From dcf4bca30cb3f9a82068dab21382957b29974053 Mon Sep 17 00:00:00 2001 From: shchmue Date: Sat, 5 Nov 2022 15:41:16 -0700 Subject: [PATCH] keys: Move RSA functions out of keys.c --- source/keys/crypto.h | 13 ++- source/keys/es_crypto.c | 88 ++++++++++++++ source/keys/es_crypto.h | 9 ++ source/keys/es_types.h | 46 ++++++++ source/keys/key_sources.inl | 5 - source/keys/keys.c | 227 +++++++----------------------------- source/keys/keys.h | 46 -------- source/keys/ssl_crypto.c | 69 +++++++++++ source/keys/ssl_crypto.h | 4 + 9 files changed, 266 insertions(+), 241 deletions(-) diff --git a/source/keys/crypto.h b/source/keys/crypto.h index c242485..67195be 100644 --- a/source/keys/crypto.h +++ b/source/keys/crypto.h @@ -25,6 +25,11 @@ #include +// Sha256 hash of the null string. +static const u8 null_hash[0x20] __attribute__((aligned(4))) = { + 0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24, + 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55}; + static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = { 0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9}; @@ -103,6 +108,9 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = { {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E} }; + //!TODO: Update on keygen changes. +#define TSEC_ROOT_KEY_VERSION 2 + // Lockpick_RCM keyslots #define KS_BIS_00_CRYPT 0 #define KS_BIS_00_TWEAK 1 @@ -128,11 +136,6 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = { #define RSA_PUBLIC_EXPONENT 65537 -#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE) -#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE) - -#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004 - typedef struct { u8 master_kek[SE_KEY_128_SIZE]; u8 data[0x70]; diff --git a/source/keys/es_crypto.c b/source/keys/es_crypto.c index 57b2912..f31b46a 100644 --- a/source/keys/es_crypto.c +++ b/source/keys/es_crypto.c @@ -16,7 +16,16 @@ #include "es_crypto.h" +#include "cal0_read.h" + #include "../config.h" +#include +#include "../gfx/tui.h" +#include +#include +#include + +#include extern hekate_config h_cfg; @@ -56,3 +65,82 @@ void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_ const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE; derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option); } + +bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev) { + if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) { + return false; + } + + nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer; + u32 generation = 0; + const void *encrypted_key = NULL; + const void *iv = NULL; + u32 key_size = 0; + void *ctr_key = NULL; + + if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { + return false; + } + + // Handle legacy case + if (key_size == ETICKET_RSA_KEYPAIR_SIZE) { + u32 temp_key[SE_KEY_128_SIZE / 4] = {0}; + es_derive_rsa_kek_legacy(keys, temp_key); + ctr_key = temp_key; + + se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); + se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv); + + if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { + memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek)); + return true; + } + // Fall through and try usual method if not applicable + } + + if (generation) { + es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev); + ctr_key = keys->eticket_rsa_kek_personalized; + } else { + ctr_key = keys->eticket_rsa_kek; + } + + se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); + se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv); + + if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { + EPRINTF("Invalid eticket keypair."); + memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair)); + return false; + } + + return true; +} + +void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) { + ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer; + for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) { + minerva_periodic_training(); + *pct = (total - remaining) * 100 / total; + if (*pct > *last_pct && *pct <= 100) { + *last_pct = *pct; + tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500); + } + + // This is in case an encrypted volatile ticket is left behind + if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256) + continue; + + u8 *curr_titlekey = curr_ticket->titlekey_block; + const u32 block_size = SE_RSA2048_DIGEST_SIZE; + const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]); + if (is_personalized) { + se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size); + if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size) + continue; + } + memcpy(titlekey_buffer->rights_ids[*titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0])); + memcpy(titlekey_buffer->titlekeys[*titlekey_count], curr_titlekey, titlekey_size); + (*titlekey_count)++; + } +} diff --git a/source/keys/es_crypto.h b/source/keys/es_crypto.h index acca3f8..03c777b 100644 --- a/source/keys/es_crypto.h +++ b/source/keys/es_crypto.h @@ -20,8 +20,13 @@ #include "crypto.h" #include "es_types.h" +#include #include +#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE) + +#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004 + static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = { 0xDB, 0xA4, 0x51, 0x12, 0x4C, 0xA0, 0xA9, 0x83, 0x68, 0x14, 0xF5, 0xED, 0x95, 0xE3, 0x12, 0x5B}; static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = { @@ -37,4 +42,8 @@ void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek); void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev); +bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev); + +void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized); + #endif diff --git a/source/keys/es_types.h b/source/keys/es_types.h index feb35fa..2dca8dc 100644 --- a/source/keys/es_types.h +++ b/source/keys/es_types.h @@ -27,4 +27,50 @@ typedef struct { u8 reserved[0xC]; } eticket_rsa_keypair_t; +// only tickets of type Rsa2048Sha256 are expected +typedef struct { + u32 signature_type; // always 0x10004 + u8 signature[SE_RSA2048_DIGEST_SIZE]; + u8 sig_padding[0x3C]; + char issuer[0x40]; + u8 titlekey_block[SE_RSA2048_DIGEST_SIZE]; + u8 format_version; + u8 titlekey_type; + u16 ticket_version; + u8 license_type; + u8 common_key_id; + u16 property_mask; + u64 reserved; + u64 ticket_id; + u64 device_id; + u8 rights_id[0x10]; + u32 account_id; + u32 sect_total_size; + u32 sect_hdr_offset; + u16 sect_hdr_count; + u16 sect_hdr_entry_size; + u8 padding[0x140]; +} ticket_t; + +typedef struct { + u8 rights_id[0x10]; + u64 ticket_id; + u32 account_id; + u16 property_mask; + u16 reserved; +} ticket_record_t; + +typedef struct { + u8 read_buffer[SZ_256K]; + u8 rights_ids[SZ_256K / 0x10][0x10]; + u8 titlekeys[SZ_256K / 0x10][0x10]; +} titlekey_buffer_t; + +typedef struct { + char rights_id[0x20]; + char equals[3]; + char titlekey[0x20]; + char newline[1]; +} titlekey_text_buffer_t; + #endif diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl index fa05e80..c03a4e1 100644 --- a/source/keys/key_sources.inl +++ b/source/keys/key_sources.inl @@ -14,11 +14,6 @@ * along with this program. If not, see . */ -// Sha256 hash of the null string. -static const u8 null_hash[0x20] __attribute__((aligned(4))) = { - 0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24, - 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55}; - static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_620 + 1][0x10] __attribute__((aligned(4))) = { {0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0 {0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0 diff --git a/source/keys/keys.c b/source/keys/keys.c index 17ef755..c8c8eae 100644 --- a/source/keys/keys.c +++ b/source/keys/keys.c @@ -16,10 +16,8 @@ #include "keys.h" -#include "cal0_read.h" #include "es_crypto.h" #include "fs_crypto.h" -#include "gmac.h" #include "nfc_crypto.h" #include "ssl_crypto.h" @@ -127,7 +125,7 @@ static void _derive_keyblob_keys(key_storage_t *keys) { bool have_keyblobs = true; if (FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF) { - u8 *aes_keys = (u8 *)calloc(SZ_4K, 1); + u8 *aes_keys = (u8 *)calloc(1, SZ_4K); se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE); memcpy(keys->sbk, aes_keys + 14 * SE_KEY_128_SIZE, SE_KEY_128_SIZE); free(aes_keys); @@ -183,22 +181,47 @@ static void _derive_keyblob_keys(key_storage_t *keys) { free(keyblob_block); } +static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) { + key_storage_t *keys = is_dev ? dev_keys : prod_keys; + + if (h_cfg.t210b01) { + _derive_master_keys_mariko(keys, is_dev); + _derive_master_keys_from_latest_key(keys, is_dev); + } else { + if (run_ams_keygen(keys)) { + EPRINTF("Failed to run keygen."); + return; + } + + u8 *aes_keys = (u8 *)calloc(1, SZ_4K); + se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE); + memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE); + memcpy(keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE); + memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE); + free(aes_keys); + + _derive_master_keys_from_latest_key(prod_keys, false); + _derive_master_keys_from_latest_key(dev_keys, true); + _derive_keyblob_keys(keys); + } +} + static void _derive_bis_keys(key_storage_t *keys) { minerva_periodic_training(); u32 generation = fuse_read_odm_keygen_rev(); fs_derive_bis_keys(keys, keys->bis_key, generation); } -static void _derive_misc_keys(key_storage_t *keys, bool is_dev) { +static void _derive_misc_keys(key_storage_t *keys) { minerva_periodic_training(); fs_derive_save_mac_key(keys, keys->save_mac_key); - es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev); - ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev); } -static void _derive_non_unique_keys(key_storage_t *keys) { +static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) { minerva_periodic_training(); fs_derive_header_key(keys, keys->header_key); + es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev); + ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev); for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) { minerva_periodic_training(); @@ -223,34 +246,6 @@ static bool _count_ticket_records(u32 buf_size, titlekey_buffer_t *titlekey_buff return false; } -static void _decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) { - ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer; - for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) { - minerva_periodic_training(); - *pct = (total - remaining) * 100 / total; - if (*pct > *last_pct && *pct <= 100) { - *last_pct = *pct; - tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500); - } - - // This is in case an encrypted volatile ticket is left behind - if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256) - continue; - - u8 *curr_titlekey = curr_ticket->titlekey_block; - const u32 block_size = SE_RSA2048_DIGEST_SIZE; - const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]); - if (is_personalized) { - se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size); - if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size) - continue; - } - memcpy(titlekey_buffer->rights_ids[_titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0])); - memcpy(titlekey_buffer->titlekeys[_titlekey_count], curr_titlekey, titlekey_size); - _titlekey_count++; - } -} - static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, eticket_rsa_keypair_t *rsa_keypair) { FIL fp; u64 br = buf_size; @@ -328,7 +323,7 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || titlekey_buffer->read_buffer[0] == 0 || br != buf_size) break; offset += br; - _decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, save_x, save_y, &pct, &last_pct, is_personalized); + es_decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, &_titlekey_count, save_x, save_y, &pct, &last_pct, is_personalized); remaining -= MIN(buf_size / sizeof(ticket_t), remaining); } tui_pbar(save_x, save_y, 100, COLOR_GREEN, 0xFF155500); @@ -382,7 +377,8 @@ static bool _derive_sd_seed(key_storage_t *keys) { } u8 read_buf[0x20] __attribute__((aligned(4))) = {0}; - // Skip the two header blocks and only check the first bytes of each block - file contents are always block-aligned + // Skip the two header blocks and only check the first bytes of each block + // File contents are always block-aligned for (u32 i = SAVE_BLOCK_SIZE_DEFAULT * 2; i < f_size(&fp); i += SAVE_BLOCK_SIZE_DEFAULT) { if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20) break; @@ -398,120 +394,8 @@ static bool _derive_sd_seed(key_storage_t *keys) { return true; } -static bool _decrypt_ssl_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer) { - if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) { - return false; - } - - nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer; - u32 generation = 0; - const void *encrypted_key = NULL; - const void *iv = NULL; - u32 key_size = 0; - void *ctr_key = NULL; - bool enforce_unique = true; - - if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { - return false; - } - - if (key_size == SSL_RSA_KEY_SIZE) { - bool all_zero = true; - const u8 *key8 = (const u8 *)encrypted_key; - for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) { - if (key8[i] != 0) { - all_zero = false; - break; - } - } - if (all_zero) { - // Keys of this form are not encrypted - memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE); - return true; - } - - ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy); - ctr_key = keys->ssl_rsa_kek_legacy; - enforce_unique = false; - } else if (generation) { - ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation); - ctr_key = keys->ssl_rsa_kek_personalized; - } else { - ctr_key = keys->ssl_rsa_kek; - } - - u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10; - se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); - se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv); - - if (enforce_unique) { - u32 calc_mac[SE_KEY_128_SIZE / 4] = {0}; - calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv); - - const u8 *key8 = (const u8 *)encrypted_key; - if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) { - EPRINTF("SSL keypair has invalid GMac."); - memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key)); - return false; - } - } - - return true; -} - -static bool _decrypt_eticket_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { - if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) { - return false; - } - - nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer; - u32 generation = 0; - const void *encrypted_key = NULL; - const void *iv = NULL; - u32 key_size = 0; - void *ctr_key = NULL; - - if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { - return false; - } - - // Handle legacy case - if (key_size == ETICKET_RSA_KEYPAIR_SIZE) { - u32 temp_key[SE_KEY_128_SIZE / 4] = {0}; - es_derive_rsa_kek_legacy(keys, temp_key); - ctr_key = temp_key; - - se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); - se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv); - - if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { - memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek)); - return true; - } - // Fall through and try usual method if not applicable - } - - if (generation) { - es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev); - ctr_key = keys->eticket_rsa_kek_personalized; - } else { - ctr_key = keys->eticket_rsa_kek; - } - - se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); - se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv); - - if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { - EPRINTF("Invalid eticket keypair."); - memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair)); - return false; - } - - return true; -} - static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { - if (!key_exists(keys->eticket_rsa_kek)) { + if (!key_exists(&keys->eticket_rsa_keypair)) { return false; } @@ -543,12 +427,12 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b return false; } - bool res = _decrypt_ssl_rsa_key(keys, titlekey_buffer); + bool res = decrypt_ssl_rsa_key(keys, titlekey_buffer); if (!res) { EPRINTF("Unable to derive SSL key."); } - res =_decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev); + res = decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev); if (!res) { EPRINTF("Unable to derive ETicket key."); } @@ -611,7 +495,7 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) { u32 pos = 0; u32 zeros[SE_KEY_128_SIZE / 4] = {0}; u8 *data = malloc(4 * SE_KEY_128_SIZE); - char *text_buffer = calloc(1, 0x100 * count); + char *text_buffer = calloc(count, 0x100); for (u32 ks = start; ks < start + count; ks++) { // Check if key is as expected @@ -688,14 +572,13 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) { } static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { - char *text_buffer = NULL; if (!sd_mount()) { EPRINTF("Unable to mount SD."); return; } u32 text_buffer_size = MAX(_titlekey_count * sizeof(titlekey_text_buffer_t) + 1, SZ_16K); - text_buffer = (char *)calloc(1, text_buffer_size); + char *text_buffer = (char *)calloc(1, text_buffer_size); SAVE_KEY(aes_kek_generation_source); SAVE_KEY(aes_key_generation_source); @@ -765,9 +648,8 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu SAVE_KEY(titlekek_source); SAVE_KEY_VAR(tsec_key, keys->tsec_key); - const u32 root_key_ver = 2; char root_key_name[21] = "tsec_root_key_00"; - s_printf(root_key_name + 14, "%02x", root_key_ver); + s_printf(root_key_name + 14, "%02x", TSEC_ROOT_KEY_VERSION); _save_key(root_key_name, keys->tsec_root_key, SE_KEY_128_SIZE, text_buffer); gfx_printf("\n%k Found %d %s keys.\n\n", colors[(color_idx++) % 6], _key_count, is_dev ? "dev" : "prod"); @@ -811,31 +693,6 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu free(text_buffer); } -static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) { - key_storage_t *keys = is_dev ? dev_keys : prod_keys; - - if (h_cfg.t210b01) { - _derive_master_keys_mariko(keys, is_dev); - _derive_master_keys_from_latest_key(keys, is_dev); - } else { - if (run_ams_keygen(keys)) { - EPRINTF("Failed to run keygen."); - return; - } - - u8 *aes_keys = (u8 *)calloc(SZ_4K, 1); - se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE); - memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - memcpy(keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - free(aes_keys); - - _derive_master_keys_from_latest_key(prod_keys, false); - _derive_master_keys_from_latest_key(dev_keys, true); - _derive_keyblob_keys(keys); - } -} - static void _derive_keys() { minerva_periodic_training(); @@ -872,9 +729,9 @@ static void _derive_keys() { TPRINTFARGS("%kBIS keys... ", colors[(color_idx++) % 6]); - _derive_misc_keys(keys, is_dev); - _derive_non_unique_keys(&prod_keys); - _derive_non_unique_keys(&dev_keys); + _derive_misc_keys(keys); + _derive_non_unique_keys(&prod_keys, is_dev); + _derive_non_unique_keys(&dev_keys, is_dev); titlekey_buffer_t *titlekey_buffer = (titlekey_buffer_t *)TITLEKEY_BUF_ADR; diff --git a/source/keys/keys.h b/source/keys/keys.h index 622249e..f8a84c1 100644 --- a/source/keys/keys.h +++ b/source/keys/keys.h @@ -23,52 +23,6 @@ #include #include -// only tickets of type Rsa2048Sha256 are expected -typedef struct { - u32 signature_type; // always 0x10004 - u8 signature[SE_RSA2048_DIGEST_SIZE]; - u8 sig_padding[0x3C]; - char issuer[0x40]; - u8 titlekey_block[SE_RSA2048_DIGEST_SIZE]; - u8 format_version; - u8 titlekey_type; - u16 ticket_version; - u8 license_type; - u8 common_key_id; - u16 property_mask; - u64 reserved; - u64 ticket_id; - u64 device_id; - u8 rights_id[0x10]; - u32 account_id; - u32 sect_total_size; - u32 sect_hdr_offset; - u16 sect_hdr_count; - u16 sect_hdr_entry_size; - u8 padding[0x140]; -} ticket_t; - -typedef struct { - u8 rights_id[0x10]; - u64 ticket_id; - u32 account_id; - u16 property_mask; - u16 reserved; -} ticket_record_t; - -typedef struct { - u8 read_buffer[SZ_256K]; - u8 rights_ids[SZ_256K / 0x10][0x10]; - u8 titlekeys[SZ_256K / 0x10][0x10]; -} titlekey_buffer_t; - -typedef struct { - char rights_id[0x20]; - char equals[3]; - char titlekey[0x20]; - char newline[1]; -} titlekey_text_buffer_t; - #define TPRINTF(text) \ end_time = get_tmr_us(); \ gfx_printf(text" done in %d us\n", end_time - start_time); \ diff --git a/source/keys/ssl_crypto.c b/source/keys/ssl_crypto.c index 109627f..b6b235b 100644 --- a/source/keys/ssl_crypto.c +++ b/source/keys/ssl_crypto.c @@ -16,7 +16,15 @@ #include "ssl_crypto.h" +#include "cal0_read.h" +#include "gmac.h" + #include "../config.h" +#include +#include +#include + +#include extern hekate_config h_cfg; @@ -49,3 +57,64 @@ void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE; derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option); } + +bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer) { + if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) { + return false; + } + + nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer; + u32 generation = 0; + const void *encrypted_key = NULL; + const void *iv = NULL; + u32 key_size = 0; + void *ctr_key = NULL; + bool enforce_unique = true; + + if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { + return false; + } + + if (key_size == SSL_RSA_KEY_SIZE) { + bool all_zero = true; + const u8 *key8 = (const u8 *)encrypted_key; + for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) { + if (key8[i] != 0) { + all_zero = false; + break; + } + } + if (all_zero) { + // Keys of this form are not encrypted + memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE); + return true; + } + + ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy); + ctr_key = keys->ssl_rsa_kek_legacy; + enforce_unique = false; + } else if (generation) { + ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation); + ctr_key = keys->ssl_rsa_kek_personalized; + } else { + ctr_key = keys->ssl_rsa_kek; + } + + u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10; + se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); + se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv); + + if (enforce_unique) { + u32 calc_mac[SE_KEY_128_SIZE / 4] = {0}; + calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv); + + const u8 *key8 = (const u8 *)encrypted_key; + if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) { + EPRINTF("SSL keypair has invalid GMac."); + memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key)); + return false; + } + } + + return true; +} diff --git a/source/keys/ssl_crypto.h b/source/keys/ssl_crypto.h index 6d84784..830fd45 100644 --- a/source/keys/ssl_crypto.h +++ b/source/keys/ssl_crypto.h @@ -21,6 +21,8 @@ #include +#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE) + static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = { 0x7F, 0x5B, 0xB0, 0x84, 0x7B, 0x25, 0xAA, 0x67, 0xFA, 0xC8, 0x4B, 0xE2, 0x3D, 0x7B, 0x69, 0x03}; static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = { @@ -38,4 +40,6 @@ void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u3 void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek); void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev); +bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer); + #endif