se: Refactor with proper names

Additionally fix some bugs in rsa access control

bootloader/frontend/fe_emmc_tools.c

@@ -1,7 +1,7 @@
 /*
  * Copyright (c) 2018 naehrwert
  * Copyright (c) 2018 Rajko Stojadinovic
- * Copyright (c) 2018-2019 CTCaer
+ * Copyright (c) 2018-2021 CTCaer
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -27,6 +27,7 @@
 #include <libs/fatfs/ff.h>
 #include <mem/heap.h>
 #include <sec/se.h>
+#include <sec/se_t210.h>
 #include "../storage/nx_emmc.h"
 #include <storage/nx_sd.h>
 #include <storage/sdmmc.h>
@@ -96,7 +97,7 @@ static int _dump_emmc_verify(sdmmc_storage_t *storage, u32 lba_curr, char *outFi
 
 				se_calc_sha256_oneshot(hashEm, bufEm, num << 9);
 				se_calc_sha256_oneshot(hashSd, bufSd, num << 9);
-				res = memcmp(hashEm, hashSd, 0x10);
+				res = memcmp(hashEm, hashSd, SE_SHA_256_SIZE / 2);
 
 				if (res)
 				{

bootloader/frontend/fe_info.c

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2018 naehrwert
- * Copyright (c) 2018-2020 CTCaer
+ * Copyright (c) 2018-2021 CTCaer
  * Copyright (c) 2018 balika011
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
 #include <mem/smmu.h>
 #include <power/bq24193.h>
 #include <power/max17050.h>
+#include <sec/se_t210.h>
 #include <sec/tsec.h>
 #include <soc/fuse.h>
 #include <soc/i2c.h>
@@ -354,7 +355,7 @@ void print_tsec_key()
 		goto out_wait;
 	}
 
-	u8 keys[0x10 * 2];
+	u8 keys[SE_KEY_128_SIZE * 2];
 	memset(keys, 0x00, 0x20);
 
 	tsec_ctxt.fw = (u8 *)pkg1 + pkg1_id->tsec_off;
@@ -401,14 +402,14 @@ void print_tsec_key()
 
 	if (res >= 0)
 	{
-		for (u32 j = 0; j < 0x10; j++)
+		for (u32 j = 0; j < SE_KEY_128_SIZE; j++)
 			gfx_printf("%02X", keys[j]);
 
 		if (pkg1_id->kb == KB_FIRMWARE_VERSION_620)
 		{
 			gfx_printf("\n%kTSEC root: %k", 0xFF00DDFF, 0xFFCCCCCC);
-			for (u32 j = 0; j < 0x10; j++)
-				gfx_printf("%02X", keys[0x10 + j]);
+			for (u32 j = 0; j < SE_KEY_128_SIZE; j++)
+				gfx_printf("%02X", keys[SE_KEY_128_SIZE + j]);
 		}
 	}
 	else
@@ -423,7 +424,7 @@ void print_tsec_key()
 		{
 			char path[64];
 			emmcsn_path_impl(path, "/dumps", "tsec_keys.bin", NULL);
-			if (!sd_save_to_file(keys, 0x10 * 2, path))
+			if (!sd_save_to_file(keys, SE_KEY_128_SIZE * 2, path))
 				gfx_puts("\nDone!\n");
 			sd_end();
 		}

bootloader/frontend/fe_tools.c

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2018 naehrwert
- * Copyright (c) 2018-2019 CTCaer
+ * Copyright (c) 2018-2021 CTCaer
  * Copyright (c) 2018 Reisyukaku
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -31,6 +31,7 @@
 #include <mem/heap.h>
 #include <power/max7762x.h>
 #include <sec/se.h>
+#include <sec/se_t210.h>
 #include "../storage/nx_emmc.h"
 #include <storage/nx_sd.h>
 #include <storage/sdmmc.h>

bootloader/hos/hos.c

@@ -2,7 +2,7 @@
  * Copyright (c) 2018 naehrwert
  * Copyright (c) 2018 st4rk
  * Copyright (c) 2018 Ced2911
- * Copyright (c) 2018-2020 CTCaer
+ * Copyright (c) 2018-2021 CTCaer
  * Copyright (c) 2018 balika011
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -75,7 +75,7 @@ typedef struct _secmon_mailbox_t
 	u32 out;
 } secmon_mailbox_t;
 
-static const u8 keyblob_keyseeds[][0x10] = {
+static const u8 keyblob_keyseeds[][SE_KEY_128_SIZE] = {
 	{ 0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3 }, // 1.0.0.
 	{ 0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC }, // 3.0.0.
 	{ 0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B }, // 3.0.1.
@@ -84,19 +84,19 @@ static const u8 keyblob_keyseeds[][0x10] = {
 	{ 0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0 }  // 6.0.0.
 };
 
-static const u8 cmac_keyseed[0x10] =
+static const u8 cmac_keyseed[SE_KEY_128_SIZE] =
 	{ 0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5 };
 
-static const u8 master_keyseed_retail[0x10] =
+static const u8 master_keyseed_retail[SE_KEY_128_SIZE] =
 	{ 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
 
-static const u8 master_keyseed_4xx_5xx_610[0x10] =
+static const u8 master_keyseed_4xx_5xx_610[SE_KEY_128_SIZE] =
 	{ 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
 
-static const u8 master_keyseed_620[0x10] =
+static const u8 master_keyseed_620[SE_KEY_128_SIZE] =
 	{ 0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A };
 
-static const u8 master_kekseed_t210b01[][0x10] = {
+static const u8 master_kekseed_t210b01[][SE_KEY_128_SIZE] = {
 	{ 0x77, 0x60, 0x5A, 0xD2, 0xEE, 0x6E, 0xF8, 0x3C, 0x3F, 0x72, 0xE2, 0x59, 0x9D, 0xAC, 0x5E, 0x56 }, // 6.0.0.
 	{ 0x1E, 0x80, 0xB8, 0x17, 0x3E, 0xC0, 0x60, 0xAA, 0x11, 0xBE, 0x1A, 0x4A, 0xA6, 0x6F, 0xE4, 0xAE }, // 6.2.0.
 	{ 0x94, 0x08, 0x67, 0xBD, 0x0A, 0x00, 0x38, 0x84, 0x11, 0xD3, 0x1A, 0xDB, 0xDD, 0x8D, 0xF1, 0x8A }, // 7.0.0.
@@ -105,13 +105,13 @@ static const u8 master_kekseed_t210b01[][0x10] = {
 	{ 0x0E, 0x44, 0x0C, 0xED, 0xB4, 0x36, 0xC0, 0x3F, 0xAA, 0x1D, 0xAE, 0xBF, 0x62, 0xB1, 0x09, 0x82 }, // 9.1.0.
 };
 
-static const u8 console_keyseed[0x10] =
+static const u8 console_keyseed[SE_KEY_128_SIZE] =
 	{ 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
 
-static const u8 console_keyseed_4xx_5xx[0x10] =
+static const u8 console_keyseed_4xx_5xx[SE_KEY_128_SIZE] =
 	{ 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
 
-const u8 package2_keyseed[0x10] =
+const u8 package2_keyseed[SE_KEY_128_SIZE] =
 	{ 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7 };
 
 static void _hos_crit_error(const char *text)
@@ -124,30 +124,33 @@ static void _se_lock(bool lock_se)
 {
 	if (lock_se)
 	{
+		// Disable aes key read.
 		for (u32 i = 0; i < 16; i++)
 			se_key_acc_ctrl(i, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
 
+		// Disable RSA key read.
 		for (u32 i = 0; i < 2; i++)
 			se_rsa_acc_ctrl(i, SE_RSA_KEY_TBL_DIS_KEYREAD_FLAG);
-		SE(SE_TZRAM_SECURITY_0) = 0; // Make SE TZRAM secure only.
-		SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET) = 0; // Make all key access regs secure only.
-		SE(SE_RSA_KEYTABLE_ACCESS_LOCK_OFFSET) = 0; // Make all RSA access regs secure only.
-		SE(SE_SECURITY_0) &= 0xFFFFFFFB; // Make access lock regs secure only.
+
+		SE(SE_TZRAM_SECURITY_REG) = 0;                // Make SE TZRAM secure only.
+		SE(SE_CRYPTO_SECURITY_PERKEY_REG) = 0;        // Make all AES keys access secure only.
+		SE(SE_RSA_SECURITY_PERKEY_REG) = 0;           // Make all RSA keys access secure only.
+		SE(SE_SE_SECURITY_REG) &= ~SE_PERKEY_SETTING; // Make access lock regs secure only.
 	}
 
 	memset((void *)IPATCH_BASE, 0, 14 * sizeof(u32));
 	SB(SB_CSR) = SB_CSR_PIROM_DISABLE;
 
 	// This is useful for documenting the bits in the SE config registers, so we can keep it around.
-	/*gfx_printf("SE(SE_SECURITY_0) = %08X\n", SE(SE_SECURITY_0));
+	/*gfx_printf("SE(SE_SE_SECURITY_REG) = %08X\n", SE(SE_SE_SECURITY_REG));
 	gfx_printf("SE(0x4) = %08X\n", SE(0x4));
-	gfx_printf("SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET) = %08X\n", SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET));
-	gfx_printf("SE(SE_RSA_KEYTABLE_ACCESS_LOCK_OFFSET) = %08X\n", SE(SE_RSA_KEYTABLE_ACCESS_LOCK_OFFSET));
+	gfx_printf("SE(SE_CRYPTO_SECURITY_PERKEY_REG) = %08X\n", SE(SE_CRYPTO_SECURITY_PERKEY_REG));
+	gfx_printf("SE(SE_RSA_SECURITY_PERKEY_REG) = %08X\n", SE(SE_RSA_SECURITY_PERKEY_REG));
 	for(u32 i = 0; i < 16; i++)
-		gfx_printf("%02X ", SE(SE_KEY_TABLE_ACCESS_REG_OFFSET + i * 4) & 0xFF);
+		gfx_printf("%02X ", SE(SE_CRYPTO_KEYTABLE_ACCESS_REG + i * 4) & 0xFF);
 	gfx_putc('\n');
 	for(u32 i = 0; i < 2; i++)
-		gfx_printf("%02X ", SE(SE_RSA_KEYTABLE_ACCESS_REG_OFFSET + i * 4) & 0xFF);
+		gfx_printf("%02X ", SE(SE_RSA_KEYTABLE_ACCESS_REG + i * 4) & 0xFF);
 	gfx_putc('\n');
 	gfx_hexdump(SE_BASE, (void *)SE_BASE, 0x400);*/
 }
@@ -257,7 +260,7 @@ void hos_eks_save(u32 kb)
 
 			// Get keys.
 			u8 *keys = (u8 *)calloc(0x1000, 1);
-			se_get_aes_keys(keys + 0x800, keys, 0x10);
+			se_get_aes_keys(keys + 0x800, keys, SE_KEY_128_SIZE);
 
 			// Set magic and personalized info.
 			h_cfg.eks->magic = HOS_EKS_MAGIC;
@@ -265,18 +268,18 @@ void hos_eks_save(u32 kb)
 			h_cfg.eks->lot0 = FUSE(FUSE_OPT_LOT_CODE_0);
 
 			// Copy new keys.
-			memcpy(h_cfg.eks->dkg, keys + 10 * 0x10, 0x10);
-			memcpy(h_cfg.eks->dkk, keys + 15 * 0x10, 0x10);
+			memcpy(h_cfg.eks->dkg, keys + 10 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+			memcpy(h_cfg.eks->dkk, keys + 15 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
 
 			if (!h_cfg.aes_slots_new)
 			{
-				memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 12 * 0x10, 0x10);
-				memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 13 * 0x10, 0x10);
+				memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+				memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
 			}
 			else // New sept slots.
 			{
-				memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 13 * 0x10, 0x10);
-				memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 12 * 0x10, 0x10);
+				memcpy(h_cfg.eks->keys[key_idx].mkk, keys + 13 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
+				memcpy(h_cfg.eks->keys[key_idx].fdk, keys + 12 * SE_KEY_128_SIZE, SE_KEY_128_SIZE);
 			}
 
 			// Encrypt EKS blob.
@@ -288,7 +291,6 @@ void hos_eks_save(u32 kb)
 			memcpy(mbr + 0x80, eks, sizeof(hos_eks_mbr_t));
 			hos_eks_rw_try(mbr, true);
 
-
 			free(eks);
 			free(keys);
 out:
@@ -409,25 +411,25 @@ int hos_keygen(u8 *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos_c
 		if (h_cfg.eks && h_cfg.eks->enabled[key_idx] >= kb)
 		{
 			// Set Device keygen key to slot 10.
-			se_aes_key_set(10, h_cfg.eks->dkg, 0x10);
+			se_aes_key_set(10, h_cfg.eks->dkg, SE_KEY_128_SIZE);
 			// Set Device key to slot 15.
-			se_aes_key_set(15, h_cfg.eks->dkk, 0x10);
+			se_aes_key_set(15, h_cfg.eks->dkk, SE_KEY_128_SIZE);
 
 			if (!h_cfg.aes_slots_new)
 			{
 				// Set Master key to slot 12.
-				se_aes_key_set(12, h_cfg.eks->keys[key_idx].mkk, 0x10);
+				se_aes_key_set(12, h_cfg.eks->keys[key_idx].mkk, SE_KEY_128_SIZE);
 				// Set FW Device key key to slot 13.
-				se_aes_key_set(13, h_cfg.eks->keys[key_idx].fdk, 0x10);
+				se_aes_key_set(13, h_cfg.eks->keys[key_idx].fdk, SE_KEY_128_SIZE);
 				// Lock FDK.
 				se_key_acc_ctrl(13, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
 			}
 			else // New exosphere.
 			{
 				// Set Master key to slot 13.
-				se_aes_key_set(13, h_cfg.eks->keys[key_idx].mkk, 0x10);
+				se_aes_key_set(13, h_cfg.eks->keys[key_idx].mkk, SE_KEY_128_SIZE);
 				// Set FW Device key key to slot 12.
-				se_aes_key_set(12, h_cfg.eks->keys[key_idx].fdk, 0x10);
+				se_aes_key_set(12, h_cfg.eks->keys[key_idx].fdk, SE_KEY_128_SIZE);
 				// Lock FDK.
 				se_key_acc_ctrl(12, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
 			}
@@ -439,14 +441,14 @@ int hos_keygen(u8 *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos_c
 	else if (kb == KB_FIRMWARE_VERSION_620)
 	{
 		// Set TSEC key.
-		se_aes_key_set(12, tmp, 0x10);
+		se_aes_key_set(12, tmp, SE_KEY_128_SIZE);
 		// Set TSEC root key.
-		se_aes_key_set(13, tmp + 0x10, 0x10);
+		se_aes_key_set(13, tmp + SE_KEY_128_SIZE, SE_KEY_128_SIZE);
 
 		if (!(emu_cfg.enabled && !h_cfg.emummc_force_disable) && hos_ctxt->stock)
 		{
 			// Package2 key.
-			se_aes_key_set(8, tmp + 0x10, 0x10);
+			se_aes_key_set(8, tmp + SE_KEY_128_SIZE, SE_KEY_128_SIZE);
 			se_aes_unwrap_key(8, 8, master_keyseed_620);
 			se_aes_unwrap_key(8, 8, master_keyseed_retail);
 			se_aes_unwrap_key(8, 8, package2_keyseed);
@@ -484,7 +486,7 @@ int hos_keygen(u8 *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos_c
 		se_key_acc_ctrl(14, SE_KEY_TBL_DIS_KEYREAD_FLAG | SE_KEY_TBL_DIS_OIVREAD_FLAG | SE_KEY_TBL_DIS_UIVREAD_FLAG);
 
 		// Set TSEC key.
-		se_aes_key_set(13, tmp, 0x10);
+		se_aes_key_set(13, tmp, SE_KEY_128_SIZE);
 
 		// Derive keyblob keys from TSEC+SBK.
 		se_aes_crypt_block_ecb(13, 0, tmp, keyblob_keyseeds[0]);
@@ -506,9 +508,9 @@ int hos_keygen(u8 *keyblob, u32 kb, tsec_ctxt_t *tsec_ctxt, launch_ctxt_t *hos_c
 
 		// Decrypt keyblob and set keyslots.
 		se_aes_crypt_ctr(13, keyblob + 0x20, 0x90, keyblob + 0x20, 0x90, keyblob + 0x10);
-		se_aes_key_set(11, keyblob + 0x20 + 0x80, 0x10); // Package1 key.
-		se_aes_key_set(12, keyblob + 0x20, 0x10);
-		se_aes_key_set(13, keyblob + 0x20, 0x10);
+		se_aes_key_set(11, keyblob + 0x20 + 0x80, SE_KEY_128_SIZE); // Package1 key.
+		se_aes_key_set(12, keyblob + 0x20, SE_KEY_128_SIZE);
+		se_aes_key_set(13, keyblob + 0x20, SE_KEY_128_SIZE);
 
 		se_aes_crypt_block_ecb(12, 0, tmp, master_keyseed_retail);
 
@@ -1016,16 +1018,16 @@ int hos_launch(ini_sec_t *cfg)
 	case KB_FIRMWARE_VERSION_100_200:
 	case KB_FIRMWARE_VERSION_300:
 	case KB_FIRMWARE_VERSION_301:
-		se_key_acc_ctrl(12, SE_KEY_TBL_DIS_KEY_ACCESS_FLAG | SE_KEY_TBL_DIS_KEY_LOCK_FLAG);
-		se_key_acc_ctrl(13, SE_KEY_TBL_DIS_KEY_ACCESS_FLAG | SE_KEY_TBL_DIS_KEY_LOCK_FLAG);
+		se_key_acc_ctrl(12, SE_KEY_TBL_DIS_KEY_ACCESS_FLAG | SE_KEY_LOCK_FLAG);
+		se_key_acc_ctrl(13, SE_KEY_TBL_DIS_KEY_ACCESS_FLAG | SE_KEY_LOCK_FLAG);
 		bootStateDramPkg2 = 2;
 		bootStatePkg2Continue = 3;
 		break;
 	case KB_FIRMWARE_VERSION_400:
 	case KB_FIRMWARE_VERSION_500:
 	case KB_FIRMWARE_VERSION_600:
-		se_key_acc_ctrl(12, SE_KEY_TBL_DIS_KEY_ACCESS_FLAG | SE_KEY_TBL_DIS_KEY_LOCK_FLAG);
-		se_key_acc_ctrl(15, SE_KEY_TBL_DIS_KEY_ACCESS_FLAG | SE_KEY_TBL_DIS_KEY_LOCK_FLAG);
+		se_key_acc_ctrl(12, SE_KEY_TBL_DIS_KEY_ACCESS_FLAG | SE_KEY_LOCK_FLAG);
+		se_key_acc_ctrl(15, SE_KEY_TBL_DIS_KEY_ACCESS_FLAG | SE_KEY_LOCK_FLAG);
 	default:
 		bootStateDramPkg2 = 2;
 		bootStatePkg2Continue = 4;

bootloader/hos/pkg2.c

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2018 naehrwert
- * Copyright (c) 2018-2020 CTCaer
+ * Copyright (c) 2018-2021 CTCaer
  * Copyright (c) 2018 Atmosphère-NX
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
 #include <libs/fatfs/ff.h>
 #include <mem/heap.h>
 #include <sec/se.h>
+#include <sec/se_t210.h>
 #include "../storage/emummc.h"
 #include <storage/nx_sd.h>
 #include <utils/aarch64_util.h>
@@ -1335,7 +1336,7 @@ const char* pkg2_patch_kips(link_t *info, char* patchNames)
 	return NULL;
 }
 
-static const u8 mkey_vector_8xx[][0x10] =
+static const u8 mkey_vector_8xx[][SE_KEY_128_SIZE] =
 {
 	// Master key 8 encrypted with 9.  (8.1.0 with 9.0.0)
 	{ 0x4D, 0xD9, 0x98, 0x42, 0x45, 0x0D, 0xB1, 0x3C, 0x52, 0x0C, 0x9A, 0x44, 0xBB, 0xAD, 0xAF, 0x80 },
@@ -1346,10 +1347,10 @@ static const u8 mkey_vector_8xx[][0x10] =
 static bool _pkg2_key_unwrap_validate(pkg2_hdr_t *tmp_test, pkg2_hdr_t *hdr, u8 src_slot, u8 *mkey, const u8 *key_seed)
 {
 	// Decrypt older encrypted mkey.
-	se_aes_crypt_ecb(src_slot, 0, mkey, 0x10, key_seed, 0x10);
+	se_aes_crypt_ecb(src_slot, 0, mkey, SE_KEY_128_SIZE, key_seed, SE_KEY_128_SIZE);
 	// Set and unwrap pkg2 key.
 	se_aes_key_clear(9);
-	se_aes_key_set(9, mkey, 0x10);
+	se_aes_key_set(9, mkey, SE_KEY_128_SIZE);
 	se_aes_unwrap_key(9, 9, package2_keyseed);
 
 	// Decrypt header.
@@ -1383,9 +1384,9 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
 	// Decrypt older pkg2 via new mkeys.
 	if ((kb >= KB_FIRMWARE_VERSION_810) && (kb < KB_FIRMWARE_VERSION_MAX))
 	{
-		u8 tmp_mkey[0x10];
+		u8 tmp_mkey[SE_KEY_128_SIZE];
 		u8 decr_slot = !h_cfg.t210b01 ? (!h_cfg.aes_slots_new ? 12 : 13) : 7; // Sept mkey or T210B01 mkey.
-		u8 mkey_seeds_cnt = sizeof(mkey_vector_8xx) / 0x10;
+		u8 mkey_seeds_cnt = sizeof(mkey_vector_8xx) / SE_KEY_128_SIZE;
 		u8 mkey_seeds_idx = mkey_seeds_cnt; // Real index + 1.
 		u8 mkey_seeds_min_idx = mkey_seeds_cnt - (KB_FIRMWARE_VERSION_MAX - kb);
 
@@ -1405,7 +1406,7 @@ pkg2_hdr_t *pkg2_decrypt(void *data, u8 kb)
 				// Set current mkey in order to decrypt a lower mkey.
 				mkey_seeds_idx--;
 				se_aes_key_clear(9);
-				se_aes_key_set(9, tmp_mkey, 0x10);
+				se_aes_key_set(9, tmp_mkey, SE_KEY_128_SIZE);
 
 				decr_slot = 9; // Temp key.
 
@@ -1439,7 +1440,7 @@ DPRINTF("sec %d has size %08X\n", i, hdr->sec_size[i]);
 		if (!hdr->sec_size[i])
 			continue;
 
-		se_aes_crypt_ctr(pkg2_keyslot, pdata, hdr->sec_size[i], pdata, hdr->sec_size[i], &hdr->sec_ctr[i * 0x10]);
+		se_aes_crypt_ctr(pkg2_keyslot, pdata, hdr->sec_size[i], pdata, hdr->sec_size[i], &hdr->sec_ctr[i * SE_AES_IV_SIZE]);
 		//gfx_hexdump((u32)pdata, pdata, 0x100);
 
 		pdata += hdr->sec_size[i];
@@ -1469,7 +1470,7 @@ DPRINTF("adding kip1 '%s' @ %08X (%08X)\n", ki->kip1->name, (u32)ki->kip1, ki->s
 	{
 		hdr->sec_size[PKG2_SEC_INI1] = ini1_size;
 		hdr->sec_off[PKG2_SEC_INI1] = 0x14080000;
-		se_aes_crypt_ctr(8, ini1, ini1_size, ini1, ini1_size, &hdr->sec_ctr[PKG2_SEC_INI1 * 0x10]);
+		se_aes_crypt_ctr(8, ini1, ini1_size, ini1, ini1_size, &hdr->sec_ctr[PKG2_SEC_INI1 * SE_AES_IV_SIZE]);
 	}
 	else
 	{
@@ -1526,7 +1527,7 @@ DPRINTF("%s @ %08X (%08X)\n", is_meso ? "Mesosphere": "kernel",(u32)ctxt->kernel
 		hdr->sec_off[PKG2_SEC_KERNEL] = 0x60000;
 	}
 	hdr->sec_size[PKG2_SEC_KERNEL] = kernel_size;
-	se_aes_crypt_ctr(pkg2_keyslot, pdst, kernel_size, pdst, kernel_size, &hdr->sec_ctr[PKG2_SEC_KERNEL * 0x10]);
+	se_aes_crypt_ctr(pkg2_keyslot, pdst, kernel_size, pdst, kernel_size, &hdr->sec_ctr[PKG2_SEC_KERNEL * SE_AES_IV_SIZE]);
 	pdst += kernel_size;
 DPRINTF("kernel encrypted\n");
 
@@ -1549,7 +1550,7 @@ DPRINTF("INI1 encrypted\n");
 	*(u32 *)hdr->ctr = 0x100 + sizeof(pkg2_hdr_t) + kernel_size + ini1_size;
 	hdr->ctr[4] = key_ver;
 	se_aes_crypt_ctr(pkg2_keyslot, hdr, sizeof(pkg2_hdr_t), hdr, sizeof(pkg2_hdr_t), hdr);
-	memset(hdr->ctr, 0 , 0x10);
+	memset(hdr->ctr, 0 , SE_AES_IV_SIZE);
 	*(u32 *)hdr->ctr = 0x100 + sizeof(pkg2_hdr_t) + kernel_size + ini1_size;
 	hdr->ctr[4] = key_ver;