6,028
edits
Changes
Jump to navigation
Jump to search
Line 3:
Line 3: − + Line 168:
Line 168: − clear_sysroot_801C0C(); + − + Line 193:
Line 193: − + Line 252:
Line 252: − syscon_read_cmd_0x1082_ptr_0x4a0_into_sysroot_802346(); + Line 288:
Line 288: − write_sysroot_fields_from_syscon_801FC0(); + Line 405:
Line 405: − + − write_sysroot_801C36((__int64)line_0x510, (__int64)line_0x50A, boot_type, is_resume, a3); + − + Line 526:
Line 526: − +
no edit summary
This flags is set to bigmac keyring 0x50C.
This flags is set to bigmac keyring 0x50C.
Defined at same time as [[Sysroot#Boot type indicator 1]] and embeds some common information but with different flags.
Defined at same time as [[KBL Param#Boot type indicator 1]] and embeds some common information but with different flags.
{| class="wikitable"
{| class="wikitable"
LABEL_32:
LABEL_32:
v20 = 0;
v20 = 0;
clear_kbl_param_801C0C();
goto LBL_123;
goto LBL_123;
}
}
if ( copy_sysroot_to_0x4001FD00_801C1E() )
if ( copy_kbl_param_to_0x4001FD00_801C1E() )
{
{
is_resume = 1LL;
is_resume = 1LL;
Coldboot/resume is determined from bit 7 of boot_type returned by syscon. Then, something with dram??? If boot type is resume but TZ magic word (0x9E3199B7) isn't present, it changes boot type to coldboot.
Coldboot/resume is determined from bit 7 of boot_type returned by syscon. Then, something with dram??? If boot type is resume but TZ magic word (0x9E3199B7) isn't present, it changes boot type to coldboot.
If coldboot, sysroot buffer at 0x1F000100 is cleared, otherwise it's restored from 0x4001FD00. Then, some check on emmc crypto reg??? <code>sub_806B58(0x40000500LL, 0x1000LL);</code>???
If coldboot, KBL Param at 0x1F000100 is cleared, otherwise it's restored from 0x4001FD00. Then, some check on emmc crypto reg??? <code>sub_806B58(0x40000500LL, 0x1000LL);</code>???
=== Factory firmware check ===
=== Factory firmware check ===
report_error_808CAA(1LL, 86LL, v24, 0LL);
report_error_808CAA(1LL, 86LL, v24, 0LL);
if ( !v20 )
if ( !v20 )
syscon_read_cmd_0x1082_ptr_0x4a0_into_kbl_param_802346();
if ( !(_DWORD)is_resume && !v23 )
if ( !(_DWORD)is_resume && !v23 )
dmac_wait_804C16(&ctx);
dmac_wait_804C16(&ctx);
sub_808B66(1LL);
sub_808B66(1LL);
}
}
write_kbl_param_fields_from_syscon_801FC0();
keyring_writeX_80250C(0x510LL, (__int64)line_0x510, 0x20LL);
keyring_writeX_80250C(0x510LL, (__int64)line_0x510, 0x20LL);
memset((__int64)line_0x50A, 0LL, 0x10LL);
memset((__int64)line_0x50A, 0LL, 0x10LL);
If coldboot, make sure that kbl version is not lower than factory firmware version.
If coldboot, make sure that kbl version is not lower than factory firmware version.
=== Write sysroot fields ===
=== Write KBL Param fields ===
<pre>
<pre>
write_kbl_param_801C36((__int64)line_0x510, (__int64)line_0x50A, boot_type, is_resume, a3);
set_status(96LL);
set_status(96LL);
</pre>
</pre>
Writes most of sysroot fields ???
Writes most of KBL Param fields ???
=== TODO ===
=== TODO ===
== Session key/coredump encryption ==
== Session key/coredump encryption ==
0x20 random bytes are generated and written to keyslot 0x51A. Then, the buffer is encrypted with aes128-cbc using coredump_key and coredump_iv. The result is copied to sysroot buffer +0x100 (0x1F000200)
0x20 random bytes are generated and written to keyslot 0x51A. Then, the buffer is encrypted with aes128-cbc using coredump_key and coredump_iv. The result is copied to KBL Param +0x100 (0x1F000200)