The new key generation explained:
The switch has an Nvidia coprocessor ( a second processor) inside of it called the TSEC or Falcon that handles cryptographic operations like AES and verifying signatures. This processor is ordinarily supplied a firmware when the switch boots and then hands over the TSEC key to the boot loader so it can decrypt and load the rest of the firmware.
What was changed in 6.2 is that the TSEC firmware now derives one of the decryption keys internally rather than letting the boot loader do it. This means that despite having full control over the boot process, the derivation of this key now happens secretly where we cannot see it.
I'm looking at the TSEC firmware now to research this process but it may be simply out of our reach unless we can exploit or trick the TSEC into doing what we want or leaking the info. Here is a screenshot I took of reverse engineering the 6.2 TSEC firmware.
View attachment 149848