From 063b23cc58b1e7367f9e530e752ab56fe1f56532 Mon Sep 17 00:00:00 2001 From: german77 Date: Wed, 7 Sep 2022 01:03:02 -0500 Subject: core: nfp: Remove magic numbers --- src/core/hle/service/nfp/amiibo_crypto.cpp | 171 ++++++++++++++--------------- src/core/hle/service/nfp/amiibo_crypto.h | 29 +++-- src/core/hle/service/nfp/amiibo_types.h | 8 +- 3 files changed, 103 insertions(+), 105 deletions(-) diff --git a/src/core/hle/service/nfp/amiibo_crypto.cpp b/src/core/hle/service/nfp/amiibo_crypto.cpp index d9d0c8f62..31dd3a307 100644 --- a/src/core/hle/service/nfp/amiibo_crypto.cpp +++ b/src/core/hle/service/nfp/amiibo_crypto.cpp @@ -70,10 +70,10 @@ bool IsAmiiboValid(const EncryptedNTAG215File& ntag_file) { NTAG215File NfcDataToEncodedData(const EncryptedNTAG215File& nfc_data) { NTAG215File encoded_data{}; - memcpy(encoded_data.uuid2.data(), nfc_data.uuid.data() + 0x8, 2); + memcpy(encoded_data.uuid2.data(), nfc_data.uuid.data() + 0x8, sizeof(encoded_data.uuid2)); encoded_data.static_lock = nfc_data.static_lock; encoded_data.compability_container = nfc_data.compability_container; - encoded_data.unfixed_hash = nfc_data.user_memory.unfixed_hash; + encoded_data.hmac_data = nfc_data.user_memory.hmac_data; encoded_data.constant_value = nfc_data.user_memory.constant_value; encoded_data.write_counter = nfc_data.user_memory.write_counter; encoded_data.settings = nfc_data.user_memory.settings; @@ -84,8 +84,8 @@ NTAG215File NfcDataToEncodedData(const EncryptedNTAG215File& nfc_data) { encoded_data.unknown = nfc_data.user_memory.unknown; encoded_data.hash = nfc_data.user_memory.hash; encoded_data.application_area = nfc_data.user_memory.application_area; - encoded_data.locked_hash = nfc_data.user_memory.locked_hash; - memcpy(encoded_data.uuid.data(), nfc_data.uuid.data(), 8); + encoded_data.hmac_tag = nfc_data.user_memory.hmac_tag; + memcpy(encoded_data.uuid.data(), nfc_data.uuid.data(), sizeof(encoded_data.uuid)); encoded_data.model_info = nfc_data.user_memory.model_info; encoded_data.keygen_salt = nfc_data.user_memory.keygen_salt; encoded_data.dynamic_lock = nfc_data.dynamic_lock; @@ -99,11 +99,11 @@ NTAG215File NfcDataToEncodedData(const EncryptedNTAG215File& nfc_data) { EncryptedNTAG215File EncodedDataToNfcData(const NTAG215File& encoded_data) { EncryptedNTAG215File nfc_data{}; - memcpy(nfc_data.uuid.data() + 0x8, encoded_data.uuid2.data(), 2); - memcpy(nfc_data.uuid.data(), encoded_data.uuid.data(), 8); + memcpy(nfc_data.uuid.data() + 0x8, encoded_data.uuid2.data(), sizeof(encoded_data.uuid2)); + memcpy(nfc_data.uuid.data(), encoded_data.uuid.data(), sizeof(encoded_data.uuid)); nfc_data.static_lock = encoded_data.static_lock; nfc_data.compability_container = encoded_data.compability_container; - nfc_data.user_memory.unfixed_hash = encoded_data.unfixed_hash; + nfc_data.user_memory.hmac_data = encoded_data.hmac_data; nfc_data.user_memory.constant_value = encoded_data.constant_value; nfc_data.user_memory.write_counter = encoded_data.write_counter; nfc_data.user_memory.settings = encoded_data.settings; @@ -114,7 +114,7 @@ EncryptedNTAG215File EncodedDataToNfcData(const NTAG215File& encoded_data) { nfc_data.user_memory.unknown = encoded_data.unknown; nfc_data.user_memory.hash = encoded_data.hash; nfc_data.user_memory.application_area = encoded_data.application_area; - nfc_data.user_memory.locked_hash = encoded_data.locked_hash; + nfc_data.user_memory.hmac_tag = encoded_data.hmac_tag; nfc_data.user_memory.model_info = encoded_data.model_info; nfc_data.user_memory.keygen_salt = encoded_data.keygen_salt; nfc_data.dynamic_lock = encoded_data.dynamic_lock; @@ -136,60 +136,53 @@ u32 GetTagPassword(const TagUuid& uuid) { HashSeed GetSeed(const NTAG215File& data) { HashSeed seed{ - .data = - { - .magic = data.write_counter, - .padding = {}, - .uuid1 = {}, - .uuid2 = {}, - .keygen_salt = data.keygen_salt, - }, + .magic = data.write_counter, + .padding = {}, + .uuid1 = {}, + .uuid2 = {}, + .keygen_salt = data.keygen_salt, }; // Copy the first 8 bytes of uuid - memcpy(seed.data.uuid1.data(), data.uuid.data(), sizeof(seed.data.uuid1)); - memcpy(seed.data.uuid2.data(), data.uuid.data(), sizeof(seed.data.uuid2)); + memcpy(seed.uuid1.data(), data.uuid.data(), sizeof(seed.uuid1)); + memcpy(seed.uuid2.data(), data.uuid.data(), sizeof(seed.uuid2)); return seed; } -void PreGenerateKey(const InternalKey& key, const HashSeed& seed, u8* output, - std::size_t& outputLen) { - std::size_t index = 0; +std::vector GenerateInternalKey(const InternalKey& key, const HashSeed& seed) { + const std::size_t seedPart1Len = sizeof(key.magic_bytes) - key.magic_length; + const std::size_t string_size = key.type_string.size(); + std::vector output(string_size + seedPart1Len); // Copy whole type string - memccpy(output + index, key.type_string.data(), '\0', key.type_string.size()); - index += key.type_string.size(); + memccpy(output.data(), key.type_string.data(), '\0', string_size); // Append (16 - magic_length) from the input seed - std::size_t seedPart1Len = 16 - key.magic_length; - memcpy(output + index, &seed, seedPart1Len); - index += seedPart1Len; + memcpy(output.data() + string_size, &seed, seedPart1Len); // Append all bytes from magicBytes - memcpy(output + index, &key.magic_bytes, key.magic_length); - index += key.magic_length; + output.insert(output.end(), key.magic_bytes.begin(), + key.magic_bytes.begin() + key.magic_length); - // Seed 16 bytes at +0x10 - memcpy(output + index, &seed.raw[0x10], 16); - index += 16; + output.insert(output.end(), seed.uuid1.begin(), seed.uuid1.end()); + output.insert(output.end(), seed.uuid2.begin(), seed.uuid2.end()); - // 32 bytes at +0x20 from input seed xored with xor pad - for (std::size_t i = 0; i < 32; i++) - output[index + i] = seed.raw[i + 32] ^ key.xor_pad[i]; - index += 32; + for (std::size_t i = 0; i < sizeof(seed.keygen_salt); i++) { + output.emplace_back(static_cast(seed.keygen_salt[i] ^ key.xor_pad[i])); + } - outputLen = index; + return output; } void CryptoInit(CryptoCtx& ctx, mbedtls_md_context_t& hmac_ctx, const HmacKey& hmac_key, - const u8* seed, std::size_t seed_size) { + const std::vector& seed) { // Initialize context ctx.used = false; ctx.counter = 0; - ctx.buffer_size = sizeof(ctx.counter) + seed_size; - memcpy(ctx.buffer.data() + sizeof(u16), seed, seed_size); + ctx.buffer_size = sizeof(ctx.counter) + seed.size(); + memcpy(ctx.buffer.data() + sizeof(u16), seed.data(), seed.size()); // Initialize HMAC context mbedtls_md_init(&hmac_ctx); @@ -217,18 +210,15 @@ void CryptoStep(CryptoCtx& ctx, mbedtls_md_context_t& hmac_ctx, DrgbOutput& outp } DerivedKeys GenerateKey(const InternalKey& key, const NTAG215File& data) { - constexpr std::size_t OUTPUT_SIZE = 512; const auto seed = GetSeed(data); // Generate internal seed - u8 internal_key[OUTPUT_SIZE]; - std::size_t internal_key_lenght = 0; - PreGenerateKey(key, seed, internal_key, internal_key_lenght); + const std::vector internal_key = GenerateInternalKey(key, seed); // Initialize context CryptoCtx ctx{}; mbedtls_md_context_t hmac_ctx; - CryptoInit(ctx, hmac_ctx, key.hmac_key, internal_key, internal_key_lenght); + CryptoInit(ctx, hmac_ctx, key.hmac_key, internal_key); // Generate derived keys DerivedKeys derived_keys{}; @@ -246,27 +236,34 @@ DerivedKeys GenerateKey(const InternalKey& key, const NTAG215File& data) { void Cipher(const DerivedKeys& keys, const NTAG215File& in_data, NTAG215File& out_data) { mbedtls_aes_context aes; std::size_t nc_off = 0; - std::array nonce_counter{}; - std::array stream_block{}; - - mbedtls_aes_setkey_enc(&aes, keys.aes_key.data(), 128); - memcpy(nonce_counter.data(), keys.aes_iv.data(), sizeof(nonce_counter)); - - std::array in_data_byes{}; - std::array out_data_bytes{}; - memcpy(in_data_byes.data(), &in_data, sizeof(NTAG215File)); - memcpy(out_data_bytes.data(), &out_data, sizeof(NTAG215File)); - - mbedtls_aes_crypt_ctr(&aes, 0x188, &nc_off, nonce_counter.data(), stream_block.data(), - in_data_byes.data() + 0x2c, out_data_bytes.data() + 0x2c); - - memcpy(out_data_bytes.data(), in_data_byes.data(), 0x008); - // Data signature NOT copied - memcpy(out_data_bytes.data() + 0x028, in_data_byes.data() + 0x028, 0x004); - // Tag signature NOT copied - memcpy(out_data_bytes.data() + 0x1D4, in_data_byes.data() + 0x1D4, 0x048); - - memcpy(&out_data, out_data_bytes.data(), sizeof(NTAG215File)); + std::array nonce_counter{}; + std::array stream_block{}; + + const auto aes_key_size = static_cast(keys.aes_key.size() * 8); + mbedtls_aes_setkey_enc(&aes, keys.aes_key.data(), aes_key_size); + memcpy(nonce_counter.data(), keys.aes_iv.data(), sizeof(keys.aes_iv)); + + constexpr std::size_t encrypted_data_size = HMAC_TAG_START - SETTINGS_START; + mbedtls_aes_crypt_ctr(&aes, encrypted_data_size, &nc_off, nonce_counter.data(), + stream_block.data(), + reinterpret_cast(&in_data.settings), + reinterpret_cast(&out_data.settings)); + + // Copy the rest of the data directly + out_data.uuid2 = in_data.uuid2; + out_data.static_lock = in_data.static_lock; + out_data.compability_container = in_data.compability_container; + + out_data.constant_value = in_data.constant_value; + out_data.write_counter = in_data.write_counter; + + out_data.uuid = in_data.uuid; + out_data.model_info = in_data.model_info; + out_data.keygen_salt = in_data.keygen_salt; + out_data.dynamic_lock = in_data.dynamic_lock; + out_data.CFG0 = in_data.CFG0; + out_data.CFG1 = in_data.CFG1; + out_data.password = in_data.password; } bool LoadKeys(InternalKey& locked_secret, InternalKey& unfixed_info) { @@ -309,26 +306,26 @@ bool DecodeAmiibo(const EncryptedNTAG215File& encrypted_tag_data, NTAG215File& t // Decrypt Cipher(data_keys, encoded_data, tag_data); - std::array out{}; - memcpy(out.data(), &tag_data, sizeof(NTAG215File)); - // Regenerate tag HMAC. Note: order matters, data HMAC depends on tag HMAC! + constexpr std::size_t input_length = DYNAMIC_LOCK_START - UUID_START; mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), tag_keys.hmac_key.data(), - sizeof(HmacKey), out.data() + 0x1D4, 0x34, out.data() + HMAC_POS_TAG); + sizeof(HmacKey), reinterpret_cast(&tag_data.uuid), + input_length, reinterpret_cast(&tag_data.hmac_tag)); // Regenerate data HMAC + constexpr std::size_t input_length2 = DYNAMIC_LOCK_START - WRITE_COUNTER_START; mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), data_keys.hmac_key.data(), - sizeof(HmacKey), out.data() + 0x29, 0x1DF, out.data() + HMAC_POS_DATA); - - memcpy(&tag_data, out.data(), sizeof(NTAG215File)); + sizeof(HmacKey), + reinterpret_cast(&tag_data.write_counter), input_length2, + reinterpret_cast(&tag_data.hmac_data)); - if (memcmp(tag_data.unfixed_hash.data(), encrypted_tag_data.user_memory.unfixed_hash.data(), - 32) != 0) { + if (tag_data.hmac_data != encrypted_tag_data.user_memory.hmac_data) { + LOG_ERROR(Service_NFP, "hmac_data doesn't match"); return false; } - if (memcmp(tag_data.locked_hash.data(), encrypted_tag_data.user_memory.locked_hash.data(), - 32) != 0) { + if (tag_data.hmac_tag != encrypted_tag_data.user_memory.hmac_tag) { + LOG_ERROR(Service_NFP, "hmac_tag doesn't match"); return false; } @@ -347,13 +344,14 @@ bool EncodeAmiibo(const NTAG215File& tag_data, EncryptedNTAG215File& encrypted_t const auto data_keys = GenerateKey(unfixed_info, tag_data); const auto tag_keys = GenerateKey(locked_secret, tag_data); - std::array plain{}; - std::array cipher{}; - memcpy(plain.data(), &tag_data, sizeof(NTAG215File)); + NTAG215File encoded_tag_data{}; // Generate tag HMAC + constexpr std::size_t input_length = DYNAMIC_LOCK_START - UUID_START; + constexpr std::size_t input_length2 = HMAC_TAG_START - WRITE_COUNTER_START; mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), tag_keys.hmac_key.data(), - sizeof(HmacKey), plain.data() + 0x1D4, 0x34, cipher.data() + HMAC_POS_TAG); + sizeof(HmacKey), reinterpret_cast(&tag_data.uuid), + input_length, reinterpret_cast(&encoded_tag_data.hmac_tag)); // Init mbedtls HMAC context mbedtls_md_context_t ctx; @@ -362,17 +360,18 @@ bool EncodeAmiibo(const NTAG215File& tag_data, EncryptedNTAG215File& encrypted_t // Generate data HMAC mbedtls_md_hmac_starts(&ctx, data_keys.hmac_key.data(), sizeof(HmacKey)); - mbedtls_md_hmac_update(&ctx, plain.data() + 0x029, 0x18B); // Data - mbedtls_md_hmac_update(&ctx, cipher.data() + HMAC_POS_TAG, 0x20); // Tag HMAC - mbedtls_md_hmac_update(&ctx, plain.data() + 0x1D4, 0x34); - mbedtls_md_hmac_finish(&ctx, cipher.data() + HMAC_POS_DATA); + mbedtls_md_hmac_update(&ctx, reinterpret_cast(&tag_data.write_counter), + input_length2); // Data + mbedtls_md_hmac_update(&ctx, reinterpret_cast(&encoded_tag_data.hmac_tag), + sizeof(HashData)); // Tag HMAC + mbedtls_md_hmac_update(&ctx, reinterpret_cast(&tag_data.uuid), + input_length); + mbedtls_md_hmac_finish(&ctx, reinterpret_cast(&encoded_tag_data.hmac_data)); // HMAC cleanup mbedtls_md_free(&ctx); // Encrypt - NTAG215File encoded_tag_data{}; - memcpy(&encoded_tag_data, cipher.data(), sizeof(NTAG215File)); Cipher(data_keys, tag_data, encoded_tag_data); // Convert back to hardware diff --git a/src/core/hle/service/nfp/amiibo_crypto.h b/src/core/hle/service/nfp/amiibo_crypto.h index 9b021a5eb..af7335912 100644 --- a/src/core/hle/service/nfp/amiibo_crypto.h +++ b/src/core/hle/service/nfp/amiibo_crypto.h @@ -10,23 +10,23 @@ struct mbedtls_md_context_t; namespace Service::NFP::AmiiboCrypto { -constexpr std::size_t HMAC_POS_DATA = 0x8; -constexpr std::size_t HMAC_POS_TAG = 0x1B4; +// Byte locations in Service::NFP::NTAG215File +constexpr std::size_t HMAC_DATA_START = 0x8; +constexpr std::size_t SETTINGS_START = 0x2c; +constexpr std::size_t WRITE_COUNTER_START = 0x29; +constexpr std::size_t HMAC_TAG_START = 0x1B4; +constexpr std::size_t UUID_START = 0x1D4; +constexpr std::size_t DYNAMIC_LOCK_START = 0x208; using HmacKey = std::array; using DrgbOutput = std::array; struct HashSeed { - union { - std::array raw; - struct { - u16 magic; - std::array padding; - std::array uuid1; - std::array uuid2; - std::array keygen_salt; - } data; - }; + u16 magic; + std::array padding; + std::array uuid1; + std::array uuid2; + std::array keygen_salt; }; static_assert(sizeof(HashSeed) == 0x40, "HashSeed is an invalid size"); @@ -71,12 +71,11 @@ u32 GetTagPassword(const TagUuid& uuid); HashSeed GetSeed(const NTAG215File& data); // Middle step on the generation of derived keys -void PreGenerateKey(const InternalKey& key, const HashSeed& seed, u8* output, - std::size_t& outputLen); +std::vector GenerateInternalKey(const InternalKey& key, const HashSeed& seed); // Initializes mbedtls context void CryptoInit(CryptoCtx& ctx, mbedtls_md_context_t& hmac_ctx, const HmacKey& hmac_key, - const u8* seed, std::size_t seed_size); + const std::vector& seed); // Feeds data to mbedtls context to generate the derived key void CryptoStep(CryptoCtx& ctx, mbedtls_md_context_t& hmac_ctx, DrgbOutput& output); diff --git a/src/core/hle/service/nfp/amiibo_types.h b/src/core/hle/service/nfp/amiibo_types.h index c9c0932d0..bf2de811a 100644 --- a/src/core/hle/service/nfp/amiibo_types.h +++ b/src/core/hle/service/nfp/amiibo_types.h @@ -137,10 +137,10 @@ struct EncryptedAmiiboFile { u16 write_counter; // Number of times the amiibo has been written? INSERT_PADDING_BYTES(0x1); // Unknown 1 AmiiboSettings settings; // Encrypted amiibo settings - HashData locked_hash; // Hash + HashData hmac_tag; // Hash AmiiboModelInfo model_info; // Encrypted amiibo model info HashData keygen_salt; // Salt - HashData unfixed_hash; // Hash + HashData hmac_data; // Hash Service::Mii::Ver3StoreData owner_mii; // Encrypted Mii data u64_be title_id; // Encrypted Game id u16_be applicaton_write_counter; // Encrypted Counter @@ -155,7 +155,7 @@ struct NTAG215File { std::array uuid2; u16 static_lock; // Set defined pages as read only u32 compability_container; // Defines available memory - HashData unfixed_hash; // Hash + HashData hmac_data; // Hash u8 constant_value; // Must be A5 u16 write_counter; // Number of times the amiibo has been written? INSERT_PADDING_BYTES(0x1); // Unknown 1 @@ -167,7 +167,7 @@ struct NTAG215File { std::array unknown; HashData hash; // Probably a SHA256-HMAC hash? ApplicationArea application_area; // Encrypted Game data - HashData locked_hash; // Hash + HashData hmac_tag; // Hash std::array uuid; AmiiboModelInfo model_info; HashData keygen_salt; // Salt -- cgit v1.2.3