Difference between revisions of "Secure Services"

From MILEDROPEDIA
Jump to: navigation, search
(Added C version of PPA_SMC_handler instead of asm version)
m (security_ISW_authentication)
 
Line 308: Line 308:
  
 
== security_ISW_authentication ==
 
== security_ISW_authentication ==
 +
<syntaxhighlight lang="c" line>
 +
uint32_t security_ISW_authentication(char *membuf)
 +
{
 +
  uint32_t result;
  
<syntaxhighlight lang="ida" line>
+
  memory_buffer |= tracing_Initial_SW_authentication_started;
ROM:400162B8
+
  security_call_SSID_0x04(membuf); // Checking RSA digest of ISW/PPA
ROM:400162B8    ; int __cdecl security_ISW_authentication(void *mem_1, void *mem_2)
+
  result = 0x4020FFB4;
ROM:400162B8    security_ISW_authentication                                ; CODE XREF: boot_HS_image_exec+CE�p
+
  *(0x4020FFB4) |= tracing2_No_known_NAND_was_detected;
ROM:400162B8                                                                ; boot_memory_image_auth_exec+106�p
+
  return result;
ROM:400162B8 000                LDR            R2, =memory_buffer          ; Load from Memory
+
}
ROM:400162BA 000                PUSH            {R4,LR}                    ; Push registers
+
ROM:400162BC 008                LDR            R3, [R2]                    ; Load from Memory
+
ROM:400162BE 008                ORR.W          R3, R3, #tracing_Initial_SW_authentication_started ; Rd = Op1 | Op2
+
ROM:400162C2 008                STR            R3, [R2]                    ; Store to Memory
+
ROM:400162C4 008                BL              security_call_SSID_0x04    ; Initial Software Image auth
+
ROM:400162C4
+
ROM:400162C8 008                LDR            R0, =unk_4020FFB4          ; Load from Memory
+
ROM:400162CA 008                LDR            R1, [R0]                    ; Load from Memory
+
ROM:400162CC 008                ORR.W          R1, R1, #tracing2_No_known_NAND_was_detected ; Rd = Op1 | Op2
+
ROM:400162D0 008                STR            R1, [R0]                    ; Store to Memory
+
ROM:400162D2 008                POP            {R4,PC}                     ; Pop registers
+
ROM:400162D2
+
ROM:400162D2    ; End of function security_ISW_authentication
+
ROM:400162D2
+
ROM:400162D2    ; ---------------------------------------------------------------------------
+
ROM:400162D4    off_400162D4    DCD memory_buffer                          ; DATA XREF: security_ISW_authentication�r
+
ROM:400162D8    off_400162D8    DCD unk_4020FFB4                            ; DATA XREF: security_ISW_authentication+10�r
+
ROM:400162DC
+
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
[[Category:Security]]
 
[[Category:Security]]

Latest revision as of 07:16, 15 January 2012

Summary

Secure Service ID (SSID) Secure Service Name Hardware/Software Secure Service Description
0x01 unknown Hardware Authenticate and import keys
0x02 unknown Hardware Check if R&D certificate present and authenticate it
0x03 unknown Hardware Load and authenticate PPA
0x04 unknown Hardware Check RSA digest
0xf API_HAL_PA_LOAD Hardware Load Protected Application at Secure RAM
0x11 API_HAL_PA_UNLOAD_ALL Hardware Unload all loaded Protected Applications (except of PPA?) from Secure RAM
0x13 API_HAL_SDP_RUNTIME_INIT Hardware unknown
0x15 API_HAL_SEC_RPC_INIT Hardware unknown
0x19 API_HAL_CONTEXT_SAVE_RESTORE Hardware unknown
0x1a API_HAL_SEC_RAM_RESIZE Hardware Resize Secure RAM
0x1e unknown Hardware unknown (from bootrom)
0x1f unknown Hardware unknown (from bootrom)
0x22 API_HAL_KM_CRC_READ Hardware unknown
0x27 API_HAL_NB_MAX_SVC Hardware unknown
0x28 unknown Software dcache invalidate (defined in PPA from mbmloader)
0x29 unknown Software L2 aux write (defined in PPA from mbmloader)
0x2a unknown Software aux write (defined in PPA from mbmloader)
0x2b unknown Software nonsecure access write (defined in PPA from mbmloader)
0x31 API_HAL_MOT_EFUSE Software Blow eFuse entry (defined in PPA from mbmloader)
0x36 API_HAL_MOT_EFUSE_READ Software Read eFuse entry (defined in PPA from mbmloader)

Security services in BootROM

Using in ROM_CRC_check function (see Application_Processor_Boot_ROM#ROM_CRC_check) 

  1. uint32_t security_monitor_parse_flags_and_call(uint32_t ssid, uint32_t proc_id, uint32_t flag, uint32_t params_count, void **params)
  2. {
  3.   return security_monitor_call(ssid, proc_id, flag, params_count, params);
  4. }
  5.  
  6. uint32_t security_monitor_call(uint32_t result, uint32_t proc_id, uint32_t flags, uint32_t param_count, void **params)
  7. {
  8.   __mcr(15, 0, result, 7, 5, 4); // Prefetch flush
  9.   __mcr(15, 0, result, 7, 10, 4); // Data syncronisation barrier
  10.   __asm { SMC 1 ; Secure Monitor Call }
  11.   return result;
  12. }

Security services from PPA from mbmloader

  1. void *PPA_control_smc_handler(uint32_t arg)
  2. {
  3.   void *result = NULL;
  4.  
  5.   *(0xAF900088) = 0x8000;
  6.   switch ( arg )
  7.   {
  8.     case 40:
  9.       result = PPA_control_dcache_invalidate;
  10.       break;
  11.     case 41:
  12.       result = PPA_control_L2_aux_write;
  13.       break;
  14.     case 42:
  15.       result = PPA_control_aux_write;
  16.       break;
  17.     case 43:
  18.       result = PPA_control_nonsecure_access_write;
  19.       break;
  20.     case 49:
  21.       result = PPA_API_HAL_MOT_EFUSE;
  22.       break;
  23.     case 54:
  24.       result = PPA_API_HAL_MOT_EFUSE_READ;
  25.       break;
  26.     case 44:
  27.       result = PPA_control_data_memory_sync;
  28.       break;
  29.     case 50:
  30.       result = PPA_wait_for_something;
  31.       break;
  32.     case 72:
  33.       result = PPA_sub_86FFFD06;
  34.       break;
  35.   }
  36.   return result;
  37. }

security_check_ISW

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:400161E8     ; int __cdecl security_check_CertISW(void *arg1, int arg2, void *arg3, int arg4)
ROM:400161E8     security_check_CertISW                                      ; CODE XREF: boot_HS_image_exec+C4
ROM:400161E8                                                                 ; boot_memory_image_auth_exec+C4
ROM:400161E8
ROM:400161E8     arg_0           =  0
ROM:400161E8
ROM:400161E8 000                 PUSH.W          {R4-R10,LR}                 ; count
ROM:400161EC 020                 MOV             R10, R1                     ; Rd = Op2
ROM:400161EE 020                 LDR             R5, =unk_4020FFB4           ; Load from Memory
ROM:400161F0 020                 MOV             R9, R0                      ; Rd = Op2
ROM:400161F2 020                 LDR             R7, [SP,#0x20+arg_0]        ; Load from Memory
ROM:400161F4 020                 MOVS            R0, #0                      ; Rd = Op2
ROM:400161F6 020                 MOV             R8, R2                      ; Rd = Op2
ROM:400161F8 020                 MOV             R6, R3                      ; Rd = Op2
ROM:400161FA 020                 LDR             R1, [R5]                    ; Load from Memory
ROM:400161FC 020                 ORR.W           R1, R1, #tracing2_Reserved2 ; Rd = Op1 | Op2
ROM:40016200 020                 STR             R1, [R5]                    ; Store to Memory
ROM:40016202 020                 MOVS            R4, #1                      ; Rd = Op2
ROM:40016204 020                 LDR             R2, =0x809795A3             ; Load from Memory
ROM:40016206 020                 LDR             R1, [R3]                    ; Load from Memory
ROM:40016208 020                 CMP             R1, R2                      ; Set cond. codes on Op1 - Op2
ROM:4001620A 020                 BEQ             search_CertISW_mark         ; Branch
ROM:4001620A
ROM:4001620C 020                 MOVS            R4, #0                      ; Rd = Op2
ROM:4001620C
ROM:4001620E
ROM:4001620E     search_CertISW_mark                                         ; CODE XREF: security_check_CertISW+22
ROM:4001620E 020                 CBNZ            R4, found                   ; Compare and Branch on Non-Zero
ROM:4001620E
ROM:40016210 020                 MOVS            R2, #CH_STRINGS.CHMMCSD     ; source
ROM:40016212 020                 MOV             R1, R6                      ; void *
ROM:40016214 020                 ADR             R0, CertISW_mark            ; "CertISW"
ROM:40016216 020                 BL              standard_memcmp             ; Branch with Link
ROM:40016216
ROM:4001621A 020                 CBNZ            R0, not_found               ; Compare and Branch on Non-Zero
ROM:4001621A
ROM:4001621C 020                 MOVS            R0, #1                      ; Rd = Op2
ROM:4001621E 020                 B               found                       ; Branch
ROM:4001621E
ROM:40016220     ; ---------------------------------------------------------------------------
ROM:40016220
ROM:40016220     not_found                                                   ; CODE XREF: security_check_CertISW+32
ROM:40016220 020                 MOVS            R0, #0                      ; Rd = Op2
ROM:40016220
ROM:40016222
ROM:40016222     found                                                       ; CODE XREF: security_check_CertISW:search_CertISW_mark
ROM:40016222                                                                 ; security_check_CertISW+36
ROM:40016222 020                 ORRS            R0, R4                      ; Rd = Op1 | Op2
ROM:40016224 020                 BEQ             return_1                    ; Branch
ROM:40016224
ROM:40016226 020                 LDRH            R0, [R7]                    ; Load from Memory
ROM:40016228 020                 LSLS            R0, R0, #28                 ; Logical Shift Left
ROM:4001622A 020                 BMI             Load_keys_and_search_for_RnD_certificate ; Branch
ROM:4001622A
ROM:4001622C 020                 LDR             R0, [R5]                    ; Load from Memory
ROM:4001622E 020                 CBZ             R4, loc_4001623C            ; Compare and Branch on Zero
ROM:4001622E
ROM:40016230 020                 ORR.W           R0, R0, #0b1000000000       ; Rd = Op1 | Op2
ROM:40016234 020                 STR             R0, [R5]                    ; Store to Memory
ROM:40016236 020                 ADD.W           R0, R6, #0x38               ; Rd = Op1 + Op2
ROM:4001623A 020                 B               enable_speedup              ; Branch
ROM:4001623A
ROM:4001623C     ; ---------------------------------------------------------------------------
ROM:4001623C
ROM:4001623C     loc_4001623C                                                ; CODE XREF: security_check_CertISW+46
ROM:4001623C 020                 ORR.W           R0, R0, #0b10000000000      ; Rd = Op1 | Op2
ROM:40016240 020                 STR             R0, [R5]                    ; Store to Memory
ROM:40016242 020                 ADD.W           R0, R6, #0xA4               ; arg
ROM:40016242
ROM:40016246
ROM:40016246     enable_speedup                                              ; CODE XREF: security_check_CertISW+52
ROM:40016246 020                 BL              load_speedup_table          ; Branch with Link
ROM:40016246
ROM:4001624A
ROM:4001624A     Load_keys_and_search_for_RnD_certificate                    ; CODE XREF: security_check_CertISW+42
ROM:4001624A 020                 MOV             R0, R9                      ; Rd = Op2
ROM:4001624C 020                 BL              security_call_SSID_0x01     ; SECURITY SERVICE: Load Keys (CertPK) to Secure RAM
ROM:4001624C
ROM:40016250 020                 CMP.W           R8, #0                      ; Set cond. codes on Op1 - Op2
ROM:40016254 020                 BEQ             Keys_loaded_without_RnD     ; Branch
ROM:40016254
ROM:40016256 020                 LDR             R0, =memory_buffer          ; Load from Memory
ROM:40016258 020                 LDR             R1, [R0]                    ; Load from Memory
ROM:4001625A 020                 ORR.W           R1, R1, #tracing_R&D_certificate_found ; Rd = Op1 | Op2
ROM:4001625E 020                 STR             R1, [R0]                    ; Store to Memory
ROM:40016260 020                 MOV             R0, R8                      ; arg_1
ROM:40016262 020                 BL              security_call_SSID_0x02     ; verify R&D certificate
ROM:40016262
ROM:40016266
ROM:40016266     Keys_loaded_without_RnD                                     ; CODE XREF: security_check_CertISW+6C
ROM:40016266 020                 LDR             R0, [R5]                    ; Load from Memory
ROM:40016268 020                 ORR.W           R0, R0, #0x800              ; Rd = Op1 | Op2
ROM:4001626C 020                 STR             R0, [R5]                    ; Store to Memory
ROM:4001626E 020                 MOV             R0, R10                     ; arg_1
ROM:40016270 020                 BL              security_call_SSID_0x03     ; load and authenticate PPA
ROM:40016270
ROM:40016274 020                 CBNZ            R0, return_error            ; Compare and Branch on Non-Zero
ROM:40016274
ROM:40016276 020                 LDRH            R0, [R7]                    ; Load from Memory
ROM:40016278 020                 ORR.W           R0, R0, #0x800              ; Rd = Op1 | Op2
ROM:4001627C 020                 STRH            R0, [R7]                    ; Store to Memory
ROM:4001627E 020                 MOVS            R0, #0                      ; Rd = Op2
ROM:4001627E
ROM:40016280
ROM:40016280     return                                                      ; CODE XREF: security_check_CertISW+B4
ROM:40016280 020                 POP.W           {R4-R10,PC}                 ; Pop registers
ROM:40016280
ROM:40016284     ; ---------------------------------------------------------------------------
ROM:40016284
ROM:40016284     return_error                                                ; CODE XREF: security_check_CertISW+8C
ROM:40016284 020                 LDR             R0, [R5]                    ; Load from Memory
ROM:40016286 020                 ORR.W           R0, R0, #0b1000000000000    ; set bit #12
ROM:4001628A 020                 STR             R0, [R5]                    ; Store to Memory
ROM:4001628C 020                 LDR             R0, =sub_140A8              ; Load from Memory
ROM:4001628E 020                 BLX             call_dead_loops             ; Branch with Link and Exchange (immediate address)
ROM:4001628E
ROM:40016292
ROM:40016292     return_1                                                    ; CODE XREF: security_check_CertISW+3C
ROM:40016292 020                 LDR             R0, [R5]                    ; Load from Memory
ROM:40016294 020                 ORR.W           R0, R0, #0b10000000000000   ; set bit #13
ROM:40016298 020                 STR             R0, [R5]                    ; Store to Memory
ROM:4001629A 020                 MOVS            R0, #1                      ; Rd = Op2
ROM:4001629C 020                 B               return                      ; Branch
ROM:4001629C
ROM:4001629C     ; End of function security_check_CertISW
ROM:4001629C
ROM:4001629C     ; ---------------------------------------------------------------------------
ROM:4001629E                     DCW 0
ROM:400162A0     off_400162A0    DCD unk_4020FFB4                            ; DATA XREF: security_check_CertISW+6
ROM:400162A4     dword_400162A4  DCD 0x809795A3                              ; DATA XREF: security_check_CertISW+1C
ROM:400162A8     CertISW_mark    DCB "CertISW",0                             ; DATA XREF: security_check_CertISW+2C
ROM:400162B0     off_400162B0    DCD memory_buffer                           ; DATA XREF: security_check_CertISW+6E
ROM:400162B4     image_cant_exec DCD sub_140A8                               ; DATA XREF: security_check_CertISW+A4

security_ISW_authentication

  1. uint32_t security_ISW_authentication(char *membuf)
  2. {
  3.   uint32_t result;
  4.  
  5.   memory_buffer |= tracing_Initial_SW_authentication_started;
  6.   security_call_SSID_0x04(membuf); // Checking RSA digest of ISW/PPA
  7.   result = 0x4020FFB4;
  8.   *(0x4020FFB4) |= tracing2_No_known_NAND_was_detected;
  9.   return result;
  10. }
Retrieved from "http://droid-developers.org/index.php?title=Secure_Services&oldid=1278"