GitHub Repository: CTCaer/hekate
Path: blob/master/bootloader/hos/pkg1.h
/*
 * Copyright (c) 2018 naehrwert
 * Copyright (c) 2022-2025 CTCaer
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
 * version 2, as published by the Free Software Foundation.
 *
 * This program is distributed in the hope it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
 * more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
#ifndef _PKG1_H_
#define _PKG1_H_
#include <bdk.h>
/*
 * Package1 constants.
 *
 * PKG1_MAGIC is the byte sequence 'P','K','1','1' read as a little-endian
 * 32-bit word.
 * NOTE(review): presumably compared against pk11_hdr_t.magic - confirm in
 * the implementation file.
 */
#define PKG1_MAGIC 0x31314B50

/*
 * Section indices. The suffixes match the wb_, ldr_ and sm_ field prefixes in
 * pk11_hdr_t; how the indices are used is not visible in this header.
 */
#define PK11_SECTION_WB 0
#define PK11_SECTION_LD 1
#define PK11_SECTION_SM 2

/*
 * Bootloader size and storage locations. Each byte offset is divided by
 * EMMC_BLOCKSIZE, so the *_OFFSET values are block indices, not byte offsets.
 */
#define PKG1_BOOTLOADER_SIZE          SZ_256K
#define PKG1_BOOTLOADER_MAIN_OFFSET   (0x100000 / EMMC_BLOCKSIZE)
#define PKG1_BOOTLOADER_BACKUP_OFFSET (0x140000 / EMMC_BLOCKSIZE)
#define PKG1_BOOTLOADER_SAFE_OFFSET   (0x000000 / EMMC_BLOCKSIZE)
#define PKG1_HOS_EKS_OFFSET           (0x180000 / EMMC_BLOCKSIZE)

/*
 * Marker words for a package1 that belongs to the other SoC generation, going
 * by the macro names. Where they are compared is not shown in this header.
 */
#define PKG1_ERISTA_ON_MARIKO_MAGIC 0xE59FD00C // For 4.0.0 Erista and up.
#define PKG1_MARIKO_ON_ERISTA_MAGIC 0x40010040 // Mariko pkg1 entrypoint.
/*
 * One patch record: an offset and the 32-bit value that goes with it.
 *
 * A record with both fields set to 0xFFFFFFFF is the terminator appended by
 * PATCHSET_DEF. A patch set carries no element count, so code walking one
 * must stop at that record.
 * NOTE(review): what 'off' is relative to is not visible in this header.
 */
typedef struct _patch_t
{
	u32 off;
	u32 val;
} patch_t;
/*
 * Defines a const patch_t array called 'name' holding the given records,
 * followed by an all-ones { 0xFFFFFFFF, 0xFFFFFFFF } terminator record.
 *
 * - At least one record must be supplied: __VA_ARGS__ is followed by a comma.
 * - The array is not 'static', so it has external linkage. Expand a given
 *   name in a single translation unit only.
 * - No length is stored. The terminator is the only end marker.
 */
#define PATCHSET_DEF(name, ...) \
	const patch_t name[] = { \
		__VA_ARGS__, \
		{ 0xFFFFFFFF, 0xFFFFFFFF } \
	}
/*
 * Bootloader header layout for T210B01, per the type name.
 *
 * The offset comments add up to a 0x170-byte structure. Every u32 member sits
 * at a 4-byte-aligned offset, so the offsets hold without packing attributes,
 * assuming u8 and u32 are 1- and 4-byte types.
 * NOTE(review): nothing in this header enforces the layout at compile time.
 * Which bytes aes_mac, rsa_sig and sha256 cover is not visible here.
 */
typedef struct _bl_hdr_t210b01_t
{
	/* 0x000 */ u8  aes_mac[0x10];
	/* 0x010 */ u8  rsa_sig[0x100];
	/* 0x110 */ u8  salt[0x20];
	/* 0x130 */ u8  sha256[0x20];
	/* 0x150 */ u32 version;
	/* 0x154 */ u32 size;
	/* 0x158 */ u32 load_addr;
	/* 0x15C */ u32 entrypoint;
	/* 0x160 */ u8  rsvd[0x10];
} bl_hdr_t210b01_t;
/*
 * Key block embedded in pkg1_eks_t: two SE_KEY_128_SIZE-byte fields with 0x70
 * bytes of random_data between them.
 *
 * NOTE(review): the field names indicate key material. Buffers of this type
 * should presumably be kept out of logs and dumps and cleared after use -
 * confirm how callers handle them.
 */
typedef struct _eks_keys_t
{
	u8 master_kekseed[SE_KEY_128_SIZE];
	u8 random_data[0x70];
	u8 package1_key[SE_KEY_128_SIZE];
} eks_keys_t;
/*
 * EKS blob layout: a cmac field, a ctr field, the eks_keys_t key block and
 * 0x150 bytes of padding.
 *
 * The total is 0x200 bytes if SE_KEY_128_SIZE and SE_AES_IV_SIZE are both
 * 0x10 - TODO confirm, as neither is defined in this header.
 * NOTE(review): the cmac field suggests the blob is authenticated. Confirm
 * that consumers check it before using 'keys'.
 */
typedef struct _pkg1_eks_t
{
	u8         cmac[SE_KEY_128_SIZE];
	u8         ctr[SE_AES_IV_SIZE];
	eks_keys_t keys;
	u8         padding[0x150];
} pkg1_eks_t;
77
78
/*
 * Package1 header, 0x20 bytes according to the offset comments.
 *
 * NOTE(review): despite the _sha256 suffix, the first three members are
 * 32-bit fields and cannot hold a full SHA-256 digest. What they contain is
 * not visible in this header.
 * NOTE(review): 'timestamp' is 14 bytes followed directly by 'keygen', so the
 * layout does not guarantee a NUL terminator. Bound any read or comparison to
 * sizeof(timestamp).
 */
typedef struct _pk1_hdr_t
{
	/* 0x00 */ u32  si_sha256;     // Secure Init.
	/* 0x04 */ u32  sm_sha256;     // Secure Monitor.
	/* 0x08 */ u32  sl_sha256;     // Secure Loader.
	/* 0x0C */ u32  unk;           // what's this? It's not warmboot.
	/* 0x10 */ char timestamp[14];
	/* 0x1E */ u8   keygen;
	/* 0x1F */ u8   version;
} pk1_hdr_t;
/*
 * Descriptor for a package1 version. pkg1_get_latest() and pkg1_identify()
 * return pointers to const objects of this type.
 *
 * Member meanings below are read off the names. The table that fills them in
 * is not part of this header.
 */
typedef struct _pkg1_id_t
{
	const char    *id;              // Identifier string.
	u16            mkey;            // Presumably the master key index - confirm.
	u16            fuses;           // Presumably the expected fuse count - confirm.
	u16            tsec_off;
	u16            pkg11_off;
	u32            secmon_base;
	u32            warmboot_base;
	const patch_t *secmon_patchset; // Presumably a PATCHSET_DEF array, so terminator-ended - confirm.
} pkg1_id_t;
/*
 * PK11 header, 0x20 bytes according to the offset comments: a magic word
 * followed by size/offset pairs with the wb_, ldr_ and sm_ prefixes.
 *
 * NOTE(review): the size and offset members presumably come straight from the
 * package image. Code consuming them should range-check each pair against the
 * buffer that was actually read before copying - confirm in the unpack path.
 */
typedef struct _pk11_hdr_t
{
	/* 0x00 */ u32 magic;
	/* 0x04 */ u32 wb_size;
	/* 0x08 */ u32 wb_off;
	/* 0x0C */ u32 pad;
	/* 0x10 */ u32 ldr_size;
	/* 0x14 */ u32 ldr_off;
	/* 0x18 */ u32 sm_size;
	/* 0x1C */ u32 sm_off;
} pk11_hdr_t;
/*
 * NX BIT - Secure monitor mailbox
 *
 * Older versions left the Tegra BIT intact and copied the bootloader info
 * from the BCT into the mailbox at 0x40002E10 (NX_BIT1_MAILBOX_ADDR + 0x10,
 * which is the offset of bl_version in nx_bit_t).
 * From 4.0.0 onwards the boot reason was replaced by the BCT boot type.
 * On newer versions (>= 7.0.0) the Tegra BIT is replaced with the NX BIT,
 * which also includes the secmon state mailbox and the pkg1 and pkg11 headers.
 */
#define NX_BIT1_MAILBOX_ADDR 0x40002E00
#define NX_BIT7_MAILBOX_ADDR 0x40000000
/*
 * State values for the boot handshake.
 *
 * SECMON_STATE_NOT_READY and PKG1_STATE_NOT_READY are both 0.
 * NOTE(review): presumably these are the values exchanged through
 * nx_bit_t.secldr_state and nx_bit_t.secmon_state - confirm against the code
 * that polls the mailbox.
 */
enum
{
	SECMON_STATE_NOT_READY    = 0,

	PKG1_STATE_NOT_READY      = 0,
	PKG1_STATE_NXBC_COPIED    = 1,
	PKG1_STATE_DRAM_READY     = 2,
	PKG1_STATE_PKG2_READY_OLD = 3,
	PKG1_STATE_PKG2_READY     = 4
};
135
136
/*
 * Bit flags for the bootloader attribute word. Going by the prefix, these
 * apply to nx_bit_t.bl_attribute.
 * Bit 0 selects safe mode. Bits 1-3 are the SMC blacklist selectors.
 */
#define NX_BIT_BL_ATTR_SAFE_MODE              BIT(0)
#define NX_BIT_BL_ATTR_SMC_BLACKLIST_STANDARD BIT(1) // Accounted only on >= 8.0.0.
#define NX_BIT_BL_ATTR_SMC_BLACKLIST_DEVICEUD BIT(2) // Accounted only on >= 8.0.0.
#define NX_BIT_BL_ATTR_SMC_BLACKLIST_SAFEMODE BIT(3) // Accounted only on >= 8.0.0.
/*
 * Layout of the NX BIT mailbox (see NX_BIT1_MAILBOX_ADDR and
 * NX_BIT7_MAILBOX_ADDR).
 *
 * The offset comments add up to 0x200 bytes, provided pk1_hdr_t and
 * pk11_hdr_t are 0x20 bytes each as their own offset comments indicate.
 * secldr_state and secmon_state use the vu32 type. It is presumably a
 * volatile u32, since the other side of the mailbox updates these words -
 * confirm in the type definitions.
 * NOTE(review): the bl_attribute comment says bits 1-4 form the SMC blacklist
 * mask, while the NX_BIT_BL_ATTR_* macros only name bits 1-3 - confirm the
 * mask width.
 */
typedef struct _nx_bit_t
{
	/* 0x00 */ u32 secldr_tmr_start;
	/* 0x04 */ u32 secldr_tmr_end;
	/* 0x08 */ u32 secmon_tmr_start;
	/* 0x0C */ u32 secmon_tmr_end;
	/* 0x10 */ u32 bl_version;
	/* 0x14 */ u32 bl_start_block;
	/* 0x18 */ u32 bl_start_page;
	/* 0x1C */ u32 bl_attribute; // bit0: Safe, bit1-4: SMC blacklist mask.
	/* 0x20 */ u32 boot_type;    // 0: None, 1: Coldboot, 2: RCM, 3: UART, 4: Exit RCM.
	/* 0x24 */ u8  padding_nxbit[12];

	/* 0x30 */ pk1_hdr_t  pk1_hdr;  // (>= 7.0.0).
	/* 0x50 */ pk11_hdr_t pk11_hdr; // (>= 7.0.0).
	/* 0x70 */ u8  padding_pkg1[0x88];

	/* 0xF8 */ vu32 secldr_state;
	/* 0xFC */ vu32 secmon_state;
	/* 0x100 */ u8 padding_mail[0x100];
} nx_bit_t;
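/*
 * Package1 API. The implementations are not part of this header, so the notes
 * below are limited to what the signatures show.
 */

/*
 * Returns a pkg1_id_t descriptor, presumably for the newest known version.
 * Declared with (void): before C23 an empty parameter list leaves the
 * arguments unspecified and disables argument checking at call sites.
 */
const pkg1_id_t *pkg1_get_latest(void);

/*
 * Looks up the descriptor matching the package1 image at 'pkg1'.
 * NOTE(review): presumably returns NULL when nothing matches - callers should
 * check before dereferencing.
 */
const pkg1_id_t *pkg1_identify(u8 *pkg1);

/* Decrypts the package1 image. The meaning of the int result is not visible here. */
int pkg1_decrypt(const pkg1_id_t *id, u8 *pkg1);

/*
 * Unpacks sections of 'pkg1' into the three destination buffers and reports a
 * size through 'wb_sz'.
 * NOTE(review): no destination capacities are passed, so the implementation
 * must bound every copy by limits it knows independently of the size and
 * offset fields in the image's pk11_hdr_t - confirm.
 */
const u8 *pkg1_unpack(void *wm_dst, u32 *wb_sz, void *sm_dst, void *ldr_dst, const pkg1_id_t *id, u8 *pkg1);

/* Patches the secure monitor at 'secmon_base'. 'hos_ctxt' is an opaque context pointer. */
void pkg1_secmon_patch(void *hos_ctxt, u32 secmon_base, bool t210b01);

/* Patches the warmboot binary, per the name. 'hos_ctxt' is an opaque context pointer. */
void pkg1_warmboot_patch(void *hos_ctxt);

/* Configures warmboot at 'warmboot_base'. The meaning of the int result is not visible here. */
int pkg1_warmboot_config(void *hos_ctxt, u32 warmboot_base, u32 fuses_fw, u8 mkey);

/* Operates on the warmboot binary at 'warmboot_base'. The details are not visible here. */
void pkg1_warmboot_rsa_mod(u32 warmboot_base);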
#endif