Difference between revisions of "F00D"

From Vita Development Wiki
Line 572: Line 572:
 
r1=?
 
r1=?
 
r2=?
 
r2=?
r3=?
+
r3=keys, ptr to { void *aes_key, void *rsa_pubkey_and_exp }
 
r4=?
 
r4=?
 
sp0=sce_type (distinguishes rvk from self)
 
sp0=sce_type (distinguishes rvk from self)
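Review bot: on the changed r3 line, the struct is described only as two untyped pointers (`void *aes_key`, `void *rsa_pubkey_and_exp`), which is not enough to use the signature. Suggest noting the size each pointer refers to, and how the public key and exponent are laid out behind the single `rsa_pubkey_and_exp` pointer.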

Revision as of 23:18, 20 March 2017

Files

Calling convention

  • $1 = arg0
  • $2 = arg1
  • $3 = arg2
  • $4 = arg3

Unmodified by callee: $5, $6, $7, $8

Clobbered by callee: $9, $10, $11, $12


Configuration

Note: This was dumped with an sm exploit. Some options are read/write, so the values might differ.

$opt

0x03FD0201 (devkit)

This register is read-only.

  • CBS = 00: coprocessor data bus width 32-bit
  • DBS = 00: DSP data bus width 32-bit
  • 0
  • HWE = 0: hardware engine off
  • DIV = 1: 32-bit divide instruction on
  • MUL = 1: multiply instruction on
  • BIT = 1: bit manipulation instruction on
  • SAT = 1: saturation instruction on
  • CLP = 1: clip instruction on
  • MIN = 1: min/max instruction on
  • AVE = 1: average instruction on
  • ABS = 1: abs instruction on
  • 0
  • LDZ = 1: leading zero instruction on
  • BIS = 00: bus interface width is 32-bit
  • LBS = 00: local bus interface width is 32-bit
  • 0
  • TCN = 010: 2 timer/counter channels
  • 0
  • VL64 = 0: 64-bit VLIW off
  • VL32 = 0: 32-bit VLIW off
  • COP = 0: coprocessor off
  • 0
  • DSP = 0: DSP off
  • UCI = 0: UCI off
  • DBG = 1: DBG on (devkit only?)


F00D messages

These are sent to ARM using the lower 16 bits at 0xE0000000. Once ARM has read a message, the field is set to 0.

ARM can write a 32-bit response to 0xE0000010. For ARM->F00D, bit0 is used to indicate that the message was written by ARM.

     1 = Request succeeded
     4 = Debug string
 0x101 = Main init started
 0x102 = Sm can be loaded/resumed
 0x103 = Sm resumed successfully
 0x104 = Sm was shut down
 0x106 = Main shutting down
 0x107 = Suspend beginning
 0x108 = Ready for suspending, when using the async version.
0x8016 = Error: Invalid address range
0x802F = Error: Failed to init E003, E006.


Debug prints

secure_kernel supports tracing to a buffer.

Enabled by -7FF8h($gp) being non-zero. The out-buf address is stored in -7FF4($gp). It writes in a loop, 16 bytes at a time, inserting a null-terminator at buf[15] of each "line".

After the out-buf is written, it writes 0x20000 to 0xE0000000. This will either signal ARM or disable ARM communications. Then it enters an infinite loop; this is a panic function.

Print types

Addresses are xored with a stack cookie that's fixed for all functions.

SuspendEncrypt BadAddr:                        00000003
SWI 1 BadAddr:                                 00000004
SWI 1 UnreachableCode:                         00000006
SWI 7 UnreachableCode:                         00000007
Addrcheck IntegerOverflow Food:                0000000B
Addrcheck IntegerOverflow Kernel:              0000000B
Addrcheck IntegerOverflow Module:              0000000C
IRQ register func w irq enabled:               0000000E
Force exit dmac w irq enabled:                 0000000F
Crypto irq enabled:                            00000010
Resuming suspendbuf w irq enabled:             00000012
Creating suspendbuf w irq enabled:             00000013
Reset:                                         00000014 <xored-exception-lr> <xored-exception-pc> <exception-lr>
RI:                                            00000015 <xored-exception-pc>
ZDIV:                                          00000016 <xored-exception-pc>
Trace:                                         00000017 <func-addr>
SWI 7:                                         00000018 <xored-r1>
DMAC when updating suspendbuf key:             00000019 <ret-val>
DMAC cmac bad enum:                            0000001A <enum-value>
Bad enum to suspend AES-CBC function:          0000001B <enum-value>
Generating new suspendbuf key failed:          0000001C
Creating suspendbuf w irq8 module-registered:  0000001D
Addrcheck IntegerOverflow Tz:                  0000001E
Addrcheck IntegerOverflow Tz2:                 0000001F
Bad ptr to suspend AES-CBC function:           00000020
IRQ register func w bad irq number:            00000022
Received unknown IRQ:                          00000023

SWI

When the swi-handler is entered, the stack is set to 0x00807CC0. It stores the context (all regs) on this stack. Then the stack is set to 0x00807C40, from which it loads the SPRs $tp, $gp, $sp. After the SWI has been executed, it restores the context from the first stack.

in_r4 = Syscall number, starting with 1.

There are only 8 syscalls. Syscall numbers >= 8 are ignored by the handler, which returns error 0x800F032C.


IRQ

When irq-handler is entered stack is set to 0x00807B40. Then it reads irq number from control bus space using the ldcb instruction. Irq number must be < 12, otherwise panic.

Then it sets up a special "user irq" context:

 sp = 0x0080B000
 tp = userctx.tp
 gp = userctx.gp 
 <rest same as kernel irq context>

And calls the function with r1=irq_id. The table is empty in the dump.

Above holds for all irqs except 8, which is special, see below.

Just before calling the callback, interrupts are enabled again. This leads to reentrancy vulnerabilities.

IRQ8

IRQ8 is the 8th interrupt. This is the one triggered when ARM sends a request to F00D using 0xE0000010. And secure_kernel has a handler for this one.

IRQ9

This interrupt is sent when ARM writes to sm cmd registers (0xE0000014 and maybe more?). It's handled inside every sm module.

Context structure

This is used in suspend buffer at offsets +0x40 and +0xA0.

0x0:  udef $1   $2   $3
0x10: $4   $5   $6   $7
0x20: $8   $9   $10  $11
0x30: $12  $tp  $gp  $sp
0x40: $lp  $sar $rpb $rpe
0x50: $rpc $hi  $lo  $epc

First word +0 is not used.

The special "$tmp" register is not context-saved. So this could be attacked if there is SM code that is using it.

F00D Commands

Handler starts with a switch statement that handles reset commands.

For a command 0x100401: 0x10 is the size of the shared buffer that's used by the f00d handler, 0x4 is the command ID, and 0x1 is a validity flag(?).

None of the following 5 commands are enabled/disabled depending on f00d-state. These are all unconditional.

0xB01

 Waits for debugger.
 Then does some OTP protection stuff?

0xC01

  Reads EEPROM blk 0x50C.
  If lower 4 bits are nonzero:
    Waits for debugger
    Then does some OTP protection stuff?

0xD01

  Reads EEPROM blk 0x50C.
  If lower 4 bits are nonzero:
    Does same thing as 0xB01.

0xE01

 Does same thing as 0xB01.
 Then reads 3 bytes from debugger.
 If they are ASCII " 01" then it writes 6 to 0xE0070014.

0xF01: GetEncryptedInfoBlk

 It encrypts a block of size 0x80 with key=eeprom_blk_515, and hardcoded iv from .data.
 Block looks like this:
   +0x00: Magic (0xACB4ACB1)
   +0x04: One
   +0x08: Random (read from 0xE005003C)
   +0x0C: Zero
   +0x10: EEPROM sector 0x511
   +0x30: EEPROM sector 0x512
   +0x50: EEPROM sector 0x517
   +0x70: AES-256-CMAC using key from EEPROM sector 0x514.
 It memcpys this encrypted info-blk size 0x80 to 0x4001FF00.
 Then it programs (u32)1, followed by zeroes, to EEPROM sector 0x516.

After processing, 0xFFFFFFFF is written to 0xE0000010. Then comes the real switch. This one gives different func-ptrs. But before func-ptr is called there's a check in a table-lookup based on f00d-state. So not all cmds are allowed in all states. If not allowed error 0x8029 is sent.

Then it reads lower u16 of f00d mailbox. If all zeroes then it returns 0x802D. Then it reads lower u16 and now wants it to be 0, if not it returns 0x802D.

After this it finally calls the funcptr for cmdhandler. For unknown cmdid it returns 0x802A.

The allowed commands are as follows:

  State: 0   Allowed: 0
  State: 1   Allowed: 0
  State: 2   Allowed: 2
  State: 3   Allowed: 78E
  State: 4   Allowed: 2
  State: 5   Allowed: 72
  State: 6   Allowed: 42
  State: 7   Allowed: 2
  State: 8   Allowed: 2
  State: 9   Allowed: 0
  State: 10  Allowed: 0

todo: Decode these.

0x101: ArmPanic

 Sets food-state to 9.
 This will later cause main() to return, triggering memclr + infloop.
 Then it writes 0xF to control bus addr 0.
 Control bus addr 0 is interrupt controller, but bits don't match architecture doc.
 Corrupt code?
 Followed by 3 NOPs. Wat.

0x500201: LoadModule

 Reads 0x50 bytes from ArmBuffer into buf.
 If *(buf+4) and *(buf+8) are not aligned to 4 it fails.
 Then it TZ-checks addr *(buf+4) size 4.
 Then it TZ-checks addr *(buf+4) size 8.
 If any of these 3 checks fail, return code is 0x8016 or panic.
 Then it sets food-state to 4.
 memcpy(sp+0x68, buf+0x30, 0x20);
 *(sp+0x58)  = *(buf+0x28)
 *(sp+0x5C)  = *(buf+0x2C)
 *(sp+0x178) = *(buf+0x24)
 *(sp+0x54)  = *(buf+0x20)
 Then it calls the big function to load the SM with args (sp, sp+0x50).
 If it fails then either panics or returns 0x800000FF.
 It saves the address for "0x40-buf", without checking it to be in Tz.
 This is okay because they check before writing to it.
 Then it gets the address for the "shared buf", and loads arg0-arg3 from this ptr.
 Then it sets epc to 0x0080B000, sp to 0, gp to 0.
 And uses reti to jump to it.

0x100301: RestoreModule

  Reads 0x10 bytes from shared buf.
  Checks alignment on stuff also.
  TZ-check on *(buf+4) size 4, *(buf+8) size 8, *(buf+12) size 0x18. On fail sends 0x8016.
  After that it sets state to 4.
  Then it calls the big restore function.
  If it fails it zeroes module region, sends reply 0x8024, sets state to 3, and sends 0x102.
  If success, it sets the "0x40-buf" to *(buf+8), sets state to 5, and sends back 0x103.

0x100401: RequestModuleSuspend

 Reads 0x10 bytes from shared buf.
 Verifies alignment on *(buf+4), *(buf+8), *(buf+12).
 Verifies the following tz-ptrs:
   *(buf+8) size 4
   *(buf+4) size 8
   *(buf+12) size 0x18
 If bad it returns 8016.
 Sets f00d-state to 6.
 If sm is not ready for suspend, it saves the buf in bss.
 Also sets the flag that suspend has been requested then returns.
 If sm is ready to suspend, it calls the suspend function.

0x501: SubscribeSuspendAsyncEvent

 Sets f00d-state to 6.
 If sm is ready to be suspended, sends 0x108 and moves into state 7.

0x601: ForceExitModule

 Sets f00d state to 6.
 Then it calls a function that:
    * Calls a function that appears to stop DMAC.
    * Zeroes the module region.
    * Flushes cache.
    * Writes some unknown DMAC registers.
    * Does a soft-reset.

0x80901: SetTraceBuffer

 Shared buf:
   +0: Addr
   +4: Size
 Checks that region is valid TZ, then sets them in the state.
 On bad addr, it sends error 0x8016, otherwise it sends 1.
 It also prints "rev %s\n" with "5679", however that only happens for some OTP configs.

0x80A01: SetRevocationList

 Reads 8 bytes from "shared buf".
 Calls the function to set the revocation list.
 If that function returns error x, the error that gets sent back is x&0xFF.
 On success, 1 is sent back.

ResumeModule

It checks the suspendbuf-state already in f00d-memory. Checks magic, version, and size. On fail 0x800F0324. Then it uses the easter value to get the key into keyslot 0x22 and 0x33 somehow. Called function does this.

Then it calculates CMAC of the header that's already in f00d-memory into a buf on stack.

Then it calls a corrupted function that probably is this:

   SuspendBufReadPalist(
       dst=suspendContextBuf, size=0x140, skip=0x40, shared_buf, sp0=4, sp4=&some_stack_buf)

Then it continues the CMAC calculation on both contexts just read from ARM.

Then it calls a corrupted function that probably is this:

   SuspendBufReadPalist(
       dst=module_base, size=module_size+0x1C0, skip=0x180, shared_buf, sp0=4, sp4=&some_stack_buf)

Note that size here is read by the f00d header before the ARM one is copied in. So we can't modify it in this call unfortunately.

Then it continues the CMAC calculation on the module just read.

Then it calls the update keyslot 0x22 and 0x23 function. This is to prevent next suspendbuf from having the same key?

After that it does a timing-safe memcmp loop to verify the CMAC on stack against the header. Returns 0x800F0324 on CMAC cmpfail.

If the hash checks out, it memcopies the contexts to wherever they were saved from. It loads all func-ptrs for IRQ listeners that were saved. It resets the F00D io-state that was saved. It sets the MeP irq mask, but it makes sure to first mask away non-allowed ones.

Then it calls a function that calls the easteregg function. Probably to generate a new key.

SuspendModule

Sends arm message 0x107.

Force-exits DMAC.

Then calls the CreateSuspendBuf function.

Regardless of result, it then jumps to ForceExitModule.

CreateSuspendBuf

Input:

 r1: shared_buf_contents
 r2: 0=is_arm_cmd, 1=is_syscall

It calculates the size of suspend buf as follows:

  module_region_size + 0x1C0

Then it calls an easteregg function? Then it memsets a buffer size 0x10 to zeroes. Then it checks and panics if irq enabled.

Then it writes the following to a struct in .data:

    +0 = 0x534D4300 (Magic)
    +4 = 1          (Version?)
    +8 = <return-of-easteregg-function>
    +12 = total_size

Then, depending on r2, it copies 0x60 from the irq8/swi saved-user-context to:

   +0x40

Then it copies the non-8-irq saved-user-context to:

   +0xA0

Then it writes the user irq handlers to suspend-buf:

   +0x100 = irq_1_func
   +0x104 = irq_2_func
   +0x108 = irq_3_func
   +0x10C = irq_4_func
   +0x110 = irq_5_func
   +0x114 = irq_6_func
   +0x118 = irq_9_func
   +0x11C = irq_10_func
   +0x120 = irq_11_func

Then it writes (f00d io state):

   +0x124 = *0xE0000004
   +0x128 = *0xE0000008
   +0x128 = *0xE000000C (Bug in sony code, this should be 0x12C!)
   +0x130 = *0xE0000014
   +0x134 = *0xE0000018
   +0x138 = *0xE000001C

Then it memsets:

   +0x140 size 0x40 = zeroes

Then it copies the following to an ARM shared buf ptr:

   *(*(buf+12)   ) = *(suspend_buf+0x130);
   *(*(buf+12)+ 4) = *(suspend_buf+0x134);
   *(*(buf+12)+ 8) = *(suspend_buf+0x138);
   *(*(buf+12)+12) = *(suspend_buf+0x124);
   *(*(buf+12)+16) = *(suspend_buf+0x128);
   *(*(buf+12)+16) = *(suspend_buf+0x12C);

Without verifying ptr, but ptr was verified in cmdhandler!

Then it gets the MeP irq-mask and stores it at:

    +0x13C = mep_irq_mask

Then it panics if module has irq8 registered, but this cannot happen.

Then it calls SuspendBufWritePalist to copy the plaintext header:

   SuspendBufWritePalist(
       src=suspend_buf, size=0x40, skip=0, shared_buf, sp0=1, sp4=0)

Then it starts calculating an AES-CMAC over this header:

   dmacAesCmacKeyslot23(
       dst=suspend_buf+0x180, src=suspend_buf+0, size=0x40, 1/*start*/)

Then it calls SuspendBufWritePalist again to copy the first encrypted part:

   SuspendBufWritePalist(
       src=suspend_buf+0x40, size=0x140, skip=40, shared_buf, sp0=3, sp4=&some_stack_buf)

Then it sets up args for another CMAC call but corrupted instruction?

   dmacAesCmacKeyslot23(
       dst=suspend_buf+0x180, src=suspend_buf+0, size=0x140, 2/*update*/)

Then it finally writes the encrypted module:

   SuspendBufWritePalist(
       src=module_base, size=module_size, skip=0x180, shared_buf, sp0=3, sp4=&some_stack_buf)

Then another corrupted instruction ruins things.. :(

   dmacAesCmacKeyslot23(
       dst=suspend_buf+0x180, src=module_base, size=module_size, 3/*final*/)

Then it writes the CMAC on the end:

   SuspendBufWritePalist(
       src=suspend_buf+0x180, size=0x40, skip=module_size+0x180, shared_buf, sp0=3, sp4=&some_stack_buf)

Encryption is done using DMAC channel 0, and CMAC is using channel 1.

Then it uses a Dmac feature to overwrite the keyslots 0x22 and 0x23 with output from itself. It uses AES-ECB to crypt a key in .data with key from keyslot 0x347.
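The suspend buffer offsets from this section and from "Context structure", written out as C structs together with the header check that ResumeModule is described as doing. This is an added example, not Sony's or the wiki's code: field names, the success value 1, the comparison of total_size against module size + 0x1C0, and the 0x40 offset of the second region (the write call above lists skip=40, the read in ResumeModule uses skip=0x40) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SUSPEND_MAGIC    0x534D4300u
#define SUSPEND_VERSION  1u
#define SUSPEND_OVERHEAD 0x1C0u       /* total_size = module_region_size + 0x1C0 */
#define ERR_SUSPEND_BAD  0x800F0324u  /* bad magic/version/size, or CMAC mismatch */

/* Saved register context, 0x60 bytes ("Context structure"). */
typedef struct {
    uint32_t unused;                  /* +0x00 first word is not used */
    uint32_t r[12];                   /* +0x04 $1..$12 */
    uint32_t tp, gp, sp;              /* +0x34 */
    uint32_t lp, sar, rpb, rpe;       /* +0x40 */
    uint32_t rpc, hi, lo, epc;        /* +0x50 */
} f00d_ctx_t;

/* Suspend buffer as built in f00d memory. Names are hypothetical. */
typedef struct {
    uint32_t   magic;                 /* +0x000 */
    uint32_t   version;               /* +0x004 */
    uint32_t   key_seed;              /* +0x008 return of the "easteregg" function */
    uint32_t   total_size;            /* +0x00C */
    uint8_t    hdr_rest[0x30];        /* +0x010 rest of the 0x40-byte plaintext header */
    f00d_ctx_t ctx_cmd;               /* +0x040 irq8/swi saved user context */
    f00d_ctx_t ctx_irq;               /* +0x0A0 non-8-irq saved user context */
    uint32_t   irq_func[9];           /* +0x100 irq 1,2,3,4,5,6,9,10,11 */
    uint32_t   io_state[6];           /* +0x124 0xE0000004/08/0C/14/18/1C */
    uint32_t   mep_irq_mask;          /* +0x13C */
    uint8_t    zeroes[0x40];          /* +0x140 */
    uint8_t    cmac_area[0x40];       /* +0x180 */
} suspend_buf_t;

/* 1 if the structs reproduce every offset listed on the page. */
int suspend_layout_ok(void)
{
    return sizeof(f00d_ctx_t) == 0x60
        && offsetof(f00d_ctx_t, tp) == 0x34
        && offsetof(f00d_ctx_t, epc) == 0x5C
        && offsetof(suspend_buf_t, ctx_cmd) == 0x40
        && offsetof(suspend_buf_t, ctx_irq) == 0xA0
        && offsetof(suspend_buf_t, irq_func) == 0x100
        && offsetof(suspend_buf_t, io_state) == 0x124
        && offsetof(suspend_buf_t, mep_irq_mask) == 0x13C
        && offsetof(suspend_buf_t, zeroes) == 0x140
        && offsetof(suspend_buf_t, cmac_area) == 0x180
        && sizeof(suspend_buf_t) == SUSPEND_OVERHEAD;
}

/* module size + 0x1C0, or 0 if that would wrap 32 bits. */
uint32_t suspend_total_size(uint32_t module_size)
{
    if (module_size > UINT32_MAX - SUSPEND_OVERHEAD) return 0;
    return module_size + SUSPEND_OVERHEAD;
}

/* Magic, version and size check; 1 = ok (assumed), else 0x800F0324. */
uint32_t suspend_header_check(const suspend_buf_t *sb, uint32_t module_size)
{
    uint32_t want = suspend_total_size(module_size);
    if (sb->magic != SUSPEND_MAGIC || sb->version != SUSPEND_VERSION)
        return ERR_SUSPEND_BAD;
    if (want == 0 || sb->total_size != want)
        return ERR_SUSPEND_BAD;
    return 1;
}

/* The four regions written to ARM memory, with the sp0 mode of each call. */
typedef struct { const char *name; uint32_t off, len; int sp0; } suspend_region_t;

suspend_region_t suspend_region(uint32_t module_size, int idx)
{
    const suspend_region_t r[4] = {
        {"header",         0x000u,               0x40u,       1},
        {"contexts+state", 0x040u,               0x140u,      3},
        {"module",         0x180u,               module_size, 3},
        {"cmac",           module_size + 0x180u, 0x40u,       3},
    };
    return r[idx & 3];
}

/* Compare that does not stop at the first differing byte (timing-safe). */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void)
{
    uint32_t module_size = 0x16000u;   /* constructed sample: size of the Module range */
    suspend_buf_t sb = {0};
    sb.magic = SUSPEND_MAGIC;
    sb.version = SUSPEND_VERSION;
    sb.total_size = suspend_total_size(module_size);
    printf("layout ok=%d header check=0x%X\n", suspend_layout_ok(),
           (unsigned)suspend_header_check(&sb, module_size));
    for (int i = 0; i < 4; i++) {
        suspend_region_t r = suspend_region(module_size, i);
        printf("%-15s off=0x%05X len=0x%05X sp0=%d\n", r.name,
               (unsigned)r.off, (unsigned)r.len, r.sp0);
    }
    return 0;
}
```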


SuspendBufWritePalist

 r1=src
 r2=size
 r3=skip_offset
 r4=shared_buf_ptr
 sp0: 0=plaintext, 1=plaintext, 2=encrypt, 3=decrypt, 4=?
 sp4=?

It panics if shared_buf_ptr is NULL. Then it loops through the pa-list and writes; each entry is checked to be within the Tz region. If an entry is outside, it panics with value 3.

For pseudocode see below:

u32 left = r2;        // size: bytes still to transfer
u32 skip = r3;        // skip_offset
u32 switch_id = sp0;

for(i=0; i<num_pa; i++) {
  pa_t pa;
  read_pa(&pa, pa_list[i]);

  // <checks tz region on pa>

  u32 out = pa.addr;
  u32 sz  = pa.size;

  if (skip != 0) {
    if (pa.size < skip) {
      skip -= pa.size;
      continue;
    }

    out += skip;
    sz  -= skip;
  }

  sz = MIN(sz, left); // only write at most how much we have left
  switch(switch_id) {
  case 0:
    dmacSetup(0,dst,src,buf,0,0,0,1);
    break;
  case 1:
    dmacSetup(0,dst,src,buf,0,0,0,1);
    break;
  case 2: // start decrypt
    dmacSetup(0,dst,src,buf,0x22,*sp4,0x10A,1);
    break;
  case 3: // start encrypt
    if (sp4 == shared_buf_ptr) panic("%08x\n", 0x20);
    dmacSetup(0,dst,src,buf,0x22,*sp4,0x109,1);
    break;
  case 4: // hash? dmac function 0x13B
    // todo
  default: panic("%08x %08x\n", 0x1B, switch_id);
  }

  if (dmacWaitForFinish(0)) {
     panic("%08x %08x\n", 0x19, err_code);
  }

  left -= sz;
  src  += sz;
}

Note:

  • It only checked the palist ptr for size=8 in the cmdhandler.
  • Thus it can read outside Tz region for rest of palist.


LoadModule

If either num_paddrs or paddr_list is NULL, return error 0x8016. Then it copies rsa pubkey + exponent to stack bufs.

if ((partition_id & 0x1l000) == 0)
    *0xE0050104 = 3;

... Ends up calling SceDecrypt.


SceDecrypt

 r1=?
 r2=?
 r3=keys, ptr to { void *aes_key, void *rsa_pubkey_and_exp }
 r4=?
 sp0=sce_type (distinguishes rvk from self)
 sp4=
 sp8=
 spC=
 sp10=expect2, ptr to { u32 a; u32 b; }

  • Error 0x800F0000 if bad magic 'SCE\0'.
  • Error 0x800F0000 if *(sce+4) != 3. (version)
  • Error 0x800F0000 if not *(u8*)(sce+8) & 0x40. (sdk_type)
  • Error 0x800F0624 if *(u8*)(sce+8) & 0x80. (sdk_type)
  • Error 0x800F0624 if *(u16*)(sce+10) != sce_type. (header_type)
  • Error 0x800F0624 if *(sce+12) not aligned to 16. (metadata_offset)
  • Error 0x800F0624 if (expect >= 0) && *(sce+12) != expect. (metadata_offset)
  • Error 0x800F0624 if (expect2->b >= 0) && ((*(sce+16) != expect2->a) || (*(sce+20) != expect2->b)) (header_len, data_len)
end_offset  = *(sce+12); (metadata_offset)
end_offset += 0x90;

Returns 0x800F0624 on overflow. Checks if end_offset > paddr[0]->size, returns 0x800F0624 on fail.

Error 0x800F0624 if *(sce+16) not aligned to 16. If *(sce+20) < end_offset return 0x800F0624.

Then a big fucking loop, this is most likely for walking the paddr_list.

crypto::Biggie

This function where da action at. Has 4 register arguments and 5 stack arguments.

  • arg0: always 1?
  • arg1: always 0?
  • arg2: first 0, then 2 then 0.

todo

dmac::Operation

This function does the crypto.

arg0:     src_pa
arg1:     dst_pa
arg2:     size
arg3:     ??
sp_arg0:  iv/ctr? align? padding? Must be aligned to 4.
sp_arg4:  ptr to {
              u32 device_select; // 0=0xE0050000, 1=0xE0050080
              u32 unk;
          }

Returns 0x8000F016 if src/dst/padding is not aligned to 4.

It writes src_pa, dst_pa, size. todo

Entrypoint

The entrypoint of secure_kernel is +0x100. First thing it does is disable irq. Then it zeroes the bss segment 8 bytes at a time.

It sets up $sp to 0x808FF0, and $gp to 0x80F8A8. Then it sets dbg::TraceEnableFlag to *0xE005003C.

In the dump trace was enabled, and buf_ptr was 0x4002C160.

Then it sets up cfg:

    * Clears bit4 (EVM), this moves exception vectors to 0x00800000.
    * Sets bit3 (IVM), this enables interrupt table at 0x00800030.

Then it copies a jmp instruction to the reset-vector, unsure why.

Then it calls a function that sets up icache: If icache size is 0, function just returns without doing anything. It also bails if icache line width is < 2 or >= 5 (reserved values).

Then it calls a function at 0x400B0, which is uncached code that does:

  • Enable icache.
  • ORs 0x400 into CFG (this is "reserved" according to datasheet!).

Then it calls a function that just iterates through an empty table of function pointers. C++ object initialization?

Then it calls main().

Then it calls a function that just iterates through an empty table of function pointers, again. C++ object dtors.

Finally goes into death-mode:

Writes a jump instruction to inf-loop to the reset-vector. This works because jmp instruction encoding contains an abs address.

Sets $lp = inf_sleep_loop.

Then it sets up args and jumps to a small stub at 0x008000E0. This small stub clears everything in f00d-mem in the region 0x00800100-0x8080FF0. Unknown why last 0x10 bytes are not cleared.


main()

Interrupts are disabled when this is called. First thing it writes 0x2000F to 0xE0020000. Probably sets up the device.

It checks the f00d-state, and if it's 1 (cold boot?), it does the following:

  * Writes 0xFFFFFFFF to 0xE0000010.
  * Calls a big function that initializes 0xE0030000.
  * Sends ARM-message 0x101.
  * Sets f00d-state to 2.
  * Waits for ARM to send address for shared buffer and writes it to a state.
  * Writes 0xFFFFFFFF to the ARM mailbox.
  * If the big function above failed it:
    Sends msg 0x802F to ARM
    Calls a function that deinitializes 0xE0030000.
    Returns from main(), triggering F00D memclear + hang.

Then it calls the following function regardless of state:

 if *E0020004 & 0xFFFFFFEF != 0: return 0x800F032F
 if *E0010004 != 0x80000005:     return 0x800F032F
 if *E0062020 & 0xFFFFFFF4 != 0: return 0x800F032F
 This function detects downgrades!
 if 0x1692000 != eeprom_read_fw_version(): return 0x800F0337;
 return 1;

If this function fails, it does same thing as when the other fails.

Then it calls a function that initializes MeP IRQ controller. Then it calls a function that enables "software interrupt 3", dafuk is this.

Then it sets f00d state to 3. Then it sends msg 0x102 to ARM.

Then it calls a function to save the kernel context to an address. This context is later loaded when processing SWI and IRQs.

Enable interrupts.

After that comes the main sleep-loop.

When main-loop exits (when state is 9) it sends ARM message 0x106. It also does the common error-path code described above.

Main always returns 0 but it's ignored so who cares.


Syscalls

1: Unload

  Sets f00d-state to 8.
  Writes r1 to "the shared2-buf".
  Sends msg 1 to ARM.
  Then it uses dmac with operation 0xC to memset entire module region to 0.
  Finally it jumps to secure_kernel entrypoint, triggering a softreboot.

2: ReadyToSuspend

  This just writes 1 to a state-field and returns 1,
  or returns 0x800F0329 if it's already non-zero.
  This flag tells kernel whether or not the module is ready to be suspended.

3: SuspendSelfIfRequested

  Returns 0x800F0329 if SuspendReady wasn't called prior to this.
  It checks a flag if 0x501 cmd has subscribed to the event.
  Then it will send msg 0x108 to ARM and goes into f00d-state 7.
  Regardless of that flag it also checks whether or not ARM has requested suspend.
  If so then it calls the suspend function.
  Otherwise it just returns 1.

4: RegisterIrqHandler

  r1 = irq-number
  r2 = func-ptr (or NULL to deregister)
  r3 = old-func-ptr-out (or NULL to ignore)
  Checks that r1 is < 12, and it also checks it against a mask of allowed sm IRQs:
    if (r1*2) & 0xE7E == 0: fail
  On either failure returns 0x800F0316.
  Checks that r2 is inside the module range or NULL, returns 0x800F030E on fail.
  Checks that r3 is inside the module range or NULL, returns 0x800F030E on fail.
  Returns 0x800F0316 if r2 not aligned to 2, or if (r3 & 2) != 0.
  Calls a function to get current function ptr in the irq-table entry for irq-number r1.
  Then it calls a function to register irq listener.
  This function does the following:
     Check addr, check irq number, panic on fail.
     Write r2 to IRQ func-ptr table.
     It reads the MeP interrupt mask register from control bus.
     Then depending on whether r2 was NULL or not, it sets n:th bit in the mask, where n is the IRQ number.
     Then it writes it back to MeP to enable the interrupt.
  Then it will write the old-func-ptr (before was overwritten) to r3, if r3 not set to NULL.

5: TracePrintf

  This just printfs with "%s" to the emit buffer, and returns 1.

6: CheckRvkList

  If r1 or r2 is 0 it returns 0x800F0B16.
  Then it checks that r1 size 0x130 is in module region.
  And that r2 size 0x80 also, same error.
  It returns 0x800F0326 if no rvk list has been inited.
  After that it returns result of the revocation checking function
  (same as used for sm normally).

7: UnloadPanic

  This one trace-printfs.
  Then it sets f00d-state to 8.
  Then it writes 0x800F033B to the "0x40 buffer".
  Then corrupted insn?
  Then it zeroes the module region and soft-reboots.

8: ReadEepromFlag

  This reads a bool from eeprom block 0x510 byte16 bit31.

CheckAddrRange(addr, size, dbg_code, check_funcptr)

On integer overflow of (addr+size-1) it panics with dbg_code. Returns 1 on success, 0 on failure.

This has a fatal bug, because the check looks like this:

 if (check_funcptr(addr) || check_funcptr(addr+size-1))

Where in fact it should be:

 if (check_funcptr(addr) && check_funcptr(addr+size-1))

Range checks

  ArmTz:   if (x >= 0x40000000 || x < 0x40300000) return 1;
           return 0;

  ArmUser: cut = *0xE0062260;
           if (addr < 0x40300000) return 0;
           end = 0x40000000 + cut;
           if (addr < cut) return 1; // Overflow: why allow it?
           if (addr < end) return 1;
           return 0;

  Kernel:
           if (addr < 0x00800000) return 0;
           return addr < 0x0080A000;
  Module:
           if (addr < 0x0080A000) return 0;
           return addr < (0x0080A000+0x00016000)
  Food:
           if (addr < 0x00800000) return 0;
           return addr < 0x00820000
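The `||` versus `&&` difference described under CheckAddrRange, as an added C model that is not secure_kernel code. It uses the Module range from the list above, returns a code where the firmware would panic with dbg_code, and treats size 0 like an overflow (an assumption; the page does not say).

```c
#include <stdint.h>
#include <stdio.h>

/* Results are modelled as return codes so the two variants can be compared;
 * RANGE_PANIC stands in for the panic with dbg_code. */
enum { RANGE_REJECT = 0, RANGE_ACCEPT = 1, RANGE_PANIC = -1 };

typedef int (*range_fn)(uint32_t addr);

/* "Module" range exactly as listed under Range checks. */
static int in_module(uint32_t addr)
{
    if (addr < 0x0080A000u) return 0;
    return addr < (0x0080A000u + 0x00016000u);
}

/* Computes addr+size-1 and reports 32-bit wraparound.
 * Assumption: size == 0 is handled like an overflow. */
static int last_byte(uint32_t addr, uint32_t size, uint32_t *last)
{
    if (size == 0 || addr > UINT32_MAX - (size - 1u)) return 0;
    *last = addr + (size - 1u);
    return 1;
}

/* The check as the page describes it: one endpoint in range is enough. */
int check_addr_range_flawed(uint32_t addr, uint32_t size, range_fn in_range)
{
    uint32_t last;
    if (!last_byte(addr, size, &last)) return RANGE_PANIC;
    return (in_range(addr) || in_range(last)) ? RANGE_ACCEPT : RANGE_REJECT;
}

/* The check as the page says it should be: both endpoints in range.
 * For one contiguous region without wraparound, this implies that every
 * byte between the endpoints is in range too. */
int check_addr_range_fixed(uint32_t addr, uint32_t size, range_fn in_range)
{
    uint32_t last;
    if (!last_byte(addr, size, &last)) return RANGE_PANIC;
    return (in_range(addr) && in_range(last)) ? RANGE_ACCEPT : RANGE_REJECT;
}

/* Constructed sample ranges, chosen around the Module boundaries. */
struct range_case { const char *what; uint32_t addr, size; };

static const struct range_case cases[] = {
    {"inside module",               0x0080B000u, 0x100u},
    {"starts below, ends inside",   0x00809FF0u, 0x20u},
    {"starts inside, runs past end", 0x0081FFF0u, 0x100u},
    {"entirely outside",            0x00800000u, 0x10u},
    {"wraps 32 bits",               0xFFFFFFF0u, 0x20u},
};

int main(void)
{
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct range_case *c = &cases[i];
        printf("%-30s addr=0x%08X size=0x%X  flawed=%d fixed=%d\n",
               c->what, (unsigned)c->addr, (unsigned)c->size,
               check_addr_range_flawed(c->addr, c->size, in_module),
               check_addr_range_fixed(c->addr, c->size, in_module));
    }
    return 0;
}
```

The two variants differ only on ranges that straddle a boundary of the region, which is the case the range check exists to reject.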

Food states

 1 = Secure kernel boot value?
 2 = Secure kernel inited
 3 = Secure kernel ready to load
 4 = SM loading
 5 = SM loaded
 6 = SM suspending
 7 = SM suspended
 8 = Soft rebooting. Set by syscall 1.
 9 = Shutdown requested. Triggered by ARM command 0x101.
10 = Shutting down.

EEPROM

EEPROM is readable at 0xE0058000.

EEPROM programmer is at 0xE0030000:

  +0x00 = EEP_DATA0
  +0x04 = EEP_DATA1
  +0x08 = EEP_DATA2
  +0x0C = EEP_DATA3
  +0x10 = EEP_DATA4
  +0x14 = EEP_DATA5
  +0x18 = EEP_DATA6
  +0x1C = EEP_DATA7
  +0x20 = EEP_LINE
  +0x24 = EEP_SET_PROTECTION
  +0x28 = EEP_GET_PROTECTION_REQ
  +0x2C = EEP_GET_PROTECTION_RESP

Writing line_id to EEP_LINE will trigger writing the EEP_DATA registers into said line.

Writing ((prot<<16)|line_id) to EEP_SET_PROTECTION protects a line. prot is a bit mask, 0x1000 makes reads from f00d return 0.

Writing line_id to EEP_GET_PROTECTION_REQ returns current prot in EEP_GET_PROTECTION_RESP.


secure_kernel boot

eep::Init sets up the following protections as described in table below.

Then it verifies protection of some lines in the 0x500+ range.

secure_kernel teardown

eep::Teardown sets full protection on 0-0x7F, 0x100-0x17F, 0x200-0x217, 0x300-0x3FF.

Then it zero-programs and protects the following ranges 0x400-0x47F, 0x500-0x57F, 0x600-0x607, 0x700-0x7FF.

Table

 Lines        Protection  Per-console  Description
 0-1          0x0442      ?            ?
 2-7          0x0040      ?            ?
 8            0x0081      Yes.         enp per-console key
 9-0xF        0x0080      ?            ?
 0x10         0x0502      ?            ?
 0x11         0x0100      ?            ?
 0x20         0x0200      ?            ?
 0x21-0x24    0x061F      ?            ?
 0x25-0x2F    0x0200      ?            ?
 0x30-0x34    0x041F      ?            ?
 0x35-0x7F    0x0000      ?            ?
 0x80-0xFF    0x0000      ?            ?
 0x100        0x041F      ?            ?
 0x101-0x17F  0x0000      ?            ?
 0x180-0x1FF  0x0000      ?            ?
 0x200-0x203  0x0000      ?            ?
 0x204-0x205  0x006F      ?            ?
 0x206-0x20D  0x00A0      ?            ?
 0x20E-0x20F  0x0010      ?            ?
 0x210-0x211  0x0000      ?            ?
 0x212-0x213  0x001F      ?            ?
 0x214-0x215  0x0000      ?            ?
 0x216        0x001F      ?            ?
 0x217        0x0000      ?            ?
 0x218-0x2FF  0x0000      ?            ?
 0x300-0x33F  0x0000      ?            ?
 0x340        0x012F      ?            ?
 0x341-0x343  0x0120      ?            ?
 0x344        0x0220      ?            ?
 0x345-0x348  0x022F      ?            ?
 0x349-0x353  0x0220      ?            ?
 0x354-0x4FF  0x0000      ?            ?
 0x500        0x1800      ?            ?
 0x501        0x1000      ?            Downgrade protection? Set to 4 on 1.692, 0 on 1.05.
 0x502-0x504  0x1800      Yes          ?
 0x505        0x0000      ?            ?
 0x506        0x1800      ?            ?
 0x507        0x1800      No           ?
 0x508        0x1800      No           Revocation related. Set to 0x1060D on 1.692, 0x1010A on 1.05.
 0x509        0x1800      ?            ?
 0x50A        0x1800      ?            Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints.
 0x50B        0x1800      ?            ?
 0x50C        0x1800      No           ?
 0x50D        0x1800      No           Flags. Set to 1 on 1.692, 0 on 1.05.
 0x50E        0x1800      Yes          ?
 0x50F        0x1800      Yes          Current firmware version.
 0x510        0x1800      Yes          Factory firmware version.
 0x511        0x1800      ?            Disabled on 1.05?
 0x512        0x1800      Yes          ?
 0x513        0x1800      No           DRAM size. Set to 0x20000000 on 1.692, 0x40000000 on 1.05.
 0x514        0x1800      No?          F00d-cmd F01 AES-256-CMAC key. Protected on 1.05.
 0x515        0x1800      No?          F00d-cmd F01 AES-256-CBC key. Protected on 1.05.
 0x516        0x1800      ?            F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared.
 0x517        0x1800                   When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692).
 0x518-0x57F  0x0000      ?            ?
 0x580-0x5FF  0x0000      ?            ?
 0x600-0x602  0x1000      Yes          ?
 0x603        0x1000      No           ?
 0x604        0x1000      No           ?
 0x605-0x607  0x0000      ?            ?
 0x608-0x6FF  0x0000      ?            ?
 0x700-0x7FF  0x0000      ?            ?

IO

0xE0000000:

 Lower 16 bits: ARM mailbox

0xE0000010:

 Bidirectional ARM<->F00D mailbox
 Convention: ARM sets bit0 when writing, F00D writes -1 when done.

0xE0050000:

 Bigmac is located here.

0xE005003C:

 RNG output

0xE0058000:

 On-die EEPROM. Stores keys, per-console and console configuration.

0xE0030000:

 This is the EEPROM programmer. See above.

Bigmac

There are two channels, one located at 0xE0050000 and another at 0xE0050080.

Fields (uint32_t):

  • 0: src
  • 1: dst
  • 2: size
  • 3: function

Overall seems similar to dmac5: https://wiki.henkaku.xyz/vita/Dmac5

AES key is written to 0xE0050200.

memcpy

Function 0x0 is memcpy.

memset

Function 0xC is memset. Memset-value is written to dmac_device+0x104.

Overwrite keyslot

If you set bit28 in function, dst is keyslot-id instead of physical address. This is used to generate random key 0x22 and 0x23 for suspendbuf.

Diff vs. 105

Stack cookies weren't enabled.

Debug vector was initially a "reti" instruction, was later replaced with infloop.

sm::Suspend didn't wait for ongoing dmac operations to finish.
They fixed this bug.

sm::Load:
  An additional check added:
      ret = sub_803E8C(r6);
      if ret != 0:
          return ret;

  Now clears the 0x800 buffer using dmac-memset on some error cases.

dbg::Panic:
  Used a static buf in .bss instead of stack (for the snprintf()).
  Did not disable interrupts.

eeprom::Init
  Changed a lot. todo: Investigate later.

suspend::Aes128CbcEncDec:
  Code to "panic with 00000020 if shared_buf == NULL" was not there.

Cmd 0xF01 did not exist.

All f00d cmds that read from the shared region use a buf in .bss instead of stack.
  This allowed a race condition where you could request a suspend using cmd 0x401.
  Then just before the sm calls syscall 3 you send another F00D cmd to overwrite the sharedbuf.
  This will call sm::Suspend on a buffer that's not properly checked.

A range-check on irq-id was missing from irq::SetIrqFuncTableAndEnableIrq.
  Harmless?

dbg::EmitStr:
  Code was added to prevent it from ending up in an infinite recursion if the stack cookie gets corrupted.

The foodcmd::AllowedCmdInStateTable was unchanged.

Diff vs. 160

.bss size grew from 0x478 bytes to 0x480.

A small function was added that clears bit 1 and 10 in $cfg.
Rev changed from 5209->5679

foodcmd::Parse changed:
  Stackframe grew 0x20 bytes.
  The function that changed appears to be 0x501.

GetFirmwareVersion returns 0x16920000 instead of 0x16000000 (duh!).

eeprom::Init changed:
  Some bitmask was changed from 0x3FFFDF to 0xFFFFDF.
  Branch was removed here that programmed Eeprom blk 0x516 to all zeroes.
  The function was also extended a lot.

  Idea: Does this possibly protect additional EEPROM stuff?
  However otp::Teardown looks identical.

sm::Load changed:
  Stackframe increased from 0x1E0 to 0x220.
  However function didn't change at all.
  So they just increased size of a buffer by 0x40.

A function called by a function called by sm::Load changed:
  Stackframe increased from 0x70->0x78.
  This adds a new call to a function at the bottom.

sub_80468E->sub_8046E4 called indirectly by sm::Load changed:
  This one now writes 0x80 instead of 0x40 to a local variable.
  This is probably for the expanded buffer in sm::Load.
  Also been extended with some calls to memcpy and memset.

New function added sub_804B7A, called by rvk::CheckSm.
This is a timing-safe memcmp with hardcoded len=16.

rvk::CheckSm changed:
  Stackframe increased from 0x30 to 0x38.

Two new functions were added that are called by rvk::CheckSm:
  sub_805062
  sub_80508E

sub_805BEA -> sub_805DB2:
  Stackframe reduced 0x18->0x10.
  The function before called same function 3 times in a row, now only 2.

sub_805C4E -> sub_805DB2:
  Call to unknown function was removed. r3 to this function was 0x111.

sub_805DF8 added.
sub_805C4E removed.

Many small functions removed:
  sub_805EC4
  sub_805ECA
  sub_805EE4
  sub_805EFE
  ...

sub_80631C removed.
sub_806EFE removed.
sub_9068D2 removed.
sub_8069E2 removed.
sub_806A16 removed.

Then some code to talk to 0xE004???? was removed.

sm common code

sm modules are loaded to 0x80B000, then code from that addr is executed. These functions are called:

  • Init (__libc_init_array?)
  • main()
    • Some unknown sub is called.
    • Then it registers all cmd handlers creating a list of pairs function id=>function ptr
    • Main loop:
      • Calls syscall 4 to register interrupt 9, this is the command handler
      • Then it busyloops until some flag is set to 0
      • Calls syscall 4 to unregister interrupt 9
    • Some other unk func
  • Deinit
  • Syscall 1 is executed (unload)
  • Then it infinite loops