TSEC: Difference between revisions

No edit summary
New findings
Line 1: Line 1:
TSEC (Tegra Security Engine Controller) is a dedicated unit powered by a NVIDIA Falcon microprocessor with crypto extensions.
TSEC (Tegra Security Co-processor) is a dedicated unit powered by a NVIDIA Falcon microprocessor with crypto extensions.


= Driver =
= Driver =
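Review bot: The changed expansion of the acronym on line 1, from "Tegra Security Engine Controller" to "Tegra Security Co-processor", arrives with no source, and one of the two revisions has no edit summary. Please cite where the new name comes from (for example a header or driver string) so the rename can be verified. While touching this sentence, "a NVIDIA" should read "an NVIDIA".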
Line 5: Line 5:


== Registers ==
== Registers ==
Registers from 0x54500000 to 0x54501000 are used to configure values for the host interface (HOST1X).
Registers from 0x54501000 to 0x54502000 are a MMIO window for communicating with the Falcon microprocessor. From this range, the subset of registers from 0x54501400 to 0x54501FE8 are specific to the TSEC.
Registers from 0x54501000 to 0x54502000 are a MMIO window for communicating with the Falcon microprocessor. From this range, the subset of registers from 0x54501400 to 0x54501FE8 are specific to the TSEC.


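Review bot: The added HOST1X sentence ends its range at 0x54501000, which is also the first address of the Falcon MMIO window in the next sentence, so the two ranges as written overlap by one register. State whether the upper bound is exclusive, or write the ranges as 0x54500000 to 0x54500FFF and 0x54501000 to 0x54501FFF. "a MMIO window" should also read "an MMIO window".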
Line 11: Line 13:
!  Address
!  Address
!  Width
!  Width
|-
| TSEC_THI_INT_STATUS
| 0x54500078
| 0x04
|-
| TSEC_THI_SLCG_OVERRIDE_HIGH_A
| 0x54500088
| 0x04
|-
| TSEC_THI_SLCG_OVERRIDE_LOW_A
| 0x5450008C
| 0x04
|-
| TSEC_THI_CLK_OVERRIDE
| 0x54500E00
| 0x04
|-
|-
| FALCON_IRQSSET
| FALCON_IRQSSET
Line 56: Line 74:
| 0x04
| 0x04
|-
|-
| FALCON_IDLESTATE
| [[#FALCON_IDLESTATE|FALCON_IDLESTATE]]
| 0x5450104C
| 0x5450104C
| 0x04
| 0x04
Line 74: Line 92:
| FALCON_SCRATCH3
| FALCON_SCRATCH3
| 0x54501084
| 0x54501084
| 0x04
|-
| FALCON_CGCTL
| 0x545010A0
| 0x04
| 0x04
|-
|-
Line 122: Line 144:
| FALCON_EXTERRSTAT
| FALCON_EXTERRSTAT
| 0x5450116C
| 0x5450116C
| 0x04
|-
| FALCON_CG2
| 0x5450117C
| 0x04
| 0x04
|-
|-
Line 220: Line 246:
| 0x04
| 0x04
|-
|-
| TSEC_AUTH_MODE
| [[#TSEC_SCP_CTL_STAT|TSEC_SCP_CTL_STAT]]
| 0x54501408
| 0x04
|-
| TSEC_SCP_CTL_AUTH_MODE
| 0x5450140C
| 0x5450140C
| 0x04
| 0x04
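Review bot: The renamed TSEC_SCP_CTL_AUTH_MODE row at 0x5450140C has no anchor link or bitfield section, while the new TSEC_SCP_CTL_STAT row directly above it does. Since the code at the end of the page writes 0 to this register to exit Authenticated Mode, a short section stating what the written value means would make that write checkable against the table.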
Line 226: Line 256:
| [[#TSEC_SCP_CTL_PKEY|TSEC_SCP_CTL_PKEY]]
| [[#TSEC_SCP_CTL_PKEY|TSEC_SCP_CTL_PKEY]]
| 0x54501418
| 0x54501418
| 0x04
|-
| TSEC_TFBIF_MCCIF_FIFOCTRL
| 0x54501604
| 0x04
| 0x04
|-
|-
Line 276: Line 310:


Used for enabling/disabling Falcon interfaces.
Used for enabling/disabling Falcon interfaces.
=== FALCON_IDLESTATE ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0
| FALCON_IDLESTATE_FALCON_BUSY
|-
|}
Used for detecting if Falcon is busy or not.


=== FALCON_CPUCTL ===
=== FALCON_CPUCTL ===
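Review bot: The new FALCON_IDLESTATE section does not state the polarity of bit 0. "Used for detecting if Falcon is busy or not" leaves open whether FALCON_IDLESTATE_FALCON_BUSY reads 1 while the core is busy or 1 when idle, and a poll loop written against the wrong sense would return before the firmware has finished. Please state the value that means busy.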
Line 283: Line 329:
|-
|-
| 0
| 0
| FALCON_CPUCTL_IINVAL
|-
| 1
| FALCON_CPUCTL_STARTCPU
| FALCON_CPUCTL_STARTCPU
|-
| 2
| FALCON_CPUCTL_SRESET
|-
| 3
| FALCON_CPUCTL_HRESET
|-
| 4
| FALCON_CPUCTL_HALTED
|-
| 5
| FALCON_CPUCTL_STOPPED
|-
|-
|}
|}


Used for signaling Falcon's CPU.
Used for signaling the Falcon CPU.


=== FALCON_BOOTVEC ===
=== FALCON_BOOTVEC ===
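Review bot: FALCON_CPUCTL_STARTCPU moves from bit 0 to bit 1 in this table, with FALCON_CPUCTL_IINVAL taking bit 0. Any literal written to FALCON_CPUCTL in the boot pseudocode elsewhere on the page is not part of this diff and should be checked against the new position. The description "Used for signaling the Falcon CPU" also no longer covers FALCON_CPUCTL_HALTED and FALCON_CPUCTL_STOPPED, which read as status bits rather than commands; say which bits are written and which are read back.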
Line 296: Line 357:
!  Bits
!  Bits
!  Description
!  Description
|-
| 0
| FALCON_DMACTL_REQUIRE_CTX
|-
|-
| 1
| 1
Line 302: Line 366:
| 2
| 2
| FALCON_DMACTL_IMEM_SCRUBBING
| FALCON_DMACTL_IMEM_SCRUBBING
|-
| 3-6
| FALCON_DMACTL_DMAQ_NUM
|-
| 7
| FALCON_DMACTL_SECURE_STAT
|-
|-
|}
|}
Line 317: Line 387:
!  Bits
!  Bits
!  Description
!  Description
|-
| 0
| FALCON_DMATRFCMD_FULL
|-
|-
| 1
| 1
| FALCON_DMATRFCMD_IDLE (this is set if the engine is idle)
| FALCON_DMATRFCMD_IDLE (this is set if the engine is idle)
|-
| 2-3
| FALCON_DMATRFCMD_SEC
|-
|-
| 4
| 4
| FALCON_DMATRFCMD_IMEM
| FALCON_DMATRFCMD_IMEM
|-
|-
| 9-10
| 5
| FALCON_DMATRFCMD_SIZE_256B
| FALCON_DMATRFCMD_WRITE
|-
| 8-10
| FALCON_DMATRFCMD_SIZE
|-
| 12-14
| FALCON_DMATRFCMD_CTXDMA
|-
|-
|}
|}
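Review bot: Replacing the row "9-10 FALCON_DMATRFCMD_SIZE_256B" with "8-10 FALCON_DMATRFCMD_SIZE" drops the only documented encoding of the transfer size. The old row named a concrete value; the new three-bit field gives none, so a reader can no longer tell which field value selects a 256-byte transfer. Please list the encodings, and add one-line descriptions for the new FULL, SEC, WRITE and CTXDMA fields in the style of the IDLE row.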
Line 333: Line 415:
=== FALCON_DMATRFFBOFFS ===
=== FALCON_DMATRFFBOFFS ===
Takes the offset for Falcon's target memory being transferred.
Takes the offset for Falcon's target memory being transferred.
=== TSEC_SCP_CTL_STAT ===
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 20
| TSEC_SCP_CTL_STAT_DEBUG_MODE
|-
|}


=== TSEC_SCP_CTL_PKEY ===
=== TSEC_SCP_CTL_PKEY ===
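Review bot: The new TSEC_SCP_CTL_STAT section has a table but no descriptive sentence, unlike the neighbouring sections. For TSEC_SCP_CTL_STAT_DEBUG_MODE at bit 20, state whether a set bit means debug mode is active and whether the bit is read-only status, since that is what anyone checking the unit's state would rely on.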
Line 354: Line 446:
| 16
| 16
| TSEC_TEGRA_CTL_TKFI_KFUSE
| TSEC_TEGRA_CTL_TKFI_KFUSE
|-
| 17
| TSEC_TEGRA_CTL_TKFI_RESTART_FSM_KFUSE
|-
| 24
| TSEC_TEGRA_CTL_TMPI_FORCE_IDLE_INPUTS_I2C
|-
| 25
| TSEC_TEGRA_CTL_TMPI_RESTART_FSM_HOST1X
|-
| 26
| TSEC_TEGRA_CTL_TMPI_RESTART_FSM_APB
|-
| 27
| TSEC_TEGRA_CTL_TMPI_DISABLE_OUTPUT_I2C
|-
|-
|}
|}
Line 422: Line 529:
== Firmware booting ==
== Firmware booting ==
Falcon is booted up and the first bootloader waits for it to finish.
Falcon is booted up and the first bootloader waits for it to finish.
  // Set something in host channel 0 (host1x) MMIO region
  // Set something in unknown host1x channel 0 sync register (HOST1X_SYNC_UNK_300)
// This appears to grant TSEC exclusive access to host1x
  *(u32 *)0x50003300 = 0x34C2E1DA;
  *(u32 *)0x50003300 = 0x34C2E1DA;
   
   
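Review bot: The added comment line "// This appears to grant TSEC exclusive access to host1x" has no leading spaces, while the lines around it are indented. In wiki markup that puts it outside the preformatted block and splits the code sample in two. Indent it to match the line above. The new name HOST1X_SYNC_UNK_300 is described as unknown while the next line asserts its effect; the "appears to" wording is appropriate, but a note on how this was observed would help.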
Line 464: Line 572:
== Device key generation ==
== Device key generation ==
The Falcon device key is generated by reading SOR registers modified by Falcon.
The Falcon device key is generated by reading SOR registers modified by Falcon.
  // Clear something in host channel 0 (host1x) MMIO region
  // Clear something in unknown host1x channel 0 sync register (HOST1X_SYNC_UNK_300)
// This appears to revoke TSEC's exclusive access to host1x
  *(u32 *)0x50003300 = 0;
  *(u32 *)0x50003300 = 0;
   
   
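Review bot: Same indentation problem as in the Firmware booting hunk: "// This appears to revoke TSEC's exclusive access to host1x" starts at column 0 and will break out of the preformatted block. Indent it to match the surrounding lines.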
Line 731: Line 840:
  // Exit Authenticated Mode
  // Exit Authenticated Mode
  // This is TSEC_MMIO + 0x1000 + (0x10300 / 0x40)
  // This is TSEC_MMIO + 0x1000 + (0x10300 / 0x40)
  *(u32 *)TSEC_AUTH_MODE = 0;
  *(u32 *)TSEC_SCP_CTL_AUTH_MODE = 0;
   
   
  return;
  return;
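Review bot: The unchanged comment "This is TSEC_MMIO + 0x1000 + (0x10300 / 0x40)" above the renamed write is harder to check than it needs to be. Assuming TSEC_MMIO is 0x54500000, the base of the ranges in the Registers section, the expression evaluates to 0x5450140C, which matches the TSEC_SCP_CTL_AUTH_MODE row in the register table. Stating that address in the comment would tie the code to the table now that the name has changed.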