Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
CTCaer
GitHub Repository: CTCaer/hekate
 Path: blob/master/bootloader/hos/pkg1.c
3693 views
1
/*

2
 * Copyright (c) 2018 naehrwert

3
 * Copyright (c) 2018 st4rk

4
 * Copyright (c) 2018-2026 CTCaer

5
 * Copyright (c) 2018 balika011

6
 *

7
 * This program is free software; you can redistribute it and/or modify it

8
 * under the terms and conditions of the GNU General Public License,

9
 * version 2, as published by the Free Software Foundation.

10
 *

11
 * This program is distributed in the hope it will be useful, but WITHOUT

12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for

14
 * more details.

15
 *

16
 * You should have received a copy of the GNU General Public License

17
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.

18
 */

19


20
#include <string.h>

21
#include <stdlib.h>

22


23
#include <bdk.h>

24


25
#include "hos.h"

26
#include "pkg1.h"

27
#include "../config.h"

28
#include <libs/compr/lz4.h>

29


30
// Secmon package2 signature/hash checks patches for Erista.

31
#define SM_100_ADR 0x4002B020 // Original: 0x40014020.

32
PATCHSET_DEF(_secmon_1_patchset,

33
	// Patch the relocator to be able to run from SM_100_ADR.

34
	{ 0x1E0, _ADRP(0, TZRAM_BASE + 0x3000 - _PAGEOFF(SM_100_ADR)) },

35
	// Patch package2 signature/hash checks.

36
	{ 0x9F0 + 0xADC, _NOP() }

37
);

38


39
PATCHSET_DEF(_secmon_2_patchset,

40
	// Patch package2 signature/hash checks.

41
	{ 0xAC8 + 0xAAC, _NOP() }

42
);

43


44
PATCHSET_DEF(_secmon_3_patchset,

45
	// Patch package2 signature/hash checks.

46
	{ 0xAC8 + 0xA30, _NOP() }

47
);

48


49
PATCHSET_DEF(_secmon_4_patchset,

50
	// Patch package2 signature/hash checks.

51
	{ 0x2300 + 0x5EFC, _NOP() }

52
);

53


54
PATCHSET_DEF(_secmon_5_patchset,

55
	// Patch package2 signature/hash checks.

56
	{ 0xDA8 + 0xC9C, _NOP() }

57
);

58


59
PATCHSET_DEF(_secmon_6_patchset,

60
	// Patch package2 signature/hash checks.

61
	{ 0xDC8 + 0xE90, _NOP() }

62
	// Fix sleep mode for debug.

63
	// { 0x1A68 + 0x3854, 0x94000E45 }, //gpio_config_for_uart.

64
	// { 0x1A68 + 0x3858, 0x97FFFC0F }, //clkrst_reboot_uarta.

65
	// { 0x1A68 + 0x385C, 0x52A00021 }, //MOV W1, #0x10000 ; baudrate.

66
	// { 0x1A68 + 0x3860, 0x2A1F03E0 }, //MOV W0, WZR ; uart_port -> A.

67
	// { 0x1A68 + 0x3864, 0x72984001 }, //MOVK W1, #0xC200 ; baudrate.

68
	// { 0x1A68 + 0x3868, 0x94000C8C }, //uart_configure.

69
	// { 0x1A68 + 0x3A6C, _NOP() }      // warmboot UARTA cfg.

70
);

71


72
PATCHSET_DEF(_secmon_62_patchset,

73
	// Patch package2 signature/hash checks.

74
	{ 0xDC8 + 0xC74, _NOP() }

75
	// Fix sleep mode for debug.

76
	// { 0x2AC8 + 0x3854, 0x94000F42 }, //gpio_config_for_uart.

77
	// { 0x2AC8 + 0x3858, 0x97FFFC0F }, //clkrst_reboot_uarta.

78
	// { 0x2AC8 + 0x385C, 0x52A00021 }, //MOV W1, #0x10000 ; baudrate.

79
	// { 0x2AC8 + 0x3860, 0x2A1F03E0 }, //MOV W0, WZR ; uart_port -> A.

80
	// { 0x2AC8 + 0x3864, 0x72984001 }, //MOVK W1, #0xC200 ; baudrate.

81
	// { 0x2AC8 + 0x3868, 0x94000D89 }, //uart_configure.

82
	// { 0x2AC8 + 0x3A6C, _NOP() }      // warmboot UARTA cfg.

83
);

84


85
// Secmon patches for Mariko.

86
#define TZRAM_PROG_ADDR               (TZRAM_BASE + 0x800)

87
#define TZRAM_COMPR_PROG_OFF          0xE04

88
#define TZRAM_PROG_PK2_SIG_PATCH      (TZRAM_PROG_ADDR + 0xC10)

89
#define TZRAM_PROG_PK2_SIG_PATCH_1000 (TZRAM_PROG_ADDR + 0xD70)

90
PATCHSET_DEF(_secmon_6_mariko_patchset,

91
	// Patch package2 decryption and signature/hash checks.

92
	{ 0xDC8 + 0xE94, _NOP() }

93
);

94


95
PATCHSET_DEF(_secmon_620_mariko_patchset,

96
	// Patch package2 decryption and signature/hash checks.

97
	{ 0xDC8 + 0xC78, _NOP() }

98
);

99


100
// From 7.0.0 and above secmon is compressed.

101
PATCHSET_DEF(_secmon_7_mariko_patchset,

102
	// Patch out decompression of program payload.

103
	{ 0x82C, _NOP() }

104
);

105


106
const u16 _secmon_mariko_prog_comp_size[] = {

107
	0x6B03, // 7.0.0.  Patch offset: 0xC10.

108
	0x6B16, // 7.0.1.  Patch offset: 0xC10.

109
	0x6B23, // 8.0.0.  Patch offset: 0xC10.

110
	0x6B84, // 8.1.0.  Patch offset: 0xC10.

111
	0x6C90, // 9.0.0.  Patch offset: 0xC10.

112
	0x6CE5, // 9.1.0.  Patch offset: 0xC10.

113
	0x6EE9, // 10.0.0. Patch offset: 0xD70.

114
};

115


116
// Erista fuse check warmboot patches.

117
#define _NOPv7() 0xE320F000

118
PATCHSET_DEF(_warmboot_1_patchset,

119
	{ 0x4DC, _NOPv7() } // Fuse check.

120
);

121


122
PATCHSET_DEF(_warmboot_3_patchset,

123
	{ 0x4DC, _NOPv7() }, // Fuse check.

124
	{ 0x4F0, _NOPv7() }  // Segment id check.

125
);

126


127
PATCHSET_DEF(_warmboot_4_patchset,

128
	{ 0x544, _NOPv7() }, // Fuse check.

129
	{ 0x558, _NOPv7() }  // Segment id check.

130
);

131


132
/*

133
 * package1.1 header: <wb, ldr, sm>

134
 * package1.1 layout:

135
 * 1.0:  {sm, ldr, wb} { 2, 1, 0 }

136
 * 2.0+: {wb, ldr, sm} { 0, 1, 2 }

137
 * 4.0+: {ldr, sm, wb} { 1, 2, 0 }

138
 */

139


140
static const u8 sec_map_100[3] = { PK11_SECTION_SM, PK11_SECTION_LD, PK11_SECTION_WB };

141
static const u8 sec_map_2xx[3] = { PK11_SECTION_WB, PK11_SECTION_LD, PK11_SECTION_SM };

142
static const u8 sec_map_4xx[3] = { PK11_SECTION_LD, PK11_SECTION_SM, PK11_SECTION_WB };

143


144
	// Timestamp  MK  FU   TSEC    PK11     SECMON     Warmboot

145
static const pkg1_id_t _pkg1_ids[] = {

146
	{ "20161121",  0,  1, 0x1900, 0x3FE0, SM_100_ADR, 0x8000D000, _secmon_1_patchset }, // 1.0.0 (Patched relocator).

147
	{ "20170210",  0,  2, 0x1900, 0x3FE0, 0x4002D000, 0x8000D000, _secmon_2_patchset }, // 2.0.0 - 2.3.0.

148
	{ "20170519",  1,  3, 0x1A00, 0x3FE0, 0x4002D000, 0x8000D000, _secmon_3_patchset }, // 3.0.0.

149
	{ "20170710",  2,  4, 0x1A00, 0x3FE0, 0x4002D000, 0x8000D000, _secmon_3_patchset }, // 3.0.1 - 3.0.2.

150
	{ "20170921",  3,  5, 0x1800, 0x3FE0, 0x4002B000, 0x4003B000, _secmon_4_patchset }, // 4.0.0 - 4.1.0.

151
	{ "20180220",  4,  6, 0x1900, 0x3FE0, 0x4002B000, 0x4003B000, _secmon_5_patchset }, // 5.0.0 - 5.1.0.

152
	{ "20180802",  5,  7, 0x1900, 0x3FE0, 0x4002B000, 0x4003D800, _secmon_6_patchset }, // 6.0.0 - 6.1.0.

153
	{ "20181107",  6,  8, 0x0E00, 0x6FE0, 0x4002B000, 0x4003D800, _secmon_62_patchset}, // 6.2.0.

154
	{ "20181218",  7,  9, 0x0F00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, //  7.0.0.

155
	{ "20190208",  7,  9, 0x0F00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, //  7.0.1.

156
	{ "20190314",  7,  9, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, //  8.0.0 - 8.0.1.

157
	{ "20190531",  8, 10, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, //  8.1.0 - 8.1.1.

158
	{ "20190809",  9, 11, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, //  9.0.0 - 9.0.1.

159
	{ "20191021", 10, 12, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, //  9.1.0 - 9.2.0.

160
	{ "20200303", 10, 13, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 10.0.0 - 10.2.0.

161
	{ "20201030", 10, 14, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 11.0.0 - 11.0.1.

162
	{ "20210129", 10, 14, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 12.0.0 - 12.0.1.

163
	{ "20210422", 10, 15, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 12.0.2 - 12.0.3.

164
	{ "20210607", 11, 15, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 12.1.0.

165
	{ "20210805", 12, 15, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 13.0.0 - 13.2.0.

166
	{ "20220105", 12, 16, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 13.2.1.

167
	{ "20220209", 13, 16, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 14.0.0 - 14.1.2.

168
	{ "20220801", 14, 17, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 15.0.0 - 15.0.1.

169
	{ "20230111", 15, 18, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 16.0.0 - 16.1.0.

170
	{ "20230906", 16, 19, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 17.0.0 - 17.0.1.

171
	{ "20240207", 17, 19, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 18.0.0 - 18.1.0.

172
	{ "20240808", 18, 20, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 19.0.0 - 19.0.1.

173
	{ "20250206", 19, 21, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 20.0.0 - 20.5.0.

174
	{ "20251009", 20, 22, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 21.0.0 - 21.2.0.

175
	{ "20260123", 21, 23, 0x0E00, 0x6FE0, 0x40030000, 0x4003E000, NULL }, // 22.0.0+

176
};

177


178
const pkg1_id_t *pkg1_get_latest()

179
{

180
	return &_pkg1_ids[ARRAY_SIZE(_pkg1_ids) - 1];

181
}

182


183
const pkg1_id_t *pkg1_identify(u8 *pkg1)

184
{

185
	char build_date[15];

186
	pk1_hdr_t *hdr = (pk1_hdr_t *)pkg1;

187


188
	memcpy(build_date, hdr->timestamp, 14);

189
	build_date[14] = 0;

190
	gfx_printf("Found pkg1 ('%s').\n\n", build_date);

191


192
	for (int i = ARRAY_SIZE(_pkg1_ids) - 1; i >= 0; i--)

193
		if (!memcmp(hdr->timestamp, _pkg1_ids[i].id, 8))

194
			return &_pkg1_ids[i];

195


196
	return NULL;

197
}

198


199
bool pkg1_decrypt(const pkg1_id_t *id, u8 *pkg1)

200
{

201
	pk11_hdr_t *hdr;

202


203
	// Decrypt package1.

204
	if (!h_cfg.t210b01)

205
	{

206
		u8 *pkg11 = pkg1 + id->pkg11_off;

207
		u32 pkg11_size = *(u32 *)pkg11;

208
		hdr = (pk11_hdr_t *)(pkg11 + 0x20);

209
		se_aes_crypt_ctr(11, hdr, hdr, pkg11_size, pkg11 + 0x10);

210
	}

211
	else

212
	{

213
		bl_hdr_t210b01_t *oem_hdr = (bl_hdr_t210b01_t *)pkg1;

214
		pkg1 += sizeof(bl_hdr_t210b01_t);

215
		hdr = (pk11_hdr_t *)(pkg1 + id->pkg11_off + 0x20);

216


217
		// Use BEK for T210B01.

218
		// Additionally, skip 0x20 bytes from decryption to maintain the header.

219
		se_aes_iv_clear(13);

220
		se_aes_crypt_cbc(13, DECRYPT, pkg1 + 0x20, pkg1 + 0x20, oem_hdr->size - 0x20);

221
	}

222


223
	// Return if header is valid.

224
	return (hdr->magic == PKG1_MAGIC);

225
}

226


227
const u8 *pkg1_unpack(void *wm_dst, u32 *wb_sz, void *sm_dst, void *ldr_dst, const pkg1_id_t *id, u8 *pkg1)

228
{

229
	const u8 *sec_map;

230
	const pk11_hdr_t *hdr = (pk11_hdr_t *)(pkg1 + id->pkg11_off + 0x20);

231


232
	u32 sec_size[3] = { hdr->wb_size, hdr->ldr_size, hdr->sm_size };

233


234
	// Get correct header mapping.

235
	if (id->fuses == 1)                        // 1.0.0.

236
		sec_map = sec_map_100;

237
	else if (id->fuses >= 2 && id->fuses <= 4) // 2.0.0 - 3.0.2.

238
		sec_map = sec_map_2xx;

239
	else                                       // 4.0.0+

240
		sec_map = sec_map_4xx;

241


242
	// Copy secmon, warmboot and nx bootloader payloads.

243
	u8 *pdata = (u8 *)hdr + sizeof(pk11_hdr_t);

244
	for (u32 i = 0; i < 3; i++)

245
	{

246
		u32 ssize = sec_size[sec_map[i]];

247
		switch (sec_map[i])

248
		{

249
		case PK11_SECTION_WB:

250
			if (wm_dst)

251
				memcpy(wm_dst,  pdata, ssize);

252
			if (wb_sz)

253
				*wb_sz = ssize;

254
			break;

255
		case PK11_SECTION_LD:

256
			if (ldr_dst)

257
				memcpy(ldr_dst, pdata, ssize);

258
			break;

259
		case PK11_SECTION_SM:

260
			if (sm_dst)

261
				memcpy(sm_dst,  pdata, ssize);

262
			break;

263
		}

264
		pdata += ssize;

265
	}

266


267
	return sec_map;

268
}

269


270
void pkg1_secmon_patch(void *hos_ctxt, u32 secmon_base, bool t210b01)

271
{

272
	const patch_t *secmon_patchset;

273
	launch_ctxt_t *ctxt = (launch_ctxt_t *)hos_ctxt;

274


275
	// Patch Secmon to allow for an unsigned package2 and patched kernel.

276
	if (!t210b01 && ctxt->pkg1_id->secmon_patchset)

277
	{

278
		// For T210 till 6.2.0 the patching is used as is, because of no compression.

279
		secmon_patchset = ctxt->pkg1_id->secmon_patchset;

280
	}

281
#ifdef HOS_MARIKO_STOCK_SECMON

282
	else if (t210b01)

283
	{

284
		// For T210B01 we patch 6.X.X as is. Otherwise we decompress the program payload.

285
		if (ctxt->pkg1_id->mkey      == HOS_MKEY_VER_600)

286
			secmon_patchset = _secmon_6_mariko_patchset;

287
		else if (ctxt->pkg1_id->mkey == HOS_MKEY_VER_620)

288
			secmon_patchset = _secmon_620_mariko_patchset;

289
		else

290
		{

291
			// Patch uncompress of program payload clear TZRAM.

292
			secmon_patchset = _secmon_7_mariko_patchset;

293
			memset((void *)TZRAM_PROG_ADDR, 0, 0x38800);

294


295
			// Get size of compressed program payload and set patch offset.

296
			u32 idx = ctxt->pkg1_id->mkey - HOS_MKEY_VER_700;

297
			u32 patch_offset = TZRAM_PROG_PK2_SIG_PATCH;

298
			if (ctxt->pkg1_id->mkey >= HOS_MKEY_VER_1210 || !memcmp(ctxt->pkg1_id->id, "20200303", 8)) //TODO: Add 11.0.0 support.

299
			{

300
				idx++;

301
				patch_offset = TZRAM_PROG_PK2_SIG_PATCH_1000;

302
			}

303


304
			// Uncompress directly to TZRAM.

305
			LZ4_decompress_fast((const char*)(secmon_base + TZRAM_COMPR_PROG_OFF),

306
				(char *)TZRAM_PROG_ADDR, _secmon_mariko_prog_comp_size[idx]);

307


308
			// Patch package2 signature/hash checks.

309
			*(vu32 *)patch_offset = _NOP();

310
		}

311
	}

312
#endif

313
	else

314
		return;

315


316
	// Patch Secmon.

317
	gfx_printf("%kPatching Secure Monitor%k\n", TXT_CLR_ORANGE, TXT_CLR_DEFAULT);

318
	for (u32 i = 0; secmon_patchset[i].off != 0xFFFFFFFF; i++)

319
		*(vu32 *)(secmon_base + secmon_patchset[i].off) = secmon_patchset[i].val;

320
}

321


322
void pkg1_warmboot_patch(void *hos_ctxt)

323
{

324
	launch_ctxt_t *ctxt = (launch_ctxt_t *)hos_ctxt;

325
	const patch_t *warmboot_patchset;

326


327
	// Patch warmboot on T210 to allow downgrading.

328
	switch (ctxt->pkg1_id->mkey)

329
	{

330
	case 0:

331
		warmboot_patchset = _warmboot_1_patchset;

332
		break;

333
	case 1 ... 2:

334
		warmboot_patchset = _warmboot_3_patchset;

335
		break;

336
	default: // 4.0.0 - 6.2.0.

337
		warmboot_patchset = _warmboot_4_patchset;

338
		break;

339
	}

340
	gfx_printf("%kPatching Warmboot%k\n", TXT_CLR_ORANGE, TXT_CLR_DEFAULT);

341
	for (u32 i = 0; warmboot_patchset[i].off != 0xFFFFFFFF; i++)

342
		*(vu32 *)(ctxt->pkg1_id->warmboot_base + warmboot_patchset[i].off) = warmboot_patchset[i].val;

343
}

344


345
int pkg1_warmboot_config(void *hos_ctxt, u32 warmboot_base, u32 fuses_fw, u8 mkey)

346
{

347
	launch_ctxt_t *ctxt = (launch_ctxt_t *)hos_ctxt;

348
	int res = 0;

349


350
	if (h_cfg.t210b01)

351
	{

352
		u8  burnt_fuses = bit_count(fuse_read_odm(7));

353


354
		// Check if not overridden.

355
		if (!ctxt->warmboot)

356
		{

357
			char path[32];

358
			strcpy(path, "warmboot_mariko/wb_00.bin");

359
			itoa(fuses_fw, &path[19 + (fuses_fw < 0x10 ? 1 : 0)], 16);

360
			path[21] = '.';

361


362
			//!OBSOLETE: Check if warmboot fw does not exist and save it.

363
			if (ctxt->warmboot_size && warmboot_base && f_stat(path, NULL))

364
			{

365
				f_mkdir("warmboot_mariko");

366
				sd_save_to_file((void *)warmboot_base, ctxt->warmboot_size, path);

367
			}

368


369
			// Load sc7exit-fw from storage if low.

370
			if (burnt_fuses > fuses_fw)

371
			{

372
				//!TODO: Update on fuse burns.

373
				void *warmboot_fw = sd_file_read("bootloader/sys/l4t/sc7exit_b01.bin", &ctxt->warmboot_size);

374
				fuses_fw = *(u32 *)warmboot_fw;

375


376
				// Check if high enough.

377
				if (!warmboot_fw || burnt_fuses > fuses_fw)

378
					res = 1;

379
				else

380
				{

381
					ctxt->warmboot = warmboot_fw + sizeof(u32);

382
					ctxt->warmboot_size -= sizeof(u32) * 2;

383
					burnt_fuses = fuses_fw;

384
				}

385
			}

386
			else // Replace burnt fuses with higher count.

387
				burnt_fuses = fuses_fw;

388
		}

389


390
		// Configure warmboot parameters. Anything lower than 6.0.0 is not supported.

391
		// From 7.0.0 and up, it's not derived from PA segment but it's 0x21 * fuses.

392
		u32 pa_id = 0x21 * burnt_fuses;

393
		if (burnt_fuses <= 8) // Old method.

394
			pa_id -= 0x60;

395


396
		// Set Warmboot Physical Address ID and lock SECURE_SCRATCH32 register.

397
		PMC(APBDEV_PMC_SECURE_SCRATCH32) = pa_id;

398
		PMC(APBDEV_PMC_SEC_DISABLE3) |= BIT(16);

399
	}

400
	else

401
	{

402
		// Set Warmboot address in PMC if required.

403
		if (mkey <= HOS_MKEY_VER_301)

404
			PMC(APBDEV_PMC_SCRATCH1) = warmboot_base;

405


406
		// Set Warmboot Physical Address ID for 3.0.0 - 3.0.2. For 4.0.0 and up, secmon does it.

407
		// The check is already patched so it's actually irrelevant.

408
		if (mkey == HOS_MKEY_VER_300)

409
			PMC(APBDEV_PMC_SECURE_SCRATCH32) = 0xE3;  // Warmboot 3.0.0 PA ID.

410
		else if (mkey == HOS_MKEY_VER_301)

411
			PMC(APBDEV_PMC_SECURE_SCRATCH32) = 0x104; // Warmboot 3.0.1/.2 PA ID.

412
	}

413


414
	return res;

415
}

416


417
void pkg1_warmboot_rsa_mod(u32 warmboot_base)

418
{

419
	// Set warmboot binary rsa modulus.

420
	u8 *rsa_mod = (u8 *)malloc(EMMC_BLOCKSIZE);

421


422
	emmc_set_partition(EMMC_BOOT0);

423


424
	u32 sector;

425
	u8  mod0, mod1;

426


427
	// Get the correct RSA modulus byte masks.

428
	nx_emmc_get_autorcm_masks(&mod0, &mod1);

429


430
	// Iterate BCTs.

431
	for (u32 i = 0; i < 4; i++)

432
	{

433
		sector = 1 + (32 * i); // 0x4000 bct + 0x200 offset.

434
		sdmmc_storage_read(&emmc_storage, sector, 1, rsa_mod);

435


436
		// Check if 2nd byte of modulus is correct.

437
		if (rsa_mod[0x11] != mod1)

438
			continue;

439


440
		// Patch AutoRCM out.

441
		rsa_mod[0x10] = mod0;

442


443
		break;

444
	}

445


446
	memcpy((void *)(warmboot_base + 0x10), rsa_mod + 0x10, 0x100);

447
}

448


449