Changes

6 bytes added ,  02:25, 8 February 2021
no edit summary
Line 3: Line 3:  
This flags is set to bigmac keyring 0x50C.
 
This flags is set to bigmac keyring 0x50C.
   −
Defined at same time as [[Sysroot#Boot type indicator 1]] and embeds some common information but with different flags.
+
Defined at same time as [[KBL Param#Boot type indicator 1]] and embeds some common information but with different flags.
    
{| class="wikitable"
 
{| class="wikitable"
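Review bot: the retargeted link [[KBL Param#Boot type indicator 1]] only works if the KBL Param page actually carries a section titled "Boot type indicator 1"; a MediaWiki section link with a missing anchor silently lands at the top of the page, so check that the heading was moved along with the rename. While touching this paragraph, the unchanged neighbouring line "This flags is set to bigmac keyring 0x50C." should read "This flag is set ...".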
Line 168: Line 168:  
LABEL_32:
 
LABEL_32:
 
     v20 = 0;
 
     v20 = 0;
     clear_sysroot_801C0C();
+
     clear_kbl_param_801C0C();
 
     goto LBL_123;
 
     goto LBL_123;
 
   }
 
   }
   if ( copy_sysroot_to_0x4001FD00_801C1E() )
+
   if ( copy_kbl_param_to_0x4001FD00_801C1E() )
 
   {
 
   {
 
     is_resume = 1LL;
 
     is_resume = 1LL;
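Review bot: the renames clear_sysroot_801C0C -> clear_kbl_param_801C0C and copy_sysroot_to_0x4001FD00_801C1E -> copy_kbl_param_to_0x4001FD00_801C1E keep the address suffixes, which is what keeps these analyst-assigned labels cross-referenceable; since readers with older notes or databases will still know the 801C0C/801C1E routines under the sysroot names, a one-line remark at the top of the page that "KBL Param" is the new name for what earlier revisions called the sysroot buffer would avoid confusion.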
Line 193: Line 193:  
Coldboot/resume is determined from bit 7 of boot_type returned by syscon. Then, something with dram??? If boot type is resume but TZ magic word (0x9E3199B7) isn't present, it changes boot type to coldboot.
 
Coldboot/resume is determined from bit 7 of boot_type returned by syscon. Then, something with dram??? If boot type is resume but TZ magic word (0x9E3199B7) isn't present, it changes boot type to coldboot.
   −
If coldboot, sysroot buffer at 0x1F000100 is cleared, otherwise it's restored from 0x4001FD00. Then, some check on emmc crypto reg??? <code>sub_806B58(0x40000500LL, 0x1000LL);</code>???
+
If coldboot, KBL Param at 0x1F000100 is cleared, otherwise it's restored from 0x4001FD00. Then, some check on emmc crypto reg??? <code>sub_806B58(0x40000500LL, 0x1000LL);</code>???
    
=== Factory firmware check ===
 
=== Factory firmware check ===
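Review bot: "sysroot buffer at 0x1F000100" became "KBL Param at 0x1F000100", dropping the word "buffer"; the last hunk of this change still says "KBL Param +0x100 (0x1F000200)", so "KBL Param buffer at 0x1F000100" would keep the two descriptions of the same region consistent. Separately, the paragraph already states that a resume boot without the TZ magic word 0x9E3199B7 is downgraded to coldboot, and that coldboot clears the buffer while resume restores it from 0x4001FD00; it is worth spelling out that the restore is therefore gated on the magic-word check, since that is the condition under which stale contents at 0x4001FD00 are trusted. The "something with dram???" and "check on emmc crypto reg???" markers remain open after this edit.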
Line 252: Line 252:  
       report_error_808CAA(1LL, 86LL, v24, 0LL);
 
       report_error_808CAA(1LL, 86LL, v24, 0LL);
 
     if ( !v20 )
 
     if ( !v20 )
       syscon_read_cmd_0x1082_ptr_0x4a0_into_sysroot_802346();
+
       syscon_read_cmd_0x1082_ptr_0x4a0_into_kbl_param_802346();
 
     if ( !(_DWORD)is_resume && !v23 )
 
     if ( !(_DWORD)is_resume && !v23 )
 
       dmac_wait_804C16(&ctx);
 
       dmac_wait_804C16(&ctx);
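Review bot: the renamed call syscon_read_cmd_0x1082_ptr_0x4a0_into_kbl_param_802346() is guarded by `if ( !v20 )`, and v20 is the unnamed local that the LABEL_32 path earlier in this change sets to 0; whether the syscon read into KBL Param happens at all depends on it, so giving v20 a descriptive name (or a comment stating what condition it encodes) would make the listing easier to follow than the rename alone.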
Line 288: Line 288:  
         sub_808B66(1LL);
 
         sub_808B66(1LL);
 
     }
 
     }
     write_sysroot_fields_from_syscon_801FC0();
+
     write_kbl_param_fields_from_syscon_801FC0();
 
     keyring_writeX_80250C(0x510LL, (__int64)line_0x510, 0x20LL);
 
     keyring_writeX_80250C(0x510LL, (__int64)line_0x510, 0x20LL);
 
     memset((__int64)line_0x50A, 0LL, 0x10LL);
 
     memset((__int64)line_0x50A, 0LL, 0x10LL);
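Review bot: write_kbl_param_fields_from_syscon_801FC0() and the write_kbl_param_801C36() call in the "Write KBL Param fields" section of this same change have near-identical names after the rename but are different routines (801FC0 vs 801C36); the prose should say which fields each one writes so the two are not conflated. Note also the ordering visible here: the keyring write of line_0x510 to keyslot 0x510 is immediately followed by memset(line_0x50A, 0, 0x10), which looks like scrubbing of a 16-byte buffer after use and deserves a comment if that is what it is.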
Line 405: Line 405:  
If coldboot, make sure that kbl version is not lower than factory firmware version.
 
If coldboot, make sure that kbl version is not lower than factory firmware version.
   −
=== Write sysroot fields ===
+
=== Write KBL Param fields ===
    
<pre>
 
<pre>
         write_sysroot_801C36((__int64)line_0x510, (__int64)line_0x50A, boot_type, is_resume, a3);
+
         write_kbl_param_801C36((__int64)line_0x510, (__int64)line_0x50A, boot_type, is_resume, a3);
 
         set_status(96LL);
 
         set_status(96LL);
    
</pre>
 
</pre>
   −
Writes most of sysroot fields ???
+
Writes most of KBL Param fields ???
    
=== TODO ===
 
=== TODO ===
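Review bot: renaming the heading "Write sysroot fields" to "Write KBL Param fields" changes its anchor, so any inbound link to #Write_sysroot_fields now breaks; either add a redirect-style note or grep the wiki for the old anchor. The description "Writes most of KBL Param fields ???" is still a placeholder; the call site already shows what goes in (line_0x510, line_0x50A, boot_type, is_resume, a3), so listing which KBL Param fields those populate would replace the question marks with something useful.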
Line 526: Line 526:  
== Session key/coredump encryption ==
 
== Session key/coredump encryption ==
   −
0x20 random bytes are generated and written to keyslot 0x51A. Then, the buffer is encrypted with aes128-cbc using coredump_key and coredump_iv. The result is copied to sysroot buffer +0x100 (0x1F000200)
+
0x20 random bytes are generated and written to keyslot 0x51A. Then, the buffer is encrypted with aes128-cbc using coredump_key and coredump_iv. The result is copied to KBL Param +0x100 (0x1F000200)
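Review bot: this hunk only renames the destination ("KBL Param +0x100 (0x1F000200)"), but the sentence leaves the key material underspecified: it should state where coredump_key and coredump_iv come from (fixed, or derived per boot), since with a static IV the 0x20-byte session key encrypts to two CBC blocks whose first block is a deterministic function of key and IV. It would also help to say explicitly that the plaintext random bytes go only to keyslot 0x51A and that KBL Param receives the encrypted copy, which is the point of the construction as described.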