Initial commit

Author: plutoo

amiibo_crypto.c

@@ -0,0 +1,202 @@
+// Amiibo crypto
+// -- plutoo 2015
+
+#include <openssl/hmac.h>
+#include <openssl/sha.h>
+#include <openssl/aes.h>
+#include <string.h>
+
+typedef unsigned long long int u64;
+typedef unsigned int  uint;
+typedef unsigned char u8;
+
+#define DEBUG_KEYS
+
+u8 random_key[16] = {
+    0xC1, /* Censored. */
+};
+
+u8 random_iv[16] = {
+    0x4F, /* Censored. */
+};
+
+u8 amiibo_constant0[14] = {
+#ifdef DEBUG_KEYS
+    0xDB, /* Censored. */
+#else
+    0x52, /* Censored. */
+#endif
+};
+
+u8 amiibo_constant1[16] = {
+#ifdef DEBUG_KEYS
+    0xFD, /* Censored. */
+#else
+    0x4C, /* Censored. */
+#endif
+};
+
+u8 hmac_key0[16] = {
+#ifdef DEBUG_KEYS
+    0x1D, /* Censored. */
+#else
+    0xED, /* Censored. */
+#endif
+};
+
+u8 hmac_key1[16] = {
+#ifdef DEBUG_KEYS
+    0x7F, /* Censored. */
+#else
+    0x83, /* Censored. */
+#endif
+};
+
+u8 type_string0[] = "unfixed infos\x00";
+u8 type_string1[] = "locked secret\x00";
+
+
+void sha256_hmac(u8* key, uint keylen, u8* in, uint inlen, u8* out) {
+    HMAC_CTX ctx, *c=&ctx;
+    uint outlen = 0x20;
+    HMAC_CTX_init(c);
+    HMAC_Init(c, key, keylen, EVP_sha256());
+    HMAC_Update(c, in, inlen);
+    HMAC_Final(c, out, &outlen);
+    HMAC_CTX_cleanup(c);
+}
+
+void sha256(u8* in, uint inlen, u8* out) {
+    SHA256_CTX ctx;
+    SHA256_Init(&ctx);
+    SHA256_Update(&ctx, in, inlen);
+    SHA256_Final(out, &ctx);
+}
+
+void aes128(u8* key, u8* in, u8* out) {
+    u8 iv[16];
+    AES_KEY aes_key;
+    memset(iv, 0, 16);
+    AES_set_encrypt_key(key, 128, &aes_key);
+    AES_cbc_encrypt(in, out, 16, &aes_key, iv, AES_ENCRYPT);
+}
+
+void aes128_ctr(u8* key, u8* iv, u8* in_out, uint len) {
+    u8 buf[16], out[16];
+    memcpy(buf, iv, 16);
+
+    uint i;
+    for(i=0; i<len/16; i++) {
+        aes128(key, buf, out);
+
+        uint j;
+        for(j=0; j<16; j++)
+            in_out[i*16 + j] ^= out[j];
+
+        for(j=0; j<16; j++) {
+            uint old = buf[15-j] + 1;
+            buf[15-j] = old;
+            if(old < 0x100)
+                break;
+        }
+    }
+}
+
+void amiibo_hmac_scramble(u8* hmac_key, u8* type_str/*len=0xE*/, u8* seeds/*len=0x40*/, u8* out) {
+    u8 data[0x50];
+    memcpy(data+2,    type_str, 14);
+    memcpy(data+2+14, seeds, 0x40);
+    data[0] = 0; data[1] = 0;
+    sha256_hmac(hmac_key, 0x10, data, 0x50, out);
+    data[0] = 0; data[1] = 1;
+    sha256_hmac(hmac_key, 0x10, data, 0x50, out+0x20);
+}
+
+void generate_seeds1(int type, u8* seed1/*len=0x10 or 8*/, u8* randomseed, u8* out/*len=0x40*/) {
+    memcpy(out, amiibo_constant1, 16);
+    if(type == 0)
+        memcpy(out+16, seed1, 16);
+    else {
+        memcpy(out+16,   seed1, 8);
+        memcpy(out+16+8, seed1, 8);
+    }
+    memcpy(out+32, randomseed, 32);
+}
+
+void generate_seeds0(int type, u8* seed0/*len=2*/, u8* seed1, u8* randomseed, u8* out/*len=0x40*/) {
+    memcpy(out, seed0, 2);
+    memcpy(out+2, amiibo_constant0, 14);
+    if(type == 0)
+        memcpy(out+16, seed1, 16);
+    else {
+        memcpy(out+16,   seed1, 8);
+        memcpy(out+16+8, seed1, 8);
+    }
+    memcpy(out+32, randomseed, 32);
+}
+
+void hexdump(u8* a, uint len) {
+    uint i;
+    for(i=0; i<len; i++) {
+        printf("%02x", a[i]);
+        if(((i+1) % 16) == 0)
+            printf("\n");
+    }
+}
+
+void encrypt_zeroes(u8* key, u8* iv) {
+    u8 out[16];
+    memset(out, 0, 0x10);
+    aes128_ctr(key, iv, out, 16);
+    hexdump(out, 0x10);
+}
+
+int main() {
+    u8 randomseed[0x20];
+    u8 seed0[2];
+    u8 seed1[0x10]; // For type2, this is 8-bytes.
+
+    memset(randomseed, 0, 0x20);
+    memset(seed0, 0, 2);
+    memset(seed1, 0, 0x10);
+
+    #define TYPE 2
+    aes128_ctr(random_key, random_iv, randomseed, 0x20);
+    //hexdump(randomseed, 0x20);
+
+    u8 seeds[0x40];
+    u8 hmac[0x20];
+    generate_seeds0(TYPE, seed0, seed1, randomseed, seeds);
+    amiibo_hmac_scramble(hmac_key0, type_string0, seeds, hmac);
+
+    printf("Per-key0:      ");
+    hexdump(hmac, 0x10);
+    printf("Per-iv0:       ");
+    hexdump(hmac+0x10, 0x10);
+    printf("(Zeroes:)      ");
+    encrypt_zeroes(hmac, hmac+0x10);
+    printf("Per-hmac-key0: ");
+    hexdump(hmac+0x20, 0x10);
+
+    generate_seeds1(TYPE, seed1, randomseed, seeds);
+    amiibo_hmac_scramble(hmac_key1, type_string1, seeds, hmac);
+    
+    printf("Per-key1:      ");
+    hexdump(hmac, 0x10);
+    printf("Per-iv1:       ");
+    hexdump(hmac+0x10, 0x10);
+    printf("(Zeroes:)      ");
+    encrypt_zeroes(hmac, hmac+0x10);
+    printf("Per-hmac-key1: ");
+    hexdump(hmac+0x20, 0x10);
+
+    return 0;
+}
+
+// __ Keychunk: __
+// type_str = "unfixed infos" (flag != 0)
+// type_str = "locked secret" (flag == 0)
+// offset 0x0E size 0x0E    (amiibo_constant flag != 0)
+// offset 0x1C size 0x10    (hmac-key flag != 0)
+// offset 0x3A size 0x10    (amiibo_constant flag == 0)
+// offset 0x4A size 0x10    (hmac-key flag == 0)

common.py

@@ -0,0 +1,53 @@
+import urllib
+import sys
+import os
+import struct
+from Crypto.Cipher import AES
+import hashlib
+
+def be32(s):
+    return struct.unpack('>I', s)[0]
+def be16(s):
+    return struct.unpack('>H', s)[0]
+
+def get_key(name):
+    try:
+        return open(os.environ['WIIU']+'/keys/'+name,'rb').read()
+    except:
+        print 'Key \'%s\' not found..' % name
+        print 'You need to set WIIU environment variable.'
+        sys.exit(1)
+
+def aes_cbc_dec_file(inf, outf, key, iv, offset=0):
+    in_file = open(inf, 'rb')
+    out_file = open(outf, 'wb')
+
+    in_file.seek(offset)
+
+    while True:
+        cipher = AES.new(key, AES.MODE_CBC, iv)
+
+        enc = in_file.read(16)
+        if len(enc) == 0:
+            break
+        if len(enc) < 16:
+            break
+
+        dec = cipher.decrypt(enc)
+        out_file.write(dec)
+
+        iv = enc
+
+    in_file.close()
+    out_file.close()
+
+def aes_cbc_dec(inb, key, iv='\x00'*16):
+    return AES.new(key, AES.MODE_CBC, iv).decrypt(inb)
+
+def aes_cbc_enc(inb, key, iv='\x00'*16):
+    return AES.new(key, AES.MODE_CBC, iv).encrypt(inb)
+
+def sha1(buf):
+    m = hashlib.sha1()
+    m.update(buf)
+    return m.digest()

dec_ancast.py

@@ -0,0 +1,75 @@
+#!/usr/bin/python2
+# dec_ancast.py -- Decrypt Wii U ancast images
+# plutoo, nwert
+
+import sys
+import struct
+from common import *
+import hashlib
+
+def rsa_verify(sig, hdr, N):
+    e = 0x10001
+    sig = int(sig.encode("hex"), 16)
+    p = "{0:X}".format(pow(sig, rsa_e, N))
+    p = ("0" if len(p)%2 else "") + p
+    p = p.decode("hex")
+    return p[0xEB:] == hashlib.sha1(hdr).digest()
+
+if len(sys.argv) != 2:
+    print '%s file.img' % sys.argv[0]
+    sys.exit(1)
+
+in_file  = sys.argv[1]
+out_file = in_file + '.bin'
+
+header = open(in_file, 'rb').read(0x200)
+
+magic = be32(header[0:4])
+if magic != 0xEFA282D9:
+    print 'Bad magic!'
+    sys.exit(1)
+
+sig_type = be32(header[0x20:0x24])
+
+if sig_type == 1:
+    offset = 0x100
+elif sig_type == 2:
+    offset = 0x200
+else:
+    print 'Unknown signature type %x..' % sig_type
+    sys.exit(1)
+
+types = {0x11: 'ppc_wiiu', 0x13: 'ppc_vwii', 0x21: 'arm'}
+type_raw = be32(header[offset-0x5C:offset-0x58])
+
+if type_raw not in types:
+    print 'Unknown type %x..' % type
+    sys.exit(1)
+
+type = types[type_raw]
+if type == 'arm':
+    if be32(header[offset-0x54:offset-0x50]) in [0xE000, 0xC000]:
+        type += '_boot1'
+    else:
+        type += '_iosu'
+
+btypes = {1: 'debug', 2: 'retail'}
+btype_raw = be32(header[offset-0x58:offset-0x54])
+type += '_'+btypes[btype_raw]
+
+print 'Type:', type
+
+#print "Signature verified:", rsa_verify(header[0x24:0x124], header[0x1A0:0x200], Ns[btype])
+
+key  = get_key('ancast_%s_key' % type)
+iv   = get_key('ancast_%s_iv'  % type)
+
+aes_cbc_dec_file(in_file, out_file, key, iv, offset)
+
+out      = open(out_file, 'rb').read()
+elf_pos  = out.find('\x7FELF')
+
+if elf_pos != -1:
+    elf_file = in_file + '.elf'
+    elf      = open(elf_file, 'wb')
+    elf.write(out[elf_pos:])