From cd17480368e474b05753bd9ab7b04f84a5aaa589 Mon Sep 17 00:00:00 2001 From: Joshua Goins Date: Mon, 15 Apr 2024 22:15:40 -0400 Subject: [PATCH] Add initial files --- .gitignore | 2 + CMakeLists.txt | 11 + LICENSE | 674 +++++++++++++++++ README.md | 31 + src/libkirk/aes.c | 1463 +++++++++++++++++++++++++++++++++++++ src/libkirk/aes.h | 51 ++ src/libkirk/amctrl.c | 825 +++++++++++++++++++++ src/libkirk/amctrl.h | 59 ++ src/libkirk/bn.c | 200 +++++ src/libkirk/ec.c | 423 +++++++++++ src/libkirk/key_vault.h | 78 ++ src/libkirk/kirk_engine.c | 603 +++++++++++++++ src/libkirk/kirk_engine.h | 245 +++++++ src/libkirk/psp_headers.h | 148 ++++ src/libkirk/sha1.c | 389 ++++++++++ src/libkirk/sha1.h | 52 ++ src/pkgrip.c | 487 ++++++++++++ 17 files changed, 5741 insertions(+) create mode 100644 .gitignore create mode 100644 CMakeLists.txt create mode 100644 LICENSE create mode 100644 README.md create mode 100644 src/libkirk/aes.c create mode 100644 src/libkirk/aes.h create mode 100644 src/libkirk/amctrl.c create mode 100644 src/libkirk/amctrl.h create mode 100644 src/libkirk/bn.c create mode 100644 src/libkirk/ec.c create mode 100644 src/libkirk/key_vault.h create mode 100644 src/libkirk/kirk_engine.c create mode 100644 src/libkirk/kirk_engine.h create mode 100644 src/libkirk/psp_headers.h create mode 100644 src/libkirk/sha1.c create mode 100644 src/libkirk/sha1.h create mode 100644 src/pkgrip.c diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..88a44a6 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.directory +/cmake-*build* \ No newline at end of file diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100644 index 0000000..ed91581 --- /dev/null +++ b/CMakeLists.txt @@ -0,0 +1,11 @@ +cmake_minimum_required(VERSION 3.16) +project(pkgrip) + +add_executable(pkgrip + src/libkirk/aes.c + src/libkirk/amctrl.c + src/libkirk/bn.c + src/libkirk/ec.c + src/libkirk/kirk_engine.c + src/libkirk/sha1.c + src/pkgrip.c) \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..20d40b6 --- /dev/null +++ b/LICENSE @@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..945aba6 --- /dev/null +++ b/README.md @@ -0,0 +1,31 @@ +# pkgrip + +Tool for decrypting PS3/PSP [PKG files](https://psdevwiki.com/ps3/PKG_files). + +This is modified [from it's original source code](https://github.com/qwikrazor87/pkgrip) to include some patches, and fixes I needed for what I needed the tool for. I also ported to CMake. + +## Usage + +Compile with CMake and then run `pkgrip`: + +```shell +$ ./pkgrip +Usage: + pkgrip [options] pathtopkg + +Options: (optional) + -psp - extract PSP files only + -ps3 - extract PS3 files only + Both enabled by default. +``` + +## Credits + +* [qwikrazor87](https://github.com/qwikrazor87) for writing pkgrip. +* [misha](https://github.com/it-misha) for her patch to increase the supported file up to 16 GB. + +## License + +![GPLv3](https://www.gnu.org/graphics/gplv3-127x51.png) + +This project is licensed under the GNU General Public License 3. Some parts of libkirk may be licensed differently. \ No newline at end of file diff --git a/src/libkirk/aes.c b/src/libkirk/aes.c new file mode 100644 index 0000000..e1b50c6 --- /dev/null +++ b/src/libkirk/aes.c @@ -0,0 +1,1463 @@ +/* $OpenBSD: rijndael.c,v 1.19 2008/06/09 07:49:45 djm Exp $ */ + +/** + * rijndael-alg-fst.c + * + * @version 3.0 (December 2000) + * + * Optimised ANSI C code for the Rijndael cipher (now AES) + * + * @author Vincent Rijmen + * @author Antoon Bosselaers + * @author Paulo Barreto + * + * This code is hereby placed in the public domain. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include + +#include "aes.h" + +#undef FULL_UNROLL + +//CMAC GLOBS +#define AES_128 0 +unsigned char const_Rb[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87 +}; +unsigned char const_Zero[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +//END + +/* +Te0[x] = S [x].[02, 01, 01, 03]; +Te1[x] = S [x].[03, 02, 01, 01]; +Te2[x] = S [x].[01, 03, 02, 01]; +Te3[x] = S [x].[01, 01, 03, 02]; +Te4[x] = S [x].[01, 01, 01, 01]; + +Td0[x] = Si[x].[0e, 09, 0d, 0b]; +Td1[x] = Si[x].[0b, 0e, 09, 0d]; +Td2[x] = Si[x].[0d, 0b, 0e, 09]; +Td3[x] = Si[x].[09, 0d, 0b, 0e]; +Td4[x] = Si[x].[01, 01, 01, 01]; +*/ + +static const u32 Te0[256] = { + 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, + 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U, + 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU, + 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU, + 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U, + 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU, + 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU, + 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU, + 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU, + 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU, + 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U, + 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU, + 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU, + 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U, + 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU, + 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU, + 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU, + 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU, + 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU, + 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U, + 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU, + 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU, + 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU, + 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU, + 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U, + 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U, + 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U, + 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U, + 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU, + 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U, + 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U, + 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU, + 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU, + 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U, + 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U, + 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U, + 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU, + 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U, + 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU, + 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U, + 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU, + 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U, + 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U, + 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU, + 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U, + 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U, + 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U, + 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U, + 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U, + 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U, + 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U, + 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U, + 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU, + 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U, + 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U, + 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U, + 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U, + 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U, + 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U, + 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU, + 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U, + 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U, + 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U, + 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU, +}; + +static const u32 Te1[256] = { + 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU, + 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U, + 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU, + 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U, + 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU, + 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U, + 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU, + 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U, + 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U, + 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU, + 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U, + 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U, + 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U, + 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU, + 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U, + 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U, + 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU, + 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U, + 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U, + 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U, + 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU, + 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU, + 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U, + 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU, + 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU, + 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U, + 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU, + 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U, + 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU, + 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U, + 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U, + 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U, + 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU, + 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U, + 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU, + 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U, + 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU, + 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U, + 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U, + 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU, + 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU, + 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU, + 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U, + 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U, + 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU, + 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U, + 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU, + 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U, + 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU, + 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U, + 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU, + 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU, + 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U, + 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU, + 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U, + 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU, + 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U, + 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U, + 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U, + 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU, + 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU, + 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U, + 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU, + 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U, +}; + +static const u32 Te2[256] = { + 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU, + 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U, + 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU, + 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U, + 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU, + 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U, + 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU, + 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U, + 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U, + 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU, + 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U, + 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U, + 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U, + 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU, + 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U, + 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U, + 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU, + 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U, + 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U, + 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U, + 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU, + 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU, + 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U, + 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU, + 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU, + 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U, + 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU, + 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U, + 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU, + 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U, + 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U, + 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U, + 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU, + 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U, + 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU, + 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U, + 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU, + 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U, + 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U, + 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU, + 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU, + 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU, + 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U, + 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U, + 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU, + 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U, + 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU, + 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U, + 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU, + 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U, + 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU, + 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU, + 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U, + 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU, + 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U, + 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU, + 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U, + 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U, + 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U, + 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU, + 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU, + 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U, + 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU, + 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U, +}; + +static const u32 Te3[256] = { + 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U, + 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U, + 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U, + 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU, + 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU, + 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU, + 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U, + 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU, + 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU, + 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U, + 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U, + 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU, + 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU, + 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU, + 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU, + 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU, + 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U, + 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU, + 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU, + 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U, + 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U, + 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U, + 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U, + 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U, + 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU, + 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U, + 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU, + 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU, + 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U, + 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U, + 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U, + 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU, + 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U, + 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU, + 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU, + 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U, + 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U, + 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU, + 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U, + 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU, + 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U, + 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U, + 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U, + 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U, + 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU, + 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U, + 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU, + 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U, + 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU, + 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U, + 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU, + 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU, + 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU, + 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU, + 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U, + 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U, + 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U, + 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U, + 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U, + 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U, + 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU, + 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U, + 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU, + 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU, +}; + +static const u32 Te4[256] = { + 0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU, + 0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U, + 0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU, + 0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U, + 0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU, + 0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U, + 0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU, + 0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U, + 0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U, + 0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU, + 0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U, + 0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U, + 0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U, + 0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU, + 0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U, + 0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U, + 0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU, + 0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U, + 0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U, + 0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U, + 0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU, + 0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU, + 0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U, + 0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU, + 0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU, + 0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U, + 0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU, + 0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U, + 0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU, + 0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U, + 0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U, + 0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U, + 0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU, + 0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U, + 0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU, + 0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U, + 0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU, + 0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U, + 0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U, + 0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU, + 0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU, + 0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU, + 0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U, + 0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U, + 0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU, + 0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U, + 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU, + 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U, + 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU, + 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U, + 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU, + 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU, + 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U, + 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU, + 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U, + 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU, + 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U, + 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U, + 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U, + 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU, + 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU, + 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U, + 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU, + 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U, +}; + +static const u32 Td0[256] = { + 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U, + 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U, + 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U, + 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU, + 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U, + 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U, + 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU, + 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U, + 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU, + 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U, + 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U, + 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U, + 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U, + 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU, + 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U, + 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU, + 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U, + 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU, + 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U, + 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U, + 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U, + 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU, + 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U, + 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU, + 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U, + 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU, + 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U, + 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU, + 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU, + 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U, + 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU, + 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U, + 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU, + 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U, + 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U, + 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U, + 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU, + 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U, + 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U, + 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU, + 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U, + 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U, + 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U, + 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U, + 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U, + 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU, + 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U, + 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U, + 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U, + 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U, + 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U, + 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU, + 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU, + 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU, + 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU, + 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U, + 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U, + 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU, + 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU, + 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U, + 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU, + 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U, + 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U, + 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U, +}; + +static const u32 Td1[256] = { + 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU, + 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U, + 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU, + 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U, + 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U, + 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U, + 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U, + 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U, + 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U, + 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU, + 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU, + 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU, + 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U, + 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU, + 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U, + 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U, + 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U, + 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU, + 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU, + 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U, + 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU, + 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U, + 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU, + 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU, + 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U, + 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U, + 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U, + 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU, + 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U, + 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU, + 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U, + 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U, + 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U, + 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU, + 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U, + 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U, + 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U, + 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U, + 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U, + 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U, + 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU, + 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU, + 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U, + 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU, + 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U, + 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU, + 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU, + 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U, + 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU, + 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U, + 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U, + 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U, + 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U, + 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U, + 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U, + 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U, + 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU, + 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U, + 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U, + 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU, + 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U, + 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U, + 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U, + 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U, +}; + +static const u32 Td2[256] = { + 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U, + 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U, + 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U, + 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U, + 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU, + 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U, + 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U, + 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U, + 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U, + 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU, + 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U, + 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U, + 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU, + 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U, + 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U, + 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U, + 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U, + 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U, + 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U, + 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU, + 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U, + 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U, + 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U, + 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U, + 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U, + 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU, + 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU, + 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U, + 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU, + 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U, + 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU, + 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU, + 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU, + 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU, + 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U, + 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U, + 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U, + 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U, + 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U, + 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U, + 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U, + 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU, + 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU, + 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U, + 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U, + 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU, + 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU, + 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U, + 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U, + 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U, + 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U, + 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U, + 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U, + 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U, + 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU, + 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U, + 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U, + 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U, + 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U, + 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U, + 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U, + 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU, + 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U, + 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U, +}; + +static const u32 Td3[256] = { + 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU, + 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU, + 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U, + 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U, + 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU, + 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU, + 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U, + 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU, + 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U, + 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU, + 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U, + 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U, + 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U, + 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U, + 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U, + 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU, + 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU, + 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U, + 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U, + 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU, + 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU, + 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U, + 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U, + 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U, + 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U, + 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU, + 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U, + 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U, + 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU, + 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU, + 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U, + 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U, + 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U, + 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU, + 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U, + 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U, + 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U, + 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U, + 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U, + 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U, + 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U, + 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU, + 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U, + 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U, + 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU, + 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU, + 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U, + 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU, + 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U, + 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U, + 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U, + 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U, + 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U, + 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U, + 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU, + 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU, + 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU, + 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU, + 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U, + 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U, + 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U, + 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU, + 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U, + 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U, +}; + +static const u32 Td4[256] = { + 0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U, + 0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U, + 0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU, + 0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU, + 0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U, + 0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U, + 0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U, + 0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU, + 0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U, + 0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU, + 0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU, + 0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU, + 0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U, + 0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U, + 0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U, + 0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U, + 0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U, + 0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U, + 0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU, + 0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U, + 0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U, + 0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU, + 0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U, + 0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U, + 0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U, + 0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU, + 0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U, + 0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U, + 0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU, + 0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U, + 0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U, + 0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU, + 0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U, + 0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU, + 0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU, + 0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U, + 0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U, + 0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U, + 0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U, + 0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU, + 0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U, + 0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U, + 0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU, + 0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU, + 0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU, + 0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U, + 0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU, + 0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U, + 0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U, + 0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U, + 0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U, + 0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU, + 0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U, + 0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU, + 0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU, + 0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU, + 0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU, + 0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U, + 0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU, + 0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U, + 0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU, + 0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U, + 0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U, + 0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU, +}; + +static const u32 rcon[] = { + 0x01000000, 0x02000000, 0x04000000, 0x08000000, + 0x10000000, 0x20000000, 0x40000000, 0x80000000, + 0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */ +}; + +#define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] << 8) ^ ((u32)(pt)[3])) +#define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >> 8); (ct)[3] = (u8)(st); } + +/** + * Expand the cipher key into the encryption key schedule. + * + * @return the number of rounds for the given cipher key size. + */ +int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) +{ + int i = 0; + u32 temp; + + rk[0] = GETU32(cipherKey ); + rk[1] = GETU32(cipherKey + 4); + rk[2] = GETU32(cipherKey + 8); + rk[3] = GETU32(cipherKey + 12); + if (keyBits == 128) { + for (;;) { + temp = rk[3]; + rk[4] = rk[0] ^ + (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te4[(temp ) & 0xff] & 0x0000ff00) ^ + (Te4[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[5] = rk[1] ^ rk[4]; + rk[6] = rk[2] ^ rk[5]; + rk[7] = rk[3] ^ rk[6]; + if (++i == 10) { + return 10; + } + rk += 4; + } + } + rk[4] = GETU32(cipherKey + 16); + rk[5] = GETU32(cipherKey + 20); + if (keyBits == 192) { + for (;;) { + temp = rk[ 5]; + rk[ 6] = rk[ 0] ^ + (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te4[(temp ) & 0xff] & 0x0000ff00) ^ + (Te4[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[ 7] = rk[ 1] ^ rk[ 6]; + rk[ 8] = rk[ 2] ^ rk[ 7]; + rk[ 9] = rk[ 3] ^ rk[ 8]; + if (++i == 8) { + return 12; + } + rk[10] = rk[ 4] ^ rk[ 9]; + rk[11] = rk[ 5] ^ rk[10]; + rk += 6; + } + } + rk[6] = GETU32(cipherKey + 24); + rk[7] = GETU32(cipherKey + 28); + if (keyBits == 256) { + for (;;) { + temp = rk[ 7]; + rk[ 8] = rk[ 0] ^ + (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te4[(temp ) & 0xff] & 0x0000ff00) ^ + (Te4[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[ 9] = rk[ 1] ^ rk[ 8]; + rk[10] = rk[ 2] ^ rk[ 9]; + rk[11] = rk[ 3] ^ rk[10]; + if (++i == 7) { + return 14; + } + temp = rk[11]; + rk[12] = rk[ 4] ^ + (Te4[(temp >> 24) ] & 0xff000000) ^ + (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(temp >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(temp ) & 0xff] & 0x000000ff); + rk[13] = rk[ 5] ^ rk[12]; + rk[14] = rk[ 6] ^ rk[13]; + rk[15] = rk[ 7] ^ rk[14]; + rk += 8; + } + } + return 0; +} + +/** + * Expand the cipher key into the decryption key schedule. + * + * @return the number of rounds for the given cipher key size. + */ +int rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) +{ + int Nr, i, j; + u32 temp; + + /* expand the cipher key: */ + Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits); + + /* invert the order of the round keys: */ + for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) { + temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp; + temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp; + temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp; + temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp; + } + /* apply the inverse MixColumn transform to all round keys but the first and the last: */ + for (i = 1; i < Nr; i++) { + rk += 4; + rk[0] = + Td0[Te4[(rk[0] >> 24) ] & 0xff] ^ + Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^ + Td2[Te4[(rk[0] >> 8) & 0xff] & 0xff] ^ + Td3[Te4[(rk[0] ) & 0xff] & 0xff]; + rk[1] = + Td0[Te4[(rk[1] >> 24) ] & 0xff] ^ + Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^ + Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^ + Td3[Te4[(rk[1] ) & 0xff] & 0xff]; + rk[2] = + Td0[Te4[(rk[2] >> 24) ] & 0xff] ^ + Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^ + Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^ + Td3[Te4[(rk[2] ) & 0xff] & 0xff]; + rk[3] = + Td0[Te4[(rk[3] >> 24) ] & 0xff] ^ + Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^ + Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^ + Td3[Te4[(rk[3] ) & 0xff] & 0xff]; + } + return Nr; +} + +void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], + u8 ct[16]) +{ + u32 s0, s1, s2, s3, t0, t1, t2, t3; +#ifndef FULL_UNROLL + int r; +#endif /* ?FULL_UNROLL */ + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(pt ) ^ rk[0]; + s1 = GETU32(pt + 4) ^ rk[1]; + s2 = GETU32(pt + 8) ^ rk[2]; + s3 = GETU32(pt + 12) ^ rk[3]; +#ifdef FULL_UNROLL + /* round 1: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11]; + /* round 3: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19]; + /* round 5: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27]; + /* round 7: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35]; + /* round 9: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39]; + if (Nr > 10) { + /* round 10: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43]; + /* round 11: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47]; + if (Nr > 12) { + /* round 12: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51]; + /* round 13: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55]; + } + } + rk += Nr << 2; +#else /* !FULL_UNROLL */ + /* + * Nr - 1 full rounds: + */ + r = Nr >> 1; + for (;;) { + t0 = + Te0[(s0 >> 24) ] ^ + Te1[(s1 >> 16) & 0xff] ^ + Te2[(s2 >> 8) & 0xff] ^ + Te3[(s3 ) & 0xff] ^ + rk[4]; + t1 = + Te0[(s1 >> 24) ] ^ + Te1[(s2 >> 16) & 0xff] ^ + Te2[(s3 >> 8) & 0xff] ^ + Te3[(s0 ) & 0xff] ^ + rk[5]; + t2 = + Te0[(s2 >> 24) ] ^ + Te1[(s3 >> 16) & 0xff] ^ + Te2[(s0 >> 8) & 0xff] ^ + Te3[(s1 ) & 0xff] ^ + rk[6]; + t3 = + Te0[(s3 >> 24) ] ^ + Te1[(s0 >> 16) & 0xff] ^ + Te2[(s1 >> 8) & 0xff] ^ + Te3[(s2 ) & 0xff] ^ + rk[7]; + + rk += 8; + if (--r == 0) { + break; + } + + s0 = + Te0[(t0 >> 24) ] ^ + Te1[(t1 >> 16) & 0xff] ^ + Te2[(t2 >> 8) & 0xff] ^ + Te3[(t3 ) & 0xff] ^ + rk[0]; + s1 = + Te0[(t1 >> 24) ] ^ + Te1[(t2 >> 16) & 0xff] ^ + Te2[(t3 >> 8) & 0xff] ^ + Te3[(t0 ) & 0xff] ^ + rk[1]; + s2 = + Te0[(t2 >> 24) ] ^ + Te1[(t3 >> 16) & 0xff] ^ + Te2[(t0 >> 8) & 0xff] ^ + Te3[(t1 ) & 0xff] ^ + rk[2]; + s3 = + Te0[(t3 >> 24) ] ^ + Te1[(t0 >> 16) & 0xff] ^ + Te2[(t1 >> 8) & 0xff] ^ + Te3[(t2 ) & 0xff] ^ + rk[3]; + } +#endif /* ?FULL_UNROLL */ + /* + * apply last round and + * map cipher state to byte array block: + */ + s0 = + (Te4[(t0 >> 24) ] & 0xff000000) ^ + (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(t2 >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(t3 ) & 0xff] & 0x000000ff) ^ + rk[0]; + PUTU32(ct , s0); + s1 = + (Te4[(t1 >> 24) ] & 0xff000000) ^ + (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(t3 >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(t0 ) & 0xff] & 0x000000ff) ^ + rk[1]; + PUTU32(ct + 4, s1); + s2 = + (Te4[(t2 >> 24) ] & 0xff000000) ^ + (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(t0 >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(t1 ) & 0xff] & 0x000000ff) ^ + rk[2]; + PUTU32(ct + 8, s2); + s3 = + (Te4[(t3 >> 24) ] & 0xff000000) ^ + (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(t1 >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(t2 ) & 0xff] & 0x000000ff) ^ + rk[3]; + PUTU32(ct + 12, s3); +} + +static void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], + u8 pt[16]) +{ + u32 s0, s1, s2, s3, t0, t1, t2, t3; +#ifndef FULL_UNROLL + int r; +#endif /* ?FULL_UNROLL */ + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(ct ) ^ rk[0]; + s1 = GETU32(ct + 4) ^ rk[1]; + s2 = GETU32(ct + 8) ^ rk[2]; + s3 = GETU32(ct + 12) ^ rk[3]; +#ifdef FULL_UNROLL + /* round 1: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11]; + /* round 3: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19]; + /* round 5: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27]; + /* round 7: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35]; + /* round 9: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39]; + if (Nr > 10) { + /* round 10: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43]; + /* round 11: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47]; + if (Nr > 12) { + /* round 12: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51]; + /* round 13: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55]; + } + } + rk += Nr << 2; +#else /* !FULL_UNROLL */ + /* + * Nr - 1 full rounds: + */ + r = Nr >> 1; + for (;;) { + t0 = + Td0[(s0 >> 24) ] ^ + Td1[(s3 >> 16) & 0xff] ^ + Td2[(s2 >> 8) & 0xff] ^ + Td3[(s1 ) & 0xff] ^ + rk[4]; + t1 = + Td0[(s1 >> 24) ] ^ + Td1[(s0 >> 16) & 0xff] ^ + Td2[(s3 >> 8) & 0xff] ^ + Td3[(s2 ) & 0xff] ^ + rk[5]; + t2 = + Td0[(s2 >> 24) ] ^ + Td1[(s1 >> 16) & 0xff] ^ + Td2[(s0 >> 8) & 0xff] ^ + Td3[(s3 ) & 0xff] ^ + rk[6]; + t3 = + Td0[(s3 >> 24) ] ^ + Td1[(s2 >> 16) & 0xff] ^ + Td2[(s1 >> 8) & 0xff] ^ + Td3[(s0 ) & 0xff] ^ + rk[7]; + + rk += 8; + if (--r == 0) { + break; + } + + s0 = + Td0[(t0 >> 24) ] ^ + Td1[(t3 >> 16) & 0xff] ^ + Td2[(t2 >> 8) & 0xff] ^ + Td3[(t1 ) & 0xff] ^ + rk[0]; + s1 = + Td0[(t1 >> 24) ] ^ + Td1[(t0 >> 16) & 0xff] ^ + Td2[(t3 >> 8) & 0xff] ^ + Td3[(t2 ) & 0xff] ^ + rk[1]; + s2 = + Td0[(t2 >> 24) ] ^ + Td1[(t1 >> 16) & 0xff] ^ + Td2[(t0 >> 8) & 0xff] ^ + Td3[(t3 ) & 0xff] ^ + rk[2]; + s3 = + Td0[(t3 >> 24) ] ^ + Td1[(t2 >> 16) & 0xff] ^ + Td2[(t1 >> 8) & 0xff] ^ + Td3[(t0 ) & 0xff] ^ + rk[3]; + } +#endif /* ?FULL_UNROLL */ + /* + * apply last round and + * map cipher state to byte array block: + */ + s0 = + (Td4[(t0 >> 24) ] & 0xff000000) ^ + (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t2 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t1 ) & 0xff] & 0x000000ff) ^ + rk[0]; + PUTU32(pt , s0); + s1 = + (Td4[(t1 >> 24) ] & 0xff000000) ^ + (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t2 ) & 0xff] & 0x000000ff) ^ + rk[1]; + PUTU32(pt + 4, s1); + s2 = + (Td4[(t2 >> 24) ] & 0xff000000) ^ + (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t3 ) & 0xff] & 0x000000ff) ^ + rk[2]; + PUTU32(pt + 8, s2); + s3 = + (Td4[(t3 >> 24) ] & 0xff000000) ^ + (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t0 ) & 0xff] & 0x000000ff) ^ + rk[3]; + PUTU32(pt + 12, s3); +} + +/* setup key context for encryption only */ +int rijndael_set_key_enc_only(rijndael_ctx *ctx, const u8 *key, int bits) +{ + int rounds; + + rounds = rijndaelKeySetupEnc(ctx->ek, key, bits); + if (rounds == 0) + return -1; + + ctx->Nr = rounds; + ctx->enc_only = 1; + + return 0; +} + +/* setup key context for both encryption and decryption */ +int rijndael_set_key(rijndael_ctx *ctx, const u8 *key, int bits) +{ + int rounds; + + rounds = rijndaelKeySetupEnc(ctx->ek, key, bits); + if (rounds == 0) + return -1; + if (rijndaelKeySetupDec(ctx->dk, key, bits) != rounds) + return -1; + + ctx->Nr = rounds; + ctx->enc_only = 0; + + return 0; +} + +void rijndael_decrypt(rijndael_ctx *ctx, const u8 *src, u8 *dst) +{ + rijndaelDecrypt(ctx->dk, ctx->Nr, src, dst); +} + +void rijndael_encrypt(rijndael_ctx *ctx, const u8 *src, u8 *dst) +{ + rijndaelEncrypt(ctx->ek, ctx->Nr, src, dst); +} + +int AES_set_key(AES_ctx *ctx, const u8 *key, int bits) +{ + return rijndael_set_key((rijndael_ctx *)ctx, key, bits); +} + +void AES_decrypt(AES_ctx *ctx, const u8 *src, u8 *dst) +{ + rijndaelDecrypt(ctx->dk, ctx->Nr, src, dst); +} + +void AES_encrypt(AES_ctx *ctx, const u8 *src, u8 *dst) +{ + rijndaelEncrypt(ctx->ek, ctx->Nr, src, dst); +} + +void xor_128(unsigned char *a, unsigned char *b, unsigned char *out) +{ + int i; + for (i=0;i<16; i++) + { + out[i] = a[i] ^ b[i]; + } +} + +//No IV support! +void AES_cbc_encrypt(AES_ctx *ctx, u8 *src, u8 *dst, int size) +{ + u8 block_buff[16]; + + int i; + for(i = 0; i < size; i+=16) + { + //step 1: copy block to dst + memcpy(dst, src, 16); + //step 2: XOR with previous block + if(i) xor_128(dst, block_buff, dst); + //step 3: encrypt the block -> it land in block buffer + AES_encrypt(ctx, dst, block_buff); + //step 4: copy back the encrypted block to destination + memcpy(dst, block_buff, 16); + + dst += 16; + src += 16; + } +} + +void AES_cbc_decrypt(AES_ctx *ctx, u8 *src, u8 *dst, int size) +{ + u8 block_buff[16]; + u8 block_buff_previous[16]; + int i; + + memcpy(block_buff, src, 16); + memcpy(block_buff_previous, src, 16); + AES_decrypt(ctx, src, dst); + + dst += 16; + src += 16; + + for(i = 16; i < size; i+=16) + { + //step1: backup current block for next block decrypt + memcpy(block_buff, src, 16); + //step2: copy current block to destination + memcpy(dst, src, 16); + //step3: decrypt current buffer in place + AES_decrypt(ctx, dst, dst); + //step4: XOR current buffer with previous buffer + xor_128(dst, block_buff_previous, dst); + //step5: swap buffers + memcpy(block_buff_previous, block_buff, 16); + + dst += 16; + src += 16; + } +} + +/* AES-CMAC Generation Function */ +void leftshift_onebit(unsigned char *input,unsigned char *output) +{ + int i; + unsigned char overflow = 0; + + for ( i=15; i>=0; i-- ) + { + output[i] = input[i] << 1; + output[i] |= overflow; + overflow = (input[i] & 0x80)?1:0; + } +} + +void generate_subkey(AES_ctx *ctx, unsigned char *K1, unsigned char *K2) +{ + unsigned char L[16]; + unsigned char Z[16]; + unsigned char tmp[16]; + int i; + + for ( i=0; i<16; i++ ) Z[i] = 0; + + + AES_encrypt(ctx, Z, L); + + if ( (L[0] & 0x80) == 0 ) /* If MSB(L) = 0, then K1 = L << 1 */ + { + leftshift_onebit(L,K1); + } else { /* Else K1 = ( L << 1 ) (+) Rb */ + leftshift_onebit(L,tmp); + xor_128(tmp,const_Rb,K1); + } + + if ( (K1[0] & 0x80) == 0 ) + { + leftshift_onebit(K1,K2); + } else { + leftshift_onebit(K1,tmp); + xor_128(tmp,const_Rb,K2); + } +} + +void padding (unsigned char *lastb, unsigned char *pad, int length) +{ + int j; + + /* original last block */ + for ( j=0; j<16; j++ ) + { + if ( j < length ) + { + pad[j] = lastb[j]; + } else if ( j == length ) { + pad[j] = 0x80; + } else { + pad[j] = 0x00; + } + } +} + +void AES_CMAC (AES_ctx *ctx, unsigned char *input, int length, unsigned char *mac) +{ + unsigned char X[16],Y[16], M_last[16], padded[16]; + unsigned char K1[16], K2[16]; + int n, i, flag; + generate_subkey(ctx,K1,K2); + + n = (length+15) / 16; /* n is number of rounds */ + + if (n == 0) + { + n = 1; + flag = 0; + } else { + if ((length%16) == 0) { /* last block is a complete block */ + flag = 1; + } else { /* last block is not complete block */ + flag = 0; + } + + } + + if (flag) { /* last block is complete block */ + xor_128(&input[16*(n-1)],K1,M_last); + } else { + padding(&input[16*(n-1)],padded,length%16); + xor_128(padded,K2,M_last); + } + + for (i=0; i<16; i++) X[i] = 0; + for (i=0; i +// Licensed under the terms of the GNU GPL, version 3 +// http://www.gnu.org/licenses/gpl-3.0.txt + +#include +#include +#include + +#include "kirk_engine.h" +#include "amctrl.h" +#include "aes.h" + +// KIRK buffer. +static u8 kirk_buf[0x0814]; + +// AMCTRL keys. +static u8 amctrl_key1[0x10] = {0xE3, 0x50, 0xED, 0x1D, 0x91, 0x0A, 0x1F, 0xD0, 0x29, 0xBB, 0x1C, 0x3E, 0xF3, 0x40, 0x77, 0xFB}; +static u8 amctrl_key2[0x10] = {0x13, 0x5F, 0xA4, 0x7C, 0xAB, 0x39, 0x5B, 0xA4, 0x76, 0xB8, 0xCC, 0xA9, 0x8F, 0x3A, 0x04, 0x45}; +static u8 amctrl_key3[0x10] = {0x67, 0x8D, 0x7F, 0xA3, 0x2A, 0x9C, 0xA0, 0xD1, 0x50, 0x8A, 0xD8, 0x38, 0x5E, 0x4B, 0x01, 0x7E}; + +u8 dnas_key1A90[] = {0xED,0xE2,0x5D,0x2D,0xBB,0xF8,0x12,0xE5,0x3C,0x5C,0x59,0x32,0xFA,0xE3,0xE2,0x43}; +u8 dnas_key1AA0[] = {0x27,0x74,0xFB,0xEB,0xA4,0xA0,0x01,0xD7,0x02,0x56,0x9E,0x33,0x8C,0x19,0x57,0x83}; + +// sceNpDrmGetFixedKey keys. +static u8 npdrm_enc_keys[0x30] = { + 0x07, 0x3D, 0x9E, 0x9D, 0xA8, 0xFD, 0x3B, 0x2F, 0x63, 0x18, 0x93, 0x2E, 0xF8, 0x57, 0xA6, 0x64, + 0x37, 0x49, 0xB7, 0x01, 0xCA, 0xE2, 0xE0, 0xC5, 0x44, 0x2E, 0x06, 0xB6, 0x1E, 0xFF, 0x84, 0xF2, + 0x9D, 0x31, 0xB8, 0x5A, 0xC8, 0xFA, 0x16, 0x80, 0x73, 0x60, 0x18, 0x82, 0x18, 0x77, 0x91, 0x9D, +}; +static u8 npdrm_fixed_key[0x10] = { + 0x38, 0x20, 0xD0, 0x11, 0x07, 0xA3, 0xFF, 0x3E, 0x0A, 0x4C, 0x20, 0x85, 0x39, 0x10, 0xB5, 0x54, +}; + +/* + KIRK wrapper functions. +*/ +static int kirk4(u8 *buf, int size, int type) +{ + int retv; + u32 *header = (u32*)buf; + + header[0] = 4; + header[1] = 0; + header[2] = 0; + header[3] = type; + header[4] = size; + + retv = sceUtilsBufferCopyWithRange(buf, size + 0x14, buf, size, 4); + + if (retv) + return 0x80510311; + + return 0; +} + +static int kirk7(u8 *buf, int size, int type) +{ + int retv; + u32 *header = (u32*)buf; + + header[0] = 5; + header[1] = 0; + header[2] = 0; + header[3] = type; + header[4] = size; + + retv = sceUtilsBufferCopyWithRange(buf, size + 0x14, buf, size, 7); + + if (retv) + return 0x80510311; + + return 0; +} + +static int kirk5(u8 *buf, int size) +{ + int retv; + u32 *header = (u32*)buf; + + header[0] = 4; + header[1] = 0; + header[2] = 0; + header[3] = 0x0100; + header[4] = size; + + retv = sceUtilsBufferCopyWithRange(buf, size + 0x14, buf, size, 5); + + if (retv) + return 0x80510312; + + return 0; +} + +static int kirk8(u8 *buf, int size) +{ + int retv; + u32 *header = (u32*)buf; + + header[0] = 5; + header[1] = 0; + header[2] = 0; + header[3] = 0x0100; + header[4] = size; + + retv = sceUtilsBufferCopyWithRange(buf, size+0x14, buf, size, 8); + + if (retv) + return 0x80510312; + + return 0; +} + +static int kirk14(u8 *buf) +{ + int retv; + + retv = sceUtilsBufferCopyWithRange(buf, 0x14, 0, 0, 14); + + if (retv) + return 0x80510315; + + return 0; +} + +/* + Internal functions. +*/ +static int encrypt_buf(u8 *buf, int size, u8 *key, int key_type) +{ + int i, retv; + + for (i = 0; i < 16; i++) { + buf[0x14+i] ^= key[i]; + } + + retv = kirk4(buf, size, key_type); + + if (retv) + return retv; + + memcpy(key, buf + size + 4, 16); + + return 0; +} + +static int decrypt_buf(u8 *buf, int size, u8 *key, int key_type) +{ + int i, retv; + u8 tmp[16]; + + memcpy(tmp, buf + size + 0x14 - 16, 16); + + retv = kirk7(buf, size, key_type); + + if (retv) + return retv; + + for (i = 0; i < 16; i++) { + buf[i] ^= key[i]; + } + + memcpy(key, tmp, 16); + + return 0; +} + +static int cipher_buf(u8 *kbuf, u8 *dbuf, int size, CIPHER_KEY *ckey) +{ + int i, retv; + u8 tmp1[16], tmp2[16]; + + memcpy(kbuf + 0x14, ckey->key, 16); + + for (i = 0; i < 16; i++) { + kbuf[0x14 + i] ^= amctrl_key3[i]; + } + + if (ckey->type == 2) + retv = kirk8(kbuf, 16); + else + retv = kirk7(kbuf, 16, 0x39); + + if (retv) + return retv; + + for (i = 0; i < 16; i++) { + kbuf[i] ^= amctrl_key2[i]; + } + + memcpy(tmp2, kbuf, 0x10); + + if (ckey->seed == 1) { + memset(tmp1, 0, 0x10); + } else { + memcpy(tmp1, tmp2, 0x10); + *(u32*)(tmp1 + 0x0c) = ckey->seed - 1; + } + + for (i = 0; i < size; i += 16) { + memcpy(kbuf + 0x14 + i, tmp2, 12); + *(u32*)(kbuf + 0x14 + i + 12) = ckey->seed; + ckey->seed += 1; + } + + retv = decrypt_buf(kbuf, size, tmp1, 0x63); + + if (retv) + return retv; + + for (i = 0; i < size; i++) { + dbuf[i] ^= kbuf[i]; + } + + return 0; +} + +/* + BBMac functions. +*/ +int sceDrmBBMacInit(MAC_KEY *mkey, int type) +{ + mkey->type = type; + mkey->pad_size = 0; + + memset(mkey->key, 0, 16); + memset(mkey->pad, 0, 16); + + return 0; +} + +int sceDrmBBMacUpdate(MAC_KEY *mkey, u8 *buf, int size) +{ + int retv = 0, ksize, p, type; + u8 *kbuf; + + if (mkey->pad_size > 16) { + retv = 0x80510302; + goto _exit; + } + + if (mkey->pad_size + size <= 16) { + memcpy(mkey->pad + mkey->pad_size, buf, size); + mkey->pad_size += size; + retv = 0; + } else { + kbuf = kirk_buf + 0x14; + memcpy(kbuf, mkey->pad, mkey->pad_size); + + p = mkey->pad_size; + + mkey->pad_size += size; + mkey->pad_size &= 0x0f; + if (mkey->pad_size == 0) + mkey->pad_size = 16; + + size -= mkey->pad_size; + memcpy(mkey->pad, buf + size, mkey->pad_size); + + type = (mkey->type == 2) ? 0x3A : 0x38; + + while (size) + { + ksize = (size + p >= 0x0800) ? 0x0800 : size + p; + memcpy(kbuf + p, buf, ksize - p); + retv = encrypt_buf(kirk_buf, ksize, mkey->key, type); + + if (retv) + goto _exit; + + size -= (ksize - p); + buf += ksize - p; + p = 0; + } + } + +_exit: + return retv; + +} + +int sceDrmBBMacFinal(MAC_KEY *mkey, u8 *buf, u8 *vkey) +{ + int i, retv, code; + u8 *kbuf, tmp[16], tmp1[16]; + u32 t0, v0, v1; + + if (mkey->pad_size > 16) + return 0x80510302; + + code = (mkey->type == 2) ? 0x3A : 0x38; + kbuf = kirk_buf + 0x14; + + memset(kbuf, 0, 16); + retv = kirk4(kirk_buf, 16, code); + + if (retv) + goto _exit; + + memcpy(tmp, kbuf, 16); + + t0 = (tmp[0] & 0x80) ? 0x87 : 0; + for (i = 0; i < 15; i++) + { + v1 = tmp[i + 0]; + v0 = tmp[i + 1]; + v1 <<= 1; + v0 >>= 7; + v0 |= v1; + tmp[i + 0] = v0; + } + v0 = tmp[15]; + v0 <<= 1; + v0 ^= t0; + tmp[15] = v0; + + if (mkey->pad_size < 16) + { + t0 = (tmp[0] & 0x80) ? 0x87 : 0; + for (i = 0; i < 15; i++) + { + v1 = tmp[i + 0]; + v0 = tmp[i + 1]; + v1 <<= 1; + v0 >>= 7; + v0 |= v1; + tmp[i + 0] = v0; + } + v0 = tmp[15]; + v0 <<= 1; + v0 ^= t0; + tmp[15] = v0; + + mkey->pad[mkey->pad_size] = 0x80; + if (mkey->pad_size + 1 < 16) + memset(mkey->pad + mkey->pad_size + 1, 0, 16 - mkey->pad_size - 1); + } + + for (i = 0; i < 16; i++) { + mkey->pad[i] ^= tmp[i]; + } + + memcpy(kbuf, mkey->pad, 16); + memcpy(tmp1, mkey->key, 16); + + retv = encrypt_buf(kirk_buf, 0x10, tmp1, code); + + if (retv) + return retv; + + for (i = 0; i < 0x10; i++) { + tmp1[i] ^= amctrl_key1[i]; + } + + if (mkey->type == 2) + { + memcpy(kbuf, tmp1, 16); + + retv = kirk5(kirk_buf, 0x10); + + if (retv) + goto _exit; + + retv = kirk4(kirk_buf, 0x10, code); + + if (retv) + goto _exit; + + memcpy(tmp1, kbuf, 16); + } + + if (vkey) + { + for (i = 0; i < 0x10; i++) { + tmp1[i] ^= vkey[i]; + } + memcpy(kbuf, tmp1, 16); + + retv = kirk4(kirk_buf, 0x10, code); + + if (retv) + goto _exit; + + memcpy(tmp1, kbuf, 16); + } + + memcpy(buf, tmp1, 16); + + memset(mkey->key, 0, 16); + memset(mkey->pad, 0, 16); + + mkey->pad_size = 0; + mkey->type = 0; + retv = 0; + +_exit: + return retv; +} + +int sceDrmBBMacFinal2(MAC_KEY *mkey, u8 *out, u8 *vkey) +{ + int i, retv, type; + u8 *kbuf, tmp[16]; + + type = mkey->type; + retv = sceDrmBBMacFinal(mkey, tmp, vkey); + if (retv) + return retv; + + kbuf = kirk_buf+0x14; + + if (type == 3) { + memcpy(kbuf, out, 0x10); + kirk7(kirk_buf, 0x10, 0x63); + } else { + memcpy(kirk_buf, out, 0x10); + } + + retv = 0; + for (i = 0; i < 0x10; i++) { + if (kirk_buf[i] != tmp[i]) { + retv = 0x80510300; + break; + } + } + + return retv; +} + +/* + BBCipher functions. +*/ +int sceDrmBBCipherInit(CIPHER_KEY *ckey, int type, int mode, u8 *header_key, u8 *version_key, u32 seed) +{ + int i, retv; + u8 *kbuf; + + kbuf = kirk_buf + 0x14; + ckey->type = type; + if (mode == 2) + { + ckey->seed = seed + 1; + for (i = 0; i < 16; i++) { + ckey->key[i] = header_key[i]; + } + if (version_key) { + for (i = 0; i < 16; i++) { + ckey->key[i] ^= version_key[i]; + } + } + retv = 0; + } + else if (mode == 1) + { + ckey->seed = 1; + retv = kirk14(kirk_buf); + + if (retv) + return retv; + + memcpy(kbuf, kirk_buf, 0x10); + memset(kbuf + 0x0c, 0, 4); + + if (ckey->type == 2) + { + for (i = 0; i < 16; i++) { + kbuf[i] ^= amctrl_key2[i]; + } + retv = kirk5(kirk_buf, 0x10); + for (i = 0; i < 16; i++) { + kbuf[i] ^= amctrl_key3[i]; + } + } + else + { + for (i = 0; i < 16; i++) { + kbuf[i] ^= amctrl_key2[i]; + } + retv = kirk4(kirk_buf, 0x10, 0x39); + for(i = 0; i < 16; i++) { + kbuf[i] ^= amctrl_key3[i]; + } + } + + if (retv) + return retv; + + memcpy(ckey->key, kbuf, 0x10); + memcpy(header_key, kbuf, 0x10); + + if (version_key) + { + for (i = 0; i < 16; i++) { + ckey->key[i] ^= version_key[i]; + } + } + } + else + { + retv = 0; + } + + return retv; +} + +int sceDrmBBCipherUpdate(CIPHER_KEY *ckey, u8 *data, int size) +{ + int p, retv, dsize; + + retv = 0; + p = 0; + + while (size > 0) + { + dsize = (size >= 0x0800) ? 0x0800 : size; + retv = cipher_buf(kirk_buf, data + p, dsize, ckey); + + if (retv) + break; + + size -= dsize; + p += dsize; + } + + return retv; +} + +int sceDrmBBCipherFinal(CIPHER_KEY *ckey) +{ + memset(ckey->key, 0, 16); + ckey->type = 0; + ckey->seed = 0; + + return 0; +} + +/* + Extra functions. +*/ +int bbmac_build_final2(int type, u8 *mac) +{ + u8 *kbuf = kirk_buf + 0x14; + + if (type == 3) + { + memcpy(kbuf, mac, 16); + kirk4(kirk_buf, 0x10, 0x63); + memcpy(mac, kbuf, 16); + } + + return 0; +} + +int bbmac_getkey(MAC_KEY *mkey, u8 *bbmac, u8 *vkey) +{ + int i, retv, type, code; + u8 *kbuf, tmp[16], tmp1[16]; + + type = mkey->type; + retv = sceDrmBBMacFinal(mkey, tmp, NULL); + + if (retv) + return retv; + + kbuf = kirk_buf + 0x14; + + if (type == 3) { + memcpy(kbuf, bbmac, 0x10); + kirk7(kirk_buf, 0x10, 0x63); + } else { + memcpy(kirk_buf, bbmac, 0x10); + } + + memcpy(tmp1, kirk_buf, 16); + memcpy(kbuf, tmp1, 16); + + code = (type == 2) ? 0x3A : 0x38; + kirk7(kirk_buf, 0x10, code); + + for (i = 0; i < 0x10; i++) { + vkey[i] = tmp[i] ^ kirk_buf[i]; + } + + return 0; +} + +int bbmac_forge(MAC_KEY *mkey, u8 *bbmac, u8 *vkey, u8 *buf) +{ + int i, retv, type; + u8 *kbuf, tmp[16], tmp1[16]; + u32 t0, v0, v1; + + if (mkey->pad_size > 16) + return 0x80510302; + + type = (mkey->type == 2) ? 0x3A : 0x38; + kbuf = kirk_buf + 0x14; + + memset(kbuf, 0, 16); + retv = kirk4(kirk_buf, 16, type); + + if (retv) + return retv; + + memcpy(tmp, kbuf, 16); + + t0 = (tmp[0] & 0x80) ? 0x87 : 0; + for (i = 0; i < 15; i++) + { + v1 = tmp[i + 0]; + v0 = tmp[i + 1]; + v1 <<= 1; + v0 >>= 7; + v0 |= v1; + tmp[i + 0] = v0; + } + v0 = tmp[15]; + v0 <<= 1; + v0 ^= t0; + tmp[15] = v0; + + if (mkey->pad_size < 16) + { + t0 = (tmp[0] & 0x80) ? 0x87 : 0; + for (i = 0; i < 15; i++) + { + v1 = tmp[i + 0]; + v0 = tmp[i + 1]; + v1 <<= 1; + v0 >>= 7; + v0 |= v1; + tmp[i + 0] = v0; + } + v0 = tmp[15]; + v0 <<= 1; + v0 ^= t0; + tmp[15] = t0; + + mkey->pad[mkey->pad_size] = 0x80; + if (mkey->pad_size + 1 < 16) + memset(mkey->pad+mkey->pad_size + 1, 0, 16 - mkey->pad_size - 1); + } + + for (i = 0; i < 16; i++) { + mkey->pad[i] ^= tmp[i]; + } + for (i = 0; i < 0x10; i++) { + mkey->pad[i] ^= mkey->key[i]; + } + + memcpy(kbuf, bbmac, 0x10); + kirk7(kirk_buf, 0x10, 0x63); + + memcpy(kbuf, kirk_buf, 0x10); + kirk7(kirk_buf, 0x10, type); + + memcpy(tmp1, kirk_buf, 0x10); + for (i = 0; i < 0x10; i++) { + tmp1[i] ^= vkey[i]; + } + for (i = 0; i < 0x10; i++) { + tmp1[i] ^= amctrl_key1[i]; + } + + memcpy(kbuf, tmp1, 0x10); + kirk7(kirk_buf, 0x10, type); + + memcpy(tmp1, kirk_buf, 0x10); + for (i = 0; i < 16; i++) { + mkey->pad[i] ^= tmp1[i]; + } + + for (i = 0; i < 16; i++) { + buf[i] ^= mkey->pad[i]; + } + + return 0; +} + +/* + sceNpDrm functions. +*/ +int sceNpDrmGetFixedKey(u8 *key, char *npstr, int type) +{ + AES_ctx akey; + MAC_KEY mkey; + char strbuf[0x30]; + int retv; + + if ((type & 0x01000000) == 0) + return 0x80550901; + + type &= 0x000000ff; + + memset(strbuf, 0, 0x30); + strncpy(strbuf, npstr, 0x30); + + retv = sceDrmBBMacInit(&mkey, 1); + + if (retv) + return retv; + + retv = sceDrmBBMacUpdate(&mkey, (u8*)strbuf, 0x30); + + if (retv) + return retv; + + retv = sceDrmBBMacFinal(&mkey, key, npdrm_fixed_key); + + if (retv) + return 0x80550902; + + if (type == 0) + return 0; + if (type > 3) + return 0x80550901; + + type = (type - 1) * 16; + + AES_set_key(&akey, &npdrm_enc_keys[type], 128); + AES_encrypt(&akey, key, key); + + return 0; +} + +int decrypt_pgd(u8* pgd_data, int pgd_size, int flag, u8* key __attribute__((unused))) +{ + int result; + PGD_HEADER PGD[sizeof(PGD_HEADER)]; + MAC_KEY mkey; + CIPHER_KEY ckey; + u8* fkey; + + // Read in the PGD header parameters. + memset(PGD, 0, sizeof(PGD_HEADER)); + + PGD->buf = pgd_data; + PGD->key_index = *(u32*)(pgd_data + 4); + PGD->drm_type = *(u32*)(pgd_data + 8); + + // Set the hashing, crypto and open modes. + if (PGD->drm_type == 1) { + PGD->mac_type = 1; + flag |= 4; + + if(PGD->key_index > 1) { + PGD->mac_type = 3; + flag |= 8; + } + + PGD->cipher_type = 1; + } else { + PGD->mac_type = 2; + PGD->cipher_type = 2; + } + + PGD->open_flag = flag; + + // Get the fixed DNAS key. + fkey = NULL; + if ((flag & 0x2) == 0x2) + fkey = dnas_key1A90; + if ((flag & 0x1) == 0x1) + fkey = dnas_key1AA0; + + if (fkey == NULL) { + printf("PGD: Invalid PGD DNAS flag! %08x\n", flag); + return -1; + } + + // Test MAC hash at 0x80 (DNAS hash). + sceDrmBBMacInit(&mkey, PGD->mac_type); + sceDrmBBMacUpdate(&mkey, pgd_data, 0x80); + result = sceDrmBBMacFinal2(&mkey, pgd_data + 0x80, fkey); + + if (result) { + printf("PGD: Invalid PGD 0x80 MAC hash!\n"); + return -1; + } + + // Test MAC hash at 0x70 (key hash). + sceDrmBBMacInit(&mkey, PGD->mac_type); + sceDrmBBMacUpdate(&mkey, pgd_data, 0x70); + + // Generate the key from MAC 0x70. + bbmac_getkey(&mkey, pgd_data + 0x70, PGD->vkey); + + // Decrypt the PGD header block (0x30 bytes). + sceDrmBBCipherInit(&ckey, PGD->cipher_type, 2, pgd_data + 0x10, PGD->vkey, 0); + sceDrmBBCipherUpdate(&ckey, pgd_data + 0x30, 0x30); + sceDrmBBCipherFinal(&ckey); + + // Get the decryption parameters from the decrypted header. + PGD->data_size = *(u32*)(pgd_data + 0x44); + PGD->block_size = *(u32*)(pgd_data + 0x48); + PGD->data_offset = *(u32*)(pgd_data + 0x4c); + + // Additional size variables. + PGD->align_size = (PGD->data_size + 15) &~ 15; + PGD->table_offset = PGD->data_offset + PGD->align_size; + PGD->block_nr = (PGD->align_size + PGD->block_size - 1) &~ (PGD->block_size - 1); + PGD->block_nr = PGD->block_nr / PGD->block_size; + + if ((PGD->align_size + PGD->block_nr * 16) > pgd_size) { + printf("ERROR: Invalid PGD data size!\n"); + return -1; + } + + // Test MAC hash at 0x60 (table hash). + sceDrmBBMacInit(&mkey, PGD->mac_type); + sceDrmBBMacUpdate(&mkey, pgd_data + PGD->table_offset, PGD->block_nr * 16); + result = sceDrmBBMacFinal2(&mkey, pgd_data + 0x60, PGD->vkey); + + if (result) { + printf("ERROR: Invalid PGD 0x60 MAC hash!\n"); + return -1; + } + + // Decrypt the data. + sceDrmBBCipherInit(&ckey, PGD->cipher_type, 2, pgd_data + 0x30, PGD->vkey, 0); + sceDrmBBCipherUpdate(&ckey, pgd_data + 0x90, PGD->align_size); + sceDrmBBCipherFinal(&ckey); + + return PGD->data_size; +} diff --git a/src/libkirk/amctrl.h b/src/libkirk/amctrl.h new file mode 100644 index 0000000..a5d26dd --- /dev/null +++ b/src/libkirk/amctrl.h @@ -0,0 +1,59 @@ +// Copyright (C) 2013 tpu +// Copyright (C) 2015 Hykem +// Licensed under the terms of the GNU GPL, version 3 +// http://www.gnu.org/licenses/gpl-3.0.txt + +#ifndef AMCTRL_H +#define AMCTRL_H + +typedef struct +{ + int type; + u8 key[16]; + u8 pad[16]; + int pad_size; +} MAC_KEY; + +typedef struct +{ + u32 type; + u32 seed; + u8 key[16]; +} CIPHER_KEY; + +typedef struct { + unsigned char vkey[16]; + + int open_flag; + int key_index; + int drm_type; + int mac_type; + int cipher_type; + + int data_size; + int align_size; + int block_size; + int block_nr; + int data_offset; + int table_offset; + + unsigned char *buf; +} PGD_HEADER; + +int sceDrmBBMacInit(MAC_KEY *mkey, int type); +int sceDrmBBMacUpdate(MAC_KEY *mkey, u8 *buf, int size); +int sceDrmBBMacFinal(MAC_KEY *mkey, u8 *buf, u8 *vkey); +int sceDrmBBMacFinal2(MAC_KEY *mkey, u8 *out, u8 *vkey); + +int bbmac_build_final2(int type, u8 *mac); +int bbmac_getkey(MAC_KEY *mkey, u8 *bbmac, u8 *vkey); +int bbmac_forge(MAC_KEY *mkey, u8 *bbmac, u8 *vkey, u8 *buf); + +int sceDrmBBCipherInit(CIPHER_KEY *ckey, int type, int mode, u8 *header_key, u8 *version_key, u32 seed); +int sceDrmBBCipherUpdate(CIPHER_KEY *ckey, u8 *data, int size); +int sceDrmBBCipherFinal(CIPHER_KEY *ckey); + +int sceNpDrmGetFixedKey(u8 *key, char *npstr, int type); +int decrypt_pgd(u8* pgd_data, int pgd_size, int flag, u8* key __attribute__((unused))); + +#endif diff --git a/src/libkirk/bn.c b/src/libkirk/bn.c new file mode 100644 index 0000000..e8873e2 --- /dev/null +++ b/src/libkirk/bn.c @@ -0,0 +1,200 @@ +// Copyright 2007,2008,2010 Segher Boessenkool +// Licensed under the terms of the GNU GPL, version 2 +// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt + +#include +#include + +#include "kirk_engine.h" + +void bn_print(char *name, u8 *a, u32 n) +{ + u32 i; + + printf("%s = ", name); + + for (i = 0; i < n; i++) + printf("%02x", a[i]); + + printf("\n"); +} + +static void bn_zero(u8 *d, u32 n) +{ + memset(d, 0, n); +} + +void bn_copy(u8 *d, u8 *a, u32 n) +{ + memcpy(d, a, n); +} + +int bn_compare(u8 *a, u8 *b, u32 n) +{ + u32 i; + + for (i = 0; i < n; i++) { + if (a[i] < b[i]) + return -1; + if (a[i] > b[i]) + return 1; + } + + return 0; +} + +static u8 bn_add_1(u8 *d, u8 *a, u8 *b, u32 n) +{ + u32 i; + u32 dig; + u8 c; + + c = 0; + for (i = n - 1; i < n; i--) { + dig = a[i] + b[i] + c; + c = dig >> 8; + d[i] = dig; + } + + return c; +} + +static u8 bn_sub_1(u8 *d, u8 *a, u8 *b, u32 n) +{ + u32 i; + u32 dig; + u8 c; + + c = 1; + for (i = n - 1; i < n; i--) { + dig = a[i] + 255 - b[i] + c; + c = dig >> 8; + d[i] = dig; + } + + return 1 - c; +} + +void bn_reduce(u8 *d, u8 *N, u32 n) +{ + if (bn_compare(d, N, n) >= 0) + bn_sub_1(d, d, N, n); +} + +void bn_add(u8 *d, u8 *a, u8 *b, u8 *N, u32 n) +{ + if (bn_add_1(d, a, b, n)) + bn_sub_1(d, d, N, n); + + bn_reduce(d, N, n); +} + +void bn_sub(u8 *d, u8 *a, u8 *b, u8 *N, u32 n) +{ + if (bn_sub_1(d, a, b, n)) + bn_add_1(d, d, N, n); +} + +static const u8 inv256[0x80] = { + 0x01, 0xab, 0xcd, 0xb7, 0x39, 0xa3, 0xc5, 0xef, + 0xf1, 0x1b, 0x3d, 0xa7, 0x29, 0x13, 0x35, 0xdf, + 0xe1, 0x8b, 0xad, 0x97, 0x19, 0x83, 0xa5, 0xcf, + 0xd1, 0xfb, 0x1d, 0x87, 0x09, 0xf3, 0x15, 0xbf, + 0xc1, 0x6b, 0x8d, 0x77, 0xf9, 0x63, 0x85, 0xaf, + 0xb1, 0xdb, 0xfd, 0x67, 0xe9, 0xd3, 0xf5, 0x9f, + 0xa1, 0x4b, 0x6d, 0x57, 0xd9, 0x43, 0x65, 0x8f, + 0x91, 0xbb, 0xdd, 0x47, 0xc9, 0xb3, 0xd5, 0x7f, + 0x81, 0x2b, 0x4d, 0x37, 0xb9, 0x23, 0x45, 0x6f, + 0x71, 0x9b, 0xbd, 0x27, 0xa9, 0x93, 0xb5, 0x5f, + 0x61, 0x0b, 0x2d, 0x17, 0x99, 0x03, 0x25, 0x4f, + 0x51, 0x7b, 0x9d, 0x07, 0x89, 0x73, 0x95, 0x3f, + 0x41, 0xeb, 0x0d, 0xf7, 0x79, 0xe3, 0x05, 0x2f, + 0x31, 0x5b, 0x7d, 0xe7, 0x69, 0x53, 0x75, 0x1f, + 0x21, 0xcb, 0xed, 0xd7, 0x59, 0xc3, 0xe5, 0x0f, + 0x11, 0x3b, 0x5d, 0xc7, 0x49, 0x33, 0x55, 0xff, +}; + +static void bn_mon_muladd_dig(u8 *d, u8 *a, u8 b, u8 *N, u32 n) +{ + u32 dig; + u32 i; + + u8 z = -(d[n-1] + a[n-1]*b) * inv256[N[n-1]/2]; + + dig = d[n-1] + a[n-1]*b + N[n-1]*z; + dig >>= 8; + + for (i = n - 2; i < n; i--) { + dig += d[i] + a[i]*b + N[i]*z; + d[i+1] = dig; + dig >>= 8; + } + + d[0] = dig; + dig >>= 8; + + if (dig) + bn_sub_1(d, d, N, n); + + bn_reduce(d, N, n); +} + +void bn_mon_mul(u8 *d, u8 *a, u8 *b, u8 *N, u32 n) +{ + u8 t[512]; + u32 i; + + bn_zero(t, n); + + for (i = n - 1; i < n; i--) + bn_mon_muladd_dig(t, a, b[i], N, n); + + bn_copy(d, t, n); +} + +void bn_to_mon(u8 *d, u8 *N, u32 n) +{ + u32 i; + + for (i = 0; i < 8*n; i++) + bn_add(d, d, d, N, n); +} + +void bn_from_mon(u8 *d, u8 *N, u32 n) +{ + u8 t[512]; + + bn_zero(t, n); + t[n-1] = 1; + bn_mon_mul(d, d, t, N, n); +} + +static void bn_mon_exp(u8 *d, u8 *a, u8 *N, u32 n, u8 *e, u32 en) +{ + u8 t[512]; + u32 i; + u8 mask; + + bn_zero(d, n); + d[n-1] = 1; + bn_to_mon(d, N, n); + + for (i = 0; i < en; i++) + for (mask = 0x80; mask != 0; mask >>= 1) { + bn_mon_mul(t, d, d, N, n); + if ((e[i] & mask) != 0) + bn_mon_mul(d, t, a, N, n); + else + bn_copy(d, t, n); + } +} + +void bn_mon_inv(u8 *d, u8 *a, u8 *N, u32 n) +{ + u8 t[512], s[512]; + + bn_zero(s, n); + s[n-1] = 2; + bn_sub_1(t, N, s, n); + bn_mon_exp(d, a, N, n, t, n); +} diff --git a/src/libkirk/ec.c b/src/libkirk/ec.c new file mode 100644 index 0000000..0b28ff2 --- /dev/null +++ b/src/libkirk/ec.c @@ -0,0 +1,423 @@ +// Copyright 2007,2008,2010 Segher Boessenkool +// Licensed under the terms of the GNU GPL, version 2 +// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt + +#include +#include + +#include "kirk_engine.h" + +struct point { + u8 x[20]; + u8 y[20]; +}; + +u8 ec_p[20]; +u8 ec_a[20]; +u8 ec_b[20]; +u8 ec_N[21]; +struct point ec_G; // mon +struct point ec_Q; // mon +u8 ec_k[21]; + +void hex_dump(char *str, u8 *buf, int size) +{ + int i; + + if(str) + printf("%s:", str); + + for(i=0; ix, ec_p, 20); + bn_to_mon(p->y, ec_p, 20); +} + +static void point_from_mon(struct point *p) +{ + bn_from_mon(p->x, ec_p, 20); + bn_from_mon(p->y, ec_p, 20); +} + +#if 0 +static int point_is_on_curve(u8 *p) +{ + u8 s[20], t[20]; + u8 *x, *y; + + x = p; + y = p + 20; + + elt_square(t, x); + elt_mul(s, t, x); + + elt_mul(t, x, ec_a); + elt_add(s, s, t); + + elt_add(s, s, ec_b); + + elt_square(t, y); + elt_sub(s, s, t); + + return elt_is_zero(s); +} +#endif + +static void point_zero(struct point *p) +{ + elt_zero(p->x); + elt_zero(p->y); +} + +static int point_is_zero(struct point *p) +{ + return elt_is_zero(p->x) && elt_is_zero(p->y); +} + +static void point_double(struct point *r, struct point *p) +{ + u8 s[20], t[20]; + struct point pp; + u8 *px, *py, *rx, *ry; + + pp = *p; + + px = pp.x; + py = pp.y; + rx = r->x; + ry = r->y; + + if (elt_is_zero(py)) { + point_zero(r); + return; + } + + elt_square(t, px); // t = px*px + elt_add(s, t, t); // s = 2*px*px + elt_add(s, s, t); // s = 3*px*px + elt_add(s, s, ec_a); // s = 3*px*px + a + elt_add(t, py, py); // t = 2*py + elt_inv(t, t); // t = 1/(2*py) + elt_mul(s, s, t); // s = (3*px*px+a)/(2*py) + + elt_square(rx, s); // rx = s*s + elt_add(t, px, px); // t = 2*px + elt_sub(rx, rx, t); // rx = s*s - 2*px + + elt_sub(t, px, rx); // t = -(rx-px) + elt_mul(ry, s, t); // ry = -s*(rx-px) + elt_sub(ry, ry, py); // ry = -s*(rx-px) - py +} + +static void point_add(struct point *r, struct point *p, struct point *q) +{ + u8 s[20], t[20], u[20]; + u8 *px, *py, *qx, *qy, *rx, *ry; + struct point pp, qq; + + pp = *p; + qq = *q; + + px = pp.x; + py = pp.y; + qx = qq.x; + qy = qq.y; + rx = r->x; + ry = r->y; + + if (point_is_zero(&pp)) { + elt_copy(rx, qx); + elt_copy(ry, qy); + return; + } + + if (point_is_zero(&qq)) { + elt_copy(rx, px); + elt_copy(ry, py); + return; + } + + elt_sub(u, qx, px); + + if (elt_is_zero(u)) { + elt_sub(u, qy, py); + if (elt_is_zero(u)) + point_double(r, &pp); + else + point_zero(r); + + return; + } + + elt_inv(t, u); // t = 1/(qx-px) + elt_sub(u, qy, py); // u = qy-py + elt_mul(s, t, u); // s = (qy-py)/(qx-px) + + elt_square(rx, s); // rx = s*s + elt_add(t, px, qx); // t = px+qx + elt_sub(rx, rx, t); // rx = s*s - (px+qx) + + elt_sub(t, px, rx); // t = -(rx-px) + elt_mul(ry, s, t); // ry = -s*(rx-px) + elt_sub(ry, ry, py); // ry = -s*(rx-px) - py +} + +static void point_mul(struct point *d, u8 *a, struct point *b) +{ + u32 i; + u8 mask; + + point_zero(d); + + for (i = 0; i < 21; i++) + for (mask = 0x80; mask != 0; mask >>= 1) { + point_double(d, d); + if ((a[i] & mask) != 0) + point_add(d, d, b); + } +} + +static void generate_ecdsa(u8 *outR, u8 *outS, u8 *k, u8 *hash) +{ + u8 e[21]; + u8 kk[21]; + u8 m[21]; + u8 R[21]; + u8 S[21]; + u8 minv[21]; + struct point mG; + + e[0] = 0;R[0] = 0;S[0] = 0; + memcpy(e + 1, hash, 20); + bn_reduce(e, ec_N, 21); + + kirk_CMD14(m+1, 20); + m[0] = 0; + + point_mul(&mG, m, &ec_G); + point_from_mon(&mG); + R[0] = 0; + elt_copy(R+1, mG.x); + + bn_copy(kk, k, 21); + bn_reduce(kk, ec_N, 21); + bn_to_mon(m, ec_N, 21); + bn_to_mon(e, ec_N, 21); + bn_to_mon(R, ec_N, 21); + bn_to_mon(kk, ec_N, 21); + + bn_mon_mul(S, R, kk, ec_N, 21); + bn_add(kk, S, e, ec_N, 21); + bn_mon_inv(minv, m, ec_N, 21); + bn_mon_mul(S, minv, kk, ec_N, 21); + + bn_from_mon(R, ec_N, 21); + bn_from_mon(S, ec_N, 21); + memcpy(outR,R+1,0x20); + memcpy(outS,S+1,0x20); +} + +static int check_ecdsa(struct point *Q, u8 *inR, u8 *inS, u8 *hash) +{ + u8 Sinv[21]; + u8 e[21], R[21], S[21]; + u8 w1[21], w2[21]; + struct point r1, r2; + u8 rr[21]; + + e[0] = 0; + memcpy(e + 1, hash, 20); + bn_reduce(e, ec_N, 21); + R[0] = 0; + memcpy(R + 1, inR, 20); + bn_reduce(R, ec_N, 21); + S[0] = 0; + memcpy(S + 1, inS, 20); + bn_reduce(S, ec_N, 21); + + bn_to_mon(R, ec_N, 21); + bn_to_mon(S, ec_N, 21); + bn_to_mon(e, ec_N, 21); + // make Sinv = 1/S + bn_mon_inv(Sinv, S, ec_N, 21); + // w1 = m * Sinv + bn_mon_mul(w1, e, Sinv, ec_N, 21); + // w2 = r * Sinv + bn_mon_mul(w2, R, Sinv, ec_N, 21); + + // mod N both + bn_from_mon(w1, ec_N, 21); + bn_from_mon(w2, ec_N, 21); + + // r1 = m/s * G + point_mul(&r1, w1, &ec_G); + // r2 = r/s * P + point_mul(&r2, w2, Q); + + //r1 = r1 + r2 + point_add(&r1, &r1, &r2); + + point_from_mon(&r1); + + rr[0] = 0; + memcpy(rr + 1, r1.x, 20); + bn_reduce(rr, ec_N, 21); + + bn_from_mon(R, ec_N, 21); + bn_from_mon(S, ec_N, 21); + + return (bn_compare(rr, R, 21) == 0); +} + +void ec_priv_to_pub(u8 *k, u8 *Q) +{ + struct point ec_temp; + bn_to_mon(k, ec_N, 21); + point_mul(&ec_temp, k, &ec_G); + point_from_mon(&ec_temp); + memcpy(Q,ec_temp.x,20); + memcpy(Q+20,ec_temp.y,20); +} + +void ec_pub_mult(u8 *k, u8 *Q) +{ + struct point ec_temp; + point_mul(&ec_temp, k, &ec_Q); + point_from_mon(&ec_temp); + memcpy(Q,ec_temp.x,20); + memcpy(Q+20,ec_temp.y,20); +} + +int ecdsa_set_curve(u8* p,u8* a,u8* b,u8* N,u8* Gx,u8* Gy) +{ + memcpy(ec_p,p,20); + memcpy(ec_a,a,20); + memcpy(ec_b,b,20); + memcpy(ec_N,N,21); + + bn_to_mon(ec_a, ec_p, 20); + bn_to_mon(ec_b, ec_p, 20); + + memcpy(ec_G.x, Gx, 20); + memcpy(ec_G.y, Gy, 20); + point_to_mon(&ec_G); + + return 0; +} + +void ecdsa_set_pub(u8 *Q) +{ + memcpy(ec_Q.x, Q, 20); + memcpy(ec_Q.y, Q+20, 20); + point_to_mon(&ec_Q); +} + +void ecdsa_set_priv(u8 *ink) +{ + u8 k[21]; + k[0]=0; + memcpy(k+1,ink,20); + bn_reduce(k, ec_N, 21); + + memcpy(ec_k, k, sizeof ec_k); +} + +int ecdsa_verify(u8 *hash, u8 *R, u8 *S) +{ + return check_ecdsa(&ec_Q, R, S, hash); +} + +void ecdsa_sign(u8 *hash, u8 *R, u8 *S) +{ + generate_ecdsa(R, S, ec_k, hash); +} + +int point_is_on_curve(u8 *p) +{ + u8 s[20], t[20]; + u8 *x, *y; + + x = p; + y = p + 20; + + elt_square(t, x); + elt_mul(s, t, x);// s = x^3 + + elt_mul(t, x, ec_a); + elt_add(s, s, t); //s = x^3 + a *x + + elt_add(s, s, ec_b);//s = x^3 + a *x + b + + elt_square(t, y); //t = y^2 + elt_sub(s, s, t); // is s - t = 0? + hex_dump("S", s, 20); + hex_dump("T", t,20); + return elt_is_zero(s); +} + +void dump_ecc(void) +{ + hex_dump("P", ec_p, 20); + hex_dump("a", ec_a, 20); + hex_dump("b", ec_b, 20); + hex_dump("N", ec_N, 21); + hex_dump("Gx", ec_G.x, 20); + hex_dump("Gy", ec_G.y, 20); +} diff --git a/src/libkirk/key_vault.h b/src/libkirk/key_vault.h new file mode 100644 index 0000000..edafd66 --- /dev/null +++ b/src/libkirk/key_vault.h @@ -0,0 +1,78 @@ +/* + Draan proudly presents: + + With huge help from community: + coyotebean, Davee, hitchhikr, kgsws, liquidzigong, Mathieulh, Proxima, SilverSpring + + ******************** KIRK-ENGINE ******************** + An Open-Source implementation of KIRK (PSP crypto engine) algorithms and keys. + Includes also additional routines for hash forging. + + ******************** + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef KEY_VAULT +#define KEY_VAULT + +// KIRK AES keys +static u8 kirk1_key[0x10] = {0x98, 0xC9, 0x40, 0x97, 0x5C, 0x1D, 0x10, 0xE8, 0x7F, 0xE6, 0x0E, 0xA3, 0xFD, 0x03, 0xA8, 0xBA}; +static u8 kirk7_key02[0x10] = {0xB8, 0x13, 0xC3, 0x5E, 0xC6, 0x44, 0x41, 0xE3, 0xDC, 0x3C, 0x16, 0xF5, 0xB4, 0x5E, 0x64, 0x84}; +static u8 kirk7_key03[0x10] = {0x98, 0x02, 0xC4, 0xE6, 0xEC, 0x9E, 0x9E, 0x2F, 0xFC, 0x63, 0x4C, 0xE4, 0x2F, 0xBB, 0x46, 0x68}; +static u8 kirk7_key04[0x10] = {0x99, 0x24, 0x4C, 0xD2, 0x58, 0xF5, 0x1B, 0xCB, 0xB0, 0x61, 0x9C, 0xA7, 0x38, 0x30, 0x07, 0x5F}; +static u8 kirk7_key05[0x10] = {0x02, 0x25, 0xD7, 0xBA, 0x63, 0xEC, 0xB9, 0x4A, 0x9D, 0x23, 0x76, 0x01, 0xB3, 0xF6, 0xAC, 0x17}; +static u8 kirk7_key07[0x10] = {0x76, 0x36, 0x8B, 0x43, 0x8F, 0x77, 0xD8, 0x7E, 0xFE, 0x5F, 0xB6, 0x11, 0x59, 0x39, 0x88, 0x5C}; +static u8 kirk7_key0C[0x10] = {0x84, 0x85, 0xC8, 0x48, 0x75, 0x08, 0x43, 0xBC, 0x9B, 0x9A, 0xEC, 0xA7, 0x9C, 0x7F, 0x60, 0x18}; +static u8 kirk7_key0D[0x10] = {0xB5, 0xB1, 0x6E, 0xDE, 0x23, 0xA9, 0x7B, 0x0E, 0xA1, 0x7C, 0xDB, 0xA2, 0xDC, 0xDE, 0xC4, 0x6E}; +static u8 kirk7_key0E[0x10] = {0xC8, 0x71, 0xFD, 0xB3, 0xBC, 0xC5, 0xD2, 0xF2, 0xE2, 0xD7, 0x72, 0x9D, 0xDF, 0x82, 0x68, 0x82}; +static u8 kirk7_key0F[0x10] = {0x0A, 0xBB, 0x33, 0x6C, 0x96, 0xD4, 0xCD, 0xD8, 0xCB, 0x5F, 0x4B, 0xE0, 0xBA, 0xDB, 0x9E, 0x03}; +static u8 kirk7_key10[0x10] = {0x32, 0x29, 0x5B, 0xD5, 0xEA, 0xF7, 0xA3, 0x42, 0x16, 0xC8, 0x8E, 0x48, 0xFF, 0x50, 0xD3, 0x71}; +static u8 kirk7_key11[0x10] = {0x46, 0xF2, 0x5E, 0x8E, 0x4D, 0x2A, 0xA5, 0x40, 0x73, 0x0B, 0xC4, 0x6E, 0x47, 0xEE, 0x6F, 0x0A}; +static u8 kirk7_key12[0x10] = {0x5D, 0xC7, 0x11, 0x39, 0xD0, 0x19, 0x38, 0xBC, 0x02, 0x7F, 0xDD, 0xDC, 0xB0, 0x83, 0x7D, 0x9D}; +static u8 kirk7_key38[0x10] = {0x12, 0x46, 0x8D, 0x7E, 0x1C, 0x42, 0x20, 0x9B, 0xBA, 0x54, 0x26, 0x83, 0x5E, 0xB0, 0x33, 0x03}; +static u8 kirk7_key39[0x10] = {0xC4, 0x3B, 0xB6, 0xD6, 0x53, 0xEE, 0x67, 0x49, 0x3E, 0xA9, 0x5F, 0xBC, 0x0C, 0xED, 0x6F, 0x8A}; +static u8 kirk7_key3A[0x10] = {0x2C, 0xC3, 0xCF, 0x8C, 0x28, 0x78, 0xA5, 0xA6, 0x63, 0xE2, 0xAF, 0x2D, 0x71, 0x5E, 0x86, 0xBA}; +static u8 kirk7_key44[0x10] = {0x7D, 0xF4, 0x92, 0x65, 0xE3, 0xFA, 0xD6, 0x78, 0xD6, 0xFE, 0x78, 0xAD, 0xBB, 0x3D, 0xFB, 0x63}; +static u8 kirk7_key4B[0x10] = {0x0C, 0xFD, 0x67, 0x9A, 0xF9, 0xB4, 0x72, 0x4F, 0xD7, 0x8D, 0xD6, 0xE9, 0x96, 0x42, 0x28, 0x8B}; +static u8 kirk7_key53[0x10] = {0xAF, 0xFE, 0x8E, 0xB1, 0x3D, 0xD1, 0x7E, 0xD8, 0x0A, 0x61, 0x24, 0x1C, 0x95, 0x92, 0x56, 0xB6}; +static u8 kirk7_key57[0x10] = {0x1C, 0x9B, 0xC4, 0x90, 0xE3, 0x06, 0x64, 0x81, 0xFA, 0x59, 0xFD, 0xB6, 0x00, 0xBB, 0x28, 0x70}; +static u8 kirk7_key5D[0x10] = {0x11, 0x5A, 0x5D, 0x20, 0xD5, 0x3A, 0x8D, 0xD3, 0x9C, 0xC5, 0xAF, 0x41, 0x0F, 0x0F, 0x18, 0x6F}; +static u8 kirk7_key63[0x10] = {0x9C, 0x9B, 0x13, 0x72, 0xF8, 0xC6, 0x40, 0xCF, 0x1C, 0x62, 0xF5, 0xD5, 0x92, 0xDD, 0xB5, 0x82}; +static u8 kirk7_key64[0x10] = {0x03, 0xB3, 0x02, 0xE8, 0x5F, 0xF3, 0x81, 0xB1, 0x3B, 0x8D, 0xAA, 0x2A, 0x90, 0xFF, 0x5E, 0x61}; +static u8 kirk16_key[0x10] = {0x47, 0x5E, 0x09, 0xF4, 0xA2, 0x37, 0xDA, 0x9B, 0xEF, 0xFF, 0x3B, 0xC0, 0x77, 0x14, 0x3D, 0x8A}; + +/* ECC Curves for Kirk 1 and Kirk 0x11 */ +// Common Curve paramters p and a +static u8 ec_p[0x14] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; +static u8 ec_a[0x14] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC}; // mon + +// Kirk 0xC,0xD,0x10,0x11,(likely 0x12)- Unique curve parameters for b, N, and base point G for Kirk 0xC,0xD,0x10,0x11,(likely 0x12) service +// Since public key is variable, it is not specified here +static u8 ec_b2[0x14] = {0xA6, 0x8B, 0xED, 0xC3, 0x34, 0x18, 0x02, 0x9C, 0x1D, 0x3C, 0xE3, 0x3B, 0x9A, 0x32, 0x1F, 0xCC, 0xBB, 0x9E, 0x0F, 0x0B};// mon +static u8 ec_N2[0x15] = {0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xB5, 0xAE, 0x3C, 0x52, 0x3E, 0x63, 0x94, 0x4F, 0x21, 0x27}; +static u8 Gx2[0x14] = {0x12, 0x8E, 0xC4, 0x25, 0x64, 0x87, 0xFD, 0x8F, 0xDF, 0x64, 0xE2, 0x43, 0x7B, 0xC0, 0xA1, 0xF6, 0xD5, 0xAF, 0xDE, 0x2C }; +static u8 Gy2[0x14] = {0x59, 0x58, 0x55, 0x7E, 0xB1, 0xDB, 0x00, 0x12, 0x60, 0x42, 0x55, 0x24, 0xDB, 0xC3, 0x79, 0xD5, 0xAC, 0x5F, 0x4A, 0xDF }; + +// KIRK 1 - Unique curve parameters for b, N, and base point G +// Since public key is hard coded, it is also included +static u8 ec_b1[0x14] = {0x65, 0xD1, 0x48, 0x8C, 0x03, 0x59, 0xE2, 0x34, 0xAD, 0xC9, 0x5B, 0xD3, 0x90, 0x80, 0x14, 0xBD, 0x91, 0xA5, 0x25, 0xF9}; +static u8 ec_N1[0x15] = {0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x01, 0xB5, 0xC6, 0x17, 0xF2, 0x90, 0xEA, 0xE1, 0xDB, 0xAD, 0x8F}; +static u8 Gx1[0x14] = {0x22, 0x59, 0xAC, 0xEE, 0x15, 0x48, 0x9C, 0xB0, 0x96, 0xA8, 0x82, 0xF0, 0xAE, 0x1C, 0xF9, 0xFD, 0x8E, 0xE5, 0xF8, 0xFA }; +static u8 Gy1[0x14] = {0x60, 0x43, 0x58, 0x45, 0x6D, 0x0A, 0x1C, 0xB2, 0x90, 0x8D, 0xE9, 0x0F, 0x27, 0xD7, 0x5C, 0x82, 0xBE, 0xC1, 0x08, 0xC0 }; + +static u8 Px1[0x14] = {0xED, 0x9C, 0xE5, 0x82, 0x34, 0xE6, 0x1A, 0x53, 0xC6, 0x85, 0xD6, 0x4D, 0x51, 0xD0, 0x23, 0x6B, 0xC3, 0xB5, 0xD4, 0xB9 }; +static u8 Py1[0x14] = {0x04, 0x9D, 0xF1, 0xA0, 0x75, 0xC0, 0xE0, 0x4F, 0xB3, 0x44, 0x85, 0x8B, 0x61, 0xB7, 0x9B, 0x69, 0xA6, 0x3D, 0x2C, 0x39 }; + +#endif diff --git a/src/libkirk/kirk_engine.c b/src/libkirk/kirk_engine.c new file mode 100644 index 0000000..c9bfda3 --- /dev/null +++ b/src/libkirk/kirk_engine.c @@ -0,0 +1,603 @@ +/* + Draan proudly presents: + + With huge help from community: + coyotebean, Davee, hitchhikr, kgsws, liquidzigong, Mathieulh, Proxima, SilverSpring + + ******************** KIRK-ENGINE ******************** + An Open-Source implementation of KIRK (PSP crypto engine) algorithms and keys. + Includes also additional routines for hash forging. + + ******************** + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "kirk_engine.h" +#include "key_vault.h" +#include "aes.h" +#include "sha1.h" + +// Internal variables +typedef struct kirk16_data +{ + u8 fuseid[8]; + u8 mesh[0x40]; +} kirk16_data; + +typedef struct header_keys +{ + u8 AES[16]; + u8 CMAC[16]; +} header_keys; + +u32 g_fuse90; +u32 g_fuse94; + +AES_ctx aes_kirk1; +u8 PRNG_DATA[0x14]; + +char is_kirk_initialized; + +// Internal functions +u8* kirk_4_7_get_key(int key_type) + { + switch(key_type) + { + case(0x02): return kirk7_key02; break; + case(0x03): return kirk7_key03; break; + case(0x04): return kirk7_key04; break; + case(0x05): return kirk7_key05; break; + case(0x07): return kirk7_key07; break; + case(0x0C): return kirk7_key0C; break; + case(0x0D): return kirk7_key0D; break; + case(0x0E): return kirk7_key0E; break; + case(0x0F): return kirk7_key0F; break; + case(0x10): return kirk7_key10; break; + case(0x11): return kirk7_key11; break; + case(0x12): return kirk7_key12; break; + case(0x38): return kirk7_key38; break; + case(0x39): return kirk7_key39; break; + case(0x3A): return kirk7_key3A; break; + case(0x44): return kirk7_key44; break; + case(0x4B): return kirk7_key4B; break; + case(0x53): return kirk7_key53; break; + case(0x57): return kirk7_key57; break; + case(0x5D): return kirk7_key5D; break; + case(0x63): return kirk7_key63; break; + case(0x64): return kirk7_key64; break; + default: return (u8*)KIRK_INVALID_SIZE; break; + } +} + +void decrypt_kirk16_private(u8 *dA_out, u8 *dA_enc) +{ + int i, k; + kirk16_data keydata; + u8 subkey_1[0x10], subkey_2[0x10]; + rijndael_ctx aes_ctx; + + keydata.fuseid[7] = g_fuse90 &0xFF; + keydata.fuseid[6] = (g_fuse90>>8) &0xFF; + keydata.fuseid[5] = (g_fuse90>>16) &0xFF; + keydata.fuseid[4] = (g_fuse90>>24) &0xFF; + keydata.fuseid[3] = g_fuse94 &0xFF; + keydata.fuseid[2] = (g_fuse94>>8) &0xFF; + keydata.fuseid[1] = (g_fuse94>>16) &0xFF; + keydata.fuseid[0] = (g_fuse94>>24) &0xFF; + + /* set encryption key */ + rijndael_set_key(&aes_ctx, kirk16_key, 128); + + /* set the subkeys */ + for (i = 0; i < 0x10; i++) + { + /* set to the fuseid */ + subkey_2[i] = subkey_1[i] = keydata.fuseid[i % 8]; + } + + /* do aes crypto */ + for (i = 0; i < 3; i++) + { + /* encrypt + decrypt */ + rijndael_encrypt(&aes_ctx, subkey_1, subkey_1); + rijndael_decrypt(&aes_ctx, subkey_2, subkey_2); + } + + /* set new key */ + rijndael_set_key(&aes_ctx, subkey_1, 128); + + /* now lets make the key mesh */ + for (i = 0; i < 3; i++) + { + /* do encryption in group of 3 */ + for (k = 0; k < 3; k++) + { + /* crypto */ + rijndael_encrypt(&aes_ctx, subkey_2, subkey_2); + } + + /* copy to out block */ + memcpy(&keydata.mesh[i * 0x10], subkey_2, 0x10); + } + + /* set the key to the mesh */ + rijndael_set_key(&aes_ctx, &keydata.mesh[0x20], 128); + + /* do the encryption routines for the aes key */ + for (i = 0; i < 2; i++) + { + /* encrypt the data */ + rijndael_encrypt(&aes_ctx, &keydata.mesh[0x10], &keydata.mesh[0x10]); + } + + /* set the key to that mesh shit */ + rijndael_set_key(&aes_ctx, &keydata.mesh[0x10], 128); + + /* cbc decrypt the dA */ + AES_cbc_decrypt((AES_ctx *)&aes_ctx, dA_enc, dA_out, 0x20); +} + +void encrypt_kirk16_private(u8 *dA_out, u8 *dA_dec) +{ + int i, k; + kirk16_data keydata; + u8 subkey_1[0x10], subkey_2[0x10]; + rijndael_ctx aes_ctx; + + keydata.fuseid[7] = g_fuse90 &0xFF; + keydata.fuseid[6] = (g_fuse90>>8) &0xFF; + keydata.fuseid[5] = (g_fuse90>>16) &0xFF; + keydata.fuseid[4] = (g_fuse90>>24) &0xFF; + keydata.fuseid[3] = g_fuse94 &0xFF; + keydata.fuseid[2] = (g_fuse94>>8) &0xFF; + keydata.fuseid[1] = (g_fuse94>>16) &0xFF; + keydata.fuseid[0] = (g_fuse94>>24) &0xFF; + /* set encryption key */ + rijndael_set_key(&aes_ctx, kirk16_key, 128); + + /* set the subkeys */ + for (i = 0; i < 0x10; i++) + { + /* set to the fuseid */ + subkey_2[i] = subkey_1[i] = keydata.fuseid[i % 8]; + } + + /* do aes crypto */ + for (i = 0; i < 3; i++) + { + /* encrypt + decrypt */ + rijndael_encrypt(&aes_ctx, subkey_1, subkey_1); + rijndael_decrypt(&aes_ctx, subkey_2, subkey_2); + } + + /* set new key */ + rijndael_set_key(&aes_ctx, subkey_1, 128); + + /* now lets make the key mesh */ + for (i = 0; i < 3; i++) + { + /* do encryption in group of 3 */ + for (k = 0; k < 3; k++) + { + /* crypto */ + rijndael_encrypt(&aes_ctx, subkey_2, subkey_2); + } + + /* copy to out block */ + memcpy(&keydata.mesh[i * 0x10], subkey_2, 0x10); + } + + /* set the key to the mesh */ + rijndael_set_key(&aes_ctx, &keydata.mesh[0x20], 128); + + /* do the encryption routines for the aes key */ + for (i = 0; i < 2; i++) + { + /* encrypt the data */ + rijndael_encrypt(&aes_ctx, &keydata.mesh[0x10], &keydata.mesh[0x10]); + } + + /* set the key to that mesh shit */ + rijndael_set_key(&aes_ctx, &keydata.mesh[0x10], 128); + + /* cbc encrypt the dA */ + AES_cbc_encrypt((AES_ctx *)&aes_ctx, dA_dec, dA_out, 0x20); +} + +// KIRK commands +int kirk_init() +{ + return kirk_init2((u8*)"Lazy Dev should have initialized!", 33, 0xBABEF00D, 0xDEADBEEF); +} + +int kirk_init2(u8 * rnd_seed __attribute__((unused)), u32 seed_size, u32 fuseid_90, u32 fuseid_94) +{ + u8 temp[0x104]; + + KIRK_SHA1_HEADER *header = (KIRK_SHA1_HEADER *) temp; + + // Another randomly selected data for a "key" to add to each randomization + u8 key[0x10] = {0x07, 0xAB, 0xEF, 0xF8, 0x96, 0x8C, 0xF3, 0xD6, 0x14, 0xE0, 0xEB, 0xB2, 0x9D, 0x8B, 0x4E, 0x74}; + u32 curtime; + + //Set PRNG_DATA initially, otherwise use what ever uninitialized data is in the buffer + if(seed_size > 0) { + u8 * seedbuf; + KIRK_SHA1_HEADER *seedheader;; + seedbuf=(u8*)malloc(seed_size+4); + seedheader= (KIRK_SHA1_HEADER *) seedbuf; + seedheader->data_size = seed_size; + kirk_CMD11(PRNG_DATA, seedbuf, seed_size+4); + free(seedbuf); + } + + memcpy(temp+4, PRNG_DATA,0x14); + + // This uses the standard C time function for portability. + curtime = (u32)time(0); + temp[0x18] = curtime &0xFF; + temp[0x19] = (curtime>>8) &0xFF; + temp[0x1A] = (curtime>>16) &0xFF; + temp[0x1B] = (curtime>>24) &0xFF; + memcpy(&temp[0x1C], key, 0x10); + + // This leaves the remainder of the 0x100 bytes in temp to whatever remains on the stack + // in an uninitialized state. This should add unpredicableness to the results as well + header->data_size = 0x100; + kirk_CMD11(PRNG_DATA, temp, 0x104); + + //Set Fuse ID + g_fuse90 = fuseid_90; + g_fuse94 = fuseid_94; + + // Set KIRK1 main key + AES_set_key(&aes_kirk1, kirk1_key, 128); + + is_kirk_initialized = 1; + return 0; +} + +int kirk_CMD0(u8* outbuff, u8* inbuff, int size, int generate_trash) +{ + KIRK_CMD1_HEADER* header = (KIRK_CMD1_HEADER*)outbuff; + header_keys *keys = (header_keys *)outbuff; //0-15 AES key, 16-31 CMAC key + int chk_size; + AES_ctx k1; + AES_ctx cmac_key; + u8 cmac_header_hash[16]; + u8 cmac_data_hash[16]; + + if (is_kirk_initialized == 0) return KIRK_NOT_INITIALIZED; + + memcpy(outbuff, inbuff, size); + + if (header->mode != KIRK_MODE_CMD1) return KIRK_INVALID_MODE; + + // FILL PREDATA WITH RANDOM DATA + if (generate_trash) kirk_CMD14(outbuff+sizeof(KIRK_CMD1_HEADER), header->data_offset); + + // Make sure data is 16 aligned + chk_size = header->data_size; + if (chk_size % 16) chk_size += 16 - (chk_size % 16); + + // ENCRYPT DATA + AES_set_key(&k1, keys->AES, 128); + AES_cbc_encrypt(&k1, inbuff+sizeof(KIRK_CMD1_HEADER)+header->data_offset, (u8*)outbuff+sizeof(KIRK_CMD1_HEADER)+header->data_offset, chk_size); + + // CMAC HASHES + AES_set_key(&cmac_key, keys->CMAC, 128); + AES_CMAC(&cmac_key, outbuff+0x60, 0x30, cmac_header_hash); + AES_CMAC(&cmac_key, outbuff+0x60, 0x30 + chk_size + header->data_offset, cmac_data_hash); + + memcpy(header->CMAC_header_hash, cmac_header_hash, 16); + memcpy(header->CMAC_data_hash, cmac_data_hash, 16); + + // ENCRYPT KEYS + AES_cbc_encrypt(&aes_kirk1, inbuff, outbuff, 16*2); + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD1(u8* outbuff, u8* inbuff, int size) +{ + KIRK_CMD1_HEADER* header = (KIRK_CMD1_HEADER*)inbuff; + header_keys keys; //0-15 AES key, 16-31 CMAC key + AES_ctx k1; + + if (size < 0x90) return KIRK_INVALID_SIZE; + if (is_kirk_initialized == 0) return KIRK_NOT_INITIALIZED; + if (header->mode != KIRK_MODE_CMD1) return KIRK_INVALID_MODE; + + AES_cbc_decrypt(&aes_kirk1, inbuff, (u8*)&keys, 16*2); //decrypt AES & CMAC key to temp buffer + + if(header->ecdsa_hash == 1) + { + SHA_CTX sha; + KIRK_CMD1_ECDSA_HEADER* eheader = (KIRK_CMD1_ECDSA_HEADER*) inbuff; + u8 kirk1_pub[40]; + u8 header_hash[20];u8 data_hash[20]; + ecdsa_set_curve(ec_p,ec_a,ec_b1,ec_N1,Gx1,Gy1); + memcpy(kirk1_pub,Px1,20); + memcpy(kirk1_pub+20,Py1,20); + ecdsa_set_pub(kirk1_pub); + + //Hash the Header + SHAInit(&sha); + SHAUpdate(&sha, (u8*)eheader+0x60, 0x30); + SHAFinal(header_hash, &sha); + + if(!ecdsa_verify(header_hash,eheader->header_sig_r,eheader->header_sig_s)) { + return KIRK_HEADER_HASH_INVALID; + } + + SHAInit(&sha); + SHAUpdate(&sha, (u8*)eheader+0x60, size-0x60); + SHAFinal(data_hash, &sha); + + if(!ecdsa_verify(data_hash,eheader->data_sig_r,eheader->data_sig_s)) { + return KIRK_DATA_HASH_INVALID; + } + } else { + int ret = kirk_CMD10(inbuff, size); + if(ret != KIRK_OPERATION_SUCCESS) return ret; + } + + AES_set_key(&k1, keys.AES, 128); + AES_cbc_decrypt(&k1, inbuff+sizeof(KIRK_CMD1_HEADER)+header->data_offset, outbuff, header->data_size); + + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD1_ex(u8* outbuff, u8* inbuff, int size, KIRK_CMD1_HEADER* header) +{ + u8* buffer = (u8*)malloc(size); + int ret; + + memcpy(buffer, header, sizeof(KIRK_CMD1_HEADER)); + memcpy(buffer+sizeof(KIRK_CMD1_HEADER), inbuff, header->data_size); + + ret = kirk_CMD1(outbuff, buffer, size); + free(buffer); + return ret; +} + +int kirk_CMD4(u8* outbuff, u8* inbuff, int size) +{ + KIRK_AES128CBC_HEADER *header = (KIRK_AES128CBC_HEADER*)inbuff; + u8* key; + AES_ctx aesKey; + + if (is_kirk_initialized == 0) return KIRK_NOT_INITIALIZED; + if (header->mode != KIRK_MODE_ENCRYPT_CBC) return KIRK_INVALID_MODE; + if (header->data_size == 0) return KIRK_DATA_SIZE_ZERO; + + key = kirk_4_7_get_key(header->keyseed); + if (key == (u8*)KIRK_INVALID_SIZE) return KIRK_INVALID_SIZE; + + // Set the key + AES_set_key(&aesKey, key, 128); + AES_cbc_encrypt(&aesKey, inbuff+sizeof(KIRK_AES128CBC_HEADER), outbuff+sizeof(KIRK_AES128CBC_HEADER), size); + + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD7(u8* outbuff, u8* inbuff, int size) +{ + KIRK_AES128CBC_HEADER *header = (KIRK_AES128CBC_HEADER*)inbuff; + u8* key; + AES_ctx aesKey; + + if (is_kirk_initialized == 0) return KIRK_NOT_INITIALIZED; + if (header->mode != KIRK_MODE_DECRYPT_CBC) return KIRK_INVALID_MODE; + if (header->data_size == 0) return KIRK_DATA_SIZE_ZERO; + + key = kirk_4_7_get_key(header->keyseed); + if (key == (u8*)KIRK_INVALID_SIZE) return KIRK_INVALID_SIZE; + + // Set the key + AES_set_key(&aesKey, key, 128); + AES_cbc_decrypt(&aesKey, inbuff+sizeof(KIRK_AES128CBC_HEADER), outbuff, size); + + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD10(u8* inbuff, int insize __attribute__((unused))) +{ + KIRK_CMD1_HEADER* header = (KIRK_CMD1_HEADER*)inbuff; + header_keys keys; //0-15 AES key, 16-31 CMAC key + u8 cmac_header_hash[16]; + u8 cmac_data_hash[16]; + AES_ctx cmac_key; + int chk_size; + + if (is_kirk_initialized == 0) return KIRK_NOT_INITIALIZED; + if (!(header->mode == KIRK_MODE_CMD1 || header->mode == KIRK_MODE_CMD2 || header->mode == KIRK_MODE_CMD3)) return KIRK_INVALID_MODE; + if (header->data_size == 0) return KIRK_DATA_SIZE_ZERO; + + if (header->mode == KIRK_MODE_CMD1) + { + AES_cbc_decrypt(&aes_kirk1, inbuff, (u8*)&keys, 32); //decrypt AES & CMAC key to temp buffer + AES_set_key(&cmac_key, keys.CMAC, 128); + AES_CMAC(&cmac_key, inbuff+0x60, 0x30, cmac_header_hash); + + // Make sure data is 16 aligned + chk_size = header->data_size; + if(chk_size % 16) chk_size += 16 - (chk_size % 16); + AES_CMAC(&cmac_key, inbuff+0x60, 0x30 + chk_size + header->data_offset, cmac_data_hash); + + if(memcmp(cmac_header_hash, header->CMAC_header_hash, 16) != 0) return KIRK_HEADER_HASH_INVALID; + if(memcmp(cmac_data_hash, header->CMAC_data_hash, 16) != 0) return KIRK_DATA_HASH_INVALID; + + return KIRK_OPERATION_SUCCESS; + } + + return KIRK_SIG_CHECK_INVALID; //Checks for cmd 2 & 3 not included right now +} + +int kirk_CMD11(u8* outbuff, u8* inbuff, int size) +{ + KIRK_SHA1_HEADER *header = (KIRK_SHA1_HEADER *)inbuff; + SHA_CTX sha; + if (is_kirk_initialized == 0) return KIRK_NOT_INITIALIZED; + if (header->data_size == 0 || size == 0) return KIRK_DATA_SIZE_ZERO; + + SHAInit(&sha); + SHAUpdate(&sha, inbuff+sizeof(KIRK_SHA1_HEADER), header->data_size); + SHAFinal(outbuff, &sha); + + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD12(u8 * outbuff, int outsize) +{ + u8 k[0x15]; + KIRK_CMD12_BUFFER * keypair = (KIRK_CMD12_BUFFER *) outbuff; + + if (outsize != 0x3C) return KIRK_INVALID_SIZE; + ecdsa_set_curve(ec_p,ec_a,ec_b2,ec_N2,Gx2,Gy2); + k[0] = 0; + + kirk_CMD14(k+1,0x14); + ec_priv_to_pub(k, (u8*)keypair->public_key.x); + memcpy(keypair->private_key,k+1,0x14); + + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD13(u8 * outbuff, int outsize,u8 * inbuff, int insize) +{ + u8 k[0x15]; + KIRK_CMD13_BUFFER * pointmult = (KIRK_CMD13_BUFFER *) inbuff; + k[0]=0; + + if (outsize != 0x28) return KIRK_INVALID_SIZE; + if (insize != 0x3C) return KIRK_INVALID_SIZE; + + ecdsa_set_curve(ec_p,ec_a,ec_b2,ec_N2,Gx2,Gy2); + ecdsa_set_pub((u8*)pointmult->public_key.x); + memcpy(k+1,pointmult->multiplier,0x14); + ec_pub_mult(k, outbuff); + + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD14(u8 * outbuff, int outsize) +{ + u8 temp[0x104]; + KIRK_SHA1_HEADER *header = (KIRK_SHA1_HEADER *) temp; + + // Some randomly selected data for a "key" to add to each randomization + u8 key[0x10] = { 0xA7, 0x2E, 0x4C, 0xB6, 0xC3, 0x34, 0xDF, 0x85, 0x70, 0x01, 0x49, 0xFC, 0xC0, 0x87, 0xC4, 0x77 }; + u32 curtime; + + if(outsize <=0) return KIRK_OPERATION_SUCCESS; + + memcpy(temp+4, PRNG_DATA,0x14); + + // This uses the standard C time function for portability. + curtime=(u32)time(0); + temp[0x18] = curtime &0xFF; + temp[0x19] = (curtime>>8) &0xFF; + temp[0x1A] = (curtime>>16) &0xFF; + temp[0x1B] = (curtime>>24) &0xFF; + memcpy(&temp[0x1C], key, 0x10); + + // This leaves the remainder of the 0x100 bytes in temp to whatever remains on the stack + // in an uninitialized state. This should add unpredicableness to the results as well + header->data_size=0x100; + kirk_CMD11(PRNG_DATA, temp, 0x104); + + while(outsize) + { + int blockrem = outsize %0x14; + int block = outsize /0x14; + + if(block) + { + memcpy(outbuff, PRNG_DATA, 0x14); + outbuff += 0x14; + outsize -= 0x14; + kirk_CMD14(outbuff, outsize); + } else { + if(blockrem) + { + memcpy(outbuff, PRNG_DATA, blockrem); + outsize -= blockrem; + } + } + } + + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD16(u8 * outbuff, int outsize, u8 * inbuff, int insize) +{ + u8 dec_private[0x20]; + KIRK_CMD16_BUFFER * signbuf = (KIRK_CMD16_BUFFER *) inbuff; + ECDSA_SIG * sig = (ECDSA_SIG *) outbuff; + + if (insize != 0x34) return KIRK_INVALID_SIZE; + if (outsize != 0x28) return KIRK_INVALID_SIZE; + + decrypt_kirk16_private(dec_private,signbuf->enc_private); + + // Clear out the padding for safety + memset(&dec_private[0x14], 0, 0xC); + + ecdsa_set_curve(ec_p,ec_a,ec_b2,ec_N2,Gx2,Gy2); + ecdsa_set_priv(dec_private); + ecdsa_sign(signbuf->message_hash,sig->r, sig->s); + + return KIRK_OPERATION_SUCCESS; +} + +int kirk_CMD17(u8 * inbuff, int insize) +{ + KIRK_CMD17_BUFFER * sig = (KIRK_CMD17_BUFFER *) inbuff; + + if (insize != 0x64) return KIRK_INVALID_SIZE; + + ecdsa_set_curve(ec_p,ec_a,ec_b2,ec_N2,Gx2,Gy2); + ecdsa_set_pub(sig->public_key.x); + + if (ecdsa_verify(sig->message_hash,sig->signature.r,sig->signature.s)) { + return KIRK_OPERATION_SUCCESS; + } else { + return KIRK_SIG_CHECK_INVALID; + } +} + +// SCE functions +int sceUtilsBufferCopyWithRange(u8* outbuff, int outsize, u8* inbuff, int insize, int cmd) +{ + switch(cmd) + { + case KIRK_CMD_DECRYPT_PRIVATE: return kirk_CMD1(outbuff, inbuff, insize); break; + case KIRK_CMD_ENCRYPT_IV_0: return kirk_CMD4(outbuff, inbuff, insize); break; + case KIRK_CMD_DECRYPT_IV_0: return kirk_CMD7(outbuff, inbuff, insize); break; + case KIRK_CMD_PRIV_SIGN_CHECK: return kirk_CMD10(inbuff, insize); break; + case KIRK_CMD_SHA1_HASH: return kirk_CMD11(outbuff, inbuff, insize); break; + case KIRK_CMD_ECDSA_GEN_KEYS: return kirk_CMD12(outbuff,outsize); break; + case KIRK_CMD_ECDSA_MULTIPLY_POINT: return kirk_CMD13(outbuff,outsize, inbuff, insize); break; + case KIRK_CMD_PRNG: return kirk_CMD14(outbuff,outsize); break; + case KIRK_CMD_ECDSA_SIGN: return kirk_CMD16(outbuff, outsize, inbuff, insize); break; + case KIRK_CMD_ECDSA_VERIFY: return kirk_CMD17(inbuff, insize); break; + } + return -1; +} diff --git a/src/libkirk/kirk_engine.h b/src/libkirk/kirk_engine.h new file mode 100644 index 0000000..cd297fd --- /dev/null +++ b/src/libkirk/kirk_engine.h @@ -0,0 +1,245 @@ +/* + Draan proudly presents: + + With huge help from community: + coyotebean, Davee, hitchhikr, kgsws, liquidzigong, Mathieulh, Proxima, SilverSpring + + ******************** KIRK-ENGINE ******************** + An Open-Source implementation of KIRK (PSP crypto engine) algorithms and keys. + Includes also additional routines for hash forging. + + ******************** + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef KIRK_ENGINE +#define KIRK_ENGINE + +typedef unsigned char u8; +typedef unsigned short int u16; +typedef unsigned int u32; + +// Macros +#define round_up(x,n) (-(-(x) & -(n))) +#define array_size(x) (sizeof(x) / sizeof(*(x))) + +// KIRK return values +#define KIRK_OPERATION_SUCCESS 0 +#define KIRK_NOT_ENABLED 1 +#define KIRK_INVALID_MODE 2 +#define KIRK_HEADER_HASH_INVALID 3 +#define KIRK_DATA_HASH_INVALID 4 +#define KIRK_SIG_CHECK_INVALID 5 +#define KIRK_UNK_1 6 +#define KIRK_UNK_2 7 +#define KIRK_UNK_3 8 +#define KIRK_UNK_4 9 +#define KIRK_UNK_5 0xA +#define KIRK_UNK_6 0xB +#define KIRK_NOT_INITIALIZED 0xC +#define KIRK_INVALID_OPERATION 0xD +#define KIRK_INVALID_SEED_CODE 0xE +#define KIRK_INVALID_SIZE 0xF +#define KIRK_DATA_SIZE_ZERO 0x10 + +// sceUtilsBufferCopyWithRange modes +#define KIRK_CMD_DECRYPT_PRIVATE 1 +#define KIRK_CMD_2 2 +#define KIRK_CMD_3 3 +#define KIRK_CMD_ENCRYPT_IV_0 4 +#define KIRK_CMD_ENCRYPT_IV_FUSE 5 +#define KIRK_CMD_ENCRYPT_IV_USER 6 +#define KIRK_CMD_DECRYPT_IV_0 7 +#define KIRK_CMD_DECRYPT_IV_FUSE 8 +#define KIRK_CMD_DECRYPT_IV_USER 9 +#define KIRK_CMD_PRIV_SIGN_CHECK 10 +#define KIRK_CMD_SHA1_HASH 11 +#define KIRK_CMD_ECDSA_GEN_KEYS 12 +#define KIRK_CMD_ECDSA_MULTIPLY_POINT 13 +#define KIRK_CMD_PRNG 14 +#define KIRK_CMD_15 15 +#define KIRK_CMD_ECDSA_SIGN 16 +#define KIRK_CMD_ECDSA_VERIFY 17 + +// KIRK header modes +#define KIRK_MODE_CMD1 1 +#define KIRK_MODE_CMD2 2 +#define KIRK_MODE_CMD3 3 +#define KIRK_MODE_ENCRYPT_CBC 4 +#define KIRK_MODE_DECRYPT_CBC 5 + +// sceUtilsBufferCopyWithRange errors +#define SUBCWR_NOT_16_ALGINED 0x90A +#define SUBCWR_HEADER_HASH_INVALID 0x920 +#define SUBCWR_BUFFER_TOO_SMALL 0x1000 + +// Structs +typedef struct +{ + int mode; + int unk_4; + int unk_8; + int keyseed; + int data_size; +} KIRK_AES128CBC_HEADER; + +typedef struct +{ + u8 AES_key[16]; + u8 CMAC_key[16]; + u8 CMAC_header_hash[16]; + u8 CMAC_data_hash[16]; + u8 unused[32]; + u32 mode; + u8 ecdsa_hash; + u8 unk3[11]; + u32 data_size; + u32 data_offset; + u8 unk4[8]; + u8 unk5[16]; +} KIRK_CMD1_HEADER; + +typedef struct +{ + u8 AES_key[16]; + u8 header_sig_r[20]; + u8 header_sig_s[20]; + u8 data_sig_r[20]; + u8 data_sig_s[20]; + u32 mode; + u8 ecdsa_hash; + u8 unk3[11]; + u32 data_size; + u32 data_offset; + u8 unk4[8]; + u8 unk5[16]; +} KIRK_CMD1_ECDSA_HEADER; + +typedef struct +{ + u8 r[0x14]; + u8 s[0x14]; +} ECDSA_SIG; + +typedef struct +{ + u8 x[0x14]; + u8 y[0x14]; +} ECDSA_POINT; + +typedef struct +{ + u32 data_size; +} KIRK_SHA1_HEADER; + +typedef struct +{ + u8 private_key[0x14]; + ECDSA_POINT public_key; +} KIRK_CMD12_BUFFER; + +typedef struct +{ + u8 multiplier[0x14]; + ECDSA_POINT public_key; +} KIRK_CMD13_BUFFER; + +typedef struct +{ + u8 enc_private[0x20]; + u8 message_hash[0x14]; +} KIRK_CMD16_BUFFER; + +typedef struct +{ + ECDSA_POINT public_key; + u8 message_hash[0x14]; + ECDSA_SIG signature; +} KIRK_CMD17_BUFFER; + +// KIRK commands +/* + // Private Sig + Cipher + 0x01: Super-Duper decryption (no inverse) + 0x02: Encrypt Operation (inverse of 0x03) + 0x03: Decrypt Operation (inverse of 0x02) + + // Cipher + 0x04: Encrypt Operation (inverse of 0x07) (IV=0) + 0x05: Encrypt Operation (inverse of 0x08) (IV=FuseID) + 0x06: Encrypt Operation (inverse of 0x09) (IV=UserDefined) + 0x07: Decrypt Operation (inverse of 0x04) + 0x08: Decrypt Operation (inverse of 0x05) + 0x09: Decrypt Operation (inverse of 0x06) + + // Sig Gens + 0x0A: Private Signature Check (checks for private SCE sig) + 0x0B: SHA1 Hash + 0x0C: Mul1 + 0x0D: Mul2 + 0x0E: Random Number Gen + 0x0F: (absolutely no idea – could be KIRK initialization) + 0x10: Signature Gen + + // Sig Checks + 0x11: Signature Check (checks for generated sigs) + 0x12: Certificate Check (idstorage signatures) +*/ + +int kirk_init(); +int kirk_init2(u8 *, u32, u32, u32); +int kirk_CMD0(u8* outbuff, u8* inbuff, int size, int generate_trash); +int kirk_CMD1(u8* outbuff, u8* inbuff, int size); +int kirk_CMD1_ex(u8* outbuff, u8* inbuff, int size, KIRK_CMD1_HEADER* header); +int kirk_CMD4(u8* outbuff, u8* inbuff, int size); +int kirk_CMD7(u8* outbuff, u8* inbuff, int size); +int kirk_CMD10(u8* inbuff, int insize); +int kirk_CMD11(u8* outbuff, u8* inbuff, int size); +int kirk_CMD12(u8* outbuff, int outsize); +int kirk_CMD13(u8* outbuff, int outsize,u8* inbuff, int insize); +int kirk_CMD14(u8* outbuff, int outsize); +int kirk_CMD16(u8* outbuff, int outsize,u8* inbuff, int insize); +int kirk_CMD17(u8* inbuff, int insize); + +// Internal functions +u8* kirk_4_7_get_key(int key_type); +void decrypt_kirk16_private(u8 *dA_out, u8 *dA_enc); +void encrypt_kirk16_private(u8 *dA_out, u8 *dA_dec); + +// SCE functions +int sceUtilsSetFuseID(u8*fuse); +int sceUtilsBufferCopyWithRange(u8* outbuff, int outsize, u8* inbuff, int insize, int cmd); + +// Prototypes for the Elliptic Curve and Big Number functions +int ecdsa_get_params(u32 type, u8 *p, u8 *a, u8 *b, u8 *N, u8 *Gx, u8 *Gy); +int ecdsa_set_curve(u8* p,u8* a,u8* b,u8* N,u8* Gx,u8* Gy); +void ecdsa_set_pub(u8 *Q); +void ecdsa_set_priv(u8 *k); +int ecdsa_verify(u8 *hash, u8 *R, u8 *S); +void ecdsa_sign(u8 *hash, u8 *R, u8 *S); +void ec_priv_to_pub(u8 *k, u8 *Q); +void ec_pub_mult(u8 *k, u8 *Q); +void bn_copy(u8 *d, u8 *a, u32 n); +int bn_compare(u8 *a, u8 *b, u32 n); +void bn_reduce(u8 *d, u8 *N, u32 n); +void bn_add(u8 *d, u8 *a, u8 *b, u8 *N, u32 n); +void bn_sub(u8 *d, u8 *a, u8 *b, u8 *N, u32 n); +void bn_to_mon(u8 *d, u8 *N, u32 n); +void bn_from_mon(u8 *d, u8 *N, u32 n); +void bn_mon_mul(u8 *d, u8 *a, u8 *b, u8 *N, u32 n); +void bn_mon_inv(u8 *d, u8 *a, u8 *N, u32 n); +void hex_dump(char *str, u8 *buf, int size); + +#endif diff --git a/src/libkirk/psp_headers.h b/src/libkirk/psp_headers.h new file mode 100644 index 0000000..5ad0ad0 --- /dev/null +++ b/src/libkirk/psp_headers.h @@ -0,0 +1,148 @@ +// Copyright (C) 2013 tpu +// Copyright (C) 2015 Hykem +// Licensed under the terms of the GNU GPL, version 3 +// http://www.gnu.org/licenses/gpl-3.0.txt + +/* Values for p_type. */ +#define PT_LOAD 1 /* Loadable segment. */ + +/* Values for p_flags. */ +#define PF_X 0x1 /* Executable. */ +#define PF_W 0x2 /* Writable. */ +#define PF_R 0x4 /* Readable. */ +#define PF_RW (PF_R|PF_W) + +typedef struct +{ + u32 e_magic; + u8 e_class; + u8 e_data; + u8 e_idver; + u8 e_pad[9]; + u16 e_type; + u16 e_machine; + u32 e_version; + u32 e_entry; + u32 e_phoff; + u32 e_shoff; + u32 e_flags; + u16 e_ehsize; + u16 e_phentsize; + u16 e_phnum; + u16 e_shentsize; + u16 e_shnum; + u16 e_shstrndx; +} __attribute__((packed)) Elf32_Ehdr; + +typedef struct +{ + u32 p_type; + u32 p_offset; + u32 p_vaddr; + u32 p_paddr; + u32 p_filesz; + u32 p_memsz; + u32 p_flags; + u32 p_align; +} __attribute__((packed)) Elf32_Phdr; + +typedef struct +{ + u32 sh_name; + u32 sh_type; + u32 sh_flags; + u32 sh_addr; + u32 sh_offset; + u32 sh_size; + u32 sh_link; + u32 sh_info; + u32 sh_addralign; + u32 sh_entsize; +} __attribute__((packed)) Elf32_Shdr; + +typedef struct { + u32 r_offset; + u32 r_info; /* sym, type: ELF32_R_... */ +} Elf32_Rel; + +typedef struct { + u16 modattribute; + u8 modversion[2]; /* minor, major, etc... */ + char modname[28]; + void *gp_value; + void *ent_top; + void *ent_end; + void *stub_top; + void *stub_end; +} SceModuleInfo; + +typedef struct +{ + u32 signature; //0 + u16 mod_attribute; //4 + u16 comp_attribute; //6 compress method: + // 0x0001=PRX Compress + // 0x0002=ELF Packed + // 0x0008=GZIP overlap + // 0x0200=KL4E(if not set, GZIP) + u8 module_ver_lo; //8 + u8 module_ver_hi; //9 + char modname[28]; //0xA + u8 mod_version; //0x26 + u8 nsegments; //0x27 + u32 elf_size; //0x28 + u32 psp_size; //0x2C + u32 boot_entry; //0x30 + u32 modinfo_offset; //0x34 + int bss_size; //0x38 + u16 seg_align[4]; //0x3C + u32 seg_address[4]; //0x44 + int seg_size[4]; //0x54 + u32 reserved[5]; //0x64 + u32 devkit_version; //0x78 + u8 decrypt_mode; //0x7C + u8 padding; //0x7D + u16 overlap_size; //0x7E + u8 key_data[0x30]; //0x80 + u32 comp_size; //0xB0 kirk data_size + int _80; //0xB4 kirk data_offset + u32 unk_B8; //0xB8 + u32 unk_BC; //0xBC + u8 key_data2[0x10]; //0xC0 + u32 tag; //0xD0 + u8 scheck[0x58]; //0xD4 + u8 sha1_hash[0x14]; //0x12C + u8 key_data4[0x10]; //0x140 +} __attribute__((packed)) PSP_Header2; //0x150 + +typedef struct +{ + u32 signature; // 0 + u16 attribute; + u8 module_ver_lo; + u8 module_ver_hi; + char modname[28]; + u8 version; // 26 + u8 nsegments; // 27 + int elf_size; // 28 + int psp_size; // 2C + u32 entry; // 30 + u32 modinfo_offset; // 34 + int bss_size; // 38 + u16 seg_align[4]; // 3C + u32 seg_address[4]; // 44 + int seg_size[4]; // 54 + u32 reserved[5]; // 64 + u32 devkitversion; // 78 + u32 decrypt_mode; // 7C + u8 key_data0[0x30]; // 80 + int comp_size; // B0 + int _80; // B4 + int reserved2[2]; // B8 + u8 key_data1[0x10]; // C0 + u32 tag; // D0 + u8 scheck[0x58]; // D4 + u32 key_data2; // 12C + u32 oe_tag; // 130 + u8 key_data3[0x1C]; // 134 +} __attribute__((packed)) PSP_Header; \ No newline at end of file diff --git a/src/libkirk/sha1.c b/src/libkirk/sha1.c new file mode 100644 index 0000000..a7956a5 --- /dev/null +++ b/src/libkirk/sha1.c @@ -0,0 +1,389 @@ +/* sha1.c : Implementation of the Secure Hash Algorithm */ + +/* SHA: NIST's Secure Hash Algorithm */ + +/* This version written November 2000 by David Ireland of + DI Management Services Pty Limited + + Adapted from code in the Python Cryptography Toolkit, + version 1.0.0 by A.M. Kuchling 1995. +*/ + +/* AM Kuchling's posting:- + Based on SHA code originally posted to sci.crypt by Peter Gutmann + in message <30ajo5$oe8@ccu2.auckland.ac.nz>. + Modified to test for endianness on creation of SHA objects by AMK. + Also, the original specification of SHA was found to have a weakness + by NSA/NIST. This code implements the fixed version of SHA. +*/ + +/* Here's the first paragraph of Peter Gutmann's posting: + +The following is my SHA (FIPS 180) code updated to allow use of the "fixed" +SHA, thanks to Jim Gillogly and an anonymous contributor for the information on +what's changed in the new version. The fix is a simple change which involves +adding a single rotate in the initial expansion function. It is unknown +whether this is an optimal solution to the problem which was discovered in the +SHA or whether it's simply a bandaid which fixes the problem with a minimum of +effort (for example the reengineering of a great many Capstone chips). +*/ + +/* h files included here to make this just one file ... */ + +/* sha.c */ +#include "sha1.h" + +#include +#include + +static void SHAtoByte(BYTE *output, UINT4 *input, unsigned int len); + +/* The SHS block size and message digest sizes, in bytes */ + +#define SHS_DATASIZE 64 +#define SHS_DIGESTSIZE 20 + + +/* The SHS f()-functions. The f1 and f3 functions can be optimized to + save one boolean operation each - thanks to Rich Schroeppel, + rcs@cs.arizona.edu for discovering this */ + +/*#define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) // Rounds 0-19 */ +#define f1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) /* Rounds 0-19 */ +#define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */ +/*#define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) // Rounds 40-59 */ +#define f3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) /* Rounds 40-59 */ +#define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */ + +/* The SHS Mysterious Constants */ + +#define K1 0x5A827999L /* Rounds 0-19 */ +#define K2 0x6ED9EBA1L /* Rounds 20-39 */ +#define K3 0x8F1BBCDCL /* Rounds 40-59 */ +#define K4 0xCA62C1D6L /* Rounds 60-79 */ + +/* SHS initial values */ + +#define h0init 0x67452301L +#define h1init 0xEFCDAB89L +#define h2init 0x98BADCFEL +#define h3init 0x10325476L +#define h4init 0xC3D2E1F0L + +/* Note that it may be necessary to add parentheses to these macros if they + are to be called with expressions as arguments */ +/* 32-bit rotate left - kludged with shifts */ + +#define ROTL(n,X) ( ( ( X ) << n ) | ( ( X ) >> ( 32 - n ) ) ) + +/* The initial expanding function. The hash function is defined over an + 80-UINT2 expanded input array W, where the first 16 are copies of the input + data, and the remaining 64 are defined by + + W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ] + + This implementation generates these values on the fly in a circular + buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this + optimization. + + The updated SHS changes the expanding function by adding a rotate of 1 + bit. Thanks to Jim Gillogly, jim@rand.org, and an anonymous contributor + for this information */ + +#define expand(W,i) ( W[ i & 15 ] = ROTL( 1, ( W[ i & 15 ] ^ W[ (i - 14) & 15 ] ^ \ + W[ (i - 8) & 15 ] ^ W[ (i - 3) & 15 ] ) ) ) + + +/* The prototype SHS sub-round. The fundamental sub-round is: + + a' = e + ROTL( 5, a ) + f( b, c, d ) + k + data; + b' = a; + c' = ROTL( 30, b ); + d' = c; + e' = d; + + but this is implemented by unrolling the loop 5 times and renaming the + variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration. + This code is then replicated 20 times for each of the 4 functions, using + the next 20 values from the W[] array each time */ + +#define subRound(a, b, c, d, e, f, k, data) \ + ( e += ROTL( 5, a ) + f( b, c, d ) + k + data, b = ROTL( 30, b ) ) + +/* Initialize the SHS values */ + +void SHAInit(SHA_CTX *shsInfo) +{ + endianTest(&shsInfo->Endianness); + /* Set the h-vars to their initial values */ + shsInfo->digest[ 0 ] = h0init; + shsInfo->digest[ 1 ] = h1init; + shsInfo->digest[ 2 ] = h2init; + shsInfo->digest[ 3 ] = h3init; + shsInfo->digest[ 4 ] = h4init; + + /* Initialise bit count */ + shsInfo->countLo = shsInfo->countHi = 0; +} + + +/* Perform the SHS transformation. Note that this code, like MD5, seems to + break some optimizing compilers due to the complexity of the expressions + and the size of the basic block. It may be necessary to split it into + sections, e.g. based on the four subrounds + + Note that this corrupts the shsInfo->data area */ + +static void SHSTransform( digest, data ) + UINT4 *digest, *data ; + { + UINT4 A, B, C, D, E; /* Local vars */ + UINT4 eData[ 16 ]; /* Expanded data */ + + /* Set up first buffer and local data buffer */ + A = digest[ 0 ]; + B = digest[ 1 ]; + C = digest[ 2 ]; + D = digest[ 3 ]; + E = digest[ 4 ]; + memcpy( (POINTER)eData, (POINTER)data, SHS_DATASIZE ); + + /* Heavy mangling, in 4 sub-rounds of 20 interations each. */ + subRound( A, B, C, D, E, f1, K1, eData[ 0 ] ); + subRound( E, A, B, C, D, f1, K1, eData[ 1 ] ); + subRound( D, E, A, B, C, f1, K1, eData[ 2 ] ); + subRound( C, D, E, A, B, f1, K1, eData[ 3 ] ); + subRound( B, C, D, E, A, f1, K1, eData[ 4 ] ); + subRound( A, B, C, D, E, f1, K1, eData[ 5 ] ); + subRound( E, A, B, C, D, f1, K1, eData[ 6 ] ); + subRound( D, E, A, B, C, f1, K1, eData[ 7 ] ); + subRound( C, D, E, A, B, f1, K1, eData[ 8 ] ); + subRound( B, C, D, E, A, f1, K1, eData[ 9 ] ); + subRound( A, B, C, D, E, f1, K1, eData[ 10 ] ); + subRound( E, A, B, C, D, f1, K1, eData[ 11 ] ); + subRound( D, E, A, B, C, f1, K1, eData[ 12 ] ); + subRound( C, D, E, A, B, f1, K1, eData[ 13 ] ); + subRound( B, C, D, E, A, f1, K1, eData[ 14 ] ); + subRound( A, B, C, D, E, f1, K1, eData[ 15 ] ); + subRound( E, A, B, C, D, f1, K1, expand( eData, 16 ) ); + subRound( D, E, A, B, C, f1, K1, expand( eData, 17 ) ); + subRound( C, D, E, A, B, f1, K1, expand( eData, 18 ) ); + subRound( B, C, D, E, A, f1, K1, expand( eData, 19 ) ); + + subRound( A, B, C, D, E, f2, K2, expand( eData, 20 ) ); + subRound( E, A, B, C, D, f2, K2, expand( eData, 21 ) ); + subRound( D, E, A, B, C, f2, K2, expand( eData, 22 ) ); + subRound( C, D, E, A, B, f2, K2, expand( eData, 23 ) ); + subRound( B, C, D, E, A, f2, K2, expand( eData, 24 ) ); + subRound( A, B, C, D, E, f2, K2, expand( eData, 25 ) ); + subRound( E, A, B, C, D, f2, K2, expand( eData, 26 ) ); + subRound( D, E, A, B, C, f2, K2, expand( eData, 27 ) ); + subRound( C, D, E, A, B, f2, K2, expand( eData, 28 ) ); + subRound( B, C, D, E, A, f2, K2, expand( eData, 29 ) ); + subRound( A, B, C, D, E, f2, K2, expand( eData, 30 ) ); + subRound( E, A, B, C, D, f2, K2, expand( eData, 31 ) ); + subRound( D, E, A, B, C, f2, K2, expand( eData, 32 ) ); + subRound( C, D, E, A, B, f2, K2, expand( eData, 33 ) ); + subRound( B, C, D, E, A, f2, K2, expand( eData, 34 ) ); + subRound( A, B, C, D, E, f2, K2, expand( eData, 35 ) ); + subRound( E, A, B, C, D, f2, K2, expand( eData, 36 ) ); + subRound( D, E, A, B, C, f2, K2, expand( eData, 37 ) ); + subRound( C, D, E, A, B, f2, K2, expand( eData, 38 ) ); + subRound( B, C, D, E, A, f2, K2, expand( eData, 39 ) ); + + subRound( A, B, C, D, E, f3, K3, expand( eData, 40 ) ); + subRound( E, A, B, C, D, f3, K3, expand( eData, 41 ) ); + subRound( D, E, A, B, C, f3, K3, expand( eData, 42 ) ); + subRound( C, D, E, A, B, f3, K3, expand( eData, 43 ) ); + subRound( B, C, D, E, A, f3, K3, expand( eData, 44 ) ); + subRound( A, B, C, D, E, f3, K3, expand( eData, 45 ) ); + subRound( E, A, B, C, D, f3, K3, expand( eData, 46 ) ); + subRound( D, E, A, B, C, f3, K3, expand( eData, 47 ) ); + subRound( C, D, E, A, B, f3, K3, expand( eData, 48 ) ); + subRound( B, C, D, E, A, f3, K3, expand( eData, 49 ) ); + subRound( A, B, C, D, E, f3, K3, expand( eData, 50 ) ); + subRound( E, A, B, C, D, f3, K3, expand( eData, 51 ) ); + subRound( D, E, A, B, C, f3, K3, expand( eData, 52 ) ); + subRound( C, D, E, A, B, f3, K3, expand( eData, 53 ) ); + subRound( B, C, D, E, A, f3, K3, expand( eData, 54 ) ); + subRound( A, B, C, D, E, f3, K3, expand( eData, 55 ) ); + subRound( E, A, B, C, D, f3, K3, expand( eData, 56 ) ); + subRound( D, E, A, B, C, f3, K3, expand( eData, 57 ) ); + subRound( C, D, E, A, B, f3, K3, expand( eData, 58 ) ); + subRound( B, C, D, E, A, f3, K3, expand( eData, 59 ) ); + + subRound( A, B, C, D, E, f4, K4, expand( eData, 60 ) ); + subRound( E, A, B, C, D, f4, K4, expand( eData, 61 ) ); + subRound( D, E, A, B, C, f4, K4, expand( eData, 62 ) ); + subRound( C, D, E, A, B, f4, K4, expand( eData, 63 ) ); + subRound( B, C, D, E, A, f4, K4, expand( eData, 64 ) ); + subRound( A, B, C, D, E, f4, K4, expand( eData, 65 ) ); + subRound( E, A, B, C, D, f4, K4, expand( eData, 66 ) ); + subRound( D, E, A, B, C, f4, K4, expand( eData, 67 ) ); + subRound( C, D, E, A, B, f4, K4, expand( eData, 68 ) ); + subRound( B, C, D, E, A, f4, K4, expand( eData, 69 ) ); + subRound( A, B, C, D, E, f4, K4, expand( eData, 70 ) ); + subRound( E, A, B, C, D, f4, K4, expand( eData, 71 ) ); + subRound( D, E, A, B, C, f4, K4, expand( eData, 72 ) ); + subRound( C, D, E, A, B, f4, K4, expand( eData, 73 ) ); + subRound( B, C, D, E, A, f4, K4, expand( eData, 74 ) ); + subRound( A, B, C, D, E, f4, K4, expand( eData, 75 ) ); + subRound( E, A, B, C, D, f4, K4, expand( eData, 76 ) ); + subRound( D, E, A, B, C, f4, K4, expand( eData, 77 ) ); + subRound( C, D, E, A, B, f4, K4, expand( eData, 78 ) ); + subRound( B, C, D, E, A, f4, K4, expand( eData, 79 ) ); + + /* Build message digest */ + digest[ 0 ] += A; + digest[ 1 ] += B; + digest[ 2 ] += C; + digest[ 3 ] += D; + digest[ 4 ] += E; + } + +/* When run on a little-endian CPU we need to perform byte reversal on an + array of long words. */ + +static void longReverse(UINT4 *buffer, int byteCount, int Endianness ) +{ + UINT4 value; + + if (Endianness==TRUE) return; + byteCount /= sizeof( UINT4 ); + while( byteCount-- ) + { + value = *buffer; + value = ( ( value & 0xFF00FF00L ) >> 8 ) | \ + ( ( value & 0x00FF00FFL ) << 8 ); + *buffer++ = ( value << 16 ) | ( value >> 16 ); + } +} + +/* Update SHS for a block of data */ + +void SHAUpdate(SHA_CTX *shsInfo, BYTE *buffer, int count) +{ + UINT4 tmp; + int dataCount; + + /* Update bitcount */ + tmp = shsInfo->countLo; + if ( ( shsInfo->countLo = tmp + ( ( UINT4 ) count << 3 ) ) < tmp ) + shsInfo->countHi++; /* Carry from low to high */ + shsInfo->countHi += count >> 29; + + /* Get count of bytes already in data */ + dataCount = ( int ) ( tmp >> 3 ) & 0x3F; + + /* Handle any leading odd-sized chunks */ + if( dataCount ) + { + BYTE *p = ( BYTE * ) shsInfo->data + dataCount; + + dataCount = SHS_DATASIZE - dataCount; + if( count < dataCount ) + { + memcpy( p, buffer, count ); + return; + } + memcpy( p, buffer, dataCount ); + longReverse( shsInfo->data, SHS_DATASIZE, shsInfo->Endianness); + SHSTransform( shsInfo->digest, shsInfo->data ); + buffer += dataCount; + count -= dataCount; + } + + /* Process data in SHS_DATASIZE chunks */ + while( count >= SHS_DATASIZE ) + { + memcpy( (POINTER)shsInfo->data, (POINTER)buffer, SHS_DATASIZE ); + longReverse( shsInfo->data, SHS_DATASIZE, shsInfo->Endianness ); + SHSTransform( shsInfo->digest, shsInfo->data ); + buffer += SHS_DATASIZE; + count -= SHS_DATASIZE; + } + + /* Handle any remaining bytes of data. */ + memcpy( (POINTER)shsInfo->data, (POINTER)buffer, count ); + } + +/* Final wrapup - pad to SHS_DATASIZE-byte boundary with the bit pattern + 1 0* (64-bit count of bits processed, MSB-first) */ + +void SHAFinal(BYTE *output, SHA_CTX *shsInfo) +{ + int count; + BYTE *dataPtr; + + /* Compute number of bytes mod 64 */ + count = ( int ) shsInfo->countLo; + count = ( count >> 3 ) & 0x3F; + + /* Set the first char of padding to 0x80. This is safe since there is + always at least one byte free */ + dataPtr = ( BYTE * ) shsInfo->data + count; + *dataPtr++ = 0x80; + + /* Bytes of padding needed to make 64 bytes */ + count = SHS_DATASIZE - 1 - count; + + /* Pad out to 56 mod 64 */ + if( count < 8 ) + { + /* Two lots of padding: Pad the first block to 64 bytes */ + memset( dataPtr, 0, count ); + longReverse( shsInfo->data, SHS_DATASIZE, shsInfo->Endianness ); + SHSTransform( shsInfo->digest, shsInfo->data ); + + /* Now fill the next block with 56 bytes */ + memset( (POINTER)shsInfo->data, 0, SHS_DATASIZE - 8 ); + } + else + /* Pad block to 56 bytes */ + memset( dataPtr, 0, count - 8 ); + + /* Append length in bits and transform */ + shsInfo->data[ 14 ] = shsInfo->countHi; + shsInfo->data[ 15 ] = shsInfo->countLo; + + longReverse( shsInfo->data, SHS_DATASIZE - 8, shsInfo->Endianness ); + SHSTransform( shsInfo->digest, shsInfo->data ); + + /* Output to an array of bytes */ + SHAtoByte(output, shsInfo->digest, SHS_DIGESTSIZE); + + /* Zeroise sensitive stuff */ + memset((POINTER)shsInfo, 0, sizeof(shsInfo)); +} + +static void SHAtoByte(BYTE *output, UINT4 *input, unsigned int len) +{ /* Output SHA digest in byte array */ + unsigned int i, j; + + for(i = 0, j = 0; j < len; i++, j += 4) + { + output[j+3] = (BYTE)( input[i] & 0xff); + output[j+2] = (BYTE)((input[i] >> 8 ) & 0xff); + output[j+1] = (BYTE)((input[i] >> 16) & 0xff); + output[j ] = (BYTE)((input[i] >> 24) & 0xff); + } +} + + + + +/* endian.c */ + +void endianTest(int *endian_ness) +{ + if((*(unsigned short *) ("#S") >> 8) == '#') + { + /* printf("Big endian = no change\n"); */ + *endian_ness = !(0); + } + else + { + /* printf("Little endian = swap\n"); */ + *endian_ness = 0; + } +} diff --git a/src/libkirk/sha1.h b/src/libkirk/sha1.h new file mode 100644 index 0000000..ff0eba2 --- /dev/null +++ b/src/libkirk/sha1.h @@ -0,0 +1,52 @@ +#ifndef _GLOBAL_H_ +#define _GLOBAL_H_ 1 + +/* POINTER defines a generic pointer type */ +typedef unsigned char *POINTER; + +/* UINT4 defines a four byte word */ +typedef unsigned int UINT4; + +/* BYTE defines a unsigned character */ +typedef unsigned char BYTE; + +#ifndef TRUE + #define FALSE 0 + #define TRUE ( !FALSE ) +#endif /* TRUE */ + +#endif /* end _GLOBAL_H_ */ + +/* sha.h */ + +#ifndef _SHA_H_ +#define _SHA_H_ 1 + +/* #include "global.h" */ + +/* The structure for storing SHS info */ + +typedef struct +{ + UINT4 digest[ 5 ]; /* Message digest */ + UINT4 countLo, countHi; /* 64-bit bit count */ + UINT4 data[ 16 ]; /* SHS data buffer */ + int Endianness; +} SHA_CTX; + +/* Message digest functions */ + +void SHAInit(SHA_CTX *); +void SHAUpdate(SHA_CTX *, BYTE *buffer, int count); +void SHAFinal(BYTE *output, SHA_CTX *); + +#endif /* end _SHA_H_ */ + +/* endian.h */ + +#ifndef _ENDIAN_H_ +#define _ENDIAN_H_ 1 + +void endianTest(int *endianness); + +#endif /* end _ENDIAN_H_ */ diff --git a/src/pkgrip.c b/src/pkgrip.c new file mode 100644 index 0000000..abc4b80 --- /dev/null +++ b/src/pkgrip.c @@ -0,0 +1,487 @@ +#include +#include +#include +#include +#include +#include "libkirk/aes.h" +#include "libkirk/amctrl.h" +#include "libkirk/kirk_engine.h" + +#define PKGRIP_VERSION "1.1a" + +/* NOTE: Supports files up to 16 GB */ + +typedef unsigned char u8; +typedef unsigned short u16; +typedef unsigned int u64; + +char *exec; +char *pkgfile; +u8 public_key[16], static_public_key[16], pkg_key[16], xor_key[16], + title_id[10], *pkg_header, *pkg_file_name; +u64 *pkg_file_name_offset, *pkg_file_name_length, *pkg_file_offset, + *pkg_file_size, *pkg_is_file, *pkg_entry_type; +u64 pkg_enc_start, pkg_enc_size, pkg_file_count; +int xpsp = 0; +int xps3 = 0; + +u8 PSPAESKey[16] = {0x07, 0xF2, 0xC6, 0x82, 0x90, 0xB5, 0x0D, 0x2C, + 0x33, 0x81, 0x8D, 0x70, 0x9B, 0x60, 0xE6, 0x2B}; + +u8 PS3AESKey[16] = {0x2E, 0x7B, 0x71, 0xD7, 0xC9, 0xC9, 0xA1, 0x4E, + 0xA3, 0x22, 0x1F, 0x18, 0x88, 0x28, 0xB8, 0xF8}; + +void usage(const char *fmt, ...) { + va_list list; + char msg[256]; + + va_start(list, fmt); + vsprintf(msg, fmt, list); + va_end(list); + + printf("%s", msg); + + printf("\nUsage:\n\t%s [options] pathtopkg\n\n", exec); + printf("Options: (optional)\n\t-psp - extract PSP files only\n\t-ps3 - " + "extract PS3 files only\n\tBoth enabled by default.\n\n"); + exit(0); +} + +void dumpPS1key(const char *path) { + int flag = 2; + PGD_HEADER PGD; + memset(&PGD, 0, sizeof(PGD_HEADER)); + MAC_KEY mkey; + u8 buf[1024]; + + kirk_init(); + + FILE *fd = fopen(path, "rb"); + fseek(fd, 0x24, 0); + u64 psar, pgdoff = 0; + + if (fread(&psar, 1, 4, fd)) { + }; + fseek(fd, psar, 0); + if (fread(buf, 1, 16, fd)) { + }; + + if (!memcmp(buf, "PSTITLE", 7)) + pgdoff = psar + 0x200; + else if (!memcmp(buf, "PSISO", 5)) + pgdoff = psar + 0x400; + else { + fclose(fd); + return; + } + + fseek(fd, pgdoff, 0); + if (fread(buf, 1, sizeof(buf), fd)) { + }; + fclose(fd); + + PGD.buf = buf; + PGD.key_index = *(u64 *)(buf + 4); + PGD.drm_type = *(u64 *)(buf + 8); + + // Set the hashing, crypto and open modes. + if (PGD.drm_type == 1) { + PGD.mac_type = 1; + flag |= 4; + + if (PGD.key_index > 1) { + PGD.mac_type = 3; + flag |= 8; + } + + PGD.cipher_type = 1; + } else { + PGD.mac_type = 2; + PGD.cipher_type = 2; + } + + PGD.open_flag = flag; + + int rt = sceDrmBBMacInit(&mkey, PGD.mac_type); + printf("0x%08X\n", rt); + rt = sceDrmBBMacUpdate(&mkey, buf, 0x70); + printf("0x%08X\n", rt); + rt = bbmac_getkey(&mkey, buf + 0x70, PGD.vkey); + printf("0x%08X\n", rt); + char Path[1024]; + strcpy(Path, path); + int len = strlen(Path); + + while (Path[len] != '/') + len--; + + Path[len + 1] = 0; + strcat(Path, "KEYS.BIN"); + fd = fopen(Path, "wb"); + fwrite(PGD.vkey, 1, 16, fd); + fclose(fd); +} + +void printhex(u8 *buf) { + int i; + for (i = 0; i < 16; i++) + printf("%02X ", buf[i]); + printf("\n"); +} + +u64 tou64(u8 *buf) { + return (u64)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]); +} + +void xor128(u8 *dst, u8 *xor1, u8 *xor2) { + int i; + for (i = 0; i < 16; i++) + dst[i] = xor1[i] ^ xor2[i]; +} + +void iter128(u8 *buf) { + int i; + for (i = 15; i >= 0; i--) { + buf[i]++; + + if (buf[i]) + break; + } +} + +void setiter128(u8 *dst, int size) { + memcpy(dst, static_public_key, 16); + + int i; + for (i = 0; i < size; i++) + iter128(dst); +} + +void check_pkg_exist(const char *file) { + FILE *fd = fopen(file, "rb"); + + if (fd == NULL) + usage("Could not locate file \"%s\"\n", file); + + fclose(fd); +} + +void check_pkg_supported(const char *file) { + u8 buf[4]; + + FILE *fd = fopen(file, "rb"); + if (fread(buf, 1, sizeof(buf), fd)) { + }; + fclose(fd); + + if (memcmp(buf, "\x7FPKG", 4)) + usage("Unknown PKG detected!\n"); +} + +void check_pkg_retail(const char *file) { + u8 buf[1]; + + FILE *fd = fopen(file, "rb"); + fseek(fd, 4, 0); + if (fread(buf, 1, sizeof(buf), fd)) { + }; + fclose(fd); + + if (buf[0] != 0x80) + usage("Non-retail PKG type detected!\n"); +} + +void check_pkg_type(const char *file) { + u8 buf[1]; + + FILE *fd = fopen(file, "rb"); + fseek(fd, 7, 0); + if (fread(buf, 1, sizeof(buf), fd)) { + }; + fclose(fd); + + if (buf[0] != 0x01 && buf[0] != 0x02) + usage("File is not a PS3/PSP PKG!\n"); +} + +void check_pkg_size(const char *file) { + u8 buf[4]; + u64 size, pkgsize; + + FILE *fd = fopen(file, "rb"); + fseek(fd, 0x1C, 0); + if (fread(buf, 1, sizeof(buf), fd)) { + }; + pkgsize = tou64(buf); + fseek(fd, 0x18, 0); + if (fread(buf, 1, sizeof(buf), fd)) { + }; + fseek(fd, 0, 2); + size = ftell(fd); + fclose(fd); + + if (size != pkgsize) + usage("Corrupt PKG detected!\ndetected size: %u\nexpected size: %u\n", + size, tou64(buf)); + + //if (tou64(buf)) + // usage("PKG size too large, must be less than 16 GB!\n"); +} + +void get_pkg_info(const char *file) { + pkg_header = malloc(0x80); + + FILE *fd = fopen(file, "rb"); + if (fread(pkg_header, 1, 0x80, fd)) { + }; + fclose(fd); + + memcpy(title_id, pkg_header + 0x37, 9); + title_id[9] = 0; + memcpy(public_key, pkg_header + 0x70, 16); + memcpy(static_public_key, pkg_header + 0x70, 16); + + memcpy(pkg_key, pkg_header[0x07] == 0x01 ? PS3AESKey : PSPAESKey, + sizeof(pkg_key)); + + pkg_file_count = tou64(pkg_header + 0x14); + pkg_enc_start = tou64(pkg_header + 0x24); + pkg_enc_size = tou64(pkg_header + 0x2C); + + pkg_file_name_offset = malloc(pkg_file_count * sizeof(u64)); + pkg_file_name_length = malloc(pkg_file_count * sizeof(u64)); + pkg_file_offset = malloc(pkg_file_count * sizeof(u64)); + pkg_file_size = malloc(pkg_file_count * sizeof(u64)); + pkg_is_file = malloc(pkg_file_count * sizeof(u64)); + pkg_entry_type = malloc(pkg_file_count * sizeof(u64)); + + printf("PKG info:\n"); + printf("\tPKG type: %s\n", pkg_header[0x07] == 0x01 ? "PS3" : "PSP"); + printf("\tContent ID: %s\n", pkg_header + 0x30); + printf("\tTitle ID: %s\n", title_id); + printf("\tPKG file count: %u\n", pkg_file_count); + printf("\tPKG size: %u\n\n", tou64(pkg_header + 0x1C)); +} + +void extract_pkg(const char *file) { + int i, j, extracted = 0; + u64 MB = 1024 * 1024; + u8 buf[16], *decbuf = malloc(MB); + char path[512]; + AES_ctx ctx; + memset(&ctx, 0, sizeof(AES_ctx)); + AES_set_key(&ctx, pkg_key, AES_KEY_LEN_128); + + sprintf(path, "./%s_dec", title_id); + + mkdir(path, 0777); + + FILE *fd = fopen(file, "rb"); + fseek(fd, pkg_enc_start, 0); + + for (i = 0; i < (int)pkg_file_count * 2; i++) { + if (fread(buf, 1, sizeof(buf), fd)) { + }; + + AES_encrypt(&ctx, public_key, xor_key); + xor128(buf, buf, xor_key); + iter128(public_key); + + if (!(i & 1)) { + pkg_file_name_offset[i / 2] = tou64(buf); + pkg_file_name_length[i / 2] = tou64(buf + 4); + pkg_file_offset[i / 2] = tou64(buf + 12); + } else { + pkg_file_size[(i - 1) / 2] = tou64(buf + 4); + pkg_entry_type[(i - 1) / 2] = tou64(buf + 8); + } + } + + for (i = 0; i < (int)pkg_file_count; i++) { + if (!xpsp && (pkg_entry_type[i] >> 24) == 0x90) + continue; + if (!xps3 && ((pkg_entry_type[i] >> 24) != 0x90) && + ((pkg_entry_type[i] & 0xFF) != 0x04)) + continue; + + int namelength = (pkg_file_name_length[i] + 15) & -16; + int isfile = !((pkg_entry_type[i] & 0xFF) == 0x04 && !pkg_file_size[i]); + pkg_file_name = malloc(namelength); + fseek(fd, pkg_enc_start + pkg_file_name_offset[i], 0); + if (fread(pkg_file_name, 1, namelength, fd)) { + }; + setiter128(public_key, pkg_file_name_offset[i] >> 4); + AES_set_key(&ctx, + (pkg_entry_type[i] >> 24) == 0x90 ? PSPAESKey : PS3AESKey, + AES_KEY_LEN_128); + + for (j = 0; j < (namelength >> 4); j++) { + AES_encrypt(&ctx, public_key, xor_key); + xor128(pkg_file_name + (j * 16), pkg_file_name + (j * 16), xor_key); + iter128(public_key); + } + + sprintf(path, "%s_dec/%s", title_id, pkg_file_name); + char tmpstr[21]; + sprintf(tmpstr, "Extracting %s file:", + ((pkg_entry_type[i] >> 24) == 0x90) ? "PSP" : "PS3"); + printf("\n%s\n%s\n", isfile ? tmpstr : "Creating directory:", path); + + if (isfile) { + u64 szcheck = 0, mincheck = 0; + FILE *dst = fopen(path, "wb"); + fseek(fd, pkg_enc_start + pkg_file_offset[i], 0); + if (fread(decbuf, 1, + (pkg_file_size[i] >= MB) ? MB : pkg_file_size[i], fd)) { + }; + setiter128(public_key, pkg_file_offset[i] >> 4); + + printf("%u/%u bytes written\r", 0, pkg_file_size[i]); + + for (j = 0; j < (int)(pkg_file_size[i] >> 4); j++) { + if (szcheck == MB) { + szcheck = 0; + mincheck += MB; + fwrite(decbuf, 1, MB, dst); + printf("%u/%u bytes written\r", mincheck, pkg_file_size[i]); + if (fread(decbuf, 1, + ((pkg_file_size[i] - (j << 4)) >= MB) + ? MB + : pkg_file_size[i] - (j << 4), + fd)) { + }; + } + + AES_encrypt(&ctx, public_key, xor_key); + xor128(decbuf + ((j << 4) - mincheck), + decbuf + ((j << 4) - mincheck), xor_key); + iter128(public_key); + + szcheck += 16; + } + + if (mincheck < pkg_file_size[i]) { + printf("%u/%u bytes written", pkg_file_size[i], + pkg_file_size[i]); + fwrite(decbuf, 1, pkg_file_size[i] - mincheck, dst); + } + + fclose(dst); + printf("\n"); + extracted++; + + int pathlen = strlen(path); + if (!strcmp(path + pathlen - 9, "EBOOT.PBP")) { + dst = fopen(path, "rb"); + fseek(dst, 0x24, 0); + u64 psar; + if (fread(&psar, 1, 4, dst)) { + }; + fseek(dst, psar, 0); + u8 block[16]; + if (fread(block, 1, sizeof(block), dst)) { + }; + + if (!memcmp(block, "PSTITLE", 7)) + fseek(dst, psar + 0x200, 0); + else if (!memcmp(block, "PSISO", 5)) + fseek(dst, psar + 0x400, 0); + + if (fread(block, 1, 4, dst)) { + }; + + if (!memcmp(block, "\x00PGD", 4)) { + dumpPS1key(path); + printf("PS1 KEYS.BIN dumped.\n"); + extracted++; + } + + fclose(dst); + } else if (!strcmp(path + pathlen - 4, ".PTF")) { + u8 *pgdbuf = malloc(pkg_file_size[i] - 0x80); + dst = fopen(path, "rb"); + fseek(dst, 0x80, 0); + if (fread(pgdbuf, 1, pkg_file_size[i] - 0x80, dst)) { + }; + fclose(dst); + kirk_init(); + u64 pgdsize = + decrypt_pgd(pgdbuf, pkg_file_size[i] - 0x80, 2, NULL); + path[pathlen - 4] = 0; + strcat(path, "_DEC.PTF"); + dst = fopen(path, "wb"); + fwrite(pgdbuf + 0x90, 1, pgdsize, dst); + fclose(dst); + printf("PTF theme decrypted.\nDecrypted size: %u bytes\n", + pgdsize); + extracted++; + } + } else { + mkdir(path, 0777); + } + + free(pkg_file_name); + } + + free(decbuf); + fclose(fd); + + printf("\nFiles extracted: %u\n", extracted); +} + +void free_mallocs() { + if (pkg_header) + free(pkg_header); + + if (pkg_file_name_offset) + free(pkg_file_name_offset); + + if (pkg_file_name_length) + free(pkg_file_name_length); + + if (pkg_file_offset) + free(pkg_file_offset); + + if (pkg_file_size) + free(pkg_file_size); + + if (pkg_is_file) + free(pkg_is_file); + + if (pkg_entry_type) + free(pkg_entry_type); +} + +int main(int argc, char **argv) { + exec = argv[0]; + + if (argc < 2) + usage(""); + + int i; + for (i = 1; i < (argc - 1); i++) { + if (!strcmp(argv[i], "-psp")) + xpsp = 1; + else if (!strcmp(argv[i], "-ps3")) + xps3 = 1; + } + + if (!xpsp && !xps3) { + xpsp = 1; + xps3 = 1; + } + + pkgfile = argv[argc - 1]; + + check_pkg_exist(pkgfile); + check_pkg_supported(pkgfile); + check_pkg_retail(pkgfile); + check_pkg_type(pkgfile); + check_pkg_size(pkgfile); + get_pkg_info(pkgfile); + extract_pkg(pkgfile); + + free_mallocs(); + + return 0; +}