Nintendo Switch Brew

Secure Monitor: Difference between revisions

← Older edit
 
(28 intermediate revisions by 4 users not shown)
Line 1: Line 1:
= Secure Monitor Calls =
= SMC =
The secure monitor provides two top level handlers of which each provides a range of sub handlers.
The secure monitor provides two top level handlers of which each provides a range of sub handlers.


Line 168: Line 168:
| 0xC3000004 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId0]])
| 0xC3000004 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId0]])
|-
|-
| 0xC3000005 || [[#GenerateRandomBytes|GenerateRandomBytesNonBlocking]] (same as in [[#FunctionId0]])
| 0xC3000005 || [[#GenerateRandomBytes|GenerateRandomBytesNonBlocking]]
|-
|-
| 0xC3000006 || [[#ShowError|ShowError]]
| 0xC3000006 || [[#ShowError|ShowError]]
Line 204: Line 204:
| 1 || [[#DisableProgramVerification]]
| 1 || [[#DisableProgramVerification]]
|-
|-
| 2 || [[#DramId]]
| 2 || [S1] [[#DramId]]
|-
|-
| 3 || [[#SecurityEngineInterruptNumber]]
| 3 || [[#SecurityEngineInterruptNumber]]
|-
|-
| 4 || [[#FuseVersion]]
| 4 || [S1] [[#FuseVersion]]
|-
|-
| 5 || [[#HardwareType]]
| 5 || [[#HardwareType]]
Line 214: Line 214:
| 6 || [[#HardwareState]]
| 6 || [[#HardwareState]]
|-
|-
| 7 || [[#IsRecoveryBoot]]
| 7 || [S1] [[#IsRecoveryBoot]]
|-
|-
| 8 || [[#DeviceId]]
| 8 || [[#DeviceId]]
Line 226: Line 226:
| 12 || [[#KernelConfiguration]]
| 12 || [[#KernelConfiguration]]
|-
|-
| 13 || [[#IsChargerHiZModeEnabled]]
| 13 || [S1] [[#IsChargerHiZModeEnabled]]
|-
|-
| 14 || [4.0.0+] [[#IsQuest]]
| 14 || [4.0.0+] [[#RetailInteractiveDisplayState]]
|-
|-
| 15 || [5.0.0+] [[#RegulatorType]]
| 15 || [S1] [5.0.0+] [[#RegulatorType]]
|-
|-
| 16 || [5.0.0+] [[#DeviceUniqueKeyGeneration]]
| 16 || [5.0.0+] [[#DeviceUniqueKeyGeneration]]
|-
|-
| 17 || [5.0.0+] [[#Package2Hash]]
| 17 || [5.0.0+] [[#Package2Hash]]
|-
| 18 || [S2]
|-
| 19 || [S2]
|-
| 256-280 || [S2] [[#Bcc]]
|}
|}


Line 256: Line 262:
|-
|-
| 3
| 3
| Reserved
| [11.0.0+] MarikoIowaHynix1y4gb ([1.0.0-10.2.0] EristaCopperSamsung4gb)
|-
|-
| 4
| 4
Line 262: Line 268:
|-
|-
| 5
| 5
| [4.0.0+] Reserved
| [12.0.0+] MarikoHoagHynix1y4gb ([4.0.0-11.0.1] EristaCopperHynix4gb)
|-
|-
| 6
| 6
| [4.0.0+] Reserved
| [13.0.0+] MarikoAulaHynix1y4gb ([4.0.0-12.1.0] EristaCopperMicron4gb)
|-
|-
| 7
| 7
| [5.0.0+] MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved)
| [15.0.0+] Reserved ([5.0.0-14.1.2] MarikoIowax1x2Samsung4gb, [4.0.0-4.1.0] Reserved)
|-
|-
| 8
| 8
Line 295: Line 301:
|-
|-
| 16
| 16
| [8.0.0+] MarikoIowaSamsung4gbY
| [15.0.0+] Reserved ([8.0.0-14.1.2] MarikoIowaSamsung4gbY)
|-
|-
| 17
| 17
Line 307: Line 313:
|-
|-
| 20
| 20
| [9.0.0+] MarikoIowaSamsung1y4gbY
| [14.0.0+] MarikoIowaSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y4gbY)
|-
|-
| 21
| 21
| [9.0.0+] MarikoIowaSamsung1y8gbY
| [14.0.0+] MarikoHoagSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y8gbY)
|-
|-
| 22
| 22
| [9.0.0+] MarikoIowaSamsung1y4gbA
| [14.0.0+] MarikoAulaSamsung1z4gb ([13.0.0-13.2.1] Reserved, [9.0.0-12.1.0] MarikoAulaSamsung1y4gb)
|-
|-
| 23
| 23
| [10.0.0+] MarikoUnkSamsung1y8gbX
| [10.0.0+] MarikoHoagSamsung1y8gbX
|-
|-
| 24
| 24
| [10.0.0+] MarikoUnkSamsung1y4gbX
| [10.0.0+] MarikoAulaSamsung1y4gbX
|-
| 25
| [11.0.0+] MarikoIowaMicron1y4gb
|-
| 26
| [11.0.0+] MarikoHoagMicron1y4gb
|-
| 27
| [11.0.0+] MarikoAulaMicron1y4gb
|-
| 28
| [11.0.0+] MarikoAulaSamsung1y8gbX
|-
| 29
| [16.0.0+] MarikoIowaHynix1a4gb ([15.0.0-15.0.1] MarikoIowax1x2Samsung4gb)
|-
| 30
| [16.0.0+] MarikoHoagHynix1a4gb ([15.0.0-15.0.1] MarikoHoagx1x2Samsung4gb)
|-
| 31
| [16.0.0+] MarikoAulaHynix1a4gb ([15.0.0-15.0.1] MarikoAulax1x2Samsung4gb)
|-
| 32
| [16.0.0+] MarikoIowaMicron1a4gb ([15.0.0-15.0.1] MarikoIowaSamsung4gbY)
|-
| 33
| [16.0.0+] MarikoHoagMicron1a4gb ([15.0.0-15.0.1] MarikoHoagSamsung4gbY)
|-
| 34
| [16.0.0+] MarikoAulaMicron1a4gb ([15.0.0-15.0.1] MarikoAulaSamsung4gbY)
|}
|}


Line 556: Line 592:
'''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors.
'''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors.


'''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is a prototype unit. Among other differences, this has extra hardware to support HDMI output.
'''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is unreleased. Among other differences, this has extra hardware to support HDMI output.


[8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors.
[8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors.


[10.0.0+] '''nx-abcd''' was added.
[10.0.0+] '''nx-abcd''' ('''Aula''') was added for the OLED Model retail and ADEV form factors.


'''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X.
'''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X.
Line 568: Line 604:


===== FuseVersion =====
===== FuseVersion =====
The current [[Package2#Versions|Package1 Maxver Constant]] - 1.
The current [[Package2#Versions|bootloader maximum version]] - 1.


===== HardwareType =====
===== HardwareType =====
Line 584: Line 620:
| 4 || [8.0.0+] Calcio
| 4 || [8.0.0+] Calcio
|-
|-
| 5 || [10.0.0+] Unknown
| 5 || [10.0.0+] Aula
|-
|-
| 15 || Invalid
| 15 || Invalid
Line 595: Line 631:
[7.0.0+] This item can now only be 0 (Icosa) or 15 (Invalid) in Erista units.
[7.0.0+] This item can now only be 0 (Icosa) or 15 (Invalid) in Erista units.


Hardware is '''Icosa''' (Erista retail, EDEV and SDEV) if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''.
Hardware is '''Icosa''' (Erista retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 1 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 0.


Hardware is '''Copper''' (Erista prototype) if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
Hardware is '''Copper''' (unreleased Erista model) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1.


[4.0.0+] Hardware is '''Iowa''' (Mariko retail, EDEV and SDEV) if new hardware type (bits 16-19) is '''Iowa'''.
[4.0.0+] Hardware is '''Iowa''' (Mariko retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 1.


[8.0.0+] Hardware is '''Hoag''' (Mariko Lite retail and HDEV) if new hardware type (bits 16-19) is '''Hoag'''.
[8.0.0+] Hardware is '''Hoag''' (Mariko Lite retail and HDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 2.


[8.0.0+] Hardware is '''Calcio''' (Mariko prototype) if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
[8.0.0+] Hardware is '''Calcio''' (unreleased Mariko model) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1.


[10.0.0+] Hardware is '''Unknown''' if new hardware type (bits 16-19) is 0x4.
[10.0.0+] Hardware is '''Aula''' (Mariko OLED Model retail and ADEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 4.


===== HardwareState =====
===== HardwareState =====
Line 619: Line 655:


This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
Hardware is '''Development''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 3 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 0.
Hardware is '''Production''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 1.


===== IsRecoveryBoot =====
===== IsRecoveryBoot =====
Line 710: Line 750:
|-
|-
| 2
| 2
| PerformanceMonitoringUnit
| EnablePmuAccess
|-
|-
| 3
| 3
| [8.0.0+] EnableApplicationExtraThread
| [8.0.0+] EnableExtraThreadResourceAllocation
|-
| 4
| [13.0.0+] DisableDynamicSystemResourceAllocation
|-
|-
| 8
| 8
Line 728: Line 771:
'''EnableUserExceptionHandler''' is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).
'''EnableUserExceptionHandler''' is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).


'''PerformanceMonitoringUnit''' is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).
'''EnablePmuAccess''' is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).


'''EnableApplicationExtraThread''' is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.
'''EnableExtraThreadResourceAllocation''' is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.


'''CallShowErrorOnPanic''' is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.
'''CallShowErrorOnPanic''' is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.
Line 739: Line 782:
This tells if the TI Charger (bq24192) is active.
This tells if the TI Charger (bq24192) is active.


===== IsQuest =====
===== RetailInteractiveDisplayState =====
{| class=wikitable
! Value || Description
|-
| 0 || Disabled
|-
| 1 || Enabled
|}
 
This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].


Line 777: Line 828:
===== Package2Hash =====
===== Package2Hash =====
This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.
This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.
===== Bcc =====
This is a 0x320 bytes buffer split across 25 items of 0x20 bytes each. When put together, these form a Boot Certificate Chain (BCC) for Switch 2 remote device attestation.
The format follows the [https://pigweed.googlesource.com/open-dice/+/HEAD/docs/specification.md Open Profile for DICE] from Google and includes the main DK_pub and the following entries (twice, likely for phases 2 and 3):
* codeHash (empty)
* configurationDescriptor ("Security version" set to 0)
* authorityHash (empty)
* mode ("Normal")
* keyUsage ("keyCertSign")
* subjectPublicKey (changes on reboot)


=== ShowError ===
=== ShowError ===
Retrieved from "https://switchbrew.org/wiki/Secure_Monitor"