Tool: bootcsum
bootcsum provides two tools for calculating and reversing the checksum used in the IPL2 stage of the N64's PIF ROM code to verify the ROM bootcode integrity.
Simply run make in the pseultra/bootcsum directory.
To use bootcsum, invoke the bootcsum executable with the following arguments:
- The file whose checksum you'd like to check
- (Optional) a checksum to verify against
If the second argument is omitted, it will return the checksum via stdout. If it is included, it will either exit with 0 and pass "Correct" to stdout if the checksum is correct, or pass "Incorrect" to stdout and exit with code -1.
To use bootcsumr, invoke the bootcsumr executable with the following arguments:
- The file whose checksum you would like to find a collision for
- The checksum to attempt to find
- The first halfword to use in the search (explained below)
In order to optimize searching for collisions, bootcsumr uses a few tricks which reduce the cycle count from about 350,000 on MIPS to about 500-1000 on x86. To begin, it calculates the frame array only one time, for the bootcode instructions 0x0 - 0x3ed. Then, for the last 6 bytes of the bootcode, it puts the halfword passed via the command line in the first 2 bytes, then calculates 0x3ee - 0x3ef and the rest of the checksum by testing every single combination of the last 4 bytes, 0x0 - 0xffffffff.
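The prefix-caching idea described above, as an added example that is not part of pseultra: it uses a toy stand-in checksum (not the IPL2 algorithm) to show why the state over the fixed words only needs to be computed once. The names absorb, finish, checksum_full and search_tail, the seed, the word layout and the sample words are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define SEED 0x3Fu /* constructed seed for the toy checksum */

/* Toy sequential checksum, NOT the IPL2 algorithm: each word updates a
 * running state, so the state after a fixed prefix can be saved and reused. */
static uint32_t absorb(uint32_t s, uint32_t word)
{
    s ^= word;
    s = (s << 5) | (s >> 27);            /* rotate left by 5 */
    return s * 0x9E3779B1u + 0x7F4A7C15u;
}
static uint32_t finish(uint32_t s) { return s ^ (s >> 16); }

/* Reference path: checksum of all n words from scratch. */
uint32_t checksum_full(const uint32_t *w, size_t n)
{
    uint32_t s = SEED;
    for (size_t i = 0; i < n; i++) s = absorb(s, w[i]);
    return finish(s);
}

/* Try final words first..last (inclusive). The state over w[0..n-3] is computed
 * once, w[n-2] gets `half` in its low 16 bits and is absorbed once, and only the
 * final word is absorbed per candidate. Returns 1 and stores the match, else 0. */
int search_tail(uint32_t *w, size_t n, uint32_t target, uint16_t half,
                uint32_t first, uint32_t last, uint32_t *found)
{
    if (n < 2 || first > last) return 0;
    uint32_t s = SEED;
    for (size_t i = 0; i + 2 < n; i++) s = absorb(s, w[i]);
    w[n - 2] = (w[n - 2] & 0xFFFF0000u) | half;
    s = absorb(s, w[n - 2]);
    for (uint32_t c = first; ; c++) {
        if (finish(absorb(s, c)) == target) { w[n - 1] = *found = c; return 1; }
        if (c == last) return 0;         /* also terminates at 0xffffffff */
    }
}

int main(void)
{
    /* Constructed sample image: derive a target from a known tail, then search. */
    uint32_t img[8] = {1, 2, 3, 4, 5, 6, 0xABCD1234u, 0x0001B3C7u}, hit = 0;
    uint32_t target = checksum_full(img, 8);
    img[7] = 0;
    if (search_tail(img, 8, target, 0x1234, 0, 0xFFFFFu, &hit))
        printf("tail %08x gives %08x\n", (unsigned)hit, (unsigned)checksum_full(img, 8));
    return 0;
}
```

Each candidate costs one absorb and one finish instead of a pass over the whole buffer, which is where the per-candidate saving comes from.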
When brute forcing, there should be a collaboration to keep track of which starting halfwords have been brute-forced already, to prevent unnecessary calculation repetition.
Execute pseultra/bootcsum/unit-tests/test from the pseultra root directory. It should display "Correct" for all 4 test checksums.
- Optimize reverse checksum further