49BED3, 0x84B430FC, + 0x6B8749CD, 0xEBFE5FE5, 0xD96E7393); + } + break; + case XBOX_EEPROM_VERSION_R3: + if (first) { + xbox_sha1_fill(ctx, 0x8058763A, 0xF97D4E0E, + 0x865A9762, 0x8A3D920D, 0x08995B2C); + } else { + xbox_sha1_fill(ctx, 0x01075307, 0xA2f1E037, + 0x1186EEEA, 0x88DA9992, 0x168A5609); + } + break; + default: // default to 1.0 version + if (first) { + xbox_sha1_fill(ctx, 0x72127625, 0x336472B9, + 0xBE609BEA, 0xF55E226B, 0x99958DAC); + } else { + xbox_sha1_fill(ctx, 0x76441D41, 0x4DE82659, + 0x2E8EF85E, 0xB256FACA, 0xC4FE2DE8); + } + } +} + +static void xbox_sha1_process(SHA1Context *ctx) { + const uint32_t k[] = { 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 }; + uint32_t w[80]; + uint32_t a = ctx->intermediate[0]; + uint32_t b = ctx->intermediate[1]; + uint32_t c = ctx->intermediate[2]; + uint32_t d = ctx->intermediate[3]; + uint32_t e = ctx->intermediate[4]; + + for (int i = 0; i < 16; i++) { + *(uint32_t*)&w[i] = cpu_to_be32(((uint32_t*)ctx->msg_blk)[i]); + } + + for (int i = 16; i < 80; i++) { + w[i] = xbox_sha1_rotate(1, w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]); + } + + for (int i = 0; i < 80; i++) { + uint32_t temp = xbox_sha1_rotate(5, a) + w[i] + e; + switch (i / 20) { + case 0: temp += k[0] + ((b & c) | ((~b) & d)); break; + case 1: temp += k[1] + (b ^ c ^ d); break; + case 2: temp += k[2] + ((b & c) | (b & d) | (c & d)); break; + case 3: temp += k[3] + (b ^ c ^ d); break; + } + e = d; + d = c; + c = xbox_sha1_rotate(30, b); + b = a; + a = temp; + } + + ctx->intermediate[0] += a; + ctx->intermediate[1] += b; + ctx->intermediate[2] += c; + ctx->intermediate[3] += d; + ctx->intermediate[4] += e; + ctx->msg_blk_index = 0; +} + +static void xbox_sha1_input(SHA1Context *ctx, uint8_t *data, size_t len) { + ctx->length += len << 3; + for (int i = 0; i < len; i++) { + ctx->msg_blk[ctx->msg_blk_index++] = data[i]; + if (ctx->msg_blk_index == 64) { + xbox_sha1_process(ctx); + } + } +} + +static void xbox_sha1_pad(SHA1Context *ctx) { + ctx->msg_blk[ctx->msg_blk_index++] = 0x80; + if (ctx->msg_blk_index > 56) { + while (ctx->msg_blk_index < 64) { + ctx->msg_blk[ctx->msg_blk_index++] = 0; + } + xbox_sha1_process(ctx); + } + while (ctx->msg_blk_index < 56) { + ctx->msg_blk[ctx->msg_blk_index++] = 0; + } + *(uint32_t*)&ctx->msg_blk[56] = 0; + *(uint32_t*)&ctx->msg_blk[60] = cpu_to_be32(ctx->length); + xbox_sha1_process(ctx); +} + +static void xbox_sha1_result(SHA1Context *ctx, uint8_t *data) { + if (!ctx->computed) { + xbox_sha1_pad(ctx); + ctx->length = 0; + ctx->computed = true; + } + for (int i = 0; i < 20; ++i) { + data[i] = ctx->intermediate[i >> 2] >> 8 * (3 - (i & 3)); + } +} + +static void xbox_sha1_compute(SHA1Context *ctx, XboxEEPROMVersion ver, + uint8_t *data, size_t len, uint8_t *hash) { + xbox_sha1_reset(ctx, ver, true); + xbox_sha1_input(ctx, data, len); + xbox_sha1_result(ctx, ctx->msg_blk); + xbox_sha1_reset(ctx, ver, false); + xbox_sha1_input(ctx, ctx->msg_blk, 20); + xbox_sha1_result(ctx, hash); +} + +bool xbox_eeprom_generate(const char *file, XboxEEPROMVersion ver) { + XboxEEPROM e; + memset(&e, 0, sizeof(e)); + + // set default North American and NTSC-M region settings + e.region = cpu_to_le32(1); + e.video_standard = cpu_to_le32(0x00400100); + + // randomize hardware information + qcrypto_random_bytes(e.confounder, sizeof(e.confounder), &error_fatal); + qcrypto_random_bytes(e.hdd_key, sizeof(e.hdd_key), &error_fatal); + qcrypto_random_bytes(e.online_key, sizeof(e.online_key), &error_fatal); + memcpy(e.mac, "\x00\x50\xF2", 3); + qcrypto_random_bytes(e.mac + 3, sizeof(e.mac) - 3, &error_fatal); + qcrypto_random_bytes(e.serial, sizeof(e.serial), &error_fatal); + for (int i = 0; i < sizeof(e.serial); i++) { + e.serial[i] = '0' + (e.serial[i] % 10); + } + + // update checksums + e.checksum = cpu_to_le32(xbox_eeprom_crc(e.serial, 0x2C)); + e.user_checksum = cpu_to_le32(xbox_eeprom_crc(e.user_section, 0x5C)); + + // encrypt security section + RC4Context rctx; + SHA1Context sctx; + uint8_t seed[20]; + xbox_sha1_compute(&sctx, ver, e.confounder, 0x1C, e.hash); + xbox_sha1_compute(&sctx, ver, e.hash, sizeof(e.hash), seed); + xbox_rc4_init(&rctx, seed, sizeof(seed)); + xbox_rc4_crypt(&rctx, e.confounder, 0x1C); + + // save to file + FILE *fd = fopen(file, "wb"); + if (fd == NULL) { + return false; + } + + bool success = fwrite(&e, sizeof(e), 1, fd) == 1; + fclose(fd); + return success; +} diff --git a/hw/xbox/eeprom_generation.h b/hw/xbox/eeprom_generation.h new file mode 100644 index 0000000000..44e13165ac --- /dev/null +++ b/hw/xbox/eeprom_generation.h @@ -0,0 +1,72 @@ +/* + * QEMU Xbox EEPROM Generation (MCPX Version 1.0) + * + * Copyright (c) 2020 Mike Davis + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + */ + +#ifndef HW_EEPROM_GENERATION_H +#define HW_EEPROM_GENERATION_H + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "crypto/random.h" +#include "include/qemu/bswap.h" + +typedef struct RC4Context { + uint8_t s[256]; +} RC4Context; + +typedef struct SHA1Context { + uint32_t intermediate[5]; + uint8_t msg_blk[64]; + uint32_t msg_blk_index; + uint32_t length; + bool computed; +} SHA1Context; + +#pragma pack(push,1) +typedef struct XboxEEPROM { + uint8_t hash[20]; + uint8_t confounder[8]; + uint8_t hdd_key[16]; + uint32_t region; + uint32_t checksum; + uint8_t serial[12]; + uint8_t mac[6]; + uint16_t padding; + uint8_t online_key[16]; + uint32_t video_standard; + uint32_t padding2; + uint32_t user_checksum; + uint8_t user_section[156]; +} XboxEEPROM; +#pragma pack(pop) + +typedef enum { + // debug kernels + XBOX_EEPROM_VERSION_D, + // retail v1.0 kernels + XBOX_EEPROM_VERSION_R1, + // retail v1.1-1.4 kernels + XBOX_EEPROM_VERSION_R2, + // retail v1.6 kernels + XBOX_EEPROM_VERSION_R3 +} XboxEEPROMVersion; + +bool xbox_eeprom_generate(const char *file, XboxEEPROMVersion ver); + +#endif + diff --git a/hw/xbox/smbus_storage.c b/hw/xbox/smbus_storage.c index f82352e0e8..4611450e01 100644 --- a/hw/xbox/smbus_storage.c +++ b/hw/xbox/smbus_storage.c @@ -53,42 +53,6 @@ typedef struct SMBusStorageDevice { bool persist; } SMBusStorageDevice; -// FIXME: remove, file should be generated upstream if unspecified -const uint8_t default_eeprom[] = { - 0xe3, 0x1c, 0x5c, 0x23, 0x6a, 0x58, 0x68, 0x37, - 0xb7, 0x12, 0x26, 0x6c, 0x99, 0x11, 0x30, 0xd1, - 0xe2, 0x3e, 0x4d, 0x56, 0xf7, 0x73, 0x2b, 0x73, - 0x85, 0xfe, 0x7f, 0x0a, 0x08, 0xef, 0x15, 0x3c, - 0x77, 0xee, 0x6d, 0x4e, 0x93, 0x2f, 0x28, 0xee, - 0xf8, 0x61, 0xf7, 0x94, 0x17, 0x1f, 0xfc, 0x11, - 0x0b, 0x84, 0x44, 0xed, 0x31, 0x30, 0x35, 0x35, - 0x38, 0x31, 0x31, 0x31, 0x34, 0x30, 0x30, 0x33, - 0x00, 0x50, 0xf2, 0x4f, 0x65, 0x52, 0x00, 0x00, - 0x0a, 0x1e, 0x35, 0x33, 0x71, 0x85, 0x31, 0x4d, - 0x59, 0x12, 0x38, 0x48, 0x1c, 0x91, 0x53, 0x60, - 0x00, 0x01, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x75, 0x61, 0x57, 0xfb, 0x2c, 0x01, 0x00, 0x00, - 0x45, 0x53, 0x54, 0x00, 0x45, 0x44, 0x54, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0a, 0x05, 0x00, 0x02, 0x04, 0x01, 0x00, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xc4, 0xff, 0xff, 0xff, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; - static void smbus_storage_realize(DeviceState *dev, Error **errp) { SMBusStorageDevice *s = SMBUS_STORAGE(dev); @@ -119,8 +83,7 @@ static void smbus_storage_realize(DeviceState *dev, Error **errp) } close(fd); } else { - // FIXME: remove, file should be generated upstream if unspecified - memcpy(s->data, default_eeprom, MIN(s->size, sizeof(default_eeprom))); + error_setg(errp, "%s: file unspecified\n", __func__); } } diff --git a/softmmu/vl.c b/softmmu/vl.c index ad91027a50..d479e3b26f 100644 --- a/softmmu/vl.c +++ b/softmmu/vl.c @@ -118,6 +118,7 @@ #include "ui/xemu-notifications.h" #include "ui/xemu-net.h" #include "ui/xemu-input.h" +#include "hw/xbox/eeprom_generation.h" #define MAX_VIRTIO_CONSOLES 1 @@ -2890,6 +2891,12 @@ void qemu_init(int argc, char **argv, char **envp) error_init(argv[0]); module_call_init(MODULE_INIT_TRACE); + // init earlier because it's needed for eeprom generation + if (qcrypto_init(&err) < 0) { + error_reportf_err(err, "cannot initialize crypto: "); + exit(1); + } + // // FIXME: This is a hack to get QEMU to load correct machine and properties // very early, and handle some basic error cases without hooking QEMU error @@ -2933,27 +2940,40 @@ void qemu_init(int argc, char **argv, char **envp) if (strlen(eeprom_path) > 0) { int eeprom_size = get_image_size(eeprom_path); if (eeprom_size < 0) { - char *msg = g_strdup_printf("Failed to open EEPROM file '%s'. " - "Please check machine settings.", eeprom_path); + char *msg = g_strdup_printf("Failed to open EEPROM file '%s'.\n\n" + "Automatically generating a new one instead. " + "Please check machine settings for the new path and move if desired.", eeprom_path); xemu_queue_error_message(msg); g_free(msg); eeprom_path = ""; } else if (eeprom_size != 256) { char *msg = g_strdup_printf( - "Invalid EEPROM file '%s' size of %d; should be 256 bytes. " - "Please check machine settings.", eeprom_path, eeprom_size); + "Invalid EEPROM file '%s' size of %d; should be 256 bytes.\n\n" + "Automatically generating a new one instead. " + "Please check machine settings for the new path and move if desired.", eeprom_path, eeprom_size); xemu_queue_error_message(msg); g_free(msg); eeprom_path = ""; + } else { + fake_argv[fake_argc++] = strdup("-device"); + fake_argv[fake_argc++] = g_strdup_printf("smbus-storage,file=%s", eeprom_path); } } - fake_argv[fake_argc++] = strdup("-device"); - if (strlen(eeprom_path) > 0) { - fake_argv[fake_argc++] = g_strdup_printf("smbus-storage,file=%s", - eeprom_path); - } else { - fake_argv[fake_argc++] = strdup("smbus-storage"); + // Generate a new EEPROM file if one isn't specified or contents are invalid + if (strlen(eeprom_path) == 0) { + eeprom_path = xemu_settings_get_default_eeprom_path(); + if (xbox_eeprom_generate(eeprom_path, XBOX_EEPROM_VERSION_R1)) { + xemu_settings_set_string(XEMU_SETTINGS_SYSTEM_EEPROM_PATH, eeprom_path); + xemu_settings_save(); + fake_argv[fake_argc++] = strdup("-device"); + fake_argv[fake_argc++] = g_strdup_printf("smbus-storage,file=%s", eeprom_path); + free((char*)eeprom_path); + } else { + char *msg = g_strdup_printf("Failed to generate eeprom file '%s'. Please check machine settings.", eeprom_path); + xemu_queue_error_message(msg); + g_free(msg); + } } const char *flash_path; @@ -3087,11 +3107,6 @@ void qemu_init(int argc, char **argv, char **envp) postcopy_infrastructure_init(); monitor_init_globals(); - if (qcrypto_init(&err) < 0) { - error_reportf_err(err, "cannot initialize crypto: "); - exit(1); - } - QTAILQ_INIT(&vm_change_state_head); os_setup_early_signal_handling(); diff --git a/ui/xemu-settings.c b/ui/xemu-settings.c index 8f1ef8a079..90b82bf52c 100644 --- a/ui/xemu-settings.c +++ b/ui/xemu-settings.c @@ -216,6 +216,31 @@ const char *xemu_settings_get_path(void) return settings_path; } +const char *xemu_settings_get_default_eeprom_path(void) +{ + char *base = SDL_GetPrefPath("xemu", "xemu"); + assert(base != NULL); + size_t base_len = strlen(base); + + const char *name = "eeprom.bin"; + size_t name_len = strlen(name); + size_t final_len = base_len + name_len; + final_len += 1; // Terminating null byte + + char *path = malloc(final_len); + assert(path != NULL); + + // Copy base part + memcpy(path, base, base_len); + free(base); + + // Copy name part + memcpy(path+base_len, name, name_len); + path[final_len-1] = '\0'; + + return path; +} + static int xemu_enum_str_to_int(const struct enum_str_map *map, const char *str, int *value) { for (int i = 0; map[i].str != NULL; i++) { diff --git a/ui/xemu-settings.h b/ui/xemu-settings.h index 11504e352a..352224e0b0 100644 --- a/ui/xemu-settings.h +++ b/ui/xemu-settings.h @@ -73,6 +73,9 @@ int xemu_settings_did_fail_to_load(void); // Get path of the config file on disk const char *xemu_settings_get_path(void); +// Get path of the default generated eeprom file on disk +const char *xemu_settings_get_default_eeprom_path(void); + // Load config file from disk, or load defaults void xemu_settings_load(void);