psptool 2.6__tar.gz → 2.7__tar.gz

{psptool-2.6 → psptool-2.7}/.github/workflows/python-tests.yml

@@ -14,8 +14,7 @@ jobs:
       - uses: actions/checkout@v3
         with:
           submodules: recursive
-          ssh-key: ${{ secrets.PSPTOOL_FIXTURES_REPO_PRIVATE_KEY }}
-          lfs: true
+          ssh-key: ${{ secrets.PSPTOOL_FIXTURES_NEW_PRIVATE_KEY }}
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v3
         with:
@@ -34,4 +33,4 @@ jobs:
           flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
       - name: Test with unittest
         run: |
-          python -m unittest discover -s tests -v
+          python -m unittest discover -s tests -v

{psptool-2.6 → psptool-2.7}/.gitmodules

@@ -1,3 +1,3 @@
 [submodule "tests/integration/fixtures"]
 	path = tests/integration/fixtures
-	url = git@github.com:PSPReverse/PSPTool-fixtures.git
+	url = git@github.com:cwerling/PSPTool-fixtures.git

{psptool-2.6 → psptool-2.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: psptool
-Version: 2.6
+Version: 2.7
 Summary: PSPTool is a tool for dealing with AMD binary blobs
 Home-page: https://github.com/PSPReverse/PSPTool
 Author: Christian Werling
@@ -23,6 +23,8 @@ It is based on reverse-engineering efforts of AMD's **proprietary filesystem** u
 PSPTool favourably works with UEFI images as obtained through BIOS updates. If these updates are only available through Windows executables, tools like [innoextract](https://github.com/dscharrer/innoextract) can help.
 
 PSPTool was developed at TU Berlin in context of the following research:
+- 2023, talk: [Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater](https://www.blackhat.com/us-23/briefings/schedule/#jailbreaking-an-electric-vehicle-in--or-what-it-means-to-hotwire-teslas-x-based-seat-heater-33049)
+- 2023, paper: [faulTPM: Exposing AMD fTPMs' Deepest Secrets](https://arxiv.org/abs/2304.14717)
 - 2021, paper: [One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization](https://arxiv.org/abs/2108.04575)
 - 2020, talk: [All You Ever Wanted to Know about the AMD Platform Security Processor and were Afraid to Emulate](https://youtu.be/KR8bPLj4nKE)
 - 2019, talk: [Uncover, Understand, Own - Regaining Control Over Your AMD CPU](https://media.ccc.de/v/36c3-10942-uncover_understand_own_-_regaining_control_over_your_amd_cpu)
@@ -66,7 +68,7 @@ $ psptool Lenovo_Thinkpad_T495_r12uj35wd.iso
 
 <details>
   <summary>Click to expand output</summary>
-  
+
   ```
 +-----+----------+-----------+----------+--------------------------------+
 | ROM |   Addr   |    Size   |   FET    |             AGESA              |

{psptool-2.6 → psptool-2.7}/README.md

@@ -7,6 +7,8 @@ It is based on reverse-engineering efforts of AMD's **proprietary filesystem** u
 PSPTool favourably works with UEFI images as obtained through BIOS updates. If these updates are only available through Windows executables, tools like [innoextract](https://github.com/dscharrer/innoextract) can help.
 
 PSPTool was developed at TU Berlin in context of the following research:
+- 2023, talk: [Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater](https://www.blackhat.com/us-23/briefings/schedule/#jailbreaking-an-electric-vehicle-in--or-what-it-means-to-hotwire-teslas-x-based-seat-heater-33049)
+- 2023, paper: [faulTPM: Exposing AMD fTPMs' Deepest Secrets](https://arxiv.org/abs/2304.14717)
 - 2021, paper: [One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization](https://arxiv.org/abs/2108.04575)
 - 2020, talk: [All You Ever Wanted to Know about the AMD Platform Security Processor and were Afraid to Emulate](https://youtu.be/KR8bPLj4nKE)
 - 2019, talk: [Uncover, Understand, Own - Regaining Control Over Your AMD CPU](https://media.ccc.de/v/36c3-10942-uncover_understand_own_-_regaining_control_over_your_amd_cpu)
@@ -50,7 +52,7 @@ $ psptool Lenovo_Thinkpad_T495_r12uj35wd.iso
 
 <details>
   <summary>Click to expand output</summary>
-  
+
   ```
 +-----+----------+-----------+----------+--------------------------------+
 | ROM |   Addr   |    Size   |   FET    |             AGESA              |

{psptool-2.6 → psptool-2.7}/psptool/__main__.py

@@ -46,6 +46,7 @@ def main():
     parser.add_argument('-n', '--no-duplicates', help=SUPPRESS, action='store_true')
     parser.add_argument('-j', '--json', help=SUPPRESS, action='store_true')
     parser.add_argument('-t', '--key-tree', help=SUPPRESS, action='store_true')
+    parser.add_argument('-m', '--metrics', help=SUPPRESS, action='store_true')
     parser.add_argument('-p', '--privkeystub', help=SUPPRESS)
     parser.add_argument('-a', '--privkeypass', help=SUPPRESS)
 
@@ -60,6 +61,7 @@ def main():
         '-n:      list unique entries only ordered by their offset',
         '-j:      output in JSON format instead of tables',
         '-t:      print tree of all signed entities and their certifying keys',
+        '-m:      print entry parsing metrics for testing',
         '', '']), action='store_true')
 
     action.add_argument('-X', '--extract-entry', help='\n'.join([
@@ -114,7 +116,7 @@ def main():
             elif args.decrypt:
                 if not entry.encrypted:
                     ph.print_error_and_exit(f'Entry is not encrypted {entry.get_readable_type()}')
-                output = entry.get_decrypted()
+                output = entry.to_decrypted_entry_bytes()
             elif args.pem_key:
                 output = entry.get_pem_encoded()
             else:
@@ -187,7 +189,7 @@ def main():
             if args.privkeystub:
                 privkeys = PrivateKeyDict.read_from_files(args.privkeystub, args.privkeypass)
 
-            if entry.signed_entity:
+            if hasattr(entry, 'signed_entity') and entry.signed_entity:
                 entry.signed_entity.resign_and_replace(privkeys=privkeys, recursive=True)
             else:
                 ph.print_warning("Did not resign anything since target entry is not signed")
@@ -203,6 +205,8 @@ def main():
             psp.ls_json(verbose=args.verbose)
         elif args.key_tree:
             psp.cert_tree.print_key_tree()
+        elif args.metrics:
+            psp.print_metrics()
         elif args.no_duplicates:
             psp.ls_entries(verbose=args.verbose)
         else:

{psptool-2.6 → psptool-2.7}/psptool/blob.py

@@ -75,6 +75,9 @@ class Blob(NestedBuffer):
             if not fet_parsed:
                 self.psptool.ph.print_warning(f"Skipping FET at {hex(fet_location)} due to unknown ROM alignment")
 
+        if len(self.roms) == 0:
+            self.psptool.ph.print_warning("Could not find any Firmware Entry Table!")
+
         self._construct_range_dict()
 
     def __repr__(self):

{psptool-2.6 → psptool-2.7}/psptool/cert_tree.py

@@ -106,7 +106,8 @@ class SignedEntity:
                 print(f'        Need to rehash')
                 self.entry.update_sha256()
                 print(f'        Done')
-        assert self.signature.buffer_size == privkey.signature_size
+        assert self.signature.buffer_size == privkey.signature_size, \
+            f"{self.signature.buffer_size=}, {privkey.signature_size=}"
         signature = privkey.sign_blob(self.entry.get_signed_bytes())
         assert len(signature) == self.signature.buffer_size, f'Could not resign {self} with {privkey}: ' \
                                                              f'The new signature has the wrong length ' \
@@ -116,6 +117,8 @@ class SignedEntity:
     def resign_and_replace(self, privkeys: PrivateKeyDict = None, recursive: bool = False):
         # this resigns self (multiple times!)
         for pk in self.certifying_keys:
+            if pk in self.contained_keys:
+                continue # TODO hotfix
             pk.replace_and_resign(privkeys, recursive=recursive)
 
 
@@ -227,13 +230,13 @@ class PublicKeyEntity:
         privkey = privkeys[self.key_type.name]
         assert self.key_type.signature_size == privkey.signature_size
 
+        # replace self
+        self.replace_only(privkey.get_public_key())
+
         # resign children
         for se in self.certified_entities:
             se.resign_only(privkey)
 
-        # replace self
-        self.replace_only(privkey.get_public_key())
-
         # check crypto
         for se in self.certified_entities:
             assert se.is_verified_by(self), f'Resigning {se} with {self} failed!'

{psptool-2.6 → psptool-2.7}/psptool/directory.py

@@ -32,21 +32,23 @@ class Directory(NestedBuffer):
         'rsv2'
     ]
 
+    _DEFAULT_HEADER_SIZE = 2 * 4,
     _HEADER_SIZES = {
         b'$PSP': 4 * 4,
         b'$PL2': 4 * 4,
         b'$BHD': 4 * 4,
-        b'$BL2': 4 * 4
+        b'$BL2': 4 * 4,
     }
 
+    _DEFAULT_ENTRY_SIZE = 2 * 4,
     _ENTRY_SIZES = {
         b'$PSP': 4 * 4,
         b'$PL2': 4 * 4,
         b'$BHD': 4 * 6,
-        b'$BL2': 4 * 6
+        b'$BL2': 4 * 6,
     }
 
-    _ENTRY_TYPES_SECONDARY_DIR = [0x40, 0x70]
+    _ENTRY_TYPES_SECONDARY_DIR = [0x40, 0x48, 0x49, 0x4a, 0x70]
     _ENTRY_TYPES_PUBKEY = [0x0, 0x9, 0xa, 0x5, 0xd]
 
     def __init__(self, parent_rom, rom_address: int, type_: str, psptool, zen_generation='unknown'):
@@ -69,16 +71,16 @@ class Directory(NestedBuffer):
         self.type = type_
         self.entries: List[Entry] = []
 
-        self._entry_size = self._ENTRY_SIZES[self.magic]
+        self._entry_size = self._ENTRY_SIZES.get(self.magic, self._DEFAULT_ENTRY_SIZE)
 
         self._parse_entries()
 
         # check entries for a link to a secondary directory (i.e. a continuation of this directory)
-        self.secondary_directory_address = None
+        self.secondary_directory_addresses = []
         for entry in self.entries:
             if entry.type in self._ENTRY_TYPES_SECONDARY_DIR:
-                # print_warning(f"Secondary dir at 0x{entry.buffer_offset:x}")
-                self.secondary_directory_address = entry.buffer_offset
+                # psptool.ph.print_warning(f"Secondary dir at 0x{entry.buffer_offset:x}")
+                self.secondary_directory_addresses.append(entry.buffer_offset)
 
         self.verify_checksum()
 
@@ -97,6 +99,11 @@ class Directory(NestedBuffer):
         self.header[8:12] = struct.pack('<I', self.count)
         self.update_checksum()
 
+    @property
+    def address_mode(self):
+        rsvd = struct.unpack('=L', self.reserved)[0]
+        return (rsvd & 0x60000000) >> 29 if rsvd != 0 else None
+
     def _parse_header(self):
         # ugly to do this manually, but we do not know our size yet
         self._count = int.from_bytes(
@@ -104,15 +111,16 @@ class Directory(NestedBuffer):
             'little'
         )
         self.magic = self.rom.get_bytes(self.buffer_offset, 4)
+        self.reserved = self.rom.get_bytes(self.buffer_offset + 12, 4)
 
         self.header = NestedBuffer(
             self,
-            self._HEADER_SIZES[self.magic]
+            self._HEADER_SIZES.get(self.magic, self._DEFAULT_HEADER_SIZE)
         )
         self.body = NestedBuffer(
             self,
-            self._ENTRY_SIZES[self.magic] * self._count,
-            buffer_offset=self._HEADER_SIZES[self.magic]
+            self._ENTRY_SIZES.get(self.magic, self._DEFAULT_ENTRY_SIZE) * self._count,
+            buffer_offset=self._HEADER_SIZES.get(self.magic, self._DEFAULT_HEADER_SIZE)
         )
 
         self.buffer_size = len(self.header) + len(self.body)
@@ -126,15 +134,23 @@ class Directory(NestedBuffer):
             for key, word in zip(self.ENTRY_FIELDS, chunker(entry_bytes, 4)):
                 entry_fields[key] = struct.unpack('<I', word)[0]
 
+            entry_fields['type_flags'] = entry_fields['type'] >> 8
+            entry_fields['type'] = entry_fields['type'] & 0xFFFF
+
             entry_fields['offset'] &= self.rom.addr_mask
             destination = None
 
             if entry_fields['type'] in BIOS_ENTRY_TYPES:
                 destination = struct.unpack('<Q', entry_bytes[0x10:0x18])[0]
 
+            # Seen on the Lenovo X13 for the first time
+            if self.address_mode == 2:
+                entry_fields['offset'] += self.buffer_offset
+
             try:
                 entry = Entry.from_fields(self, self.parent_buffer,
                                           entry_fields['type'],
+                                          entry_fields['type_flags'],
                                           entry_fields['size'],
                                           entry_fields['offset'],
                                           self.rom,

{psptool-2.6 → psptool-2.7}/psptool/entry.py

@@ -61,11 +61,16 @@ class Entry(NestedBuffer):
         0x12: 'SMU_OFF_CHIP_FW_2',
         0x13: 'DEBUG_UNLOCK',
         0x1A: 'PSP_S3_NV_DATA',
+        0x20: 'HARDWARE_IP_CONFIG',
         0x21: 'WRAPPED_IKEK',
         0x22: 'TOKEN_UNLOCK',
         0x24: 'SEC_GASKET',
         0x25: 'MP2_FW',
+        0x26: 'MP2_FW_2',
+        0x27: 'USER_MODE_UNIT_TEST',
         0x28: 'DRIVER_ENTRIES',
+        0x29: 'KVM_IMAGE',
+        0x2A: 'MP5_FW',
         0x2D: 'S0I3_DRIVER',
         0x30: 'ABL0',
         0x31: 'ABL1',
@@ -75,35 +80,52 @@ class Entry(NestedBuffer):
         0x35: 'ABL5',
         0x36: 'ABL6',
         0x37: 'ABL7',
+        0x38: 'SEV_DATA',
+        0x39: 'SEV_CODE',
         0x3A: 'FW_PSP_WHITELIST',
+        0x3C: 'VBIOS_PRELOAD',
         # 0x40: 'FW_L2_PTR',
         0x41: 'FW_IMC',
         0x42: 'FW_GEC',
         # 0x43: 'FW_XHCI',
         0x44: 'FW_INVALID',
+        0x45: 'TOS_SECURITY_POLICY',
+        0x47: 'DRTM_TA',
+        0x51: 'TOS_PUBLIC_KEY',
+        0x54: 'PSP_NVRAM',
+        0x55: 'BL_ROLLBACK_SPL',
+        0x5a: 'MSMU_BINARY_0',
+        0x5c: 'WMOS',
+        0x71: 'DMCUB_INS',
         0x46: 'ANOTHER_FET',
         0x50: 'KEY_DATABASE',
         0x5f: 'FW_PSP_SMUSCS',
-        0x60: 'FW_IMC',
-        0x61: 'FW_GEC',
+        0x60: 'APCB',
+        0x61: 'APOB',
         0x62: 'FW_XHCI',
-        0x63: 'FW_INVALID',
+        0x63: 'APOB_NV_COPY',
+        0x64: 'PMU_CODE',
+        0x65: 'PMU_DATA',
+        0x66: 'MICROCODE_PATCH',
+        0x67: 'CORE_MCE_DATA',
+        0x68: 'APCB_COPY',
+        0x69: 'EARLY_VGA_IMAGE',
+        0x6A: 'MP2_FW_CFG',
+        0x73: 'PSP_FW_BOOT_LOADER',
+        0x80: 'OEM_System_Trusted_Application',
+        0x81: 'OEM_System_TA_Signing_key',
         0x108: 'PSP_SMU_FN_FIRMWARE',
         0x118: 'PSP_SMU_FN_FIRMWARE2',
 
         # Entry types named by us
         #   Custom names are denoted by a leading '!'
         0x14: '!PSP_MCLF_TRUSTLETS',  # very similiar to ~PspTrustlets.bin~ in coreboot blobs
-        0x38: '!PSP_ENCRYPTED_NV_DATA',
         0x40: '!PL2_SECONDARY_DIRECTORY',
         0x43: '!KEY_UNKNOWN_1',
         0x4e: '!KEY_UNKNOWN_2',
         0x70: '!BL2_SECONDARY_DIRECTORY',
         0x15f: '!FW_PSP_SMUSCS_2',  # seems to be a secondary FW_PSP_SMUSCS (see above)
         0x112: '!SMU_OFF_CHIP_FW_3',  # seems to tbe a tertiary SMU image (see above)
-        0x39: '!SEV_APP',
-        0x10062: '!UEFI-IMAGE',
-        0x30062: '!UEFI-IMAGE',
         0xdead: '!KEY_NOT_IN_DIR'
 
     }
@@ -122,19 +144,15 @@ class Entry(NestedBuffer):
         pass
 
     @classmethod
-    def from_fields(cls, parent_directory, parent_buffer, type_, size, offset, blob, psptool, destination: int = None):
+    def from_fields(cls, parent_directory, parent_buffer, type_, type_flags, size, offset, blob, psptool, destination: int = None):
         # Try to parse these ID's as a key entry
         # todo: consolidate these constants with Directory._ENTRY_TYPES_PUBKEY
         PUBKEY_ENTRY_TYPES = [0x0, 0x9, 0xa, 0x5, 0xd, 0x43, 0x4e, 0xdead]
 
         # Types known to have no PSP HDR
         # TODO: Find a better way to identify those entries
-        NO_HDR_ENTRY_TYPES = [0x4, 0xb, 0x21, 0x40, 0x70, 0x30062, 0x6, 0x61, 0x60,
-                              0x68, 0x100060, 0x100068, 0x5f, 0x15f, 0x1a, 0x22, 0x63,
-                              0x67, 0x66, 0x100066, 0x200066, 0x300066, 0x10062,
-                              0x400066, 0x500066, 0x800068, 0x61, 0x200060, 0x300060,
-                              0x300068, 0x400068, 0x500068, 0x400060, 0x500060, 0x200068,
-                              0x7, 0x38, 0x46, 0x54, 0x600060, 0x700060, 0x600068, 0x700068]
+        NO_HDR_ENTRY_TYPES = [0x4, 0xb, 0x21, 0x40, 0x70, 0x6, 0x61, 0x60, 0x68, 0x5f, 0x15f, 0x1a, 0x22, 0x63, 0x67,
+                              0x66, 0x62, 0x61, 0x7, 0x38, 0x46, 0x54]
 
         NO_SIZE_ENTRY_TYPES = [0xb]
 
@@ -152,6 +170,7 @@ class Entry(NestedBuffer):
                     parent_directory,
                     parent_buffer,
                     type_,
+                    type_flags,
                     size,
                     offset,
                     blob,
@@ -164,12 +183,13 @@ class Entry(NestedBuffer):
         elif type_ in PUBKEY_ENTRY_TYPES:
             # Option 2: it's a PubkeyEntry
             try:
-                new_entry = PubkeyEntry(parent_directory, parent_buffer, type_, size, offset, blob, psptool)
+                new_entry = PubkeyEntry(parent_directory, parent_buffer, type_, type_flags, size, offset, blob, psptool)
             except Exception as e:
                 new_entry = Entry(
                     parent_directory,
                     parent_buffer,
                     type_,
+                    type_flags,
                     size,
                     offset,
                     blob,
@@ -181,12 +201,13 @@ class Entry(NestedBuffer):
         elif type_ in Entry.KEY_STORE_TYPES:
             # Option 2: it's a KeyStoreEntry
             try:
-                new_entry = KeyStoreEntry(parent_directory, parent_buffer, type_, size, offset, blob, psptool)
+                new_entry = KeyStoreEntry(parent_directory, parent_buffer, type_, type_flags, size, offset, blob, psptool)
             except:
                 new_entry = Entry(
                     parent_directory,
                     parent_buffer,
                     type_,
+                    type_flags,
                     size,
                     offset,
                     blob,
@@ -200,7 +221,7 @@ class Entry(NestedBuffer):
                 # If the size in the directory is zero, set the size to hdr len
                 size = HeaderEntry.HEADER_LEN
             try:
-                new_entry = HeaderEntry(parent_directory, parent_buffer, type_, size, offset, blob, psptool)
+                new_entry = HeaderEntry(parent_directory, parent_buffer, type_, type_flags, size, offset, blob, psptool)
                 if size == 0:
                     psptool.ph.print_warning(f"Entry with zero size. Type: {type_}. Dir: 0x{offset:x}")
             except:
@@ -208,6 +229,7 @@ class Entry(NestedBuffer):
                     parent_directory,
                     parent_buffer,
                     type_,
+                    type_flags,
                     size,
                     offset,
                     blob,
@@ -269,7 +291,7 @@ class Entry(NestedBuffer):
                 # Set zlib_size
                 blob[0x54:0x58] = zlib_size.to_bytes(4, 'little')
 
-            entry = HeaderEntry(None, blob, id_, total_size, 0x0, blob, psptool)
+            entry = HeaderEntry(None, blob, id_, None, total_size, 0x0, blob, psptool)
 
             if signed:
                 entry.signature[:] = private_key.sign(entry.get_signed_bytes())
@@ -278,7 +300,7 @@ class Entry(NestedBuffer):
         else:
             raise Entry.TypeError()
 
-    def __init__(self, parent_directory, parent_buffer, type_, buffer_size, buffer_offset: int, blob, psptool,
+    def __init__(self, parent_directory, parent_buffer, type_, type_flags, buffer_size, buffer_offset: int, blob, psptool,
                  destination: int = None):
         super().__init__(parent_buffer, buffer_size, buffer_offset=buffer_offset)
 
@@ -286,6 +308,7 @@ class Entry(NestedBuffer):
         self.blob = blob
         self.psptool = psptool
         self.type = type_
+        self.type_flags = type_flags
         self.destination = destination
         # todo: deduplicate Entry objects pointing to the same address (in `from_fields`?)
         self.references = [parent_directory] if parent_directory is not None else []
@@ -459,12 +482,13 @@ class KeyStoreEntryHeader(NestedBuffer):
         if self.has_sha256_checksum:
             self.sha256_checksum = NestedBuffer(self, 0x20, buffer_offset=0xd0)
 
+        # Based on KeyStore entries seen in: Lenovo X13 and Lenovo Ideapad 5 Pro 16ACH6
         zero_ranges = {
-            (0x00, 0x10),
             (0x18, 0x18),
             (0x48, 0x04),
             (0x50, 0x08),
-            (0x5c, 0x10),
+            (0x5c, 0x04),
+            (0x64, 0x08),
             (0x70, 0x0c),
             (0x80, 0x50),
             (0xf0, 0x10),
@@ -514,7 +538,7 @@ class KeyStoreEntryHeader(NestedBuffer):
     @property
     def has_sha256_checksum(self) -> bool:
         # assert self.sha256_checksum_flag_1 == self.sha256_checksum_flag_2
-        assert self.sha256_checksum_flag_1 in {0, 1}
+        assert self.sha256_checksum_flag_1 in {0, 1, 2}, f"unknown {self.sha256_checksum_flag_1=}"
         return self.sha256_checksum_flag_1 == 1
 
 
@@ -649,7 +673,7 @@ class PubkeyEntry(Entry):
 
         # misc info
         self._version = NestedBuffer(self, 4)
-        if self.version != 1:
+        if self.version not in {1, 2}:
             raise UnknownPubkeyEntryVersion
         self._key_usage = NestedBuffer(self, 4, 0x24)
 
@@ -657,6 +681,9 @@ class PubkeyEntry(Entry):
         self.key_id = KeyId(self, 0x10, 0x4)
         self.certifying_id = KeyId(self, 0x10, 0x14)
 
+        # security features
+        self._security_features = NestedBuffer(self, 2, 0x2A)
+
         # crypto material
         self._pubexp_bits = NestedBuffer(self, 4, 0x38)
         self._modulus_bits = NestedBuffer(self, 4, 0x3c)
@@ -716,6 +743,10 @@ class PubkeyEntry(Entry):
     def modulus(self) -> int:
         return int.from_bytes(self._modulus.get_bytes(), 'little')
 
+    @property
+    def security_features(self) -> int:
+        return int.from_bytes(self._security_features.get_bytes(), 'little')
+
     def get_signed_bytes(self):
         return self.get_bytes(0, self.buffer_size - self.signature_size)
 
@@ -729,6 +760,26 @@ class PubkeyEntry(Entry):
     def get_readable_version(self):
         return str(self.version)
 
+    def get_readable_key_usage(self):
+        if self.key_usage == 0:
+            return 'AMD_CODE_SIGN'
+        if self.key_usage == 1:
+            return 'BIOS_CODE_SIGN'
+        if self.key_usage == 2:
+            return 'AMD_AND_BIOS_CODE_SIGN'
+        if self.key_usage == 8:
+            return 'PLATFORM_SECURE_BOOT'
+        return f'unknown_key_usage({self.key_usage})'
+
+    def get_readable_security_features(self):
+        features = []
+        if self.security_features & 0b001:
+            features.append('DISABLE_BIOS_KEY_ANTI_ROLLBACK')
+        if self.security_features & 0b010:
+            features.append('DISABLE_AMD_BIOS_KEY_USE')
+        if self.security_features & 0b100:
+            features.append('DISABLE_SECURE_DEBUG_UNLOCK')
+        return ', '.join(features)
 
 class HeaderEntry(Entry):
 
@@ -890,14 +941,14 @@ class HeaderEntry(Entry):
         return self._sha256_checksum_flag_2 == 1
 
     def verify_sha256(self, print_warning=True) -> bool:
-        if self._sha256_checksum.get_bytes() == sha256(self.get_decompressed_body()).digest():
+        if self._sha256_checksum.get_bytes() == sha256(self.get_decrypted_decompressed_body()).digest():
             return True
         if print_warning:
             self.psptool.ph.print_warning(f"Could not verify sha256 checksum for {self}")
         return False
 
     def update_sha256(self):
-        self._sha256_checksum[:] = sha256(self.get_decompressed_body()).digest()
+        self._sha256_checksum[:] = sha256(self.get_decrypted_decompressed_body()).digest()
         self.verify_sha256()
 
     def get_readable_version(self):
@@ -929,30 +980,31 @@ class HeaderEntry(Entry):
         return readable_magic
 
     def get_readable_signed_by(self):
-        return str(self.signature_fingerprint, encoding='ascii').upper()[:4]
+        return self.signed_entity.certifying_id.magic
 
     def get_signed_bytes(self) -> bytes:
-        if self.compressed:
-            full_decompressed = self.header.get_bytes() + self.get_decompressed_body()
-            # Truncate to actually signed portion
-            return full_decompressed[:self.header_len + self.size_signed]
-        elif self.encrypted:
-            return self.get_decrypted()[:self.size_signed + self.header_len]
-        else:
-            return self.get_bytes()[:self.size_signed + self.header_len]
+        entry_bytes = self.header.get_bytes() + self.get_decrypted_decompressed_body()
+        return entry_bytes[:self.header_len + self.size_signed]
 
-    def get_decompressed_body(self) -> bytes:
-        if not self.compressed:
-            return self.body.get_bytes()
+    def get_decrypted_decompressed_body(self) -> bytes:
+        if self.encrypted:
+            output = self.get_decrypted_body()
         else:
+            output = self.body.get_bytes()
+        if self.compressed:
             try:
-                return zlib_decompress(self.body.get_bytes()[:self.zlib_size])
+                return zlib_decompress(output[:self.zlib_size])
             except:
                 self.psptool.ph.print_warning(f"ZLIB decompression failed on entry {self.get_readable_type()}")
-                return self.body.get_bytes()
-
-    def get_decrypted(self) -> bytes:
-        return self.header.get_bytes() + self.get_decrypted_body()
+        return output
+
+    def to_decrypted_entry_bytes(self) -> bytes:
+        """Returns the bytes of the same entry, just with the encryption removed"""
+        header = bytearray(self.header.get_bytes())
+        header[0x18:0x1c] = bytes(4)
+        header[0x20:0x30] = bytes(0x10)
+        signature = self.signature.get_bytes() if self.signed else b''
+        return bytes(header) + self.get_decrypted_body() + signature
 
     def get_decrypted_body(self) -> bytes:
         if not self.encrypted:

{psptool-2.6 → psptool-2.7}/psptool/fet.py

@@ -76,10 +76,23 @@ class Fet(NestedBuffer):
             return
         dir_ = Directory(self.rom, addr, type_, self.psptool, zen_generation)
         self.directories.append(dir_)
-        if dir_.secondary_directory_address is not None:
-            self.directories.append(
-                Directory(self.rom, dir_.secondary_directory_address, 'secondary', self.psptool, zen_generation)
-            )
+        for secondary_directory_address in dir_.secondary_directory_addresses:
+            secondary_directory_magic = self.rom.get_bytes(secondary_directory_address, 4)
+            if secondary_directory_magic in [b'*\rY/', b'j\x8d+1', b'&\r=/', b'd\x8d\x011']:
+                weird_new_directory_body = self.rom.get_bytes(secondary_directory_address+16, 8)
+                try:
+                    secondary_dir = Directory(self.rom, int.from_bytes(weird_new_directory_body[:4], 'little'), 'tertiary', self.psptool)
+                except:
+                    self.psptool.ph.print_warning(f"Couldn't create secondary directory at 0x{secondary_directory_address:x}")
+                self.directories.append(secondary_dir)
+            else:
+                secondary_dir = Directory(self.rom, secondary_directory_address, 'secondary', self.psptool, zen_generation)
+                self.directories.append(secondary_dir)
+
+            # Tertiary directories are a thing, apparently
+            for tertiary_directory_address in secondary_dir.secondary_directory_addresses:
+                tertiary_dir = Directory(self.rom, tertiary_directory_address, 'secondary', self.psptool, zen_generation)
+                self.directories.append(tertiary_dir)
 
     def _parse_entry_table(self):
         entries = self.get_chunks(4, 4)
@@ -109,8 +122,7 @@ class Fet(NestedBuffer):
 
     def _parse_combo_dir(self, dir_addr):
         results = []
-        no_of_entries = int.from_bytes(self.rom[dir_addr + 8: dir_addr + 0xc],
-                                    'little')
+        no_of_entries = int.from_bytes(self.rom[dir_addr + 8: dir_addr + 0xc], 'little')
         combo_dir = self.rom[dir_addr: dir_addr + 16 * (no_of_entries + 2)]
 
         # Combo dir entries seem to begin at offset 0x20, make sure we don't