Nintendo Switch Brew

NFC services: Difference between revisions

← Older edit
XorTroll (talk | contribs)
25 edits
Improved NFP structs, detailed some NFP commands, detailed amiibo information and structures
 
(9 intermediate revisions by 2 users not shown)
Line 329: Line 329:
|-
|-
| 24 || [3.0.0+] [[#RecreateApplicationArea]]
| 24 || [3.0.0+] [[#RecreateApplicationArea]]
|-
| 300 || [S2] [20.0.0+] [[#InitializeWithExtendedApplicationArea|InitializeWithExtendedApplicationArea]]
|-
| 301 || [S2] [20.0.0+] [[#GetExtendedApplicationAreaInfo|GetExtendedApplicationAreaInfo]]
|-
| 302 || [S2] [20.0.0+] [[#GetExtendedApplicationArea|GetExtendedApplicationArea]]
|-
| 303 || [S2] [20.0.0+] [[#SetExtendedApplicationArea|SetExtendedApplicationArea]]
|}
|}


Line 399: Line 407:
|-
|-
| 106 || [[#ExistsApplicationArea]]
| 106 || [[#ExistsApplicationArea]]
|-
| 300 || [S2] [20.0.0+] [[#InitializeWithExtendedApplicationArea|InitializeWithExtendedApplicationArea]]
|-
| 301 || [S2] [20.0.0+] [[#GetExtendedApplicationAreaInfo|GetExtendedApplicationAreaInfo]]
|-
| 302 || [S2] [20.0.0+] [[#GetExtendedApplicationArea|GetExtendedApplicationArea]]
|-
| 303 || [S2] [20.0.0+] [[#SetExtendedApplicationArea|SetExtendedApplicationArea]]
|}
|}


Line 496: Line 512:
| 206 || [[#WriteNtf]]
| 206 || [[#WriteNtf]]
|-
|-
| 300 || [3.0.0-3.0.2]
| 300 || [S2] [20.0.0+] [[#InitializeWithExtendedApplicationArea|InitializeWithExtendedApplicationArea]] ([3.0.0-3.0.2])
|-
|-
| 301 || [3.0.0-3.0.2]
| 301 || [S2] [20.0.0+] [[#GetExtendedApplicationAreaInfo|GetExtendedApplicationAreaInfo]] ([3.0.0-3.0.2])
|-
|-
| 302 || [3.0.0-3.0.2]
| 302 || [S2] [20.0.0+] [[#GetExtendedApplicationArea|GetExtendedApplicationArea]] ([3.0.0-3.0.2])
|-
|-
| 303 || [3.0.0-3.0.2]
| 303 || [S2] [20.0.0+] [[#SetExtendedApplicationArea|SetExtendedApplicationArea]] ([3.0.0-3.0.2])
|-
|-
| 304 || [3.0.0-3.0.2]
| 304 || [3.0.0-3.0.2]
Line 525: Line 541:
|-
|-
| 314 || [3.0.0-3.0.2]
| 314 || [3.0.0-3.0.2]
|-
| 500 || [S2] [20.0.0+] [[#BreakExtendedApplicationArea|BreakExtendedApplicationArea]]
|}
|}


Line 533: Line 551:


Just converts data from the internal [[#Amiibo settings]] to the output data. The last write date is not validated here (unlike with [[#GetCommonInfo]]).
Just converts data from the internal [[#Amiibo settings]] to the output data. The last write date is not validated here (unlike with [[#GetCommonInfo]]).
[20.5.0+] Amiibo version is no longer hardcoded to value 2, and actually set from the corresponding amiibo ID bits.


==== SetAll ====
==== SetAll ====
Line 573: Line 593:


The input buffer size must match 0x2A0. This handles Amiibo crypto, etc.
The input buffer size must match 0x2A0. This handles Amiibo crypto, etc.
==== BreakExtendedApplicationArea ====
Takes an input [[#DeviceHandle]], an input u32 [[#BreakType]], no output.


== Common ==
== Common ==
Line 608: Line 631:


Creates an internal object that manages mounted amiibo data. This step loads the amiibo [[#Raw format]], saves it in [[#Backup data]], and converts/decrypts it internally into a [[#Plain format]].
Creates an internal object that manages mounted amiibo data. This step loads the amiibo [[#Raw format]], saves it in [[#Backup data]], and converts/decrypts it internally into a [[#Plain format]].
[20.5.0+] Internal check "amiibo_version == 2" was changed to "(amiibo_version & 0xFE) == 2" to also cover new v3 amiibos.


=== Unmount ===
=== Unmount ===
Line 639: Line 664:


Performs CRC verifications, updates write counters (see [[#Amiibo settings]]) and then calls internally the same function as [[#BreakTag]] with [[#BreakType]] 0.
Performs CRC verifications, updates write counters (see [[#Amiibo settings]]) and then calls internally the same function as [[#BreakTag]] with [[#BreakType]] 0.
[20.5.0+] [[#Amiibo settings]] Field `Unknown2` always zeroed for v3 amiibos, while it it conditionally zeroed for v2 amiibos (as it was done so far).


=== Restore ===
=== Restore ===
Line 644: Line 671:


Reloads amiibo data (same internal functions as [[#Mount]]) and writes the data to the amiibo again. If reading the amiibo fails, it tries to load the [[#Raw data]] from the [[#Backup data]].
Reloads amiibo data (same internal functions as [[#Mount]]) and writes the data to the amiibo again. If reading the amiibo fails, it tries to load the [[#Raw data]] from the [[#Backup data]].
[20.5.0+] Internal check "amiibo_version == 2" was changed to "(amiibo_version & 0xFE) == 2" to also cover new v3 amiibos.


=== CreateApplicationArea ===
=== CreateApplicationArea ===
Line 651: Line 680:


Sets the new application ID / access ID values (even if an application area already existed), updates CRC values, updates write counters (see [[#Amiibo settings]]), copies input data, fills remaining space with random bytes, and then calls internally the same function as [[#BreakTag]] with [[#BreakType]] 0.
Sets the new application ID / access ID values (even if an application area already existed), updates CRC values, updates write counters (see [[#Amiibo settings]]), copies input data, fills remaining space with random bytes, and then calls internally the same function as [[#BreakTag]] with [[#BreakType]] 0.
[20.5.0+] [[#Amiibo settings]] Field `Unknown2` always zeroed for v3 amiibos, while it it conditionally zeroed for v2 amiibos (as it was done so far).


=== GetTagInfo ===
=== GetTagInfo ===
Line 713: Line 744:


Performs the same logic as [[#SetApplicationArea]] but without checking the current access ID, just overwriting it.
Performs the same logic as [[#SetApplicationArea]] but without checking the current access ID, just overwriting it.
[20.5.0+] Now the Mii CRC32 in [[#Amiibo settings]] is properly computed for v3 amiibos, while for v2 amiibos (as it was done so far)the field is set to a random u16 value.


=== Format ===
=== Format ===
Line 723: Line 756:


Just converts data from the internal [[#Amiibo settings]] to the output info.
Just converts data from the internal [[#Amiibo settings]] to the output info.
[20.5.0+] Amiibo version is no longer hardcoded to value 2, and actually set from the corresponding amiibo ID bits.


=== GetRegisterInfoPrivate ===
=== GetRegisterInfoPrivate ===
Line 737: Line 772:


Just converts data from the input info to the internal [[#Amiibo settings]]. No flushing / writing to the amiibo is done in this command.
Just converts data from the input info to the internal [[#Amiibo settings]]. No flushing / writing to the amiibo is done in this command.
[20.5.0+] [[#Amiibo settings]] Field `Unknown2` always zeroed for v3 amiibos, while it it conditionally zeroed for v2 amiibos (as it was done so far).


=== DeleteRegisterInfo ===
=== DeleteRegisterInfo ===
Line 744: Line 781:


All [[#RegisterInfo]]-related fields in the internal [[#Amiibo settings]] are filled with random bytes, and the amiibo-initialized [[#Amiibo flag]] is removed. Finally, it calls internally the same function as [[#BreakTag]] with [[#BreakType]] 0.
All [[#RegisterInfo]]-related fields in the internal [[#Amiibo settings]] are filled with random bytes, and the amiibo-initialized [[#Amiibo flag]] is removed. Finally, it calls internally the same function as [[#BreakTag]] with [[#BreakType]] 0.
[20.5.0+] Now the Mii CRC32 in [[#Amiibo settings]] is properly computed for v3 amiibos, while for v2 amiibos (as it was done so far)the field is set to a random u16 value.


=== DeleteApplicationArea ===
=== DeleteApplicationArea ===
Line 751: Line 790:


All [[#Application area]]-related fields in the internal [[#Amiibo settings]] are filled with random bytes, and the corresponding [[#Amiibo flag]] is removed. Finally, it calls internally the same function as [[#BreakTag]] with [[#BreakType]] 0.
All [[#Application area]]-related fields in the internal [[#Amiibo settings]] are filled with random bytes, and the corresponding [[#Amiibo flag]] is removed. Finally, it calls internally the same function as [[#BreakTag]] with [[#BreakType]] 0.
[20.5.0+] [[#Amiibo settings]] Field `Unknown2` always zeroed for v3 amiibos, while it it conditionally zeroed for v2 amiibos (as it was done so far).


=== ExistsApplicationArea ===
=== ExistsApplicationArea ===
Line 758: Line 799:


Just returns whether the corresponding [[#Amiibo flag]] in the internal [[#Amiibo settings]] is set.
Just returns whether the corresponding [[#Amiibo flag]] in the internal [[#Amiibo settings]] is set.
=== InitializeWithExtendedApplicationArea ===
Takes a PID, an u32, an [[AM_services|AppletResourceUserId]], an u64 placeholder for the PID, a type-0x5 input buffer containing an array of [[#RequiredMcuVersionData]], no output.
This is exclusive to S2.
Official sw uses the same [[#RequiredMcuVersionData]] input as the the other Initialize cmds. Value 1 is passed for the u32.
=== GetExtendedApplicationAreaInfo ===
This is exclusive to S2.
Takes an input [[#DeviceHandle]] and a type-0x1A output buffer containining an [[#ExtendedApplicationAreaInfo|ExtendedApplicationAreaInfo]].
=== GetExtendedApplicationArea ===
This is exclusive to S2.
Takes an input [[#DeviceHandle]] and a type-0x6 output buffer, returns an output u32 (converted to an u64 by official sw).
Official sw uses [[#GetExtendedApplicationAreaInfo|GetExtendedApplicationAreaInfo]] prior to this to clamp the buffer size with the [[#ExtendedApplicationAreaInfo|size]] field.
=== SetExtendedApplicationArea ===
This is exclusive to S2.
Takes an input [[#DeviceHandle]] and a type-0x5 input buffer, no output.


= RequiredMcuVersionData =
= RequiredMcuVersionData =
Line 1,040: Line 1,105:
| 0x48 || 0x29 || Amiibo name (NUL-terminated UTF-8 string, converted from UTF-16)
| 0x48 || 0x29 || Amiibo name (NUL-terminated UTF-8 string, converted from UTF-16)
|-
|-
| 0x71 || 0x1 || Unknown
| 0x71 || 0x1 || Font region
|-
|-
| 0x72 || 0x8E || Reserved
| 0x72 || 0x8E || Reserved
Line 1,114: Line 1,179:
| 0 || Does no breaking, just flushes
| 0 || Does no breaking, just flushes
|-
|-
| 1 || Breaks the amiibo data SHA256 HMAC hash (see [[#Amiibo settings]])
| 1 || Breaks the amiibo data SHA256 HMAC hash (see [[#Plain format]])
|-
|-
| 2 || Breaks the amiibo header magic (see [[#Amiibo settings]])
| 2 || Breaks the amiibo header magic (see [[#Amiibo header]])
|}
|}
Value 0 is internally used in some places, aside for [[#BreakTag]] commands called externally.


= WriteType =
= WriteType =
Line 1,131: Line 1,194:
|-
|-
| 1 || ?
| 1 || ?
|}
= ExtendedApplicationAreaInfo =
This is "nn::nfp::ExtendedApplicationAreaInfo".
This is a 0x40-byte struct.
This is exclusive to S2.
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x4 || ExtendedApplicationAreaSize
|}
|}


Line 1,227: Line 1,304:
| 0xC || 0x2 || Packed date (when this entry was written)
| 0xC || 0x2 || Packed date (when this entry was written)
|-
|-
| 0xE || 0xE || Unknown (zero?)
| 0xE || 0x1 || [20.5.0+] Backup entry type, depending on amiibo version (0 = v2, 1 = v3), previously reserved/zero
|-
| 0xF || 0xD || Unknown (reserved?)
|-
|-
| 0x1C || 0x4 || CRC32 of the 0x1C bytes above
| 0x1C || 0x4 || CRC32 of the 0x1C bytes above
Line 1,239: Line 1,318:


NFC writes here the amiibo [[#Raw format]], while the remaining 0x5E4 bytes are unused.
NFC writes here the amiibo [[#Raw format]], while the remaining 0x5E4 bytes are unused.
[20.5.0+] The entry data stored is different for v3 amiibos: the first 0x80 bytes of the [[#Raw format]] are stored, then followed by 0x40 internal bytes from the corresponding Noft2 object (what exactly?) and finally followed by the remaining (0x19C) bytes of the raw data, thus now using 0x25C bytes of the entry data (and leaving the remaining 0x5A4 bytes unused).


= Amiibo =
= Amiibo =
Line 1,415: Line 1,496:
| 0x6 || 0x1 || NFP type (figurine type)
| 0x6 || 0x1 || NFP type (figurine type)
|-
|-
| 0x7 || 0x1 || Version? (0x02)
| 0x7 || 0x1 || Amiibo version (v2 or [20.5.0+] v3)
|}
|}


Line 1,473: Line 1,554:
| 0x0 || 0x1 || Font region (bits0-3) and [[#Amiibo flag]] (bits4-7)
| 0x0 || 0x1 || Font region (bits0-3) and [[#Amiibo flag]] (bits4-7)
|-
|-
| 0x1 || 0x2 || Country code ID
| 0x1 || 0x1 || Country code ID
|-
|-
| 0x2 || 0x2 || Counter of the times the terminal ID CRC32 has changed (big-endian)
| 0x2 || 0x2 || Counter of the times the terminal ID CRC32 has changed (big-endian)
Line 1,481: Line 1,562:
| 0x6 || 0x2 || Last write date (big-endian, see [[#Amiibo date]] for format in little-endian)
| 0x6 || 0x2 || Last write date (big-endian, see [[#Amiibo date]] for format in little-endian)
|-
|-
| 0x8 || 0x4 || CRC32 of NFC terminal ID (8 bytes, see below)
| 0x8 || 0x4 || CRC32 of NFC terminal ID (8 bytes, see below) (big-endian)
|-
|-
| 0xC || 0x14 (2*10) || Amiibo name (UTF16-BE, not null-terminated)
| 0xC || 0x14 (2*10) || Amiibo name (UTF16-BE, not null-terminated)
Line 1,503: Line 1,584:
| 0x90 || 0x8 || Mii StoreDataExtension
| 0x90 || 0x8 || Mii StoreDataExtension
|-
|-
| 0x98 || 0x14 || Unknown2
| 0x98 || 0x14 || Unknown2 (appears to be reserved for v2 amiibos and used in v3 amiibos, for maybe application area-related purposes?)
|-
|-
| 0xAC || 0x4 || CRC32 of mii data (Ver3StoreData + pad + CRC16) +  Application ID byte + Unknown1 + StoreDataExtension + Unknown2 (total of 0x7E bytes)
| 0xAC || 0x4 || CRC32 of mii data (Ver3StoreData + pad + CRC16) +  Application ID byte + Unknown1 + StoreDataExtension + Unknown2 (total of 0x7E bytes) (big-endian)
|}
|}


The country code ID is zeroed when calling [[#SetRegisterInfoPrivate]].
The country code ID is zeroed when calling [[#SetRegisterInfoPrivate]].


The application ID byte contains the original application ID hex-digit (only used for Switcj games, see [[#Application area version]]), so it can be to restore the original value (which is needed for [[#GetAdminInfo]]).
The application ID byte contains the original application ID hex-digit (only used for Switch games, see [[#Application area version]]), so it can be to restore the original value (which is needed for [[#GetAdminInfo]]).


The terminal ID is a randomly-generated 8-byte value that is re-generated every time [[#Initialize]] is called (thus every nfc/nfp/mifare session), and saved at [[Flash_Filesystem#SystemSaveData|data]]:/nfc_terminal_id.dat.
The terminal ID is a randomly-generated 8-byte value that is re-generated every time [[#Initialize]] is called (thus every nfc/nfp/mifare session), and saved at [[Flash_Filesystem#SystemSaveData|data]]:/nfc_terminal_id.dat.
Line 1,525: Line 1,606:


These are firmware files for the NFC IC inside Switch Lite units.
These are firmware files for the NFC IC inside Switch Lite units.
= Notes =
The following services are accessible to nfc:
* arp:r, fatal:u, fsp-srv, gpio, hid, hid:sys, i2c, prepo:s, psc:m, psm, set:sys, spl:mig, time:u 
[S2] The accessible services (on 20.x) are exactly the same as NX.
The sm handle is 0x100FE. The [S2] fsp-srv handle is 0x1200E0.
== Code-region Memory Layout ==
=== S2 20.1.0 ===
This is the codebin-region layout for S2 nfc 20.1.0-20.5.0.
Total size is 0x1A7000-bytes.
{| class="wikitable" border="1"
|-
! Offset
! Size
! Permissions
! Description
|-
| 0x0 || 0xB0000 || --X || .text
|-
| 0xB0000 || 0x3E000 || R-- || RO-region
|-
| 0xEE000 || 0x3000 || RW ||
|-
| 0xF1000 || 0x1000 || non-RW ||
|-
| 0xF2000 || 0x2000 || RW ||
|-
| 0xF4000 || 0x1000 || non-RW ||
|-
| 0xF5000 || 0xA3000 || RW ||
|-
| 0x198000 || 0x8000 || non-RW ||
|-
| 0x1A0000 || 0x7000 || RW ||
|}
Retrieved from "https://switchbrew.org/wiki/NFC_services"