Tutorial How to dump the latest master key (master_key_06) + others

SimonMKWii

Here's a quick guide/code snippet for dumping the latest master key, as well as the tsec_root_key.

Add this to line 144 of key_derivation.c in atmosphere/fusee_secondary, then compile atmosphere as usual:

Code:
    if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
        if (memcmp(tsec_root_key, zeroes, 0x10) != 0) {
            /* Determine filename based on whether the device is a retail or dev unit. */
            const char *filename = fuse_get_retail_type() ? "prod.keys" : "dev.keys";
            /* Open the key file for writing. keyf is NULL if this fails; the file writes below are then skipped. */
            FILE *keyf = fopen(filename, "wb");
            /* Log to screen. */
            printf("[NXBOOT]: Dumping keys to %s...\n", filename);
            if (keyf != NULL) {
                /* Print the name of the key. */
                fprintf(keyf, "tsec_root_key = ");
                /* Print the tsec_root_key as an uppercase hex string to the key file. */
                for (int i = 0; i < 16; i++) {
                    fprintf(keyf, "%02X", ((uint8_t*)tsec_root_key)[i]);
                }
                /* Print the name of the key. */
                fprintf(keyf, "\nmaster_kek_source_06 = ");
                /* Print master_kek_source_06 as an uppercase hex string to the key file. */
                for (int i = 0; i < 16; i++) {
                    fprintf(keyf, "%02X", new_master_kek_seeds[0][i]);
                }
                /* Print the name of the key. */
                fprintf(keyf, "\nmaster_key_06 = ");
            }
            /* Set keyslot 0xC with the tsec_root_key. */
            set_aes_keyslot(0xC, tsec_root_key, 0x10);
            for (unsigned int rev = MASTERKEY_REVISION_620_CURRENT; rev < MASTERKEY_REVISION_MAX; rev++) {
                /* Decrypt the new master kek seed with the contents of keyslot 0xC (tsec_root_key) and write the result to work_buffer. */
                se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
                /* Set keyslot 0xC to the derived value stored in work_buffer */
                set_aes_keyslot(0xC, work_buffer, 0x10);
                /* Lastly, decrypt the masterkey_seed with the contents of keyslot 0xC (the master_kek) and write the result to work_buffer. */
                se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, masterkey_seed, 0x10);
                /* Print work_buffer as an uppercase hex string to the key file. (this is master_key_06!) */
                if (keyf != NULL) {
                    for (int i = 0; i < 16; i++) {
                        fprintf(keyf, "%02X", work_buffer[i]);
                    }
                }
                /* Set keyslot 0xC back to its intended value. */
                set_aes_keyslot(0xC, tsec_root_key, 0x10);
                se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
                memcpy(g_dec_keyblobs[rev].master_kek, work_buffer, 0x10);
            }
            if (keyf != NULL) {
                fclose(keyf);
            }
        } else {

Alternatively, attached is a pre-compiled fusee_secondary.bin (for version 0.8.1) to save you the trouble of compiling atmosphere.

Place the fusee_secondary.bin file on the root of your SD card, boot atmosphere as normal, and the keys will be dumped to prod.keys (or dev.keys if using a dev unit).
 

Attachments

  • fusee-secondary.zip
    905.7 KB · Views: 859
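
Added example, not part of the original post or of Atmosphere: a small C checker for the "name = HEX" lines that the snippet above writes to prod.keys or dev.keys. It also flags a failure mode visible in the snippet: the "master_key_06 = " label is printed once before the loop, so if the loop ran for more than one revision the 16-byte values would run together on one line. The function names and the sample key values are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum key_status { KEY_OK, KEY_NO_SEPARATOR, KEY_BAD_HEX, KEY_BAD_LENGTH };

/* Check one "name = HEX" line; on KEY_OK the 16 key bytes are stored in out. */
enum key_status check_key_line(const char *line, unsigned char out[16]) {
    size_t len = strcspn(line, "\r\n");
    const char *sep = strstr(line, " = ");
    /* The separator must exist, follow a name, and lie inside this line. */
    if (sep == NULL || sep == line || (size_t)(sep - line) >= len)
        return KEY_NO_SEPARATOR;
    const char *hex = sep + 3;
    size_t n = strcspn(hex, "\r\n");            /* value ends at end of line */
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)hex[i])) return KEY_BAD_HEX;
    if (n != 32) return KEY_BAD_LENGTH;         /* 0x10 bytes = 32 hex digits */
    for (size_t i = 0; i < 16; i++) {
        unsigned int byte = 0;
        sscanf(hex + 2 * i, "%2x", &byte);
        out[i] = (unsigned char)byte;
    }
    return KEY_OK;
}

/* Walk a whole key-file buffer and return how many non-empty lines fail. */
int count_bad_lines(const char *text) {
    int bad = 0;
    unsigned char key[16];
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        if (strcspn(text, "\r\n") > 0 && check_key_line(text, key) != KEY_OK)
            bad++;
        text += len;
        if (*text == '\n') text++;
    }
    return bad;
}

int main(void) {
    /* Constructed sample: the second value is two 16-byte keys run together. */
    const char *sample =
        "tsec_root_key = 000102030405060708090A0B0C0D0E0F\n"
        "master_key_06 = 000102030405060708090A0B0C0D0E0F"
        "101112131415161718191A1B1C1D1E1F";
    printf("bad lines: %d\n", count_bad_lines(sample));
    return 0;
}
```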

Selver

Add this to line 144 of key_derivation.c in atmosphere/fusee_secondary, then compile atmosphere as usual:

Can you give a GIT repo link and corresponding GIT commit hash for the source you apply this to?

As you know, giving a line number makes the instructions heavily dependent on a specific revision. Giving the git commit hash the instructions are based on removes (future) ambiguity.

Thanks!
 

Selver

Fusee-secondary does not dump the keys, it only initializes them for internal use.
It's OK, I was able to modify the file enough for my use.
 

SimonMKWii

Sorry, I should have clarified, replace lines 144-152 with the code snippet.
Although you may want to alter it a little bit and add another buffer for the derived master_kek to prevent performing the same crypto operation twice.
 

midstor

Thanks <3 very g00d work
 