CB Code: Difference between revisions
imported>TEIR1plus2 (Created page with "=Dump CB= <syntaxhighlight lang="c"> // BLKey = 1BL Key // Hvx methods are meant to be proxies to read HV memory from user mode. #define SPACE_NAND 0x80000200C8000000ULL voi...") |
imported>TEIR1plus2 |
Line 1: | Line 1: | ||
=Dump CB= | =Dump CB= | ||
< | <code> | ||
// BLKey = 1BL Key | // BLKey = 1BL Key | ||
// Hvx methods are meant to be proxies to read HV memory from user mode. | // Hvx methods are meant to be proxies to read HV memory from user mode. | ||
Line 68: | Line 68: | ||
XPhysicalFree(cbb); | XPhysicalFree(cbb); | ||
} | } | ||
</ | </code> |
Revision as of 06:48, 21 October 2017
Dump CB
// BLKey = 1BL Key
// Hvx methods are meant to be proxies to read HV memory from user mode.
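// Base of the NAND window as seen through the Hvx peek helpers; every
// bootloader offset below is relative to this address. (The page's copy of
// this line had lost its `#` and would not preprocess.)
#define SPACE_NAND 0x80000200C8000000ULL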
// Derives the CB_A key into the caller's 16-byte Keybuf.
// The CB_A image starts at SPACE_NAND plus the DWORD stored at SPACE_NAND+8;
// the 16 bytes at image+0x10 are used as the salt, and XeCryptHmacSha is run
// with BLKey as its first input (BLKey is the 1BL key, see the header comment).
void getCB_AKey(PBYTE Keybuf)
{
    const auto cbaOffset = Hvx::HvPeekDWORD(SPACE_NAND + 8);
    const QWORD cbaBase = SPACE_NAND + cbaOffset;

    BYTE salt[0x10];
    Hvx::HvPeekBytes(cbaBase + 0x10, salt, 0x10);

    XeCryptHmacSha(BLKey, 0x10, salt, 0x10, 0, 0, 0, 0, Keybuf, 0x10);
}
// Derives the CB_B key into the caller's 16-byte Keybuf.
// CB_B is located after CB_A: CB_A's offset is the DWORD at SPACE_NAND+8 and
// its size the DWORD at CB_A+0xC. The 16 bytes at CB_B+0x10 are the salt;
// XeCryptHmacSha is run with the CB_A key as its first input and the CPU key
// as its third.
void getCB_BKey(PBYTE Keybuf)
{
    const auto cbaOffset = Hvx::HvPeekDWORD(SPACE_NAND + 8);
    const auto cbaSize = Hvx::HvPeekDWORD(SPACE_NAND + cbaOffset + 0xC);
    // NOTE(review): the original wrote `cbOffs + (size + 0xF) & 0xFFFFFFF0`;
    // `+` binds tighter than `&`, so the mask applies to the whole sum. The
    // parentheses below make that grouping explicit without changing it. If
    // the intent was to round only the size, i.e.
    // `cbOffs + ((size + 0xF) & 0xFFFFFFF0)`, the two differ whenever cbOffs
    // is not 16-byte aligned -- confirm against the layout.
    const DWORD cbbOffset = (cbaOffset + (cbaSize + 0xF)) & 0xFFFFFFF0;
    const QWORD cbbBase = SPACE_NAND + cbbOffset;

    BYTE cbaKey[0x10];
    BYTE cpuKey[0x10];
    BYTE salt[0x10];
    getCB_AKey(cbaKey);
    getCPUKey(cpuKey);
    Hvx::HvPeekBytes(cbbBase + 0x10, salt, 0x10);

    XeCryptHmacSha(cbaKey, 0x10, salt, 0x10, cpuKey, 0x10, 0, 0, Keybuf, 0x10);
}
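// Dumps CB_A: copies the image out of the NAND window into a physical buffer,
// writes it unchanged to Hdd:\cb_enc.bin, then RC4-decrypts everything past
// the first 0x20 bytes with the CB_A key and writes Hdd:\cb_dec.bin.
// Returns early (with a DbgOut message) if the size field is implausible or
// the buffer allocation fails; the original unconditionally continued.
void DumpCB_A()
{
    DbgOut("Dumping CB_A....\n");
    // CB_A offset is the DWORD at SPACE_NAND+8; its size is the DWORD at image+0xC.
    const QWORD cbAddy = SPACE_NAND + Hvx::HvPeekDWORD(SPACE_NAND + 8);
    const DWORD size = Hvx::HvPeekDWORD(cbAddy + 0xC);
    printf("cbAddy: %016llX\nSize: %X\n", cbAddy, size);

    // The RC4 pass starts at +0x20. With a smaller size field `size - 0x20`
    // wraps (DWORD is unsigned) and RC4 would be handed a huge length past
    // the end of the buffer, so treat it as a bad header.
    if (size < 0x20) {
        DbgOut("CB_A size field too small, not dumping\n");
        return;
    }

    PBYTE cb = static_cast<PBYTE>(XPhysicalAlloc(size, MAXULONG_PTR, NULL, PAGE_READWRITE));
    if (cb == NULL) {
        DbgOut("XPhysicalAlloc failed for CB_A, not dumping\n");
        return;
    }

    Hvx::HvPeekBytes(cbAddy, cb, size);
    CWriteFile("Hdd:\\cb_enc.bin", cb, size);

    BYTE rc4key[0x10];
    getCB_AKey(rc4key);
    XECRYPT_RC4_STATE rc4;
    XeCryptRc4Key(&rc4, rc4key, 0x10);
    // The first 0x20 bytes (header and salt) are left as read.
    XeCryptRc4Ecb(&rc4, cb + 0x20, size - 0x20);
    CWriteFile("Hdd:\\cb_dec.bin", cb, size);

    XPhysicalFree(cb);
}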
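// Dumps CB_B: locates it after CB_A, copies the image into a physical buffer,
// writes it unchanged to Hdd:\cbb_enc.bin, then RC4-decrypts everything past
// the first 0x20 bytes with the CB_B key and writes Hdd:\cbb_dec.bin.
// Returns early (with a DbgOut message) if the size field is implausible or
// the buffer allocation fails; the original unconditionally continued.
void DumpCB_B()
{
    DbgOut("Dumping CB_B....\n");
    // CB_A offset is the DWORD at SPACE_NAND+8, CB_A size the DWORD at CB_A+0xC.
    const DWORD cbOffs = Hvx::HvPeekDWORD(SPACE_NAND + 8);
    // Parenthesised to match the original's precedence (`+` before `&`): the
    // mask is applied to the whole sum, exactly as getCB_BKey computes it.
    const DWORD cbbOffs = (cbOffs + (Hvx::HvPeekDWORD(SPACE_NAND + cbOffs + 0xC) + 0xF)) & 0xFFFFFFF0;
    const QWORD cbbAddy = SPACE_NAND + cbbOffs;
    const DWORD size = Hvx::HvPeekDWORD(cbbAddy + 0xC);
    printf("cbbOffs: 0x%08X\ncbbAddy: 0x%016llX\nSize: 0x%X\n", cbbOffs, cbbAddy, size);

    // The RC4 pass starts at +0x20. With a smaller size field `size - 0x20`
    // wraps (DWORD is unsigned) and RC4 would be handed a huge length past
    // the end of the buffer, so treat it as a bad header.
    if (size < 0x20) {
        DbgOut("CB_B size field too small, not dumping\n");
        return;
    }

    PBYTE cbb = static_cast<PBYTE>(XPhysicalAlloc(size, MAXULONG_PTR, NULL, PAGE_READWRITE));
    if (cbb == NULL) {
        DbgOut("XPhysicalAlloc failed for CB_B, not dumping\n");
        return;
    }

    Hvx::HvPeekBytes(cbbAddy, cbb, size);
    CWriteFile("Hdd:\\cbb_enc.bin", cbb, size);

    BYTE cbbKey[0x10];
    getCB_BKey(cbbKey);
    XECRYPT_RC4_STATE rc4;
    XeCryptRc4Key(&rc4, cbbKey, 0x10);
    // The first 0x20 bytes (header and salt) are left as read.
    XeCryptRc4Ecb(&rc4, cbb + 0x20, size - 0x20);
    CWriteFile("Hdd:\\cbb_dec.bin", cbb, size);

    XPhysicalFree(cbb);
}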