Difference between revisions of "Secure Services"

From MILEDROPEDIA
Jump to: navigation, search
m (security_ISW_authentication)
m (added security services from boot rom)
Line 107: Line 107:
 
| Read eFuse entry (defined in PPA from mbmloader)
 
| Read eFuse entry (defined in PPA from mbmloader)
 
|}
 
|}
 +
 +
== Security services in BootROM ==
 +
 +
<syntaxhighlight lang="asm" line>
 +
ROM:40018644
 +
ROM:40018644
 +
ROM:40018644                ; int __cdecl ROM_CRC_check(int arg_1, void *memory)
 +
ROM:40018644                ROM_CRC_check                                                        ; CODE XREF: boot_main+F0�p
 +
ROM:40018644
 +
ROM:40018644                pa              = -0x24
 +
ROM:40018644
 +
ROM:40018644 000 70 B5                      PUSH            {R4-R6,LR}                            ; Push registers
 +
ROM:40018646 010 06 46                      MOV            R6, R0                                ; Rd = Op2
 +
ROM:40018648 010 08 78                      LDRB            R0, [R1]                              ; Load from Memory
 +
ROM:4001864A 010 05 25                      MOVS            R5, #5                                ; Rd = Op2
 +
ROM:4001864C 010 86 B0                      SUB            SP, SP, #0x18                        ; Rd = Op1 - Op2
 +
ROM:4001864E 028 0C 46                      MOV            R4, R1                                ; Rd = Op2
 +
ROM:40018650 028 00 28                      CMP            R0, #0                                ; Set cond. codes on Op1 - Op2
 +
ROM:40018652 028 47 D1                      BNE            is_GP_mode                            ; Branch
 +
ROM:40018652
 +
ROM:40018654 028 45 21                      MOVS            R1, #0x45 ; 'E'                      ; size
 +
ROM:40018656 028 20 46                      MOV            R0, R4                                ; mem
 +
ROM:40018658 028 FC F7 CE EA                BLX            standard_memclr                      ; Branch with Link and Exchange (immediate address)
 +
ROM:40018658 028
 +
ROM:4001865C 028 01 20                      MOVS            R0, #1                                ; Writing header for the structure
 +
ROM:4001865E 028 34 21                      MOVS            R1, #0x34 ; '4'                      ; 00 01 R5 01 34 30 07 RV 13 02 01 00 12 15 01 00
 +
ROM:40018660 028 60 70                      STRB            R0, [R4,#1]                          ; Store to Memory
 +
ROM:40018662 028 14 22                      MOVS            R2, #0x14                            ; Rd = Op2
 +
ROM:40018664 028 A5 70                      STRB            R5, [R4,#2]                          ; Store to Memory
 +
ROM:40018666 028 E0 70                      STRB            R0, [R4,#3]                          ; Store to Memory
 +
ROM:40018668 028 21 71                      STRB            R1, [R4,#4]                          ; Store to Memory
 +
ROM:4001866A 028 30 21                      MOVS            R1, #0x30 ; '0'                      ; Rd = Op2
 +
ROM:4001866C 028 61 71                      STRB            R1, [R4,#5]                          ; Store to Memory
 +
ROM:4001866E 028 07 21                      MOVS            R1, #7                                ; Rd = Op2
 +
ROM:40018670 028 A1 71                      STRB            R1, [R4,#6]                          ; Store to Memory
 +
ROM:40018672 028 20 49                      LDR            R1, =ROM_Version_addr                ; Load from Memory
 +
ROM:40018674 028 09 68                      LDR            R1, [R1]                              ; Load from Memory
 +
ROM:40018676 028 E1 71                      STRB            R1, [R4,#7]                          ; Store to Memory
 +
ROM:40018678 028 13 21                      MOVS            R1, #0x13                            ; Rd = Op2
 +
ROM:4001867A 028 21 72                      STRB            R1, [R4,#8]                          ; Store to Memory
 +
ROM:4001867C 028 02 21                      MOVS            R1, #2                                ; Rd = Op2
 +
ROM:4001867E 028 61 72                      STRB            R1, [R4,#9]                          ; Store to Memory
 +
ROM:40018680 028 12 21                      MOVS            R1, #0x12                            ; Rd = Op2
 +
ROM:40018682 028 A0 72                      STRB            R0, [R4,#0xA]                        ; Store to Memory
 +
ROM:40018684 028 21 73                      STRB            R1, [R4,#0xC]                        ; Store to Memory
 +
ROM:40018686 028 15 21                      MOVS            R1, #0x15                            ; Rd = Op2
 +
ROM:40018688 028 61 73                      STRB            R1, [R4,#0xD]                        ; Store to Memory
 +
ROM:4001868A 028 A0 73                      STRB            R0, [R4,#0xE]                        ; Store to Memory
 +
ROM:4001868C 028 84 F8 23 20                STRB.W          R2, [R4,#0x23]                        ; Store to Memory
 +
ROM:40018690 028 84 F8 24 10                STRB.W          R1, [R4,#0x24]                        ; Store to Memory
 +
ROM:40018694 028 84 F8 25 00                STRB.W          R0, [R4,#0x25]                        ; Store to Memory
 +
ROM:40018698 028 84 F8 3A 10                STRB.W          R1, [R4,#0x3A]                        ; Store to Memory
 +
ROM:4001869C 028 09 21                      MOVS            R1, #9                                ; Rd = Op2
 +
ROM:4001869E 028 84 F8 3B 10                STRB.W          R1, [R4,#0x3B]                        ; Store to Memory
 +
ROM:400186A2 028 04 F1 3D 01                ADD.W          R1, R4, #0x3D                        ; arg2
 +
ROM:400186A6 028 84 F8 3C 00                STRB.W          R0, [R4,#0x3C]                        ; Store to Memory
 +
ROM:400186AA 028 13 48                      LDR            R0, =ROM_Exceptions_addr              ; load CRC32 data
 +
ROM:400186AC 028 00 68                      LDR            R0, [R0]                              ; arg1
 +
ROM:400186AE 028 FC F7 F8 EA                BLX            standard_uwrite4                      ; Branch with Link and Exchange (immediate address)
 +
ROM:400186AE 028
 +
ROM:400186B2 028 FF F7 C7 F8                BL              security_check_GP_mode                ; Return 1 if non-GP mode, return 0 if GP mode
 +
ROM:400186B2 028
 +
ROM:400186B6 028 A8 B1                      CBZ            R0, is_GP_mode                        ; Compare and Branch on Zero
 +
ROM:400186B6
 +
ROM:400186B8 028 FF F7 D0 F8                BL              security_check_HS_mode                ; check SYS_BOOT
 +
ROM:400186B8 028
 +
ROM:400186BC 028 E0 72                      STRB            R0, [R4,#0xB]                        ; Store to Memory
 +
ROM:400186BE 028 04 F1 0F 00                ADD.W          R0, R4, #0xF                          ; pa
 +
ROM:400186C2 028 FF F7 F4 FA                BL              security_call_SSID_0x1E              ; Branch with Link
 +
ROM:400186C2 028
 +
ROM:400186C6 028 01 A8                      ADD            R0, SP, #0x28+pa                      ; pa
 +
ROM:400186C8 028 FF F7 03 FB                BL              security_call_SSID_0x1F              ; Branch with Link
 +
ROM:400186C8 028
 +
ROM:400186CC 028 14 22                      MOVS            R2, #20                              ; num
 +
ROM:400186CE 028 01 A9                      ADD            R1, SP, #0x28+pa                      ; source
 +
ROM:400186D0 028 04 F1 26 00                ADD.W          R0, R4, #38                          ; destination
 +
ROM:400186D4 028 FC F7 F4 E9                BLX            standard_memmove                      ; Branch with Link and Exchange (immediate address)
 +
ROM:400186D4 028
 +
ROM:400186D8 028 FF F7 04 FB                BL              security_call_SSID_0x22              ; API_HAL_KM_CRC_READ
 +
ROM:400186D8 028
 +
ROM:400186DC 028 04 F1 41 01                ADD.W          R1, R4, #0x41                        ; arg2
 +
ROM:400186E0 028 FC F7 DE EA                BLX            standard_uwrite4                      ; Branch with Link and Exchange (immediate address)
 +
ROM:400186E0 028
 +
ROM:400186E4
 +
ROM:400186E4                is_GP_mode                                                            ; CODE XREF: ROM_CRC_check+E�j
 +
ROM:400186E4                                                                                      ; ROM_CRC_check+72�j
 +
ROM:400186E4 028 10 2E                      CMP            R6, #0x10                            ; R6 - arg_1
 +
ROM:400186E6 028 03 D1                      BNE            write_R5                              ; Branch
 +
ROM:400186E6
 +
ROM:400186E8
 +
ROM:400186E8                write_4                                                              ; Rd = Op2
 +
ROM:400186E8 028 04 20                      MOVS            R0, #4
 +
ROM:400186EA 028 20 70                      STRB            R0, [R4]                              ; Store to Memory
 +
ROM:400186EA
 +
ROM:400186EC
 +
ROM:400186EC                return                                                                ; CODE XREF: ROM_CRC_check+AE�j
 +
ROM:400186EC 028 06 B0                      ADD            SP, SP, #0x18                        ; Rd = Op1 + Op2
 +
ROM:400186EE 010 70 BD                      POP            {R4-R6,PC}                            ; Pop registers
 +
ROM:400186EE
 +
ROM:400186F0                ; ---------------------------------------------------------------------------
 +
ROM:400186F0
 +
ROM:400186F0                write_R5                                                              ; CODE XREF: ROM_CRC_check+A2�j
 +
ROM:400186F0 028 25 70                      STRB            R5, [R4]                              ; Store to Memory
 +
ROM:400186F2 028 FB E7                      B              return                                ; Branch
 +
ROM:400186F2
 +
ROM:400186F2                ; End of function ROM_CRC_check
 +
ROM:400186F2
 +
ROM:400186F2                ; ---------------------------------------------------------------------------
 +
ROM:400186F4 FC BF 01 00    ROM_VERSION_ADDR DCD ROM_Version_addr                                ; DATA XREF: ROM_CRC_check+2E�r
 +
ROM:400186F8 20 40 01 00    ROM_EXCEPTIONS_ADDR DCD ROM_Exceptions_addr                          ; DATA XREF: ROM_CRC_check+66�r
 +
</syntaxhighlight>
  
 
== Security services from PPA from mbmloader ==
 
== Security services from PPA from mbmloader ==

Revision as of 23:15, 22 June 2011

Summary

Secure Service ID (SSID) Serure Service Name Hardware/Software Secure Service Description
0x01 unknown Hardware Authenticate and import keys
0x02 unknown Hardware Check if R&D certificate present and authenticate it
0x03 unknown Hardware Load and authenticate PPA
0x04 unknown Hardware Check RSA digest
0xf API_HAL_PA_LOAD Hardware Load Protected Application at Secure RAM
0x11 API_HAL_PA_UNLOAD_ALL Hardware Unload all loaded Protected Applications (except of PPA?) from Secure RAM
0x13 API_HAL_SDP_RUNTIME_INIT Hardware unknown
0x15 API_HAL_SEC_RPC_INIT Hardware unknown
0x19 API_HAL_CONTEXT_SAVE_RESTORE Hardware unknown
0x1a API_HAL_SEC_RAM_RESIZE Hardware Resize Secure RAM
0x1e unknown Hardware unknown (from bootrom)
0x1f unknown Hardware unknown (from bootrom)
0x22 API_HAL_KM_CRC_READ Hardware unknown
0x27 API_HAL_NB_MAX_SVC Hardware unknown
0x28 unknown Software dcache invalidate (defined in PPA from mbmloader)
0x29 unknown Software L2 aux write (defined in PPA from mbmloader)
0x2a unknown Software aux write (defined in PPA from mbmloader)
0x2b unknown Software nonsecure access write (defined in PPA from mbmloader)
0x31 API_HAL_MOT_EFUSE Software Blow eFuse entry (defined in PPA from mbmloader)
0x36 API_HAL_MOT_EFUSE_READ Software Read eFuse entry (defined in PPA from mbmloader)

Security services in BootROM

  1. ROM:40018644
  2. ROM:40018644
  3. ROM:40018644                 ; int __cdecl ROM_CRC_check(int arg_1, void *memory)
  4. ROM:40018644                 ROM_CRC_check                                                         ; CODE XREF: boot_main+F0�p
  5. ROM:40018644
  6. ROM:40018644                 pa              = -0x24
  7. ROM:40018644
  8. ROM:40018644 000 70 B5                       PUSH            {R4-R6,LR}                            ; Push registers
  9. ROM:40018646 010 06 46                       MOV             R6, R0                                ; Rd = Op2
  10. ROM:40018648 010 08 78                       LDRB            R0, [R1]                              ; Load from Memory
  11. ROM:4001864A 010 05 25                       MOVS            R5, #5                                ; Rd = Op2
  12. ROM:4001864C 010 86 B0                       SUB             SP, SP, #0x18                         ; Rd = Op1 - Op2
  13. ROM:4001864E 028 0C 46                       MOV             R4, R1                                ; Rd = Op2
  14. ROM:40018650 028 00 28                       CMP             R0, #0                                ; Set cond. codes on Op1 - Op2
  15. ROM:40018652 028 47 D1                       BNE             is_GP_mode                            ; Branch
  16. ROM:40018652
  17. ROM:40018654 028 45 21                       MOVS            R1, #0x45 ; 'E'                       ; size
  18. ROM:40018656 028 20 46                       MOV             R0, R4                                ; mem
  19. ROM:40018658 028 FC F7 CE EA                 BLX             standard_memclr                       ; Branch with Link and Exchange (immediate address)
  20. ROM:40018658 028
  21. ROM:4001865C 028 01 20                       MOVS            R0, #1                                ; Writing header for the structure
  22. ROM:4001865E 028 34 21                       MOVS            R1, #0x34 ; '4'                       ; 00 01 R5 01 34 30 07 RV 13 02 01 00 12 15 01 00
  23. ROM:40018660 028 60 70                       STRB            R0, [R4,#1]                           ; Store to Memory
  24. ROM:40018662 028 14 22                       MOVS            R2, #0x14                             ; Rd = Op2
  25. ROM:40018664 028 A5 70                       STRB            R5, [R4,#2]                           ; Store to Memory
  26. ROM:40018666 028 E0 70                       STRB            R0, [R4,#3]                           ; Store to Memory
  27. ROM:40018668 028 21 71                       STRB            R1, [R4,#4]                           ; Store to Memory
  28. ROM:4001866A 028 30 21                       MOVS            R1, #0x30 ; '0'                       ; Rd = Op2
  29. ROM:4001866C 028 61 71                       STRB            R1, [R4,#5]                           ; Store to Memory
  30. ROM:4001866E 028 07 21                       MOVS            R1, #7                                ; Rd = Op2
  31. ROM:40018670 028 A1 71                       STRB            R1, [R4,#6]                           ; Store to Memory
  32. ROM:40018672 028 20 49                       LDR             R1, =ROM_Version_addr                 ; Load from Memory
  33. ROM:40018674 028 09 68                       LDR             R1, [R1]                              ; Load from Memory
  34. ROM:40018676 028 E1 71                       STRB            R1, [R4,#7]                           ; Store to Memory
  35. ROM:40018678 028 13 21                       MOVS            R1, #0x13                             ; Rd = Op2
  36. ROM:4001867A 028 21 72                       STRB            R1, [R4,#8]                           ; Store to Memory
  37. ROM:4001867C 028 02 21                       MOVS            R1, #2                                ; Rd = Op2
  38. ROM:4001867E 028 61 72                       STRB            R1, [R4,#9]                           ; Store to Memory
  39. ROM:40018680 028 12 21                       MOVS            R1, #0x12                             ; Rd = Op2
  40. ROM:40018682 028 A0 72                       STRB            R0, [R4,#0xA]                         ; Store to Memory
  41. ROM:40018684 028 21 73                       STRB            R1, [R4,#0xC]                         ; Store to Memory
  42. ROM:40018686 028 15 21                       MOVS            R1, #0x15                             ; Rd = Op2
  43. ROM:40018688 028 61 73                       STRB            R1, [R4,#0xD]                         ; Store to Memory
  44. ROM:4001868A 028 A0 73                       STRB            R0, [R4,#0xE]                         ; Store to Memory
  45. ROM:4001868C 028 84 F8 23 20                 STRB.W          R2, [R4,#0x23]                        ; Store to Memory
  46. ROM:40018690 028 84 F8 24 10                 STRB.W          R1, [R4,#0x24]                        ; Store to Memory
  47. ROM:40018694 028 84 F8 25 00                 STRB.W          R0, [R4,#0x25]                        ; Store to Memory
  48. ROM:40018698 028 84 F8 3A 10                 STRB.W          R1, [R4,#0x3A]                        ; Store to Memory
  49. ROM:4001869C 028 09 21                       MOVS            R1, #9                                ; Rd = Op2
  50. ROM:4001869E 028 84 F8 3B 10                 STRB.W          R1, [R4,#0x3B]                        ; Store to Memory
  51. ROM:400186A2 028 04 F1 3D 01                 ADD.W           R1, R4, #0x3D                         ; arg2
  52. ROM:400186A6 028 84 F8 3C 00                 STRB.W          R0, [R4,#0x3C]                        ; Store to Memory
  53. ROM:400186AA 028 13 48                       LDR             R0, =ROM_Exceptions_addr              ; load CRC32 data
  54. ROM:400186AC 028 00 68                       LDR             R0, [R0]                              ; arg1
  55. ROM:400186AE 028 FC F7 F8 EA                 BLX             standard_uwrite4                      ; Branch with Link and Exchange (immediate address)
  56. ROM:400186AE 028
  57. ROM:400186B2 028 FF F7 C7 F8                 BL              security_check_GP_mode                ; Return 1 if non-GP mode, return 0 if GP mode
  58. ROM:400186B2 028
  59. ROM:400186B6 028 A8 B1                       CBZ             R0, is_GP_mode                        ; Compare and Branch on Zero
  60. ROM:400186B6
  61. ROM:400186B8 028 FF F7 D0 F8                 BL              security_check_HS_mode                ; check SYS_BOOT
  62. ROM:400186B8 028
  63. ROM:400186BC 028 E0 72                       STRB            R0, [R4,#0xB]                         ; Store to Memory
  64. ROM:400186BE 028 04 F1 0F 00                 ADD.W           R0, R4, #0xF                          ; pa
  65. ROM:400186C2 028 FF F7 F4 FA                 BL              security_call_SSID_0x1E               ; Branch with Link
  66. ROM:400186C2 028
  67. ROM:400186C6 028 01 A8                       ADD             R0, SP, #0x28+pa                      ; pa
  68. ROM:400186C8 028 FF F7 03 FB                 BL              security_call_SSID_0x1F               ; Branch with Link
  69. ROM:400186C8 028
  70. ROM:400186CC 028 14 22                       MOVS            R2, #20                               ; num
  71. ROM:400186CE 028 01 A9                       ADD             R1, SP, #0x28+pa                      ; source
  72. ROM:400186D0 028 04 F1 26 00                 ADD.W           R0, R4, #38                           ; destination
  73. ROM:400186D4 028 FC F7 F4 E9                 BLX             standard_memmove                      ; Branch with Link and Exchange (immediate address)
  74. ROM:400186D4 028
  75. ROM:400186D8 028 FF F7 04 FB                 BL              security_call_SSID_0x22               ; API_HAL_KM_CRC_READ
  76. ROM:400186D8 028
  77. ROM:400186DC 028 04 F1 41 01                 ADD.W           R1, R4, #0x41                         ; arg2
  78. ROM:400186E0 028 FC F7 DE EA                 BLX             standard_uwrite4                      ; Branch with Link and Exchange (immediate address)
  79. ROM:400186E0 028
  80. ROM:400186E4
  81. ROM:400186E4                 is_GP_mode                                                            ; CODE XREF: ROM_CRC_check+E�j
  82. ROM:400186E4                                                                                       ; ROM_CRC_check+72�j
  83. ROM:400186E4 028 10 2E                       CMP             R6, #0x10                             ; R6 - arg_1
  84. ROM:400186E6 028 03 D1                       BNE             write_R5                              ; Branch
  85. ROM:400186E6
  86. ROM:400186E8
  87. ROM:400186E8                 write_4                                                               ; Rd = Op2
  88. ROM:400186E8 028 04 20                       MOVS            R0, #4
  89. ROM:400186EA 028 20 70                       STRB            R0, [R4]                              ; Store to Memory
  90. ROM:400186EA
  91. ROM:400186EC
  92. ROM:400186EC                 return                                                                ; CODE XREF: ROM_CRC_check+AE�j
  93. ROM:400186EC 028 06 B0                       ADD             SP, SP, #0x18                         ; Rd = Op1 + Op2
  94. ROM:400186EE 010 70 BD                       POP             {R4-R6,PC}                            ; Pop registers
  95. ROM:400186EE
  96. ROM:400186F0                 ; ---------------------------------------------------------------------------
  97. ROM:400186F0
  98. ROM:400186F0                 write_R5                                                              ; CODE XREF: ROM_CRC_check+A2�j
  99. ROM:400186F0 028 25 70                       STRB            R5, [R4]                              ; Store to Memory
  100. ROM:400186F2 028 FB E7                       B               return                                ; Branch
  101. ROM:400186F2
  102. ROM:400186F2                 ; End of function ROM_CRC_check
  103. ROM:400186F2
  104. ROM:400186F2                 ; ---------------------------------------------------------------------------
  105. ROM:400186F4 FC BF 01 00     ROM_VERSION_ADDR DCD ROM_Version_addr                                 ; DATA XREF: ROM_CRC_check+2E�r
  106. ROM:400186F8 20 40 01 00     ROM_EXCEPTIONS_ADDR DCD ROM_Exceptions_addr                           ; DATA XREF: ROM_CRC_check+66�r

Security services from PPA from mbmloader

  1. ROM:86FFF538     ; =============== S U B R O U T I N E =======================================
  2. ROM:86FFF538
  3. ROM:86FFF538
  4. ROM:86FFF538     ; int __cdecl PPA_SMC_handler(__int32 arg)
  5. ROM:86FFF538     PPA_SMC_handler                                             ; CODE XREF: PPA_control_smc_handler_+2�p
  6. ROM:86FFF538 000                 LDR             R3, =0xAF900088             ; Load from Memory
  7. ROM:86FFF53A 000                 MOV.W           R2, #0x8000                 ; Rd = Op2
  8. ROM:86FFF53E 000                 MOV             R1, R0                      ; Rd = Op2
  9. ROM:86FFF540 000                 MOVS            R0, #0                      ; Rd = Op2
  10. ROM:86FFF542 000                 STR             R2, [R3]                    ; Store to Memory
  11. ROM:86FFF544 000                 CMP             R1, #0x28                   ; Set cond. codes on Op1 - Op2
  12. ROM:86FFF546 000                 BNE             not_dcache_invalidate       ; Branch
  13. ROM:86FFF546
  14. ROM:86FFF548 000                 LDR             R0, =(PPA_control_dcache_invalidate - not_dcache_invalidate) ; Load from Memory
  15. ROM:86FFF54A 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  16. ROM:86FFF54C 000                 BX              LR                          ; Branch to/from Thumb mode
  17. ROM:86FFF54C
  18. ROM:86FFF54E     ; ---------------------------------------------------------------------------
  19. ROM:86FFF54E
  20. ROM:86FFF54E     not_dcache_invalidate                                       ; CODE XREF: PPA_SMC_handler+E�j
  21. ROM:86FFF54E                                                                 ; DATA XREF: ROM:off_86FFF5A4�o
  22. ROM:86FFF54E 000                 CMP             R1, #0x29                   ; Set cond. codes on Op1 - Op2
  23. ROM:86FFF550 000                 BNE             not_control_L2_aux_write    ; Branch
  24. ROM:86FFF550
  25. ROM:86FFF552 000                 LDR             R0, =(PPA_control_L2_aux_write - not_control_L2_aux_write) ; Load from Memory
  26. ROM:86FFF554 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  27. ROM:86FFF556 000                 BX              LR                          ; Branch to/from Thumb mode
  28. ROM:86FFF556
  29. ROM:86FFF558     ; ---------------------------------------------------------------------------
  30. ROM:86FFF558
  31. ROM:86FFF558     not_control_L2_aux_write                                    ; CODE XREF: PPA_SMC_handler+18�j
  32. ROM:86FFF558                                                                 ; DATA XREF: ROM:off_86FFF5A8�o
  33. ROM:86FFF558 000                 CMP             R1, #0x2A                   ; Set cond. codes on Op1 - Op2
  34. ROM:86FFF55A 000                 BNE             not_control_aux_write       ; Branch
  35. ROM:86FFF55A
  36. ROM:86FFF55C 000                 LDR             R0, =(PPA_control_aux_write - not_control_aux_write) ; Load from Memory
  37. ROM:86FFF55E 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  38. ROM:86FFF560 000                 BX              LR                          ; Branch to/from Thumb mode
  39. ROM:86FFF560
  40. ROM:86FFF562     ; ---------------------------------------------------------------------------
  41. ROM:86FFF562
  42. ROM:86FFF562     not_control_aux_write                                       ; CODE XREF: PPA_SMC_handler+22�j
  43. ROM:86FFF562                                                                 ; DATA XREF: ROM:off_86FFF5AC�o
  44. ROM:86FFF562 000                 CMP             R1, #0x2B                   ; Set cond. codes on Op1 - Op2
  45. ROM:86FFF564 000                 BNE             not_control_nonsecure_access_write ; Branch
  46. ROM:86FFF564
  47. ROM:86FFF566 000                 LDR             R0, =(PPA_control_nonsecure_access_write - not_control_nonsecure_access_write) ; Load from Memory
  48. ROM:86FFF568 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  49. ROM:86FFF56A 000                 BX              LR                          ; Branch to/from Thumb mode
  50. ROM:86FFF56A
  51. ROM:86FFF56C     ; ---------------------------------------------------------------------------
  52. ROM:86FFF56C
  53. ROM:86FFF56C     not_control_nonsecure_access_write                          ; CODE XREF: PPA_SMC_handler+2C�j
  54. ROM:86FFF56C                                                                 ; DATA XREF: ROM:off_86FFF5B0�o
  55. ROM:86FFF56C 000                 CMP             R1, #API_HAL_MOT_EFUSE      ; Set cond. codes on Op1 - Op2
  56. ROM:86FFF56E 000                 BNE             not_API_HAL_MOT_EFUSE       ; Branch
  57. ROM:86FFF56E
  58. ROM:86FFF570 000                 LDR             R0, =(PPA_API_HAL_MOT_EFUSE+1 - not_API_HAL_MOT_EFUSE) ; Load from Memory
  59. ROM:86FFF572 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  60. ROM:86FFF574 000                 BX              LR                          ; Branch to/from Thumb mode
  61. ROM:86FFF574
  62. ROM:86FFF576     ; ---------------------------------------------------------------------------
  63. ROM:86FFF576
  64. ROM:86FFF576     not_API_HAL_MOT_EFUSE                                       ; CODE XREF: PPA_SMC_handler+36�j
  65. ROM:86FFF576                                                                 ; DATA XREF: ROM:off_86FFF5B4�o
  66. ROM:86FFF576 000                 CMP             R1, #API_HAL_MOT_EFUSE_READ ; Set cond. codes on Op1 - Op2
  67. ROM:86FFF578 000                 BNE             not_API_HAL_MOT_EFUSE_READ  ; Branch
  68. ROM:86FFF578
  69. ROM:86FFF57A 000                 LDR             R0, =(PPA_API_HAL_MOT_EFUSE_READ+1 - not_API_HAL_MOT_EFUSE_READ) ; Load from Memory
  70. ROM:86FFF57C 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  71. ROM:86FFF57E 000                 BX              LR                          ; Branch to/from Thumb mode
  72. ROM:86FFF57E
  73. ROM:86FFF580     ; ---------------------------------------------------------------------------
  74. ROM:86FFF580
  75. ROM:86FFF580     not_API_HAL_MOT_EFUSE_READ                                  ; CODE XREF: PPA_SMC_handler+40�j
  76. ROM:86FFF580                                                                 ; DATA XREF: ROM:off_86FFF5B8�o
  77. ROM:86FFF580 000                 CMP             R1, #0x2C                   ; Set cond. codes on Op1 - Op2
  78. ROM:86FFF582 000                 BNE             not_control_data_memory_sync ; Branch
  79. ROM:86FFF582
  80. ROM:86FFF584 000                 LDR             R0, =(PPA_control_data_memory_sync - not_control_data_memory_sync) ; Load from Memory
  81. ROM:86FFF586 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  82. ROM:86FFF588 000                 BX              LR                          ; Branch to/from Thumb mode
  83. ROM:86FFF588
  84. ROM:86FFF58A     ; ---------------------------------------------------------------------------
  85. ROM:86FFF58A
  86. ROM:86FFF58A     not_control_data_memory_sync                                ; CODE XREF: PPA_SMC_handler+4A�j
  87. ROM:86FFF58A                                                                 ; DATA XREF: ROM:off_86FFF5BC�o
  88. ROM:86FFF58A 000                 CMP             R1, #0x32                   ; Set cond. codes on Op1 - Op2
  89. ROM:86FFF58C 000                 BNE             function_is_48              ; Branch
  90. ROM:86FFF58C
  91. ROM:86FFF58E 000                 LDR             R0, =(PPA_wait_for_something+1 - function_is_48) ; Load from Memory
  92. ROM:86FFF590 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  93. ROM:86FFF590
  94. ROM:86FFF592
  95. ROM:86FFF592     return                                                      ; CODE XREF: PPA_SMC_handler+5E�j
  96. ROM:86FFF592 000                 BX              LR                          ; Branch to/from Thumb mode
  97. ROM:86FFF592
  98. ROM:86FFF594     ; ---------------------------------------------------------------------------
  99. ROM:86FFF594
  100. ROM:86FFF594     function_is_48                                              ; CODE XREF: PPA_SMC_handler+54�j
  101. ROM:86FFF594                                                                 ; DATA XREF: ROM:off_86FFF5C0�o
  102. ROM:86FFF594 000                 CMP             R1, #0x48                   ; Set cond. codes on Op1 - Op2
  103. ROM:86FFF596 000                 BNE             return                      ; Branch
  104. ROM:86FFF596
  105. ROM:86FFF598 000                 LDR             R0, =(PPA_sub_86FFFD06+1 - 0x86FFF59E) ; Load from Memory
  106. ROM:86FFF59A 000                 ADD             R0, PC                      ; Rd = Op1 + Op2
  107. ROM:86FFF59C 000                 BX              LR                          ; Branch to/from Thumb mode
  108. ROM:86FFF59C
  109. ROM:86FFF59C     ; End of function PPA_SMC_handler
  110. ROM:86FFF59C
  111. ROM:86FFF59C     ; ---------------------------------------------------------------------------
  112. ROM:86FFF59E                     ALIGN 0x10
  113. ROM:86FFF5A0     dword_86FFF5A0  DCD 0xAF900088                              ; DATA XREF: PPA_SMC_handler�r
  114. ROM:86FFF5A4     off_86FFF5A4    DCD PPA_control_dcache_invalidate - not_dcache_invalidate
  115. ROM:86FFF5A4                                                                 ; DATA XREF: PPA_SMC_handler+10�r
  116. ROM:86FFF5A8     off_86FFF5A8    DCD PPA_control_L2_aux_write - not_control_L2_aux_write
  117. ROM:86FFF5A8                                                                 ; DATA XREF: PPA_SMC_handler+1A�r
  118. ROM:86FFF5AC     off_86FFF5AC    DCD PPA_control_aux_write - not_control_aux_write
  119. ROM:86FFF5AC                                                                 ; DATA XREF: PPA_SMC_handler+24�r
  120. ROM:86FFF5B0     off_86FFF5B0    DCD PPA_control_nonsecure_access_write - not_control_nonsecure_access_write
  121. ROM:86FFF5B0                                                                 ; DATA XREF: PPA_SMC_handler+2E�r
  122. ROM:86FFF5B4     off_86FFF5B4    DCD PPA_API_HAL_MOT_EFUSE+1 - not_API_HAL_MOT_EFUSE
  123. ROM:86FFF5B4                                                                 ; DATA XREF: PPA_SMC_handler+38�r
  124. ROM:86FFF5B8     off_86FFF5B8    DCD PPA_API_HAL_MOT_EFUSE_READ+1 - not_API_HAL_MOT_EFUSE_READ
  125. ROM:86FFF5B8                                                                 ; DATA XREF: PPA_SMC_handler+42�r
  126. ROM:86FFF5BC     off_86FFF5BC    DCD PPA_control_data_memory_sync - not_control_data_memory_sync
  127. ROM:86FFF5BC                                                                 ; DATA XREF: PPA_SMC_handler+4C�r
  128. ROM:86FFF5C0     off_86FFF5C0    DCD PPA_wait_for_something+1 - function_is_48
  129. ROM:86FFF5C0                                                                 ; DATA XREF: PPA_SMC_handler+56�r
  130. ROM:86FFF5C4     off_86FFF5C4    DCD PPA_sub_86FFFD06+1 - 0x86FFF59E         ; DATA XREF: PPA_SMC_handler+60�r

security_check_ISW

  1. ROM:400161E8     ; int __cdecl security_check_CertISW(void *arg1, int arg2, void *arg3, int arg4)
  2. ROM:400161E8     security_check_CertISW                                      ; CODE XREF: boot_HS_image_exec+C4
  3. ROM:400161E8                                                                 ; boot_memory_image_auth_exec+C4
  4. ROM:400161E8
  5. ROM:400161E8     arg_0           =  0
  6. ROM:400161E8
  7. ROM:400161E8 000                 PUSH.W          {R4-R10,LR}                 ; count
  8. ROM:400161EC 020                 MOV             R10, R1                     ; Rd = Op2
  9. ROM:400161EE 020                 LDR             R5, =unk_4020FFB4           ; Load from Memory
  10. ROM:400161F0 020                 MOV             R9, R0                      ; Rd = Op2
  11. ROM:400161F2 020                 LDR             R7, [SP,#0x20+arg_0]        ; Load from Memory
  12. ROM:400161F4 020                 MOVS            R0, #0                      ; Rd = Op2
  13. ROM:400161F6 020                 MOV             R8, R2                      ; Rd = Op2
  14. ROM:400161F8 020                 MOV             R6, R3                      ; Rd = Op2
  15. ROM:400161FA 020                 LDR             R1, [R5]                    ; Load from Memory
  16. ROM:400161FC 020                 ORR.W           R1, R1, #tracing2_Reserved2 ; Rd = Op1 | Op2
  17. ROM:40016200 020                 STR             R1, [R5]                    ; Store to Memory
  18. ROM:40016202 020                 MOVS            R4, #1                      ; Rd = Op2
  19. ROM:40016204 020                 LDR             R2, =0x809795A3             ; Load from Memory
  20. ROM:40016206 020                 LDR             R1, [R3]                    ; Load from Memory
  21. ROM:40016208 020                 CMP             R1, R2                      ; Set cond. codes on Op1 - Op2
  22. ROM:4001620A 020                 BEQ             search_CertISW_mark         ; Branch
  23. ROM:4001620A
  24. ROM:4001620C 020                 MOVS            R4, #0                      ; Rd = Op2
  25. ROM:4001620C
  26. ROM:4001620E
  27. ROM:4001620E     search_CertISW_mark                                         ; CODE XREF: security_check_CertISW+22
  28. ROM:4001620E 020                 CBNZ            R4, found                   ; Compare and Branch on Non-Zero
  29. ROM:4001620E
  30. ROM:40016210 020                 MOVS            R2, #CH_STRINGS.CHMMCSD     ; source
  31. ROM:40016212 020                 MOV             R1, R6                      ; void *
  32. ROM:40016214 020                 ADR             R0, CertISW_mark            ; "CertISW"
  33. ROM:40016216 020                 BL              standard_memcmp             ; Branch with Link
  34. ROM:40016216
  35. ROM:4001621A 020                 CBNZ            R0, not_found               ; Compare and Branch on Non-Zero
  36. ROM:4001621A
  37. ROM:4001621C 020                 MOVS            R0, #1                      ; Rd = Op2
  38. ROM:4001621E 020                 B               found                       ; Branch
  39. ROM:4001621E
  40. ROM:40016220     ; ---------------------------------------------------------------------------
  41. ROM:40016220
  42. ROM:40016220     not_found                                                   ; CODE XREF: security_check_CertISW+32
  43. ROM:40016220 020                 MOVS            R0, #0                      ; Rd = Op2
  44. ROM:40016220
  45. ROM:40016222
  46. ROM:40016222     found                                                       ; CODE XREF: security_check_CertISW:search_CertISW_mark
  47. ROM:40016222                                                                 ; security_check_CertISW+36
  48. ROM:40016222 020                 ORRS            R0, R4                      ; Rd = Op1 | Op2
  49. ROM:40016224 020                 BEQ             return_1                    ; Branch
  50. ROM:40016224
  51. ROM:40016226 020                 LDRH            R0, [R7]                    ; Load from Memory
  52. ROM:40016228 020                 LSLS            R0, R0, #28                 ; Logical Shift Left
  53. ROM:4001622A 020                 BMI             Load_keys_and_search_for_RnD_certificate ; Branch
  54. ROM:4001622A
  55. ROM:4001622C 020                 LDR             R0, [R5]                    ; Load from Memory
  56. ROM:4001622E 020                 CBZ             R4, loc_4001623C            ; Compare and Branch on Zero
  57. ROM:4001622E
  58. ROM:40016230 020                 ORR.W           R0, R0, #0b1000000000       ; Rd = Op1 | Op2
  59. ROM:40016234 020                 STR             R0, [R5]                    ; Store to Memory
  60. ROM:40016236 020                 ADD.W           R0, R6, #0x38               ; Rd = Op1 + Op2
  61. ROM:4001623A 020                 B               enable_speedup              ; Branch
  62. ROM:4001623A
  63. ROM:4001623C     ; ---------------------------------------------------------------------------
  64. ROM:4001623C
  65. ROM:4001623C     loc_4001623C                                                ; CODE XREF: security_check_CertISW+46
  66. ROM:4001623C 020                 ORR.W           R0, R0, #0b10000000000      ; Rd = Op1 | Op2
  67. ROM:40016240 020                 STR             R0, [R5]                    ; Store to Memory
  68. ROM:40016242 020                 ADD.W           R0, R6, #0xA4               ; arg
  69. ROM:40016242
  70. ROM:40016246
  71. ROM:40016246     enable_speedup                                              ; CODE XREF: security_check_CertISW+52
  72. ROM:40016246 020                 BL              load_speedup_table          ; Branch with Link
  73. ROM:40016246
  74. ROM:4001624A
  75. ROM:4001624A     Load_keys_and_search_for_RnD_certificate                    ; CODE XREF: security_check_CertISW+42
  76. ROM:4001624A 020                 MOV             R0, R9                      ; Rd = Op2
  77. ROM:4001624C 020                 BL              security_call_SSID_0x01     ; SECURITY SERVICE: Load Keys (CertPK) to Secure RAM
  78. ROM:4001624C
  79. ROM:40016250 020                 CMP.W           R8, #0                      ; Set cond. codes on Op1 - Op2
  80. ROM:40016254 020                 BEQ             Keys_loaded_without_RnD     ; Branch
  81. ROM:40016254
  82. ROM:40016256 020                 LDR             R0, =memory_buffer          ; Load from Memory
  83. ROM:40016258 020                 LDR             R1, [R0]                    ; Load from Memory
  84. ROM:4001625A 020                 ORR.W           R1, R1, #tracing_R&D_certificate_found ; Rd = Op1 | Op2
  85. ROM:4001625E 020                 STR             R1, [R0]                    ; Store to Memory
  86. ROM:40016260 020                 MOV             R0, R8                      ; arg_1
  87. ROM:40016262 020                 BL              security_call_SSID_0x02     ; verify R&D certificate
  88. ROM:40016262
  89. ROM:40016266
  90. ROM:40016266     Keys_loaded_without_RnD                                     ; CODE XREF: security_check_CertISW+6C
  91. ROM:40016266 020                 LDR             R0, [R5]                    ; Load from Memory
  92. ROM:40016268 020                 ORR.W           R0, R0, #0x800              ; Rd = Op1 | Op2
  93. ROM:4001626C 020                 STR             R0, [R5]                    ; Store to Memory
  94. ROM:4001626E 020                 MOV             R0, R10                     ; arg_1
  95. ROM:40016270 020                 BL              security_call_SSID_0x03     ; load and authenticate PPA
  96. ROM:40016270
  97. ROM:40016274 020                 CBNZ            R0, return_error            ; Compare and Branch on Non-Zero
  98. ROM:40016274
  99. ROM:40016276 020                 LDRH            R0, [R7]                    ; Load from Memory
  100. ROM:40016278 020                 ORR.W           R0, R0, #0x800              ; Rd = Op1 | Op2
  101. ROM:4001627C 020                 STRH            R0, [R7]                    ; Store to Memory
  102. ROM:4001627E 020                 MOVS            R0, #0                      ; Rd = Op2
  103. ROM:4001627E
  104. ROM:40016280
  105. ROM:40016280     return                                                      ; CODE XREF: security_check_CertISW+B4
  106. ROM:40016280 020                 POP.W           {R4-R10,PC}                 ; Pop registers
  107. ROM:40016280
  108. ROM:40016284     ; ---------------------------------------------------------------------------
  109. ROM:40016284
  110. ROM:40016284     return_error                                                ; CODE XREF: security_check_CertISW+8C
  111. ROM:40016284 020                 LDR             R0, [R5]                    ; Load from Memory
  112. ROM:40016286 020                 ORR.W           R0, R0, #0b1000000000000    ; set bit #12
  113. ROM:4001628A 020                 STR             R0, [R5]                    ; Store to Memory
  114. ROM:4001628C 020                 LDR             R0, =sub_140A8              ; Load from Memory
  115. ROM:4001628E 020                 BLX             call_dead_loops             ; Branch with Link and Exchange (immediate address)
  116. ROM:4001628E
  117. ROM:40016292
  118. ROM:40016292     return_1                                                    ; CODE XREF: security_check_CertISW+3C
  119. ROM:40016292 020                 LDR             R0, [R5]                    ; Load from Memory
  120. ROM:40016294 020                 ORR.W           R0, R0, #0b10000000000000   ; set bit #13
  121. ROM:40016298 020                 STR             R0, [R5]                    ; Store to Memory
  122. ROM:4001629A 020                 MOVS            R0, #1                      ; Rd = Op2
  123. ROM:4001629C 020                 B               return                      ; Branch
  124. ROM:4001629C
  125. ROM:4001629C     ; End of function security_check_CertISW
  126. ROM:4001629C
  127. ROM:4001629C     ; ---------------------------------------------------------------------------
  128. ROM:4001629E                     DCW 0
  129. ROM:400162A0     off_400162A0    DCD unk_4020FFB4                            ; DATA XREF: security_check_CertISW+6
  130. ROM:400162A4     dword_400162A4  DCD 0x809795A3                              ; DATA XREF: security_check_CertISW+1C
  131. ROM:400162A8     CertISW_mark    DCB "CertISW",0                             ; DATA XREF: security_check_CertISW+2C
  132. ROM:400162B0     off_400162B0    DCD memory_buffer                           ; DATA XREF: security_check_CertISW+6E
  133. ROM:400162B4     image_cant_exec DCD sub_140A8                               ; DATA XREF: security_check_CertISW+A4

security_ISW_authentication

  1. ROM:400162B8
  2. ROM:400162B8     ; int __cdecl security_ISW_authentication(void *mem_1, void *mem_2)
  3. ROM:400162B8     security_ISW_authentication                                 ; CODE XREF: boot_HS_image_exec+CE�p
  4. ROM:400162B8                                                                 ; boot_memory_image_auth_exec+106�p
  5. ROM:400162B8 000                 LDR             R2, =memory_buffer          ; Load from Memory
  6. ROM:400162BA 000                 PUSH            {R4,LR}                     ; Push registers
  7. ROM:400162BC 008                 LDR             R3, [R2]                    ; Load from Memory
  8. ROM:400162BE 008                 ORR.W           R3, R3, #tracing_Initial_SW_authentication_started ; Rd = Op1 | Op2
  9. ROM:400162C2 008                 STR             R3, [R2]                    ; Store to Memory
  10. ROM:400162C4 008                 BL              security_call_SSID_0x04     ; Initial Software Image auth
  11. ROM:400162C4
  12. ROM:400162C8 008                 LDR             R0, =unk_4020FFB4           ; Load from Memory
  13. ROM:400162CA 008                 LDR             R1, [R0]                    ; Load from Memory
  14. ROM:400162CC 008                 ORR.W           R1, R1, #tracing2_No_known_NAND_was_detected ; Rd = Op1 | Op2
  15. ROM:400162D0 008                 STR             R1, [R0]                    ; Store to Memory
  16. ROM:400162D2 008                 POP             {R4,PC}                     ; Pop registers
  17. ROM:400162D2
  18. ROM:400162D2     ; End of function security_ISW_authentication
  19. ROM:400162D2
  20. ROM:400162D2     ; ---------------------------------------------------------------------------
  21. ROM:400162D4     off_400162D4    DCD memory_buffer                           ; DATA XREF: security_ISW_authentication�r
  22. ROM:400162D8     off_400162D8    DCD unk_4020FFB4                            ; DATA XREF: security_ISW_authentication+10�r
  23. ROM:400162DC