Difference between revisions of "S5L8720 (Hardware - SHA1)"

From The iPhone Wiki
Jump to: navigation, search
m (Calculating the SHA-1 of a message)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
  +
==S5L8720 SHA-1 Hardware==
  +
Base Address: 0x38000000
   
  +
===Programming Guide===
Haxed by 1337Urmom at The Pois0nhack team
 
  +
As there is no real documentation of the hardware (The Samsung S3C6400X seams to use a very similar SHA-1 generator, but not the same), this is based on what [[iBoot]] does and on a lot of trial-and-error.
Haxed by 1337Urmom at The Pois0nhack team
 
  +
====How it works====
Haxed by 1337Urmom at The Pois0nhack team
 
  +
Basically it is like a hardware version of a SHA-1 algorithm. The hardware processes data in 512Bit (64 Bytes) chunks (Just like a software algorithm). <br>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
It does NO pre-processing (appending a '1' Bit to the data, pad the data so that the length mod 512 is 448, and append the bit-length of the data as a 64-bit big-endian integer). <br>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
This has to be done in software.
   
  +
====Calculating the SHA-1 of a message====
Haxed by 1337Urmom at The Pois0nhack team
 
  +
# Prepare the message as usual. See [[wikipedia:Secure Hash Algorithm|Wikipedia on SHA]]
Haxed by 1337Urmom at The Pois0nhack team
 
  +
# Switch on the clock for the SHA-1 generator
Haxed by 1337Urmom at The Pois0nhack team
 
  +
# Reset the generator. To do this set bit 0 of reset register and clear it afterwards (iBoot waits until the hash is ready before resetting it)
Haxed by 1337Urmom at The Pois0nhack team
 
  +
# Clear (Write 0) to the Configuration Register (Not sure if this is needed as it already reads 0 after resetting, but iBoot does it)
Haxed by 1337Urmom at The Pois0nhack team
 
  +
# Clear register 0x80 and 0x10 (Also not sure why, as they also read 0)
  +
# Write 64 bytes of the message to the data input registers starting at the lowest
  +
# If this were the the first 64 bytes clear bit 3 in the Configuration register, else set it
  +
# Set bit 1 (Start Hash) of the Configuration register and wait until bit 0 (Hash Busy) is cleared
  +
# If more data to hash go to point 6
  +
# Read the calculated hash of the Output SHA-1 Hash registers
  +
# Switch off the clock
   
  +
==Registers==
Haxed by 1337Urmom at The Pois0nhack team
 
  +
===Register Summary===
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<table border=1 width=100%>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<tr>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<td align=left width=100pix><b>Register</b></td>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<td><b>Description</b></td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x00</td>
  +
<td align=left>Configuration</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x04</td>
  +
<td align=left>Reset</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x08</td>
  +
<td align=left>Unknown, but referenced in iBoot</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x0C</td>
  +
<td align=left>Unknown, but referenced in iBoot</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x10</td>
  +
<td align=left>Unknown, but referenced in iBoot (Set to 0 before calculating a hash)</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x20 - 0x30</td>
  +
<td align=left>Output SHA-1 hash / Input Initialization Vector</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x40 - 0x7C</td>
  +
<td align=left>Data Input (64 Bytes)</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x80</td>
  +
<td align=left>Unknown, but referenced in iBoot (Set to 0 before calculating a hash)</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x84</td>
  +
<td align=left>Unknown, but referenced in iBoot</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>0x8C</td>
  +
<td align=left>Unknown, but referenced in iBoot</td>
  +
</tr>
  +
</table>
   
  +
===Configuration Register===
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<table border=1 width=100%>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<tr>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<td align=left width=100pix><b>Bit</b></td>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<td><b>Function</b></td>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>Bit 0</td>
  +
<td align=left>Hash Busy. Is set when the hash calculation is started and cleared when the generator is done.</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>Bit 1</td>
  +
<td align=left>Start Hash. Set to 1 to start hashing of the data in the Input Data registers.</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>Bit 2</td>
  +
<td align=left>Unknown</td>
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>Bit 3</td>
  +
<td align=left>Config IV. Use arbitary IV (=1), Use SHA-1 constants (=0) (Used for starting a new hash (=0), or continue a previous one (=1)).</td>
  +
</tr>
  +
</table>
  +
All other bits are unknown or not used
   
  +
===Reset Register===
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<table border=1 width=100%>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<tr>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<td align=left width=100pix><b>Bit</b></td>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
<td><b>Function</b></td>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
</tr>
  +
<tr>
  +
<td align=left width=100pix>Bit 0</td>
  +
<td align=left>Reset Hash. Resets the generator and all registers.</td>
  +
</tr>
  +
</table>
  +
All other bits are unknown or not used
   
  +
===Hash Out / IV In===
Haxed by 1337Urmom at The Pois0nhack team
 
  +
Read: Outputs the hash in little-endian <br>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
Write: Set the initialization vectors
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
   
  +
===Data Input===
Haxed by 1337Urmom at The Pois0nhack team
 
  +
Read: Read what was previously written there (like normal RAM) <br>
Haxed by 1337Urmom at The Pois0nhack team
 
  +
Write: The current 64 byte data chunk to calculate the hash of. (little-endian)
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
vv
 

Latest revision as of 05:12, 29 July 2010

S5L8720 SHA-1 Hardware

Base Address: 0x38000000

Programming Guide

As there is no real documentation of the hardware (The Samsung S3C6400X seams to use a very similar SHA-1 generator, but not the same), this is based on what iBoot does and on a lot of trial-and-error.

How it works

Basically it is like a hardware version of a SHA-1 algorithm. The hardware processes data in 512Bit (64 Bytes) chunks (Just like a software algorithm).
It does NO pre-processing (appending a '1' Bit to the data, pad the data so that the length mod 512 is 448, and append the bit-length of the data as a 64-bit big-endian integer).
This has to be done in software.

Calculating the SHA-1 of a message

  1. Prepare the message as usual. See Wikipedia on SHA
  2. Switch on the clock for the SHA-1 generator
  3. Reset the generator. To do this set bit 0 of reset register and clear it afterwards (iBoot waits until the hash is ready before resetting it)
  4. Clear (Write 0) to the Configuration Register (Not sure if this is needed as it already reads 0 after resetting, but iBoot does it)
  5. Clear register 0x80 and 0x10 (Also not sure why, as they also read 0)
  6. Write 64 bytes of the message to the data input registers starting at the lowest
  7. If this were the the first 64 bytes clear bit 3 in the Configuration register, else set it
  8. Set bit 1 (Start Hash) of the Configuration register and wait until bit 0 (Hash Busy) is cleared
  9. If more data to hash go to point 6
  10. Read the calculated hash of the Output SHA-1 Hash registers
  11. Switch off the clock

Registers

Register Summary

Register Description
0x00 Configuration
0x04 Reset
0x08 Unknown, but referenced in iBoot
0x0C Unknown, but referenced in iBoot
0x10 Unknown, but referenced in iBoot (Set to 0 before calculating a hash)
0x20 - 0x30 Output SHA-1 hash / Input Initialization Vector
0x40 - 0x7C Data Input (64 Bytes)
0x80 Unknown, but referenced in iBoot (Set to 0 before calculating a hash)
0x84 Unknown, but referenced in iBoot
0x8C Unknown, but referenced in iBoot

Configuration Register

Bit Function
Bit 0 Hash Busy. Is set when the hash calculation is started and cleared when the generator is done.
Bit 1 Start Hash. Set to 1 to start hashing of the data in the Input Data registers.
Bit 2 Unknown
Bit 3 Config IV. Use arbitary IV (=1), Use SHA-1 constants (=0) (Used for starting a new hash (=0), or continue a previous one (=1)).

All other bits are unknown or not used

Reset Register

Bit Function
Bit 0 Reset Hash. Resets the generator and all registers.

All other bits are unknown or not used

Hash Out / IV In

Read: Outputs the hash in little-endian
Write: Set the initialization vectors

Data Input

Read: Read what was previously written there (like normal RAM)
Write: The current 64 byte data chunk to calculate the hash of. (little-endian)