I am trying to create an offline red blob and then have it decrypt appropriately on the hardware, I am using a t1040rdb for the current test and it is currently in non-secure mode. The documentation implies that the BKEK is derived from the MASTERKEY(256 bit) appended with my Modifier(128bit) and a 2 byte pad (some docs have values and some say it is the blob type 16 bits) I have used all 65k combinations for the pad in this effort to rule out any discrepancies. In non secure mode a test key is suppose to be used and is documented to be all zeros in place of the OTPMK for the master key. However when I create a unsigned char array of 32 zero's along with my modifier used to create a test blob and any combination for the 2 byte pad then a sha 256 of that message, I don't get the bkek returned in the test blob. Can someone clearify what I am missing? Or where I can view the test key being used for the test blob? Or if I need to set something in order to make it zeros, since that is also implied in some of the manuals.
Thanks in advance.