Mascali/Picklock_RCM
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

You aint taking this down

Browse source
This commit is contained in:
Slluxx 2023-05-09 01:53:15 +02:00
parent 0bcd59d0cb
commit a2679d92c9
398 changed files with 116325 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

96
source/keys/cal0_read.c Normal file
View file

@ -0,0 +1,96 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "cal0_read.h"
#include <gfx_utils.h>
#include <sec/se.h>
#include <sec/se_t210.h>
#include "../storage/emummc.h"
#include "../storage/nx_emmc.h"
#include <utils/util.h>
bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer) {
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer;
// Check if CAL0 was already read into this buffer
if (cal0->magic == MAGIC_CAL0) {
return true;
}
if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) {
EPRINTF("Unable to read PRODINFO.");
return false;
}
se_aes_xts_crypt(tweak_ks, crypt_ks, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE);
if (cal0->magic != MAGIC_CAL0) {
EPRINTF("Invalid CAL0 magic. Check BIS key 0.");
return false;
}
return true;
}
bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key);
const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39);
const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key);
const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad18);
if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, ext_key_crc_size)) {
*out_key = cal0->ext_ssl_key;
*out_key_size = ext_key_size;
*out_iv = cal0->ext_ssl_key_iv;
// Settings sysmodule manually zeroes this out below cal version 9
*out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver;
} else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) {
*out_key = cal0->ssl_key;
*out_key_size = key_size;
*out_iv = cal0->ssl_key_iv;
*out_generation = 0;
} else {
EPRINTF("Crc16 error reading device key.");
return false;
}
return true;
}
bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key);
const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38);
const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key);
const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad21);
if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) {
*out_key = cal0->ext_ecc_rsa2048_eticket_key;
*out_key_size = ext_key_size;
*out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv;
// Settings sysmodule manually zeroes this out below cal version 9
*out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver;
} else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) {
*out_key = cal0->rsa2048_eticket_key;
*out_key_size = key_size;
*out_iv = cal0->rsa2048_eticket_key_iv;
*out_generation = 0;
} else {
EPRINTF("Crc16 error reading device key.");
return false;
}
return true;
}

27
source/keys/cal0_read.h Normal file
View file

@ -0,0 +1,27 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _CAL0_READ_H_
#define _CAL0_READ_H_
#include "../storage/nx_emmc_bis.h"
#include <utils/types.h>
bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer);
bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation);
bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation);
#endif

244
source/keys/crypto.c Normal file
View file

@ -0,0 +1,244 @@
/*
* Copyright (c) 2022 shchmue
* Copyright (c) 2018 Atmosphère-NX
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "crypto.h"
#include "../../keygen/tsec_keygen.h"
#include "../config.h"
#include "../hos/hos.h"
#include <sec/se.h>
#include <sec/se_t210.h>
#include <sec/tsec.h>
#include <soc/fuse.h>
#include <utils/util.h>
#include <string.h>
extern hekate_config h_cfg;
int key_exists(const void *data) {
return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0;
}
int run_ams_keygen() {
tsec_ctxt_t tsec_ctxt;
tsec_ctxt.fw = tsec_keygen;
tsec_ctxt.size = sizeof(tsec_keygen);
tsec_ctxt.type = TSEC_FW_TYPE_NEW;
u32 retries = 0;
u32 temp_key[SE_KEY_128_SIZE / 4];
while (tsec_query(temp_key, &tsec_ctxt) < 0) {
retries++;
if (retries > 15) {
return -1;
}
}
return 0;
}
bool check_keyslot_access() {
u8 test_data[SE_KEY_128_SIZE] = {0};
const u8 test_ciphertext[SE_KEY_128_SIZE] = {0};
se_aes_key_set(KS_AES_ECB, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE);
se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, test_data, test_ciphertext);
return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0;
}
bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) {
u32 plaintext[SE_RSA2048_DIGEST_SIZE / 4] = {0},
ciphertext[SE_RSA2048_DIGEST_SIZE / 4] = {0},
work[SE_RSA2048_DIGEST_SIZE / 4] = {0};
plaintext[63] = 0xCAFEBABE;
se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, private_exponent, SE_RSA2048_DIGEST_SIZE);
se_rsa_exp_mod(0, ciphertext, SE_RSA2048_DIGEST_SIZE, plaintext, SE_RSA2048_DIGEST_SIZE);
se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, public_exponent, 4);
se_rsa_exp_mod(0, work, SE_RSA2048_DIGEST_SIZE, ciphertext, SE_RSA2048_DIGEST_SIZE);
return memcmp(plaintext, work, SE_RSA2048_DIGEST_SIZE) == 0;
}
// _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère
static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size) {
u8 cur_hash[0x20] __attribute__((aligned(4)));
u8 hash_buf[0xe4] __attribute__((aligned(4)));
u32 hash_buf_size = seed_size + 4;
memcpy(hash_buf, seed, seed_size);
u32 round_num = 0;
u8 *p_out = (u8 *)masked;
while (masked_size) {
u32 cur_size = MIN(masked_size, 0x20);
for (u32 i = 0; i < 4; i++)
hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff;
round_num++;
se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size);
for (unsigned int i = 0; i < cur_size; i++) {
*p_out ^= cur_hash[i];
p_out++;
}
masked_size -= cur_size;
}
}
u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size) {
if (dst_size <= 0 || buf_size < 0x43 || label_digest_size != 0x20)
return 0;
bool is_valid = buf[0] == 0;
u32 db_len = buf_size - 0x21;
u8 *seed = buf + 1;
u8 *db = seed + 0x20;
_mgf1_xor(seed, 0x20, db, db_len);
_mgf1_xor(db, db_len, seed, 0x20);
is_valid &= memcmp(label_digest, db, 0x20) ? 0 : 1;
db += 0x20;
db_len -= 0x20;
int msg_ofs = 0;
int looking_for_one = 1;
int invalid_db_padding = 0;
int is_zero;
int is_one;
for (int i = 0; i < db_len; ) {
is_zero = (db[i] == 0);
is_one = (db[i] == 1);
msg_ofs += (looking_for_one & is_one) * (++i);
looking_for_one &= ~is_one;
invalid_db_padding |= (looking_for_one & ~is_zero);
}
is_valid &= (invalid_db_padding == 0);
const u32 msg_size = MIN(dst_size, is_valid * (db_len - msg_ofs));
memcpy(dst, db + msg_ofs, msg_size);
return msg_size;
}
void derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
u32 access_key[SE_KEY_128_SIZE / 4] = {0};
generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
}
// Equivalent to spl::GenerateAesKek
void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) {
bool device_unique = GET_IS_DEVICE_UNIQUE(option);
u32 seal_key_index = GET_SEAL_KEY_INDEX(option);
if (generation)
generation--;
u8 static_source[SE_KEY_128_SIZE] __attribute__((aligned(4)));
for (u32 i = 0; i < SE_KEY_128_SIZE; i++)
static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i];
if (device_unique) {
get_device_key(ks, keys, keys->temp_key, generation);
} else {
memcpy(keys->temp_key, keys->master_key[generation], sizeof(keys->temp_key));
}
se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE);
se_aes_unwrap_key(ks, ks, static_source);
se_aes_crypt_block_ecb(ks, DECRYPT, out_kek, kek_source);
}
// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key
void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
se_aes_key_set(ks, access_key, SE_KEY_128_SIZE);
se_aes_crypt_block_ecb(ks, DECRYPT, out_key, key_source);
}
// Equivalent to spl::GenerateAesKey
void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) {
u32 aes_key[SE_KEY_128_SIZE / 4] = {0};
load_aes_key(ks, aes_key, access_key, aes_key_generation_source);
se_aes_key_set(ks, aes_key, SE_KEY_128_SIZE);
se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size);
}
// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing
void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
load_aes_key(ks, out_key, access_key, key_source);
}
// Equivalent to spl::DecryptAesKey.
void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) {
u32 access_key[SE_KEY_128_SIZE / 4] = {0};
generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option);
generate_aes_key(ks, keys, out_key, SE_KEY_128_SIZE, access_key, key_source);
}
// Equivalent to smc::GetSecureData
void get_secure_data(key_storage_t *keys, void *out_data) {
se_aes_key_set(KS_AES_CTR, keys->device_key, SE_KEY_128_SIZE);
u8 *d = (u8 *)out_data;
se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 0, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]);
se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 1, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]);
// Apply tweak
for (u32 i = 0; i < SE_KEY_128_SIZE; i++) {
d[SE_KEY_128_SIZE + i] ^= secure_data_tweaks[0][i];
}
}
// Equivalent to spl::GenerateSpecificAesKey
void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation) {
if (fuse_read_bootrom_rev() >= 0x7F) {
get_device_key(ks, keys, keys->temp_key, generation == 0 ? 0 : generation - 1);
se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE);
se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source);
se_aes_crypt_ecb(ks, DECRYPT, out_key, SE_KEY_128_SIZE * 2, key_source, SE_KEY_128_SIZE * 2);
} else {
get_secure_data(keys, out_key);
}
}
void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation) {
if (generation == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) {
memcpy(out_device_key, keys->device_key, SE_KEY_128_SIZE);
return;
}
if (generation >= KB_FIRMWARE_VERSION_400) {
generation -= KB_FIRMWARE_VERSION_400;
} else {
generation = 0;
}
u32 temp_key_source[SE_KEY_128_SIZE / 4] = {0};
load_aes_key(ks, temp_key_source, keys->device_key_4x, device_master_key_source_sources[generation]);
const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[generation] : device_master_kek_sources_dev[generation];
se_aes_key_set(ks, keys->master_key[0], SE_KEY_128_SIZE);
se_aes_unwrap_key(ks, ks, kek_source);
se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source);
}

240
source/keys/crypto.h Normal file
View file

@ -0,0 +1,240 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _CRYPTO_H_
#define _CRYPTO_H_
#include "es_types.h"
#include "../hos/hos.h"
#include <sec/se_t210.h>
#include "../storage/nx_emmc.h"
#include <utils/types.h>
#include <string.h>
// Sha256 hash of the null string.
static const u8 null_hash[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = {
0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8};
static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = {
0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E};
static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
{0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0 Device Master Kek Source. */
{0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0 Device Master Kek Source. */
{0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0 Device Master Kek Source. */
{0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0 Device Master Kek Source. */
{0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0 Device Master Kek Source. */
{0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0 Device Master Kek Source. */
{0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0 Device Master Kek Source. */
{0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0 Device Master Kek Source. */
{0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */
{0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */
{0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */
{0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */
{0xF0, 0xF3, 0xFF, 0x52, 0x75, 0x2F, 0xBA, 0x4D, 0x09, 0x72, 0x30, 0x89, 0xA9, 0xDF, 0xFE, 0x1F}, /* 16.0.0 Device Master Kek Source. */
}; //!TODO: Update on mkey changes.
static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
{0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0 Device Master Kek Source. */
{0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0 Device Master Kek Source. */
{0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0 Device Master Kek Source. */
{0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0 Device Master Kek Source. */
{0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0 Device Master Kek Source. */
{0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0 Device Master Kek Source. */
{0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0 Device Master Kek Source. */
{0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0 Device Master Kek Source. */
{0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */
{0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */
{0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */
{0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */
{0xFF, 0xF6, 0x4B, 0x0F, 0xFF, 0x0D, 0xC0, 0x4F, 0x56, 0x8A, 0x40, 0x74, 0x67, 0xC5, 0xFE, 0x9F}, /* 16.0.0 Device Master Kek Source. */
}; //!TODO: Update on mkey changes.
static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
{0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0 Device Master Key Source Source. */
{0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0 Device Master Key Source Source. */
{0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0 Device Master Key Source Source. */
{0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0 Device Master Key Source Source. */
{0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0 Device Master Key Source Source. */
{0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0 Device Master Key Source Source. */
{0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0 Device Master Key Source Source. */
{0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0 Device Master Key Source Source. */
{0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */
{0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */
{0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */
{0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */
{0xEA, 0x90, 0x6E, 0xA8, 0xAE, 0x92, 0x99, 0x64, 0x36, 0xC1, 0xF3, 0x1C, 0xC6, 0x32, 0x83, 0x8C}, /* 16.0.0 Device Master Key Source Source. */
}; //!TODO: Update on mkey changes.
static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = {
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // SealKey_LoadAesKey
{0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}, // SealKey_DecryptDeviceUniqueData
{0x57, 0xE2, 0xD9, 0x45, 0xE4, 0x92, 0xF4, 0xFD, 0xC3, 0xF9, 0x86, 0x38, 0x89, 0x78, 0x9F, 0x3C}, // SealKey_ImportLotusKey
{0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}, // SealKey_ImportEsDeviceKey
{0x59, 0xD9, 0x31, 0xF4, 0xA7, 0x97, 0xB8, 0x14, 0x40, 0xD6, 0xA2, 0x60, 0x2B, 0xED, 0x15, 0x31}, // SealKey_ReencryptDeviceUniqueData
{0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75}, // SealKey_ImportSslKey
{0x89, 0x96, 0x43, 0x9A, 0x7C, 0xD5, 0x59, 0x55, 0x24, 0xD5, 0x24, 0x18, 0xAB, 0x6C, 0x04, 0x61}, // SealKey_ImportEsClientCertKey
};
static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = {
0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95};
static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = {
{0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9}
};
static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
{0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E}
};
//!TODO: Update on keygen changes.
#define TSEC_ROOT_KEY_VERSION 2
// Picklock_RCM keyslots
#define KS_BIS_00_CRYPT 0
#define KS_BIS_00_TWEAK 1
#define KS_BIS_01_CRYPT 2
#define KS_BIS_01_TWEAK 3
#define KS_BIS_02_CRYPT 4
#define KS_BIS_02_TWEAK 5
#define KS_AES_CTR 6
#define KS_AES_ECB 8
#define KS_AES_CMAC 10
// Mariko keyslots
#define KS_MARIKO_KEK 12
#define KS_MARIKO_BEK 13
// Other Switch keyslots
#define KS_TSEC 12
#define KS_SECURE_BOOT 14
// Atmosphere keygen keyslots
#define KS_TSEC_ROOT_DEV 11
#define KS_TSEC_ROOT 13
#define RSA_PUBLIC_EXPONENT 65537
#define KEYBLOB_UNK_DATA_SIZE 0x70
#define KEYBLOB_UNUSED_SIZE (NX_EMMC_BLOCKSIZE - SE_AES_CMAC_DIGEST_SIZE - SE_AES_IV_SIZE - sizeof(keyblob_t))
typedef struct {
u8 master_kek[SE_KEY_128_SIZE];
u8 data[KEYBLOB_UNK_DATA_SIZE];
u8 package1_key[SE_KEY_128_SIZE];
} keyblob_t;
typedef struct {
u8 cmac[SE_AES_CMAC_DIGEST_SIZE];
u8 iv[SE_AES_IV_SIZE];
keyblob_t key_data;
u8 unused[KEYBLOB_UNUSED_SIZE];
} encrypted_keyblob_t;
typedef struct {
u8 temp_key[SE_KEY_128_SIZE],
bis_key[4][SE_KEY_128_SIZE * 2],
device_key[SE_KEY_128_SIZE],
device_key_4x[SE_KEY_128_SIZE],
sd_seed[SE_KEY_128_SIZE],
// FS-related keys
header_key[SE_KEY_128_SIZE * 2],
save_mac_key[SE_KEY_128_SIZE],
// other sysmodule keys
eticket_rsa_kek[SE_KEY_128_SIZE],
eticket_rsa_kek_personalized[SE_KEY_128_SIZE],
ssl_rsa_kek[SE_KEY_128_SIZE],
ssl_rsa_kek_legacy[SE_KEY_128_SIZE],
ssl_rsa_kek_personalized[SE_KEY_128_SIZE],
ssl_rsa_key[SE_RSA2048_DIGEST_SIZE + 0x20],
// keyblob-derived families
keyblob_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
package1_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
// master key-derived families
key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
master_kek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
master_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
package2_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
titlekek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
tsec_key[SE_KEY_128_SIZE],
tsec_root_key[SE_KEY_128_SIZE];
u32 secure_boot_key[4];
keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
eticket_rsa_keypair_t eticket_rsa_keypair;
} key_storage_t;
typedef enum {
SEAL_KEY_LOAD_AES_KEY = 0,
SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA = 1,
SEAL_KEY_IMPORT_LOTUS_KEY = 2,
SEAL_KEY_IMPORT_ES_DEVICE_KEY = 3,
SEAL_KEY_REENCRYPT_DEVICE_UNIQUE_DATA = 4,
SEAL_KEY_IMPORT_SSL_KEY = 5,
SEAL_KEY_IMPORT_ES_CLIENT_CERT_KEY = 6,
} seal_key_t;
typedef enum {
NOT_DEVICE_UNIQUE = 0,
IS_DEVICE_UNIQUE = 1,
} device_unique_t;
#define SET_SEAL_KEY_INDEX(x) (((x) & 7) << 5)
#define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
#define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
int key_exists(const void *data);
int run_ams_keygen();
bool check_keyslot_access();
bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus);
u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size);
void derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option);
// Equivalent to spl::GenerateAesKek
void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option);
// Equivalent to spl::GenerateAesKey
void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source);
// Equivalent to spl::GenerateSpecificAesKey
void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation);
// Equivalent to spl::DecryptAesKey.
void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option);
// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key
void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing
void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
// Equivalent to smc::GetSecureData
void get_secure_data(key_storage_t *keys, void *out_data);
// Equivalent to smc::PrepareDeviceMasterKey
void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation);
#endif

146
source/keys/es_crypto.c Normal file
View file

@ -0,0 +1,146 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "es_crypto.h"
#include "cal0_read.h"
#include "../config.h"
#include <gfx_utils.h>
#include "../gfx/tui.h"
#include <mem/minerva.h>
#include <sec/se.h>
#include <sec/se_t210.h>
#include <string.h>
extern hekate_config h_cfg;
bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair) {
if (byte_swap_32(keypair->public_exponent) != RSA_PUBLIC_EXPONENT)
return false;
return test_rsa_keypair(&keypair->public_exponent, keypair->private_exponent, keypair->modulus);
}
void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation, bool is_dev) {
if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
return;
}
const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option);
}
void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek) {
if (!key_exists(keys->master_key[0])) {
return;
}
const u32 generation = 0;
const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option);
}
void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev) {
if (!key_exists(keys->master_key[0])) {
return;
}
const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
const u32 generation = 0;
const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option);
}
bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev) {
if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) {
return false;
}
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer;
u32 generation = 0;
const void *encrypted_key = NULL;
const void *iv = NULL;
u32 key_size = 0;
void *ctr_key = NULL;
if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
return false;
}
// Handle legacy case
if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
u32 temp_key[SE_KEY_128_SIZE / 4] = {0};
es_derive_rsa_kek_legacy(keys, temp_key);
ctr_key = temp_key;
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek));
return true;
}
// Fall through and try usual method if not applicable
}
if (generation) {
es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev);
ctr_key = keys->eticket_rsa_kek_personalized;
} else {
ctr_key = keys->eticket_rsa_kek;
}
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
EPRINTF("Invalid eticket keypair.");
memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
return false;
}
return true;
}
void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) {
ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer;
for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) {
minerva_periodic_training();
*pct = (total - remaining) * 100 / total;
if (*pct > *last_pct && *pct <= 100) {
*last_pct = *pct;
tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500);
}
// This is in case an encrypted volatile ticket is left behind
if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256)
continue;
u8 *curr_titlekey = curr_ticket->titlekey_block;
const u32 block_size = SE_RSA2048_DIGEST_SIZE;
const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]);
if (is_personalized) {
se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size);
if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size)
continue;
}
memcpy(titlekey_buffer->rights_ids[*titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0]));
memcpy(titlekey_buffer->titlekeys[*titlekey_count], curr_titlekey, titlekey_size);
(*titlekey_count)++;
}
}

49
source/keys/es_crypto.h Normal file
View file

@ -0,0 +1,49 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _ES_CRYPTO_H_
#define _ES_CRYPTO_H_
#include "crypto.h"
#include "es_types.h"
#include <sec/se_t210.h>
#include <utils/types.h>
#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE)
#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004
static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
0xDB, 0xA4, 0x51, 0x12, 0x4C, 0xA0, 0xA9, 0x83, 0x68, 0x14, 0xF5, 0xED, 0x95, 0xE3, 0x12, 0x5B};
static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
0xBE, 0xC0, 0xBC, 0x8E, 0x75, 0xA0, 0xF6, 0x0C, 0x4A, 0x56, 0x64, 0x02, 0x3E, 0xD4, 0x9C, 0xD5};
static const u8 eticket_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
0x88, 0x87, 0x50, 0x90, 0xA6, 0x2F, 0x75, 0x70, 0xA2, 0xD7, 0x71, 0x51, 0xAE, 0x6D, 0x39, 0x87};
static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
0x46, 0x6E, 0x57, 0xB7, 0x4A, 0x44, 0x7F, 0x02, 0xF3, 0x21, 0xCD, 0xE5, 0x8F, 0x2F, 0x55, 0x35};
bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair);
void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation, bool is_dev);
void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev);
void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized);
#endif

76
source/keys/es_types.h Normal file
View file

@ -0,0 +1,76 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _ES_TYPES_H_
#define _ES_TYPES_H_
#include <sec/se_t210.h>
#include <utils/types.h>
typedef struct {
u8 private_exponent[SE_RSA2048_DIGEST_SIZE];
u8 modulus[SE_RSA2048_DIGEST_SIZE];
u32 public_exponent;
u8 reserved[0xC];
} eticket_rsa_keypair_t;
// only tickets of type Rsa2048Sha256 are expected
typedef struct {
u32 signature_type; // always 0x10004
u8 signature[SE_RSA2048_DIGEST_SIZE];
u8 sig_padding[0x3C];
char issuer[0x40];
u8 titlekey_block[SE_RSA2048_DIGEST_SIZE];
u8 format_version;
u8 titlekey_type;
u16 ticket_version;
u8 license_type;
u8 common_key_id;
u16 property_mask;
u64 reserved;
u64 ticket_id;
u64 device_id;
u8 rights_id[0x10];
u32 account_id;
u32 sect_total_size;
u32 sect_hdr_offset;
u16 sect_hdr_count;
u16 sect_hdr_entry_size;
u8 padding[0x140];
} ticket_t;
typedef struct {
u8 rights_id[0x10];
u64 ticket_id;
u32 account_id;
u16 property_mask;
u16 reserved;
} ticket_record_t;
typedef struct {
u8 read_buffer[SZ_256K];
u8 rights_ids[SZ_256K / 0x10][0x10];
u8 titlekeys[SZ_256K / 0x10][0x10];
} titlekey_buffer_t;
typedef struct {
char rights_id[0x20];
char equals[3];
char titlekey[0x20];
char newline[1];
} titlekey_text_buffer_t;
#endif

69
source/keys/fs_crypto.c Normal file
View file

@ -0,0 +1,69 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "fs_crypto.h"
#include "../config.h"
#include <sec/se_t210.h>
#include <string.h>
extern hekate_config h_cfg;
void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation) {
if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
return;
}
generate_specific_aes_key(KS_AES_ECB, keys, out_bis_keys[0], bis_key_sources[0], generation);
u32 access_key[SE_KEY_128_SIZE / 4] = {0};
const u32 option = IS_DEVICE_UNIQUE;
generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option);
generate_aes_key(KS_AES_ECB, keys, out_bis_keys[1], sizeof(bis_key_sources[1]), access_key, bis_key_sources[1]);
generate_aes_key(KS_AES_ECB, keys, out_bis_keys[2], sizeof(bis_key_sources[2]), access_key, bis_key_sources[2]);
memcpy(out_bis_keys[3], out_bis_keys[2], sizeof(bis_key_sources[2]));
}
void fs_derive_header_key(key_storage_t *keys, void *out_key) {
if (!key_exists(keys->master_key[0])) {
return;
}
u32 access_key[SE_KEY_128_SIZE / 4] = {0};
const u32 generation = 0;
const u32 option = NOT_DEVICE_UNIQUE;
generate_aes_kek(KS_AES_ECB, keys, access_key, header_kek_source, generation, option);
generate_aes_key(KS_AES_ECB, keys, out_key, sizeof(header_key_source), access_key, header_key_source);
}
void fs_derive_key_area_key(key_storage_t *keys, void *out_key, u32 source_type, u32 generation) {
u32 access_key[SE_KEY_128_SIZE / 4] = {0};
const u32 option = NOT_DEVICE_UNIQUE;
generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
load_aes_key(KS_AES_ECB, out_key, access_key, aes_key_generation_source);
}
void fs_derive_save_mac_key(key_storage_t *keys, void *out_key) {
if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
return;
}
u32 access_key[SE_KEY_128_SIZE / 4] = {0};
const u32 generation = 0;
const u32 option = IS_DEVICE_UNIQUE;
generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option);
load_aes_key(KS_AES_ECB, out_key, access_key, save_mac_key_source);
}

74
source/keys/fs_crypto.h Normal file
View file

@ -0,0 +1,74 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _FS_CRYPTO_H_
#define _FS_CRYPTO_H_
#include "crypto.h"
#include <utils/types.h>
static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = {
0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
static const u8 bis_key_sources[3][0x20] __attribute__((aligned(4))) = {
{0xF8, 0x3F, 0x38, 0x6E, 0x2C, 0xD2, 0xCA, 0x32, 0xA8, 0x9A, 0xB9, 0xAA, 0x29, 0xBF, 0xC7, 0x48,
0x7D, 0x92, 0xB0, 0x3A, 0xA8, 0xBF, 0xDE, 0xE1, 0xA7, 0x4C, 0x3B, 0x6E, 0x35, 0xCB, 0x71, 0x06},
{0x41, 0x00, 0x30, 0x49, 0xDD, 0xCC, 0xC0, 0x65, 0x64, 0x7A, 0x7E, 0xB4, 0x1E, 0xED, 0x9C, 0x5F,
0x44, 0x42, 0x4E, 0xDA, 0xB4, 0x9D, 0xFC, 0xD9, 0x87, 0x77, 0x24, 0x9A, 0xDC, 0x9F, 0x7C, 0xA4},
{0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C,
0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4}
};
static const u8 header_kek_source[0x10] __attribute__((aligned(4))) = {
0x1F, 0x12, 0x91, 0x3A, 0x4A, 0xCB, 0xF0, 0x0D, 0x4C, 0xDE, 0x3A, 0xF6, 0xD5, 0x23, 0x88, 0x2A};
static const u8 header_key_source[0x20] __attribute__((aligned(4))) = {
0x5A, 0x3E, 0xD8, 0x4F, 0xDE, 0xC0, 0xD8, 0x26, 0x31, 0xF7, 0xE2, 0x5D, 0x19, 0x7B, 0xF5, 0xD0,
0x1C, 0x9B, 0x7B, 0xFA, 0xF6, 0x28, 0x18, 0x3D, 0x71, 0xF6, 0x4D, 0x73, 0xF1, 0x50, 0xB9, 0xD2};
static const u8 key_area_key_sources[3][0x10] __attribute__((aligned(4))) = {
{0x7F, 0x59, 0x97, 0x1E, 0x62, 0x9F, 0x36, 0xA1, 0x30, 0x98, 0x06, 0x6F, 0x21, 0x44, 0xC3, 0x0D}, // application
{0x32, 0x7D, 0x36, 0x08, 0x5A, 0xD1, 0x75, 0x8D, 0xAB, 0x4E, 0x6F, 0xBA, 0xA5, 0x55, 0xD8, 0x82}, // ocean
{0x87, 0x45, 0xF1, 0xBB, 0xA6, 0xBE, 0x79, 0x64, 0x7D, 0x04, 0x8B, 0xA6, 0x7B, 0x5F, 0xDA, 0x4A}, // system
};
static const u8 save_mac_kek_source[0x10] __attribute__((aligned(4))) = {
0xD8, 0x9C, 0x23, 0x6E, 0xC9, 0x12, 0x4E, 0x43, 0xC8, 0x2B, 0x03, 0x87, 0x43, 0xF9, 0xCF, 0x1B};
static const u8 save_mac_key_source[0x10] __attribute__((aligned(4))) = {
0xE4, 0xCD, 0x3D, 0x4A, 0xD5, 0x0F, 0x74, 0x28, 0x45, 0xA4, 0x87, 0xE5, 0xA0, 0x63, 0xEA, 0x1F};
static const u8 save_mac_sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
0x04, 0x89, 0xEF, 0x5D, 0x32, 0x6E, 0x1A, 0x59, 0xC4, 0xB7, 0xAB, 0x8C, 0x36, 0x7A, 0xAB, 0x17};
static const u8 save_mac_sd_card_key_source[0x10] __attribute__((aligned(4))) = {
0x6F, 0x64, 0x59, 0x47, 0xC5, 0x61, 0x46, 0xF9, 0xFF, 0xA0, 0x45, 0xD5, 0x95, 0x33, 0x29, 0x18};
static const u8 sd_card_custom_storage_key_source[0x20] __attribute__((aligned(4))) = {
0x37, 0x0C, 0x34, 0x5E, 0x12, 0xE4, 0xCE, 0xFE, 0x21, 0xB5, 0x8E, 0x64, 0xDB, 0x52, 0xAF, 0x35,
0x4F, 0x2C, 0xA5, 0xA3, 0xFC, 0x99, 0x9A, 0x47, 0xC0, 0x3E, 0xE0, 0x04, 0x48, 0x5B, 0x2F, 0xD0};
static const u8 sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
0x88, 0x35, 0x8D, 0x9C, 0x62, 0x9B, 0xA1, 0xA0, 0x01, 0x47, 0xDB, 0xE0, 0x62, 0x1B, 0x54, 0x32};
static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = {
0x58, 0x41, 0xA2, 0x84, 0x93, 0x5B, 0x56, 0x27, 0x8B, 0x8E, 0x1F, 0xC5, 0x18, 0xE9, 0x9F, 0x2B,
0x67, 0xC7, 0x93, 0xF0, 0xF2, 0x4F, 0xDE, 0xD0, 0x75, 0x49, 0x5D, 0xCA, 0x00, 0x6D, 0x99, 0xC2};
static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = {
0x24, 0x49, 0xB7, 0x22, 0x72, 0x67, 0x03, 0xA8, 0x19, 0x65, 0xE6, 0xE3, 0xEA, 0x58, 0x2F, 0xDD,
0x9A, 0x95, 0x15, 0x17, 0xB1, 0x6E, 0x8F, 0x7F, 0x1F, 0x68, 0x26, 0x31, 0x52, 0xEA, 0x29, 0x6A};
void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation);
void fs_derive_header_key(key_storage_t *keys, void *out_key);
void fs_derive_key_area_key(key_storage_t *keys, void *out_key, u32 source_type, u32 generation);
void fs_derive_save_mac_key(key_storage_t *keys, void *out_key);
#endif

130
source/keys/gmac.c Normal file
View file

@ -0,0 +1,130 @@
/*
* Copyright (c) 2018-2020 Atmosphère-NX
* Copyright (c) 2019-2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "gmac.h"
#include <sec/se.h>
#include <sec/se_t210.h>
#include <stdint.h>
#include <string.h>
/* Shifts right a little endian 128-bit value. */
static void _shr_128(uint64_t *val) {
val[0] >>= 1;
val[0] |= (val[1] & 1) << 63;
val[1] >>= 1;
}
/* Shifts left a little endian 128-bit value. */
static void _shl_128(uint64_t *val) {
val[1] <<= 1;
val[1] |= (val[0] & (1ull << 63)) >> 63;
val[0] <<= 1;
}
/* Multiplies two 128-bit numbers X,Y in the GF(128) Galois Field. */
static void _gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) {
uint8_t x_work[0x10];
uint8_t y_work[0x10];
uint8_t dst_work[0x10];
uint64_t *p_x = (uint64_t *)(&x_work[0]);
uint64_t *p_y = (uint64_t *)(&y_work[0]);
uint64_t *p_dst = (uint64_t *)(&dst_work[0]);
/* Initialize buffers. */
for (unsigned int i = 0; i < 0x10; i++) {
x_work[i] = x[0xF-i];
y_work[i] = y[0xF-i];
dst_work[i] = 0;
}
/* Perform operation for each bit in y. */
for (unsigned int round = 0; round < 0x80; round++) {
p_dst[0] ^= p_x[0] * ((y_work[0xF] & 0x80) >> 7);
p_dst[1] ^= p_x[1] * ((y_work[0xF] & 0x80) >> 7);
_shl_128(p_y);
uint8_t xval = 0xE1 * (x_work[0] & 1);
_shr_128(p_x);
x_work[0xF] ^= xval;
}
for (unsigned int i = 0; i < 0x10; i++) {
dst[i] = dst_work[0xF-i];
}
}
static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt) {
uint8_t x[0x10] = {0};
uint8_t h[0x10];
uint64_t *p_x = (uint64_t *)(&x[0]);
uint64_t *p_data = (uint64_t *)src;
/* H = aes_ecb_encrypt(zeroes) */
se_aes_crypt_block_ecb(ks, ENCRYPT, h, x);
u64 total_size = src_size;
while (src_size >= 0x10) {
/* X = (X ^ current_block) * H */
p_x[0] ^= p_data[0];
p_x[1] ^= p_data[1];
_gf128_mul(x, x, h);
/* Increment p_data by 0x10 bytes. */
p_data += 2;
src_size -= 0x10;
}
/* Nintendo's code *discards all data in the last block* if unaligned. */
/* And treats that block as though it were all-zero. */
/* This is a bug, they just forget to XOR with the copy of the last block they save. */
if (src_size & 0xF) {
_gf128_mul(x, x, h);
}
uint64_t xor_size = total_size << 3;
xor_size = __builtin_bswap64(xor_size);
/* Due to a Nintendo bug, the wrong QWORD gets XOR'd in the "final output block" case. */
if (encrypt) {
p_x[0] ^= xor_size;
} else {
p_x[1] ^= xor_size;
}
_gf128_mul(x, x, h);
/* If final output block, XOR with encrypted J block. */
if (encrypt) {
se_aes_crypt_block_ecb(ks, ENCRYPT, h, j_block);
for (unsigned int i = 0; i < 0x10; i++) {
x[i] ^= h[i];
}
}
/* Copy output. */
memcpy(dst, x, 0x10);
}
void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv) {
u32 j_block[4] = {0};
se_aes_key_set(ks, key, 0x10);
_ghash(ks, j_block, iv, 0x10, NULL, false);
_ghash(ks, out_gmac, data, size, j_block, true);
}

24
source/keys/gmac.h Normal file
View file

@ -0,0 +1,24 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _GMAC_H_
#define _GMAC_H_
#include <utils/types.h>
void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv);
#endif

132
source/keys/key_sources.inl Normal file
View file

@ -0,0 +1,132 @@
/*
* Copyright (c) 2019-2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_620 + 1][0x10] __attribute__((aligned(4))) = {
{0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0
{0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0
{0xDE, 0xDC, 0xE3, 0x39, 0x30, 0x88, 0x16, 0xF8, 0xAE, 0x97, 0xAD, 0xEC, 0x64, 0x2D, 0x41, 0x41}, //8.1.0
{0x1A, 0xEC, 0x11, 0x82, 0x2B, 0x32, 0x38, 0x7A, 0x2B, 0xED, 0xBA, 0x01, 0x47, 0x7E, 0x3B, 0x67}, //9.0.0
{0x30, 0x3F, 0x02, 0x7E, 0xD8, 0x38, 0xEC, 0xD7, 0x93, 0x25, 0x34, 0xB5, 0x30, 0xEB, 0xCA, 0x7A}, //9.1.0
{0x84, 0x67, 0xB6, 0x7F, 0x13, 0x11, 0xAE, 0xE6, 0x58, 0x9B, 0x19, 0xAF, 0x13, 0x6C, 0x80, 0x7A}, //12.1.0
{0x68, 0x3B, 0xCA, 0x54, 0xB8, 0x6F, 0x92, 0x48, 0xC3, 0x05, 0x76, 0x87, 0x88, 0x70, 0x79, 0x23}, //13.0.0
{0xF0, 0x13, 0x37, 0x9A, 0xD5, 0x63, 0x51, 0xC3, 0xB4, 0x96, 0x35, 0xBC, 0x9C, 0xE8, 0x76, 0x81}, //14.0.0
{0x6E, 0x77, 0x86, 0xAC, 0x83, 0x0A, 0x8D, 0x3E, 0x7D, 0xB7, 0x66, 0xA0, 0x22, 0xB7, 0x6E, 0x67}, //15.0.0
{0x99, 0x22, 0x09, 0x57, 0xA7, 0xF9, 0x5E, 0x94, 0xFE, 0x78, 0x7F, 0x41, 0xD6, 0xE7, 0x56, 0xE6}, //16.0.0
}; //!TODO: Update on mkey changes.
static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = {
{0x0C, 0xF0, 0x59, 0xAC, 0x85, 0xF6, 0x26, 0x65, 0xE1, 0xE9, 0x19, 0x55, 0xE6, 0xF2, 0x67, 0x3D}, /* Zeroes encrypted with Master Key 00. */
{0x29, 0x4C, 0x04, 0xC8, 0xEB, 0x10, 0xED, 0x9D, 0x51, 0x64, 0x97, 0xFB, 0xF3, 0x4D, 0x50, 0xDD}, /* Master key 00 encrypted with Master key 01. */
{0xDE, 0xCF, 0xEB, 0xEB, 0x10, 0xAE, 0x74, 0xD8, 0xAD, 0x7C, 0xF4, 0x9E, 0x62, 0xE0, 0xE8, 0x72}, /* Master key 01 encrypted with Master key 02. */
{0x0A, 0x0D, 0xDF, 0x34, 0x22, 0x06, 0x6C, 0xA4, 0xE6, 0xB1, 0xEC, 0x71, 0x85, 0xCA, 0x4E, 0x07}, /* Master key 02 encrypted with Master key 03. */
{0x6E, 0x7D, 0x2D, 0xC3, 0x0F, 0x59, 0xC8, 0xFA, 0x87, 0xA8, 0x2E, 0xD5, 0x89, 0x5E, 0xF3, 0xE9}, /* Master key 03 encrypted with Master key 04. */
{0xEB, 0xF5, 0x6F, 0x83, 0x61, 0x9E, 0xF8, 0xFA, 0xE0, 0x87, 0xD7, 0xA1, 0x4E, 0x25, 0x36, 0xEE}, /* Master key 04 encrypted with Master key 05. */
{0x1E, 0x1E, 0x22, 0xC0, 0x5A, 0x33, 0x3C, 0xB9, 0x0B, 0xA9, 0x03, 0x04, 0xBA, 0xDB, 0x07, 0x57}, /* Master key 05 encrypted with Master key 06. */
{0xA4, 0xD4, 0x52, 0x6F, 0xD1, 0xE4, 0x36, 0xAA, 0x9F, 0xCB, 0x61, 0x27, 0x1C, 0x67, 0x65, 0x1F}, /* Master key 06 encrypted with Master key 07. */
{0xEA, 0x60, 0xB3, 0xEA, 0xCE, 0x8F, 0x24, 0x46, 0x7D, 0x33, 0x9C, 0xD1, 0xBC, 0x24, 0x98, 0x29}, /* Master key 07 encrypted with Master key 08. */
{0x4D, 0xD9, 0x98, 0x42, 0x45, 0x0D, 0xB1, 0x3C, 0x52, 0x0C, 0x9A, 0x44, 0xBB, 0xAD, 0xAF, 0x80}, /* Master key 08 encrypted with Master key 09. */
{0xB8, 0x96, 0x9E, 0x4A, 0x00, 0x0D, 0xD6, 0x28, 0xB3, 0xD1, 0xDB, 0x68, 0x5F, 0xFB, 0xE1, 0x2A}, /* Master key 09 encrypted with Master key 0A. */
{0xC1, 0x8D, 0x16, 0xBB, 0x2A, 0xE4, 0x1D, 0xD4, 0xC2, 0xC1, 0xB6, 0x40, 0x94, 0x35, 0x63, 0x98}, /* Master key 0A encrypted with Master key 0B. */
{0xA3, 0x24, 0x65, 0x75, 0xEA, 0xCC, 0x6E, 0x8D, 0xFB, 0x5A, 0x16, 0x50, 0x74, 0xD2, 0x15, 0x06}, /* Master key 0B encrypted with Master key 0C. */
{0x83, 0x67, 0xAF, 0x01, 0xCF, 0x93, 0xA1, 0xAB, 0x80, 0x45, 0xF7, 0x3F, 0x72, 0xFD, 0x3B, 0x38}, /* Master key 0C encrypted with Master key 0D. */
{0xB1, 0x81, 0xA6, 0x0D, 0x72, 0xC7, 0xEE, 0x15, 0x21, 0xF3, 0xC0, 0xB5, 0x6B, 0x61, 0x6D, 0xE7}, /* Master key 0D encrypted with Master key 0E. */
{0xAF, 0x11, 0x4C, 0x67, 0x17, 0x7A, 0x52, 0x43, 0xF7, 0x70, 0x2F, 0xC7, 0xEF, 0x81, 0x72, 0x16}, /* Master key 0E encrypted with Master key 0F. */
}; //!TODO: Update on mkey changes.
static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = {
{0x46, 0x22, 0xB4, 0x51, 0x9A, 0x7E, 0xA7, 0x7F, 0x62, 0xA1, 0x1F, 0x8F, 0xC5, 0x3A, 0xDB, 0xFE}, /* Zeroes encrypted with Master Key 00. */
{0x39, 0x33, 0xF9, 0x31, 0xBA, 0xE4, 0xA7, 0x21, 0x2C, 0xDD, 0xB7, 0xD8, 0xB4, 0x4E, 0x37, 0x23}, /* Master key 00 encrypted with Master key 01. */
{0x97, 0x29, 0xB0, 0x32, 0x43, 0x14, 0x8C, 0xA6, 0x85, 0xE9, 0x5A, 0x94, 0x99, 0x39, 0xAC, 0x5D}, /* Master key 01 encrypted with Master key 02. */
{0x2C, 0xCA, 0x9C, 0x31, 0x1E, 0x07, 0xB0, 0x02, 0x97, 0x0A, 0xD8, 0x03, 0xA2, 0x76, 0x3F, 0xA3}, /* Master key 02 encrypted with Master key 03. */
{0x9B, 0x84, 0x76, 0x14, 0x72, 0x94, 0x52, 0xCB, 0x54, 0x92, 0x9B, 0xC4, 0x8C, 0x5B, 0x0F, 0xBA}, /* Master key 03 encrypted with Master key 04. */
{0x78, 0xD5, 0xF1, 0x20, 0x3D, 0x16, 0xE9, 0x30, 0x32, 0x27, 0x34, 0x6F, 0xCF, 0xE0, 0x27, 0xDC}, /* Master key 04 encrypted with Master key 05. */
{0x6F, 0xD2, 0x84, 0x1D, 0x05, 0xEC, 0x40, 0x94, 0x5F, 0x18, 0xB3, 0x81, 0x09, 0x98, 0x8D, 0x4E}, /* Master key 05 encrypted with Master key 06. */
{0x37, 0xAF, 0xAB, 0x35, 0x79, 0x09, 0xD9, 0x48, 0x29, 0xD2, 0xDB, 0xA5, 0xA5, 0xF5, 0x30, 0x19}, /* Master key 06 encrypted with Master key 07. */
{0xEC, 0xE1, 0x46, 0x89, 0x37, 0xFD, 0xD2, 0x15, 0x8C, 0x3F, 0x24, 0x82, 0xEF, 0x49, 0x68, 0x04}, /* Master key 07 encrypted with Master key 08. */
{0x43, 0x3D, 0xC5, 0x3B, 0xEF, 0x91, 0x02, 0x21, 0x61, 0x54, 0x63, 0x8A, 0x35, 0xE7, 0xCA, 0xEE}, /* Master key 08 encrypted with Master key 09. */
{0x6C, 0x2E, 0xCD, 0xB3, 0x34, 0x61, 0x77, 0xF5, 0xF9, 0xB1, 0xDD, 0x61, 0x98, 0x19, 0x3E, 0xD4}, /* Master key 09 encrypted with Master key 0A. */
{0x21, 0x88, 0x6B, 0x10, 0x9E, 0x83, 0xD6, 0x52, 0xAB, 0x08, 0xDB, 0x6D, 0x39, 0xFF, 0x1C, 0x9C}, /* Master key 0A encrypted with Master key 0B. */
{0x8A, 0xCE, 0xC4, 0x7F, 0xBE, 0x08, 0x61, 0x88, 0xD3, 0x73, 0x64, 0x51, 0xE2, 0xB6, 0x53, 0x15}, /* Master key 0B encrypted with Master key 0C. */
{0x08, 0xE0, 0xF4, 0xBE, 0xAA, 0x6E, 0x5A, 0xC3, 0xA6, 0xBC, 0xFE, 0xB9, 0xE2, 0xA3, 0x24, 0x12}, /* Master key 0C encrypted with Master key 0D. */
{0xD6, 0x80, 0x98, 0xC0, 0xFA, 0xC7, 0x13, 0xCB, 0x93, 0xD2, 0x0B, 0x82, 0x4C, 0xA1, 0x7B, 0x8D}, /* Master key 0D encrypted with Master key 0E. */
{0x78, 0x66, 0x19, 0xBD, 0x86, 0xE7, 0xC1, 0x09, 0x9B, 0x6F, 0x92, 0xB2, 0x58, 0x7D, 0xCF, 0x26}, /* Master key 0E encrypted with Master key 0F. */
}; //!TODO: Update on mkey changes.
static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
{0x20, 0x9E, 0x97, 0xAE, 0xAF, 0x7E, 0x6A, 0xF6, 0x9E, 0xF5, 0xA7, 0x17, 0x2F, 0xF4, 0x49, 0xA6}, /* Zeroes encrypted with AES Class Key 00. */
{0x83, 0x1C, 0xC7, 0x7F, 0xB8, 0xB2, 0x66, 0x16, 0xFC, 0x6B, 0x81, 0xBB, 0xF6, 0x05, 0x07, 0x49}, /* Zeroes encrypted with AES Class Key 01. */
{0x61, 0x19, 0xBA, 0x39, 0x6D, 0xFA, 0xF4, 0x63, 0x27, 0x8E, 0x9E, 0xB1, 0xEA, 0xD4, 0x65, 0xCC}, /* Zeroes encrypted with AES Class Key 02. */
{0x6C, 0xDB, 0x10, 0xD4, 0x14, 0x3A, 0xBD, 0x22, 0xC9, 0xCC, 0xEF, 0xE4, 0xA0, 0x94, 0x85, 0x87}, /* Zeroes encrypted with AES Class Key 03. */
{0xD3, 0x40, 0xC7, 0x86, 0xDC, 0x77, 0x50, 0x7C, 0x01, 0x56, 0x11, 0xDE, 0x18, 0xDF, 0x30, 0xCA}, /* Zeroes encrypted with AES Class Key 04. */
{0xC4, 0x8B, 0xD7, 0x5A, 0x22, 0x6C, 0xF7, 0x85, 0xE4, 0xC0, 0x68, 0xFC, 0xB4, 0xD8, 0x76, 0x6C}, /* Zeroes encrypted with AES Class Key 05. */
{0x83, 0x86, 0xEF, 0xE6, 0x6B, 0x38, 0x24, 0xD3, 0xC9, 0xB0, 0xE7, 0x03, 0x59, 0xC8, 0x54, 0xB9}, /* Zeroes encrypted with AES Class Key 06. */
{0xDA, 0xC0, 0xD3, 0x27, 0x1D, 0x35, 0xAB, 0x4B, 0x01, 0x63, 0x90, 0xED, 0x1B, 0x5D, 0xA7, 0x6C}, /* Zeroes encrypted with AES Class Key 07. */
{0x96, 0x75, 0x0E, 0x4F, 0xF5, 0x1A, 0xAF, 0xD4, 0x30, 0x73, 0x8C, 0x61, 0x03, 0xE5, 0xF7, 0x80}, /* Zeroes encrypted with AES Class Key 08. */
{0x74, 0xF2, 0x1D, 0xA1, 0x4C, 0x48, 0x91, 0xE6, 0xE0, 0xD5, 0x19, 0x42, 0x2A, 0x2B, 0x5D, 0xF8}, /* Zeroes encrypted with AES Class Key 09. */
{0x7D, 0xA6, 0xFE, 0xDA, 0xF9, 0xEF, 0x83, 0xD8, 0x29, 0x40, 0x24, 0x6D, 0x70, 0x8D, 0x99, 0x93}, /* Zeroes encrypted with AES Class Key 0A. */
{0xF6, 0x71, 0xAD, 0xC3, 0xCD, 0xD4, 0x2F, 0x37, 0xAB, 0x50, 0x1C, 0x9B, 0xAF, 0x3B, 0xE6, 0xC3}, /* Zeroes encrypted with AES Class Key 0B. */
{0x01, 0x96, 0x59, 0x07, 0x62, 0xF4, 0xF4, 0x2D, 0x13, 0x60, 0xD8, 0x03, 0xFB, 0xF0, 0xAE, 0xC8}, /* Zeroes encrypted with Mariko KEK. */
{0x95, 0x48, 0xC1, 0x59, 0x0F, 0x84, 0x19, 0xC4, 0xAB, 0x69, 0x05, 0x88, 0x01, 0x31, 0x52, 0x59}, /* Zeroes encrypted with Mariko BEK. */
};
static const u8 package2_key_source[0x10] __attribute__((aligned(4))) = {
0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7};
static const u8 titlekek_source[0x10] __attribute__((aligned(4))) = {
0x1E, 0xDC, 0x7B, 0x3B, 0x60, 0xE6, 0xB4, 0xD8, 0x78, 0xB8, 0x17, 0x15, 0x98, 0x5E, 0x62, 0x9B};
static const u8 keyblob_key_sources[][0x10] __attribute__((aligned(4))) = {
{0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3}, //1.0.0
{0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC}, //3.0.0
{0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B}, //3.0.1
{0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE}, //4.0.0
{0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80}, //5.0.0
{0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0} //6.0.0
};
static const u8 keyblob_mac_key_source[0x10] __attribute__((aligned(4))) = {
0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5};
static const u8 master_key_source[0x10] __attribute__((aligned(4))) = {
0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C};
static const u8 per_console_key_source[0x10] __attribute__((aligned(4))) = {
0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78};
static const u8 device_master_key_source_kek_source[0x10] __attribute__((aligned(4))) = {
0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28};
static const u8 mariko_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_600 + 1][0x10] __attribute__((aligned(4))) = {
{0x77, 0x60, 0x5A, 0xD2, 0xEE, 0x6E, 0xF8, 0x3C, 0x3F, 0x72, 0xE2, 0x59, 0x9D, 0xAC, 0x5E, 0x56}, // 6.0.0.
{0x1E, 0x80, 0xB8, 0x17, 0x3E, 0xC0, 0x60, 0xAA, 0x11, 0xBE, 0x1A, 0x4A, 0xA6, 0x6F, 0xE4, 0xAE}, // 6.2.0.
{0x94, 0x08, 0x67, 0xBD, 0x0A, 0x00, 0x38, 0x84, 0x11, 0xD3, 0x1A, 0xDB, 0xDD, 0x8D, 0xF1, 0x8A}, // 7.0.0.
{0x5C, 0x24, 0xE3, 0xB8, 0xB4, 0xF7, 0x00, 0xC2, 0x3C, 0xFD, 0x0A, 0xCE, 0x13, 0xC3, 0xDC, 0x23}, // 8.1.0.
{0x86, 0x69, 0xF0, 0x09, 0x87, 0xC8, 0x05, 0xAE, 0xB5, 0x7B, 0x48, 0x74, 0xDE, 0x62, 0xA6, 0x13}, // 9.0.0.
{0x0E, 0x44, 0x0C, 0xED, 0xB4, 0x36, 0xC0, 0x3F, 0xAA, 0x1D, 0xAE, 0xBF, 0x62, 0xB1, 0x09, 0x82}, // 9.1.0.
{0xE5, 0x41, 0xAC, 0xEC, 0xD1, 0xA7, 0xD1, 0xAB, 0xED, 0x03, 0x77, 0xF1, 0x27, 0xCA, 0xF8, 0xF1}, // 12.1.0.
{0x52, 0x71, 0x9B, 0xDF, 0xA7, 0x8B, 0x61, 0xD8, 0xD5, 0x85, 0x11, 0xE4, 0x8E, 0x4F, 0x74, 0xC6}, // 13.0.0.
{0xD2, 0x68, 0xC6, 0x53, 0x9D, 0x94, 0xF9, 0xA8, 0xA5, 0xA8, 0xA7, 0xC8, 0x8F, 0x53, 0x4B, 0x7A}, // 14.0.0.
{0xEC, 0x61, 0xBC, 0x82, 0x1E, 0x0F, 0x5A, 0xC3, 0x2B, 0x64, 0x3F, 0x9D, 0xD6, 0x19, 0x22, 0x2D}, // 15.0.0.
{0xA5, 0xEC, 0x16, 0x39, 0x1A, 0x30, 0x16, 0x08, 0x2E, 0xCF, 0x09, 0x6F, 0x5E, 0x7C, 0xEE, 0xA9}, // 16.0.0.
}; //!TODO: Update on mkey changes.
static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_600 + 1][0x10] __attribute__((aligned(4))) = {
{0x32, 0xC0, 0x97, 0x6B, 0x63, 0x6D, 0x44, 0x64, 0xF2, 0x3A, 0xA5, 0xC0, 0xDE, 0x46, 0xCC, 0xE9}, // 6.0.0.
{0xCC, 0x97, 0x4C, 0x46, 0x2A, 0x0C, 0xB0, 0xA6, 0xC9, 0xC0, 0xB7, 0xBE, 0x30, 0x2E, 0xC3, 0x68}, // 6.2.0.
{0x86, 0xBD, 0x1D, 0x76, 0x50, 0xDF, 0x6D, 0xFA, 0x2C, 0x7D, 0x33, 0x22, 0xAB, 0xF1, 0x82, 0x18}, // 7.0.0.
{0xA3, 0xB1, 0xE0, 0xA9, 0x58, 0xA2, 0x26, 0x7F, 0x40, 0xBF, 0x5B, 0xBB, 0x87, 0x33, 0x0B, 0x66}, // 8.1.0.
{0x82, 0x72, 0x91, 0x65, 0x40, 0x3B, 0x9D, 0x66, 0x60, 0xD0, 0x1B, 0x3D, 0x4D, 0xA5, 0x70, 0xE1}, // 9.0.0.
{0xF9, 0x37, 0xCF, 0x9A, 0xBD, 0x86, 0xBB, 0xA9, 0x9C, 0x9E, 0x03, 0xC4, 0xFC, 0xBC, 0x3B, 0xCE}, // 9.1.0.
{0x75, 0x2D, 0x2E, 0xF3, 0x2F, 0x3F, 0xFE, 0x65, 0xF4, 0xA9, 0x83, 0xB4, 0xED, 0x42, 0x63, 0xBA}, // 12.1.0.
{0x4D, 0x5A, 0xB2, 0xC9, 0xE9, 0xE4, 0x4E, 0xA4, 0xD3, 0xBF, 0x94, 0x12, 0x36, 0x30, 0xD0, 0x7F}, // 13.0.0.
{0xEC, 0x5E, 0xB5, 0x11, 0xD5, 0x43, 0x1E, 0x6A, 0x4E, 0x54, 0x6F, 0xD4, 0xD3, 0x22, 0xCE, 0x87}, // 14.0.0.
{0x18, 0xA5, 0x6F, 0xEF, 0x72, 0x11, 0x62, 0xC5, 0x1A, 0x14, 0xF1, 0x8C, 0x21, 0x83, 0x27, 0xB7}, // 15.0.0.
{0x3A, 0x9C, 0xF0, 0x39, 0x70, 0x23, 0xF6, 0xAF, 0x71, 0x44, 0x60, 0xF4, 0x6D, 0xED, 0xA1, 0xD6}, // 16.0.0.
}; //!TODO: Update on mkey changes.

850
source/keys/keys.c Normal file
View file

@ -0,0 +1,850 @@
/*
* Copyright (c) 2019-2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "keys.h"
#include "es_crypto.h"
#include "fs_crypto.h"
#include "nfc_crypto.h"
#include "ssl_crypto.h"
#include "../config.h"
#include <display/di.h>
#include "../frontend/gui.h"
#include <gfx_utils.h>
#include "../gfx/tui.h"
#include "../hos/hos.h"
#include <libs/fatfs/ff.h>
#include <libs/nx_savedata/header.h>
#include <libs/nx_savedata/save.h>
#include <mem/heap.h>
#include <mem/minerva.h>
#include <mem/sdram.h>
#include <sec/se.h>
#include <sec/se_t210.h>
#include <soc/fuse.h>
#include <soc/t210.h>
#include "../storage/emummc.h"
#include "../storage/nx_emmc.h"
#include "../storage/nx_emmc_bis.h"
#include <storage/nx_sd.h>
#include <storage/sdmmc.h>
#include <utils/btn.h>
#include <utils/list.h>
#include <utils/sprintf.h>
#include <utils/util.h>
#include "key_sources.inl"
#include <string.h>
extern hekate_config h_cfg;
static u32 _key_count = 0, _titlekey_count = 0;
static u32 start_time, end_time;
u32 color_idx = 0;
static void _save_key(const char *name, const void *data, u32 len, char *outbuf) {
if (!key_exists(data))
return;
u32 pos = strlen(outbuf);
pos += s_printf(&outbuf[pos], "%s = ", name);
for (u32 i = 0; i < len; i++)
pos += s_printf(&outbuf[pos], "%02x", *(u8*)(data + i));
s_printf(&outbuf[pos], "\n");
_key_count++;
}
static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf) {
char *temp_name = calloc(1, 0x40);
for (u32 i = 0; i < num_keys; i++) {
s_printf(temp_name, "%s_%02x", name, i + start_key);
_save_key(temp_name, data + i * len, len, outbuf);
}
free(temp_name);
}
static void _derive_master_keys_mariko(key_storage_t *keys, bool is_dev) {
minerva_periodic_training();
// Relies on the SBK being properly set in slot 14
se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
// Derive all master keys based on Mariko KEK
for (u32 i = KB_FIRMWARE_VERSION_600; i < ARRAY_SIZE(mariko_master_kek_sources) + KB_FIRMWARE_VERSION_600; i++) {
// Relies on the Mariko KEK being properly set in slot 12
u32 kek_source_index = i - KB_FIRMWARE_VERSION_600;
const void *kek_source = is_dev ? &mariko_master_kek_sources_dev[kek_source_index] : &mariko_master_kek_sources[kek_source_index];
se_aes_crypt_block_ecb(KS_MARIKO_KEK, DECRYPT, keys->master_kek[i], kek_source);
load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
}
}
static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev) {
minerva_periodic_training();
if (!h_cfg.t210b01) {
u32 tsec_root_key_slot = is_dev ? KS_TSEC_ROOT_DEV : KS_TSEC_ROOT;
// Derive all master keys based on current root key
for (u32 i = KB_FIRMWARE_VERSION_810 - KB_FIRMWARE_VERSION_620; i < ARRAY_SIZE(master_kek_sources); i++) {
u32 key_index = i + KB_FIRMWARE_VERSION_620;
se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[key_index], master_kek_sources[i]);
load_aes_key(KS_AES_ECB, keys->master_key[key_index], keys->master_kek[key_index], master_key_source);
}
}
minerva_periodic_training();
// Derive all lower master keys
for (u32 i = KB_FIRMWARE_VERSION_MAX; i > 0; i--) {
load_aes_key(KS_AES_ECB, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]);
}
load_aes_key(KS_AES_ECB, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]);
if (key_exists(keys->temp_key)) {
EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod");
memset(keys->master_key, 0, sizeof(keys->master_key));
}
}
static void _derive_keyblob_keys(key_storage_t *keys) {
minerva_periodic_training();
encrypted_keyblob_t *keyblob_buffer = (encrypted_keyblob_t *)calloc(KB_FIRMWARE_VERSION_600 + 1, sizeof(encrypted_keyblob_t));
u32 keyblob_mac[SE_AES_CMAC_DIGEST_SIZE / 4] = {0};
bool have_keyblobs = true;
if (FUSE(FUSE_PRIVATE_KEY0) != 0xFFFFFFFF) {
keys->secure_boot_key[0] = FUSE(FUSE_PRIVATE_KEY0);
keys->secure_boot_key[1] = FUSE(FUSE_PRIVATE_KEY1);
keys->secure_boot_key[2] = FUSE(FUSE_PRIVATE_KEY2);
keys->secure_boot_key[3] = FUSE(FUSE_PRIVATE_KEY3);
}
if (!emmc_storage.initialized) {
have_keyblobs = false;
} else if (!emummc_storage_read(KEYBLOB_OFFSET / NX_EMMC_BLOCKSIZE, KB_FIRMWARE_VERSION_600 + 1, keyblob_buffer)) {
EPRINTF("Unable to read keyblobs.");
have_keyblobs = false;
} else {
have_keyblobs = true;
}
encrypted_keyblob_t *current_keyblob = keyblob_buffer;
for (u32 i = 0; i < ARRAY_SIZE(keyblob_key_sources); i++, current_keyblob++) {
minerva_periodic_training();
se_aes_crypt_block_ecb(KS_TSEC, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]);
se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]);
load_aes_key(KS_AES_ECB, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source);
if (i == 0) {
se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key, per_console_key_source);
se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
}
if (!have_keyblobs) {
continue;
}
// Verify keyblob is not corrupt
se_aes_key_set(KS_AES_CMAC, keys->keyblob_mac_key[i], sizeof(keys->keyblob_mac_key[i]));
se_aes_cmac(KS_AES_CMAC, keyblob_mac, sizeof(keyblob_mac), current_keyblob->iv, sizeof(current_keyblob->iv) + sizeof(keyblob_t));
if (memcmp(current_keyblob->cmac, keyblob_mac, sizeof(keyblob_mac)) != 0) {
EPRINTFARGS("Keyblob %x corrupt.", i);
continue;
}
// Decrypt keyblobs
se_aes_key_set(KS_AES_CTR, keys->keyblob_key[i], sizeof(keys->keyblob_key[i]));
se_aes_crypt_ctr(KS_AES_CTR, &keys->keyblob[i], sizeof(keyblob_t), &current_keyblob->key_data, sizeof(keyblob_t), current_keyblob->iv);
memcpy(keys->package1_key[i], keys->keyblob[i].package1_key, sizeof(keys->package1_key[i]));
memcpy(keys->master_kek[i], keys->keyblob[i].master_kek, sizeof(keys->master_kek[i]));
if (!key_exists(keys->master_key[i])) {
load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
}
}
free(keyblob_buffer);
}
static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
key_storage_t *keys = is_dev ? dev_keys : prod_keys;
if (h_cfg.t210b01) {
_derive_master_keys_mariko(keys, is_dev);
_derive_master_keys_from_latest_key(keys, is_dev);
} else {
if (run_ams_keygen()) {
EPRINTF("Failed to run keygen.");
return;
}
u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(&dev_keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(&prod_keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
if (FUSE(FUSE_PRIVATE_KEY0) != 0xFFFFFFFF) {
memcpy(&dev_keys->secure_boot_key, aes_keys + KS_SECURE_BOOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
memcpy(&prod_keys->secure_boot_key, aes_keys + KS_SECURE_BOOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
}
free(aes_keys);
_derive_master_keys_from_latest_key(prod_keys, false);
_derive_master_keys_from_latest_key(dev_keys, true);
_derive_keyblob_keys(keys);
}
}
static void _derive_bis_keys(key_storage_t *keys) {
minerva_periodic_training();
u32 generation = fuse_read_odm_keygen_rev();
fs_derive_bis_keys(keys, keys->bis_key, generation);
}
static void _derive_misc_keys(key_storage_t *keys) {
minerva_periodic_training();
fs_derive_save_mac_key(keys, keys->save_mac_key);
}
static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) {
minerva_periodic_training();
fs_derive_header_key(keys, keys->header_key);
es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev);
ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev);
for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) {
minerva_periodic_training();
if (!key_exists(keys->master_key[generation]))
continue;
for (u32 source_type = 0; source_type < ARRAY_SIZE(key_area_key_sources); source_type++) {
fs_derive_key_area_key(keys, keys->key_area_key[source_type][generation], source_type, generation);
}
load_aes_key(KS_AES_ECB, keys->package2_key[generation], keys->master_key[generation], package2_key_source);
load_aes_key(KS_AES_ECB, keys->titlekek[generation], keys->master_key[generation], titlekek_source);
}
}
// Returns true when terminator is found
static bool _count_ticket_records(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 *tkey_count) {
ticket_record_t *curr_ticket_record = (ticket_record_t *)titlekey_buffer->read_buffer;
for (u32 i = 0; i < buf_size; i += sizeof(ticket_record_t), curr_ticket_record++) {
if (curr_ticket_record->rights_id[0] == 0xFF)
return true;
(*tkey_count)++;
}
return false;
}
static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, eticket_rsa_keypair_t *rsa_keypair) {
FIL fp;
u64 br = buf_size;
u64 offset = 0;
u32 file_tkey_count = 0;
u32 save_x = gfx_con.x, save_y = gfx_con.y;
bool is_personalized = rsa_keypair != NULL;
const char ticket_bin_path[32] = "/ticket.bin";
const char ticket_list_bin_path[32] = "/ticket_list.bin";
char titlekey_save_path[32] = "bis:/save/80000000000000E1";
save_data_file_ctx_t ticket_file;
if (is_personalized) {
titlekey_save_path[25] = '2';
gfx_printf("\n%kPersonalized... ", colors[color_idx % 6]);
} else {
gfx_printf("\n%kCommon... ", colors[color_idx % 6]);
}
if (f_open(&fp, titlekey_save_path, FA_READ | FA_OPEN_EXISTING)) {
EPRINTF("Unable to open e1 save. Skipping.");
return false;
}
save_ctx_t *save_ctx = calloc(1, sizeof(save_ctx_t));
save_init(save_ctx, &fp, save_mac_key, 0);
bool save_process_success = save_process(save_ctx);
TPRINTF("\n Save process...");
if (!save_process_success) {
EPRINTF("Failed to process es save.");
f_close(&fp);
save_free_contexts(save_ctx);
free(save_ctx);
return false;
}
if (!save_open_file(save_ctx, &ticket_file, ticket_list_bin_path, OPEN_MODE_READ)) {
EPRINTF("Unable to locate ticket_list.bin in save.");
f_close(&fp);
save_free_contexts(save_ctx);
free(save_ctx);
return false;
}
// Read ticket list to get ticket count
while (offset < ticket_file.size) {
minerva_periodic_training();
if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) ||
titlekey_buffer->read_buffer[0] == 0 ||
br != buf_size ||
_count_ticket_records(buf_size, titlekey_buffer, &file_tkey_count)
) {
break;
}
offset += br;
}
TPRINTF(" Count titlekeys...");
if (!save_open_file(save_ctx, &ticket_file, ticket_bin_path, OPEN_MODE_READ)) {
EPRINTF("Unable to locate ticket.bin in save.");
f_close(&fp);
save_free_contexts(save_ctx);
free(save_ctx);
return false;
}
if (is_personalized)
se_rsa_key_set(0, rsa_keypair->modulus, sizeof(rsa_keypair->modulus), rsa_keypair->private_exponent, sizeof(rsa_keypair->private_exponent));
offset = 0;
u32 pct = 0, last_pct = 0, remaining = file_tkey_count;
while (offset < ticket_file.size && remaining) {
if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || titlekey_buffer->read_buffer[0] == 0 || br != buf_size)
break;
offset += br;
es_decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, &_titlekey_count, save_x, save_y, &pct, &last_pct, is_personalized);
remaining -= MIN(buf_size / sizeof(ticket_t), remaining);
}
tui_pbar(save_x, save_y, 100, COLOR_GREEN, 0xFF155500);
f_close(&fp);
save_free_contexts(save_ctx);
free(save_ctx);
gfx_con_setpos(0, save_y);
if (is_personalized) {
TPRINTFARGS("\n%kPersonalized... ", colors[(color_idx++) % 6]);
} else {
TPRINTFARGS("\n%kCommon... ", colors[(color_idx++) % 6]);
}
gfx_printf("\n\n\n");
return true;
}
static bool _derive_sd_seed(key_storage_t *keys) {
FIL fp;
u32 read_bytes = 0;
char *private_path = malloc(200);
strcpy(private_path, "sd:/");
if (emu_cfg.nintendo_path && (emu_cfg.enabled || !h_cfg.emummc_force_disable)) {
strcat(private_path, emu_cfg.nintendo_path);
} else {
strcat(private_path, "Nintendo");
}
strcat(private_path, "/Contents/private");
FRESULT fr = f_open(&fp, private_path, FA_READ | FA_OPEN_EXISTING);
free(private_path);
if (fr) {
EPRINTF("Unable to open SD seed vector. Skipping.");
return false;
}
// Get sd seed verification vector
if (f_read(&fp, keys->temp_key, SE_KEY_128_SIZE, &read_bytes) || read_bytes != SE_KEY_128_SIZE) {
EPRINTF("Unable to read SD seed vector. Skipping.");
f_close(&fp);
return false;
}
f_close(&fp);
// This file is small enough that parsing the savedata properly is slower
if (f_open(&fp, "bis:/save/8000000000000043", FA_READ | FA_OPEN_EXISTING)) {
EPRINTF("Unable to open ns_appman save.\nSkipping SD seed.");
return false;
}
u8 read_buf[0x20] __attribute__((aligned(4))) = {0};
// Skip the two header blocks and only check the first bytes of each block
// File contents are always block-aligned
for (u32 i = SAVE_BLOCK_SIZE_DEFAULT * 2; i < f_size(&fp); i += SAVE_BLOCK_SIZE_DEFAULT) {
if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20)
break;
if (memcmp(keys->temp_key, read_buf, sizeof(keys->temp_key)) == 0) {
memcpy(keys->sd_seed, read_buf + 0x10, sizeof(keys->sd_seed));
break;
}
}
f_close(&fp);
TPRINTFARGS("%kSD Seed... ", colors[(color_idx++) % 6]);
return true;
}
static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
if (!key_exists(&keys->eticket_rsa_keypair)) {
return false;
}
gfx_printf("%kTitlekeys... \n", colors[(color_idx++) % 6]);
const u32 buf_size = SAVE_BLOCK_SIZE_DEFAULT;
_get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, NULL);
_get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &keys->eticket_rsa_keypair);
gfx_printf("\n%k Found %d titlekeys.\n\n", colors[(color_idx++) % 6], _titlekey_count);
return true;
}
static void _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
// Set BIS keys.
// PRODINFO/PRODINFOF
se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, SE_KEY_128_SIZE);
se_aes_key_set(KS_BIS_00_TWEAK, keys->bis_key[0] + 0x10, SE_KEY_128_SIZE);
// SAFE
se_aes_key_set(KS_BIS_01_CRYPT, keys->bis_key[1] + 0x00, SE_KEY_128_SIZE);
se_aes_key_set(KS_BIS_01_TWEAK, keys->bis_key[1] + 0x10, SE_KEY_128_SIZE);
// SYSTEM/USER
se_aes_key_set(KS_BIS_02_CRYPT, keys->bis_key[2] + 0x00, SE_KEY_128_SIZE);
se_aes_key_set(KS_BIS_02_TWEAK, keys->bis_key[2] + 0x10, SE_KEY_128_SIZE);
if (!emummc_storage_set_mmc_partition(EMMC_GPP)) {
EPRINTF("Unable to set partition.");
return;
}
if (!decrypt_ssl_rsa_key(keys, titlekey_buffer)) {
EPRINTF("Unable to derive SSL key.");
}
if (!decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev)) {
EPRINTF("Unable to derive ETicket key.");
}
// Parse eMMC GPT
LIST_INIT(gpt);
nx_emmc_gpt_parse(&gpt, &emmc_storage);
emmc_part_t *system_part = nx_emmc_part_find(&gpt, "SYSTEM");
if (!system_part) {
EPRINTF("Unable to locate System partition.");
nx_emmc_gpt_free(&gpt);
return;
}
nx_emmc_bis_init(system_part);
if (f_mount(&emmc_fs, "bis:", 1)) {
EPRINTF("Unable to mount system partition.");
nx_emmc_gpt_free(&gpt);
return;
}
if (!sd_mount()) {
EPRINTF("Unable to mount SD.");
} else if (!_derive_sd_seed(keys)) {
EPRINTF("Unable to get SD seed.");
}
if (!_derive_titlekeys(keys, titlekey_buffer, is_dev)) {
EPRINTF("Unable to derive titlekeys.");
}
f_mount(NULL, "bis:", 1);
nx_emmc_gpt_free(&gpt);
}
// The security engine supports partial key override for locked keyslots
// This allows for a manageable brute force on a PC
// Then the Mariko AES class keys, KEK, BEK, unique SBK and SSK can be recovered
int save_mariko_partial_keys(u32 start, u32 count, bool append) {
const char *keyfile_path = "sd:/switch/partialaes.keys";
if (!f_stat(keyfile_path, NULL)) {
f_unlink(keyfile_path);
}
if (start + count > SE_AES_KEYSLOT_COUNT) {
return 1;
}
display_backlight_brightness(h_cfg.backlight, 1000);
gfx_clear_partial_grey(0x1B, 32, 1224);
gfx_con_setpos(0, 32);
color_idx = 0;
u32 pos = 0;
u32 zeros[SE_KEY_128_SIZE / 4] = {0};
u8 *data = malloc(4 * SE_KEY_128_SIZE);
char *text_buffer = calloc(count, 0x100);
for (u32 ks = start; ks < start + count; ks++) {
// Check if key is as expected
if (ks < ARRAY_SIZE(mariko_key_vectors)) {
se_aes_crypt_block_ecb(ks, DECRYPT, &data[0], mariko_key_vectors[ks]);
if (key_exists(data)) {
EPRINTFARGS("Failed to validate keyslot %d.", ks);
continue;
}
}
// Encrypt zeros with complete key
se_aes_crypt_block_ecb(ks, ENCRYPT, &data[3 * SE_KEY_128_SIZE], zeros);
// We only need to overwrite 3 of the dwords of the key
for (u32 i = 0; i < 3; i++) {
// Overwrite ith dword of key with zeros
se_aes_key_partial_set(ks, i, 0);
// Encrypt zeros with more of the key zeroed out
se_aes_crypt_block_ecb(ks, ENCRYPT, &data[(2 - i) * SE_KEY_128_SIZE], zeros);
}
// Skip saving key if two results are the same indicating unsuccessful overwrite or empty slot
if (memcmp(&data[0], &data[SE_KEY_128_SIZE], SE_KEY_128_SIZE) == 0) {
EPRINTFARGS("Failed to overwrite keyslot %d.", ks);
continue;
}
pos += s_printf(&text_buffer[pos], "%d\n", ks);
for (u32 i = 0; i < 4; i++) {
for (u32 j = 0; j < SE_KEY_128_SIZE; j++)
pos += s_printf(&text_buffer[pos], "%02x", data[i * SE_KEY_128_SIZE + j]);
pos += s_printf(&text_buffer[pos], " ");
}
pos += s_printf(&text_buffer[pos], "\n");
}
free(data);
if (strlen(text_buffer) == 0) {
EPRINTFARGS("Failed to dump partial keys %d-%d.", start, start + count - 1);
free(text_buffer);
return 2;
}
FIL fp;
BYTE mode = FA_WRITE;
if (append) {
mode |= FA_OPEN_APPEND;
} else {
mode |= FA_CREATE_ALWAYS;
}
if (!sd_mount()) {
EPRINTF("Unable to mount SD.");
free(text_buffer);
return 3;
}
if (f_open(&fp, keyfile_path, mode)) {
EPRINTF("Unable to write partial keys to SD.");
free(text_buffer);
return 3;
}
f_write(&fp, text_buffer, strlen(text_buffer), NULL);
f_close(&fp);
gfx_printf("%kWrote partials to %s\n", colors[(color_idx++) % 6], keyfile_path);
free(text_buffer);
return 0;
}
static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
if (!sd_mount()) {
EPRINTF("Unable to mount SD.");
return;
}
u32 text_buffer_size = MAX(_titlekey_count * sizeof(titlekey_text_buffer_t) + 1, SZ_16K);
char *text_buffer = (char *)calloc(1, text_buffer_size);
SAVE_KEY(aes_kek_generation_source);
SAVE_KEY(aes_key_generation_source);
SAVE_KEY(bis_kek_source);
SAVE_KEY_FAMILY_VAR(bis_key, keys->bis_key, 0);
SAVE_KEY_FAMILY_VAR(bis_key_source, bis_key_sources, 0);
SAVE_KEY_VAR(device_key, keys->device_key);
SAVE_KEY_VAR(device_key_4x, keys->device_key_4x);
SAVE_KEY_VAR(eticket_rsa_kek, keys->eticket_rsa_kek);
SAVE_KEY_VAR(eticket_rsa_kek_personalized, keys->eticket_rsa_kek_personalized);
if (is_dev) {
SAVE_KEY_VAR(eticket_rsa_kek_source, eticket_rsa_kek_source_dev);
} else {
SAVE_KEY(eticket_rsa_kek_source);
}
SAVE_KEY(eticket_rsa_kekek_source);
_save_key("eticket_rsa_keypair", &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), text_buffer);
SAVE_KEY(header_kek_source);
SAVE_KEY_VAR(header_key, keys->header_key);
SAVE_KEY(header_key_source);
SAVE_KEY_FAMILY_VAR(key_area_key_application, keys->key_area_key[0], 0);
SAVE_KEY_VAR(key_area_key_application_source, key_area_key_sources[0]);
SAVE_KEY_FAMILY_VAR(key_area_key_ocean, keys->key_area_key[1], 0);
SAVE_KEY_VAR(key_area_key_ocean_source, key_area_key_sources[1]);
SAVE_KEY_FAMILY_VAR(key_area_key_system, keys->key_area_key[2], 0);
SAVE_KEY_VAR(key_area_key_system_source, key_area_key_sources[2]);
SAVE_KEY_FAMILY_VAR(keyblob, keys->keyblob, 0);
SAVE_KEY_FAMILY_VAR(keyblob_key, keys->keyblob_key, 0);
SAVE_KEY_FAMILY_VAR(keyblob_key_source, keyblob_key_sources, 0);
SAVE_KEY_FAMILY_VAR(keyblob_mac_key, keys->keyblob_mac_key, 0);
SAVE_KEY(keyblob_mac_key_source);
if (is_dev) {
SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources_dev, KB_FIRMWARE_VERSION_600);
} else {
SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources, KB_FIRMWARE_VERSION_600);
}
SAVE_KEY_FAMILY_VAR(master_kek, keys->master_kek, 0);
SAVE_KEY_FAMILY_VAR(master_kek_source, master_kek_sources, KB_FIRMWARE_VERSION_620);
SAVE_KEY_FAMILY_VAR(master_key, keys->master_key, 0);
SAVE_KEY(master_key_source);
SAVE_KEY_FAMILY_VAR(package1_key, keys->package1_key, 0);
SAVE_KEY_FAMILY_VAR(package2_key, keys->package2_key, 0);
SAVE_KEY(package2_key_source);
SAVE_KEY(per_console_key_source);
SAVE_KEY(retail_specific_aes_key_source);
SAVE_KEY(save_mac_kek_source);
SAVE_KEY_VAR(save_mac_key, keys->save_mac_key);
SAVE_KEY(save_mac_key_source);
SAVE_KEY(save_mac_sd_card_kek_source);
SAVE_KEY(save_mac_sd_card_key_source);
SAVE_KEY(sd_card_custom_storage_key_source);
SAVE_KEY(sd_card_kek_source);
SAVE_KEY(sd_card_nca_key_source);
SAVE_KEY(sd_card_save_key_source);
SAVE_KEY_VAR(sd_seed, keys->sd_seed);
SAVE_KEY_VAR(secure_boot_key, keys->secure_boot_key);
SAVE_KEY_VAR(ssl_rsa_kek, keys->ssl_rsa_kek);
SAVE_KEY_VAR(ssl_rsa_kek_personalized, keys->ssl_rsa_kek_personalized);
if (is_dev) {
SAVE_KEY_VAR(ssl_rsa_kek_source, ssl_rsa_kek_source_dev);
} else {
SAVE_KEY(ssl_rsa_kek_source);
}
SAVE_KEY(ssl_rsa_kekek_source);
_save_key("ssl_rsa_key", keys->ssl_rsa_key, SE_RSA2048_DIGEST_SIZE, text_buffer);
SAVE_KEY_FAMILY_VAR(titlekek, keys->titlekek, 0);
SAVE_KEY(titlekek_source);
SAVE_KEY_VAR(tsec_key, keys->tsec_key);
char root_key_name[21] = "tsec_root_key_00";
s_printf(root_key_name + 14, "%02x", TSEC_ROOT_KEY_VERSION);
_save_key(root_key_name, keys->tsec_root_key, SE_KEY_128_SIZE, text_buffer);
gfx_printf("\n%k Found %d %s keys.\n\n", colors[(color_idx++) % 6], _key_count, is_dev ? "dev" : "prod");
gfx_printf("%kFound through master_key_%02x.\n\n", colors[(color_idx++) % 6], KB_FIRMWARE_VERSION_MAX);
f_mkdir("sd:/switch");
const char *keyfile_path = is_dev ? "sd:/switch/dev.keys" : "sd:/switch/prod.keys";
FILINFO fno;
if (!sd_save_to_file(text_buffer, strlen(text_buffer), keyfile_path) && !f_stat(keyfile_path, &fno)) {
gfx_printf("%kWrote %d bytes to %s\n", colors[(color_idx++) % 6], (u32)fno.fsize, keyfile_path);
} else {
EPRINTF("Unable to save keys to SD.");
}
if (_titlekey_count == 0 || !titlekey_buffer) {
free(text_buffer);
return;
}
memset(text_buffer, 0, text_buffer_size);
titlekey_text_buffer_t *titlekey_text = (titlekey_text_buffer_t *)text_buffer;
for (u32 i = 0; i < _titlekey_count; i++) {
for (u32 j = 0; j < SE_KEY_128_SIZE; j++)
s_printf(&titlekey_text[i].rights_id[j * 2], "%02x", titlekey_buffer->rights_ids[i][j]);
s_printf(titlekey_text[i].equals, " = ");
for (u32 j = 0; j < SE_KEY_128_SIZE; j++)
s_printf(&titlekey_text[i].titlekey[j * 2], "%02x", titlekey_buffer->titlekeys[i][j]);
s_printf(titlekey_text[i].newline, "\n");
}
keyfile_path = "sd:/switch/title.keys";
if (!sd_save_to_file(text_buffer, strlen(text_buffer), keyfile_path) && !f_stat(keyfile_path, &fno)) {
gfx_printf("%kWrote %d bytes to %s\n", colors[(color_idx++) % 6], (u32)fno.fsize, keyfile_path);
} else {
EPRINTF("Unable to save titlekeys to SD.");
}
free(text_buffer);
}
static void _derive_keys() {
minerva_periodic_training();
if (!check_keyslot_access()) {
EPRINTF("Unable to set crypto keyslots!\nTry launching payload differently\n or flash Spacecraft-NX if using a modchip.");
return;
}
u32 start_whole_operation_time = get_tmr_us();
if (emummc_storage_init_mmc()) {
EPRINTF("Unable to init MMC.");
} else {
TPRINTFARGS("%kMMC init... ", colors[(color_idx++) % 6]);
}
minerva_periodic_training();
if (emmc_storage.initialized && !emummc_storage_set_mmc_partition(EMMC_BOOT0)) {
EPRINTF("Unable to set partition.");
emummc_storage_end();
}
bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV;
key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
key_storage_t *keys = is_dev ? &dev_keys : &prod_keys;
_derive_master_keys(&prod_keys, &dev_keys, is_dev);
TPRINTFARGS("%kMaster keys... ", colors[(color_idx++) % 6]);
_derive_bis_keys(keys);
TPRINTFARGS("%kBIS keys... ", colors[(color_idx++) % 6]);
_derive_misc_keys(keys);
_derive_non_unique_keys(&prod_keys, is_dev);
_derive_non_unique_keys(&dev_keys, is_dev);
titlekey_buffer_t *titlekey_buffer = (titlekey_buffer_t *)TITLEKEY_BUF_ADR;
// Requires BIS key for SYSTEM partition
if (!emmc_storage.initialized) {
EPRINTF("eMMC not initialized.\nSkipping SD seed and titlekeys.");
} else if (key_exists(keys->bis_key[2])) {
_derive_emmc_keys(keys, titlekey_buffer, is_dev);
} else {
EPRINTF("Missing needed BIS keys.\nSkipping SD seed and titlekeys.");
}
end_time = get_tmr_us();
gfx_printf("%Picklock totally done in %d us\n", colors[(color_idx++) % 6], end_time - start_whole_operation_time);
if (h_cfg.t210b01) {
// On Mariko, save only relevant key set
_save_keys_to_sd(keys, titlekey_buffer, is_dev);
} else {
// On Erista, save both prod and dev key sets
_save_keys_to_sd(&prod_keys, titlekey_buffer, false);
_key_count = 0;
_save_keys_to_sd(&dev_keys, NULL, true);
}
}
void derive_amiibo_keys() {
minerva_change_freq(FREQ_1600);
bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV;
key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
key_storage_t *keys = is_dev ? &dev_keys : &prod_keys;
_derive_master_keys(&prod_keys, &dev_keys, is_dev);
minerva_periodic_training();
display_backlight_brightness(h_cfg.backlight, 1000);
gfx_clear_partial_grey(0x1B, 32, 1224);
gfx_con_setpos(0, 32);
color_idx = 0;
minerva_periodic_training();
if (!key_exists(keys->master_key[0])) {
EPRINTF("Unable to derive master keys for NFC.");
minerva_change_freq(FREQ_800);
btn_wait();
return;
}
nfc_save_key_t __attribute__((aligned(4))) nfc_save_keys[2] = {0};
nfc_decrypt_amiibo_keys(keys, nfc_save_keys, is_dev);
minerva_periodic_training();
u32 hash[SE_SHA_256_SIZE / 4] = {0};
se_calc_sha256_oneshot(hash, &nfc_save_keys[0], sizeof(nfc_save_keys));
if (memcmp(hash, is_dev ? nfc_blob_hash_dev : nfc_blob_hash, sizeof(hash)) != 0) {
EPRINTF("Amiibo hash mismatch. Skipping save.");
} else {
const char *keyfile_path = is_dev ? "sd:/switch/key_dev.bin" : "sd:/switch/key_retail.bin";
if (!sd_save_to_file(&nfc_save_keys[0], sizeof(nfc_save_keys), keyfile_path)) {
gfx_printf("%kWrote Amiibo keys to\n %s\n", colors[(color_idx++) % 6], keyfile_path);
} else {
EPRINTF("Unable to save Amiibo keys to SD.");
}
}
gfx_printf("\n%kPress a button to return to the menu.", colors[(color_idx++) % 6]);
minerva_change_freq(FREQ_800);
btn_wait();
gfx_clear_grey(0x1B);
}
void dump_keys() {
minerva_change_freq(FREQ_1600);
display_backlight_brightness(h_cfg.backlight, 1000);
gfx_clear_grey(0x1B);
gfx_con_setpos(0, 0);
gfx_printf("[%kLo%kck%kpi%kck%k_R%kCM%k v%d.%d.%d%k]\n\n",
colors[0], colors[1], colors[2], colors[3], colors[4], colors[5], 0xFFFF00FF, LP_VER_MJ, LP_VER_MN, LP_VER_BF, 0xFFCCCCCC);
_key_count = 0;
_titlekey_count = 0;
color_idx = 0;
start_time = get_tmr_us();
_derive_keys();
emummc_load_cfg();
// Ignore whether emummc is enabled.
h_cfg.emummc_force_disable = emu_cfg.sector == 0 && !emu_cfg.path;
emu_cfg.enabled = !h_cfg.emummc_force_disable;
if (emmc_storage.initialized) {
sdmmc_storage_end(&emmc_storage);
}
minerva_change_freq(FREQ_800);
gfx_printf("\n%kPress VOL+ to save a screenshot\n or another button to return to the menu.\n\n", colors[(color_idx++) % 6]);
u8 btn = btn_wait();
if (btn == BTN_VOL_UP) {
int res = save_fb_to_bmp();
if (!res) {
gfx_printf("%kScreenshot sd:/switch/picklock_rcm.bmp saved.", colors[(color_idx++) % 6]);
} else {
EPRINTF("Screenshot failed.");
}
gfx_printf("\n%kPress a button to return to the menu.", colors[(color_idx++) % 6]);
btn_wait();
}
gfx_clear_grey(0x1B);
}

51
source/keys/keys.h Normal file
View file

@ -0,0 +1,51 @@
/*
* Copyright (c) 2019-2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _KEYS_H_
#define _KEYS_H_
#include "crypto.h"
#include "../hos/hos.h"
#include <sec/se_t210.h>
#include <utils/types.h>
#define TPRINTF(text) \
end_time = get_tmr_us(); \
gfx_printf(text" done in %d us\n", end_time - start_time); \
start_time = get_tmr_us(); \
minerva_periodic_training()
#define TPRINTFARGS(text, args...) \
end_time = get_tmr_us(); \
gfx_printf(text" done in %d us\n", args, end_time - start_time); \
start_time = get_tmr_us(); \
minerva_periodic_training()
// save key wrapper
#define SAVE_KEY(name) _save_key(#name, name, sizeof(name), text_buffer)
// save key with different name than variable
#define SAVE_KEY_VAR(name, varname) _save_key(#name, varname, sizeof(varname), text_buffer)
// save key family wrapper
#define SAVE_KEY_FAMILY(name, start) _save_key_family(#name, name, start, ARRAY_SIZE(name), sizeof(*(name)), text_buffer)
// save key family with different name than variable
#define SAVE_KEY_FAMILY_VAR(name, varname, start) _save_key_family(#name, varname, start, ARRAY_SIZE(varname), sizeof(*(varname)), text_buffer)
void dump_keys();
int save_mariko_partial_keys(u32 start, u32 count, bool append);
void derive_amiibo_keys();
#endif

54
source/keys/nfc_crypto.c Normal file
View file

@ -0,0 +1,54 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "nfc_crypto.h"
#include <mem/minerva.h>
#include <sec/se.h>
#include <string.h>
void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_keys[2], bool is_dev) {
const u8 *encrypted_keys = is_dev ? encrypted_nfc_keys_dev : encrypted_nfc_keys;
u32 kek[SE_KEY_128_SIZE / 4] = {0};
decrypt_aes_key(KS_AES_ECB, keys, kek, nfc_key_source, 0, 0);
nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
static const u8 nfc_iv[SE_AES_IV_SIZE] = {
0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
se_aes_key_set(KS_AES_CTR, kek, SE_KEY_128_SIZE);
se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
minerva_periodic_training();
u32 xor_pad[0x20 / 4] = {0};
se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE);
se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
minerva_periodic_training();
memcpy(out_nfc_save_keys[0].hmac_key, nfc_keyblob.hmac_key, sizeof(nfc_keyblob.hmac_key));
memcpy(out_nfc_save_keys[0].phrase, nfc_keyblob.phrase, sizeof(nfc_keyblob.phrase));
out_nfc_save_keys[0].seed_size = sizeof(nfc_keyblob.seed);
memcpy(out_nfc_save_keys[0].seed, nfc_keyblob.seed, sizeof(nfc_keyblob.seed));
memcpy(out_nfc_save_keys[0].xor_pad, xor_pad, sizeof(xor_pad));
memcpy(out_nfc_save_keys[1].hmac_key, nfc_keyblob.hmac_key_for_verif, sizeof(nfc_keyblob.hmac_key_for_verif));
memcpy(out_nfc_save_keys[1].phrase, nfc_keyblob.phrase_for_verif, sizeof(nfc_keyblob.phrase_for_verif));
out_nfc_save_keys[1].seed_size = sizeof(nfc_keyblob.seed_for_verif);
memcpy(out_nfc_save_keys[1].seed, nfc_keyblob.seed_for_verif, sizeof(nfc_keyblob.seed_for_verif));
memcpy(out_nfc_save_keys[1].xor_pad, xor_pad, sizeof(xor_pad));
}

75
source/keys/nfc_crypto.h Normal file
View file

@ -0,0 +1,75 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _NFC_CRYPTO_H_
#define _NFC_CRYPTO_H_
#include "crypto.h"
#include <sec/se_t210.h>
#include <utils/types.h>
static const u8 nfc_key_source[0x10] __attribute__((aligned(4))) = {
0x83, 0xF6, 0xEF, 0xD8, 0x13, 0x26, 0x49, 0xAB, 0x97, 0x5F, 0xEA, 0xBA, 0x65, 0x71, 0xCA, 0xCA};
static const u8 encrypted_nfc_keys[0x80] __attribute__((aligned(4))) = {
0x76, 0x50, 0x87, 0x02, 0x40, 0xA6, 0x5A, 0x98, 0xCE, 0x39, 0x2F, 0xC8, 0x83, 0xAF, 0x54, 0x76,
0x28, 0xFF, 0x50, 0xFC, 0xC1, 0xFB, 0x26, 0x14, 0xA2, 0x4A, 0xA6, 0x74, 0x90, 0xA4, 0x37, 0x06,
0x03, 0x63, 0xC2, 0xB1, 0xAF, 0x9F, 0xF7, 0x07, 0xFC, 0x8A, 0xB9, 0xCA, 0x28, 0x68, 0x6E, 0xF7,
0x42, 0xCD, 0x68, 0x13, 0xCD, 0x7B, 0x3A, 0x60, 0x3E, 0x8B, 0xAB, 0x3A, 0xCC, 0xED, 0xE0, 0xDD,
0x71, 0x1F, 0xA5, 0xDE, 0xB8, 0xB1, 0xF5, 0x1D, 0x14, 0x73, 0xBE, 0x27, 0xCC, 0xA1, 0x9B, 0x23,
0x06, 0x91, 0x89, 0x05, 0xED, 0xD6, 0x92, 0x76, 0x3F, 0x42, 0xFB, 0xD1, 0x8F, 0x2D, 0x6D, 0x72,
0xC8, 0x9E, 0x48, 0xE8, 0x03, 0x64, 0xF0, 0x3C, 0x0E, 0x2A, 0xF1, 0x26, 0x83, 0x02, 0x4F, 0xE2,
0x41, 0xAA, 0xC8, 0x33, 0x68, 0x84, 0x3A, 0xFB, 0x87, 0x18, 0xEA, 0xF7, 0x36, 0xA2, 0x4E, 0xA9};
static const u8 encrypted_nfc_keys_dev[0x80] __attribute__((aligned(4))) = {
0x13, 0xB0, 0xFB, 0xC2, 0x91, 0x6D, 0x6E, 0x5A, 0x10, 0x31, 0x40, 0xB7, 0xDF, 0xCF, 0x69, 0x69,
0xB0, 0xFA, 0xAE, 0x7F, 0xB2, 0x4D, 0x27, 0xC9, 0xE9, 0x3F, 0x5B, 0x38, 0x39, 0x24, 0x98, 0xCE,
0xED, 0xD2, 0xA9, 0x6C, 0x6F, 0xA7, 0x72, 0xD7, 0x11, 0x31, 0x17, 0x93, 0x12, 0x49, 0x32, 0x85,
0x21, 0xE5, 0xE1, 0x88, 0x0F, 0x08, 0xF2, 0x30, 0x5C, 0xC3, 0xAA, 0xFF, 0xC0, 0xAB, 0x21, 0x96,
0x74, 0x39, 0xED, 0xE0, 0x5A, 0xB6, 0x75, 0xC2, 0x3B, 0x08, 0x61, 0xE4, 0xA7, 0xD6, 0xED, 0x8C,
0xA9, 0x02, 0x12, 0xA6, 0xCC, 0x27, 0x4C, 0x1C, 0x41, 0x9C, 0xD8, 0x4C, 0x00, 0xC7, 0x5B, 0x5D,
0xED, 0xC2, 0x3D, 0x5E, 0x00, 0xF5, 0x49, 0xFA, 0x6C, 0x75, 0x67, 0xCF, 0x1F, 0x73, 0x1A, 0xE8,
0x47, 0xD4, 0x3D, 0x9B, 0x83, 0x5B, 0x18, 0x2F, 0x95, 0xA9, 0x04, 0xBC, 0x2E, 0xBB, 0x64, 0x4A};
static const u8 nfc_blob_hash[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
0x7F, 0x92, 0x83, 0x65, 0x4E, 0xC1, 0x09, 0x7F, 0xBD, 0xFF, 0x31, 0xDE, 0x94, 0x66, 0x51, 0xAE,
0x60, 0xC2, 0x85, 0x4A, 0xFB, 0x54, 0x4A, 0xBE, 0x89, 0x63, 0xD3, 0x89, 0x63, 0x9C, 0x71, 0x0E};
static const u8 nfc_blob_hash_dev[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
0x4E, 0x36, 0x59, 0x1C, 0x75, 0x80, 0x23, 0x03, 0x98, 0x2D, 0x45, 0xD9, 0x85, 0xB8, 0x60, 0x18,
0x7C, 0x85, 0x37, 0x9B, 0xCB, 0xBA, 0xF3, 0xDC, 0x25, 0x38, 0x73, 0xDB, 0x2F, 0xFA, 0xAE, 0x26};
typedef struct {
char phrase[0xE];
u8 seed[0xE];
u8 hmac_key[0x10];
char phrase_for_verif[0xE];
u8 seed_for_verif[0x10];
u8 hmac_key_for_verif[0x10];
u8 ctr_key[0x10];
u8 ctr_iv[0x10];
u8 pad[6];
} nfc_keyblob_t;
typedef struct {
u8 hmac_key[0x10];
char phrase[0xE];
u8 rsvd;
u8 seed_size;
u8 seed[0x10];
u8 xor_pad[0x20];
} nfc_save_key_t;
void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_keys[2], bool is_dev);
#endif

120
source/keys/ssl_crypto.c Normal file
View file

@ -0,0 +1,120 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "ssl_crypto.h"
#include "cal0_read.h"
#include "gmac.h"
#include "../config.h"
#include <gfx_utils.h>
#include <sec/se.h>
#include <sec/se_t210.h>
#include <string.h>
extern hekate_config h_cfg;
void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation) {
if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
return;
}
const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
}
void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek) {
if (!key_exists(keys->master_key[0])) {
return;
}
const u32 generation = 0;
const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
}
void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev) {
if (!key_exists(keys->master_key[0])) {
return;
}
const void *ssl_kek_source = is_dev ? ssl_rsa_kek_source_dev : ssl_rsa_kek_source;
const u32 generation = 0;
u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
}
bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer) {
if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) {
return false;
}
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer;
u32 generation = 0;
const void *encrypted_key = NULL;
const void *iv = NULL;
u32 key_size = 0;
void *ctr_key = NULL;
bool enforce_unique = true;
if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
return false;
}
if (key_size == SSL_RSA_KEY_SIZE) {
bool all_zero = true;
const u8 *key8 = (const u8 *)encrypted_key;
for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
if (key8[i] != 0) {
all_zero = false;
break;
}
}
if (all_zero) {
// Keys of this form are not encrypted
memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE);
return true;
}
ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy);
ctr_key = keys->ssl_rsa_kek_legacy;
enforce_unique = false;
} else if (generation) {
ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation);
ctr_key = keys->ssl_rsa_kek_personalized;
} else {
ctr_key = keys->ssl_rsa_kek;
}
u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv);
if (enforce_unique) {
u32 calc_mac[SE_KEY_128_SIZE / 4] = {0};
calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv);
const u8 *key8 = (const u8 *)encrypted_key;
if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
EPRINTF("SSL keypair has invalid GMac.");
memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
return false;
}
}
return true;
}

45
source/keys/ssl_crypto.h Normal file
View file

@ -0,0 +1,45 @@
/*
* Copyright (c) 2022 shchmue
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _SSL_CRYPTO_H_
#define _SSL_CRYPTO_H_
#include "crypto.h"
#include <utils/types.h>
#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE)
static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
0x7F, 0x5B, 0xB0, 0x84, 0x7B, 0x25, 0xAA, 0x67, 0xFA, 0xC8, 0x4B, 0xE2, 0x3D, 0x7B, 0x69, 0x03};
static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
0x9A, 0x38, 0x3B, 0xF4, 0x31, 0xD0, 0xBD, 0x81, 0x32, 0x53, 0x4B, 0xA9, 0x64, 0x39, 0x7D, 0xE3};
static const u8 ssl_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
0xD5, 0xD2, 0xFC, 0x00, 0xFD, 0x49, 0xDD, 0xF8, 0xEE, 0x7B, 0xC4, 0x4B, 0xE1, 0x4C, 0xAA, 0x99};
static const u8 ssl_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
0xED, 0x36, 0xB1, 0x32, 0x27, 0x17, 0xD2, 0xB0, 0xBA, 0x1F, 0xC1, 0xBD, 0x4D, 0x38, 0x0F, 0x5E};
static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = {
0x64, 0xB8, 0x30, 0xDD, 0x0F, 0x3C, 0xB7, 0xFB, 0x4C, 0x16, 0x01, 0x97, 0xEA, 0x9D, 0x12, 0x10};
static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = {
0x4D, 0x92, 0x5A, 0x69, 0x42, 0x23, 0xBB, 0x92, 0x59, 0x16, 0x3E, 0x51, 0x8C, 0x78, 0x14, 0x0F};
void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation);
void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer);
#endif