Espresso boot ROM

From WiiUBrew
(Redirected from Espresso Boot ROM)
Jump to navigation Jump to search

The Espresso includes a special boot ROM that checks all software it boots. It only boots software in the form of an Ancast Image.

Initialization

The Espresso boot ROM runs from address 0x00000100 where the PPC reset vector is located. It begins by setting up SPRs, mapping memory and jumping to the main routine:

// Clear MSR, TLB and TBU
MSR = 0
TBL = 0
TBU = 0

// Set HID0_BHT, HID0_BTIC, HID0_SGE and HID0_SPD
HID0 = 0x2A4

// Set HID4_SBE
HID4 |= 0x2000000

// Set a flag in BCR when in vWii mode
if ((SCR & 0x8000000) != 0 && (SCR & 0x4000000) != 0)
    BCR = ((BCR & 0x1FFFFFFF) | 0x20000000)
   
__isync();

// Clear all DBATs/IBATs
DBAT0U = 0
DBAT1U = 0
DBAT2U = 0
DBAT3U = 0
DBAT4U = 0
DBAT5U = 0
DBAT6U = 0
DBAT7U = 0
IBAT0U = 0
IBAT1U = 0
IBAT2U = 0
IBAT3U = 0
IBAT4U = 0
IBAT5U = 0
IBAT6U = 0
IBAT7U = 0

__isync();

// Clear all SRs
SR0 = 0
SR1 = 0
SR2 = 0
SR3 = 0
SR4 = 0
SR5 = 0
SR6 = 0
SR7 = 0
SR8 = 0
SR9 = 0
SR10 = 0
SR11 = 0
SR12 = 0
SR13 = 0
SR14 = 0
SR15 = 0

__sync();

// Flush L2CR with a dummy read
L2CR = L2CR

__sync();

// Set L2CR_L2I
L2CR |= 0x200000

// Wait for L2CR_L2IP to be cleared
while ((L2CR & 0x1) != 0);

// Clear L2CR_L2I
L2CR &= 0xFFDFFFFF

// Wait for L2CR_L2IP to be cleared
while ((L2CR & 0x1) != 0);

// Set HID0_DCFI and HID0_ICFI
HID0 |= 0xC00

__isync();

// Configure DBAT0
// Physical address is 0
// Virtual address is 0
// Mapped as read only, cache inhibit, user valid and supervisor valid
DBAT0L = 0x21
DBAT0U = 0x3

__isync();

// Configure IBAT0
// Physical address is 0
// Virtual address is 0
// Mapped as read only, cache inhibit, user valid and supervisor valid
IBAT0L = 0x21
IBAT0U = 0x3

__isync();

// Configure DBAT1
// Physical address is 0xC320000
// Virtual address is 0xC320000
// Mapped as read only, cache inhibit, user valid and supervisor valid
DBAT1L = 0xC320021
DBAT1U = 0xC320003

__isync();

// Configure DBAT2
// Physical address is 0xE0000000
// Virtual address is 0xE0000000
// Mapped as read write, user valid and supervisor valid
DBAT2L = 0xE0000002
DBAT2U = 0xE0000003

__isync();

// Configure DBAT4
// Physical address is 0x16C0000
// Virtual address is 0x20000
// Mapped as read write, user valid and supervisor valid
DBAT4L = 0x16C0002
DBAT4U = 0x20003

__isync();

// Configure IBAT4
// Physical address is 0x16C0000
// Virtual address is 0x20000
// Mapped as read write, user valid and supervisor valid
IBAT0L = 0x16C0002
IBAT0U = 0x20003

__isync();

// Clear DBAT6
DBAT6L = 0
DBAT6U = 0

__isync();

// Configure DBAT7
// Physical address is 0x16E0000
// Virtual address is 0xC16E0000
// Mapped as read write, guarded, cache inhibit, user valid and supervisor valid
DBAT7L = 0x16E002A
DBAT7U = 0xC16E0003

__isync();

// Set MSR_DR and MSR_IR
MSR |= 0x30

__isync();

// Clear L2CR_L2TS, L2CR_L2I, L2CR_L2DO and set L2CR_L2E
L2CR = ((L2CR | 0x80000000) & 0xFF9BFFFF)

// Set HID0_ICE and HID0_DCE
HID0 |= 0xC000

// Set HID2_LCE
HID2 |= 0x10000000

u32 index = 0xE0000000;
u32 size = 0x200;

// Set to zero data cache for the 0xE0000000 region
while (size > 0)
{
    __dcbzl(0, index);
    index += 0x20;
    size -= 0x1;
}

// Configure DBAT5
// Physical address is 0
// Virtual address is 0xF0000000
// Mapped as read write, user valid and supervisor valid
DBAT5L = 0x2
DBAT5U = 0xF0000003

__isync();

index = 0xF0000100;
size = 0x7;

// Test cache flushing
while (size > 0)
{
    *(u32 *)index = 0x48000000;
    
    __dcbf(0, index);
    __isync();
    __sync();
    
    if (*(u32 *)index != 0x48000000)
    {
        // Deadlock
        sub_E0();
    }
        
    index += 0x100;
    size -= 0x1;
}

// Clear DBAT5
DBAT5L = 0
DBAT5U = 0

__isync();

SRR0 = 0x758
SRR1 = MSR

// Set LR to a deadlock
LR = sub_E0

// Execution will jump to 0x758
return;

Main

This is the main function of the Espresso boot ROM. It is located at address 0x00000758 (where the initialization routine jumps to) and is responsible for initializing registers and memory, processing the PPC ancast image and running it.

*(u32 *)0xC16FFFFC = 0;
*(u32 *)0xC16FFFF8 = 0;
*(u32 *)0xC16FFFF4 = 0;
*(u32 *)0xC16FFFF0 = 0;

// Clear all GPRs and set the TOC and SDA addresses
InitializeRegisters();

// Initialize and map virtual memory
InitializeMemory();

// Load, verify and decrypt the ancast image
u32 entry_addr = LoadImg();

// Cleanup and jump to the loaded image
Finish(entry_addr);

// Execution will jump to a deadlock
return;

InitializeMemory

The Espresso boot ROM copies and clears several memory regions.

// Copy memory regions:
// Source address 0xB0C, destination address 0x20000, size 0x2D58
// Source address 0x3864, destination address 0xE0000000, size 0x6A0
// Source address 0x3F04, destination address 0xE00006A0, size 0xD0
// Source address 0x3FD4, destination address 0xE0000780, size 0xC
for (int i = 0; mem_copy_array[i].size > 0; i++)
{
    u32 src_addr = mem_copy_array[i].src_addr;
    u32 dst_addr = mem_copy_array[i].dst_addr;
    u32 size = mem_copy_array[i].size;

    if (src_addr != dst_addr)
    {
        memcpy(dst_addr, src_addr, size);
        
        if (dst_addr == 0x20000)
        {
            // Set to zero data cache for the 0x24000 region
            sub_5A4();
            
            // Invalidate instruction cache for the given range
            sub_604(dst_addr, size);
            
            if (size)
            {
                if (memcmp(dst_addr, src_addr, size))
                {
                    *(u32 *)0xC16FFFFC = 0x1000000;
                    while (1);
                }
            }
        }
    }
}

// Clear memory regions:
// Address 0xE00007A0, size 0x18
// Address 0xE00007C0, size 0x2E4
for (int i = 0; mem_clear_array[i].size > 0; i++)
{
    memset(mem_clear_array[i].addr, 0, mem_clear_array[i].size);
}

return;

LoadImg

The Espresso boot ROM loads, verifies and decrypts the PPC ancast image.

u8 aes_key[0x10] = {0};
u32 aes_key_addr = 0;
u32 ecdsa_key_addr = 0;
u32 img_addr = 0;
u32 img_state = 0;
ImgHeader img_header;
u8 img_hash[0x14] = {0};
u32 is_evaluation = 0;
u32 time_fw_verify_start = 0;
u32 time_fw_verify_end = 0;
u32 time_fw_decrypt_start = 0;
u32 time_fw_decrypt_end = 0;

// Does nothing, just returns
sub_784();

// Check if SCR bits 30 and 31 are set
if ((GetSCR() & 0xF0000000) == 0xC0000000)
{
    // Set an error if bit 26 is not set
    if ((GetSCR() & 0x2000000) == 0)
    {
      SetState(0x11000000);
      
      // Deadlock
      sub_20000();
    }
    
    // Use a secret static key
    memcpy(aes_key, aes_static_key, 0x10);
    aes_key_addr = &aes_key;
    
    SetImgState(0x80);
    
    // Use production ECDSA key
    ecdsa_key_addr = &ecdsa_prod_key;
    
    SetImgState(0x20000);
}
else
{
    // Read the fuse type from eFuses
    u32 fuse_type = *(u32 *)(efuse_addr + 0x3C);
    
    // Set SCR bit 28
    SetSCR(GetSCR() | 0x10000000);
    
    if ((fuse_type & 0x4000000) != 0)
    {
        if (IsVWii())
        {
            // Copy the vWii AES key from eFuses
            memcpy(aes_key, efuse_addr + 0x10, 0x10);
            
            SetImgState(2);
        }
        else
        {
            // Copy the WiiU AES key from eFuses
            memcpy(aes_key, efuse_addr, 0x10);
            
            SetImgState(1);
        }
        
        aes_key_addr = &aes_key;
        
        // Read the fuse type from eFuses
        fuse_type = *(u32 *)(efuse_addr + 0x3C);
        
        if ((fuse_type & 0x18000000) == 0x8000000)
        {
            // Use development ECDSA key
            ecdsa_key_addr = &ecdsa_dev_key;
            
            SetImgState(0x10000);
        }
        else if ((fuse_type & 0x18000000) == 0x10000000)
        {
            // Use production ECDSA key
            ecdsa_key_addr = &ecdsa_prod_key;
            
            SetImgState(0x20000);
        }
        else
        {
            SetState(0x12000000);
      
            // Deadlock
            sub_20000();
        }
    }
    else
    {
        aes_key_addr = 0;
        ecdsa_key_addr = 0;
        is_evaluation = 1;
    }
}

if (IsVWii())
{
    img_addr = 0x1330000;
    
    if ((GetHID1() & 0x8000000) != 0)
        SetImgState(0x400);
    else
        SetImgState(0x200);
}
else
{
    img_addr = 0x8000000;
    
    SetImgState(0x100);
}
  
if (aes_key_addr)
{    
    // Get the current time
    time_fw_verify_start = GetTB();
    
    // Load the ancast image over DMA
    DmaLoad(dma_addr, img_addr, 0);
    DmaBarrier(0);

    // Copy the ancast header
    memcpy(&img_header, dma_addr, 0x100);
    
    // Verify the ancast header's ECDSA signature
    if (!EcdsaVerify(ecdsa_key_addr, (u8 *)&img_header.reserved4, 0x60, img_header.signature))
    {
        SetState(0x21000000);
        
        // Deadlock
        sub_20000();
    }
    
    // Ensure 2 bytes at offset 0xA0 are set to 0
    if (img_header.reserved4 != 0)
    {
        SetState(0x22000000);
        
        // Deadlock
        sub_20000();
    }
    
    // Ensure bytes at offsets 0xA2 and 0xA3 are set to 0
    if ((img_header.reserved5 != 0) || (img_header.reserved6 != 0))
    {
        SetState(0x23000000);
        
        // Deadlock
        sub_20000();
    }
    
    // Ensure 0x3C bytes at offset 0xC4 are set to 0
    for (int i = 0; i < 0x3C; i++)
    {
        if (img_header.reserved7[i] != 0)
        {
            SetState(0x24000000);
        
            // Deadlock
            sub_20000();
        }
    }
    
    if ((img_state & 0xFF) == 0x80)
    {
        if (img_header.targetDevice != 0x14)
        {
            SetState(0x29000000);
        
            // Deadlock
            sub_20000();
        }
    }
    else
    {
        if (img_header.targetDevice == 0x11)
        {
            if ((img_state & 0xFF00) != 0x100)
            {
                SetState(0x25000000);
        
                // Deadlock
                sub_20000();
            }
        }
        else if (img_header.targetDevice == 0x12)
        {
            if ((img_state & 0xFF00) != 0x400)
            {
                SetState(0x25000000);
        
                // Deadlock
                sub_20000();
            }
        }
        else if (img_header.targetDevice == 0x13)
        {
            if ((img_state & 0xFF00) != 0x200)
            {
                SetState(0x25000000);
        
                // Deadlock
                sub_20000();
            }
        }
        else
        {
            SetState(0x25000000);
        
            // Deadlock
            sub_20000();
        }
    }
    
    if (img_header.consoleType == 1)
    {
        if ((img_state & 0xFF0000) != 0x10000)
        {
            SetState(0x26000000);
    
            // Deadlock
            sub_20000();
        }
    }
    else if (img_header.consoleType == 2)
    {
        
        if ((img_state & 0xFF0000) != 0x20000)
        {
            SetState(0x26000000);
    
            // Deadlock
            sub_20000();
        }
    }
    else
    {
        SetState(0x26000000);

        // Deadlock
        sub_20000();
    }
    
    u32 img_blk_count = (img_header.imgSize >> 0xC);
    
    if (!img_blk_count)
    {
        SetState(0x27000000);

        // Deadlock
        sub_20000();
    }
    else
    {
        u32 img_offset = img_addr + 0x100;
        
        // Initialize the SHA1 context
        Sha1Init(&sha1_ctx);
        
        // Load the ancast image and update the SHA1 context
        for (int i = 0; i < img_blk_count; i++)
        {
            DmaLoad(dma_addr + ((i << 12) & 0x1000), img_offset, 0);
            Sha1Update(&sha1_ctx, dma_addr + ((i << 12) & 0x1000), 0x1000);
            DmaBarrier(0);
            img_offset += 0x1000;
        }
        
        // Calculate the ancast image's hash
        Sha1Final(&sha1_ctx, img_hash);
        
        // Compare the calculated hash with the expected one
        if (memcmp(img_header.imgHash, img_hash, 0x14))
        {
            SetState(0x28000000);

            // Deadlock
            sub_20000();
        }
        else
        {
            // Get the current time
            time_fw_verify_end = GetTB(); 
            
            // Save the time spent verifying the image
            *(u32 *)0xC16FFFF8 = time_fw_verify_end - time_fw_verify_start;
            
            if (!img_blk_count)
            {
                // Deadlock
                sub_20000();
            }
            else
            {
                // Get the current time
                time_fw_decrypt_start = GetTB();
                
                // Initialize the AES context
                AesCtxIni(&aes_ctx, aes_key_addr, 0x10, aes_iv, 0);
                
                img_offset = img_addr + 0x100;
                
                // Load, decrypt and store the ancast image
                for (int i = 0; i < img_blk_count; i++)
                {
                    DmaLoad(dma_addr + ((i << 12) & 0x1000), img_offset, 0);
                    AesDecrypt(&aes_ctx, dma_addr + ((i << 12) & 0x1000), 0x1000, dma_addr + ((i << 12) & 0x1000));
                    DmaStore(img_offset, dma_addr + ((i << 12) & 0x1000), 0);
                    DmaBarrier(0);
                    img_offset += 0x1000;
                }
                
                // Does nothing, just returns
                sub_20950();
                
                // Get the current time
                time_fw_decrypt_end = GetTB(); 
                
                // Save the time spent decrypting the image
                *(u32 *)0xC16FFFF4 = time_fw_decrypt_end - time_fw_decrypt_start;
            }
        }
    }
}

return img_addr + 0x100;

Finish

The Espresso boot ROM cleans up and jumps to the entrypoint address returned by LoadImg minus 4 bytes.

// Load state from MSR
u32 state = MSR

if (!is_evaluation)
    SCR &= 0xCFFFFFFF

// Clear 0x20000 region
memset(0x20000, 0, 0x4000);

// Set to zero data cache for the 0x24000 region
sub_5A4();

// Clear 0xE0000000 region
memset(0xE0000000, 0, 0x4000);

// Invalidate cache for the 0xE0000000 region and clear HID2_LCE
sub_638();

// Clear DBAT1, DBAT2, DBAT4 and IBAT4
sub_660();

if (!IsVWii())
{
    // Configure DBAT3 and IBAT3 for WiiU mode
    // Physical address is 0x8000000
    // Virtual address is 0x8000000
    // Mapped as read only, user valid, supervisor valid and block size is 2MB
    sub_788();
    
    if (entry_addr != 0x8000100)
    {
        *(u32 *)0xC16FFFFC |= 0x31000000;
        while (1);
    }
    else
        state |= 0x40;
}
else
{
    // Configure DBAT3 and IBAT3 for vWii mode
    // Physical address is 0x1000000
    // Virtual address is 0x1000000
    // Mapped as read only, user valid, supervisor valid and block size is 8MB
    sub_7B4();
    
    if (entry_addr != 0x1330100)
    {
        *(u32 *)0xC16FFFFC |= 0x31000000;
        while (1);
    }
}

// Store TB
*(u32 *)0xC16FFFF0 = TB

// Clear TBL and TBU
sub_1E8();

// Clear L2CR_L2TS and do a global invalidate
sub_69C();

// Clear HID0_DCE and HID0_ICE
HID0 &= 0xFFFF3FFF

__isync();

// Set L2CR_L2E and clear L2CR_L2I 
sub_7E0();

// Set HID0_DCE and HID0_ICE
HID0 |= 0xFFFF3FFF

__isync();

// Set HID0_DCFI and HID0_ICFI  
HID0 |= 0xC00

__isync();
__sync();
  
// Write the bootrom disable instruction and flush the cache  
u32 index = ((entry_addr - 0x4) & 0xFFFFFFE0);
*(u32 *)(entry_addr - 0x4) = 0x7C73EBA6;
  
__dcbf(0, index);
__isync();
__sync();
  
if (*(u32 *)(entry_addr - 0x4) != 0x7C73EBA6)
{
    *(u32 *)0xC16FFFFC |= 0x31000000;
    while (1);
}
    
*(u32 *)0xC16FFFFC |= 0x80000000;

SRR0 = (entry_addr - 0x4)
SRR1 = state

// Copy SCR to R3 as it will be used by the bootrom disable instruction
R3 = ((SCR | 0x80000000) & 0xBFFFFFFF)

// Execution will jump to entry_addr - 4
return;

BootInfo

This is a structure mapped by the Espresso boot ROM to address 0xC16FFFF0.

Offset Size Description
0x0 0x4 BootMainTime
0x4 0x4 BootDecryptTime
0x8 0x4 BootVerifyTime
0xC 0x4 BootState