Line 84: |
Line 84: |
| The master static seed selected depends on whether the unit type is zero and whether the last byte of the bootloader's RSA modulus is 0x4F. | | The master static seed selected depends on whether the unit type is zero and whether the last byte of the bootloader's RSA modulus is 0x4F. |
| | | |
− | This method is described on the [[Cryptosystem|cryptosystem]] page.
| + | * Falcon microcode is loaded, the device keyblob seed generation key is obtained from the Falcon. |
| + | * The device keyblob seed generation key is stored in keyslot 0xD. |
| + | * [3.0.0+] keyblob key seed 1 is generated by decrypting the keyblob seed constant 1 with the device keyblob seed generation key |
| + | * [3.0.0+] keyblob key 1 is generated by decrypting keyblob key seed 1 with the SBK. The result is directly stored in keyslot 0xA without leaving the crypto engine. |
| + | * keyblob key seed N is generated by decrypting the keyblob seed constant N with the device keyblob seed generation key |
| + | * keyblob key N is generated by decrypting keyblob key seed N with the SBK. The result is directly stored in keyslot 0xD without leaving the crypto engine. |
| + | * The SBK and the SSK are cleared. |
| + | * The constant MAC key generator block is decrypted with keyblob key N to generate keyblob MAC key N. The result is directly stored in keyslot 0xB without leaving the crypto engine. |
| + | * With keyblob MAC key N, AES CMAC is performed over the keyblob. |
| + | * With a comparison function which is safe against timing attacks, the CMAC is compared with the stored CMAC. If they differ, panic is called. |
| + | * The keyblob data is decrypted with AES-CTR, using the keyblob key N and the stored CTR. |
| + | * The stage 2 decryption key (the ninth key in the blob) is loaded in keyslot 0xB. |
| + | * The master static key encryption key. is loaded in keyslot 0xC. |
| + | * The decrypted keyblob data is erased. |
| + | * The master static key is generated by decrypting the master static seed with the master static key encryption key. The result is directly stored in keyslot 0xC without leaving the crypto engine. |
| + | * [1.0.0-2.3.0] The master device key is generated by decrypting a constant block with keyslot 0xD (which contains keyblob N's key 1). The result is directly stored in keyslot 0xD without leaving the crypto engine. |
| + | * [3.0.0+] The master device key is generated by decrypting a constant block with keyslot 0xA (which contains keyblob 1's key 1). The result is directly stored in keyslot 0xD without leaving the crypto engine. |
| + | * [3.0.0+] Keyslot 0xA is cleared. |
| | | |
| ==== Secondary method ==== | | ==== Secondary method ==== |