mirror of
https://github.com/Decscots/Lockpick_RCM
synced 2024-11-15 05:46:33 +00:00
keys: Move RSA functions out of keys.c
This commit is contained in:
parent
1b2c829ca0
commit
dcf4bca30c
9 changed files with 266 additions and 241 deletions
|
@ -25,6 +25,11 @@
|
|||
|
||||
#include <string.h>
|
||||
|
||||
// Sha256 hash of the null string.
|
||||
static const u8 null_hash[0x20] __attribute__((aligned(4))) = {
|
||||
0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
|
||||
0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
|
||||
|
||||
static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
|
||||
0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
|
||||
|
||||
|
@ -103,6 +108,9 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
|
|||
{0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E}
|
||||
};
|
||||
|
||||
//!TODO: Update on keygen changes.
|
||||
#define TSEC_ROOT_KEY_VERSION 2
|
||||
|
||||
// Lockpick_RCM keyslots
|
||||
#define KS_BIS_00_CRYPT 0
|
||||
#define KS_BIS_00_TWEAK 1
|
||||
|
@ -128,11 +136,6 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
|
|||
|
||||
#define RSA_PUBLIC_EXPONENT 65537
|
||||
|
||||
#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE)
|
||||
#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE)
|
||||
|
||||
#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004
|
||||
|
||||
typedef struct {
|
||||
u8 master_kek[SE_KEY_128_SIZE];
|
||||
u8 data[0x70];
|
||||
|
|
|
@ -16,7 +16,16 @@
|
|||
|
||||
#include "es_crypto.h"
|
||||
|
||||
#include "cal0_read.h"
|
||||
|
||||
#include "../config.h"
|
||||
#include <gfx_utils.h>
|
||||
#include "../gfx/tui.h"
|
||||
#include <mem/minerva.h>
|
||||
#include <sec/se.h>
|
||||
#include <sec/se_t210.h>
|
||||
|
||||
#include <string.h>
|
||||
|
||||
extern hekate_config h_cfg;
|
||||
|
||||
|
@ -56,3 +65,82 @@ void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_
|
|||
const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
|
||||
derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option);
|
||||
}
|
||||
|
||||
bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev) {
|
||||
if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer;
|
||||
u32 generation = 0;
|
||||
const void *encrypted_key = NULL;
|
||||
const void *iv = NULL;
|
||||
u32 key_size = 0;
|
||||
void *ctr_key = NULL;
|
||||
|
||||
if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Handle legacy case
|
||||
if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
|
||||
u32 temp_key[SE_KEY_128_SIZE / 4] = {0};
|
||||
es_derive_rsa_kek_legacy(keys, temp_key);
|
||||
ctr_key = temp_key;
|
||||
|
||||
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
|
||||
|
||||
if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
|
||||
memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek));
|
||||
return true;
|
||||
}
|
||||
// Fall through and try usual method if not applicable
|
||||
}
|
||||
|
||||
if (generation) {
|
||||
es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev);
|
||||
ctr_key = keys->eticket_rsa_kek_personalized;
|
||||
} else {
|
||||
ctr_key = keys->eticket_rsa_kek;
|
||||
}
|
||||
|
||||
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
|
||||
|
||||
if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
|
||||
EPRINTF("Invalid eticket keypair.");
|
||||
memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) {
|
||||
ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer;
|
||||
for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) {
|
||||
minerva_periodic_training();
|
||||
*pct = (total - remaining) * 100 / total;
|
||||
if (*pct > *last_pct && *pct <= 100) {
|
||||
*last_pct = *pct;
|
||||
tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500);
|
||||
}
|
||||
|
||||
// This is in case an encrypted volatile ticket is left behind
|
||||
if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256)
|
||||
continue;
|
||||
|
||||
u8 *curr_titlekey = curr_ticket->titlekey_block;
|
||||
const u32 block_size = SE_RSA2048_DIGEST_SIZE;
|
||||
const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]);
|
||||
if (is_personalized) {
|
||||
se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size);
|
||||
if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size)
|
||||
continue;
|
||||
}
|
||||
memcpy(titlekey_buffer->rights_ids[*titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0]));
|
||||
memcpy(titlekey_buffer->titlekeys[*titlekey_count], curr_titlekey, titlekey_size);
|
||||
(*titlekey_count)++;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -20,8 +20,13 @@
|
|||
#include "crypto.h"
|
||||
#include "es_types.h"
|
||||
|
||||
#include <sec/se_t210.h>
|
||||
#include <utils/types.h>
|
||||
|
||||
#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE)
|
||||
|
||||
#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004
|
||||
|
||||
static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
|
||||
0xDB, 0xA4, 0x51, 0x12, 0x4C, 0xA0, 0xA9, 0x83, 0x68, 0x14, 0xF5, 0xED, 0x95, 0xE3, 0x12, 0x5B};
|
||||
static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
|
||||
|
@ -37,4 +42,8 @@ void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32
|
|||
void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
|
||||
void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
|
||||
|
||||
bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev);
|
||||
|
||||
void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -27,4 +27,50 @@ typedef struct {
|
|||
u8 reserved[0xC];
|
||||
} eticket_rsa_keypair_t;
|
||||
|
||||
// only tickets of type Rsa2048Sha256 are expected
|
||||
typedef struct {
|
||||
u32 signature_type; // always 0x10004
|
||||
u8 signature[SE_RSA2048_DIGEST_SIZE];
|
||||
u8 sig_padding[0x3C];
|
||||
char issuer[0x40];
|
||||
u8 titlekey_block[SE_RSA2048_DIGEST_SIZE];
|
||||
u8 format_version;
|
||||
u8 titlekey_type;
|
||||
u16 ticket_version;
|
||||
u8 license_type;
|
||||
u8 common_key_id;
|
||||
u16 property_mask;
|
||||
u64 reserved;
|
||||
u64 ticket_id;
|
||||
u64 device_id;
|
||||
u8 rights_id[0x10];
|
||||
u32 account_id;
|
||||
u32 sect_total_size;
|
||||
u32 sect_hdr_offset;
|
||||
u16 sect_hdr_count;
|
||||
u16 sect_hdr_entry_size;
|
||||
u8 padding[0x140];
|
||||
} ticket_t;
|
||||
|
||||
typedef struct {
|
||||
u8 rights_id[0x10];
|
||||
u64 ticket_id;
|
||||
u32 account_id;
|
||||
u16 property_mask;
|
||||
u16 reserved;
|
||||
} ticket_record_t;
|
||||
|
||||
typedef struct {
|
||||
u8 read_buffer[SZ_256K];
|
||||
u8 rights_ids[SZ_256K / 0x10][0x10];
|
||||
u8 titlekeys[SZ_256K / 0x10][0x10];
|
||||
} titlekey_buffer_t;
|
||||
|
||||
typedef struct {
|
||||
char rights_id[0x20];
|
||||
char equals[3];
|
||||
char titlekey[0x20];
|
||||
char newline[1];
|
||||
} titlekey_text_buffer_t;
|
||||
|
||||
#endif
|
||||
|
|
|
@ -14,11 +14,6 @@
|
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
// Sha256 hash of the null string.
|
||||
static const u8 null_hash[0x20] __attribute__((aligned(4))) = {
|
||||
0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
|
||||
0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
|
||||
|
||||
static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_620 + 1][0x10] __attribute__((aligned(4))) = {
|
||||
{0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0
|
||||
{0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0
|
||||
|
|
|
@ -16,10 +16,8 @@
|
|||
|
||||
#include "keys.h"
|
||||
|
||||
#include "cal0_read.h"
|
||||
#include "es_crypto.h"
|
||||
#include "fs_crypto.h"
|
||||
#include "gmac.h"
|
||||
#include "nfc_crypto.h"
|
||||
#include "ssl_crypto.h"
|
||||
|
||||
|
@ -127,7 +125,7 @@ static void _derive_keyblob_keys(key_storage_t *keys) {
|
|||
bool have_keyblobs = true;
|
||||
|
||||
if (FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF) {
|
||||
u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
|
||||
u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
|
||||
se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
|
||||
memcpy(keys->sbk, aes_keys + 14 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
free(aes_keys);
|
||||
|
@ -183,22 +181,47 @@ static void _derive_keyblob_keys(key_storage_t *keys) {
|
|||
free(keyblob_block);
|
||||
}
|
||||
|
||||
static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
|
||||
key_storage_t *keys = is_dev ? dev_keys : prod_keys;
|
||||
|
||||
if (h_cfg.t210b01) {
|
||||
_derive_master_keys_mariko(keys, is_dev);
|
||||
_derive_master_keys_from_latest_key(keys, is_dev);
|
||||
} else {
|
||||
if (run_ams_keygen(keys)) {
|
||||
EPRINTF("Failed to run keygen.");
|
||||
return;
|
||||
}
|
||||
|
||||
u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
|
||||
se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
|
||||
memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
free(aes_keys);
|
||||
|
||||
_derive_master_keys_from_latest_key(prod_keys, false);
|
||||
_derive_master_keys_from_latest_key(dev_keys, true);
|
||||
_derive_keyblob_keys(keys);
|
||||
}
|
||||
}
|
||||
|
||||
static void _derive_bis_keys(key_storage_t *keys) {
|
||||
minerva_periodic_training();
|
||||
u32 generation = fuse_read_odm_keygen_rev();
|
||||
fs_derive_bis_keys(keys, keys->bis_key, generation);
|
||||
}
|
||||
|
||||
static void _derive_misc_keys(key_storage_t *keys, bool is_dev) {
|
||||
static void _derive_misc_keys(key_storage_t *keys) {
|
||||
minerva_periodic_training();
|
||||
fs_derive_save_mac_key(keys, keys->save_mac_key);
|
||||
es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev);
|
||||
ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev);
|
||||
}
|
||||
|
||||
static void _derive_non_unique_keys(key_storage_t *keys) {
|
||||
static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) {
|
||||
minerva_periodic_training();
|
||||
fs_derive_header_key(keys, keys->header_key);
|
||||
es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev);
|
||||
ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev);
|
||||
|
||||
for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) {
|
||||
minerva_periodic_training();
|
||||
|
@ -223,34 +246,6 @@ static bool _count_ticket_records(u32 buf_size, titlekey_buffer_t *titlekey_buff
|
|||
return false;
|
||||
}
|
||||
|
||||
static void _decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) {
|
||||
ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer;
|
||||
for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) {
|
||||
minerva_periodic_training();
|
||||
*pct = (total - remaining) * 100 / total;
|
||||
if (*pct > *last_pct && *pct <= 100) {
|
||||
*last_pct = *pct;
|
||||
tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500);
|
||||
}
|
||||
|
||||
// This is in case an encrypted volatile ticket is left behind
|
||||
if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256)
|
||||
continue;
|
||||
|
||||
u8 *curr_titlekey = curr_ticket->titlekey_block;
|
||||
const u32 block_size = SE_RSA2048_DIGEST_SIZE;
|
||||
const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]);
|
||||
if (is_personalized) {
|
||||
se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size);
|
||||
if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size)
|
||||
continue;
|
||||
}
|
||||
memcpy(titlekey_buffer->rights_ids[_titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0]));
|
||||
memcpy(titlekey_buffer->titlekeys[_titlekey_count], curr_titlekey, titlekey_size);
|
||||
_titlekey_count++;
|
||||
}
|
||||
}
|
||||
|
||||
static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, eticket_rsa_keypair_t *rsa_keypair) {
|
||||
FIL fp;
|
||||
u64 br = buf_size;
|
||||
|
@ -328,7 +323,7 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title
|
|||
if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || titlekey_buffer->read_buffer[0] == 0 || br != buf_size)
|
||||
break;
|
||||
offset += br;
|
||||
_decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, save_x, save_y, &pct, &last_pct, is_personalized);
|
||||
es_decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, &_titlekey_count, save_x, save_y, &pct, &last_pct, is_personalized);
|
||||
remaining -= MIN(buf_size / sizeof(ticket_t), remaining);
|
||||
}
|
||||
tui_pbar(save_x, save_y, 100, COLOR_GREEN, 0xFF155500);
|
||||
|
@ -382,7 +377,8 @@ static bool _derive_sd_seed(key_storage_t *keys) {
|
|||
}
|
||||
|
||||
u8 read_buf[0x20] __attribute__((aligned(4))) = {0};
|
||||
// Skip the two header blocks and only check the first bytes of each block - file contents are always block-aligned
|
||||
// Skip the two header blocks and only check the first bytes of each block
|
||||
// File contents are always block-aligned
|
||||
for (u32 i = SAVE_BLOCK_SIZE_DEFAULT * 2; i < f_size(&fp); i += SAVE_BLOCK_SIZE_DEFAULT) {
|
||||
if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20)
|
||||
break;
|
||||
|
@ -398,120 +394,8 @@ static bool _derive_sd_seed(key_storage_t *keys) {
|
|||
return true;
|
||||
}
|
||||
|
||||
static bool _decrypt_ssl_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer) {
|
||||
if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
|
||||
u32 generation = 0;
|
||||
const void *encrypted_key = NULL;
|
||||
const void *iv = NULL;
|
||||
u32 key_size = 0;
|
||||
void *ctr_key = NULL;
|
||||
bool enforce_unique = true;
|
||||
|
||||
if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (key_size == SSL_RSA_KEY_SIZE) {
|
||||
bool all_zero = true;
|
||||
const u8 *key8 = (const u8 *)encrypted_key;
|
||||
for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
|
||||
if (key8[i] != 0) {
|
||||
all_zero = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (all_zero) {
|
||||
// Keys of this form are not encrypted
|
||||
memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE);
|
||||
return true;
|
||||
}
|
||||
|
||||
ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy);
|
||||
ctr_key = keys->ssl_rsa_kek_legacy;
|
||||
enforce_unique = false;
|
||||
} else if (generation) {
|
||||
ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation);
|
||||
ctr_key = keys->ssl_rsa_kek_personalized;
|
||||
} else {
|
||||
ctr_key = keys->ssl_rsa_kek;
|
||||
}
|
||||
|
||||
u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
|
||||
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv);
|
||||
|
||||
if (enforce_unique) {
|
||||
u32 calc_mac[SE_KEY_128_SIZE / 4] = {0};
|
||||
calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv);
|
||||
|
||||
const u8 *key8 = (const u8 *)encrypted_key;
|
||||
if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
|
||||
EPRINTF("SSL keypair has invalid GMac.");
|
||||
memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool _decrypt_eticket_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
|
||||
if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
|
||||
u32 generation = 0;
|
||||
const void *encrypted_key = NULL;
|
||||
const void *iv = NULL;
|
||||
u32 key_size = 0;
|
||||
void *ctr_key = NULL;
|
||||
|
||||
if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Handle legacy case
|
||||
if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
|
||||
u32 temp_key[SE_KEY_128_SIZE / 4] = {0};
|
||||
es_derive_rsa_kek_legacy(keys, temp_key);
|
||||
ctr_key = temp_key;
|
||||
|
||||
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
|
||||
|
||||
if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
|
||||
memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek));
|
||||
return true;
|
||||
}
|
||||
// Fall through and try usual method if not applicable
|
||||
}
|
||||
|
||||
if (generation) {
|
||||
es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev);
|
||||
ctr_key = keys->eticket_rsa_kek_personalized;
|
||||
} else {
|
||||
ctr_key = keys->eticket_rsa_kek;
|
||||
}
|
||||
|
||||
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
|
||||
|
||||
if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
|
||||
EPRINTF("Invalid eticket keypair.");
|
||||
memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
|
||||
if (!key_exists(keys->eticket_rsa_kek)) {
|
||||
if (!key_exists(&keys->eticket_rsa_keypair)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -543,12 +427,12 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
|
|||
return false;
|
||||
}
|
||||
|
||||
bool res = _decrypt_ssl_rsa_key(keys, titlekey_buffer);
|
||||
bool res = decrypt_ssl_rsa_key(keys, titlekey_buffer);
|
||||
if (!res) {
|
||||
EPRINTF("Unable to derive SSL key.");
|
||||
}
|
||||
|
||||
res =_decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev);
|
||||
res = decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev);
|
||||
if (!res) {
|
||||
EPRINTF("Unable to derive ETicket key.");
|
||||
}
|
||||
|
@ -611,7 +495,7 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
|
|||
u32 pos = 0;
|
||||
u32 zeros[SE_KEY_128_SIZE / 4] = {0};
|
||||
u8 *data = malloc(4 * SE_KEY_128_SIZE);
|
||||
char *text_buffer = calloc(1, 0x100 * count);
|
||||
char *text_buffer = calloc(count, 0x100);
|
||||
|
||||
for (u32 ks = start; ks < start + count; ks++) {
|
||||
// Check if key is as expected
|
||||
|
@ -688,14 +572,13 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
|
|||
}
|
||||
|
||||
static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
|
||||
char *text_buffer = NULL;
|
||||
if (!sd_mount()) {
|
||||
EPRINTF("Unable to mount SD.");
|
||||
return;
|
||||
}
|
||||
|
||||
u32 text_buffer_size = MAX(_titlekey_count * sizeof(titlekey_text_buffer_t) + 1, SZ_16K);
|
||||
text_buffer = (char *)calloc(1, text_buffer_size);
|
||||
char *text_buffer = (char *)calloc(1, text_buffer_size);
|
||||
|
||||
SAVE_KEY(aes_kek_generation_source);
|
||||
SAVE_KEY(aes_key_generation_source);
|
||||
|
@ -765,9 +648,8 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
|
|||
SAVE_KEY(titlekek_source);
|
||||
SAVE_KEY_VAR(tsec_key, keys->tsec_key);
|
||||
|
||||
const u32 root_key_ver = 2;
|
||||
char root_key_name[21] = "tsec_root_key_00";
|
||||
s_printf(root_key_name + 14, "%02x", root_key_ver);
|
||||
s_printf(root_key_name + 14, "%02x", TSEC_ROOT_KEY_VERSION);
|
||||
_save_key(root_key_name, keys->tsec_root_key, SE_KEY_128_SIZE, text_buffer);
|
||||
|
||||
gfx_printf("\n%k Found %d %s keys.\n\n", colors[(color_idx++) % 6], _key_count, is_dev ? "dev" : "prod");
|
||||
|
@ -811,31 +693,6 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
|
|||
free(text_buffer);
|
||||
}
|
||||
|
||||
static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
|
||||
key_storage_t *keys = is_dev ? dev_keys : prod_keys;
|
||||
|
||||
if (h_cfg.t210b01) {
|
||||
_derive_master_keys_mariko(keys, is_dev);
|
||||
_derive_master_keys_from_latest_key(keys, is_dev);
|
||||
} else {
|
||||
if (run_ams_keygen(keys)) {
|
||||
EPRINTF("Failed to run keygen.");
|
||||
return;
|
||||
}
|
||||
|
||||
u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
|
||||
se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
|
||||
memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
|
||||
free(aes_keys);
|
||||
|
||||
_derive_master_keys_from_latest_key(prod_keys, false);
|
||||
_derive_master_keys_from_latest_key(dev_keys, true);
|
||||
_derive_keyblob_keys(keys);
|
||||
}
|
||||
}
|
||||
|
||||
static void _derive_keys() {
|
||||
minerva_periodic_training();
|
||||
|
||||
|
@ -872,9 +729,9 @@ static void _derive_keys() {
|
|||
|
||||
TPRINTFARGS("%kBIS keys... ", colors[(color_idx++) % 6]);
|
||||
|
||||
_derive_misc_keys(keys, is_dev);
|
||||
_derive_non_unique_keys(&prod_keys);
|
||||
_derive_non_unique_keys(&dev_keys);
|
||||
_derive_misc_keys(keys);
|
||||
_derive_non_unique_keys(&prod_keys, is_dev);
|
||||
_derive_non_unique_keys(&dev_keys, is_dev);
|
||||
|
||||
titlekey_buffer_t *titlekey_buffer = (titlekey_buffer_t *)TITLEKEY_BUF_ADR;
|
||||
|
||||
|
|
|
@ -23,52 +23,6 @@
|
|||
#include <sec/se_t210.h>
|
||||
#include <utils/types.h>
|
||||
|
||||
// only tickets of type Rsa2048Sha256 are expected
|
||||
typedef struct {
|
||||
u32 signature_type; // always 0x10004
|
||||
u8 signature[SE_RSA2048_DIGEST_SIZE];
|
||||
u8 sig_padding[0x3C];
|
||||
char issuer[0x40];
|
||||
u8 titlekey_block[SE_RSA2048_DIGEST_SIZE];
|
||||
u8 format_version;
|
||||
u8 titlekey_type;
|
||||
u16 ticket_version;
|
||||
u8 license_type;
|
||||
u8 common_key_id;
|
||||
u16 property_mask;
|
||||
u64 reserved;
|
||||
u64 ticket_id;
|
||||
u64 device_id;
|
||||
u8 rights_id[0x10];
|
||||
u32 account_id;
|
||||
u32 sect_total_size;
|
||||
u32 sect_hdr_offset;
|
||||
u16 sect_hdr_count;
|
||||
u16 sect_hdr_entry_size;
|
||||
u8 padding[0x140];
|
||||
} ticket_t;
|
||||
|
||||
typedef struct {
|
||||
u8 rights_id[0x10];
|
||||
u64 ticket_id;
|
||||
u32 account_id;
|
||||
u16 property_mask;
|
||||
u16 reserved;
|
||||
} ticket_record_t;
|
||||
|
||||
typedef struct {
|
||||
u8 read_buffer[SZ_256K];
|
||||
u8 rights_ids[SZ_256K / 0x10][0x10];
|
||||
u8 titlekeys[SZ_256K / 0x10][0x10];
|
||||
} titlekey_buffer_t;
|
||||
|
||||
typedef struct {
|
||||
char rights_id[0x20];
|
||||
char equals[3];
|
||||
char titlekey[0x20];
|
||||
char newline[1];
|
||||
} titlekey_text_buffer_t;
|
||||
|
||||
#define TPRINTF(text) \
|
||||
end_time = get_tmr_us(); \
|
||||
gfx_printf(text" done in %d us\n", end_time - start_time); \
|
||||
|
|
|
@ -16,7 +16,15 @@
|
|||
|
||||
#include "ssl_crypto.h"
|
||||
|
||||
#include "cal0_read.h"
|
||||
#include "gmac.h"
|
||||
|
||||
#include "../config.h"
|
||||
#include <gfx_utils.h>
|
||||
#include <sec/se.h>
|
||||
#include <sec/se_t210.h>
|
||||
|
||||
#include <string.h>
|
||||
|
||||
extern hekate_config h_cfg;
|
||||
|
||||
|
@ -49,3 +57,64 @@ void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is
|
|||
u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
|
||||
derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
|
||||
}
|
||||
|
||||
bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer) {
|
||||
if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer;
|
||||
u32 generation = 0;
|
||||
const void *encrypted_key = NULL;
|
||||
const void *iv = NULL;
|
||||
u32 key_size = 0;
|
||||
void *ctr_key = NULL;
|
||||
bool enforce_unique = true;
|
||||
|
||||
if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (key_size == SSL_RSA_KEY_SIZE) {
|
||||
bool all_zero = true;
|
||||
const u8 *key8 = (const u8 *)encrypted_key;
|
||||
for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
|
||||
if (key8[i] != 0) {
|
||||
all_zero = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (all_zero) {
|
||||
// Keys of this form are not encrypted
|
||||
memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE);
|
||||
return true;
|
||||
}
|
||||
|
||||
ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy);
|
||||
ctr_key = keys->ssl_rsa_kek_legacy;
|
||||
enforce_unique = false;
|
||||
} else if (generation) {
|
||||
ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation);
|
||||
ctr_key = keys->ssl_rsa_kek_personalized;
|
||||
} else {
|
||||
ctr_key = keys->ssl_rsa_kek;
|
||||
}
|
||||
|
||||
u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
|
||||
se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
|
||||
se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv);
|
||||
|
||||
if (enforce_unique) {
|
||||
u32 calc_mac[SE_KEY_128_SIZE / 4] = {0};
|
||||
calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv);
|
||||
|
||||
const u8 *key8 = (const u8 *)encrypted_key;
|
||||
if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
|
||||
EPRINTF("SSL keypair has invalid GMac.");
|
||||
memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
|
|
@ -21,6 +21,8 @@
|
|||
|
||||
#include <utils/types.h>
|
||||
|
||||
#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE)
|
||||
|
||||
static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
|
||||
0x7F, 0x5B, 0xB0, 0x84, 0x7B, 0x25, 0xAA, 0x67, 0xFA, 0xC8, 0x4B, 0xE2, 0x3D, 0x7B, 0x69, 0x03};
|
||||
static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
|
||||
|
@ -38,4 +40,6 @@ void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u3
|
|||
void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
|
||||
void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
|
||||
|
||||
bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer);
|
||||
|
||||
#endif
|
||||
|
|
Loading…
Reference in a new issue