From 8dc98bbc1b5899cb3e9f359f2375711863acfb1f Mon Sep 17 00:00:00 2001
From: Megamouse
Date: Tue, 27 Jul 2021 11:04:46 +0200
Subject: [PATCH] Add support for sc vtrm crypto

For VSH for @Clienthax
---
 rpcs3/Crypto/key_vault.h | 129 +++++++++++++++++++++++++++++++++++++++
 rpcs3/Crypto/utils.cpp | 78 +++++++++++++++++++++++
 rpcs3/Crypto/utils.h | 6 ++
 3 files changed, 213 insertions(+)

diff --git a/rpcs3/Crypto/key_vault.h b/rpcs3/Crypto/key_vault.h
index 71a3fa6e08..4157138587 100644
--- a/rpcs3/Crypto/key_vault.h
+++ b/rpcs3/Crypto/key_vault.h
@@ -33,6 +33,37 @@ struct SELF_KEY
 SELF_KEY(u64 ver_start, u64 ver_end, u16 rev, u32 type, const std::string& e, const std::string& r, const std::string& pb, const std::string& pr, u32 ct);
 };
 
+constexpr u32 PASSPHRASE_KEY_LEN = 16;
+constexpr u32 PASSPHRASE_OUT_LEN = 4096;
+
+constexpr u8 SC_ISO_SERIES_KEY_1[PASSPHRASE_KEY_LEN] = {
+ 0xD4, 0x13, 0xB8, 0x96, 0x63, 0xE1, 0xFE, 0x9F, 0x75, 0x14, 0x3D, 0x3B, 0xB4, 0x56, 0x52, 0x74 // D413B89663E1FE9F75143D3BB4565274
+};
+
+constexpr u8 SC_ISO_SERIES_KEY_2[PASSPHRASE_KEY_LEN] = {
+ 0xFA, 0x72, 0xCE, 0xEF, 0x59, 0xB4, 0xD2, 0x98, 0x9F, 0x11, 0x19, 0x13, 0x28, 0x7F, 0x51, 0xC7 // FA72CEEF59B4D2989F111913287F51C7
+};
+
+constexpr u8 SC_KEY_FOR_MASTER_1[PASSPHRASE_KEY_LEN] = {
+ 0xDA, 0xA4, 0xB9, 0xF2, 0xBC, 0x70, 0xB2, 0x80, 0xA7, 0xB3, 0x40, 0xFA, 0x0D, 0x04, 0xBA, 0x14 // DAA4B9F2BC70B280A7B340FA0D04BA14
+};
+
+constexpr u8 SC_KEY_FOR_MASTER_2[PASSPHRASE_KEY_LEN] = {
+ 0x29, 0xC1, 0x94, 0xFF, 0xEC, 0x1F, 0xD1, 0x4D, 0x4A, 0xAE, 0x00, 0x6C, 0x32, 0xB3, 0x59, 0x90 // 29C194FFEC1FD14D4AAE006C32B35990
+};
+
+constexpr u8 SC_ISO_SERIES_INTERNAL_KEY_1[PASSPHRASE_KEY_LEN] = {
+ 0x73, 0x63, 0x6B, 0x65, 0x79, 0x5F, 0x73, 0x65, 0x72, 0x69, 0x65, 0x73, 0x6B, 0x65, 0x79, 0x00 // 73636B65795F7365726965736B657900
+};
+
+constexpr u8 SC_ISO_SERIES_INTERNAL_KEY_2[PASSPHRASE_KEY_LEN] = {
+ 0x73, 0x63, 0x6B, 0x65, 0x79, 0x5F, 0x73, 0x65, 0x72, 0x69, 0x65, 0x73, 0x6B, 0x65, 0x79, 0x32 // 73636B65795F7365726965736B657932
+};
+
+constexpr u8 SC_ISO_SERIES_INTERNAL_KEY_3[PASSPHRASE_KEY_LEN] = {
+ 0x73, 0x63, 0x6B, 0x65, 0x79, 0x5F, 0x66, 0x6F, 0x72, 0x5F, 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72 // 73636B65795F666F725F6D6173746572
+};
+
 constexpr u8 PKG_AES_KEY_IDU[0x10] = {
 0x5d, 0xb9, 0x11, 0xe6, 0xb7, 0xe5, 0x0a, 0x7d, 0x32, 0x15, 0x38, 0xfd, 0x7c, 0x66, 0xf1, 0x7b
 };
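Review bot: The three SC_ISO_SERIES_INTERNAL_KEY_* tables are plain ASCII strings, which the hex trailer comments hide from anyone checking them against a dump; the byte lines should say so, e.g. `// "sckey_serieskey\0"`, `// "sckey_serieskey2"` and `// "sckey_for_master"` respectively (the bytes 73 63 6B 65 79 5F ... decode to exactly those). PASSPHRASE_OUT_LEN is named like a key-size constant next to PASSPHRASE_KEY_LEN, but utils.cpp in this same patch passes it to aes_crypt_cbc as the fixed byte count of the input/output buffers, so a comment such as `// fixed size in bytes of the buffers the SC/VTRM decrypt routines process` would stop it being mistaken for a key length. `constexpr` at namespace scope in a header gives each TU its own copy of these tables; that is harmless at 16 bytes each, but `inline constexpr` is the form that avoids the duplication if the list grows.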
@@ -180,6 +211,104 @@ constexpr u8 PUP_KEY[0x40] = {
 0x30, 0xCE, 0x83, 0x66
 };
 
+ // name; location; notes
+constexpr s64 PAID_01 = 0x0003CD28CB47D3C1L; // spu_token_processor.self; CoreOS; Only for 2E - 083.007
+constexpr s64 PAID_02 = 0x1010000001000001L; // vsh / games / utilities; /dev_flash/, cell_root/target/images; only for 2E - 080.006
+constexpr s64 PAID_03 = 0x1010000001000003L; // retail games and their updates
+constexpr s64 PAID_04 = 0x1010000002000003L;
+constexpr s64 PAID_05 = 0x1020000401000001L; // ps2emu; /dev_flash/ps2emu; CEX DEX DECR ?
+constexpr s64 PAID_06 = 0x1050000003000001L; // lv2_kernel.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_07 = 0x1070000001000002L; // onicore_child.self; /dev_flash/vsh/module; same for CEX DEX DECR
+constexpr s64 PAID_08 = 0x1070000002000002L; // mcore.self; /dev_flash/vsh/module; same for CEX DEX DECR
+constexpr s64 PAID_09 = 0x1070000003000002L; // mgvideo.self; /dev_flash/vsh/module; same for CEX DEX DECR
+constexpr s64 PAID_10 = 0x1070000004000002L; // swagner / swreset; /dev_flash/vsh/module; DTCP-IP DRM modules
+constexpr s64 PAID_11 = 0x107000000E000001L; // vtrm_server.fself; lv1
+constexpr s64 PAID_12 = 0x107000000F000001L; // update_manager_server.fself; lv1
+constexpr s64 PAID_13 = 0x1070000010000001L; // sc_manager_server.fself; lv1
+constexpr s64 PAID_14 = 0x1070000011000001L; // secure_rtc_server.fself; lv1
+constexpr s64 PAID_15 = 0x1070000012000001L; // spm_server.fself; lv1
+constexpr s64 PAID_16 = 0x1070000013000001L; // sb_manager_server.fself; lv1
+constexpr s64 PAID_17 = 0x1070000014000001L; // framework.fself; lv1
+constexpr s64 PAID_18 = 0x1070000015000001L; // lv2_loader.fself; lv1
+constexpr s64 PAID_19 = 0x1070000016000001L; // profile_loader.fself; lv1
+constexpr s64 PAID_20 = 0x1070000017000001L; // ss_init.fself; lv1
+constexpr s64 PAID_21 = 0x1070000018000001L; // individual_info_mgr_server.fself; lv1
+constexpr s64 PAID_22 = 0x1070000019000001L; // app_info_manager_server.fself; lv1
+constexpr s64 PAID_23 = 0x107000001A000001L; // ss_sc_init_pu.fself; JIG lv1 proc
+constexpr s64 PAID_24 = 0x107000001C000001L; // updater_frontend.fself; lv1
+constexpr s64 PAID_25 = 0x107000001D000001L; // sysmgr_ss.fself; lv1
+constexpr s64 PAID_26 = 0x107000001F000001L; // sb_iso_spu_module.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_27 = 0x1070000020000001L; // sc_iso.self / sc_iso_factory.self; CoreOS / [2.43 JIG PUP]; same for CEX DEX DECR
+constexpr s64 PAID_28 = 0x1070000021000001L; // spp_verifier.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_29 = 0x1070000022000001L; // spu_pkg_rvk_verifier.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_30 = 0x1070000023000001L; // spu_token_processor.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_31 = 0x1070000024000001L; // sv_iso_spu_module.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_32 = 0x1070000025000001L; // aim_spu_module.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_33 = 0x1070000026000001L; // ss_sc_init.self; [2.43 JIG PUP]
+constexpr s64 PAID_34 = 0x1070000027000001L; // dispatcher.fself; lv1;
+constexpr s64 PAID_35 = 0x1070000028000001L; // factory_data_mngr_server.fself; JIG lv1 proc
+constexpr s64 PAID_36 = 0x1070000029000001L; // fdm_spu_module.self; [2.43 JIG PUP]
+constexpr s64 PAID_37 = 0x107000002A000001L;
+constexpr s64 PAID_38 = 0x1070000031000001L;
+constexpr s64 PAID_39 = 0x1070000032000001L; // ss_server1.fself; lv1
+constexpr s64 PAID_40 = 0x1070000033000001L; // ss_server2.fself; lv1
+constexpr s64 PAID_41 = 0x1070000034000001L; // ss_server3.fself; lv1
+constexpr s64 PAID_42 = 0x1070000037000001L; // mc_iso_spu_module.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_43 = 0x1070000039000001L; // bdp_bdmv.self; /dev_flash/bdplayer
+constexpr s64 PAID_44 = 0x107000003A000001L; // bdj.self; /dev_flash/bdplayer
+constexpr s64 PAID_45 = 0x1070000040000001L; // sys/external modules; /dev_flash/sys/external; same for CEX DEX DECR (incl. liblv2dbg_for_cex.sprx + liblv2dbg_for_dex.sprx)
+constexpr s64 PAID_46 = 0x1070000041000001L; // ps1emu; /dev_flash/ps1emu; CEX DEX DECR ?
+constexpr s64 PAID_47 = 0x1070000043000001L; // me_iso_spu_module.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_48 = 0x1070000044000001L; // (related to usb dongle)
+constexpr s64 PAID_49 = 0x1070000045000001L; // USB Dongle Authenticator; ss_server1.fself; same for CEX DEX DECR
+constexpr s64 PAID_50 = 0x1070000046000001L; // spu_mode_auth.self; [2.43 JIG PUP]
+constexpr s64 PAID_51 = 0x1070000047000001L; // otheros.self; otheros.self
+constexpr s64 PAID_52 = 0x1070000048000001L; // ftpd; cell_root/target/images; DECR
+constexpr s64 PAID_53 = 0x107000004C000001L; // spu_utoken_processor.self; CoreOS (since FW 2.40)
+constexpr s64 PAID_54 = 0x107000004E000001L; // (syscall 878)
+constexpr s64 PAID_55 = 0x107000004F000001L;
+constexpr s64 PAID_56 = 0x1070000050000001L;
+constexpr s64 PAID_57 = 0x1070000051000001L;
+constexpr s64 PAID_58 = 0x1070000052000001L; // sys/internal CEX + vsh/module modules CEX; /dev_flash/sys/internal + /dev_flash/vsh/module; Differs between CEX (this authid) and DECR
+constexpr s64 PAID_59 = 0x1070000054000001L; // (syscall 21)
+constexpr s64 PAID_60 = 0x1070000055000001L; // manu_info_spu_module.self; CoreOS (since FW 3.50)
+constexpr s64 PAID_61 = 0x1070000058000001L; // me_iso_for_ps2emu.self; CoreOS (since FW 3.70)
+constexpr s64 PAID_62 = 0x1070000059000001L; // sv_iso_for_ps2emu.self; CoreOS (since FW 3.70)
+constexpr s64 PAID_63 = 0x1070000300000001L; // Lv2diag.self; BD-remarry toolkit
+constexpr s64 PAID_64 = 0x10700003FC000001L; // emer_init.self; CoreOS (since FW 2.00)
+constexpr s64 PAID_65 = 0x10700003FD000001L; // ps3swu; PUP root; same for CEX DEX DECR
+constexpr s64 PAID_66 = 0x10700003FD000001L; // PS3ToolUpdater; cell_root/target/images; Only DECR
+constexpr s64 PAID_67 = 0x10700003FD000001L; // manufacturing_updater_for_reset.self; BD-remarry toolkit
+constexpr s64 PAID_68 = 0x10700003FE000001L; // sys_agent.self DECR; /dev_flash/sys/internal; DECR
+constexpr s64 PAID_69 = 0x10700003FF000001L; // db_backup, mkfs, mkfs_085, mount_hdd, registry_backup, set_monitor, most sys/internal modules DECR + most vsh/module modules DECR; /dev_flash/sys/internal + /dev_flash/vsh/module + cell_root/target/images; Differs between DECR (this authid) and CEX
+constexpr s64 PAID_70 = 0x1070000400000001L; // vsh / games / utilities; /dev_flash/, cell_root/target/images; only for 081.003 - 083.007
+constexpr s64 PAID_71 = 0x1070000409000001L; // psp_emulator.self; /dev_flash/pspemu/psp_emulator.self; CEX DEX DECR ?
+constexpr s64 PAID_72 = 0x107000040A000001L; // psp_translator.self; /dev_flash/pspemu/psp_translator.self; CEX DEX DECR ?
+constexpr s64 PAID_73 = 0x107000040B000001L; // emulator_api.sprx and other .sprx; /dev_flash/pspemu/release/; CEX DEX DECR ?
+constexpr s64 PAID_74 = 0x107000040C000001L; // emulator_drm.sprx; /dev_flash/pspemu/release/emulator_drm.sprx; CEX DEX DECR ?
+constexpr s64 PAID_75 = 0x107000040C000001L; // libchnnlsv.sprx; /dev_flash/sys/internal/; CEX DEX DECR ?
+constexpr s64 PAID_76 = 0x107000040D000001L; // ?psp related?; ?/dev_flash/pspemu/release/?; CEX DEX DECR ?
+constexpr s64 PAID_77 = 0x1070000500000001L; // cellftp; cell_root/target/images/; DECR
+constexpr s64 PAID_78 = 0x1070000501000001L; // hdd_copy.self; CoreOS (since FW 3.10)
+constexpr s64 PAID_79 = 0x10700005FC000001L; // sys_audio; /dev_flash/sys/internal; CEX
+constexpr s64 PAID_80 = 0x10700005FD000001L; // sys_init_osd; /dev_flash/sys/internal; CEX
+constexpr s64 PAID_81 = 0x10700005FF000001L; // vsh.self; /dev_flash/vsh/; CEX
+constexpr s64 PAID_82 = 0x1070001002000001L; // PvrRecSvr.sprx; BCJB95006\USRDIR\v320; CEX
+constexpr s64 PAID_83 = 0x1070200056000001L; // cachemgr.self; WebMAF apps/USRDIR
+constexpr s64 PAID_84 = 0x1070200057000001L; // EBOOT.BIN.self + .sprx files; WebMAF apps/USRDIR/prx/ps3; Demen_prx.ppu.sprx + WebMAF sprx files
+constexpr s64 PAID_85 = 0x1FF0000001000001L; // lv0; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_86 = 0x1FF0000002000001L; // lv1.self; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_87 = 0x1FF0000008000001L; // lv1ldr; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_88 = 0x1FF0000009000001L; // lv2ldr; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_89 = 0x1FF000000A000001L; // isoldr; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_90 = 0x1FF000000B000001L; // rvkldr; CoreOS; same for CEX DEX DECR
+constexpr s64 PAID_91 = 0x1FF000000C000001L; // appldr; CoreOS; same for CEX DEX DECR
+
+constexpr s64 LAID_1 = 0x1070000001000001L; // (= HV processes / SCE_CELLOS_PME); flash and vflash
+constexpr s64 LAID_2 = 0x1070000002000001L; // (= GameOS / PS3_LPAR); flash and vflash
+constexpr s64 LAID_3 = 0x1020000003000001L; // (= PS2_LPAR / PS2_GX_LPAR / PS2_SW_LPAR / PS2_NE_LPAR); (used in ps3vflashc region inside vflash in NOR consoles, and ps3db region)... dev_flash and dev_hdd0 regions
+constexpr s64 LAID_4 = 0x1080000004000001L; // (= LINUX_LPAR); (used in ps3vflashf region inside vflash in NOR consoles)... otheros bootloader region
+
 class KeyVault
 {
 std::vector sk_LV0_arr{};
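Review bot: The program authids are named by list position (PAID_01 … PAID_91), so the one reference this patch makes, `PAID_69` in vtrm_get_laid_paid_from_type, tells the reader nothing, and any later insertion into the list shifts the numbers and silently changes which authid a caller gets; names taken from the comment column (e.g. `constexpr s64 PAID_SYS_INTERNAL_DECR = 0x10700003FF000001L;`, or at least aliases for the entries code refers to) would fix that. Three entries carry the same value under different names (PAID_65, PAID_66, PAID_67 = 0x10700003FD000001L, and likewise PAID_74/PAID_75 = 0x107000040C000001L); if that is deliberate because distinct files share an authid, a `// same authid as PAID_65` on the duplicates would stop the next reader from treating it as a copy-paste slip. Several entries (PAID_04, PAID_37, PAID_38, PAID_55–57) have an empty comment column; a `// unknown` marker would distinguish "not yet identified" from "comment forgotten".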
diff --git a/rpcs3/Crypto/utils.cpp b/rpcs3/Crypto/utils.cpp
index 1eb02b727f..461c459b96 100644
--- a/rpcs3/Crypto/utils.cpp
+++ b/rpcs3/Crypto/utils.cpp
@@ -5,6 +5,7 @@
 #include "utils.h"
 #include "aes.h"
 #include "sha1.h"
+#include "key_vault.h"
 #include
 #include
 #include
@@ -142,3 +143,80 @@ void mbedtls_zeroize(void *v, size_t n)
 static void *(*const volatile unop_memset)(void *, int, size_t) = &memset;
 (void)unop_memset(v, 0, n);
 }
+
+ // SC passphrase crypto
+
+void sc_form_key(const u8* sc_key, const std::array& laid_paid, u8* key)
+{
+ for (u32 i = 0; i < PASSPHRASE_KEY_LEN; i++)
+ {
+ key[i] = static_cast(sc_key[i] ^ laid_paid[i]);
+ }
+}
+
+std::array sc_combine_laid_paid(s64 laid, s64 paid)
+{
+ const std::string paid_laid = fmt::format("%016llx%016llx", laid, paid);
+ std::array out{};
+ hex_to_bytes(out.data(), paid_laid.c_str(), PASSPHRASE_KEY_LEN * 2);
+ return out;
+}
+
+std::array vtrm_get_laid_paid_from_type(int type)
+{
+ // No idea what this type stands for
+ switch (type)
+ {
+ case 0: return sc_combine_laid_paid(0xFFFFFFFFFFFFFFFFL, 0xFFFFFFFFFFFFFFFFL);
+ case 1: return sc_combine_laid_paid(LAID_2, 0x1070000000000001L);
+ case 2: return sc_combine_laid_paid(LAID_2, 0x0000000000000000L);
+ case 3: return sc_combine_laid_paid(LAID_2, PAID_69);
+ default:
+ fmt::throw_exception("vtrm_get_laid_paid_from_type: Wrong type specified (type=%d)", type);
+ }
+}
+
+std::array vtrm_portability_laid_paid()
+{
+ // 107000002A000001
+ return sc_combine_laid_paid(0x0000000000000000L, 0x0000000000000000L);
+}
+
+int sc_decrypt(const u8* sc_key, const std::array& laid_paid, u8* iv, u8* input, u8* output)
+{
+ aes_context ctx;
+ u8 key[PASSPHRASE_KEY_LEN];
+ sc_form_key(sc_key, laid_paid, key);
+ aes_setkey_dec(&ctx, key, 128);
+ return aes_crypt_cbc(&ctx, AES_DECRYPT, PASSPHRASE_OUT_LEN, iv, input, output);
+}
+
+int vtrm_decrypt(int type, u8* iv, u8* input, u8* output)
+{
+ return sc_decrypt(SC_ISO_SERIES_KEY_2, vtrm_get_laid_paid_from_type(type), iv, input, output);
+}
+
+int vtrm_decrypt_master(s64 laid, s64 paid, u8* iv, u8* input, u8* output)
+{
+ return sc_decrypt(SC_ISO_SERIES_INTERNAL_KEY_3, sc_combine_laid_paid(laid, paid), iv, input, output);
+}
+
+const u8* vtrm_portability_type_mapper(int type)
+{
+ // No idea what this type stands for
+ switch (type)
+ {
+ //case 0: return key_for_type_1;
+ case 1: return SC_ISO_SERIES_KEY_2;
+ case 2: return SC_ISO_SERIES_KEY_1;
+ case 3: return SC_KEY_FOR_MASTER_2;
+ default:
+ fmt::throw_exception("vtrm_portability_type_mapper: Wrong type specified (type=%d)", type);
+ }
+}
+
+int vtrm_decrypt_with_portability(int type, u8* iv, u8* input, u8* output)
+{
+ return sc_decrypt(vtrm_portability_type_mapper(type), vtrm_portability_laid_paid(), iv, input, output);
+}
diff --git a/rpcs3/Crypto/utils.h b/rpcs3/Crypto/utils.h
index d1c81a6ba8..610e095cab 100644
--- a/rpcs3/Crypto/utils.h
+++ b/rpcs3/Crypto/utils.h
@@ -53,3 +53,9 @@ void hmac_hash_forge(unsigned char *key, int key_len, unsigned char *in, int in_
 bool cmac_hash_compare(unsigned char *key, int key_len, unsigned char *in, int in_len, unsigned char *hash, int hash_len);
 void cmac_hash_forge(unsigned char *key, int key_len, unsigned char *in, int in_len, unsigned char *hash);
 void mbedtls_zeroize(void *v, size_t n);
+
+// SC passphrase crypto
+
+int vtrm_decrypt(int type, u8* iv, u8* input, u8* output);
+int vtrm_decrypt_master(s64 laid, s64 paid, u8* iv, u8* input, u8* output);
+int vtrm_decrypt_with_portability(int type, u8* iv, u8* input, u8* output);
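Review bot: sc_decrypt leaves the derived AES key and the expanded round keys on the stack after it returns — `key` and `ctx` are never wiped, even though `mbedtls_zeroize` is defined in the context lines immediately above this hunk for exactly that purpose; capture the `aes_crypt_cbc` result, zeroize both, then return it (below), and `input` can be `const u8*` if the project's aes_crypt_cbc takes a const input as the mbedtls API does. `vtrm_portability_laid_paid` is commented `// 107000002A000001` but feeds `0, 0` to sc_combine_laid_paid, so either the comment is stale or the value is wrong; whichever is intended, the comment should say so (e.g. `// portability blobs use an all-zero LAID/PAID; 107000002A000001 is the PAID of the producing process, not the key input`), because today a reader cannot tell. The `0xFFFFFFFFFFFFFFFFL` arguments in `vtrm_get_laid_paid_from_type` are unsigned literals narrowed into `s64` parameters; writing `-1` (or an `s64` constant) states the intent instead of relying on the conversion. Each `vtrm_*` entry point processes exactly PASSPHRASE_OUT_LEN (4096) bytes from `input` into `output`, but nothing in the signatures or comments says so, and CBC in this library presumably updates `iv` in place — both belong in a comment on the three public functions.

```cpp
int sc_decrypt(const u8* sc_key, const std::array<u8, PASSPHRASE_KEY_LEN>& laid_paid, u8* iv, const u8* input, u8* output)
{
	aes_context ctx;
	u8 key[PASSPHRASE_KEY_LEN];
	sc_form_key(sc_key, laid_paid, key);
	aes_setkey_dec(&ctx, key, 128);
	const int result = aes_crypt_cbc(&ctx, AES_DECRYPT, PASSPHRASE_OUT_LEN, iv, input, output);

	// Do not leave the derived key or the expanded round keys behind on the stack
	mbedtls_zeroize(key, sizeof(key));
	mbedtls_zeroize(&ctx, sizeof(ctx));
	return result;
}
```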
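Review bot: The three new declarations give callers no size contract: `iv`, `input` and `output` are bare `u8*`, and nothing here says that the implementation in utils.cpp always decrypts exactly PASSPHRASE_OUT_LEN (4096) bytes, so a caller handing over a smaller buffer overruns it. A comment on the group such as `// input and output must each hold PASSPHRASE_OUT_LEN (4096) bytes; iv is a 16-byte CBC IV (updated in place if aes_crypt_cbc follows the mbedtls convention); returns the aes_crypt_cbc status` plus one line on what `type` selects in each function would make the contract visible at the call site. `input` is only read and could be `const u8*` here and in the definitions. The helpers defined in utils.cpp but not declared here (sc_form_key, sc_combine_laid_paid, vtrm_get_laid_paid_from_type, vtrm_portability_laid_paid, sc_decrypt, vtrm_portability_type_mapper) have external linkage; `static` or an anonymous namespace would keep them out of the link namespace, unless they are meant to be reachable from elsewhere.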