Yuuki/Lockpick_RCM
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Validate mariko keyslot contents; dump class keys

Browse source
This commit is contained in:
shchmue 2021-08-21 16:02:19 -06:00
parent fe17b12ea7
commit d84ab5796a
3 changed files with 104 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

23
README.md
View file

@ -11,6 +11,29 @@ Usage
* Upon completion, keys will be saved to `/switch/prod.keys` and titlekeys to `/switch/title.keys` on SD
* If the console has Firmware 7.x or higher, the `/sept/` folder from [Atmosphère](https://github.com/Atmosphere-NX/Atmosphere/releases) or [Kosmos](https://github.com/AtlasNX/Kosmos/releases) release zip must be present on SD or else only keyblob master key derivation is possible (ie. up to `master_key_05` only)
Mariko-Specific Keys
=
Mariko consoles have several unique keys and protected keyslots. To get your SBK or the Mariko specific keys, you will need to use the `/switch/partialaes.keys` file along with a brute forcing tool such as <https://files.sshnuke.net/PartialAesKeyCrack.zip>. The contents of this file are the keyslot number followed by the result of that keyslot encrypting 16 null bytes. With the tool linked above, enter them in sequence for a given keyslot you want the contents of, for example: `PartialAesKeyCrack.exe <num1> <num2> <num3> <num4>` with the `--numthreads=N` where N is the number of threads you can dedicate to the brute force.
The keyslots are as follows, with names recognized by `hactool`:
* 0-11 - `mariko_aes_class_key_xx` (this is not used by the Switch but is set by the bootrom; hactoolnet recognizes it but it serves no purpose)
* 12 - `mariko_kek` (not unique - this is used for master key derivation)
* 13 - `mariko_bek` (not unique - this is used for BCT and package1 decryption)
* 14 - `secure_boot_key` (console unique - this isn't needed for further key derivation than what Lockpick_RCM does but might be nice to have for your records)
* 15 - Secure storage key (console unique - this is not used on retail or dev consoles and not recognized by any tools)
So if you want to brute force the `mariko_kek`, open your `partialaes.keys` and observe the numbers beneath keyslot 12. Here's an example with fake numbers:
```
12
11111111111111111111111111111111 22222222222222222222222222222222 33333333333333333333333333333333 44444444444444444444444444444444
```
Then take those numbers and open a command prompt window at the location of the exe linked above and type:
`PartialAesKeyCrack.exe 11111111111111111111111111111111 22222222222222222222222222222222 33333333333333333333333333333333 44444444444444444444444444444444` and if you're on a powerful enough multicore system, add ` --numthreads=[whatever number of threads]`, ideally not your system's maximum if it's, for example, an older laptop with a low-end dual core CPU. On a Ryzen 3900x with 24 threads this generates a lot of heat but finishes in about 45 seconds.
These keys never change so a brute force need only be conducted once.
This works due to the security engine immediately flushing writes to keyslots which can be written one 32-bit chunk at a time. See: <https://switchbrew.org/wiki/Switch_System_Flaws#Hardware>
Building
=
Install [devkitARM](https://devkitpro.org/) and run `make`.