SPL services

Revision as of 19:10, 24 August 2017 by Hexkyz (talk | contribs)

csrng

Cmd Name
0 #GetRandomBytes

GetRandomBytes

Takes a type-6 buffer and fills it with random data. Same command for "spl:" and "csrng" services.

spl:

[2.0.0+] Where previously only one AES engine was utilized, there is now support for 4 of them.

[2.0.0+] When the session closes, all AES engines that were locked are automatically unlocked.

Cmd Name Notes
0 #GetConfig wrapper for GetConfig
1 user supplied modulus and exponent
2 #GenerateAesKek wrapper for KeygenAndSealX
3 #LoadAesKey wrapper for SetKeyslotFromXY
4 #GenerateAesKey decrypts 0x10 bytes using AES ECB, uses SetKeyslotFromXY with a fixed Y
5 #SetConfig wrapper for SetConfig
7 #GetRandomBytes uses PrngX931
9 wrapper for ImportParamsForFWithXY
10 wrapper for ExpMod
11 #IsDevelopment
12 GenerateSpecificAesKey wrapper for KeygenA
13 #DecryptExpModParamsWithXY wrapper for DecryptExpModParamsWithXY
14 #GenerateAesKeyOther decrypts 0x10 bytes using AES ECB, uses SetKeyslotFromXY with fixed X and Y
15 #DecryptAesCtr wrapper for SymmetricCrypto
16 #ComputeCmac wrapper for CMAC
17 wrapper for ImportParamsFor10WithXY
18 wrapper for ExpModAndKeygenAndSealZ
19 #SetKeyslotFromZ wrapper for SetKeyslotFromZ
20 [2.0.0+] wrapper for KeygenAndSealZ
21 [2.0.0+] #LockAesEngine
22 [2.0.0+] #UnlockAesEngine
23 [2.0.0+] GetSplWaitEvent

GetConfig

Takes an input word (ConfigItem), and returns a u64 with the config params.

ConfigItem Name
1 DisableProgramVerification
2 MemoryConfiguration
3 Returns 0x2C?
4 Returns 0x02?
5 HardwareType (0=Icosa, 1=Copper)
6 IsRetail
7 IsRecoveryBoot
8 DeviceId (byte7 clear)
9 BootReason
10 MemoryArrange
11 IsDebugMode
12 KernelMemoryConfiguration
13 BatteryProfile


PCV configures memory profiles based on id2.

Platform Version Revision id2
"jetson-tx1" "11_40800_01_V9.8.3_V1.6" N/A N/A
"nx-abcb" "10_40800_NoCfgVersion_V9.8.4_V1.6" 0 0
"nx-abca2" "10_40800_NoCfgVersion_V9.8.7_V1.6" 0 0 or 3
"nx-abca2" "10_40800_NoCfgVersion_V9.8.7_V1.6" 1 4
"nx-abca2" "10_40800_NoCfgVersion_V9.8.7_V1.6" 2 1
"nx-abca2" "10_40800_NoCfgVersion_V9.8.7_V1.6" 3 2


PM checks id1 and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).

NIM checks that id8 output must match the set:cal DeviceId with byte7 cleared, otherwise panic.

[3.0.0+] RO checks id11, if set then skipping NRR rsa signatures is allowed.

Kernel uses id11 to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail.

Kernel reads id12 when setting up memory-related code. If bit0 is set, it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. If bit17-16 is 0b01, the kernel assumes 6GB of DRAM instead of 4GB.

GenerateAesKek

Takes a 16-byte seed ("BisEncryptionKeySourceForKek") and two words ("KeyGeneration" and "option") as input. KeyGeneration ranges from 0 to 2.

Same input gives same output. Output changes when system is rebooted.

LoadAesKey

[2.0.0+] Now verifies that the engine used (0..3) is locked/owned by the current spl session, otherwise errors with 0xD21A. Previously engine was hardcoded to 0.

GenerateAesKey

[2.0.0+] Previously it used engine 0 always. Now it tries to allocate an engine to be used, returns 0xD01A if they're all busy. After command is done, the engine is released.

SetConfig

Takes two input words, a ConfigItem and the value to set.

ConfigItem Name
13 BatteryProfile

IsDevelopment

No input params.

Uses #GetConfig internally with id=6. Returns true if output from that is 0, or if the SMC returned error 2.

Returns an u8 flag for whether the system is devunit. Output flag is 0 on retail.

DecryptExpModParamsWithXY

Last SPL cmd used by SSL-sysmodule for TLS client-privk.

GenerateAesKeyOther

Scrambles with a different constant than non-"other" version.

[2.0.0+] Introduced same engine allocation code as for #GenerateAesKey.

DecryptAesCtr

[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.

ComputeCmac

[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.

SetKeyslotFromZ

[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.

LockAesEngine

Returns the id of the engine that was locked, or 0xD01A if all engines are busy. You need to lock an engine before using AES functions.

UnlockAesEngine

Takes a single u32 and unlocks the engine with that id. It must be owned by current session otherwise 0xD21A will be returned.