Line 72: |
| | | |
| If (u8*)0x10000000 bit 1 is clear (which means that this happens only on hard reboots), it does the following things: | | If (u8*)0x10000000 bit 1 is clear (which means that this happens only on hard reboots), it does the following things: |
| + | * On [[9.5.0-22|9.5.0-X]]: executes a nop instruction with r0=0 and r1=<address of arm9binhdr+0x50>. |
| * Hashes data from the region [[IO|0x10012000-0x10012090]] using SHA256 via the [[SHA_Registers|SHA]] hardware. | | * Hashes data from the region [[IO|0x10012000-0x10012090]] using SHA256 via the [[SHA_Registers|SHA]] hardware. |
| * Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively. | | * Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively. |
| * Decrypts an unknown 0x10-byte block with keyslot 0x11 using AES-ECB. Then the normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero. Then it uses the output block to set the normalkey for keyslot 0x11. | | * Decrypts an unknown 0x10-byte block with keyslot 0x11 using AES-ECB. Then the normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero. Then it uses the output block to set the normalkey for keyslot 0x11. |
| * Decrypts arm9_bin_buf+0 using keyslot 0x11 with AES-ECB, and initialises keyX for keyslot 0x15 with it. | | * Decrypts arm9_bin_buf+0 using keyslot 0x11 with AES-ECB, and initialises keyX for keyslot 0x15 with it. |
− | * Initialises KeyX for keyslots 0x18-0x20 with the output of decrypting a certain binary sequence with AES-ECB using keyslot 0x11. These are presumably New3DS-specific keys. | + | * Initialises KeyX for keyslots 0x18..0x1F with the output of decrypting a 0x10-byte block with AES-ECB using keyslot 0x11. The last byte in this 0x10-byte input block is increased by 0x01 after initializing each keyslot. These are New3DS-specific keys. |
− | * The normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero. | + | * [[9.5.0-22|9.5.0-X]]: Decrypts the 0x10-byte block at arm9binhdr+0x60 with AES-ECB using keyslot 0x11, then sets the keyX for keyslot 0x16 to the output data. The normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero. |
| | | |
− | It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the CTR to arm9_bin_buf+32. It then proceeds to decrypt the binary with AES-CTR. When done, it decrypts arm9_bin_buf+64 using an hardcoded keyY for keyslot 0x15 and makes sure it's all zeroes. If it is, it does some cleanup then it jumps to the entrypoint for the decrypted binary. Otherwise it will just loop forever. | + | When (u8*)0x10000000 bit 1 is set(which means this happens only when this loader runs again for firm-launch), the normalkey, keyX, and keyY, for keyslot 0x11 are cleared to zero. |
| + | |
| + | It sets KeyY for keyslot 0x15(0x16 with [[9.5.0-22|9.5.0-X]]) to arm9_bin_buf+16, the CTR to arm9_bin_buf+32. It then proceeds to decrypt the binary with AES-CTR. When done, it decrypts arm9_bin_buf+64 using an hardcoded keyY for keyslot 0x15(0x16 with [[9.5.0-22|9.5.0-X]]) and makes sure it's all zeroes. If it is, it does some cleanup then it jumps to the entrypoint for the decrypted binary. Otherwise it will just loop forever. |
| | | |
| Thus, the ARM9 binary has the following header: | | Thus, the ARM9 binary has the following header: |
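Review bot: The revised bullet for keyslots 0x18..0x1F no longer says where the 0x10-byte input block comes from (the old text at least called it "a certain binary sequence"), while the neighbouring bullets do give a source (arm9_bin_buf+0, arm9binhdr+0x60); state whether the block is a constant inside the loader or taken from the header, since that decides whether the derived keys are fixed per firmware or per binary. The new 9.5.0-X lines also introduce two header offsets, arm9binhdr+0x50 (passed in r1 to the nop) and arm9binhdr+0x60 (keyX for keyslot 0x16), so the header layout introduced by "Thus, the ARM9 binary has the following header:" should be extended to list both; the nop entry would additionally benefit from a sentence on why a nop with r0=0 and r1 set is worth documenting. Minor: "bit 1 is set(which means" is missing a space before the parenthesis, and "an hardcoded" should read "a hardcoded".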