diff --git a/firmware/storage.c b/firmware/storage.c
index 478269446d..8d7f15a568 100644
--- a/firmware/storage.c
+++ b/firmware/storage.c
@@ -323,9 +323,14 @@ bool storage_getRootNode(HDNode *node, const char *curve)
 		if (storage.has_passphrase_protection && storage.passphrase_protection && sessionPassphraseCached && strlen(sessionPassphrase) > 0) {
 			// decrypt hd node
 			uint8_t secret[64];
-			uint8_t salt[12];
-			memcpy(salt, "TREZORHD", 8);
-			pbkdf2_hmac_sha512((const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), salt, 8, BIP39_PBKDF2_ROUNDS, secret, 64, get_root_node_callback);
+			PBKDF2_HMAC_SHA512_CTX pctx;
+			pbkdf2_hmac_sha512_Init(&pctx, (const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), (const uint8_t *)"TREZORHD", 8);
+			get_root_node_callback(0, BIP39_PBKDF2_ROUNDS);
+			for (int i = 0; i < 8; i++) {
+				pbkdf2_hmac_sha512_Update(&pctx, BIP39_PBKDF2_ROUNDS / 8);
+				get_root_node_callback((i + 1) * BIP39_PBKDF2_ROUNDS / 8, BIP39_PBKDF2_ROUNDS);
+			}
+			pbkdf2_hmac_sha512_Final(&pctx, secret);
 			aes_decrypt_ctx ctx;
 			aes_decrypt_key256(secret, &ctx);
 			aes_cbc_decrypt(node->chain_code, node->chain_code, 32, secret + 32, &ctx);