In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

Difference between revisions of "/dev/crypto"

From WiiUBrew
Jump to navigation Jump to search
(Created page with "{{stub}}")
 
Line 1: Line 1:
{{stub}}
+
/dev/crypto is the IOSU device node for the cryptographic engine. It can only be opened by the IOSU and it also provides a stripped down library (IOSC) that is implemented on most IOSU modules under the name "crypto_ios_interface".
 +
Requests are issued via ioctl()/ioctlv() commands which are then mapped to internal functions inside the IOS-CRYPTO process. This is done using different message queues, each one mapping a subset of commands in a jump table:
 +
0x00: Mapped by the 3rd message queue
 +
0x01: Mapped by the 3rd message queue
 +
0x02: Mapped by the 4th message queue
 +
0x03: Mapped by the 4th message queue
 +
0x04: Mapped by the 4th message queue
 +
0x05: Mapped by the 4th message queue
 +
0x06: Mapped by the 3rd message queue
 +
0x07: Mapped by the 4th message queue
 +
0x08: Mapped by the 4th message queue
 +
0x09: Mapped by the 3rd message queue
 +
0x0A: Mapped by the 3rd message queue
 +
0x0B: Mapped by the 2nd message queue | Mapped by the 4th message queue (async version)
 +
0x0C: Mapped by the 2nd message queue
 +
0x0D: Mapped by the 2nd message queue
 +
0x0E: Mapped by the 4th message queue
 +
0x0F: Mapped by the 2nd message queue | Mapped by the 4th message queue (async version)
 +
0x10: Mapped by the 4th message queue
 +
0x11: Mapped by the 3rd message queue
 +
0x12: Mapped by the 4th message queue
 +
0x13: Mapped by the 4th message queue
 +
0x14: Mapped by the 1st message queue
 +
0x15: Mapped by the 3rd message queue
 +
0x16: Mapped by the 4th message queue
 +
0x17: Mapped by the 4th message queue
 +
0x18: Not mapped
 +
0x19: Mapped by the 2nd message queue
 +
0x1A: Mapped by the 2nd message queue
 +
0x1B: Mapped by the 1st message queue
 +
0x1C: Mapped by the 2nd message queue
 +
0x1D: Mapped by the 1st message queue
 +
0x1E: Mapped by the 1st message queue
 +
0x1F: Mapped by the 4th message queue
 +
0x20: Mapped by the 4th message queue
 +
0x21: Mapped by the 1st message queue
 +
0x22: Mapped by the 3rd message queue
 +
 
 +
== List of functions (ioctl/ioctlv) ==
 +
{| class="wikitable sortable"
 +
! Command
 +
! Function
 +
! Call
 +
! Description
 +
! Notes
 +
|-
 +
| 0x01
 +
| IOSC_CreateObject()
 +
| IOS_Ioctl(FD, 0x01, in_buf, 0x10, out_buf, 4);
 +
| Creates a new crypto object and returns a handle for it.
 +
|
 +
|-
 +
| 0x02
 +
| IOSC_DeleteObject()
 +
| IOS_Ioctl(FD, 0x02, in_buf, 4, 0, 0);
 +
| Deletes a crypto object.
 +
|
 +
|-
 +
| 0x03
 +
| import_secret_key()
 +
| IOS_Ioctlv(FD, 0x03, 4, 0, vector);
 +
|
 +
|
 +
|-
 +
| 0x04
 +
| keyring_deallocate_entry()
 +
| IOS_Ioctlv(FD, 0x04, 1, 3, vector);
 +
|
 +
|
 +
|-
 +
| 0x05
 +
| import_pub_key()
 +
| IOS_Ioctlv(FD, 0x05, 3, 0, vector);
 +
|
 +
|
 +
|-
 +
| 0x06
 +
| export_root()
 +
| IOS_Ioctlv(FD, 0x06, 1, 3, vector);
 +
|
 +
|
 +
|-
 +
| 0x07
 +
| compute_shared_key()
 +
| IOS_Ioctl(FD, 0x07, in_buf, 0x10, 0, 0);
 +
|
 +
|
 +
|-
 +
| 0x08
 +
| set_device_id()
 +
| IOS_Ioctlv(FD, 0x08, 2, 0, vector);
 +
|
 +
|
 +
|-
 +
| 0x09
 +
| get_device_id()
 +
| IOS_Ioctlv(FD, 0x09, 1, 1, vector);
 +
|
 +
|
 +
|-
 +
| 0x0A
 +
| get_key_size()
 +
| IOS_Ioctl(FD, 0x0A, in_buf, 4, out_buf, 4);
 +
|
 +
|
 +
|-
 +
| 0x0B
 +
| get_key_userdata_size()
 +
| IOS_Ioctl(FD, 0x0B, in_buf, 4, out_buf, 4);
 +
|
 +
|
 +
|-
 +
| 0x0C
 +
| IOSC_GenerateHash() / IOSC_GenerateHashAsync();
 +
| IOS_Ioctlv(FD, 0x0C, 3, 1, vector); / IOS_IoctlvAsync(FD, 0x0C, 3, 1, vector, queueid, message);
 +
|
 +
| This function has 2 different implementations, one async and the other not.
 +
|-
 +
| 0x0D
 +
| IOSC_Encrypt() / IOSC_EncryptAsync()
 +
| IOS_Ioctlv(FD, 0x0D, 3, 1, vector); / IOS_IoctlvAsync(FD, 0x0D, 3, 1, vector, queueid, message);
 +
|
 +
| This function has 2 different implementations, one async and the other not.
 +
|-
 +
| 0x0E
 +
| IOSC_Decrypt() / IOSC_DecryptAsync()
 +
| IOS_Ioctlv(FD, 0x0E, 3, 1, vector); / IOS_IoctlvAsync(FD, 0x0E, 3, 1, vector, queueid, message);
 +
|
 +
| This function has 2 different implementations, one async and the other not.
 +
|-
 +
| 0x0F
 +
| verify_public_key_sign()
 +
| IOS_Ioctlv(FD, 0x0F, 3, 0, vector);
 +
|
 +
|
 +
|-
 +
| 0x10
 +
| hmac() / hmac_async()
 +
| IOS_Ioctlv(FD, 0x10, 4, 1, vector); / IOS_IoctlvAsync(FD, 0x10, 4, 1, vector, queueid, message);
 +
|
 +
| This function has 2 different implementations, one async and the other not.
 +
|-
 +
| 0x11
 +
| verify_cert()
 +
| IOS_Ioctlv(FD, 0x11, 2, 0, vector);
 +
|
 +
|
 +
|-
 +
| 0x12
 +
| get_device_cert()
 +
| IOS_Ioctl(FD, 0x12, 0, 0, out_buf, 0x180);
 +
|
 +
|
 +
|-
 +
| 0x13
 +
| set_title_key_ownership()
 +
| IOS_Ioctlv(FD, 0x13, 2, 0, vector);
 +
|
 +
|
 +
|-
 +
| 0x14
 +
| get_title_key_ownership()
 +
| IOS_Ioctlv(FD, 0x14, 1, 1, vector);
 +
|
 +
|
 +
|-
 +
| 0x15
 +
| IOSC_GenerateRand()
 +
| IOS_Ioctl(FD, 0x15, 0, 0, out_buf, out_size);
 +
| Generate random data of an arbitrary size.
 +
|
 +
|-
 +
| 0x16
 +
| generate_secret_key()
 +
| IOS_Ioctl(FD, 0x16, in_buf, 4, 0, 0);
 +
|
 +
|
 +
|-
 +
| 0x17
 +
| sign()
 +
| IOS_Ioctlv(FD, 0x17, 2, 1, vector);
 +
|
 +
|
 +
|-
 +
| 0x18
 +
| IOSC_GenerateCertificate()
 +
| IOS_Ioctlv(FD, 0x18, 2, 1, vector);
 +
|
 +
|
 +
|-
 +
| 0x19
 +
| Unknown
 +
| IOS_Ioctl(FD, 0x19, ???, ???, ???, ???);
 +
|
 +
| This command is not mapped by the IOS-CRYPTO process.
 +
|-
 +
| 0x1A
 +
| odm_encrypt()
 +
| IOS_Ioctlv(FD, 0x1A, 3, 2, vector);
 +
|
 +
|
 +
|-
 +
| 0x1B
 +
| odm_generate_session_key()
 +
| IOS_Ioctlv(FD, 0x1B, 3, 1, vector);
 +
|
 +
|
 +
|-
 +
| 0x1C
 +
| read_otp_bank1_word()
 +
| IOS_Ioctl(FD, 0x1C, 0, 0, out_buf, 4);
 +
| Reads the first word from OTP's bank 1.
 +
|
 +
|-
 +
| 0x1D
 +
| cryptoReadHashedBlock()
 +
| IOS_Ioctlv(FD, 0x1D, 5, 1, vector);
 +
|
 +
|
 +
|-
 +
| 0x1E
 +
| read_seeprom_data()
 +
| IOS_Ioctl(FD, 0x1E, 0, 0, out_buf, 0x60);
 +
| Reads the old Wii SEEPROM certificate data from OTP's bank 6.
 +
|
 +
|-
 +
| 0x1F
 +
| Unknown
 +
| IOS_Ioctl(FD, 0x1F, ???, ???, ???, ???);
 +
|
 +
|
 +
|-
 +
| 0x20
 +
| Unknown
 +
| IOS_Ioctlv(FD, 0x20, 3, 1, vector);
 +
|
 +
|
 +
|-
 +
| 0x21
 +
| Unknown
 +
| IOS_Ioctlv(FD, 0x21, 3, 1, vector);
 +
|
 +
|
 +
|-
 +
| 0x22
 +
| mcp_auth_unk()
 +
| IOS_Ioctl(FD, 0x22, in_buf, 4, 0, 0);
 +
|
 +
|
 +
|-
 +
| 0x23
 +
| mcp_wagon_archive_unk()
 +
| IOS_Ioctl(FD, 0x23, in_buf, 0x10, out_buf, 0x200);
 +
|
 +
|
 +
|-
 +
|}

Revision as of 18:02, 16 September 2015

/dev/crypto is the IOSU device node for the cryptographic engine. It can only be opened by the IOSU and it also provides a stripped down library (IOSC) that is implemented on most IOSU modules under the name "crypto_ios_interface". Requests are issued via ioctl()/ioctlv() commands which are then mapped to internal functions inside the IOS-CRYPTO process. This is done using different message queues, each one mapping a subset of commands in a jump table: 

0x00: Mapped by the 3rd message queue
0x01: Mapped by the 3rd message queue
0x02: Mapped by the 4th message queue
0x03: Mapped by the 4th message queue
0x04: Mapped by the 4th message queue
0x05: Mapped by the 4th message queue
0x06: Mapped by the 3rd message queue
0x07: Mapped by the 4th message queue
0x08: Mapped by the 4th message queue
0x09: Mapped by the 3rd message queue
0x0A: Mapped by the 3rd message queue
0x0B: Mapped by the 2nd message queue | Mapped by the 4th message queue (async version)
0x0C: Mapped by the 2nd message queue
0x0D: Mapped by the 2nd message queue
0x0E: Mapped by the 4th message queue
0x0F: Mapped by the 2nd message queue | Mapped by the 4th message queue (async version)
0x10: Mapped by the 4th message queue
0x11: Mapped by the 3rd message queue
0x12: Mapped by the 4th message queue
0x13: Mapped by the 4th message queue
0x14: Mapped by the 1st message queue
0x15: Mapped by the 3rd message queue
0x16: Mapped by the 4th message queue
0x17: Mapped by the 4th message queue
0x18: Not mapped
0x19: Mapped by the 2nd message queue
0x1A: Mapped by the 2nd message queue
0x1B: Mapped by the 1st message queue
0x1C: Mapped by the 2nd message queue
0x1D: Mapped by the 1st message queue
0x1E: Mapped by the 1st message queue
0x1F: Mapped by the 4th message queue
0x20: Mapped by the 4th message queue
0x21: Mapped by the 1st message queue
0x22: Mapped by the 3rd message queue

List of functions (ioctl/ioctlv)

Command Function Call Description Notes
0x01 IOSC_CreateObject() IOS_Ioctl(FD, 0x01, in_buf, 0x10, out_buf, 4); Creates a new crypto object and returns a handle for it.
0x02 IOSC_DeleteObject() IOS_Ioctl(FD, 0x02, in_buf, 4, 0, 0); Deletes a crypto object.
0x03 import_secret_key() IOS_Ioctlv(FD, 0x03, 4, 0, vector);
0x04 keyring_deallocate_entry() IOS_Ioctlv(FD, 0x04, 1, 3, vector);
0x05 import_pub_key() IOS_Ioctlv(FD, 0x05, 3, 0, vector);
0x06 export_root() IOS_Ioctlv(FD, 0x06, 1, 3, vector);
0x07 compute_shared_key() IOS_Ioctl(FD, 0x07, in_buf, 0x10, 0, 0);
0x08 set_device_id() IOS_Ioctlv(FD, 0x08, 2, 0, vector);
0x09 get_device_id() IOS_Ioctlv(FD, 0x09, 1, 1, vector);
0x0A get_key_size() IOS_Ioctl(FD, 0x0A, in_buf, 4, out_buf, 4);
0x0B get_key_userdata_size() IOS_Ioctl(FD, 0x0B, in_buf, 4, out_buf, 4);
0x0C IOSC_GenerateHash() / IOSC_GenerateHashAsync(); IOS_Ioctlv(FD, 0x0C, 3, 1, vector); / IOS_IoctlvAsync(FD, 0x0C, 3, 1, vector, queueid, message); This function has 2 different implementations, one async and the other not.
0x0D IOSC_Encrypt() / IOSC_EncryptAsync() IOS_Ioctlv(FD, 0x0D, 3, 1, vector); / IOS_IoctlvAsync(FD, 0x0D, 3, 1, vector, queueid, message); This function has 2 different implementations, one async and the other not.
0x0E IOSC_Decrypt() / IOSC_DecryptAsync() IOS_Ioctlv(FD, 0x0E, 3, 1, vector); / IOS_IoctlvAsync(FD, 0x0E, 3, 1, vector, queueid, message); This function has 2 different implementations, one async and the other not.
0x0F verify_public_key_sign() IOS_Ioctlv(FD, 0x0F, 3, 0, vector);
0x10 hmac() / hmac_async() IOS_Ioctlv(FD, 0x10, 4, 1, vector); / IOS_IoctlvAsync(FD, 0x10, 4, 1, vector, queueid, message); This function has 2 different implementations, one async and the other not.
0x11 verify_cert() IOS_Ioctlv(FD, 0x11, 2, 0, vector);
0x12 get_device_cert() IOS_Ioctl(FD, 0x12, 0, 0, out_buf, 0x180);
0x13 set_title_key_ownership() IOS_Ioctlv(FD, 0x13, 2, 0, vector);
0x14 get_title_key_ownership() IOS_Ioctlv(FD, 0x14, 1, 1, vector);
0x15 IOSC_GenerateRand() IOS_Ioctl(FD, 0x15, 0, 0, out_buf, out_size); Generate random data of an arbitrary size.
0x16 generate_secret_key() IOS_Ioctl(FD, 0x16, in_buf, 4, 0, 0);
0x17 sign() IOS_Ioctlv(FD, 0x17, 2, 1, vector);
0x18 IOSC_GenerateCertificate() IOS_Ioctlv(FD, 0x18, 2, 1, vector);
0x19 Unknown IOS_Ioctl(FD, 0x19, ???, ???, ???, ???); This command is not mapped by the IOS-CRYPTO process.
0x1A odm_encrypt() IOS_Ioctlv(FD, 0x1A, 3, 2, vector);
0x1B odm_generate_session_key() IOS_Ioctlv(FD, 0x1B, 3, 1, vector);
0x1C read_otp_bank1_word() IOS_Ioctl(FD, 0x1C, 0, 0, out_buf, 4); Reads the first word from OTP's bank 1.
0x1D cryptoReadHashedBlock() IOS_Ioctlv(FD, 0x1D, 5, 1, vector);
0x1E read_seeprom_data() IOS_Ioctl(FD, 0x1E, 0, 0, out_buf, 0x60); Reads the old Wii SEEPROM certificate data from OTP's bank 6.
0x1F Unknown IOS_Ioctl(FD, 0x1F, ???, ???, ???, ???);
0x20 Unknown IOS_Ioctlv(FD, 0x20, 3, 1, vector);
0x21 Unknown IOS_Ioctlv(FD, 0x21, 3, 1, vector);
0x22 mcp_auth_unk() IOS_Ioctl(FD, 0x22, in_buf, 4, 0, 0);
0x23 mcp_wagon_archive_unk() IOS_Ioctl(FD, 0x23, in_buf, 0x10, out_buf, 0x200);
Retrieved from "https://wiiubrew.org/w/index.php?title=/dev/crypto&oldid=1370"