How to dump the latest master key (master_key_06) + others

Discussion in 'Switch - Tutorials' started by SimonMKWii, Dec 4, 2018 at 9:03 AM.

  1. SimonMKWii
    OP

    Here's a quick guide/code snippet for dumping the latest master key, as well as the tsec_root_key.

    Add this to line 144 of key_derivation.c in atmosphere/fusee_secondary, then compile atmosphere as usual:

    Code:
        if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
            if (memcmp(tsec_root_key, zeroes, 0x10) != 0) {
                /* Determine filename based on whether the device is a retail or dev unit. */
                char *filename = fuse_get_retail_type() ? "prod.keys" : "dev.keys";
                /* Open the key file for writing. */
                FILE *keyf = fopen(filename, "wb");
                /* Log to screen. */
                printf("[NXBOOT]: Dumping keys to %s...\n", filename);
                /* Print the name of the key. */
                fprintf(keyf, "tsec_root_key = ");
                /* Print the tsec_root_key as an uppercase hex string to the key file. */
                for (int i = 0; i < 16; i++) {
                    fprintf(keyf, "%02X", ((uint8_t*)tsec_root_key)[i]);
                }
                /* Print the name of the key. */
                fprintf(keyf, "\nmaster_kek_source_06 = ");
                /* Print master_kek_source_06 as an uppercase hex string to the key file. */
                for (int i = 0; i < 16; i++) {
                    fprintf(keyf, "%02X", new_master_kek_seeds[0][i]);
                }
                /* Print the name of the key. */
                fprintf(keyf, "\nmaster_key_06 = ");
                /* Set keyslot 0xC with the tsec_root_key. */
                set_aes_keyslot(0xC, tsec_root_key, 0x10);
                for (unsigned int rev = MASTERKEY_REVISION_620_CURRENT; rev < MASTERKEY_REVISION_MAX; rev++) {
                    /* Decrypt the new master kek seed with the contents of keyslot 0xC (tsec_root_key) and write the result to work_buffer. */
                    se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
                    /* Set keyslot 0xC to the derived value stored in work_buffer */
                    set_aes_keyslot(0xC, work_buffer, 0x10);
                    /* Lastly, decrypt the masterkey_seed with the contents of keyslot 0xC (the master_kek) and write the result to work_buffer. */
                    se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, masterkey_seed, 0x10);
                    /* Print work_buffer as an uppercase hex string to the key file. (this is master_key_06!) */
                    for (int i = 0; i < 16; i++) {
                        fprintf(keyf, "%02X", work_buffer[i]);
                    }
                    /* Set keyslot 0xC back to its intended value. */
                    set_aes_keyslot(0xC, tsec_root_key, 0x10);
                    se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
                    memcpy(g_dec_keyblobs[rev].master_kek, work_buffer, 0x10);
                }
                fclose(keyf);
            } else {
    
    Alternatively, attached is a pre-compiled fusee_secondary.bin (for version 0.8.1) to save you the trouble of compiling atmosphere.

    Place the fusee_secondary.bin file on the root of your SD card, boot atmosphere as normal, and the keys will be dumped to prod.keys (or dev.keys if using a dev unit).
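
Added example, not part of the original post: a small checker for the file format the snippet writes with its `fprintf` calls (`name = ` followed by 32 hex digits for a 16-byte value, last line without a trailing newline). The function names `parse_key_line` and `check_dump` are hypothetical, and the sample values are constructed, not real key material.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_SIZE 0x10

/* Parse one "name = HEX" line. Returns 0 and fills name/key on success, -1 if malformed.
 * The digit checks short-circuit at the terminator, so a short value is never over-read. */
int parse_key_line(const char *line, char *name, size_t name_cap, uint8_t key[KEY_SIZE]) {
    const char *sep = strstr(line, " = ");
    if (sep == NULL || sep == line || (size_t)(sep - line) >= name_cap) return -1;
    snprintf(name, name_cap, "%.*s", (int)(sep - line), line);
    const char *hex = sep + 3;
    for (int i = 0; i < KEY_SIZE; i++) {
        unsigned int byte;
        if (!isxdigit((unsigned char)hex[2 * i]) || !isxdigit((unsigned char)hex[2 * i + 1]) ||
            sscanf(hex + 2 * i, "%2x", &byte) != 1) return -1;
        key[i] = (uint8_t)byte;
    }
    /* Exactly 32 hex digits: only '\r', '\n' or the terminator may follow
     * (strchr also matches the terminating '\0' of its search string). */
    return strchr("\r\n", hex[2 * KEY_SIZE]) != NULL ? 0 : -1;
}

/* Returns a bitmask of the expected entries that are present and well-formed (7 = all three). */
int check_dump(const char *text) {
    static const char *expected[3] = {"tsec_root_key", "master_kek_source_06", "master_key_06"};
    char line[128], name[64];
    uint8_t key[KEY_SIZE];
    int mask = 0;
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        if (len < sizeof(line)) {
            snprintf(line, sizeof(line), "%.*s", (int)len, text);
            if (parse_key_line(line, name, sizeof(name), key) == 0)
                for (int i = 0; i < 3; i++)
                    if (strcmp(name, expected[i]) == 0) mask |= 1 << i;
        }
        text += len + (text[len] == '\n');
    }
    return mask;
}

/* Constructed sample (not real key material); no trailing newline, as the snippet writes it. */
static const char SAMPLE[] = "tsec_root_key = 000102030405060708090A0B0C0D0E0F\n"
    "master_kek_source_06 = 101112131415161718191A1B1C1D1E1F\n"
    "master_key_06 = 202122232425262728292A2B2C2D2E2F";
int main(void) { printf("mask = %d\n", check_dump(SAMPLE)); return 0; }
```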
     

  4. Selver

    Can you give a GIT repo link and corresponding GIT commit hash for the source you apply this to?

    As you know, giving a line number makes the instructions heavily dependent on a specific revision. Giving the git commit hash the instructions are based on removes (future) ambiguity.

    Thanks!
     
  6. Selver

    Fusee-secondary does not dump the keys, it only initializes them for internal use.
    It's OK, I was able to modify the file enough for my use.
     
  7. SimonMKWii
    OP

    Sorry, I should have clarified, replace lines 144-152 with the code snippet.
    Although you may want to alter it a little bit and add another buffer for the derived master_kek to prevent performing the same crypto operation twice.
     
  8. midstor

    Thanks <3 very g00d work
     
  9. OrGoN3

    Sure. Don't mind if I do! I assume tsec_root_key is console unique?
     
  10. SimonMKWii
    OP

    tsec_root_key isn't console unique.
     