From cc4f8bf1f66e926329384f198f43781faba265e0 Mon Sep 17 00:00:00 2001 From: shchmue Date: Mon, 31 Oct 2022 21:46:38 -0700 Subject: [PATCH] keys: Move more logic out of keys.c --- bdk/utils/util.c | 14 ++ bdk/utils/util.h | 2 + source/keys/cal0_read.c | 96 +++++++++ source/keys/cal0_read.h | 27 +++ source/keys/crypto.c | 146 +++++++++++++ source/keys/crypto.h | 223 +++++++++++++++++++ source/keys/gmac.c | 2 +- source/keys/gmac.h | 2 +- source/keys/key_sources.inl | 72 ------- source/keys/keys.c | 411 +++++++++--------------------------- source/keys/keys.h | 111 +--------- 11 files changed, 615 insertions(+), 491 deletions(-) create mode 100644 source/keys/cal0_read.c create mode 100644 source/keys/cal0_read.h create mode 100644 source/keys/crypto.c create mode 100644 source/keys/crypto.h diff --git a/bdk/utils/util.c b/bdk/utils/util.c index bf30929..e05c2bc 100644 --- a/bdk/utils/util.c +++ b/bdk/utils/util.c @@ -230,3 +230,17 @@ void power_set_state_ex(void *param) power_state_t *state = (power_state_t *)param; power_set_state(*state); } + +u32 read_le_u32(const void *buffer, u32 offset) { + return (*(u8*)(buffer + offset + 0) ) | + (*(u8*)(buffer + offset + 1) << 0x08) | + (*(u8*)(buffer + offset + 2) << 0x10) | + (*(u8*)(buffer + offset + 3) << 0x18); +} + +u32 read_be_u32(const void *buffer, u32 offset) { + return (*(u8*)(buffer + offset + 3) ) | + (*(u8*)(buffer + offset + 2) << 0x08) | + (*(u8*)(buffer + offset + 1) << 0x10) | + (*(u8*)(buffer + offset + 0) << 0x18); +} diff --git a/bdk/utils/util.h b/bdk/utils/util.h index 972a906..df929bc 100644 --- a/bdk/utils/util.h +++ b/bdk/utils/util.h @@ -96,5 +96,7 @@ void panic(u32 val); void power_set_state(power_state_t state); void power_set_state_ex(void *param); +u32 read_le_u32(const void *buffer, u32 offset); +u32 read_be_u32(const void *buffer, u32 offset); #endif diff --git a/source/keys/cal0_read.c b/source/keys/cal0_read.c new file mode 100644 index 0000000..9b0c4fd --- /dev/null +++ b/source/keys/cal0_read.c @@ -0,0 +1,96 @@ +/* + * Copyright (c) 2022 shchmue + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include "cal0_read.h" + +#include +#include +#include +#include "../storage/emummc.h" +#include "../storage/nx_emmc.h" +#include + +bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer) { + nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer; + + // Check if CAL0 was already read into this buffer + if (cal0->magic == MAGIC_CAL0) { + return true; + } + + if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) { + EPRINTF("Unable to read PRODINFO."); + return false; + } + + se_aes_xts_crypt(tweak_ks, crypt_ks, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE); + + if (cal0->magic != MAGIC_CAL0) { + EPRINTF("Invalid CAL0 magic. Check BIS key 0."); + return false; + } + + return true; +} + +bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) { + const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key); + const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39); + const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key); + const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad18); + + if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, ext_key_crc_size)) { + *out_key = cal0->ext_ssl_key; + *out_key_size = ext_key_size; + *out_iv = cal0->ext_ssl_key_iv; + // Settings sysmodule manually zeroes this out below cal version 9 + *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver; + } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) { + *out_key = cal0->ssl_key; + *out_key_size = key_size; + *out_iv = cal0->ssl_key_iv; + *out_generation = 0; + } else { + EPRINTF("Crc16 error reading device key."); + return false; + } + return true; +} + + +bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) { + const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key); + const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38); + const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key); + const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad21); + + if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) { + *out_key = cal0->ext_ecc_rsa2048_eticket_key; + *out_key_size = ext_key_size; + *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv; + // Settings sysmodule manually zeroes this out below cal version 9 + *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver; + } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) { + *out_key = cal0->rsa2048_eticket_key; + *out_key_size = key_size; + *out_iv = cal0->rsa2048_eticket_key_iv; + *out_generation = 0; + } else { + EPRINTF("Crc16 error reading device key."); + return false; + } + return true; +} diff --git a/source/keys/cal0_read.h b/source/keys/cal0_read.h new file mode 100644 index 0000000..2ab1ae1 --- /dev/null +++ b/source/keys/cal0_read.h @@ -0,0 +1,27 @@ +/* + * Copyright (c) 2022 shchmue + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef _CAL0_READ_H_ +#define _CAL0_READ_H_ + +#include "../storage/nx_emmc_bis.h" +#include + +bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer); +bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation); +bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation); + +#endif diff --git a/source/keys/crypto.c b/source/keys/crypto.c new file mode 100644 index 0000000..cd5afd0 --- /dev/null +++ b/source/keys/crypto.c @@ -0,0 +1,146 @@ +/* + * Copyright (c) 2022 shchmue + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include "crypto.h" + +#include "../config.h" +#include "../hos/hos.h" +#include +#include +#include +#include + +#include + +extern hekate_config h_cfg; + +bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) { + u32 plaintext[SE_RSA2048_DIGEST_SIZE / 4] = {0}, + ciphertext[SE_RSA2048_DIGEST_SIZE / 4] = {0}, + work[SE_RSA2048_DIGEST_SIZE / 4] = {0}; + + plaintext[63] = 0xCAFEBABE; + + se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, private_exponent, SE_RSA2048_DIGEST_SIZE); + se_rsa_exp_mod(0, ciphertext, SE_RSA2048_DIGEST_SIZE, plaintext, SE_RSA2048_DIGEST_SIZE); + + se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, public_exponent, 4); + se_rsa_exp_mod(0, work, SE_RSA2048_DIGEST_SIZE, ciphertext, SE_RSA2048_DIGEST_SIZE); + + return memcmp(plaintext, work, SE_RSA2048_DIGEST_SIZE) == 0; +} + +bool test_eticket_rsa_keypair(const rsa_keypair_t *keypair) { + // Unlike the SSL RSA key, we don't need to check the gmac - we can just verify the public exponent + // and test the keypair since we have the modulus + if ((read_be_u32(keypair->public_exponent, 0) != RSA_PUBLIC_EXPONENT) || + (!test_rsa_keypair(keypair->public_exponent, keypair->private_exponent, keypair->modulus))) { + return false; + } + return true; +} + +// Equivalent to spl::GenerateAesKek +void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) { + bool device_unique = GET_IS_DEVICE_UNIQUE(option); + u32 seal_key_index = GET_SEAL_KEY_INDEX(option); + + if (generation) + generation--; + + u8 static_source[SE_KEY_128_SIZE] __attribute__((aligned(4))); + for (u32 i = 0; i < SE_KEY_128_SIZE; i++) + static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i]; + + if (device_unique) { + get_device_key(ks, keys, keys->temp_key, generation); + } else { + memcpy(keys->temp_key, keys->master_key[generation], sizeof(keys->temp_key)); + } + se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE); + se_aes_unwrap_key(ks, ks, static_source); + se_aes_crypt_block_ecb(ks, DECRYPT, out_kek, kek_source); +} + +// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key +void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source) { + se_aes_key_set(ks, access_key, SE_KEY_128_SIZE); + se_aes_crypt_block_ecb(ks, DECRYPT, out_key, key_source); +} + +// Equivalent to spl::GenerateAesKey +void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) { + void *aes_key = keys->temp_key; + load_aes_key(ks, aes_key, access_key, aes_key_generation_source); + se_aes_key_set(ks, aes_key, SE_KEY_128_SIZE); + se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size); +} + +// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing +void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source) { + load_aes_key(ks, out_key, access_key, key_source); +} + +// Equivalent to spl::DecryptAesKey. +void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) { + void *access_key = keys->temp_key; + generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option); + generate_aes_key(ks, keys, out_key, SE_KEY_128_SIZE, access_key, key_source); +} + +// Equivalent to smc::GetSecureData +void get_secure_data(key_storage_t *keys, void *out_data) { + se_aes_key_set(KS_AES_CTR, keys->device_key, SE_KEY_128_SIZE); + u8 *d = (u8 *)out_data; + se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 0, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]); + se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 1, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]); + + // Apply tweak + for (u32 i = 0; i < SE_KEY_128_SIZE; i++) { + d[SE_KEY_128_SIZE + i] ^= secure_data_tweaks[0][i]; + } +} + +// Equivalent to spl::GenerateSpecificAesKey +void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation) { + if (fuse_read_bootrom_rev() >= 0x7F) { + get_device_key(ks, keys, keys->temp_key, generation == 0 ? 0 : generation - 1); + se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE); + se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source); + se_aes_crypt_ecb(ks, DECRYPT, out_key, SE_KEY_128_SIZE * 2, key_source, SE_KEY_128_SIZE * 2); + } else { + get_secure_data(keys, out_key); + } +} + +void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation) { + if (generation == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) { + memcpy(out_device_key, keys->device_key, SE_KEY_128_SIZE); + return; + } + + if (generation >= KB_FIRMWARE_VERSION_400) { + generation -= KB_FIRMWARE_VERSION_400; + } else { + generation = 0; + } + u32 temp_key_source[SE_KEY_128_SIZE / 4] = {0}; + load_aes_key(ks, temp_key_source, keys->device_key_4x, device_master_key_source_sources[generation]); + const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[generation] : device_master_kek_sources_dev[generation]; + se_aes_key_set(ks, keys->master_key[0], SE_KEY_128_SIZE); + se_aes_unwrap_key(ks, ks, kek_source); + se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source); +} diff --git a/source/keys/crypto.h b/source/keys/crypto.h new file mode 100644 index 0000000..4e1d0d7 --- /dev/null +++ b/source/keys/crypto.h @@ -0,0 +1,223 @@ +/* + * Copyright (c) 2022 shchmue + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2, as published by the Free Software Foundation. + * + * This program is distributed in the hope it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef _CRYPTO_H_ +#define _CRYPTO_H_ + +#include "../hos/hos.h" +#include +#include + +static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = { + 0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9}; + +static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = { + 0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8}; + +static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = { + 0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E}; + +static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { + {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0 Device Master Kek Source. */ + {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0 Device Master Kek Source. */ + {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0 Device Master Kek Source. */ + {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0 Device Master Kek Source. */ + {0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0 Device Master Kek Source. */ + {0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0 Device Master Kek Source. */ + {0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0 Device Master Kek Source. */ + {0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0 Device Master Kek Source. */ + {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */ + {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */ + {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */ + {0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */ +}; //!TODO: Update on mkey changes. + +static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { + {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0 Device Master Kek Source. */ + {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0 Device Master Kek Source. */ + {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0 Device Master Kek Source. */ + {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0 Device Master Kek Source. */ + {0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0 Device Master Kek Source. */ + {0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0 Device Master Kek Source. */ + {0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0 Device Master Kek Source. */ + {0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0 Device Master Kek Source. */ + {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */ + {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */ + {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */ + {0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */ +}; //!TODO: Update on mkey changes. + +static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { + {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0 Device Master Key Source Source. */ + {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0 Device Master Key Source Source. */ + {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0 Device Master Key Source Source. */ + {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0 Device Master Key Source Source. */ + {0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0 Device Master Key Source Source. */ + {0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0 Device Master Key Source Source. */ + {0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0 Device Master Key Source Source. */ + {0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0 Device Master Key Source Source. */ + {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */ + {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */ + {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ + {0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */ +}; //!TODO: Update on mkey changes. + +static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = { + {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // SealKey_LoadAesKey + {0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}, // SealKey_DecryptDeviceUniqueData + {0x57, 0xE2, 0xD9, 0x45, 0xE4, 0x92, 0xF4, 0xFD, 0xC3, 0xF9, 0x86, 0x38, 0x89, 0x78, 0x9F, 0x3C}, // SealKey_ImportLotusKey + {0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}, // SealKey_ImportEsDeviceKey + {0x59, 0xD9, 0x31, 0xF4, 0xA7, 0x97, 0xB8, 0x14, 0x40, 0xD6, 0xA2, 0x60, 0x2B, 0xED, 0x15, 0x31}, // SealKey_ReencryptDeviceUniqueData + {0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75}, // SealKey_ImportSslKey + {0x89, 0x96, 0x43, 0x9A, 0x7C, 0xD5, 0x59, 0x55, 0x24, 0xD5, 0x24, 0x18, 0xAB, 0x6C, 0x04, 0x61}, // SealKey_ImportEsClientCertKey +}; + +static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = { + 0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95}; + +static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + +static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = { + {0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9} +}; + +static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = { + {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E} +}; + +// Lockpick_RCM keyslots +#define KS_BIS_00_CRYPT 0 +#define KS_BIS_00_TWEAK 1 +#define KS_BIS_01_CRYPT 2 +#define KS_BIS_01_TWEAK 3 +#define KS_BIS_02_CRYPT 4 +#define KS_BIS_02_TWEAK 5 +#define KS_AES_CTR 6 +#define KS_AES_ECB 8 +#define KS_AES_CMAC 10 + +// Mariko keyslots +#define KS_MARIKO_KEK 12 +#define KS_MARIKO_BEK 13 + +// Other Switch keyslots +#define KS_TSEC 12 +#define KS_SECURE_BOOT 14 + +// Atmosphere keygen keyslots +#define KS_TSEC_ROOT_DEV 11 +#define KS_TSEC_ROOT 13 + +#define RSA_PUBLIC_EXPONENT 65537 + +#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE) +#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE) + +typedef struct { + u8 private_exponent[SE_RSA2048_DIGEST_SIZE]; + u8 modulus[SE_RSA2048_DIGEST_SIZE]; + u8 public_exponent[4]; + u8 reserved[0xC]; +} rsa_keypair_t; + +typedef struct { + u8 master_kek[SE_KEY_128_SIZE]; + u8 data[0x70]; + u8 package1_key[SE_KEY_128_SIZE]; +} keyblob_t; + +typedef struct { + u8 cmac[0x10]; + u8 iv[0x10]; + keyblob_t key_data; + u8 unused[0x150]; +} encrypted_keyblob_t; + +typedef struct { + u8 temp_key[SE_KEY_128_SIZE], + bis_key[4][SE_KEY_128_SIZE * 2], + device_key[SE_KEY_128_SIZE], + device_key_4x[SE_KEY_128_SIZE], + sd_seed[SE_KEY_128_SIZE], + // FS-related keys + header_key[SE_KEY_128_SIZE * 2], + save_mac_key[SE_KEY_128_SIZE], + // other sysmodule keys + eticket_rsa_kek[SE_KEY_128_SIZE], + eticket_rsa_kek_personalized[SE_KEY_128_SIZE], + ssl_rsa_kek[SE_KEY_128_SIZE], + ssl_rsa_kek_legacy[SE_KEY_128_SIZE], + ssl_rsa_kek_personalized[SE_KEY_128_SIZE], + ssl_rsa_key[SE_RSA2048_DIGEST_SIZE + 0x20], + // keyblob-derived families + keyblob_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE], + keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE], + package1_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE], + // master key-derived families + key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], + master_kek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], + master_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], + package2_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], + titlekek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], + tsec_key[SE_KEY_128_SIZE], + tsec_root_key[SE_KEY_128_SIZE]; + u32 sbk[4]; + keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1]; + rsa_keypair_t eticket_rsa_keypair; +} key_storage_t; + +typedef enum { + SEAL_KEY_LOAD_AES_KEY = 0, + SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA = 1, + SEAL_KEY_IMPORT_LOTUS_KEY = 2, + SEAL_KEY_IMPORT_ES_DEVICE_KEY = 3, + SEAL_KEY_REENCRYPT_DEVICE_UNIQUE_DATA = 4, + SEAL_KEY_IMPORT_SSL_KEY = 5, + SEAL_KEY_IMPORT_ES_CLIENT_CERT_KEY = 6, +} seal_key_t; + +typedef enum { + NOT_DEVICE_UNIQUE = 0, + IS_DEVICE_UNIQUE = 1, +} device_unique_t; + +#define SET_SEAL_KEY_INDEX(x) (((x) & 7) << 5) +#define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7) +#define GET_IS_DEVICE_UNIQUE(x) ((x) & 1) + +bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus); +bool test_eticket_rsa_keypair(const rsa_keypair_t *keypair); + +// Equivalent to spl::GenerateAesKek +void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option); +// Equivalent to spl::GenerateAesKey +void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source); +// Equivalent to spl::GenerateSpecificAesKey +void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation); +// Equivalent to spl::DecryptAesKey. +void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option); +// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key +void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source); + +// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing +void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source); +// Equivalent to smc::GetSecureData +void get_secure_data(key_storage_t *keys, void *out_data); +// Equivalent to smc::PrepareDeviceMasterKey +void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation); + +#endif diff --git a/source/keys/gmac.c b/source/keys/gmac.c index 0749411..f8aea77 100644 --- a/source/keys/gmac.c +++ b/source/keys/gmac.c @@ -122,7 +122,7 @@ static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void memcpy(dst, x, 0x10); } -void _calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv) { +void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv) { u32 j_block[4] = {0}; se_aes_key_set(ks, key, 0x10); _ghash(ks, j_block, iv, 0x10, NULL, false); diff --git a/source/keys/gmac.h b/source/keys/gmac.h index b97b4af..98b7bdc 100644 --- a/source/keys/gmac.h +++ b/source/keys/gmac.h @@ -19,6 +19,6 @@ #include -void _calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv); +void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv); #endif diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl index a11ba7a..5d049f7 100644 --- a/source/keys/key_sources.inl +++ b/source/keys/key_sources.inl @@ -98,31 +98,10 @@ static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = { //======================================Keys======================================// // from Package1 -> Secure_Monitor -static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = { - 0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9}; -static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = { - {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // SealKey_LoadAesKey - {0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}, // SealKey_DecryptDeviceUniqueData - {0x57, 0xE2, 0xD9, 0x45, 0xE4, 0x92, 0xF4, 0xFD, 0xC3, 0xF9, 0x86, 0x38, 0x89, 0x78, 0x9F, 0x3C}, // SealKey_ImportLotusKey - {0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}, // SealKey_ImportEsDeviceKey - {0x59, 0xD9, 0x31, 0xF4, 0xA7, 0x97, 0xB8, 0x14, 0x40, 0xD6, 0xA2, 0x60, 0x2B, 0xED, 0x15, 0x31}, // SealKey_ReencryptDeviceUniqueData - {0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75}, // SealKey_ImportSslKey - {0x89, 0x96, 0x43, 0x9A, 0x7C, 0xD5, 0x59, 0x55, 0x24, 0xD5, 0x24, 0x18, 0xAB, 0x6C, 0x04, 0x61}, // SealKey_ImportEsClientCertKey -}; static const u8 package2_key_source[0x10] __attribute__((aligned(4))) = { 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7}; static const u8 titlekek_source[0x10] __attribute__((aligned(4))) = { 0x1E, 0xDC, 0x7B, 0x3B, 0x60, 0xE6, 0xB4, 0xD8, 0x78, 0xB8, 0x17, 0x15, 0x98, 0x5E, 0x62, 0x9B}; -static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = { - 0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95}; -static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; -static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = { - {0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9} -}; -static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = { - {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E} -}; // from Package1ldr (or Secure_Monitor on 6.2.0+) static const u8 keyblob_mac_key_source[0x10] __attribute__((aligned(4))) = { @@ -158,21 +137,6 @@ static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW {0x18, 0xA5, 0x6F, 0xEF, 0x72, 0x11, 0x62, 0xC5, 0x1A, 0x14, 0xF1, 0x8C, 0x21, 0x83, 0x27, 0xB7}, // 15.0.0. }; //!TODO: Update on mkey changes. -static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { - {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0 Device Master Key Source Source. */ - {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0 Device Master Key Source Source. */ - {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0 Device Master Key Source Source. */ - {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0 Device Master Key Source Source. */ - {0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0 Device Master Key Source Source. */ - {0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0 Device Master Key Source Source. */ - {0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0 Device Master Key Source Source. */ - {0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0 Device Master Key Source Source. */ - {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */ - {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */ - {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ - {0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */ -}; //!TODO: Update on mkey changes. - // from ES static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = { 0XDB, 0XA4, 0X51, 0X12, 0X4C, 0XA0, 0XA9, 0X83, 0X68, 0X14, 0XF5, 0XED, 0X95, 0XE3, 0X12, 0X5B}; @@ -197,42 +161,6 @@ static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = { static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = { 0x4D, 0x92, 0x5A, 0x69, 0x42, 0x23, 0xBB, 0x92, 0x59, 0x16, 0x3E, 0x51, 0x8C, 0x78, 0x14, 0x0F}; -static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { - {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0 Device Master Kek Source. */ - {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0 Device Master Kek Source. */ - {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0 Device Master Kek Source. */ - {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0 Device Master Kek Source. */ - {0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0 Device Master Kek Source. */ - {0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0 Device Master Kek Source. */ - {0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0 Device Master Kek Source. */ - {0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0 Device Master Kek Source. */ - {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */ - {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */ - {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */ - {0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */ -}; //!TODO: Update on mkey changes. - -static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { - {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0 Device Master Kek Source. */ - {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0 Device Master Kek Source. */ - {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0 Device Master Kek Source. */ - {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0 Device Master Kek Source. */ - {0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0 Device Master Kek Source. */ - {0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0 Device Master Kek Source. */ - {0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0 Device Master Kek Source. */ - {0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0 Device Master Kek Source. */ - {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */ - {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */ - {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */ - {0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */ -}; //!TODO: Update on mkey changes. - -// from SPL -static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = { - 0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8}; -static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = { - 0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E}; - // from FS static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = { 0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F}; diff --git a/source/keys/keys.c b/source/keys/keys.c index 414a320..a53061e 100644 --- a/source/keys/keys.c +++ b/source/keys/keys.c @@ -16,6 +16,7 @@ #include "keys.h" +#include "cal0_read.h" #include "gmac.h" #include "../../keygen/tsec_keygen.h" @@ -58,46 +59,23 @@ static u32 _key_count = 0, _titlekey_count = 0; static u32 start_time, end_time; u32 color_idx = 0; -static ALWAYS_INLINE u32 _read_le_u32(const void *buffer, u32 offset) { - return (*(u8*)(buffer + offset + 0) ) | - (*(u8*)(buffer + offset + 1) << 0x08) | - (*(u8*)(buffer + offset + 2) << 0x10) | - (*(u8*)(buffer + offset + 3) << 0x18); -} - -static ALWAYS_INLINE u32 _read_be_u32(const void *buffer, u32 offset) { - return (*(u8*)(buffer + offset + 3) ) | - (*(u8*)(buffer + offset + 2) << 0x08) | - (*(u8*)(buffer + offset + 1) << 0x10) | - (*(u8*)(buffer + offset + 0) << 0x18); -} - // key functions static int _key_exists(const void *data) { return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0; }; static void _save_key(const char *name, const void *data, u32 len, char *outbuf); static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf); -static void _generate_aes_kek(u32 ks, key_derivation_ctx_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option); -static void _generate_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source); -static void _load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source); -static void _get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source); -static void _decrypt_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation, u32 option); -static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation); -static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 generation); -// titlekey functions -static bool _test_rsa_keypair(const void *E, const void *D, const void *N); -static void _derive_master_key_mariko(key_derivation_ctx_t *keys, bool is_dev) { +static void _derive_master_key_mariko(key_storage_t *keys, bool is_dev) { // Relies on the SBK being properly set in slot 14 se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source); // Derive all master keys based on Mariko KEK for (u32 i = KB_FIRMWARE_VERSION_600; i < ARRAY_SIZE(mariko_master_kek_sources) + KB_FIRMWARE_VERSION_600; i++) { // Relies on the Mariko KEK being properly set in slot 12 se_aes_crypt_block_ecb(KS_MARIKO_KEK, DECRYPT, keys->master_kek[i], is_dev ? &mariko_master_kek_sources_dev[i - KB_FIRMWARE_VERSION_600] : &mariko_master_kek_sources[i - KB_FIRMWARE_VERSION_600]); - _load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source); + load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source); } } -static int _run_ams_keygen(key_derivation_ctx_t *keys) { +static int _run_ams_keygen(key_storage_t *keys) { tsec_ctxt_t tsec_ctxt; tsec_ctxt.fw = tsec_keygen; tsec_ctxt.size = sizeof(tsec_keygen); @@ -115,21 +93,21 @@ static int _run_ams_keygen(key_derivation_ctx_t *keys) { return 0; } -static void _derive_master_keys_from_latest_key(key_derivation_ctx_t *keys, bool is_dev) { +static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev) { if (!h_cfg.t210b01) { u32 tsec_root_key_slot = is_dev ? 11 : 13; // Derive all master keys based on current root key for (u32 i = KB_FIRMWARE_VERSION_810 - KB_FIRMWARE_VERSION_620; i < ARRAY_SIZE(master_kek_sources); i++) { se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_kek_sources[i]); - _load_aes_key(KS_AES_ECB, keys->master_key[i + KB_FIRMWARE_VERSION_620], keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_key_source); + load_aes_key(KS_AES_ECB, keys->master_key[i + KB_FIRMWARE_VERSION_620], keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_key_source); } } // Derive all lower master keys for (u32 i = KB_FIRMWARE_VERSION_MAX; i > 0; i--) { - _load_aes_key(KS_AES_ECB, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]); + load_aes_key(KS_AES_ECB, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]); } - _load_aes_key(KS_AES_ECB, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]); + load_aes_key(KS_AES_ECB, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]); if (_key_exists(keys->temp_key)) { EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod"); @@ -137,15 +115,15 @@ static void _derive_master_keys_from_latest_key(key_derivation_ctx_t *keys, bool } } -static void _derive_keyblob_keys(key_derivation_ctx_t *keys) { +static void _derive_keyblob_keys(key_storage_t *keys) { u8 *keyblob_block = (u8 *)calloc(KB_FIRMWARE_VERSION_600 + 1, NX_EMMC_BLOCKSIZE); - u32 keyblob_mac[AES_128_KEY_SIZE / 4] = {0}; + u32 keyblob_mac[SE_KEY_128_SIZE / 4] = {0}; bool have_keyblobs = true; if (FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF) { u8 *aes_keys = (u8 *)calloc(SZ_4K, 1); - se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE); - memcpy(keys->sbk, aes_keys + 14 * AES_128_KEY_SIZE, AES_128_KEY_SIZE); + se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE); + memcpy(keys->sbk, aes_keys + 14 * SE_KEY_128_SIZE, SE_KEY_128_SIZE); free(aes_keys); } else { keys->sbk[0] = FUSE(FUSE_PRIVATE_KEY0); @@ -168,7 +146,7 @@ static void _derive_keyblob_keys(key_derivation_ctx_t *keys) { minerva_periodic_training(); se_aes_crypt_block_ecb(KS_TSEC, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]); se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]); - _load_aes_key(KS_AES_ECB, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source); + load_aes_key(KS_AES_ECB, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source); if (i == 0) { se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key, per_console_key_source); se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source); @@ -193,50 +171,50 @@ static void _derive_keyblob_keys(key_derivation_ctx_t *keys) { memcpy(keys->package1_key[i], keys->keyblob[i].package1_key, sizeof(keys->package1_key[i])); memcpy(keys->master_kek[i], keys->keyblob[i].master_kek, sizeof(keys->master_kek[i])); if (!_key_exists(keys->master_key[i])) { - _load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source); + load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source); } } free(keyblob_block); } -static void _derive_bis_keys(key_derivation_ctx_t *keys) { +static void _derive_bis_keys(key_storage_t *keys) { minerva_periodic_training(); u32 generation = fuse_read_odm_keygen_rev(); if (!(_key_exists(keys->device_key) || (generation && _key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x)))) { return; } - _generate_specific_aes_key(KS_AES_ECB, keys, &keys->bis_key[0], bis_key_sources[0], generation); - u32 access_key[AES_128_KEY_SIZE / 4] = {0}; + generate_specific_aes_key(KS_AES_ECB, keys, &keys->bis_key[0], bis_key_sources[0], generation); + u32 access_key[SE_KEY_128_SIZE / 4] = {0}; const u32 option = IS_DEVICE_UNIQUE; - _generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option); - _generate_aes_key(KS_AES_ECB, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]); - _generate_aes_key(KS_AES_ECB, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]); + generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option); + generate_aes_key(KS_AES_ECB, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]); + generate_aes_key(KS_AES_ECB, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]); memcpy(keys->bis_key[3], keys->bis_key[2], sizeof(keys->bis_key[3])); } -static void _derive_non_unique_keys(key_derivation_ctx_t *keys, bool is_dev) { +static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) { if (_key_exists(keys->master_key[0])) { const u32 generation = 0; const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE); - _generate_aes_kek(KS_AES_ECB, keys, keys->temp_key, header_kek_source, generation, option); - _generate_aes_key(KS_AES_ECB, keys, keys->header_key, sizeof(keys->header_key), keys->temp_key, header_key_source); + generate_aes_kek(KS_AES_ECB, keys, keys->temp_key, header_kek_source, generation, option); + generate_aes_key(KS_AES_ECB, keys, keys->header_key, sizeof(keys->header_key), keys->temp_key, header_key_source); } } -static void _derive_rsa_kek(u32 ks, key_derivation_ctx_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) { +static void _derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) { void *access_key = keys->temp_key; - _generate_aes_kek(ks, keys, access_key, kekek_source, generation, option); - _get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source); + generate_aes_kek(ks, keys, access_key, kekek_source, generation, option); + get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source); } -static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) { +static void _derive_misc_keys(key_storage_t *keys, bool is_dev) { if (_key_exists(keys->device_key) || (_key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x))) { void *access_key = keys->temp_key; const u32 generation = 0; const u32 option = IS_DEVICE_UNIQUE; - _generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option); - _load_aes_key(KS_AES_ECB, keys->save_mac_key, access_key, save_mac_key_source); + generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option); + load_aes_key(KS_AES_ECB, keys->save_mac_key, access_key, save_mac_key_source); } if (_key_exists(keys->master_key[0])) { @@ -251,18 +229,18 @@ static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) { } } -static void _derive_per_generation_keys(key_derivation_ctx_t *keys) { +static void _derive_per_generation_keys(key_storage_t *keys) { for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) { if (!_key_exists(keys->master_key[generation])) continue; for (u32 source_type = 0; source_type < ARRAY_SIZE(key_area_key_sources); source_type++) { void *access_key = keys->temp_key; const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE); - _generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option); - _load_aes_key(KS_AES_ECB, keys->key_area_key[source_type][generation], access_key, aes_key_generation_source); + generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option); + load_aes_key(KS_AES_ECB, keys->key_area_key[source_type][generation], access_key, aes_key_generation_source); } - _load_aes_key(KS_AES_ECB, keys->package2_key[generation], keys->master_key[generation], package2_key_source); - _load_aes_key(KS_AES_ECB, keys->titlekek[generation], keys->master_key[generation], titlekek_source); + load_aes_key(KS_AES_ECB, keys->package2_key[generation], keys->master_key[generation], package2_key_source); + load_aes_key(KS_AES_ECB, keys->titlekek[generation], keys->master_key[generation], titlekek_source); } } @@ -402,7 +380,7 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title return true; } -static bool _derive_sd_seed(key_derivation_ctx_t *keys) { +static bool _derive_sd_seed(key_storage_t *keys) { FIL fp; u32 read_bytes = 0; char *private_path = malloc(200); @@ -421,7 +399,7 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) { return false; } // Get sd seed verification vector - if (f_read(&fp, keys->temp_key, AES_128_KEY_SIZE, &read_bytes) || read_bytes != AES_128_KEY_SIZE) { + if (f_read(&fp, keys->temp_key, SE_KEY_128_SIZE, &read_bytes) || read_bytes != SE_KEY_128_SIZE) { EPRINTF("Unable to read SD seed vector. Skipping."); f_close(&fp); return false; @@ -451,54 +429,8 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) { return true; } -static bool _read_cal0(void *read_buffer) { - nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer; - - // Check if CAL0 was already read into this buffer - if (cal0->magic == MAGIC_CAL0) { - return true; - } - - if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) { - EPRINTF("Unable to read PRODINFO."); - return false; - } - - se_aes_xts_crypt(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE); - - if (cal0->magic != MAGIC_CAL0) { - EPRINTF("Invalid CAL0 magic. Check BIS key 0."); - return false; - } - - return true; -} - -static bool _cal0_read_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) { - const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key); - const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39); - const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key); - const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad18); - - if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, ext_key_crc_size)) { - *out_key = cal0->ext_ssl_key; - *out_key_size = ext_key_size; - *out_iv = cal0->ext_ssl_key_iv; - // Settings sysmodule manually zeroes this out below cal version 9 - *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver; - } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) { - *out_key = cal0->ssl_key; - *out_key_size = key_size; - *out_iv = cal0->ssl_key_iv; - *out_generation = 0; - } else { - return false; - } - return true; -} - -static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer) { - if (!_read_cal0(titlekey_buffer->read_buffer)) { +static bool _decrypt_ssl_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer) { + if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) { return false; } @@ -507,18 +439,17 @@ static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t * const void *encrypted_key = NULL; const void *iv = NULL; u32 key_size = 0; - void *keypair_ctr_key = NULL; + void *ctr_key = NULL; bool enforce_unique = true; - if (!_cal0_read_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { - EPRINTF("Crc16 error reading device key."); + if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { return false; } if (key_size == SSL_RSA_KEY_SIZE) { bool all_zero = true; const u8 *key8 = (const u8 *)encrypted_key; - for (u32 i = RSA_2048_KEY_SIZE; i < SSL_RSA_KEY_SIZE; i++) { + for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) { if (key8[i] != 0) { all_zero = false; break; @@ -526,29 +457,29 @@ static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t * } if (all_zero) { // Keys of this form are not encrypted - memcpy(keys->ssl_rsa_key, encrypted_key, RSA_2048_KEY_SIZE); + memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE); return true; } const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE; - keypair_ctr_key = keys->ssl_rsa_kek_legacy; - _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option); + ctr_key = keys->ssl_rsa_kek_legacy; + _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option); enforce_unique = false; } else if (generation) { const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE; - keypair_ctr_key = keys->ssl_rsa_kek_personalized; - _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option); + ctr_key = keys->ssl_rsa_kek_personalized; + _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option); } else { - keypair_ctr_key = keys->ssl_rsa_kek; + ctr_key = keys->ssl_rsa_kek; } u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10; - se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE); + se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv); if (enforce_unique) { - u32 calc_mac[AES_128_KEY_SIZE / 4] = {0}; - _calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, keypair_ctr_key, iv); + u32 calc_mac[SE_KEY_128_SIZE / 4] = {0}; + calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv); const u8 *key8 = (const u8 *)encrypted_key; if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) { @@ -561,41 +492,8 @@ static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t * return true; } -static bool _cal0_read_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) { - const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key); - const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38); - const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key); - const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad21); - - if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) { - *out_key = cal0->ext_ecc_rsa2048_eticket_key; - *out_key_size = ext_key_size; - *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv; - // Settings sysmodule manually zeroes this out below cal version 9 - *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver; - } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) { - *out_key = cal0->rsa2048_eticket_key; - *out_key_size = key_size; - *out_iv = cal0->rsa2048_eticket_key_iv; - *out_generation = 0; - } else { - return false; - } - return true; -} - -static bool _test_eticket_rsa_keypair(const rsa_keypair_t *keypair) { - // Unlike the SSL RSA key, we don't need to check the gmac - we can just verify the public exponent - // and test the keypair since we have the modulus - if ((_read_be_u32(keypair->public_exponent, 0) != RSA_PUBLIC_EXPONENT) || - (!_test_rsa_keypair(keypair->public_exponent, keypair->private_exponent, keypair->modulus))) { - return false; - } - return true; -} - -static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { - if (!_read_cal0(titlekey_buffer->read_buffer)) { +static bool _decrypt_eticket_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { + if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) { return false; } @@ -604,24 +502,23 @@ static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer const void *encrypted_key = NULL; const void *iv = NULL; u32 key_size = 0; - void *keypair_ctr_key = NULL; + void *ctr_key = NULL; - if (!_cal0_read_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { - EPRINTF("Crc16 error reading device key."); + if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { return false; } // Handle legacy case if (key_size == ETICKET_RSA_KEYPAIR_SIZE) { const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE; - keypair_ctr_key = keys->temp_key; - _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option); + ctr_key = keys->temp_key; + _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option); - se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE); + se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv); - if (_test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { - memcpy(keys->eticket_rsa_kek, keypair_ctr_key, sizeof(keys->eticket_rsa_kek)); + if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { + memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek)); return true; } // Fall through and try usual method if not applicable @@ -629,17 +526,17 @@ static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer if (generation) { const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE; - keypair_ctr_key = keys->eticket_rsa_kek_personalized; + ctr_key = keys->eticket_rsa_kek_personalized; const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source; - _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, eticket_rsa_kekek_source, kek_source, generation, option); + _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, eticket_rsa_kekek_source, kek_source, generation, option); } else { - keypair_ctr_key = keys->eticket_rsa_kek; + ctr_key = keys->eticket_rsa_kek; } - se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE); + se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv); - if (!_test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { + if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { EPRINTF("Invalid eticket keypair."); memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair)); return false; @@ -648,7 +545,7 @@ static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer return true; } -static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { +static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { if (!_key_exists(keys->eticket_rsa_kek)) { return false; } @@ -668,17 +565,17 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit return true; } -static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { +static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { // Set BIS keys. // PRODINFO/PRODINFOF - se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, AES_128_KEY_SIZE); - se_aes_key_set(KS_BIS_00_TWEAK, keys->bis_key[0] + 0x10, AES_128_KEY_SIZE); + se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, SE_KEY_128_SIZE); + se_aes_key_set(KS_BIS_00_TWEAK, keys->bis_key[0] + 0x10, SE_KEY_128_SIZE); // SAFE - se_aes_key_set(KS_BIS_01_CRYPT, keys->bis_key[1] + 0x00, AES_128_KEY_SIZE); - se_aes_key_set(KS_BIS_01_TWEAK, keys->bis_key[1] + 0x10, AES_128_KEY_SIZE); + se_aes_key_set(KS_BIS_01_CRYPT, keys->bis_key[1] + 0x00, SE_KEY_128_SIZE); + se_aes_key_set(KS_BIS_01_TWEAK, keys->bis_key[1] + 0x10, SE_KEY_128_SIZE); // SYSTEM/USER - se_aes_key_set(KS_BIS_02_CRYPT, keys->bis_key[2] + 0x00, AES_128_KEY_SIZE); - se_aes_key_set(KS_BIS_02_TWEAK, keys->bis_key[2] + 0x10, AES_128_KEY_SIZE); + se_aes_key_set(KS_BIS_02_CRYPT, keys->bis_key[2] + 0x00, SE_KEY_128_SIZE); + se_aes_key_set(KS_BIS_02_TWEAK, keys->bis_key[2] + 0x10, SE_KEY_128_SIZE); if (!emummc_storage_set_mmc_partition(EMMC_GPP)) { EPRINTF("Unable to set partition."); @@ -745,8 +642,8 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) { color_idx = 0; u32 pos = 0; - u32 zeros[AES_128_KEY_SIZE / 4] = {0}; - u8 *data = malloc(4 * AES_128_KEY_SIZE); + u32 zeros[SE_KEY_128_SIZE / 4] = {0}; + u8 *data = malloc(4 * SE_KEY_128_SIZE); char *text_buffer = calloc(1, 0x100 * count); for (u32 ks = start; ks < start + count; ks++) { @@ -760,26 +657,26 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) { } // Encrypt zeros with complete key - se_aes_crypt_block_ecb(ks, ENCRYPT, &data[3 * AES_128_KEY_SIZE], zeros); + se_aes_crypt_block_ecb(ks, ENCRYPT, &data[3 * SE_KEY_128_SIZE], zeros); // We only need to overwrite 3 of the dwords of the key for (u32 i = 0; i < 3; i++) { // Overwrite ith dword of key with zeros se_aes_key_partial_set(ks, i, 0); // Encrypt zeros with more of the key zeroed out - se_aes_crypt_block_ecb(ks, ENCRYPT, &data[(2 - i) * AES_128_KEY_SIZE], zeros); + se_aes_crypt_block_ecb(ks, ENCRYPT, &data[(2 - i) * SE_KEY_128_SIZE], zeros); } // Skip saving key if two results are the same indicating unsuccessful overwrite or empty slot - if (memcmp(&data[0], &data[SE_KEY_128_SIZE], AES_128_KEY_SIZE) == 0) { + if (memcmp(&data[0], &data[SE_KEY_128_SIZE], SE_KEY_128_SIZE) == 0) { EPRINTFARGS("Failed to overwrite keyslot %d.", ks); continue; } pos += s_printf(&text_buffer[pos], "%d\n", ks); for (u32 i = 0; i < 4; i++) { - for (u32 j = 0; j < AES_128_KEY_SIZE; j++) - pos += s_printf(&text_buffer[pos], "%02x", data[i * AES_128_KEY_SIZE + j]); + for (u32 j = 0; j < SE_KEY_128_SIZE; j++) + pos += s_printf(&text_buffer[pos], "%02x", data[i * SE_KEY_128_SIZE + j]); pos += s_printf(&text_buffer[pos], " "); } pos += s_printf(&text_buffer[pos], "\n"); @@ -823,7 +720,7 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) { return 0; } -static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { +static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { char *text_buffer = NULL; if (!sd_mount()) { EPRINTF("Unable to mount SD."); @@ -896,7 +793,7 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl SAVE_KEY(ssl_rsa_kek_source); } SAVE_KEY(ssl_rsa_kekek_source); - _save_key("ssl_rsa_key", keys->ssl_rsa_key, RSA_2048_KEY_SIZE, text_buffer); + _save_key("ssl_rsa_key", keys->ssl_rsa_key, SE_RSA2048_DIGEST_SIZE, text_buffer); SAVE_KEY_FAMILY_VAR(titlekek, keys->titlekek, 0); SAVE_KEY(titlekek_source); SAVE_KEY_VAR(tsec_key, keys->tsec_key); @@ -904,7 +801,7 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl const u32 root_key_ver = 2; char root_key_name[21] = "tsec_root_key_00"; s_printf(root_key_name + 14, "%02x", root_key_ver); - _save_key(root_key_name, keys->tsec_root_key, AES_128_KEY_SIZE, text_buffer); + _save_key(root_key_name, keys->tsec_root_key, SE_KEY_128_SIZE, text_buffer); gfx_printf("\n%k Found %d %s keys.\n\n", colors[(color_idx++) % 6], _key_count, is_dev ? "dev" : "prod"); gfx_printf("%kFound through master_key_%02x.\n\n", colors[(color_idx++) % 6], KB_FIRMWARE_VERSION_MAX); @@ -929,10 +826,10 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl titlekey_text_buffer_t *titlekey_text = (titlekey_text_buffer_t *)text_buffer; for (u32 i = 0; i < _titlekey_count; i++) { - for (u32 j = 0; j < AES_128_KEY_SIZE; j++) + for (u32 j = 0; j < SE_KEY_128_SIZE; j++) s_printf(&titlekey_text[i].rights_id[j * 2], "%02x", titlekey_buffer->rights_ids[i][j]); s_printf(titlekey_text[i].equals, " = "); - for (u32 j = 0; j < AES_128_KEY_SIZE; j++) + for (u32 j = 0; j < SE_KEY_128_SIZE; j++) s_printf(&titlekey_text[i].titlekey[j * 2], "%02x", titlekey_buffer->titlekeys[i][j]); s_printf(titlekey_text[i].newline, "\n"); } @@ -948,16 +845,16 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl } static bool _check_keyslot_access() { - u8 test_data[AES_128_KEY_SIZE] = {0}; - const u8 test_ciphertext[AES_128_KEY_SIZE] = {0}; + u8 test_data[SE_KEY_128_SIZE] = {0}; + const u8 test_ciphertext[SE_KEY_128_SIZE] = {0}; se_aes_key_set(KS_AES_ECB, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE); se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, test_data, test_ciphertext); return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0; } -static void _derive_master_keys(key_derivation_ctx_t *prod_keys, key_derivation_ctx_t *dev_keys, bool is_dev) { - key_derivation_ctx_t *keys = is_dev ? dev_keys : prod_keys; +static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) { + key_storage_t *keys = is_dev ? dev_keys : prod_keys; if (h_cfg.t210b01) { _derive_master_key_mariko(keys, is_dev); @@ -970,10 +867,10 @@ static void _derive_master_keys(key_derivation_ctx_t *prod_keys, key_derivation_ } u8 *aes_keys = (u8 *)calloc(SZ_4K, 1); - se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE); - memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * AES_128_KEY_SIZE, AES_128_KEY_SIZE); - memcpy(keys->tsec_key, aes_keys + KS_TSEC * AES_128_KEY_SIZE, AES_128_KEY_SIZE); - memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * AES_128_KEY_SIZE, AES_128_KEY_SIZE); + se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE); + memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE); + memcpy(keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE); + memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE); free(aes_keys); _derive_master_keys_from_latest_key(prod_keys, false); @@ -1009,8 +906,8 @@ static void _derive_keys() { bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV; - key_derivation_ctx_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0}; - key_derivation_ctx_t *keys = is_dev ? &dev_keys : &prod_keys; + key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0}; + key_storage_t *keys = is_dev ? &dev_keys : &prod_keys; _derive_master_keys(&prod_keys, &dev_keys, is_dev); @@ -1065,8 +962,8 @@ void derive_amiibo_keys() { bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV; - key_derivation_ctx_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0}; - key_derivation_ctx_t *keys = is_dev ? &dev_keys : &prod_keys; + key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0}; + key_storage_t *keys = is_dev ? &dev_keys : &prod_keys; const u8 *encrypted_keys = is_dev ? encrypted_nfc_keys_dev : encrypted_nfc_keys; _derive_master_keys(&prod_keys, &dev_keys, is_dev); @@ -1088,18 +985,18 @@ void derive_amiibo_keys() { return; } - _decrypt_aes_key(KS_AES_ECB, keys, keys->temp_key, nfc_key_source, 0, 0); + decrypt_aes_key(KS_AES_ECB, keys, keys->temp_key, nfc_key_source, 0, 0); nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob; - static const u8 nfc_iv[AES_128_KEY_SIZE] = { + static const u8 nfc_iv[SE_KEY_128_SIZE] = { 0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8}; - se_aes_key_set(KS_AES_CTR, keys->temp_key, AES_128_KEY_SIZE); + se_aes_key_set(KS_AES_CTR, keys->temp_key, SE_KEY_128_SIZE); se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv); minerva_periodic_training(); u8 xor_pad[0x20] __attribute__((aligned(4))) = {0}; - se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, AES_128_KEY_SIZE); + se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE); se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv); minerva_periodic_training(); @@ -1204,111 +1101,3 @@ static void _save_key_family(const char *name, const void *data, u32 start_key, } free(temp_name); } - -// Equivalent to spl::GenerateAesKek -static void _generate_aes_kek(u32 ks, key_derivation_ctx_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) { - bool device_unique = GET_IS_DEVICE_UNIQUE(option); - u32 seal_key_index = GET_SEAL_KEY_INDEX(option); - - if (generation) - generation--; - - u8 static_source[AES_128_KEY_SIZE] __attribute__((aligned(4))); - for (u32 i = 0; i < AES_128_KEY_SIZE; i++) - static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i]; - - if (device_unique) { - _get_device_key(ks, keys, keys->temp_key, generation); - } else { - memcpy(keys->temp_key, keys->master_key[generation], sizeof(keys->temp_key)); - } - se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE); - se_aes_unwrap_key(ks, ks, static_source); - se_aes_crypt_block_ecb(ks, DECRYPT, out_kek, kek_source); -} - -// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key -static void _load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source) { - se_aes_key_set(ks, access_key, AES_128_KEY_SIZE); - se_aes_crypt_block_ecb(ks, DECRYPT, out_key, key_source); -} - -// Equivalent to spl::GenerateAesKey -static void _generate_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) { - void *aes_key = keys->temp_key; - _load_aes_key(ks, aes_key, access_key, aes_key_generation_source); - se_aes_key_set(ks, aes_key, AES_128_KEY_SIZE); - se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size); -} - -// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing -static void _get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source) { - _load_aes_key(ks, out_key, access_key, key_source); -} - -// Equivalent to spl::DecryptAesKey. -static void _decrypt_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) { - void *access_key = keys->temp_key; - _generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option); - _generate_aes_key(ks, keys, out_key, AES_128_KEY_SIZE, access_key, key_source); -} - -// Equivalent to smc::GetSecureData -static void _get_secure_data(key_derivation_ctx_t *keys, void *out_data) { - se_aes_key_set(KS_AES_CTR, keys->device_key, AES_128_KEY_SIZE); - u8 *d = (u8 *)out_data; - se_aes_crypt_ctr(KS_AES_CTR, d + AES_128_KEY_SIZE * 0, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]); - se_aes_crypt_ctr(KS_AES_CTR, d + AES_128_KEY_SIZE * 1, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]); - - // Apply tweak - for (u32 i = 0; i < AES_128_KEY_SIZE; i++) { - d[AES_128_KEY_SIZE + i] ^= secure_data_tweaks[0][i]; - } -} - -// Equivalent to spl::GenerateSpecificAesKey -static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation) { - if (fuse_read_bootrom_rev() >= 0x7F) { - _get_device_key(ks, keys, keys->temp_key, generation == 0 ? 0 : generation - 1); - se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE); - se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source); - se_aes_crypt_ecb(ks, DECRYPT, out_key, AES_128_KEY_SIZE * 2, key_source, AES_128_KEY_SIZE * 2); - } else { - _get_secure_data(keys, out_key); - } -} - -static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 generation) { - if (generation == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) { - memcpy(out_device_key, keys->device_key, AES_128_KEY_SIZE); - return; - } - - if (generation >= KB_FIRMWARE_VERSION_400) { - generation -= KB_FIRMWARE_VERSION_400; - } else { - generation = 0; - } - u32 temp_key_source[AES_128_KEY_SIZE / 4] = {0}; - _load_aes_key(ks, temp_key_source, keys->device_key_4x, device_master_key_source_sources[generation]); - const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[generation] : device_master_kek_sources_dev[generation]; - se_aes_key_set(ks, keys->master_key[0], AES_128_KEY_SIZE); - se_aes_unwrap_key(ks, ks, kek_source); - se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source); -} - -static bool _test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) { - u32 plaintext[RSA_2048_KEY_SIZE / 4] = {0}, - ciphertext[RSA_2048_KEY_SIZE / 4] = {0}, - work[RSA_2048_KEY_SIZE / 4] = {0}; - - plaintext[63] = 0xCAFEBABE; - - se_rsa_key_set(0, modulus, RSA_2048_KEY_SIZE, private_exponent, RSA_2048_KEY_SIZE); - se_rsa_exp_mod(0, ciphertext, RSA_2048_KEY_SIZE, plaintext, RSA_2048_KEY_SIZE); - - se_rsa_key_set(0, modulus, RSA_2048_KEY_SIZE, public_exponent, 4); - se_rsa_exp_mod(0, work, RSA_2048_KEY_SIZE, ciphertext, RSA_2048_KEY_SIZE); - - return memcmp(plaintext, work, RSA_2048_KEY_SIZE) == 0; -} diff --git a/source/keys/keys.h b/source/keys/keys.h index bb1b5af..ca84f85 100644 --- a/source/keys/keys.h +++ b/source/keys/keys.h @@ -17,45 +17,19 @@ #ifndef _KEYS_H_ #define _KEYS_H_ -#include +#include "crypto.h" #include "../hos/hos.h" - -#define AES_128_KEY_SIZE 16 -#define RSA_2048_KEY_SIZE 256 - -#define RSA_PUBLIC_EXPONENT 65537 - -// Lockpick_RCM keyslots -#define KS_BIS_00_CRYPT 0 -#define KS_BIS_00_TWEAK 1 -#define KS_BIS_01_CRYPT 2 -#define KS_BIS_01_TWEAK 3 -#define KS_BIS_02_CRYPT 4 -#define KS_BIS_02_TWEAK 5 -#define KS_AES_CTR 6 -#define KS_AES_ECB 8 -#define KS_AES_CMAC 10 - -// Mariko keyslots -#define KS_MARIKO_KEK 12 -#define KS_MARIKO_BEK 13 - -// Other Switch keyslots -#define KS_TSEC 12 -#define KS_SECURE_BOOT 14 - -// Atmosphere keygen keyslots -#define KS_TSEC_ROOT_DEV 11 -#define KS_TSEC_ROOT 13 +#include +#include // only tickets of type Rsa2048Sha256 are expected typedef struct { u32 signature_type; // always 0x10004 - u8 signature[RSA_2048_KEY_SIZE]; + u8 signature[SE_RSA2048_DIGEST_SIZE]; u8 sig_padding[0x3C]; char issuer[0x40]; - u8 titlekey_block[RSA_2048_KEY_SIZE]; + u8 titlekey_block[SE_RSA2048_DIGEST_SIZE]; u8 format_version; u8 titlekey_type; u16 ticket_version; @@ -88,26 +62,6 @@ typedef struct { u8 titlekeys[SZ_256K / 0x10][0x10]; } titlekey_buffer_t; -typedef struct { - u8 private_exponent[RSA_2048_KEY_SIZE]; - u8 modulus[RSA_2048_KEY_SIZE]; - u8 public_exponent[4]; - u8 reserved[0xC]; -} rsa_keypair_t; - -typedef struct { - u8 master_kek[AES_128_KEY_SIZE]; - u8 data[0x70]; - u8 package1_key[AES_128_KEY_SIZE]; -} keyblob_t; - -typedef struct { - u8 cmac[0x10]; - u8 iv[0x10]; - keyblob_t key_data; - u8 unused[0x150]; -} encrypted_keyblob_t; - typedef struct { char phrase[0xE]; u8 seed[0xE]; @@ -129,61 +83,6 @@ typedef struct { u8 xor_pad[0x20]; } nfc_save_key_t; -typedef enum { - SEAL_KEY_LOAD_AES_KEY = 0, - SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA = 1, - SEAL_KEY_IMPORT_LOTUS_KEY = 2, - SEAL_KEY_IMPORT_ES_DEVICE_KEY = 3, - SEAL_KEY_REENCRYPT_DEVICE_UNIQUE_DATA = 4, - SEAL_KEY_IMPORT_SSL_KEY = 5, - SEAL_KEY_IMPORT_ES_CLIENT_CERT_KEY = 6, -} seal_key_t; - -typedef enum { - NOT_DEVICE_UNIQUE = 0, - IS_DEVICE_UNIQUE = 1, -} device_unique_t; - -#define SET_SEAL_KEY_INDEX(x) (((x) & 7) << 5) -#define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7) -#define GET_IS_DEVICE_UNIQUE(x) ((x) & 1) - -#define SSL_RSA_KEY_SIZE (RSA_2048_KEY_SIZE + AES_128_KEY_SIZE) -#define ETICKET_RSA_KEYPAIR_SIZE (RSA_2048_KEY_SIZE * 2 + AES_128_KEY_SIZE * 2) - -typedef struct { - u8 temp_key[AES_128_KEY_SIZE], - bis_key[4][AES_128_KEY_SIZE * 2], - device_key[AES_128_KEY_SIZE], - device_key_4x[AES_128_KEY_SIZE], - sd_seed[AES_128_KEY_SIZE], - // FS-related keys - header_key[AES_128_KEY_SIZE * 2], - save_mac_key[AES_128_KEY_SIZE], - // other sysmodule keys - eticket_rsa_kek[AES_128_KEY_SIZE], - eticket_rsa_kek_personalized[AES_128_KEY_SIZE], - ssl_rsa_kek[AES_128_KEY_SIZE], - ssl_rsa_kek_legacy[AES_128_KEY_SIZE], - ssl_rsa_kek_personalized[AES_128_KEY_SIZE], - ssl_rsa_key[RSA_2048_KEY_SIZE + 0x20], - // keyblob-derived families - keyblob_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE], - keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE], - package1_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE], - // master key-derived families - key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], - master_kek[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], - master_key[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], - package2_key[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], - titlekek[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], - tsec_key[AES_128_KEY_SIZE], - tsec_root_key[AES_128_KEY_SIZE]; - u32 sbk[4]; - keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1]; - rsa_keypair_t eticket_rsa_keypair; -} key_derivation_ctx_t; - typedef struct { char rights_id[0x20]; char equals[3];