From 582bc916053ab2f30aeb78d7932232a5bbd78bd5 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Thu, 31 Mar 2022 12:28:32 -0600
Subject: [PATCH 01/21] Move Mariko partial key dump to main menu

---
 source/gfx/tui.c   |  2 +-
 source/gfx/tui.h   |  4 +--
 source/keys/keys.c | 36 ++++++++++---------
 source/keys/keys.h |  1 +
 source/main.c      | 90 +++++++++++++++++++++++++++++++++++-----------
 5 files changed, 92 insertions(+), 41 deletions(-)

diff --git a/source/gfx/tui.c b/source/gfx/tui.c
index 6d0e6b4..ec6c08a 100644
--- a/source/gfx/tui.c
+++ b/source/gfx/tui.c
@@ -135,7 +135,7 @@ void *tui_do_menu(menu_t *menu)
 				gfx_con_setcol(0xFF1B1B1B, 1, 0xFFCCCCCC);
 			else
 				gfx_con_setcol(0xFFCCCCCC, 1, 0xFF1B1B1B);
-			if (menu->ents[cnt].type != MENT_CHGLINE && menu->ents[cnt].type != MENT_MENU)
+			if (menu->ents[cnt].type != MENT_CHGLINE)
 			{
 				if (cnt == idx)
 					gfx_printf(" %s", menu->ents[cnt].caption);
diff --git a/source/gfx/tui.h b/source/gfx/tui.h
index 6f02781..98330b6 100644
--- a/source/gfx/tui.h
+++ b/source/gfx/tui.h
@@ -54,8 +54,8 @@ typedef struct _menu_t
 #define MDEF_END() {MENT_END}
 #define MDEF_HANDLER(caption, _handler, color) { MENT_HANDLER, caption, color, NULL, { .handler = _handler } }
 #define MDEF_HANDLER_EX(caption, data, _handler, color) { MENT_HANDLER, caption, color, data, { .handler = _handler } }
-#define MDEF_MENU(caption, _menu) { MENT_MENU, caption, 0, NULL, { .menu = _menu } }
-#define MDEF_BACK() { MENT_BACK, "Back" }
+#define MDEF_MENU(caption, _menu, color) { MENT_MENU, caption, color, NULL, { .menu = _menu } }
+#define MDEF_BACK(color) { MENT_BACK, "Back", color }
 #define MDEF_CAPTION(caption, color) { MENT_CAPTION, caption, color }
 #define MDEF_CHGLINE() {MENT_CHGLINE}
 
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 74d2ecf..c5c4bae 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -583,11 +583,15 @@ static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
 // The security engine supports partial key override for locked keyslots
 // This allows for a manageable brute force on a PC
 // Then the Mariko AES class keys, KEK, BEK, unique SBK and SSK can be recovered
-static void _save_mariko_partial_keys(u32 start, u32 count, bool append) {
+int save_mariko_partial_keys(u32 start, u32 count, bool append) {
     if (start + count > SE_AES_KEYSLOT_COUNT) {
-        return;
+        return 1;
     }
 
+    display_backlight_brightness(h_cfg.backlight, 1000);
+    gfx_clear_partial_grey(0x1B, 32, 1224);
+    gfx_con_setpos(0, 32);
+
     u32 pos = 0;
     u32 zeros[AES_128_KEY_SIZE / 4] = {0};
     u8 *data = malloc(4 * AES_128_KEY_SIZE);
@@ -632,11 +636,11 @@ static void _save_mariko_partial_keys(u32 start, u32 count, bool append) {
 
     if (strlen(text_buffer) == 0) {
         EPRINTFARGS("Failed to dump partial keys %d-%d.", start, start + count - 1);
-        return;
+        free(text_buffer);
+        return 2;
     }
 
     FIL fp;
-    u32 res = 0;
     BYTE mode = FA_WRITE;
 
     if (append) {
@@ -645,10 +649,16 @@ static void _save_mariko_partial_keys(u32 start, u32 count, bool append) {
         mode |= FA_CREATE_ALWAYS;
     }
 
-    res = f_open(&fp, "sd:/switch/partialaes.keys", mode);
-    if (res) {
+    if (!sd_mount()) {
+        EPRINTF("Unable to mount SD.");
+        free(text_buffer);
+        return 3;
+    }
+
+    if (f_open(&fp, "sd:/switch/partialaes.keys", mode)) {
         EPRINTF("Unable to write partial keys to SD.");
-        return;
+        free(text_buffer);
+        return 3;
     }
 
     f_write(&fp, text_buffer, strlen(text_buffer), NULL);
@@ -657,6 +667,8 @@ static void _save_mariko_partial_keys(u32 start, u32 count, bool append) {
     gfx_printf("%kWrote partials to sd:/switch/partialaes.keys\n", colors[(color_idx++) % 6]);
 
     free(text_buffer);
+
+    return 0;
 }
 
 static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
@@ -756,10 +768,6 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
     } else
         EPRINTF("Unable to save keys to SD.");
 
-    if (h_cfg.t210b01) {
-        _save_mariko_partial_keys(12, 4, true);
-    }
-
     if (_titlekey_count == 0 || !titlekey_buffer) {
         free(text_buffer);
         return;
@@ -801,12 +809,6 @@ static void _derive_keys() {
 
     minerva_periodic_training();
 
-    if (h_cfg.t210b01) {
-        _save_mariko_partial_keys(0, 12, false);
-    }
-
-    minerva_periodic_training();
-
     if (!_check_keyslot_access()) {
         EPRINTF("Unable to set crypto keyslots!\nTry launching payload differently\n or flash Spacecraft-NX if using a modchip.");
         return;
diff --git a/source/keys/keys.h b/source/keys/keys.h
index 676fddb..8e2fb23 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -141,5 +141,6 @@ typedef struct {
 #define SAVE_KEY_FAMILY_VAR(name, varname, start) _save_key_family(#name, varname, start, ARRAY_SIZE(varname), sizeof(*(varname)), text_buffer)
 
 void dump_keys();
+int save_mariko_partial_keys(u32 start, u32 count, bool append);
 
 #endif
diff --git a/source/main.c b/source/main.c
index cd8e92e..b4aa670 100644
--- a/source/main.c
+++ b/source/main.c
@@ -304,26 +304,80 @@ void dump_emunand()
 	dump_keys();
 }
 
+void dump_mariko_partial_keys();
+
+ment_t ment_partials[] = {
+	MDEF_BACK(colors[0]),
+	MDEF_CHGLINE(),
+	MDEF_CAPTION("This dumps the results of writing zeros", colors[1]),
+	MDEF_CAPTION("over consecutive 32-bit portions of each", colors[1]),
+	MDEF_CAPTION("keyslot, the results of which can then", colors[1]),
+	MDEF_CAPTION("be bruteforced quickly on a computer", colors[1]),
+	MDEF_CAPTION("to recover keys from unreadable keyslots.", colors[1]),
+	MDEF_CHGLINE(),
+	MDEF_CAPTION("This includes the Mariko KEK and BEK", colors[2]),
+	MDEF_CAPTION("as well as the unique SBK.", colors[2]),
+	MDEF_CHGLINE(),
+	MDEF_CAPTION("These are not useful for most users", colors[3]),
+	MDEF_CAPTION("but are included for archival purposes.", colors[3]),
+	MDEF_CHGLINE(),
+	MDEF_CAPTION("Warning: this wipes keyslots!", colors[4]),
+	MDEF_CAPTION("The console must be completely restarted!", colors[4]),
+	MDEF_CAPTION("Modchip must run again to fix the keys!", colors[4]),
+	MDEF_CAPTION("---------------", colors[5]),
+	MDEF_HANDLER("Dump Mariko Partials", dump_mariko_partial_keys, colors[0]),
+	MDEF_END()
+};
+
+menu_t menu_partials = { ment_partials, NULL, 0, 0 };
+
 power_state_t STATE_POWER_OFF           = POWER_OFF_RESET;
 power_state_t STATE_REBOOT_FULL         = POWER_OFF_REBOOT;
 power_state_t STATE_REBOOT_RCM          = REBOOT_RCM;
 power_state_t STATE_REBOOT_BYPASS_FUSES = REBOOT_BYPASS_FUSES;
 
 ment_t ment_top[] = {
-	MDEF_HANDLER("Dump from SysNAND", dump_sysnand, COLOR_RED),
-	MDEF_HANDLER("Dump from EmuNAND", dump_emunand, COLOR_ORANGE),
-	MDEF_CAPTION("---------------", COLOR_YELLOW),
-	MDEF_HANDLER("Payloads...", launch_tools, COLOR_GREEN),
-	MDEF_HANDLER("Reboot to hekate", launch_hekate, COLOR_BLUE),
-	MDEF_CAPTION("---------------", COLOR_VIOLET),
-	MDEF_HANDLER_EX("Reboot (OFW)", &STATE_REBOOT_BYPASS_FUSES, power_set_state_ex, COLOR_RED),
-	MDEF_HANDLER_EX("Reboot (RCM)", &STATE_REBOOT_RCM, power_set_state_ex, COLOR_ORANGE),
-	MDEF_HANDLER_EX("Power off", &STATE_POWER_OFF, power_set_state_ex, COLOR_YELLOW),
+	MDEF_HANDLER("Dump from SysNAND", dump_sysnand, colors[0]),
+	MDEF_HANDLER("Dump from EmuNAND", dump_emunand, colors[1]),
+	MDEF_CAPTION("---------------", colors[2]),
+	MDEF_MENU("Dump Mariko Partials (requires reboot)", &menu_partials, colors[3]),
+	MDEF_CAPTION("---------------", colors[4]),
+	MDEF_HANDLER("Payloads...", launch_tools, colors[5]),
+	MDEF_HANDLER("Reboot to hekate", launch_hekate, colors[0]),
+	MDEF_CAPTION("---------------", colors[1]),
+	MDEF_HANDLER_EX("Reboot (OFW)", &STATE_REBOOT_BYPASS_FUSES, power_set_state_ex, colors[2]),
+	MDEF_HANDLER_EX("Reboot (RCM)", &STATE_REBOOT_RCM, power_set_state_ex, colors[3]),
+	MDEF_HANDLER_EX("Power off", &STATE_POWER_OFF, power_set_state_ex, colors[4]),
 	MDEF_END()
 };
 
 menu_t menu_top = { ment_top, NULL, 0, 0 };
 
+void grey_out_menu_item(ment_t *menu)
+{
+	menu->type = MENT_CAPTION;
+	menu->color = 0xFF555555;
+	menu->handler = NULL;
+}
+
+void dump_mariko_partial_keys()
+{
+	if (h_cfg.t210b01) {
+		int res = save_mariko_partial_keys(0, 16, false);
+		if (res == 0 || res == 3)
+		{
+			// Grey out dumping menu items as the keyslots have been invalidated.
+			grey_out_menu_item(&ment_top[0]);
+			grey_out_menu_item(&ment_top[1]);
+			grey_out_menu_item(&ment_top[3]);
+			grey_out_menu_item(&ment_partials[18]);
+		}
+
+		gfx_printf("\n%kPress a button to return to the menu.", COLOR_ORANGE);
+		btn_wait();
+	}
+}
+
 extern void pivot_stack(u32 stack_top);
 
 void ipl_main()
@@ -373,30 +427,24 @@ void ipl_main()
 	// Grey out emummc option if not present.
 	if (h_cfg.emummc_force_disable)
 	{
-		ment_top[1].type = MENT_CAPTION;
-		ment_top[1].color = 0xFF555555;
-		ment_top[1].handler = NULL;
+		grey_out_menu_item(&ment_top[1]);
 	}
 
 	// Grey out reboot to RCM option if on Mariko or patched console.
 	if (h_cfg.t210b01 || h_cfg.rcm_patched)
 	{
-		ment_top[7].type = MENT_CAPTION;
-		ment_top[7].color = 0xFF555555;
-		ment_top[7].handler = NULL;
+		grey_out_menu_item(&ment_top[9]);
 	}
 
-	if (h_cfg.rcm_patched)
-	{
-		ment_top[7].data = &STATE_REBOOT_FULL;
+	// Grey out Mariko partial dump option on Erista.
+	if (!h_cfg.t210b01) {
+		grey_out_menu_item(&ment_top[3]);
 	}
 
 	// Grey out reboot to hekate option if no update.bin found.
 	if (f_stat("bootloader/update.bin", NULL))
 	{
-		ment_top[4].type = MENT_CAPTION;
-		ment_top[4].color = 0xFF555555;
-		ment_top[4].handler = NULL;
+		grey_out_menu_item(&ment_top[6]);
 	}
 
 	minerva_change_freq(FREQ_800);

From 5f35c8396da14f23b076f140364647273063fe69 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Thu, 31 Mar 2022 13:58:26 -0600
Subject: [PATCH 02/21] keys: Move master key derivation into own function

---
 source/keys/keys.c | 53 +++++++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 24 deletions(-)

diff --git a/source/keys/keys.c b/source/keys/keys.c
index c5c4bae..43702ff 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -802,6 +802,34 @@ static bool _check_keyslot_access() {
     return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0;
 }
 
+static void _derive_master_keys(key_derivation_ctx_t *prod_keys, key_derivation_ctx_t *dev_keys, bool is_dev) {
+    key_derivation_ctx_t *keys = is_dev ? dev_keys : prod_keys;
+
+    if (h_cfg.t210b01) {
+        _derive_master_key_mariko(keys, is_dev);
+        minerva_periodic_training();
+        _derive_master_keys_from_latest_key(keys, is_dev);
+    } else {
+        int res = _run_ams_keygen(keys);
+        if (res) {
+            return;
+        }
+
+        u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
+        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE);
+        memcpy(&dev_keys->tsec_root_key, aes_keys + 11 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
+        memcpy(keys->tsec_key, aes_keys + 12 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
+        memcpy(&prod_keys->tsec_root_key, aes_keys + 13 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
+        free(aes_keys);
+
+        _derive_master_keys_from_latest_key(prod_keys, false);
+        minerva_periodic_training();
+        _derive_master_keys_from_latest_key(dev_keys, true);
+        minerva_periodic_training();
+        _derive_keyblob_keys(keys);
+    }
+}
+
 static void _derive_keys() {
     if (!f_stat("sd:/switch/partialaes.keys", NULL)) {
         f_unlink("sd:/switch/partialaes.keys");
@@ -834,30 +862,7 @@ static void _derive_keys() {
     key_derivation_ctx_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
     key_derivation_ctx_t *keys = is_dev ? &dev_keys : &prod_keys;
 
-    // Master key derivation
-    if (h_cfg.t210b01) {
-        _derive_master_key_mariko(keys, is_dev);
-        minerva_periodic_training();
-        _derive_master_keys_from_latest_key(keys, is_dev);
-    } else {
-        int res = _run_ams_keygen(keys);
-        if (res) {
-            return;
-        }
-
-        u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
-        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE);
-        memcpy(&dev_keys.tsec_root_key, aes_keys + 11 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
-        memcpy(keys->tsec_key, aes_keys + 12 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
-        memcpy(&prod_keys.tsec_root_key, aes_keys + 13 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
-        free(aes_keys);
-
-        _derive_master_keys_from_latest_key(&prod_keys, false);
-        minerva_periodic_training();
-        _derive_master_keys_from_latest_key(&dev_keys, true);
-        minerva_periodic_training();
-        _derive_keyblob_keys(keys);
-    }
+    _derive_master_keys(&prod_keys, &dev_keys, is_dev);
 
     TPRINTFARGS("%kMaster keys...  ", colors[(color_idx++) % 6]);
 

From 065ba8bc115772c99496d41454f17e4ff1f18b7e Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Thu, 31 Mar 2022 18:30:57 -0600
Subject: [PATCH 03/21] Add Amiibo key dump support

---
 source/keys/key_sources.inl |  30 +++++++++
 source/keys/keys.c          | 125 ++++++++++++++++++++++++++++++++----
 source/keys/keys.h          |  22 +++++++
 source/main.c               |  30 +++++----
 4 files changed, 182 insertions(+), 25 deletions(-)

diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index 9bfdbb0..02063b2 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -209,6 +209,8 @@ static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW
 // from SPL
 static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = {
     0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8};
+static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = {
+    0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E};
 
 // from FS
 static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = {
@@ -250,3 +252,31 @@ static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = {
 static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = {
     0X24, 0X49, 0XB7, 0X22, 0X72, 0X67, 0X03, 0XA8, 0X19, 0X65, 0XE6, 0XE3, 0XEA, 0X58, 0X2F, 0XDD,
     0X9A, 0X95, 0X15, 0X17, 0XB1, 0X6E, 0X8F, 0X7F, 0X1F, 0X68, 0X26, 0X31, 0X52, 0XEA, 0X29, 0X6A};
+
+// from NFC
+static const u8 nfc_key_source[0x10] __attribute__((aligned(4))) = {
+    0x83, 0xF6, 0xEF, 0xD8, 0x13, 0x26, 0x49, 0xAB, 0x97, 0x5F, 0xEA, 0xBA, 0x65, 0x71, 0xCA, 0xCA};
+static const u8 encrypted_nfc_keys[0x80] __attribute__((aligned(4))) = {
+    0x76, 0x50, 0x87, 0x02, 0x40, 0xA6, 0x5A, 0x98, 0xCE, 0x39, 0x2F, 0xC8, 0x83, 0xAF, 0x54, 0x76,
+    0x28, 0xFF, 0x50, 0xFC, 0xC1, 0xFB, 0x26, 0x14, 0xA2, 0x4A, 0xA6, 0x74, 0x90, 0xA4, 0x37, 0x06,
+    0x03, 0x63, 0xC2, 0xB1, 0xAF, 0x9F, 0xF7, 0x07, 0xFC, 0x8A, 0xB9, 0xCA, 0x28, 0x68, 0x6E, 0xF7,
+    0x42, 0xCD, 0x68, 0x13, 0xCD, 0x7B, 0x3A, 0x60, 0x3E, 0x8B, 0xAB, 0x3A, 0xCC, 0xED, 0xE0, 0xDD,
+    0x71, 0x1F, 0xA5, 0xDE, 0xB8, 0xB1, 0xF5, 0x1D, 0x14, 0x73, 0xBE, 0x27, 0xCC, 0xA1, 0x9B, 0x23,
+    0x06, 0x91, 0x89, 0x05, 0xED, 0xD6, 0x92, 0x76, 0x3F, 0x42, 0xFB, 0xD1, 0x8F, 0x2D, 0x6D, 0x72,
+    0xC8, 0x9E, 0x48, 0xE8, 0x03, 0x64, 0xF0, 0x3C, 0x0E, 0x2A, 0xF1, 0x26, 0x83, 0x02, 0x4F, 0xE2,
+    0x41, 0xAA, 0xC8, 0x33, 0x68, 0x84, 0x3A, 0xFB, 0x87, 0x18, 0xEA, 0xF7, 0x36, 0xA2, 0x4E, 0xA9};
+static const u8 encrypted_nfc_keys_dev[0x80] __attribute__((aligned(4))) = {
+    0x13, 0xB0, 0xFB, 0xC2, 0x91, 0x6D, 0x6E, 0x5A, 0x10, 0x31, 0x40, 0xB7, 0xDF, 0xCF, 0x69, 0x69,
+    0xB0, 0xFA, 0xAE, 0x7F, 0xB2, 0x4D, 0x27, 0xC9, 0xE9, 0x3F, 0x5B, 0x38, 0x39, 0x24, 0x98, 0xCE,
+    0xED, 0xD2, 0xA9, 0x6C, 0x6F, 0xA7, 0x72, 0xD7, 0x11, 0x31, 0x17, 0x93, 0x12, 0x49, 0x32, 0x85,
+    0x21, 0xE5, 0xE1, 0x88, 0x0F, 0x08, 0xF2, 0x30, 0x5C, 0xC3, 0xAA, 0xFF, 0xC0, 0xAB, 0x21, 0x96,
+    0x74, 0x39, 0xED, 0xE0, 0x5A, 0xB6, 0x75, 0xC2, 0x3B, 0x08, 0x61, 0xE4, 0xA7, 0xD6, 0xED, 0x8C,
+    0xA9, 0x02, 0x12, 0xA6, 0xCC, 0x27, 0x4C, 0x1C, 0x41, 0x9C, 0xD8, 0x4C, 0x00, 0xC7, 0x5B, 0x5D,
+    0xED, 0xC2, 0x3D, 0x5E, 0x00, 0xF5, 0x49, 0xFA, 0x6C, 0x75, 0x67, 0xCF, 0x1F, 0x73, 0x1A, 0xE8,
+    0x47, 0xD4, 0x3D, 0x9B, 0x83, 0x5B, 0x18, 0x2F, 0x95, 0xA9, 0x04, 0xBC, 0x2E, 0xBB, 0x64, 0x4A};
+static const u8 nfc_blob_hash[0x20] __attribute__((aligned(4))) = {
+    0x7F, 0x92, 0x83, 0x65, 0x4E, 0xC1, 0x09, 0x7F, 0xBD, 0xFF, 0x31, 0xDE, 0x94, 0x66, 0x51, 0xAE,
+    0x60, 0xC2, 0x85, 0x4A, 0xFB, 0x54, 0x4A, 0xBE, 0x89, 0x63, 0xD3, 0x89, 0x63, 0x9C, 0x71, 0x0E};
+static const u8 nfc_blob_hash_dev[0x20] __attribute__((aligned(4))) = {
+    0x4E, 0x36, 0x59, 0x1C, 0x75, 0x80, 0x23, 0x03, 0x98, 0x2D, 0x45, 0xD9, 0x85, 0xB8, 0x60, 0x18,
+    0x7C, 0x85, 0x37, 0x9B, 0xCB, 0xBA, 0xF3, 0xDC, 0x25, 0x38, 0x73, 0xDB, 0x2F, 0xFA, 0xAE, 0x26};
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 43702ff..f17a66d 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -74,6 +74,7 @@ static int  _key_exists(const void *data) { return memcmp(data, "\x00\x00\x00\x0
 static void _save_key(const char *name, const void *data, u32 len, char *outbuf);
 static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf);
 static void _generate_kek(u32 ks, const void *key_source, const void *master_key, const void *kek_seed, const void *key_seed);
+static void _decrypt_aes_key(u32 ks, void *dst, const void *key_source, const void *master_key);
 static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 key_generation);
 static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 revision);
 // titlekey functions
@@ -584,6 +585,11 @@ static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
 // This allows for a manageable brute force on a PC
 // Then the Mariko AES class keys, KEK, BEK, unique SBK and SSK can be recovered
 int save_mariko_partial_keys(u32 start, u32 count, bool append) {
+    const char *keyfile_path = "sd:/switch/partialaes.keys";
+    if (!f_stat(keyfile_path, NULL)) {
+        f_unlink(keyfile_path);
+    }
+
     if (start + count > SE_AES_KEYSLOT_COUNT) {
         return 1;
     }
@@ -592,6 +598,8 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
     gfx_clear_partial_grey(0x1B, 32, 1224);
     gfx_con_setpos(0, 32);
 
+    color_idx = 0;
+
     u32 pos = 0;
     u32 zeros[AES_128_KEY_SIZE / 4] = {0};
     u8 *data = malloc(4 * AES_128_KEY_SIZE);
@@ -655,7 +663,7 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
         return 3;
     }
 
-    if (f_open(&fp, "sd:/switch/partialaes.keys", mode)) {
+    if (f_open(&fp, keyfile_path, mode)) {
         EPRINTF("Unable to write partial keys to SD.");
         free(text_buffer);
         return 3;
@@ -664,7 +672,7 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
     f_write(&fp, text_buffer, strlen(text_buffer), NULL);
     f_close(&fp);
 
-    gfx_printf("%kWrote partials to sd:/switch/partialaes.keys\n", colors[(color_idx++) % 6]);
+    gfx_printf("%kWrote partials to %s\n", colors[(color_idx++) % 6], keyfile_path);
 
     free(text_buffer);
 
@@ -757,16 +765,15 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
     gfx_printf("%kFound through master_key_%02x.\n\n", colors[(color_idx++) % 6], KB_FIRMWARE_VERSION_MAX);
 
     f_mkdir("sd:/switch");
-    char keyfile_path[30] = "sd:/switch/prod.keys";
-    if (is_dev) {
-        s_printf(&keyfile_path[11], "dev.keys");
-    }
+
+    const char *keyfile_path = is_dev ? "sd:/switch/dev.keys" : "sd:/switch/prod.keys";
 
     FILINFO fno;
     if (!sd_save_to_file(text_buffer, strlen(text_buffer), keyfile_path) && !f_stat(keyfile_path, &fno)) {
         gfx_printf("%kWrote %d bytes to %s\n", colors[(color_idx++) % 6], (u32)fno.fsize, keyfile_path);
-    } else
+    } else {
         EPRINTF("Unable to save keys to SD.");
+    }
 
     if (_titlekey_count == 0 || !titlekey_buffer) {
         free(text_buffer);
@@ -784,11 +791,13 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
             s_printf(&titlekey_text[i].titlekey[j * 2], "%02x", titlekey_buffer->titlekeys[i][j]);
         s_printf(titlekey_text[i].newline, "\n");
     }
-    s_printf(&keyfile_path[11], "title.keys");
+
+    keyfile_path = "sd:/switch/title.keys";
     if (!sd_save_to_file(text_buffer, strlen(text_buffer), keyfile_path) && !f_stat(keyfile_path, &fno)) {
         gfx_printf("%kWrote %d bytes to %s\n", colors[(color_idx++) % 6], (u32)fno.fsize, keyfile_path);
-    } else
+    } else {
         EPRINTF("Unable to save titlekeys to SD.");
+    }
 
     free(text_buffer);
 }
@@ -831,10 +840,6 @@ static void _derive_master_keys(key_derivation_ctx_t *prod_keys, key_derivation_
 }
 
 static void _derive_keys() {
-    if (!f_stat("sd:/switch/partialaes.keys", NULL)) {
-        f_unlink("sd:/switch/partialaes.keys");
-    }
-
     minerva_periodic_training();
 
     if (!_check_keyslot_access()) {
@@ -875,10 +880,13 @@ static void _derive_keys() {
 
     minerva_periodic_training();
     _derive_non_unique_keys(&prod_keys, is_dev);
+
     minerva_periodic_training();
     _derive_non_unique_keys(&dev_keys, is_dev);
+
     minerva_periodic_training();
     _derive_per_generation_keys(&prod_keys);
+
     minerva_periodic_training();
     _derive_per_generation_keys(&dev_keys);
 
@@ -907,6 +915,89 @@ static void _derive_keys() {
     }
 }
 
+void derive_amiibo_keys() {
+    minerva_change_freq(FREQ_1600);
+
+    bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV;
+
+    key_derivation_ctx_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
+    key_derivation_ctx_t *keys = is_dev ? &dev_keys : &prod_keys;
+    const u8 *encrypted_keys = is_dev ? encrypted_nfc_keys_dev : encrypted_nfc_keys;
+
+    _derive_master_keys(&prod_keys, &dev_keys, is_dev);
+
+    minerva_periodic_training();
+
+    display_backlight_brightness(h_cfg.backlight, 1000);
+    gfx_clear_partial_grey(0x1B, 32, 1224);
+    gfx_con_setpos(0, 32);
+
+    color_idx = 0;
+
+    minerva_periodic_training();
+
+    if (!_key_exists(keys->master_key[0])) {
+        EPRINTF("Unable to derive master keys for NFC.");
+        minerva_change_freq(FREQ_800);
+        btn_wait();
+        return;
+    }
+
+    _decrypt_aes_key(8, keys->temp_key, nfc_key_source, keys->master_key[0]);
+
+    nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
+    static const u8 nfc_iv[AES_128_KEY_SIZE] = {
+        0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
+    se_aes_key_set(6, keys->temp_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(6, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
+
+    minerva_periodic_training();
+
+    u8 xor_pad[0x20] __attribute__((aligned(4))) = {0};
+    se_aes_key_set(6, nfc_keyblob.ctr_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(6, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
+
+    minerva_periodic_training();
+
+    nfc_save_key_t __attribute__((aligned(4))) nfc_save_keys[2] = {0};
+    memcpy(nfc_save_keys[0].hmac_key, nfc_keyblob.hmac_key, sizeof(nfc_keyblob.hmac_key));
+    memcpy(nfc_save_keys[0].phrase, nfc_keyblob.phrase, sizeof(nfc_keyblob.phrase));
+    nfc_save_keys[0].seed_size = sizeof(nfc_keyblob.seed);
+    memcpy(nfc_save_keys[0].seed, nfc_keyblob.seed, sizeof(nfc_keyblob.seed));
+    memcpy(nfc_save_keys[0].xor_pad, xor_pad, sizeof(xor_pad));
+
+    memcpy(nfc_save_keys[1].hmac_key, nfc_keyblob.hmac_key_for_verif, sizeof(nfc_keyblob.hmac_key_for_verif));
+    memcpy(nfc_save_keys[1].phrase, nfc_keyblob.phrase_for_verif, sizeof(nfc_keyblob.phrase_for_verif));
+    nfc_save_keys[1].seed_size = sizeof(nfc_keyblob.seed_for_verif);
+    memcpy(nfc_save_keys[1].seed, nfc_keyblob.seed_for_verif, sizeof(nfc_keyblob.seed_for_verif));
+    memcpy(nfc_save_keys[1].xor_pad, xor_pad, sizeof(xor_pad));
+
+    minerva_periodic_training();
+
+    u8 hash[0x20] = {0};
+    se_calc_sha256_oneshot(hash, &nfc_save_keys[0], sizeof(nfc_save_keys));
+
+    if (memcmp(hash, is_dev ? nfc_blob_hash_dev : nfc_blob_hash, sizeof(hash)) != 0) {
+        EPRINTF("Amiibo hash mismatch. Skipping save.");
+        minerva_change_freq(FREQ_800);
+        btn_wait();
+        return;
+    }
+
+    const char *keyfile_path = is_dev ? "sd:/switch/key_dev.bin" : "sd:/switch/key_retail.bin";
+
+    if (!sd_save_to_file(&nfc_save_keys[0], sizeof(nfc_save_keys), keyfile_path)) {
+        gfx_printf("%kWrote Amiibo keys to\n %s\n", colors[(color_idx++) % 6], keyfile_path);
+    } else {
+        EPRINTF("Unable to save Amiibo keys to SD.");
+    }
+
+    gfx_printf("\n%kPress a button to return to the menu.", colors[(color_idx++) % 6]);
+    minerva_change_freq(FREQ_800);
+    btn_wait();
+    gfx_clear_grey(0x1B);
+}
+
 void dump_keys() {
     minerva_change_freq(FREQ_1600);
 
@@ -969,6 +1060,8 @@ static void _save_key_family(const char *name, const void *data, u32 start_key,
     free(temp_name);
 }
 
+// Equivalent to spl::GenerateAesKek. When key_seed is set, the result is as if spl::GenerateAesKey was called immediately after.
+// The generation and option args are dictated by master_key and kek_seed.
 static void _generate_kek(u32 ks, const void *key_source, const void *master_key, const void *kek_seed, const void *key_seed) {
     if (!_key_exists(key_source) || !_key_exists(master_key) || !_key_exists(kek_seed))
         return;
@@ -980,6 +1073,12 @@ static void _generate_kek(u32 ks, const void *key_source, const void *master_key
         se_aes_unwrap_key(ks, ks, key_seed);
 }
 
+// Equivalent to spl::DecryptAesKey.
+static void _decrypt_aes_key(u32 ks, void *dst, const void *key_source, const void *master_key) {
+    _generate_kek(ks, aes_key_decryption_source, master_key, aes_kek_generation_source, aes_key_generation_source);
+    se_aes_crypt_block_ecb(ks, 0, dst, key_source);
+}
+
 static void _get_secure_data(key_derivation_ctx_t *keys, void *dst) {
     se_aes_key_set(6, keys->device_key, AES_128_KEY_SIZE);
     u8 *d = (u8 *)dst;
diff --git a/source/keys/keys.h b/source/keys/keys.h
index 8e2fb23..ccb1e66 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -83,6 +83,27 @@ typedef struct {
     u8 unused[0x150];
 } encrypted_keyblob_t;
 
+typedef struct {
+    char phrase[0xE];
+    u8 seed[0xE];
+    u8 hmac_key[0x10];
+    char phrase_for_verif[0xE];
+    u8 seed_for_verif[0x10];
+    u8 hmac_key_for_verif[0x10];
+    u8 ctr_key[0x10];
+    u8 ctr_iv[0x10];
+    u8 pad[6];
+} nfc_keyblob_t;
+
+typedef struct {
+    u8 hmac_key[0x10];
+    char phrase[0xE];
+    u8 rsvd;
+    u8 seed_size;
+    u8 seed[0x10];
+    u8 xor_pad[0x20];
+} nfc_save_key_t;
+
 typedef struct {
     u8  temp_key[AES_128_KEY_SIZE],
         bis_key[4][AES_128_KEY_SIZE * 2],
@@ -142,5 +163,6 @@ typedef struct {
 
 void dump_keys();
 int save_mariko_partial_keys(u32 start, u32 count, bool append);
+void derive_amiibo_keys();
 
 #endif
diff --git a/source/main.c b/source/main.c
index b4aa670..368b820 100644
--- a/source/main.c
+++ b/source/main.c
@@ -304,6 +304,11 @@ void dump_emunand()
 	dump_keys();
 }
 
+void dump_amiibo_keys()
+{
+	derive_amiibo_keys();
+}
+
 void dump_mariko_partial_keys();
 
 ment_t ment_partials[] = {
@@ -340,14 +345,15 @@ ment_t ment_top[] = {
 	MDEF_HANDLER("Dump from SysNAND", dump_sysnand, colors[0]),
 	MDEF_HANDLER("Dump from EmuNAND", dump_emunand, colors[1]),
 	MDEF_CAPTION("---------------", colors[2]),
-	MDEF_MENU("Dump Mariko Partials (requires reboot)", &menu_partials, colors[3]),
-	MDEF_CAPTION("---------------", colors[4]),
-	MDEF_HANDLER("Payloads...", launch_tools, colors[5]),
-	MDEF_HANDLER("Reboot to hekate", launch_hekate, colors[0]),
-	MDEF_CAPTION("---------------", colors[1]),
-	MDEF_HANDLER_EX("Reboot (OFW)", &STATE_REBOOT_BYPASS_FUSES, power_set_state_ex, colors[2]),
-	MDEF_HANDLER_EX("Reboot (RCM)", &STATE_REBOOT_RCM, power_set_state_ex, colors[3]),
-	MDEF_HANDLER_EX("Power off", &STATE_POWER_OFF, power_set_state_ex, colors[4]),
+	MDEF_HANDLER("Dump Amiibo Keys", dump_amiibo_keys, colors[3]),
+	MDEF_MENU("Dump Mariko Partials (requires reboot)", &menu_partials, colors[4]),
+	MDEF_CAPTION("---------------", colors[5]),
+	MDEF_HANDLER("Payloads...", launch_tools, colors[0]),
+	MDEF_HANDLER("Reboot to hekate", launch_hekate, colors[1]),
+	MDEF_CAPTION("---------------", colors[2]),
+	MDEF_HANDLER_EX("Reboot (OFW)", &STATE_REBOOT_BYPASS_FUSES, power_set_state_ex, colors[3]),
+	MDEF_HANDLER_EX("Reboot (RCM)", &STATE_REBOOT_RCM, power_set_state_ex, colors[4]),
+	MDEF_HANDLER_EX("Power off", &STATE_POWER_OFF, power_set_state_ex, colors[5]),
 	MDEF_END()
 };
 
@@ -369,7 +375,7 @@ void dump_mariko_partial_keys()
 			// Grey out dumping menu items as the keyslots have been invalidated.
 			grey_out_menu_item(&ment_top[0]);
 			grey_out_menu_item(&ment_top[1]);
-			grey_out_menu_item(&ment_top[3]);
+			grey_out_menu_item(&ment_top[4]);
 			grey_out_menu_item(&ment_partials[18]);
 		}
 
@@ -433,18 +439,18 @@ void ipl_main()
 	// Grey out reboot to RCM option if on Mariko or patched console.
 	if (h_cfg.t210b01 || h_cfg.rcm_patched)
 	{
-		grey_out_menu_item(&ment_top[9]);
+		grey_out_menu_item(&ment_top[10]);
 	}
 
 	// Grey out Mariko partial dump option on Erista.
 	if (!h_cfg.t210b01) {
-		grey_out_menu_item(&ment_top[3]);
+		grey_out_menu_item(&ment_top[4]);
 	}
 
 	// Grey out reboot to hekate option if no update.bin found.
 	if (f_stat("bootloader/update.bin", NULL))
 	{
-		grey_out_menu_item(&ment_top[6]);
+		grey_out_menu_item(&ment_top[7]);
 	}
 
 	minerva_change_freq(FREQ_800);

From 85e56adbf5659a09a0c6e769d2d6898f94f09770 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 2 Apr 2022 09:45:14 -0600
Subject: [PATCH 04/21] keys: Add ETicket RSA keypair to keyfile

---
 source/keys/keys.c | 19 ++++++++++---------
 source/keys/keys.h |  1 +
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/source/keys/keys.c b/source/keys/keys.c
index f17a66d..0b325f1 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -453,8 +453,6 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
 
     gfx_printf("%kTitlekeys...     \n", colors[(color_idx++) % 6]);
 
-    rsa_keypair_t rsa_keypair = {0};
-
     if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, titlekey_buffer->read_buffer)) {
         EPRINTF("Unable to read PRODINFO.");
         return false;
@@ -496,34 +494,36 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
     }
 
     se_aes_key_set(6, keys->temp_key, sizeof(keys->temp_key));
-    se_aes_crypt_ctr(6, &rsa_keypair, sizeof(rsa_keypair), eticket_device_key, sizeof(rsa_keypair), eticket_iv);
+    se_aes_crypt_ctr(6, &keys->rsa_keypair, sizeof(keys->rsa_keypair), eticket_device_key, sizeof(keys->rsa_keypair), eticket_iv);
 
     // Check public exponent is 65537 big endian
-    if (_read_be_u32(rsa_keypair.public_exponent, 0) != 65537) {
+    if (_read_be_u32(keys->rsa_keypair.public_exponent, 0) != 65537) {
         // try legacy kek source
         _derive_eticket_rsa_kek(keys, 7, keys->temp_key, keys->master_key[0], eticket_rsa_kek_source_legacy);
 
         se_aes_key_set(6, keys->temp_key, sizeof(keys->temp_key));
-        se_aes_crypt_ctr(6, &rsa_keypair, sizeof(rsa_keypair), eticket_device_key, sizeof(rsa_keypair), eticket_iv);
+        se_aes_crypt_ctr(6, &keys->rsa_keypair, sizeof(keys->rsa_keypair), eticket_device_key, sizeof(keys->rsa_keypair), eticket_iv);
 
-        if (_read_be_u32(rsa_keypair.public_exponent, 0) != 65537) {
+        if (_read_be_u32(keys->rsa_keypair.public_exponent, 0) != 65537) {
             EPRINTF("Invalid public exponent.");
+            memset(&keys->rsa_keypair, 0, sizeof(keys->rsa_keypair));
             return false;
         } else {
             memcpy(keys->eticket_rsa_kek, keys->temp_key, sizeof(keys->eticket_rsa_kek));
         }
     }
 
-    if (!_test_key_pair(rsa_keypair.public_exponent, rsa_keypair.private_exponent, rsa_keypair.modulus)) {
+    if (!_test_key_pair(keys->rsa_keypair.public_exponent, keys->rsa_keypair.private_exponent, keys->rsa_keypair.modulus)) {
         EPRINTF("Invalid keypair. Check eticket_rsa_kek.");
+        memset(&keys->rsa_keypair, 0, sizeof(keys->rsa_keypair));
         return false;
     }
 
-    se_rsa_key_set(0, rsa_keypair.modulus, sizeof(rsa_keypair.modulus), rsa_keypair.private_exponent, sizeof(rsa_keypair.private_exponent));
+    se_rsa_key_set(0, keys->rsa_keypair.modulus, sizeof(keys->rsa_keypair.modulus), keys->rsa_keypair.private_exponent, sizeof(keys->rsa_keypair.private_exponent));
 
     const u32 buf_size = SZ_16K;
     _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, NULL);
-    _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &rsa_keypair);
+    _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &keys->rsa_keypair);
 
     gfx_printf("\n%k  Found %d titlekeys.\n\n", colors[(color_idx++) % 6], _titlekey_count);
 
@@ -704,6 +704,7 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
         SAVE_KEY(eticket_rsa_kek_source);
     }
     SAVE_KEY(eticket_rsa_kekek_source);
+    _save_key("eticket_rsa_keypair", &keys->rsa_keypair, sizeof(keys->rsa_keypair), text_buffer);
     SAVE_KEY(header_kek_source);
     SAVE_KEY_VAR(header_key, keys->header_key);
     SAVE_KEY(header_key_source);
diff --git a/source/keys/keys.h b/source/keys/keys.h
index ccb1e66..0d65681 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -131,6 +131,7 @@ typedef struct {
         tsec_root_key[AES_128_KEY_SIZE];
     u32 sbk[4];
     keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
+    rsa_keypair_t rsa_keypair;
 } key_derivation_ctx_t;
 
 typedef struct {

From 815bb55f6479b15cee8eea5cf32c510cc6e0cd3b Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 2 Apr 2022 09:47:29 -0600
Subject: [PATCH 05/21] Bump version to v1.9.8

---
 Versions.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Versions.inc b/Versions.inc
index 539334e..eafbd19 100644
--- a/Versions.inc
+++ b/Versions.inc
@@ -1,5 +1,5 @@
 # LP Version.
 LPVERSION_MAJOR := 1
 LPVERSION_MINOR := 9
-LPVERSION_BUGFX := 7
+LPVERSION_BUGFX := 8
 LPVERSION_RSVD := 0

From 58eb5f6dd2a6c27a7efa6628f4eaefc4d89e0fea Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Wed, 18 May 2022 08:09:52 -0600
Subject: [PATCH 06/21] Suport personalized SSL kek, dump SSL private key

---
 source/keys/key_sources.inl  |  8 +++
 source/keys/keys.c           | 97 ++++++++++++++++++++++++++++++------
 source/keys/keys.h           |  2 +
 source/storage/nx_emmc_bis.h | 13 +++--
 4 files changed, 102 insertions(+), 18 deletions(-)

diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index 02063b2..ef2f044 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -101,6 +101,8 @@ static const u8 aes_seal_key_mask_decrypt_device_unique_data[0x10] __attribute__
     0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74};
 static const u8 aes_seal_key_mask_import_es_device_key[0x10] __attribute__((aligned(4))) = {
     0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB};
+static const u8 aes_seal_key_mask_decrypt_ssl_client_cert_key[0x10] __attribute__((aligned(4))) = {
+    0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75};
 static const u8 package2_key_source[0x10] __attribute__((aligned(4))) = {
     0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7};
 static const u8 titlekek_source[0x10] __attribute__((aligned(4))) = {
@@ -177,6 +179,12 @@ static const u8 ssl_rsa_kek_source_x[0x10] __attribute__((aligned(4))) = {
     0X7F, 0X5B, 0XB0, 0X84, 0X7B, 0X25, 0XAA, 0X67, 0XFA, 0XC8, 0X4B, 0XE2, 0X3D, 0X7B, 0X69, 0X03};
 static const u8 ssl_rsa_kek_source_y[0x10] __attribute__((aligned(4))) = {
     0X9A, 0X38, 0X3B, 0XF4, 0X31, 0XD0, 0XBD, 0X81, 0X32, 0X53, 0X4B, 0XA9, 0X64, 0X39, 0X7D, 0XE3};
+static const u8 ssl_rsa_kek_source_y_dev[0x10] __attribute__((aligned(4))) = {
+    0xD5, 0xD2, 0xFC, 0x00, 0xFD, 0x49, 0xDD, 0xF8, 0xEE, 0x7B, 0xC4, 0x4B, 0xE1, 0x4C, 0xAA, 0x99};
+static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x64, 0xB8, 0x30, 0xDD, 0x0F, 0x3C, 0xB7, 0xFB, 0x4C, 0x16, 0x01, 0x97, 0xEA, 0x9D, 0x12, 0x10};
+static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = {
+    0x4D, 0x92, 0x5A, 0x69, 0x42, 0x23, 0xBB, 0x92, 0x59, 0x16, 0x3E, 0x51, 0x8C, 0x78, 0x14, 0x0F};
 
 static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
     {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0  Device Master Kek Source. */
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 0b325f1..941a801 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -235,6 +235,14 @@ static void _derive_eticket_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *ou
     se_aes_crypt_block_ecb(ks, DECRYPT, out_rsa_kek, kek_source);
 }
 
+static void _derive_ssl_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *out_rsa_kek, const void *master_key, const void *kekek_source, const void *kek_source) {
+    u8 kek_seed[AES_128_KEY_SIZE];
+    for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
+        kek_seed[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_decrypt_device_unique_data[i];
+    _generate_kek(8, kekek_source, master_key, kek_seed, NULL);
+    se_aes_crypt_block_ecb(8, DECRYPT, out_rsa_kek, kek_source);
+}
+
 static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) {
     if (_key_exists(keys->device_key) || (_key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x))) {
         _get_device_key(8, keys, keys->temp_key, 0);
@@ -244,11 +252,7 @@ static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) {
 
     if (_key_exists(keys->master_key[0])) {
         _derive_eticket_rsa_kek(keys, 8, keys->eticket_rsa_kek, keys->master_key[0], is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source);
-
-        for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
-            keys->temp_key[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_decrypt_device_unique_data[i];
-        _generate_kek(8, ssl_rsa_kek_source_x, keys->master_key[0], keys->temp_key, NULL);
-        se_aes_crypt_block_ecb(8, DECRYPT, keys->ssl_rsa_kek, ssl_rsa_kek_source_y);
+        _derive_ssl_rsa_kek(keys, 8, keys->ssl_rsa_kek, keys->master_key[0], ssl_rsa_kek_source_x, is_dev ? ssl_rsa_kek_source_y_dev : ssl_rsa_kek_source_y);
     }
 }
 
@@ -446,6 +450,74 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) {
     return true;
 }
 
+static bool _read_cal0(void *read_buffer) {
+    if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) {
+        EPRINTF("Unable to read PRODINFO.");
+        return false;
+    }
+
+    se_aes_xts_crypt(1, 0, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE);
+
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer;
+    if (cal0->magic != MAGIC_CAL0) {
+        EPRINTF("Invalid CAL0 magic. Check BIS key 0.");
+        return false;
+    }
+
+    return true;
+}
+
+static bool _derive_personalized_ssl_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer) {
+    if (!_read_cal0(titlekey_buffer->read_buffer)) {
+        return false;
+    }
+
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
+    u32 keypair_generation = 0;
+    const void *ssl_device_key = NULL;
+    const void *ssl_iv = NULL;
+    u32 key_size = 0;
+
+    if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, 0x13E)) {
+        ssl_device_key = cal0->ext_ssl_key;
+        ssl_iv = cal0->ext_ssl_key_iv;
+        key_size = 0x120;
+
+        // settings sysmodule manually zeroes this out below cal version 9
+        keypair_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver;
+    } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, 0x11E)) {
+        ssl_device_key = cal0->ssl_key;
+        ssl_iv = cal0->ssl_key_iv;
+        key_size = 0x100;
+    } else {
+        EPRINTF("Crc16 error reading device key.");
+        return false;
+    }
+
+    if (keypair_generation) {
+        keypair_generation--;
+        _get_device_key(7, keys, keys->temp_key, keypair_generation);
+        _derive_ssl_rsa_kek(keys, 7, keys->ssl_rsa_kek_personalized, keys->temp_key, ssl_client_cert_kek_source, ssl_client_cert_key_source);
+
+        memcpy(keys->temp_key, keys->ssl_rsa_kek_personalized, sizeof(keys->temp_key));
+    } else {
+        memcpy(keys->temp_key, keys->ssl_rsa_kek, sizeof(keys->temp_key));
+    }
+
+    se_aes_key_set(6, keys->temp_key, sizeof(keys->temp_key));
+    se_aes_crypt_ctr(6, &keys->ssl_rsa_key, sizeof(keys->ssl_rsa_key), ssl_device_key, sizeof(keys->ssl_rsa_key), ssl_iv);
+
+    if (key_size == 0x120) {
+        if (_key_exists(keys->ssl_rsa_key + 0x100)) {
+            EPRINTF("Invalid SSL key.");
+            memset(&keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
+            return false;
+        }
+    }
+
+    return true;
+}
+
 static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     if (!_key_exists(keys->eticket_rsa_kek)) {
         return false;
@@ -453,19 +525,11 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
 
     gfx_printf("%kTitlekeys...     \n", colors[(color_idx++) % 6]);
 
-    if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, titlekey_buffer->read_buffer)) {
-        EPRINTF("Unable to read PRODINFO.");
+    if (!_read_cal0(titlekey_buffer->read_buffer)) {
         return false;
     }
 
-    se_aes_xts_crypt(1, 0, DECRYPT, 0, titlekey_buffer->read_buffer, titlekey_buffer->read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE);
-
     nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
-    if (cal0->magic != MAGIC_CAL0) {
-        EPRINTF("Invalid CAL0 magic. Check BIS key 0.");
-        return false;
-    }
-
     u32 keypair_generation = 0;
     const void *eticket_device_key = NULL;
     const void *eticket_iv = NULL;
@@ -575,6 +639,9 @@ static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
     if (!res) {
         EPRINTF("Unable to derive titlekeys.");
     }
+
+    _derive_personalized_ssl_key(keys, titlekey_buffer);
+
     f_mount(NULL, "bis:", 1);
     nx_emmc_gpt_free(&gpt);
 
@@ -751,8 +818,10 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
     SAVE_KEY_VAR(sd_seed, keys->sd_seed);
     SAVE_KEY_VAR(secure_boot_key, keys->sbk);
     SAVE_KEY_VAR(ssl_rsa_kek, keys->ssl_rsa_kek);
+    SAVE_KEY_VAR(ssl_rsa_kek_personalized, keys->ssl_rsa_kek_personalized);
     SAVE_KEY(ssl_rsa_kek_source_x);
     SAVE_KEY(ssl_rsa_kek_source_y);
+    _save_key("ssl_rsa_key", keys->ssl_rsa_key, RSA_2048_KEY_SIZE, text_buffer);
     SAVE_KEY_FAMILY_VAR(titlekek, keys->titlekek, 0);
     SAVE_KEY(titlekek_source);
     SAVE_KEY_VAR(tsec_key, keys->tsec_key);
diff --git a/source/keys/keys.h b/source/keys/keys.h
index 0d65681..c0440d8 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -117,6 +117,8 @@ typedef struct {
         eticket_rsa_kek[AES_128_KEY_SIZE],
         eticket_rsa_kek_personalized[AES_128_KEY_SIZE],
         ssl_rsa_kek[AES_128_KEY_SIZE],
+        ssl_rsa_kek_personalized[AES_128_KEY_SIZE],
+        ssl_rsa_key[RSA_2048_KEY_SIZE + 0x20],
         // keyblob-derived families
         keyblob_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
         keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
diff --git a/source/storage/nx_emmc_bis.h b/source/storage/nx_emmc_bis.h
index 59b766e..a1cfaa6 100644
--- a/source/storage/nx_emmc_bis.h
+++ b/source/storage/nx_emmc_bis.h
@@ -112,8 +112,10 @@ typedef struct _nx_emmc_cal0_t
 	u8   crc16_pad16[0x10];
 	u8   ecc_p33_ticket_cert[0x180];
 	u8   crc16_pad17[0x10];
-	u8   ssl_key[0x110];
-	u8   crc16_pad18[0x10];
+	u8   ssl_key_iv[0x10];
+	u8   ssl_key[0x100];
+	u8   crc16_pad18[0xE];
+	u16  ssl_key_crc;
 	u32  ssl_cert_size;
 	u8   crc16_pad19[0xC];
 	u8   ssl_cert[0x800];
@@ -170,8 +172,11 @@ typedef struct _nx_emmc_cal0_t
 	u32  ext_ecc_rsa2048_eticket_key_ver;
 	u8   crc16_pad38[0xA];
 	u16  ext_ecc_rsa2048_eticket_key_crc;
-	u8   ext_ssl_key[0x130];
-	u8   crc16_pad39[0x10];
+	u8   ext_ssl_key_iv[0x10];
+	u8   ext_ssl_key[0x120];
+	u32  ext_ssl_key_ver;
+	u8   crc16_pad39[0xA];
+	u16  ext_ssl_key_crc;
 	u8   ext_gc_key[0x130];
 	u8   crc16_pad40[0x10];
 

From 7a4a99c008cad8140bcaefe83f493afb9b445331 Mon Sep 17 00:00:00 2001
From: dezem <dezem@users.noreply.github.com>
Date: Wed, 12 Oct 2022 00:02:39 +0200
Subject: [PATCH 07/21] Add support firmware 15.0.0

---
 source/hos/hos.h            | 3 ++-
 source/keys/key_sources.inl | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/source/hos/hos.h b/source/hos/hos.h
index b4111c7..9663d07 100644
--- a/source/hos/hos.h
+++ b/source/hos/hos.h
@@ -34,6 +34,7 @@
 #define KB_FIRMWARE_VERSION_1210 11
 #define KB_FIRMWARE_VERSION_1300 12
 #define KB_FIRMWARE_VERSION_1400 13
-#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1400 //!TODO: Update on mkey changes.
+#define KB_FIRMWARE_VERSION_1500 14
+#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1500 //!TODO: Update on mkey changes.
 
 #endif
diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index ef2f044..fe6d577 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -38,6 +38,7 @@ static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION
     {0x84, 0x67, 0xB6, 0x7F, 0x13, 0x11, 0xAE, 0xE6, 0x58, 0x9B, 0x19, 0xAF, 0x13, 0x6C, 0x80, 0x7A}, //12.1.0
     {0x68, 0x3B, 0xCA, 0x54, 0xB8, 0x6F, 0x92, 0x48, 0xC3, 0x05, 0x76, 0x87, 0x88, 0x70, 0x79, 0x23}, //13.0.0
     {0xF0, 0x13, 0x37, 0x9A, 0xD5, 0x63, 0x51, 0xC3, 0xB4, 0x96, 0x35, 0xBC, 0x9C, 0xE8, 0x76, 0x81}, //14.0.0
+    {0x6E, 0x77, 0x86, 0xAC, 0x83, 0x0A, 0x8D, 0x3E, 0x7D, 0xB7, 0x66, 0xA0, 0x22, 0xB7, 0x6E, 0x67}, //15.0.0
 };
 
 //!TODO: Update on mkey changes.
@@ -56,6 +57,7 @@ static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribut
     {0xC1, 0x8D, 0x16, 0xBB, 0x2A, 0xE4, 0x1D, 0xD4, 0xC2, 0xC1, 0xB6, 0x40, 0x94, 0x35, 0x63, 0x98}, /* Master key 0A encrypted with Master key 0B. */
     {0xA3, 0x24, 0x65, 0x75, 0xEA, 0xCC, 0x6E, 0x8D, 0xFB, 0x5A, 0x16, 0x50, 0x74, 0xD2, 0x15, 0x06}, /* Master key 0B encrypted with Master key 0C. */
     {0x83, 0x67, 0xAF, 0x01, 0xCF, 0x93, 0xA1, 0xAB, 0x80, 0x45, 0xF7, 0x3F, 0x72, 0xFD, 0x3B, 0x38}, /* Master key 0C encrypted with Master key 0D. */
+    {0xB1, 0x81, 0xA6, 0x0D, 0x72, 0xC7, 0xEE, 0x15, 0x21, 0xF3, 0xC0, 0xB5, 0x6B, 0x61, 0x6D, 0xE7}, /* Master key 0D encrypted with Master key 0E. */
 };
 
 //!TODO: Update on mkey changes.
@@ -74,6 +76,7 @@ static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attr
     {0x21, 0x88, 0x6B, 0x10, 0x9E, 0x83, 0xD6, 0x52, 0xAB, 0x08, 0xDB, 0x6D, 0x39, 0xFF, 0x1C, 0x9C}, /* Master key 0A encrypted with Master key 0B. */
     {0x8A, 0xCE, 0xC4, 0x7F, 0xBE, 0x08, 0x61, 0x88, 0xD3, 0x73, 0x64, 0x51, 0xE2, 0xB6, 0x53, 0x15}, /* Master key 0B encrypted with Master key 0C. */
     {0x08, 0xE0, 0xF4, 0xBE, 0xAA, 0x6E, 0x5A, 0xC3, 0xA6, 0xBC, 0xFE, 0xB9, 0xE2, 0xA3, 0x24, 0x12}, /* Master key 0C encrypted with Master key 0D. */
+    {0xD6, 0x80, 0x98, 0xC0, 0xFA, 0xC7, 0x13, 0xCB, 0x93, 0xD2, 0x0B, 0x82, 0x4C, 0xA1, 0x7B, 0x8D}, /* Master key 0D encrypted with Master key 0E. */
 };
 
 static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
@@ -137,6 +140,7 @@ static const u8 mariko_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_
     {0xE5, 0x41, 0xAC, 0xEC, 0xD1, 0xA7, 0xD1, 0xAB, 0xED, 0x03, 0x77, 0xF1, 0x27, 0xCA, 0xF8, 0xF1}, // 12.1.0.
     {0x52, 0x71, 0x9B, 0xDF, 0xA7, 0x8B, 0x61, 0xD8, 0xD5, 0x85, 0x11, 0xE4, 0x8E, 0x4F, 0x74, 0xC6}, // 13.0.0.
     {0xD2, 0x68, 0xC6, 0x53, 0x9D, 0x94, 0xF9, 0xA8, 0xA5, 0xA8, 0xA7, 0xC8, 0x8F, 0x53, 0x4B, 0x7A}, // 14.0.0.
+    {0xEC, 0x61, 0xBC, 0x82, 0x1E, 0x0F, 0x5A, 0xC3, 0x2B, 0x64, 0x3F, 0x9D, 0xD6, 0x19, 0x22, 0x2D}, // 15.0.0.
 }; //!TODO: Update on mkey changes.
 static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_600 + 1][0x10] __attribute__((aligned(4))) = {
     {0x32, 0xC0, 0x97, 0x6B, 0x63, 0x6D, 0x44, 0x64, 0xF2, 0x3A, 0xA5, 0xC0, 0xDE, 0x46, 0xCC, 0xE9}, // 6.0.0.
@@ -148,6 +152,7 @@ static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW
     {0x75, 0x2D, 0x2E, 0xF3, 0x2F, 0x3F, 0xFE, 0x65, 0xF4, 0xA9, 0x83, 0xB4, 0xED, 0x42, 0x63, 0xBA}, // 12.1.0.
     {0x4D, 0x5A, 0xB2, 0xC9, 0xE9, 0xE4, 0x4E, 0xA4, 0xD3, 0xBF, 0x94, 0x12, 0x36, 0x30, 0xD0, 0x7F}, // 13.0.0.
     {0xEC, 0x5E, 0xB5, 0x11, 0xD5, 0x43, 0x1E, 0x6A, 0x4E, 0x54, 0x6F, 0xD4, 0xD3, 0x22, 0xCE, 0x87}, // 14.0.0.
+    {0x18, 0xA5, 0x6F, 0xEF, 0x72, 0x11, 0x62, 0xC5, 0x1A, 0x14, 0xF1, 0x8C, 0x21, 0x83, 0x27, 0xB7}, // 15.0.0.
 }; //!TODO: Update on mkey changes.
 
 static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
@@ -162,6 +167,7 @@ static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FI
     {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */
     {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */
     {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ 
+    {0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */
 }; //!TODO: Update on mkey changes.
 
 // from ES
@@ -198,6 +204,7 @@ static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_
     {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */
     {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */
     {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */
+    {0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */
 }; //!TODO: Update on mkey changes.
 
 static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
@@ -212,6 +219,7 @@ static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW
     {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */
     {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */
     {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */
+    {0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */
 }; //!TODO: Update on mkey changes.
 
 // from SPL

From e8d66f318d94af1ea3fb54cbb4f421d754c3a981 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 29 Oct 2022 15:11:13 -0700
Subject: [PATCH 08/21] keys: Refactor key crypto, fix SSL key dumping

---
 bdk/sec/se.c                |  36 +--
 source/keys/key_sources.inl |  23 +-
 source/keys/keys.c          | 489 +++++++++++++++++++++++++-----------
 source/keys/keys.h          |  30 ++-
 4 files changed, 398 insertions(+), 180 deletions(-)

diff --git a/bdk/sec/se.c b/bdk/sec/se.c
index 45652dc..02f6f90 100644
--- a/bdk/sec/se.c
+++ b/bdk/sec/se.c
@@ -721,31 +721,31 @@ out:;
 // _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère
 static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size)
 {
-    u8 cur_hash[0x20] __attribute__((aligned(4)));
-    u8 hash_buf[0xe4] __attribute__((aligned(4)));
+	u8 cur_hash[0x20] __attribute__((aligned(4)));
+	u8 hash_buf[0xe4] __attribute__((aligned(4)));
 
-    u32 hash_buf_size = seed_size + 4;
-    memcpy(hash_buf, seed, seed_size);
-    u32 round_num = 0;
+	u32 hash_buf_size = seed_size + 4;
+	memcpy(hash_buf, seed, seed_size);
+	u32 round_num = 0;
 
-    u8 *p_out = (u8 *)masked;
+	u8 *p_out = (u8 *)masked;
 
-    while (masked_size) {
-        u32 cur_size = MIN(masked_size, 0x20);
+	while (masked_size) {
+		u32 cur_size = MIN(masked_size, 0x20);
 
-        for (u32 i = 0; i < 4; i++)
-            hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff;
-        round_num++;
+		for (u32 i = 0; i < 4; i++)
+			hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff;
+		round_num++;
 
-        se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size);
+		se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size);
 
-        for (unsigned int i = 0; i < cur_size; i++) {
-            *p_out ^= cur_hash[i];
-            p_out++;
-        }
+		for (unsigned int i = 0; i < cur_size; i++) {
+			*p_out ^= cur_hash[i];
+			p_out++;
+		}
 
-        masked_size -= cur_size;
-    }
+		masked_size -= cur_size;
+	}
 }
 
 u32 se_rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size)
diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index fe6d577..bff4f9b 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -100,12 +100,15 @@ static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
 // from Package1 -> Secure_Monitor
 static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
     0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
-static const u8 aes_seal_key_mask_decrypt_device_unique_data[0x10] __attribute__((aligned(4))) = {
-    0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74};
-static const u8 aes_seal_key_mask_import_es_device_key[0x10] __attribute__((aligned(4))) = {
-    0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB};
-static const u8 aes_seal_key_mask_decrypt_ssl_client_cert_key[0x10] __attribute__((aligned(4))) = {
-    0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75};
+static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = {
+    {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // SealKey_LoadAesKey
+    {0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}, // SealKey_DecryptDeviceUniqueData
+    {0x57, 0xE2, 0xD9, 0x45, 0xE4, 0x92, 0xF4, 0xFD, 0xC3, 0xF9, 0x86, 0x38, 0x89, 0x78, 0x9F, 0x3C}, // SealKey_ImportLotusKey
+    {0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}, // SealKey_ImportEsDeviceKey
+    {0x59, 0xD9, 0x31, 0xF4, 0xA7, 0x97, 0xB8, 0x14, 0x40, 0xD6, 0xA2, 0x60, 0x2B, 0xED, 0x15, 0x31}, // SealKey_ReencryptDeviceUniqueData
+    {0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75}, // SealKey_ImportSslKey
+    {0x89, 0x96, 0x43, 0x9A, 0x7C, 0xD5, 0x59, 0x55, 0x24, 0xD5, 0x24, 0x18, 0xAB, 0x6C, 0x04, 0x61}, // SealKey_ImportEsClientCertKey
+};
 static const u8 package2_key_source[0x10] __attribute__((aligned(4))) = {
     0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7};
 static const u8 titlekek_source[0x10] __attribute__((aligned(4))) = {
@@ -181,12 +184,14 @@ static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
     0X46, 0X6E, 0X57, 0XB7, 0X4A, 0X44, 0X7F, 0X02, 0XF3, 0X21, 0XCD, 0XE5, 0X8F, 0X2F, 0X55, 0X35};
 
 // from SSL
-static const u8 ssl_rsa_kek_source_x[0x10] __attribute__((aligned(4))) = {
+static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
     0X7F, 0X5B, 0XB0, 0X84, 0X7B, 0X25, 0XAA, 0X67, 0XFA, 0XC8, 0X4B, 0XE2, 0X3D, 0X7B, 0X69, 0X03};
-static const u8 ssl_rsa_kek_source_y[0x10] __attribute__((aligned(4))) = {
+static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
     0X9A, 0X38, 0X3B, 0XF4, 0X31, 0XD0, 0XBD, 0X81, 0X32, 0X53, 0X4B, 0XA9, 0X64, 0X39, 0X7D, 0XE3};
-static const u8 ssl_rsa_kek_source_y_dev[0x10] __attribute__((aligned(4))) = {
+static const u8 ssl_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
     0xD5, 0xD2, 0xFC, 0x00, 0xFD, 0x49, 0xDD, 0xF8, 0xEE, 0x7B, 0xC4, 0x4B, 0xE1, 0x4C, 0xAA, 0x99};
+static const u8 ssl_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
+    0xED, 0x36, 0xB1, 0x32, 0x27, 0x17, 0xD2, 0xB0, 0xBA, 0x1F, 0xC1, 0xBD, 0x4D, 0x38, 0x0F, 0x5E};
 static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = {
     0x64, 0xB8, 0x30, 0xDD, 0x0F, 0x3C, 0xB7, 0xFB, 0x4C, 0x16, 0x01, 0x97, 0xEA, 0x9D, 0x12, 0x10};
 static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = {
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 941a801..ceb40f5 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -73,10 +73,14 @@ static ALWAYS_INLINE u32 _read_be_u32(const void *buffer, u32 offset) {
 static int  _key_exists(const void *data) { return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0; };
 static void _save_key(const char *name, const void *data, u32 len, char *outbuf);
 static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf);
-static void _generate_kek(u32 ks, const void *key_source, const void *master_key, const void *kek_seed, const void *key_seed);
-static void _decrypt_aes_key(u32 ks, void *dst, const void *key_source, const void *master_key);
-static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 key_generation);
-static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 revision);
+static void _generate_aes_kek(u32 ks, key_derivation_ctx_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option);
+static void _generate_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source);
+static void _load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
+static void _get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
+static void _decrypt_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation, u32 option);
+static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation);
+static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 generation);
+static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt);
 // titlekey functions
 static bool _test_key_pair(const void *E, const void *D, const void *N);
 
@@ -87,8 +91,7 @@ static void _derive_master_key_mariko(key_derivation_ctx_t *keys, bool is_dev) {
     for (u32 i = KB_FIRMWARE_VERSION_600; i < ARRAY_SIZE(mariko_master_kek_sources) + KB_FIRMWARE_VERSION_600; i++) {
         // Relies on the Mariko KEK being properly set in slot 12
         se_aes_crypt_block_ecb(12, DECRYPT, keys->master_kek[i], is_dev ? &mariko_master_kek_sources_dev[i - KB_FIRMWARE_VERSION_600] : &mariko_master_kek_sources[i - KB_FIRMWARE_VERSION_600]); // mkek = unwrap(mariko_kek, mariko_kek_source)
-        se_aes_key_set(8, keys->master_kek[i], AES_128_KEY_SIZE); // mkey = unwrap(mkek, mkeys)
-        se_aes_crypt_block_ecb(8, DECRYPT, keys->master_key[i], master_key_source);
+        _load_aes_key(8, keys->master_key[i], keys->master_kek[i], master_key_source);
     }
 }
 
@@ -116,18 +119,15 @@ static void _derive_master_keys_from_latest_key(key_derivation_ctx_t *keys, bool
         // Derive all master keys based on current root key
         for (u32 i = KB_FIRMWARE_VERSION_810 - KB_FIRMWARE_VERSION_620; i < ARRAY_SIZE(master_kek_sources); i++) {
             se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_kek_sources[i]); // mkek = unwrap(tsec_root, mkeks)
-            se_aes_key_set(8, keys->master_kek[i + KB_FIRMWARE_VERSION_620], AES_128_KEY_SIZE); // mkey = unwrap(mkek, mkeys)
-            se_aes_crypt_block_ecb(8, DECRYPT, keys->master_key[i + KB_FIRMWARE_VERSION_620], master_key_source);
+            _load_aes_key(8, keys->master_key[i + KB_FIRMWARE_VERSION_620], keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_key_source);
         }
     }
 
     // Derive all lower master keys
     for (u32 i = KB_FIRMWARE_VERSION_MAX; i > 0; i--) {
-        se_aes_key_set(8, keys->master_key[i], AES_128_KEY_SIZE);
-        se_aes_crypt_block_ecb(8, DECRYPT, keys->master_key[i - 1], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]);
+        _load_aes_key(8, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]);
     }
-    se_aes_key_set(8, keys->master_key[0], AES_128_KEY_SIZE);
-    se_aes_crypt_block_ecb(8, DECRYPT, keys->temp_key, is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]);
+    _load_aes_key(8, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]);
 
     if (_key_exists(keys->temp_key)) {
         EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod");
@@ -166,8 +166,7 @@ static void _derive_keyblob_keys(key_derivation_ctx_t *keys) {
         minerva_periodic_training();
         se_aes_crypt_block_ecb(12, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]); // temp = unwrap(kbks, tsec)
         se_aes_crypt_block_ecb(14, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]); // kbk = unwrap(temp, sbk)
-        se_aes_key_set(7, keys->keyblob_key[i], sizeof(keys->keyblob_key[i]));
-        se_aes_crypt_block_ecb(7, DECRYPT, keys->keyblob_mac_key[i], keyblob_mac_key_source); // kbm = unwrap(kbms, kbk)
+        _load_aes_key(7, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source); // kbm = unwrap(kbms, kbk)
         if (i == 0) {
             se_aes_crypt_block_ecb(7, DECRYPT, keys->device_key, per_console_key_source); // devkey = unwrap(pcks, kbk0)
             se_aes_crypt_block_ecb(7, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
@@ -191,82 +190,84 @@ static void _derive_keyblob_keys(key_derivation_ctx_t *keys) {
 
         memcpy(keys->package1_key[i], keys->keyblob[i].package1_key, sizeof(keys->package1_key[i]));
         memcpy(keys->master_kek[i], keys->keyblob[i].master_kek, sizeof(keys->master_kek[i]));
-        se_aes_key_set(7, keys->master_kek[i], sizeof(keys->master_kek[i]));
         if (!_key_exists(keys->master_key[i])) {
-            se_aes_crypt_block_ecb(7, DECRYPT, keys->master_key[i], master_key_source);
+            _load_aes_key(7, keys->master_key[i], keys->master_kek[i], master_key_source);
         }
     }
     free(keyblob_block);
 }
 
 static void _derive_bis_keys(key_derivation_ctx_t *keys) {
-    /*  key = unwrap(source, wrapped_key):
-        key_set(ks, wrapped_key), block_ecb(ks, 0, key, source) -> final key in key
-    */
     minerva_periodic_training();
-    u32 key_generation = fuse_read_odm_keygen_rev();
-    if (key_generation)
-        key_generation--;
+    u32 generation = fuse_read_odm_keygen_rev();
 
-    if (!(_key_exists(keys->device_key) || (key_generation && _key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x)))) {
+    if (!(_key_exists(keys->device_key) || (generation && _key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x)))) {
         return;
     }
-    _generate_specific_aes_key(8, keys, &keys->bis_key[0], &bis_key_sources[0], key_generation);
-    // kek = generate_kek(bkeks, devkey, aeskek, aeskey)
-    _get_device_key(8, keys, keys->temp_key, key_generation);
-    _generate_kek(8, bis_kek_source, keys->temp_key, aes_kek_generation_source, aes_key_generation_source);
-    se_aes_crypt_ecb(8, DECRYPT, keys->bis_key[1], AES_128_KEY_SIZE * 2, bis_key_sources[1], AES_128_KEY_SIZE * 2); // bkey = unwrap(bkeys, kek)
-    se_aes_crypt_ecb(8, DECRYPT, keys->bis_key[2], AES_128_KEY_SIZE * 2, bis_key_sources[2], AES_128_KEY_SIZE * 2);
-    memcpy(keys->bis_key[3], keys->bis_key[2], 0x20);
+    _generate_specific_aes_key(8, keys, &keys->bis_key[0], bis_key_sources[0], generation);
+    u32 access_key[AES_128_KEY_SIZE / 4] = {0};
+    const u32 option = GET_IS_DEVICE_UNIQUE(IS_DEVICE_UNIQUE);
+    _generate_aes_kek(8, keys, access_key, bis_kek_source, generation, option);
+    _generate_aes_key(8, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]);
+    _generate_aes_key(8, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]);
+    memcpy(keys->bis_key[3], keys->bis_key[2], sizeof(keys->bis_key[3]));
 }
 
 static void _derive_non_unique_keys(key_derivation_ctx_t *keys, bool is_dev) {
     if (_key_exists(keys->master_key[0])) {
-        _generate_kek(8, header_kek_source, keys->master_key[0], aes_kek_generation_source, aes_key_generation_source);
-        se_aes_crypt_ecb(8, DECRYPT, keys->header_key, AES_128_KEY_SIZE * 2, header_key_source, AES_128_KEY_SIZE * 2);
+        const u32 generation = 0;
+        const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
+        _generate_aes_kek(8, keys, keys->temp_key, header_kek_source, generation, option);
+        _generate_aes_key(8, keys, keys->header_key, sizeof(keys->header_key), keys->temp_key, header_key_source);
     }
 }
 
-static void _derive_eticket_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *out_rsa_kek, const void *master_key, const void *kek_source) {
-    u8 kek_seed[AES_128_KEY_SIZE];
-    for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
-        kek_seed[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_import_es_device_key[i];
-    _generate_kek(ks, eticket_rsa_kekek_source, master_key, kek_seed, NULL);
-    se_aes_crypt_block_ecb(ks, DECRYPT, out_rsa_kek, kek_source);
+static void _derive_eticket_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *out_rsa_kek, const void *kek_source, u32 generation, u32 option) {
+    void *access_key = keys->temp_key;
+    _generate_aes_kek(ks, keys, access_key, eticket_rsa_kekek_source, generation, option);
+    _get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
+    
 }
 
-static void _derive_ssl_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *out_rsa_kek, const void *master_key, const void *kekek_source, const void *kek_source) {
-    u8 kek_seed[AES_128_KEY_SIZE];
-    for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
-        kek_seed[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_decrypt_device_unique_data[i];
-    _generate_kek(8, kekek_source, master_key, kek_seed, NULL);
-    se_aes_crypt_block_ecb(8, DECRYPT, out_rsa_kek, kek_source);
+static void _derive_ssl_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
+    void *access_key = keys->temp_key;
+    _generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
+    _get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
 }
 
 static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) {
     if (_key_exists(keys->device_key) || (_key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x))) {
-        _get_device_key(8, keys, keys->temp_key, 0);
-        _generate_kek(8, save_mac_kek_source, keys->temp_key, aes_kek_generation_source, NULL);
-        se_aes_crypt_block_ecb(8, DECRYPT, keys->save_mac_key, save_mac_key_source);
+        void *access_key = keys->temp_key;
+        const u32 generation = 0;
+        const u32 option = GET_IS_DEVICE_UNIQUE(IS_DEVICE_UNIQUE);
+        _generate_aes_kek(8, keys, access_key, save_mac_kek_source, generation, option);
+        _load_aes_key(8, keys->save_mac_key, access_key, save_mac_key_source);
     }
 
     if (_key_exists(keys->master_key[0])) {
-        _derive_eticket_rsa_kek(keys, 8, keys->eticket_rsa_kek, keys->master_key[0], is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source);
-        _derive_ssl_rsa_kek(keys, 8, keys->ssl_rsa_kek, keys->master_key[0], ssl_rsa_kek_source_x, is_dev ? ssl_rsa_kek_source_y_dev : ssl_rsa_kek_source_y);
+        const void *eticket_kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
+        const u32 generation = 0;
+        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY);
+        _derive_eticket_rsa_kek(keys, 8, keys->eticket_rsa_kek, eticket_kek_source, generation, option);
+
+        const void *ssl_kek_source = is_dev ? ssl_rsa_kek_source_dev : ssl_rsa_kek_source;
+        option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA);
+        _derive_ssl_rsa_kek(keys, 8, keys->ssl_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
     }
 }
 
 static void _derive_per_generation_keys(key_derivation_ctx_t *keys) {
-    for (u32 i = 0; i < KB_FIRMWARE_VERSION_MAX + 1; i++) {
-        if (!_key_exists(keys->master_key[i]))
+    for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) {
+        if (!_key_exists(keys->master_key[generation]))
             continue;
-        for (u32 j = 0; j < 3; j++) {
-            _generate_kek(8, key_area_key_sources[j], keys->master_key[i], aes_kek_generation_source, NULL);
-            se_aes_crypt_block_ecb(8, DECRYPT, keys->key_area_key[j][i], aes_key_generation_source);
+        for (u32 source_type = 0; source_type < ARRAY_SIZE(key_area_key_sources); source_type++) {
+            void *access_key = keys->temp_key;
+            const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
+            _generate_aes_kek(8, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
+            _load_aes_key(8, keys->key_area_key[source_type][generation], access_key, aes_key_generation_source);
         }
-        se_aes_key_set(8, keys->master_key[i], AES_128_KEY_SIZE);
-        se_aes_crypt_block_ecb(8, DECRYPT, keys->package2_key[i], package2_key_source);
-        se_aes_crypt_block_ecb(8, DECRYPT, keys->titlekek[i], titlekek_source);
+        _load_aes_key(8, keys->package2_key[generation], keys->master_key[generation], package2_key_source);
+        _load_aes_key(8, keys->titlekek[generation], keys->master_key[generation], titlekek_source);
     }
 }
 
@@ -343,6 +344,10 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title
         return false;
     }
 
+    if (is_personalized) {
+        se_rsa_key_set(0, rsa_keypair->modulus, sizeof(rsa_keypair->modulus), rsa_keypair->private_exponent, sizeof(rsa_keypair->private_exponent));
+    }
+
     const u32 ticket_sig_type_rsa2048_sha256 = 0x10004;
 
     offset = 0;
@@ -467,6 +472,29 @@ static bool _read_cal0(void *read_buffer) {
     return true;
 }
 
+static bool _get_rsa_ssl_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
+    const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key);
+    const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39);
+    const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key);
+    const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad18);
+
+    if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, ext_key_crc_size)) {
+        *out_key = cal0->ext_ssl_key;
+        *out_key_size = ext_key_size;
+        *out_iv = cal0->ext_ssl_key_iv;
+        // settings sysmodule manually zeroes this out below cal version 9
+        *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver;
+    } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) {
+        *out_key = cal0->ssl_key;
+        *out_key_size = key_size;
+        *out_iv = cal0->ssl_key_iv;
+        *out_generation = 0;
+    } else {
+        return false;
+    }
+    return true;
+}
+
 static bool _derive_personalized_ssl_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer) {
     if (!_read_cal0(titlekey_buffer->read_buffer)) {
         return false;
@@ -477,40 +505,59 @@ static bool _derive_personalized_ssl_key(key_derivation_ctx_t *keys, titlekey_bu
     const void *ssl_device_key = NULL;
     const void *ssl_iv = NULL;
     u32 key_size = 0;
+    void *keypair_ctr_key = NULL;
+    bool enforce_unique = true;
 
-    if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, 0x13E)) {
-        ssl_device_key = cal0->ext_ssl_key;
-        ssl_iv = cal0->ext_ssl_key_iv;
-        key_size = 0x120;
-
-        // settings sysmodule manually zeroes this out below cal version 9
-        keypair_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver;
-    } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, 0x11E)) {
-        ssl_device_key = cal0->ssl_key;
-        ssl_iv = cal0->ssl_key_iv;
-        key_size = 0x100;
-    } else {
+    if (!_get_rsa_ssl_key(cal0, &ssl_device_key, &key_size, &ssl_iv, &keypair_generation)) {
         EPRINTF("Crc16 error reading device key.");
         return false;
     }
 
-    if (keypair_generation) {
-        keypair_generation--;
-        _get_device_key(7, keys, keys->temp_key, keypair_generation);
-        _derive_ssl_rsa_kek(keys, 7, keys->ssl_rsa_kek_personalized, keys->temp_key, ssl_client_cert_kek_source, ssl_client_cert_key_source);
+    if (key_size == SSL_RSA_KEYPAIR_SIZE) {
+        bool all_zero = true;
+        const u8 *key8 = (const u8 *)ssl_device_key;
+        for (u32 i = RSA_2048_KEY_SIZE; i < SSL_RSA_KEYPAIR_SIZE; i++) {
+            if (key8[i] != 0) {
+                all_zero = false;
+                break;
+            }
+        }
+        if (all_zero) {
+            // keypairs of this form are not encrypted
+            memcpy(keys->ssl_rsa_keypair, ssl_device_key, RSA_2048_KEY_SIZE);
+            return true;
+        }
 
-        memcpy(keys->temp_key, keys->ssl_rsa_kek_personalized, sizeof(keys->temp_key));
-    } else {
-        memcpy(keys->temp_key, keys->ssl_rsa_kek, sizeof(keys->temp_key));
+        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA);
+        keypair_ctr_key = keys->ssl_rsa_kek_legacy;
+        _derive_ssl_rsa_kek(keys, 7, keypair_ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, keypair_generation, option);
+        enforce_unique = false;
     }
 
-    se_aes_key_set(6, keys->temp_key, sizeof(keys->temp_key));
-    se_aes_crypt_ctr(6, &keys->ssl_rsa_key, sizeof(keys->ssl_rsa_key), ssl_device_key, sizeof(keys->ssl_rsa_key), ssl_iv);
+    if (keypair_generation) {
+        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
+        keypair_ctr_key = keys->ssl_rsa_kek_personalized;
+        _derive_ssl_rsa_kek(keys, 7, keypair_ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, keypair_generation, option);
+    } else {
+        keypair_ctr_key = keys->ssl_rsa_kek;
+    }
 
-    if (key_size == 0x120) {
-        if (_key_exists(keys->ssl_rsa_key + 0x100)) {
-            EPRINTF("Invalid SSL key.");
-            memset(&keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
+    u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
+    se_aes_key_set(6, keypair_ctr_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(6, keys->ssl_rsa_keypair, ctr_size, ssl_device_key, ctr_size, ssl_iv);
+
+    if (enforce_unique) {
+        u32 j_block[AES_128_KEY_SIZE / 4] = {0};
+        se_aes_key_set(7, keypair_ctr_key, AES_128_KEY_SIZE);
+        _ghash(7, j_block, ssl_iv, 0x10, NULL, false);
+
+        u32 calc_mac[AES_128_KEY_SIZE / 4] = {0};
+        _ghash(7, calc_mac, keys->ssl_rsa_keypair, ctr_size, j_block, true);
+
+        const u8 *key8 = (const u8 *)ssl_device_key;
+        if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
+            EPRINTF("SSL keypair has invalid GMac.");
+            memset(keys->ssl_rsa_keypair, 0, sizeof(keys->ssl_rsa_keypair));
             return false;
         }
     }
@@ -518,6 +565,27 @@ static bool _derive_personalized_ssl_key(key_derivation_ctx_t *keys, titlekey_bu
     return true;
 }
 
+static bool _get_rsa_eticket_key(const nx_emmc_cal0_t *cal0, const void **out_key, const void **out_iv, u32 *out_generation) {
+    const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key);
+    const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38);
+    const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key);
+    const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad21);
+
+    if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) {
+        *out_key = cal0->ext_ecc_rsa2048_eticket_key;
+        *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv;
+        // settings sysmodule manually zeroes this out below cal version 9
+        *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver;
+    } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) {
+        *out_key = cal0->rsa2048_eticket_key;
+        *out_iv = cal0->rsa2048_eticket_key_iv;
+        *out_generation = 0;
+    } else {
+        return false;
+    }
+    return true;
+}
+
 static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     if (!_key_exists(keys->eticket_rsa_kek)) {
         return false;
@@ -533,61 +601,51 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
     u32 keypair_generation = 0;
     const void *eticket_device_key = NULL;
     const void *eticket_iv = NULL;
+    void *keypair_ctr_key = NULL;
 
-    if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, 0x24E)) {
-        eticket_device_key = cal0->ext_ecc_rsa2048_eticket_key;
-        eticket_iv = cal0->ext_ecc_rsa2048_eticket_key_iv;
-
-        // settings sysmodule manually zeroes this out below cal version 9
-        keypair_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver;
-    } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, 0x22E)) {
-        eticket_device_key = cal0->rsa2048_eticket_key;
-        eticket_iv = cal0->rsa2048_eticket_key_iv;
-    } else {
+    if (!_get_rsa_eticket_key(cal0, &eticket_device_key, &eticket_iv, &keypair_generation)) {
         EPRINTF("Crc16 error reading device key.");
         return false;
     }
 
     if (keypair_generation) {
-        keypair_generation--;
-        _get_device_key(7, keys, keys->temp_key, keypair_generation);
-        _derive_eticket_rsa_kek(keys, 7, keys->eticket_rsa_kek_personalized, keys->temp_key, is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source);
-        memcpy(keys->temp_key, keys->eticket_rsa_kek_personalized, sizeof(keys->temp_key));
+        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
+        _derive_eticket_rsa_kek(keys, 7, keys->eticket_rsa_kek_personalized, is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source, keypair_generation, option);
+        keypair_ctr_key = keys->eticket_rsa_kek_personalized;
     } else {
-        memcpy(keys->temp_key, keys->eticket_rsa_kek, sizeof(keys->temp_key));
+        keypair_ctr_key = keys->eticket_rsa_kek;
     }
 
-    se_aes_key_set(6, keys->temp_key, sizeof(keys->temp_key));
-    se_aes_crypt_ctr(6, &keys->rsa_keypair, sizeof(keys->rsa_keypair), eticket_device_key, sizeof(keys->rsa_keypair), eticket_iv);
+    se_aes_key_set(6, keypair_ctr_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(6, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), eticket_device_key, sizeof(keys->eticket_rsa_keypair), eticket_iv);
 
-    // Check public exponent is 65537 big endian
-    if (_read_be_u32(keys->rsa_keypair.public_exponent, 0) != 65537) {
+    if (_read_be_u32(keys->eticket_rsa_keypair.public_exponent, 0) != RSA_PUBLIC_EXPONENT) {
         // try legacy kek source
-        _derive_eticket_rsa_kek(keys, 7, keys->temp_key, keys->master_key[0], eticket_rsa_kek_source_legacy);
+        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY);
+        keypair_ctr_key = keys->temp_key;
+        _derive_eticket_rsa_kek(keys, 7, keypair_ctr_key, eticket_rsa_kek_source_legacy, 0, option);
 
-        se_aes_key_set(6, keys->temp_key, sizeof(keys->temp_key));
-        se_aes_crypt_ctr(6, &keys->rsa_keypair, sizeof(keys->rsa_keypair), eticket_device_key, sizeof(keys->rsa_keypair), eticket_iv);
+        se_aes_key_set(6, keypair_ctr_key, AES_128_KEY_SIZE);
+        se_aes_crypt_ctr(6, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), eticket_device_key, sizeof(keys->eticket_rsa_keypair), eticket_iv);
 
-        if (_read_be_u32(keys->rsa_keypair.public_exponent, 0) != 65537) {
+        if (_read_be_u32(keys->eticket_rsa_keypair.public_exponent, 0) != RSA_PUBLIC_EXPONENT) {
             EPRINTF("Invalid public exponent.");
-            memset(&keys->rsa_keypair, 0, sizeof(keys->rsa_keypair));
+            memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
             return false;
         } else {
             memcpy(keys->eticket_rsa_kek, keys->temp_key, sizeof(keys->eticket_rsa_kek));
         }
     }
 
-    if (!_test_key_pair(keys->rsa_keypair.public_exponent, keys->rsa_keypair.private_exponent, keys->rsa_keypair.modulus)) {
+    if (!_test_key_pair(keys->eticket_rsa_keypair.public_exponent, keys->eticket_rsa_keypair.private_exponent, keys->eticket_rsa_keypair.modulus)) {
         EPRINTF("Invalid keypair. Check eticket_rsa_kek.");
-        memset(&keys->rsa_keypair, 0, sizeof(keys->rsa_keypair));
+        memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
         return false;
     }
 
-    se_rsa_key_set(0, keys->rsa_keypair.modulus, sizeof(keys->rsa_keypair.modulus), keys->rsa_keypair.private_exponent, sizeof(keys->rsa_keypair.private_exponent));
-
     const u32 buf_size = SZ_16K;
     _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, NULL);
-    _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &keys->rsa_keypair);
+    _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &keys->eticket_rsa_keypair);
 
     gfx_printf("\n%k  Found %d titlekeys.\n\n", colors[(color_idx++) % 6], _titlekey_count);
 
@@ -771,7 +829,7 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
         SAVE_KEY(eticket_rsa_kek_source);
     }
     SAVE_KEY(eticket_rsa_kekek_source);
-    _save_key("eticket_rsa_keypair", &keys->rsa_keypair, sizeof(keys->rsa_keypair), text_buffer);
+    _save_key("eticket_rsa_keypair", &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), text_buffer);
     SAVE_KEY(header_kek_source);
     SAVE_KEY_VAR(header_key, keys->header_key);
     SAVE_KEY(header_key_source);
@@ -800,12 +858,6 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
     SAVE_KEY(package2_key_source);
     SAVE_KEY(per_console_key_source);
     SAVE_KEY(retail_specific_aes_key_source);
-    for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
-        keys->temp_key[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_import_es_device_key[i];
-    SAVE_KEY_VAR(rsa_oaep_kek_generation_source, keys->temp_key);
-    for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
-        keys->temp_key[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_decrypt_device_unique_data[i];
-    SAVE_KEY_VAR(rsa_private_kek_generation_source, keys->temp_key);
     SAVE_KEY(save_mac_kek_source);
     SAVE_KEY_VAR(save_mac_key, keys->save_mac_key);
     SAVE_KEY(save_mac_key_source);
@@ -819,9 +871,13 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
     SAVE_KEY_VAR(secure_boot_key, keys->sbk);
     SAVE_KEY_VAR(ssl_rsa_kek, keys->ssl_rsa_kek);
     SAVE_KEY_VAR(ssl_rsa_kek_personalized, keys->ssl_rsa_kek_personalized);
-    SAVE_KEY(ssl_rsa_kek_source_x);
-    SAVE_KEY(ssl_rsa_kek_source_y);
-    _save_key("ssl_rsa_key", keys->ssl_rsa_key, RSA_2048_KEY_SIZE, text_buffer);
+    if (is_dev) {
+        SAVE_KEY_VAR(ssl_rsa_kek_source, ssl_rsa_kek_source_dev);
+    } else {
+        SAVE_KEY(ssl_rsa_kek_source);
+    }
+    SAVE_KEY(ssl_rsa_kekek_source);
+    _save_key("ssl_rsa_keypair", keys->ssl_rsa_keypair, RSA_2048_KEY_SIZE, text_buffer);
     SAVE_KEY_FAMILY_VAR(titlekek, keys->titlekek, 0);
     SAVE_KEY(titlekek_source);
     SAVE_KEY_VAR(tsec_key, keys->tsec_key);
@@ -1013,7 +1069,7 @@ void derive_amiibo_keys() {
         return;
     }
 
-    _decrypt_aes_key(8, keys->temp_key, nfc_key_source, keys->master_key[0]);
+    _decrypt_aes_key(8, keys, keys->temp_key, nfc_key_source, 0, 0);
 
     nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
     static const u8 nfc_iv[AES_128_KEY_SIZE] = {
@@ -1130,30 +1186,60 @@ static void _save_key_family(const char *name, const void *data, u32 start_key,
     free(temp_name);
 }
 
-// Equivalent to spl::GenerateAesKek. When key_seed is set, the result is as if spl::GenerateAesKey was called immediately after.
-// The generation and option args are dictated by master_key and kek_seed.
-static void _generate_kek(u32 ks, const void *key_source, const void *master_key, const void *kek_seed, const void *key_seed) {
-    if (!_key_exists(key_source) || !_key_exists(master_key) || !_key_exists(kek_seed))
-        return;
+// Equivalent to spl::GenerateAesKek
+static void _generate_aes_kek(u32 ks, key_derivation_ctx_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) {
+    bool device_unique = GET_IS_DEVICE_UNIQUE(option);
+    u32 seal_key_index = GET_SEAL_KEY_INDEX(option);
 
-    se_aes_key_set(ks, master_key, AES_128_KEY_SIZE);
-    se_aes_unwrap_key(ks, ks, kek_seed);
-    se_aes_unwrap_key(ks, ks, key_source);
-    if (key_seed && _key_exists(key_seed))
-        se_aes_unwrap_key(ks, ks, key_seed);
+    if (generation)
+        generation--;
+
+    u8 static_source[AES_128_KEY_SIZE];
+    for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
+        static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i];
+
+    if (device_unique) {
+        _get_device_key(ks, keys, keys->temp_key, generation);
+    } else {
+        memcpy(keys->temp_key, keys->master_key[generation], sizeof(keys->temp_key));
+    }
+    se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE);
+    se_aes_unwrap_key(ks, ks, static_source);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_kek, kek_source);
+}
+
+// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key
+static void _load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
+    se_aes_key_set(ks, access_key, AES_128_KEY_SIZE);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_key, key_source);
+}
+
+// Equivalent to spl::GenerateAesKey
+static void _generate_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) {
+    void *aes_key = keys->temp_key;
+    _load_aes_key(ks, aes_key, access_key, aes_key_generation_source);
+    se_aes_key_set(ks, aes_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size);
+}
+
+// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing
+static void _get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
+    _load_aes_key(ks, out_key, access_key, key_source);
 }
 
 // Equivalent to spl::DecryptAesKey.
-static void _decrypt_aes_key(u32 ks, void *dst, const void *key_source, const void *master_key) {
-    _generate_kek(ks, aes_key_decryption_source, master_key, aes_kek_generation_source, aes_key_generation_source);
-    se_aes_crypt_block_ecb(ks, 0, dst, key_source);
+static void _decrypt_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) {
+    void *access_key = keys->temp_key;
+    _generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option);
+    _generate_aes_key(ks, keys, out_key, AES_128_KEY_SIZE, access_key, key_source);
 }
 
-static void _get_secure_data(key_derivation_ctx_t *keys, void *dst) {
+// Equivalent to smc::GetSecureData
+static void _get_secure_data(key_derivation_ctx_t *keys, void *out_data) {
     se_aes_key_set(6, keys->device_key, AES_128_KEY_SIZE);
-    u8 *d = (u8 *)dst;
-    se_aes_crypt_ctr(6, d + 0x00, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
-    se_aes_crypt_ctr(6, d + 0x10, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
+    u8 *d = (u8 *)out_data;
+    se_aes_crypt_ctr(6, d + AES_128_KEY_SIZE * 0, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
+    se_aes_crypt_ctr(6, d + AES_128_KEY_SIZE * 1, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
 
     // Apply tweak
     for (u32 i = 0; i < AES_128_KEY_SIZE; i++) {
@@ -1161,9 +1247,10 @@ static void _get_secure_data(key_derivation_ctx_t *keys, void *dst) {
     }
 }
 
-static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 key_generation) {
+// Equivalent to spl::GenerateSpecificAesKey
+static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation) {
     if (fuse_read_bootrom_rev() >= 0x7F) {
-        _get_device_key(ks, keys, keys->temp_key, key_generation);
+        _get_device_key(ks, keys, keys->temp_key, generation - 1);
         se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE);
         se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source); // kek = unwrap(rsaks, devkey)
         se_aes_crypt_ecb(ks, DECRYPT, out_key, AES_128_KEY_SIZE * 2, key_source, AES_128_KEY_SIZE * 2); // bkey = unwrap(bkeys, kek)
@@ -1172,24 +1259,124 @@ static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void
     }
 }
 
-static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 revision) {
-    if (revision == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) {
+static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 generation) {
+    if (generation == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) {
         memcpy(out_device_key, keys->device_key, AES_128_KEY_SIZE);
         return;
     }
 
-    if (revision >= KB_FIRMWARE_VERSION_400) {
-        revision -= KB_FIRMWARE_VERSION_400;
+    if (generation >= KB_FIRMWARE_VERSION_400) {
+        generation -= KB_FIRMWARE_VERSION_400;
     } else {
-        revision = 0;
+        generation = 0;
     }
-    u32 temp_key[AES_128_KEY_SIZE / 4] = {0};
-    se_aes_key_set(ks, keys->device_key_4x, AES_128_KEY_SIZE);
-    se_aes_crypt_block_ecb(ks, DECRYPT, temp_key, device_master_key_source_sources[revision]);
+    u32 temp_key_source[AES_128_KEY_SIZE / 4] = {0};
+    _load_aes_key(ks, temp_key_source, keys->device_key_4x, device_master_key_source_sources[generation]);
+    const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[generation] : device_master_kek_sources_dev[generation];
     se_aes_key_set(ks, keys->master_key[0], AES_128_KEY_SIZE);
-    const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[revision] : device_master_kek_sources_dev[revision];
     se_aes_unwrap_key(ks, ks, kek_source);
-    se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source);
+}
+
+// The following ghash implementation is from Atmosphère's original exosphere implementation
+
+/* Shifts right a little endian 128-bit value. */
+static void _shr_128(uint64_t *val) {
+    val[0] >>= 1;
+    val[0] |= (val[1] & 1) << 63;
+    val[1] >>= 1;
+}
+
+/* Shifts left a little endian 128-bit value. */
+static void _shl_128(uint64_t *val) {
+    val[1] <<= 1;
+    val[1] |= (val[0] & (1ull << 63)) >> 63;
+    val[0] <<= 1;
+}
+
+/* Multiplies two 128-bit numbers X,Y in the GF(128) Galois Field. */
+static void _gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) {
+    uint8_t x_work[0x10];
+    uint8_t y_work[0x10];
+    uint8_t dst_work[0x10];
+
+    uint64_t *p_x = (uint64_t *)(&x_work[0]);
+    uint64_t *p_y = (uint64_t *)(&y_work[0]);
+    uint64_t *p_dst = (uint64_t *)(&dst_work[0]);
+
+    /* Initialize buffers. */
+    for (unsigned int i = 0; i < 0x10; i++) {
+        x_work[i] = x[0xF-i];
+        y_work[i] = y[0xF-i];
+        dst_work[i] = 0;
+    }
+
+    /* Perform operation for each bit in y. */
+    for (unsigned int round = 0; round < 0x80; round++) {
+        p_dst[0] ^= p_x[0] * ((y_work[0xF] & 0x80) >> 7);
+        p_dst[1] ^= p_x[1] * ((y_work[0xF] & 0x80) >> 7);
+        _shl_128(p_y);
+        uint8_t xval = 0xE1 * (x_work[0] & 1);
+        _shr_128(p_x);
+        x_work[0xF] ^= xval;
+    }
+
+    for (unsigned int i = 0; i < 0x10; i++) {
+        dst[i] = dst_work[0xF-i];
+    }
+}
+
+static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt) {
+    uint8_t x[0x10] = {0};
+    uint8_t h[0x10];
+
+    uint64_t *p_x = (uint64_t *)(&x[0]);
+    uint64_t *p_data = (uint64_t *)src;
+
+    /* H = aes_ecb_encrypt(zeroes) */
+    se_aes_crypt_block_ecb(ks, ENCRYPT, h, x);
+
+    u64 total_size = src_size;
+
+    while (src_size >= 0x10) {
+        /* X = (X ^ current_block) * H */
+        p_x[0] ^= p_data[0];
+        p_x[1] ^= p_data[1];
+        _gf128_mul(x, x, h);
+
+        /* Increment p_data by 0x10 bytes. */
+        p_data += 2;
+        src_size -= 0x10;
+    }
+
+    /* Nintendo's code *discards all data in the last block* if unaligned. */
+    /* And treats that block as though it were all-zero. */
+    /* This is a bug, they just forget to XOR with the copy of the last block they save. */
+    if (src_size & 0xF) {
+        _gf128_mul(x, x, h);
+    }
+
+    uint64_t xor_size = total_size << 3;
+    xor_size = __builtin_bswap64(xor_size);
+
+    /* Due to a Nintendo bug, the wrong QWORD gets XOR'd in the "final output block" case. */
+    if (encrypt) {
+        p_x[0] ^= xor_size;
+    } else {
+        p_x[1] ^= xor_size;
+    }
+
+    _gf128_mul(x, x, h);
+
+    /* If final output block, XOR with encrypted J block. */
+    if (encrypt) {
+        se_aes_crypt_block_ecb(ks, ENCRYPT, h, j_block);
+        for (unsigned int i = 0; i < 0x10; i++) {
+            x[i] ^= h[i];
+        }
+    }
+    /* Copy output. */
+    memcpy(dst, x, 0x10);
 }
 
 static bool _test_key_pair(const void *public_exponent, const void *private_exponent, const void *modulus) {
diff --git a/source/keys/keys.h b/source/keys/keys.h
index c0440d8..cc67c4a 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -24,6 +24,8 @@
 #define AES_128_KEY_SIZE 16
 #define RSA_2048_KEY_SIZE 256
 
+#define RSA_PUBLIC_EXPONENT 65537
+
 // only tickets of type Rsa2048Sha256 are expected
 typedef struct {
     u32 signature_type;   // always 0x10004
@@ -104,6 +106,29 @@ typedef struct {
     u8 xor_pad[0x20];
 } nfc_save_key_t;
 
+typedef enum {
+    SEAL_KEY_LOAD_AES_KEY = 0,
+    SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA = 1,
+    SEAL_KEY_IMPORT_LOTUS_KEY = 2,
+    SEAL_KEY_IMPORT_ES_DEVICE_KEY = 3,
+    SEAL_KEY_REENCRYPT_DEVICE_UNIQUE_DATA = 4,
+    SEAL_KEY_IMPORT_SSL_KEY = 5,
+    SEAL_KEY_IMPORT_ES_CLIENT_CERT_KEY = 6,
+} seal_key_t;
+
+typedef enum {
+    NOT_DEVICE_UNIQUE = 0,
+    IS_DEVICE_UNIQUE = 1,
+} device_unique_t;
+
+#define SET_SEAL_KEY_INDEX(x) (((x) & 7) << 5)
+#define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
+#define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
+
+#define WRAPPED_RSA_EXT_DATA_SIZE 0x20
+#define SSL_RSA_KEYPAIR_SIZE (RSA_2048_KEY_SIZE + AES_128_KEY_SIZE)
+#define SSL_RSA_EXT_KEYPAIR_SIZE (SSL_RSA_KEYPAIR_SIZE + WRAPPED_RSA_EXT_DATA_SIZE)
+
 typedef struct {
     u8  temp_key[AES_128_KEY_SIZE],
         bis_key[4][AES_128_KEY_SIZE * 2],
@@ -117,8 +142,9 @@ typedef struct {
         eticket_rsa_kek[AES_128_KEY_SIZE],
         eticket_rsa_kek_personalized[AES_128_KEY_SIZE],
         ssl_rsa_kek[AES_128_KEY_SIZE],
+        ssl_rsa_kek_legacy[AES_128_KEY_SIZE],
         ssl_rsa_kek_personalized[AES_128_KEY_SIZE],
-        ssl_rsa_key[RSA_2048_KEY_SIZE + 0x20],
+        ssl_rsa_keypair[RSA_2048_KEY_SIZE + 0x20],
         // keyblob-derived families
         keyblob_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
         keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
@@ -133,7 +159,7 @@ typedef struct {
         tsec_root_key[AES_128_KEY_SIZE];
     u32 sbk[4];
     keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
-    rsa_keypair_t rsa_keypair;
+    rsa_keypair_t eticket_rsa_keypair;
 } key_derivation_ctx_t;
 
 typedef struct {

From 8207aaa66e2414b3307c2970e2270a16875e5431 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 29 Oct 2022 15:43:17 -0700
Subject: [PATCH 09/21] keys: Name keyslots, use more apt SSL key name

---
 source/keys/keys.c | 180 ++++++++++++++++++++++-----------------------
 source/keys/keys.h |  29 +++++++-
 2 files changed, 115 insertions(+), 94 deletions(-)

diff --git a/source/keys/keys.c b/source/keys/keys.c
index ceb40f5..5604180 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -82,16 +82,16 @@ static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void
 static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 generation);
 static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt);
 // titlekey functions
-static bool _test_key_pair(const void *E, const void *D, const void *N);
+static bool _test_rsa_keypair(const void *E, const void *D, const void *N);
 
 static void _derive_master_key_mariko(key_derivation_ctx_t *keys, bool is_dev) {
     // Relies on the SBK being properly set in slot 14
-    se_aes_crypt_block_ecb(14, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
+    se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
     // Derive all master keys based on Mariko KEK
     for (u32 i = KB_FIRMWARE_VERSION_600; i < ARRAY_SIZE(mariko_master_kek_sources) + KB_FIRMWARE_VERSION_600; i++) {
         // Relies on the Mariko KEK being properly set in slot 12
-        se_aes_crypt_block_ecb(12, DECRYPT, keys->master_kek[i], is_dev ? &mariko_master_kek_sources_dev[i - KB_FIRMWARE_VERSION_600] : &mariko_master_kek_sources[i - KB_FIRMWARE_VERSION_600]); // mkek = unwrap(mariko_kek, mariko_kek_source)
-        _load_aes_key(8, keys->master_key[i], keys->master_kek[i], master_key_source);
+        se_aes_crypt_block_ecb(KS_MARIKO_KEK, DECRYPT, keys->master_kek[i], is_dev ? &mariko_master_kek_sources_dev[i - KB_FIRMWARE_VERSION_600] : &mariko_master_kek_sources[i - KB_FIRMWARE_VERSION_600]);
+        _load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
     }
 }
 
@@ -118,16 +118,16 @@ static void _derive_master_keys_from_latest_key(key_derivation_ctx_t *keys, bool
         u32 tsec_root_key_slot = is_dev ? 11 : 13;
         // Derive all master keys based on current root key
         for (u32 i = KB_FIRMWARE_VERSION_810 - KB_FIRMWARE_VERSION_620; i < ARRAY_SIZE(master_kek_sources); i++) {
-            se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_kek_sources[i]); // mkek = unwrap(tsec_root, mkeks)
-            _load_aes_key(8, keys->master_key[i + KB_FIRMWARE_VERSION_620], keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_key_source);
+            se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_kek_sources[i]);
+            _load_aes_key(KS_AES_ECB, keys->master_key[i + KB_FIRMWARE_VERSION_620], keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_key_source);
         }
     }
 
     // Derive all lower master keys
     for (u32 i = KB_FIRMWARE_VERSION_MAX; i > 0; i--) {
-        _load_aes_key(8, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]);
+        _load_aes_key(KS_AES_ECB, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]);
     }
-    _load_aes_key(8, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]);
+    _load_aes_key(KS_AES_ECB, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]);
 
     if (_key_exists(keys->temp_key)) {
         EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod");
@@ -164,34 +164,34 @@ static void _derive_keyblob_keys(key_derivation_ctx_t *keys) {
     encrypted_keyblob_t *current_keyblob = (encrypted_keyblob_t *)keyblob_block;
     for (u32 i = 0; i <= KB_FIRMWARE_VERSION_600; i++, current_keyblob++) {
         minerva_periodic_training();
-        se_aes_crypt_block_ecb(12, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]); // temp = unwrap(kbks, tsec)
-        se_aes_crypt_block_ecb(14, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]); // kbk = unwrap(temp, sbk)
-        _load_aes_key(7, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source); // kbm = unwrap(kbms, kbk)
+        se_aes_crypt_block_ecb(KS_TSEC, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]);
+        se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]);
+        _load_aes_key(KS_AES_ECB, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source);
         if (i == 0) {
-            se_aes_crypt_block_ecb(7, DECRYPT, keys->device_key, per_console_key_source); // devkey = unwrap(pcks, kbk0)
-            se_aes_crypt_block_ecb(7, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
+            se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key, per_console_key_source);
+            se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
         }
 
         if (!have_keyblobs) {
             continue;
         }
 
-        // verify keyblob is not corrupt
-        se_aes_key_set(10, keys->keyblob_mac_key[i], sizeof(keys->keyblob_mac_key[i]));
-        se_aes_cmac(10, keyblob_mac, sizeof(keyblob_mac), current_keyblob->iv, sizeof(current_keyblob->iv) + sizeof(keyblob_t));
+        // Verify keyblob is not corrupt
+        se_aes_key_set(KS_AES_CMAC, keys->keyblob_mac_key[i], sizeof(keys->keyblob_mac_key[i]));
+        se_aes_cmac(KS_AES_CMAC, keyblob_mac, sizeof(keyblob_mac), current_keyblob->iv, sizeof(current_keyblob->iv) + sizeof(keyblob_t));
         if (memcmp(current_keyblob->cmac, keyblob_mac, sizeof(keyblob_mac)) != 0) {
             EPRINTFARGS("Keyblob %x corrupt.", i);
             continue;
         }
 
-        // decrypt keyblobs
-        se_aes_key_set(6, keys->keyblob_key[i], sizeof(keys->keyblob_key[i]));
-        se_aes_crypt_ctr(6, &keys->keyblob[i], sizeof(keyblob_t), &current_keyblob->key_data, sizeof(keyblob_t), current_keyblob->iv);
+        // Decrypt keyblobs
+        se_aes_key_set(KS_AES_CTR, keys->keyblob_key[i], sizeof(keys->keyblob_key[i]));
+        se_aes_crypt_ctr(KS_AES_CTR, &keys->keyblob[i], sizeof(keyblob_t), &current_keyblob->key_data, sizeof(keyblob_t), current_keyblob->iv);
 
         memcpy(keys->package1_key[i], keys->keyblob[i].package1_key, sizeof(keys->package1_key[i]));
         memcpy(keys->master_kek[i], keys->keyblob[i].master_kek, sizeof(keys->master_kek[i]));
         if (!_key_exists(keys->master_key[i])) {
-            _load_aes_key(7, keys->master_key[i], keys->master_kek[i], master_key_source);
+            _load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
         }
     }
     free(keyblob_block);
@@ -204,12 +204,12 @@ static void _derive_bis_keys(key_derivation_ctx_t *keys) {
     if (!(_key_exists(keys->device_key) || (generation && _key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x)))) {
         return;
     }
-    _generate_specific_aes_key(8, keys, &keys->bis_key[0], bis_key_sources[0], generation);
+    _generate_specific_aes_key(KS_AES_ECB, keys, &keys->bis_key[0], bis_key_sources[0], generation);
     u32 access_key[AES_128_KEY_SIZE / 4] = {0};
     const u32 option = GET_IS_DEVICE_UNIQUE(IS_DEVICE_UNIQUE);
-    _generate_aes_kek(8, keys, access_key, bis_kek_source, generation, option);
-    _generate_aes_key(8, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]);
-    _generate_aes_key(8, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]);
+    _generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option);
+    _generate_aes_key(KS_AES_ECB, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]);
+    _generate_aes_key(KS_AES_ECB, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]);
     memcpy(keys->bis_key[3], keys->bis_key[2], sizeof(keys->bis_key[3]));
 }
 
@@ -217,19 +217,19 @@ static void _derive_non_unique_keys(key_derivation_ctx_t *keys, bool is_dev) {
     if (_key_exists(keys->master_key[0])) {
         const u32 generation = 0;
         const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
-        _generate_aes_kek(8, keys, keys->temp_key, header_kek_source, generation, option);
-        _generate_aes_key(8, keys, keys->header_key, sizeof(keys->header_key), keys->temp_key, header_key_source);
+        _generate_aes_kek(KS_AES_ECB, keys, keys->temp_key, header_kek_source, generation, option);
+        _generate_aes_key(KS_AES_ECB, keys, keys->header_key, sizeof(keys->header_key), keys->temp_key, header_key_source);
     }
 }
 
-static void _derive_eticket_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *out_rsa_kek, const void *kek_source, u32 generation, u32 option) {
+static void _derive_eticket_rsa_kek(u32 ks, key_derivation_ctx_t *keys, void *out_rsa_kek, const void *kek_source, u32 generation, u32 option) {
     void *access_key = keys->temp_key;
     _generate_aes_kek(ks, keys, access_key, eticket_rsa_kekek_source, generation, option);
     _get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
     
 }
 
-static void _derive_ssl_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
+static void _derive_ssl_rsa_kek(u32 ks, key_derivation_ctx_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
     void *access_key = keys->temp_key;
     _generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
     _get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
@@ -240,19 +240,19 @@ static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) {
         void *access_key = keys->temp_key;
         const u32 generation = 0;
         const u32 option = GET_IS_DEVICE_UNIQUE(IS_DEVICE_UNIQUE);
-        _generate_aes_kek(8, keys, access_key, save_mac_kek_source, generation, option);
-        _load_aes_key(8, keys->save_mac_key, access_key, save_mac_key_source);
+        _generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option);
+        _load_aes_key(KS_AES_ECB, keys->save_mac_key, access_key, save_mac_key_source);
     }
 
     if (_key_exists(keys->master_key[0])) {
         const void *eticket_kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
         const u32 generation = 0;
         u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY);
-        _derive_eticket_rsa_kek(keys, 8, keys->eticket_rsa_kek, eticket_kek_source, generation, option);
+        _derive_eticket_rsa_kek(KS_AES_ECB, keys, keys->eticket_rsa_kek, eticket_kek_source, generation, option);
 
         const void *ssl_kek_source = is_dev ? ssl_rsa_kek_source_dev : ssl_rsa_kek_source;
         option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA);
-        _derive_ssl_rsa_kek(keys, 8, keys->ssl_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
+        _derive_ssl_rsa_kek(KS_AES_ECB, keys, keys->ssl_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
     }
 }
 
@@ -263,11 +263,11 @@ static void _derive_per_generation_keys(key_derivation_ctx_t *keys) {
         for (u32 source_type = 0; source_type < ARRAY_SIZE(key_area_key_sources); source_type++) {
             void *access_key = keys->temp_key;
             const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
-            _generate_aes_kek(8, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
-            _load_aes_key(8, keys->key_area_key[source_type][generation], access_key, aes_key_generation_source);
+            _generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
+            _load_aes_key(KS_AES_ECB, keys->key_area_key[source_type][generation], access_key, aes_key_generation_source);
         }
-        _load_aes_key(8, keys->package2_key[generation], keys->master_key[generation], package2_key_source);
-        _load_aes_key(8, keys->titlekek[generation], keys->master_key[generation], titlekek_source);
+        _load_aes_key(KS_AES_ECB, keys->package2_key[generation], keys->master_key[generation], package2_key_source);
+        _load_aes_key(KS_AES_ECB, keys->titlekek[generation], keys->master_key[generation], titlekek_source);
     }
 }
 
@@ -425,7 +425,7 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) {
         EPRINTF("Unable to open SD seed vector. Skipping.");
         return false;
     }
-    // get sd seed verification vector
+    // Get sd seed verification vector
     if (f_read(&fp, keys->temp_key, AES_128_KEY_SIZE, &read_bytes) || read_bytes != AES_128_KEY_SIZE) {
         EPRINTF("Unable to read SD seed vector. Skipping.");
         f_close(&fp);
@@ -433,7 +433,7 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) {
     }
     f_close(&fp);
 
-    // this file is small enough that parsing the savedata properly is slower
+    // This file is small enough that parsing the savedata properly is slower
     if (f_open(&fp, "bis:/save/8000000000000043", FA_READ | FA_OPEN_EXISTING)) {
         EPRINTF("Unable to open ns_appman save.\nSkipping SD seed.");
         return false;
@@ -482,7 +482,7 @@ static bool _get_rsa_ssl_key(const nx_emmc_cal0_t *cal0, const void **out_key, u
         *out_key = cal0->ext_ssl_key;
         *out_key_size = ext_key_size;
         *out_iv = cal0->ext_ssl_key_iv;
-        // settings sysmodule manually zeroes this out below cal version 9
+        // Settings sysmodule manually zeroes this out below cal version 9
         *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver;
     } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) {
         *out_key = cal0->ssl_key;
@@ -501,63 +501,63 @@ static bool _derive_personalized_ssl_key(key_derivation_ctx_t *keys, titlekey_bu
     }
 
     nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
-    u32 keypair_generation = 0;
+    u32 generation = 0;
     const void *ssl_device_key = NULL;
     const void *ssl_iv = NULL;
     u32 key_size = 0;
     void *keypair_ctr_key = NULL;
     bool enforce_unique = true;
 
-    if (!_get_rsa_ssl_key(cal0, &ssl_device_key, &key_size, &ssl_iv, &keypair_generation)) {
+    if (!_get_rsa_ssl_key(cal0, &ssl_device_key, &key_size, &ssl_iv, &generation)) {
         EPRINTF("Crc16 error reading device key.");
         return false;
     }
 
-    if (key_size == SSL_RSA_KEYPAIR_SIZE) {
+    if (key_size == SSL_RSA_KEY_SIZE) {
         bool all_zero = true;
         const u8 *key8 = (const u8 *)ssl_device_key;
-        for (u32 i = RSA_2048_KEY_SIZE; i < SSL_RSA_KEYPAIR_SIZE; i++) {
+        for (u32 i = RSA_2048_KEY_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
             if (key8[i] != 0) {
                 all_zero = false;
                 break;
             }
         }
         if (all_zero) {
-            // keypairs of this form are not encrypted
-            memcpy(keys->ssl_rsa_keypair, ssl_device_key, RSA_2048_KEY_SIZE);
+            // Keypairs of this form are not encrypted
+            memcpy(keys->ssl_rsa_key, ssl_device_key, RSA_2048_KEY_SIZE);
             return true;
         }
 
         u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA);
         keypair_ctr_key = keys->ssl_rsa_kek_legacy;
-        _derive_ssl_rsa_kek(keys, 7, keypair_ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, keypair_generation, option);
+        _derive_ssl_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
         enforce_unique = false;
     }
 
-    if (keypair_generation) {
+    if (generation) {
         u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
         keypair_ctr_key = keys->ssl_rsa_kek_personalized;
-        _derive_ssl_rsa_kek(keys, 7, keypair_ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, keypair_generation, option);
+        _derive_ssl_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
     } else {
         keypair_ctr_key = keys->ssl_rsa_kek;
     }
 
     u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
-    se_aes_key_set(6, keypair_ctr_key, AES_128_KEY_SIZE);
-    se_aes_crypt_ctr(6, keys->ssl_rsa_keypair, ctr_size, ssl_device_key, ctr_size, ssl_iv);
+    se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, ssl_device_key, ctr_size, ssl_iv);
 
     if (enforce_unique) {
         u32 j_block[AES_128_KEY_SIZE / 4] = {0};
-        se_aes_key_set(7, keypair_ctr_key, AES_128_KEY_SIZE);
-        _ghash(7, j_block, ssl_iv, 0x10, NULL, false);
+        se_aes_key_set(KS_AES_ECB, keypair_ctr_key, AES_128_KEY_SIZE);
+        _ghash(KS_AES_ECB, j_block, ssl_iv, 0x10, NULL, false);
 
         u32 calc_mac[AES_128_KEY_SIZE / 4] = {0};
-        _ghash(7, calc_mac, keys->ssl_rsa_keypair, ctr_size, j_block, true);
+        _ghash(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, j_block, true);
 
         const u8 *key8 = (const u8 *)ssl_device_key;
         if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
             EPRINTF("SSL keypair has invalid GMac.");
-            memset(keys->ssl_rsa_keypair, 0, sizeof(keys->ssl_rsa_keypair));
+            memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
             return false;
         }
     }
@@ -574,7 +574,7 @@ static bool _get_rsa_eticket_key(const nx_emmc_cal0_t *cal0, const void **out_ke
     if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) {
         *out_key = cal0->ext_ecc_rsa2048_eticket_key;
         *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv;
-        // settings sysmodule manually zeroes this out below cal version 9
+        // Settings sysmodule manually zeroes this out below cal version 9
         *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver;
     } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) {
         *out_key = cal0->rsa2048_eticket_key;
@@ -598,35 +598,35 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
     }
 
     nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
-    u32 keypair_generation = 0;
+    u32 generation = 0;
     const void *eticket_device_key = NULL;
     const void *eticket_iv = NULL;
     void *keypair_ctr_key = NULL;
 
-    if (!_get_rsa_eticket_key(cal0, &eticket_device_key, &eticket_iv, &keypair_generation)) {
+    if (!_get_rsa_eticket_key(cal0, &eticket_device_key, &eticket_iv, &generation)) {
         EPRINTF("Crc16 error reading device key.");
         return false;
     }
 
-    if (keypair_generation) {
+    if (generation) {
         u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
-        _derive_eticket_rsa_kek(keys, 7, keys->eticket_rsa_kek_personalized, is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source, keypair_generation, option);
+        _derive_eticket_rsa_kek(KS_AES_ECB, keys, keys->eticket_rsa_kek_personalized, is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source, generation, option);
         keypair_ctr_key = keys->eticket_rsa_kek_personalized;
     } else {
         keypair_ctr_key = keys->eticket_rsa_kek;
     }
 
-    se_aes_key_set(6, keypair_ctr_key, AES_128_KEY_SIZE);
-    se_aes_crypt_ctr(6, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), eticket_device_key, sizeof(keys->eticket_rsa_keypair), eticket_iv);
+    se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), eticket_device_key, sizeof(keys->eticket_rsa_keypair), eticket_iv);
 
     if (_read_be_u32(keys->eticket_rsa_keypair.public_exponent, 0) != RSA_PUBLIC_EXPONENT) {
-        // try legacy kek source
+        // Try legacy kek source
         u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY);
         keypair_ctr_key = keys->temp_key;
-        _derive_eticket_rsa_kek(keys, 7, keypair_ctr_key, eticket_rsa_kek_source_legacy, 0, option);
+        _derive_eticket_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, eticket_rsa_kek_source_legacy, 0, option);
 
-        se_aes_key_set(6, keypair_ctr_key, AES_128_KEY_SIZE);
-        se_aes_crypt_ctr(6, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), eticket_device_key, sizeof(keys->eticket_rsa_keypair), eticket_iv);
+        se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
+        se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), eticket_device_key, sizeof(keys->eticket_rsa_keypair), eticket_iv);
 
         if (_read_be_u32(keys->eticket_rsa_keypair.public_exponent, 0) != RSA_PUBLIC_EXPONENT) {
             EPRINTF("Invalid public exponent.");
@@ -637,7 +637,7 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
         }
     }
 
-    if (!_test_key_pair(keys->eticket_rsa_keypair.public_exponent, keys->eticket_rsa_keypair.private_exponent, keys->eticket_rsa_keypair.modulus)) {
+    if (!_test_rsa_keypair(keys->eticket_rsa_keypair.public_exponent, keys->eticket_rsa_keypair.private_exponent, keys->eticket_rsa_keypair.modulus)) {
         EPRINTF("Invalid keypair. Check eticket_rsa_kek.");
         memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
         return false;
@@ -655,20 +655,20 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
 static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     // Set BIS keys.
     // PRODINFO/PRODINFOF
-    se_aes_key_set(0, keys->bis_key[0] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(1, keys->bis_key[0] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_00_0, keys->bis_key[0] + 0x00, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_00_1, keys->bis_key[0] + 0x10, AES_128_KEY_SIZE);
     // SAFE
-    se_aes_key_set(2, keys->bis_key[1] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(3, keys->bis_key[1] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_01_0, keys->bis_key[1] + 0x00, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_01_1, keys->bis_key[1] + 0x10, AES_128_KEY_SIZE);
     // SYSTEM/USER
-    se_aes_key_set(4, keys->bis_key[2] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(5, keys->bis_key[2] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_02_0, keys->bis_key[2] + 0x00, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_02_1, keys->bis_key[2] + 0x10, AES_128_KEY_SIZE);
 
     if (!emummc_storage_set_mmc_partition(EMMC_GPP)) {
         EPRINTF("Unable to set partition.");
         return false;
     }
-    // Parse eMMC GPT.
+    // Parse eMMC GPT
     LIST_INIT(gpt);
     nx_emmc_gpt_parse(&gpt, &emmc_storage);
 
@@ -877,7 +877,7 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
         SAVE_KEY(ssl_rsa_kek_source);
     }
     SAVE_KEY(ssl_rsa_kekek_source);
-    _save_key("ssl_rsa_keypair", keys->ssl_rsa_keypair, RSA_2048_KEY_SIZE, text_buffer);
+    _save_key("ssl_rsa_key", keys->ssl_rsa_key, RSA_2048_KEY_SIZE, text_buffer);
     SAVE_KEY_FAMILY_VAR(titlekek, keys->titlekek, 0);
     SAVE_KEY(titlekek_source);
     SAVE_KEY_VAR(tsec_key, keys->tsec_key);
@@ -931,8 +931,8 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
 static bool _check_keyslot_access() {
     u8 test_data[AES_128_KEY_SIZE] = {0};
     const u8 test_ciphertext[AES_128_KEY_SIZE] = {0};
-    se_aes_key_set(8, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE);
-    se_aes_crypt_block_ecb(8, DECRYPT, test_data, test_ciphertext);
+    se_aes_key_set(KS_AES_ECB, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE);
+    se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, test_data, test_ciphertext);
 
     return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0;
 }
@@ -952,9 +952,9 @@ static void _derive_master_keys(key_derivation_ctx_t *prod_keys, key_derivation_
 
         u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
         se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE);
-        memcpy(&dev_keys->tsec_root_key, aes_keys + 11 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
-        memcpy(keys->tsec_key, aes_keys + 12 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
-        memcpy(&prod_keys->tsec_root_key, aes_keys + 13 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
+        memcpy(&dev_keys->tsec_root_key,  aes_keys + KS_TSEC_ROOT_DEV * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
+        memcpy(keys->tsec_key,            aes_keys + KS_TSEC * AES_128_KEY_SIZE,          AES_128_KEY_SIZE);
+        memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * AES_128_KEY_SIZE,     AES_128_KEY_SIZE);
         free(aes_keys);
 
         _derive_master_keys_from_latest_key(prod_keys, false);
@@ -1069,19 +1069,19 @@ void derive_amiibo_keys() {
         return;
     }
 
-    _decrypt_aes_key(8, keys, keys->temp_key, nfc_key_source, 0, 0);
+    _decrypt_aes_key(KS_AES_ECB, keys, keys->temp_key, nfc_key_source, 0, 0);
 
     nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
     static const u8 nfc_iv[AES_128_KEY_SIZE] = {
         0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
-    se_aes_key_set(6, keys->temp_key, AES_128_KEY_SIZE);
-    se_aes_crypt_ctr(6, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
+    se_aes_key_set(KS_AES_CTR, keys->temp_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
 
     minerva_periodic_training();
 
     u8 xor_pad[0x20] __attribute__((aligned(4))) = {0};
-    se_aes_key_set(6, nfc_keyblob.ctr_key, AES_128_KEY_SIZE);
-    se_aes_crypt_ctr(6, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
+    se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
 
     minerva_periodic_training();
 
@@ -1236,10 +1236,10 @@ static void _decrypt_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key,
 
 // Equivalent to smc::GetSecureData
 static void _get_secure_data(key_derivation_ctx_t *keys, void *out_data) {
-    se_aes_key_set(6, keys->device_key, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_AES_CTR, keys->device_key, AES_128_KEY_SIZE);
     u8 *d = (u8 *)out_data;
-    se_aes_crypt_ctr(6, d + AES_128_KEY_SIZE * 0, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
-    se_aes_crypt_ctr(6, d + AES_128_KEY_SIZE * 1, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
+    se_aes_crypt_ctr(KS_AES_CTR, d + AES_128_KEY_SIZE * 0, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
+    se_aes_crypt_ctr(KS_AES_CTR, d + AES_128_KEY_SIZE * 1, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
 
     // Apply tweak
     for (u32 i = 0; i < AES_128_KEY_SIZE; i++) {
@@ -1252,8 +1252,8 @@ static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void
     if (fuse_read_bootrom_rev() >= 0x7F) {
         _get_device_key(ks, keys, keys->temp_key, generation - 1);
         se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE);
-        se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source); // kek = unwrap(rsaks, devkey)
-        se_aes_crypt_ecb(ks, DECRYPT, out_key, AES_128_KEY_SIZE * 2, key_source, AES_128_KEY_SIZE * 2); // bkey = unwrap(bkeys, kek)
+        se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source);
+        se_aes_crypt_ecb(ks, DECRYPT, out_key, AES_128_KEY_SIZE * 2, key_source, AES_128_KEY_SIZE * 2);
     } else {
         _get_secure_data(keys, out_key);
     }
@@ -1379,7 +1379,7 @@ static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void
     memcpy(dst, x, 0x10);
 }
 
-static bool _test_key_pair(const void *public_exponent, const void *private_exponent, const void *modulus) {
+static bool _test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) {
     u8  plaintext[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0},
         ciphertext[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0},
         work[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0};
diff --git a/source/keys/keys.h b/source/keys/keys.h
index cc67c4a..3a61684 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -26,6 +26,29 @@
 
 #define RSA_PUBLIC_EXPONENT 65537
 
+// Lockpick_RCM keyslots
+#define KS_BIS_00_0 0
+#define KS_BIS_00_1 1
+#define KS_BIS_01_0 2
+#define KS_BIS_01_1 3
+#define KS_BIS_02_0 4
+#define KS_BIS_02_1 5
+#define KS_AES_CTR  6
+#define KS_AES_ECB  8
+#define KS_AES_CMAC 10
+
+// Mariko keyslots
+#define KS_MARIKO_KEK 12
+#define KS_MARIKO_BEK 13
+
+// Other Switch keyslots
+#define KS_TSEC        12
+#define KS_SECURE_BOOT 14
+
+// Atmosphere keygen keyslots
+#define KS_TSEC_ROOT_DEV 11
+#define KS_TSEC_ROOT     13
+
 // only tickets of type Rsa2048Sha256 are expected
 typedef struct {
     u32 signature_type;   // always 0x10004
@@ -125,9 +148,7 @@ typedef enum {
 #define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
 #define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
 
-#define WRAPPED_RSA_EXT_DATA_SIZE 0x20
-#define SSL_RSA_KEYPAIR_SIZE (RSA_2048_KEY_SIZE + AES_128_KEY_SIZE)
-#define SSL_RSA_EXT_KEYPAIR_SIZE (SSL_RSA_KEYPAIR_SIZE + WRAPPED_RSA_EXT_DATA_SIZE)
+#define SSL_RSA_KEY_SIZE (RSA_2048_KEY_SIZE + AES_128_KEY_SIZE)
 
 typedef struct {
     u8  temp_key[AES_128_KEY_SIZE],
@@ -144,7 +165,7 @@ typedef struct {
         ssl_rsa_kek[AES_128_KEY_SIZE],
         ssl_rsa_kek_legacy[AES_128_KEY_SIZE],
         ssl_rsa_kek_personalized[AES_128_KEY_SIZE],
-        ssl_rsa_keypair[RSA_2048_KEY_SIZE + 0x20],
+        ssl_rsa_key[RSA_2048_KEY_SIZE + 0x20],
         // keyblob-derived families
         keyblob_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
         keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],

From ab9322af53274392ee35b177af9297d9627408a6 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 29 Oct 2022 15:52:42 -0700
Subject: [PATCH 10/21] Update copyright notice years

---
 bdk/libs/nx_savedata/header.h        | 2 +-
 bdk/libs/nx_savedata/remap_storage.h | 2 +-
 bdk/libs/nx_savedata/save_fs_list.h  | 2 +-
 bdk/utils/util.c                     | 1 +
 source/keys/key_sources.inl          | 2 +-
 source/keys/keys.c                   | 2 +-
 source/keys/keys.h                   | 2 +-
 source/storage/nx_emmc_bis.h         | 2 +-
 8 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/bdk/libs/nx_savedata/header.h b/bdk/libs/nx_savedata/header.h
index 4a6e259..76e4c31 100644
--- a/bdk/libs/nx_savedata/header.h
+++ b/bdk/libs/nx_savedata/header.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
diff --git a/bdk/libs/nx_savedata/remap_storage.h b/bdk/libs/nx_savedata/remap_storage.h
index 2917775..fc048a3 100644
--- a/bdk/libs/nx_savedata/remap_storage.h
+++ b/bdk/libs/nx_savedata/remap_storage.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
diff --git a/bdk/libs/nx_savedata/save_fs_list.h b/bdk/libs/nx_savedata/save_fs_list.h
index 72b4e4b..da98736 100644
--- a/bdk/libs/nx_savedata/save_fs_list.h
+++ b/bdk/libs/nx_savedata/save_fs_list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
diff --git a/bdk/utils/util.c b/bdk/utils/util.c
index 1fae04e..bf30929 100644
--- a/bdk/utils/util.c
+++ b/bdk/utils/util.c
@@ -1,6 +1,7 @@
 /*
 * Copyright (c) 2018 naehrwert
 * Copyright (c) 2018-2020 CTCaer
+# Copyright (c) 2022 shchmue
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index bff4f9b..a11ba7a 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2021 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 5604180..1f26f53 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2021 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
diff --git a/source/keys/keys.h b/source/keys/keys.h
index 3a61684..6850e07 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2021 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
diff --git a/source/storage/nx_emmc_bis.h b/source/storage/nx_emmc_bis.h
index a1cfaa6..f207acd 100644
--- a/source/storage/nx_emmc_bis.h
+++ b/source/storage/nx_emmc_bis.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019 shchmue
+ * Copyright (c) 2019-2022 shchmue
  * Copyright (c) 2019 CTCaer
  *
  * This program is free software; you can redistribute it and/or modify it

From cbab1ec5b0207327d9fed497d85824a3045681de Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Mon, 31 Oct 2022 20:20:13 -0700
Subject: [PATCH 11/21] keys: Make code more readable

---
 source/keys/gmac.c | 130 ++++++++++++++++++
 source/keys/gmac.h |  24 ++++
 source/keys/keys.c | 333 +++++++++++++++++----------------------------
 source/keys/keys.h |  15 +-
 4 files changed, 287 insertions(+), 215 deletions(-)
 create mode 100644 source/keys/gmac.c
 create mode 100644 source/keys/gmac.h

diff --git a/source/keys/gmac.c b/source/keys/gmac.c
new file mode 100644
index 0000000..0749411
--- /dev/null
+++ b/source/keys/gmac.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2018-2020 Atmosphère-NX
+ * Copyright (c) 2019-2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "gmac.h"
+
+#include <sec/se.h>
+#include <sec/se_t210.h>
+
+#include <stdint.h>
+#include <string.h>
+
+/* Shifts right a little endian 128-bit value. */
+static void _shr_128(uint64_t *val) {
+    val[0] >>= 1;
+    val[0] |= (val[1] & 1) << 63;
+    val[1] >>= 1;
+}
+
+/* Shifts left a little endian 128-bit value. */
+static void _shl_128(uint64_t *val) {
+    val[1] <<= 1;
+    val[1] |= (val[0] & (1ull << 63)) >> 63;
+    val[0] <<= 1;
+}
+
+/* Multiplies two 128-bit numbers X,Y in the GF(128) Galois Field. */
+static void _gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) {
+    uint8_t x_work[0x10];
+    uint8_t y_work[0x10];
+    uint8_t dst_work[0x10];
+
+    uint64_t *p_x = (uint64_t *)(&x_work[0]);
+    uint64_t *p_y = (uint64_t *)(&y_work[0]);
+    uint64_t *p_dst = (uint64_t *)(&dst_work[0]);
+
+    /* Initialize buffers. */
+    for (unsigned int i = 0; i < 0x10; i++) {
+        x_work[i] = x[0xF-i];
+        y_work[i] = y[0xF-i];
+        dst_work[i] = 0;
+    }
+
+    /* Perform operation for each bit in y. */
+    for (unsigned int round = 0; round < 0x80; round++) {
+        p_dst[0] ^= p_x[0] * ((y_work[0xF] & 0x80) >> 7);
+        p_dst[1] ^= p_x[1] * ((y_work[0xF] & 0x80) >> 7);
+        _shl_128(p_y);
+        uint8_t xval = 0xE1 * (x_work[0] & 1);
+        _shr_128(p_x);
+        x_work[0xF] ^= xval;
+    }
+
+    for (unsigned int i = 0; i < 0x10; i++) {
+        dst[i] = dst_work[0xF-i];
+    }
+}
+
+static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt) {
+    uint8_t x[0x10] = {0};
+    uint8_t h[0x10];
+
+    uint64_t *p_x = (uint64_t *)(&x[0]);
+    uint64_t *p_data = (uint64_t *)src;
+
+    /* H = aes_ecb_encrypt(zeroes) */
+    se_aes_crypt_block_ecb(ks, ENCRYPT, h, x);
+
+    u64 total_size = src_size;
+
+    while (src_size >= 0x10) {
+        /* X = (X ^ current_block) * H */
+        p_x[0] ^= p_data[0];
+        p_x[1] ^= p_data[1];
+        _gf128_mul(x, x, h);
+
+        /* Increment p_data by 0x10 bytes. */
+        p_data += 2;
+        src_size -= 0x10;
+    }
+
+    /* Nintendo's code *discards all data in the last block* if unaligned. */
+    /* And treats that block as though it were all-zero. */
+    /* This is a bug, they just forget to XOR with the copy of the last block they save. */
+    if (src_size & 0xF) {
+        _gf128_mul(x, x, h);
+    }
+
+    uint64_t xor_size = total_size << 3;
+    xor_size = __builtin_bswap64(xor_size);
+
+    /* Due to a Nintendo bug, the wrong QWORD gets XOR'd in the "final output block" case. */
+    if (encrypt) {
+        p_x[0] ^= xor_size;
+    } else {
+        p_x[1] ^= xor_size;
+    }
+
+    _gf128_mul(x, x, h);
+
+    /* If final output block, XOR with encrypted J block. */
+    if (encrypt) {
+        se_aes_crypt_block_ecb(ks, ENCRYPT, h, j_block);
+        for (unsigned int i = 0; i < 0x10; i++) {
+            x[i] ^= h[i];
+        }
+    }
+    /* Copy output. */
+    memcpy(dst, x, 0x10);
+}
+
+void _calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv) {
+    u32 j_block[4] = {0};
+    se_aes_key_set(ks, key, 0x10);
+    _ghash(ks, j_block, iv, 0x10, NULL, false);
+    _ghash(ks, out_gmac, data, size, j_block, true);
+}
diff --git a/source/keys/gmac.h b/source/keys/gmac.h
new file mode 100644
index 0000000..b97b4af
--- /dev/null
+++ b/source/keys/gmac.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _GMAC_H_
+#define _GMAC_H_
+
+#include <utils/types.h>
+
+void _calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv);
+
+#endif
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 1f26f53..414a320 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -16,6 +16,8 @@
 
 #include "keys.h"
 
+#include "gmac.h"
+
 #include "../../keygen/tsec_keygen.h"
 
 #include "../config.h"
@@ -25,6 +27,7 @@
 #include "../gfx/tui.h"
 #include "../hos/hos.h"
 #include <libs/fatfs/ff.h>
+#include <libs/nx_savedata/header.h>
 #include <libs/nx_savedata/save.h>
 #include <mem/heap.h>
 #include <mem/minerva.h>
@@ -80,7 +83,6 @@ static void _get_device_unique_data_key(u32 ks, void *out_key, const void *acces
 static void _decrypt_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation, u32 option);
 static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation);
 static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 generation);
-static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt);
 // titlekey functions
 static bool _test_rsa_keypair(const void *E, const void *D, const void *N);
 
@@ -206,7 +208,7 @@ static void _derive_bis_keys(key_derivation_ctx_t *keys) {
     }
     _generate_specific_aes_key(KS_AES_ECB, keys, &keys->bis_key[0], bis_key_sources[0], generation);
     u32 access_key[AES_128_KEY_SIZE / 4] = {0};
-    const u32 option = GET_IS_DEVICE_UNIQUE(IS_DEVICE_UNIQUE);
+    const u32 option = IS_DEVICE_UNIQUE;
     _generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option);
     _generate_aes_key(KS_AES_ECB, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]);
     _generate_aes_key(KS_AES_ECB, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]);
@@ -222,14 +224,7 @@ static void _derive_non_unique_keys(key_derivation_ctx_t *keys, bool is_dev) {
     }
 }
 
-static void _derive_eticket_rsa_kek(u32 ks, key_derivation_ctx_t *keys, void *out_rsa_kek, const void *kek_source, u32 generation, u32 option) {
-    void *access_key = keys->temp_key;
-    _generate_aes_kek(ks, keys, access_key, eticket_rsa_kekek_source, generation, option);
-    _get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
-    
-}
-
-static void _derive_ssl_rsa_kek(u32 ks, key_derivation_ctx_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
+static void _derive_rsa_kek(u32 ks, key_derivation_ctx_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
     void *access_key = keys->temp_key;
     _generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
     _get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
@@ -239,7 +234,7 @@ static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) {
     if (_key_exists(keys->device_key) || (_key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x))) {
         void *access_key = keys->temp_key;
         const u32 generation = 0;
-        const u32 option = GET_IS_DEVICE_UNIQUE(IS_DEVICE_UNIQUE);
+        const u32 option = IS_DEVICE_UNIQUE;
         _generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option);
         _load_aes_key(KS_AES_ECB, keys->save_mac_key, access_key, save_mac_key_source);
     }
@@ -247,12 +242,12 @@ static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) {
     if (_key_exists(keys->master_key[0])) {
         const void *eticket_kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
         const u32 generation = 0;
-        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY);
-        _derive_eticket_rsa_kek(KS_AES_ECB, keys, keys->eticket_rsa_kek, eticket_kek_source, generation, option);
+        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
+        _derive_rsa_kek(KS_AES_ECB, keys, keys->eticket_rsa_kek, eticket_rsa_kekek_source, eticket_kek_source, generation, option);
 
         const void *ssl_kek_source = is_dev ? ssl_rsa_kek_source_dev : ssl_rsa_kek_source;
-        option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA);
-        _derive_ssl_rsa_kek(KS_AES_ECB, keys, keys->ssl_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
+        option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
+        _derive_rsa_kek(KS_AES_ECB, keys, keys->ssl_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
     }
 }
 
@@ -440,10 +435,11 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) {
     }
 
     u8 read_buf[0x20] __attribute__((aligned(4))) = {0};
-    for (u32 i = SZ_32K; i < f_size(&fp); i += SZ_16K) {
+    // Skip the two header blocks and only check the first bytes of each block - file contents are always block-aligned
+    for (u32 i = SAVE_BLOCK_SIZE_DEFAULT * 2; i < f_size(&fp); i += SAVE_BLOCK_SIZE_DEFAULT) {
         if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20)
             break;
-        if (!memcmp(keys->temp_key, read_buf, sizeof(keys->temp_key))) {
+        if (memcmp(keys->temp_key, read_buf, sizeof(keys->temp_key)) == 0) {
             memcpy(keys->sd_seed, read_buf + 0x10, sizeof(keys->sd_seed));
             break;
         }
@@ -456,14 +452,20 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) {
 }
 
 static bool _read_cal0(void *read_buffer) {
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer;
+
+    // Check if CAL0 was already read into this buffer
+    if (cal0->magic == MAGIC_CAL0) {
+        return true;
+    }
+
     if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) {
         EPRINTF("Unable to read PRODINFO.");
         return false;
     }
 
-    se_aes_xts_crypt(1, 0, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE);
+    se_aes_xts_crypt(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE);
 
-    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer;
     if (cal0->magic != MAGIC_CAL0) {
         EPRINTF("Invalid CAL0 magic. Check BIS key 0.");
         return false;
@@ -472,7 +474,7 @@ static bool _read_cal0(void *read_buffer) {
     return true;
 }
 
-static bool _get_rsa_ssl_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
+static bool _cal0_read_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
     const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key);
     const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39);
     const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key);
@@ -495,27 +497,27 @@ static bool _get_rsa_ssl_key(const nx_emmc_cal0_t *cal0, const void **out_key, u
     return true;
 }
 
-static bool _derive_personalized_ssl_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer) {
+static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer) {
     if (!_read_cal0(titlekey_buffer->read_buffer)) {
         return false;
     }
 
     nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
     u32 generation = 0;
-    const void *ssl_device_key = NULL;
-    const void *ssl_iv = NULL;
+    const void *encrypted_key = NULL;
+    const void *iv = NULL;
     u32 key_size = 0;
     void *keypair_ctr_key = NULL;
     bool enforce_unique = true;
 
-    if (!_get_rsa_ssl_key(cal0, &ssl_device_key, &key_size, &ssl_iv, &generation)) {
+    if (!_cal0_read_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
         EPRINTF("Crc16 error reading device key.");
         return false;
     }
 
     if (key_size == SSL_RSA_KEY_SIZE) {
         bool all_zero = true;
-        const u8 *key8 = (const u8 *)ssl_device_key;
+        const u8 *key8 = (const u8 *)encrypted_key;
         for (u32 i = RSA_2048_KEY_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
             if (key8[i] != 0) {
                 all_zero = false;
@@ -523,38 +525,32 @@ static bool _derive_personalized_ssl_key(key_derivation_ctx_t *keys, titlekey_bu
             }
         }
         if (all_zero) {
-            // Keypairs of this form are not encrypted
-            memcpy(keys->ssl_rsa_key, ssl_device_key, RSA_2048_KEY_SIZE);
+            // Keys of this form are not encrypted
+            memcpy(keys->ssl_rsa_key, encrypted_key, RSA_2048_KEY_SIZE);
             return true;
         }
 
-        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA);
+        const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
         keypair_ctr_key = keys->ssl_rsa_kek_legacy;
-        _derive_ssl_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
+        _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
         enforce_unique = false;
-    }
-
-    if (generation) {
-        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
+    } else if (generation) {
+        const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
         keypair_ctr_key = keys->ssl_rsa_kek_personalized;
-        _derive_ssl_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
+        _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
     } else {
         keypair_ctr_key = keys->ssl_rsa_kek;
     }
 
     u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
     se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
-    se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, ssl_device_key, ctr_size, ssl_iv);
+    se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv);
 
     if (enforce_unique) {
-        u32 j_block[AES_128_KEY_SIZE / 4] = {0};
-        se_aes_key_set(KS_AES_ECB, keypair_ctr_key, AES_128_KEY_SIZE);
-        _ghash(KS_AES_ECB, j_block, ssl_iv, 0x10, NULL, false);
-
         u32 calc_mac[AES_128_KEY_SIZE / 4] = {0};
-        _ghash(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, j_block, true);
+        _calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, keypair_ctr_key, iv);
 
-        const u8 *key8 = (const u8 *)ssl_device_key;
+        const u8 *key8 = (const u8 *)encrypted_key;
         if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
             EPRINTF("SSL keypair has invalid GMac.");
             memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
@@ -565,7 +561,7 @@ static bool _derive_personalized_ssl_key(key_derivation_ctx_t *keys, titlekey_bu
     return true;
 }
 
-static bool _get_rsa_eticket_key(const nx_emmc_cal0_t *cal0, const void **out_key, const void **out_iv, u32 *out_generation) {
+static bool _cal0_read_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
     const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key);
     const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38);
     const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key);
@@ -573,11 +569,13 @@ static bool _get_rsa_eticket_key(const nx_emmc_cal0_t *cal0, const void **out_ke
 
     if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) {
         *out_key = cal0->ext_ecc_rsa2048_eticket_key;
+        *out_key_size = ext_key_size;
         *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv;
         // Settings sysmodule manually zeroes this out below cal version 9
         *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver;
     } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) {
         *out_key = cal0->rsa2048_eticket_key;
+        *out_key_size = key_size;
         *out_iv = cal0->rsa2048_eticket_key_iv;
         *out_generation = 0;
     } else {
@@ -586,6 +584,70 @@ static bool _get_rsa_eticket_key(const nx_emmc_cal0_t *cal0, const void **out_ke
     return true;
 }
 
+static bool _test_eticket_rsa_keypair(const rsa_keypair_t *keypair) {
+    // Unlike the SSL RSA key, we don't need to check the gmac - we can just verify the public exponent
+    // and test the keypair since we have the modulus
+    if ((_read_be_u32(keypair->public_exponent, 0) != RSA_PUBLIC_EXPONENT) ||
+        (!_test_rsa_keypair(keypair->public_exponent, keypair->private_exponent, keypair->modulus))) {
+        return false;
+    }
+    return true;
+}
+
+static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
+    if (!_read_cal0(titlekey_buffer->read_buffer)) {
+        return false;
+    }
+
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
+    u32 generation = 0;
+    const void *encrypted_key = NULL;
+    const void *iv = NULL;
+    u32 key_size = 0;
+    void *keypair_ctr_key = NULL;
+
+    if (!_cal0_read_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
+        EPRINTF("Crc16 error reading device key.");
+        return false;
+    }
+
+    // Handle legacy case
+    if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
+        const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
+        keypair_ctr_key = keys->temp_key;
+        _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option);
+
+        se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
+        se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
+
+        if (_test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
+            memcpy(keys->eticket_rsa_kek, keypair_ctr_key, sizeof(keys->eticket_rsa_kek));
+            return true;
+        }
+        // Fall through and try usual method if not applicable
+    }
+
+    if (generation) {
+        const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
+        keypair_ctr_key = keys->eticket_rsa_kek_personalized;
+        const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
+        _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, eticket_rsa_kekek_source, kek_source, generation, option);
+    } else {
+        keypair_ctr_key = keys->eticket_rsa_kek;
+    }
+
+    se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
+
+    if (!_test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
+        EPRINTF("Invalid eticket keypair.");
+        memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
+        return false;
+    }
+
+    return true;
+}
+
 static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     if (!_key_exists(keys->eticket_rsa_kek)) {
         return false;
@@ -593,57 +655,11 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
 
     gfx_printf("%kTitlekeys...     \n", colors[(color_idx++) % 6]);
 
-    if (!_read_cal0(titlekey_buffer->read_buffer)) {
+    if (!_decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev)) {
         return false;
     }
 
-    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
-    u32 generation = 0;
-    const void *eticket_device_key = NULL;
-    const void *eticket_iv = NULL;
-    void *keypair_ctr_key = NULL;
-
-    if (!_get_rsa_eticket_key(cal0, &eticket_device_key, &eticket_iv, &generation)) {
-        EPRINTF("Crc16 error reading device key.");
-        return false;
-    }
-
-    if (generation) {
-        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
-        _derive_eticket_rsa_kek(KS_AES_ECB, keys, keys->eticket_rsa_kek_personalized, is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source, generation, option);
-        keypair_ctr_key = keys->eticket_rsa_kek_personalized;
-    } else {
-        keypair_ctr_key = keys->eticket_rsa_kek;
-    }
-
-    se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
-    se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), eticket_device_key, sizeof(keys->eticket_rsa_keypair), eticket_iv);
-
-    if (_read_be_u32(keys->eticket_rsa_keypair.public_exponent, 0) != RSA_PUBLIC_EXPONENT) {
-        // Try legacy kek source
-        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY);
-        keypair_ctr_key = keys->temp_key;
-        _derive_eticket_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, eticket_rsa_kek_source_legacy, 0, option);
-
-        se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
-        se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), eticket_device_key, sizeof(keys->eticket_rsa_keypair), eticket_iv);
-
-        if (_read_be_u32(keys->eticket_rsa_keypair.public_exponent, 0) != RSA_PUBLIC_EXPONENT) {
-            EPRINTF("Invalid public exponent.");
-            memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
-            return false;
-        } else {
-            memcpy(keys->eticket_rsa_kek, keys->temp_key, sizeof(keys->eticket_rsa_kek));
-        }
-    }
-
-    if (!_test_rsa_keypair(keys->eticket_rsa_keypair.public_exponent, keys->eticket_rsa_keypair.private_exponent, keys->eticket_rsa_keypair.modulus)) {
-        EPRINTF("Invalid keypair. Check eticket_rsa_kek.");
-        memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
-        return false;
-    }
-
-    const u32 buf_size = SZ_16K;
+    const u32 buf_size = SAVE_BLOCK_SIZE_DEFAULT;
     _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, NULL);
     _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &keys->eticket_rsa_keypair);
 
@@ -655,14 +671,14 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
 static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     // Set BIS keys.
     // PRODINFO/PRODINFOF
-    se_aes_key_set(KS_BIS_00_0, keys->bis_key[0] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(KS_BIS_00_1, keys->bis_key[0] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_00_TWEAK, keys->bis_key[0] + 0x10, AES_128_KEY_SIZE);
     // SAFE
-    se_aes_key_set(KS_BIS_01_0, keys->bis_key[1] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(KS_BIS_01_1, keys->bis_key[1] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_01_CRYPT, keys->bis_key[1] + 0x00, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_01_TWEAK, keys->bis_key[1] + 0x10, AES_128_KEY_SIZE);
     // SYSTEM/USER
-    se_aes_key_set(KS_BIS_02_0, keys->bis_key[2] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(KS_BIS_02_1, keys->bis_key[2] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_02_CRYPT, keys->bis_key[2] + 0x00, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_02_TWEAK, keys->bis_key[2] + 0x10, AES_128_KEY_SIZE);
 
     if (!emummc_storage_set_mmc_partition(EMMC_GPP)) {
         EPRINTF("Unable to set partition.");
@@ -693,13 +709,16 @@ static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
         EPRINTF("Unable to get SD seed.");
     }
 
-    bool res = _derive_titlekeys(keys, titlekey_buffer, is_dev);
+    bool res = _decrypt_ssl_rsa_key(keys, titlekey_buffer);
+    if (!res) {
+        EPRINTF("Unable to derive SSL key.");
+    }
+
+    res = _derive_titlekeys(keys, titlekey_buffer, is_dev);
     if (!res) {
         EPRINTF("Unable to derive titlekeys.");
     }
 
-    _derive_personalized_ssl_key(keys, titlekey_buffer);
-
     f_mount(NULL, "bis:", 1);
     nx_emmc_gpt_free(&gpt);
 
@@ -1194,7 +1213,7 @@ static void _generate_aes_kek(u32 ks, key_derivation_ctx_t *keys, void *out_kek,
     if (generation)
         generation--;
 
-    u8 static_source[AES_128_KEY_SIZE];
+    u8 static_source[AES_128_KEY_SIZE] __attribute__((aligned(4)));
     for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
         static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i];
 
@@ -1250,7 +1269,7 @@ static void _get_secure_data(key_derivation_ctx_t *keys, void *out_data) {
 // Equivalent to spl::GenerateSpecificAesKey
 static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation) {
     if (fuse_read_bootrom_rev() >= 0x7F) {
-        _get_device_key(ks, keys, keys->temp_key, generation - 1);
+        _get_device_key(ks, keys, keys->temp_key, generation == 0 ? 0 : generation - 1);
         se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE);
         se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source);
         se_aes_crypt_ecb(ks, DECRYPT, out_key, AES_128_KEY_SIZE * 2, key_source, AES_128_KEY_SIZE * 2);
@@ -1278,114 +1297,12 @@ static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device
     se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source);
 }
 
-// The following ghash implementation is from Atmosphère's original exosphere implementation
-
-/* Shifts right a little endian 128-bit value. */
-static void _shr_128(uint64_t *val) {
-    val[0] >>= 1;
-    val[0] |= (val[1] & 1) << 63;
-    val[1] >>= 1;
-}
-
-/* Shifts left a little endian 128-bit value. */
-static void _shl_128(uint64_t *val) {
-    val[1] <<= 1;
-    val[1] |= (val[0] & (1ull << 63)) >> 63;
-    val[0] <<= 1;
-}
-
-/* Multiplies two 128-bit numbers X,Y in the GF(128) Galois Field. */
-static void _gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) {
-    uint8_t x_work[0x10];
-    uint8_t y_work[0x10];
-    uint8_t dst_work[0x10];
-
-    uint64_t *p_x = (uint64_t *)(&x_work[0]);
-    uint64_t *p_y = (uint64_t *)(&y_work[0]);
-    uint64_t *p_dst = (uint64_t *)(&dst_work[0]);
-
-    /* Initialize buffers. */
-    for (unsigned int i = 0; i < 0x10; i++) {
-        x_work[i] = x[0xF-i];
-        y_work[i] = y[0xF-i];
-        dst_work[i] = 0;
-    }
-
-    /* Perform operation for each bit in y. */
-    for (unsigned int round = 0; round < 0x80; round++) {
-        p_dst[0] ^= p_x[0] * ((y_work[0xF] & 0x80) >> 7);
-        p_dst[1] ^= p_x[1] * ((y_work[0xF] & 0x80) >> 7);
-        _shl_128(p_y);
-        uint8_t xval = 0xE1 * (x_work[0] & 1);
-        _shr_128(p_x);
-        x_work[0xF] ^= xval;
-    }
-
-    for (unsigned int i = 0; i < 0x10; i++) {
-        dst[i] = dst_work[0xF-i];
-    }
-}
-
-static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt) {
-    uint8_t x[0x10] = {0};
-    uint8_t h[0x10];
-
-    uint64_t *p_x = (uint64_t *)(&x[0]);
-    uint64_t *p_data = (uint64_t *)src;
-
-    /* H = aes_ecb_encrypt(zeroes) */
-    se_aes_crypt_block_ecb(ks, ENCRYPT, h, x);
-
-    u64 total_size = src_size;
-
-    while (src_size >= 0x10) {
-        /* X = (X ^ current_block) * H */
-        p_x[0] ^= p_data[0];
-        p_x[1] ^= p_data[1];
-        _gf128_mul(x, x, h);
-
-        /* Increment p_data by 0x10 bytes. */
-        p_data += 2;
-        src_size -= 0x10;
-    }
-
-    /* Nintendo's code *discards all data in the last block* if unaligned. */
-    /* And treats that block as though it were all-zero. */
-    /* This is a bug, they just forget to XOR with the copy of the last block they save. */
-    if (src_size & 0xF) {
-        _gf128_mul(x, x, h);
-    }
-
-    uint64_t xor_size = total_size << 3;
-    xor_size = __builtin_bswap64(xor_size);
-
-    /* Due to a Nintendo bug, the wrong QWORD gets XOR'd in the "final output block" case. */
-    if (encrypt) {
-        p_x[0] ^= xor_size;
-    } else {
-        p_x[1] ^= xor_size;
-    }
-
-    _gf128_mul(x, x, h);
-
-    /* If final output block, XOR with encrypted J block. */
-    if (encrypt) {
-        se_aes_crypt_block_ecb(ks, ENCRYPT, h, j_block);
-        for (unsigned int i = 0; i < 0x10; i++) {
-            x[i] ^= h[i];
-        }
-    }
-    /* Copy output. */
-    memcpy(dst, x, 0x10);
-}
-
 static bool _test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) {
-    u8  plaintext[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0},
-        ciphertext[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0},
-        work[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0};
+    u32 plaintext[RSA_2048_KEY_SIZE / 4] = {0},
+        ciphertext[RSA_2048_KEY_SIZE / 4] = {0},
+        work[RSA_2048_KEY_SIZE / 4] = {0};
 
-    // 0xCAFEBABE
-    plaintext[0xfc] = 0xca; plaintext[0xfd] = 0xfe; plaintext[0xfe] = 0xba; plaintext[0xff] = 0xbe;
+    plaintext[63] = 0xCAFEBABE;
 
     se_rsa_key_set(0, modulus, RSA_2048_KEY_SIZE, private_exponent, RSA_2048_KEY_SIZE);
     se_rsa_exp_mod(0, ciphertext, RSA_2048_KEY_SIZE, plaintext, RSA_2048_KEY_SIZE);
@@ -1393,5 +1310,5 @@ static bool _test_rsa_keypair(const void *public_exponent, const void *private_e
     se_rsa_key_set(0, modulus, RSA_2048_KEY_SIZE, public_exponent, 4);
     se_rsa_exp_mod(0, work, RSA_2048_KEY_SIZE, ciphertext, RSA_2048_KEY_SIZE);
 
-    return !memcmp(plaintext, work, RSA_2048_KEY_SIZE);
+    return memcmp(plaintext, work, RSA_2048_KEY_SIZE) == 0;
 }
diff --git a/source/keys/keys.h b/source/keys/keys.h
index 6850e07..bb1b5af 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -27,12 +27,12 @@
 #define RSA_PUBLIC_EXPONENT 65537
 
 // Lockpick_RCM keyslots
-#define KS_BIS_00_0 0
-#define KS_BIS_00_1 1
-#define KS_BIS_01_0 2
-#define KS_BIS_01_1 3
-#define KS_BIS_02_0 4
-#define KS_BIS_02_1 5
+#define KS_BIS_00_CRYPT 0
+#define KS_BIS_00_TWEAK 1
+#define KS_BIS_01_CRYPT 2
+#define KS_BIS_01_TWEAK 3
+#define KS_BIS_02_CRYPT 4
+#define KS_BIS_02_TWEAK 5
 #define KS_AES_CTR  6
 #define KS_AES_ECB  8
 #define KS_AES_CMAC 10
@@ -148,7 +148,8 @@ typedef enum {
 #define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
 #define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
 
-#define SSL_RSA_KEY_SIZE (RSA_2048_KEY_SIZE + AES_128_KEY_SIZE)
+#define SSL_RSA_KEY_SIZE         (RSA_2048_KEY_SIZE + AES_128_KEY_SIZE)
+#define ETICKET_RSA_KEYPAIR_SIZE (RSA_2048_KEY_SIZE * 2 + AES_128_KEY_SIZE * 2)
 
 typedef struct {
     u8  temp_key[AES_128_KEY_SIZE],

From cc4f8bf1f66e926329384f198f43781faba265e0 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Mon, 31 Oct 2022 21:46:38 -0700
Subject: [PATCH 12/21] keys: Move more logic out of keys.c

---
 bdk/utils/util.c            |  14 ++
 bdk/utils/util.h            |   2 +
 source/keys/cal0_read.c     |  96 +++++++++
 source/keys/cal0_read.h     |  27 +++
 source/keys/crypto.c        | 146 +++++++++++++
 source/keys/crypto.h        | 223 +++++++++++++++++++
 source/keys/gmac.c          |   2 +-
 source/keys/gmac.h          |   2 +-
 source/keys/key_sources.inl |  72 -------
 source/keys/keys.c          | 411 +++++++++---------------------------
 source/keys/keys.h          | 111 +---------
 11 files changed, 615 insertions(+), 491 deletions(-)
 create mode 100644 source/keys/cal0_read.c
 create mode 100644 source/keys/cal0_read.h
 create mode 100644 source/keys/crypto.c
 create mode 100644 source/keys/crypto.h

diff --git a/bdk/utils/util.c b/bdk/utils/util.c
index bf30929..e05c2bc 100644
--- a/bdk/utils/util.c
+++ b/bdk/utils/util.c
@@ -230,3 +230,17 @@ void power_set_state_ex(void *param)
 	power_state_t *state = (power_state_t *)param;
 	power_set_state(*state);
 }
+
+u32 read_le_u32(const void *buffer, u32 offset) {
+	return	(*(u8*)(buffer + offset + 0)        ) |
+			(*(u8*)(buffer + offset + 1) << 0x08) |
+			(*(u8*)(buffer + offset + 2) << 0x10) |
+			(*(u8*)(buffer + offset + 3) << 0x18);
+}
+
+u32 read_be_u32(const void *buffer, u32 offset) {
+	return	(*(u8*)(buffer + offset + 3)        ) |
+			(*(u8*)(buffer + offset + 2) << 0x08) |
+			(*(u8*)(buffer + offset + 1) << 0x10) |
+			(*(u8*)(buffer + offset + 0) << 0x18);
+}
diff --git a/bdk/utils/util.h b/bdk/utils/util.h
index 972a906..df929bc 100644
--- a/bdk/utils/util.h
+++ b/bdk/utils/util.h
@@ -96,5 +96,7 @@ void panic(u32 val);
 void power_set_state(power_state_t state);
 void power_set_state_ex(void *param);
 
+u32 read_le_u32(const void *buffer, u32 offset);
+u32 read_be_u32(const void *buffer, u32 offset);
 
 #endif
diff --git a/source/keys/cal0_read.c b/source/keys/cal0_read.c
new file mode 100644
index 0000000..9b0c4fd
--- /dev/null
+++ b/source/keys/cal0_read.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "cal0_read.h"
+
+#include <gfx_utils.h>
+#include <sec/se.h>
+#include <sec/se_t210.h>
+#include "../storage/emummc.h"
+#include "../storage/nx_emmc.h"
+#include <utils/util.h>
+
+bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer) {
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer;
+
+    // Check if CAL0 was already read into this buffer
+    if (cal0->magic == MAGIC_CAL0) {
+        return true;
+    }
+
+    if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) {
+        EPRINTF("Unable to read PRODINFO.");
+        return false;
+    }
+
+    se_aes_xts_crypt(tweak_ks, crypt_ks, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE);
+
+    if (cal0->magic != MAGIC_CAL0) {
+        EPRINTF("Invalid CAL0 magic. Check BIS key 0.");
+        return false;
+    }
+
+    return true;
+}
+
+bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
+    const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key);
+    const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39);
+    const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key);
+    const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad18);
+
+    if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, ext_key_crc_size)) {
+        *out_key = cal0->ext_ssl_key;
+        *out_key_size = ext_key_size;
+        *out_iv = cal0->ext_ssl_key_iv;
+        // Settings sysmodule manually zeroes this out below cal version 9
+        *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver;
+    } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) {
+        *out_key = cal0->ssl_key;
+        *out_key_size = key_size;
+        *out_iv = cal0->ssl_key_iv;
+        *out_generation = 0;
+    } else {
+        EPRINTF("Crc16 error reading device key.");
+        return false;
+    }
+    return true;
+}
+
+
+bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
+    const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key);
+    const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38);
+    const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key);
+    const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad21);
+
+    if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) {
+        *out_key = cal0->ext_ecc_rsa2048_eticket_key;
+        *out_key_size = ext_key_size;
+        *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv;
+        // Settings sysmodule manually zeroes this out below cal version 9
+        *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver;
+    } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) {
+        *out_key = cal0->rsa2048_eticket_key;
+        *out_key_size = key_size;
+        *out_iv = cal0->rsa2048_eticket_key_iv;
+        *out_generation = 0;
+    } else {
+        EPRINTF("Crc16 error reading device key.");
+        return false;
+    }
+    return true;
+}
diff --git a/source/keys/cal0_read.h b/source/keys/cal0_read.h
new file mode 100644
index 0000000..2ab1ae1
--- /dev/null
+++ b/source/keys/cal0_read.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _CAL0_READ_H_
+#define _CAL0_READ_H_
+
+#include "../storage/nx_emmc_bis.h"
+#include <utils/types.h>
+
+bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer);
+bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation);
+bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation);
+
+#endif
diff --git a/source/keys/crypto.c b/source/keys/crypto.c
new file mode 100644
index 0000000..cd5afd0
--- /dev/null
+++ b/source/keys/crypto.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto.h"
+
+#include "../config.h"
+#include "../hos/hos.h"
+#include <sec/se.h>
+#include <sec/se_t210.h>
+#include <soc/fuse.h>
+#include <utils/util.h>
+
+#include <string.h>
+
+extern hekate_config h_cfg;
+
+bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) {
+    u32 plaintext[SE_RSA2048_DIGEST_SIZE / 4] = {0},
+        ciphertext[SE_RSA2048_DIGEST_SIZE / 4] = {0},
+        work[SE_RSA2048_DIGEST_SIZE / 4] = {0};
+
+    plaintext[63] = 0xCAFEBABE;
+
+    se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, private_exponent, SE_RSA2048_DIGEST_SIZE);
+    se_rsa_exp_mod(0, ciphertext, SE_RSA2048_DIGEST_SIZE, plaintext, SE_RSA2048_DIGEST_SIZE);
+
+    se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, public_exponent, 4);
+    se_rsa_exp_mod(0, work, SE_RSA2048_DIGEST_SIZE, ciphertext, SE_RSA2048_DIGEST_SIZE);
+
+    return memcmp(plaintext, work, SE_RSA2048_DIGEST_SIZE) == 0;
+}
+
+bool test_eticket_rsa_keypair(const rsa_keypair_t *keypair) {
+    // Unlike the SSL RSA key, we don't need to check the gmac - we can just verify the public exponent
+    // and test the keypair since we have the modulus
+    if ((read_be_u32(keypair->public_exponent, 0) != RSA_PUBLIC_EXPONENT) ||
+        (!test_rsa_keypair(keypair->public_exponent, keypair->private_exponent, keypair->modulus))) {
+        return false;
+    }
+    return true;
+}
+
+// Equivalent to spl::GenerateAesKek
+void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) {
+    bool device_unique = GET_IS_DEVICE_UNIQUE(option);
+    u32 seal_key_index = GET_SEAL_KEY_INDEX(option);
+
+    if (generation)
+        generation--;
+
+    u8 static_source[SE_KEY_128_SIZE] __attribute__((aligned(4)));
+    for (u32 i = 0; i < SE_KEY_128_SIZE; i++)
+        static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i];
+
+    if (device_unique) {
+        get_device_key(ks, keys, keys->temp_key, generation);
+    } else {
+        memcpy(keys->temp_key, keys->master_key[generation], sizeof(keys->temp_key));
+    }
+    se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE);
+    se_aes_unwrap_key(ks, ks, static_source);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_kek, kek_source);
+}
+
+// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key
+void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
+    se_aes_key_set(ks, access_key, SE_KEY_128_SIZE);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_key, key_source);
+}
+
+// Equivalent to spl::GenerateAesKey
+void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) {
+    void *aes_key = keys->temp_key;
+    load_aes_key(ks, aes_key, access_key, aes_key_generation_source);
+    se_aes_key_set(ks, aes_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size);
+}
+
+// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing
+void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
+    load_aes_key(ks, out_key, access_key, key_source);
+}
+
+// Equivalent to spl::DecryptAesKey.
+void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) {
+    void *access_key = keys->temp_key;
+    generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option);
+    generate_aes_key(ks, keys, out_key, SE_KEY_128_SIZE, access_key, key_source);
+}
+
+// Equivalent to smc::GetSecureData
+void get_secure_data(key_storage_t *keys, void *out_data) {
+    se_aes_key_set(KS_AES_CTR, keys->device_key, SE_KEY_128_SIZE);
+    u8 *d = (u8 *)out_data;
+    se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 0, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]);
+    se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 1, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]);
+
+    // Apply tweak
+    for (u32 i = 0; i < SE_KEY_128_SIZE; i++) {
+        d[SE_KEY_128_SIZE + i] ^= secure_data_tweaks[0][i];
+    }
+}
+
+// Equivalent to spl::GenerateSpecificAesKey
+void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation) {
+    if (fuse_read_bootrom_rev() >= 0x7F) {
+        get_device_key(ks, keys, keys->temp_key, generation == 0 ? 0 : generation - 1);
+        se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE);
+        se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source);
+        se_aes_crypt_ecb(ks, DECRYPT, out_key, SE_KEY_128_SIZE * 2, key_source, SE_KEY_128_SIZE * 2);
+    } else {
+        get_secure_data(keys, out_key);
+    }
+}
+
+void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation) {
+    if (generation == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) {
+        memcpy(out_device_key, keys->device_key, SE_KEY_128_SIZE);
+        return;
+    }
+
+    if (generation >= KB_FIRMWARE_VERSION_400) {
+        generation -= KB_FIRMWARE_VERSION_400;
+    } else {
+        generation = 0;
+    }
+    u32 temp_key_source[SE_KEY_128_SIZE / 4] = {0};
+    load_aes_key(ks, temp_key_source, keys->device_key_4x, device_master_key_source_sources[generation]);
+    const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[generation] : device_master_kek_sources_dev[generation];
+    se_aes_key_set(ks, keys->master_key[0], SE_KEY_128_SIZE);
+    se_aes_unwrap_key(ks, ks, kek_source);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source);
+}
diff --git a/source/keys/crypto.h b/source/keys/crypto.h
new file mode 100644
index 0000000..4e1d0d7
--- /dev/null
+++ b/source/keys/crypto.h
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _CRYPTO_H_
+#define _CRYPTO_H_
+
+#include "../hos/hos.h"
+#include <sec/se_t210.h>
+#include <utils/types.h>
+
+static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
+    0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
+
+static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = {
+    0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8};
+
+static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = {
+    0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E};
+
+static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
+    {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0  Device Master Kek Source. */
+    {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0  Device Master Kek Source. */
+    {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0  Device Master Kek Source. */
+    {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0  Device Master Kek Source. */
+    {0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0  Device Master Kek Source. */
+    {0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0  Device Master Kek Source. */
+    {0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0  Device Master Kek Source. */
+    {0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0  Device Master Kek Source. */
+    {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */
+    {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */
+    {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */
+    {0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */
+}; //!TODO: Update on mkey changes.
+
+static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
+    {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0  Device Master Kek Source. */
+    {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0  Device Master Kek Source. */
+    {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0  Device Master Kek Source. */
+    {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0  Device Master Kek Source. */
+    {0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0  Device Master Kek Source. */
+    {0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0  Device Master Kek Source. */
+    {0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0  Device Master Kek Source. */
+    {0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0  Device Master Kek Source. */
+    {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */
+    {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */
+    {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */
+    {0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */
+}; //!TODO: Update on mkey changes.
+
+static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
+    {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0  Device Master Key Source Source. */
+    {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0  Device Master Key Source Source. */
+    {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0  Device Master Key Source Source. */
+    {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0  Device Master Key Source Source. */
+    {0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0  Device Master Key Source Source. */
+    {0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0  Device Master Key Source Source. */
+    {0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0  Device Master Key Source Source. */
+    {0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0  Device Master Key Source Source. */
+    {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */
+    {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */
+    {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ 
+    {0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */
+}; //!TODO: Update on mkey changes.
+
+static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = {
+    {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // SealKey_LoadAesKey
+    {0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}, // SealKey_DecryptDeviceUniqueData
+    {0x57, 0xE2, 0xD9, 0x45, 0xE4, 0x92, 0xF4, 0xFD, 0xC3, 0xF9, 0x86, 0x38, 0x89, 0x78, 0x9F, 0x3C}, // SealKey_ImportLotusKey
+    {0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}, // SealKey_ImportEsDeviceKey
+    {0x59, 0xD9, 0x31, 0xF4, 0xA7, 0x97, 0xB8, 0x14, 0x40, 0xD6, 0xA2, 0x60, 0x2B, 0xED, 0x15, 0x31}, // SealKey_ReencryptDeviceUniqueData
+    {0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75}, // SealKey_ImportSslKey
+    {0x89, 0x96, 0x43, 0x9A, 0x7C, 0xD5, 0x59, 0x55, 0x24, 0xD5, 0x24, 0x18, 0xAB, 0x6C, 0x04, 0x61}, // SealKey_ImportEsClientCertKey
+};
+
+static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = {
+    0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95};
+
+static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+
+static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = {
+    {0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9}
+};
+
+static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
+    {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E}
+};
+
+// Lockpick_RCM keyslots
+#define KS_BIS_00_CRYPT 0
+#define KS_BIS_00_TWEAK 1
+#define KS_BIS_01_CRYPT 2
+#define KS_BIS_01_TWEAK 3
+#define KS_BIS_02_CRYPT 4
+#define KS_BIS_02_TWEAK 5
+#define KS_AES_CTR  6
+#define KS_AES_ECB  8
+#define KS_AES_CMAC 10
+
+// Mariko keyslots
+#define KS_MARIKO_KEK 12
+#define KS_MARIKO_BEK 13
+
+// Other Switch keyslots
+#define KS_TSEC        12
+#define KS_SECURE_BOOT 14
+
+// Atmosphere keygen keyslots
+#define KS_TSEC_ROOT_DEV 11
+#define KS_TSEC_ROOT     13
+
+#define RSA_PUBLIC_EXPONENT 65537
+
+#define SSL_RSA_KEY_SIZE         (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE)
+#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE)
+
+typedef struct {
+    u8 private_exponent[SE_RSA2048_DIGEST_SIZE];
+    u8 modulus[SE_RSA2048_DIGEST_SIZE];
+    u8 public_exponent[4];
+    u8 reserved[0xC];
+} rsa_keypair_t;
+
+typedef struct {
+    u8 master_kek[SE_KEY_128_SIZE];
+    u8 data[0x70];
+    u8 package1_key[SE_KEY_128_SIZE];
+} keyblob_t;
+
+typedef struct {
+    u8 cmac[0x10];
+    u8 iv[0x10];
+    keyblob_t key_data;
+    u8 unused[0x150];
+} encrypted_keyblob_t;
+
+typedef struct {
+    u8  temp_key[SE_KEY_128_SIZE],
+        bis_key[4][SE_KEY_128_SIZE * 2],
+        device_key[SE_KEY_128_SIZE],
+        device_key_4x[SE_KEY_128_SIZE],
+        sd_seed[SE_KEY_128_SIZE],
+        // FS-related keys
+        header_key[SE_KEY_128_SIZE * 2],
+        save_mac_key[SE_KEY_128_SIZE],
+        // other sysmodule keys
+        eticket_rsa_kek[SE_KEY_128_SIZE],
+        eticket_rsa_kek_personalized[SE_KEY_128_SIZE],
+        ssl_rsa_kek[SE_KEY_128_SIZE],
+        ssl_rsa_kek_legacy[SE_KEY_128_SIZE],
+        ssl_rsa_kek_personalized[SE_KEY_128_SIZE],
+        ssl_rsa_key[SE_RSA2048_DIGEST_SIZE + 0x20],
+        // keyblob-derived families
+        keyblob_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
+        keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
+        package1_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
+        // master key-derived families
+        key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        master_kek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        master_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        package2_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        titlekek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        tsec_key[SE_KEY_128_SIZE],
+        tsec_root_key[SE_KEY_128_SIZE];
+    u32 sbk[4];
+    keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
+    rsa_keypair_t eticket_rsa_keypair;
+} key_storage_t;
+
+typedef enum {
+    SEAL_KEY_LOAD_AES_KEY = 0,
+    SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA = 1,
+    SEAL_KEY_IMPORT_LOTUS_KEY = 2,
+    SEAL_KEY_IMPORT_ES_DEVICE_KEY = 3,
+    SEAL_KEY_REENCRYPT_DEVICE_UNIQUE_DATA = 4,
+    SEAL_KEY_IMPORT_SSL_KEY = 5,
+    SEAL_KEY_IMPORT_ES_CLIENT_CERT_KEY = 6,
+} seal_key_t;
+
+typedef enum {
+    NOT_DEVICE_UNIQUE = 0,
+    IS_DEVICE_UNIQUE = 1,
+} device_unique_t;
+
+#define SET_SEAL_KEY_INDEX(x) (((x) & 7) << 5)
+#define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
+#define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
+
+bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus);
+bool test_eticket_rsa_keypair(const rsa_keypair_t *keypair);
+
+// Equivalent to spl::GenerateAesKek
+void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option);
+// Equivalent to spl::GenerateAesKey
+void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source);
+// Equivalent to spl::GenerateSpecificAesKey
+void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation);
+// Equivalent to spl::DecryptAesKey.
+void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option);
+// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key
+void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
+
+// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing
+void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
+// Equivalent to smc::GetSecureData
+void get_secure_data(key_storage_t *keys, void *out_data);
+// Equivalent to smc::PrepareDeviceMasterKey
+void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation);
+
+#endif
diff --git a/source/keys/gmac.c b/source/keys/gmac.c
index 0749411..f8aea77 100644
--- a/source/keys/gmac.c
+++ b/source/keys/gmac.c
@@ -122,7 +122,7 @@ static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void
     memcpy(dst, x, 0x10);
 }
 
-void _calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv) {
+void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv) {
     u32 j_block[4] = {0};
     se_aes_key_set(ks, key, 0x10);
     _ghash(ks, j_block, iv, 0x10, NULL, false);
diff --git a/source/keys/gmac.h b/source/keys/gmac.h
index b97b4af..98b7bdc 100644
--- a/source/keys/gmac.h
+++ b/source/keys/gmac.h
@@ -19,6 +19,6 @@
 
 #include <utils/types.h>
 
-void _calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv);
+void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv);
 
 #endif
diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index a11ba7a..5d049f7 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -98,31 +98,10 @@ static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
 
 //======================================Keys======================================//
 // from Package1 -> Secure_Monitor
-static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
-    0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
-static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = {
-    {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // SealKey_LoadAesKey
-    {0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}, // SealKey_DecryptDeviceUniqueData
-    {0x57, 0xE2, 0xD9, 0x45, 0xE4, 0x92, 0xF4, 0xFD, 0xC3, 0xF9, 0x86, 0x38, 0x89, 0x78, 0x9F, 0x3C}, // SealKey_ImportLotusKey
-    {0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}, // SealKey_ImportEsDeviceKey
-    {0x59, 0xD9, 0x31, 0xF4, 0xA7, 0x97, 0xB8, 0x14, 0x40, 0xD6, 0xA2, 0x60, 0x2B, 0xED, 0x15, 0x31}, // SealKey_ReencryptDeviceUniqueData
-    {0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75}, // SealKey_ImportSslKey
-    {0x89, 0x96, 0x43, 0x9A, 0x7C, 0xD5, 0x59, 0x55, 0x24, 0xD5, 0x24, 0x18, 0xAB, 0x6C, 0x04, 0x61}, // SealKey_ImportEsClientCertKey
-};
 static const u8 package2_key_source[0x10] __attribute__((aligned(4))) = {
     0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7};
 static const u8 titlekek_source[0x10] __attribute__((aligned(4))) = {
     0x1E, 0xDC, 0x7B, 0x3B, 0x60, 0xE6, 0xB4, 0xD8, 0x78, 0xB8, 0x17, 0x15, 0x98, 0x5E, 0x62, 0x9B};
-static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = {
-    0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95};
-static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = {
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
-static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = {
-    {0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9}
-};
-static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
-    {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E}
-};
 
 // from Package1ldr (or Secure_Monitor on 6.2.0+)
 static const u8 keyblob_mac_key_source[0x10] __attribute__((aligned(4))) = {
@@ -158,21 +137,6 @@ static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW
     {0x18, 0xA5, 0x6F, 0xEF, 0x72, 0x11, 0x62, 0xC5, 0x1A, 0x14, 0xF1, 0x8C, 0x21, 0x83, 0x27, 0xB7}, // 15.0.0.
 }; //!TODO: Update on mkey changes.
 
-static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
-    {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0  Device Master Key Source Source. */
-    {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0  Device Master Key Source Source. */
-    {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0  Device Master Key Source Source. */
-    {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0  Device Master Key Source Source. */
-    {0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0  Device Master Key Source Source. */
-    {0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0  Device Master Key Source Source. */
-    {0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0  Device Master Key Source Source. */
-    {0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0  Device Master Key Source Source. */
-    {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */
-    {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */
-    {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ 
-    {0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */
-}; //!TODO: Update on mkey changes.
-
 // from ES
 static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
     0XDB, 0XA4, 0X51, 0X12, 0X4C, 0XA0, 0XA9, 0X83, 0X68, 0X14, 0XF5, 0XED, 0X95, 0XE3, 0X12, 0X5B};
@@ -197,42 +161,6 @@ static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = {
 static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = {
     0x4D, 0x92, 0x5A, 0x69, 0x42, 0x23, 0xBB, 0x92, 0x59, 0x16, 0x3E, 0x51, 0x8C, 0x78, 0x14, 0x0F};
 
-static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
-    {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0  Device Master Kek Source. */
-    {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0  Device Master Kek Source. */
-    {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0  Device Master Kek Source. */
-    {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0  Device Master Kek Source. */
-    {0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0  Device Master Kek Source. */
-    {0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0  Device Master Kek Source. */
-    {0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0  Device Master Kek Source. */
-    {0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0  Device Master Kek Source. */
-    {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */
-    {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */
-    {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */
-    {0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */
-}; //!TODO: Update on mkey changes.
-
-static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
-    {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0  Device Master Kek Source. */
-    {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0  Device Master Kek Source. */
-    {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0  Device Master Kek Source. */
-    {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0  Device Master Kek Source. */
-    {0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0  Device Master Kek Source. */
-    {0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0  Device Master Kek Source. */
-    {0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0  Device Master Kek Source. */
-    {0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0  Device Master Kek Source. */
-    {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */
-    {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */
-    {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */
-    {0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */
-}; //!TODO: Update on mkey changes.
-
-// from SPL
-static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = {
-    0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8};
-static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = {
-    0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E};
-
 // from FS
 static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = {
     0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 414a320..a53061e 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -16,6 +16,7 @@
 
 #include "keys.h"
 
+#include "cal0_read.h"
 #include "gmac.h"
 
 #include "../../keygen/tsec_keygen.h"
@@ -58,46 +59,23 @@ static u32 _key_count = 0, _titlekey_count = 0;
 static u32 start_time, end_time;
 u32 color_idx = 0;
 
-static ALWAYS_INLINE u32 _read_le_u32(const void *buffer, u32 offset) {
-    return (*(u8*)(buffer + offset + 0)        ) |
-           (*(u8*)(buffer + offset + 1) << 0x08) |
-           (*(u8*)(buffer + offset + 2) << 0x10) |
-           (*(u8*)(buffer + offset + 3) << 0x18);
-}
-
-static ALWAYS_INLINE u32 _read_be_u32(const void *buffer, u32 offset) {
-    return (*(u8*)(buffer + offset + 3)        ) |
-           (*(u8*)(buffer + offset + 2) << 0x08) |
-           (*(u8*)(buffer + offset + 1) << 0x10) |
-           (*(u8*)(buffer + offset + 0) << 0x18);
-}
-
 // key functions
 static int  _key_exists(const void *data) { return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0; };
 static void _save_key(const char *name, const void *data, u32 len, char *outbuf);
 static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf);
-static void _generate_aes_kek(u32 ks, key_derivation_ctx_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option);
-static void _generate_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source);
-static void _load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
-static void _get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
-static void _decrypt_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation, u32 option);
-static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation);
-static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 generation);
-// titlekey functions
-static bool _test_rsa_keypair(const void *E, const void *D, const void *N);
 
-static void _derive_master_key_mariko(key_derivation_ctx_t *keys, bool is_dev) {
+static void _derive_master_key_mariko(key_storage_t *keys, bool is_dev) {
     // Relies on the SBK being properly set in slot 14
     se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
     // Derive all master keys based on Mariko KEK
     for (u32 i = KB_FIRMWARE_VERSION_600; i < ARRAY_SIZE(mariko_master_kek_sources) + KB_FIRMWARE_VERSION_600; i++) {
         // Relies on the Mariko KEK being properly set in slot 12
         se_aes_crypt_block_ecb(KS_MARIKO_KEK, DECRYPT, keys->master_kek[i], is_dev ? &mariko_master_kek_sources_dev[i - KB_FIRMWARE_VERSION_600] : &mariko_master_kek_sources[i - KB_FIRMWARE_VERSION_600]);
-        _load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
+        load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
     }
 }
 
-static int _run_ams_keygen(key_derivation_ctx_t *keys) {
+static int _run_ams_keygen(key_storage_t *keys) {
     tsec_ctxt_t tsec_ctxt;
     tsec_ctxt.fw = tsec_keygen;
     tsec_ctxt.size = sizeof(tsec_keygen);
@@ -115,21 +93,21 @@ static int _run_ams_keygen(key_derivation_ctx_t *keys) {
     return 0;
 }
 
-static void _derive_master_keys_from_latest_key(key_derivation_ctx_t *keys, bool is_dev) {
+static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev) {
     if (!h_cfg.t210b01) {
         u32 tsec_root_key_slot = is_dev ? 11 : 13;
         // Derive all master keys based on current root key
         for (u32 i = KB_FIRMWARE_VERSION_810 - KB_FIRMWARE_VERSION_620; i < ARRAY_SIZE(master_kek_sources); i++) {
             se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_kek_sources[i]);
-            _load_aes_key(KS_AES_ECB, keys->master_key[i + KB_FIRMWARE_VERSION_620], keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_key_source);
+            load_aes_key(KS_AES_ECB, keys->master_key[i + KB_FIRMWARE_VERSION_620], keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_key_source);
         }
     }
 
     // Derive all lower master keys
     for (u32 i = KB_FIRMWARE_VERSION_MAX; i > 0; i--) {
-        _load_aes_key(KS_AES_ECB, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]);
+        load_aes_key(KS_AES_ECB, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]);
     }
-    _load_aes_key(KS_AES_ECB, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]);
+    load_aes_key(KS_AES_ECB, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]);
 
     if (_key_exists(keys->temp_key)) {
         EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod");
@@ -137,15 +115,15 @@ static void _derive_master_keys_from_latest_key(key_derivation_ctx_t *keys, bool
     }
 }
 
-static void _derive_keyblob_keys(key_derivation_ctx_t *keys) {
+static void _derive_keyblob_keys(key_storage_t *keys) {
     u8 *keyblob_block = (u8 *)calloc(KB_FIRMWARE_VERSION_600 + 1, NX_EMMC_BLOCKSIZE);
-    u32 keyblob_mac[AES_128_KEY_SIZE / 4] = {0};
+    u32 keyblob_mac[SE_KEY_128_SIZE / 4] = {0};
     bool have_keyblobs = true;
 
     if (FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF) {
         u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
-        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE);
-        memcpy(keys->sbk, aes_keys + 14 * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
+        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
+        memcpy(keys->sbk, aes_keys + 14 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
         free(aes_keys);
     } else {
         keys->sbk[0] = FUSE(FUSE_PRIVATE_KEY0);
@@ -168,7 +146,7 @@ static void _derive_keyblob_keys(key_derivation_ctx_t *keys) {
         minerva_periodic_training();
         se_aes_crypt_block_ecb(KS_TSEC, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]);
         se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]);
-        _load_aes_key(KS_AES_ECB, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source);
+        load_aes_key(KS_AES_ECB, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source);
         if (i == 0) {
             se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key, per_console_key_source);
             se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
@@ -193,50 +171,50 @@ static void _derive_keyblob_keys(key_derivation_ctx_t *keys) {
         memcpy(keys->package1_key[i], keys->keyblob[i].package1_key, sizeof(keys->package1_key[i]));
         memcpy(keys->master_kek[i], keys->keyblob[i].master_kek, sizeof(keys->master_kek[i]));
         if (!_key_exists(keys->master_key[i])) {
-            _load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
+            load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
         }
     }
     free(keyblob_block);
 }
 
-static void _derive_bis_keys(key_derivation_ctx_t *keys) {
+static void _derive_bis_keys(key_storage_t *keys) {
     minerva_periodic_training();
     u32 generation = fuse_read_odm_keygen_rev();
 
     if (!(_key_exists(keys->device_key) || (generation && _key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x)))) {
         return;
     }
-    _generate_specific_aes_key(KS_AES_ECB, keys, &keys->bis_key[0], bis_key_sources[0], generation);
-    u32 access_key[AES_128_KEY_SIZE / 4] = {0};
+    generate_specific_aes_key(KS_AES_ECB, keys, &keys->bis_key[0], bis_key_sources[0], generation);
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
     const u32 option = IS_DEVICE_UNIQUE;
-    _generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option);
-    _generate_aes_key(KS_AES_ECB, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]);
-    _generate_aes_key(KS_AES_ECB, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]);
+    generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option);
+    generate_aes_key(KS_AES_ECB, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]);
+    generate_aes_key(KS_AES_ECB, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]);
     memcpy(keys->bis_key[3], keys->bis_key[2], sizeof(keys->bis_key[3]));
 }
 
-static void _derive_non_unique_keys(key_derivation_ctx_t *keys, bool is_dev) {
+static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) {
     if (_key_exists(keys->master_key[0])) {
         const u32 generation = 0;
         const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
-        _generate_aes_kek(KS_AES_ECB, keys, keys->temp_key, header_kek_source, generation, option);
-        _generate_aes_key(KS_AES_ECB, keys, keys->header_key, sizeof(keys->header_key), keys->temp_key, header_key_source);
+        generate_aes_kek(KS_AES_ECB, keys, keys->temp_key, header_kek_source, generation, option);
+        generate_aes_key(KS_AES_ECB, keys, keys->header_key, sizeof(keys->header_key), keys->temp_key, header_key_source);
     }
 }
 
-static void _derive_rsa_kek(u32 ks, key_derivation_ctx_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
+static void _derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
     void *access_key = keys->temp_key;
-    _generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
-    _get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
+    generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
+    get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
 }
 
-static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) {
+static void _derive_misc_keys(key_storage_t *keys, bool is_dev) {
     if (_key_exists(keys->device_key) || (_key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x))) {
         void *access_key = keys->temp_key;
         const u32 generation = 0;
         const u32 option = IS_DEVICE_UNIQUE;
-        _generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option);
-        _load_aes_key(KS_AES_ECB, keys->save_mac_key, access_key, save_mac_key_source);
+        generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option);
+        load_aes_key(KS_AES_ECB, keys->save_mac_key, access_key, save_mac_key_source);
     }
 
     if (_key_exists(keys->master_key[0])) {
@@ -251,18 +229,18 @@ static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) {
     }
 }
 
-static void _derive_per_generation_keys(key_derivation_ctx_t *keys) {
+static void _derive_per_generation_keys(key_storage_t *keys) {
     for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) {
         if (!_key_exists(keys->master_key[generation]))
             continue;
         for (u32 source_type = 0; source_type < ARRAY_SIZE(key_area_key_sources); source_type++) {
             void *access_key = keys->temp_key;
             const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
-            _generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
-            _load_aes_key(KS_AES_ECB, keys->key_area_key[source_type][generation], access_key, aes_key_generation_source);
+            generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
+            load_aes_key(KS_AES_ECB, keys->key_area_key[source_type][generation], access_key, aes_key_generation_source);
         }
-        _load_aes_key(KS_AES_ECB, keys->package2_key[generation], keys->master_key[generation], package2_key_source);
-        _load_aes_key(KS_AES_ECB, keys->titlekek[generation], keys->master_key[generation], titlekek_source);
+        load_aes_key(KS_AES_ECB, keys->package2_key[generation], keys->master_key[generation], package2_key_source);
+        load_aes_key(KS_AES_ECB, keys->titlekek[generation], keys->master_key[generation], titlekek_source);
     }
 }
 
@@ -402,7 +380,7 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title
     return true;
 }
 
-static bool _derive_sd_seed(key_derivation_ctx_t *keys) {
+static bool _derive_sd_seed(key_storage_t *keys) {
     FIL fp;
     u32 read_bytes = 0;
     char *private_path = malloc(200);
@@ -421,7 +399,7 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) {
         return false;
     }
     // Get sd seed verification vector
-    if (f_read(&fp, keys->temp_key, AES_128_KEY_SIZE, &read_bytes) || read_bytes != AES_128_KEY_SIZE) {
+    if (f_read(&fp, keys->temp_key, SE_KEY_128_SIZE, &read_bytes) || read_bytes != SE_KEY_128_SIZE) {
         EPRINTF("Unable to read SD seed vector. Skipping.");
         f_close(&fp);
         return false;
@@ -451,54 +429,8 @@ static bool _derive_sd_seed(key_derivation_ctx_t *keys) {
     return true;
 }
 
-static bool _read_cal0(void *read_buffer) {
-    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer;
-
-    // Check if CAL0 was already read into this buffer
-    if (cal0->magic == MAGIC_CAL0) {
-        return true;
-    }
-
-    if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) {
-        EPRINTF("Unable to read PRODINFO.");
-        return false;
-    }
-
-    se_aes_xts_crypt(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE);
-
-    if (cal0->magic != MAGIC_CAL0) {
-        EPRINTF("Invalid CAL0 magic. Check BIS key 0.");
-        return false;
-    }
-
-    return true;
-}
-
-static bool _cal0_read_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
-    const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key);
-    const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39);
-    const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key);
-    const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad18);
-
-    if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, ext_key_crc_size)) {
-        *out_key = cal0->ext_ssl_key;
-        *out_key_size = ext_key_size;
-        *out_iv = cal0->ext_ssl_key_iv;
-        // Settings sysmodule manually zeroes this out below cal version 9
-        *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver;
-    } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) {
-        *out_key = cal0->ssl_key;
-        *out_key_size = key_size;
-        *out_iv = cal0->ssl_key_iv;
-        *out_generation = 0;
-    } else {
-        return false;
-    }
-    return true;
-}
-
-static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer) {
-    if (!_read_cal0(titlekey_buffer->read_buffer)) {
+static bool _decrypt_ssl_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer) {
+    if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) {
         return false;
     }
 
@@ -507,18 +439,17 @@ static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *
     const void *encrypted_key = NULL;
     const void *iv = NULL;
     u32 key_size = 0;
-    void *keypair_ctr_key = NULL;
+    void *ctr_key = NULL;
     bool enforce_unique = true;
 
-    if (!_cal0_read_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
-        EPRINTF("Crc16 error reading device key.");
+    if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
         return false;
     }
 
     if (key_size == SSL_RSA_KEY_SIZE) {
         bool all_zero = true;
         const u8 *key8 = (const u8 *)encrypted_key;
-        for (u32 i = RSA_2048_KEY_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
+        for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
             if (key8[i] != 0) {
                 all_zero = false;
                 break;
@@ -526,29 +457,29 @@ static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *
         }
         if (all_zero) {
             // Keys of this form are not encrypted
-            memcpy(keys->ssl_rsa_key, encrypted_key, RSA_2048_KEY_SIZE);
+            memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE);
             return true;
         }
 
         const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
-        keypair_ctr_key = keys->ssl_rsa_kek_legacy;
-        _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
+        ctr_key = keys->ssl_rsa_kek_legacy;
+        _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
         enforce_unique = false;
     } else if (generation) {
         const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
-        keypair_ctr_key = keys->ssl_rsa_kek_personalized;
-        _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
+        ctr_key = keys->ssl_rsa_kek_personalized;
+        _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
     } else {
-        keypair_ctr_key = keys->ssl_rsa_kek;
+        ctr_key = keys->ssl_rsa_kek;
     }
 
     u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
-    se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
     se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv);
 
     if (enforce_unique) {
-        u32 calc_mac[AES_128_KEY_SIZE / 4] = {0};
-        _calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, keypair_ctr_key, iv);
+        u32 calc_mac[SE_KEY_128_SIZE / 4] = {0};
+        calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv);
 
         const u8 *key8 = (const u8 *)encrypted_key;
         if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
@@ -561,41 +492,8 @@ static bool _decrypt_ssl_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *
     return true;
 }
 
-static bool _cal0_read_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
-    const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key);
-    const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38);
-    const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key);
-    const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad21);
-
-    if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) {
-        *out_key = cal0->ext_ecc_rsa2048_eticket_key;
-        *out_key_size = ext_key_size;
-        *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv;
-        // Settings sysmodule manually zeroes this out below cal version 9
-        *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver;
-    } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) {
-        *out_key = cal0->rsa2048_eticket_key;
-        *out_key_size = key_size;
-        *out_iv = cal0->rsa2048_eticket_key_iv;
-        *out_generation = 0;
-    } else {
-        return false;
-    }
-    return true;
-}
-
-static bool _test_eticket_rsa_keypair(const rsa_keypair_t *keypair) {
-    // Unlike the SSL RSA key, we don't need to check the gmac - we can just verify the public exponent
-    // and test the keypair since we have the modulus
-    if ((_read_be_u32(keypair->public_exponent, 0) != RSA_PUBLIC_EXPONENT) ||
-        (!_test_rsa_keypair(keypair->public_exponent, keypair->private_exponent, keypair->modulus))) {
-        return false;
-    }
-    return true;
-}
-
-static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
-    if (!_read_cal0(titlekey_buffer->read_buffer)) {
+static bool _decrypt_eticket_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
+    if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) {
         return false;
     }
 
@@ -604,24 +502,23 @@ static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer
     const void *encrypted_key = NULL;
     const void *iv = NULL;
     u32 key_size = 0;
-    void *keypair_ctr_key = NULL;
+    void *ctr_key = NULL;
 
-    if (!_cal0_read_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
-        EPRINTF("Crc16 error reading device key.");
+    if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
         return false;
     }
 
     // Handle legacy case
     if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
         const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
-        keypair_ctr_key = keys->temp_key;
-        _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option);
+        ctr_key = keys->temp_key;
+        _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option);
 
-        se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
+        se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
         se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
 
-        if (_test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
-            memcpy(keys->eticket_rsa_kek, keypair_ctr_key, sizeof(keys->eticket_rsa_kek));
+        if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
+            memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek));
             return true;
         }
         // Fall through and try usual method if not applicable
@@ -629,17 +526,17 @@ static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer
 
     if (generation) {
         const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
-        keypair_ctr_key = keys->eticket_rsa_kek_personalized;
+        ctr_key = keys->eticket_rsa_kek_personalized;
         const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
-        _derive_rsa_kek(KS_AES_ECB, keys, keypair_ctr_key, eticket_rsa_kekek_source, kek_source, generation, option);
+        _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, eticket_rsa_kekek_source, kek_source, generation, option);
     } else {
-        keypair_ctr_key = keys->eticket_rsa_kek;
+        ctr_key = keys->eticket_rsa_kek;
     }
 
-    se_aes_key_set(KS_AES_CTR, keypair_ctr_key, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
     se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
 
-    if (!_test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
+    if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
         EPRINTF("Invalid eticket keypair.");
         memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
         return false;
@@ -648,7 +545,7 @@ static bool _decrypt_eticket_rsa_key(key_derivation_ctx_t *keys, titlekey_buffer
     return true;
 }
 
-static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
+static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     if (!_key_exists(keys->eticket_rsa_kek)) {
         return false;
     }
@@ -668,17 +565,17 @@ static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *tit
     return true;
 }
 
-static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
+static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     // Set BIS keys.
     // PRODINFO/PRODINFOF
-    se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(KS_BIS_00_TWEAK, keys->bis_key[0] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, SE_KEY_128_SIZE);
+    se_aes_key_set(KS_BIS_00_TWEAK, keys->bis_key[0] + 0x10, SE_KEY_128_SIZE);
     // SAFE
-    se_aes_key_set(KS_BIS_01_CRYPT, keys->bis_key[1] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(KS_BIS_01_TWEAK, keys->bis_key[1] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_01_CRYPT, keys->bis_key[1] + 0x00, SE_KEY_128_SIZE);
+    se_aes_key_set(KS_BIS_01_TWEAK, keys->bis_key[1] + 0x10, SE_KEY_128_SIZE);
     // SYSTEM/USER
-    se_aes_key_set(KS_BIS_02_CRYPT, keys->bis_key[2] + 0x00, AES_128_KEY_SIZE);
-    se_aes_key_set(KS_BIS_02_TWEAK, keys->bis_key[2] + 0x10, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_BIS_02_CRYPT, keys->bis_key[2] + 0x00, SE_KEY_128_SIZE);
+    se_aes_key_set(KS_BIS_02_TWEAK, keys->bis_key[2] + 0x10, SE_KEY_128_SIZE);
 
     if (!emummc_storage_set_mmc_partition(EMMC_GPP)) {
         EPRINTF("Unable to set partition.");
@@ -745,8 +642,8 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
     color_idx = 0;
 
     u32 pos = 0;
-    u32 zeros[AES_128_KEY_SIZE / 4] = {0};
-    u8 *data = malloc(4 * AES_128_KEY_SIZE);
+    u32 zeros[SE_KEY_128_SIZE / 4] = {0};
+    u8 *data = malloc(4 * SE_KEY_128_SIZE);
     char *text_buffer = calloc(1, 0x100 * count);
 
     for (u32 ks = start; ks < start + count; ks++) {
@@ -760,26 +657,26 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
         }
 
         // Encrypt zeros with complete key
-        se_aes_crypt_block_ecb(ks, ENCRYPT, &data[3 * AES_128_KEY_SIZE], zeros);
+        se_aes_crypt_block_ecb(ks, ENCRYPT, &data[3 * SE_KEY_128_SIZE], zeros);
 
         // We only need to overwrite 3 of the dwords of the key
         for (u32 i = 0; i < 3; i++) {
             // Overwrite ith dword of key with zeros
             se_aes_key_partial_set(ks, i, 0);
             // Encrypt zeros with more of the key zeroed out
-            se_aes_crypt_block_ecb(ks, ENCRYPT, &data[(2 - i) * AES_128_KEY_SIZE], zeros);
+            se_aes_crypt_block_ecb(ks, ENCRYPT, &data[(2 - i) * SE_KEY_128_SIZE], zeros);
         }
 
         // Skip saving key if two results are the same indicating unsuccessful overwrite or empty slot
-        if (memcmp(&data[0], &data[SE_KEY_128_SIZE], AES_128_KEY_SIZE) == 0) {
+        if (memcmp(&data[0], &data[SE_KEY_128_SIZE], SE_KEY_128_SIZE) == 0) {
             EPRINTFARGS("Failed to overwrite keyslot %d.", ks);
             continue;
         }
 
         pos += s_printf(&text_buffer[pos], "%d\n", ks);
         for (u32 i = 0; i < 4; i++) {
-            for (u32 j = 0; j < AES_128_KEY_SIZE; j++)
-                pos += s_printf(&text_buffer[pos], "%02x", data[i * AES_128_KEY_SIZE + j]);
+            for (u32 j = 0; j < SE_KEY_128_SIZE; j++)
+                pos += s_printf(&text_buffer[pos], "%02x", data[i * SE_KEY_128_SIZE + j]);
             pos += s_printf(&text_buffer[pos], " ");
         }
         pos += s_printf(&text_buffer[pos], "\n");
@@ -823,7 +720,7 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
     return 0;
 }
 
-static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
+static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     char *text_buffer = NULL;
     if (!sd_mount()) {
         EPRINTF("Unable to mount SD.");
@@ -896,7 +793,7 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
         SAVE_KEY(ssl_rsa_kek_source);
     }
     SAVE_KEY(ssl_rsa_kekek_source);
-    _save_key("ssl_rsa_key", keys->ssl_rsa_key, RSA_2048_KEY_SIZE, text_buffer);
+    _save_key("ssl_rsa_key", keys->ssl_rsa_key, SE_RSA2048_DIGEST_SIZE, text_buffer);
     SAVE_KEY_FAMILY_VAR(titlekek, keys->titlekek, 0);
     SAVE_KEY(titlekek_source);
     SAVE_KEY_VAR(tsec_key, keys->tsec_key);
@@ -904,7 +801,7 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
     const u32 root_key_ver = 2;
     char root_key_name[21] = "tsec_root_key_00";
     s_printf(root_key_name + 14, "%02x", root_key_ver);
-    _save_key(root_key_name, keys->tsec_root_key, AES_128_KEY_SIZE, text_buffer);
+    _save_key(root_key_name, keys->tsec_root_key, SE_KEY_128_SIZE, text_buffer);
 
     gfx_printf("\n%k  Found %d %s keys.\n\n", colors[(color_idx++) % 6], _key_count, is_dev ? "dev" : "prod");
     gfx_printf("%kFound through master_key_%02x.\n\n", colors[(color_idx++) % 6], KB_FIRMWARE_VERSION_MAX);
@@ -929,10 +826,10 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
     titlekey_text_buffer_t *titlekey_text = (titlekey_text_buffer_t *)text_buffer;
 
     for (u32 i = 0; i < _titlekey_count; i++) {
-        for (u32 j = 0; j < AES_128_KEY_SIZE; j++)
+        for (u32 j = 0; j < SE_KEY_128_SIZE; j++)
             s_printf(&titlekey_text[i].rights_id[j * 2], "%02x", titlekey_buffer->rights_ids[i][j]);
         s_printf(titlekey_text[i].equals, " = ");
-        for (u32 j = 0; j < AES_128_KEY_SIZE; j++)
+        for (u32 j = 0; j < SE_KEY_128_SIZE; j++)
             s_printf(&titlekey_text[i].titlekey[j * 2], "%02x", titlekey_buffer->titlekeys[i][j]);
         s_printf(titlekey_text[i].newline, "\n");
     }
@@ -948,16 +845,16 @@ static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titl
 }
 
 static bool _check_keyslot_access() {
-    u8 test_data[AES_128_KEY_SIZE] = {0};
-    const u8 test_ciphertext[AES_128_KEY_SIZE] = {0};
+    u8 test_data[SE_KEY_128_SIZE] = {0};
+    const u8 test_ciphertext[SE_KEY_128_SIZE] = {0};
     se_aes_key_set(KS_AES_ECB, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE);
     se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, test_data, test_ciphertext);
 
     return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0;
 }
 
-static void _derive_master_keys(key_derivation_ctx_t *prod_keys, key_derivation_ctx_t *dev_keys, bool is_dev) {
-    key_derivation_ctx_t *keys = is_dev ? dev_keys : prod_keys;
+static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
+    key_storage_t *keys = is_dev ? dev_keys : prod_keys;
 
     if (h_cfg.t210b01) {
         _derive_master_key_mariko(keys, is_dev);
@@ -970,10 +867,10 @@ static void _derive_master_keys(key_derivation_ctx_t *prod_keys, key_derivation_
         }
 
         u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
-        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE);
-        memcpy(&dev_keys->tsec_root_key,  aes_keys + KS_TSEC_ROOT_DEV * AES_128_KEY_SIZE, AES_128_KEY_SIZE);
-        memcpy(keys->tsec_key,            aes_keys + KS_TSEC * AES_128_KEY_SIZE,          AES_128_KEY_SIZE);
-        memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * AES_128_KEY_SIZE,     AES_128_KEY_SIZE);
+        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
+        memcpy(&dev_keys->tsec_root_key,  aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        memcpy(keys->tsec_key,            aes_keys + KS_TSEC * SE_KEY_128_SIZE,          SE_KEY_128_SIZE);
+        memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE,     SE_KEY_128_SIZE);
         free(aes_keys);
 
         _derive_master_keys_from_latest_key(prod_keys, false);
@@ -1009,8 +906,8 @@ static void _derive_keys() {
 
     bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV;
 
-    key_derivation_ctx_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
-    key_derivation_ctx_t *keys = is_dev ? &dev_keys : &prod_keys;
+    key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
+    key_storage_t *keys = is_dev ? &dev_keys : &prod_keys;
 
     _derive_master_keys(&prod_keys, &dev_keys, is_dev);
 
@@ -1065,8 +962,8 @@ void derive_amiibo_keys() {
 
     bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV;
 
-    key_derivation_ctx_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
-    key_derivation_ctx_t *keys = is_dev ? &dev_keys : &prod_keys;
+    key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
+    key_storage_t *keys = is_dev ? &dev_keys : &prod_keys;
     const u8 *encrypted_keys = is_dev ? encrypted_nfc_keys_dev : encrypted_nfc_keys;
 
     _derive_master_keys(&prod_keys, &dev_keys, is_dev);
@@ -1088,18 +985,18 @@ void derive_amiibo_keys() {
         return;
     }
 
-    _decrypt_aes_key(KS_AES_ECB, keys, keys->temp_key, nfc_key_source, 0, 0);
+    decrypt_aes_key(KS_AES_ECB, keys, keys->temp_key, nfc_key_source, 0, 0);
 
     nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
-    static const u8 nfc_iv[AES_128_KEY_SIZE] = {
+    static const u8 nfc_iv[SE_KEY_128_SIZE] = {
         0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
-    se_aes_key_set(KS_AES_CTR, keys->temp_key, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_AES_CTR, keys->temp_key, SE_KEY_128_SIZE);
     se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
 
     minerva_periodic_training();
 
     u8 xor_pad[0x20] __attribute__((aligned(4))) = {0};
-    se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, AES_128_KEY_SIZE);
+    se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE);
     se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
 
     minerva_periodic_training();
@@ -1204,111 +1101,3 @@ static void _save_key_family(const char *name, const void *data, u32 start_key,
     }
     free(temp_name);
 }
-
-// Equivalent to spl::GenerateAesKek
-static void _generate_aes_kek(u32 ks, key_derivation_ctx_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) {
-    bool device_unique = GET_IS_DEVICE_UNIQUE(option);
-    u32 seal_key_index = GET_SEAL_KEY_INDEX(option);
-
-    if (generation)
-        generation--;
-
-    u8 static_source[AES_128_KEY_SIZE] __attribute__((aligned(4)));
-    for (u32 i = 0; i < AES_128_KEY_SIZE; i++)
-        static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i];
-
-    if (device_unique) {
-        _get_device_key(ks, keys, keys->temp_key, generation);
-    } else {
-        memcpy(keys->temp_key, keys->master_key[generation], sizeof(keys->temp_key));
-    }
-    se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE);
-    se_aes_unwrap_key(ks, ks, static_source);
-    se_aes_crypt_block_ecb(ks, DECRYPT, out_kek, kek_source);
-}
-
-// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key
-static void _load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
-    se_aes_key_set(ks, access_key, AES_128_KEY_SIZE);
-    se_aes_crypt_block_ecb(ks, DECRYPT, out_key, key_source);
-}
-
-// Equivalent to spl::GenerateAesKey
-static void _generate_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) {
-    void *aes_key = keys->temp_key;
-    _load_aes_key(ks, aes_key, access_key, aes_key_generation_source);
-    se_aes_key_set(ks, aes_key, AES_128_KEY_SIZE);
-    se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size);
-}
-
-// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing
-static void _get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
-    _load_aes_key(ks, out_key, access_key, key_source);
-}
-
-// Equivalent to spl::DecryptAesKey.
-static void _decrypt_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) {
-    void *access_key = keys->temp_key;
-    _generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option);
-    _generate_aes_key(ks, keys, out_key, AES_128_KEY_SIZE, access_key, key_source);
-}
-
-// Equivalent to smc::GetSecureData
-static void _get_secure_data(key_derivation_ctx_t *keys, void *out_data) {
-    se_aes_key_set(KS_AES_CTR, keys->device_key, AES_128_KEY_SIZE);
-    u8 *d = (u8 *)out_data;
-    se_aes_crypt_ctr(KS_AES_CTR, d + AES_128_KEY_SIZE * 0, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
-    se_aes_crypt_ctr(KS_AES_CTR, d + AES_128_KEY_SIZE * 1, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]);
-
-    // Apply tweak
-    for (u32 i = 0; i < AES_128_KEY_SIZE; i++) {
-        d[AES_128_KEY_SIZE + i] ^= secure_data_tweaks[0][i];
-    }
-}
-
-// Equivalent to spl::GenerateSpecificAesKey
-static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 generation) {
-    if (fuse_read_bootrom_rev() >= 0x7F) {
-        _get_device_key(ks, keys, keys->temp_key, generation == 0 ? 0 : generation - 1);
-        se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE);
-        se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source);
-        se_aes_crypt_ecb(ks, DECRYPT, out_key, AES_128_KEY_SIZE * 2, key_source, AES_128_KEY_SIZE * 2);
-    } else {
-        _get_secure_data(keys, out_key);
-    }
-}
-
-static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 generation) {
-    if (generation == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) {
-        memcpy(out_device_key, keys->device_key, AES_128_KEY_SIZE);
-        return;
-    }
-
-    if (generation >= KB_FIRMWARE_VERSION_400) {
-        generation -= KB_FIRMWARE_VERSION_400;
-    } else {
-        generation = 0;
-    }
-    u32 temp_key_source[AES_128_KEY_SIZE / 4] = {0};
-    _load_aes_key(ks, temp_key_source, keys->device_key_4x, device_master_key_source_sources[generation]);
-    const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[generation] : device_master_kek_sources_dev[generation];
-    se_aes_key_set(ks, keys->master_key[0], AES_128_KEY_SIZE);
-    se_aes_unwrap_key(ks, ks, kek_source);
-    se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source);
-}
-
-static bool _test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) {
-    u32 plaintext[RSA_2048_KEY_SIZE / 4] = {0},
-        ciphertext[RSA_2048_KEY_SIZE / 4] = {0},
-        work[RSA_2048_KEY_SIZE / 4] = {0};
-
-    plaintext[63] = 0xCAFEBABE;
-
-    se_rsa_key_set(0, modulus, RSA_2048_KEY_SIZE, private_exponent, RSA_2048_KEY_SIZE);
-    se_rsa_exp_mod(0, ciphertext, RSA_2048_KEY_SIZE, plaintext, RSA_2048_KEY_SIZE);
-
-    se_rsa_key_set(0, modulus, RSA_2048_KEY_SIZE, public_exponent, 4);
-    se_rsa_exp_mod(0, work, RSA_2048_KEY_SIZE, ciphertext, RSA_2048_KEY_SIZE);
-
-    return memcmp(plaintext, work, RSA_2048_KEY_SIZE) == 0;
-}
diff --git a/source/keys/keys.h b/source/keys/keys.h
index bb1b5af..ca84f85 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -17,45 +17,19 @@
 #ifndef _KEYS_H_
 #define _KEYS_H_
 
-#include <utils/types.h>
+#include "crypto.h"
 
 #include "../hos/hos.h"
-
-#define AES_128_KEY_SIZE 16
-#define RSA_2048_KEY_SIZE 256
-
-#define RSA_PUBLIC_EXPONENT 65537
-
-// Lockpick_RCM keyslots
-#define KS_BIS_00_CRYPT 0
-#define KS_BIS_00_TWEAK 1
-#define KS_BIS_01_CRYPT 2
-#define KS_BIS_01_TWEAK 3
-#define KS_BIS_02_CRYPT 4
-#define KS_BIS_02_TWEAK 5
-#define KS_AES_CTR  6
-#define KS_AES_ECB  8
-#define KS_AES_CMAC 10
-
-// Mariko keyslots
-#define KS_MARIKO_KEK 12
-#define KS_MARIKO_BEK 13
-
-// Other Switch keyslots
-#define KS_TSEC        12
-#define KS_SECURE_BOOT 14
-
-// Atmosphere keygen keyslots
-#define KS_TSEC_ROOT_DEV 11
-#define KS_TSEC_ROOT     13
+#include <sec/se_t210.h>
+#include <utils/types.h>
 
 // only tickets of type Rsa2048Sha256 are expected
 typedef struct {
     u32 signature_type;   // always 0x10004
-    u8 signature[RSA_2048_KEY_SIZE];
+    u8 signature[SE_RSA2048_DIGEST_SIZE];
     u8 sig_padding[0x3C];
     char issuer[0x40];
-    u8 titlekey_block[RSA_2048_KEY_SIZE];
+    u8 titlekey_block[SE_RSA2048_DIGEST_SIZE];
     u8 format_version;
     u8 titlekey_type;
     u16 ticket_version;
@@ -88,26 +62,6 @@ typedef struct {
     u8 titlekeys[SZ_256K / 0x10][0x10];
 } titlekey_buffer_t;
 
-typedef struct {
-    u8 private_exponent[RSA_2048_KEY_SIZE];
-    u8 modulus[RSA_2048_KEY_SIZE];
-    u8 public_exponent[4];
-    u8 reserved[0xC];
-} rsa_keypair_t;
-
-typedef struct {
-    u8 master_kek[AES_128_KEY_SIZE];
-    u8 data[0x70];
-    u8 package1_key[AES_128_KEY_SIZE];
-} keyblob_t;
-
-typedef struct {
-    u8 cmac[0x10];
-    u8 iv[0x10];
-    keyblob_t key_data;
-    u8 unused[0x150];
-} encrypted_keyblob_t;
-
 typedef struct {
     char phrase[0xE];
     u8 seed[0xE];
@@ -129,61 +83,6 @@ typedef struct {
     u8 xor_pad[0x20];
 } nfc_save_key_t;
 
-typedef enum {
-    SEAL_KEY_LOAD_AES_KEY = 0,
-    SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA = 1,
-    SEAL_KEY_IMPORT_LOTUS_KEY = 2,
-    SEAL_KEY_IMPORT_ES_DEVICE_KEY = 3,
-    SEAL_KEY_REENCRYPT_DEVICE_UNIQUE_DATA = 4,
-    SEAL_KEY_IMPORT_SSL_KEY = 5,
-    SEAL_KEY_IMPORT_ES_CLIENT_CERT_KEY = 6,
-} seal_key_t;
-
-typedef enum {
-    NOT_DEVICE_UNIQUE = 0,
-    IS_DEVICE_UNIQUE = 1,
-} device_unique_t;
-
-#define SET_SEAL_KEY_INDEX(x) (((x) & 7) << 5)
-#define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
-#define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
-
-#define SSL_RSA_KEY_SIZE         (RSA_2048_KEY_SIZE + AES_128_KEY_SIZE)
-#define ETICKET_RSA_KEYPAIR_SIZE (RSA_2048_KEY_SIZE * 2 + AES_128_KEY_SIZE * 2)
-
-typedef struct {
-    u8  temp_key[AES_128_KEY_SIZE],
-        bis_key[4][AES_128_KEY_SIZE * 2],
-        device_key[AES_128_KEY_SIZE],
-        device_key_4x[AES_128_KEY_SIZE],
-        sd_seed[AES_128_KEY_SIZE],
-        // FS-related keys
-        header_key[AES_128_KEY_SIZE * 2],
-        save_mac_key[AES_128_KEY_SIZE],
-        // other sysmodule keys
-        eticket_rsa_kek[AES_128_KEY_SIZE],
-        eticket_rsa_kek_personalized[AES_128_KEY_SIZE],
-        ssl_rsa_kek[AES_128_KEY_SIZE],
-        ssl_rsa_kek_legacy[AES_128_KEY_SIZE],
-        ssl_rsa_kek_personalized[AES_128_KEY_SIZE],
-        ssl_rsa_key[RSA_2048_KEY_SIZE + 0x20],
-        // keyblob-derived families
-        keyblob_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
-        keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
-        package1_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
-        // master key-derived families
-        key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        master_kek[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        master_key[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        package2_key[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        titlekek[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        tsec_key[AES_128_KEY_SIZE],
-        tsec_root_key[AES_128_KEY_SIZE];
-    u32 sbk[4];
-    keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
-    rsa_keypair_t eticket_rsa_keypair;
-} key_derivation_ctx_t;
-
 typedef struct {
     char rights_id[0x20];
     char equals[3];

From c7d90ec8caf22a901c2b9bb816f6c2e346aa42a6 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Wed, 2 Nov 2022 18:36:39 -0700
Subject: [PATCH 13/21] Further improve readability

---
 bdk/sec/se.c         |  70 --------------
 bdk/sec/se.h         |   1 -
 bdk/utils/util.c     |  14 ---
 bdk/utils/util.h     |   3 -
 source/keys/crypto.c |  83 +++++++++++++++-
 source/keys/crypto.h |   7 +-
 source/keys/keys.c   | 222 +++++++++++++++++++++----------------------
 source/keys/keys.h   |   2 +-
 8 files changed, 195 insertions(+), 207 deletions(-)

diff --git a/bdk/sec/se.c b/bdk/sec/se.c
index 02f6f90..5c2a391 100644
--- a/bdk/sec/se.c
+++ b/bdk/sec/se.c
@@ -718,76 +718,6 @@ out:;
 	return res;
 }
 
-// _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère
-static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size)
-{
-	u8 cur_hash[0x20] __attribute__((aligned(4)));
-	u8 hash_buf[0xe4] __attribute__((aligned(4)));
-
-	u32 hash_buf_size = seed_size + 4;
-	memcpy(hash_buf, seed, seed_size);
-	u32 round_num = 0;
-
-	u8 *p_out = (u8 *)masked;
-
-	while (masked_size) {
-		u32 cur_size = MIN(masked_size, 0x20);
-
-		for (u32 i = 0; i < 4; i++)
-			hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff;
-		round_num++;
-
-		se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size);
-
-		for (unsigned int i = 0; i < cur_size; i++) {
-			*p_out ^= cur_hash[i];
-			p_out++;
-		}
-
-		masked_size -= cur_size;
-	}
-}
-
-u32 se_rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size)
-{
-	if (dst_size <= 0 || buf_size < 0x43 || label_digest_size != 0x20)
-		return 0;
-
-	bool is_valid = buf[0] == 0;
-
-	u32 db_len = buf_size - 0x21;
-	u8 *seed = buf + 1;
-	u8 *db = seed + 0x20;
-	_mgf1_xor(seed, 0x20, db, db_len);
-	_mgf1_xor(db, db_len, seed, 0x20);
-
-	is_valid &= memcmp(label_digest, db, 0x20) ? 0 : 1;
-
-	db += 0x20;
-	db_len -= 0x20;
-
-	int msg_ofs = 0;
-	int looking_for_one = 1;
-	int invalid_db_padding = 0;
-	int is_zero;
-	int is_one;
-	for (int i = 0; i < db_len; )
-	{
-		is_zero = (db[i] == 0);
-		is_one  = (db[i] == 1);
-		msg_ofs += (looking_for_one & is_one) * (++i);
-		looking_for_one &= ~is_one;
-		invalid_db_padding |= (looking_for_one & ~is_zero);
-	}
-
-	is_valid &= (invalid_db_padding == 0);
-
-	const u32 msg_size = MIN(dst_size, is_valid * (db_len - msg_ofs));
-	memcpy(dst, db + msg_ofs, msg_size);
-
-	return msg_size;
-}
-
 void se_get_aes_keys(u8 *buf, u8 *keys, u32 keysize)
 {
 	u8 *aligned_buf = (u8 *)ALIGN((u32)buf, 0x40);
diff --git a/bdk/sec/se.h b/bdk/sec/se.h
index 2a2f8cd..1bb435d 100644
--- a/bdk/sec/se.h
+++ b/bdk/sec/se.h
@@ -49,6 +49,5 @@ int se_calc_sha256(void *hash, u32 *msg_left, const void *src, u32 src_size, u64
 int se_calc_sha256_oneshot(void *hash, const void *src, u32 src_size);
 int se_calc_sha256_finalize(void *hash, u32 *msg_left);
 int se_calc_hmac_sha256(void *dst, const void *src, u32 src_size, const void *key, u32 key_size);
-u32 se_rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size);
 
 #endif
diff --git a/bdk/utils/util.c b/bdk/utils/util.c
index e05c2bc..bf30929 100644
--- a/bdk/utils/util.c
+++ b/bdk/utils/util.c
@@ -230,17 +230,3 @@ void power_set_state_ex(void *param)
 	power_state_t *state = (power_state_t *)param;
 	power_set_state(*state);
 }
-
-u32 read_le_u32(const void *buffer, u32 offset) {
-	return	(*(u8*)(buffer + offset + 0)        ) |
-			(*(u8*)(buffer + offset + 1) << 0x08) |
-			(*(u8*)(buffer + offset + 2) << 0x10) |
-			(*(u8*)(buffer + offset + 3) << 0x18);
-}
-
-u32 read_be_u32(const void *buffer, u32 offset) {
-	return	(*(u8*)(buffer + offset + 3)        ) |
-			(*(u8*)(buffer + offset + 2) << 0x08) |
-			(*(u8*)(buffer + offset + 1) << 0x10) |
-			(*(u8*)(buffer + offset + 0) << 0x18);
-}
diff --git a/bdk/utils/util.h b/bdk/utils/util.h
index df929bc..d27d52d 100644
--- a/bdk/utils/util.h
+++ b/bdk/utils/util.h
@@ -96,7 +96,4 @@ void panic(u32 val);
 void power_set_state(power_state_t state);
 void power_set_state_ex(void *param);
 
-u32 read_le_u32(const void *buffer, u32 offset);
-u32 read_be_u32(const void *buffer, u32 offset);
-
 #endif
diff --git a/source/keys/crypto.c b/source/keys/crypto.c
index cd5afd0..42e10bb 100644
--- a/source/keys/crypto.c
+++ b/source/keys/crypto.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2022 shchmue
+ * Copyright (c) 2018 Atmosphère-NX
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -27,6 +28,15 @@
 
 extern hekate_config h_cfg;
 
+bool check_keyslot_access() {
+    u8 test_data[SE_KEY_128_SIZE] = {0};
+    const u8 test_ciphertext[SE_KEY_128_SIZE] = {0};
+    se_aes_key_set(KS_AES_ECB, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE);
+    se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, test_data, test_ciphertext);
+
+    return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0;
+}
+
 bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) {
     u32 plaintext[SE_RSA2048_DIGEST_SIZE / 4] = {0},
         ciphertext[SE_RSA2048_DIGEST_SIZE / 4] = {0},
@@ -46,13 +56,82 @@ bool test_rsa_keypair(const void *public_exponent, const void *private_exponent,
 bool test_eticket_rsa_keypair(const rsa_keypair_t *keypair) {
     // Unlike the SSL RSA key, we don't need to check the gmac - we can just verify the public exponent
     // and test the keypair since we have the modulus
-    if ((read_be_u32(keypair->public_exponent, 0) != RSA_PUBLIC_EXPONENT) ||
-        (!test_rsa_keypair(keypair->public_exponent, keypair->private_exponent, keypair->modulus))) {
+    if ((byte_swap_32(keypair->public_exponent) != RSA_PUBLIC_EXPONENT) ||
+        (!test_rsa_keypair(&keypair->public_exponent, keypair->private_exponent, keypair->modulus))
+    ) {
         return false;
     }
     return true;
 }
 
+// _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère
+static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size)
+{
+    u8 cur_hash[0x20] __attribute__((aligned(4)));
+    u8 hash_buf[0xe4] __attribute__((aligned(4)));
+
+    u32 hash_buf_size = seed_size + 4;
+    memcpy(hash_buf, seed, seed_size);
+    u32 round_num = 0;
+
+    u8 *p_out = (u8 *)masked;
+
+    while (masked_size) {
+        u32 cur_size = MIN(masked_size, 0x20);
+
+        for (u32 i = 0; i < 4; i++)
+            hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff;
+        round_num++;
+
+        se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size);
+
+        for (unsigned int i = 0; i < cur_size; i++) {
+            *p_out ^= cur_hash[i];
+            p_out++;
+        }
+
+        masked_size -= cur_size;
+    }
+}
+
+u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size) {
+    if (dst_size <= 0 || buf_size < 0x43 || label_digest_size != 0x20)
+        return 0;
+
+    bool is_valid = buf[0] == 0;
+
+    u32 db_len = buf_size - 0x21;
+    u8 *seed = buf + 1;
+    u8 *db = seed + 0x20;
+    _mgf1_xor(seed, 0x20, db, db_len);
+    _mgf1_xor(db, db_len, seed, 0x20);
+
+    is_valid &= memcmp(label_digest, db, 0x20) ? 0 : 1;
+
+    db += 0x20;
+    db_len -= 0x20;
+
+    int msg_ofs = 0;
+    int looking_for_one = 1;
+    int invalid_db_padding = 0;
+    int is_zero;
+    int is_one;
+    for (int i = 0; i < db_len; ) {
+        is_zero = (db[i] == 0);
+        is_one  = (db[i] == 1);
+        msg_ofs += (looking_for_one & is_one) * (++i);
+        looking_for_one &= ~is_one;
+        invalid_db_padding |= (looking_for_one & ~is_zero);
+    }
+
+    is_valid &= (invalid_db_padding == 0);
+
+    const u32 msg_size = MIN(dst_size, is_valid * (db_len - msg_ofs));
+    memcpy(dst, db + msg_ofs, msg_size);
+
+    return msg_size;
+}
+
 // Equivalent to spl::GenerateAesKek
 void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) {
     bool device_unique = GET_IS_DEVICE_UNIQUE(option);
diff --git a/source/keys/crypto.h b/source/keys/crypto.h
index 4e1d0d7..33389f8 100644
--- a/source/keys/crypto.h
+++ b/source/keys/crypto.h
@@ -127,10 +127,12 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
 #define SSL_RSA_KEY_SIZE         (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE)
 #define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE)
 
+#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004
+
 typedef struct {
     u8 private_exponent[SE_RSA2048_DIGEST_SIZE];
     u8 modulus[SE_RSA2048_DIGEST_SIZE];
-    u8 public_exponent[4];
+    u32 public_exponent;
     u8 reserved[0xC];
 } rsa_keypair_t;
 
@@ -199,8 +201,11 @@ typedef enum {
 #define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
 #define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
 
+bool check_keyslot_access();
+
 bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus);
 bool test_eticket_rsa_keypair(const rsa_keypair_t *keypair);
+u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size);
 
 // Equivalent to spl::GenerateAesKek
 void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option);
diff --git a/source/keys/keys.c b/source/keys/keys.c
index a53061e..f7fc7c3 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -65,6 +65,7 @@ static void _save_key(const char *name, const void *data, u32 len, char *outbuf)
 static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf);
 
 static void _derive_master_key_mariko(key_storage_t *keys, bool is_dev) {
+    minerva_periodic_training();
     // Relies on the SBK being properly set in slot 14
     se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
     // Derive all master keys based on Mariko KEK
@@ -94,6 +95,7 @@ static int _run_ams_keygen(key_storage_t *keys) {
 }
 
 static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev) {
+    minerva_periodic_training();
     if (!h_cfg.t210b01) {
         u32 tsec_root_key_slot = is_dev ? 11 : 13;
         // Derive all master keys based on current root key
@@ -103,6 +105,8 @@ static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev
         }
     }
 
+    minerva_periodic_training();
+
     // Derive all lower master keys
     for (u32 i = KB_FIRMWARE_VERSION_MAX; i > 0; i--) {
         load_aes_key(KS_AES_ECB, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]);
@@ -116,6 +120,8 @@ static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev
 }
 
 static void _derive_keyblob_keys(key_storage_t *keys) {
+    minerva_periodic_training();
+
     u8 *keyblob_block = (u8 *)calloc(KB_FIRMWARE_VERSION_600 + 1, NX_EMMC_BLOCKSIZE);
     u32 keyblob_mac[SE_KEY_128_SIZE / 4] = {0};
     bool have_keyblobs = true;
@@ -194,6 +200,7 @@ static void _derive_bis_keys(key_storage_t *keys) {
 }
 
 static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) {
+    minerva_periodic_training();
     if (_key_exists(keys->master_key[0])) {
         const u32 generation = 0;
         const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
@@ -209,6 +216,7 @@ static void _derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, cons
 }
 
 static void _derive_misc_keys(key_storage_t *keys, bool is_dev) {
+    minerva_periodic_training();
     if (_key_exists(keys->device_key) || (_key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x))) {
         void *access_key = keys->temp_key;
         const u32 generation = 0;
@@ -231,6 +239,7 @@ static void _derive_misc_keys(key_storage_t *keys, bool is_dev) {
 
 static void _derive_per_generation_keys(key_storage_t *keys) {
     for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) {
+        minerva_periodic_training();
         if (!_key_exists(keys->master_key[generation]))
             continue;
         for (u32 source_type = 0; source_type < ARRAY_SIZE(key_area_key_sources); source_type++) {
@@ -244,6 +253,45 @@ static void _derive_per_generation_keys(key_storage_t *keys) {
     }
 }
 
+// Returns true when terminator is found
+static bool _count_ticket_records(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 *tkey_count) {
+    ticket_record_t *curr_ticket_record = (ticket_record_t *)titlekey_buffer->read_buffer;
+    for (u32 i = 0; i < buf_size; i += sizeof(ticket_record_t), curr_ticket_record++) {
+        if (curr_ticket_record->rights_id[0] == 0xFF)
+            return true;
+        (*tkey_count)++;
+    }
+    return false;
+}
+
+static void _decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) {
+    ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer;
+    for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) {
+        minerva_periodic_training();
+        *pct = (total - remaining) * 100 / total;
+        if (*pct > *last_pct && *pct <= 100) {
+            *last_pct = *pct;
+            tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500);
+        }
+
+        // This is in case an encrypted volatile ticket is left behind
+        if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256)
+            continue;
+
+        u8 *curr_titlekey = curr_ticket->titlekey_block;
+        const u32 block_size = SE_RSA2048_DIGEST_SIZE;
+        const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]);
+        if (is_personalized) {
+            se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size);
+            if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size)
+                continue;
+        }
+        memcpy(titlekey_buffer->rights_ids[_titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0]));
+        memcpy(titlekey_buffer->titlekeys[_titlekey_count], curr_titlekey, titlekey_size);
+        _titlekey_count++;
+    }
+}
+
 static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, rsa_keypair_t *rsa_keypair) {
     FIL fp;
     u64 br = buf_size;
@@ -251,8 +299,10 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title
     u32 file_tkey_count = 0;
     u32 save_x = gfx_con.x, save_y = gfx_con.y;
     bool is_personalized = rsa_keypair != NULL;
-    u32 start_titlekey_count = _titlekey_count;
+    const char ticket_bin_path[32] = "/ticket.bin";
+    const char ticket_list_bin_path[32] = "/ticket_list.bin";
     char titlekey_save_path[32] = "bis:/save/80000000000000E1";
+    save_data_file_ctx_t ticket_file;
 
     if (is_personalized) {
         titlekey_save_path[25] = '2';
@@ -280,10 +330,6 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title
         return false;
     }
 
-    const char ticket_bin_path[32] = "/ticket.bin";
-    const char ticket_list_bin_path[32] = "/ticket_list.bin";
-    save_data_file_ctx_t ticket_file;
-
     if (!save_open_file(save_ctx, &ticket_file, ticket_list_bin_path, OPEN_MODE_READ)) {
         EPRINTF("Unable to locate ticket_list.bin in save.");
         f_close(&fp);
@@ -292,22 +338,19 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title
         return false;
     }
 
-    bool terminator_reached = false;
-    while (offset < ticket_file.size && !terminator_reached) {
-        if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || titlekey_buffer->read_buffer[0] == 0 || br != buf_size)
-            break;
-        offset += br;
+    // Read ticket list to get ticket count
+    while (offset < ticket_file.size) {
         minerva_periodic_training();
-        ticket_record_t *curr_ticket_record = (ticket_record_t *)titlekey_buffer->read_buffer;
-        for (u32 i = 0; i < buf_size; i += sizeof(ticket_record_t), curr_ticket_record++) {
-            if (curr_ticket_record->rights_id[0] == 0xFF) {
-                terminator_reached = true;
-                break;
-            }
-            file_tkey_count++;
+        if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) ||
+            titlekey_buffer->read_buffer[0] == 0 ||
+            br != buf_size ||
+            _count_ticket_records(buf_size, titlekey_buffer, &file_tkey_count)
+        ) {
+            break;
         }
+        offset += br;
     }
-    TPRINTF("  Count keys...");
+    TPRINTF("  Count titlekeys...");
 
     if (!save_open_file(save_ctx, &ticket_file, ticket_bin_path, OPEN_MODE_READ)) {
         EPRINTF("Unable to locate ticket.bin in save.");
@@ -317,50 +360,17 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title
         return false;
     }
 
-    if (is_personalized) {
+    if (is_personalized)
         se_rsa_key_set(0, rsa_keypair->modulus, sizeof(rsa_keypair->modulus), rsa_keypair->private_exponent, sizeof(rsa_keypair->private_exponent));
-    }
-
-    const u32 ticket_sig_type_rsa2048_sha256 = 0x10004;
 
     offset = 0;
-    terminator_reached = false;
-    u32 pct = 0, last_pct = 0, i = 0;
-    while (offset < ticket_file.size && !terminator_reached) {
+    u32 pct = 0, last_pct = 0, remaining = file_tkey_count;
+    while (offset < ticket_file.size && remaining) {
         if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || titlekey_buffer->read_buffer[0] == 0 || br != buf_size)
             break;
         offset += br;
-        ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer;
-        for (u32 j = 0; j < buf_size; j += sizeof(ticket_t), curr_ticket++) {
-            minerva_periodic_training();
-            pct = (_titlekey_count - start_titlekey_count) * 100 / file_tkey_count;
-            if (pct > last_pct && pct <= 100) {
-                last_pct = pct;
-                tui_pbar(save_x, save_y, pct, COLOR_GREEN, 0xFF155500);
-            }
-            if (i == file_tkey_count || curr_ticket->signature_type == 0) {
-                terminator_reached = true;
-                break;
-            }
-            if (curr_ticket->signature_type != ticket_sig_type_rsa2048_sha256) {
-                i++;
-                continue;
-            }
-            if (is_personalized) {
-                se_rsa_exp_mod(0, curr_ticket->titlekey_block, sizeof(curr_ticket->titlekey_block), curr_ticket->titlekey_block, sizeof(curr_ticket->titlekey_block));
-                if (se_rsa_oaep_decode(
-                        curr_ticket->titlekey_block, sizeof(titlekey_buffer->titlekeys[0]),
-                        null_hash, sizeof(null_hash),
-                        curr_ticket->titlekey_block, sizeof(curr_ticket->titlekey_block)
-                    ) != sizeof(titlekey_buffer->titlekeys[0])
-                )
-                    continue;
-            }
-            memcpy(titlekey_buffer->rights_ids[_titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0]));
-            memcpy(titlekey_buffer->titlekeys[_titlekey_count], curr_ticket->titlekey_block, sizeof(titlekey_buffer->titlekeys[0]));
-            _titlekey_count++;
-            i++;
-        }
+        _decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, save_x, save_y, &pct, &last_pct, is_personalized);
+        remaining -= MIN(buf_size / sizeof(ticket_t), remaining);
     }
     tui_pbar(save_x, save_y, 100, COLOR_GREEN, 0xFF155500);
     f_close(&fp);
@@ -844,21 +854,11 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
     free(text_buffer);
 }
 
-static bool _check_keyslot_access() {
-    u8 test_data[SE_KEY_128_SIZE] = {0};
-    const u8 test_ciphertext[SE_KEY_128_SIZE] = {0};
-    se_aes_key_set(KS_AES_ECB, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE);
-    se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, test_data, test_ciphertext);
-
-    return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0;
-}
-
 static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
     key_storage_t *keys = is_dev ? dev_keys : prod_keys;
 
     if (h_cfg.t210b01) {
         _derive_master_key_mariko(keys, is_dev);
-        minerva_periodic_training();
         _derive_master_keys_from_latest_key(keys, is_dev);
     } else {
         int res = _run_ams_keygen(keys);
@@ -874,9 +874,7 @@ static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_key
         free(aes_keys);
 
         _derive_master_keys_from_latest_key(prod_keys, false);
-        minerva_periodic_training();
         _derive_master_keys_from_latest_key(dev_keys, true);
-        minerva_periodic_training();
         _derive_keyblob_keys(keys);
     }
 }
@@ -884,7 +882,7 @@ static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_key
 static void _derive_keys() {
     minerva_periodic_training();
 
-    if (!_check_keyslot_access()) {
+    if (!check_keyslot_access()) {
         EPRINTF("Unable to set crypto keyslots!\nTry launching payload differently\n or flash Spacecraft-NX if using a modchip.");
         return;
     }
@@ -917,19 +915,10 @@ static void _derive_keys() {
 
     TPRINTFARGS("%kBIS keys...     ", colors[(color_idx++) % 6]);
 
-    minerva_periodic_training();
     _derive_misc_keys(keys, is_dev);
-
-    minerva_periodic_training();
     _derive_non_unique_keys(&prod_keys, is_dev);
-
-    minerva_periodic_training();
     _derive_non_unique_keys(&dev_keys, is_dev);
-
-    minerva_periodic_training();
     _derive_per_generation_keys(&prod_keys);
-
-    minerva_periodic_training();
     _derive_per_generation_keys(&dev_keys);
 
     titlekey_buffer_t *titlekey_buffer = (titlekey_buffer_t *)TITLEKEY_BUF_ADR;
@@ -957,6 +946,37 @@ static void _derive_keys() {
     }
 }
 
+ static void _decrypt_amiibo_keys(key_storage_t *keys, const u8 *encrypted_keys, nfc_save_key_t nfc_save_keys[2]) {
+    u32 kek[SE_KEY_128_SIZE / 4] = {0};
+    decrypt_aes_key(KS_AES_ECB, keys, kek, nfc_key_source, 0, 0);
+
+    nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
+    static const u8 nfc_iv[SE_KEY_128_SIZE] = {
+        0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
+    se_aes_key_set(KS_AES_CTR, kek, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
+
+    minerva_periodic_training();
+
+    u32 xor_pad[0x20 / 4] = {0};
+    se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
+
+    minerva_periodic_training();
+
+    memcpy(nfc_save_keys[0].hmac_key, nfc_keyblob.hmac_key, sizeof(nfc_keyblob.hmac_key));
+    memcpy(nfc_save_keys[0].phrase, nfc_keyblob.phrase, sizeof(nfc_keyblob.phrase));
+    nfc_save_keys[0].seed_size = sizeof(nfc_keyblob.seed);
+    memcpy(nfc_save_keys[0].seed, nfc_keyblob.seed, sizeof(nfc_keyblob.seed));
+    memcpy(nfc_save_keys[0].xor_pad, xor_pad, sizeof(xor_pad));
+
+    memcpy(nfc_save_keys[1].hmac_key, nfc_keyblob.hmac_key_for_verif, sizeof(nfc_keyblob.hmac_key_for_verif));
+    memcpy(nfc_save_keys[1].phrase, nfc_keyblob.phrase_for_verif, sizeof(nfc_keyblob.phrase_for_verif));
+    nfc_save_keys[1].seed_size = sizeof(nfc_keyblob.seed_for_verif);
+    memcpy(nfc_save_keys[1].seed, nfc_keyblob.seed_for_verif, sizeof(nfc_keyblob.seed_for_verif));
+    memcpy(nfc_save_keys[1].xor_pad, xor_pad, sizeof(xor_pad));
+ }
+
 void derive_amiibo_keys() {
     minerva_change_freq(FREQ_1600);
 
@@ -985,53 +1005,25 @@ void derive_amiibo_keys() {
         return;
     }
 
-    decrypt_aes_key(KS_AES_ECB, keys, keys->temp_key, nfc_key_source, 0, 0);
-
-    nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
-    static const u8 nfc_iv[SE_KEY_128_SIZE] = {
-        0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
-    se_aes_key_set(KS_AES_CTR, keys->temp_key, SE_KEY_128_SIZE);
-    se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
-
-    minerva_periodic_training();
-
-    u8 xor_pad[0x20] __attribute__((aligned(4))) = {0};
-    se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE);
-    se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
-
-    minerva_periodic_training();
-
     nfc_save_key_t __attribute__((aligned(4))) nfc_save_keys[2] = {0};
-    memcpy(nfc_save_keys[0].hmac_key, nfc_keyblob.hmac_key, sizeof(nfc_keyblob.hmac_key));
-    memcpy(nfc_save_keys[0].phrase, nfc_keyblob.phrase, sizeof(nfc_keyblob.phrase));
-    nfc_save_keys[0].seed_size = sizeof(nfc_keyblob.seed);
-    memcpy(nfc_save_keys[0].seed, nfc_keyblob.seed, sizeof(nfc_keyblob.seed));
-    memcpy(nfc_save_keys[0].xor_pad, xor_pad, sizeof(xor_pad));
 
-    memcpy(nfc_save_keys[1].hmac_key, nfc_keyblob.hmac_key_for_verif, sizeof(nfc_keyblob.hmac_key_for_verif));
-    memcpy(nfc_save_keys[1].phrase, nfc_keyblob.phrase_for_verif, sizeof(nfc_keyblob.phrase_for_verif));
-    nfc_save_keys[1].seed_size = sizeof(nfc_keyblob.seed_for_verif);
-    memcpy(nfc_save_keys[1].seed, nfc_keyblob.seed_for_verif, sizeof(nfc_keyblob.seed_for_verif));
-    memcpy(nfc_save_keys[1].xor_pad, xor_pad, sizeof(xor_pad));
+    _decrypt_amiibo_keys(keys, encrypted_keys, nfc_save_keys);
 
     minerva_periodic_training();
 
-    u8 hash[0x20] = {0};
+    u32 hash[SE_SHA_256_SIZE / 4] = {0};
     se_calc_sha256_oneshot(hash, &nfc_save_keys[0], sizeof(nfc_save_keys));
 
     if (memcmp(hash, is_dev ? nfc_blob_hash_dev : nfc_blob_hash, sizeof(hash)) != 0) {
         EPRINTF("Amiibo hash mismatch. Skipping save.");
-        minerva_change_freq(FREQ_800);
-        btn_wait();
-        return;
-    }
-
-    const char *keyfile_path = is_dev ? "sd:/switch/key_dev.bin" : "sd:/switch/key_retail.bin";
-
-    if (!sd_save_to_file(&nfc_save_keys[0], sizeof(nfc_save_keys), keyfile_path)) {
-        gfx_printf("%kWrote Amiibo keys to\n %s\n", colors[(color_idx++) % 6], keyfile_path);
     } else {
-        EPRINTF("Unable to save Amiibo keys to SD.");
+        const char *keyfile_path = is_dev ? "sd:/switch/key_dev.bin" : "sd:/switch/key_retail.bin";
+
+        if (!sd_save_to_file(&nfc_save_keys[0], sizeof(nfc_save_keys), keyfile_path)) {
+            gfx_printf("%kWrote Amiibo keys to\n %s\n", colors[(color_idx++) % 6], keyfile_path);
+        } else {
+            EPRINTF("Unable to save Amiibo keys to SD.");
+        }
     }
 
     gfx_printf("\n%kPress a button to return to the menu.", colors[(color_idx++) % 6]);
diff --git a/source/keys/keys.h b/source/keys/keys.h
index ca84f85..3f15719 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -25,7 +25,7 @@
 
 // only tickets of type Rsa2048Sha256 are expected
 typedef struct {
-    u32 signature_type;   // always 0x10004
+    u32 signature_type; // always 0x10004
     u8 signature[SE_RSA2048_DIGEST_SIZE];
     u8 sig_padding[0x3C];
     char issuer[0x40];

From dd41e3fee82f69eb3021cc69512aad686aa6209c Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 5 Nov 2022 14:39:02 -0700
Subject: [PATCH 14/21] keys: Split crypto functions by sysmodule

---
 source/keys/crypto.c        |  48 ++++---
 source/keys/crypto.h        |  20 +--
 source/keys/es_crypto.c     |  58 +++++++++
 source/keys/es_crypto.h     |  40 ++++++
 source/keys/es_types.h      |  30 +++++
 source/keys/fs_crypto.c     |  69 ++++++++++
 source/keys/fs_crypto.h     |  74 +++++++++++
 source/keys/key_sources.inl | 123 ++----------------
 source/keys/keys.c          | 243 +++++++++++-------------------------
 source/keys/keys.h          |  21 ----
 source/keys/nfc_crypto.c    |  54 ++++++++
 source/keys/nfc_crypto.h    |  75 +++++++++++
 source/keys/ssl_crypto.c    |  51 ++++++++
 source/keys/ssl_crypto.h    |  41 ++++++
 14 files changed, 621 insertions(+), 326 deletions(-)
 create mode 100644 source/keys/es_crypto.c
 create mode 100644 source/keys/es_crypto.h
 create mode 100644 source/keys/es_types.h
 create mode 100644 source/keys/fs_crypto.c
 create mode 100644 source/keys/fs_crypto.h
 create mode 100644 source/keys/nfc_crypto.c
 create mode 100644 source/keys/nfc_crypto.h
 create mode 100644 source/keys/ssl_crypto.c
 create mode 100644 source/keys/ssl_crypto.h

diff --git a/source/keys/crypto.c b/source/keys/crypto.c
index 42e10bb..46a7564 100644
--- a/source/keys/crypto.c
+++ b/source/keys/crypto.c
@@ -17,10 +17,13 @@
 
 #include "crypto.h"
 
+#include "../../keygen/tsec_keygen.h"
+
 #include "../config.h"
 #include "../hos/hos.h"
 #include <sec/se.h>
 #include <sec/se_t210.h>
+#include <sec/tsec.h>
 #include <soc/fuse.h>
 #include <utils/util.h>
 
@@ -28,6 +31,27 @@
 
 extern hekate_config h_cfg;
 
+int key_exists(const void *data) {
+    return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0;
+}
+
+int run_ams_keygen(key_storage_t *keys) {
+    tsec_ctxt_t tsec_ctxt;
+    tsec_ctxt.fw = tsec_keygen;
+    tsec_ctxt.size = sizeof(tsec_keygen);
+    tsec_ctxt.type = TSEC_FW_TYPE_NEW;
+
+    u32 retries = 0;
+    while (tsec_query(keys->temp_key, &tsec_ctxt) < 0) {
+        retries++;
+        if (retries > 15) {
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
 bool check_keyslot_access() {
     u8 test_data[SE_KEY_128_SIZE] = {0};
     const u8 test_ciphertext[SE_KEY_128_SIZE] = {0};
@@ -53,20 +77,8 @@ bool test_rsa_keypair(const void *public_exponent, const void *private_exponent,
     return memcmp(plaintext, work, SE_RSA2048_DIGEST_SIZE) == 0;
 }
 
-bool test_eticket_rsa_keypair(const rsa_keypair_t *keypair) {
-    // Unlike the SSL RSA key, we don't need to check the gmac - we can just verify the public exponent
-    // and test the keypair since we have the modulus
-    if ((byte_swap_32(keypair->public_exponent) != RSA_PUBLIC_EXPONENT) ||
-        (!test_rsa_keypair(&keypair->public_exponent, keypair->private_exponent, keypair->modulus))
-    ) {
-        return false;
-    }
-    return true;
-}
-
 // _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère
-static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size)
-{
+static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size) {
     u8 cur_hash[0x20] __attribute__((aligned(4)));
     u8 hash_buf[0xe4] __attribute__((aligned(4)));
 
@@ -132,6 +144,12 @@ u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label
     return msg_size;
 }
 
+void derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
+    get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
+}
+
 // Equivalent to spl::GenerateAesKek
 void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) {
     bool device_unique = GET_IS_DEVICE_UNIQUE(option);
@@ -162,7 +180,7 @@ void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key
 
 // Equivalent to spl::GenerateAesKey
 void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) {
-    void *aes_key = keys->temp_key;
+    u32 aes_key[SE_KEY_128_SIZE / 4] = {0};
     load_aes_key(ks, aes_key, access_key, aes_key_generation_source);
     se_aes_key_set(ks, aes_key, SE_KEY_128_SIZE);
     se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size);
@@ -175,7 +193,7 @@ void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, c
 
 // Equivalent to spl::DecryptAesKey.
 void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) {
-    void *access_key = keys->temp_key;
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
     generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option);
     generate_aes_key(ks, keys, out_key, SE_KEY_128_SIZE, access_key, key_source);
 }
diff --git a/source/keys/crypto.h b/source/keys/crypto.h
index 33389f8..c242485 100644
--- a/source/keys/crypto.h
+++ b/source/keys/crypto.h
@@ -17,10 +17,14 @@
 #ifndef _CRYPTO_H_
 #define _CRYPTO_H_
 
+#include "es_types.h"
+
 #include "../hos/hos.h"
 #include <sec/se_t210.h>
 #include <utils/types.h>
 
+#include <string.h>
+
 static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
     0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
 
@@ -129,13 +133,6 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
 
 #define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004
 
-typedef struct {
-    u8 private_exponent[SE_RSA2048_DIGEST_SIZE];
-    u8 modulus[SE_RSA2048_DIGEST_SIZE];
-    u32 public_exponent;
-    u8 reserved[0xC];
-} rsa_keypair_t;
-
 typedef struct {
     u8 master_kek[SE_KEY_128_SIZE];
     u8 data[0x70];
@@ -179,7 +176,7 @@ typedef struct {
         tsec_root_key[SE_KEY_128_SIZE];
     u32 sbk[4];
     keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
-    rsa_keypair_t eticket_rsa_keypair;
+    eticket_rsa_keypair_t eticket_rsa_keypair;
 } key_storage_t;
 
 typedef enum {
@@ -201,12 +198,17 @@ typedef enum {
 #define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
 #define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
 
+int key_exists(const void *data);
+
+int run_ams_keygen(key_storage_t *keys);
+
 bool check_keyslot_access();
 
 bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus);
-bool test_eticket_rsa_keypair(const rsa_keypair_t *keypair);
 u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size);
 
+void derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option);
+
 // Equivalent to spl::GenerateAesKek
 void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option);
 // Equivalent to spl::GenerateAesKey
diff --git a/source/keys/es_crypto.c b/source/keys/es_crypto.c
new file mode 100644
index 0000000..57b2912
--- /dev/null
+++ b/source/keys/es_crypto.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "es_crypto.h"
+
+#include "../config.h"
+
+extern hekate_config h_cfg;
+
+bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair) {
+    if (byte_swap_32(keypair->public_exponent) != RSA_PUBLIC_EXPONENT)
+        return false;
+    return test_rsa_keypair(&keypair->public_exponent, keypair->private_exponent, keypair->modulus);
+}
+
+void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation, bool is_dev) {
+    if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
+        return;
+    }
+
+    const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option);
+}
+
+void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    const u32 generation = 0;
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option);
+}
+
+void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
+    const u32 generation = 0;
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option);
+}
diff --git a/source/keys/es_crypto.h b/source/keys/es_crypto.h
new file mode 100644
index 0000000..cc0fb95
--- /dev/null
+++ b/source/keys/es_crypto.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _ES_CRYPTO_H_
+#define _ES_CRYPTO_H_
+
+#include "crypto.h"
+#include "es_types.h"
+
+#include <utils/types.h>
+
+static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
+    0XDB, 0XA4, 0X51, 0X12, 0X4C, 0XA0, 0XA9, 0X83, 0X68, 0X14, 0XF5, 0XED, 0X95, 0XE3, 0X12, 0X5B};
+static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
+    0xBE, 0xC0, 0xBC, 0x8E, 0x75, 0xA0, 0xF6, 0x0C, 0x4A, 0x56, 0x64, 0x02, 0x3E, 0xD4, 0x9C, 0xD5};
+static const u8 eticket_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
+    0x88, 0x87, 0x50, 0x90, 0xA6, 0x2F, 0x75, 0x70, 0xA2, 0xD7, 0x71, 0x51, 0xAE, 0x6D, 0x39, 0x87};
+static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
+    0X46, 0X6E, 0X57, 0XB7, 0X4A, 0X44, 0X7F, 0X02, 0XF3, 0X21, 0XCD, 0XE5, 0X8F, 0X2F, 0X55, 0X35};
+
+bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair);
+
+void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation, bool is_dev);
+void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
+void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
+
+#endif
diff --git a/source/keys/es_types.h b/source/keys/es_types.h
new file mode 100644
index 0000000..feb35fa
--- /dev/null
+++ b/source/keys/es_types.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _ES_TYPES_H_
+#define _ES_TYPES_H_
+
+#include <sec/se_t210.h>
+#include <utils/types.h>
+
+typedef struct {
+    u8 private_exponent[SE_RSA2048_DIGEST_SIZE];
+    u8 modulus[SE_RSA2048_DIGEST_SIZE];
+    u32 public_exponent;
+    u8 reserved[0xC];
+} eticket_rsa_keypair_t;
+
+#endif
diff --git a/source/keys/fs_crypto.c b/source/keys/fs_crypto.c
new file mode 100644
index 0000000..359237f
--- /dev/null
+++ b/source/keys/fs_crypto.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fs_crypto.h"
+
+#include "../config.h"
+#include <sec/se_t210.h>
+
+#include <string.h>
+
+extern hekate_config h_cfg;
+
+void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation) {
+    if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
+        return;
+    }
+
+    generate_specific_aes_key(KS_AES_ECB, keys, out_bis_keys[0], bis_key_sources[0], generation);
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    const u32 option = IS_DEVICE_UNIQUE;
+    generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option);
+    generate_aes_key(KS_AES_ECB, keys, out_bis_keys[1], sizeof(bis_key_sources[1]), access_key, bis_key_sources[1]);
+    generate_aes_key(KS_AES_ECB, keys, out_bis_keys[2], sizeof(bis_key_sources[2]), access_key, bis_key_sources[2]);
+    memcpy(out_bis_keys[3], out_bis_keys[2], sizeof(bis_key_sources[2]));
+}
+
+void fs_derive_header_key(key_storage_t *keys, void *out_key) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    const u32 generation = 0;
+    const u32 option = NOT_DEVICE_UNIQUE;
+    generate_aes_kek(KS_AES_ECB, keys, access_key, header_kek_source, generation, option);
+    generate_aes_key(KS_AES_ECB, keys, out_key, sizeof(header_key_source), access_key, header_key_source);
+}
+
+void fs_derive_key_area_key(key_storage_t *keys, void *out_key, u32 source_type, u32 generation) {
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    const u32 option = NOT_DEVICE_UNIQUE;
+    generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
+    load_aes_key(KS_AES_ECB, out_key, access_key, aes_key_generation_source);
+}
+
+void fs_derive_save_mac_key(key_storage_t *keys, void *out_key) {
+    if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
+        return;
+    }
+
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    const u32 generation = 0;
+    const u32 option = IS_DEVICE_UNIQUE;
+    generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option);
+    load_aes_key(KS_AES_ECB, out_key, access_key, save_mac_key_source);
+}
diff --git a/source/keys/fs_crypto.h b/source/keys/fs_crypto.h
new file mode 100644
index 0000000..976ffde
--- /dev/null
+++ b/source/keys/fs_crypto.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _FS_CRYPTO_H_
+#define _FS_CRYPTO_H_
+
+#include "crypto.h"
+
+#include <utils/types.h>
+
+static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
+static const u8 bis_key_sources[3][0x20] __attribute__((aligned(4))) = {
+    {0xF8, 0x3F, 0x38, 0x6E, 0x2C, 0xD2, 0xCA, 0x32, 0xA8, 0x9A, 0xB9, 0xAA, 0x29, 0xBF, 0xC7, 0x48,
+     0x7D, 0x92, 0xB0, 0x3A, 0xA8, 0xBF, 0xDE, 0xE1, 0xA7, 0x4C, 0x3B, 0x6E, 0x35, 0xCB, 0x71, 0x06},
+    {0x41, 0x00, 0x30, 0x49, 0xDD, 0xCC, 0xC0, 0x65, 0x64, 0x7A, 0x7E, 0xB4, 0x1E, 0xED, 0x9C, 0x5F,
+     0x44, 0x42, 0x4E, 0xDA, 0xB4, 0x9D, 0xFC, 0xD9, 0x87, 0x77, 0x24, 0x9A, 0xDC, 0x9F, 0x7C, 0xA4},
+    {0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C,
+     0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4}
+};
+
+static const u8 header_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x1F, 0x12, 0x91, 0x3A, 0x4A, 0xCB, 0xF0, 0x0D, 0x4C, 0xDE, 0x3A, 0xF6, 0xD5, 0x23, 0x88, 0x2A};
+static const u8 header_key_source[0x20] __attribute__((aligned(4))) = {
+    0x5A, 0x3E, 0xD8, 0x4F, 0xDE, 0xC0, 0xD8, 0x26, 0x31, 0xF7, 0xE2, 0x5D, 0x19, 0x7B, 0xF5, 0xD0,
+    0x1C, 0x9B, 0x7B, 0xFA, 0xF6, 0x28, 0x18, 0x3D, 0x71, 0xF6, 0x4D, 0x73, 0xF1, 0x50, 0xB9, 0xD2};
+
+static const u8 key_area_key_sources[3][0x10] __attribute__((aligned(4))) = {
+    {0x7F, 0x59, 0x97, 0x1E, 0x62, 0x9F, 0x36, 0xA1, 0x30, 0x98, 0x06, 0x6F, 0x21, 0x44, 0xC3, 0x0D}, // application
+    {0x32, 0x7D, 0x36, 0x08, 0x5A, 0xD1, 0x75, 0x8D, 0xAB, 0x4E, 0x6F, 0xBA, 0xA5, 0x55, 0xD8, 0x82}, // ocean
+    {0x87, 0x45, 0xF1, 0xBB, 0xA6, 0xBE, 0x79, 0x64, 0x7D, 0x04, 0x8B, 0xA6, 0x7B, 0x5F, 0xDA, 0x4A}, // system
+};
+
+static const u8 save_mac_kek_source[0x10] __attribute__((aligned(4))) = {
+    0XD8, 0X9C, 0X23, 0X6E, 0XC9, 0X12, 0X4E, 0X43, 0XC8, 0X2B, 0X03, 0X87, 0X43, 0XF9, 0XCF, 0X1B};
+static const u8 save_mac_key_source[0x10] __attribute__((aligned(4))) = {
+    0XE4, 0XCD, 0X3D, 0X4A, 0XD5, 0X0F, 0X74, 0X28, 0X45, 0XA4, 0X87, 0XE5, 0XA0, 0X63, 0XEA, 0X1F};
+
+static const u8 save_mac_sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
+    0X04, 0X89, 0XEF, 0X5D, 0X32, 0X6E, 0X1A, 0X59, 0XC4, 0XB7, 0XAB, 0X8C, 0X36, 0X7A, 0XAB, 0X17};
+static const u8 save_mac_sd_card_key_source[0x10] __attribute__((aligned(4))) = {
+    0X6F, 0X64, 0X59, 0X47, 0XC5, 0X61, 0X46, 0XF9, 0XFF, 0XA0, 0X45, 0XD5, 0X95, 0X33, 0X29, 0X18};
+
+static const u8 sd_card_custom_storage_key_source[0x20] __attribute__((aligned(4))) = {
+    0X37, 0X0C, 0X34, 0X5E, 0X12, 0XE4, 0XCE, 0XFE, 0X21, 0XB5, 0X8E, 0X64, 0XDB, 0X52, 0XAF, 0X35,
+    0X4F, 0X2C, 0XA5, 0XA3, 0XFC, 0X99, 0X9A, 0X47, 0XC0, 0X3E, 0XE0, 0X04, 0X48, 0X5B, 0X2F, 0XD0};
+static const u8 sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
+    0X88, 0X35, 0X8D, 0X9C, 0X62, 0X9B, 0XA1, 0XA0, 0X01, 0X47, 0XDB, 0XE0, 0X62, 0X1B, 0X54, 0X32};
+static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = {
+    0X58, 0X41, 0XA2, 0X84, 0X93, 0X5B, 0X56, 0X27, 0X8B, 0X8E, 0X1F, 0XC5, 0X18, 0XE9, 0X9F, 0X2B,
+    0X67, 0XC7, 0X93, 0XF0, 0XF2, 0X4F, 0XDE, 0XD0, 0X75, 0X49, 0X5D, 0XCA, 0X00, 0X6D, 0X99, 0XC2};
+static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = {
+    0X24, 0X49, 0XB7, 0X22, 0X72, 0X67, 0X03, 0XA8, 0X19, 0X65, 0XE6, 0XE3, 0XEA, 0X58, 0X2F, 0XDD,
+    0X9A, 0X95, 0X15, 0X17, 0XB1, 0X6E, 0X8F, 0X7F, 0X1F, 0X68, 0X26, 0X31, 0X52, 0XEA, 0X29, 0X6A};
+
+void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation);
+void fs_derive_header_key(key_storage_t *keys, void *out_key);
+void fs_derive_key_area_key(key_storage_t *keys, void *out_key, u32 source_type, u32 generation);
+void fs_derive_save_mac_key(key_storage_t *keys, void *out_key);
+
+#endif
diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index 5d049f7..fa05e80 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -19,16 +19,6 @@ static const u8 null_hash[0x20] __attribute__((aligned(4))) = {
     0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
     0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
 
-static const u8 keyblob_key_sources[][0x10] __attribute__((aligned(4))) = {
-    {0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3}, //1.0.0
-    {0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC}, //3.0.0
-    {0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B}, //3.0.1
-    {0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE}, //4.0.0
-    {0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80}, //5.0.0
-    {0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0}  //6.0.0
-};
-
-//!TODO: Update on mkey changes.
 static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_620 + 1][0x10] __attribute__((aligned(4))) = {
     {0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0
     {0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0
@@ -39,9 +29,8 @@ static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION
     {0x68, 0x3B, 0xCA, 0x54, 0xB8, 0x6F, 0x92, 0x48, 0xC3, 0x05, 0x76, 0x87, 0x88, 0x70, 0x79, 0x23}, //13.0.0
     {0xF0, 0x13, 0x37, 0x9A, 0xD5, 0x63, 0x51, 0xC3, 0xB4, 0x96, 0x35, 0xBC, 0x9C, 0xE8, 0x76, 0x81}, //14.0.0
     {0x6E, 0x77, 0x86, 0xAC, 0x83, 0x0A, 0x8D, 0x3E, 0x7D, 0xB7, 0x66, 0xA0, 0x22, 0xB7, 0x6E, 0x67}, //15.0.0
-};
+}; //!TODO: Update on mkey changes.
 
-//!TODO: Update on mkey changes.
 static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = {
     {0x0C, 0xF0, 0x59, 0xAC, 0x85, 0xF6, 0x26, 0x65, 0xE1, 0xE9, 0x19, 0x55, 0xE6, 0xF2, 0x67, 0x3D}, /* Zeroes encrypted with Master Key 00. */
     {0x29, 0x4C, 0x04, 0xC8, 0xEB, 0x10, 0xED, 0x9D, 0x51, 0x64, 0x97, 0xFB, 0xF3, 0x4D, 0x50, 0xDD}, /* Master key 00 encrypted with Master key 01. */
@@ -58,9 +47,8 @@ static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribut
     {0xA3, 0x24, 0x65, 0x75, 0xEA, 0xCC, 0x6E, 0x8D, 0xFB, 0x5A, 0x16, 0x50, 0x74, 0xD2, 0x15, 0x06}, /* Master key 0B encrypted with Master key 0C. */
     {0x83, 0x67, 0xAF, 0x01, 0xCF, 0x93, 0xA1, 0xAB, 0x80, 0x45, 0xF7, 0x3F, 0x72, 0xFD, 0x3B, 0x38}, /* Master key 0C encrypted with Master key 0D. */
     {0xB1, 0x81, 0xA6, 0x0D, 0x72, 0xC7, 0xEE, 0x15, 0x21, 0xF3, 0xC0, 0xB5, 0x6B, 0x61, 0x6D, 0xE7}, /* Master key 0D encrypted with Master key 0E. */
-};
+}; //!TODO: Update on mkey changes.
 
-//!TODO: Update on mkey changes.
 static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = {
     {0x46, 0x22, 0xB4, 0x51, 0x9A, 0x7E, 0xA7, 0x7F, 0x62, 0xA1, 0x1F, 0x8F, 0xC5, 0x3A, 0xDB, 0xFE}, /* Zeroes encrypted with Master Key 00. */
     {0x39, 0x33, 0xF9, 0x31, 0xBA, 0xE4, 0xA7, 0x21, 0x2C, 0xDD, 0xB7, 0xD8, 0xB4, 0x4E, 0x37, 0x23}, /* Master key 00 encrypted with Master key 01. */
@@ -77,7 +65,7 @@ static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attr
     {0x8A, 0xCE, 0xC4, 0x7F, 0xBE, 0x08, 0x61, 0x88, 0xD3, 0x73, 0x64, 0x51, 0xE2, 0xB6, 0x53, 0x15}, /* Master key 0B encrypted with Master key 0C. */
     {0x08, 0xE0, 0xF4, 0xBE, 0xAA, 0x6E, 0x5A, 0xC3, 0xA6, 0xBC, 0xFE, 0xB9, 0xE2, 0xA3, 0x24, 0x12}, /* Master key 0C encrypted with Master key 0D. */
     {0xD6, 0x80, 0x98, 0xC0, 0xFA, 0xC7, 0x13, 0xCB, 0x93, 0xD2, 0x0B, 0x82, 0x4C, 0xA1, 0x7B, 0x8D}, /* Master key 0D encrypted with Master key 0E. */
-};
+}; //!TODO: Update on mkey changes.
 
 static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
     {0x20, 0x9E, 0x97, 0xAE, 0xAF, 0x7E, 0x6A, 0xF6, 0x9E, 0xF5, 0xA7, 0x17, 0x2F, 0xF4, 0x49, 0xA6}, /* Zeroes encrypted with AES Class Key 00. */
@@ -96,16 +84,22 @@ static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
     {0x95, 0x48, 0xC1, 0x59, 0x0F, 0x84, 0x19, 0xC4, 0xAB, 0x69, 0x05, 0x88, 0x01, 0x31, 0x52, 0x59}, /* Zeroes encrypted with Mariko BEK. */
 };
 
-//======================================Keys======================================//
-// from Package1 -> Secure_Monitor
 static const u8 package2_key_source[0x10] __attribute__((aligned(4))) = {
     0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7};
 static const u8 titlekek_source[0x10] __attribute__((aligned(4))) = {
     0x1E, 0xDC, 0x7B, 0x3B, 0x60, 0xE6, 0xB4, 0xD8, 0x78, 0xB8, 0x17, 0x15, 0x98, 0x5E, 0x62, 0x9B};
 
-// from Package1ldr (or Secure_Monitor on 6.2.0+)
+static const u8 keyblob_key_sources[][0x10] __attribute__((aligned(4))) = {
+    {0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3}, //1.0.0
+    {0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC}, //3.0.0
+    {0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B}, //3.0.1
+    {0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE}, //4.0.0
+    {0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80}, //5.0.0
+    {0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0}  //6.0.0
+};
 static const u8 keyblob_mac_key_source[0x10] __attribute__((aligned(4))) = {
     0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5};
+
 static const u8 master_key_source[0x10] __attribute__((aligned(4))) = {
     0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C};
 static const u8 per_console_key_source[0x10] __attribute__((aligned(4))) = {
@@ -136,96 +130,3 @@ static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW
     {0xEC, 0x5E, 0xB5, 0x11, 0xD5, 0x43, 0x1E, 0x6A, 0x4E, 0x54, 0x6F, 0xD4, 0xD3, 0x22, 0xCE, 0x87}, // 14.0.0.
     {0x18, 0xA5, 0x6F, 0xEF, 0x72, 0x11, 0x62, 0xC5, 0x1A, 0x14, 0xF1, 0x8C, 0x21, 0x83, 0x27, 0xB7}, // 15.0.0.
 }; //!TODO: Update on mkey changes.
-
-// from ES
-static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
-    0XDB, 0XA4, 0X51, 0X12, 0X4C, 0XA0, 0XA9, 0X83, 0X68, 0X14, 0XF5, 0XED, 0X95, 0XE3, 0X12, 0X5B};
-static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
-    0xBE, 0xC0, 0xBC, 0x8E, 0x75, 0xA0, 0xF6, 0x0C, 0x4A, 0x56, 0x64, 0x02, 0x3E, 0xD4, 0x9C, 0xD5};
-static const u8 eticket_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
-    0x88, 0x87, 0x50, 0x90, 0xA6, 0x2F, 0x75, 0x70, 0xA2, 0xD7, 0x71, 0x51, 0xAE, 0x6D, 0x39, 0x87};
-static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
-    0X46, 0X6E, 0X57, 0XB7, 0X4A, 0X44, 0X7F, 0X02, 0XF3, 0X21, 0XCD, 0XE5, 0X8F, 0X2F, 0X55, 0X35};
-
-// from SSL
-static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
-    0X7F, 0X5B, 0XB0, 0X84, 0X7B, 0X25, 0XAA, 0X67, 0XFA, 0XC8, 0X4B, 0XE2, 0X3D, 0X7B, 0X69, 0X03};
-static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
-    0X9A, 0X38, 0X3B, 0XF4, 0X31, 0XD0, 0XBD, 0X81, 0X32, 0X53, 0X4B, 0XA9, 0X64, 0X39, 0X7D, 0XE3};
-static const u8 ssl_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
-    0xD5, 0xD2, 0xFC, 0x00, 0xFD, 0x49, 0xDD, 0xF8, 0xEE, 0x7B, 0xC4, 0x4B, 0xE1, 0x4C, 0xAA, 0x99};
-static const u8 ssl_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
-    0xED, 0x36, 0xB1, 0x32, 0x27, 0x17, 0xD2, 0xB0, 0xBA, 0x1F, 0xC1, 0xBD, 0x4D, 0x38, 0x0F, 0x5E};
-static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = {
-    0x64, 0xB8, 0x30, 0xDD, 0x0F, 0x3C, 0xB7, 0xFB, 0x4C, 0x16, 0x01, 0x97, 0xEA, 0x9D, 0x12, 0x10};
-static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = {
-    0x4D, 0x92, 0x5A, 0x69, 0x42, 0x23, 0xBB, 0x92, 0x59, 0x16, 0x3E, 0x51, 0x8C, 0x78, 0x14, 0x0F};
-
-// from FS
-static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = {
-    0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
-static const u8 bis_key_sources[3][0x20] __attribute__((aligned(4))) = {
-    {0xF8, 0x3F, 0x38, 0x6E, 0x2C, 0xD2, 0xCA, 0x32, 0xA8, 0x9A, 0xB9, 0xAA, 0x29, 0xBF, 0xC7, 0x48,
-     0x7D, 0x92, 0xB0, 0x3A, 0xA8, 0xBF, 0xDE, 0xE1, 0xA7, 0x4C, 0x3B, 0x6E, 0x35, 0xCB, 0x71, 0x06},
-    {0x41, 0x00, 0x30, 0x49, 0xDD, 0xCC, 0xC0, 0x65, 0x64, 0x7A, 0x7E, 0xB4, 0x1E, 0xED, 0x9C, 0x5F,
-     0x44, 0x42, 0x4E, 0xDA, 0xB4, 0x9D, 0xFC, 0xD9, 0x87, 0x77, 0x24, 0x9A, 0xDC, 0x9F, 0x7C, 0xA4},
-    {0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C,
-     0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4}
-};
-static const u8 header_kek_source[0x10] __attribute__((aligned(4))) = {
-    0x1F, 0x12, 0x91, 0x3A, 0x4A, 0xCB, 0xF0, 0x0D, 0x4C, 0xDE, 0x3A, 0xF6, 0xD5, 0x23, 0x88, 0x2A};
-static const u8 header_key_source[0x20] __attribute__((aligned(4))) = {
-    0x5A, 0x3E, 0xD8, 0x4F, 0xDE, 0xC0, 0xD8, 0x26, 0x31, 0xF7, 0xE2, 0x5D, 0x19, 0x7B, 0xF5, 0xD0,
-    0x1C, 0x9B, 0x7B, 0xFA, 0xF6, 0x28, 0x18, 0x3D, 0x71, 0xF6, 0x4D, 0x73, 0xF1, 0x50, 0xB9, 0xD2};
-static const u8 key_area_key_sources[3][0x10] __attribute__((aligned(4))) = {
-    {0x7F, 0x59, 0x97, 0x1E, 0x62, 0x9F, 0x36, 0xA1, 0x30, 0x98, 0x06, 0x6F, 0x21, 0x44, 0xC3, 0x0D}, // application
-    {0x32, 0x7D, 0x36, 0x08, 0x5A, 0xD1, 0x75, 0x8D, 0xAB, 0x4E, 0x6F, 0xBA, 0xA5, 0x55, 0xD8, 0x82}, // ocean
-    {0x87, 0x45, 0xF1, 0xBB, 0xA6, 0xBE, 0x79, 0x64, 0x7D, 0x04, 0x8B, 0xA6, 0x7B, 0x5F, 0xDA, 0x4A}, // system
-};
-static const u8 save_mac_kek_source[0x10] __attribute__((aligned(4))) = {
-    0XD8, 0X9C, 0X23, 0X6E, 0XC9, 0X12, 0X4E, 0X43, 0XC8, 0X2B, 0X03, 0X87, 0X43, 0XF9, 0XCF, 0X1B};
-static const u8 save_mac_key_source[0x10] __attribute__((aligned(4))) = {
-    0XE4, 0XCD, 0X3D, 0X4A, 0XD5, 0X0F, 0X74, 0X28, 0X45, 0XA4, 0X87, 0XE5, 0XA0, 0X63, 0XEA, 0X1F};
-static const u8 save_mac_sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
-    0X04, 0X89, 0XEF, 0X5D, 0X32, 0X6E, 0X1A, 0X59, 0XC4, 0XB7, 0XAB, 0X8C, 0X36, 0X7A, 0XAB, 0X17};
-static const u8 save_mac_sd_card_key_source[0x10] __attribute__((aligned(4))) = {
-    0X6F, 0X64, 0X59, 0X47, 0XC5, 0X61, 0X46, 0XF9, 0XFF, 0XA0, 0X45, 0XD5, 0X95, 0X33, 0X29, 0X18};
-static const u8 sd_card_custom_storage_key_source[0x20] __attribute__((aligned(4))) = {
-    0X37, 0X0C, 0X34, 0X5E, 0X12, 0XE4, 0XCE, 0XFE, 0X21, 0XB5, 0X8E, 0X64, 0XDB, 0X52, 0XAF, 0X35,
-    0X4F, 0X2C, 0XA5, 0XA3, 0XFC, 0X99, 0X9A, 0X47, 0XC0, 0X3E, 0XE0, 0X04, 0X48, 0X5B, 0X2F, 0XD0};
-static const u8 sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
-    0X88, 0X35, 0X8D, 0X9C, 0X62, 0X9B, 0XA1, 0XA0, 0X01, 0X47, 0XDB, 0XE0, 0X62, 0X1B, 0X54, 0X32};
-static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = {
-    0X58, 0X41, 0XA2, 0X84, 0X93, 0X5B, 0X56, 0X27, 0X8B, 0X8E, 0X1F, 0XC5, 0X18, 0XE9, 0X9F, 0X2B,
-    0X67, 0XC7, 0X93, 0XF0, 0XF2, 0X4F, 0XDE, 0XD0, 0X75, 0X49, 0X5D, 0XCA, 0X00, 0X6D, 0X99, 0XC2};
-static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = {
-    0X24, 0X49, 0XB7, 0X22, 0X72, 0X67, 0X03, 0XA8, 0X19, 0X65, 0XE6, 0XE3, 0XEA, 0X58, 0X2F, 0XDD,
-    0X9A, 0X95, 0X15, 0X17, 0XB1, 0X6E, 0X8F, 0X7F, 0X1F, 0X68, 0X26, 0X31, 0X52, 0XEA, 0X29, 0X6A};
-
-// from NFC
-static const u8 nfc_key_source[0x10] __attribute__((aligned(4))) = {
-    0x83, 0xF6, 0xEF, 0xD8, 0x13, 0x26, 0x49, 0xAB, 0x97, 0x5F, 0xEA, 0xBA, 0x65, 0x71, 0xCA, 0xCA};
-static const u8 encrypted_nfc_keys[0x80] __attribute__((aligned(4))) = {
-    0x76, 0x50, 0x87, 0x02, 0x40, 0xA6, 0x5A, 0x98, 0xCE, 0x39, 0x2F, 0xC8, 0x83, 0xAF, 0x54, 0x76,
-    0x28, 0xFF, 0x50, 0xFC, 0xC1, 0xFB, 0x26, 0x14, 0xA2, 0x4A, 0xA6, 0x74, 0x90, 0xA4, 0x37, 0x06,
-    0x03, 0x63, 0xC2, 0xB1, 0xAF, 0x9F, 0xF7, 0x07, 0xFC, 0x8A, 0xB9, 0xCA, 0x28, 0x68, 0x6E, 0xF7,
-    0x42, 0xCD, 0x68, 0x13, 0xCD, 0x7B, 0x3A, 0x60, 0x3E, 0x8B, 0xAB, 0x3A, 0xCC, 0xED, 0xE0, 0xDD,
-    0x71, 0x1F, 0xA5, 0xDE, 0xB8, 0xB1, 0xF5, 0x1D, 0x14, 0x73, 0xBE, 0x27, 0xCC, 0xA1, 0x9B, 0x23,
-    0x06, 0x91, 0x89, 0x05, 0xED, 0xD6, 0x92, 0x76, 0x3F, 0x42, 0xFB, 0xD1, 0x8F, 0x2D, 0x6D, 0x72,
-    0xC8, 0x9E, 0x48, 0xE8, 0x03, 0x64, 0xF0, 0x3C, 0x0E, 0x2A, 0xF1, 0x26, 0x83, 0x02, 0x4F, 0xE2,
-    0x41, 0xAA, 0xC8, 0x33, 0x68, 0x84, 0x3A, 0xFB, 0x87, 0x18, 0xEA, 0xF7, 0x36, 0xA2, 0x4E, 0xA9};
-static const u8 encrypted_nfc_keys_dev[0x80] __attribute__((aligned(4))) = {
-    0x13, 0xB0, 0xFB, 0xC2, 0x91, 0x6D, 0x6E, 0x5A, 0x10, 0x31, 0x40, 0xB7, 0xDF, 0xCF, 0x69, 0x69,
-    0xB0, 0xFA, 0xAE, 0x7F, 0xB2, 0x4D, 0x27, 0xC9, 0xE9, 0x3F, 0x5B, 0x38, 0x39, 0x24, 0x98, 0xCE,
-    0xED, 0xD2, 0xA9, 0x6C, 0x6F, 0xA7, 0x72, 0xD7, 0x11, 0x31, 0x17, 0x93, 0x12, 0x49, 0x32, 0x85,
-    0x21, 0xE5, 0xE1, 0x88, 0x0F, 0x08, 0xF2, 0x30, 0x5C, 0xC3, 0xAA, 0xFF, 0xC0, 0xAB, 0x21, 0x96,
-    0x74, 0x39, 0xED, 0xE0, 0x5A, 0xB6, 0x75, 0xC2, 0x3B, 0x08, 0x61, 0xE4, 0xA7, 0xD6, 0xED, 0x8C,
-    0xA9, 0x02, 0x12, 0xA6, 0xCC, 0x27, 0x4C, 0x1C, 0x41, 0x9C, 0xD8, 0x4C, 0x00, 0xC7, 0x5B, 0x5D,
-    0xED, 0xC2, 0x3D, 0x5E, 0x00, 0xF5, 0x49, 0xFA, 0x6C, 0x75, 0x67, 0xCF, 0x1F, 0x73, 0x1A, 0xE8,
-    0x47, 0xD4, 0x3D, 0x9B, 0x83, 0x5B, 0x18, 0x2F, 0x95, 0xA9, 0x04, 0xBC, 0x2E, 0xBB, 0x64, 0x4A};
-static const u8 nfc_blob_hash[0x20] __attribute__((aligned(4))) = {
-    0x7F, 0x92, 0x83, 0x65, 0x4E, 0xC1, 0x09, 0x7F, 0xBD, 0xFF, 0x31, 0xDE, 0x94, 0x66, 0x51, 0xAE,
-    0x60, 0xC2, 0x85, 0x4A, 0xFB, 0x54, 0x4A, 0xBE, 0x89, 0x63, 0xD3, 0x89, 0x63, 0x9C, 0x71, 0x0E};
-static const u8 nfc_blob_hash_dev[0x20] __attribute__((aligned(4))) = {
-    0x4E, 0x36, 0x59, 0x1C, 0x75, 0x80, 0x23, 0x03, 0x98, 0x2D, 0x45, 0xD9, 0x85, 0xB8, 0x60, 0x18,
-    0x7C, 0x85, 0x37, 0x9B, 0xCB, 0xBA, 0xF3, 0xDC, 0x25, 0x38, 0x73, 0xDB, 0x2F, 0xFA, 0xAE, 0x26};
diff --git a/source/keys/keys.c b/source/keys/keys.c
index f7fc7c3..17ef755 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -17,9 +17,11 @@
 #include "keys.h"
 
 #include "cal0_read.h"
+#include "es_crypto.h"
+#include "fs_crypto.h"
 #include "gmac.h"
-
-#include "../../keygen/tsec_keygen.h"
+#include "nfc_crypto.h"
+#include "ssl_crypto.h"
 
 #include "../config.h"
 #include <display/di.h>
@@ -35,9 +37,7 @@
 #include <mem/sdram.h>
 #include <sec/se.h>
 #include <sec/se_t210.h>
-#include <sec/tsec.h>
 #include <soc/fuse.h>
-#include <mem/smmu.h>
 #include <soc/t210.h>
 #include "../storage/emummc.h"
 #include "../storage/nx_emmc.h"
@@ -59,49 +59,49 @@ static u32 _key_count = 0, _titlekey_count = 0;
 static u32 start_time, end_time;
 u32 color_idx = 0;
 
-// key functions
-static int  _key_exists(const void *data) { return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0; };
-static void _save_key(const char *name, const void *data, u32 len, char *outbuf);
-static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf);
+static void _save_key(const char *name, const void *data, u32 len, char *outbuf) {
+    if (!key_exists(data))
+        return;
+    u32 pos = strlen(outbuf);
+    pos += s_printf(&outbuf[pos], "%s = ", name);
+    for (u32 i = 0; i < len; i++)
+        pos += s_printf(&outbuf[pos], "%02x", *(u8*)(data + i));
+    s_printf(&outbuf[pos], "\n");
+    _key_count++;
+}
 
-static void _derive_master_key_mariko(key_storage_t *keys, bool is_dev) {
+static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf) {
+    char *temp_name = calloc(1, 0x40);
+    for (u32 i = 0; i < num_keys; i++) {
+        s_printf(temp_name, "%s_%02x", name, i + start_key);
+        _save_key(temp_name, data + i * len, len, outbuf);
+    }
+    free(temp_name);
+}
+
+static void _derive_master_keys_mariko(key_storage_t *keys, bool is_dev) {
     minerva_periodic_training();
     // Relies on the SBK being properly set in slot 14
     se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source);
     // Derive all master keys based on Mariko KEK
     for (u32 i = KB_FIRMWARE_VERSION_600; i < ARRAY_SIZE(mariko_master_kek_sources) + KB_FIRMWARE_VERSION_600; i++) {
         // Relies on the Mariko KEK being properly set in slot 12
-        se_aes_crypt_block_ecb(KS_MARIKO_KEK, DECRYPT, keys->master_kek[i], is_dev ? &mariko_master_kek_sources_dev[i - KB_FIRMWARE_VERSION_600] : &mariko_master_kek_sources[i - KB_FIRMWARE_VERSION_600]);
+        u32 kek_source_index = i - KB_FIRMWARE_VERSION_600;
+        const void *kek_source = is_dev ? &mariko_master_kek_sources_dev[kek_source_index] : &mariko_master_kek_sources[kek_source_index];
+        se_aes_crypt_block_ecb(KS_MARIKO_KEK, DECRYPT, keys->master_kek[i], kek_source);
         load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
     }
 }
 
-static int _run_ams_keygen(key_storage_t *keys) {
-    tsec_ctxt_t tsec_ctxt;
-    tsec_ctxt.fw = tsec_keygen;
-    tsec_ctxt.size = sizeof(tsec_keygen);
-    tsec_ctxt.type = TSEC_FW_TYPE_NEW;
-
-    u32 retries = 0;
-    while (tsec_query(keys->temp_key, &tsec_ctxt) < 0) {
-        retries++;
-        if (retries > 15) {
-            EPRINTF("Failed to run keygen.");
-            return -1;
-        }
-    }
-
-    return 0;
-}
-
 static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev) {
     minerva_periodic_training();
     if (!h_cfg.t210b01) {
-        u32 tsec_root_key_slot = is_dev ? 11 : 13;
+        u32 tsec_root_key_slot = is_dev ? KS_TSEC_ROOT_DEV : KS_TSEC_ROOT;
         // Derive all master keys based on current root key
         for (u32 i = KB_FIRMWARE_VERSION_810 - KB_FIRMWARE_VERSION_620; i < ARRAY_SIZE(master_kek_sources); i++) {
-            se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_kek_sources[i]);
-            load_aes_key(KS_AES_ECB, keys->master_key[i + KB_FIRMWARE_VERSION_620], keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_key_source);
+            u32 key_index = i + KB_FIRMWARE_VERSION_620;
+            se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[key_index], master_kek_sources[i]);
+            load_aes_key(KS_AES_ECB, keys->master_key[key_index], keys->master_kek[key_index], master_key_source);
         }
     }
 
@@ -113,7 +113,7 @@ static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev
     }
     load_aes_key(KS_AES_ECB, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]);
 
-    if (_key_exists(keys->temp_key)) {
+    if (key_exists(keys->temp_key)) {
         EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod");
         memset(keys->master_key, 0, sizeof(keys->master_key));
     }
@@ -176,7 +176,7 @@ static void _derive_keyblob_keys(key_storage_t *keys) {
 
         memcpy(keys->package1_key[i], keys->keyblob[i].package1_key, sizeof(keys->package1_key[i]));
         memcpy(keys->master_kek[i], keys->keyblob[i].master_kek, sizeof(keys->master_kek[i]));
-        if (!_key_exists(keys->master_key[i])) {
+        if (!key_exists(keys->master_key[i])) {
             load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
         }
     }
@@ -186,67 +186,26 @@ static void _derive_keyblob_keys(key_storage_t *keys) {
 static void _derive_bis_keys(key_storage_t *keys) {
     minerva_periodic_training();
     u32 generation = fuse_read_odm_keygen_rev();
-
-    if (!(_key_exists(keys->device_key) || (generation && _key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x)))) {
-        return;
-    }
-    generate_specific_aes_key(KS_AES_ECB, keys, &keys->bis_key[0], bis_key_sources[0], generation);
-    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
-    const u32 option = IS_DEVICE_UNIQUE;
-    generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option);
-    generate_aes_key(KS_AES_ECB, keys, keys->bis_key[1], sizeof(keys->bis_key[1]), access_key, bis_key_sources[1]);
-    generate_aes_key(KS_AES_ECB, keys, keys->bis_key[2], sizeof(keys->bis_key[2]), access_key, bis_key_sources[2]);
-    memcpy(keys->bis_key[3], keys->bis_key[2], sizeof(keys->bis_key[3]));
-}
-
-static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) {
-    minerva_periodic_training();
-    if (_key_exists(keys->master_key[0])) {
-        const u32 generation = 0;
-        const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
-        generate_aes_kek(KS_AES_ECB, keys, keys->temp_key, header_kek_source, generation, option);
-        generate_aes_key(KS_AES_ECB, keys, keys->header_key, sizeof(keys->header_key), keys->temp_key, header_key_source);
-    }
-}
-
-static void _derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
-    void *access_key = keys->temp_key;
-    generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
-    get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
+    fs_derive_bis_keys(keys, keys->bis_key, generation);
 }
 
 static void _derive_misc_keys(key_storage_t *keys, bool is_dev) {
     minerva_periodic_training();
-    if (_key_exists(keys->device_key) || (_key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x))) {
-        void *access_key = keys->temp_key;
-        const u32 generation = 0;
-        const u32 option = IS_DEVICE_UNIQUE;
-        generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option);
-        load_aes_key(KS_AES_ECB, keys->save_mac_key, access_key, save_mac_key_source);
-    }
-
-    if (_key_exists(keys->master_key[0])) {
-        const void *eticket_kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
-        const u32 generation = 0;
-        u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
-        _derive_rsa_kek(KS_AES_ECB, keys, keys->eticket_rsa_kek, eticket_rsa_kekek_source, eticket_kek_source, generation, option);
-
-        const void *ssl_kek_source = is_dev ? ssl_rsa_kek_source_dev : ssl_rsa_kek_source;
-        option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
-        _derive_rsa_kek(KS_AES_ECB, keys, keys->ssl_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
-    }
+    fs_derive_save_mac_key(keys, keys->save_mac_key);
+    es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev);
+    ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev);
 }
 
-static void _derive_per_generation_keys(key_storage_t *keys) {
+static void _derive_non_unique_keys(key_storage_t *keys) {
+    minerva_periodic_training();
+    fs_derive_header_key(keys, keys->header_key);
+
     for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) {
         minerva_periodic_training();
-        if (!_key_exists(keys->master_key[generation]))
+        if (!key_exists(keys->master_key[generation]))
             continue;
         for (u32 source_type = 0; source_type < ARRAY_SIZE(key_area_key_sources); source_type++) {
-            void *access_key = keys->temp_key;
-            const u32 option = GET_IS_DEVICE_UNIQUE(NOT_DEVICE_UNIQUE);
-            generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
-            load_aes_key(KS_AES_ECB, keys->key_area_key[source_type][generation], access_key, aes_key_generation_source);
+            fs_derive_key_area_key(keys, keys->key_area_key[source_type][generation], source_type, generation);
         }
         load_aes_key(KS_AES_ECB, keys->package2_key[generation], keys->master_key[generation], package2_key_source);
         load_aes_key(KS_AES_ECB, keys->titlekek[generation], keys->master_key[generation], titlekek_source);
@@ -292,7 +251,7 @@ static void _decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u3
     }
 }
 
-static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, rsa_keypair_t *rsa_keypair) {
+static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, eticket_rsa_keypair_t *rsa_keypair) {
     FIL fp;
     u64 br = buf_size;
     u64 offset = 0;
@@ -471,14 +430,12 @@ static bool _decrypt_ssl_rsa_key(key_storage_t *keys, titlekey_buffer_t *titleke
             return true;
         }
 
-        const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
+        ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy);
         ctr_key = keys->ssl_rsa_kek_legacy;
-        _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
         enforce_unique = false;
     } else if (generation) {
-        const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
+        ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation);
         ctr_key = keys->ssl_rsa_kek_personalized;
-        _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
     } else {
         ctr_key = keys->ssl_rsa_kek;
     }
@@ -520,9 +477,9 @@ static bool _decrypt_eticket_rsa_key(key_storage_t *keys, titlekey_buffer_t *tit
 
     // Handle legacy case
     if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
-        const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
-        ctr_key = keys->temp_key;
-        _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option);
+        u32 temp_key[SE_KEY_128_SIZE / 4] = {0};
+        es_derive_rsa_kek_legacy(keys, temp_key);
+        ctr_key = temp_key;
 
         se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
         se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
@@ -535,10 +492,8 @@ static bool _decrypt_eticket_rsa_key(key_storage_t *keys, titlekey_buffer_t *tit
     }
 
     if (generation) {
-        const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
+        es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev);
         ctr_key = keys->eticket_rsa_kek_personalized;
-        const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
-        _derive_rsa_kek(KS_AES_ECB, keys, ctr_key, eticket_rsa_kekek_source, kek_source, generation, option);
     } else {
         ctr_key = keys->eticket_rsa_kek;
     }
@@ -556,16 +511,12 @@ static bool _decrypt_eticket_rsa_key(key_storage_t *keys, titlekey_buffer_t *tit
 }
 
 static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
-    if (!_key_exists(keys->eticket_rsa_kek)) {
+    if (!key_exists(keys->eticket_rsa_kek)) {
         return false;
     }
 
     gfx_printf("%kTitlekeys...     \n", colors[(color_idx++) % 6]);
 
-    if (!_decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev)) {
-        return false;
-    }
-
     const u32 buf_size = SAVE_BLOCK_SIZE_DEFAULT;
     _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, NULL);
     _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &keys->eticket_rsa_keypair);
@@ -591,6 +542,17 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
         EPRINTF("Unable to set partition.");
         return false;
     }
+
+    bool res = _decrypt_ssl_rsa_key(keys, titlekey_buffer);
+    if (!res) {
+        EPRINTF("Unable to derive SSL key.");
+    }
+
+    res =_decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev);
+    if (!res) {
+        EPRINTF("Unable to derive ETicket key.");
+    }
+
     // Parse eMMC GPT
     LIST_INIT(gpt);
     nx_emmc_gpt_parse(&gpt, &emmc_storage);
@@ -616,11 +578,6 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
         EPRINTF("Unable to get SD seed.");
     }
 
-    bool res = _decrypt_ssl_rsa_key(keys, titlekey_buffer);
-    if (!res) {
-        EPRINTF("Unable to derive SSL key.");
-    }
-
     res = _derive_titlekeys(keys, titlekey_buffer, is_dev);
     if (!res) {
         EPRINTF("Unable to derive titlekeys.");
@@ -660,7 +617,7 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
         // Check if key is as expected
         if (ks < ARRAY_SIZE(mariko_key_vectors)) {
             se_aes_crypt_block_ecb(ks, DECRYPT, &data[0], mariko_key_vectors[ks]);
-            if (_key_exists(data)) {
+            if (key_exists(data)) {
                 EPRINTFARGS("Failed to validate keyslot %d.", ks);
                 continue;
             }
@@ -858,19 +815,19 @@ static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_key
     key_storage_t *keys = is_dev ? dev_keys : prod_keys;
 
     if (h_cfg.t210b01) {
-        _derive_master_key_mariko(keys, is_dev);
+        _derive_master_keys_mariko(keys, is_dev);
         _derive_master_keys_from_latest_key(keys, is_dev);
     } else {
-        int res = _run_ams_keygen(keys);
-        if (res) {
+        if (run_ams_keygen(keys)) {
+            EPRINTF("Failed to run keygen.");
             return;
         }
 
         u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
         se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
         memcpy(&dev_keys->tsec_root_key,  aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
-        memcpy(keys->tsec_key,            aes_keys + KS_TSEC * SE_KEY_128_SIZE,          SE_KEY_128_SIZE);
-        memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE,     SE_KEY_128_SIZE);
+        memcpy(keys->tsec_key,            aes_keys + KS_TSEC          * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT     * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
         free(aes_keys);
 
         _derive_master_keys_from_latest_key(prod_keys, false);
@@ -916,17 +873,15 @@ static void _derive_keys() {
     TPRINTFARGS("%kBIS keys...     ", colors[(color_idx++) % 6]);
 
     _derive_misc_keys(keys, is_dev);
-    _derive_non_unique_keys(&prod_keys, is_dev);
-    _derive_non_unique_keys(&dev_keys, is_dev);
-    _derive_per_generation_keys(&prod_keys);
-    _derive_per_generation_keys(&dev_keys);
+    _derive_non_unique_keys(&prod_keys);
+    _derive_non_unique_keys(&dev_keys);
 
     titlekey_buffer_t *titlekey_buffer = (titlekey_buffer_t *)TITLEKEY_BUF_ADR;
 
     // Requires BIS key for SYSTEM partition
     if (!emmc_storage.initialized) {
         EPRINTF("eMMC not initialized.\nSkipping SD seed and titlekeys.");
-    } else if (_key_exists(keys->bis_key[2])) {
+    } else if (key_exists(keys->bis_key[2])) {
         _derive_emmc_keys(keys, titlekey_buffer, is_dev);
     } else {
         EPRINTF("Missing needed BIS keys.\nSkipping SD seed and titlekeys.");
@@ -946,37 +901,6 @@ static void _derive_keys() {
     }
 }
 
- static void _decrypt_amiibo_keys(key_storage_t *keys, const u8 *encrypted_keys, nfc_save_key_t nfc_save_keys[2]) {
-    u32 kek[SE_KEY_128_SIZE / 4] = {0};
-    decrypt_aes_key(KS_AES_ECB, keys, kek, nfc_key_source, 0, 0);
-
-    nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
-    static const u8 nfc_iv[SE_KEY_128_SIZE] = {
-        0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
-    se_aes_key_set(KS_AES_CTR, kek, SE_KEY_128_SIZE);
-    se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
-
-    minerva_periodic_training();
-
-    u32 xor_pad[0x20 / 4] = {0};
-    se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE);
-    se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
-
-    minerva_periodic_training();
-
-    memcpy(nfc_save_keys[0].hmac_key, nfc_keyblob.hmac_key, sizeof(nfc_keyblob.hmac_key));
-    memcpy(nfc_save_keys[0].phrase, nfc_keyblob.phrase, sizeof(nfc_keyblob.phrase));
-    nfc_save_keys[0].seed_size = sizeof(nfc_keyblob.seed);
-    memcpy(nfc_save_keys[0].seed, nfc_keyblob.seed, sizeof(nfc_keyblob.seed));
-    memcpy(nfc_save_keys[0].xor_pad, xor_pad, sizeof(xor_pad));
-
-    memcpy(nfc_save_keys[1].hmac_key, nfc_keyblob.hmac_key_for_verif, sizeof(nfc_keyblob.hmac_key_for_verif));
-    memcpy(nfc_save_keys[1].phrase, nfc_keyblob.phrase_for_verif, sizeof(nfc_keyblob.phrase_for_verif));
-    nfc_save_keys[1].seed_size = sizeof(nfc_keyblob.seed_for_verif);
-    memcpy(nfc_save_keys[1].seed, nfc_keyblob.seed_for_verif, sizeof(nfc_keyblob.seed_for_verif));
-    memcpy(nfc_save_keys[1].xor_pad, xor_pad, sizeof(xor_pad));
- }
-
 void derive_amiibo_keys() {
     minerva_change_freq(FREQ_1600);
 
@@ -984,7 +908,6 @@ void derive_amiibo_keys() {
 
     key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0};
     key_storage_t *keys = is_dev ? &dev_keys : &prod_keys;
-    const u8 *encrypted_keys = is_dev ? encrypted_nfc_keys_dev : encrypted_nfc_keys;
 
     _derive_master_keys(&prod_keys, &dev_keys, is_dev);
 
@@ -998,7 +921,7 @@ void derive_amiibo_keys() {
 
     minerva_periodic_training();
 
-    if (!_key_exists(keys->master_key[0])) {
+    if (!key_exists(keys->master_key[0])) {
         EPRINTF("Unable to derive master keys for NFC.");
         minerva_change_freq(FREQ_800);
         btn_wait();
@@ -1007,7 +930,7 @@ void derive_amiibo_keys() {
 
     nfc_save_key_t __attribute__((aligned(4))) nfc_save_keys[2] = {0};
 
-    _decrypt_amiibo_keys(keys, encrypted_keys, nfc_save_keys);
+    nfc_decrypt_amiibo_keys(keys, nfc_save_keys, is_dev);
 
     minerva_periodic_training();
 
@@ -1073,23 +996,3 @@ void dump_keys() {
     }
     gfx_clear_grey(0x1B);
 }
-
-static void _save_key(const char *name, const void *data, u32 len, char *outbuf) {
-    if (!_key_exists(data))
-        return;
-    u32 pos = strlen(outbuf);
-    pos += s_printf(&outbuf[pos], "%s = ", name);
-    for (u32 i = 0; i < len; i++)
-        pos += s_printf(&outbuf[pos], "%02x", *(u8*)(data + i));
-    s_printf(&outbuf[pos], "\n");
-    _key_count++;
-}
-
-static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf) {
-    char *temp_name = calloc(1, 0x40);
-    for (u32 i = 0; i < num_keys; i++) {
-        s_printf(temp_name, "%s_%02x", name, i + start_key);
-        _save_key(temp_name, data + i * len, len, outbuf);
-    }
-    free(temp_name);
-}
diff --git a/source/keys/keys.h b/source/keys/keys.h
index 3f15719..622249e 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -62,27 +62,6 @@ typedef struct {
     u8 titlekeys[SZ_256K / 0x10][0x10];
 } titlekey_buffer_t;
 
-typedef struct {
-    char phrase[0xE];
-    u8 seed[0xE];
-    u8 hmac_key[0x10];
-    char phrase_for_verif[0xE];
-    u8 seed_for_verif[0x10];
-    u8 hmac_key_for_verif[0x10];
-    u8 ctr_key[0x10];
-    u8 ctr_iv[0x10];
-    u8 pad[6];
-} nfc_keyblob_t;
-
-typedef struct {
-    u8 hmac_key[0x10];
-    char phrase[0xE];
-    u8 rsvd;
-    u8 seed_size;
-    u8 seed[0x10];
-    u8 xor_pad[0x20];
-} nfc_save_key_t;
-
 typedef struct {
     char rights_id[0x20];
     char equals[3];
diff --git a/source/keys/nfc_crypto.c b/source/keys/nfc_crypto.c
new file mode 100644
index 0000000..078d5e7
--- /dev/null
+++ b/source/keys/nfc_crypto.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "nfc_crypto.h"
+
+#include <mem/minerva.h>
+#include <sec/se.h>
+
+#include <string.h>
+
+void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_keys[2], bool is_dev) {
+    const u8 *encrypted_keys = is_dev ? encrypted_nfc_keys_dev : encrypted_nfc_keys;
+    u32 kek[SE_KEY_128_SIZE / 4] = {0};
+    decrypt_aes_key(KS_AES_ECB, keys, kek, nfc_key_source, 0, 0);
+
+    nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
+    static const u8 nfc_iv[SE_KEY_128_SIZE] = {
+        0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
+    se_aes_key_set(KS_AES_CTR, kek, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
+
+    minerva_periodic_training();
+
+    u32 xor_pad[0x20 / 4] = {0};
+    se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
+
+    minerva_periodic_training();
+
+    memcpy(out_nfc_save_keys[0].hmac_key, nfc_keyblob.hmac_key, sizeof(nfc_keyblob.hmac_key));
+    memcpy(out_nfc_save_keys[0].phrase, nfc_keyblob.phrase, sizeof(nfc_keyblob.phrase));
+    out_nfc_save_keys[0].seed_size = sizeof(nfc_keyblob.seed);
+    memcpy(out_nfc_save_keys[0].seed, nfc_keyblob.seed, sizeof(nfc_keyblob.seed));
+    memcpy(out_nfc_save_keys[0].xor_pad, xor_pad, sizeof(xor_pad));
+
+    memcpy(out_nfc_save_keys[1].hmac_key, nfc_keyblob.hmac_key_for_verif, sizeof(nfc_keyblob.hmac_key_for_verif));
+    memcpy(out_nfc_save_keys[1].phrase, nfc_keyblob.phrase_for_verif, sizeof(nfc_keyblob.phrase_for_verif));
+    out_nfc_save_keys[1].seed_size = sizeof(nfc_keyblob.seed_for_verif);
+    memcpy(out_nfc_save_keys[1].seed, nfc_keyblob.seed_for_verif, sizeof(nfc_keyblob.seed_for_verif));
+    memcpy(out_nfc_save_keys[1].xor_pad, xor_pad, sizeof(xor_pad));
+}
diff --git a/source/keys/nfc_crypto.h b/source/keys/nfc_crypto.h
new file mode 100644
index 0000000..26a1104
--- /dev/null
+++ b/source/keys/nfc_crypto.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _NFC_CRYPTO_H_
+#define _NFC_CRYPTO_H_
+
+#include "crypto.h"
+
+#include <sec/se_t210.h>
+#include <utils/types.h>
+
+static const u8 nfc_key_source[0x10] __attribute__((aligned(4))) = {
+    0x83, 0xF6, 0xEF, 0xD8, 0x13, 0x26, 0x49, 0xAB, 0x97, 0x5F, 0xEA, 0xBA, 0x65, 0x71, 0xCA, 0xCA};
+static const u8 encrypted_nfc_keys[0x80] __attribute__((aligned(4))) = {
+    0x76, 0x50, 0x87, 0x02, 0x40, 0xA6, 0x5A, 0x98, 0xCE, 0x39, 0x2F, 0xC8, 0x83, 0xAF, 0x54, 0x76,
+    0x28, 0xFF, 0x50, 0xFC, 0xC1, 0xFB, 0x26, 0x14, 0xA2, 0x4A, 0xA6, 0x74, 0x90, 0xA4, 0x37, 0x06,
+    0x03, 0x63, 0xC2, 0xB1, 0xAF, 0x9F, 0xF7, 0x07, 0xFC, 0x8A, 0xB9, 0xCA, 0x28, 0x68, 0x6E, 0xF7,
+    0x42, 0xCD, 0x68, 0x13, 0xCD, 0x7B, 0x3A, 0x60, 0x3E, 0x8B, 0xAB, 0x3A, 0xCC, 0xED, 0xE0, 0xDD,
+    0x71, 0x1F, 0xA5, 0xDE, 0xB8, 0xB1, 0xF5, 0x1D, 0x14, 0x73, 0xBE, 0x27, 0xCC, 0xA1, 0x9B, 0x23,
+    0x06, 0x91, 0x89, 0x05, 0xED, 0xD6, 0x92, 0x76, 0x3F, 0x42, 0xFB, 0xD1, 0x8F, 0x2D, 0x6D, 0x72,
+    0xC8, 0x9E, 0x48, 0xE8, 0x03, 0x64, 0xF0, 0x3C, 0x0E, 0x2A, 0xF1, 0x26, 0x83, 0x02, 0x4F, 0xE2,
+    0x41, 0xAA, 0xC8, 0x33, 0x68, 0x84, 0x3A, 0xFB, 0x87, 0x18, 0xEA, 0xF7, 0x36, 0xA2, 0x4E, 0xA9};
+static const u8 encrypted_nfc_keys_dev[0x80] __attribute__((aligned(4))) = {
+    0x13, 0xB0, 0xFB, 0xC2, 0x91, 0x6D, 0x6E, 0x5A, 0x10, 0x31, 0x40, 0xB7, 0xDF, 0xCF, 0x69, 0x69,
+    0xB0, 0xFA, 0xAE, 0x7F, 0xB2, 0x4D, 0x27, 0xC9, 0xE9, 0x3F, 0x5B, 0x38, 0x39, 0x24, 0x98, 0xCE,
+    0xED, 0xD2, 0xA9, 0x6C, 0x6F, 0xA7, 0x72, 0xD7, 0x11, 0x31, 0x17, 0x93, 0x12, 0x49, 0x32, 0x85,
+    0x21, 0xE5, 0xE1, 0x88, 0x0F, 0x08, 0xF2, 0x30, 0x5C, 0xC3, 0xAA, 0xFF, 0xC0, 0xAB, 0x21, 0x96,
+    0x74, 0x39, 0xED, 0xE0, 0x5A, 0xB6, 0x75, 0xC2, 0x3B, 0x08, 0x61, 0xE4, 0xA7, 0xD6, 0xED, 0x8C,
+    0xA9, 0x02, 0x12, 0xA6, 0xCC, 0x27, 0x4C, 0x1C, 0x41, 0x9C, 0xD8, 0x4C, 0x00, 0xC7, 0x5B, 0x5D,
+    0xED, 0xC2, 0x3D, 0x5E, 0x00, 0xF5, 0x49, 0xFA, 0x6C, 0x75, 0x67, 0xCF, 0x1F, 0x73, 0x1A, 0xE8,
+    0x47, 0xD4, 0x3D, 0x9B, 0x83, 0x5B, 0x18, 0x2F, 0x95, 0xA9, 0x04, 0xBC, 0x2E, 0xBB, 0x64, 0x4A};
+static const u8 nfc_blob_hash[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
+    0x7F, 0x92, 0x83, 0x65, 0x4E, 0xC1, 0x09, 0x7F, 0xBD, 0xFF, 0x31, 0xDE, 0x94, 0x66, 0x51, 0xAE,
+    0x60, 0xC2, 0x85, 0x4A, 0xFB, 0x54, 0x4A, 0xBE, 0x89, 0x63, 0xD3, 0x89, 0x63, 0x9C, 0x71, 0x0E};
+static const u8 nfc_blob_hash_dev[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
+    0x4E, 0x36, 0x59, 0x1C, 0x75, 0x80, 0x23, 0x03, 0x98, 0x2D, 0x45, 0xD9, 0x85, 0xB8, 0x60, 0x18,
+    0x7C, 0x85, 0x37, 0x9B, 0xCB, 0xBA, 0xF3, 0xDC, 0x25, 0x38, 0x73, 0xDB, 0x2F, 0xFA, 0xAE, 0x26};
+
+typedef struct {
+    char phrase[0xE];
+    u8 seed[0xE];
+    u8 hmac_key[0x10];
+    char phrase_for_verif[0xE];
+    u8 seed_for_verif[0x10];
+    u8 hmac_key_for_verif[0x10];
+    u8 ctr_key[0x10];
+    u8 ctr_iv[0x10];
+    u8 pad[6];
+} nfc_keyblob_t;
+
+typedef struct {
+    u8 hmac_key[0x10];
+    char phrase[0xE];
+    u8 rsvd;
+    u8 seed_size;
+    u8 seed[0x10];
+    u8 xor_pad[0x20];
+} nfc_save_key_t;
+
+void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_keys[2], bool is_dev);
+
+#endif
diff --git a/source/keys/ssl_crypto.c b/source/keys/ssl_crypto.c
new file mode 100644
index 0000000..109627f
--- /dev/null
+++ b/source/keys/ssl_crypto.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "ssl_crypto.h"
+
+#include "../config.h"
+
+extern hekate_config h_cfg;
+
+void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation) {
+    if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
+        return;
+    }
+
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
+}
+
+void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    const u32 generation = 0;
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
+}
+
+void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    const void *ssl_kek_source = is_dev ? ssl_rsa_kek_source_dev : ssl_rsa_kek_source;
+    const u32 generation = 0;
+    u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
+}
diff --git a/source/keys/ssl_crypto.h b/source/keys/ssl_crypto.h
new file mode 100644
index 0000000..de462a6
--- /dev/null
+++ b/source/keys/ssl_crypto.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _SSL_CRYPTO_H_
+#define _SSL_CRYPTO_H_
+
+#include "crypto.h"
+
+#include <utils/types.h>
+
+static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
+    0X7F, 0X5B, 0XB0, 0X84, 0X7B, 0X25, 0XAA, 0X67, 0XFA, 0XC8, 0X4B, 0XE2, 0X3D, 0X7B, 0X69, 0X03};
+static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
+    0X9A, 0X38, 0X3B, 0XF4, 0X31, 0XD0, 0XBD, 0X81, 0X32, 0X53, 0X4B, 0XA9, 0X64, 0X39, 0X7D, 0XE3};
+static const u8 ssl_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
+    0xD5, 0xD2, 0xFC, 0x00, 0xFD, 0x49, 0xDD, 0xF8, 0xEE, 0x7B, 0xC4, 0x4B, 0xE1, 0x4C, 0xAA, 0x99};
+static const u8 ssl_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
+    0xED, 0x36, 0xB1, 0x32, 0x27, 0x17, 0xD2, 0xB0, 0xBA, 0x1F, 0xC1, 0xBD, 0x4D, 0x38, 0x0F, 0x5E};
+static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x64, 0xB8, 0x30, 0xDD, 0x0F, 0x3C, 0xB7, 0xFB, 0x4C, 0x16, 0x01, 0x97, 0xEA, 0x9D, 0x12, 0x10};
+static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = {
+    0x4D, 0x92, 0x5A, 0x69, 0x42, 0x23, 0xBB, 0x92, 0x59, 0x16, 0x3E, 0x51, 0x8C, 0x78, 0x14, 0x0F};
+
+void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation);
+void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
+void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
+
+#endif

From 1b2c829ca07ac1c4c2997b0fd0a6a45ab9a7682a Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 5 Nov 2022 14:40:33 -0700
Subject: [PATCH 15/21] keys: Fix hex prefix capitalization

---
 source/keys/es_crypto.h  |  4 ++--
 source/keys/fs_crypto.h  | 22 +++++++++++-----------
 source/keys/ssl_crypto.h |  4 ++--
 3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/source/keys/es_crypto.h b/source/keys/es_crypto.h
index cc0fb95..acca3f8 100644
--- a/source/keys/es_crypto.h
+++ b/source/keys/es_crypto.h
@@ -23,13 +23,13 @@
 #include <utils/types.h>
 
 static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
-    0XDB, 0XA4, 0X51, 0X12, 0X4C, 0XA0, 0XA9, 0X83, 0X68, 0X14, 0XF5, 0XED, 0X95, 0XE3, 0X12, 0X5B};
+    0xDB, 0xA4, 0x51, 0x12, 0x4C, 0xA0, 0xA9, 0x83, 0x68, 0x14, 0xF5, 0xED, 0x95, 0xE3, 0x12, 0x5B};
 static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
     0xBE, 0xC0, 0xBC, 0x8E, 0x75, 0xA0, 0xF6, 0x0C, 0x4A, 0x56, 0x64, 0x02, 0x3E, 0xD4, 0x9C, 0xD5};
 static const u8 eticket_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
     0x88, 0x87, 0x50, 0x90, 0xA6, 0x2F, 0x75, 0x70, 0xA2, 0xD7, 0x71, 0x51, 0xAE, 0x6D, 0x39, 0x87};
 static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
-    0X46, 0X6E, 0X57, 0XB7, 0X4A, 0X44, 0X7F, 0X02, 0XF3, 0X21, 0XCD, 0XE5, 0X8F, 0X2F, 0X55, 0X35};
+    0x46, 0x6E, 0x57, 0xB7, 0x4A, 0x44, 0x7F, 0x02, 0xF3, 0x21, 0xCD, 0xE5, 0x8F, 0x2F, 0x55, 0x35};
 
 bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair);
 
diff --git a/source/keys/fs_crypto.h b/source/keys/fs_crypto.h
index 976ffde..f8ccdf7 100644
--- a/source/keys/fs_crypto.h
+++ b/source/keys/fs_crypto.h
@@ -45,26 +45,26 @@ static const u8 key_area_key_sources[3][0x10] __attribute__((aligned(4))) = {
 };
 
 static const u8 save_mac_kek_source[0x10] __attribute__((aligned(4))) = {
-    0XD8, 0X9C, 0X23, 0X6E, 0XC9, 0X12, 0X4E, 0X43, 0XC8, 0X2B, 0X03, 0X87, 0X43, 0XF9, 0XCF, 0X1B};
+    0xD8, 0x9C, 0x23, 0x6E, 0xC9, 0x12, 0x4E, 0x43, 0xC8, 0x2B, 0x03, 0x87, 0x43, 0xF9, 0xCF, 0x1B};
 static const u8 save_mac_key_source[0x10] __attribute__((aligned(4))) = {
-    0XE4, 0XCD, 0X3D, 0X4A, 0XD5, 0X0F, 0X74, 0X28, 0X45, 0XA4, 0X87, 0XE5, 0XA0, 0X63, 0XEA, 0X1F};
+    0xE4, 0xCD, 0x3D, 0x4A, 0xD5, 0x0F, 0x74, 0x28, 0x45, 0xA4, 0x87, 0xE5, 0xA0, 0x63, 0xEA, 0x1F};
 
 static const u8 save_mac_sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
-    0X04, 0X89, 0XEF, 0X5D, 0X32, 0X6E, 0X1A, 0X59, 0XC4, 0XB7, 0XAB, 0X8C, 0X36, 0X7A, 0XAB, 0X17};
+    0x04, 0x89, 0xEF, 0x5D, 0x32, 0x6E, 0x1A, 0x59, 0xC4, 0xB7, 0xAB, 0x8C, 0x36, 0x7A, 0xAB, 0x17};
 static const u8 save_mac_sd_card_key_source[0x10] __attribute__((aligned(4))) = {
-    0X6F, 0X64, 0X59, 0X47, 0XC5, 0X61, 0X46, 0XF9, 0XFF, 0XA0, 0X45, 0XD5, 0X95, 0X33, 0X29, 0X18};
+    0x6F, 0x64, 0x59, 0x47, 0xC5, 0x61, 0x46, 0xF9, 0xFF, 0xA0, 0x45, 0xD5, 0x95, 0x33, 0x29, 0x18};
 
 static const u8 sd_card_custom_storage_key_source[0x20] __attribute__((aligned(4))) = {
-    0X37, 0X0C, 0X34, 0X5E, 0X12, 0XE4, 0XCE, 0XFE, 0X21, 0XB5, 0X8E, 0X64, 0XDB, 0X52, 0XAF, 0X35,
-    0X4F, 0X2C, 0XA5, 0XA3, 0XFC, 0X99, 0X9A, 0X47, 0XC0, 0X3E, 0XE0, 0X04, 0X48, 0X5B, 0X2F, 0XD0};
+    0x37, 0x0C, 0x34, 0x5E, 0x12, 0xE4, 0xCE, 0xFE, 0x21, 0xB5, 0x8E, 0x64, 0xDB, 0x52, 0xAF, 0x35,
+    0x4F, 0x2C, 0xA5, 0xA3, 0xFC, 0x99, 0x9A, 0x47, 0xC0, 0x3E, 0xE0, 0x04, 0x48, 0x5B, 0x2F, 0xD0};
 static const u8 sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
-    0X88, 0X35, 0X8D, 0X9C, 0X62, 0X9B, 0XA1, 0XA0, 0X01, 0X47, 0XDB, 0XE0, 0X62, 0X1B, 0X54, 0X32};
+    0x88, 0x35, 0x8D, 0x9C, 0x62, 0x9B, 0xA1, 0xA0, 0x01, 0x47, 0xDB, 0xE0, 0x62, 0x1B, 0x54, 0x32};
 static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = {
-    0X58, 0X41, 0XA2, 0X84, 0X93, 0X5B, 0X56, 0X27, 0X8B, 0X8E, 0X1F, 0XC5, 0X18, 0XE9, 0X9F, 0X2B,
-    0X67, 0XC7, 0X93, 0XF0, 0XF2, 0X4F, 0XDE, 0XD0, 0X75, 0X49, 0X5D, 0XCA, 0X00, 0X6D, 0X99, 0XC2};
+    0x58, 0x41, 0xA2, 0x84, 0x93, 0x5B, 0x56, 0x27, 0x8B, 0x8E, 0x1F, 0xC5, 0x18, 0xE9, 0x9F, 0x2B,
+    0x67, 0xC7, 0x93, 0xF0, 0xF2, 0x4F, 0xDE, 0xD0, 0x75, 0x49, 0x5D, 0xCA, 0x00, 0x6D, 0x99, 0xC2};
 static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = {
-    0X24, 0X49, 0XB7, 0X22, 0X72, 0X67, 0X03, 0XA8, 0X19, 0X65, 0XE6, 0XE3, 0XEA, 0X58, 0X2F, 0XDD,
-    0X9A, 0X95, 0X15, 0X17, 0XB1, 0X6E, 0X8F, 0X7F, 0X1F, 0X68, 0X26, 0X31, 0X52, 0XEA, 0X29, 0X6A};
+    0x24, 0x49, 0xB7, 0x22, 0x72, 0x67, 0x03, 0xA8, 0x19, 0x65, 0xE6, 0xE3, 0xEA, 0x58, 0x2F, 0xDD,
+    0x9A, 0x95, 0x15, 0x17, 0xB1, 0x6E, 0x8F, 0x7F, 0x1F, 0x68, 0x26, 0x31, 0x52, 0xEA, 0x29, 0x6A};
 
 void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation);
 void fs_derive_header_key(key_storage_t *keys, void *out_key);
diff --git a/source/keys/ssl_crypto.h b/source/keys/ssl_crypto.h
index de462a6..6d84784 100644
--- a/source/keys/ssl_crypto.h
+++ b/source/keys/ssl_crypto.h
@@ -22,9 +22,9 @@
 #include <utils/types.h>
 
 static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
-    0X7F, 0X5B, 0XB0, 0X84, 0X7B, 0X25, 0XAA, 0X67, 0XFA, 0XC8, 0X4B, 0XE2, 0X3D, 0X7B, 0X69, 0X03};
+    0x7F, 0x5B, 0xB0, 0x84, 0x7B, 0x25, 0xAA, 0x67, 0xFA, 0xC8, 0x4B, 0xE2, 0x3D, 0x7B, 0x69, 0x03};
 static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
-    0X9A, 0X38, 0X3B, 0XF4, 0X31, 0XD0, 0XBD, 0X81, 0X32, 0X53, 0X4B, 0XA9, 0X64, 0X39, 0X7D, 0XE3};
+    0x9A, 0x38, 0x3B, 0xF4, 0x31, 0xD0, 0xBD, 0x81, 0x32, 0x53, 0x4B, 0xA9, 0x64, 0x39, 0x7D, 0xE3};
 static const u8 ssl_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
     0xD5, 0xD2, 0xFC, 0x00, 0xFD, 0x49, 0xDD, 0xF8, 0xEE, 0x7B, 0xC4, 0x4B, 0xE1, 0x4C, 0xAA, 0x99};
 static const u8 ssl_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {

From dcf4bca30cb3f9a82068dab21382957b29974053 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 5 Nov 2022 15:41:16 -0700
Subject: [PATCH 16/21] keys: Move RSA functions out of keys.c

---
 source/keys/crypto.h        |  13 ++-
 source/keys/es_crypto.c     |  88 ++++++++++++++
 source/keys/es_crypto.h     |   9 ++
 source/keys/es_types.h      |  46 ++++++++
 source/keys/key_sources.inl |   5 -
 source/keys/keys.c          | 227 +++++++-----------------------------
 source/keys/keys.h          |  46 --------
 source/keys/ssl_crypto.c    |  69 +++++++++++
 source/keys/ssl_crypto.h    |   4 +
 9 files changed, 266 insertions(+), 241 deletions(-)

diff --git a/source/keys/crypto.h b/source/keys/crypto.h
index c242485..67195be 100644
--- a/source/keys/crypto.h
+++ b/source/keys/crypto.h
@@ -25,6 +25,11 @@
 
 #include <string.h>
 
+// Sha256 hash of the null string.
+static const u8 null_hash[0x20] __attribute__((aligned(4))) = {
+    0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
+    0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
+
 static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
     0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
 
@@ -103,6 +108,9 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
     {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E}
 };
 
+ //!TODO: Update on keygen changes.
+#define TSEC_ROOT_KEY_VERSION 2
+
 // Lockpick_RCM keyslots
 #define KS_BIS_00_CRYPT 0
 #define KS_BIS_00_TWEAK 1
@@ -128,11 +136,6 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
 
 #define RSA_PUBLIC_EXPONENT 65537
 
-#define SSL_RSA_KEY_SIZE         (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE)
-#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE)
-
-#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004
-
 typedef struct {
     u8 master_kek[SE_KEY_128_SIZE];
     u8 data[0x70];
diff --git a/source/keys/es_crypto.c b/source/keys/es_crypto.c
index 57b2912..f31b46a 100644
--- a/source/keys/es_crypto.c
+++ b/source/keys/es_crypto.c
@@ -16,7 +16,16 @@
 
 #include "es_crypto.h"
 
+#include "cal0_read.h"
+
 #include "../config.h"
+#include <gfx_utils.h>
+#include "../gfx/tui.h"
+#include <mem/minerva.h>
+#include <sec/se.h>
+#include <sec/se_t210.h>
+
+#include <string.h>
 
 extern hekate_config h_cfg;
 
@@ -56,3 +65,82 @@ void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_
     const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
     derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option);
 }
+
+bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev) {
+    if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) {
+        return false;
+    }
+
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer;
+    u32 generation = 0;
+    const void *encrypted_key = NULL;
+    const void *iv = NULL;
+    u32 key_size = 0;
+    void *ctr_key = NULL;
+
+    if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
+        return false;
+    }
+
+    // Handle legacy case
+    if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
+        u32 temp_key[SE_KEY_128_SIZE / 4] = {0};
+        es_derive_rsa_kek_legacy(keys, temp_key);
+        ctr_key = temp_key;
+
+        se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
+        se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
+
+        if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
+            memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek));
+            return true;
+        }
+        // Fall through and try usual method if not applicable
+    }
+
+    if (generation) {
+        es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev);
+        ctr_key = keys->eticket_rsa_kek_personalized;
+    } else {
+        ctr_key = keys->eticket_rsa_kek;
+    }
+
+    se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
+
+    if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
+        EPRINTF("Invalid eticket keypair.");
+        memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
+        return false;
+    }
+
+    return true;
+}
+
+void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) {
+    ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer;
+    for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) {
+        minerva_periodic_training();
+        *pct = (total - remaining) * 100 / total;
+        if (*pct > *last_pct && *pct <= 100) {
+            *last_pct = *pct;
+            tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500);
+        }
+
+        // This is in case an encrypted volatile ticket is left behind
+        if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256)
+            continue;
+
+        u8 *curr_titlekey = curr_ticket->titlekey_block;
+        const u32 block_size = SE_RSA2048_DIGEST_SIZE;
+        const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]);
+        if (is_personalized) {
+            se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size);
+            if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size)
+                continue;
+        }
+        memcpy(titlekey_buffer->rights_ids[*titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0]));
+        memcpy(titlekey_buffer->titlekeys[*titlekey_count], curr_titlekey, titlekey_size);
+        (*titlekey_count)++;
+    }
+}
diff --git a/source/keys/es_crypto.h b/source/keys/es_crypto.h
index acca3f8..03c777b 100644
--- a/source/keys/es_crypto.h
+++ b/source/keys/es_crypto.h
@@ -20,8 +20,13 @@
 #include "crypto.h"
 #include "es_types.h"
 
+#include <sec/se_t210.h>
 #include <utils/types.h>
 
+#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE)
+
+#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004
+
 static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
     0xDB, 0xA4, 0x51, 0x12, 0x4C, 0xA0, 0xA9, 0x83, 0x68, 0x14, 0xF5, 0xED, 0x95, 0xE3, 0x12, 0x5B};
 static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
@@ -37,4 +42,8 @@ void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32
 void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
 void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
 
+bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev);
+
+void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized);
+
 #endif
diff --git a/source/keys/es_types.h b/source/keys/es_types.h
index feb35fa..2dca8dc 100644
--- a/source/keys/es_types.h
+++ b/source/keys/es_types.h
@@ -27,4 +27,50 @@ typedef struct {
     u8 reserved[0xC];
 } eticket_rsa_keypair_t;
 
+// only tickets of type Rsa2048Sha256 are expected
+typedef struct {
+    u32 signature_type; // always 0x10004
+    u8 signature[SE_RSA2048_DIGEST_SIZE];
+    u8 sig_padding[0x3C];
+    char issuer[0x40];
+    u8 titlekey_block[SE_RSA2048_DIGEST_SIZE];
+    u8 format_version;
+    u8 titlekey_type;
+    u16 ticket_version;
+    u8 license_type;
+    u8 common_key_id;
+    u16 property_mask;
+    u64 reserved;
+    u64 ticket_id;
+    u64 device_id;
+    u8 rights_id[0x10];
+    u32 account_id;
+    u32 sect_total_size;
+    u32 sect_hdr_offset;
+    u16 sect_hdr_count;
+    u16 sect_hdr_entry_size;
+    u8 padding[0x140];
+} ticket_t;
+
+typedef struct {
+    u8 rights_id[0x10];
+    u64 ticket_id;
+    u32 account_id;
+    u16 property_mask;
+    u16 reserved;
+} ticket_record_t;
+
+typedef struct {
+    u8 read_buffer[SZ_256K];
+    u8 rights_ids[SZ_256K / 0x10][0x10];
+    u8 titlekeys[SZ_256K / 0x10][0x10];
+} titlekey_buffer_t;
+
+typedef struct {
+    char rights_id[0x20];
+    char equals[3];
+    char titlekey[0x20];
+    char newline[1];
+} titlekey_text_buffer_t;
+
 #endif
diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index fa05e80..c03a4e1 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -14,11 +14,6 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-// Sha256 hash of the null string.
-static const u8 null_hash[0x20] __attribute__((aligned(4))) = {
-    0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
-    0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
-
 static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_620 + 1][0x10] __attribute__((aligned(4))) = {
     {0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0
     {0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0
diff --git a/source/keys/keys.c b/source/keys/keys.c
index 17ef755..c8c8eae 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -16,10 +16,8 @@
 
 #include "keys.h"
 
-#include "cal0_read.h"
 #include "es_crypto.h"
 #include "fs_crypto.h"
-#include "gmac.h"
 #include "nfc_crypto.h"
 #include "ssl_crypto.h"
 
@@ -127,7 +125,7 @@ static void _derive_keyblob_keys(key_storage_t *keys) {
     bool have_keyblobs = true;
 
     if (FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF) {
-        u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
+        u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
         se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
         memcpy(keys->sbk, aes_keys + 14 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
         free(aes_keys);
@@ -183,22 +181,47 @@ static void _derive_keyblob_keys(key_storage_t *keys) {
     free(keyblob_block);
 }
 
+static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
+    key_storage_t *keys = is_dev ? dev_keys : prod_keys;
+
+    if (h_cfg.t210b01) {
+        _derive_master_keys_mariko(keys, is_dev);
+        _derive_master_keys_from_latest_key(keys, is_dev);
+    } else {
+        if (run_ams_keygen(keys)) {
+            EPRINTF("Failed to run keygen.");
+            return;
+        }
+
+        u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
+        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
+        memcpy(&dev_keys->tsec_root_key,  aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        memcpy(keys->tsec_key,            aes_keys + KS_TSEC          * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT     * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        free(aes_keys);
+
+        _derive_master_keys_from_latest_key(prod_keys, false);
+        _derive_master_keys_from_latest_key(dev_keys, true);
+        _derive_keyblob_keys(keys);
+    }
+}
+
 static void _derive_bis_keys(key_storage_t *keys) {
     minerva_periodic_training();
     u32 generation = fuse_read_odm_keygen_rev();
     fs_derive_bis_keys(keys, keys->bis_key, generation);
 }
 
-static void _derive_misc_keys(key_storage_t *keys, bool is_dev) {
+static void _derive_misc_keys(key_storage_t *keys) {
     minerva_periodic_training();
     fs_derive_save_mac_key(keys, keys->save_mac_key);
-    es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev);
-    ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev);
 }
 
-static void _derive_non_unique_keys(key_storage_t *keys) {
+static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) {
     minerva_periodic_training();
     fs_derive_header_key(keys, keys->header_key);
+    es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev);
+    ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev);
 
     for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) {
         minerva_periodic_training();
@@ -223,34 +246,6 @@ static bool _count_ticket_records(u32 buf_size, titlekey_buffer_t *titlekey_buff
     return false;
 }
 
-static void _decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) {
-    ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer;
-    for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) {
-        minerva_periodic_training();
-        *pct = (total - remaining) * 100 / total;
-        if (*pct > *last_pct && *pct <= 100) {
-            *last_pct = *pct;
-            tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500);
-        }
-
-        // This is in case an encrypted volatile ticket is left behind
-        if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256)
-            continue;
-
-        u8 *curr_titlekey = curr_ticket->titlekey_block;
-        const u32 block_size = SE_RSA2048_DIGEST_SIZE;
-        const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]);
-        if (is_personalized) {
-            se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size);
-            if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size)
-                continue;
-        }
-        memcpy(titlekey_buffer->rights_ids[_titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0]));
-        memcpy(titlekey_buffer->titlekeys[_titlekey_count], curr_titlekey, titlekey_size);
-        _titlekey_count++;
-    }
-}
-
 static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, eticket_rsa_keypair_t *rsa_keypair) {
     FIL fp;
     u64 br = buf_size;
@@ -328,7 +323,7 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title
         if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || titlekey_buffer->read_buffer[0] == 0 || br != buf_size)
             break;
         offset += br;
-        _decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, save_x, save_y, &pct, &last_pct, is_personalized);
+        es_decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, &_titlekey_count, save_x, save_y, &pct, &last_pct, is_personalized);
         remaining -= MIN(buf_size / sizeof(ticket_t), remaining);
     }
     tui_pbar(save_x, save_y, 100, COLOR_GREEN, 0xFF155500);
@@ -382,7 +377,8 @@ static bool _derive_sd_seed(key_storage_t *keys) {
     }
 
     u8 read_buf[0x20] __attribute__((aligned(4))) = {0};
-    // Skip the two header blocks and only check the first bytes of each block - file contents are always block-aligned
+    // Skip the two header blocks and only check the first bytes of each block
+    // File contents are always block-aligned
     for (u32 i = SAVE_BLOCK_SIZE_DEFAULT * 2; i < f_size(&fp); i += SAVE_BLOCK_SIZE_DEFAULT) {
         if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20)
             break;
@@ -398,120 +394,8 @@ static bool _derive_sd_seed(key_storage_t *keys) {
     return true;
 }
 
-static bool _decrypt_ssl_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer) {
-    if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) {
-        return false;
-    }
-
-    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
-    u32 generation = 0;
-    const void *encrypted_key = NULL;
-    const void *iv = NULL;
-    u32 key_size = 0;
-    void *ctr_key = NULL;
-    bool enforce_unique = true;
-
-    if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
-        return false;
-    }
-
-    if (key_size == SSL_RSA_KEY_SIZE) {
-        bool all_zero = true;
-        const u8 *key8 = (const u8 *)encrypted_key;
-        for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
-            if (key8[i] != 0) {
-                all_zero = false;
-                break;
-            }
-        }
-        if (all_zero) {
-            // Keys of this form are not encrypted
-            memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE);
-            return true;
-        }
-
-        ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy);
-        ctr_key = keys->ssl_rsa_kek_legacy;
-        enforce_unique = false;
-    } else if (generation) {
-        ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation);
-        ctr_key = keys->ssl_rsa_kek_personalized;
-    } else {
-        ctr_key = keys->ssl_rsa_kek;
-    }
-
-    u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
-    se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
-    se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv);
-
-    if (enforce_unique) {
-        u32 calc_mac[SE_KEY_128_SIZE / 4] = {0};
-        calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv);
-
-        const u8 *key8 = (const u8 *)encrypted_key;
-        if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
-            EPRINTF("SSL keypair has invalid GMac.");
-            memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
-            return false;
-        }
-    }
-
-    return true;
-}
-
-static bool _decrypt_eticket_rsa_key(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
-    if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, titlekey_buffer->read_buffer)) {
-        return false;
-    }
-
-    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer;
-    u32 generation = 0;
-    const void *encrypted_key = NULL;
-    const void *iv = NULL;
-    u32 key_size = 0;
-    void *ctr_key = NULL;
-
-    if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
-        return false;
-    }
-
-    // Handle legacy case
-    if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
-        u32 temp_key[SE_KEY_128_SIZE / 4] = {0};
-        es_derive_rsa_kek_legacy(keys, temp_key);
-        ctr_key = temp_key;
-
-        se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
-        se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
-
-        if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
-            memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek));
-            return true;
-        }
-        // Fall through and try usual method if not applicable
-    }
-
-    if (generation) {
-        es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev);
-        ctr_key = keys->eticket_rsa_kek_personalized;
-    } else {
-        ctr_key = keys->eticket_rsa_kek;
-    }
-
-    se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
-    se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
-
-    if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
-        EPRINTF("Invalid eticket keypair.");
-        memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
-        return false;
-    }
-
-    return true;
-}
-
 static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
-    if (!key_exists(keys->eticket_rsa_kek)) {
+    if (!key_exists(&keys->eticket_rsa_keypair)) {
         return false;
     }
 
@@ -543,12 +427,12 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
         return false;
     }
 
-    bool res = _decrypt_ssl_rsa_key(keys, titlekey_buffer);
+    bool res = decrypt_ssl_rsa_key(keys, titlekey_buffer);
     if (!res) {
         EPRINTF("Unable to derive SSL key.");
     }
 
-    res =_decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev);
+    res = decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev);
     if (!res) {
         EPRINTF("Unable to derive ETicket key.");
     }
@@ -611,7 +495,7 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
     u32 pos = 0;
     u32 zeros[SE_KEY_128_SIZE / 4] = {0};
     u8 *data = malloc(4 * SE_KEY_128_SIZE);
-    char *text_buffer = calloc(1, 0x100 * count);
+    char *text_buffer = calloc(count, 0x100);
 
     for (u32 ks = start; ks < start + count; ks++) {
         // Check if key is as expected
@@ -688,14 +572,13 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) {
 }
 
 static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
-    char *text_buffer = NULL;
     if (!sd_mount()) {
         EPRINTF("Unable to mount SD.");
         return;
     }
 
     u32 text_buffer_size = MAX(_titlekey_count * sizeof(titlekey_text_buffer_t) + 1, SZ_16K);
-    text_buffer = (char *)calloc(1, text_buffer_size);
+    char *text_buffer = (char *)calloc(1, text_buffer_size);
 
     SAVE_KEY(aes_kek_generation_source);
     SAVE_KEY(aes_key_generation_source);
@@ -765,9 +648,8 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
     SAVE_KEY(titlekek_source);
     SAVE_KEY_VAR(tsec_key, keys->tsec_key);
 
-    const u32 root_key_ver = 2;
     char root_key_name[21] = "tsec_root_key_00";
-    s_printf(root_key_name + 14, "%02x", root_key_ver);
+    s_printf(root_key_name + 14, "%02x", TSEC_ROOT_KEY_VERSION);
     _save_key(root_key_name, keys->tsec_root_key, SE_KEY_128_SIZE, text_buffer);
 
     gfx_printf("\n%k  Found %d %s keys.\n\n", colors[(color_idx++) % 6], _key_count, is_dev ? "dev" : "prod");
@@ -811,31 +693,6 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
     free(text_buffer);
 }
 
-static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
-    key_storage_t *keys = is_dev ? dev_keys : prod_keys;
-
-    if (h_cfg.t210b01) {
-        _derive_master_keys_mariko(keys, is_dev);
-        _derive_master_keys_from_latest_key(keys, is_dev);
-    } else {
-        if (run_ams_keygen(keys)) {
-            EPRINTF("Failed to run keygen.");
-            return;
-        }
-
-        u8 *aes_keys = (u8 *)calloc(SZ_4K, 1);
-        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
-        memcpy(&dev_keys->tsec_root_key,  aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
-        memcpy(keys->tsec_key,            aes_keys + KS_TSEC          * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
-        memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT     * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
-        free(aes_keys);
-
-        _derive_master_keys_from_latest_key(prod_keys, false);
-        _derive_master_keys_from_latest_key(dev_keys, true);
-        _derive_keyblob_keys(keys);
-    }
-}
-
 static void _derive_keys() {
     minerva_periodic_training();
 
@@ -872,9 +729,9 @@ static void _derive_keys() {
 
     TPRINTFARGS("%kBIS keys...     ", colors[(color_idx++) % 6]);
 
-    _derive_misc_keys(keys, is_dev);
-    _derive_non_unique_keys(&prod_keys);
-    _derive_non_unique_keys(&dev_keys);
+    _derive_misc_keys(keys);
+    _derive_non_unique_keys(&prod_keys, is_dev);
+    _derive_non_unique_keys(&dev_keys, is_dev);
 
     titlekey_buffer_t *titlekey_buffer = (titlekey_buffer_t *)TITLEKEY_BUF_ADR;
 
diff --git a/source/keys/keys.h b/source/keys/keys.h
index 622249e..f8a84c1 100644
--- a/source/keys/keys.h
+++ b/source/keys/keys.h
@@ -23,52 +23,6 @@
 #include <sec/se_t210.h>
 #include <utils/types.h>
 
-// only tickets of type Rsa2048Sha256 are expected
-typedef struct {
-    u32 signature_type; // always 0x10004
-    u8 signature[SE_RSA2048_DIGEST_SIZE];
-    u8 sig_padding[0x3C];
-    char issuer[0x40];
-    u8 titlekey_block[SE_RSA2048_DIGEST_SIZE];
-    u8 format_version;
-    u8 titlekey_type;
-    u16 ticket_version;
-    u8 license_type;
-    u8 common_key_id;
-    u16 property_mask;
-    u64 reserved;
-    u64 ticket_id;
-    u64 device_id;
-    u8 rights_id[0x10];
-    u32 account_id;
-    u32 sect_total_size;
-    u32 sect_hdr_offset;
-    u16 sect_hdr_count;
-    u16 sect_hdr_entry_size;
-    u8 padding[0x140];
-} ticket_t;
-
-typedef struct {
-    u8 rights_id[0x10];
-    u64 ticket_id;
-    u32 account_id;
-    u16 property_mask;
-    u16 reserved;
-} ticket_record_t;
-
-typedef struct {
-    u8 read_buffer[SZ_256K];
-    u8 rights_ids[SZ_256K / 0x10][0x10];
-    u8 titlekeys[SZ_256K / 0x10][0x10];
-} titlekey_buffer_t;
-
-typedef struct {
-    char rights_id[0x20];
-    char equals[3];
-    char titlekey[0x20];
-    char newline[1];
-} titlekey_text_buffer_t;
-
 #define TPRINTF(text) \
     end_time = get_tmr_us(); \
     gfx_printf(text" done in %d us\n", end_time - start_time); \
diff --git a/source/keys/ssl_crypto.c b/source/keys/ssl_crypto.c
index 109627f..b6b235b 100644
--- a/source/keys/ssl_crypto.c
+++ b/source/keys/ssl_crypto.c
@@ -16,7 +16,15 @@
 
 #include "ssl_crypto.h"
 
+#include "cal0_read.h"
+#include "gmac.h"
+
 #include "../config.h"
+#include <gfx_utils.h>
+#include <sec/se.h>
+#include <sec/se_t210.h>
+
+#include <string.h>
 
 extern hekate_config h_cfg;
 
@@ -49,3 +57,64 @@ void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is
     u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
     derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
 }
+
+bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer) {
+    if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) {
+        return false;
+    }
+
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer;
+    u32 generation = 0;
+    const void *encrypted_key = NULL;
+    const void *iv = NULL;
+    u32 key_size = 0;
+    void *ctr_key = NULL;
+    bool enforce_unique = true;
+
+    if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
+        return false;
+    }
+
+    if (key_size == SSL_RSA_KEY_SIZE) {
+        bool all_zero = true;
+        const u8 *key8 = (const u8 *)encrypted_key;
+        for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
+            if (key8[i] != 0) {
+                all_zero = false;
+                break;
+            }
+        }
+        if (all_zero) {
+            // Keys of this form are not encrypted
+            memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE);
+            return true;
+        }
+
+        ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy);
+        ctr_key = keys->ssl_rsa_kek_legacy;
+        enforce_unique = false;
+    } else if (generation) {
+        ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation);
+        ctr_key = keys->ssl_rsa_kek_personalized;
+    } else {
+        ctr_key = keys->ssl_rsa_kek;
+    }
+
+    u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
+    se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv);
+
+    if (enforce_unique) {
+        u32 calc_mac[SE_KEY_128_SIZE / 4] = {0};
+        calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv);
+
+        const u8 *key8 = (const u8 *)encrypted_key;
+        if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
+            EPRINTF("SSL keypair has invalid GMac.");
+            memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
+            return false;
+        }
+    }
+
+    return true;
+}
diff --git a/source/keys/ssl_crypto.h b/source/keys/ssl_crypto.h
index 6d84784..830fd45 100644
--- a/source/keys/ssl_crypto.h
+++ b/source/keys/ssl_crypto.h
@@ -21,6 +21,8 @@
 
 #include <utils/types.h>
 
+#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE)
+
 static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
     0x7F, 0x5B, 0xB0, 0x84, 0x7B, 0x25, 0xAA, 0x67, 0xFA, 0xC8, 0x4B, 0xE2, 0x3D, 0x7B, 0x69, 0x03};
 static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
@@ -38,4 +40,6 @@ void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u3
 void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
 void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
 
+bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer);
+
 #endif

From 43be4ef19f9179b24d95c566bd92e1eca678c49e Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 5 Nov 2022 16:40:15 -0700
Subject: [PATCH 17/21] keys: Make more readability tweaks

---
 source/keys/crypto.c |  5 ++--
 source/keys/crypto.h | 16 +++++++-----
 source/keys/keys.c   | 61 ++++++++++++++++++++------------------------
 3 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/source/keys/crypto.c b/source/keys/crypto.c
index 46a7564..3e766c1 100644
--- a/source/keys/crypto.c
+++ b/source/keys/crypto.c
@@ -35,14 +35,15 @@ int key_exists(const void *data) {
     return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0;
 }
 
-int run_ams_keygen(key_storage_t *keys) {
+int run_ams_keygen() {
     tsec_ctxt_t tsec_ctxt;
     tsec_ctxt.fw = tsec_keygen;
     tsec_ctxt.size = sizeof(tsec_keygen);
     tsec_ctxt.type = TSEC_FW_TYPE_NEW;
 
     u32 retries = 0;
-    while (tsec_query(keys->temp_key, &tsec_ctxt) < 0) {
+    u32 temp_key[SE_KEY_128_SIZE / 4];
+    while (tsec_query(temp_key, &tsec_ctxt) < 0) {
         retries++;
         if (retries > 15) {
             return -1;
diff --git a/source/keys/crypto.h b/source/keys/crypto.h
index 67195be..4ea954f 100644
--- a/source/keys/crypto.h
+++ b/source/keys/crypto.h
@@ -21,6 +21,7 @@
 
 #include "../hos/hos.h"
 #include <sec/se_t210.h>
+#include "../storage/nx_emmc.h"
 #include <utils/types.h>
 
 #include <string.h>
@@ -136,17 +137,20 @@ static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
 
 #define RSA_PUBLIC_EXPONENT 65537
 
+#define KEYBLOB_UNK_DATA_SIZE 0x70
+#define KEYBLOB_UNUSED_SIZE (NX_EMMC_BLOCKSIZE - SE_AES_CMAC_DIGEST_SIZE - SE_AES_IV_SIZE - sizeof(keyblob_t))
+
 typedef struct {
     u8 master_kek[SE_KEY_128_SIZE];
-    u8 data[0x70];
+    u8 data[KEYBLOB_UNK_DATA_SIZE];
     u8 package1_key[SE_KEY_128_SIZE];
 } keyblob_t;
 
 typedef struct {
-    u8 cmac[0x10];
-    u8 iv[0x10];
+    u8 cmac[SE_AES_CMAC_DIGEST_SIZE];
+    u8 iv[SE_AES_IV_SIZE];
     keyblob_t key_data;
-    u8 unused[0x150];
+    u8 unused[KEYBLOB_UNUSED_SIZE];
 } encrypted_keyblob_t;
 
 typedef struct {
@@ -177,7 +181,7 @@ typedef struct {
         titlekek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
         tsec_key[SE_KEY_128_SIZE],
         tsec_root_key[SE_KEY_128_SIZE];
-    u32 sbk[4];
+    u32 secure_boot_key[4];
     keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
     eticket_rsa_keypair_t eticket_rsa_keypair;
 } key_storage_t;
@@ -203,7 +207,7 @@ typedef enum {
 
 int key_exists(const void *data);
 
-int run_ams_keygen(key_storage_t *keys);
+int run_ams_keygen();
 
 bool check_keyslot_access();
 
diff --git a/source/keys/keys.c b/source/keys/keys.c
index c8c8eae..511aef5 100644
--- a/source/keys/keys.c
+++ b/source/keys/keys.c
@@ -120,33 +120,28 @@ static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev
 static void _derive_keyblob_keys(key_storage_t *keys) {
     minerva_periodic_training();
 
-    u8 *keyblob_block = (u8 *)calloc(KB_FIRMWARE_VERSION_600 + 1, NX_EMMC_BLOCKSIZE);
-    u32 keyblob_mac[SE_KEY_128_SIZE / 4] = {0};
+    encrypted_keyblob_t *keyblob_buffer = (encrypted_keyblob_t *)calloc(KB_FIRMWARE_VERSION_600 + 1, sizeof(encrypted_keyblob_t));
+    u32 keyblob_mac[SE_AES_CMAC_DIGEST_SIZE / 4] = {0};
     bool have_keyblobs = true;
 
-    if (FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF) {
-        u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
-        se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
-        memcpy(keys->sbk, aes_keys + 14 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
-        free(aes_keys);
-    } else {
-        keys->sbk[0] = FUSE(FUSE_PRIVATE_KEY0);
-        keys->sbk[1] = FUSE(FUSE_PRIVATE_KEY1);
-        keys->sbk[2] = FUSE(FUSE_PRIVATE_KEY2);
-        keys->sbk[3] = FUSE(FUSE_PRIVATE_KEY3);
+    if (FUSE(FUSE_PRIVATE_KEY0) != 0xFFFFFFFF) {
+        keys->secure_boot_key[0] = FUSE(FUSE_PRIVATE_KEY0);
+        keys->secure_boot_key[1] = FUSE(FUSE_PRIVATE_KEY1);
+        keys->secure_boot_key[2] = FUSE(FUSE_PRIVATE_KEY2);
+        keys->secure_boot_key[3] = FUSE(FUSE_PRIVATE_KEY3);
     }
 
     if (!emmc_storage.initialized) {
         have_keyblobs = false;
-    } else if (!emummc_storage_read(KEYBLOB_OFFSET / NX_EMMC_BLOCKSIZE, KB_FIRMWARE_VERSION_600 + 1, keyblob_block)) {
+    } else if (!emummc_storage_read(KEYBLOB_OFFSET / NX_EMMC_BLOCKSIZE, KB_FIRMWARE_VERSION_600 + 1, keyblob_buffer)) {
         EPRINTF("Unable to read keyblobs.");
         have_keyblobs = false;
     } else {
         have_keyblobs = true;
     }
 
-    encrypted_keyblob_t *current_keyblob = (encrypted_keyblob_t *)keyblob_block;
-    for (u32 i = 0; i <= KB_FIRMWARE_VERSION_600; i++, current_keyblob++) {
+    encrypted_keyblob_t *current_keyblob = keyblob_buffer;
+    for (u32 i = 0; i < ARRAY_SIZE(keyblob_key_sources); i++, current_keyblob++) {
         minerva_periodic_training();
         se_aes_crypt_block_ecb(KS_TSEC, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]);
         se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]);
@@ -178,7 +173,7 @@ static void _derive_keyblob_keys(key_storage_t *keys) {
             load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source);
         }
     }
-    free(keyblob_block);
+    free(keyblob_buffer);
 }
 
 static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) {
@@ -188,7 +183,7 @@ static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_key
         _derive_master_keys_mariko(keys, is_dev);
         _derive_master_keys_from_latest_key(keys, is_dev);
     } else {
-        if (run_ams_keygen(keys)) {
+        if (run_ams_keygen()) {
             EPRINTF("Failed to run keygen.");
             return;
         }
@@ -196,8 +191,13 @@ static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_key
         u8 *aes_keys = (u8 *)calloc(1, SZ_4K);
         se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE);
         memcpy(&dev_keys->tsec_root_key,  aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
-        memcpy(keys->tsec_key,            aes_keys + KS_TSEC          * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        memcpy(&dev_keys->tsec_key,       aes_keys + KS_TSEC          * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        memcpy(&prod_keys->tsec_key,      aes_keys + KS_TSEC          * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
         memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT     * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        if (FUSE(FUSE_PRIVATE_KEY0) != 0xFFFFFFFF) {
+            memcpy(&dev_keys->secure_boot_key,  aes_keys + KS_SECURE_BOOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+            memcpy(&prod_keys->secure_boot_key, aes_keys + KS_SECURE_BOOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+        }
         free(aes_keys);
 
         _derive_master_keys_from_latest_key(prod_keys, false);
@@ -410,7 +410,7 @@ static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
     return true;
 }
 
-static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
+static void _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) {
     // Set BIS keys.
     // PRODINFO/PRODINFOF
     se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, SE_KEY_128_SIZE);
@@ -424,16 +424,14 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
 
     if (!emummc_storage_set_mmc_partition(EMMC_GPP)) {
         EPRINTF("Unable to set partition.");
-        return false;
+        return;
     }
 
-    bool res = decrypt_ssl_rsa_key(keys, titlekey_buffer);
-    if (!res) {
+    if (!decrypt_ssl_rsa_key(keys, titlekey_buffer)) {
         EPRINTF("Unable to derive SSL key.");
     }
 
-    res = decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev);
-    if (!res) {
+    if (!decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev)) {
         EPRINTF("Unable to derive ETicket key.");
     }
 
@@ -445,7 +443,7 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
     if (!system_part) {
         EPRINTF("Unable to locate System partition.");
         nx_emmc_gpt_free(&gpt);
-        return false;
+        return;
     }
 
     nx_emmc_bis_init(system_part);
@@ -453,7 +451,7 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
     if (f_mount(&emmc_fs, "bis:", 1)) {
         EPRINTF("Unable to mount system partition.");
         nx_emmc_gpt_free(&gpt);
-        return false;
+        return;
     }
 
     if (!sd_mount()) {
@@ -462,15 +460,12 @@ static bool _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b
         EPRINTF("Unable to get SD seed.");
     }
 
-    res = _derive_titlekeys(keys, titlekey_buffer, is_dev);
-    if (!res) {
+    if (!_derive_titlekeys(keys, titlekey_buffer, is_dev)) {
         EPRINTF("Unable to derive titlekeys.");
     }
 
     f_mount(NULL, "bis:", 1);
     nx_emmc_gpt_free(&gpt);
-
-    return res;
 }
 
 // The security engine supports partial key override for locked keyslots
@@ -611,9 +606,9 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
     SAVE_KEY_FAMILY_VAR(keyblob_mac_key, keys->keyblob_mac_key, 0);
     SAVE_KEY(keyblob_mac_key_source);
     if (is_dev) {
-        SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources_dev, 5);
+        SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources_dev, KB_FIRMWARE_VERSION_600);
     } else {
-        SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources, 5);
+        SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources, KB_FIRMWARE_VERSION_600);
     }
     SAVE_KEY_FAMILY_VAR(master_kek, keys->master_kek, 0);
     SAVE_KEY_FAMILY_VAR(master_kek_source, master_kek_sources, KB_FIRMWARE_VERSION_620);
@@ -634,7 +629,7 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu
     SAVE_KEY(sd_card_nca_key_source);
     SAVE_KEY(sd_card_save_key_source);
     SAVE_KEY_VAR(sd_seed, keys->sd_seed);
-    SAVE_KEY_VAR(secure_boot_key, keys->sbk);
+    SAVE_KEY_VAR(secure_boot_key, keys->secure_boot_key);
     SAVE_KEY_VAR(ssl_rsa_kek, keys->ssl_rsa_kek);
     SAVE_KEY_VAR(ssl_rsa_kek_personalized, keys->ssl_rsa_kek_personalized);
     if (is_dev) {

From ffea336ecce54f4c3dcecbb9c72b2fa7f4abd228 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sat, 5 Nov 2022 16:47:21 -0700
Subject: [PATCH 18/21] keys: Use SE size definitions

---
 source/keys/crypto.h     | 2 +-
 source/keys/nfc_crypto.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/keys/crypto.h b/source/keys/crypto.h
index 4ea954f..f4bf14f 100644
--- a/source/keys/crypto.h
+++ b/source/keys/crypto.h
@@ -27,7 +27,7 @@
 #include <string.h>
 
 // Sha256 hash of the null string.
-static const u8 null_hash[0x20] __attribute__((aligned(4))) = {
+static const u8 null_hash[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
     0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
     0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
 
diff --git a/source/keys/nfc_crypto.c b/source/keys/nfc_crypto.c
index 078d5e7..b6caa5e 100644
--- a/source/keys/nfc_crypto.c
+++ b/source/keys/nfc_crypto.c
@@ -27,7 +27,7 @@ void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_ke
     decrypt_aes_key(KS_AES_ECB, keys, kek, nfc_key_source, 0, 0);
 
     nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
-    static const u8 nfc_iv[SE_KEY_128_SIZE] = {
+    static const u8 nfc_iv[SE_AES_IV_SIZE] = {
         0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
     se_aes_key_set(KS_AES_CTR, kek, SE_KEY_128_SIZE);
     se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);

From fb6b966bd65db7612ff640c85698e737dcf6d016 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sun, 6 Nov 2022 17:59:36 -0800
Subject: [PATCH 19/21] Bump version to v1.9.9

---
 Versions.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Versions.inc b/Versions.inc
index eafbd19..dd0b543 100644
--- a/Versions.inc
+++ b/Versions.inc
@@ -1,5 +1,5 @@
 # LP Version.
 LPVERSION_MAJOR := 1
 LPVERSION_MINOR := 9
-LPVERSION_BUGFX := 8
+LPVERSION_BUGFX := 9
 LPVERSION_RSVD := 0

From b5be83652cb119c25bb83c08686918c12bebd67d Mon Sep 17 00:00:00 2001
From: FlyingBananaTree <74322834+FlyingBananaTree@users.noreply.github.com>
Date: Tue, 21 Feb 2023 23:10:17 +0000
Subject: [PATCH 20/21] Support 16.0.0 keys

---
 source/hos/hos.h            | 3 ++-
 source/keys/crypto.h        | 3 +++
 source/keys/key_sources.inl | 5 +++++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/source/hos/hos.h b/source/hos/hos.h
index 9663d07..17d9a56 100644
--- a/source/hos/hos.h
+++ b/source/hos/hos.h
@@ -35,6 +35,7 @@
 #define KB_FIRMWARE_VERSION_1300 12
 #define KB_FIRMWARE_VERSION_1400 13
 #define KB_FIRMWARE_VERSION_1500 14
-#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1500 //!TODO: Update on mkey changes.
+#define KB_FIRMWARE_VERSION_1600 15
+#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1600 //!TODO: Update on mkey changes.
 
 #endif
diff --git a/source/keys/crypto.h b/source/keys/crypto.h
index f4bf14f..f2da17d 100644
--- a/source/keys/crypto.h
+++ b/source/keys/crypto.h
@@ -53,6 +53,7 @@ static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_
     {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */
     {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */
     {0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */
+    {0xF0, 0xF3, 0xFF, 0x52, 0x75, 0x2F, 0xBA, 0x4D, 0x09, 0x72, 0x30, 0x89, 0xA9, 0xDF, 0xFE, 0x1F}, /* 16.0.0 Device Master Kek Source. */    
 }; //!TODO: Update on mkey changes.
 
 static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
@@ -68,6 +69,7 @@ static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW
     {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */
     {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */
     {0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */
+    {0xFF, 0xF6, 0x4B, 0x0F, 0xFF, 0x0D, 0xC0, 0x4F, 0x56, 0x8A, 0x40, 0x74, 0x67, 0xC5, 0xFE, 0x9F}, /* 16.0.0 Device Master Kek Source. */
 }; //!TODO: Update on mkey changes.
 
 static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
@@ -83,6 +85,7 @@ static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FI
     {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */
     {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ 
     {0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */
+    {0xEA, 0x90, 0x6E, 0xA8, 0xAE, 0x92, 0x99, 0x64, 0x36, 0xC1, 0xF3, 0x1C, 0xC6, 0x32, 0x83, 0x8C}, /* 16.0.0 Device Master Key Source Source. */
 }; //!TODO: Update on mkey changes.
 
 static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = {
diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl
index c03a4e1..042ffbb 100644
--- a/source/keys/key_sources.inl
+++ b/source/keys/key_sources.inl
@@ -24,6 +24,7 @@ static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION
     {0x68, 0x3B, 0xCA, 0x54, 0xB8, 0x6F, 0x92, 0x48, 0xC3, 0x05, 0x76, 0x87, 0x88, 0x70, 0x79, 0x23}, //13.0.0
     {0xF0, 0x13, 0x37, 0x9A, 0xD5, 0x63, 0x51, 0xC3, 0xB4, 0x96, 0x35, 0xBC, 0x9C, 0xE8, 0x76, 0x81}, //14.0.0
     {0x6E, 0x77, 0x86, 0xAC, 0x83, 0x0A, 0x8D, 0x3E, 0x7D, 0xB7, 0x66, 0xA0, 0x22, 0xB7, 0x6E, 0x67}, //15.0.0
+    {0x99, 0x22, 0x09, 0x57, 0xA7, 0xF9, 0x5E, 0x94, 0xFE, 0x78, 0x7F, 0x41, 0xD6, 0xE7, 0x56, 0xE6}, //16.0.0
 }; //!TODO: Update on mkey changes.
 
 static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = {
@@ -42,6 +43,7 @@ static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribut
     {0xA3, 0x24, 0x65, 0x75, 0xEA, 0xCC, 0x6E, 0x8D, 0xFB, 0x5A, 0x16, 0x50, 0x74, 0xD2, 0x15, 0x06}, /* Master key 0B encrypted with Master key 0C. */
     {0x83, 0x67, 0xAF, 0x01, 0xCF, 0x93, 0xA1, 0xAB, 0x80, 0x45, 0xF7, 0x3F, 0x72, 0xFD, 0x3B, 0x38}, /* Master key 0C encrypted with Master key 0D. */
     {0xB1, 0x81, 0xA6, 0x0D, 0x72, 0xC7, 0xEE, 0x15, 0x21, 0xF3, 0xC0, 0xB5, 0x6B, 0x61, 0x6D, 0xE7}, /* Master key 0D encrypted with Master key 0E. */
+    {0xAF, 0x11, 0x4C, 0x67, 0x17, 0x7A, 0x52, 0x43, 0xF7, 0x70, 0x2F, 0xC7, 0xEF, 0x81, 0x72, 0x16}, /* Master key 0E encrypted with Master key 0F. */
 }; //!TODO: Update on mkey changes.
 
 static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = {
@@ -60,6 +62,7 @@ static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attr
     {0x8A, 0xCE, 0xC4, 0x7F, 0xBE, 0x08, 0x61, 0x88, 0xD3, 0x73, 0x64, 0x51, 0xE2, 0xB6, 0x53, 0x15}, /* Master key 0B encrypted with Master key 0C. */
     {0x08, 0xE0, 0xF4, 0xBE, 0xAA, 0x6E, 0x5A, 0xC3, 0xA6, 0xBC, 0xFE, 0xB9, 0xE2, 0xA3, 0x24, 0x12}, /* Master key 0C encrypted with Master key 0D. */
     {0xD6, 0x80, 0x98, 0xC0, 0xFA, 0xC7, 0x13, 0xCB, 0x93, 0xD2, 0x0B, 0x82, 0x4C, 0xA1, 0x7B, 0x8D}, /* Master key 0D encrypted with Master key 0E. */
+    {0x78, 0x66, 0x19, 0xBD, 0x86, 0xE7, 0xC1, 0x09, 0x9B, 0x6F, 0x92, 0xB2, 0x58, 0x7D, 0xCF, 0x26}, /* Master key 0E encrypted with Master key 0F. */
 }; //!TODO: Update on mkey changes.
 
 static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
@@ -112,6 +115,7 @@ static const u8 mariko_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_
     {0x52, 0x71, 0x9B, 0xDF, 0xA7, 0x8B, 0x61, 0xD8, 0xD5, 0x85, 0x11, 0xE4, 0x8E, 0x4F, 0x74, 0xC6}, // 13.0.0.
     {0xD2, 0x68, 0xC6, 0x53, 0x9D, 0x94, 0xF9, 0xA8, 0xA5, 0xA8, 0xA7, 0xC8, 0x8F, 0x53, 0x4B, 0x7A}, // 14.0.0.
     {0xEC, 0x61, 0xBC, 0x82, 0x1E, 0x0F, 0x5A, 0xC3, 0x2B, 0x64, 0x3F, 0x9D, 0xD6, 0x19, 0x22, 0x2D}, // 15.0.0.
+    {0xA5, 0xEC, 0x16, 0x39, 0x1A, 0x30, 0x16, 0x08, 0x2E, 0xCF, 0x09, 0x6F, 0x5E, 0x7C, 0xEE, 0xA9}, // 16.0.0.
 }; //!TODO: Update on mkey changes.
 static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_600 + 1][0x10] __attribute__((aligned(4))) = {
     {0x32, 0xC0, 0x97, 0x6B, 0x63, 0x6D, 0x44, 0x64, 0xF2, 0x3A, 0xA5, 0xC0, 0xDE, 0x46, 0xCC, 0xE9}, // 6.0.0.
@@ -124,4 +128,5 @@ static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW
     {0x4D, 0x5A, 0xB2, 0xC9, 0xE9, 0xE4, 0x4E, 0xA4, 0xD3, 0xBF, 0x94, 0x12, 0x36, 0x30, 0xD0, 0x7F}, // 13.0.0.
     {0xEC, 0x5E, 0xB5, 0x11, 0xD5, 0x43, 0x1E, 0x6A, 0x4E, 0x54, 0x6F, 0xD4, 0xD3, 0x22, 0xCE, 0x87}, // 14.0.0.
     {0x18, 0xA5, 0x6F, 0xEF, 0x72, 0x11, 0x62, 0xC5, 0x1A, 0x14, 0xF1, 0x8C, 0x21, 0x83, 0x27, 0xB7}, // 15.0.0.
+    {0x3A, 0x9C, 0xF0, 0x39, 0x70, 0x23, 0xF6, 0xAF, 0x71, 0x44, 0x60, 0xF4, 0x6D, 0xED, 0xA1, 0xD6}, // 16.0.0.
 }; //!TODO: Update on mkey changes.

From d625847124652ee8a69bc335adcbdf8be144b4f8 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Wed, 22 Feb 2023 16:18:38 -0800
Subject: [PATCH 21/21] Bump version to v1.9.10

---
 Versions.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Versions.inc b/Versions.inc
index dd0b543..5733cf3 100644
--- a/Versions.inc
+++ b/Versions.inc
@@ -1,5 +1,5 @@
 # LP Version.
 LPVERSION_MAJOR := 1
 LPVERSION_MINOR := 9
-LPVERSION_BUGFX := 9
+LPVERSION_BUGFX := 10
 LPVERSION_RSVD := 0