SPL services
csrng
Cmd | Name |
---|---|
0 | #GetRandomBytes |
GetRandomBytes
Takes a type-6 buffer and fills it with random data. Same command for "spl:" and "csrng" services.
spl:
[2.0.0+] Where previously only one AES engine was utilized, there is now support for 4 of them.
[2.0.0+] When the session closes, all AES engines that were locked are automatically unlocked.
Cmd | Name | Notes |
---|---|---|
0 | #GetConfig | wrapper for GetConfig |
1 | user supplied modulus and exponent | |
2 | #GenerateAesKek | wrapper for KeygenAndSealX |
3 | #LoadAesKey | wrapper for SetKeyslotFromXY |
4 | #GenerateAesKey | decrypts 0x10 bytes using AES ECB, uses SetKeyslotFromXY with a fixed Y |
5 | #SetConfig | wrapper for SetConfig |
7 | #GetRandomBytes | uses PrngX931 |
9 | wrapper for ImportParamsForFWithXY | |
10 | wrapper for ExpMod | |
11 | #IsDevelopment | |
12 | GenerateSpecificAesKey | wrapper for KeygenA |
13 | #DecryptExpModParamsWithXY | wrapper for DecryptExpModParamsWithXY |
14 | #GenerateAesKeyOther | decrypts 0x10 bytes using AES ECB, uses SetKeyslotFromXY with fixed X and Y |
15 | #DecryptAesCtr | wrapper for SymmetricCrypto |
16 | #ComputeCmac | wrapper for CMAC |
17 | wrapper for ImportParamsFor10WithXY | |
18 | wrapper for ExpModAndKeygenAndSealZ | |
19 | #SetKeyslotFromZ | wrapper for SetKeyslotFromZ |
20 | [2.0.0+] | wrapper for KeygenAndSealZ |
21 | [2.0.0+] #LockAesEngine | |
22 | [2.0.0+] #UnlockAesEngine | |
23 | [2.0.0+] GetSplWaitEvent |
GetConfig
Takes an input word (ConfigItem), and returns a u64 with the config params.
ConfigItem | Name |
---|---|
1 | DisableProgramVerification |
2 | MemoryConfiguration |
5 | HardwareType (0=Icosa, 1=Copper) |
6 | IsRetail |
7 | IsRecoveryBoot |
8 | DeviceId (byte7 clear). |
9 | BootReason |
10 | MemoryArrange |
11 | IsDebugMode |
12 | KernelMemoryConfiguration |
13 | BatteryProfile? |
PM checks id1 and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).
NIM checks that id8 output must match the set:cal DeviceId with byte7 cleared, otherwise panic.
[3.0.0+] RO checks id11, if set then skipping NRR rsa signatures is allowed.
Kernel uses id11 to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail.
Kernel reads id12 when setting up memory-related code. If bit0 is set, it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. If bit17-16 is 0b01, the kernel assumes 6GB of DRAM instead of 4GB.
GenerateAesKek
Takes a 16-byte seed ("BisEncryptionKeySourceForKek") and two words ("KeyGeneration" and "option") as input. KeyGeneration ranges from 0 to 2.
Same input gives same output. Output changes when system is rebooted.
LoadAesKey
[2.0.0+] Now verifies that the engine used (0..3) is locked/owned by the current spl session, otherwise errors with 0xD21A. Previously engine was hardcoded to 0.
GenerateAesKey
[2.0.0+] Previously it used engine 0 always. Now it tries to allocate an engine to be used, returns 0xD01A if they're all busy. After command is done, the engine is released.
SetConfig
Takes two input words, a ConfigItem and the value to set.
ConfigItem | Name |
---|---|
13 | BatteryProfile? |
IsDevelopment
No input params.
Uses #GetConfig internally with id=6. Returns true if output from that is 0, or if the SMC returned error 2.
Returns an u8 flag for whether the system is devunit. Output flag is 0 on retail.
DecryptExpModParamsWithXY
Last SPL cmd used by SSL-sysmodule for TLS client-privk.
GenerateAesKeyOther
Scrambles with a different constant than non-"other" version.
[2.0.0+] Introduced same engine allocation code as for #GenerateAesKey.
DecryptAesCtr
[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.
ComputeCmac
[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.
SetKeyslotFromZ
[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.
LockAesEngine
Returns the id of the engine that was locked, or 0xD01A if all engines are busy. You need to lock an engine before using AES functions.
UnlockAesEngine
Takes a single u32 and unlocks the engine with that id. It must be owned by current session otherwise 0xD21A will be returned.