borntohonk/Switch-Ghidra-Guides

Dev keygen - key_hash

Closed this issue · 3 comments

Hi again, thanks for adding dev keygen. I did notice that the keyhash for dev - master_key_00_key = '59xxx' should be this:

if key_hash != "201d449a1654ed659e9bd9f3546a0609f710d6b8b81eb567fd7c738ff04324fc":

Also to generate dev keys in the temp key file we need to have :

aes_kek_generation_source = 4dxx
aes_key_generation_source = 89xxx
mariko_master_kek_source_11 = e445xxx
master_kek_source_11 = 00045xxx
tsec_root_key_02 = ca99xxx

Do you happen to know what file master_kek_source_11 lives in (for dev, not prod)? I guess this can be extracted from a file in the same way that mariko_master_kek_source_11 can be, as we need to get that to generate the dev keys, or am I missing something?

> Hi again, thanks for adding dev keygen. I did notice that the keyhash for dev - master_key_00_key = '59xxx' should be this:
>
> if key_hash != "201d449a1654ed659e9bd9f3546a0609f710d6b8b81eb567fd7c738ff04324fc":

Not needed.

> aes_kek_generation_source = 4dxx

No, not required.

> aes_key_generation_source = 89xxx

No, not required.

> mariko_master_kek_source_11 = e445xxx

Wrong, that is Mariko non-dev: https://github.com/Atmosphere-NX/Atmosphere/blob/master/fusee/program/source/fusee_key_derivation.cpp#L31

> master_kek_source_11 = 00045xxx

Erista non-dev (wrong): https://github.com/Atmosphere-NX/Atmosphere/blob/master/fusee/program/source/fusee_key_derivation.cpp#L36

> tsec_root_key_02 = ca99xxx

No, not required. tsec_root_key_%% is the equivalent of mariko_kek, and "package1_key_%%" is the equivalent of mariko_bek (required to decrypt Erista package1). To obtain package1_key_%%, you must have tsec_secret_26 to produce package1_key_%% (not public; methods to obtain it require AES glitching and bruteforcing).

We are already obtaining mariko_master_kek_source_dev (or whatever you want to call it) and mariko_master_kek_source from Mariko's package1; we don't need master_key_00_dev.

The way this works, if you haven't caught up on it, is this:
We use Mariko's bootrom encryption key and Mariko's key encryption key, alongside master_key_00.

How do we obtain master_key_00?

Two paths.
Path 1 (Erista):
package1_key_%% (opens Erista package1) + tsec_root_key_%% + master_key_source equals -> master_kek_source
master_kek_source_%% + tsec_root_key_00 = master_kek_%%

Path 2:
mariko_bek (opens Mariko package1) + mariko_kek + master_key_source equals -> mariko_master_kek_source
mariko_master_kek_source + mariko_kek = master_kek

Done without hactool or hactoolnet:

AES decrypt (ECB, 128-bit, no padding) with mariko_kek as key: decrypt mariko_master_kek_source == master_kek
mariko_master_kek_source_11 = 4F413C3BFB6A012A689F83E953BD16D2
master_kek_11 = C618D3F... etc. (18.1.1)

AES decrypt (ECB, 128-bit, no padding) with master_kek_11 as key: decrypt master_key_source == master_key_11
master_key_source = D8A2410AC6C59001C61D6A267C513F3C
master_key_11 = 03D1D7... etc. (18.1.1)

You seem to misunderstand how this works in general.

https://github.com/Thealexbarney/LibHac/blob/master/src/LibHac/Common/Keys/KeyDerivation.cs#L295-L315

You can read more about the logic there. This is what gets called with --dev when running "hactoolnet -t keygen --dev".
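The two-step chain in the comment above (mariko_kek unlocks mariko_master_kek_source, master_kek unlocks master_key_source, both with single-block AES-128 ECB and no padding) as a small Go program. This is an added example, not code from this repository, LibHac or Atmosphere. It embeds only the two public sources quoted above; the mariko_kek it runs with is a constructed placeholder, so the printed values are not the real master_kek_11 / master_key_11. The key_hash gate from the top of the thread is mirrored by KeyHashMatches, which assumes (the page does not say) that the 64-hex-digit hash is SHA-256 of the raw key bytes. The same function also covers the Erista step (master_kek_source_%% decrypted with the matching tsec_root_key), since the primitive is identical.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
)

// Public derivation sources quoted in the thread (Mariko path, key generation 11,
// firmware 18.1.1). They are not secrets; the key that unlocks them (mariko_kek)
// is not on the page and is not embedded here.
const (
	MarikoMasterKekSource11Hex = "4F413C3BFB6A012A689F83E953BD16D2"
	MasterKeySourceHex         = "D8A2410AC6C59001C61D6A267C513F3C"
)

// MustHex decodes a hex literal or aborts; used only for fixed constants.
func MustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		log.Fatalf("bad hex literal %q: %v", s, err)
	}
	return b
}

// DecryptBlock is the only primitive the chain needs: one AES-128 block decrypted
// in ECB mode with no padding. cipher.Block.Decrypt from crypto/aes is exactly a
// single-block ECB operation, so no mode wrapper is involved.
func DecryptBlock(key, src []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, fmt.Errorf("key must be 16 bytes, got %d", len(key))
	}
	if len(src) != aes.BlockSize {
		return nil, fmt.Errorf("source must be one %d-byte block, got %d", aes.BlockSize, len(src))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	dst := make([]byte, aes.BlockSize)
	block.Decrypt(dst, src)
	return dst, nil
}

// EncryptBlock is the inverse primitive; it lets a caller confirm that a derived
// key really came from a given source under a given kek.
func EncryptBlock(key, src []byte) ([]byte, error) {
	if len(key) != 16 || len(src) != aes.BlockSize {
		return nil, fmt.Errorf("key and source must both be 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	dst := make([]byte, aes.BlockSize)
	block.Encrypt(dst, src)
	return dst, nil
}

// DeriveMasterKey walks the chain as the comment above spells it out:
//   master_kek = AES-ECB-decrypt(key = kek,        masterKekSource)
//   master_key = AES-ECB-decrypt(key = master_kek, masterKeySource)
// Mariko path: kek is mariko_kek, masterKekSource is mariko_master_kek_source_%%.
// Erista path: kek is the matching tsec_root_key, source is master_kek_source_%%.
func DeriveMasterKey(kek, masterKekSource, masterKeySource []byte) (masterKek, masterKey []byte, err error) {
	masterKek, err = DecryptBlock(kek, masterKekSource)
	if err != nil {
		return nil, nil, fmt.Errorf("master_kek: %w", err)
	}
	masterKey, err = DecryptBlock(masterKek, masterKeySource)
	if err != nil {
		return nil, nil, fmt.Errorf("master_key: %w", err)
	}
	return masterKek, masterKey, nil
}

// KeyHashMatches mirrors the key_hash gate at the top of the thread: compare a
// digest of the derived key against a known-good value instead of shipping the
// key itself. Assumption (not stated on the page): the hash is SHA-256 of the
// raw key bytes. Constant-time compare avoids leaking how many bytes matched.
func KeyHashMatches(key []byte, expectedHex string) bool {
	sum := sha256.Sum256(key)
	got := hex.EncodeToString(sum[:])
	return subtle.ConstantTimeCompare([]byte(got), []byte(expectedHex)) == 1
}

func main() {
	// Constructed placeholder: a real mariko_kek comes from the device, not a repo.
	placeholderKek := MustHex("000102030405060708090A0B0C0D0E0F")
	masterKek, masterKey, err := DeriveMasterKey(placeholderKek,
		MustHex(MarikoMasterKekSource11Hex), MustHex(MasterKeySourceHex))
	if err != nil {
		log.Fatal(err)
	}
	// With the placeholder kek these are NOT the real master_kek_11 / master_key_11.
	fmt.Printf("master_kek_11 = %X\nmaster_key_11 = %X\n", masterKek, masterKey)
}
```

Swap the placeholder for a mariko_kek dumped from your own console and the two printed values should match the C618D3F... and 03D1D7... prefixes quoted above; if they do not, the kek is wrong, not the sources.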

Thanks, it's hard to find all this info if you don't know what to look for or where to look. Not many people on forums can help with this level or want to share the knowledge. Thanks again.