Difference between revisions of "Secure Monitor"
(32 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | = | + | = SMC = |
The secure monitor provides two top level handlers of which each provides a range of sub handlers. | The secure monitor provides two top level handlers of which each provides a range of sub handlers. | ||
− | Secure Monitor calls follow the ARM SMC calling convention | + | Secure Monitor calls follow the ARM SMC calling convention with a small change: |
{| class=wikitable | {| class=wikitable | ||
− | ! | + | ! Bits || Description |
|- | |- | ||
− | | | + | | 0-7 || Function Number |
|- | |- | ||
− | | | + | | 8-15 || Argument Type |
|- | |- | ||
− | | | + | | 16-23 || Reserved |
|- | |- | ||
− | | | + | | 24-29 || Call Range |
|- | |- | ||
− | | | + | | 30 || Call Convention (0 = SMC32, 1 = SMC64) |
|- | |- | ||
− | | | + | | 31 || Call Type (0 = Yielding Call, 1 = Fast Call) |
|} | |} | ||
Line 31: | Line 31: | ||
| 0xC3000401 || SetConfig | | 0xC3000401 || SetConfig | ||
|- | |- | ||
− | | 0xC3000002 || [[#GetConfig]] (same as in [[#FunctionId1]]) | + | | 0xC3000002 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId1]]) |
|- | |- | ||
| 0xC3000003 || GetResult | | 0xC3000003 || GetResult | ||
Line 37: | Line 37: | ||
| 0xC3000404 || GetResultData | | 0xC3000404 || GetResultData | ||
|- | |- | ||
− | | 0xC3000E05 || | + | | 0xC3000E05 || ModularExponentiate |
|- | |- | ||
− | | 0xC3000006 || [[#GenerateRandomBytes]] (same as in [[#FunctionId1]]) | + | | 0xC3000006 || [[#GenerateRandomBytes|GenerateRandomBytes]] (same as in [[#FunctionId1]]) |
|- | |- | ||
− | | 0xC3000007 || [[#GenerateAesKek]] | + | | 0xC3000007 || [[#GenerateAesKek|GenerateAesKek]] |
|- | |- | ||
− | | 0xC3000008 || [[#LoadAesKey]] | + | | 0xC3000008 || [[#LoadAesKey|LoadAesKey]] |
|- | |- | ||
− | | 0xC3000009 || [[#ComputeAes]] | + | | 0xC3000009 || [[#ComputeAes|ComputeAes]] |
|- | |- | ||
− | | 0xC300000A || [[#GenerateSpecificAesKey]] | + | | 0xC300000A || [[#GenerateSpecificAesKey|GenerateSpecificAesKey]] |
|- | |- | ||
− | | 0xC300040B || [[#ComputeCmac]] | + | | 0xC300040B || [[#ComputeCmac|ComputeCmac]] |
|- | |- | ||
− | | [1.0.0-4.1.0] 0xC300100C || [[# | + | | [1.0.0-4.1.0] 0xC300100C || [[#DecryptAndImportEsDeviceKey|DecryptAndImportEsDeviceKey]] |
|- | |- | ||
− | | [5.0.0+] 0xC300D60C || [[# | + | | [5.0.0+] 0xC300D60C || [[#ReencryptDeviceUniqueData|ReencryptDeviceUniqueData]] |
|- | |- | ||
− | | | + | | 0xC300100D || [[#DecryptDeviceUniqueData|DecryptDeviceUniqueData]] |
|- | |- | ||
− | | [ | + | | [1.0.0-4.1.0] 0xC300100E || [[#DecryptAndImportLotusKey|DecryptAndImportLotusKey]] |
|- | |- | ||
− | | | + | | 0xC300060F || [[#ModularExponentiateByStorageKey|ModularExponentiateByStorageKey]] |
|- | |- | ||
− | | | + | | 0xC3000610 || [[#PrepareEsDeviceUniqueKey|PrepareEsDeviceUniqueKey]] |
|- | |- | ||
− | | | + | | 0xC3000011 || [[#LoadPreparedAesKey|LoadPreparedAesKey]] |
|- | |- | ||
− | + | | 0xC3000012 || [2.0.0+] [[#PrepareEsCommonKey|PrepareEsCommonKey]] | |
− | |||
− | | 0xC3000012 || [2.0.0+] [[# | ||
|} | |} | ||
Line 79: | Line 77: | ||
** This means: Plaintext kek keys never leave TrustZone. | ** This means: Plaintext kek keys never leave TrustZone. | ||
** Further, this means: Actual AES/RSA keys never leave TrustZone. | ** Further, this means: Actual AES/RSA keys never leave TrustZone. | ||
+ | |||
+ | === GenerateRandomBytes === | ||
+ | Takes an u64 '''Size'''. Returns [[#Result]] and '''RandomBytes'''. | ||
+ | |||
+ | '''Size''' is limited to 0x38 (for fitting in return registers). | ||
=== GenerateAesKek === | === GenerateAesKek === | ||
Line 101: | Line 104: | ||
Calculates CMAC over input data. | Calculates CMAC over input data. | ||
− | === | + | === DecryptAndImportEsDeviceKey === |
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key. | Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key. | ||
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase TitleKey]]. | The session kek must have been created with [[#CryptoUsecase|CryptoUsecase TitleKey]]. | ||
− | [5.0.0] This function was removed and replaced with [[# | + | [5.0.0] This function was removed and replaced with [[#ReencryptDeviceUniqueData]]. |
− | === | + | === ReencryptDeviceUniqueData === |
Takes in two session keks created with [[#GenerateAesKek]], two wrapped AES keys, an enum member, and a wrapped RSA private key. | Takes in two session keks created with [[#GenerateAesKek]], two wrapped AES keys, an enum member, and a wrapped RSA private key. | ||
Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid. | Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid. | ||
− | The re-encrypted key is then passed to the user, for use with [[# | + | The re-encrypted key is then passed to the user, for use with [[#DecryptDeviceUniqueData]]. |
− | === | + | === DecryptDeviceUniqueData === |
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, an enum member, and a wrapped RSA private key. | Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, an enum member, and a wrapped RSA private key. | ||
Line 122: | Line 125: | ||
[4.0.0+] The SMC handler when certain conditions pass and FunctionId0==0xC300100D now returns error 0x6 instead of calling the handler funcptr. | [4.0.0+] The SMC handler when certain conditions pass and FunctionId0==0xC300100D now returns error 0x6 instead of calling the handler funcptr. | ||
− | [5.0.0+] This function | + | [5.0.0+] This function now takes an additional input [[#DecryptOrImportMode]]. This extends the original functionality to enable importing private keys into the security engine instead of decrypting them. |
− | |||
− | |||
− | |||
− | |||
− | This | ||
− | === | + | === DecryptAndImportLotusKey === |
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA key. | Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA key. | ||
Line 136: | Line 134: | ||
[5.0.0] This function was removed. | [5.0.0] This function was removed. | ||
− | === | + | === ModularExponentiateByStorageKey === |
− | Performs an ExpMod operation using an exponent previously loaded with the [[# | + | Performs an ExpMod operation using an exponent previously loaded with the [[#DecryptAndImportLotusKey]] command. |
− | [5.0.0+] This now uses any exponent previously loaded with [[# | + | [5.0.0+] This now uses any exponent previously loaded with [[#DecryptDeviceUniqueData]] and takes an [[#SecureExpModMode]]. |
− | === | + | === PrepareEsDeviceUniqueKey === |
Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash. | Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash. | ||
− | Performs an ExpMod operation using an exponent previously loaded with the [[# | + | Performs an ExpMod operation using an exponent previously loaded with the [[#DecryptAndImportEsDeviceKey]] command, and then validates/extracts a Titlekey from the resulting message. |
Returns a session-unique AES key especially for use in [[#LoadTitleKey]]. | Returns a session-unique AES key especially for use in [[#LoadTitleKey]]. | ||
− | [5.0.0+] This now uses any exponent previously loaded with [[# | + | [5.0.0+] This now uses any exponent previously loaded with [[#DecryptDeviceUniqueData]]. |
− | === | + | === LoadPreparedAesKey === |
− | Takes a session-unique AES key from [[# | + | Takes a session-unique AES key from [[#PrepareEsCommonKey]] or [[#PrepareEsDeviceUniqueKey]]. |
− | === | + | === PrepareEsCommonKey === |
− | Takes an AES-wrapped TitleKey and returns a sealed AES key. | + | Takes an AES-wrapped common TitleKey and returns a sealed AES key. |
== FunctionId1 == | == FunctionId1 == | ||
Line 162: | Line 160: | ||
! Value || Name | ! Value || Name | ||
|- | |- | ||
− | | 0xC4000001 || [[# | + | | 0xC4000001 || [[#SuspendCpu|SuspendCpu]] |
|- | |- | ||
− | | 0x84000002 || [[# | + | | 0x84000002 || [[#PowerOffCpu|PowerOffCpu]] |
|- | |- | ||
− | | 0xC4000003 || [[# | + | | 0xC4000003 || [[#PowerOnCpu|PowerOnCpu]] |
|- | |- | ||
− | | 0xC3000004 || [[#GetConfig]] (same as in [[#FunctionId0]]) | + | | 0xC3000004 || [[#GetConfig|GetConfig]] (same as in [[#FunctionId0]]) |
|- | |- | ||
− | | 0xC3000005 || [[#GenerateRandomBytes]] | + | | 0xC3000005 || [[#GenerateRandomBytes|GenerateRandomBytesNonBlocking]] |
|- | |- | ||
− | | 0xC3000006 || [[# | + | | 0xC3000006 || [[#ShowError|ShowError]] |
|- | |- | ||
− | | 0xC3000007 || [2.0.0+] [[# | + | | 0xC3000007 || [2.0.0+] [[#SetKernelCarveoutRegion|SetKernelCarveoutRegion]] |
|- | |- | ||
− | | 0xC3000008 || [2.0.0+] [[#ReadWriteRegister]] | + | | 0xC3000008 || [2.0.0+] [[#ReadWriteRegister|ReadWriteRegister]] |
|} | |} | ||
− | === | + | === SuspendCpu === |
− | Takes an u64 '''PowerState''', an u64 ''' | + | Takes an u64 '''PowerState''', an u64 '''EntrypointAddress''' and an u64 '''ContextId'''. No output. |
Suspends the CPU (CPU0). | Suspends the CPU (CPU0). | ||
Line 186: | Line 184: | ||
The kernel calls this SMC on shutdown with '''PowerState''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B). | The kernel calls this SMC on shutdown with '''PowerState''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B). | ||
− | === | + | === PowerOffCpu === |
No input/output. | No input/output. | ||
Turns off the CPU (CPU1, CPU2 or CPU3). | Turns off the CPU (CPU1, CPU2 or CPU3). | ||
− | === | + | === PowerOnCpu === |
− | Takes an u64 '''TargetCpu''', an u64 ''' | + | Takes an u64 '''TargetCpu''', an u64 '''EntrypointAddress''' and an u64 '''ContextId'''. Returns [[#Result]]. |
Turns on the CPU (CPU1, CPU2 or CPU3). | Turns on the CPU (CPU1, CPU2 or CPU3). | ||
=== GetConfig === | === GetConfig === | ||
− | Takes a [[#ConfigItem]]. Returns [[#Result]] and a ''' | + | Takes a [[#ConfigItem]]. Returns [[#Result]] and a '''ConfigValue'''. |
==== ConfigItem ==== | ==== ConfigItem ==== | ||
Line 214: | Line 212: | ||
| 5 || [[#HardwareType]] | | 5 || [[#HardwareType]] | ||
|- | |- | ||
− | | 6 || [[# | + | | 6 || [[#HardwareState]] |
|- | |- | ||
| 7 || [[#IsRecoveryBoot]] | | 7 || [[#IsRecoveryBoot]] | ||
Line 224: | Line 222: | ||
| 10 || [[#MemoryMode]] | | 10 || [[#MemoryMode]] | ||
|- | |- | ||
− | | 11 || [[# | + | | 11 || [[#IsDevelopmentFunctionEnabled]] |
|- | |- | ||
| 12 || [[#KernelConfiguration]] | | 12 || [[#KernelConfiguration]] | ||
Line 230: | Line 228: | ||
| 13 || [[#IsChargerHiZModeEnabled]] | | 13 || [[#IsChargerHiZModeEnabled]] | ||
|- | |- | ||
− | | 14 || [4.0.0+] [[# | + | | 14 || [4.0.0+] [[#RetailInteractiveDisplayState]] |
|- | |- | ||
| 15 || [5.0.0+] [[#RegulatorType]] | | 15 || [5.0.0+] [[#RegulatorType]] | ||
Line 258: | Line 256: | ||
|- | |- | ||
| 3 | | 3 | ||
− | | | + | | [11.0.0+] MarikoIowaHynix1y4gb ([1.0.0-10.2.0] EristaCopperSamsung4gb) |
|- | |- | ||
| 4 | | 4 | ||
Line 264: | Line 262: | ||
|- | |- | ||
| 5 | | 5 | ||
− | | [4.0.0 | + | | [12.0.0+] MarikoHoagHynix1y4gb ([4.0.0-11.0.1] EristaCopperHynix4gb) |
|- | |- | ||
| 6 | | 6 | ||
− | | [4.0.0 | + | | [13.0.0+] MarikoAulaHynix1y4gb ([4.0.0-12.1.0] EristaCopperMicron4gb) |
|- | |- | ||
| 7 | | 7 | ||
− | | [5.0.0 | + | | [15.0.0+] Reserved ([5.0.0-14.1.2] MarikoIowax1x2Samsung4gb, [4.0.0-4.1.0] Reserved) |
|- | |- | ||
| 8 | | 8 | ||
Line 297: | Line 295: | ||
|- | |- | ||
| 16 | | 16 | ||
− | | [8.0.0 | + | | [15.0.0+] Reserved ([8.0.0-14.1.2] MarikoIowaSamsung4gbY) |
|- | |- | ||
| 17 | | 17 | ||
Line 309: | Line 307: | ||
|- | |- | ||
| 20 | | 20 | ||
− | | [9.0.0 | + | | [14.0.0+] MarikoIowaSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y4gbY) |
|- | |- | ||
| 21 | | 21 | ||
− | | [9.0.0 | + | | [14.0.0+] MarikoHoagSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y8gbY) |
|- | |- | ||
| 22 | | 22 | ||
− | | [9.0.0+] | + | | [14.0.0+] MarikoAulaSamsung1z4gb ([13.0.0-13.2.1] Reserved, [9.0.0-12.1.0] MarikoAulaSamsung1y4gb) |
+ | |- | ||
+ | | 23 | ||
+ | | [10.0.0+] MarikoHoagSamsung1y8gbX | ||
+ | |- | ||
+ | | 24 | ||
+ | | [10.0.0+] MarikoAulaSamsung1y4gbX | ||
+ | |- | ||
+ | | 25 | ||
+ | | [11.0.0+] MarikoIowaMicron1y4gb | ||
+ | |- | ||
+ | | 26 | ||
+ | | [11.0.0+] MarikoHoagMicron1y4gb | ||
+ | |- | ||
+ | | 27 | ||
+ | | [11.0.0+] MarikoAulaMicron1y4gb | ||
+ | |- | ||
+ | | 28 | ||
+ | | [11.0.0+] MarikoAulaSamsung1y8gbX | ||
+ | |- | ||
+ | | 29 | ||
+ | | [16.0.0+] MarikoIowaHynix1a4gb ([15.0.0-15.0.1] MarikoIowax1x2Samsung4gb) | ||
+ | |- | ||
+ | | 30 | ||
+ | | [16.0.0+] MarikoHoagHynix1a4gb ([15.0.0-15.0.1] MarikoHoagx1x2Samsung4gb) | ||
+ | |- | ||
+ | | 31 | ||
+ | | [16.0.0+] MarikoAulaHynix1a4gb ([15.0.0-15.0.1] MarikoAulax1x2Samsung4gb) | ||
+ | |- | ||
+ | | 32 | ||
+ | | [16.0.0+] MarikoIowaMicron1a4gb ([15.0.0-15.0.1] MarikoIowaSamsung4gbY) | ||
+ | |- | ||
+ | | 33 | ||
+ | | [16.0.0+] MarikoHoagMicron1a4gb ([15.0.0-15.0.1] MarikoHoagSamsung4gbY) | ||
+ | |- | ||
+ | | 34 | ||
+ | | [16.0.0+] MarikoAulaMicron1a4gb ([15.0.0-15.0.1] MarikoAulaSamsung4gbY) | ||
|} | |} | ||
Line 323: | Line 357: | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
− | ! | + | ! SocType |
! Platform | ! Platform | ||
! DramId | ! DramId | ||
! Revision | ! Revision | ||
− | ! DVFS | + | ! DVFS |
|- | |- | ||
− | | | + | | Erista |
| jetson-tx1 | | jetson-tx1 | ||
| N/A | | N/A | ||
Line 345: | Line 379: | ||
11_1600000_02_V9.8.3_V1.6 | 11_1600000_02_V9.8.3_V1.6 | ||
|- | |- | ||
− | | | + | | Erista |
| nx-abcb | | nx-abcb | ||
| EristaIcosaSamsung4gb | | EristaIcosaSamsung4gb | ||
Line 361: | Line 395: | ||
10_1600000_NoCfgVersion_V9.8.7_V1.6 | 10_1600000_NoCfgVersion_V9.8.7_V1.6 | ||
|- | |- | ||
− | | | + | | Erista |
| nx-abcb | | nx-abcb | ||
| EristaIcosaMicron4gb | | EristaIcosaMicron4gb | ||
Line 377: | Line 411: | ||
10_1600000_NoCfgVersion_V9.8.4_V1.6 | 10_1600000_NoCfgVersion_V9.8.4_V1.6 | ||
|- | |- | ||
− | | | + | | Erista |
| nx-abcb | | nx-abcb | ||
| EristaIcosaHynix4gb | | EristaIcosaHynix4gb | ||
Line 393: | Line 427: | ||
10_1600000_NoCfgVersion_V9.8.4_V1.6 | 10_1600000_NoCfgVersion_V9.8.4_V1.6 | ||
|- | |- | ||
− | | | + | | Erista |
| nx-abca2 | | nx-abca2 | ||
| EristaIcosaSamsung4gb, EristaIcosaMicron4gb | | EristaIcosaSamsung4gb, EristaIcosaMicron4gb | ||
Line 409: | Line 443: | ||
10_1600000_NoCfgVersion_V9.8.7_V1.6 | 10_1600000_NoCfgVersion_V9.8.7_V1.6 | ||
|- | |- | ||
− | | | + | | Erista |
| nx-abca2 | | nx-abca2 | ||
| EristaIcosaHynix4gb | | EristaIcosaHynix4gb | ||
Line 425: | Line 459: | ||
10_1600000_NoCfgVersion_V9.8.7_V1.6 | 10_1600000_NoCfgVersion_V9.8.7_V1.6 | ||
|- | |- | ||
− | | | + | | Erista |
| nx-abca2 | | nx-abca2 | ||
| EristaIcosaSamsung6gb | | EristaIcosaSamsung6gb | ||
Line 441: | Line 475: | ||
10_1600000_NoCfgVersion_V9.8.7_V1.6 | 10_1600000_NoCfgVersion_V9.8.7_V1.6 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowax1x2Samsung4gb | | MarikoIowax1x2Samsung4gb | ||
| 0x03 | | 0x03 | ||
Line 450: | Line 484: | ||
01_1600000_NoCfgVersion_V0.3.1_V2.0 | 01_1600000_NoCfgVersion_V0.3.1_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaSamsung4gb, MarikoHoagSamsung4gb | | MarikoIowaSamsung4gb, MarikoHoagSamsung4gb | ||
| 0x03 | | 0x03 | ||
Line 459: | Line 493: | ||
01_1600000_NoCfgVersion_V0.3.1_V2.0 | 01_1600000_NoCfgVersion_V0.3.1_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaSamsung8gb, MarikoHoagSamsung8gb | | MarikoIowaSamsung8gb, MarikoHoagSamsung8gb | ||
| 0x03 | | 0x03 | ||
Line 468: | Line 502: | ||
01_1600000_NoCfgVersion_V0.4.2_V2.0 | 01_1600000_NoCfgVersion_V0.4.2_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaHynix4gb, MarikoHoagHynix4gb | | MarikoIowaHynix4gb, MarikoHoagHynix4gb | ||
| 0x03 | | 0x03 | ||
Line 477: | Line 511: | ||
01_1600000_NoCfgVersion_V0.3.1_V2.0 | 01_1600000_NoCfgVersion_V0.3.1_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaMicron4gb, MarikoHoagMicron4gb | | MarikoIowaMicron4gb, MarikoHoagMicron4gb | ||
| 0x03 | | 0x03 | ||
Line 486: | Line 520: | ||
01_1600000_NoCfgVersion_V0.4.2_V2.0 | 01_1600000_NoCfgVersion_V0.4.2_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaSamsung4gbY | | MarikoIowaSamsung4gbY | ||
| 0x03 | | 0x03 | ||
Line 495: | Line 529: | ||
01_1600000_NoCfgVersion_V0.4.2_V2.0 | 01_1600000_NoCfgVersion_V0.4.2_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaSamsung1y4gbX | | MarikoIowaSamsung1y4gbX | ||
| 0x03 | | 0x03 | ||
Line 504: | Line 538: | ||
01_1600000_NoCfgVersion_V0.4.2_V2.0 | 01_1600000_NoCfgVersion_V0.4.2_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaSamsung1y8gbX | | MarikoIowaSamsung1y8gbX | ||
| 0x03 | | 0x03 | ||
Line 513: | Line 547: | ||
01_1600000_NoCfgVersion_V0.4.2_V2.0 | 01_1600000_NoCfgVersion_V0.4.2_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoHoagSamsung1y4gbX | | MarikoHoagSamsung1y4gbX | ||
| 0x03 | | 0x03 | ||
Line 522: | Line 556: | ||
01_1600000_NoCfgVersion_V0.4.2_V2.0 | 01_1600000_NoCfgVersion_V0.4.2_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaSamsung1y4gbY | | MarikoIowaSamsung1y4gbY | ||
| 0x03 | | 0x03 | ||
Line 531: | Line 565: | ||
01_1600000_NoCfgVersion_V0.4.2_V2.0 | 01_1600000_NoCfgVersion_V0.4.2_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaSamsung1y8gbY | | MarikoIowaSamsung1y8gbY | ||
| 0x03 | | 0x03 | ||
Line 540: | Line 574: | ||
01_1600000_NoCfgVersion_V0.4.2_V2.0 | 01_1600000_NoCfgVersion_V0.4.2_V2.0 | ||
|- | |- | ||
− | | | + | | Mariko |
− | | nx-abca2, nx-abcb, nx-abcc | + | | nx-abca2, nx-abcb, nx-abcc, nx-abcd |
| MarikoIowaSamsung1y4gbA | | MarikoIowaSamsung1y4gbA | ||
| 0x03 | | 0x03 | ||
Line 550: | Line 584: | ||
|} | |} | ||
− | '''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail and | + | '''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors. |
+ | |||
+ | '''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is unreleased. Among other differences, this has extra hardware to support HDMI output. | ||
− | '''nx- | + | [8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors. |
− | [ | + | [10.0.0+] '''nx-abcd''' ('''Aula''') was added for the OLED Model retail and ADEV form factors. |
'''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X. | '''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X. | ||
Line 562: | Line 598: | ||
===== FuseVersion ===== | ===== FuseVersion ===== | ||
− | The current [[Package2#Versions| | + | The current [[Package2#Versions|bootloader maximum version]] - 1. |
===== HardwareType ===== | ===== HardwareType ===== | ||
− | [1.0.0+] This item is obtained by checking bits 8 and 2 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | + | {| class=wikitable |
− | + | ! Value || Description | |
− | + | |- | |
− | + | | 0 || Icosa | |
+ | |- | ||
+ | | 1 || Copper | ||
+ | |- | ||
+ | | 2 || [8.0.0+] Hoag ([1.0.0-7.0.1] Invalid) | ||
+ | |- | ||
+ | | 3 || [4.0.0+] Iowa | ||
+ | |- | ||
+ | | 4 || [8.0.0+] Calcio | ||
+ | |- | ||
+ | | 5 || [10.0.0+] Aula | ||
+ | |- | ||
+ | | 15 || Invalid | ||
+ | |} | ||
+ | |||
+ | [1.0.0+] This item is obtained by checking bits 8 and 2 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | ||
+ | |||
+ | [4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | ||
− | + | [7.0.0+] This item can now only be 0 (Icosa) or 15 (Invalid) in Erista units. | |
− | + | Hardware is '''Icosa''' (Erista retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 1 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 0. | |
− | |||
− | |||
− | |||
− | |||
− | + | Hardware is '''Copper''' (unreleased Erista model) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1. | |
− | [ | + | [4.0.0+] Hardware is '''Iowa''' (Mariko retail, EDEV and SDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 1. |
− | [8.0.0+] | + | [8.0.0+] Hardware is '''Hoag''' (Mariko Lite retail and HDEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 2. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | [8.0.0+] Hardware is '''Calcio''' (unreleased Mariko model) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType1]] (bit 2) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType2]] (bit 8) is 1. | |
− | ===== | + | [10.0.0+] Hardware is '''Aula''' (Mariko OLED Model retail and ADEV) if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareType3]] (bits 16-19) is 4. |
− | This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | + | |
+ | ===== HardwareState ===== | ||
+ | {| class=wikitable | ||
+ | ! Value || Description | ||
+ | |- | ||
+ | | 0 || Development | ||
+ | |- | ||
+ | | 1 || Production | ||
+ | |- | ||
+ | | 2 || Invalid | ||
+ | |} | ||
+ | |||
+ | This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | ||
+ | |||
+ | Hardware is '''Development''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 3 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 0. | ||
+ | |||
+ | Hardware is '''Production''' if [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState1]] (bits 0-1) is 0 and [[Fuse_registers#FUSE_RESERVED_ODM4|HardwareState2]] (bit 9) is 1. | ||
===== IsRecoveryBoot ===== | ===== IsRecoveryBoot ===== | ||
Line 665: | Line 724: | ||
|} | |} | ||
− | ===== | + | ===== IsDevelopmentFunctionEnabled ===== |
− | Kernel uses this to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail. | + | Kernel uses this to determine behavior of [[SVC#svcBreak|svcBreak]] positive arguments. It will break instead of just force-exiting the process which is what happens on retail. |
[2.0.0+] This is also used with certain debug [[SVC|SVCs]]. | [2.0.0+] This is also used with certain debug [[SVC|SVCs]]. | ||
Line 685: | Line 744: | ||
|- | |- | ||
| 2 | | 2 | ||
− | | | + | | EnablePmuAccess |
|- | |- | ||
| 3 | | 3 | ||
− | | [8.0.0+] | + | | [8.0.0+] EnableExtraThreadResourceAllocation |
+ | |- | ||
+ | | 4 | ||
+ | | [13.0.0+] DisableDynamicSystemResourceAllocation | ||
|- | |- | ||
| 8 | | 8 | ||
Line 699: | Line 761: | ||
Kernel reads this when setting up memory-related code. | Kernel reads this when setting up memory-related code. | ||
− | EnableNonZeroFillMemory is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. | + | '''EnableNonZeroFillMemory''' is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. |
− | EnableUserExceptionHandler is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers). | + | '''EnableUserExceptionHandler''' is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers). |
− | + | '''EnablePmuAccess''' is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0). | |
− | + | '''EnableExtraThreadResourceAllocation''' is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads. | |
− | CallShowErrorOnPanic is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping. | + | '''CallShowErrorOnPanic''' is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping. |
− | MemorySize determines how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB. | + | '''MemorySize''' determines how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB. |
===== IsChargerHiZModeEnabled ===== | ===== IsChargerHiZModeEnabled ===== | ||
This tells if the TI Charger (bq24192) is active. | This tells if the TI Charger (bq24192) is active. | ||
− | ===== | + | ===== RetailInteractiveDisplayState ===== |
+ | {| class=wikitable | ||
+ | ! Value || Description | ||
+ | |- | ||
+ | | 0 || Disabled | ||
+ | |- | ||
+ | | 1 || Enabled | ||
+ | |} | ||
+ | |||
This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. | ||
Line 723: | Line 793: | ||
|- | |- | ||
! Value | ! Value | ||
− | ! | + | ! SocType |
! GPU | ! GPU | ||
! Power Blocks | ! Power Blocks | ||
|- | |- | ||
| 0 | | 0 | ||
− | | | + | | Erista |
| GM20B (0x12B) | | GM20B (0x12B) | ||
| max77620_sd0, max77621_cpu and max77621_gpu | | max77620_sd0, max77621_cpu and max77621_gpu | ||
|- | |- | ||
| 1 | | 1 | ||
− | | | + | | Mariko |
| GM20B_B (0x12E) | | GM20B_B (0x12E) | ||
| max77620_sd0, max77812_cpu and max77812_gpu | | max77620_sd0, max77812_cpu and max77812_gpu | ||
|- | |- | ||
| 2 | | 2 | ||
− | | | + | | Mariko |
| GM20B_B (0x12E) | | GM20B_B (0x12E) | ||
| max77620_sd0, max77812_cpu and max77812_gpu | | max77620_sd0, max77812_cpu and max77812_gpu | ||
|} | |} | ||
− | |||
− | |||
[5.0.0+] [[PCV_services|PCV]] uses this value in combination with [[#HardwareType|HardwareType]] to configure power blocks and memory tables for different hardware. | [5.0.0+] [[PCV_services|PCV]] uses this value in combination with [[#HardwareType|HardwareType]] to configure power blocks and memory tables for different hardware. | ||
Line 755: | Line 823: | ||
This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead. | This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead. | ||
− | === | + | === ShowError === |
− | + | Takes an u32 '''Color''' and issues a system panic. | |
− | |||
− | |||
− | |||
− | |||
− | Takes an u32 ''' | ||
− | The kernel always calls this with ''' | + | The kernel always calls this with '''Color''' set to 0xF00. |
− | === | + | === SetKernelCarveoutRegion === |
− | Takes an u64 ''' | + | Takes an u64 '''Index''', an u64 '''Address''' and an u64 '''Size'''. Returns [[#Result]]. |
− | If ''' | + | If '''Index''' is 0, '''Address''' and '''Size''' are used to configure '''MC_SECURITY_CARVEOUT4'''. |
− | If ''' | + | If '''Index''' is 1, '''Address''' and '''Size''' are used to configure '''MC_SECURITY_CARVEOUT5'''. |
− | Any other ''' | + | Any other '''Index''' values are invalid. |
− | The kernel calls this with ''' | + | The kernel calls this with '''Index''' set to 0, '''Address''' set to 0x80060000 and '''Size''' set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions. |
=== ReadWriteRegister === | === ReadWriteRegister === | ||
− | Takes an u64 ''' | + | Takes an u64 '''Register''', an u32 '''Mask''' and an u32 '''InValue'''. Returns [[#Result]] and an u32 '''OutValue'''. |
Relays [[SVC#svcReadWriteRegister|svcReadWriteRegister]] to the Secure Monitor. | Relays [[SVC#svcReadWriteRegister|svcReadWriteRegister]] to the Secure Monitor. | ||
Line 787: | Line 850: | ||
| 1 || RsaPrivate | | 1 || RsaPrivate | ||
|- | |- | ||
− | | 2 || | + | | 2 || SecureExpMod |
+ | |- | ||
+ | | 3 || RsaOaep | ||
+ | |- | ||
+ | | 4 || [5.0.0+] RsaImport | ||
|- | |- | ||
− | | | + | | 5 || [5.0.0+] |
+ | |- | ||
+ | | 6 || [5.0.0+] | ||
|} | |} | ||
− | |||
− | |||
= CipherMode = | = CipherMode = | ||
Line 829: | Line 896: | ||
|- | |- | ||
| 2 || Drm | | 2 || Drm | ||
+ | |} | ||
+ | |||
+ | = EsKeyType = | ||
+ | {| class=wikitable | ||
+ | ! Value || Name | ||
+ | |- | ||
+ | | 0 || TitleKey | ||
+ | |- | ||
+ | | 1 || ElicenseKey | ||
|} | |} | ||
Line 847: | Line 923: | ||
| 5 || Invalid async operation | | 5 || Invalid async operation | ||
|- | |- | ||
− | | [8.0.0+] | + | | 6 || [8.0.0+] Not permitted |
|} | |} |
Latest revision as of 00:58, 6 March 2024
SMC
The secure monitor provides two top level handlers of which each provides a range of sub handlers.
Secure Monitor calls follow the ARM SMC calling convention with a small change:
Bits | Description |
---|---|
0-7 | Function Number |
8-15 | Argument Type |
16-23 | Reserved |
24-29 | Call Range |
30 | Call Convention (0 = SMC32, 1 = SMC64) |
31 | Call Type (0 = Yielding Call, 1 = Fast Call) |
If bit n is set in the argument type then parameter Xn is treated as a pointer and the kernel will setup address translation for it in svcCallSecureMonitor.
SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call.
FunctionId0
Functions exposed to user-mode processes using svcCallSecureMonitor. SMCs should be called from CPUID 3 (where SPL runs).
Value | Name |
---|---|
0xC3000401 | SetConfig |
0xC3000002 | GetConfig (same as in #FunctionId1) |
0xC3000003 | GetResult |
0xC3000404 | GetResultData |
0xC3000E05 | ModularExponentiate |
0xC3000006 | GenerateRandomBytes (same as in #FunctionId1) |
0xC3000007 | GenerateAesKek |
0xC3000008 | LoadAesKey |
0xC3000009 | ComputeAes |
0xC300000A | GenerateSpecificAesKey |
0xC300040B | ComputeCmac |
[1.0.0-4.1.0] 0xC300100C | DecryptAndImportEsDeviceKey |
[5.0.0+] 0xC300D60C | ReencryptDeviceUniqueData |
0xC300100D | DecryptDeviceUniqueData |
[1.0.0-4.1.0] 0xC300100E | DecryptAndImportLotusKey |
0xC300060F | ModularExponentiateByStorageKey |
0xC3000610 | PrepareEsDeviceUniqueKey |
0xC3000011 | LoadPreparedAesKey |
0xC3000012 | [2.0.0+] PrepareEsCommonKey |
The overall concept here is the following:
- All key material (AES and RSA) is stored in userspace, but it's encrypted with random AES kek's ("key encryption keys").
- Each kek is generated as a function of an access key (picked at random).
- The kek is generated differently depending on the #CryptoUsecase the key is used for.
- This means: Each key is "locked" to the #CryptoUsecase it was designated for.
- You can use a key for a different usecase, but you will only get garbage output.
- After the kek has been generated, it is wrapped with a session-specific key and given back to userspace.
- This means: Plaintext kek keys never leave TrustZone.
- Further, this means: Actual AES/RSA keys never leave TrustZone.
GenerateRandomBytes
Takes an u64 Size. Returns #Result and RandomBytes.
Size is limited to 0x38 (for fitting in return registers).
GenerateAesKek
Takes an "access key" as input, an #CryptoUsecase.
Returns a session-unique kek for said usecase.
LoadAesKey
Takes a session kek created with #GenerateAesKek, and a wrapped AES key.
The session kek must have been created with CryptoUsecase Aes.
ComputeAes
Encrypts/decrypts using AES (CTR and CBC). Takes an #CipherMode.
Key must be set prior using one of the #LoadAesKey or #GenerateSpecificAesKey commands.
GenerateSpecificAesKey
Takes a wrapped AES key and decrypts it using static data.
ComputeCmac
Calculates CMAC over input data.
DecryptAndImportEsDeviceKey
Takes a session kek created with #GenerateAesKek, a wrapped AES key, and a wrapped RSA private key.
The session kek must have been created with CryptoUsecase TitleKey.
[5.0.0] This function was removed and replaced with #ReencryptDeviceUniqueData.
ReencryptDeviceUniqueData
Takes in two session keks created with #GenerateAesKek, two wrapped AES keys, an enum member, and a wrapped RSA private key.
Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid.
The re-encrypted key is then passed to the user, for use with #DecryptDeviceUniqueData.
DecryptDeviceUniqueData
Takes a session kek created with #GenerateAesKek, a wrapped AES key, an enum member, and a wrapped RSA private key.
The session kek must have been created with CryptoUsecase RsaPrivate.
[4.0.0+] The SMC handler when certain conditions pass and FunctionId0==0xC300100D now returns error 0x6 instead of calling the handler funcptr.
[5.0.0+] This function now takes an additional input #DecryptOrImportMode. This extends the original functionality to enable importing private keys into the security engine instead of decrypting them.
DecryptAndImportLotusKey
Takes a session kek created with #GenerateAesKek, and a wrapped RSA key.
The session kek must have been created with CryptoUsecase RsaSecureExpMod.
[5.0.0] This function was removed.
ModularExponentiateByStorageKey
Performs an ExpMod operation using an exponent previously loaded with the #DecryptAndImportLotusKey command.
[5.0.0+] This now uses any exponent previously loaded with #DecryptDeviceUniqueData and takes an #SecureExpModMode.
PrepareEsDeviceUniqueKey
Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash.
Performs an ExpMod operation using an exponent previously loaded with the #DecryptAndImportEsDeviceKey command, and then validates/extracts a Titlekey from the resulting message.
Returns a session-unique AES key especially for use in #LoadTitleKey.
[5.0.0+] This now uses any exponent previously loaded with #DecryptDeviceUniqueData.
LoadPreparedAesKey
Takes a session-unique AES key from #PrepareEsCommonKey or #PrepareEsDeviceUniqueKey.
PrepareEsCommonKey
Takes an AES-wrapped common TitleKey and returns a sealed AES key.
FunctionId1
Functions exposed to the kernel internally.
Value | Name |
---|---|
0xC4000001 | SuspendCpu |
0x84000002 | PowerOffCpu |
0xC4000003 | PowerOnCpu |
0xC3000004 | GetConfig (same as in #FunctionId0) |
0xC3000005 | GenerateRandomBytesNonBlocking |
0xC3000006 | ShowError |
0xC3000007 | [2.0.0+] SetKernelCarveoutRegion |
0xC3000008 | [2.0.0+] ReadWriteRegister |
SuspendCpu
Takes an u64 PowerState, an u64 EntrypointAddress and an u64 ContextId. No output.
Suspends the CPU (CPU0).
The kernel calls this SMC on shutdown with PowerState set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).
PowerOffCpu
No input/output.
Turns off the CPU (CPU1, CPU2 or CPU3).
PowerOnCpu
Takes an u64 TargetCpu, an u64 EntrypointAddress and an u64 ContextId. Returns #Result.
Turns on the CPU (CPU1, CPU2 or CPU3).
GetConfig
Takes a #ConfigItem. Returns #Result and a ConfigValue.
ConfigItem
Value | Name |
---|---|
1 | #DisableProgramVerification |
2 | #DramId |
3 | #SecurityEngineInterruptNumber |
4 | #FuseVersion |
5 | #HardwareType |
6 | #HardwareState |
7 | #IsRecoveryBoot |
8 | #DeviceId |
9 | [1.0.0-4.0.0] #BootReason |
10 | #MemoryMode |
11 | #IsDevelopmentFunctionEnabled |
12 | #KernelConfiguration |
13 | #IsChargerHiZModeEnabled |
14 | [4.0.0+] #RetailInteractiveDisplayState |
15 | [5.0.0+] #RegulatorType |
16 | [5.0.0+] #DeviceUniqueKeyGeneration |
17 | [5.0.0+] #Package2Hash |
DisableProgramVerification
PM checks this item and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).
DramId
Value | Description |
---|---|
0 | EristaIcosaSamsung4gb |
1 | EristaIcosaHynix4gb |
2 | EristaIcosaMicron4gb |
3 | [11.0.0+] MarikoIowaHynix1y4gb ([1.0.0-10.2.0] EristaCopperSamsung4gb) |
4 | EristaIcosaSamsung6gb |
5 | [12.0.0+] MarikoHoagHynix1y4gb ([4.0.0-11.0.1] EristaCopperHynix4gb) |
6 | [13.0.0+] MarikoAulaHynix1y4gb ([4.0.0-12.1.0] EristaCopperMicron4gb) |
7 | [15.0.0+] Reserved ([5.0.0-14.1.2] MarikoIowax1x2Samsung4gb, [4.0.0-4.1.0] Reserved) |
8 | [5.0.0+] MarikoIowaSamsung4gb |
9 | [5.0.0+] MarikoIowaSamsung8gb |
10 | [6.0.0+] MarikoIowaHynix4gb ([5.0.0-5.1.0] Reserved) |
11 | [7.0.0+] MarikoIowaMicron4gb ([5.0.0-6.2.0] Reserved) |
12 | [5.0.0+] MarikoHoagSamsung4gb |
13 | [5.0.0+] MarikoHoagSamsung8gb |
14 | [7.0.0+] MarikoHoagHynix4gb ([5.0.0-6.2.0] Reserved) |
15 | [7.0.0+] MarikoHoagMicron4gb ([5.0.0-6.2.0] Reserved) |
16 | [15.0.0+] Reserved ([8.0.0-14.1.2] MarikoIowaSamsung4gbY) |
17 | [9.0.0+] MarikoIowaSamsung1y4gbX |
18 | [9.0.0+] MarikoIowaSamsung1y8gbX |
19 | [9.0.0+] MarikoHoagSamsung1y4gbX |
20 | [14.0.0+] MarikoIowaSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y4gbY) |
21 | [14.0.0+] MarikoHoagSamsung1z4gb ([9.0.0-13.2.1] MarikoIowaSamsung1y8gbY) |
22 | [14.0.0+] MarikoAulaSamsung1z4gb ([13.0.0-13.2.1] Reserved, [9.0.0-12.1.0] MarikoAulaSamsung1y4gb) |
23 | [10.0.0+] MarikoHoagSamsung1y8gbX |
24 | [10.0.0+] MarikoAulaSamsung1y4gbX |
25 | [11.0.0+] MarikoIowaMicron1y4gb |
26 | [11.0.0+] MarikoHoagMicron1y4gb |
27 | [11.0.0+] MarikoAulaMicron1y4gb |
28 | [11.0.0+] MarikoAulaSamsung1y8gbX |
29 | [16.0.0+] MarikoIowaHynix1a4gb ([15.0.0-15.0.1] MarikoIowax1x2Samsung4gb) |
30 | [16.0.0+] MarikoHoagHynix1a4gb ([15.0.0-15.0.1] MarikoHoagx1x2Samsung4gb) |
31 | [16.0.0+] MarikoAulaHynix1a4gb ([15.0.0-15.0.1] MarikoAulax1x2Samsung4gb) |
32 | [16.0.0+] MarikoIowaMicron1a4gb ([15.0.0-15.0.1] MarikoIowaSamsung4gbY) |
33 | [16.0.0+] MarikoHoagMicron1a4gb ([15.0.0-15.0.1] MarikoHoagSamsung4gbY) |
34 | [16.0.0+] MarikoAulaMicron1a4gb ([15.0.0-15.0.1] MarikoAulaSamsung4gbY) |
This is extracted directly from FUSE_RESERVED_ODM4.
PCV selects memory training tables based on DramId.
SocType | Platform | DramId | Revision | DVFS |
---|---|---|---|---|
Erista | jetson-tx1 | N/A | 0x07 |
11_40800_01_V9.8.3_V1.6 11_68000_01_V9.8.3_V1.6 11_102000_01_V9.8.3_V1.6 11_204000_05_V9.8.3_V1.6 11_408000_02_V9.8.3_V1.6 11_665600_03_V9.8.3_V1.6 11_800000_01_V9.8.3_V1.6 11_1065600_01_V9.8.3_V1.6 11_1331200_01_V9.8.3_V1.6 11_1600000_02_V9.8.3_V1.6 |
Erista | nx-abcb | EristaIcosaSamsung4gb | 0x07 |
10_40800_NoCfgVersion_V9.8.7_V1.6 10_68000_NoCfgVersion_V9.8.7_V1.6 10_102000_NoCfgVersion_V9.8.7_V1.6 10_204000_NoCfgVersion_V9.8.7_V1.6 10_408000_NoCfgVersion_V9.8.7_V1.6 10_665600_NoCfgVersion_V9.8.7_V1.6 10_800000_NoCfgVersion_V9.8.7_V1.6 10_1065600_NoCfgVersion_V9.8.7_V1.6 10_1331200_NoCfgVersion_V9.8.7_V1.6 10_1600000_NoCfgVersion_V9.8.7_V1.6 |
Erista | nx-abcb | EristaIcosaMicron4gb | 0x07 |
10_40800_NoCfgVersion_V9.8.4_V1.6 10_68000_NoCfgVersion_V9.8.4_V1.6 10_102000_NoCfgVersion_V9.8.4_V1.6 10_204000_NoCfgVersion_V9.8.4_V1.6 10_408000_NoCfgVersion_V9.8.4_V1.6 10_665600_NoCfgVersion_V9.8.4_V1.6 10_800000_NoCfgVersion_V9.8.4_V1.6 10_1065600_NoCfgVersion_V9.8.4_V1.6 10_1331200_NoCfgVersion_V9.8.4_V1.6 10_1600000_NoCfgVersion_V9.8.4_V1.6 |
Erista | nx-abcb | EristaIcosaHynix4gb | 0x07 |
10_40800_NoCfgVersion_V9.8.4_V1.6 10_68000_NoCfgVersion_V9.8.4_V1.6 10_102000_NoCfgVersion_V9.8.4_V1.6 10_204000_NoCfgVersion_V9.8.4_V1.6 10_408000_NoCfgVersion_V9.8.4_V1.6 10_665600_NoCfgVersion_V9.8.4_V1.6 10_800000_NoCfgVersion_V9.8.4_V1.6 10_1065600_NoCfgVersion_V9.8.4_V1.6 10_1331200_NoCfgVersion_V9.8.4_V1.6 10_1600000_NoCfgVersion_V9.8.4_V1.6 |
Erista | nx-abca2 | EristaIcosaSamsung4gb, EristaIcosaMicron4gb | 0x07 |
10_40800_NoCfgVersion_V9.8.7_V1.6 10_68000_NoCfgVersion_V9.8.7_V1.6 10_102000_NoCfgVersion_V9.8.7_V1.6 10_204000_NoCfgVersion_V9.8.7_V1.6 10_408000_NoCfgVersion_V9.8.7_V1.6 10_665600_NoCfgVersion_V9.8.7_V1.6 10_800000_NoCfgVersion_V9.8.7_V1.6 10_1065600_NoCfgVersion_V9.8.7_V1.6 10_1331200_NoCfgVersion_V9.8.7_V1.6 10_1600000_NoCfgVersion_V9.8.7_V1.6 |
Erista | nx-abca2 | EristaIcosaHynix4gb | 0x07 |
10_40800_NoCfgVersion_V9.8.7_V1.6 10_68000_NoCfgVersion_V9.8.7_V1.6 10_102000_NoCfgVersion_V9.8.7_V1.6 10_204000_NoCfgVersion_V9.8.7_V1.6 10_408000_NoCfgVersion_V9.8.7_V1.6 10_665600_NoCfgVersion_V9.8.7_V1.6 10_800000_NoCfgVersion_V9.8.7_V1.6 10_1065600_NoCfgVersion_V9.8.7_V1.6 10_1331200_NoCfgVersion_V9.8.7_V1.6 10_1600000_NoCfgVersion_V9.8.7_V1.6 |
Erista | nx-abca2 | EristaIcosaSamsung6gb | 0x07 |
10_40800_NoCfgVersion_V9.8.7_V1.6 10_68000_NoCfgVersion_V9.8.7_V1.6 10_102000_NoCfgVersion_V9.8.7_V1.6 10_204000_NoCfgVersion_V9.8.7_V1.6 10_408000_NoCfgVersion_V9.8.7_V1.6 10_665600_NoCfgVersion_V9.8.7_V1.6 10_800000_NoCfgVersion_V9.8.7_V1.6 10_1065600_NoCfgVersion_V9.8.7_V1.6 10_1331200_NoCfgVersion_V9.8.7_V1.6 10_1600000_NoCfgVersion_V9.8.7_V1.6 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowax1x2Samsung4gb | 0x03 |
01_204000_NoCfgVersion_V0.3.1_V2.0 01_1331200.0_NoCfgVersion_V0.3.1_V2.0 01_1600000_NoCfgVersion_V0.3.1_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaSamsung4gb, MarikoHoagSamsung4gb | 0x03 |
01_204000_NoCfgVersion_V0.3.1_V2.0 01_1331200.0_NoCfgVersion_V0.3.1_V2.0 01_1600000_NoCfgVersion_V0.3.1_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaSamsung8gb, MarikoHoagSamsung8gb | 0x03 |
01_204000_NoCfgVersion_V0.4.2_V2.0 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaHynix4gb, MarikoHoagHynix4gb | 0x03 |
01_204000_NoCfgVersion_V0.3.1_V2.0 01_1331200.0_NoCfgVersion_V0.3.1_V2.0 01_1600000_NoCfgVersion_V0.3.1_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaMicron4gb, MarikoHoagMicron4gb | 0x03 |
01_204000_NoCfgVersion_V0.4.2_V2.0 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaSamsung4gbY | 0x03 |
01_204000_NoCfgVersion_V0.4.2_V2.0 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaSamsung1y4gbX | 0x03 |
01_204000_NoCfgVersion_V0.4.2_V2.0 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaSamsung1y8gbX | 0x03 |
01_204000_NoCfgVersion_V0.4.2_V2.0 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoHoagSamsung1y4gbX | 0x03 |
01_204000_NoCfgVersion_V0.4.2_V2.0 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaSamsung1y4gbY | 0x03 |
01_204000_NoCfgVersion_V0.4.2_V2.0 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaSamsung1y8gbY | 0x03 |
01_204000_NoCfgVersion_V0.4.2_V2.0 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
Mariko | nx-abca2, nx-abcb, nx-abcc, nx-abcd | MarikoIowaSamsung1y4gbA | 0x03 |
01_204000_NoCfgVersion_V0.4.5_V2.0 01_1331200.0_NoCfgVersion_V0.4.5_V2.0 01_1600000_NoCfgVersion_V0.4.5_V2.0 |
nx-abca2 (Icosa in Erista, Iowa in Mariko) hardware types are variations of the retail, EDEV and SDEV form factors.
nx-abcb (Copper in Erista, Calcio in Mariko) is unreleased. Among other differences, this has extra hardware to support HDMI output.
[8.0.0+] nx-abcc (Hoag) was added for the Lite retail and HDEV form factors.
[10.0.0+] nx-abcd (Aula) was added for the OLED Model retail and ADEV form factors.
Erista memory is LPDDR4, while Mariko memory is LPDDR4X.
SecurityEngineInterruptNumber
SPL uses this for setting up the security engine IRQ.
FuseVersion
The current bootloader maximum version - 1.
HardwareType
Value | Description |
---|---|
0 | Icosa |
1 | Copper |
2 | [8.0.0+] Hoag ([1.0.0-7.0.1] Invalid) |
3 | [4.0.0+] Iowa |
4 | [8.0.0+] Calcio |
5 | [10.0.0+] Aula |
15 | Invalid |
[1.0.0+] This item is obtained by checking bits 8 and 2 from FUSE_RESERVED_ODM4.
[4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from FUSE_RESERVED_ODM4.
[7.0.0+] This item can now only be 0 (Icosa) or 15 (Invalid) in Erista units.
Hardware is Icosa (Erista retail, EDEV and SDEV) if HardwareType1 (bit 2) is 1 and HardwareType2 (bit 8) is 0.
Hardware is Copper (unreleased Erista model) if HardwareType1 (bit 2) is 0 and HardwareType2 (bit 8) is 1.
[4.0.0+] Hardware is Iowa (Mariko retail, EDEV and SDEV) if HardwareType3 (bits 16-19) is 1.
[8.0.0+] Hardware is Hoag (Mariko Lite retail and HDEV) if HardwareType3 (bits 16-19) is 2.
[8.0.0+] Hardware is Calcio (unreleased Mariko model) if HardwareType1 (bit 2) is 0 and HardwareType2 (bit 8) is 1.
[10.0.0+] Hardware is Aula (Mariko OLED Model retail and ADEV) if HardwareType3 (bits 16-19) is 4.
HardwareState
Value | Description |
---|---|
0 | Development |
1 | Production |
2 | Invalid |
This item is obtained by checking bits 9 and 0-1 from FUSE_RESERVED_ODM4.
Hardware is Development if HardwareState1 (bits 0-1) is 3 and HardwareState2 (bit 9) is 0.
Hardware is Production if HardwareState1 (bits 0-1) is 0 and HardwareState2 (bit 9) is 1.
IsRecoveryBoot
Used to determine if the system is booting from SafeMode firmware.
Under normal circumstances, this just returns bit 0 of the active bootloader info's attribute field.
DeviceId
NIM checks if this item matches the set:cal DeviceId with byte7 cleared. If they don't match, a panic is thrown.
BootReason
Value | Description |
---|---|
0 | Invalid |
1 | AcOk |
2 | OnKey |
3 | RtcAlarm1 |
4 | RtcAlarm2 |
Used to determine how the system booted.
MemoryMode
Bits | Description |
---|---|
0-3 | Purpose (0 = None, 1 = ForStandard, 2 = ForAppletDev, 3 = ForSystemDev) |
4-7 | Size (0 = 4GB, 1 = 6GB, 2 = 8GB) |
PM and the kernel decide memory arrangement based on MemoryMode.
MemoryArrange | MemoryMode | Description |
---|---|---|
0 | 0x01 | Standard |
1 | 0x02 | StandardForAppletDev |
2 | 0x03 | StandardForSystemDev |
3 | 0x11 | Expanded |
4 | 0x12 | ExpandedForAppletDev |
5 | 0x21 | ExpandedForMarikoDev |
IsDevelopmentFunctionEnabled
Kernel uses this to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail.
[2.0.0+] This is also used with certain debug SVCs.
[3.0.0+] RO checks this and if set then skipping NRR rsa signatures is allowed.
KernelConfiguration
Bits | Description |
---|---|
0 | EnableNonZeroFillMemory |
1 | EnableUserExceptionHandler |
2 | EnablePmuAccess |
3 | [8.0.0+] EnableExtraThreadResourceAllocation |
4 | [13.0.0+] DisableDynamicSystemResourceAllocation |
8 | CallShowErrorOnPanic |
16-17 | MemorySize |
Kernel reads this when setting up memory-related code.
EnableNonZeroFillMemory is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs.
EnableUserExceptionHandler is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).
EnablePmuAccess is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).
EnableExtraThreadResourceAllocation is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.
CallShowErrorOnPanic is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.
MemorySize determines how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB.
IsChargerHiZModeEnabled
This tells if the TI Charger (bq24192) is active.
RetailInteractiveDisplayState
Value | Description |
---|---|
0 | Disabled |
1 | Enabled |
This item is bit 10 from FUSE_RESERVED_ODM4.
[4.0.0+] Settings uses this value to overwrite the quest flag from GetQuestFlag. This is used to detect if a Switch is a kiosk unit for display at retail stores.
RegulatorType
Value | SocType | GPU | Power Blocks |
---|---|---|---|
0 | Erista | GM20B (0x12B) | max77620_sd0, max77621_cpu and max77621_gpu |
1 | Mariko | GM20B_B (0x12E) | max77620_sd0, max77812_cpu and max77812_gpu |
2 | Mariko | GM20B_B (0x12E) | max77620_sd0, max77812_cpu and max77812_gpu |
[5.0.0+] PCV uses this value in combination with HardwareType to configure power blocks and memory tables for different hardware.
DeviceUniqueKeyGeneration
This item is obtained from FUSE_RESERVED_ODM2 if bit 11 from FUSE_RESERVED_ODM4 is set, FUSE_RESERVED_ODM0 matches 0x8E61ECAE and FUSE_RESERVED_ODM1 matches 0xF2BA3BB2.
[5.0.0+] FS can now use this value for the KeyGeneration parameter when calling GenerateAesKek during "GetBisEncryptionKey".
Package2Hash
This is a SHA-256 hash calculated over the package2 image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.
ShowError
Takes an u32 Color and issues a system panic.
The kernel always calls this with Color set to 0xF00.
SetKernelCarveoutRegion
Takes an u64 Index, an u64 Address and an u64 Size. Returns #Result.
If Index is 0, Address and Size are used to configure MC_SECURITY_CARVEOUT4. If Index is 1, Address and Size are used to configure MC_SECURITY_CARVEOUT5. Any other Index values are invalid.
The kernel calls this with Index set to 0, Address set to 0x80060000 and Size set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions.
ReadWriteRegister
Takes an u64 Register, an u32 Mask and an u32 InValue. Returns #Result and an u32 OutValue.
Relays svcReadWriteRegister to the Secure Monitor.
CryptoUsecase
Value | Name |
---|---|
0 | Aes |
1 | RsaPrivate |
2 | SecureExpMod |
3 | RsaOaep |
4 | [5.0.0+] RsaImport |
5 | [5.0.0+] |
6 | [5.0.0+] |
CipherMode
Value | Name |
---|---|
0 | CbcEncrypt |
1 | CbcDecrypt |
2 | Ctr |
DecryptOrImportMode
Value | Name |
---|---|
0 | DecryptRsaPrivateKey |
1 | ImportLotusKey |
2 | ImportEsKey |
3 | ImportSslKey |
4 | ImportDrmKey |
SecureExpModMode
Value | Name |
---|---|
0 | Lotus |
1 | Ssl |
2 | Drm |
EsKeyType
Value | Name |
---|---|
0 | TitleKey |
1 | ElicenseKey |
Result
Value | Description |
---|---|
0 | Success |
1 | Not implemented |
2 | Invalid argument |
3 | In progress |
4 | No async operation |
5 | Invalid async operation |
6 | [8.0.0+] Not permitted |