Nintendo Switch Brew

TSEC: Difference between revisions

← Older editNewer edit →
No edit summary
more TSEC goodness
Line 13: Line 13:
!  Address
!  Address
!  Width
!  Width
|-
| TSEC_THI_UNK0
| 0x54500020
| 0x04
|-
|-
| TSEC_THI_INT_STATUS
| TSEC_THI_INT_STATUS
| 0x54500078
| 0x54500078
| 0x04
|-
| TSEC_THI_INT_STATUS2
| 0x5450007C
| 0x04
|-
| TSEC_THI_UNK1
| 0x54500084
| 0x04
| 0x04
|-
|-
Line 244: Line 256:
| FALCON_SCTL
| FALCON_SCTL
| 0x54501240
| 0x54501240
| 0x04
|-
| TSEC_SCP_CTL_UNK0
| 0x54501400
| 0x04
|-
| TSEC_SCP_CTL_UNK1
| 0x54501404
| 0x04
| 0x04
|-
|-
Line 252: Line 272:
| TSEC_SCP_CTL_AUTH_MODE
| TSEC_SCP_CTL_AUTH_MODE
| 0x5450140C
| 0x5450140C
| 0x04
|-
| TSEC_SCP_CTL_UNK2
| 0x54501410
| 0x04
| 0x04
|-
|-
Line 258: Line 282:
| 0x04
| 0x04
|-
|-
| TSEC_TFBIF_MCCIF_FIFOCTRL
| TSEC_SCP_CTL_UNK3
| 0x54501604
| 0x54501420
| 0x04
|-
| TSEC_SCP_CTL_UNK4
| 0x54501428
| 0x04
| 0x04
|-
|-
| TSEC_DMA_CMD
| TSEC_SCP_CTL_UNK5
| 0x54501700
| 0x54501430
| 0x04
| 0x04
|-
|-
| TSEC_DMA_ADDR
| TSEC_SCP_UNK0
| 0x54501704
| 0x54501454
| 0x04
| 0x04
|-
|-
| TSEC_DMA_VAL
| TSEC_SCP_UNK1
| 0x54501708
| 0x54501458
| 0x04
| 0x04
|-
|-
| TSEC_DMA_UNK
| TSEC_SCP_UNK2
| 0x5450170C
| 0x54501470
| 0x04
| 0x04
|-
|-
| [[#TSEC_TEGRA_CTL|TSEC_TEGRA_CTL]]
| TSEC_SCP_UNK3
| 0x54501838
| 0x54501480
| 0x04
| 0x04
|-
|-
|}
| TSEC_SCP_UNK4
 
| 0x54501490
=== FALCON_IRQMSET ===
| 0x04
Used for configuring Falcon's IRQs.
|-
 
| TSEC_UNK0
=== FALCON_IRQDEST ===
| 0x54501500
Used for configuring Falcon's IRQs.
| 0x04
 
=== FALCON_SCRATCH0 ===
MMIO register for reading/writing data to Falcon.
 
=== FALCON_SCRATCH1 ===
MMIO register for reading/writing data to Falcon.
 
=== FALCON_ITFEN ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
|-
| 0
| TSEC_UNK1
| FALCON_ITFEN_CTXEN
| 0x54501504
| 0x04
|-
|-
| 1
| TSEC_UNK2
| FALCON_ITFEN_MTHDEN
| 0x5450150C
| 0x04
|-
|-
|}
| TSEC_UNK3
 
| 0x54501510
Used for enabling/disabling Falcon interfaces.
| 0x04
|-
| TSEC_UNK4
| 0x54501514
| 0x04
|-
| TSEC_UNK5
| 0x54501518
| 0x04
|-
| TSEC_UNK6
| 0x5450151C
| 0x04
|-
| TSEC_UNK7
| 0x54501528
| 0x04
|-
| TSEC_UNK8
| 0x5450152C
| 0x04
|-
| TSEC_TFBIF_MCCIF_UNK0
| 0x54501600
| 0x04
|-
| TSEC_TFBIF_MCCIF_FIFOCTRL
| 0x54501604
| 0x04
|-
| TSEC_TFBIF_MCCIF_UNK1
| 0x54501608
| 0x04
|-
| TSEC_TFBIF_MCCIF_UNK2
| 0x5450160C
| 0x04
|-
| TSEC_TFBIF_UNK0
| 0x54501630
| 0x04
|-
| TSEC_TFBIF_UNK1
| 0x54501634
| 0x04
|-
| TSEC_TFBIF_UNK2
| 0x54501640
| 0x04
|-
| [[#TSEC_DMA_CMD|TSEC_DMA_CMD]]
| 0x54501700
| 0x04
|-
| [[#TSEC_DMA_ADDR|TSEC_DMA_ADDR]]
| 0x54501704
| 0x04
|-
| [[#TSEC_DMA_VAL|TSEC_DMA_VAL]]
| 0x54501708
| 0x04
|-
| [[#TSEC_DMA_UNK|TSEC_DMA_UNK]]
| 0x5450170C
| 0x04
|-
| TSEC_TEGRA_UNK0
| 0x54501800
| 0x04
|-
| TSEC_TEGRA_UNK1
| 0x54501824
| 0x04
|-
| TSEC_TEGRA_UNK2
| 0x54501828
| 0x04
|-
| TSEC_TEGRA_UNK3
| 0x5450182C
| 0x04
|-
| [[#TSEC_TEGRA_CTL|TSEC_TEGRA_CTL]]
| 0x54501838
| 0x04
|-
|}
 
=== FALCON_IRQMSET ===
Used for configuring Falcon's IRQs.
 
=== FALCON_IRQDEST ===
Used for configuring Falcon's IRQs.
 
=== FALCON_SCRATCH0 ===
MMIO register for reading/writing data to Falcon.
 
=== FALCON_SCRATCH1 ===
MMIO register for reading/writing data to Falcon.
 
=== FALCON_ITFEN ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0
| FALCON_ITFEN_CTXEN
|-
| 1
| FALCON_ITFEN_MTHDEN
|-
|}
 
Used for enabling/disabling Falcon interfaces.
 
=== FALCON_IDLESTATE ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0
| FALCON_IDLESTATE_FALCON_BUSY
|-
|}
 
Used for detecting if Falcon is busy or not.
 
=== FALCON_CPUCTL ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0
| FALCON_CPUCTL_IINVAL
|-
| 1
| FALCON_CPUCTL_STARTCPU
|-
| 2
| FALCON_CPUCTL_SRESET
|-
| 3
| FALCON_CPUCTL_HRESET
|-
| 4
| FALCON_CPUCTL_HALTED
|-
| 5
| FALCON_CPUCTL_STOPPED
|-
|}
 
Used for signaling the Falcon CPU.
 
=== FALCON_BOOTVEC ===
Takes the Falcon's boot vector address.
 
=== FALCON_DMACTL ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0
| FALCON_DMACTL_REQUIRE_CTX
|-
| 1
| FALCON_DMACTL_DMEM_SCRUBBING
|-
| 2
| FALCON_DMACTL_IMEM_SCRUBBING
|-
| 3-6
| FALCON_DMACTL_DMAQ_NUM
|-
| 7
| FALCON_DMACTL_SECURE_STAT
|-
|}
 
Used for configuring the Falcon's DMA engine.
 
=== FALCON_DMATRFBASE ===
Takes the host's base address for transferring data to/from the Falcon (DMA).
 
=== FALCON_DMATRFMOFFS ===
Takes the offset for the host's source memory being transferred.


=== FALCON_IDLESTATE ===
=== FALCON_DMATRFCMD ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
Line 317: Line 521:
|-
|-
| 0
| 0
| FALCON_IDLESTATE_FALCON_BUSY
| FALCON_DMATRFCMD_FULL
|-
|}
 
Used for detecting if Falcon is busy or not.
 
=== FALCON_CPUCTL ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0
| FALCON_CPUCTL_IINVAL
|-
|-
| 1
| 1
| FALCON_CPUCTL_STARTCPU
| FALCON_DMATRFCMD_IDLE (this is set if the engine is idle)
|-
|-
| 2
| 2-3
| FALCON_CPUCTL_SRESET
| FALCON_DMATRFCMD_SEC
|-
| 3
| FALCON_CPUCTL_HRESET
|-
|-
| 4
| 4
| FALCON_CPUCTL_HALTED
| FALCON_DMATRFCMD_IMEM
|-
|-
| 5
| 5
| FALCON_CPUCTL_STOPPED
| FALCON_DMATRFCMD_WRITE
|-
| 8-10
| FALCON_DMATRFCMD_SIZE
|-
| 12-14
| FALCON_DMATRFCMD_CTXDMA
|-
|-
|}
|}


Used for signaling the Falcon CPU.
Used for configuring DMA transfers.


=== FALCON_BOOTVEC ===
=== FALCON_DMATRFFBOFFS ===
Takes the Falcon's boot vector address.
Takes the offset for Falcon's target memory being transferred.


=== FALCON_DMACTL ===
=== TSEC_SCP_CTL_STAT ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
!  Description
!  Description
|-
|-
| 0
| 20
| FALCON_DMACTL_REQUIRE_CTX
| TSEC_SCP_CTL_STAT_DEBUG_MODE
|-
|-
| 1
|}
| FALCON_DMACTL_DMEM_SCRUBBING
 
=== TSEC_SCP_CTL_PKEY ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
|-
| 2
| 0
| FALCON_DMACTL_IMEM_SCRUBBING
| TSEC_SCP_CTL_PKEY_REQUEST_RELOAD
|-
|-
| 3-6
| 1
| FALCON_DMACTL_DMAQ_NUM
| TSEC_SCP_CTL_PKEY_LOADED
|-
| 7
| FALCON_DMACTL_SECURE_STAT
|-
|-
|}
|}


Used for configuring the Falcon's DMA engine.
=== TSEC_DMA_CMD ===
 
=== FALCON_DMATRFBASE ===
Takes the host's base address for transferring data to/from the Falcon (DMA).
 
=== FALCON_DMATRFMOFFS ===
Takes the offset for the host's source memory being transferred.
 
=== FALCON_DMATRFCMD ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Bits
!  Bits
Line 389: Line 577:
|-
|-
| 0
| 0
| FALCON_DMATRFCMD_FULL
| TSEC_DMA_CMD_READ
|-
|-
| 1
| 1
| FALCON_DMATRFCMD_IDLE (this is set if the engine is idle)
| TSEC_DMA_CMD_WRITE
|-
| 4-7
| TSEC_DMA_CMD_UNK
|-
|-
| 2-3
| 12
| FALCON_DMATRFCMD_SEC
| TSEC_DMA_CMD_BUSY
|-
|-
| 4
| 31
| FALCON_DMATRFCMD_IMEM
| TSEC_DMA_CMD_INIT
|-
| 5
| FALCON_DMATRFCMD_WRITE
|-
| 8-10
| FALCON_DMATRFCMD_SIZE
|-
| 12-14
| FALCON_DMATRFCMD_CTXDMA
|-
|-
|}
|}


Used for configuring DMA transfers.
A DMA read/write operation requires bits TSEC_DMA_CMD_INIT and TSEC_DMA_CMD_READ/TSEC_DMA_CMD_WRITE to be set in TSEC_DMA_CMD.
 
During the transfer, the TSEC_DMA_CMD_BUSY bit is set.


=== FALCON_DMATRFFBOFFS ===
=== TSEC_DMA_ADDR ===
Takes the offset for Falcon's target memory being transferred.
Takes the address for DMA transfers between TSEC and HOST1X (master and clients).


=== TSEC_SCP_CTL_STAT ===
=== TSEC_DMA_VAL ===
{| class="wikitable" border="1"
Takes the value for DMA transfers between TSEC and HOST1X (master and clients).
!  Bits
!  Description
|-
| 20
| TSEC_SCP_CTL_STAT_DEBUG_MODE
|-
|}


=== TSEC_SCP_CTL_PKEY ===
=== TSEC_DMA_UNK ===
{| class="wikitable" border="1"
Always 0xFFF.
!  Bits
!  Description
|-
| 0
| TSEC_SCP_CTL_PKEY_REQUEST_RELOAD
|-
| 1
| TSEC_SCP_CTL_PKEY_LOADED
|-
|}


=== TSEC_TEGRA_CTL ===
=== TSEC_TEGRA_CTL ===
Line 902: Line 1,069:
  // Partially unknown fuc5 instruction
  // Partially unknown fuc5 instruction
  // Likely forces a change of permissions
  // Likely forces a change of permissions
  acl_chmod(c0, c0);
  cchmod(c0, c0);
   
   
  // Clear all crypto registers and propagate permissions
  // Clear all crypto registers and propagate permissions
Line 1,388: Line 1,555:
|-
|-
|  0b001 || external mem <-> crypto input/output stream
|  0b001 || external mem <-> crypto input/output stream
|-
|  0b011 || falcon data mem <-> crypto input/output stream
|-
|  0b100 || unknown, but can be combined with other types
|}
|}


Line 1,404: Line 1,575:
Entry to Authenticated Mode always sets $pc to the address supplied in $cauth (ie the base of the signature-checked region). This takes effect when trying to branch to any address within the range covered by $cauth. Entry to Authenticated Mode (also called "Secure Mode") computes a MAC over the $cauth region and compares it to $c6 in order to perform the signature check.
Entry to Authenticated Mode always sets $pc to the address supplied in $cauth (ie the base of the signature-checked region). This takes effect when trying to branch to any address within the range covered by $cauth. Entry to Authenticated Mode (also called "Secure Mode") computes a MAC over the $cauth region and compares it to $c6 in order to perform the signature check.


Exit from Authenticated Mode must poke a special register (this seems to be I[0x10300] = 0) before leaving authenticated code pages. Failure to do this would result in the Falcon core halting.
Exit from Authenticated Mode must poke a special register before leaving authenticated code pages and a failure to do this would result in the Falcon core halting. Every Falcon based unit (TSEC, NVDEC, VIC) must map this register in their engine-specific subset of registers. In TSEC's case, the register is TSEC_SCP_CTL_AUTH_MODE.
 
=== Unknown Instructions ===
 
<code>00000000: f5 3c XY e0    cchmod $cY $cX</code> - likely forces a change of permissions.
 
<code>00000000: f5 3c XY a8    c_unk $cY $cX</code> - unknown crypto operation.
 
<code>00000000: f5 3c 0X 90    c_unk $cX</code> - unknown crypto operation.
Retrieved from "https://switchbrew.org/wiki/TSEC"