Difference between revisions of "Secure Services"
(Added C version of PPA_SMC_handler instead of asm version) |
m (→security_ISW_authentication) |
||
Line 308: | Line 308: | ||
== security_ISW_authentication == | == security_ISW_authentication == | ||
+ | <syntaxhighlight lang="c" line> | ||
+ | uint32_t security_ISW_authentication(char *membuf) | ||
+ | { | ||
+ | uint32_t result; | ||
− | + | memory_buffer |= tracing_Initial_SW_authentication_started; | |
− | + | security_call_SSID_0x04(membuf); // Checking RSA digest of ISW/PPA | |
− | + | result = 0x4020FFB4; | |
− | + | *(0x4020FFB4) |= tracing2_No_known_NAND_was_detected; | |
− | + | return result; | |
− | + | } | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
</syntaxhighlight> | </syntaxhighlight> | ||
[[Category:Security]] | [[Category:Security]] |
Latest revision as of 07:16, 15 January 2012
Contents
Summary
Secure Service ID (SSID) | Secure Service Name | Hardware/Software | Secure Service Description |
---|---|---|---|
0x01 | unknown | Hardware | Authenticate and import keys |
0x02 | unknown | Hardware | Check if R&D certificate present and authenticate it |
0x03 | unknown | Hardware | Load and authenticate PPA |
0x04 | unknown | Hardware | Check RSA digest |
0xf | API_HAL_PA_LOAD | Hardware | Load Protected Application at Secure RAM |
0x11 | API_HAL_PA_UNLOAD_ALL | Hardware | Unload all loaded Protected Applications (except of PPA?) from Secure RAM |
0x13 | API_HAL_SDP_RUNTIME_INIT | Hardware | unknown |
0x15 | API_HAL_SEC_RPC_INIT | Hardware | unknown |
0x19 | API_HAL_CONTEXT_SAVE_RESTORE | Hardware | unknown |
0x1a | API_HAL_SEC_RAM_RESIZE | Hardware | Resize Secure RAM |
0x1e | unknown | Hardware | unknown (from bootrom) |
0x1f | unknown | Hardware | unknown (from bootrom) |
0x22 | API_HAL_KM_CRC_READ | Hardware | unknown |
0x27 | API_HAL_NB_MAX_SVC | Hardware | unknown |
0x28 | unknown | Software | dcache invalidate (defined in PPA from mbmloader) |
0x29 | unknown | Software | L2 aux write (defined in PPA from mbmloader) |
0x2a | unknown | Software | aux write (defined in PPA from mbmloader) |
0x2b | unknown | Software | nonsecure access write (defined in PPA from mbmloader) |
0x31 | API_HAL_MOT_EFUSE | Software | Blow eFuse entry (defined in PPA from mbmloader) |
0x36 | API_HAL_MOT_EFUSE_READ | Software | Read eFuse entry (defined in PPA from mbmloader) |
Security services in BootROM
Using in ROM_CRC_check function (see Application_Processor_Boot_ROM#ROM_CRC_check)
uint32_t security_monitor_parse_flags_and_call(uint32_t ssid, uint32_t proc_id, uint32_t flag, uint32_t params_count, void **params)
{
return security_monitor_call(ssid, proc_id, flag, params_count, params);
}
uint32_t security_monitor_call(uint32_t result, uint32_t proc_id, uint32_t flags, uint32_t param_count, void **params)
{
__mcr(15, 0, result, 7, 5, 4); // Prefetch flush
__mcr(15, 0, result, 7, 10, 4); // Data syncronisation barrier
__asm { SMC 1 ; Secure Monitor Call }
return result;
}
Security services from PPA from mbmloader
void *PPA_control_smc_handler(uint32_t arg)
{
void *result = NULL;
*(0xAF900088) = 0x8000;
switch ( arg )
{
case 40:
result = PPA_control_dcache_invalidate;
break;
case 41:
result = PPA_control_L2_aux_write;
break;
case 42:
result = PPA_control_aux_write;
break;
case 43:
result = PPA_control_nonsecure_access_write;
break;
case 49:
result = PPA_API_HAL_MOT_EFUSE;
break;
case 54:
result = PPA_API_HAL_MOT_EFUSE_READ;
break;
case 44:
result = PPA_control_data_memory_sync;
break;
case 50:
result = PPA_wait_for_something;
break;
case 72:
result = PPA_sub_86FFFD06;
break;
}
return result;
}
security_check_ISW
Invalid language.
You need to specify a language like this: <source lang="html4strict">...</source>
Supported languages for syntax highlighting:
4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic
ROM:400161E8 ; int __cdecl security_check_CertISW(void *arg1, int arg2, void *arg3, int arg4) ROM:400161E8 security_check_CertISW ; CODE XREF: boot_HS_image_exec+C4 ROM:400161E8 ; boot_memory_image_auth_exec+C4 ROM:400161E8 ROM:400161E8 arg_0 = 0 ROM:400161E8 ROM:400161E8 000 PUSH.W {R4-R10,LR} ; count ROM:400161EC 020 MOV R10, R1 ; Rd = Op2 ROM:400161EE 020 LDR R5, =unk_4020FFB4 ; Load from Memory ROM:400161F0 020 MOV R9, R0 ; Rd = Op2 ROM:400161F2 020 LDR R7, [SP,#0x20+arg_0] ; Load from Memory ROM:400161F4 020 MOVS R0, #0 ; Rd = Op2 ROM:400161F6 020 MOV R8, R2 ; Rd = Op2 ROM:400161F8 020 MOV R6, R3 ; Rd = Op2 ROM:400161FA 020 LDR R1, [R5] ; Load from Memory ROM:400161FC 020 ORR.W R1, R1, #tracing2_Reserved2 ; Rd = Op1 | Op2 ROM:40016200 020 STR R1, [R5] ; Store to Memory ROM:40016202 020 MOVS R4, #1 ; Rd = Op2 ROM:40016204 020 LDR R2, =0x809795A3 ; Load from Memory ROM:40016206 020 LDR R1, [R3] ; Load from Memory ROM:40016208 020 CMP R1, R2 ; Set cond. codes on Op1 - Op2 ROM:4001620A 020 BEQ search_CertISW_mark ; Branch ROM:4001620A ROM:4001620C 020 MOVS R4, #0 ; Rd = Op2 ROM:4001620C ROM:4001620E ROM:4001620E search_CertISW_mark ; CODE XREF: security_check_CertISW+22 ROM:4001620E 020 CBNZ R4, found ; Compare and Branch on Non-Zero ROM:4001620E ROM:40016210 020 MOVS R2, #CH_STRINGS.CHMMCSD ; source ROM:40016212 020 MOV R1, R6 ; void * ROM:40016214 020 ADR R0, CertISW_mark ; "CertISW" ROM:40016216 020 BL standard_memcmp ; Branch with Link ROM:40016216 ROM:4001621A 020 CBNZ R0, not_found ; Compare and Branch on Non-Zero ROM:4001621A ROM:4001621C 020 MOVS R0, #1 ; Rd = Op2 ROM:4001621E 020 B found ; Branch ROM:4001621E ROM:40016220 ; --------------------------------------------------------------------------- ROM:40016220 ROM:40016220 not_found ; CODE XREF: security_check_CertISW+32 ROM:40016220 020 MOVS R0, #0 ; Rd = Op2 ROM:40016220 ROM:40016222 ROM:40016222 found ; CODE XREF: security_check_CertISW:search_CertISW_mark ROM:40016222 ; security_check_CertISW+36 ROM:40016222 020 ORRS R0, R4 ; Rd = Op1 | Op2 ROM:40016224 020 BEQ return_1 ; Branch ROM:40016224 ROM:40016226 020 LDRH R0, [R7] ; Load from Memory ROM:40016228 020 LSLS R0, R0, #28 ; Logical Shift Left ROM:4001622A 020 BMI Load_keys_and_search_for_RnD_certificate ; Branch ROM:4001622A ROM:4001622C 020 LDR R0, [R5] ; Load from Memory ROM:4001622E 020 CBZ R4, loc_4001623C ; Compare and Branch on Zero ROM:4001622E ROM:40016230 020 ORR.W R0, R0, #0b1000000000 ; Rd = Op1 | Op2 ROM:40016234 020 STR R0, [R5] ; Store to Memory ROM:40016236 020 ADD.W R0, R6, #0x38 ; Rd = Op1 + Op2 ROM:4001623A 020 B enable_speedup ; Branch ROM:4001623A ROM:4001623C ; --------------------------------------------------------------------------- ROM:4001623C ROM:4001623C loc_4001623C ; CODE XREF: security_check_CertISW+46 ROM:4001623C 020 ORR.W R0, R0, #0b10000000000 ; Rd = Op1 | Op2 ROM:40016240 020 STR R0, [R5] ; Store to Memory ROM:40016242 020 ADD.W R0, R6, #0xA4 ; arg ROM:40016242 ROM:40016246 ROM:40016246 enable_speedup ; CODE XREF: security_check_CertISW+52 ROM:40016246 020 BL load_speedup_table ; Branch with Link ROM:40016246 ROM:4001624A ROM:4001624A Load_keys_and_search_for_RnD_certificate ; CODE XREF: security_check_CertISW+42 ROM:4001624A 020 MOV R0, R9 ; Rd = Op2 ROM:4001624C 020 BL security_call_SSID_0x01 ; SECURITY SERVICE: Load Keys (CertPK) to Secure RAM ROM:4001624C ROM:40016250 020 CMP.W R8, #0 ; Set cond. codes on Op1 - Op2 ROM:40016254 020 BEQ Keys_loaded_without_RnD ; Branch ROM:40016254 ROM:40016256 020 LDR R0, =memory_buffer ; Load from Memory ROM:40016258 020 LDR R1, [R0] ; Load from Memory ROM:4001625A 020 ORR.W R1, R1, #tracing_R&D_certificate_found ; Rd = Op1 | Op2 ROM:4001625E 020 STR R1, [R0] ; Store to Memory ROM:40016260 020 MOV R0, R8 ; arg_1 ROM:40016262 020 BL security_call_SSID_0x02 ; verify R&D certificate ROM:40016262 ROM:40016266 ROM:40016266 Keys_loaded_without_RnD ; CODE XREF: security_check_CertISW+6C ROM:40016266 020 LDR R0, [R5] ; Load from Memory ROM:40016268 020 ORR.W R0, R0, #0x800 ; Rd = Op1 | Op2 ROM:4001626C 020 STR R0, [R5] ; Store to Memory ROM:4001626E 020 MOV R0, R10 ; arg_1 ROM:40016270 020 BL security_call_SSID_0x03 ; load and authenticate PPA ROM:40016270 ROM:40016274 020 CBNZ R0, return_error ; Compare and Branch on Non-Zero ROM:40016274 ROM:40016276 020 LDRH R0, [R7] ; Load from Memory ROM:40016278 020 ORR.W R0, R0, #0x800 ; Rd = Op1 | Op2 ROM:4001627C 020 STRH R0, [R7] ; Store to Memory ROM:4001627E 020 MOVS R0, #0 ; Rd = Op2 ROM:4001627E ROM:40016280 ROM:40016280 return ; CODE XREF: security_check_CertISW+B4 ROM:40016280 020 POP.W {R4-R10,PC} ; Pop registers ROM:40016280 ROM:40016284 ; --------------------------------------------------------------------------- ROM:40016284 ROM:40016284 return_error ; CODE XREF: security_check_CertISW+8C ROM:40016284 020 LDR R0, [R5] ; Load from Memory ROM:40016286 020 ORR.W R0, R0, #0b1000000000000 ; set bit #12 ROM:4001628A 020 STR R0, [R5] ; Store to Memory ROM:4001628C 020 LDR R0, =sub_140A8 ; Load from Memory ROM:4001628E 020 BLX call_dead_loops ; Branch with Link and Exchange (immediate address) ROM:4001628E ROM:40016292 ROM:40016292 return_1 ; CODE XREF: security_check_CertISW+3C ROM:40016292 020 LDR R0, [R5] ; Load from Memory ROM:40016294 020 ORR.W R0, R0, #0b10000000000000 ; set bit #13 ROM:40016298 020 STR R0, [R5] ; Store to Memory ROM:4001629A 020 MOVS R0, #1 ; Rd = Op2 ROM:4001629C 020 B return ; Branch ROM:4001629C ROM:4001629C ; End of function security_check_CertISW ROM:4001629C ROM:4001629C ; --------------------------------------------------------------------------- ROM:4001629E DCW 0 ROM:400162A0 off_400162A0 DCD unk_4020FFB4 ; DATA XREF: security_check_CertISW+6 ROM:400162A4 dword_400162A4 DCD 0x809795A3 ; DATA XREF: security_check_CertISW+1C ROM:400162A8 CertISW_mark DCB "CertISW",0 ; DATA XREF: security_check_CertISW+2C ROM:400162B0 off_400162B0 DCD memory_buffer ; DATA XREF: security_check_CertISW+6E ROM:400162B4 image_cant_exec DCD sub_140A8 ; DATA XREF: security_check_CertISW+A4
security_ISW_authentication
uint32_t security_ISW_authentication(char *membuf)
{
uint32_t result;
memory_buffer |= tracing_Initial_SW_authentication_started;
security_call_SSID_0x04(membuf); // Checking RSA digest of ISW/PPA
result = 0x4020FFB4;
*(0x4020FFB4) |= tracing2_No_known_NAND_was_detected;
return result;
}