Difference between revisions of "Secure Services"

From MILEDROPEDIA
Jump to: navigation, search
m
m (security_ISW_authentication)
 
(17 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"
 
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"
 
! Secure Service ID (SSID)
 
! Secure Service ID (SSID)
! Serure Service Name
+
! Secure Service Name
 
! Hardware/Software
 
! Hardware/Software
 
! Secure Service Description
 
! Secure Service Description
Line 10: Line 10:
 
| unknown
 
| unknown
 
| Hardware
 
| Hardware
| unknown (from bootrom, using in function "security_check_CertISW")
+
| Authenticate and import keys
 
|-
 
|-
 
| 0x02
 
| 0x02
 
| unknown
 
| unknown
 
| Hardware
 
| Hardware
| unknown (from bootrom, using in function "security_check_CertISW")
+
| Check if R&D certificate present and authenticate it
 
|-
 
|-
 
| 0x03
 
| 0x03
 
| unknown
 
| unknown
 
| Hardware
 
| Hardware
| unknown (from bootrom, using in function "security_check_CertISW")
+
| Load and authenticate [[PPA]]
 
|-
 
|-
 
| 0x04
 
| 0x04
 
| unknown
 
| unknown
 
| Hardware
 
| Hardware
| unknown (from bootrom, using in function "security_ISW_authethication"
+
| Check RSA digest
 +
|-
 +
| 0xf
 +
| API_HAL_PA_LOAD
 +
| Hardware
 +
| Load Protected Application at Secure RAM
 +
|-
 +
| 0x11
 +
| API_HAL_PA_UNLOAD_ALL
 +
| Hardware
 +
| Unload all loaded Protected Applications (except of PPA?) from Secure RAM
 +
|-
 +
| 0x13
 +
| API_HAL_SDP_RUNTIME_INIT
 +
| Hardware
 +
| unknown
 +
|-
 +
| 0x15
 +
| API_HAL_SEC_RPC_INIT
 +
| Hardware
 +
| unknown
 +
|-
 +
| 0x19
 +
| API_HAL_CONTEXT_SAVE_RESTORE
 +
| Hardware
 +
| unknown
 +
|-
 +
| 0x1a
 +
| API_HAL_SEC_RAM_RESIZE
 +
| Hardware
 +
| Resize Secure RAM
 
|-
 
|-
 
| 0x1e
 
| 0x1e
Line 36: Line 66:
 
| Hardware
 
| Hardware
 
| unknown (from bootrom)
 
| unknown (from bootrom)
 +
|-
 +
| 0x22
 +
| API_HAL_KM_CRC_READ
 +
| Hardware
 +
| unknown
 
|-
 
|-
 
| 0x27
 
| 0x27
 
| API_HAL_NB_MAX_SVC
 
| API_HAL_NB_MAX_SVC
| Unknown
+
| Hardware
 
| unknown
 
| unknown
 
|-
 
|-
 
| 0x28
 
| 0x28
 
| unknown
 
| unknown
 +
| Software
 +
| dcache invalidate (defined in PPA from mbmloader)
 +
|-
 +
| 0x29
 
| unknown
 
| unknown
| unknown (from mbmloader)
+
| Software
 +
| L2 aux write (defined in PPA from mbmloader)
 
|-
 
|-
 
| 0x2a
 
| 0x2a
 
| unknown
 
| unknown
 +
| Software
 +
| aux write (defined in PPA from mbmloader)
 +
|-
 +
| 0x2b
 
| unknown
 
| unknown
| unknown (from mbmloader)
+
| Software
 +
| nonsecure access write (defined in PPA from mbmloader)
 
|-
 
|-
 
| 0x31
 
| 0x31
 
| API_HAL_MOT_EFUSE
 
| API_HAL_MOT_EFUSE
 
| Software
 
| Software
| unknown
+
| Blow eFuse entry (defined in PPA from mbmloader)
 
|-
 
|-
 
| 0x36
 
| 0x36
 
| API_HAL_MOT_EFUSE_READ
 
| API_HAL_MOT_EFUSE_READ
 
| Software
 
| Software
| unknown
+
| Read eFuse entry (defined in PPA from mbmloader)
 
|}
 
|}
 +
 +
== Security services in BootROM ==
 +
 +
Using in ROM_CRC_check function (see [[Application_Processor_Boot_ROM#ROM_CRC_check]])
 +
<syntaxhighlight lang="c" line>
 +
uint32_t security_monitor_parse_flags_and_call(uint32_t ssid, uint32_t proc_id, uint32_t flag, uint32_t params_count, void **params)
 +
{
 +
  return security_monitor_call(ssid, proc_id, flag, params_count, params);
 +
}
 +
 +
uint32_t security_monitor_call(uint32_t result, uint32_t proc_id, uint32_t flags, uint32_t param_count, void **params)
 +
{
 +
  __mcr(15, 0, result, 7, 5, 4); // Prefetch flush
 +
  __mcr(15, 0, result, 7, 10, 4); // Data syncronisation barrier
 +
  __asm { SMC 1 ; Secure Monitor Call }
 +
  return result;
 +
}
 +
</syntaxhighlight>
 +
 +
== Security services from PPA from mbmloader ==
 +
 +
<syntaxhighlight lang="c" line>
 +
void *PPA_control_smc_handler(uint32_t arg)
 +
{
 +
  void *result = NULL;
 +
 +
  *(0xAF900088) = 0x8000;
 +
  switch ( arg )
 +
  {
 +
    case 40:
 +
      result = PPA_control_dcache_invalidate;
 +
      break;
 +
    case 41:
 +
      result = PPA_control_L2_aux_write;
 +
      break;
 +
    case 42:
 +
      result = PPA_control_aux_write;
 +
      break;
 +
    case 43:
 +
      result = PPA_control_nonsecure_access_write;
 +
      break;
 +
    case 49:
 +
      result = PPA_API_HAL_MOT_EFUSE;
 +
      break;
 +
    case 54:
 +
      result = PPA_API_HAL_MOT_EFUSE_READ;
 +
      break;
 +
    case 44:
 +
      result = PPA_control_data_memory_sync;
 +
      break;
 +
    case 50:
 +
      result = PPA_wait_for_something;
 +
      break;
 +
    case 72:
 +
      result = PPA_sub_86FFFD06;
 +
      break;
 +
  }
 +
  return result;
 +
}
 +
</syntaxhighlight>
  
 
== security_check_ISW ==
 
== security_check_ISW ==
  
<syntaxhighlight lang="asm" line>
+
<syntaxhighlight lang="ida" line>
ROM:400161E8
+
 
 
ROM:400161E8    ; int __cdecl security_check_CertISW(void *arg1, int arg2, void *arg3, int arg4)
 
ROM:400161E8    ; int __cdecl security_check_CertISW(void *arg1, int arg2, void *arg3, int arg4)
ROM:400161E8    security_check_CertISW                                      ; CODE XREF: boot_HS_image_exec+C4�p
+
ROM:400161E8    security_check_CertISW                                      ; CODE XREF: boot_HS_image_exec+C4
ROM:400161E8                                                                ; boot_memory_image_auth_exec+C4�p
+
ROM:400161E8                                                                ; boot_memory_image_auth_exec+C4
 
ROM:400161E8
 
ROM:400161E8
 
ROM:400161E8    arg_0          =  0
 
ROM:400161E8    arg_0          =  0
Line 75: Line 180:
 
ROM:400161E8 000                PUSH.W          {R4-R10,LR}                ; count
 
ROM:400161E8 000                PUSH.W          {R4-R10,LR}                ; count
 
ROM:400161EC 020                MOV            R10, R1                    ; Rd = Op2
 
ROM:400161EC 020                MOV            R10, R1                    ; Rd = Op2
ROM:400161EE 020                LDR            R5, =dword_4020FFB4        ; Load from Memory
+
ROM:400161EE 020                LDR            R5, =unk_4020FFB4          ; Load from Memory
 
ROM:400161F0 020                MOV            R9, R0                      ; Rd = Op2
 
ROM:400161F0 020                MOV            R9, R0                      ; Rd = Op2
 
ROM:400161F2 020                LDR            R7, [SP,#0x20+arg_0]        ; Load from Memory
 
ROM:400161F2 020                LDR            R7, [SP,#0x20+arg_0]        ; Load from Memory
Line 93: Line 198:
 
ROM:4001620C
 
ROM:4001620C
 
ROM:4001620E
 
ROM:4001620E
ROM:4001620E    search_CertISW_mark                                        ; CODE XREF: security_check_CertISW+22�j
+
ROM:4001620E    search_CertISW_mark                                        ; CODE XREF: security_check_CertISW+22
 
ROM:4001620E 020                CBNZ            R4, found                  ; Compare and Branch on Non-Zero
 
ROM:4001620E 020                CBNZ            R4, found                  ; Compare and Branch on Non-Zero
 
ROM:4001620E
 
ROM:4001620E
Line 108: Line 213:
 
ROM:40016220    ; ---------------------------------------------------------------------------
 
ROM:40016220    ; ---------------------------------------------------------------------------
 
ROM:40016220
 
ROM:40016220
ROM:40016220    not_found                                                  ; CODE XREF: security_check_CertISW+32�j
+
ROM:40016220    not_found                                                  ; CODE XREF: security_check_CertISW+32
 
ROM:40016220 020                MOVS            R0, #0                      ; Rd = Op2
 
ROM:40016220 020                MOVS            R0, #0                      ; Rd = Op2
 
ROM:40016220
 
ROM:40016220
 
ROM:40016222
 
ROM:40016222
ROM:40016222    found                                                      ; CODE XREF: security_check_CertISW:search_CertISW_mark�j
+
ROM:40016222    found                                                      ; CODE XREF: security_check_CertISW:search_CertISW_mark
ROM:40016222                                                                ; security_check_CertISW+36�j
+
ROM:40016222                                                                ; security_check_CertISW+36
 
ROM:40016222 020                ORRS            R0, R4                      ; Rd = Op1 | Op2
 
ROM:40016222 020                ORRS            R0, R4                      ; Rd = Op1 | Op2
 
ROM:40016224 020                BEQ            return_1                    ; Branch
 
ROM:40016224 020                BEQ            return_1                    ; Branch
Line 119: Line 224:
 
ROM:40016226 020                LDRH            R0, [R7]                    ; Load from Memory
 
ROM:40016226 020                LDRH            R0, [R7]                    ; Load from Memory
 
ROM:40016228 020                LSLS            R0, R0, #28                ; Logical Shift Left
 
ROM:40016228 020                LSLS            R0, R0, #28                ; Logical Shift Left
ROM:4001622A 020                BMI            loc_4001624A                ; Branch
+
ROM:4001622A 020                BMI            Load_keys_and_search_for_RnD_certificate ; Branch
 
ROM:4001622A
 
ROM:4001622A
 
ROM:4001622C 020                LDR            R0, [R5]                    ; Load from Memory
 
ROM:4001622C 020                LDR            R0, [R5]                    ; Load from Memory
Line 127: Line 232:
 
ROM:40016234 020                STR            R0, [R5]                    ; Store to Memory
 
ROM:40016234 020                STR            R0, [R5]                    ; Store to Memory
 
ROM:40016236 020                ADD.W          R0, R6, #0x38              ; Rd = Op1 + Op2
 
ROM:40016236 020                ADD.W          R0, R6, #0x38              ; Rd = Op1 + Op2
ROM:4001623A 020                B              loc_40016246                ; Branch
+
ROM:4001623A 020                B              enable_speedup              ; Branch
 
ROM:4001623A
 
ROM:4001623A
 
ROM:4001623C    ; ---------------------------------------------------------------------------
 
ROM:4001623C    ; ---------------------------------------------------------------------------
 
ROM:4001623C
 
ROM:4001623C
ROM:4001623C    loc_4001623C                                                ; CODE XREF: security_check_CertISW+46�j
+
ROM:4001623C    loc_4001623C                                                ; CODE XREF: security_check_CertISW+46
 
ROM:4001623C 020                ORR.W          R0, R0, #0b10000000000      ; Rd = Op1 | Op2
 
ROM:4001623C 020                ORR.W          R0, R0, #0b10000000000      ; Rd = Op1 | Op2
 
ROM:40016240 020                STR            R0, [R5]                    ; Store to Memory
 
ROM:40016240 020                STR            R0, [R5]                    ; Store to Memory
ROM:40016242 020                ADD.W          R0, R6, #0b10100100        ; Rd = Op1 + Op2
+
ROM:40016242 020                ADD.W          R0, R6, #0xA4              ; arg
 
ROM:40016242
 
ROM:40016242
 
ROM:40016246
 
ROM:40016246
ROM:40016246    loc_40016246                                                ; CODE XREF: security_check_CertISW+52�j
+
ROM:40016246    enable_speedup                                              ; CODE XREF: security_check_CertISW+52
ROM:40016246 020                BL              security_speedup_parsing    ; Branch with Link
+
ROM:40016246 020                BL              load_speedup_table          ; Branch with Link
 
ROM:40016246
 
ROM:40016246
 
ROM:4001624A
 
ROM:4001624A
ROM:4001624A    loc_4001624A                                                ; CODE XREF: security_check_CertISW+42�j
+
ROM:4001624A    Load_keys_and_search_for_RnD_certificate                    ; CODE XREF: security_check_CertISW+42
 
ROM:4001624A 020                MOV            R0, R9                      ; Rd = Op2
 
ROM:4001624A 020                MOV            R0, R9                      ; Rd = Op2
ROM:4001624C 020                BL              security_call_SSID_0x01    ; Branch with Link
+
ROM:4001624C 020                BL              security_call_SSID_0x01    ; SECURITY SERVICE: Load Keys (CertPK) to Secure RAM
 
ROM:4001624C
 
ROM:4001624C
 
ROM:40016250 020                CMP.W          R8, #0                      ; Set cond. codes on Op1 - Op2
 
ROM:40016250 020                CMP.W          R8, #0                      ; Set cond. codes on Op1 - Op2
ROM:40016254 020                BEQ            loc_40016266                ; Branch
+
ROM:40016254 020                BEQ            Keys_loaded_without_RnD    ; Branch
 
ROM:40016254
 
ROM:40016254
 
ROM:40016256 020                LDR            R0, =memory_buffer          ; Load from Memory
 
ROM:40016256 020                LDR            R0, =memory_buffer          ; Load from Memory
Line 153: Line 258:
 
ROM:4001625E 020                STR            R1, [R0]                    ; Store to Memory
 
ROM:4001625E 020                STR            R1, [R0]                    ; Store to Memory
 
ROM:40016260 020                MOV            R0, R8                      ; arg_1
 
ROM:40016260 020                MOV            R0, R8                      ; arg_1
ROM:40016262 020                BL              security_call_SSID_0x02    ; Branch with Link
+
ROM:40016262 020                BL              security_call_SSID_0x02    ; verify R&D certificate
 
ROM:40016262
 
ROM:40016262
 
ROM:40016266
 
ROM:40016266
ROM:40016266    loc_40016266                                                ; CODE XREF: security_check_CertISW+6C�j
+
ROM:40016266    Keys_loaded_without_RnD                                    ; CODE XREF: security_check_CertISW+6C
 
ROM:40016266 020                LDR            R0, [R5]                    ; Load from Memory
 
ROM:40016266 020                LDR            R0, [R5]                    ; Load from Memory
 
ROM:40016268 020                ORR.W          R0, R0, #0x800              ; Rd = Op1 | Op2
 
ROM:40016268 020                ORR.W          R0, R0, #0x800              ; Rd = Op1 | Op2
 
ROM:4001626C 020                STR            R0, [R5]                    ; Store to Memory
 
ROM:4001626C 020                STR            R0, [R5]                    ; Store to Memory
 
ROM:4001626E 020                MOV            R0, R10                    ; arg_1
 
ROM:4001626E 020                MOV            R0, R10                    ; arg_1
ROM:40016270 020                BL              security_call_SSID_0x03    ; Branch with Link
+
ROM:40016270 020                BL              security_call_SSID_0x03    ; load and authenticate PPA
 
ROM:40016270
 
ROM:40016270
 
ROM:40016274 020                CBNZ            R0, return_error            ; Compare and Branch on Non-Zero
 
ROM:40016274 020                CBNZ            R0, return_error            ; Compare and Branch on Non-Zero
Line 171: Line 276:
 
ROM:4001627E
 
ROM:4001627E
 
ROM:40016280
 
ROM:40016280
ROM:40016280    return                                                      ; CODE XREF: security_check_CertISW+B4�j
+
ROM:40016280    return                                                      ; CODE XREF: security_check_CertISW+B4
 
ROM:40016280 020                POP.W          {R4-R10,PC}                ; Pop registers
 
ROM:40016280 020                POP.W          {R4-R10,PC}                ; Pop registers
 
ROM:40016280
 
ROM:40016280
 
ROM:40016284    ; ---------------------------------------------------------------------------
 
ROM:40016284    ; ---------------------------------------------------------------------------
 
ROM:40016284
 
ROM:40016284
ROM:40016284    return_error                                                ; CODE XREF: security_check_CertISW+8C�j
+
ROM:40016284    return_error                                                ; CODE XREF: security_check_CertISW+8C
 
ROM:40016284 020                LDR            R0, [R5]                    ; Load from Memory
 
ROM:40016284 020                LDR            R0, [R5]                    ; Load from Memory
 
ROM:40016286 020                ORR.W          R0, R0, #0b1000000000000    ; set bit #12
 
ROM:40016286 020                ORR.W          R0, R0, #0b1000000000000    ; set bit #12
Line 184: Line 289:
 
ROM:4001628E
 
ROM:4001628E
 
ROM:40016292
 
ROM:40016292
ROM:40016292    return_1                                                    ; CODE XREF: security_check_CertISW+3C�j
+
ROM:40016292    return_1                                                    ; CODE XREF: security_check_CertISW+3C
 
ROM:40016292 020                LDR            R0, [R5]                    ; Load from Memory
 
ROM:40016292 020                LDR            R0, [R5]                    ; Load from Memory
 
ROM:40016294 020                ORR.W          R0, R0, #0b10000000000000  ; set bit #13
 
ROM:40016294 020                ORR.W          R0, R0, #0b10000000000000  ; set bit #13
Line 195: Line 300:
 
ROM:4001629C    ; ---------------------------------------------------------------------------
 
ROM:4001629C    ; ---------------------------------------------------------------------------
 
ROM:4001629E                    DCW 0
 
ROM:4001629E                    DCW 0
ROM:400162A0    off_400162A0    DCD dword_4020FFB4                          ; DATA XREF: security_check_CertISW+6�r
+
ROM:400162A0    off_400162A0    DCD unk_4020FFB4                            ; DATA XREF: security_check_CertISW+6
ROM:400162A4    dword_400162A4  DCD 0x809795A3                              ; DATA XREF: security_check_CertISW+1C�r
+
ROM:400162A4    dword_400162A4  DCD 0x809795A3                              ; DATA XREF: security_check_CertISW+1C
ROM:400162A8    CertISW_mark    DCB "CertISW",0                            ; DATA XREF: security_check_CertISW+2C�o
+
ROM:400162A8    CertISW_mark    DCB "CertISW",0                            ; DATA XREF: security_check_CertISW+2C
ROM:400162B0    off_400162B0    DCD memory_buffer                          ; DATA XREF: security_check_CertISW+6E�r
+
ROM:400162B0    off_400162B0    DCD memory_buffer                          ; DATA XREF: security_check_CertISW+6E
ROM:400162B4    image_cant_exec DCD sub_140A8                              ; DATA XREF: security_check_CertISW+A4�r
+
ROM:400162B4    image_cant_exec DCD sub_140A8                              ; DATA XREF: security_check_CertISW+A4
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
== security_ISW_authentication ==
 
== security_ISW_authentication ==
 +
<syntaxhighlight lang="c" line>
 +
uint32_t security_ISW_authentication(char *membuf)
 +
{
 +
  uint32_t result;
  
<syntaxhighlight lang="asm" line>
+
  memory_buffer |= tracing_Initial_SW_authentication_started;
ROM:400162B8
+
  security_call_SSID_0x04(membuf); // Checking RSA digest of ISW/PPA
ROM:400162B8    ; int __cdecl security_ISW_authentication(void *mem_1, void *mem_2)
+
  result = 0x4020FFB4;
ROM:400162B8    security_ISW_authentication                                ; CODE XREF: boot_HS_image_exec+CE�p
+
  *(0x4020FFB4) |= tracing2_No_known_NAND_was_detected;
ROM:400162B8                                                                ; boot_memory_image_auth_exec+106�p
+
  return result;
ROM:400162B8 000                LDR            R2, =memory_buffer          ; Load from Memory
+
}
ROM:400162BA 000                PUSH            {R4,LR}                    ; Push registers
+
ROM:400162BC 008                LDR            R3, [R2]                    ; Load from Memory
+
ROM:400162BE 008                ORR.W          R3, R3, #tracing_Initial_SW_authentication_started ; Rd = Op1 | Op2
+
ROM:400162C2 008                STR            R3, [R2]                    ; Store to Memory
+
ROM:400162C4 008                BL              security_call_SSID_0x04    ; Branch with Link
+
ROM:400162C4
+
ROM:400162C8 008                LDR            R0, =dword_4020FFB4        ; Load from Memory
+
ROM:400162CA 008                LDR            R1, [R0]                    ; Load from Memory
+
ROM:400162CC 008                ORR.W          R1, R1, #tracing2_No_known_NAND_was_detected ; Rd = Op1 | Op2
+
ROM:400162D0 008                STR            R1, [R0]                    ; Store to Memory
+
ROM:400162D2 008                POP            {R4,PC}                     ; Pop registers
+
ROM:400162D2
+
ROM:400162D2    ; End of function security_ISW_authentication
+
ROM:400162D2
+
ROM:400162D2    ; ---------------------------------------------------------------------------
+
ROM:400162D4    off_400162D4    DCD memory_buffer                          ; DATA XREF: security_ISW_authentication�r
+
ROM:400162D8    off_400162D8    DCD dword_4020FFB4                          ; DATA XREF: security_ISW_authentication+10�r
+
ROM:400162DC
+
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
[[Category:Security]]
 
[[Category:Security]]

Latest revision as of 07:16, 15 January 2012

Summary

Secure Service ID (SSID) Secure Service Name Hardware/Software Secure Service Description
0x01 unknown Hardware Authenticate and import keys
0x02 unknown Hardware Check if R&D certificate present and authenticate it
0x03 unknown Hardware Load and authenticate PPA
0x04 unknown Hardware Check RSA digest
0xf API_HAL_PA_LOAD Hardware Load Protected Application at Secure RAM
0x11 API_HAL_PA_UNLOAD_ALL Hardware Unload all loaded Protected Applications (except of PPA?) from Secure RAM
0x13 API_HAL_SDP_RUNTIME_INIT Hardware unknown
0x15 API_HAL_SEC_RPC_INIT Hardware unknown
0x19 API_HAL_CONTEXT_SAVE_RESTORE Hardware unknown
0x1a API_HAL_SEC_RAM_RESIZE Hardware Resize Secure RAM
0x1e unknown Hardware unknown (from bootrom)
0x1f unknown Hardware unknown (from bootrom)
0x22 API_HAL_KM_CRC_READ Hardware unknown
0x27 API_HAL_NB_MAX_SVC Hardware unknown
0x28 unknown Software dcache invalidate (defined in PPA from mbmloader)
0x29 unknown Software L2 aux write (defined in PPA from mbmloader)
0x2a unknown Software aux write (defined in PPA from mbmloader)
0x2b unknown Software nonsecure access write (defined in PPA from mbmloader)
0x31 API_HAL_MOT_EFUSE Software Blow eFuse entry (defined in PPA from mbmloader)
0x36 API_HAL_MOT_EFUSE_READ Software Read eFuse entry (defined in PPA from mbmloader)

Security services in BootROM

Using in ROM_CRC_check function (see Application_Processor_Boot_ROM#ROM_CRC_check)

  1. uint32_t security_monitor_parse_flags_and_call(uint32_t ssid, uint32_t proc_id, uint32_t flag, uint32_t params_count, void **params)
  2. {
  3.   return security_monitor_call(ssid, proc_id, flag, params_count, params);
  4. }
  5.  
  6. uint32_t security_monitor_call(uint32_t result, uint32_t proc_id, uint32_t flags, uint32_t param_count, void **params)
  7. {
  8.   __mcr(15, 0, result, 7, 5, 4); // Prefetch flush
  9.   __mcr(15, 0, result, 7, 10, 4); // Data syncronisation barrier
  10.   __asm { SMC 1 ; Secure Monitor Call }
  11.   return result;
  12. }

Security services from PPA from mbmloader

  1. void *PPA_control_smc_handler(uint32_t arg)
  2. {
  3.   void *result = NULL;
  4.  
  5.   *(0xAF900088) = 0x8000;
  6.   switch ( arg )
  7.   {
  8.     case 40:
  9.       result = PPA_control_dcache_invalidate;
  10.       break;
  11.     case 41:
  12.       result = PPA_control_L2_aux_write;
  13.       break;
  14.     case 42:
  15.       result = PPA_control_aux_write;
  16.       break;
  17.     case 43:
  18.       result = PPA_control_nonsecure_access_write;
  19.       break;
  20.     case 49:
  21.       result = PPA_API_HAL_MOT_EFUSE;
  22.       break;
  23.     case 54:
  24.       result = PPA_API_HAL_MOT_EFUSE_READ;
  25.       break;
  26.     case 44:
  27.       result = PPA_control_data_memory_sync;
  28.       break;
  29.     case 50:
  30.       result = PPA_wait_for_something;
  31.       break;
  32.     case 72:
  33.       result = PPA_sub_86FFFD06;
  34.       break;
  35.   }
  36.   return result;
  37. }

security_check_ISW

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:400161E8     ; int __cdecl security_check_CertISW(void *arg1, int arg2, void *arg3, int arg4)
ROM:400161E8     security_check_CertISW                                      ; CODE XREF: boot_HS_image_exec+C4
ROM:400161E8                                                                 ; boot_memory_image_auth_exec+C4
ROM:400161E8
ROM:400161E8     arg_0           =  0
ROM:400161E8
ROM:400161E8 000                 PUSH.W          {R4-R10,LR}                 ; count
ROM:400161EC 020                 MOV             R10, R1                     ; Rd = Op2
ROM:400161EE 020                 LDR             R5, =unk_4020FFB4           ; Load from Memory
ROM:400161F0 020                 MOV             R9, R0                      ; Rd = Op2
ROM:400161F2 020                 LDR             R7, [SP,#0x20+arg_0]        ; Load from Memory
ROM:400161F4 020                 MOVS            R0, #0                      ; Rd = Op2
ROM:400161F6 020                 MOV             R8, R2                      ; Rd = Op2
ROM:400161F8 020                 MOV             R6, R3                      ; Rd = Op2
ROM:400161FA 020                 LDR             R1, [R5]                    ; Load from Memory
ROM:400161FC 020                 ORR.W           R1, R1, #tracing2_Reserved2 ; Rd = Op1 | Op2
ROM:40016200 020                 STR             R1, [R5]                    ; Store to Memory
ROM:40016202 020                 MOVS            R4, #1                      ; Rd = Op2
ROM:40016204 020                 LDR             R2, =0x809795A3             ; Load from Memory
ROM:40016206 020                 LDR             R1, [R3]                    ; Load from Memory
ROM:40016208 020                 CMP             R1, R2                      ; Set cond. codes on Op1 - Op2
ROM:4001620A 020                 BEQ             search_CertISW_mark         ; Branch
ROM:4001620A
ROM:4001620C 020                 MOVS            R4, #0                      ; Rd = Op2
ROM:4001620C
ROM:4001620E
ROM:4001620E     search_CertISW_mark                                         ; CODE XREF: security_check_CertISW+22
ROM:4001620E 020                 CBNZ            R4, found                   ; Compare and Branch on Non-Zero
ROM:4001620E
ROM:40016210 020                 MOVS            R2, #CH_STRINGS.CHMMCSD     ; source
ROM:40016212 020                 MOV             R1, R6                      ; void *
ROM:40016214 020                 ADR             R0, CertISW_mark            ; "CertISW"
ROM:40016216 020                 BL              standard_memcmp             ; Branch with Link
ROM:40016216
ROM:4001621A 020                 CBNZ            R0, not_found               ; Compare and Branch on Non-Zero
ROM:4001621A
ROM:4001621C 020                 MOVS            R0, #1                      ; Rd = Op2
ROM:4001621E 020                 B               found                       ; Branch
ROM:4001621E
ROM:40016220     ; ---------------------------------------------------------------------------
ROM:40016220
ROM:40016220     not_found                                                   ; CODE XREF: security_check_CertISW+32
ROM:40016220 020                 MOVS            R0, #0                      ; Rd = Op2
ROM:40016220
ROM:40016222
ROM:40016222     found                                                       ; CODE XREF: security_check_CertISW:search_CertISW_mark
ROM:40016222                                                                 ; security_check_CertISW+36
ROM:40016222 020                 ORRS            R0, R4                      ; Rd = Op1 | Op2
ROM:40016224 020                 BEQ             return_1                    ; Branch
ROM:40016224
ROM:40016226 020                 LDRH            R0, [R7]                    ; Load from Memory
ROM:40016228 020                 LSLS            R0, R0, #28                 ; Logical Shift Left
ROM:4001622A 020                 BMI             Load_keys_and_search_for_RnD_certificate ; Branch
ROM:4001622A
ROM:4001622C 020                 LDR             R0, [R5]                    ; Load from Memory
ROM:4001622E 020                 CBZ             R4, loc_4001623C            ; Compare and Branch on Zero
ROM:4001622E
ROM:40016230 020                 ORR.W           R0, R0, #0b1000000000       ; Rd = Op1 | Op2
ROM:40016234 020                 STR             R0, [R5]                    ; Store to Memory
ROM:40016236 020                 ADD.W           R0, R6, #0x38               ; Rd = Op1 + Op2
ROM:4001623A 020                 B               enable_speedup              ; Branch
ROM:4001623A
ROM:4001623C     ; ---------------------------------------------------------------------------
ROM:4001623C
ROM:4001623C     loc_4001623C                                                ; CODE XREF: security_check_CertISW+46
ROM:4001623C 020                 ORR.W           R0, R0, #0b10000000000      ; Rd = Op1 | Op2
ROM:40016240 020                 STR             R0, [R5]                    ; Store to Memory
ROM:40016242 020                 ADD.W           R0, R6, #0xA4               ; arg
ROM:40016242
ROM:40016246
ROM:40016246     enable_speedup                                              ; CODE XREF: security_check_CertISW+52
ROM:40016246 020                 BL              load_speedup_table          ; Branch with Link
ROM:40016246
ROM:4001624A
ROM:4001624A     Load_keys_and_search_for_RnD_certificate                    ; CODE XREF: security_check_CertISW+42
ROM:4001624A 020                 MOV             R0, R9                      ; Rd = Op2
ROM:4001624C 020                 BL              security_call_SSID_0x01     ; SECURITY SERVICE: Load Keys (CertPK) to Secure RAM
ROM:4001624C
ROM:40016250 020                 CMP.W           R8, #0                      ; Set cond. codes on Op1 - Op2
ROM:40016254 020                 BEQ             Keys_loaded_without_RnD     ; Branch
ROM:40016254
ROM:40016256 020                 LDR             R0, =memory_buffer          ; Load from Memory
ROM:40016258 020                 LDR             R1, [R0]                    ; Load from Memory
ROM:4001625A 020                 ORR.W           R1, R1, #tracing_R&D_certificate_found ; Rd = Op1 | Op2
ROM:4001625E 020                 STR             R1, [R0]                    ; Store to Memory
ROM:40016260 020                 MOV             R0, R8                      ; arg_1
ROM:40016262 020                 BL              security_call_SSID_0x02     ; verify R&D certificate
ROM:40016262
ROM:40016266
ROM:40016266     Keys_loaded_without_RnD                                     ; CODE XREF: security_check_CertISW+6C
ROM:40016266 020                 LDR             R0, [R5]                    ; Load from Memory
ROM:40016268 020                 ORR.W           R0, R0, #0x800              ; Rd = Op1 | Op2
ROM:4001626C 020                 STR             R0, [R5]                    ; Store to Memory
ROM:4001626E 020                 MOV             R0, R10                     ; arg_1
ROM:40016270 020                 BL              security_call_SSID_0x03     ; load and authenticate PPA
ROM:40016270
ROM:40016274 020                 CBNZ            R0, return_error            ; Compare and Branch on Non-Zero
ROM:40016274
ROM:40016276 020                 LDRH            R0, [R7]                    ; Load from Memory
ROM:40016278 020                 ORR.W           R0, R0, #0x800              ; Rd = Op1 | Op2
ROM:4001627C 020                 STRH            R0, [R7]                    ; Store to Memory
ROM:4001627E 020                 MOVS            R0, #0                      ; Rd = Op2
ROM:4001627E
ROM:40016280
ROM:40016280     return                                                      ; CODE XREF: security_check_CertISW+B4
ROM:40016280 020                 POP.W           {R4-R10,PC}                 ; Pop registers
ROM:40016280
ROM:40016284     ; ---------------------------------------------------------------------------
ROM:40016284
ROM:40016284     return_error                                                ; CODE XREF: security_check_CertISW+8C
ROM:40016284 020                 LDR             R0, [R5]                    ; Load from Memory
ROM:40016286 020                 ORR.W           R0, R0, #0b1000000000000    ; set bit #12
ROM:4001628A 020                 STR             R0, [R5]                    ; Store to Memory
ROM:4001628C 020                 LDR             R0, =sub_140A8              ; Load from Memory
ROM:4001628E 020                 BLX             call_dead_loops             ; Branch with Link and Exchange (immediate address)
ROM:4001628E
ROM:40016292
ROM:40016292     return_1                                                    ; CODE XREF: security_check_CertISW+3C
ROM:40016292 020                 LDR             R0, [R5]                    ; Load from Memory
ROM:40016294 020                 ORR.W           R0, R0, #0b10000000000000   ; set bit #13
ROM:40016298 020                 STR             R0, [R5]                    ; Store to Memory
ROM:4001629A 020                 MOVS            R0, #1                      ; Rd = Op2
ROM:4001629C 020                 B               return                      ; Branch
ROM:4001629C
ROM:4001629C     ; End of function security_check_CertISW
ROM:4001629C
ROM:4001629C     ; ---------------------------------------------------------------------------
ROM:4001629E                     DCW 0
ROM:400162A0     off_400162A0    DCD unk_4020FFB4                            ; DATA XREF: security_check_CertISW+6
ROM:400162A4     dword_400162A4  DCD 0x809795A3                              ; DATA XREF: security_check_CertISW+1C
ROM:400162A8     CertISW_mark    DCB "CertISW",0                             ; DATA XREF: security_check_CertISW+2C
ROM:400162B0     off_400162B0    DCD memory_buffer                           ; DATA XREF: security_check_CertISW+6E
ROM:400162B4     image_cant_exec DCD sub_140A8                               ; DATA XREF: security_check_CertISW+A4

security_ISW_authentication

  1. uint32_t security_ISW_authentication(char *membuf)
  2. {
  3.   uint32_t result;
  4.  
  5.   memory_buffer |= tracing_Initial_SW_authentication_started;
  6.   security_call_SSID_0x04(membuf); // Checking RSA digest of ISW/PPA
  7.   result = 0x4020FFB4;
  8.   *(0x4020FFB4) |= tracing2_No_known_NAND_was_detected;
  9.   return result;
  10. }