29
edits
Changes
Jump to navigation
Jump to search
Line 41:
Line 41: − + Line 121:
Line 121: − +
Details on the unknown 0x10-long seed
The key is generated using the [[AES|AES Engine]] key generator, where the keyX is set by the bootrom (see below for the keyslots) and the keyY is the first 0x10 bytes of the NCCH signature. This method of key generation is referred to as "secure-crypto".
The key is generated using the [[AES|AES Engine]] key generator, where the keyX is set by the bootrom (see below for the keyslots) and the keyY is the first 0x10 bytes of the NCCH signature. This method of key generation is referred to as "secure-crypto".
Starting with [[9.6.0-24|9.6.0-X]] Process9 can now generate the NCCH keyY with the first 0x10-bytes from a SHA256 hash (when ncchflag[7] has bitmask 0x20 set). This hash is generated with the data <0x10-long old-method keyY><unknown 0x10-bytes>. This new keyY generation can only be used with [[7.0.0-13|7.0.0-X]] NCCH encryption or above(that is, the new keyY is only used with the non-0x2C-keyslots).
Starting with [[9.6.0-24|9.6.0-X]] Process9 can now generate the NCCH keyY with the first 0x10-bytes from a SHA256 hash (when ncchflag[7] has bitmask 0x20 set). This hash is generated with the data <0x10-long old-method keyY><0x10-long title-unique seed>, where seeds for downloaded titles that use the new crypto are stored in SEEDDB (nand:/data/<console-unique>/sysdata/0001000f/00000000). This new keyY generation can only be used with [[7.0.0-13|7.0.0-X]] NCCH encryption or above (that is, the new keyY is only used with the non-0x2C-keyslots).
If a certain NCCH flag is set, a fixed AES key is used. There are two fixed keys, one for titles which have the system category bit set (SystemFixedKey), and one for the rest ("zeros" key). These are debug keys, as they aren't nomally supported on retail systems.
If a certain NCCH flag is set, a fixed AES key is used. There are two fixed keys, one for titles which have the system category bit set (SystemFixedKey), and one for the rest ("zeros" key). These are debug keys, as they aren't nomally supported on retail systems.
| 0x114
| 0x114
| 4
| 4
| When ncchflag[7] = 0x20 starting with FIRM [[9.6.0-24|9.6.0-X]], this is compared with the first output u32 from a SHA256 hash. The data used for that hash is 0x18-bytes: <unknown 0x10 bytes> <programID from NCCH+0x118>. This hash seems to be purely for verification of 0x10-long keyY hash data, and is not the actual keyY.
| When ncchflag[7] = 0x20 starting with FIRM [[9.6.0-24|9.6.0-X]], this is compared with the first output u32 from a SHA256 hash. The data used for that hash is 0x18-bytes: <0x10-long title-unique seed> <programID from NCCH+0x118>. This hash seems to be purely for verification of 0x10-long keyY hash data, and is not the actual keyY.
|-
|-
| 0x118
| 0x118