Bump version to v1.9.10

Support 16.0.0 keys

Versions.inc

@@ -1,5 +1,5 @@
 # LP Version.
 LPVERSION_MAJOR := 1
 LPVERSION_MINOR := 9
-LPVERSION_BUGFX := 8
+LPVERSION_BUGFX := 10
 LPVERSION_RSVD := 0

bdk/libs/nx_savedata/header.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,

bdk/libs/nx_savedata/remap_storage.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,

bdk/libs/nx_savedata/save_fs_list.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,

bdk/sec/se.c

@@ -718,76 +718,6 @@ out:;
 	return res;
 }
 
-// _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère
-static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size)
-{
-    u8 cur_hash[0x20] __attribute__((aligned(4)));
-    u8 hash_buf[0xe4] __attribute__((aligned(4)));
-
-    u32 hash_buf_size = seed_size + 4;
-    memcpy(hash_buf, seed, seed_size);
-    u32 round_num = 0;
-
-    u8 *p_out = (u8 *)masked;
-
-    while (masked_size) {
-        u32 cur_size = MIN(masked_size, 0x20);
-
-        for (u32 i = 0; i < 4; i++)
-            hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff;
-        round_num++;
-
-        se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size);
-
-        for (unsigned int i = 0; i < cur_size; i++) {
-            *p_out ^= cur_hash[i];
-            p_out++;
-        }
-
-        masked_size -= cur_size;
-    }
-}
-
-u32 se_rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size)
-{
-	if (dst_size <= 0 || buf_size < 0x43 || label_digest_size != 0x20)
-		return 0;
-
-	bool is_valid = buf[0] == 0;
-
-	u32 db_len = buf_size - 0x21;
-	u8 *seed = buf + 1;
-	u8 *db = seed + 0x20;
-	_mgf1_xor(seed, 0x20, db, db_len);
-	_mgf1_xor(db, db_len, seed, 0x20);
-
-	is_valid &= memcmp(label_digest, db, 0x20) ? 0 : 1;
-
-	db += 0x20;
-	db_len -= 0x20;
-
-	int msg_ofs = 0;
-	int looking_for_one = 1;
-	int invalid_db_padding = 0;
-	int is_zero;
-	int is_one;
-	for (int i = 0; i < db_len; )
-	{
-		is_zero = (db[i] == 0);
-		is_one  = (db[i] == 1);
-		msg_ofs += (looking_for_one & is_one) * (++i);
-		looking_for_one &= ~is_one;
-		invalid_db_padding |= (looking_for_one & ~is_zero);
-	}
-
-	is_valid &= (invalid_db_padding == 0);
-
-	const u32 msg_size = MIN(dst_size, is_valid * (db_len - msg_ofs));
-	memcpy(dst, db + msg_ofs, msg_size);
-
-	return msg_size;
-}
-
 void se_get_aes_keys(u8 *buf, u8 *keys, u32 keysize)
 {
 	u8 *aligned_buf = (u8 *)ALIGN((u32)buf, 0x40);

bdk/sec/se.h

@@ -49,6 +49,5 @@ int se_calc_sha256(void *hash, u32 *msg_left, const void *src, u32 src_size, u64
 int se_calc_sha256_oneshot(void *hash, const void *src, u32 src_size);
 int se_calc_sha256_finalize(void *hash, u32 *msg_left);
 int se_calc_hmac_sha256(void *dst, const void *src, u32 src_size, const void *key, u32 key_size);
-u32 se_rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size);
 
 #endif

bdk/utils/util.c

@@ -1,6 +1,7 @@
 /*
 * Copyright (c) 2018 naehrwert
 * Copyright (c) 2018-2020 CTCaer
+# Copyright (c) 2022 shchmue
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,

bdk/utils/util.h

@@ -96,5 +96,4 @@ void panic(u32 val);
 void power_set_state(power_state_t state);
 void power_set_state_ex(void *param);
 
-
 #endif

source/hos/hos.h

@@ -34,6 +34,8 @@
 #define KB_FIRMWARE_VERSION_1210 11
 #define KB_FIRMWARE_VERSION_1300 12
 #define KB_FIRMWARE_VERSION_1400 13
-#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1400 //!TODO: Update on mkey changes.
+#define KB_FIRMWARE_VERSION_1500 14
+#define KB_FIRMWARE_VERSION_1600 15
+#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1600 //!TODO: Update on mkey changes.
 
 #endif

source/keys/cal0_read.c

@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "cal0_read.h"
+
+#include <gfx_utils.h>
+#include <sec/se.h>
+#include <sec/se_t210.h>
+#include "../storage/emummc.h"
+#include "../storage/nx_emmc.h"
+#include <utils/util.h>
+
+bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer) {
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)read_buffer;
+
+    // Check if CAL0 was already read into this buffer
+    if (cal0->magic == MAGIC_CAL0) {
+        return true;
+    }
+
+    if (!emummc_storage_read(NX_EMMC_CALIBRATION_OFFSET / NX_EMMC_BLOCKSIZE, NX_EMMC_CALIBRATION_SIZE / NX_EMMC_BLOCKSIZE, read_buffer)) {
+        EPRINTF("Unable to read PRODINFO.");
+        return false;
+    }
+
+    se_aes_xts_crypt(tweak_ks, crypt_ks, DECRYPT, 0, read_buffer, read_buffer, XTS_CLUSTER_SIZE, NX_EMMC_CALIBRATION_SIZE / XTS_CLUSTER_SIZE);
+
+    if (cal0->magic != MAGIC_CAL0) {
+        EPRINTF("Invalid CAL0 magic. Check BIS key 0.");
+        return false;
+    }
+
+    return true;
+}
+
+bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
+    const u32 ext_key_size = sizeof(cal0->ext_ssl_key_iv) + sizeof(cal0->ext_ssl_key);
+    const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ssl_key_ver) + sizeof(cal0->crc16_pad39);
+    const u32 key_size = sizeof(cal0->ssl_key_iv) + sizeof(cal0->ssl_key);
+    const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad18);
+
+    if (cal0->ext_ssl_key_crc == crc16_calc(cal0->ext_ssl_key_iv, ext_key_crc_size)) {
+        *out_key = cal0->ext_ssl_key;
+        *out_key_size = ext_key_size;
+        *out_iv = cal0->ext_ssl_key_iv;
+        // Settings sysmodule manually zeroes this out below cal version 9
+        *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ssl_key_ver;
+    } else if (cal0->ssl_key_crc == crc16_calc(cal0->ssl_key_iv, key_crc_size)) {
+        *out_key = cal0->ssl_key;
+        *out_key_size = key_size;
+        *out_iv = cal0->ssl_key_iv;
+        *out_generation = 0;
+    } else {
+        EPRINTF("Crc16 error reading device key.");
+        return false;
+    }
+    return true;
+}
+
+
+bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation) {
+    const u32 ext_key_size = sizeof(cal0->ext_ecc_rsa2048_eticket_key_iv) + sizeof(cal0->ext_ecc_rsa2048_eticket_key);
+    const u32 ext_key_crc_size = ext_key_size + sizeof(cal0->ext_ecc_rsa2048_eticket_key_ver) + sizeof(cal0->crc16_pad38);
+    const u32 key_size = sizeof(cal0->rsa2048_eticket_key_iv) + sizeof(cal0->rsa2048_eticket_key);
+    const u32 key_crc_size = key_size + sizeof(cal0->crc16_pad21);
+
+    if (cal0->ext_ecc_rsa2048_eticket_key_crc == crc16_calc(cal0->ext_ecc_rsa2048_eticket_key_iv, ext_key_crc_size)) {
+        *out_key = cal0->ext_ecc_rsa2048_eticket_key;
+        *out_key_size = ext_key_size;
+        *out_iv = cal0->ext_ecc_rsa2048_eticket_key_iv;
+        // Settings sysmodule manually zeroes this out below cal version 9
+        *out_generation = cal0->version <= 8 ? 0 : cal0->ext_ecc_rsa2048_eticket_key_ver;
+    } else if (cal0->rsa2048_eticket_key_crc == crc16_calc(cal0->rsa2048_eticket_key_iv, key_crc_size)) {
+        *out_key = cal0->rsa2048_eticket_key;
+        *out_key_size = key_size;
+        *out_iv = cal0->rsa2048_eticket_key_iv;
+        *out_generation = 0;
+    } else {
+        EPRINTF("Crc16 error reading device key.");
+        return false;
+    }
+    return true;
+}

source/keys/cal0_read.h

@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _CAL0_READ_H_
+#define _CAL0_READ_H_
+
+#include "../storage/nx_emmc_bis.h"
+#include <utils/types.h>
+
+bool cal0_read(u32 tweak_ks, u32 crypt_ks, void *read_buffer);
+bool cal0_get_ssl_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation);
+bool cal0_get_eticket_rsa_key(const nx_emmc_cal0_t *cal0, const void **out_key, u32 *out_key_size, const void **out_iv, u32 *out_generation);
+
+#endif

source/keys/crypto.c

@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) 2022 shchmue
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto.h"
+
+#include "../../keygen/tsec_keygen.h"
+
+#include "../config.h"
+#include "../hos/hos.h"
+#include <sec/se.h>
+#include <sec/se_t210.h>
+#include <sec/tsec.h>
+#include <soc/fuse.h>
+#include <utils/util.h>
+
+#include <string.h>
+
+extern hekate_config h_cfg;
+
+int key_exists(const void *data) {
+    return memcmp(data, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) != 0;
+}
+
+int run_ams_keygen() {
+    tsec_ctxt_t tsec_ctxt;
+    tsec_ctxt.fw = tsec_keygen;
+    tsec_ctxt.size = sizeof(tsec_keygen);
+    tsec_ctxt.type = TSEC_FW_TYPE_NEW;
+
+    u32 retries = 0;
+    u32 temp_key[SE_KEY_128_SIZE / 4];
+    while (tsec_query(temp_key, &tsec_ctxt) < 0) {
+        retries++;
+        if (retries > 15) {
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+bool check_keyslot_access() {
+    u8 test_data[SE_KEY_128_SIZE] = {0};
+    const u8 test_ciphertext[SE_KEY_128_SIZE] = {0};
+    se_aes_key_set(KS_AES_ECB, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", SE_KEY_128_SIZE);
+    se_aes_crypt_block_ecb(KS_AES_ECB, DECRYPT, test_data, test_ciphertext);
+
+    return memcmp(test_data, "\x7b\x1d\x29\xa1\x6c\xf8\xcc\xab\x84\xf0\xb8\xa5\x98\xe4\x2f\xa6", SE_KEY_128_SIZE) == 0;
+}
+
+bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus) {
+    u32 plaintext[SE_RSA2048_DIGEST_SIZE / 4] = {0},
+        ciphertext[SE_RSA2048_DIGEST_SIZE / 4] = {0},
+        work[SE_RSA2048_DIGEST_SIZE / 4] = {0};
+
+    plaintext[63] = 0xCAFEBABE;
+
+    se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, private_exponent, SE_RSA2048_DIGEST_SIZE);
+    se_rsa_exp_mod(0, ciphertext, SE_RSA2048_DIGEST_SIZE, plaintext, SE_RSA2048_DIGEST_SIZE);
+
+    se_rsa_key_set(0, modulus, SE_RSA2048_DIGEST_SIZE, public_exponent, 4);
+    se_rsa_exp_mod(0, work, SE_RSA2048_DIGEST_SIZE, ciphertext, SE_RSA2048_DIGEST_SIZE);
+
+    return memcmp(plaintext, work, SE_RSA2048_DIGEST_SIZE) == 0;
+}
+
+// _mgf1_xor() and rsa_oaep_decode were derived from Atmosphère
+static void _mgf1_xor(void *masked, u32 masked_size, const void *seed, u32 seed_size) {
+    u8 cur_hash[0x20] __attribute__((aligned(4)));
+    u8 hash_buf[0xe4] __attribute__((aligned(4)));
+
+    u32 hash_buf_size = seed_size + 4;
+    memcpy(hash_buf, seed, seed_size);
+    u32 round_num = 0;
+
+    u8 *p_out = (u8 *)masked;
+
+    while (masked_size) {
+        u32 cur_size = MIN(masked_size, 0x20);
+
+        for (u32 i = 0; i < 4; i++)
+            hash_buf[seed_size + 3 - i] = (round_num >> (8 * i)) & 0xff;
+        round_num++;
+
+        se_calc_sha256_oneshot(cur_hash, hash_buf, hash_buf_size);
+
+        for (unsigned int i = 0; i < cur_size; i++) {
+            *p_out ^= cur_hash[i];
+            p_out++;
+        }
+
+        masked_size -= cur_size;
+    }
+}
+
+u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size) {
+    if (dst_size <= 0 || buf_size < 0x43 || label_digest_size != 0x20)
+        return 0;
+
+    bool is_valid = buf[0] == 0;
+
+    u32 db_len = buf_size - 0x21;
+    u8 *seed = buf + 1;
+    u8 *db = seed + 0x20;
+    _mgf1_xor(seed, 0x20, db, db_len);
+    _mgf1_xor(db, db_len, seed, 0x20);
+
+    is_valid &= memcmp(label_digest, db, 0x20) ? 0 : 1;
+
+    db += 0x20;
+    db_len -= 0x20;
+
+    int msg_ofs = 0;
+    int looking_for_one = 1;
+    int invalid_db_padding = 0;
+    int is_zero;
+    int is_one;
+    for (int i = 0; i < db_len; ) {
+        is_zero = (db[i] == 0);
+        is_one  = (db[i] == 1);
+        msg_ofs += (looking_for_one & is_one) * (++i);
+        looking_for_one &= ~is_one;
+        invalid_db_padding |= (looking_for_one & ~is_zero);
+    }
+
+    is_valid &= (invalid_db_padding == 0);
+
+    const u32 msg_size = MIN(dst_size, is_valid * (db_len - msg_ofs));
+    memcpy(dst, db + msg_ofs, msg_size);
+
+    return msg_size;
+}
+
+void derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option) {
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    generate_aes_kek(ks, keys, access_key, kekek_source, generation, option);
+    get_device_unique_data_key(ks, out_rsa_kek, access_key, kek_source);
+}
+
+// Equivalent to spl::GenerateAesKek
+void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option) {
+    bool device_unique = GET_IS_DEVICE_UNIQUE(option);
+    u32 seal_key_index = GET_SEAL_KEY_INDEX(option);
+
+    if (generation)
+        generation--;
+
+    u8 static_source[SE_KEY_128_SIZE] __attribute__((aligned(4)));
+    for (u32 i = 0; i < SE_KEY_128_SIZE; i++)
+        static_source[i] = aes_kek_generation_source[i] ^ seal_key_masks[seal_key_index][i];
+
+    if (device_unique) {
+        get_device_key(ks, keys, keys->temp_key, generation);
+    } else {
+        memcpy(keys->temp_key, keys->master_key[generation], sizeof(keys->temp_key));
+    }
+    se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE);
+    se_aes_unwrap_key(ks, ks, static_source);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_kek, kek_source);
+}
+
+// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key
+void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
+    se_aes_key_set(ks, access_key, SE_KEY_128_SIZE);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_key, key_source);
+}
+
+// Equivalent to spl::GenerateAesKey
+void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source) {
+    u32 aes_key[SE_KEY_128_SIZE / 4] = {0};
+    load_aes_key(ks, aes_key, access_key, aes_key_generation_source);
+    se_aes_key_set(ks, aes_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ecb(ks, DECRYPT, out_key, key_size, key_source, key_size);
+}
+
+// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing
+void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source) {
+    load_aes_key(ks, out_key, access_key, key_source);
+}
+
+// Equivalent to spl::DecryptAesKey.
+void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option) {
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    generate_aes_kek(ks, keys, access_key, aes_key_decryption_source, generation, option);
+    generate_aes_key(ks, keys, out_key, SE_KEY_128_SIZE, access_key, key_source);
+}
+
+// Equivalent to smc::GetSecureData
+void get_secure_data(key_storage_t *keys, void *out_data) {
+    se_aes_key_set(KS_AES_CTR, keys->device_key, SE_KEY_128_SIZE);
+    u8 *d = (u8 *)out_data;
+    se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 0, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]);
+    se_aes_crypt_ctr(KS_AES_CTR, d + SE_KEY_128_SIZE * 1, SE_KEY_128_SIZE, secure_data_source, SE_KEY_128_SIZE, secure_data_counters[0]);
+
+    // Apply tweak
+    for (u32 i = 0; i < SE_KEY_128_SIZE; i++) {
+        d[SE_KEY_128_SIZE + i] ^= secure_data_tweaks[0][i];
+    }
+}
+
+// Equivalent to spl::GenerateSpecificAesKey
+void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation) {
+    if (fuse_read_bootrom_rev() >= 0x7F) {
+        get_device_key(ks, keys, keys->temp_key, generation == 0 ? 0 : generation - 1);
+        se_aes_key_set(ks, keys->temp_key, SE_KEY_128_SIZE);
+        se_aes_unwrap_key(ks, ks, retail_specific_aes_key_source);
+        se_aes_crypt_ecb(ks, DECRYPT, out_key, SE_KEY_128_SIZE * 2, key_source, SE_KEY_128_SIZE * 2);
+    } else {
+        get_secure_data(keys, out_key);
+    }
+}
+
+void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation) {
+    if (generation == KB_FIRMWARE_VERSION_100 && !h_cfg.t210b01) {
+        memcpy(out_device_key, keys->device_key, SE_KEY_128_SIZE);
+        return;
+    }
+
+    if (generation >= KB_FIRMWARE_VERSION_400) {
+        generation -= KB_FIRMWARE_VERSION_400;
+    } else {
+        generation = 0;
+    }
+    u32 temp_key_source[SE_KEY_128_SIZE / 4] = {0};
+    load_aes_key(ks, temp_key_source, keys->device_key_4x, device_master_key_source_sources[generation]);
+    const void *kek_source = fuse_read_hw_state() == FUSE_NX_HW_STATE_PROD ? device_master_kek_sources[generation] : device_master_kek_sources_dev[generation];
+    se_aes_key_set(ks, keys->master_key[0], SE_KEY_128_SIZE);
+    se_aes_unwrap_key(ks, ks, kek_source);
+    se_aes_crypt_block_ecb(ks, DECRYPT, out_device_key, temp_key_source);
+}

source/keys/crypto.h

@@ -0,0 +1,240 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _CRYPTO_H_
+#define _CRYPTO_H_
+
+#include "es_types.h"
+
+#include "../hos/hos.h"
+#include <sec/se_t210.h>
+#include "../storage/nx_emmc.h"
+#include <utils/types.h>
+
+#include <string.h>
+
+// Sha256 hash of the null string.
+static const u8 null_hash[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
+    0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
+    0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
+
+static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
+    0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
+
+static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = {
+    0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8};
+
+static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = {
+    0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E};
+
+static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
+    {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0  Device Master Kek Source. */
+    {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0  Device Master Kek Source. */
+    {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0  Device Master Kek Source. */
+    {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0  Device Master Kek Source. */
+    {0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0  Device Master Kek Source. */
+    {0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0  Device Master Kek Source. */
+    {0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0  Device Master Kek Source. */
+    {0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0  Device Master Kek Source. */
+    {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */
+    {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */
+    {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */
+    {0x7C, 0x30, 0xED, 0x8B, 0x39, 0x25, 0x2C, 0x08, 0x8F, 0x48, 0xDC, 0x28, 0xE6, 0x1A, 0x6B, 0x49}, /* 15.0.0 Device Master Kek Source. */
+    {0xF0, 0xF3, 0xFF, 0x52, 0x75, 0x2F, 0xBA, 0x4D, 0x09, 0x72, 0x30, 0x89, 0xA9, 0xDF, 0xFE, 0x1F}, /* 16.0.0 Device Master Kek Source. */    
+}; //!TODO: Update on mkey changes.
+
+static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
+    {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0  Device Master Kek Source. */
+    {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0  Device Master Kek Source. */
+    {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0  Device Master Kek Source. */
+    {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0  Device Master Kek Source. */
+    {0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0  Device Master Kek Source. */
+    {0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0  Device Master Kek Source. */
+    {0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0  Device Master Kek Source. */
+    {0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0  Device Master Kek Source. */
+    {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */
+    {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */
+    {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */
+    {0xAE, 0x05, 0x48, 0x65, 0xAB, 0x17, 0x9D, 0x3D, 0x51, 0xB7, 0x56, 0xBD, 0x9B, 0x0B, 0x5B, 0x6E}, /* 15.0.0 Device Master Kek Source. */
+    {0xFF, 0xF6, 0x4B, 0x0F, 0xFF, 0x0D, 0xC0, 0x4F, 0x56, 0x8A, 0x40, 0x74, 0x67, 0xC5, 0xFE, 0x9F}, /* 16.0.0 Device Master Kek Source. */
+}; //!TODO: Update on mkey changes.
+
+static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
+    {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0  Device Master Key Source Source. */
+    {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0  Device Master Key Source Source. */
+    {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0  Device Master Key Source Source. */
+    {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0  Device Master Key Source Source. */
+    {0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0  Device Master Key Source Source. */
+    {0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0  Device Master Key Source Source. */
+    {0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0  Device Master Key Source Source. */
+    {0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0  Device Master Key Source Source. */
+    {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */
+    {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */
+    {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ 
+    {0x5E, 0xC9, 0xC5, 0x0A, 0xD0, 0x5F, 0x8B, 0x7B, 0xA7, 0x39, 0xEA, 0xBC, 0x60, 0x0F, 0x74, 0xE6}, /* 15.0.0 Device Master Key Source Source. */
+    {0xEA, 0x90, 0x6E, 0xA8, 0xAE, 0x92, 0x99, 0x64, 0x36, 0xC1, 0xF3, 0x1C, 0xC6, 0x32, 0x83, 0x8C}, /* 16.0.0 Device Master Key Source Source. */
+}; //!TODO: Update on mkey changes.
+
+static const u8 seal_key_masks[][0x10] __attribute__((aligned(4))) = {
+    {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // SealKey_LoadAesKey
+    {0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74}, // SealKey_DecryptDeviceUniqueData
+    {0x57, 0xE2, 0xD9, 0x45, 0xE4, 0x92, 0xF4, 0xFD, 0xC3, 0xF9, 0x86, 0x38, 0x89, 0x78, 0x9F, 0x3C}, // SealKey_ImportLotusKey
+    {0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB}, // SealKey_ImportEsDeviceKey
+    {0x59, 0xD9, 0x31, 0xF4, 0xA7, 0x97, 0xB8, 0x14, 0x40, 0xD6, 0xA2, 0x60, 0x2B, 0xED, 0x15, 0x31}, // SealKey_ReencryptDeviceUniqueData
+    {0xFD, 0x6A, 0x25, 0xE5, 0xD8, 0x38, 0x7F, 0x91, 0x49, 0xDA, 0xF8, 0x59, 0xA8, 0x28, 0xE6, 0x75}, // SealKey_ImportSslKey
+    {0x89, 0x96, 0x43, 0x9A, 0x7C, 0xD5, 0x59, 0x55, 0x24, 0xD5, 0x24, 0x18, 0xAB, 0x6C, 0x04, 0x61}, // SealKey_ImportEsClientCertKey
+};
+
+static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = {
+    0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95};
+
+static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+
+static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = {
+    {0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9}
+};
+
+static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
+    {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E}
+};
+
+ //!TODO: Update on keygen changes.
+#define TSEC_ROOT_KEY_VERSION 2
+
+// Lockpick_RCM keyslots
+#define KS_BIS_00_CRYPT 0
+#define KS_BIS_00_TWEAK 1
+#define KS_BIS_01_CRYPT 2
+#define KS_BIS_01_TWEAK 3
+#define KS_BIS_02_CRYPT 4
+#define KS_BIS_02_TWEAK 5
+#define KS_AES_CTR  6
+#define KS_AES_ECB  8
+#define KS_AES_CMAC 10
+
+// Mariko keyslots
+#define KS_MARIKO_KEK 12
+#define KS_MARIKO_BEK 13
+
+// Other Switch keyslots
+#define KS_TSEC        12
+#define KS_SECURE_BOOT 14
+
+// Atmosphere keygen keyslots
+#define KS_TSEC_ROOT_DEV 11
+#define KS_TSEC_ROOT     13
+
+#define RSA_PUBLIC_EXPONENT 65537
+
+#define KEYBLOB_UNK_DATA_SIZE 0x70
+#define KEYBLOB_UNUSED_SIZE (NX_EMMC_BLOCKSIZE - SE_AES_CMAC_DIGEST_SIZE - SE_AES_IV_SIZE - sizeof(keyblob_t))
+
+typedef struct {
+    u8 master_kek[SE_KEY_128_SIZE];
+    u8 data[KEYBLOB_UNK_DATA_SIZE];
+    u8 package1_key[SE_KEY_128_SIZE];
+} keyblob_t;
+
+typedef struct {
+    u8 cmac[SE_AES_CMAC_DIGEST_SIZE];
+    u8 iv[SE_AES_IV_SIZE];
+    keyblob_t key_data;
+    u8 unused[KEYBLOB_UNUSED_SIZE];
+} encrypted_keyblob_t;
+
+typedef struct {
+    u8  temp_key[SE_KEY_128_SIZE],
+        bis_key[4][SE_KEY_128_SIZE * 2],
+        device_key[SE_KEY_128_SIZE],
+        device_key_4x[SE_KEY_128_SIZE],
+        sd_seed[SE_KEY_128_SIZE],
+        // FS-related keys
+        header_key[SE_KEY_128_SIZE * 2],
+        save_mac_key[SE_KEY_128_SIZE],
+        // other sysmodule keys
+        eticket_rsa_kek[SE_KEY_128_SIZE],
+        eticket_rsa_kek_personalized[SE_KEY_128_SIZE],
+        ssl_rsa_kek[SE_KEY_128_SIZE],
+        ssl_rsa_kek_legacy[SE_KEY_128_SIZE],
+        ssl_rsa_kek_personalized[SE_KEY_128_SIZE],
+        ssl_rsa_key[SE_RSA2048_DIGEST_SIZE + 0x20],
+        // keyblob-derived families
+        keyblob_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
+        keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
+        package1_key[KB_FIRMWARE_VERSION_600 + 1][SE_KEY_128_SIZE],
+        // master key-derived families
+        key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        master_kek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        master_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        package2_key[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        titlekek[KB_FIRMWARE_VERSION_MAX + 1][SE_KEY_128_SIZE],
+        tsec_key[SE_KEY_128_SIZE],
+        tsec_root_key[SE_KEY_128_SIZE];
+    u32 secure_boot_key[4];
+    keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
+    eticket_rsa_keypair_t eticket_rsa_keypair;
+} key_storage_t;
+
+typedef enum {
+    SEAL_KEY_LOAD_AES_KEY = 0,
+    SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA = 1,
+    SEAL_KEY_IMPORT_LOTUS_KEY = 2,
+    SEAL_KEY_IMPORT_ES_DEVICE_KEY = 3,
+    SEAL_KEY_REENCRYPT_DEVICE_UNIQUE_DATA = 4,
+    SEAL_KEY_IMPORT_SSL_KEY = 5,
+    SEAL_KEY_IMPORT_ES_CLIENT_CERT_KEY = 6,
+} seal_key_t;
+
+typedef enum {
+    NOT_DEVICE_UNIQUE = 0,
+    IS_DEVICE_UNIQUE = 1,
+} device_unique_t;
+
+#define SET_SEAL_KEY_INDEX(x) (((x) & 7) << 5)
+#define GET_SEAL_KEY_INDEX(x) (((x) >> 5) & 7)
+#define GET_IS_DEVICE_UNIQUE(x) ((x) & 1)
+
+int key_exists(const void *data);
+
+int run_ams_keygen();
+
+bool check_keyslot_access();
+
+bool test_rsa_keypair(const void *public_exponent, const void *private_exponent, const void *modulus);
+u32 rsa_oaep_decode(void *dst, u32 dst_size, const void *label_digest, u32 label_digest_size, u8 *buf, u32 buf_size);
+
+void derive_rsa_kek(u32 ks, key_storage_t *keys, void *out_rsa_kek, const void *kekek_source, const void *kek_source, u32 generation, u32 option);
+
+// Equivalent to spl::GenerateAesKek
+void generate_aes_kek(u32 ks, key_storage_t *keys, void *out_kek, const void *kek_source, u32 generation, u32 option);
+// Equivalent to spl::GenerateAesKey
+void generate_aes_key(u32 ks, key_storage_t *keys, void *out_key, u32 key_size, const void *access_key, const void *key_source);
+// Equivalent to spl::GenerateSpecificAesKey
+void generate_specific_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation);
+// Equivalent to spl::DecryptAesKey.
+void decrypt_aes_key(u32 ks, key_storage_t *keys, void *out_key, const void *key_source, u32 generation, u32 option);
+// Based on spl::LoadAesKey but instead of prepping keyslot, returns calculated key
+void load_aes_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
+
+// Equivalent to smc::PrepareDeviceUniqueDataKey but with no sealing
+void get_device_unique_data_key(u32 ks, void *out_key, const void *access_key, const void *key_source);
+// Equivalent to smc::GetSecureData
+void get_secure_data(key_storage_t *keys, void *out_data);
+// Equivalent to smc::PrepareDeviceMasterKey
+void get_device_key(u32 ks, key_storage_t *keys, void *out_device_key, u32 generation);
+
+#endif

source/keys/es_crypto.c

@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "es_crypto.h"
+
+#include "cal0_read.h"
+
+#include "../config.h"
+#include <gfx_utils.h>
+#include "../gfx/tui.h"
+#include <mem/minerva.h>
+#include <sec/se.h>
+#include <sec/se_t210.h>
+
+#include <string.h>
+
+extern hekate_config h_cfg;
+
+bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair) {
+    if (byte_swap_32(keypair->public_exponent) != RSA_PUBLIC_EXPONENT)
+        return false;
+    return test_rsa_keypair(&keypair->public_exponent, keypair->private_exponent, keypair->modulus);
+}
+
+void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation, bool is_dev) {
+    if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
+        return;
+    }
+
+    const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | IS_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option);
+}
+
+void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    const u32 generation = 0;
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, eticket_rsa_kek_source_legacy, generation, option);
+}
+
+void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    const void *kek_source = is_dev ? eticket_rsa_kek_source_dev : eticket_rsa_kek_source;
+    const u32 generation = 0;
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_ES_DEVICE_KEY) | NOT_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, eticket_rsa_kekek_source, kek_source, generation, option);
+}
+
+bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev) {
+    if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) {
+        return false;
+    }
+
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer;
+    u32 generation = 0;
+    const void *encrypted_key = NULL;
+    const void *iv = NULL;
+    u32 key_size = 0;
+    void *ctr_key = NULL;
+
+    if (!cal0_get_eticket_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
+        return false;
+    }
+
+    // Handle legacy case
+    if (key_size == ETICKET_RSA_KEYPAIR_SIZE) {
+        u32 temp_key[SE_KEY_128_SIZE / 4] = {0};
+        es_derive_rsa_kek_legacy(keys, temp_key);
+        ctr_key = temp_key;
+
+        se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
+        se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
+
+        if (test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
+            memcpy(keys->eticket_rsa_kek, ctr_key, sizeof(keys->eticket_rsa_kek));
+            return true;
+        }
+        // Fall through and try usual method if not applicable
+    }
+
+    if (generation) {
+        es_derive_rsa_kek_device_unique(keys, keys->eticket_rsa_kek_personalized, generation, is_dev);
+        ctr_key = keys->eticket_rsa_kek_personalized;
+    } else {
+        ctr_key = keys->eticket_rsa_kek;
+    }
+
+    se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, &keys->eticket_rsa_keypair, sizeof(keys->eticket_rsa_keypair), encrypted_key, sizeof(keys->eticket_rsa_keypair), iv);
+
+    if (!test_eticket_rsa_keypair(&keys->eticket_rsa_keypair)) {
+        EPRINTF("Invalid eticket keypair.");
+        memset(&keys->eticket_rsa_keypair, 0, sizeof(keys->eticket_rsa_keypair));
+        return false;
+    }
+
+    return true;
+}
+
+void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized) {
+    ticket_t *curr_ticket = (ticket_t *)titlekey_buffer->read_buffer;
+    for (u32 i = 0; i < MIN(buf_size / sizeof(ticket_t), remaining) * sizeof(ticket_t) && curr_ticket->signature_type != 0; i += sizeof(ticket_t), curr_ticket++) {
+        minerva_periodic_training();
+        *pct = (total - remaining) * 100 / total;
+        if (*pct > *last_pct && *pct <= 100) {
+            *last_pct = *pct;
+            tui_pbar(x, y, *pct, COLOR_GREEN, 0xFF155500);
+        }
+
+        // This is in case an encrypted volatile ticket is left behind
+        if (curr_ticket->signature_type != TICKET_SIG_TYPE_RSA2048_SHA256)
+            continue;
+
+        u8 *curr_titlekey = curr_ticket->titlekey_block;
+        const u32 block_size = SE_RSA2048_DIGEST_SIZE;
+        const u32 titlekey_size = sizeof(titlekey_buffer->titlekeys[0]);
+        if (is_personalized) {
+            se_rsa_exp_mod(0, curr_titlekey, block_size, curr_titlekey, block_size);
+            if (rsa_oaep_decode(curr_titlekey, titlekey_size, null_hash, sizeof(null_hash), curr_titlekey, block_size) != titlekey_size)
+                continue;
+        }
+        memcpy(titlekey_buffer->rights_ids[*titlekey_count], curr_ticket->rights_id, sizeof(titlekey_buffer->rights_ids[0]));
+        memcpy(titlekey_buffer->titlekeys[*titlekey_count], curr_titlekey, titlekey_size);
+        (*titlekey_count)++;
+    }
+}

source/keys/es_crypto.h

@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _ES_CRYPTO_H_
+#define _ES_CRYPTO_H_
+
+#include "crypto.h"
+#include "es_types.h"
+
+#include <sec/se_t210.h>
+#include <utils/types.h>
+
+#define ETICKET_RSA_KEYPAIR_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE * 2 + SE_KEY_128_SIZE)
+
+#define TICKET_SIG_TYPE_RSA2048_SHA256 0x10004
+
+static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
+    0xDB, 0xA4, 0x51, 0x12, 0x4C, 0xA0, 0xA9, 0x83, 0x68, 0x14, 0xF5, 0xED, 0x95, 0xE3, 0x12, 0x5B};
+static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
+    0xBE, 0xC0, 0xBC, 0x8E, 0x75, 0xA0, 0xF6, 0x0C, 0x4A, 0x56, 0x64, 0x02, 0x3E, 0xD4, 0x9C, 0xD5};
+static const u8 eticket_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
+    0x88, 0x87, 0x50, 0x90, 0xA6, 0x2F, 0x75, 0x70, 0xA2, 0xD7, 0x71, 0x51, 0xAE, 0x6D, 0x39, 0x87};
+static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
+    0x46, 0x6E, 0x57, 0xB7, 0x4A, 0x44, 0x7F, 0x02, 0xF3, 0x21, 0xCD, 0xE5, 0x8F, 0x2F, 0x55, 0x35};
+
+bool test_eticket_rsa_keypair(const eticket_rsa_keypair_t *keypair);
+
+void es_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation, bool is_dev);
+void es_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
+void es_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
+
+bool decrypt_eticket_rsa_key(key_storage_t *keys, void *buffer, bool is_dev);
+
+void es_decode_tickets(u32 buf_size, titlekey_buffer_t *titlekey_buffer, u32 remaining, u32 total, u32 *titlekey_count, u32 x, u32 y, u32 *pct, u32 *last_pct, bool is_personalized);
+
+#endif

source/keys/es_types.h

@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _ES_TYPES_H_
+#define _ES_TYPES_H_
+
+#include <sec/se_t210.h>
+#include <utils/types.h>
+
+typedef struct {
+    u8 private_exponent[SE_RSA2048_DIGEST_SIZE];
+    u8 modulus[SE_RSA2048_DIGEST_SIZE];
+    u32 public_exponent;
+    u8 reserved[0xC];
+} eticket_rsa_keypair_t;
+
+// only tickets of type Rsa2048Sha256 are expected
+typedef struct {
+    u32 signature_type; // always 0x10004
+    u8 signature[SE_RSA2048_DIGEST_SIZE];
+    u8 sig_padding[0x3C];
+    char issuer[0x40];
+    u8 titlekey_block[SE_RSA2048_DIGEST_SIZE];
+    u8 format_version;
+    u8 titlekey_type;
+    u16 ticket_version;
+    u8 license_type;
+    u8 common_key_id;
+    u16 property_mask;
+    u64 reserved;
+    u64 ticket_id;
+    u64 device_id;
+    u8 rights_id[0x10];
+    u32 account_id;
+    u32 sect_total_size;
+    u32 sect_hdr_offset;
+    u16 sect_hdr_count;
+    u16 sect_hdr_entry_size;
+    u8 padding[0x140];
+} ticket_t;
+
+typedef struct {
+    u8 rights_id[0x10];
+    u64 ticket_id;
+    u32 account_id;
+    u16 property_mask;
+    u16 reserved;
+} ticket_record_t;
+
+typedef struct {
+    u8 read_buffer[SZ_256K];
+    u8 rights_ids[SZ_256K / 0x10][0x10];
+    u8 titlekeys[SZ_256K / 0x10][0x10];
+} titlekey_buffer_t;
+
+typedef struct {
+    char rights_id[0x20];
+    char equals[3];
+    char titlekey[0x20];
+    char newline[1];
+} titlekey_text_buffer_t;
+
+#endif

source/keys/fs_crypto.c

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fs_crypto.h"
+
+#include "../config.h"
+#include <sec/se_t210.h>
+
+#include <string.h>
+
+extern hekate_config h_cfg;
+
+void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation) {
+    if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
+        return;
+    }
+
+    generate_specific_aes_key(KS_AES_ECB, keys, out_bis_keys[0], bis_key_sources[0], generation);
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    const u32 option = IS_DEVICE_UNIQUE;
+    generate_aes_kek(KS_AES_ECB, keys, access_key, bis_kek_source, generation, option);
+    generate_aes_key(KS_AES_ECB, keys, out_bis_keys[1], sizeof(bis_key_sources[1]), access_key, bis_key_sources[1]);
+    generate_aes_key(KS_AES_ECB, keys, out_bis_keys[2], sizeof(bis_key_sources[2]), access_key, bis_key_sources[2]);
+    memcpy(out_bis_keys[3], out_bis_keys[2], sizeof(bis_key_sources[2]));
+}
+
+void fs_derive_header_key(key_storage_t *keys, void *out_key) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    const u32 generation = 0;
+    const u32 option = NOT_DEVICE_UNIQUE;
+    generate_aes_kek(KS_AES_ECB, keys, access_key, header_kek_source, generation, option);
+    generate_aes_key(KS_AES_ECB, keys, out_key, sizeof(header_key_source), access_key, header_key_source);
+}
+
+void fs_derive_key_area_key(key_storage_t *keys, void *out_key, u32 source_type, u32 generation) {
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    const u32 option = NOT_DEVICE_UNIQUE;
+    generate_aes_kek(KS_AES_ECB, keys, access_key, key_area_key_sources[source_type], generation + 1, option);
+    load_aes_key(KS_AES_ECB, out_key, access_key, aes_key_generation_source);
+}
+
+void fs_derive_save_mac_key(key_storage_t *keys, void *out_key) {
+    if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
+        return;
+    }
+
+    u32 access_key[SE_KEY_128_SIZE / 4] = {0};
+    const u32 generation = 0;
+    const u32 option = IS_DEVICE_UNIQUE;
+    generate_aes_kek(KS_AES_ECB, keys, access_key, save_mac_kek_source, generation, option);
+    load_aes_key(KS_AES_ECB, out_key, access_key, save_mac_key_source);
+}

source/keys/fs_crypto.h

@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _FS_CRYPTO_H_
+#define _FS_CRYPTO_H_
+
+#include "crypto.h"
+
+#include <utils/types.h>
+
+static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
+static const u8 bis_key_sources[3][0x20] __attribute__((aligned(4))) = {
+    {0xF8, 0x3F, 0x38, 0x6E, 0x2C, 0xD2, 0xCA, 0x32, 0xA8, 0x9A, 0xB9, 0xAA, 0x29, 0xBF, 0xC7, 0x48,
+     0x7D, 0x92, 0xB0, 0x3A, 0xA8, 0xBF, 0xDE, 0xE1, 0xA7, 0x4C, 0x3B, 0x6E, 0x35, 0xCB, 0x71, 0x06},
+    {0x41, 0x00, 0x30, 0x49, 0xDD, 0xCC, 0xC0, 0x65, 0x64, 0x7A, 0x7E, 0xB4, 0x1E, 0xED, 0x9C, 0x5F,
+     0x44, 0x42, 0x4E, 0xDA, 0xB4, 0x9D, 0xFC, 0xD9, 0x87, 0x77, 0x24, 0x9A, 0xDC, 0x9F, 0x7C, 0xA4},
+    {0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C,
+     0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4}
+};
+
+static const u8 header_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x1F, 0x12, 0x91, 0x3A, 0x4A, 0xCB, 0xF0, 0x0D, 0x4C, 0xDE, 0x3A, 0xF6, 0xD5, 0x23, 0x88, 0x2A};
+static const u8 header_key_source[0x20] __attribute__((aligned(4))) = {
+    0x5A, 0x3E, 0xD8, 0x4F, 0xDE, 0xC0, 0xD8, 0x26, 0x31, 0xF7, 0xE2, 0x5D, 0x19, 0x7B, 0xF5, 0xD0,
+    0x1C, 0x9B, 0x7B, 0xFA, 0xF6, 0x28, 0x18, 0x3D, 0x71, 0xF6, 0x4D, 0x73, 0xF1, 0x50, 0xB9, 0xD2};
+
+static const u8 key_area_key_sources[3][0x10] __attribute__((aligned(4))) = {
+    {0x7F, 0x59, 0x97, 0x1E, 0x62, 0x9F, 0x36, 0xA1, 0x30, 0x98, 0x06, 0x6F, 0x21, 0x44, 0xC3, 0x0D}, // application
+    {0x32, 0x7D, 0x36, 0x08, 0x5A, 0xD1, 0x75, 0x8D, 0xAB, 0x4E, 0x6F, 0xBA, 0xA5, 0x55, 0xD8, 0x82}, // ocean
+    {0x87, 0x45, 0xF1, 0xBB, 0xA6, 0xBE, 0x79, 0x64, 0x7D, 0x04, 0x8B, 0xA6, 0x7B, 0x5F, 0xDA, 0x4A}, // system
+};
+
+static const u8 save_mac_kek_source[0x10] __attribute__((aligned(4))) = {
+    0xD8, 0x9C, 0x23, 0x6E, 0xC9, 0x12, 0x4E, 0x43, 0xC8, 0x2B, 0x03, 0x87, 0x43, 0xF9, 0xCF, 0x1B};
+static const u8 save_mac_key_source[0x10] __attribute__((aligned(4))) = {
+    0xE4, 0xCD, 0x3D, 0x4A, 0xD5, 0x0F, 0x74, 0x28, 0x45, 0xA4, 0x87, 0xE5, 0xA0, 0x63, 0xEA, 0x1F};
+
+static const u8 save_mac_sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x04, 0x89, 0xEF, 0x5D, 0x32, 0x6E, 0x1A, 0x59, 0xC4, 0xB7, 0xAB, 0x8C, 0x36, 0x7A, 0xAB, 0x17};
+static const u8 save_mac_sd_card_key_source[0x10] __attribute__((aligned(4))) = {
+    0x6F, 0x64, 0x59, 0x47, 0xC5, 0x61, 0x46, 0xF9, 0xFF, 0xA0, 0x45, 0xD5, 0x95, 0x33, 0x29, 0x18};
+
+static const u8 sd_card_custom_storage_key_source[0x20] __attribute__((aligned(4))) = {
+    0x37, 0x0C, 0x34, 0x5E, 0x12, 0xE4, 0xCE, 0xFE, 0x21, 0xB5, 0x8E, 0x64, 0xDB, 0x52, 0xAF, 0x35,
+    0x4F, 0x2C, 0xA5, 0xA3, 0xFC, 0x99, 0x9A, 0x47, 0xC0, 0x3E, 0xE0, 0x04, 0x48, 0x5B, 0x2F, 0xD0};
+static const u8 sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x88, 0x35, 0x8D, 0x9C, 0x62, 0x9B, 0xA1, 0xA0, 0x01, 0x47, 0xDB, 0xE0, 0x62, 0x1B, 0x54, 0x32};
+static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = {
+    0x58, 0x41, 0xA2, 0x84, 0x93, 0x5B, 0x56, 0x27, 0x8B, 0x8E, 0x1F, 0xC5, 0x18, 0xE9, 0x9F, 0x2B,
+    0x67, 0xC7, 0x93, 0xF0, 0xF2, 0x4F, 0xDE, 0xD0, 0x75, 0x49, 0x5D, 0xCA, 0x00, 0x6D, 0x99, 0xC2};
+static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = {
+    0x24, 0x49, 0xB7, 0x22, 0x72, 0x67, 0x03, 0xA8, 0x19, 0x65, 0xE6, 0xE3, 0xEA, 0x58, 0x2F, 0xDD,
+    0x9A, 0x95, 0x15, 0x17, 0xB1, 0x6E, 0x8F, 0x7F, 0x1F, 0x68, 0x26, 0x31, 0x52, 0xEA, 0x29, 0x6A};
+
+void fs_derive_bis_keys(key_storage_t *keys, u8 out_bis_keys[4][32], u32 generation);
+void fs_derive_header_key(key_storage_t *keys, void *out_key);
+void fs_derive_key_area_key(key_storage_t *keys, void *out_key, u32 source_type, u32 generation);
+void fs_derive_save_mac_key(key_storage_t *keys, void *out_key);
+
+#endif

source/keys/gmac.c

@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2018-2020 Atmosphère-NX
+ * Copyright (c) 2019-2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "gmac.h"
+
+#include <sec/se.h>
+#include <sec/se_t210.h>
+
+#include <stdint.h>
+#include <string.h>
+
+/* Shifts right a little endian 128-bit value. */
+static void _shr_128(uint64_t *val) {
+    val[0] >>= 1;
+    val[0] |= (val[1] & 1) << 63;
+    val[1] >>= 1;
+}
+
+/* Shifts left a little endian 128-bit value. */
+static void _shl_128(uint64_t *val) {
+    val[1] <<= 1;
+    val[1] |= (val[0] & (1ull << 63)) >> 63;
+    val[0] <<= 1;
+}
+
+/* Multiplies two 128-bit numbers X,Y in the GF(128) Galois Field. */
+static void _gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) {
+    uint8_t x_work[0x10];
+    uint8_t y_work[0x10];
+    uint8_t dst_work[0x10];
+
+    uint64_t *p_x = (uint64_t *)(&x_work[0]);
+    uint64_t *p_y = (uint64_t *)(&y_work[0]);
+    uint64_t *p_dst = (uint64_t *)(&dst_work[0]);
+
+    /* Initialize buffers. */
+    for (unsigned int i = 0; i < 0x10; i++) {
+        x_work[i] = x[0xF-i];
+        y_work[i] = y[0xF-i];
+        dst_work[i] = 0;
+    }
+
+    /* Perform operation for each bit in y. */
+    for (unsigned int round = 0; round < 0x80; round++) {
+        p_dst[0] ^= p_x[0] * ((y_work[0xF] & 0x80) >> 7);
+        p_dst[1] ^= p_x[1] * ((y_work[0xF] & 0x80) >> 7);
+        _shl_128(p_y);
+        uint8_t xval = 0xE1 * (x_work[0] & 1);
+        _shr_128(p_x);
+        x_work[0xF] ^= xval;
+    }
+
+    for (unsigned int i = 0; i < 0x10; i++) {
+        dst[i] = dst_work[0xF-i];
+    }
+}
+
+static void _ghash(u32 ks, void *dst, const void *src, u32 src_size, const void *j_block, bool encrypt) {
+    uint8_t x[0x10] = {0};
+    uint8_t h[0x10];
+
+    uint64_t *p_x = (uint64_t *)(&x[0]);
+    uint64_t *p_data = (uint64_t *)src;
+
+    /* H = aes_ecb_encrypt(zeroes) */
+    se_aes_crypt_block_ecb(ks, ENCRYPT, h, x);
+
+    u64 total_size = src_size;
+
+    while (src_size >= 0x10) {
+        /* X = (X ^ current_block) * H */
+        p_x[0] ^= p_data[0];
+        p_x[1] ^= p_data[1];
+        _gf128_mul(x, x, h);
+
+        /* Increment p_data by 0x10 bytes. */
+        p_data += 2;
+        src_size -= 0x10;
+    }
+
+    /* Nintendo's code *discards all data in the last block* if unaligned. */
+    /* And treats that block as though it were all-zero. */
+    /* This is a bug, they just forget to XOR with the copy of the last block they save. */
+    if (src_size & 0xF) {
+        _gf128_mul(x, x, h);
+    }
+
+    uint64_t xor_size = total_size << 3;
+    xor_size = __builtin_bswap64(xor_size);
+
+    /* Due to a Nintendo bug, the wrong QWORD gets XOR'd in the "final output block" case. */
+    if (encrypt) {
+        p_x[0] ^= xor_size;
+    } else {
+        p_x[1] ^= xor_size;
+    }
+
+    _gf128_mul(x, x, h);
+
+    /* If final output block, XOR with encrypted J block. */
+    if (encrypt) {
+        se_aes_crypt_block_ecb(ks, ENCRYPT, h, j_block);
+        for (unsigned int i = 0; i < 0x10; i++) {
+            x[i] ^= h[i];
+        }
+    }
+    /* Copy output. */
+    memcpy(dst, x, 0x10);
+}
+
+void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv) {
+    u32 j_block[4] = {0};
+    se_aes_key_set(ks, key, 0x10);
+    _ghash(ks, j_block, iv, 0x10, NULL, false);
+    _ghash(ks, out_gmac, data, size, j_block, true);
+}

source/keys/gmac.h

@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _GMAC_H_
+#define _GMAC_H_
+
+#include <utils/types.h>
+
+void calc_gmac(u32 ks, void *out_gmac, const void *data, u32 size, const void *key, const void *iv);
+
+#endif

source/keys/key_sources.inl

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2021 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -14,21 +14,6 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-// Sha256 hash of the null string.
-static const u8 null_hash[0x20] __attribute__((aligned(4))) = {
-    0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 0x99, 0x6F, 0xB9, 0x24,
-    0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55};
-
-static const u8 keyblob_key_sources[][0x10] __attribute__((aligned(4))) = {
-    {0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3}, //1.0.0
-    {0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC}, //3.0.0
-    {0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B}, //3.0.1
-    {0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE}, //4.0.0
-    {0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80}, //5.0.0
-    {0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0}  //6.0.0
-};
-
-//!TODO: Update on mkey changes.
 static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_620 + 1][0x10] __attribute__((aligned(4))) = {
     {0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, //6.2.0
     {0x9A, 0x3E, 0xA9, 0xAB, 0xFD, 0x56, 0x46, 0x1C, 0x9B, 0xF6, 0x48, 0x7F, 0x5C, 0xFA, 0x09, 0x5C}, //7.0.0
@@ -38,9 +23,10 @@ static const u8 master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION
     {0x84, 0x67, 0xB6, 0x7F, 0x13, 0x11, 0xAE, 0xE6, 0x58, 0x9B, 0x19, 0xAF, 0x13, 0x6C, 0x80, 0x7A}, //12.1.0
     {0x68, 0x3B, 0xCA, 0x54, 0xB8, 0x6F, 0x92, 0x48, 0xC3, 0x05, 0x76, 0x87, 0x88, 0x70, 0x79, 0x23}, //13.0.0
     {0xF0, 0x13, 0x37, 0x9A, 0xD5, 0x63, 0x51, 0xC3, 0xB4, 0x96, 0x35, 0xBC, 0x9C, 0xE8, 0x76, 0x81}, //14.0.0
-};
+    {0x6E, 0x77, 0x86, 0xAC, 0x83, 0x0A, 0x8D, 0x3E, 0x7D, 0xB7, 0x66, 0xA0, 0x22, 0xB7, 0x6E, 0x67}, //15.0.0
+    {0x99, 0x22, 0x09, 0x57, 0xA7, 0xF9, 0x5E, 0x94, 0xFE, 0x78, 0x7F, 0x41, 0xD6, 0xE7, 0x56, 0xE6}, //16.0.0
+}; //!TODO: Update on mkey changes.
 
-//!TODO: Update on mkey changes.
 static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = {
     {0x0C, 0xF0, 0x59, 0xAC, 0x85, 0xF6, 0x26, 0x65, 0xE1, 0xE9, 0x19, 0x55, 0xE6, 0xF2, 0x67, 0x3D}, /* Zeroes encrypted with Master Key 00. */
     {0x29, 0x4C, 0x04, 0xC8, 0xEB, 0x10, 0xED, 0x9D, 0x51, 0x64, 0x97, 0xFB, 0xF3, 0x4D, 0x50, 0xDD}, /* Master key 00 encrypted with Master key 01. */
@@ -56,9 +42,10 @@ static const u8 master_key_vectors[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribut
     {0xC1, 0x8D, 0x16, 0xBB, 0x2A, 0xE4, 0x1D, 0xD4, 0xC2, 0xC1, 0xB6, 0x40, 0x94, 0x35, 0x63, 0x98}, /* Master key 0A encrypted with Master key 0B. */
     {0xA3, 0x24, 0x65, 0x75, 0xEA, 0xCC, 0x6E, 0x8D, 0xFB, 0x5A, 0x16, 0x50, 0x74, 0xD2, 0x15, 0x06}, /* Master key 0B encrypted with Master key 0C. */
     {0x83, 0x67, 0xAF, 0x01, 0xCF, 0x93, 0xA1, 0xAB, 0x80, 0x45, 0xF7, 0x3F, 0x72, 0xFD, 0x3B, 0x38}, /* Master key 0C encrypted with Master key 0D. */
-};
+    {0xB1, 0x81, 0xA6, 0x0D, 0x72, 0xC7, 0xEE, 0x15, 0x21, 0xF3, 0xC0, 0xB5, 0x6B, 0x61, 0x6D, 0xE7}, /* Master key 0D encrypted with Master key 0E. */
+    {0xAF, 0x11, 0x4C, 0x67, 0x17, 0x7A, 0x52, 0x43, 0xF7, 0x70, 0x2F, 0xC7, 0xEF, 0x81, 0x72, 0x16}, /* Master key 0E encrypted with Master key 0F. */
+}; //!TODO: Update on mkey changes.
 
-//!TODO: Update on mkey changes.
 static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attribute__((aligned(4))) = {
     {0x46, 0x22, 0xB4, 0x51, 0x9A, 0x7E, 0xA7, 0x7F, 0x62, 0xA1, 0x1F, 0x8F, 0xC5, 0x3A, 0xDB, 0xFE}, /* Zeroes encrypted with Master Key 00. */
     {0x39, 0x33, 0xF9, 0x31, 0xBA, 0xE4, 0xA7, 0x21, 0x2C, 0xDD, 0xB7, 0xD8, 0xB4, 0x4E, 0x37, 0x23}, /* Master key 00 encrypted with Master key 01. */
@@ -74,7 +61,9 @@ static const u8 master_key_vectors_dev[KB_FIRMWARE_VERSION_MAX + 1][0x10] __attr
     {0x21, 0x88, 0x6B, 0x10, 0x9E, 0x83, 0xD6, 0x52, 0xAB, 0x08, 0xDB, 0x6D, 0x39, 0xFF, 0x1C, 0x9C}, /* Master key 0A encrypted with Master key 0B. */
     {0x8A, 0xCE, 0xC4, 0x7F, 0xBE, 0x08, 0x61, 0x88, 0xD3, 0x73, 0x64, 0x51, 0xE2, 0xB6, 0x53, 0x15}, /* Master key 0B encrypted with Master key 0C. */
     {0x08, 0xE0, 0xF4, 0xBE, 0xAA, 0x6E, 0x5A, 0xC3, 0xA6, 0xBC, 0xFE, 0xB9, 0xE2, 0xA3, 0x24, 0x12}, /* Master key 0C encrypted with Master key 0D. */
-};
+    {0xD6, 0x80, 0x98, 0xC0, 0xFA, 0xC7, 0x13, 0xCB, 0x93, 0xD2, 0x0B, 0x82, 0x4C, 0xA1, 0x7B, 0x8D}, /* Master key 0D encrypted with Master key 0E. */
+    {0x78, 0x66, 0x19, 0xBD, 0x86, 0xE7, 0xC1, 0x09, 0x9B, 0x6F, 0x92, 0xB2, 0x58, 0x7D, 0xCF, 0x26}, /* Master key 0E encrypted with Master key 0F. */
+}; //!TODO: Update on mkey changes.
 
 static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
     {0x20, 0x9E, 0x97, 0xAE, 0xAF, 0x7E, 0x6A, 0xF6, 0x9E, 0xF5, 0xA7, 0x17, 0x2F, 0xF4, 0x49, 0xA6}, /* Zeroes encrypted with AES Class Key 00. */
@@ -93,32 +82,22 @@ static const u8 mariko_key_vectors[][0x10] __attribute__((aligned(4))) = {
     {0x95, 0x48, 0xC1, 0x59, 0x0F, 0x84, 0x19, 0xC4, 0xAB, 0x69, 0x05, 0x88, 0x01, 0x31, 0x52, 0x59}, /* Zeroes encrypted with Mariko BEK. */
 };
 
-//======================================Keys======================================//
-// from Package1 -> Secure_Monitor
-static const u8 aes_kek_generation_source[0x10] __attribute__((aligned(4))) = {
-    0x4D, 0x87, 0x09, 0x86, 0xC4, 0x5D, 0x20, 0x72, 0x2F, 0xBA, 0x10, 0x53, 0xDA, 0x92, 0xE8, 0xA9};
-static const u8 aes_seal_key_mask_decrypt_device_unique_data[0x10] __attribute__((aligned(4))) = {
-    0xA2, 0xAB, 0xBF, 0x9C, 0x92, 0x2F, 0xBB, 0xE3, 0x78, 0x79, 0x9B, 0xC0, 0xCC, 0xEA, 0xA5, 0x74};
-static const u8 aes_seal_key_mask_import_es_device_key[0x10] __attribute__((aligned(4))) = {
-    0xE5, 0x4D, 0x9A, 0x02, 0xF0, 0x4F, 0x5F, 0xA8, 0xAD, 0x76, 0x0A, 0xF6, 0x32, 0x95, 0x59, 0xBB};
 static const u8 package2_key_source[0x10] __attribute__((aligned(4))) = {
     0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7};
 static const u8 titlekek_source[0x10] __attribute__((aligned(4))) = {
     0x1E, 0xDC, 0x7B, 0x3B, 0x60, 0xE6, 0xB4, 0xD8, 0x78, 0xB8, 0x17, 0x15, 0x98, 0x5E, 0x62, 0x9B};
-static const u8 retail_specific_aes_key_source[0x10] __attribute__((aligned(4))) = {
-    0xE2, 0xD6, 0xB8, 0x7A, 0x11, 0x9C, 0xB8, 0x80, 0xE8, 0x22, 0x88, 0x8A, 0x46, 0xFB, 0xA1, 0x95};
-static const u8 secure_data_source[0x10] __attribute__((aligned(4))) = {
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
-static const u8 secure_data_counters[1][0x10] __attribute__((aligned(4))) = {
-    {0x3C, 0xD5, 0x92, 0xEC, 0x68, 0x31, 0x4A, 0x06, 0xD4, 0x1B, 0x0C, 0xD9, 0xF6, 0x2E, 0xD9, 0xE9}
-};
-static const u8 secure_data_tweaks[1][0x10] __attribute__((aligned(4))) = {
-    {0xAC, 0xCA, 0x9A, 0xCA, 0xFF, 0x2E, 0xB9, 0x22, 0xCC, 0x1F, 0x4F, 0xAD, 0xDD, 0x77, 0x21, 0x1E}
-};
 
-// from Package1ldr (or Secure_Monitor on 6.2.0+)
+static const u8 keyblob_key_sources[][0x10] __attribute__((aligned(4))) = {
+    {0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3}, //1.0.0
+    {0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC}, //3.0.0
+    {0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B}, //3.0.1
+    {0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE}, //4.0.0
+    {0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80}, //5.0.0
+    {0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0}  //6.0.0
+};
 static const u8 keyblob_mac_key_source[0x10] __attribute__((aligned(4))) = {
     0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5};
+
 static const u8 master_key_source[0x10] __attribute__((aligned(4))) = {
     0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C};
 static const u8 per_console_key_source[0x10] __attribute__((aligned(4))) = {
@@ -135,6 +114,8 @@ static const u8 mariko_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_
     {0xE5, 0x41, 0xAC, 0xEC, 0xD1, 0xA7, 0xD1, 0xAB, 0xED, 0x03, 0x77, 0xF1, 0x27, 0xCA, 0xF8, 0xF1}, // 12.1.0.
     {0x52, 0x71, 0x9B, 0xDF, 0xA7, 0x8B, 0x61, 0xD8, 0xD5, 0x85, 0x11, 0xE4, 0x8E, 0x4F, 0x74, 0xC6}, // 13.0.0.
     {0xD2, 0x68, 0xC6, 0x53, 0x9D, 0x94, 0xF9, 0xA8, 0xA5, 0xA8, 0xA7, 0xC8, 0x8F, 0x53, 0x4B, 0x7A}, // 14.0.0.
+    {0xEC, 0x61, 0xBC, 0x82, 0x1E, 0x0F, 0x5A, 0xC3, 0x2B, 0x64, 0x3F, 0x9D, 0xD6, 0x19, 0x22, 0x2D}, // 15.0.0.
+    {0xA5, 0xEC, 0x16, 0x39, 0x1A, 0x30, 0x16, 0x08, 0x2E, 0xCF, 0x09, 0x6F, 0x5E, 0x7C, 0xEE, 0xA9}, // 16.0.0.
 }; //!TODO: Update on mkey changes.
 static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_600 + 1][0x10] __attribute__((aligned(4))) = {
     {0x32, 0xC0, 0x97, 0x6B, 0x63, 0x6D, 0x44, 0x64, 0xF2, 0x3A, 0xA5, 0xC0, 0xDE, 0x46, 0xCC, 0xE9}, // 6.0.0.
@@ -146,137 +127,6 @@ static const u8 mariko_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMW
     {0x75, 0x2D, 0x2E, 0xF3, 0x2F, 0x3F, 0xFE, 0x65, 0xF4, 0xA9, 0x83, 0xB4, 0xED, 0x42, 0x63, 0xBA}, // 12.1.0.
     {0x4D, 0x5A, 0xB2, 0xC9, 0xE9, 0xE4, 0x4E, 0xA4, 0xD3, 0xBF, 0x94, 0x12, 0x36, 0x30, 0xD0, 0x7F}, // 13.0.0.
     {0xEC, 0x5E, 0xB5, 0x11, 0xD5, 0x43, 0x1E, 0x6A, 0x4E, 0x54, 0x6F, 0xD4, 0xD3, 0x22, 0xCE, 0x87}, // 14.0.0.
+    {0x18, 0xA5, 0x6F, 0xEF, 0x72, 0x11, 0x62, 0xC5, 0x1A, 0x14, 0xF1, 0x8C, 0x21, 0x83, 0x27, 0xB7}, // 15.0.0.
+    {0x3A, 0x9C, 0xF0, 0x39, 0x70, 0x23, 0xF6, 0xAF, 0x71, 0x44, 0x60, 0xF4, 0x6D, 0xED, 0xA1, 0xD6}, // 16.0.0.
 }; //!TODO: Update on mkey changes.
-
-static const u8 device_master_key_source_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
-    {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.0.0  Device Master Key Source Source. */
-    {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.0.0  Device Master Key Source Source. */
-    {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.0.0  Device Master Key Source Source. */
-    {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}, /* 6.2.0  Device Master Key Source Source. */
-    {0x8F, 0x77, 0x5A, 0x96, 0xB0, 0x94, 0xFD, 0x8D, 0x28, 0xE4, 0x19, 0xC8, 0x16, 0x1C, 0xDB, 0x3D}, /* 7.0.0  Device Master Key Source Source. */
-    {0x67, 0x62, 0xD4, 0x8E, 0x55, 0xCF, 0xFF, 0x41, 0x31, 0x15, 0x3B, 0x24, 0x0C, 0x7C, 0x07, 0xAE}, /* 8.1.0  Device Master Key Source Source. */
-    {0x4A, 0xC3, 0x4E, 0x14, 0x8B, 0x96, 0x4A, 0xD5, 0xD4, 0x99, 0x73, 0xC4, 0x45, 0xAB, 0x8B, 0x49}, /* 9.0.0  Device Master Key Source Source. */
-    {0x14, 0xB8, 0x74, 0x12, 0xCB, 0xBD, 0x0B, 0x8F, 0x20, 0xFB, 0x30, 0xDA, 0x27, 0xE4, 0x58, 0x94}, /* 9.1.0  Device Master Key Source Source. */
-    {0xAA, 0xFD, 0xBC, 0xBB, 0x25, 0xC3, 0xA4, 0xEF, 0xE3, 0xEE, 0x58, 0x53, 0xB7, 0xF8, 0xDD, 0xD6}, /* 12.1.0 Device Master Key Source Source. */
-    {0xE4, 0xF3, 0x45, 0x6F, 0x18, 0xA1, 0x89, 0xF8, 0xDA, 0x4C, 0x64, 0x75, 0x68, 0xE6, 0xBD, 0x4F}, /* 13.0.0 Device Master Key Source Source. */
-    {0x5B, 0x94, 0x63, 0xF7, 0xAD, 0x96, 0x1B, 0xA6, 0x23, 0x30, 0x06, 0x4D, 0x01, 0xE4, 0xCE, 0x1D}, /* 14.0.0 Device Master Key Source Source. */ 
-}; //!TODO: Update on mkey changes.
-
-// from ES
-static const u8 eticket_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
-    0XDB, 0XA4, 0X51, 0X12, 0X4C, 0XA0, 0XA9, 0X83, 0X68, 0X14, 0XF5, 0XED, 0X95, 0XE3, 0X12, 0X5B};
-static const u8 eticket_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
-    0xBE, 0xC0, 0xBC, 0x8E, 0x75, 0xA0, 0xF6, 0x0C, 0x4A, 0x56, 0x64, 0x02, 0x3E, 0xD4, 0x9C, 0xD5};
-static const u8 eticket_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
-    0x88, 0x87, 0x50, 0x90, 0xA6, 0x2F, 0x75, 0x70, 0xA2, 0xD7, 0x71, 0x51, 0xAE, 0x6D, 0x39, 0x87};
-static const u8 eticket_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
-    0X46, 0X6E, 0X57, 0XB7, 0X4A, 0X44, 0X7F, 0X02, 0XF3, 0X21, 0XCD, 0XE5, 0X8F, 0X2F, 0X55, 0X35};
-
-// from SSL
-static const u8 ssl_rsa_kek_source_x[0x10] __attribute__((aligned(4))) = {
-    0X7F, 0X5B, 0XB0, 0X84, 0X7B, 0X25, 0XAA, 0X67, 0XFA, 0XC8, 0X4B, 0XE2, 0X3D, 0X7B, 0X69, 0X03};
-static const u8 ssl_rsa_kek_source_y[0x10] __attribute__((aligned(4))) = {
-    0X9A, 0X38, 0X3B, 0XF4, 0X31, 0XD0, 0XBD, 0X81, 0X32, 0X53, 0X4B, 0XA9, 0X64, 0X39, 0X7D, 0XE3};
-
-static const u8 device_master_kek_sources[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
-    {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.0.0  Device Master Kek Source. */
-    {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.0.0  Device Master Kek Source. */
-    {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.0.0  Device Master Kek Source. */
-    {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}, /* 6.2.0  Device Master Kek Source. */
-    {0x86, 0x61, 0xB0, 0x16, 0xFA, 0x7A, 0x9A, 0xEA, 0xF6, 0xF5, 0xBE, 0x1A, 0x13, 0x5B, 0x6D, 0x9E}, /* 7.0.0  Device Master Kek Source. */
-    {0xA6, 0x81, 0x71, 0xE7, 0xB5, 0x23, 0x74, 0xB0, 0x39, 0x8C, 0xB7, 0xFF, 0xA0, 0x62, 0x9F, 0x8D}, /* 8.1.0  Device Master Kek Source. */
-    {0x03, 0xE7, 0xEB, 0x43, 0x1B, 0xCF, 0x5F, 0xB5, 0xED, 0xDC, 0x97, 0xAE, 0x21, 0x8D, 0x19, 0xED}, /* 9.0.0  Device Master Kek Source. */
-    {0xCE, 0xFE, 0x41, 0x0F, 0x46, 0x9A, 0x30, 0xD6, 0xF2, 0xE9, 0x0C, 0x6B, 0xB7, 0x15, 0x91, 0x36}, /* 9.1.0  Device Master Kek Source. */
-    {0xC2, 0x65, 0x34, 0x6E, 0xC7, 0xC6, 0x5D, 0x97, 0x3E, 0x34, 0x5C, 0x6B, 0xB3, 0x7E, 0xC6, 0xE3}, /* 12.1.0 Device Master Kek Source. */
-    {0x77, 0x52, 0x92, 0xF0, 0xAA, 0xE3, 0xFB, 0xE0, 0x60, 0x16, 0xB3, 0x78, 0x68, 0x53, 0xF7, 0xA8}, /* 13.0.0 Device Master Kek Source. */
-    {0x67, 0xD5, 0xD6, 0x0C, 0x08, 0xF5, 0xA3, 0x11, 0xBD, 0x6D, 0x5A, 0xEB, 0x96, 0x24, 0xB0, 0xD2}, /* 14.0.0 Device Master Kek Source. */
-}; //!TODO: Update on mkey changes.
-
-static const u8 device_master_kek_sources_dev[KB_FIRMWARE_VERSION_MAX - KB_FIRMWARE_VERSION_400 + 1][0x10] __attribute__((aligned(4))) = {
-    {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.0.0  Device Master Kek Source. */
-    {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.0.0  Device Master Kek Source. */
-    {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.0.0  Device Master Kek Source. */
-    {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}, /* 6.2.0  Device Master Kek Source. */
-    {0x60, 0xAE, 0x56, 0x68, 0x11, 0xE2, 0x0C, 0x99, 0xDE, 0x05, 0xAE, 0x68, 0x78, 0x85, 0x04, 0xAE}, /* 7.0.0  Device Master Kek Source. */
-    {0x94, 0xD6, 0xA8, 0xC0, 0x95, 0xAF, 0xD0, 0xA6, 0x27, 0x53, 0x5E, 0xE5, 0x8E, 0x70, 0x1F, 0x87}, /* 8.1.0  Device Master Kek Source. */
-    {0x61, 0x6A, 0x88, 0x21, 0xA3, 0x52, 0xB0, 0x19, 0x16, 0x25, 0xA4, 0xE3, 0x4C, 0x54, 0x02, 0x0F}, /* 9.0.0  Device Master Kek Source. */
-    {0x9D, 0xB1, 0xAE, 0xCB, 0xF6, 0xF6, 0xE3, 0xFE, 0xAB, 0x6F, 0xCB, 0xAF, 0x38, 0x03, 0xFC, 0x7B}, /* 9.1.0  Device Master Kek Source. */
-    {0xC4, 0xBB, 0xF3, 0x9F, 0xA3, 0xAA, 0x00, 0x99, 0x7C, 0x97, 0xAD, 0x91, 0x8F, 0xE8, 0x45, 0xCB}, /* 12.1.0 Device Master Kek Source. */
-    {0x20, 0x20, 0xAA, 0xFB, 0x89, 0xC2, 0xF0, 0x70, 0xB5, 0xE0, 0xA3, 0x11, 0x8A, 0x29, 0x8D, 0x0F}, /* 13.0.0 Device Master Kek Source. */
-    {0xCE, 0x14, 0x74, 0x66, 0x98, 0xA8, 0x6D, 0x7D, 0xBD, 0x54, 0x91, 0x68, 0x5F, 0x1D, 0x0E, 0xEA}, /* 14.0.0 Device Master Kek Source. */
-}; //!TODO: Update on mkey changes.
-
-// from SPL
-static const u8 aes_key_generation_source[0x10] __attribute__((aligned(4))) = {
-    0x89, 0x61, 0x5E, 0xE0, 0x5C, 0x31, 0xB6, 0x80, 0x5F, 0xE5, 0x8F, 0x3D, 0xA2, 0x4F, 0x7A, 0xA8};
-static const u8 aes_key_decryption_source[0x10] __attribute__((aligned(4))) = {
-    0x11, 0x70, 0x24, 0x2B, 0x48, 0x69, 0x11, 0xF1, 0x11, 0xB0, 0x0C, 0x47, 0x7C, 0xC3, 0xEF, 0x7E};
-
-// from FS
-static const u8 bis_kek_source[0x10] __attribute__((aligned(4))) = {
-    0x34, 0xC1, 0xA0, 0xC4, 0x82, 0x58, 0xF8, 0xB4, 0xFA, 0x9E, 0x5E, 0x6A, 0xDA, 0xFC, 0x7E, 0x4F};
-static const u8 bis_key_sources[3][0x20] __attribute__((aligned(4))) = {
-    {0xF8, 0x3F, 0x38, 0x6E, 0x2C, 0xD2, 0xCA, 0x32, 0xA8, 0x9A, 0xB9, 0xAA, 0x29, 0xBF, 0xC7, 0x48,
-     0x7D, 0x92, 0xB0, 0x3A, 0xA8, 0xBF, 0xDE, 0xE1, 0xA7, 0x4C, 0x3B, 0x6E, 0x35, 0xCB, 0x71, 0x06},
-    {0x41, 0x00, 0x30, 0x49, 0xDD, 0xCC, 0xC0, 0x65, 0x64, 0x7A, 0x7E, 0xB4, 0x1E, 0xED, 0x9C, 0x5F,
-     0x44, 0x42, 0x4E, 0xDA, 0xB4, 0x9D, 0xFC, 0xD9, 0x87, 0x77, 0x24, 0x9A, 0xDC, 0x9F, 0x7C, 0xA4},
-    {0x52, 0xC2, 0xE9, 0xEB, 0x09, 0xE3, 0xEE, 0x29, 0x32, 0xA1, 0x0C, 0x1F, 0xB6, 0xA0, 0x92, 0x6C,
-     0x4D, 0x12, 0xE1, 0x4B, 0x2A, 0x47, 0x4C, 0x1C, 0x09, 0xCB, 0x03, 0x59, 0xF0, 0x15, 0xF4, 0xE4}
-};
-static const u8 header_kek_source[0x10] __attribute__((aligned(4))) = {
-    0x1F, 0x12, 0x91, 0x3A, 0x4A, 0xCB, 0xF0, 0x0D, 0x4C, 0xDE, 0x3A, 0xF6, 0xD5, 0x23, 0x88, 0x2A};
-static const u8 header_key_source[0x20] __attribute__((aligned(4))) = {
-    0x5A, 0x3E, 0xD8, 0x4F, 0xDE, 0xC0, 0xD8, 0x26, 0x31, 0xF7, 0xE2, 0x5D, 0x19, 0x7B, 0xF5, 0xD0,
-    0x1C, 0x9B, 0x7B, 0xFA, 0xF6, 0x28, 0x18, 0x3D, 0x71, 0xF6, 0x4D, 0x73, 0xF1, 0x50, 0xB9, 0xD2};
-static const u8 key_area_key_sources[3][0x10] __attribute__((aligned(4))) = {
-    {0x7F, 0x59, 0x97, 0x1E, 0x62, 0x9F, 0x36, 0xA1, 0x30, 0x98, 0x06, 0x6F, 0x21, 0x44, 0xC3, 0x0D}, // application
-    {0x32, 0x7D, 0x36, 0x08, 0x5A, 0xD1, 0x75, 0x8D, 0xAB, 0x4E, 0x6F, 0xBA, 0xA5, 0x55, 0xD8, 0x82}, // ocean
-    {0x87, 0x45, 0xF1, 0xBB, 0xA6, 0xBE, 0x79, 0x64, 0x7D, 0x04, 0x8B, 0xA6, 0x7B, 0x5F, 0xDA, 0x4A}, // system
-};
-static const u8 save_mac_kek_source[0x10] __attribute__((aligned(4))) = {
-    0XD8, 0X9C, 0X23, 0X6E, 0XC9, 0X12, 0X4E, 0X43, 0XC8, 0X2B, 0X03, 0X87, 0X43, 0XF9, 0XCF, 0X1B};
-static const u8 save_mac_key_source[0x10] __attribute__((aligned(4))) = {
-    0XE4, 0XCD, 0X3D, 0X4A, 0XD5, 0X0F, 0X74, 0X28, 0X45, 0XA4, 0X87, 0XE5, 0XA0, 0X63, 0XEA, 0X1F};
-static const u8 save_mac_sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
-    0X04, 0X89, 0XEF, 0X5D, 0X32, 0X6E, 0X1A, 0X59, 0XC4, 0XB7, 0XAB, 0X8C, 0X36, 0X7A, 0XAB, 0X17};
-static const u8 save_mac_sd_card_key_source[0x10] __attribute__((aligned(4))) = {
-    0X6F, 0X64, 0X59, 0X47, 0XC5, 0X61, 0X46, 0XF9, 0XFF, 0XA0, 0X45, 0XD5, 0X95, 0X33, 0X29, 0X18};
-static const u8 sd_card_custom_storage_key_source[0x20] __attribute__((aligned(4))) = {
-    0X37, 0X0C, 0X34, 0X5E, 0X12, 0XE4, 0XCE, 0XFE, 0X21, 0XB5, 0X8E, 0X64, 0XDB, 0X52, 0XAF, 0X35,
-    0X4F, 0X2C, 0XA5, 0XA3, 0XFC, 0X99, 0X9A, 0X47, 0XC0, 0X3E, 0XE0, 0X04, 0X48, 0X5B, 0X2F, 0XD0};
-static const u8 sd_card_kek_source[0x10] __attribute__((aligned(4))) = {
-    0X88, 0X35, 0X8D, 0X9C, 0X62, 0X9B, 0XA1, 0XA0, 0X01, 0X47, 0XDB, 0XE0, 0X62, 0X1B, 0X54, 0X32};
-static const u8 sd_card_nca_key_source[0x20] __attribute__((aligned(4))) = {
-    0X58, 0X41, 0XA2, 0X84, 0X93, 0X5B, 0X56, 0X27, 0X8B, 0X8E, 0X1F, 0XC5, 0X18, 0XE9, 0X9F, 0X2B,
-    0X67, 0XC7, 0X93, 0XF0, 0XF2, 0X4F, 0XDE, 0XD0, 0X75, 0X49, 0X5D, 0XCA, 0X00, 0X6D, 0X99, 0XC2};
-static const u8 sd_card_save_key_source[0x20] __attribute__((aligned(4))) = {
-    0X24, 0X49, 0XB7, 0X22, 0X72, 0X67, 0X03, 0XA8, 0X19, 0X65, 0XE6, 0XE3, 0XEA, 0X58, 0X2F, 0XDD,
-    0X9A, 0X95, 0X15, 0X17, 0XB1, 0X6E, 0X8F, 0X7F, 0X1F, 0X68, 0X26, 0X31, 0X52, 0XEA, 0X29, 0X6A};
-
-// from NFC
-static const u8 nfc_key_source[0x10] __attribute__((aligned(4))) = {
-    0x83, 0xF6, 0xEF, 0xD8, 0x13, 0x26, 0x49, 0xAB, 0x97, 0x5F, 0xEA, 0xBA, 0x65, 0x71, 0xCA, 0xCA};
-static const u8 encrypted_nfc_keys[0x80] __attribute__((aligned(4))) = {
-    0x76, 0x50, 0x87, 0x02, 0x40, 0xA6, 0x5A, 0x98, 0xCE, 0x39, 0x2F, 0xC8, 0x83, 0xAF, 0x54, 0x76,
-    0x28, 0xFF, 0x50, 0xFC, 0xC1, 0xFB, 0x26, 0x14, 0xA2, 0x4A, 0xA6, 0x74, 0x90, 0xA4, 0x37, 0x06,
-    0x03, 0x63, 0xC2, 0xB1, 0xAF, 0x9F, 0xF7, 0x07, 0xFC, 0x8A, 0xB9, 0xCA, 0x28, 0x68, 0x6E, 0xF7,
-    0x42, 0xCD, 0x68, 0x13, 0xCD, 0x7B, 0x3A, 0x60, 0x3E, 0x8B, 0xAB, 0x3A, 0xCC, 0xED, 0xE0, 0xDD,
-    0x71, 0x1F, 0xA5, 0xDE, 0xB8, 0xB1, 0xF5, 0x1D, 0x14, 0x73, 0xBE, 0x27, 0xCC, 0xA1, 0x9B, 0x23,
-    0x06, 0x91, 0x89, 0x05, 0xED, 0xD6, 0x92, 0x76, 0x3F, 0x42, 0xFB, 0xD1, 0x8F, 0x2D, 0x6D, 0x72,
-    0xC8, 0x9E, 0x48, 0xE8, 0x03, 0x64, 0xF0, 0x3C, 0x0E, 0x2A, 0xF1, 0x26, 0x83, 0x02, 0x4F, 0xE2,
-    0x41, 0xAA, 0xC8, 0x33, 0x68, 0x84, 0x3A, 0xFB, 0x87, 0x18, 0xEA, 0xF7, 0x36, 0xA2, 0x4E, 0xA9};
-static const u8 encrypted_nfc_keys_dev[0x80] __attribute__((aligned(4))) = {
-    0x13, 0xB0, 0xFB, 0xC2, 0x91, 0x6D, 0x6E, 0x5A, 0x10, 0x31, 0x40, 0xB7, 0xDF, 0xCF, 0x69, 0x69,
-    0xB0, 0xFA, 0xAE, 0x7F, 0xB2, 0x4D, 0x27, 0xC9, 0xE9, 0x3F, 0x5B, 0x38, 0x39, 0x24, 0x98, 0xCE,
-    0xED, 0xD2, 0xA9, 0x6C, 0x6F, 0xA7, 0x72, 0xD7, 0x11, 0x31, 0x17, 0x93, 0x12, 0x49, 0x32, 0x85,
-    0x21, 0xE5, 0xE1, 0x88, 0x0F, 0x08, 0xF2, 0x30, 0x5C, 0xC3, 0xAA, 0xFF, 0xC0, 0xAB, 0x21, 0x96,
-    0x74, 0x39, 0xED, 0xE0, 0x5A, 0xB6, 0x75, 0xC2, 0x3B, 0x08, 0x61, 0xE4, 0xA7, 0xD6, 0xED, 0x8C,
-    0xA9, 0x02, 0x12, 0xA6, 0xCC, 0x27, 0x4C, 0x1C, 0x41, 0x9C, 0xD8, 0x4C, 0x00, 0xC7, 0x5B, 0x5D,
-    0xED, 0xC2, 0x3D, 0x5E, 0x00, 0xF5, 0x49, 0xFA, 0x6C, 0x75, 0x67, 0xCF, 0x1F, 0x73, 0x1A, 0xE8,
-    0x47, 0xD4, 0x3D, 0x9B, 0x83, 0x5B, 0x18, 0x2F, 0x95, 0xA9, 0x04, 0xBC, 0x2E, 0xBB, 0x64, 0x4A};
-static const u8 nfc_blob_hash[0x20] __attribute__((aligned(4))) = {
-    0x7F, 0x92, 0x83, 0x65, 0x4E, 0xC1, 0x09, 0x7F, 0xBD, 0xFF, 0x31, 0xDE, 0x94, 0x66, 0x51, 0xAE,
-    0x60, 0xC2, 0x85, 0x4A, 0xFB, 0x54, 0x4A, 0xBE, 0x89, 0x63, 0xD3, 0x89, 0x63, 0x9C, 0x71, 0x0E};
-static const u8 nfc_blob_hash_dev[0x20] __attribute__((aligned(4))) = {
-    0x4E, 0x36, 0x59, 0x1C, 0x75, 0x80, 0x23, 0x03, 0x98, 0x2D, 0x45, 0xD9, 0x85, 0xB8, 0x60, 0x18,
-    0x7C, 0x85, 0x37, 0x9B, 0xCB, 0xBA, 0xF3, 0xDC, 0x25, 0x38, 0x73, 0xDB, 0x2F, 0xFA, 0xAE, 0x26};

source/keys/keys.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2021 shchmue
+ * Copyright (c) 2019-2022 shchmue
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -17,129 +17,11 @@
 #ifndef _KEYS_H_
 #define _KEYS_H_
 
-#include <utils/types.h>
+#include "crypto.h"
 
 #include "../hos/hos.h"
-
-#define AES_128_KEY_SIZE 16
-#define RSA_2048_KEY_SIZE 256
-
-// only tickets of type Rsa2048Sha256 are expected
-typedef struct {
-    u32 signature_type;   // always 0x10004
-    u8 signature[RSA_2048_KEY_SIZE];
-    u8 sig_padding[0x3C];
-    char issuer[0x40];
-    u8 titlekey_block[RSA_2048_KEY_SIZE];
-    u8 format_version;
-    u8 titlekey_type;
-    u16 ticket_version;
-    u8 license_type;
-    u8 common_key_id;
-    u16 property_mask;
-    u64 reserved;
-    u64 ticket_id;
-    u64 device_id;
-    u8 rights_id[0x10];
-    u32 account_id;
-    u32 sect_total_size;
-    u32 sect_hdr_offset;
-    u16 sect_hdr_count;
-    u16 sect_hdr_entry_size;
-    u8 padding[0x140];
-} ticket_t;
-
-typedef struct {
-    u8 rights_id[0x10];
-    u64 ticket_id;
-    u32 account_id;
-    u16 property_mask;
-    u16 reserved;
-} ticket_record_t;
-
-typedef struct {
-    u8 read_buffer[SZ_256K];
-    u8 rights_ids[SZ_256K / 0x10][0x10];
-    u8 titlekeys[SZ_256K / 0x10][0x10];
-} titlekey_buffer_t;
-
-typedef struct {
-    u8 private_exponent[RSA_2048_KEY_SIZE];
-    u8 modulus[RSA_2048_KEY_SIZE];
-    u8 public_exponent[4];
-    u8 reserved[0xC];
-} rsa_keypair_t;
-
-typedef struct {
-    u8 master_kek[AES_128_KEY_SIZE];
-    u8 data[0x70];
-    u8 package1_key[AES_128_KEY_SIZE];
-} keyblob_t;
-
-typedef struct {
-    u8 cmac[0x10];
-    u8 iv[0x10];
-    keyblob_t key_data;
-    u8 unused[0x150];
-} encrypted_keyblob_t;
-
-typedef struct {
-    char phrase[0xE];
-    u8 seed[0xE];
-    u8 hmac_key[0x10];
-    char phrase_for_verif[0xE];
-    u8 seed_for_verif[0x10];
-    u8 hmac_key_for_verif[0x10];
-    u8 ctr_key[0x10];
-    u8 ctr_iv[0x10];
-    u8 pad[6];
-} nfc_keyblob_t;
-
-typedef struct {
-    u8 hmac_key[0x10];
-    char phrase[0xE];
-    u8 rsvd;
-    u8 seed_size;
-    u8 seed[0x10];
-    u8 xor_pad[0x20];
-} nfc_save_key_t;
-
-typedef struct {
-    u8  temp_key[AES_128_KEY_SIZE],
-        bis_key[4][AES_128_KEY_SIZE * 2],
-        device_key[AES_128_KEY_SIZE],
-        device_key_4x[AES_128_KEY_SIZE],
-        sd_seed[AES_128_KEY_SIZE],
-        // FS-related keys
-        header_key[AES_128_KEY_SIZE * 2],
-        save_mac_key[AES_128_KEY_SIZE],
-        // other sysmodule keys
-        eticket_rsa_kek[AES_128_KEY_SIZE],
-        eticket_rsa_kek_personalized[AES_128_KEY_SIZE],
-        ssl_rsa_kek[AES_128_KEY_SIZE],
-        // keyblob-derived families
-        keyblob_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
-        keyblob_mac_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
-        package1_key[KB_FIRMWARE_VERSION_600 + 1][AES_128_KEY_SIZE],
-        // master key-derived families
-        key_area_key[3][KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        master_kek[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        master_key[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        package2_key[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        titlekek[KB_FIRMWARE_VERSION_MAX + 1][AES_128_KEY_SIZE],
-        tsec_key[AES_128_KEY_SIZE],
-        tsec_root_key[AES_128_KEY_SIZE];
-    u32 sbk[4];
-    keyblob_t keyblob[KB_FIRMWARE_VERSION_600 + 1];
-    rsa_keypair_t rsa_keypair;
-} key_derivation_ctx_t;
-
-typedef struct {
-    char rights_id[0x20];
-    char equals[3];
-    char titlekey[0x20];
-    char newline[1];
-} titlekey_text_buffer_t;
+#include <sec/se_t210.h>
+#include <utils/types.h>
 
 #define TPRINTF(text) \
     end_time = get_tmr_us(); \

source/keys/nfc_crypto.c

@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "nfc_crypto.h"
+
+#include <mem/minerva.h>
+#include <sec/se.h>
+
+#include <string.h>
+
+void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_keys[2], bool is_dev) {
+    const u8 *encrypted_keys = is_dev ? encrypted_nfc_keys_dev : encrypted_nfc_keys;
+    u32 kek[SE_KEY_128_SIZE / 4] = {0};
+    decrypt_aes_key(KS_AES_ECB, keys, kek, nfc_key_source, 0, 0);
+
+    nfc_keyblob_t __attribute__((aligned(4))) nfc_keyblob;
+    static const u8 nfc_iv[SE_AES_IV_SIZE] = {
+        0xB9, 0x1D, 0xC1, 0xCF, 0x33, 0x5F, 0xA6, 0x13, 0x2A, 0xEF, 0x90, 0x99, 0xAA, 0xCA, 0x93, 0xC8};
+    se_aes_key_set(KS_AES_CTR, kek, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, &nfc_keyblob, sizeof(nfc_keyblob), encrypted_keys, sizeof(nfc_keyblob), &nfc_iv);
+
+    minerva_periodic_training();
+
+    u32 xor_pad[0x20 / 4] = {0};
+    se_aes_key_set(KS_AES_CTR, nfc_keyblob.ctr_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, xor_pad, sizeof(xor_pad), xor_pad, sizeof(xor_pad), nfc_keyblob.ctr_iv);
+
+    minerva_periodic_training();
+
+    memcpy(out_nfc_save_keys[0].hmac_key, nfc_keyblob.hmac_key, sizeof(nfc_keyblob.hmac_key));
+    memcpy(out_nfc_save_keys[0].phrase, nfc_keyblob.phrase, sizeof(nfc_keyblob.phrase));
+    out_nfc_save_keys[0].seed_size = sizeof(nfc_keyblob.seed);
+    memcpy(out_nfc_save_keys[0].seed, nfc_keyblob.seed, sizeof(nfc_keyblob.seed));
+    memcpy(out_nfc_save_keys[0].xor_pad, xor_pad, sizeof(xor_pad));
+
+    memcpy(out_nfc_save_keys[1].hmac_key, nfc_keyblob.hmac_key_for_verif, sizeof(nfc_keyblob.hmac_key_for_verif));
+    memcpy(out_nfc_save_keys[1].phrase, nfc_keyblob.phrase_for_verif, sizeof(nfc_keyblob.phrase_for_verif));
+    out_nfc_save_keys[1].seed_size = sizeof(nfc_keyblob.seed_for_verif);
+    memcpy(out_nfc_save_keys[1].seed, nfc_keyblob.seed_for_verif, sizeof(nfc_keyblob.seed_for_verif));
+    memcpy(out_nfc_save_keys[1].xor_pad, xor_pad, sizeof(xor_pad));
+}

source/keys/nfc_crypto.h

@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _NFC_CRYPTO_H_
+#define _NFC_CRYPTO_H_
+
+#include "crypto.h"
+
+#include <sec/se_t210.h>
+#include <utils/types.h>
+
+static const u8 nfc_key_source[0x10] __attribute__((aligned(4))) = {
+    0x83, 0xF6, 0xEF, 0xD8, 0x13, 0x26, 0x49, 0xAB, 0x97, 0x5F, 0xEA, 0xBA, 0x65, 0x71, 0xCA, 0xCA};
+static const u8 encrypted_nfc_keys[0x80] __attribute__((aligned(4))) = {
+    0x76, 0x50, 0x87, 0x02, 0x40, 0xA6, 0x5A, 0x98, 0xCE, 0x39, 0x2F, 0xC8, 0x83, 0xAF, 0x54, 0x76,
+    0x28, 0xFF, 0x50, 0xFC, 0xC1, 0xFB, 0x26, 0x14, 0xA2, 0x4A, 0xA6, 0x74, 0x90, 0xA4, 0x37, 0x06,
+    0x03, 0x63, 0xC2, 0xB1, 0xAF, 0x9F, 0xF7, 0x07, 0xFC, 0x8A, 0xB9, 0xCA, 0x28, 0x68, 0x6E, 0xF7,
+    0x42, 0xCD, 0x68, 0x13, 0xCD, 0x7B, 0x3A, 0x60, 0x3E, 0x8B, 0xAB, 0x3A, 0xCC, 0xED, 0xE0, 0xDD,
+    0x71, 0x1F, 0xA5, 0xDE, 0xB8, 0xB1, 0xF5, 0x1D, 0x14, 0x73, 0xBE, 0x27, 0xCC, 0xA1, 0x9B, 0x23,
+    0x06, 0x91, 0x89, 0x05, 0xED, 0xD6, 0x92, 0x76, 0x3F, 0x42, 0xFB, 0xD1, 0x8F, 0x2D, 0x6D, 0x72,
+    0xC8, 0x9E, 0x48, 0xE8, 0x03, 0x64, 0xF0, 0x3C, 0x0E, 0x2A, 0xF1, 0x26, 0x83, 0x02, 0x4F, 0xE2,
+    0x41, 0xAA, 0xC8, 0x33, 0x68, 0x84, 0x3A, 0xFB, 0x87, 0x18, 0xEA, 0xF7, 0x36, 0xA2, 0x4E, 0xA9};
+static const u8 encrypted_nfc_keys_dev[0x80] __attribute__((aligned(4))) = {
+    0x13, 0xB0, 0xFB, 0xC2, 0x91, 0x6D, 0x6E, 0x5A, 0x10, 0x31, 0x40, 0xB7, 0xDF, 0xCF, 0x69, 0x69,
+    0xB0, 0xFA, 0xAE, 0x7F, 0xB2, 0x4D, 0x27, 0xC9, 0xE9, 0x3F, 0x5B, 0x38, 0x39, 0x24, 0x98, 0xCE,
+    0xED, 0xD2, 0xA9, 0x6C, 0x6F, 0xA7, 0x72, 0xD7, 0x11, 0x31, 0x17, 0x93, 0x12, 0x49, 0x32, 0x85,
+    0x21, 0xE5, 0xE1, 0x88, 0x0F, 0x08, 0xF2, 0x30, 0x5C, 0xC3, 0xAA, 0xFF, 0xC0, 0xAB, 0x21, 0x96,
+    0x74, 0x39, 0xED, 0xE0, 0x5A, 0xB6, 0x75, 0xC2, 0x3B, 0x08, 0x61, 0xE4, 0xA7, 0xD6, 0xED, 0x8C,
+    0xA9, 0x02, 0x12, 0xA6, 0xCC, 0x27, 0x4C, 0x1C, 0x41, 0x9C, 0xD8, 0x4C, 0x00, 0xC7, 0x5B, 0x5D,
+    0xED, 0xC2, 0x3D, 0x5E, 0x00, 0xF5, 0x49, 0xFA, 0x6C, 0x75, 0x67, 0xCF, 0x1F, 0x73, 0x1A, 0xE8,
+    0x47, 0xD4, 0x3D, 0x9B, 0x83, 0x5B, 0x18, 0x2F, 0x95, 0xA9, 0x04, 0xBC, 0x2E, 0xBB, 0x64, 0x4A};
+static const u8 nfc_blob_hash[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
+    0x7F, 0x92, 0x83, 0x65, 0x4E, 0xC1, 0x09, 0x7F, 0xBD, 0xFF, 0x31, 0xDE, 0x94, 0x66, 0x51, 0xAE,
+    0x60, 0xC2, 0x85, 0x4A, 0xFB, 0x54, 0x4A, 0xBE, 0x89, 0x63, 0xD3, 0x89, 0x63, 0x9C, 0x71, 0x0E};
+static const u8 nfc_blob_hash_dev[SE_SHA_256_SIZE] __attribute__((aligned(4))) = {
+    0x4E, 0x36, 0x59, 0x1C, 0x75, 0x80, 0x23, 0x03, 0x98, 0x2D, 0x45, 0xD9, 0x85, 0xB8, 0x60, 0x18,
+    0x7C, 0x85, 0x37, 0x9B, 0xCB, 0xBA, 0xF3, 0xDC, 0x25, 0x38, 0x73, 0xDB, 0x2F, 0xFA, 0xAE, 0x26};
+
+typedef struct {
+    char phrase[0xE];
+    u8 seed[0xE];
+    u8 hmac_key[0x10];
+    char phrase_for_verif[0xE];
+    u8 seed_for_verif[0x10];
+    u8 hmac_key_for_verif[0x10];
+    u8 ctr_key[0x10];
+    u8 ctr_iv[0x10];
+    u8 pad[6];
+} nfc_keyblob_t;
+
+typedef struct {
+    u8 hmac_key[0x10];
+    char phrase[0xE];
+    u8 rsvd;
+    u8 seed_size;
+    u8 seed[0x10];
+    u8 xor_pad[0x20];
+} nfc_save_key_t;
+
+void nfc_decrypt_amiibo_keys(key_storage_t *keys, nfc_save_key_t out_nfc_save_keys[2], bool is_dev);
+
+#endif

source/keys/ssl_crypto.c

@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "ssl_crypto.h"
+
+#include "cal0_read.h"
+#include "gmac.h"
+
+#include "../config.h"
+#include <gfx_utils.h>
+#include <sec/se.h>
+#include <sec/se_t210.h>
+
+#include <string.h>
+
+extern hekate_config h_cfg;
+
+void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation) {
+    if ((!h_cfg.t210b01 && !key_exists(keys->device_key)) || (h_cfg.t210b01 && (!key_exists(keys->master_key[0]) || !key_exists(keys->device_key_4x)))) {
+        return;
+    }
+
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_IMPORT_SSL_KEY) | IS_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_client_cert_kek_source, ssl_client_cert_key_source, generation, option);
+}
+
+void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    const u32 generation = 0;
+    const u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_rsa_kek_source_legacy, generation, option);
+}
+
+void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev) {
+    if (!key_exists(keys->master_key[0])) {
+        return;
+    }
+
+    const void *ssl_kek_source = is_dev ? ssl_rsa_kek_source_dev : ssl_rsa_kek_source;
+    const u32 generation = 0;
+    u32 option = SET_SEAL_KEY_INDEX(SEAL_KEY_DECRYPT_DEVICE_UNIQUE_DATA) | NOT_DEVICE_UNIQUE;
+    derive_rsa_kek(KS_AES_ECB, keys, out_rsa_kek, ssl_rsa_kekek_source, ssl_kek_source, generation, option);
+}
+
+bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer) {
+    if (!cal0_read(KS_BIS_00_TWEAK, KS_BIS_00_CRYPT, buffer)) {
+        return false;
+    }
+
+    nx_emmc_cal0_t *cal0 = (nx_emmc_cal0_t *)buffer;
+    u32 generation = 0;
+    const void *encrypted_key = NULL;
+    const void *iv = NULL;
+    u32 key_size = 0;
+    void *ctr_key = NULL;
+    bool enforce_unique = true;
+
+    if (!cal0_get_ssl_rsa_key(cal0, &encrypted_key, &key_size, &iv, &generation)) {
+        return false;
+    }
+
+    if (key_size == SSL_RSA_KEY_SIZE) {
+        bool all_zero = true;
+        const u8 *key8 = (const u8 *)encrypted_key;
+        for (u32 i = SE_RSA2048_DIGEST_SIZE; i < SSL_RSA_KEY_SIZE; i++) {
+            if (key8[i] != 0) {
+                all_zero = false;
+                break;
+            }
+        }
+        if (all_zero) {
+            // Keys of this form are not encrypted
+            memcpy(keys->ssl_rsa_key, encrypted_key, SE_RSA2048_DIGEST_SIZE);
+            return true;
+        }
+
+        ssl_derive_rsa_kek_legacy(keys, keys->ssl_rsa_kek_legacy);
+        ctr_key = keys->ssl_rsa_kek_legacy;
+        enforce_unique = false;
+    } else if (generation) {
+        ssl_derive_rsa_kek_device_unique(keys, keys->ssl_rsa_kek_personalized, generation);
+        ctr_key = keys->ssl_rsa_kek_personalized;
+    } else {
+        ctr_key = keys->ssl_rsa_kek;
+    }
+
+    u32 ctr_size = enforce_unique ? key_size - 0x20 : key_size - 0x10;
+    se_aes_key_set(KS_AES_CTR, ctr_key, SE_KEY_128_SIZE);
+    se_aes_crypt_ctr(KS_AES_CTR, keys->ssl_rsa_key, ctr_size, encrypted_key, ctr_size, iv);
+
+    if (enforce_unique) {
+        u32 calc_mac[SE_KEY_128_SIZE / 4] = {0};
+        calc_gmac(KS_AES_ECB, calc_mac, keys->ssl_rsa_key, ctr_size, ctr_key, iv);
+
+        const u8 *key8 = (const u8 *)encrypted_key;
+        if (memcmp(calc_mac, &key8[ctr_size], 0x10) != 0) {
+            EPRINTF("SSL keypair has invalid GMac.");
+            memset(keys->ssl_rsa_key, 0, sizeof(keys->ssl_rsa_key));
+            return false;
+        }
+    }
+
+    return true;
+}

source/keys/ssl_crypto.h

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2022 shchmue
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _SSL_CRYPTO_H_
+#define _SSL_CRYPTO_H_
+
+#include "crypto.h"
+
+#include <utils/types.h>
+
+#define SSL_RSA_KEY_SIZE (SE_AES_IV_SIZE + SE_RSA2048_DIGEST_SIZE)
+
+static const u8 ssl_rsa_kekek_source[0x10] __attribute__((aligned(4))) = {
+    0x7F, 0x5B, 0xB0, 0x84, 0x7B, 0x25, 0xAA, 0x67, 0xFA, 0xC8, 0x4B, 0xE2, 0x3D, 0x7B, 0x69, 0x03};
+static const u8 ssl_rsa_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x9A, 0x38, 0x3B, 0xF4, 0x31, 0xD0, 0xBD, 0x81, 0x32, 0x53, 0x4B, 0xA9, 0x64, 0x39, 0x7D, 0xE3};
+static const u8 ssl_rsa_kek_source_dev[0x10] __attribute__((aligned(4))) = {
+    0xD5, 0xD2, 0xFC, 0x00, 0xFD, 0x49, 0xDD, 0xF8, 0xEE, 0x7B, 0xC4, 0x4B, 0xE1, 0x4C, 0xAA, 0x99};
+static const u8 ssl_rsa_kek_source_legacy[0x10] __attribute__((aligned(4))) = {
+    0xED, 0x36, 0xB1, 0x32, 0x27, 0x17, 0xD2, 0xB0, 0xBA, 0x1F, 0xC1, 0xBD, 0x4D, 0x38, 0x0F, 0x5E};
+static const u8 ssl_client_cert_kek_source[0x10] __attribute__((aligned(4))) = {
+    0x64, 0xB8, 0x30, 0xDD, 0x0F, 0x3C, 0xB7, 0xFB, 0x4C, 0x16, 0x01, 0x97, 0xEA, 0x9D, 0x12, 0x10};
+static const u8 ssl_client_cert_key_source[0x10] __attribute__((aligned(4))) = {
+    0x4D, 0x92, 0x5A, 0x69, 0x42, 0x23, 0xBB, 0x92, 0x59, 0x16, 0x3E, 0x51, 0x8C, 0x78, 0x14, 0x0F};
+
+void ssl_derive_rsa_kek_device_unique(key_storage_t *keys, void *out_rsa_kek, u32 generation);
+void ssl_derive_rsa_kek_legacy(key_storage_t *keys, void *out_rsa_kek);
+void ssl_derive_rsa_kek_original(key_storage_t *keys, void *out_rsa_kek, bool is_dev);
+
+bool decrypt_ssl_rsa_key(key_storage_t *keys, void *buffer);
+
+#endif

source/storage/nx_emmc_bis.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019 shchmue
+ * Copyright (c) 2019-2022 shchmue
  * Copyright (c) 2019 CTCaer
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -112,8 +112,10 @@ typedef struct _nx_emmc_cal0_t
 	u8   crc16_pad16[0x10];
 	u8   ecc_p33_ticket_cert[0x180];
 	u8   crc16_pad17[0x10];
-	u8   ssl_key[0x110];
-	u8   crc16_pad18[0x10];
+	u8   ssl_key_iv[0x10];
+	u8   ssl_key[0x100];
+	u8   crc16_pad18[0xE];
+	u16  ssl_key_crc;
 	u32  ssl_cert_size;
 	u8   crc16_pad19[0xC];
 	u8   ssl_cert[0x800];
@@ -170,8 +172,11 @@ typedef struct _nx_emmc_cal0_t
 	u32  ext_ecc_rsa2048_eticket_key_ver;
 	u8   crc16_pad38[0xA];
 	u16  ext_ecc_rsa2048_eticket_key_crc;
-	u8   ext_ssl_key[0x130];
-	u8   crc16_pad39[0x10];
+	u8   ext_ssl_key_iv[0x10];
+	u8   ext_ssl_key[0x120];
+	u32  ext_ssl_key_ver;
+	u8   crc16_pad39[0xA];
+	u16  ext_ssl_key_crc;
 	u8   ext_gc_key[0x130];
 	u8   crc16_pad40[0x10];