How to dump the latest master key (master_key_06) + others
Here's a quick guide/code snippet for dumping the latest master key, as well as the tsec_root_key.
Add this to line 144 of key_derivation.c in atmosphere/fusee_secondary, then compile atmosphere as usual:
Alternatively, attached is a pre-compiled fusee_secondary.bin (for version 0.8.1) to save you the trouble of compiling atmosphere.
Place the fusee_secondary.bin file on the root of your SD card, boot atmosphere as normal, and the keys will be dumped to prod.keys (or dev.keys if using a dev unit).
Add this to line 144 of key_derivation.c in atmosphere/fusee_secondary, then compile atmosphere as usual:
Code:
if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
if (memcmp(tsec_root_key, zeroes, 0x10) != 0) {
/* Determine filename based on whether the device is a retail or dev unit. */
char *filename = fuse_get_retail_type() ? "prod.keys" : "dev.keys";
/* Open the key file for writing. */
FILE *keyf = fopen(filename, "wb");
/* Log to screen. */
printf("[NXBOOT]: Dumping keys to %s...\n", filename);
/* Print the name of the key. */
fprintf(keyf, "tsec_root_key = ");
/* Print the tsec_root_key as an uppercase hex string to the key file. */
for (int i = 0; i < 16; i++) {
fprintf(keyf, "%02X", ((uint8_t*)tsec_root_key)[i]);
}
/* Print the name of the key. */
fprintf(keyf, "\nmaster_kek_source_06 = ");
/* Print master_key_source_06 as an uppercase hex string to the key file. */
for (int i = 0; i < 16; i++) {
fprintf(keyf, "%02X", new_master_kek_seeds[0][i]);
}
/* Print the name of the key. */
fprintf(keyf, "\nmaster_key_06 = ");
/* Set keyslot 0xC with the tsec_root_key. */
set_aes_keyslot(0xC, tsec_root_key, 0x10);
for (unsigned int rev = MASTERKEY_REVISION_620_CURRENT; rev < MASTERKEY_REVISION_MAX; rev++) {
/* Decrypt the new master kek seed with the contents of keyslot 0xC (tsec_root_key) and write the result to work_buffer. */
se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
/* Set keyslot 0xC to the derived value stored in work_buffer */
set_aes_keyslot(0xC, work_buffer, 0x10);
/* Lastly, decrypt the masterkey_seed with the contents of keyslot 0xC (the master_kek) and write the result to work_buffer. */
se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, masterkey_seed, 0x10);
/* Print work_buffer as an uppercase hex string to the key file. (this is master_key_06!) */
for (int i = 0; i < 16; i++) {
fprintf(keyf, "%02X", work_buffer[i]);
}
/* Set keyslot 0xC back to its intended value. */
set_aes_keyslot(0xC, tsec_root_key, 0x10);
se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
memcpy(g_dec_keyblobs[rev].master_kek, work_buffer, 0x10);
}
fclose(keyf);
} else {
Alternatively, attached is a pre-compiled fusee_secondary.bin (for version 0.8.1) to save you the trouble of compiling atmosphere.
Place the fusee_secondary.bin file on the root of your SD card, boot atmosphere as normal, and the keys will be dumped to prod.keys (or dev.keys if using a dev unit).