diff --git a/Versions.inc b/Versions.inc index 5733cf3..539334e 100644 --- a/Versions.inc +++ b/Versions.inc @@ -1,5 +1,5 @@ # LP Version. LPVERSION_MAJOR := 1 LPVERSION_MINOR := 9 -LPVERSION_BUGFX := 10 +LPVERSION_BUGFX := 7 LPVERSION_RSVD := 0 diff --git a/bdk/libs/nx_savedata/header.h b/bdk/libs/nx_savedata/header.h index 76e4c31..4a6e259 100644 --- a/bdk/libs/nx_savedata/header.h +++ b/bdk/libs/nx_savedata/header.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2022 shchmue + * Copyright (c) 2019-2020 shchmue * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, diff --git a/bdk/libs/nx_savedata/remap_storage.h b/bdk/libs/nx_savedata/remap_storage.h index fc048a3..2917775 100644 --- a/bdk/libs/nx_savedata/remap_storage.h +++ b/bdk/libs/nx_savedata/remap_storage.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2022 shchmue + * Copyright (c) 2019-2020 shchmue * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, diff --git a/bdk/libs/nx_savedata/save_fs_list.h b/bdk/libs/nx_savedata/save_fs_list.h index da98736..72b4e4b 100644 --- a/bdk/libs/nx_savedata/save_fs_list.h +++ b/bdk/libs/nx_savedata/save_fs_list.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2022 shchmue + * Copyright (c) 2019-2020 shchmue * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, diff --git a/bdk/sec/se.c b/bdk/sec/se.c index 5c2a391..45652dc 100644 --- a/bdk/sec/se.c +++ b/bdk/sec/se.c @@ -718,6 +718,76 @@ out:; return res; } +// _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère +static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size) +{ + u8 cur_hash[0x20] __attribute__((aligned(4))); + u8 hash_buf[0xe4] __attribute__((aligned(4))); + + u32 hash_buf_size = seed_size + 4; + memcpy(hash_buf, seed, seed_size); + u32 round_num = 0; + + u8 *p_out = (u8 *)masked; + + while (masked_size) { + u32 cur_size = MIN(masked_size, 0x20); + + for (u32 i = 0; i < 4; i++) + hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff; + round_num++; + + se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size); + + for (unsigned int i = 0; i < cur_size; i++) { + *p_out ^= cur_hash[i]; + p_out++; + } + + masked_size -= cur_size; + } +} + +u32 se_rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size) +{ + if (dst_size <= 0 || buf_size < 0x43 || label_digest_size != 0x20) + return 0; + + bool is_valid = buf[0] == 0; + + u32 db_len = buf_size - 0x21; + u8 *seed = buf + 1; + u8 *db = seed + 0x20; + _mgf1_xor(seed, 0x20, db, db_len); + _mgf1_xor(db, db_len, seed, 0x20); + + is_valid &= memcmp(label_digest, db, 0x20) ? 0 : 1; + + db += 0x20; + db_len -= 0x20; + + int msg_ofs = 0; + int looking_for_one = 1; + int invalid_db_padding = 0; + int is_zero; + int is_one; + for (int i = 0; i < db_len; ) + { + is_zero = (db[i] == 0); + is_one = (db[i] == 1); + msg_ofs += (looking_for_one & is_one) * (++i); + looking_for_one &= ~is_one; + invalid_db_padding |= (looking_for_one & ~is_zero); + } + + is_valid &= (invalid_db_padding == 0); + + const u32 msg_size = MIN(dst_size, is_valid * (db_len - msg_ofs)); + memcpy(dst, db + msg_ofs, msg_size); + + return msg_size; +} + void se_get_aes_keys(u8 *buf, u8 *keys, u32 keysize) { u8 *aligned_buf = (u8 *)ALIGN((u32)buf, 0x40); diff --git a/bdk/sec/se.h b/bdk/sec/se.h index 1bb435d..2a2f8cd 100644 --- a/bdk/sec/se.h +++ b/bdk/sec/se.h @@ -49,5 +49,6 @@ int se_calc_sha256(void *hash, u32 *msg_left, const void *src, u32 src_size, u64 int se_calc_sha256_oneshot(void *hash, const void *src, u32 src_size); int se_calc_sha256_finalize(void *hash, u32 *msg_left); int se_calc_hmac_sha256(void *dst, const void *src, u32 src_size, const void *key, u32 key_size); +u32 se_rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size); #endif diff --git a/bdk/utils/util.c b/bdk/utils/util.c index bf30929..1fae04e 100644 --- a/bdk/utils/util.c +++ b/bdk/utils/util.c @@ -1,7 +1,6 @@ /* * Copyright (c) 2018 naehrwert * Copyright (c) 2018-2020 CTCaer -# Copyright (c) 2022 shchmue * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, diff --git a/bdk/utils/util.h b/bdk/utils/util.h index d27d52d..972a906 100644 --- a/bdk/utils/util.h +++ b/bdk/utils/util.h @@ -96,4 +96,5 @@ void panic(u32 val); void power_set_state(power_state_t state); void power_set_state_ex(void *param); + #endif diff --git a/source/gfx/tui.c b/source/gfx/tui.c index ec6c08a..6d0e6b4 100644 --- a/source/gfx/tui.c +++ b/source/gfx/tui.c @@ -135,7 +135,7 @@ void *tui_do_menu(menu_t *menu) gfx_con_setcol(0xFF1B1B1B, 1, 0xFFCCCCCC); else gfx_con_setcol(0xFFCCCCCC, 1, 0xFF1B1B1B); - if (menu->ents[cnt].type != MENT_CHGLINE) + if (menu->ents[cnt].type != MENT_CHGLINE && menu->ents[cnt].type != MENT_MENU) { if (cnt == idx) gfx_printf(" %s", menu->ents[cnt].caption); diff --git a/source/gfx/tui.h b/source/gfx/tui.h index 98330b6..6f02781 100644 --- a/source/gfx/tui.h +++ b/source/gfx/tui.h @@ -54,8 +54,8 @@ typedef struct _menu_t #define MDEF_END() {MENT_END} #define MDEF_HANDLER(caption, _handler, color) { MENT_HANDLER, caption, color, NULL, { .handler = _handler } } #define MDEF_HANDLER_EX(caption, data, _handler, color) { MENT_HANDLER, caption, color, data, { .handler = _handler } } -#define MDEF_MENU(caption, _menu, color) { MENT_MENU, caption, color, NULL, { .menu = _menu } } -#define MDEF_BACK(color) { MENT_BACK, "Back", color } +#define MDEF_MENU(caption, _menu) { MENT_MENU, caption, 0, NULL, { .menu = _menu } } +#define MDEF_BACK() { MENT_BACK, "Back" } #define MDEF_CAPTION(caption, color) { MENT_CAPTION, caption, color } #define MDEF_CHGLINE() {MENT_CHGLINE} diff --git a/source/hos/hos.h b/source/hos/hos.h index 17d9a56..b4111c7 100644 --- a/source/hos/hos.h +++ b/source/hos/hos.h @@ -34,8 +34,6 @@ #define KB_FIRMWARE_VERSION_1210 11 #define KB_FIRMWARE_VERSION_1300 12 #define KB_FIRMWARE_VERSION_1400 13 -#define KB_FIRMWARE_VERSION_1500 14 -#define KB_FIRMWARE_VERSION_1600 15 -#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_1600 //!TODO: Update on mkey changes. +#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_1400 //!TODO: Update on mkey changes. #endif diff --git a/source/keys/cal0_read.c b/source/keys/cal0_read.c deleted file mode 100644 index 9b0c4fd..0000000 --- a/source/keys/cal0_read.c +++ /dev/null @@ -1,96 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "cal0_read.h" - -#include -#include -#include -#include "../storage/emummc.h" -#include "../storage/nx_emmc.h" -#include - -bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer) { - nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer; - - // Check if CAL0 was already read into this buffer - if (cal0->magic == MAGIC_CAL0) { - return true; - } - - if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) { - EPRINTF("Unable to read PRODINFO."); - return false; - } - - se_aes_xts_crypt(tweak_ks, crypt_ks, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE); - - if (cal0->magic != MAGIC_CAL0) { - EPRINTF("Invalid CAL0 magic. Check BIS key 0."); - return false; - } - - return true; -} - -bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) { - const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key); - const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39); - const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key); - const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad18); - - if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, ext_key_crc_size)) { - *out_key = cal0->ext_ssl_key; - *out_key_size = ext_key_size; - *out_iv = cal0->ext_ssl_key_iv; - // Settings sysmodule manually zeroes this out below cal version 9 - *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver; - } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) { - *out_key = cal0->ssl_key; - *out_key_size = key_size; - *out_iv = cal0->ssl_key_iv; - *out_generation = 0; - } else { - EPRINTF("Crc16 error reading device key."); - return false; - } - return true; -} - - -bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) { - const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key); - const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38); - const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key); - const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad21); - - if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) { - *out_key = cal0->ext_ecc_rsa2048_eticket_key; - *out_key_size = ext_key_size; - *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv; - // Settings sysmodule manually zeroes this out below cal version 9 - *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver; - } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) { - *out_key = cal0->rsa2048_eticket_key; - *out_key_size = key_size; - *out_iv = cal0->rsa2048_eticket_key_iv; - *out_generation = 0; - } else { - EPRINTF("Crc16 error reading device key."); - return false; - } - return true; -} diff --git a/source/keys/cal0_read.h b/source/keys/cal0_read.h deleted file mode 100644 index 2ab1ae1..0000000 --- a/source/keys/cal0_read.h +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#ifndef _CAL0_READ_H_ -#define _CAL0_READ_H_ - -#include "../storage/nx_emmc_bis.h" -#include - -bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer); -bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation); -bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation); - -#endif diff --git a/source/keys/crypto.c b/source/keys/crypto.c deleted file mode 100644 index 3e766c1..0000000 --- a/source/keys/crypto.c +++ /dev/null @@ -1,244 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * Copyright (c) 2018 Atmosphère-NX - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "crypto.h" - -#include "../../keygen/tsec_keygen.h" - -#include "../config.h" -#include "../hos/hos.h" -#include -#include -#include -#include -#include - -#include - -extern hekate_config h_cfg; - -int key_exists(const void *data) { - return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0; -} - -int run_ams_keygen() { - tsec_ctxt_t tsec_ctxt; - tsec_ctxt.fw = tsec_keygen; - tsec_ctxt.size = sizeof(tsec_keygen); - tsec_ctxt.type = TSEC_FW_TYPE_NEW; - - u32 retries = 0; - u32 temp_key[SE_KEY_128_SIZE / 4]; - while (tsec_query(temp_key, &tsec_ctxt) < 0) { - retries++; - if (retries > 15) { - return -1; - } - } - - return 0; -} - -bool check_keyslot_access() { - u8 test_data[SE_KEY_128_SIZE] = {0}; - const u8 test_ciphertext[SE_KEY_128_SIZE] = {0}; - se_aes_key_set(KS_AES_ECB, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE); - se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, test_data, test_ciphertext); - - return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0; -} - -bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) { - u32 plaintext[SE_RSA2048_DIGEST_SIZE / 4] = {0}, - ciphertext[SE_RSA2048_DIGEST_SIZE / 4] = {0}, - work[SE_RSA2048_DIGEST_SIZE / 4] = {0}; - - plaintext[63] = 0xCAFEBABE; - - se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, private_exponent, SE_RSA2048_DIGEST_SIZE); - se_rsa_exp_mod(0, ciphertext, SE_RSA2048_DIGEST_SIZE, plaintext, SE_RSA2048_DIGEST_SIZE); - - se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, public_exponent, 4); - se_rsa_exp_mod(0, work, SE_RSA2048_DIGEST_SIZE, ciphertext, SE_RSA2048_DIGEST_SIZE); - - return memcmp(plaintext, work, SE_RSA2048_DIGEST_SIZE) == 0; -} - -// _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère -static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size) { - u8 cur_hash[0x20] __attribute__((aligned(4))); - u8 hash_buf[0xe4] __attribute__((aligned(4))); - - u32 hash_buf_size = seed_size + 4; - memcpy(hash_buf, seed, seed_size); - u32 round_num = 0; - - u8 *p_out = (u8 *)masked; - - while (masked_size) { - u32 cur_size = MIN(masked_size, 0x20); - - for (u32 i = 0; i < 4; i++) - hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff; - round_num++; - - se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size); - - for (unsigned int i = 0; i < cur_size; i++) { - *p_out ^= cur_hash[i]; - p_out++; - } - - masked_size -= cur_size; - } -} - -u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size) { - if (dst_size <= 0 || buf_size < 0x43 || label_digest_size != 0x20) - return 0; - - bool is_valid = buf[0] == 0; - - u32 db_len = buf_size - 0x21; - u8 *seed = buf + 1; - u8 *db = seed + 0x20; - _mgf1_xor(seed, 0x20, db, db_len); - _mgf1_xor(db, db_len, seed, 0x20); - - is_valid &= memcmp(label_digest, db, 0x20) ? 0 : 1; - - db += 0x20; - db_len -= 0x20; - - int msg_ofs = 0; - int looking_for_one = 1; - int invalid_db_padding = 0; - int is_zero; - int is_one; - for (int i = 0; i < db_len; ) { - is_zero = (db[i] == 0); - is_one = (db[i] == 1); - msg_ofs += (looking_for_one & is_one) * (++i); - looking_for_one &= ~is_one; - invalid_db_padding |= (looking_for_one & ~is_zero); - } - - is_valid &= (invalid_db_padding == 0); - - const u32 msg_size = MIN(dst_size, is_valid * (db_len - msg_ofs)); - memcpy(dst, db + msg_ofs, msg_size); - - return msg_size; -} - -void derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) { - u32 access_key[SE_KEY_128_SIZE / 4] = {0}; - generate_aes_kek(ks, keys, access_key, kekek_source, generation, option); - get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source); -} - -// Equivalent to spl::GenerateAesKek -void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) { - bool device_unique = GET_IS_DEVICE_UNIQUE(option); - u32 seal_key_index = GET_SEAL_KEY_INDEX(option); - - if (generation) - generation--; - - u8 static_source[SE_KEY_128_SIZE] __attribute__((aligned(4))); - for (u32 i = 0; i < SE_KEY_128_SIZE; i++) - static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i]; - - if (device_unique) { - get_device_key(ks, keys, keys->temp_key, generation); - } else { - memcpy(keys->temp_key, keys->master_key[generation], sizeof(keys->temp_key)); - } - se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE); - se_aes_unwrap_key(ks, ks, static_source); - se_aes_crypt_block_ecb(ks, DECRYPT, out_kek, kek_source); -} - -// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key -void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source) { - se_aes_key_set(ks, access_key, SE_KEY_128_SIZE); - se_aes_crypt_block_ecb(ks, DECRYPT, out_key, key_source); -} - -// Equivalent to spl::GenerateAesKey -void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) { - u32 aes_key[SE_KEY_128_SIZE / 4] = {0}; - load_aes_key(ks, aes_key, access_key, aes_key_generation_source); - se_aes_key_set(ks, aes_key, SE_KEY_128_SIZE); - se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size); -} - -// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing -void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source) { - load_aes_key(ks, out_key, access_key, key_source); -} - -// Equivalent to spl::DecryptAesKey. -void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) { - u32 access_key[SE_KEY_128_SIZE / 4] = {0}; - generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option); - generate_aes_key(ks, keys, out_key, SE_KEY_128_SIZE, access_key, key_source); -} - -// Equivalent to smc::GetSecureData -void get_secure_data(key_storage_t *keys, void *out_data) { - se_aes_key_set(KS_AES_CTR, keys->device_key, SE_KEY_128_SIZE); - u8 *d = (u8 *)out_data; - se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 0, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]); - se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 1, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]); - - // Apply tweak - for (u32 i = 0; i < SE_KEY_128_SIZE; i++) { - d[SE_KEY_128_SIZE + i] ^= secure_data_tweaks[0][i]; - } -} - -// Equivalent to spl::GenerateSpecificAesKey -void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation) { - if (fuse_read_bootrom_rev() >= 0x7F) { - get_device_key(ks, keys, keys->temp_key, generation == 0 ? 0 : generation - 1); - se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE); - se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source); - se_aes_crypt_ecb(ks, DECRYPT, out_key, SE_KEY_128_SIZE * 2, key_source, SE_KEY_128_SIZE * 2); - } else { - get_secure_data(keys, out_key); - } -} - -void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation) { - if (generation == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) { - memcpy(out_device_key, keys->device_key, SE_KEY_128_SIZE); - return; - } - - if (generation >= KB_FIRMWARE_VERSION_400) { - generation -= KB_FIRMWARE_VERSION_400; - } else { - generation = 0; - } - u32 temp_key_source[SE_KEY_128_SIZE / 4] = {0}; - load_aes_key(ks, temp_key_source, keys->device_key_4x, device_master_key_source_sources[generation]); - const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[generation] : device_master_kek_sources_dev[generation]; - se_aes_key_set(ks, keys->master_key[0], SE_KEY_128_SIZE); - se_aes_unwrap_key(ks, ks, kek_source); - se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source); -} diff --git a/source/keys/crypto.h b/source/keys/crypto.h deleted file mode 100644 index f2da17d..0000000 --- a/source/keys/crypto.h +++ /dev/null @@ -1,240 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#ifndef _CRYPTO_H_ -#define _CRYPTO_H_ - -#include "es_types.h" - -#include "../hos/hos.h" -#include -#include "../storage/nx_emmc.h" -#include - -#include - -// Sha256 hash of the null string. -static const u8 null_hash[SE_SHA_256_SIZE] __attribute__((aligned(4))) = { - 0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24, - 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55}; - -static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = { - 0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9}; - -static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = { - 0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8}; - -static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = { - 0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E}; - -static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { - {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0 Device Master Kek Source. */ - {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0 Device Master Kek Source. */ - {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0 Device Master Kek Source. */ - {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0 Device Master Kek Source. */ - {0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0 Device Master Kek Source. */ - {0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0 Device Master Kek Source. */ - {0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0 Device Master Kek Source. */ - {0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0 Device Master Kek Source. */ - {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */ - {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */ - {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */ - {0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */ - {0xF0, 0xF3, 0xFF, 0x52, 0x75, 0x2F, 0xBA, 0x4D, 0x09, 0x72, 0x30, 0x89, 0xA9, 0xDF, 0xFE, 0x1F}, /* 16.0.0 Device Master Kek Source. */ -}; //!TODO: Update on mkey changes. - -static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { - {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0 Device Master Kek Source. */ - {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0 Device Master Kek Source. */ - {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0 Device Master Kek Source. */ - {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0 Device Master Kek Source. */ - {0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0 Device Master Kek Source. */ - {0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0 Device Master Kek Source. */ - {0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0 Device Master Kek Source. */ - {0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0 Device Master Kek Source. */ - {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */ - {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */ - {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */ - {0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */ - {0xFF, 0xF6, 0x4B, 0x0F, 0xFF, 0x0D, 0xC0, 0x4F, 0x56, 0x8A, 0x40, 0x74, 0x67, 0xC5, 0xFE, 0x9F}, /* 16.0.0 Device Master Kek Source. */ -}; //!TODO: Update on mkey changes. - -static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { - {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0 Device Master Key Source Source. */ - {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0 Device Master Key Source Source. */ - {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0 Device Master Key Source Source. */ - {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0 Device Master Key Source Source. */ - {0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0 Device Master Key Source Source. */ - {0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0 Device Master Key Source Source. */ - {0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0 Device Master Key Source Source. */ - {0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0 Device Master Key Source Source. */ - {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */ - {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */ - {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ - {0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */ - {0xEA, 0x90, 0x6E, 0xA8, 0xAE, 0x92, 0x99, 0x64, 0x36, 0xC1, 0xF3, 0x1C, 0xC6, 0x32, 0x83, 0x8C}, /* 16.0.0 Device Master Key Source Source. */ -}; //!TODO: Update on mkey changes. - -static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = { - {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // SealKey_LoadAesKey - {0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}, // SealKey_DecryptDeviceUniqueData - {0x57, 0xE2, 0xD9, 0x45, 0xE4, 0x92, 0xF4, 0xFD, 0xC3, 0xF9, 0x86, 0x38, 0x89, 0x78, 0x9F, 0x3C}, // SealKey_ImportLotusKey - {0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}, // SealKey_ImportEsDeviceKey - {0x59, 0xD9, 0x31, 0xF4, 0xA7, 0x97, 0xB8, 0x14, 0x40, 0xD6, 0xA2, 0x60, 0x2B, 0xED, 0x15, 0x31}, // SealKey_ReencryptDeviceUniqueData - {0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75}, // SealKey_ImportSslKey - {0x89, 0x96, 0x43, 0x9A, 0x7C, 0xD5, 0x59, 0x55, 0x24, 0xD5, 0x24, 0x18, 0xAB, 0x6C, 0x04, 0x61}, // SealKey_ImportEsClientCertKey -}; - -static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = { - 0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95}; - -static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; - -static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = { - {0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9} -}; - -static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = { - {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E} -}; - - //!TODO: Update on keygen changes. -#define TSEC_ROOT_KEY_VERSION 2 - -// Lockpick_RCM keyslots -#define KS_BIS_00_CRYPT 0 -#define KS_BIS_00_TWEAK 1 -#define KS_BIS_01_CRYPT 2 -#define KS_BIS_01_TWEAK 3 -#define KS_BIS_02_CRYPT 4 -#define KS_BIS_02_TWEAK 5 -#define KS_AES_CTR 6 -#define KS_AES_ECB 8 -#define KS_AES_CMAC 10 - -// Mariko keyslots -#define KS_MARIKO_KEK 12 -#define KS_MARIKO_BEK 13 - -// Other Switch keyslots -#define KS_TSEC 12 -#define KS_SECURE_BOOT 14 - -// Atmosphere keygen keyslots -#define KS_TSEC_ROOT_DEV 11 -#define KS_TSEC_ROOT 13 - -#define RSA_PUBLIC_EXPONENT 65537 - -#define KEYBLOB_UNK_DATA_SIZE 0x70 -#define KEYBLOB_UNUSED_SIZE (NX_EMMC_BLOCKSIZE - SE_AES_CMAC_DIGEST_SIZE - SE_AES_IV_SIZE - sizeof(keyblob_t)) - -typedef struct { - u8 master_kek[SE_KEY_128_SIZE]; - u8 data[KEYBLOB_UNK_DATA_SIZE]; - u8 package1_key[SE_KEY_128_SIZE]; -} keyblob_t; - -typedef struct { - u8 cmac[SE_AES_CMAC_DIGEST_SIZE]; - u8 iv[SE_AES_IV_SIZE]; - keyblob_t key_data; - u8 unused[KEYBLOB_UNUSED_SIZE]; -} encrypted_keyblob_t; - -typedef struct { - u8 temp_key[SE_KEY_128_SIZE], - bis_key[4][SE_KEY_128_SIZE * 2], - device_key[SE_KEY_128_SIZE], - device_key_4x[SE_KEY_128_SIZE], - sd_seed[SE_KEY_128_SIZE], - // FS-related keys - header_key[SE_KEY_128_SIZE * 2], - save_mac_key[SE_KEY_128_SIZE], - // other sysmodule keys - eticket_rsa_kek[SE_KEY_128_SIZE], - eticket_rsa_kek_personalized[SE_KEY_128_SIZE], - ssl_rsa_kek[SE_KEY_128_SIZE], - ssl_rsa_kek_legacy[SE_KEY_128_SIZE], - ssl_rsa_kek_personalized[SE_KEY_128_SIZE], - ssl_rsa_key[SE_RSA2048_DIGEST_SIZE + 0x20], - // keyblob-derived families - keyblob_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE], - keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE], - package1_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE], - // master key-derived families - key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], - master_kek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], - master_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], - package2_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], - titlekek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE], - tsec_key[SE_KEY_128_SIZE], - tsec_root_key[SE_KEY_128_SIZE]; - u32 secure_boot_key[4]; - keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1]; - eticket_rsa_keypair_t eticket_rsa_keypair; -} key_storage_t; - -typedef enum { - SEAL_KEY_LOAD_AES_KEY = 0, - SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA = 1, - SEAL_KEY_IMPORT_LOTUS_KEY = 2, - SEAL_KEY_IMPORT_ES_DEVICE_KEY = 3, - SEAL_KEY_REENCRYPT_DEVICE_UNIQUE_DATA = 4, - SEAL_KEY_IMPORT_SSL_KEY = 5, - SEAL_KEY_IMPORT_ES_CLIENT_CERT_KEY = 6, -} seal_key_t; - -typedef enum { - NOT_DEVICE_UNIQUE = 0, - IS_DEVICE_UNIQUE = 1, -} device_unique_t; - -#define SET_SEAL_KEY_INDEX(x) (((x) & 7) << 5) -#define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7) -#define GET_IS_DEVICE_UNIQUE(x) ((x) & 1) - -int key_exists(const void *data); - -int run_ams_keygen(); - -bool check_keyslot_access(); - -bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus); -u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size); - -void derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option); - -// Equivalent to spl::GenerateAesKek -void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option); -// Equivalent to spl::GenerateAesKey -void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source); -// Equivalent to spl::GenerateSpecificAesKey -void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation); -// Equivalent to spl::DecryptAesKey. -void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option); -// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key -void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source); - -// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing -void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source); -// Equivalent to smc::GetSecureData -void get_secure_data(key_storage_t *keys, void *out_data); -// Equivalent to smc::PrepareDeviceMasterKey -void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation); - -#endif diff --git a/source/keys/es_crypto.c b/source/keys/es_crypto.c deleted file mode 100644 index f31b46a..0000000 --- a/source/keys/es_crypto.c +++ /dev/null @@ -1,146 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "es_crypto.h" - -#include "cal0_read.h" - -#include "../config.h" -#include -#include "../gfx/tui.h" -#include -#include -#include - -#include - -extern hekate_config h_cfg; - -bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair) { - if (byte_swap_32(keypair->public_exponent) != RSA_PUBLIC_EXPONENT) - return false; - return test_rsa_keypair(&keypair->public_exponent, keypair->private_exponent, keypair->modulus); -} - -void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation, bool is_dev) { - if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) { - return; - } - - const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source; - const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE; - derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option); -} - -void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek) { - if (!key_exists(keys->master_key[0])) { - return; - } - - const u32 generation = 0; - const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE; - derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option); -} - -void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev) { - if (!key_exists(keys->master_key[0])) { - return; - } - - const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source; - const u32 generation = 0; - const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE; - derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option); -} - -bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev) { - if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) { - return false; - } - - nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer; - u32 generation = 0; - const void *encrypted_key = NULL; - const void *iv = NULL; - u32 key_size = 0; - void *ctr_key = NULL; - - if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { - return false; - } - - // Handle legacy case - if (key_size == ETICKET_RSA_KEYPAIR_SIZE) { - u32 temp_key[SE_KEY_128_SIZE / 4] = {0}; - es_derive_rsa_kek_legacy(keys, temp_key); - ctr_key = temp_key; - - se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); - se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv); - - if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { - memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek)); - return true; - } - // Fall through and try usual method if not applicable - } - - if (generation) { - es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev); - ctr_key = keys->eticket_rsa_kek_personalized; - } else { - ctr_key = keys->eticket_rsa_kek; - } - - se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); - se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv); - - if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) { - EPRINTF("Invalid eticket keypair."); - memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair)); - return false; - } - - return true; -} - -void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) { - ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer; - for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) { - minerva_periodic_training(); - *pct = (total - remaining) * 100 / total; - if (*pct > *last_pct && *pct <= 100) { - *last_pct = *pct; - tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500); - } - - // This is in case an encrypted volatile ticket is left behind - if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256) - continue; - - u8 *curr_titlekey = curr_ticket->titlekey_block; - const u32 block_size = SE_RSA2048_DIGEST_SIZE; - const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]); - if (is_personalized) { - se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size); - if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size) - continue; - } - memcpy(titlekey_buffer->rights_ids[*titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0])); - memcpy(titlekey_buffer->titlekeys[*titlekey_count], curr_titlekey, titlekey_size); - (*titlekey_count)++; - } -} diff --git a/source/keys/es_crypto.h b/source/keys/es_crypto.h deleted file mode 100644 index 03c777b..0000000 --- a/source/keys/es_crypto.h +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#ifndef _ES_CRYPTO_H_ -#define _ES_CRYPTO_H_ - -#include "crypto.h" -#include "es_types.h" - -#include -#include - -#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE) - -#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004 - -static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = { - 0xDB, 0xA4, 0x51, 0x12, 0x4C, 0xA0, 0xA9, 0x83, 0x68, 0x14, 0xF5, 0xED, 0x95, 0xE3, 0x12, 0x5B}; -static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = { - 0xBE, 0xC0, 0xBC, 0x8E, 0x75, 0xA0, 0xF6, 0x0C, 0x4A, 0x56, 0x64, 0x02, 0x3E, 0xD4, 0x9C, 0xD5}; -static const u8 eticket_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = { - 0x88, 0x87, 0x50, 0x90, 0xA6, 0x2F, 0x75, 0x70, 0xA2, 0xD7, 0x71, 0x51, 0xAE, 0x6D, 0x39, 0x87}; -static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = { - 0x46, 0x6E, 0x57, 0xB7, 0x4A, 0x44, 0x7F, 0x02, 0xF3, 0x21, 0xCD, 0xE5, 0x8F, 0x2F, 0x55, 0x35}; - -bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair); - -void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation, bool is_dev); -void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek); -void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev); - -bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev); - -void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized); - -#endif diff --git a/source/keys/es_types.h b/source/keys/es_types.h deleted file mode 100644 index 2dca8dc..0000000 --- a/source/keys/es_types.h +++ /dev/null @@ -1,76 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#ifndef _ES_TYPES_H_ -#define _ES_TYPES_H_ - -#include -#include - -typedef struct { - u8 private_exponent[SE_RSA2048_DIGEST_SIZE]; - u8 modulus[SE_RSA2048_DIGEST_SIZE]; - u32 public_exponent; - u8 reserved[0xC]; -} eticket_rsa_keypair_t; - -// only tickets of type Rsa2048Sha256 are expected -typedef struct { - u32 signature_type; // always 0x10004 - u8 signature[SE_RSA2048_DIGEST_SIZE]; - u8 sig_padding[0x3C]; - char issuer[0x40]; - u8 titlekey_block[SE_RSA2048_DIGEST_SIZE]; - u8 format_version; - u8 titlekey_type; - u16 ticket_version; - u8 license_type; - u8 common_key_id; - u16 property_mask; - u64 reserved; - u64 ticket_id; - u64 device_id; - u8 rights_id[0x10]; - u32 account_id; - u32 sect_total_size; - u32 sect_hdr_offset; - u16 sect_hdr_count; - u16 sect_hdr_entry_size; - u8 padding[0x140]; -} ticket_t; - -typedef struct { - u8 rights_id[0x10]; - u64 ticket_id; - u32 account_id; - u16 property_mask; - u16 reserved; -} ticket_record_t; - -typedef struct { - u8 read_buffer[SZ_256K]; - u8 rights_ids[SZ_256K / 0x10][0x10]; - u8 titlekeys[SZ_256K / 0x10][0x10]; -} titlekey_buffer_t; - -typedef struct { - char rights_id[0x20]; - char equals[3]; - char titlekey[0x20]; - char newline[1]; -} titlekey_text_buffer_t; - -#endif diff --git a/source/keys/fs_crypto.c b/source/keys/fs_crypto.c deleted file mode 100644 index 359237f..0000000 --- a/source/keys/fs_crypto.c +++ /dev/null @@ -1,69 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "fs_crypto.h" - -#include "../config.h" -#include - -#include - -extern hekate_config h_cfg; - -void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation) { - if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) { - return; - } - - generate_specific_aes_key(KS_AES_ECB, keys, out_bis_keys[0], bis_key_sources[0], generation); - u32 access_key[SE_KEY_128_SIZE / 4] = {0}; - const u32 option = IS_DEVICE_UNIQUE; - generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option); - generate_aes_key(KS_AES_ECB, keys, out_bis_keys[1], sizeof(bis_key_sources[1]), access_key, bis_key_sources[1]); - generate_aes_key(KS_AES_ECB, keys, out_bis_keys[2], sizeof(bis_key_sources[2]), access_key, bis_key_sources[2]); - memcpy(out_bis_keys[3], out_bis_keys[2], sizeof(bis_key_sources[2])); -} - -void fs_derive_header_key(key_storage_t *keys, void *out_key) { - if (!key_exists(keys->master_key[0])) { - return; - } - - u32 access_key[SE_KEY_128_SIZE / 4] = {0}; - const u32 generation = 0; - const u32 option = NOT_DEVICE_UNIQUE; - generate_aes_kek(KS_AES_ECB, keys, access_key, header_kek_source, generation, option); - generate_aes_key(KS_AES_ECB, keys, out_key, sizeof(header_key_source), access_key, header_key_source); -} - -void fs_derive_key_area_key(key_storage_t *keys, void *out_key, u32 source_type, u32 generation) { - u32 access_key[SE_KEY_128_SIZE / 4] = {0}; - const u32 option = NOT_DEVICE_UNIQUE; - generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option); - load_aes_key(KS_AES_ECB, out_key, access_key, aes_key_generation_source); -} - -void fs_derive_save_mac_key(key_storage_t *keys, void *out_key) { - if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) { - return; - } - - u32 access_key[SE_KEY_128_SIZE / 4] = {0}; - const u32 generation = 0; - const u32 option = IS_DEVICE_UNIQUE; - generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option); - load_aes_key(KS_AES_ECB, out_key, access_key, save_mac_key_source); -} diff --git a/source/keys/fs_crypto.h b/source/keys/fs_crypto.h deleted file mode 100644 index f8ccdf7..0000000 --- a/source/keys/fs_crypto.h +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#ifndef _FS_CRYPTO_H_ -#define _FS_CRYPTO_H_ - -#include "crypto.h" - -#include - -static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = { - 0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F}; -static const u8 bis_key_sources[3][0x20] __attribute__((aligned(4))) = { - {0xF8, 0x3F, 0x38, 0x6E, 0x2C, 0xD2, 0xCA, 0x32, 0xA8, 0x9A, 0xB9, 0xAA, 0x29, 0xBF, 0xC7, 0x48, - 0x7D, 0x92, 0xB0, 0x3A, 0xA8, 0xBF, 0xDE, 0xE1, 0xA7, 0x4C, 0x3B, 0x6E, 0x35, 0xCB, 0x71, 0x06}, - {0x41, 0x00, 0x30, 0x49, 0xDD, 0xCC, 0xC0, 0x65, 0x64, 0x7A, 0x7E, 0xB4, 0x1E, 0xED, 0x9C, 0x5F, - 0x44, 0x42, 0x4E, 0xDA, 0xB4, 0x9D, 0xFC, 0xD9, 0x87, 0x77, 0x24, 0x9A, 0xDC, 0x9F, 0x7C, 0xA4}, - {0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C, - 0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4} -}; - -static const u8 header_kek_source[0x10] __attribute__((aligned(4))) = { - 0x1F, 0x12, 0x91, 0x3A, 0x4A, 0xCB, 0xF0, 0x0D, 0x4C, 0xDE, 0x3A, 0xF6, 0xD5, 0x23, 0x88, 0x2A}; -static const u8 header_key_source[0x20] __attribute__((aligned(4))) = { - 0x5A, 0x3E, 0xD8, 0x4F, 0xDE, 0xC0, 0xD8, 0x26, 0x31, 0xF7, 0xE2, 0x5D, 0x19, 0x7B, 0xF5, 0xD0, - 0x1C, 0x9B, 0x7B, 0xFA, 0xF6, 0x28, 0x18, 0x3D, 0x71, 0xF6, 0x4D, 0x73, 0xF1, 0x50, 0xB9, 0xD2}; - -static const u8 key_area_key_sources[3][0x10] __attribute__((aligned(4))) = { - {0x7F, 0x59, 0x97, 0x1E, 0x62, 0x9F, 0x36, 0xA1, 0x30, 0x98, 0x06, 0x6F, 0x21, 0x44, 0xC3, 0x0D}, // application - {0x32, 0x7D, 0x36, 0x08, 0x5A, 0xD1, 0x75, 0x8D, 0xAB, 0x4E, 0x6F, 0xBA, 0xA5, 0x55, 0xD8, 0x82}, // ocean - {0x87, 0x45, 0xF1, 0xBB, 0xA6, 0xBE, 0x79, 0x64, 0x7D, 0x04, 0x8B, 0xA6, 0x7B, 0x5F, 0xDA, 0x4A}, // system -}; - -static const u8 save_mac_kek_source[0x10] __attribute__((aligned(4))) = { - 0xD8, 0x9C, 0x23, 0x6E, 0xC9, 0x12, 0x4E, 0x43, 0xC8, 0x2B, 0x03, 0x87, 0x43, 0xF9, 0xCF, 0x1B}; -static const u8 save_mac_key_source[0x10] __attribute__((aligned(4))) = { - 0xE4, 0xCD, 0x3D, 0x4A, 0xD5, 0x0F, 0x74, 0x28, 0x45, 0xA4, 0x87, 0xE5, 0xA0, 0x63, 0xEA, 0x1F}; - -static const u8 save_mac_sd_card_kek_source[0x10] __attribute__((aligned(4))) = { - 0x04, 0x89, 0xEF, 0x5D, 0x32, 0x6E, 0x1A, 0x59, 0xC4, 0xB7, 0xAB, 0x8C, 0x36, 0x7A, 0xAB, 0x17}; -static const u8 save_mac_sd_card_key_source[0x10] __attribute__((aligned(4))) = { - 0x6F, 0x64, 0x59, 0x47, 0xC5, 0x61, 0x46, 0xF9, 0xFF, 0xA0, 0x45, 0xD5, 0x95, 0x33, 0x29, 0x18}; - -static const u8 sd_card_custom_storage_key_source[0x20] __attribute__((aligned(4))) = { - 0x37, 0x0C, 0x34, 0x5E, 0x12, 0xE4, 0xCE, 0xFE, 0x21, 0xB5, 0x8E, 0x64, 0xDB, 0x52, 0xAF, 0x35, - 0x4F, 0x2C, 0xA5, 0xA3, 0xFC, 0x99, 0x9A, 0x47, 0xC0, 0x3E, 0xE0, 0x04, 0x48, 0x5B, 0x2F, 0xD0}; -static const u8 sd_card_kek_source[0x10] __attribute__((aligned(4))) = { - 0x88, 0x35, 0x8D, 0x9C, 0x62, 0x9B, 0xA1, 0xA0, 0x01, 0x47, 0xDB, 0xE0, 0x62, 0x1B, 0x54, 0x32}; -static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = { - 0x58, 0x41, 0xA2, 0x84, 0x93, 0x5B, 0x56, 0x27, 0x8B, 0x8E, 0x1F, 0xC5, 0x18, 0xE9, 0x9F, 0x2B, - 0x67, 0xC7, 0x93, 0xF0, 0xF2, 0x4F, 0xDE, 0xD0, 0x75, 0x49, 0x5D, 0xCA, 0x00, 0x6D, 0x99, 0xC2}; -static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = { - 0x24, 0x49, 0xB7, 0x22, 0x72, 0x67, 0x03, 0xA8, 0x19, 0x65, 0xE6, 0xE3, 0xEA, 0x58, 0x2F, 0xDD, - 0x9A, 0x95, 0x15, 0x17, 0xB1, 0x6E, 0x8F, 0x7F, 0x1F, 0x68, 0x26, 0x31, 0x52, 0xEA, 0x29, 0x6A}; - -void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation); -void fs_derive_header_key(key_storage_t *keys, void *out_key); -void fs_derive_key_area_key(key_storage_t *keys, void *out_key, u32 source_type, u32 generation); -void fs_derive_save_mac_key(key_storage_t *keys, void *out_key); - -#endif diff --git a/source/keys/gmac.c b/source/keys/gmac.c deleted file mode 100644 index f8aea77..0000000 --- a/source/keys/gmac.c +++ /dev/null @@ -1,130 +0,0 @@ -/* - * Copyright (c) 2018-2020 Atmosphère-NX - * Copyright (c) 2019-2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "gmac.h" - -#include -#include - -#include -#include - -/* Shifts right a little endian 128-bit value. */ -static void _shr_128(uint64_t *val) { - val[0] >>= 1; - val[0] |= (val[1] & 1) << 63; - val[1] >>= 1; -} - -/* Shifts left a little endian 128-bit value. */ -static void _shl_128(uint64_t *val) { - val[1] <<= 1; - val[1] |= (val[0] & (1ull << 63)) >> 63; - val[0] <<= 1; -} - -/* Multiplies two 128-bit numbers X,Y in the GF(128) Galois Field. */ -static void _gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) { - uint8_t x_work[0x10]; - uint8_t y_work[0x10]; - uint8_t dst_work[0x10]; - - uint64_t *p_x = (uint64_t *)(&x_work[0]); - uint64_t *p_y = (uint64_t *)(&y_work[0]); - uint64_t *p_dst = (uint64_t *)(&dst_work[0]); - - /* Initialize buffers. */ - for (unsigned int i = 0; i < 0x10; i++) { - x_work[i] = x[0xF-i]; - y_work[i] = y[0xF-i]; - dst_work[i] = 0; - } - - /* Perform operation for each bit in y. */ - for (unsigned int round = 0; round < 0x80; round++) { - p_dst[0] ^= p_x[0] * ((y_work[0xF] & 0x80) >> 7); - p_dst[1] ^= p_x[1] * ((y_work[0xF] & 0x80) >> 7); - _shl_128(p_y); - uint8_t xval = 0xE1 * (x_work[0] & 1); - _shr_128(p_x); - x_work[0xF] ^= xval; - } - - for (unsigned int i = 0; i < 0x10; i++) { - dst[i] = dst_work[0xF-i]; - } -} - -static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt) { - uint8_t x[0x10] = {0}; - uint8_t h[0x10]; - - uint64_t *p_x = (uint64_t *)(&x[0]); - uint64_t *p_data = (uint64_t *)src; - - /* H = aes_ecb_encrypt(zeroes) */ - se_aes_crypt_block_ecb(ks, ENCRYPT, h, x); - - u64 total_size = src_size; - - while (src_size >= 0x10) { - /* X = (X ^ current_block) * H */ - p_x[0] ^= p_data[0]; - p_x[1] ^= p_data[1]; - _gf128_mul(x, x, h); - - /* Increment p_data by 0x10 bytes. */ - p_data += 2; - src_size -= 0x10; - } - - /* Nintendo's code *discards all data in the last block* if unaligned. */ - /* And treats that block as though it were all-zero. */ - /* This is a bug, they just forget to XOR with the copy of the last block they save. */ - if (src_size & 0xF) { - _gf128_mul(x, x, h); - } - - uint64_t xor_size = total_size << 3; - xor_size = __builtin_bswap64(xor_size); - - /* Due to a Nintendo bug, the wrong QWORD gets XOR'd in the "final output block" case. */ - if (encrypt) { - p_x[0] ^= xor_size; - } else { - p_x[1] ^= xor_size; - } - - _gf128_mul(x, x, h); - - /* If final output block, XOR with encrypted J block. */ - if (encrypt) { - se_aes_crypt_block_ecb(ks, ENCRYPT, h, j_block); - for (unsigned int i = 0; i < 0x10; i++) { - x[i] ^= h[i]; - } - } - /* Copy output. */ - memcpy(dst, x, 0x10); -} - -void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv) { - u32 j_block[4] = {0}; - se_aes_key_set(ks, key, 0x10); - _ghash(ks, j_block, iv, 0x10, NULL, false); - _ghash(ks, out_gmac, data, size, j_block, true); -} diff --git a/source/keys/gmac.h b/source/keys/gmac.h deleted file mode 100644 index 98b7bdc..0000000 --- a/source/keys/gmac.h +++ /dev/null @@ -1,24 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#ifndef _GMAC_H_ -#define _GMAC_H_ - -#include - -void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv); - -#endif diff --git a/source/keys/key_sources.inl b/source/keys/key_sources.inl index 042ffbb..9bfdbb0 100644 --- a/source/keys/key_sources.inl +++ b/source/keys/key_sources.inl @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2022 shchmue + * Copyright (c) 2019-2021 shchmue * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -14,6 +14,21 @@ * along with this program. If not, see . */ +// Sha256 hash of the null string. +static const u8 null_hash[0x20] __attribute__((aligned(4))) = { + 0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24, + 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55}; + +static const u8 keyblob_key_sources[][0x10] __attribute__((aligned(4))) = { + {0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3}, //1.0.0 + {0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC}, //3.0.0 + {0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B}, //3.0.1 + {0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE}, //4.0.0 + {0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80}, //5.0.0 + {0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0} //6.0.0 +}; + +//!TODO: Update on mkey changes. static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_620 + 1][0x10] __attribute__((aligned(4))) = { {0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0 {0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0 @@ -23,10 +38,9 @@ static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION {0x84, 0x67, 0xB6, 0x7F, 0x13, 0x11, 0xAE, 0xE6, 0x58, 0x9B, 0x19, 0xAF, 0x13, 0x6C, 0x80, 0x7A}, //12.1.0 {0x68, 0x3B, 0xCA, 0x54, 0xB8, 0x6F, 0x92, 0x48, 0xC3, 0x05, 0x76, 0x87, 0x88, 0x70, 0x79, 0x23}, //13.0.0 {0xF0, 0x13, 0x37, 0x9A, 0xD5, 0x63, 0x51, 0xC3, 0xB4, 0x96, 0x35, 0xBC, 0x9C, 0xE8, 0x76, 0x81}, //14.0.0 - {0x6E, 0x77, 0x86, 0xAC, 0x83, 0x0A, 0x8D, 0x3E, 0x7D, 0xB7, 0x66, 0xA0, 0x22, 0xB7, 0x6E, 0x67}, //15.0.0 - {0x99, 0x22, 0x09, 0x57, 0xA7, 0xF9, 0x5E, 0x94, 0xFE, 0x78, 0x7F, 0x41, 0xD6, 0xE7, 0x56, 0xE6}, //16.0.0 -}; //!TODO: Update on mkey changes. +}; +//!TODO: Update on mkey changes. static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = { {0x0C, 0xF0, 0x59, 0xAC, 0x85, 0xF6, 0x26, 0x65, 0xE1, 0xE9, 0x19, 0x55, 0xE6, 0xF2, 0x67, 0x3D}, /* Zeroes encrypted with Master Key 00. */ {0x29, 0x4C, 0x04, 0xC8, 0xEB, 0x10, 0xED, 0x9D, 0x51, 0x64, 0x97, 0xFB, 0xF3, 0x4D, 0x50, 0xDD}, /* Master key 00 encrypted with Master key 01. */ @@ -42,10 +56,9 @@ static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribut {0xC1, 0x8D, 0x16, 0xBB, 0x2A, 0xE4, 0x1D, 0xD4, 0xC2, 0xC1, 0xB6, 0x40, 0x94, 0x35, 0x63, 0x98}, /* Master key 0A encrypted with Master key 0B. */ {0xA3, 0x24, 0x65, 0x75, 0xEA, 0xCC, 0x6E, 0x8D, 0xFB, 0x5A, 0x16, 0x50, 0x74, 0xD2, 0x15, 0x06}, /* Master key 0B encrypted with Master key 0C. */ {0x83, 0x67, 0xAF, 0x01, 0xCF, 0x93, 0xA1, 0xAB, 0x80, 0x45, 0xF7, 0x3F, 0x72, 0xFD, 0x3B, 0x38}, /* Master key 0C encrypted with Master key 0D. */ - {0xB1, 0x81, 0xA6, 0x0D, 0x72, 0xC7, 0xEE, 0x15, 0x21, 0xF3, 0xC0, 0xB5, 0x6B, 0x61, 0x6D, 0xE7}, /* Master key 0D encrypted with Master key 0E. */ - {0xAF, 0x11, 0x4C, 0x67, 0x17, 0x7A, 0x52, 0x43, 0xF7, 0x70, 0x2F, 0xC7, 0xEF, 0x81, 0x72, 0x16}, /* Master key 0E encrypted with Master key 0F. */ -}; //!TODO: Update on mkey changes. +}; +//!TODO: Update on mkey changes. static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = { {0x46, 0x22, 0xB4, 0x51, 0x9A, 0x7E, 0xA7, 0x7F, 0x62, 0xA1, 0x1F, 0x8F, 0xC5, 0x3A, 0xDB, 0xFE}, /* Zeroes encrypted with Master Key 00. */ {0x39, 0x33, 0xF9, 0x31, 0xBA, 0xE4, 0xA7, 0x21, 0x2C, 0xDD, 0xB7, 0xD8, 0xB4, 0x4E, 0x37, 0x23}, /* Master key 00 encrypted with Master key 01. */ @@ -61,9 +74,7 @@ static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attr {0x21, 0x88, 0x6B, 0x10, 0x9E, 0x83, 0xD6, 0x52, 0xAB, 0x08, 0xDB, 0x6D, 0x39, 0xFF, 0x1C, 0x9C}, /* Master key 0A encrypted with Master key 0B. */ {0x8A, 0xCE, 0xC4, 0x7F, 0xBE, 0x08, 0x61, 0x88, 0xD3, 0x73, 0x64, 0x51, 0xE2, 0xB6, 0x53, 0x15}, /* Master key 0B encrypted with Master key 0C. */ {0x08, 0xE0, 0xF4, 0xBE, 0xAA, 0x6E, 0x5A, 0xC3, 0xA6, 0xBC, 0xFE, 0xB9, 0xE2, 0xA3, 0x24, 0x12}, /* Master key 0C encrypted with Master key 0D. */ - {0xD6, 0x80, 0x98, 0xC0, 0xFA, 0xC7, 0x13, 0xCB, 0x93, 0xD2, 0x0B, 0x82, 0x4C, 0xA1, 0x7B, 0x8D}, /* Master key 0D encrypted with Master key 0E. */ - {0x78, 0x66, 0x19, 0xBD, 0x86, 0xE7, 0xC1, 0x09, 0x9B, 0x6F, 0x92, 0xB2, 0x58, 0x7D, 0xCF, 0x26}, /* Master key 0E encrypted with Master key 0F. */ -}; //!TODO: Update on mkey changes. +}; static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = { {0x20, 0x9E, 0x97, 0xAE, 0xAF, 0x7E, 0x6A, 0xF6, 0x9E, 0xF5, 0xA7, 0x17, 0x2F, 0xF4, 0x49, 0xA6}, /* Zeroes encrypted with AES Class Key 00. */ @@ -82,22 +93,32 @@ static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = { {0x95, 0x48, 0xC1, 0x59, 0x0F, 0x84, 0x19, 0xC4, 0xAB, 0x69, 0x05, 0x88, 0x01, 0x31, 0x52, 0x59}, /* Zeroes encrypted with Mariko BEK. */ }; +//======================================Keys======================================// +// from Package1 -> Secure_Monitor +static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = { + 0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9}; +static const u8 aes_seal_key_mask_decrypt_device_unique_data[0x10] __attribute__((aligned(4))) = { + 0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}; +static const u8 aes_seal_key_mask_import_es_device_key[0x10] __attribute__((aligned(4))) = { + 0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}; static const u8 package2_key_source[0x10] __attribute__((aligned(4))) = { 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7}; static const u8 titlekek_source[0x10] __attribute__((aligned(4))) = { 0x1E, 0xDC, 0x7B, 0x3B, 0x60, 0xE6, 0xB4, 0xD8, 0x78, 0xB8, 0x17, 0x15, 0x98, 0x5E, 0x62, 0x9B}; - -static const u8 keyblob_key_sources[][0x10] __attribute__((aligned(4))) = { - {0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3}, //1.0.0 - {0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC}, //3.0.0 - {0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B}, //3.0.1 - {0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE}, //4.0.0 - {0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80}, //5.0.0 - {0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0} //6.0.0 +static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = { + 0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95}; +static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; +static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = { + {0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9} }; +static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = { + {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E} +}; + +// from Package1ldr (or Secure_Monitor on 6.2.0+) static const u8 keyblob_mac_key_source[0x10] __attribute__((aligned(4))) = { 0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5}; - static const u8 master_key_source[0x10] __attribute__((aligned(4))) = { 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C}; static const u8 per_console_key_source[0x10] __attribute__((aligned(4))) = { @@ -114,8 +135,6 @@ static const u8 mariko_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_ {0xE5, 0x41, 0xAC, 0xEC, 0xD1, 0xA7, 0xD1, 0xAB, 0xED, 0x03, 0x77, 0xF1, 0x27, 0xCA, 0xF8, 0xF1}, // 12.1.0. {0x52, 0x71, 0x9B, 0xDF, 0xA7, 0x8B, 0x61, 0xD8, 0xD5, 0x85, 0x11, 0xE4, 0x8E, 0x4F, 0x74, 0xC6}, // 13.0.0. {0xD2, 0x68, 0xC6, 0x53, 0x9D, 0x94, 0xF9, 0xA8, 0xA5, 0xA8, 0xA7, 0xC8, 0x8F, 0x53, 0x4B, 0x7A}, // 14.0.0. - {0xEC, 0x61, 0xBC, 0x82, 0x1E, 0x0F, 0x5A, 0xC3, 0x2B, 0x64, 0x3F, 0x9D, 0xD6, 0x19, 0x22, 0x2D}, // 15.0.0. - {0xA5, 0xEC, 0x16, 0x39, 0x1A, 0x30, 0x16, 0x08, 0x2E, 0xCF, 0x09, 0x6F, 0x5E, 0x7C, 0xEE, 0xA9}, // 16.0.0. }; //!TODO: Update on mkey changes. static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_600 + 1][0x10] __attribute__((aligned(4))) = { {0x32, 0xC0, 0x97, 0x6B, 0x63, 0x6D, 0x44, 0x64, 0xF2, 0x3A, 0xA5, 0xC0, 0xDE, 0x46, 0xCC, 0xE9}, // 6.0.0. @@ -127,6 +146,107 @@ static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW {0x75, 0x2D, 0x2E, 0xF3, 0x2F, 0x3F, 0xFE, 0x65, 0xF4, 0xA9, 0x83, 0xB4, 0xED, 0x42, 0x63, 0xBA}, // 12.1.0. {0x4D, 0x5A, 0xB2, 0xC9, 0xE9, 0xE4, 0x4E, 0xA4, 0xD3, 0xBF, 0x94, 0x12, 0x36, 0x30, 0xD0, 0x7F}, // 13.0.0. {0xEC, 0x5E, 0xB5, 0x11, 0xD5, 0x43, 0x1E, 0x6A, 0x4E, 0x54, 0x6F, 0xD4, 0xD3, 0x22, 0xCE, 0x87}, // 14.0.0. - {0x18, 0xA5, 0x6F, 0xEF, 0x72, 0x11, 0x62, 0xC5, 0x1A, 0x14, 0xF1, 0x8C, 0x21, 0x83, 0x27, 0xB7}, // 15.0.0. - {0x3A, 0x9C, 0xF0, 0x39, 0x70, 0x23, 0xF6, 0xAF, 0x71, 0x44, 0x60, 0xF4, 0x6D, 0xED, 0xA1, 0xD6}, // 16.0.0. }; //!TODO: Update on mkey changes. + +static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { + {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0 Device Master Key Source Source. */ + {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0 Device Master Key Source Source. */ + {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0 Device Master Key Source Source. */ + {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0 Device Master Key Source Source. */ + {0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0 Device Master Key Source Source. */ + {0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0 Device Master Key Source Source. */ + {0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0 Device Master Key Source Source. */ + {0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0 Device Master Key Source Source. */ + {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */ + {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */ + {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ +}; //!TODO: Update on mkey changes. + +// from ES +static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = { + 0XDB, 0XA4, 0X51, 0X12, 0X4C, 0XA0, 0XA9, 0X83, 0X68, 0X14, 0XF5, 0XED, 0X95, 0XE3, 0X12, 0X5B}; +static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = { + 0xBE, 0xC0, 0xBC, 0x8E, 0x75, 0xA0, 0xF6, 0x0C, 0x4A, 0x56, 0x64, 0x02, 0x3E, 0xD4, 0x9C, 0xD5}; +static const u8 eticket_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = { + 0x88, 0x87, 0x50, 0x90, 0xA6, 0x2F, 0x75, 0x70, 0xA2, 0xD7, 0x71, 0x51, 0xAE, 0x6D, 0x39, 0x87}; +static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = { + 0X46, 0X6E, 0X57, 0XB7, 0X4A, 0X44, 0X7F, 0X02, 0XF3, 0X21, 0XCD, 0XE5, 0X8F, 0X2F, 0X55, 0X35}; + +// from SSL +static const u8 ssl_rsa_kek_source_x[0x10] __attribute__((aligned(4))) = { + 0X7F, 0X5B, 0XB0, 0X84, 0X7B, 0X25, 0XAA, 0X67, 0XFA, 0XC8, 0X4B, 0XE2, 0X3D, 0X7B, 0X69, 0X03}; +static const u8 ssl_rsa_kek_source_y[0x10] __attribute__((aligned(4))) = { + 0X9A, 0X38, 0X3B, 0XF4, 0X31, 0XD0, 0XBD, 0X81, 0X32, 0X53, 0X4B, 0XA9, 0X64, 0X39, 0X7D, 0XE3}; + +static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { + {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0 Device Master Kek Source. */ + {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0 Device Master Kek Source. */ + {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0 Device Master Kek Source. */ + {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0 Device Master Kek Source. */ + {0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0 Device Master Kek Source. */ + {0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0 Device Master Kek Source. */ + {0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0 Device Master Kek Source. */ + {0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0 Device Master Kek Source. */ + {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */ + {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */ + {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */ +}; //!TODO: Update on mkey changes. + +static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = { + {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0 Device Master Kek Source. */ + {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0 Device Master Kek Source. */ + {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0 Device Master Kek Source. */ + {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0 Device Master Kek Source. */ + {0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0 Device Master Kek Source. */ + {0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0 Device Master Kek Source. */ + {0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0 Device Master Kek Source. */ + {0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0 Device Master Kek Source. */ + {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */ + {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */ + {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */ +}; //!TODO: Update on mkey changes. + +// from SPL +static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = { + 0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8}; + +// from FS +static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = { + 0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F}; +static const u8 bis_key_sources[3][0x20] __attribute__((aligned(4))) = { + {0xF8, 0x3F, 0x38, 0x6E, 0x2C, 0xD2, 0xCA, 0x32, 0xA8, 0x9A, 0xB9, 0xAA, 0x29, 0xBF, 0xC7, 0x48, + 0x7D, 0x92, 0xB0, 0x3A, 0xA8, 0xBF, 0xDE, 0xE1, 0xA7, 0x4C, 0x3B, 0x6E, 0x35, 0xCB, 0x71, 0x06}, + {0x41, 0x00, 0x30, 0x49, 0xDD, 0xCC, 0xC0, 0x65, 0x64, 0x7A, 0x7E, 0xB4, 0x1E, 0xED, 0x9C, 0x5F, + 0x44, 0x42, 0x4E, 0xDA, 0xB4, 0x9D, 0xFC, 0xD9, 0x87, 0x77, 0x24, 0x9A, 0xDC, 0x9F, 0x7C, 0xA4}, + {0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C, + 0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4} +}; +static const u8 header_kek_source[0x10] __attribute__((aligned(4))) = { + 0x1F, 0x12, 0x91, 0x3A, 0x4A, 0xCB, 0xF0, 0x0D, 0x4C, 0xDE, 0x3A, 0xF6, 0xD5, 0x23, 0x88, 0x2A}; +static const u8 header_key_source[0x20] __attribute__((aligned(4))) = { + 0x5A, 0x3E, 0xD8, 0x4F, 0xDE, 0xC0, 0xD8, 0x26, 0x31, 0xF7, 0xE2, 0x5D, 0x19, 0x7B, 0xF5, 0xD0, + 0x1C, 0x9B, 0x7B, 0xFA, 0xF6, 0x28, 0x18, 0x3D, 0x71, 0xF6, 0x4D, 0x73, 0xF1, 0x50, 0xB9, 0xD2}; +static const u8 key_area_key_sources[3][0x10] __attribute__((aligned(4))) = { + {0x7F, 0x59, 0x97, 0x1E, 0x62, 0x9F, 0x36, 0xA1, 0x30, 0x98, 0x06, 0x6F, 0x21, 0x44, 0xC3, 0x0D}, // application + {0x32, 0x7D, 0x36, 0x08, 0x5A, 0xD1, 0x75, 0x8D, 0xAB, 0x4E, 0x6F, 0xBA, 0xA5, 0x55, 0xD8, 0x82}, // ocean + {0x87, 0x45, 0xF1, 0xBB, 0xA6, 0xBE, 0x79, 0x64, 0x7D, 0x04, 0x8B, 0xA6, 0x7B, 0x5F, 0xDA, 0x4A}, // system +}; +static const u8 save_mac_kek_source[0x10] __attribute__((aligned(4))) = { + 0XD8, 0X9C, 0X23, 0X6E, 0XC9, 0X12, 0X4E, 0X43, 0XC8, 0X2B, 0X03, 0X87, 0X43, 0XF9, 0XCF, 0X1B}; +static const u8 save_mac_key_source[0x10] __attribute__((aligned(4))) = { + 0XE4, 0XCD, 0X3D, 0X4A, 0XD5, 0X0F, 0X74, 0X28, 0X45, 0XA4, 0X87, 0XE5, 0XA0, 0X63, 0XEA, 0X1F}; +static const u8 save_mac_sd_card_kek_source[0x10] __attribute__((aligned(4))) = { + 0X04, 0X89, 0XEF, 0X5D, 0X32, 0X6E, 0X1A, 0X59, 0XC4, 0XB7, 0XAB, 0X8C, 0X36, 0X7A, 0XAB, 0X17}; +static const u8 save_mac_sd_card_key_source[0x10] __attribute__((aligned(4))) = { + 0X6F, 0X64, 0X59, 0X47, 0XC5, 0X61, 0X46, 0XF9, 0XFF, 0XA0, 0X45, 0XD5, 0X95, 0X33, 0X29, 0X18}; +static const u8 sd_card_custom_storage_key_source[0x20] __attribute__((aligned(4))) = { + 0X37, 0X0C, 0X34, 0X5E, 0X12, 0XE4, 0XCE, 0XFE, 0X21, 0XB5, 0X8E, 0X64, 0XDB, 0X52, 0XAF, 0X35, + 0X4F, 0X2C, 0XA5, 0XA3, 0XFC, 0X99, 0X9A, 0X47, 0XC0, 0X3E, 0XE0, 0X04, 0X48, 0X5B, 0X2F, 0XD0}; +static const u8 sd_card_kek_source[0x10] __attribute__((aligned(4))) = { + 0X88, 0X35, 0X8D, 0X9C, 0X62, 0X9B, 0XA1, 0XA0, 0X01, 0X47, 0XDB, 0XE0, 0X62, 0X1B, 0X54, 0X32}; +static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = { + 0X58, 0X41, 0XA2, 0X84, 0X93, 0X5B, 0X56, 0X27, 0X8B, 0X8E, 0X1F, 0XC5, 0X18, 0XE9, 0X9F, 0X2B, + 0X67, 0XC7, 0X93, 0XF0, 0XF2, 0X4F, 0XDE, 0XD0, 0X75, 0X49, 0X5D, 0XCA, 0X00, 0X6D, 0X99, 0XC2}; +static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = { + 0X24, 0X49, 0XB7, 0X22, 0X72, 0X67, 0X03, 0XA8, 0X19, 0X65, 0XE6, 0XE3, 0XEA, 0X58, 0X2F, 0XDD, + 0X9A, 0X95, 0X15, 0X17, 0XB1, 0X6E, 0X8F, 0X7F, 0X1F, 0X68, 0X26, 0X31, 0X52, 0XEA, 0X29, 0X6A}; diff --git a/source/keys/keys.c b/source/keys/keys.c index 511aef5..74d2ecf 100644 --- a/source/keys/keys.c +++ b/source/keys/keys.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2022 shchmue + * Copyright (c) 2019-2021 shchmue * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -16,10 +16,7 @@ #include "keys.h" -#include "es_crypto.h" -#include "fs_crypto.h" -#include "nfc_crypto.h" -#include "ssl_crypto.h" +#include "../../keygen/tsec_keygen.h" #include "../config.h" #include @@ -28,14 +25,15 @@ #include "../gfx/tui.h" #include "../hos/hos.h" #include -#include #include #include #include #include #include #include +#include #include +#include #include #include "../storage/emummc.h" #include "../storage/nx_emmc.h" @@ -57,206 +55,225 @@ static u32 _key_count = 0, _titlekey_count = 0; static u32 start_time, end_time; u32 color_idx = 0; -static void _save_key(const char *name, const void *data, u32 len, char *outbuf) { - if (!key_exists(data)) - return; - u32 pos = strlen(outbuf); - pos += s_printf(&outbuf[pos], "%s = ", name); - for (u32 i = 0; i < len; i++) - pos += s_printf(&outbuf[pos], "%02x", *(u8*)(data + i)); - s_printf(&outbuf[pos], "\n"); - _key_count++; +static ALWAYS_INLINE u32 _read_le_u32(const void *buffer, u32 offset) { + return (*(u8*)(buffer + offset + 0) ) | + (*(u8*)(buffer + offset + 1) << 0x08) | + (*(u8*)(buffer + offset + 2) << 0x10) | + (*(u8*)(buffer + offset + 3) << 0x18); } -static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf) { - char *temp_name = calloc(1, 0x40); - for (u32 i = 0; i < num_keys; i++) { - s_printf(temp_name, "%s_%02x", name, i + start_key); - _save_key(temp_name, data + i * len, len, outbuf); - } - free(temp_name); +static ALWAYS_INLINE u32 _read_be_u32(const void *buffer, u32 offset) { + return (*(u8*)(buffer + offset + 3) ) | + (*(u8*)(buffer + offset + 2) << 0x08) | + (*(u8*)(buffer + offset + 1) << 0x10) | + (*(u8*)(buffer + offset + 0) << 0x18); } -static void _derive_master_keys_mariko(key_storage_t *keys, bool is_dev) { - minerva_periodic_training(); +// key functions +static int _key_exists(const void *data) { return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0; }; +static void _save_key(const char *name, const void *data, u32 len, char *outbuf); +static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf); +static void _generate_kek(u32 ks, const void *key_source, const void *master_key, const void *kek_seed, const void *key_seed); +static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 key_generation); +static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 revision); +// titlekey functions +static bool _test_key_pair(const void *E, const void *D, const void *N); + +static void _derive_master_key_mariko(key_derivation_ctx_t *keys, bool is_dev) { // Relies on the SBK being properly set in slot 14 - se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source); + se_aes_crypt_block_ecb(14, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source); // Derive all master keys based on Mariko KEK for (u32 i = KB_FIRMWARE_VERSION_600; i < ARRAY_SIZE(mariko_master_kek_sources) + KB_FIRMWARE_VERSION_600; i++) { // Relies on the Mariko KEK being properly set in slot 12 - u32 kek_source_index = i - KB_FIRMWARE_VERSION_600; - const void *kek_source = is_dev ? &mariko_master_kek_sources_dev[kek_source_index] : &mariko_master_kek_sources[kek_source_index]; - se_aes_crypt_block_ecb(KS_MARIKO_KEK, DECRYPT, keys->master_kek[i], kek_source); - load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source); + se_aes_crypt_block_ecb(12, DECRYPT, keys->master_kek[i], is_dev ? &mariko_master_kek_sources_dev[i - KB_FIRMWARE_VERSION_600] : &mariko_master_kek_sources[i - KB_FIRMWARE_VERSION_600]); // mkek = unwrap(mariko_kek, mariko_kek_source) + se_aes_key_set(8, keys->master_kek[i], AES_128_KEY_SIZE); // mkey = unwrap(mkek, mkeys) + se_aes_crypt_block_ecb(8, DECRYPT, keys->master_key[i], master_key_source); } } -static void _derive_master_keys_from_latest_key(key_storage_t *keys, bool is_dev) { - minerva_periodic_training(); - if (!h_cfg.t210b01) { - u32 tsec_root_key_slot = is_dev ? KS_TSEC_ROOT_DEV : KS_TSEC_ROOT; - // Derive all master keys based on current root key - for (u32 i = KB_FIRMWARE_VERSION_810 - KB_FIRMWARE_VERSION_620; i < ARRAY_SIZE(master_kek_sources); i++) { - u32 key_index = i + KB_FIRMWARE_VERSION_620; - se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[key_index], master_kek_sources[i]); - load_aes_key(KS_AES_ECB, keys->master_key[key_index], keys->master_kek[key_index], master_key_source); +static int _run_ams_keygen(key_derivation_ctx_t *keys) { + tsec_ctxt_t tsec_ctxt; + tsec_ctxt.fw = tsec_keygen; + tsec_ctxt.size = sizeof(tsec_keygen); + tsec_ctxt.type = TSEC_FW_TYPE_NEW; + + u32 retries = 0; + while (tsec_query(keys->temp_key, &tsec_ctxt) < 0) { + retries++; + if (retries > 15) { + EPRINTF("Failed to run keygen."); + return -1; } } - minerva_periodic_training(); + return 0; +} + +static void _derive_master_keys_from_latest_key(key_derivation_ctx_t *keys, bool is_dev) { + if (!h_cfg.t210b01) { + u32 tsec_root_key_slot = is_dev ? 11 : 13; + // Derive all master keys based on current root key + for (u32 i = KB_FIRMWARE_VERSION_810 - KB_FIRMWARE_VERSION_620; i < ARRAY_SIZE(master_kek_sources); i++) { + se_aes_crypt_block_ecb(tsec_root_key_slot, DECRYPT, keys->master_kek[i + KB_FIRMWARE_VERSION_620], master_kek_sources[i]); // mkek = unwrap(tsec_root, mkeks) + se_aes_key_set(8, keys->master_kek[i + KB_FIRMWARE_VERSION_620], AES_128_KEY_SIZE); // mkey = unwrap(mkek, mkeys) + se_aes_crypt_block_ecb(8, DECRYPT, keys->master_key[i + KB_FIRMWARE_VERSION_620], master_key_source); + } + } // Derive all lower master keys for (u32 i = KB_FIRMWARE_VERSION_MAX; i > 0; i--) { - load_aes_key(KS_AES_ECB, keys->master_key[i - 1], keys->master_key[i], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]); + se_aes_key_set(8, keys->master_key[i], AES_128_KEY_SIZE); + se_aes_crypt_block_ecb(8, DECRYPT, keys->master_key[i - 1], is_dev ? master_key_vectors_dev[i] : master_key_vectors[i]); } - load_aes_key(KS_AES_ECB, keys->temp_key, keys->master_key[0], is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]); + se_aes_key_set(8, keys->master_key[0], AES_128_KEY_SIZE); + se_aes_crypt_block_ecb(8, DECRYPT, keys->temp_key, is_dev ? master_key_vectors_dev[0] : master_key_vectors[0]); - if (key_exists(keys->temp_key)) { + if (_key_exists(keys->temp_key)) { EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod"); memset(keys->master_key, 0, sizeof(keys->master_key)); } } -static void _derive_keyblob_keys(key_storage_t *keys) { - minerva_periodic_training(); - - encrypted_keyblob_t *keyblob_buffer = (encrypted_keyblob_t *)calloc(KB_FIRMWARE_VERSION_600 + 1, sizeof(encrypted_keyblob_t)); - u32 keyblob_mac[SE_AES_CMAC_DIGEST_SIZE / 4] = {0}; +static void _derive_keyblob_keys(key_derivation_ctx_t *keys) { + u8 *keyblob_block = (u8 *)calloc(KB_FIRMWARE_VERSION_600 + 1, NX_EMMC_BLOCKSIZE); + u32 keyblob_mac[AES_128_KEY_SIZE / 4] = {0}; bool have_keyblobs = true; - if (FUSE(FUSE_PRIVATE_KEY0) != 0xFFFFFFFF) { - keys->secure_boot_key[0] = FUSE(FUSE_PRIVATE_KEY0); - keys->secure_boot_key[1] = FUSE(FUSE_PRIVATE_KEY1); - keys->secure_boot_key[2] = FUSE(FUSE_PRIVATE_KEY2); - keys->secure_boot_key[3] = FUSE(FUSE_PRIVATE_KEY3); + if (FUSE(FUSE_PRIVATE_KEY0) == 0xFFFFFFFF) { + u8 *aes_keys = (u8 *)calloc(SZ_4K, 1); + se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE); + memcpy(keys->sbk, aes_keys + 14 * AES_128_KEY_SIZE, AES_128_KEY_SIZE); + free(aes_keys); + } else { + keys->sbk[0] = FUSE(FUSE_PRIVATE_KEY0); + keys->sbk[1] = FUSE(FUSE_PRIVATE_KEY1); + keys->sbk[2] = FUSE(FUSE_PRIVATE_KEY2); + keys->sbk[3] = FUSE(FUSE_PRIVATE_KEY3); } if (!emmc_storage.initialized) { have_keyblobs = false; - } else if (!emummc_storage_read(KEYBLOB_OFFSET / NX_EMMC_BLOCKSIZE, KB_FIRMWARE_VERSION_600 + 1, keyblob_buffer)) { + } else if (!emummc_storage_read(KEYBLOB_OFFSET / NX_EMMC_BLOCKSIZE, KB_FIRMWARE_VERSION_600 + 1, keyblob_block)) { EPRINTF("Unable to read keyblobs."); have_keyblobs = false; } else { have_keyblobs = true; } - encrypted_keyblob_t *current_keyblob = keyblob_buffer; - for (u32 i = 0; i < ARRAY_SIZE(keyblob_key_sources); i++, current_keyblob++) { + encrypted_keyblob_t *current_keyblob = (encrypted_keyblob_t *)keyblob_block; + for (u32 i = 0; i <= KB_FIRMWARE_VERSION_600; i++, current_keyblob++) { minerva_periodic_training(); - se_aes_crypt_block_ecb(KS_TSEC, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]); - se_aes_crypt_block_ecb(KS_SECURE_BOOT, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]); - load_aes_key(KS_AES_ECB, keys->keyblob_mac_key[i], keys->keyblob_key[i], keyblob_mac_key_source); + se_aes_crypt_block_ecb(12, DECRYPT, keys->keyblob_key[i], keyblob_key_sources[i]); // temp = unwrap(kbks, tsec) + se_aes_crypt_block_ecb(14, DECRYPT, keys->keyblob_key[i], keys->keyblob_key[i]); // kbk = unwrap(temp, sbk) + se_aes_key_set(7, keys->keyblob_key[i], sizeof(keys->keyblob_key[i])); + se_aes_crypt_block_ecb(7, DECRYPT, keys->keyblob_mac_key[i], keyblob_mac_key_source); // kbm = unwrap(kbms, kbk) if (i == 0) { - se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key, per_console_key_source); - se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source); + se_aes_crypt_block_ecb(7, DECRYPT, keys->device_key, per_console_key_source); // devkey = unwrap(pcks, kbk0) + se_aes_crypt_block_ecb(7, DECRYPT, keys->device_key_4x, device_master_key_source_kek_source); } if (!have_keyblobs) { continue; } - // Verify keyblob is not corrupt - se_aes_key_set(KS_AES_CMAC, keys->keyblob_mac_key[i], sizeof(keys->keyblob_mac_key[i])); - se_aes_cmac(KS_AES_CMAC, keyblob_mac, sizeof(keyblob_mac), current_keyblob->iv, sizeof(current_keyblob->iv) + sizeof(keyblob_t)); + // verify keyblob is not corrupt + se_aes_key_set(10, keys->keyblob_mac_key[i], sizeof(keys->keyblob_mac_key[i])); + se_aes_cmac(10, keyblob_mac, sizeof(keyblob_mac), current_keyblob->iv, sizeof(current_keyblob->iv) + sizeof(keyblob_t)); if (memcmp(current_keyblob->cmac, keyblob_mac, sizeof(keyblob_mac)) != 0) { EPRINTFARGS("Keyblob %x corrupt.", i); continue; } - // Decrypt keyblobs - se_aes_key_set(KS_AES_CTR, keys->keyblob_key[i], sizeof(keys->keyblob_key[i])); - se_aes_crypt_ctr(KS_AES_CTR, &keys->keyblob[i], sizeof(keyblob_t), ¤t_keyblob->key_data, sizeof(keyblob_t), current_keyblob->iv); + // decrypt keyblobs + se_aes_key_set(6, keys->keyblob_key[i], sizeof(keys->keyblob_key[i])); + se_aes_crypt_ctr(6, &keys->keyblob[i], sizeof(keyblob_t), ¤t_keyblob->key_data, sizeof(keyblob_t), current_keyblob->iv); memcpy(keys->package1_key[i], keys->keyblob[i].package1_key, sizeof(keys->package1_key[i])); memcpy(keys->master_kek[i], keys->keyblob[i].master_kek, sizeof(keys->master_kek[i])); - if (!key_exists(keys->master_key[i])) { - load_aes_key(KS_AES_ECB, keys->master_key[i], keys->master_kek[i], master_key_source); + se_aes_key_set(7, keys->master_kek[i], sizeof(keys->master_kek[i])); + if (!_key_exists(keys->master_key[i])) { + se_aes_crypt_block_ecb(7, DECRYPT, keys->master_key[i], master_key_source); } } - free(keyblob_buffer); + free(keyblob_block); } -static void _derive_master_keys(key_storage_t *prod_keys, key_storage_t *dev_keys, bool is_dev) { - key_storage_t *keys = is_dev ? dev_keys : prod_keys; +static void _derive_bis_keys(key_derivation_ctx_t *keys) { + /* key = unwrap(source, wrapped_key): + key_set(ks, wrapped_key), block_ecb(ks, 0, key, source) -> final key in key + */ + minerva_periodic_training(); + u32 key_generation = fuse_read_odm_keygen_rev(); + if (key_generation) + key_generation--; - if (h_cfg.t210b01) { - _derive_master_keys_mariko(keys, is_dev); - _derive_master_keys_from_latest_key(keys, is_dev); - } else { - if (run_ams_keygen()) { - EPRINTF("Failed to run keygen."); - return; - } + if (!(_key_exists(keys->device_key) || (key_generation && _key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x)))) { + return; + } + _generate_specific_aes_key(8, keys, &keys->bis_key[0], &bis_key_sources[0], key_generation); + // kek = generate_kek(bkeks, devkey, aeskek, aeskey) + _get_device_key(8, keys, keys->temp_key, key_generation); + _generate_kek(8, bis_kek_source, keys->temp_key, aes_kek_generation_source, aes_key_generation_source); + se_aes_crypt_ecb(8, DECRYPT, keys->bis_key[1], AES_128_KEY_SIZE * 2, bis_key_sources[1], AES_128_KEY_SIZE * 2); // bkey = unwrap(bkeys, kek) + se_aes_crypt_ecb(8, DECRYPT, keys->bis_key[2], AES_128_KEY_SIZE * 2, bis_key_sources[2], AES_128_KEY_SIZE * 2); + memcpy(keys->bis_key[3], keys->bis_key[2], 0x20); +} - u8 *aes_keys = (u8 *)calloc(1, SZ_4K); - se_get_aes_keys(aes_keys + SZ_2K, aes_keys, SE_KEY_128_SIZE); - memcpy(&dev_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT_DEV * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - memcpy(&dev_keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - memcpy(&prod_keys->tsec_key, aes_keys + KS_TSEC * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - memcpy(&prod_keys->tsec_root_key, aes_keys + KS_TSEC_ROOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - if (FUSE(FUSE_PRIVATE_KEY0) != 0xFFFFFFFF) { - memcpy(&dev_keys->secure_boot_key, aes_keys + KS_SECURE_BOOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - memcpy(&prod_keys->secure_boot_key, aes_keys + KS_SECURE_BOOT * SE_KEY_128_SIZE, SE_KEY_128_SIZE); - } - free(aes_keys); - - _derive_master_keys_from_latest_key(prod_keys, false); - _derive_master_keys_from_latest_key(dev_keys, true); - _derive_keyblob_keys(keys); +static void _derive_non_unique_keys(key_derivation_ctx_t *keys, bool is_dev) { + if (_key_exists(keys->master_key[0])) { + _generate_kek(8, header_kek_source, keys->master_key[0], aes_kek_generation_source, aes_key_generation_source); + se_aes_crypt_ecb(8, DECRYPT, keys->header_key, AES_128_KEY_SIZE * 2, header_key_source, AES_128_KEY_SIZE * 2); } } -static void _derive_bis_keys(key_storage_t *keys) { - minerva_periodic_training(); - u32 generation = fuse_read_odm_keygen_rev(); - fs_derive_bis_keys(keys, keys->bis_key, generation); +static void _derive_eticket_rsa_kek(key_derivation_ctx_t *keys, u32 ks, void *out_rsa_kek, const void *master_key, const void *kek_source) { + u8 kek_seed[AES_128_KEY_SIZE]; + for (u32 i = 0; i < AES_128_KEY_SIZE; i++) + kek_seed[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_import_es_device_key[i]; + _generate_kek(ks, eticket_rsa_kekek_source, master_key, kek_seed, NULL); + se_aes_crypt_block_ecb(ks, DECRYPT, out_rsa_kek, kek_source); } -static void _derive_misc_keys(key_storage_t *keys) { - minerva_periodic_training(); - fs_derive_save_mac_key(keys, keys->save_mac_key); +static void _derive_misc_keys(key_derivation_ctx_t *keys, bool is_dev) { + if (_key_exists(keys->device_key) || (_key_exists(keys->master_key[0]) && _key_exists(keys->device_key_4x))) { + _get_device_key(8, keys, keys->temp_key, 0); + _generate_kek(8, save_mac_kek_source, keys->temp_key, aes_kek_generation_source, NULL); + se_aes_crypt_block_ecb(8, DECRYPT, keys->save_mac_key, save_mac_key_source); + } + + if (_key_exists(keys->master_key[0])) { + _derive_eticket_rsa_kek(keys, 8, keys->eticket_rsa_kek, keys->master_key[0], is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source); + + for (u32 i = 0; i < AES_128_KEY_SIZE; i++) + keys->temp_key[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_decrypt_device_unique_data[i]; + _generate_kek(8, ssl_rsa_kek_source_x, keys->master_key[0], keys->temp_key, NULL); + se_aes_crypt_block_ecb(8, DECRYPT, keys->ssl_rsa_kek, ssl_rsa_kek_source_y); + } } -static void _derive_non_unique_keys(key_storage_t *keys, bool is_dev) { - minerva_periodic_training(); - fs_derive_header_key(keys, keys->header_key); - es_derive_rsa_kek_original(keys, keys->eticket_rsa_kek, is_dev); - ssl_derive_rsa_kek_original(keys, keys->ssl_rsa_kek, is_dev); - - for (u32 generation = 0; generation < ARRAY_SIZE(keys->master_key); generation++) { - minerva_periodic_training(); - if (!key_exists(keys->master_key[generation])) +static void _derive_per_generation_keys(key_derivation_ctx_t *keys) { + for (u32 i = 0; i < KB_FIRMWARE_VERSION_MAX + 1; i++) { + if (!_key_exists(keys->master_key[i])) continue; - for (u32 source_type = 0; source_type < ARRAY_SIZE(key_area_key_sources); source_type++) { - fs_derive_key_area_key(keys, keys->key_area_key[source_type][generation], source_type, generation); + for (u32 j = 0; j < 3; j++) { + _generate_kek(8, key_area_key_sources[j], keys->master_key[i], aes_kek_generation_source, NULL); + se_aes_crypt_block_ecb(8, DECRYPT, keys->key_area_key[j][i], aes_key_generation_source); } - load_aes_key(KS_AES_ECB, keys->package2_key[generation], keys->master_key[generation], package2_key_source); - load_aes_key(KS_AES_ECB, keys->titlekek[generation], keys->master_key[generation], titlekek_source); + se_aes_key_set(8, keys->master_key[i], AES_128_KEY_SIZE); + se_aes_crypt_block_ecb(8, DECRYPT, keys->package2_key[i], package2_key_source); + se_aes_crypt_block_ecb(8, DECRYPT, keys->titlekek[i], titlekek_source); } } -// Returns true when terminator is found -static bool _count_ticket_records(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 *tkey_count) { - ticket_record_t *curr_ticket_record = (ticket_record_t *)titlekey_buffer->read_buffer; - for (u32 i = 0; i < buf_size; i += sizeof(ticket_record_t), curr_ticket_record++) { - if (curr_ticket_record->rights_id[0] == 0xFF) - return true; - (*tkey_count)++; - } - return false; -} - -static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, eticket_rsa_keypair_t *rsa_keypair) { +static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, titlekey_buffer_t *titlekey_buffer, rsa_keypair_t *rsa_keypair) { FIL fp; u64 br = buf_size; u64 offset = 0; u32 file_tkey_count = 0; u32 save_x = gfx_con.x, save_y = gfx_con.y; bool is_personalized = rsa_keypair != NULL; - const char ticket_bin_path[32] = "/ticket.bin"; - const char ticket_list_bin_path[32] = "/ticket_list.bin"; + u32 start_titlekey_count = _titlekey_count; char titlekey_save_path[32] = "bis:/save/80000000000000E1"; - save_data_file_ctx_t ticket_file; if (is_personalized) { titlekey_save_path[25] = '2'; @@ -284,6 +301,10 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title return false; } + const char ticket_bin_path[32] = "/ticket.bin"; + const char ticket_list_bin_path[32] = "/ticket_list.bin"; + save_data_file_ctx_t ticket_file; + if (!save_open_file(save_ctx, &ticket_file, ticket_list_bin_path, OPEN_MODE_READ)) { EPRINTF("Unable to locate ticket_list.bin in save."); f_close(&fp); @@ -292,19 +313,22 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title return false; } - // Read ticket list to get ticket count - while (offset < ticket_file.size) { - minerva_periodic_training(); - if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || - titlekey_buffer->read_buffer[0] == 0 || - br != buf_size || - _count_ticket_records(buf_size, titlekey_buffer, &file_tkey_count) - ) { + bool terminator_reached = false; + while (offset < ticket_file.size && !terminator_reached) { + if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || titlekey_buffer->read_buffer[0] == 0 || br != buf_size) break; - } offset += br; + minerva_periodic_training(); + ticket_record_t *curr_ticket_record = (ticket_record_t *)titlekey_buffer->read_buffer; + for (u32 i = 0; i < buf_size; i += sizeof(ticket_record_t), curr_ticket_record++) { + if (curr_ticket_record->rights_id[0] == 0xFF) { + terminator_reached = true; + break; + } + file_tkey_count++; + } } - TPRINTF(" Count titlekeys..."); + TPRINTF(" Count keys..."); if (!save_open_file(save_ctx, &ticket_file, ticket_bin_path, OPEN_MODE_READ)) { EPRINTF("Unable to locate ticket.bin in save."); @@ -314,17 +338,46 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title return false; } - if (is_personalized) - se_rsa_key_set(0, rsa_keypair->modulus, sizeof(rsa_keypair->modulus), rsa_keypair->private_exponent, sizeof(rsa_keypair->private_exponent)); + const u32 ticket_sig_type_rsa2048_sha256 = 0x10004; offset = 0; - u32 pct = 0, last_pct = 0, remaining = file_tkey_count; - while (offset < ticket_file.size && remaining) { + terminator_reached = false; + u32 pct = 0, last_pct = 0, i = 0; + while (offset < ticket_file.size && !terminator_reached) { if (!save_data_file_read(&ticket_file, &br, offset, titlekey_buffer->read_buffer, buf_size) || titlekey_buffer->read_buffer[0] == 0 || br != buf_size) break; offset += br; - es_decode_tickets(buf_size, titlekey_buffer, remaining, file_tkey_count, &_titlekey_count, save_x, save_y, &pct, &last_pct, is_personalized); - remaining -= MIN(buf_size / sizeof(ticket_t), remaining); + ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer; + for (u32 j = 0; j < buf_size; j += sizeof(ticket_t), curr_ticket++) { + minerva_periodic_training(); + pct = (_titlekey_count - start_titlekey_count) * 100 / file_tkey_count; + if (pct > last_pct && pct <= 100) { + last_pct = pct; + tui_pbar(save_x, save_y, pct, COLOR_GREEN, 0xFF155500); + } + if (i == file_tkey_count || curr_ticket->signature_type == 0) { + terminator_reached = true; + break; + } + if (curr_ticket->signature_type != ticket_sig_type_rsa2048_sha256) { + i++; + continue; + } + if (is_personalized) { + se_rsa_exp_mod(0, curr_ticket->titlekey_block, sizeof(curr_ticket->titlekey_block), curr_ticket->titlekey_block, sizeof(curr_ticket->titlekey_block)); + if (se_rsa_oaep_decode( + curr_ticket->titlekey_block, sizeof(titlekey_buffer->titlekeys[0]), + null_hash, sizeof(null_hash), + curr_ticket->titlekey_block, sizeof(curr_ticket->titlekey_block) + ) != sizeof(titlekey_buffer->titlekeys[0]) + ) + continue; + } + memcpy(titlekey_buffer->rights_ids[_titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0])); + memcpy(titlekey_buffer->titlekeys[_titlekey_count], curr_ticket->titlekey_block, sizeof(titlekey_buffer->titlekeys[0])); + _titlekey_count++; + i++; + } } tui_pbar(save_x, save_y, 100, COLOR_GREEN, 0xFF155500); f_close(&fp); @@ -344,7 +397,7 @@ static bool _get_titlekeys_from_save(u32 buf_size, const u8 *save_mac_key, title return true; } -static bool _derive_sd_seed(key_storage_t *keys) { +static bool _derive_sd_seed(key_derivation_ctx_t *keys) { FIL fp; u32 read_bytes = 0; char *private_path = malloc(200); @@ -362,27 +415,25 @@ static bool _derive_sd_seed(key_storage_t *keys) { EPRINTF("Unable to open SD seed vector. Skipping."); return false; } - // Get sd seed verification vector - if (f_read(&fp, keys->temp_key, SE_KEY_128_SIZE, &read_bytes) || read_bytes != SE_KEY_128_SIZE) { + // get sd seed verification vector + if (f_read(&fp, keys->temp_key, AES_128_KEY_SIZE, &read_bytes) || read_bytes != AES_128_KEY_SIZE) { EPRINTF("Unable to read SD seed vector. Skipping."); f_close(&fp); return false; } f_close(&fp); - // This file is small enough that parsing the savedata properly is slower + // this file is small enough that parsing the savedata properly is slower if (f_open(&fp, "bis:/save/8000000000000043", FA_READ | FA_OPEN_EXISTING)) { EPRINTF("Unable to open ns_appman save.\nSkipping SD seed."); return false; } u8 read_buf[0x20] __attribute__((aligned(4))) = {0}; - // Skip the two header blocks and only check the first bytes of each block - // File contents are always block-aligned - for (u32 i = SAVE_BLOCK_SIZE_DEFAULT * 2; i < f_size(&fp); i += SAVE_BLOCK_SIZE_DEFAULT) { + for (u32 i = SZ_32K; i < f_size(&fp); i += SZ_16K) { if (f_lseek(&fp, i) || f_read(&fp, read_buf, 0x20, &read_bytes) || read_bytes != 0x20) break; - if (memcmp(keys->temp_key, read_buf, sizeof(keys->temp_key)) == 0) { + if (!memcmp(keys->temp_key, read_buf, sizeof(keys->temp_key))) { memcpy(keys->sd_seed, read_buf + 0x10, sizeof(keys->sd_seed)); break; } @@ -394,48 +445,107 @@ static bool _derive_sd_seed(key_storage_t *keys) { return true; } -static bool _derive_titlekeys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { - if (!key_exists(&keys->eticket_rsa_keypair)) { +static bool _derive_titlekeys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { + if (!_key_exists(keys->eticket_rsa_kek)) { return false; } gfx_printf("%kTitlekeys... \n", colors[(color_idx++) % 6]); - const u32 buf_size = SAVE_BLOCK_SIZE_DEFAULT; + rsa_keypair_t rsa_keypair = {0}; + + if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, titlekey_buffer->read_buffer)) { + EPRINTF("Unable to read PRODINFO."); + return false; + } + + se_aes_xts_crypt(1, 0, DECRYPT, 0, titlekey_buffer->read_buffer, titlekey_buffer->read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE); + + nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)titlekey_buffer->read_buffer; + if (cal0->magic != MAGIC_CAL0) { + EPRINTF("Invalid CAL0 magic. Check BIS key 0."); + return false; + } + + u32 keypair_generation = 0; + const void *eticket_device_key = NULL; + const void *eticket_iv = NULL; + + if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, 0x24E)) { + eticket_device_key = cal0->ext_ecc_rsa2048_eticket_key; + eticket_iv = cal0->ext_ecc_rsa2048_eticket_key_iv; + + // settings sysmodule manually zeroes this out below cal version 9 + keypair_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver; + } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, 0x22E)) { + eticket_device_key = cal0->rsa2048_eticket_key; + eticket_iv = cal0->rsa2048_eticket_key_iv; + } else { + EPRINTF("Crc16 error reading device key."); + return false; + } + + if (keypair_generation) { + keypair_generation--; + _get_device_key(7, keys, keys->temp_key, keypair_generation); + _derive_eticket_rsa_kek(keys, 7, keys->eticket_rsa_kek_personalized, keys->temp_key, is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source); + memcpy(keys->temp_key, keys->eticket_rsa_kek_personalized, sizeof(keys->temp_key)); + } else { + memcpy(keys->temp_key, keys->eticket_rsa_kek, sizeof(keys->temp_key)); + } + + se_aes_key_set(6, keys->temp_key, sizeof(keys->temp_key)); + se_aes_crypt_ctr(6, &rsa_keypair, sizeof(rsa_keypair), eticket_device_key, sizeof(rsa_keypair), eticket_iv); + + // Check public exponent is 65537 big endian + if (_read_be_u32(rsa_keypair.public_exponent, 0) != 65537) { + // try legacy kek source + _derive_eticket_rsa_kek(keys, 7, keys->temp_key, keys->master_key[0], eticket_rsa_kek_source_legacy); + + se_aes_key_set(6, keys->temp_key, sizeof(keys->temp_key)); + se_aes_crypt_ctr(6, &rsa_keypair, sizeof(rsa_keypair), eticket_device_key, sizeof(rsa_keypair), eticket_iv); + + if (_read_be_u32(rsa_keypair.public_exponent, 0) != 65537) { + EPRINTF("Invalid public exponent."); + return false; + } else { + memcpy(keys->eticket_rsa_kek, keys->temp_key, sizeof(keys->eticket_rsa_kek)); + } + } + + if (!_test_key_pair(rsa_keypair.public_exponent, rsa_keypair.private_exponent, rsa_keypair.modulus)) { + EPRINTF("Invalid keypair. Check eticket_rsa_kek."); + return false; + } + + se_rsa_key_set(0, rsa_keypair.modulus, sizeof(rsa_keypair.modulus), rsa_keypair.private_exponent, sizeof(rsa_keypair.private_exponent)); + + const u32 buf_size = SZ_16K; _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, NULL); - _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &keys->eticket_rsa_keypair); + _get_titlekeys_from_save(buf_size, keys->save_mac_key, titlekey_buffer, &rsa_keypair); gfx_printf("\n%k Found %d titlekeys.\n\n", colors[(color_idx++) % 6], _titlekey_count); return true; } -static void _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { +static bool _derive_emmc_keys(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { // Set BIS keys. // PRODINFO/PRODINFOF - se_aes_key_set(KS_BIS_00_CRYPT, keys->bis_key[0] + 0x00, SE_KEY_128_SIZE); - se_aes_key_set(KS_BIS_00_TWEAK, keys->bis_key[0] + 0x10, SE_KEY_128_SIZE); + se_aes_key_set(0, keys->bis_key[0] + 0x00, AES_128_KEY_SIZE); + se_aes_key_set(1, keys->bis_key[0] + 0x10, AES_128_KEY_SIZE); // SAFE - se_aes_key_set(KS_BIS_01_CRYPT, keys->bis_key[1] + 0x00, SE_KEY_128_SIZE); - se_aes_key_set(KS_BIS_01_TWEAK, keys->bis_key[1] + 0x10, SE_KEY_128_SIZE); + se_aes_key_set(2, keys->bis_key[1] + 0x00, AES_128_KEY_SIZE); + se_aes_key_set(3, keys->bis_key[1] + 0x10, AES_128_KEY_SIZE); // SYSTEM/USER - se_aes_key_set(KS_BIS_02_CRYPT, keys->bis_key[2] + 0x00, SE_KEY_128_SIZE); - se_aes_key_set(KS_BIS_02_TWEAK, keys->bis_key[2] + 0x10, SE_KEY_128_SIZE); + se_aes_key_set(4, keys->bis_key[2] + 0x00, AES_128_KEY_SIZE); + se_aes_key_set(5, keys->bis_key[2] + 0x10, AES_128_KEY_SIZE); if (!emummc_storage_set_mmc_partition(EMMC_GPP)) { EPRINTF("Unable to set partition."); - return; + return false; } - - if (!decrypt_ssl_rsa_key(keys, titlekey_buffer)) { - EPRINTF("Unable to derive SSL key."); - } - - if (!decrypt_eticket_rsa_key(keys, titlekey_buffer, is_dev)) { - EPRINTF("Unable to derive ETicket key."); - } - - // Parse eMMC GPT + // Parse eMMC GPT. LIST_INIT(gpt); nx_emmc_gpt_parse(&gpt, &emmc_storage); @@ -443,7 +553,7 @@ static void _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b if (!system_part) { EPRINTF("Unable to locate System partition."); nx_emmc_gpt_free(&gpt); - return; + return false; } nx_emmc_bis_init(system_part); @@ -451,7 +561,7 @@ static void _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b if (f_mount(&emmc_fs, "bis:", 1)) { EPRINTF("Unable to mount system partition."); nx_emmc_gpt_free(&gpt); - return; + return false; } if (!sd_mount()) { @@ -460,69 +570,60 @@ static void _derive_emmc_keys(key_storage_t *keys, titlekey_buffer_t *titlekey_b EPRINTF("Unable to get SD seed."); } - if (!_derive_titlekeys(keys, titlekey_buffer, is_dev)) { + bool res = _derive_titlekeys(keys, titlekey_buffer, is_dev); + if (!res) { EPRINTF("Unable to derive titlekeys."); } - f_mount(NULL, "bis:", 1); nx_emmc_gpt_free(&gpt); + + return res; } // The security engine supports partial key override for locked keyslots // This allows for a manageable brute force on a PC // Then the Mariko AES class keys, KEK, BEK, unique SBK and SSK can be recovered -int save_mariko_partial_keys(u32 start, u32 count, bool append) { - const char *keyfile_path = "sd:/switch/partialaes.keys"; - if (!f_stat(keyfile_path, NULL)) { - f_unlink(keyfile_path); - } - +static void _save_mariko_partial_keys(u32 start, u32 count, bool append) { if (start + count > SE_AES_KEYSLOT_COUNT) { - return 1; + return; } - display_backlight_brightness(h_cfg.backlight, 1000); - gfx_clear_partial_grey(0x1B, 32, 1224); - gfx_con_setpos(0, 32); - - color_idx = 0; - u32 pos = 0; - u32 zeros[SE_KEY_128_SIZE / 4] = {0}; - u8 *data = malloc(4 * SE_KEY_128_SIZE); - char *text_buffer = calloc(count, 0x100); + u32 zeros[AES_128_KEY_SIZE / 4] = {0}; + u8 *data = malloc(4 * AES_128_KEY_SIZE); + char *text_buffer = calloc(1, 0x100 * count); for (u32 ks = start; ks < start + count; ks++) { // Check if key is as expected if (ks < ARRAY_SIZE(mariko_key_vectors)) { se_aes_crypt_block_ecb(ks, DECRYPT, &data[0], mariko_key_vectors[ks]); - if (key_exists(data)) { + if (_key_exists(data)) { EPRINTFARGS("Failed to validate keyslot %d.", ks); continue; } } // Encrypt zeros with complete key - se_aes_crypt_block_ecb(ks, ENCRYPT, &data[3 * SE_KEY_128_SIZE], zeros); + se_aes_crypt_block_ecb(ks, ENCRYPT, &data[3 * AES_128_KEY_SIZE], zeros); // We only need to overwrite 3 of the dwords of the key for (u32 i = 0; i < 3; i++) { // Overwrite ith dword of key with zeros se_aes_key_partial_set(ks, i, 0); // Encrypt zeros with more of the key zeroed out - se_aes_crypt_block_ecb(ks, ENCRYPT, &data[(2 - i) * SE_KEY_128_SIZE], zeros); + se_aes_crypt_block_ecb(ks, ENCRYPT, &data[(2 - i) * AES_128_KEY_SIZE], zeros); } // Skip saving key if two results are the same indicating unsuccessful overwrite or empty slot - if (memcmp(&data[0], &data[SE_KEY_128_SIZE], SE_KEY_128_SIZE) == 0) { + if (memcmp(&data[0], &data[SE_KEY_128_SIZE], AES_128_KEY_SIZE) == 0) { EPRINTFARGS("Failed to overwrite keyslot %d.", ks); continue; } pos += s_printf(&text_buffer[pos], "%d\n", ks); for (u32 i = 0; i < 4; i++) { - for (u32 j = 0; j < SE_KEY_128_SIZE; j++) - pos += s_printf(&text_buffer[pos], "%02x", data[i * SE_KEY_128_SIZE + j]); + for (u32 j = 0; j < AES_128_KEY_SIZE; j++) + pos += s_printf(&text_buffer[pos], "%02x", data[i * AES_128_KEY_SIZE + j]); pos += s_printf(&text_buffer[pos], " "); } pos += s_printf(&text_buffer[pos], "\n"); @@ -531,11 +632,11 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) { if (strlen(text_buffer) == 0) { EPRINTFARGS("Failed to dump partial keys %d-%d.", start, start + count - 1); - free(text_buffer); - return 2; + return; } FIL fp; + u32 res = 0; BYTE mode = FA_WRITE; if (append) { @@ -544,36 +645,29 @@ int save_mariko_partial_keys(u32 start, u32 count, bool append) { mode |= FA_CREATE_ALWAYS; } - if (!sd_mount()) { - EPRINTF("Unable to mount SD."); - free(text_buffer); - return 3; - } - - if (f_open(&fp, keyfile_path, mode)) { + res = f_open(&fp, "sd:/switch/partialaes.keys", mode); + if (res) { EPRINTF("Unable to write partial keys to SD."); - free(text_buffer); - return 3; + return; } f_write(&fp, text_buffer, strlen(text_buffer), NULL); f_close(&fp); - gfx_printf("%kWrote partials to %s\n", colors[(color_idx++) % 6], keyfile_path); + gfx_printf("%kWrote partials to sd:/switch/partialaes.keys\n", colors[(color_idx++) % 6]); free(text_buffer); - - return 0; } -static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { +static void _save_keys_to_sd(key_derivation_ctx_t *keys, titlekey_buffer_t *titlekey_buffer, bool is_dev) { + char *text_buffer = NULL; if (!sd_mount()) { EPRINTF("Unable to mount SD."); return; } u32 text_buffer_size = MAX(_titlekey_count * sizeof(titlekey_text_buffer_t) + 1, SZ_16K); - char *text_buffer = (char *)calloc(1, text_buffer_size); + text_buffer = (char *)calloc(1, text_buffer_size); SAVE_KEY(aes_kek_generation_source); SAVE_KEY(aes_key_generation_source); @@ -590,7 +684,6 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu SAVE_KEY(eticket_rsa_kek_source); } SAVE_KEY(eticket_rsa_kekek_source); - _save_key("eticket_rsa_keypair", &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), text_buffer); SAVE_KEY(header_kek_source); SAVE_KEY_VAR(header_key, keys->header_key); SAVE_KEY(header_key_source); @@ -606,9 +699,9 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu SAVE_KEY_FAMILY_VAR(keyblob_mac_key, keys->keyblob_mac_key, 0); SAVE_KEY(keyblob_mac_key_source); if (is_dev) { - SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources_dev, KB_FIRMWARE_VERSION_600); + SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources_dev, 5); } else { - SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources, KB_FIRMWARE_VERSION_600); + SAVE_KEY_FAMILY_VAR(mariko_master_kek_source, mariko_master_kek_sources, 5); } SAVE_KEY_FAMILY_VAR(master_kek, keys->master_kek, 0); SAVE_KEY_FAMILY_VAR(master_kek_source, master_kek_sources, KB_FIRMWARE_VERSION_620); @@ -619,6 +712,12 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu SAVE_KEY(package2_key_source); SAVE_KEY(per_console_key_source); SAVE_KEY(retail_specific_aes_key_source); + for (u32 i = 0; i < AES_128_KEY_SIZE; i++) + keys->temp_key[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_import_es_device_key[i]; + SAVE_KEY_VAR(rsa_oaep_kek_generation_source, keys->temp_key); + for (u32 i = 0; i < AES_128_KEY_SIZE; i++) + keys->temp_key[i] = aes_kek_generation_source[i] ^ aes_seal_key_mask_decrypt_device_unique_data[i]; + SAVE_KEY_VAR(rsa_private_kek_generation_source, keys->temp_key); SAVE_KEY(save_mac_kek_source); SAVE_KEY_VAR(save_mac_key, keys->save_mac_key); SAVE_KEY(save_mac_key_source); @@ -629,36 +728,36 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu SAVE_KEY(sd_card_nca_key_source); SAVE_KEY(sd_card_save_key_source); SAVE_KEY_VAR(sd_seed, keys->sd_seed); - SAVE_KEY_VAR(secure_boot_key, keys->secure_boot_key); + SAVE_KEY_VAR(secure_boot_key, keys->sbk); SAVE_KEY_VAR(ssl_rsa_kek, keys->ssl_rsa_kek); - SAVE_KEY_VAR(ssl_rsa_kek_personalized, keys->ssl_rsa_kek_personalized); - if (is_dev) { - SAVE_KEY_VAR(ssl_rsa_kek_source, ssl_rsa_kek_source_dev); - } else { - SAVE_KEY(ssl_rsa_kek_source); - } - SAVE_KEY(ssl_rsa_kekek_source); - _save_key("ssl_rsa_key", keys->ssl_rsa_key, SE_RSA2048_DIGEST_SIZE, text_buffer); + SAVE_KEY(ssl_rsa_kek_source_x); + SAVE_KEY(ssl_rsa_kek_source_y); SAVE_KEY_FAMILY_VAR(titlekek, keys->titlekek, 0); SAVE_KEY(titlekek_source); SAVE_KEY_VAR(tsec_key, keys->tsec_key); + const u32 root_key_ver = 2; char root_key_name[21] = "tsec_root_key_00"; - s_printf(root_key_name + 14, "%02x", TSEC_ROOT_KEY_VERSION); - _save_key(root_key_name, keys->tsec_root_key, SE_KEY_128_SIZE, text_buffer); + s_printf(root_key_name + 14, "%02x", root_key_ver); + _save_key(root_key_name, keys->tsec_root_key, AES_128_KEY_SIZE, text_buffer); gfx_printf("\n%k Found %d %s keys.\n\n", colors[(color_idx++) % 6], _key_count, is_dev ? "dev" : "prod"); gfx_printf("%kFound through master_key_%02x.\n\n", colors[(color_idx++) % 6], KB_FIRMWARE_VERSION_MAX); f_mkdir("sd:/switch"); - - const char *keyfile_path = is_dev ? "sd:/switch/dev.keys" : "sd:/switch/prod.keys"; + char keyfile_path[30] = "sd:/switch/prod.keys"; + if (is_dev) { + s_printf(&keyfile_path[11], "dev.keys"); + } FILINFO fno; if (!sd_save_to_file(text_buffer, strlen(text_buffer), keyfile_path) && !f_stat(keyfile_path, &fno)) { gfx_printf("%kWrote %d bytes to %s\n", colors[(color_idx++) % 6], (u32)fno.fsize, keyfile_path); - } else { + } else EPRINTF("Unable to save keys to SD."); + + if (h_cfg.t210b01) { + _save_mariko_partial_keys(12, 4, true); } if (_titlekey_count == 0 || !titlekey_buffer) { @@ -670,28 +769,45 @@ static void _save_keys_to_sd(key_storage_t *keys, titlekey_buffer_t *titlekey_bu titlekey_text_buffer_t *titlekey_text = (titlekey_text_buffer_t *)text_buffer; for (u32 i = 0; i < _titlekey_count; i++) { - for (u32 j = 0; j < SE_KEY_128_SIZE; j++) + for (u32 j = 0; j < AES_128_KEY_SIZE; j++) s_printf(&titlekey_text[i].rights_id[j * 2], "%02x", titlekey_buffer->rights_ids[i][j]); s_printf(titlekey_text[i].equals, " = "); - for (u32 j = 0; j < SE_KEY_128_SIZE; j++) + for (u32 j = 0; j < AES_128_KEY_SIZE; j++) s_printf(&titlekey_text[i].titlekey[j * 2], "%02x", titlekey_buffer->titlekeys[i][j]); s_printf(titlekey_text[i].newline, "\n"); } - - keyfile_path = "sd:/switch/title.keys"; + s_printf(&keyfile_path[11], "title.keys"); if (!sd_save_to_file(text_buffer, strlen(text_buffer), keyfile_path) && !f_stat(keyfile_path, &fno)) { gfx_printf("%kWrote %d bytes to %s\n", colors[(color_idx++) % 6], (u32)fno.fsize, keyfile_path); - } else { + } else EPRINTF("Unable to save titlekeys to SD."); - } free(text_buffer); } +static bool _check_keyslot_access() { + u8 test_data[AES_128_KEY_SIZE] = {0}; + const u8 test_ciphertext[AES_128_KEY_SIZE] = {0}; + se_aes_key_set(8, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE); + se_aes_crypt_block_ecb(8, DECRYPT, test_data, test_ciphertext); + + return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0; +} + static void _derive_keys() { + if (!f_stat("sd:/switch/partialaes.keys", NULL)) { + f_unlink("sd:/switch/partialaes.keys"); + } + minerva_periodic_training(); - if (!check_keyslot_access()) { + if (h_cfg.t210b01) { + _save_mariko_partial_keys(0, 12, false); + } + + minerva_periodic_training(); + + if (!_check_keyslot_access()) { EPRINTF("Unable to set crypto keyslots!\nTry launching payload differently\n or flash Spacecraft-NX if using a modchip."); return; } @@ -713,10 +829,33 @@ static void _derive_keys() { bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV; - key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0}; - key_storage_t *keys = is_dev ? &dev_keys : &prod_keys; + key_derivation_ctx_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0}; + key_derivation_ctx_t *keys = is_dev ? &dev_keys : &prod_keys; - _derive_master_keys(&prod_keys, &dev_keys, is_dev); + // Master key derivation + if (h_cfg.t210b01) { + _derive_master_key_mariko(keys, is_dev); + minerva_periodic_training(); + _derive_master_keys_from_latest_key(keys, is_dev); + } else { + int res = _run_ams_keygen(keys); + if (res) { + return; + } + + u8 *aes_keys = (u8 *)calloc(SZ_4K, 1); + se_get_aes_keys(aes_keys + SZ_2K, aes_keys, AES_128_KEY_SIZE); + memcpy(&dev_keys.tsec_root_key, aes_keys + 11 * AES_128_KEY_SIZE, AES_128_KEY_SIZE); + memcpy(keys->tsec_key, aes_keys + 12 * AES_128_KEY_SIZE, AES_128_KEY_SIZE); + memcpy(&prod_keys.tsec_root_key, aes_keys + 13 * AES_128_KEY_SIZE, AES_128_KEY_SIZE); + free(aes_keys); + + _derive_master_keys_from_latest_key(&prod_keys, false); + minerva_periodic_training(); + _derive_master_keys_from_latest_key(&dev_keys, true); + minerva_periodic_training(); + _derive_keyblob_keys(keys); + } TPRINTFARGS("%kMaster keys... ", colors[(color_idx++) % 6]); @@ -724,16 +863,24 @@ static void _derive_keys() { TPRINTFARGS("%kBIS keys... ", colors[(color_idx++) % 6]); - _derive_misc_keys(keys); + minerva_periodic_training(); + _derive_misc_keys(keys, is_dev); + + minerva_periodic_training(); _derive_non_unique_keys(&prod_keys, is_dev); + minerva_periodic_training(); _derive_non_unique_keys(&dev_keys, is_dev); + minerva_periodic_training(); + _derive_per_generation_keys(&prod_keys); + minerva_periodic_training(); + _derive_per_generation_keys(&dev_keys); titlekey_buffer_t *titlekey_buffer = (titlekey_buffer_t *)TITLEKEY_BUF_ADR; // Requires BIS key for SYSTEM partition if (!emmc_storage.initialized) { EPRINTF("eMMC not initialized.\nSkipping SD seed and titlekeys."); - } else if (key_exists(keys->bis_key[2])) { + } else if (_key_exists(keys->bis_key[2])) { _derive_emmc_keys(keys, titlekey_buffer, is_dev); } else { EPRINTF("Missing needed BIS keys.\nSkipping SD seed and titlekeys."); @@ -753,60 +900,6 @@ static void _derive_keys() { } } -void derive_amiibo_keys() { - minerva_change_freq(FREQ_1600); - - bool is_dev = fuse_read_hw_state() == FUSE_NX_HW_STATE_DEV; - - key_storage_t __attribute__((aligned(4))) prod_keys = {0}, dev_keys = {0}; - key_storage_t *keys = is_dev ? &dev_keys : &prod_keys; - - _derive_master_keys(&prod_keys, &dev_keys, is_dev); - - minerva_periodic_training(); - - display_backlight_brightness(h_cfg.backlight, 1000); - gfx_clear_partial_grey(0x1B, 32, 1224); - gfx_con_setpos(0, 32); - - color_idx = 0; - - minerva_periodic_training(); - - if (!key_exists(keys->master_key[0])) { - EPRINTF("Unable to derive master keys for NFC."); - minerva_change_freq(FREQ_800); - btn_wait(); - return; - } - - nfc_save_key_t __attribute__((aligned(4))) nfc_save_keys[2] = {0}; - - nfc_decrypt_amiibo_keys(keys, nfc_save_keys, is_dev); - - minerva_periodic_training(); - - u32 hash[SE_SHA_256_SIZE / 4] = {0}; - se_calc_sha256_oneshot(hash, &nfc_save_keys[0], sizeof(nfc_save_keys)); - - if (memcmp(hash, is_dev ? nfc_blob_hash_dev : nfc_blob_hash, sizeof(hash)) != 0) { - EPRINTF("Amiibo hash mismatch. Skipping save."); - } else { - const char *keyfile_path = is_dev ? "sd:/switch/key_dev.bin" : "sd:/switch/key_retail.bin"; - - if (!sd_save_to_file(&nfc_save_keys[0], sizeof(nfc_save_keys), keyfile_path)) { - gfx_printf("%kWrote Amiibo keys to\n %s\n", colors[(color_idx++) % 6], keyfile_path); - } else { - EPRINTF("Unable to save Amiibo keys to SD."); - } - } - - gfx_printf("\n%kPress a button to return to the menu.", colors[(color_idx++) % 6]); - minerva_change_freq(FREQ_800); - btn_wait(); - gfx_clear_grey(0x1B); -} - void dump_keys() { minerva_change_freq(FREQ_1600); @@ -848,3 +941,94 @@ void dump_keys() { } gfx_clear_grey(0x1B); } + +static void _save_key(const char *name, const void *data, u32 len, char *outbuf) { + if (!_key_exists(data)) + return; + u32 pos = strlen(outbuf); + pos += s_printf(&outbuf[pos], "%s = ", name); + for (u32 i = 0; i < len; i++) + pos += s_printf(&outbuf[pos], "%02x", *(u8*)(data + i)); + s_printf(&outbuf[pos], "\n"); + _key_count++; +} + +static void _save_key_family(const char *name, const void *data, u32 start_key, u32 num_keys, u32 len, char *outbuf) { + char *temp_name = calloc(1, 0x40); + for (u32 i = 0; i < num_keys; i++) { + s_printf(temp_name, "%s_%02x", name, i + start_key); + _save_key(temp_name, data + i * len, len, outbuf); + } + free(temp_name); +} + +static void _generate_kek(u32 ks, const void *key_source, const void *master_key, const void *kek_seed, const void *key_seed) { + if (!_key_exists(key_source) || !_key_exists(master_key) || !_key_exists(kek_seed)) + return; + + se_aes_key_set(ks, master_key, AES_128_KEY_SIZE); + se_aes_unwrap_key(ks, ks, kek_seed); + se_aes_unwrap_key(ks, ks, key_source); + if (key_seed && _key_exists(key_seed)) + se_aes_unwrap_key(ks, ks, key_seed); +} + +static void _get_secure_data(key_derivation_ctx_t *keys, void *dst) { + se_aes_key_set(6, keys->device_key, AES_128_KEY_SIZE); + u8 *d = (u8 *)dst; + se_aes_crypt_ctr(6, d + 0x00, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]); + se_aes_crypt_ctr(6, d + 0x10, AES_128_KEY_SIZE, secure_data_source, AES_128_KEY_SIZE, secure_data_counters[0]); + + // Apply tweak + for (u32 i = 0; i < AES_128_KEY_SIZE; i++) { + d[AES_128_KEY_SIZE + i] ^= secure_data_tweaks[0][i]; + } +} + +static void _generate_specific_aes_key(u32 ks, key_derivation_ctx_t *keys, void *out_key, const void *key_source, u32 key_generation) { + if (fuse_read_bootrom_rev() >= 0x7F) { + _get_device_key(ks, keys, keys->temp_key, key_generation); + se_aes_key_set(ks, keys->temp_key, AES_128_KEY_SIZE); + se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source); // kek = unwrap(rsaks, devkey) + se_aes_crypt_ecb(ks, DECRYPT, out_key, AES_128_KEY_SIZE * 2, key_source, AES_128_KEY_SIZE * 2); // bkey = unwrap(bkeys, kek) + } else { + _get_secure_data(keys, out_key); + } +} + +static void _get_device_key(u32 ks, key_derivation_ctx_t *keys, void *out_device_key, u32 revision) { + if (revision == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) { + memcpy(out_device_key, keys->device_key, AES_128_KEY_SIZE); + return; + } + + if (revision >= KB_FIRMWARE_VERSION_400) { + revision -= KB_FIRMWARE_VERSION_400; + } else { + revision = 0; + } + u32 temp_key[AES_128_KEY_SIZE / 4] = {0}; + se_aes_key_set(ks, keys->device_key_4x, AES_128_KEY_SIZE); + se_aes_crypt_block_ecb(ks, DECRYPT, temp_key, device_master_key_source_sources[revision]); + se_aes_key_set(ks, keys->master_key[0], AES_128_KEY_SIZE); + const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[revision] : device_master_kek_sources_dev[revision]; + se_aes_unwrap_key(ks, ks, kek_source); + se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key); +} + +static bool _test_key_pair(const void *public_exponent, const void *private_exponent, const void *modulus) { + u8 plaintext[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0}, + ciphertext[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0}, + work[RSA_2048_KEY_SIZE] __attribute__((aligned(4))) = {0}; + + // 0xCAFEBABE + plaintext[0xfc] = 0xca; plaintext[0xfd] = 0xfe; plaintext[0xfe] = 0xba; plaintext[0xff] = 0xbe; + + se_rsa_key_set(0, modulus, RSA_2048_KEY_SIZE, private_exponent, RSA_2048_KEY_SIZE); + se_rsa_exp_mod(0, ciphertext, RSA_2048_KEY_SIZE, plaintext, RSA_2048_KEY_SIZE); + + se_rsa_key_set(0, modulus, RSA_2048_KEY_SIZE, public_exponent, 4); + se_rsa_exp_mod(0, work, RSA_2048_KEY_SIZE, ciphertext, RSA_2048_KEY_SIZE); + + return !memcmp(plaintext, work, RSA_2048_KEY_SIZE); +} diff --git a/source/keys/keys.h b/source/keys/keys.h index f8a84c1..676fddb 100644 --- a/source/keys/keys.h +++ b/source/keys/keys.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2022 shchmue + * Copyright (c) 2019-2021 shchmue * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -17,11 +17,107 @@ #ifndef _KEYS_H_ #define _KEYS_H_ -#include "crypto.h" +#include #include "../hos/hos.h" -#include -#include + +#define AES_128_KEY_SIZE 16 +#define RSA_2048_KEY_SIZE 256 + +// only tickets of type Rsa2048Sha256 are expected +typedef struct { + u32 signature_type; // always 0x10004 + u8 signature[RSA_2048_KEY_SIZE]; + u8 sig_padding[0x3C]; + char issuer[0x40]; + u8 titlekey_block[RSA_2048_KEY_SIZE]; + u8 format_version; + u8 titlekey_type; + u16 ticket_version; + u8 license_type; + u8 common_key_id; + u16 property_mask; + u64 reserved; + u64 ticket_id; + u64 device_id; + u8 rights_id[0x10]; + u32 account_id; + u32 sect_total_size; + u32 sect_hdr_offset; + u16 sect_hdr_count; + u16 sect_hdr_entry_size; + u8 padding[0x140]; +} ticket_t; + +typedef struct { + u8 rights_id[0x10]; + u64 ticket_id; + u32 account_id; + u16 property_mask; + u16 reserved; +} ticket_record_t; + +typedef struct { + u8 read_buffer[SZ_256K]; + u8 rights_ids[SZ_256K / 0x10][0x10]; + u8 titlekeys[SZ_256K / 0x10][0x10]; +} titlekey_buffer_t; + +typedef struct { + u8 private_exponent[RSA_2048_KEY_SIZE]; + u8 modulus[RSA_2048_KEY_SIZE]; + u8 public_exponent[4]; + u8 reserved[0xC]; +} rsa_keypair_t; + +typedef struct { + u8 master_kek[AES_128_KEY_SIZE]; + u8 data[0x70]; + u8 package1_key[AES_128_KEY_SIZE]; +} keyblob_t; + +typedef struct { + u8 cmac[0x10]; + u8 iv[0x10]; + keyblob_t key_data; + u8 unused[0x150]; +} encrypted_keyblob_t; + +typedef struct { + u8 temp_key[AES_128_KEY_SIZE], + bis_key[4][AES_128_KEY_SIZE * 2], + device_key[AES_128_KEY_SIZE], + device_key_4x[AES_128_KEY_SIZE], + sd_seed[AES_128_KEY_SIZE], + // FS-related keys + header_key[AES_128_KEY_SIZE * 2], + save_mac_key[AES_128_KEY_SIZE], + // other sysmodule keys + eticket_rsa_kek[AES_128_KEY_SIZE], + eticket_rsa_kek_personalized[AES_128_KEY_SIZE], + ssl_rsa_kek[AES_128_KEY_SIZE], + // keyblob-derived families + keyblob_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE], + keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE], + package1_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE], + // master key-derived families + key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], + master_kek[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], + master_key[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], + package2_key[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], + titlekek[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE], + tsec_key[AES_128_KEY_SIZE], + tsec_root_key[AES_128_KEY_SIZE]; + u32 sbk[4]; + keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1]; +} key_derivation_ctx_t; + +typedef struct { + char rights_id[0x20]; + char equals[3]; + char titlekey[0x20]; + char newline[1]; +} titlekey_text_buffer_t; #define TPRINTF(text) \ end_time = get_tmr_us(); \ @@ -45,7 +141,5 @@ #define SAVE_KEY_FAMILY_VAR(name, varname, start) _save_key_family(#name, varname, start, ARRAY_SIZE(varname), sizeof(*(varname)), text_buffer) void dump_keys(); -int save_mariko_partial_keys(u32 start, u32 count, bool append); -void derive_amiibo_keys(); #endif diff --git a/source/keys/nfc_crypto.c b/source/keys/nfc_crypto.c deleted file mode 100644 index b6caa5e..0000000 --- a/source/keys/nfc_crypto.c +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "nfc_crypto.h" - -#include -#include - -#include - -void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_keys[2], bool is_dev) { - const u8 *encrypted_keys = is_dev ? encrypted_nfc_keys_dev : encrypted_nfc_keys; - u32 kek[SE_KEY_128_SIZE / 4] = {0}; - decrypt_aes_key(KS_AES_ECB, keys, kek, nfc_key_source, 0, 0); - - nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob; - static const u8 nfc_iv[SE_AES_IV_SIZE] = { - 0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8}; - se_aes_key_set(KS_AES_CTR, kek, SE_KEY_128_SIZE); - se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv); - - minerva_periodic_training(); - - u32 xor_pad[0x20 / 4] = {0}; - se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE); - se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv); - - minerva_periodic_training(); - - memcpy(out_nfc_save_keys[0].hmac_key, nfc_keyblob.hmac_key, sizeof(nfc_keyblob.hmac_key)); - memcpy(out_nfc_save_keys[0].phrase, nfc_keyblob.phrase, sizeof(nfc_keyblob.phrase)); - out_nfc_save_keys[0].seed_size = sizeof(nfc_keyblob.seed); - memcpy(out_nfc_save_keys[0].seed, nfc_keyblob.seed, sizeof(nfc_keyblob.seed)); - memcpy(out_nfc_save_keys[0].xor_pad, xor_pad, sizeof(xor_pad)); - - memcpy(out_nfc_save_keys[1].hmac_key, nfc_keyblob.hmac_key_for_verif, sizeof(nfc_keyblob.hmac_key_for_verif)); - memcpy(out_nfc_save_keys[1].phrase, nfc_keyblob.phrase_for_verif, sizeof(nfc_keyblob.phrase_for_verif)); - out_nfc_save_keys[1].seed_size = sizeof(nfc_keyblob.seed_for_verif); - memcpy(out_nfc_save_keys[1].seed, nfc_keyblob.seed_for_verif, sizeof(nfc_keyblob.seed_for_verif)); - memcpy(out_nfc_save_keys[1].xor_pad, xor_pad, sizeof(xor_pad)); -} diff --git a/source/keys/nfc_crypto.h b/source/keys/nfc_crypto.h deleted file mode 100644 index 26a1104..0000000 --- a/source/keys/nfc_crypto.h +++ /dev/null @@ -1,75 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#ifndef _NFC_CRYPTO_H_ -#define _NFC_CRYPTO_H_ - -#include "crypto.h" - -#include -#include - -static const u8 nfc_key_source[0x10] __attribute__((aligned(4))) = { - 0x83, 0xF6, 0xEF, 0xD8, 0x13, 0x26, 0x49, 0xAB, 0x97, 0x5F, 0xEA, 0xBA, 0x65, 0x71, 0xCA, 0xCA}; -static const u8 encrypted_nfc_keys[0x80] __attribute__((aligned(4))) = { - 0x76, 0x50, 0x87, 0x02, 0x40, 0xA6, 0x5A, 0x98, 0xCE, 0x39, 0x2F, 0xC8, 0x83, 0xAF, 0x54, 0x76, - 0x28, 0xFF, 0x50, 0xFC, 0xC1, 0xFB, 0x26, 0x14, 0xA2, 0x4A, 0xA6, 0x74, 0x90, 0xA4, 0x37, 0x06, - 0x03, 0x63, 0xC2, 0xB1, 0xAF, 0x9F, 0xF7, 0x07, 0xFC, 0x8A, 0xB9, 0xCA, 0x28, 0x68, 0x6E, 0xF7, - 0x42, 0xCD, 0x68, 0x13, 0xCD, 0x7B, 0x3A, 0x60, 0x3E, 0x8B, 0xAB, 0x3A, 0xCC, 0xED, 0xE0, 0xDD, - 0x71, 0x1F, 0xA5, 0xDE, 0xB8, 0xB1, 0xF5, 0x1D, 0x14, 0x73, 0xBE, 0x27, 0xCC, 0xA1, 0x9B, 0x23, - 0x06, 0x91, 0x89, 0x05, 0xED, 0xD6, 0x92, 0x76, 0x3F, 0x42, 0xFB, 0xD1, 0x8F, 0x2D, 0x6D, 0x72, - 0xC8, 0x9E, 0x48, 0xE8, 0x03, 0x64, 0xF0, 0x3C, 0x0E, 0x2A, 0xF1, 0x26, 0x83, 0x02, 0x4F, 0xE2, - 0x41, 0xAA, 0xC8, 0x33, 0x68, 0x84, 0x3A, 0xFB, 0x87, 0x18, 0xEA, 0xF7, 0x36, 0xA2, 0x4E, 0xA9}; -static const u8 encrypted_nfc_keys_dev[0x80] __attribute__((aligned(4))) = { - 0x13, 0xB0, 0xFB, 0xC2, 0x91, 0x6D, 0x6E, 0x5A, 0x10, 0x31, 0x40, 0xB7, 0xDF, 0xCF, 0x69, 0x69, - 0xB0, 0xFA, 0xAE, 0x7F, 0xB2, 0x4D, 0x27, 0xC9, 0xE9, 0x3F, 0x5B, 0x38, 0x39, 0x24, 0x98, 0xCE, - 0xED, 0xD2, 0xA9, 0x6C, 0x6F, 0xA7, 0x72, 0xD7, 0x11, 0x31, 0x17, 0x93, 0x12, 0x49, 0x32, 0x85, - 0x21, 0xE5, 0xE1, 0x88, 0x0F, 0x08, 0xF2, 0x30, 0x5C, 0xC3, 0xAA, 0xFF, 0xC0, 0xAB, 0x21, 0x96, - 0x74, 0x39, 0xED, 0xE0, 0x5A, 0xB6, 0x75, 0xC2, 0x3B, 0x08, 0x61, 0xE4, 0xA7, 0xD6, 0xED, 0x8C, - 0xA9, 0x02, 0x12, 0xA6, 0xCC, 0x27, 0x4C, 0x1C, 0x41, 0x9C, 0xD8, 0x4C, 0x00, 0xC7, 0x5B, 0x5D, - 0xED, 0xC2, 0x3D, 0x5E, 0x00, 0xF5, 0x49, 0xFA, 0x6C, 0x75, 0x67, 0xCF, 0x1F, 0x73, 0x1A, 0xE8, - 0x47, 0xD4, 0x3D, 0x9B, 0x83, 0x5B, 0x18, 0x2F, 0x95, 0xA9, 0x04, 0xBC, 0x2E, 0xBB, 0x64, 0x4A}; -static const u8 nfc_blob_hash[SE_SHA_256_SIZE] __attribute__((aligned(4))) = { - 0x7F, 0x92, 0x83, 0x65, 0x4E, 0xC1, 0x09, 0x7F, 0xBD, 0xFF, 0x31, 0xDE, 0x94, 0x66, 0x51, 0xAE, - 0x60, 0xC2, 0x85, 0x4A, 0xFB, 0x54, 0x4A, 0xBE, 0x89, 0x63, 0xD3, 0x89, 0x63, 0x9C, 0x71, 0x0E}; -static const u8 nfc_blob_hash_dev[SE_SHA_256_SIZE] __attribute__((aligned(4))) = { - 0x4E, 0x36, 0x59, 0x1C, 0x75, 0x80, 0x23, 0x03, 0x98, 0x2D, 0x45, 0xD9, 0x85, 0xB8, 0x60, 0x18, - 0x7C, 0x85, 0x37, 0x9B, 0xCB, 0xBA, 0xF3, 0xDC, 0x25, 0x38, 0x73, 0xDB, 0x2F, 0xFA, 0xAE, 0x26}; - -typedef struct { - char phrase[0xE]; - u8 seed[0xE]; - u8 hmac_key[0x10]; - char phrase_for_verif[0xE]; - u8 seed_for_verif[0x10]; - u8 hmac_key_for_verif[0x10]; - u8 ctr_key[0x10]; - u8 ctr_iv[0x10]; - u8 pad[6]; -} nfc_keyblob_t; - -typedef struct { - u8 hmac_key[0x10]; - char phrase[0xE]; - u8 rsvd; - u8 seed_size; - u8 seed[0x10]; - u8 xor_pad[0x20]; -} nfc_save_key_t; - -void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_keys[2], bool is_dev); - -#endif diff --git a/source/keys/ssl_crypto.c b/source/keys/ssl_crypto.c deleted file mode 100644 index b6b235b..0000000 --- a/source/keys/ssl_crypto.c +++ /dev/null @@ -1,120 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "ssl_crypto.h" - -#include "cal0_read.h" -#include "gmac.h" - -#include "../config.h" -#include -#include -#include - -#include - -extern hekate_config h_cfg; - -void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation) { - if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) { - return; - } - - const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE; - derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option); -} - -void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek) { - if (!key_exists(keys->master_key[0])) { - return; - } - - const u32 generation = 0; - const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE; - derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option); -} - -void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev) { - if (!key_exists(keys->master_key[0])) { - return; - } - - const void *ssl_kek_source = is_dev ? ssl_rsa_kek_source_dev : ssl_rsa_kek_source; - const u32 generation = 0; - u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE; - derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option); -} - -bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer) { - if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) { - return false; - } - - nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer; - u32 generation = 0; - const void *encrypted_key = NULL; - const void *iv = NULL; - u32 key_size = 0; - void *ctr_key = NULL; - bool enforce_unique = true; - - if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) { - return false; - } - - if (key_size == SSL_RSA_KEY_SIZE) { - bool all_zero = true; - const u8 *key8 = (const u8 *)encrypted_key; - for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) { - if (key8[i] != 0) { - all_zero = false; - break; - } - } - if (all_zero) { - // Keys of this form are not encrypted - memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE); - return true; - } - - ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy); - ctr_key = keys->ssl_rsa_kek_legacy; - enforce_unique = false; - } else if (generation) { - ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation); - ctr_key = keys->ssl_rsa_kek_personalized; - } else { - ctr_key = keys->ssl_rsa_kek; - } - - u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10; - se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE); - se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv); - - if (enforce_unique) { - u32 calc_mac[SE_KEY_128_SIZE / 4] = {0}; - calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv); - - const u8 *key8 = (const u8 *)encrypted_key; - if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) { - EPRINTF("SSL keypair has invalid GMac."); - memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key)); - return false; - } - } - - return true; -} diff --git a/source/keys/ssl_crypto.h b/source/keys/ssl_crypto.h deleted file mode 100644 index 830fd45..0000000 --- a/source/keys/ssl_crypto.h +++ /dev/null @@ -1,45 +0,0 @@ -/* - * Copyright (c) 2022 shchmue - * - * This program is free software; you can redistribute it and/or modify it - * under the terms and conditions of the GNU General Public License, - * version 2, as published by the Free Software Foundation. - * - * This program is distributed in the hope it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#ifndef _SSL_CRYPTO_H_ -#define _SSL_CRYPTO_H_ - -#include "crypto.h" - -#include - -#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE) - -static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = { - 0x7F, 0x5B, 0xB0, 0x84, 0x7B, 0x25, 0xAA, 0x67, 0xFA, 0xC8, 0x4B, 0xE2, 0x3D, 0x7B, 0x69, 0x03}; -static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = { - 0x9A, 0x38, 0x3B, 0xF4, 0x31, 0xD0, 0xBD, 0x81, 0x32, 0x53, 0x4B, 0xA9, 0x64, 0x39, 0x7D, 0xE3}; -static const u8 ssl_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = { - 0xD5, 0xD2, 0xFC, 0x00, 0xFD, 0x49, 0xDD, 0xF8, 0xEE, 0x7B, 0xC4, 0x4B, 0xE1, 0x4C, 0xAA, 0x99}; -static const u8 ssl_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = { - 0xED, 0x36, 0xB1, 0x32, 0x27, 0x17, 0xD2, 0xB0, 0xBA, 0x1F, 0xC1, 0xBD, 0x4D, 0x38, 0x0F, 0x5E}; -static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = { - 0x64, 0xB8, 0x30, 0xDD, 0x0F, 0x3C, 0xB7, 0xFB, 0x4C, 0x16, 0x01, 0x97, 0xEA, 0x9D, 0x12, 0x10}; -static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = { - 0x4D, 0x92, 0x5A, 0x69, 0x42, 0x23, 0xBB, 0x92, 0x59, 0x16, 0x3E, 0x51, 0x8C, 0x78, 0x14, 0x0F}; - -void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation); -void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek); -void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev); - -bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer); - -#endif diff --git a/source/main.c b/source/main.c index 368b820..cd8e92e 100644 --- a/source/main.c +++ b/source/main.c @@ -304,86 +304,26 @@ void dump_emunand() dump_keys(); } -void dump_amiibo_keys() -{ - derive_amiibo_keys(); -} - -void dump_mariko_partial_keys(); - -ment_t ment_partials[] = { - MDEF_BACK(colors[0]), - MDEF_CHGLINE(), - MDEF_CAPTION("This dumps the results of writing zeros", colors[1]), - MDEF_CAPTION("over consecutive 32-bit portions of each", colors[1]), - MDEF_CAPTION("keyslot, the results of which can then", colors[1]), - MDEF_CAPTION("be bruteforced quickly on a computer", colors[1]), - MDEF_CAPTION("to recover keys from unreadable keyslots.", colors[1]), - MDEF_CHGLINE(), - MDEF_CAPTION("This includes the Mariko KEK and BEK", colors[2]), - MDEF_CAPTION("as well as the unique SBK.", colors[2]), - MDEF_CHGLINE(), - MDEF_CAPTION("These are not useful for most users", colors[3]), - MDEF_CAPTION("but are included for archival purposes.", colors[3]), - MDEF_CHGLINE(), - MDEF_CAPTION("Warning: this wipes keyslots!", colors[4]), - MDEF_CAPTION("The console must be completely restarted!", colors[4]), - MDEF_CAPTION("Modchip must run again to fix the keys!", colors[4]), - MDEF_CAPTION("---------------", colors[5]), - MDEF_HANDLER("Dump Mariko Partials", dump_mariko_partial_keys, colors[0]), - MDEF_END() -}; - -menu_t menu_partials = { ment_partials, NULL, 0, 0 }; - power_state_t STATE_POWER_OFF = POWER_OFF_RESET; power_state_t STATE_REBOOT_FULL = POWER_OFF_REBOOT; power_state_t STATE_REBOOT_RCM = REBOOT_RCM; power_state_t STATE_REBOOT_BYPASS_FUSES = REBOOT_BYPASS_FUSES; ment_t ment_top[] = { - MDEF_HANDLER("Dump from SysNAND", dump_sysnand, colors[0]), - MDEF_HANDLER("Dump from EmuNAND", dump_emunand, colors[1]), - MDEF_CAPTION("---------------", colors[2]), - MDEF_HANDLER("Dump Amiibo Keys", dump_amiibo_keys, colors[3]), - MDEF_MENU("Dump Mariko Partials (requires reboot)", &menu_partials, colors[4]), - MDEF_CAPTION("---------------", colors[5]), - MDEF_HANDLER("Payloads...", launch_tools, colors[0]), - MDEF_HANDLER("Reboot to hekate", launch_hekate, colors[1]), - MDEF_CAPTION("---------------", colors[2]), - MDEF_HANDLER_EX("Reboot (OFW)", &STATE_REBOOT_BYPASS_FUSES, power_set_state_ex, colors[3]), - MDEF_HANDLER_EX("Reboot (RCM)", &STATE_REBOOT_RCM, power_set_state_ex, colors[4]), - MDEF_HANDLER_EX("Power off", &STATE_POWER_OFF, power_set_state_ex, colors[5]), + MDEF_HANDLER("Dump from SysNAND", dump_sysnand, COLOR_RED), + MDEF_HANDLER("Dump from EmuNAND", dump_emunand, COLOR_ORANGE), + MDEF_CAPTION("---------------", COLOR_YELLOW), + MDEF_HANDLER("Payloads...", launch_tools, COLOR_GREEN), + MDEF_HANDLER("Reboot to hekate", launch_hekate, COLOR_BLUE), + MDEF_CAPTION("---------------", COLOR_VIOLET), + MDEF_HANDLER_EX("Reboot (OFW)", &STATE_REBOOT_BYPASS_FUSES, power_set_state_ex, COLOR_RED), + MDEF_HANDLER_EX("Reboot (RCM)", &STATE_REBOOT_RCM, power_set_state_ex, COLOR_ORANGE), + MDEF_HANDLER_EX("Power off", &STATE_POWER_OFF, power_set_state_ex, COLOR_YELLOW), MDEF_END() }; menu_t menu_top = { ment_top, NULL, 0, 0 }; -void grey_out_menu_item(ment_t *menu) -{ - menu->type = MENT_CAPTION; - menu->color = 0xFF555555; - menu->handler = NULL; -} - -void dump_mariko_partial_keys() -{ - if (h_cfg.t210b01) { - int res = save_mariko_partial_keys(0, 16, false); - if (res == 0 || res == 3) - { - // Grey out dumping menu items as the keyslots have been invalidated. - grey_out_menu_item(&ment_top[0]); - grey_out_menu_item(&ment_top[1]); - grey_out_menu_item(&ment_top[4]); - grey_out_menu_item(&ment_partials[18]); - } - - gfx_printf("\n%kPress a button to return to the menu.", COLOR_ORANGE); - btn_wait(); - } -} - extern void pivot_stack(u32 stack_top); void ipl_main() @@ -433,24 +373,30 @@ void ipl_main() // Grey out emummc option if not present. if (h_cfg.emummc_force_disable) { - grey_out_menu_item(&ment_top[1]); + ment_top[1].type = MENT_CAPTION; + ment_top[1].color = 0xFF555555; + ment_top[1].handler = NULL; } // Grey out reboot to RCM option if on Mariko or patched console. if (h_cfg.t210b01 || h_cfg.rcm_patched) { - grey_out_menu_item(&ment_top[10]); + ment_top[7].type = MENT_CAPTION; + ment_top[7].color = 0xFF555555; + ment_top[7].handler = NULL; } - // Grey out Mariko partial dump option on Erista. - if (!h_cfg.t210b01) { - grey_out_menu_item(&ment_top[4]); + if (h_cfg.rcm_patched) + { + ment_top[7].data = &STATE_REBOOT_FULL; } // Grey out reboot to hekate option if no update.bin found. if (f_stat("bootloader/update.bin", NULL)) { - grey_out_menu_item(&ment_top[7]); + ment_top[4].type = MENT_CAPTION; + ment_top[4].color = 0xFF555555; + ment_top[4].handler = NULL; } minerva_change_freq(FREQ_800); diff --git a/source/storage/nx_emmc_bis.h b/source/storage/nx_emmc_bis.h index f207acd..59b766e 100644 --- a/source/storage/nx_emmc_bis.h +++ b/source/storage/nx_emmc_bis.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2022 shchmue + * Copyright (c) 2019 shchmue * Copyright (c) 2019 CTCaer * * This program is free software; you can redistribute it and/or modify it @@ -112,10 +112,8 @@ typedef struct _nx_emmc_cal0_t u8 crc16_pad16[0x10]; u8 ecc_p33_ticket_cert[0x180]; u8 crc16_pad17[0x10]; - u8 ssl_key_iv[0x10]; - u8 ssl_key[0x100]; - u8 crc16_pad18[0xE]; - u16 ssl_key_crc; + u8 ssl_key[0x110]; + u8 crc16_pad18[0x10]; u32 ssl_cert_size; u8 crc16_pad19[0xC]; u8 ssl_cert[0x800]; @@ -172,11 +170,8 @@ typedef struct _nx_emmc_cal0_t u32 ext_ecc_rsa2048_eticket_key_ver; u8 crc16_pad38[0xA]; u16 ext_ecc_rsa2048_eticket_key_crc; - u8 ext_ssl_key_iv[0x10]; - u8 ext_ssl_key[0x120]; - u32 ext_ssl_key_ver; - u8 crc16_pad39[0xA]; - u16 ext_ssl_key_crc; + u8 ext_ssl_key[0x130]; + u8 crc16_pad39[0x10]; u8 ext_gc_key[0x130]; u8 crc16_pad40[0x10];