TSEC

From Nintendo Switch Brew
Revision as of 19:25, 20 March 2019 by Hexkyz (talk | contribs)
Jump to navigation Jump to search

TSEC (Tegra Security Co-processor) is a dedicated unit powered by a NVIDIA Falcon microprocessor with crypto extensions.

Driver

A host driver for communicating with the TSEC is mapped to physical address 0x54500000 with a total size of 0x40000 bytes and exposes several registers.

Registers

Registers from 0x54500000 to 0x54501000 are used to configure the host interface (HOST1X).

Registers from 0x54501000 to 0x54502000 are a MMIO window for communicating with the Falcon microprocessor. From this range, the subset of registers from 0x54501400 to 0x54501FE8 are specific to the TSEC and are subdivided into:

  • 0x54501400 to 0x54501500: SCP (Secure Crypto Processor?).
  • 0x54501500 to 0x54501600: TRNG (True Random Number Generator).
  • 0x54501600 to 0x54501700: TFBIF (Tegra Framebuffer Interface) and CG (Clock Gate).
  • 0x54501700 to 0x54501800: DMA.
  • 0x54501800 to 0x54501900: TEGRA (miscellaneous interfaces).
Name Address Width
TSEC_THI_INCR_SYNCPT 0x54500000 0x04
TSEC_THI_INCR_SYNCPT_ERR 0x54500008 0x04
TSEC_THI_CTXSW_INCR_SYNCPT 0x5450000C 0x04
TSEC_THI_CTXSW 0x54500020 0x04
TSEC_THI_CONT_SYNCPT_EOF 0x54500028 0x04
TSEC_THI_METHOD0 0x54500040 0x04
TSEC_THI_METHOD1 0x54500044 0x04
TSEC_THI_INT_STATUS 0x54500078 0x04
TSEC_THI_INT_MASK 0x5450007C 0x04
TSEC_THI_INT_CLEAR 0x54500080 0x04
TSEC_THI_INT_ENABLE 0x54500084 0x04
TSEC_THI_SLCG_OVERRIDE_HIGH_A 0x54500088 0x04
TSEC_THI_SLCG_OVERRIDE_LOW_A 0x5450008C 0x04
TSEC_THI_CLK_OVERRIDE 0x54500E00 0x04
FALCON_IRQSSET 0x54501000 0x04
FALCON_IRQSCLR 0x54501004 0x04
FALCON_IRQSTAT 0x54501008 0x04
FALCON_IRQMODE 0x5450100C 0x04
FALCON_IRQMSET 0x54501010 0x04
FALCON_IRQMCLR 0x54501014 0x04
FALCON_IRQMASK 0x54501018 0x04
FALCON_IRQDEST 0x5450101C 0x04
FALCON_GPTMR_PERIOD 0x54501020 0x04
FALCON_GPTMR_TIME 0x54501024 0x04
FALCON_GPTMR_ENABLE 0x54501028 0x04
FALCON_TIME_LOW 0x5450102C 0x04
FALCON_TIME_HIGH 0x54501030 0x04
FALCON_WDTMR_TIME 0x54501034 0x04
FALCON_WDTMR_ENABLE 0x54501038 0x04
FALCON_UNK_3C 0x5450103C 0x04
FALCON_MAILBOX0 0x54501040 0x04
FALCON_MAILBOX1 0x54501044 0x04
FALCON_ITFEN 0x54501048 0x04
FALCON_IDLESTATE 0x5450104C 0x04
FALCON_CURCTX 0x54501050 0x04
FALCON_NXTCTX 0x54501054 0x04
FALCON_CMDCTX 0x54501058 0x04
FALCON_STATUS_MASK 0x5450105C 0x04
FALCON_VM_SUPERVISOR 0x54501060 0x04
FALCON_MTHD_DATA 0x54501064 0x04
FALCON_MTHD_CMD 0x54501068 0x04
FALCON_MTHD_DATA_WR 0x5450106C 0x04
FALCON_MTHD_OCCUPIED 0x54501070 0x04
FALCON_MTHD_ACK 0x54501074 0x04
FALCON_MTHD_LIMIT 0x54501078 0x04
FALCON_SUBENGINE_RESET 0x5450107C 0x04
FALCON_OS 0x54501080 0x04
FALCON_RM 0x54501084 0x04
FALCON_PM_SIGNAL 0x54501088 0x04
FALCON_PM_MODE 0x5450108C 0x04
FALCON_DEBUG1 0x54501090 0x04
FALCON_DEBUGINFO 0x54501094 0x04
FALCON_BREAKPOINT0 0x54501098 0x04
FALCON_BREAKPOINT1 0x5450109C 0x04
FALCON_CGCTL 0x545010A0 0x04
FALCON_ENGCTL 0x545010A4 0x04
FALCON_PM_SEL 0x545010A8 0x04
FALCON_HOST_IO_INDEX 0x545010AC 0x04
FALCON_BREAKPOINT2 0x545010B0 0x04
FALCON_BREAKPOINT3 0x545010B4 0x04
FALCON_BREAKPOINT4 0x545010B8 0x04
FALCON_EXCI 0x545010D0 0x04
FALCON_UNK_D4 0x545010D4 0x04
FALCON_UNK_D8 0x545010D8 0x04
FALCON_UNK_DC 0x545010DC 0x04
FALCON_UNK_E0 0x545010E0 0x04
FALCON_CPUCTL 0x54501100 0x04
FALCON_BOOTVEC 0x54501104 0x04
FALCON_HWCFG 0x54501108 0x04
FALCON_DMACTL 0x5450110C 0x04
FALCON_DMATRFBASE 0x54501110 0x04
FALCON_DMATRFMOFFS 0x54501114 0x04
FALCON_DMATRFCMD 0x54501118 0x04
FALCON_DMATRFFBOFFS 0x5450111C 0x04
FALCON_DMATRFSTAT 0x54501120 0x04
FALCON_CRYPTTRFSTAT 0x54501124 0x04
FALCON_CPUSTAT 0x54501128 0x04
FALCON_HWCFG1 0x5450112C 0x04
FALCON_CPUCTL_ALIAS 0x54501130 0x04
FALCON_IMCTL 0x54501140 0x04
FALCON_IMSTAT 0x54501144 0x04
FALCON_TRACEIDX 0x54501148 0x04
FALCON_TRACEPC 0x5450114C 0x04
FALCON_IMFILLRNG0 0x54501150 0x04
FALCON_IMFILLRNG1 0x54501154 0x04
FALCON_IMFILLCTL 0x54501158 0x04
FALCON_IMCTL_DEBUG 0x5450115C 0x04
FALCON_EXTERRWIN 0x54501160 0x04
FALCON_EXTERRCFG 0x54501164 0x04
FALCON_EXTERRADDR 0x54501168 0x04
FALCON_EXTERRSTAT 0x5450116C 0x04
FALCON_CG2 0x5450117C 0x04
FALCON_IMEMC 0x54501180 0x04
FALCON_IMEMD 0x54501184 0x04
FALCON_IMEMT 0x54501188 0x04
FALCON_DMEMC0 0x545011C0 0x04
FALCON_DMEMD0 0x545011C4 0x04
FALCON_DMEMC1 0x545011C8 0x04
FALCON_DMEMD1 0x545011CC 0x04
FALCON_DMEMC2 0x545011D0 0x04
FALCON_DMEMD2 0x545011D4 0x04
FALCON_DMEMC3 0x545011D8 0x04
FALCON_DMEMD3 0x545011DC 0x04
FALCON_DMEMC4 0x545011E0 0x04
FALCON_DMEMD4 0x545011E4 0x04
FALCON_DMEMC5 0x545011E8 0x04
FALCON_DMEMD5 0x545011EC 0x04
FALCON_DMEMC6 0x545011F0 0x04
FALCON_DMEMD6 0x545011F4 0x04
FALCON_DMEMC7 0x545011F8 0x04
FALCON_DMEMD7 0x545011FC 0x04
FALCON_ICD_CMD 0x54501200 0x04
FALCON_ICD_ADDR 0x54501204 0x04
FALCON_ICD_WDATA 0x54501208 0x04
FALCON_ICD_RDATA 0x5450120C 0x04
FALCON_SCTL 0x54501240 0x04
FALCON_SCTL_STAT 0x54501244 0x04
FALCON_UNK_248 0x54501248 0x04
FALCON_UNK_24C 0x5450124C 0x04
FALCON_UNK_250 0x54501250 0x04
FALCON_UNK_260 0x54501260 0x04
FALCON_SPROT_IMEM 0x54501280 0x04
FALCON_SPROT_DMEM 0x54501284 0x04
FALCON_SPROT_CPUCTL 0x54501288 0x04
FALCON_SPROT_MISC 0x5450128C 0x04
FALCON_SPROT_IRQ 0x54501290 0x04
FALCON_SPROT_MTHD 0x54501294 0x04
FALCON_SPROT_SCTL 0x54501298 0x04
FALCON_SPROT_WDTMR 0x5450129C 0x04
FALCON_UNK_2C0 0x545012C0 0x04
FALCON_UNK_2C4 0x545012C4 0x04
FALCON_UNK_2C8 0x545012C8 0x04
FALCON_UNK_2CC 0x545012CC 0x04
FALCON_UNK_2E0 0x545012E0 0x04
TSEC_SCP_CTL0 0x54501400 0x04
TSEC_SCP_CTL1 0x54501404 0x04
TSEC_SCP_CTL_STAT 0x54501408 0x04
TSEC_SCP_CTL_LOCK 0x5450140C 0x04
TSEC_SCP_UNK_10 0x54501410 0x04
TSEC_SCP_UNK_14 0x54501414 0x04
TSEC_SCP_CTL_PKEY 0x54501418 0x04
TSEC_SCP_UNK_1C 0x5450141C 0x04
TSEC_SCP_SEQ_CTL 0x54501420 0x04
TSEC_SCP_SEQ_VAL 0x54501424 0x04
TSEC_SCP_SEQ_STAT 0x54501428 0x04
TSEC_SCP_INSN_STAT 0x54501430 0x04
TSEC_SCP_UNK_50 0x54501450 0x04
TSEC_SCP_AUTH_STAT 0x54501454 0x04
TSEC_SCP_AES_STAT 0x54501458 0x04
TSEC_SCP_UNK_70 0x54501470 0x04
TSEC_SCP_IRQSTAT 0x54501480 0x04
TSEC_SCP_IRQMASK 0x54501484 0x04
TSEC_SCP_ACL_ERR 0x54501490 0x04
TSEC_SCP_UNK_94 0x54501494 0x04
TSEC_SCP_INSN_ERR 0x54501498 0x04
TSEC_TRNG_CLK_LIMIT_LOW 0x54501500 0x04
TSEC_TRNG_CLK_LIMIT_HIGH 0x54501504 0x04
TSEC_TRNG_UNK_08 0x54501508 0x04
TSEC_TRNG_TEST_CTL 0x5450150C 0x04
TSEC_TRNG_TEST_CFG0 0x54501510 0x04
TSEC_TRNG_TEST_SEED0 0x54501514 0x04
TSEC_TRNG_TEST_CFG1 0x54501518 0x04
TSEC_TRNG_TEST_SEED1 0x5450151C 0x04
TSEC_TRNG_UNK_20 0x54501520 0x04
TSEC_TRNG_UNK_24 0x54501524 0x04
TSEC_TRNG_UNK_28 0x54501528 0x04
TSEC_TRNG_CTL 0x5450152C 0x04
TSEC_TFBIF_CTL 0x54501600 0x04
TSEC_TFBIF_MCCIF_FIFOCTRL 0x54501604 0x04
TSEC_TFBIF_THROTTLE 0x54501608 0x04
TSEC_TFBIF_UNK_0C 0x5450160C 0x04
TSEC_TFBIF_DEBUG_STAT 0x54501630 0x04
TSEC_TFBIF_MCCIF_FIFOCTRL1 0x54501634 0x04
TSEC_TFBIF_MMU_PHYS_PROT 0x54501640 0x04
TSEC_TFBIF_MMU_PHYS_SEC 0x54501644 0x04
TSEC_TFBIF_MMU_PHYS_TRANSCFG 0x54501648 0x04
TSEC_TFBIF_ACTMON_MAMASK 0x5450164C 0x04
TSEC_TFBIF_ACTMON_BORPS 0x54501650 0x04
TSEC_TFBIF_ACTMON_CTL 0x54501654 0x04
TSEC_CG 0x545016D0 0x04
TSEC_DMA_CMD 0x54501700 0x04
TSEC_DMA_ADDR 0x54501704 0x04
TSEC_DMA_DATA 0x54501708 0x04
TSEC_DMA_TIMEOUT 0x5450170C 0x04
TSEC_TEGRA_FALCON_IP_VER 0x54501800 0x04
TSEC_TEGRA_UNK_04 0x54501804 0x04
TSEC_TEGRA_UNK_08 0x54501808 0x04
TSEC_TEGRA_UNK_0C 0x5450180C 0x04
TSEC_TEGRA_UNK_10 0x54501810 0x04
TSEC_TEGRA_UNK_14 0x54501814 0x04
TSEC_TEGRA_UNK_18 0x54501818 0x04
TSEC_TEGRA_UNK_1C 0x5450181C 0x04
TSEC_TEGRA_UNK_20 0x54501820 0x04
TSEC_TEGRA_UNK_24 0x54501824 0x04
TSEC_TEGRA_UNK_28 0x54501828 0x04
TSEC_TEGRA_UNK_2C 0x5450182C 0x04
TSEC_TEGRA_UNK_30 0x54501830 0x04
TSEC_TEGRA_UNK_34 0x54501834 0x04
TSEC_TEGRA_CTL 0x54501838 0x04

TSEC_THI_METHOD0

ID Method
0x200 SET_APPLICATION_ID
0x300 EXECUTE
0x500 HDCP_INIT
0x504 HDCP_CREATE_SESSION
0x508 HDCP_VERIFY_CERT_RX
0x50C HDCP_GENERATE_EKM
0x510 HDCP_REVOCATION_CHECK
0x514 HDCP_VERIFY_HPRIME
0x518 HDCP_ENCRYPT_PAIRING_INFO
0x51C HDCP_DECRYPT_PAIRING_INFO
0x520 HDCP_UPDATE_SESSION
0x524 HDCP_GENERATE_LC_INIT
0x528 HDCP_VERIFY_LPRIME
0x52C HDCP_GENERATE_SKE_INIT
0x530 HDCP_VERIFY_VPRIME
0x534 HDCP_ENCRYPTION_RUN_CTRL
0x538 HDCP_SESSION_CTRL
0x53C HDCP_COMPUTE_SPRIME
0x540 HDCP_GET_CERT_RX
0x544 HDCP_EXCHANGE_INFO
0x548 HDCP_DECRYPT_KM
0x54C HDCP_GET_HPRIME
0x550 HDCP_GENERATE_EKH_KM
0x554 HDCP_VERIFY_RTT_CHALLENGE
0x558 HDCP_GET_LPRIME
0x55C HDCP_DECRYPT_KS
0x560 HDCP_DECRYPT
0x564 HDCP_GET_RRX
0x568 HDCP_DECRYPT_REENCRYPT
0x56C
0x570
0x574
0x578
0x57C
0x700 HDCP_VALIDATE_SRM
0x704 HDCP_VALIDATE_STREAM
0x708 HDCP_TEST_SECURE_STATUS
0x70C HDCP_SET_DCP_KPUB
0x710 HDCP_SET_RX_KPUB
0x714 HDCP_SET_CERT_RX
0x718 HDCP_SET_SCRATCH_BUFFER
0x71C HDCP_SET_SRM
0x720 HDCP_SET_RECEIVER_ID_LIST
0x724 HDCP_SET_SPRIME
0x728 HDCP_SET_ENC_INPUT_BUFFER
0x72C HDCP_SET_ENC_OUTPUT_BUFFER
0x730 HDCP_GET_RTT_CHALLENGE
0x734 HDCP_STREAM_MANAGE
0x738 HDCP_READ_CAPS
0x73C HDCP_ENCRYPT
0x740 [6.0.0+] HDCP_GET_CURRENT_NONCE

Used to encode and send a method's ID over HOST1X to TSEC. This register mirrors the functionality of HOST1X's channel opcode submission.

TSEC_THI_METHOD1

Used to encode and send a method's data over HOST1X to TSEC. This register mirrors the functionality of HOST1X's channel opcode submission.

TSEC_THI_INT_STATUS

Bits Description
0 TSEC_THI_INT_STATUS_FALCON_INT

TSEC_THI_INT_MASK

Bits Description
0 TSEC_THI_INT_MASK_FALCON_INT

FALCON_IRQSSET

Bits Description
0 FALCON_IRQSSET_GPTMR
1 FALCON_IRQSSET_WDTMR
2 FALCON_IRQSSET_MTHD
3 FALCON_IRQSSET_CTXSW
4 FALCON_IRQSSET_HALT
5 FALCON_IRQSSET_EXTERR
6 FALCON_IRQSSET_SWGEN0
7 FALCON_IRQSSET_SWGEN1
8-15 FALCON_IRQSSET_EXT

Used for setting Falcon's IRQs.

FALCON_IRQSCLR

Bits Description
0 FALCON_IRQSCLR_GPTMR
1 FALCON_IRQSCLR_WDTMR
2 FALCON_IRQSCLR_MTHD
3 FALCON_IRQSCLR_CTXSW
4 FALCON_IRQSCLR_HALT
5 FALCON_IRQSCLR_EXTERR
6 FALCON_IRQSCLR_SWGEN0
7 FALCON_IRQSCLR_SWGEN1
8-15 FALCON_IRQSCLR_EXT

Used for clearing Falcon's IRQs.

FALCON_IRQSTAT

Bits Description
0 FALCON_IRQSTAT_GPTMR
1 FALCON_IRQSTAT_WDTMR
2 FALCON_IRQSTAT_MTHD
3 FALCON_IRQSTAT_CTXSW
4 FALCON_IRQSTAT_HALT
5 FALCON_IRQSTAT_EXTERR
6 FALCON_IRQSTAT_SWGEN0
7 FALCON_IRQSTAT_SWGEN1
8-15 FALCON_IRQSTAT_EXT

Used for getting the status of Falcon's IRQs.

FALCON_IRQMODE

Bits Description
0 FALCON_IRQMODE_GPTMR
1 FALCON_IRQMODE_WDTMR
2 FALCON_IRQMODE_MTHD
3 FALCON_IRQMODE_CTXSW
4 FALCON_IRQMODE_HALT
5 FALCON_IRQMODE_EXTERR
6 FALCON_IRQMODE_SWGEN0
7 FALCON_IRQMODE_SWGEN1
8-15 FALCON_IRQMODE_EXT

Used for changing the mode Falcon's IRQs. A value of 1 means level triggered while a value of 0 means edge triggered.

FALCON_IRQMSET

Bits Description
0 FALCON_IRQMSET_GPTMR
1 FALCON_IRQMSET_WDTMR
2 FALCON_IRQMSET_MTHD
3 FALCON_IRQMSET_CTXSW
4 FALCON_IRQMSET_HALT
5 FALCON_IRQMSET_EXTERR
6 FALCON_IRQMSET_SWGEN0
7 FALCON_IRQMSET_SWGEN1
8-15 FALCON_IRQMSET_EXT

Used for setting the mask for Falcon's IRQs.

FALCON_IRQMCLR

Bits Description
0 FALCON_IRQMCLR_GPTMR
1 FALCON_IRQMCLR_WDTMR
2 FALCON_IRQMCLR_MTHD
3 FALCON_IRQMCLR_CTXSW
4 FALCON_IRQMCLR_HALT
5 FALCON_IRQMCLR_EXTERR
6 FALCON_IRQMCLR_SWGEN0
7 FALCON_IRQMCLR_SWGEN1
8-15 FALCON_IRQMCLR_EXT

Used for clearing the mask for Falcon's IRQs.

FALCON_IRQMASK

Bits Description
0 FALCON_IRQMASK_GPTMR
1 FALCON_IRQMASK_WDTMR
2 FALCON_IRQMASK_MTHD
3 FALCON_IRQMASK_CTXSW
4 FALCON_IRQMASK_HALT
5 FALCON_IRQMASK_EXTERR
6 FALCON_IRQMASK_SWGEN0
7 FALCON_IRQMASK_SWGEN1
8-15 FALCON_IRQMASK_EXT

Used for getting the value of the mask for Falcon's IRQs.

FALCON_IRQDEST

Bits Description
0 FALCON_IRQDEST_HOST_GPTMR
1 FALCON_IRQDEST_HOST_WDTMR
2 FALCON_IRQDEST_HOST_MTHD
3 FALCON_IRQDEST_HOST_CTXSW
4 FALCON_IRQDEST_HOST_HALT
5 FALCON_IRQDEST_HOST_EXTERR
6 FALCON_IRQDEST_HOST_SWGEN0
7 FALCON_IRQDEST_HOST_SWGEN1
8-15 FALCON_IRQDEST_HOST_EXT
16 FALCON_IRQDEST_TARGET_GPTMR
17 FALCON_IRQDEST_TARGET_WDTMR
18 FALCON_IRQDEST_TARGET_MTHD
19 FALCON_IRQDEST_TARGET_CTXSW
20 FALCON_IRQDEST_TARGET_HALT
21 FALCON_IRQDEST_TARGET_EXTERR
22 FALCON_IRQDEST_TARGET_SWGEN0
23 FALCON_IRQDEST_TARGET_SWGEN1
24-31 FALCON_IRQDEST_TARGET_EXT

Used for routing Falcon's IRQs.

FALCON_MAILBOX0

Scratch register for reading/writing data to Falcon.

FALCON_MAILBOX1

Scratch register for reading/writing data to Falcon.

FALCON_ITFEN

Bits Description
0 FALCON_ITFEN_CTXEN
1 FALCON_ITFEN_MTHDEN

Used for enabling/disabling Falcon interfaces.

FALCON_IDLESTATE

Bits Description
0 FALCON_IDLESTATE_FALCON_BUSY
1-15 FALCON_IDLESTATE_EXT_BUSY

Used for detecting if Falcon is busy or not.

FALCON_DEBUG1

Bits Description
16 FALCON_DEBUG1_CTXSW_MODE

FALCON_DEBUGINFO

Used for UCODE self revocation. This register takes the base address of the GSC carveout shifted right by 8.

[6.0.0+] nvservices sets this to 0x8005FF00 >> 8 (physical DRAM address inside the GPU UCODE carveout) before starting the nvhost_tsec firmware.

FALCON_EXCI

Bits Description
0-19 PC that originated the exception
20-23 Exception type
0x00: Trap 0
0x01: Trap 1
0x02: Trap 2
0x03: Trap 3
0x08: Invalid opcode
0x09: Authentication entry
0x0A: Page fault (no hit)
0x0B: Page fault (multi hit)
0x0F: Breakpoint

Contains information about raised exceptions.

FALCON_CPUCTL

Bits Description
0 FALCON_CPUCTL_IINVAL
1 FALCON_CPUCTL_STARTCPU
2 FALCON_CPUCTL_SRESET
3 FALCON_CPUCTL_HRESET
4 FALCON_CPUCTL_HALTED
5 FALCON_CPUCTL_STOPPED
6 FALCON_CPUCTL_CPUCTL_ALIAS_EN

Used for signaling the Falcon CPU.

FALCON_BOOTVEC

Takes the Falcon's boot vector address.

FALCON_HWCFG

Bits Description
0-8 FALCON_HWCFG_IMEM_SIZE
9-17 FALCON_HWCFG_DMEM_SIZE
18-25 FALCON_HWCFG_MTHD_SIZE
26-31 FALCON_HWCFG_DMATRF_SLOTS

FALCON_DMACTL

Bits Description
0 FALCON_DMACTL_REQUIRE_CTX
1 FALCON_DMACTL_DMEM_SCRUBBING
2 FALCON_DMACTL_IMEM_SCRUBBING
3-6 FALCON_DMACTL_DMAQ_NUM
7 FALCON_DMACTL_SECURE_STAT

Used for configuring the Falcon's DMA engine.

FALCON_DMATRFBASE

Base address of the external memory buffer, shifted right by 8.

The current transfer address is calculated by adding FALCON_DMATRFFBOFFS to the base.

FALCON_DMATRFMOFFS

For transfers to DMEM: the destination address. For transfers to IMEM: the destination virtual IMEM page.

FALCON_DMATRFCMD

Bits Description
0 FALCON_DMATRFCMD_FULL
1 FALCON_DMATRFCMD_IDLE
2-3 FALCON_DMATRFCMD_SEC
4 FALCON_DMATRFCMD_IMEM
5 FALCON_DMATRFCMD_WRITE
8-10 FALCON_DMATRFCMD_SIZE
12-14 FALCON_DMATRFCMD_CTXDMA

Used for configuring DMA transfers.

FALCON_DMATRFFBOFFS

For transfers to IMEM: the destination physical IMEM page.

FALCON_DMATRFSTAT

Bits Description
0 FALCON_DMATRFSTAT_PENDING
16-18 FALCON_DMATRFSTAT_NUM_STORES_PENDING
24-26 FALCON_DMATRFSTAT_NUM_LOADS_PENDING

FALCON_CRYPTTRFSTAT

Bits Description
1 FALCON_CRYPTTRFSTAT_PENDING
5 FALCON_CRYPTTRFSTAT_ENABLED
16-18 FALCON_CRYPTTRFSTAT_NUM_STORES_PENDING
24-26 FALCON_CRYPTTRFSTAT_NUM_LOADS_PENDING

FALCON_HWCFG1

Bits Description
0-3 FALCON_HWCFG1_VERSION
4-5 FALCON_HWCFG1_SCP_MODE
6-7 FALCON_HWCFG1_SUBVERSION
8-11 FALCON_HWCFG1_IMEM_PORTS
12-15 FALCON_HWCFG1_DMEM_PORTS
16-19 FALCON_HWCFG1_VM_PAGES_LOG2
27 FALCON_HWCFG1_HAS_ICD
28-29 FALCON_HWCFG1_IO_ADDR_TYPE
30 FALCON_HWCFG1_HAS_EXTERR
31 FALCON_HWCFG1_HAS_IMFILL

FALCON_IMCTL

Bits Description
0-23 Address
24-26 Command
1: ITLB
2: PTLB
3: VTLB

Controls the Falcon TLB.

FALCON_IMSTAT

Returns the result of the last command from FALCON_IMCTL.

FALCON_TRACEIDX

Bits Description
0-7 Index of where to start tracing from
16-23 Maximum valid index
24-31 Number of trace reads remaining

Controls the index for tracing with FALCON_TRACEPC.

FALCON_TRACEPC

Returns the PC of the last call or branch executed.

FALCON_IMEMC

Bits Description
2-7 Offset in IMEM block to read/write
8-15 IMEM block to read/write
24 Write auto-increment
25 Read auto-increment
28 Mark uploaded code as secret
29 Secret code upload lockdown status (read-only)
30 Secret code upload failure status (read-only)
31 Secret code upload reset scrubber status (read-only)

Used for configuring access to Falcon's IMEM.

FALCON_IMEMD

Returns or takes the value for an IMEM read/write operation.

FALCON_IMEMT

Returns or takes the virtual page index for an IMEM read/write operation.

FALCON_DMEMC0

Bits Description
2-7 Offset in DMEM block to read/write
8-15 DMEM block to read/write
24 Write auto-increment
25 Read auto-increment

Used for configuring access to Falcon's DMEM.

FALCON_DMEMD0

Returns or takes the value for a DMEM read/write operation.

FALCON_ICD_CMD

Bits Description
0-3 FALCON_ICD_CMD_OPC
0x0: BREAK
0x1: CONTINUE_FROM_PC
0x2: CONTINUE_FROM_ADDR
0x3: CONTINUE_UNK1_FROM_PC
0x4: CONTINUE_UNK1_FROM_ADDR
0x5: SINGLE_STEP_FROM_PC
0x6: SINGLE_STEP_FROM_ADDR
0x7: SET_BREAK_MASK
0x8: REG_READ
0x9: REG_WRITE
0xA: DATA_READ
0xB: DATA_WRITE
0xC: IO_READ
0xD: IO_WRITE
0xE: STATUS_READ
6-7 FALCON_ICD_CMD_DATA_SIZE
8-12 FALCON_ICD_CMD_IDX
14 FALCON_ICD_CMD_ERROR
15 FALCON_ICD_CMD_DONE
16-31 FALCON_ICD_CMD_BREAK_MASK

FALCON_SCTL

Bits Description
0-1 FALCON_SCTL_SEC_MODE
0: Non-secure
1: Light Secure
2: Heavy Secure
4-5 FALCON_SCTL_OLD_SEC_MODE
0: Non-secure
1: Light Secure
2: Heavy Secure
12-13 Unknown
14 Initialize the transition to LS mode

FALCON_SCTL_STAT

Bits Description
31 Set on memory protection violation

FALCON_SPROT_IMEM

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to Falcon IMEM.

FALCON_SPROT_DMEM

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to Falcon DMEM.

FALCON_SPROT_CPUCTL

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to the FALCON_CPUCTL register.

FALCON_SPROT_MISC

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to the following registers:

FALCON_SPROT_IRQ

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to the following registers:

FALCON_SPROT_MTHD

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to the following registers:

  • FALCON_ITFEN
  • FALCON_CURCTX
  • FALCON_NXTCTX
  • FALCON_CMDCTX
  • FALCON_MTHD_DATA
  • FALCON_MTHD_CMD
  • FALCON_MTHD_DATA_WR
  • FALCON_MTHD_OCCUPIED
  • FALCON_MTHD_ACK
  • FALCON_MTHD_LIMIT
  • FALCON_DEBUG1

FALCON_SPROT_SCTL

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to the FALCON_SCTL register.

FALCON_SPROT_WDTMR

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to the following registers:

  • FALCON_WDTMR_TIME
  • FALCON_WDTMR_ENABLE

TSEC_SCP_CTL0

Bits Description
20 Enable TSEC_SCP_INSN_STAT register

TSEC_SCP_CTL1

Bits Description
11 Enable TRNG testing mode
12 Enable the TRNG

TSEC_SCP_CTL_STAT

Bits Description
20 TSEC_SCP_CTL_STAT_DEBUG_MODE

TSEC_SCP_CTL_LOCK

Bits Description
0 Disable reads for the SCP and TRNG register blocks
1 Disable reads for the TFBIF register block
2 Disable reads for the DMA register block
3 Disable reads for the TEGRA register block
4 Disable writes for the SCP and TRNG register blocks
5 Disable writes for the TFBIF register block
6 Disable writes for the DMA register block
7 Disable writes for the TEGRA register block

Locks accesses to sub-engines and can only be cleared in Heavy Secure mode.

TSEC_SCP_CTL_PKEY

Bits Description
0 TSEC_SCP_CTL_PKEY_REQUEST_RELOAD
1 TSEC_SCP_CTL_PKEY_LOADED

TSEC_SCP_SEQ_CTL

Bits Description
0-3 Sequence's instruction index
4-7 Target and control flags
8-11 Sequence's size

Controls the last crypto sequence (cs0 or cs1) created.

TSEC_SCP_SEQ_VAL

Bits Description
0-3 Sequence instruction's first operand
4-9 Sequence instruction's second operand
10-14 Sequence instruction's opcode

Contains information on the last crypto sequence (cs0 or cs1) created.

TSEC_SCP_SEQ_STAT

Bits Description
0 Set if crypto sequence recording (cs0begin/cs1begin) is active
4-7 Number of instructions left for the crypto sequence
12-15 Active crypto key register

Contains information on the last crypto sequence (cs0 or cs1) executed.

TSEC_SCP_INSN_STAT

Bits Description
0-3 Destination register or immediate value
8-13 Source register or immediate value
20-24 Operation
0x0:  nop (fuc5 opcode 0x00) 
0x1:  cmov (fuc5 opcode 0x84)
0x2:  cxsin (fuc5 opcode 0x88) or xdst (with cxset)
0x3:  cxsout (fuc5 opcode 0x8C) or xdld (with cxset) 
0x4:  crnd (fuc5 opcode 0x90)
0x5:  cs0begin (fuc5 opcode 0x94)
0x6:  cs0exec (fuc5 opcode 0x98)
0x7:  cs1begin (fuc5 opcode 0x9C)
0x8:  cs1exec (fuc5 opcode 0xA0)
0x9:  invalid (fuc5 opcode 0xA4)
0xA:  cchmod (fuc5 opcode 0xA8)
0xB:  cxor (fuc5 opcode 0xAC)
0xC:  cadd (fuc5 opcode 0xB0)
0xD:  cand (fuc5 opcode 0xB4)
0xE:  crev (fuc5 opcode 0xB8)
0xF:  cprecmac (fuc5 opcode 0xBC)
0x10: csecret (fuc5 opcode 0xC0)
0x11: ckeyreg (fuc5 opcode 0xC4)
0x12: ckexp (fuc5 opcode 0xC8)
0x13: ckrexp (fuc5 opcode 0xCC)
0x14: cenc (fuc5 opcode 0xD0)
0x15: cdec (fuc5 opcode 0xD4)
0x16: csigauth (fuc5 opcode 0xD8)
0x17: csigenc (fuc5 opcode 0xDC)
0x18: csigclr (fuc5 opcode 0xE0)
28 Set if the instruction is valid
31 Set if running in HS mode

Contains information on the last crypto instruction executed.

TSEC_SCP_AUTH_STAT

Bits Description
0-1 Signature comparison result (3=succeeded, 2=failed)

Contains information on the last authentication attempt.

TSEC_SCP_AES_STAT

Bits Description
0-4 First opcode
5-9 Second opcode
15-16 AES operation
0: Encryption
1: Decryption
2: Key expansion
3: Key reverse expansion

Contains information on the last AES sequence executed.

TSEC_SCP_IRQSTAT

Bits Description
0 TSEC_SCP_IRQSTAT_TRNG
8 TSEC_SCP_IRQSTAT_ACL_ERROR
12 Unknown
16 TSEC_SCP_IRQSTAT_INSN_ERROR
20 TSEC_SCP_IRQSTAT_SINGLE_STEP
24 Unknown
28 Unknown

Used for getting the status of crypto IRQs.

TSEC_SCP_IRQMASK

Bits Description
0 TSEC_SCP_IRQMASK_TRNG
8 TSEC_SCP_IRQMASK_ACL_ERROR
12 Unknown
16 TSEC_SCP_IRQMASK_INSN_ERROR
20 TSEC_SCP_IRQMASK_SINGLE_STEP
24 Unknown
28 Unknown

Used for getting the value of the mask for crypto IRQs.

TSEC_SCP_ACL_ERR

Bits Description
0 Set when writing to a crypto register without the correct ACL
4 Set when reading from a crypto register without the correct ACL
8 Set on an invalid ACL change (cchmod)
31 An ACL error occurred

Contains information on the status generated by the TSEC_SCP_IRQSTAT_ACL_ERROR IRQ.

TSEC_SCP_INSN_ERR

Bits Description
0 Invalid instruction
4 Empty crypto sequence
8 Crypto sequence is too long
12 Crypto sequence was not finished
16 Insecure signature (csigenc, csigclr or csigauth)
20 Invalid signature (csigauth in HS mode)
24 Forbidden ACL change (cchmod in NS mode)

Contains information on crypto errors generated by the TSEC_SCP_IRQSTAT_INSN_ERROR IRQ.

TSEC_TFBIF_MCCIF_FIFOCTRL

Bits Description
0 TSEC_TFBIF_MCCIF_FIFOCTRL_RCLK_OVERRIDE
1 TSEC_TFBIF_MCCIF_FIFOCTRL_WCLK_OVERRIDE
2 TSEC_TFBIF_MCCIF_FIFOCTRL_WRCL_MCLE2X
3 TSEC_TFBIF_MCCIF_FIFOCTRL_RDMC_RDFAST
4 TSEC_TFBIF_MCCIF_FIFOCTRL_WRMC_CLLE2X
5 TSEC_TFBIF_MCCIF_FIFOCTRL_RDCL_RDFAST
6 TSEC_TFBIF_MCCIF_FIFOCTRL_CCLK_OVERRIDE
7 TSEC_TFBIF_MCCIF_FIFOCTRL_RCLK_OVR_MODE
8 TSEC_TFBIF_MCCIF_FIFOCTRL_WCLK_OVR_MODE

TSEC_TFBIF_MCCIF_FIFOCTRL1

Bits Description
0-15 TSEC_TFBIF_MCCIF_FIFOCTRL1_SRD2MC_REORDER_DEPTH_LIMIT
16-31 TSEC_TFBIF_MCCIF_FIFOCTRL1_SWR2MC_REORDER_DEPTH_LIMIT

TSEC_TFBIF_MMU_PHYS_PROT

Bits Description
0-3 Read access level
4-7 Write access level

Controls accesses to external memory in MMU physical mode.

TSEC_TFBIF_MMU_PHYS_SEC

Bits Description
0 Bypass MMU translation on CTXDMA port 0
4 Bypass MMU translation on CTXDMA port 1
8 Bypass MMU translation on CTXDMA port 2
12 Bypass MMU translation on CTXDMA port 3
16 Bypass MMU translation on CTXDMA port 4
20 Bypass MMU translation on CTXDMA port 5
24 Bypass MMU translation on CTXDMA port 6
28 Bypass MMU translation on CTXDMA port 7

Configures MMU physical mode.

[6.0.0+] The nvhost_tsec firmware sets this register to 0x10 or 0x111110 before reading memory from the GPU UCODE carveout.

TSEC_TFBIF_MMU_PHYS_TRANSCFG

Bits Description
0-3 Transfer configuration for CTXDMA port 0
4-7 Transfer configuration for CTXDMA port 1
8-11 Transfer configuration for CTXDMA port 2
12-15 Transfer configuration for CTXDMA port 3
16-19 Transfer configuration for CTXDMA port 4
20-23 Transfer configuration for CTXDMA port 5
24-27 Transfer configuration for CTXDMA port 6
28-31 Transfer configuration for CTXDMA port 7

Controls the transfer configuration for MMU physical mode.

[6.0.0+] The nvhost_tsec firmware sets this register to 0x20 or 0x140 before reading memory from the GPU UCODE carveout.

TSEC_CG

Bits Description
0-5 TSEC_CG_IDLE_CG_DLY_CNT
6 TSEC_CG_IDLE_CG_EN
16-18 TSEC_CG_WAKEUP_DLY_CNT
19 TSEC_CG_WAKEUP_DLY_EN

TSEC_DMA_CMD

Bits Description
0 TSEC_DMA_CMD_READ
1 TSEC_DMA_CMD_WRITE
4-7 TSEC_DMA_CMD_BYTE_MASK
12-13 TSEC_DMA_CMD_STATUS
0: Idle
1: Busy
2: Error
3: Disabled
31 TSEC_DMA_CMD_INIT

A DMA read/write operation requires bits TSEC_DMA_CMD_INIT and TSEC_DMA_CMD_READ/TSEC_DMA_CMD_WRITE to be set in TSEC_DMA_CMD.

During the transfer, TSEC_DMA_CMD_STATUS is set to "Busy".

Accessing an invalid address sets TSEC_DMA_CMD_STATUS to "Error".

TSEC_DMA_ADDR

Takes the address for DMA transfers between TSEC and HOST1X (master and clients).

TSEC_DMA_DATA

Takes the data for DMA transfers between TSEC and HOST1X (master and clients).

TSEC_DMA_TIMEOUT

Always 0xFFF.

TSEC_TEGRA_CTL

Bits Description
16 TSEC_TEGRA_CTL_TKFI_KFUSE
17 TSEC_TEGRA_CTL_TKFI_RESTART_FSM_KFUSE
24 TSEC_TEGRA_CTL_TMPI_FORCE_IDLE_INPUTS_I2C
25 TSEC_TEGRA_CTL_TMPI_RESTART_FSM_HOST1X
26 TSEC_TEGRA_CTL_TMPI_RESTART_FSM_APB
27 TSEC_TEGRA_CTL_TMPI_DISABLE_OUTPUT_I2C

SCP

Part of the information here (which hasn't made it into envytools documentation yet) was shared by mwk from reverse engineering falcon processors over the years.

Authenticated Mode

Entry

From non-secure mode, upon jumping to a page marked as secret, a secret fault occurs. This causes the CPU to verify the region specified in $cauth against the MAC loaded in $c6. If the comparison is successful, the valid bit (bit0) is set on all pages in the $cauth region, and $pc is set to the base of the $cauth region. If the comparsion fails, the CPU is halted.

Exit

The CPU automatically goes back to non-secure mode when returning back into non-secret pages. When this happens, the valid bit (bit0) in the TLB flags is cleared for all secret pages.

Implementation

Under certain circumstances, it is possible to observe csigauth being briefly written to TSEC_SCP_INSN_STAT as "csigauth $c4 $c6" while the opcodes in TSEC_SCP_AES_STAT are set to "cxsin" and "csigauth", respectively.

Via TSEC_SCP_SEQ_CTL it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.

Operations

Opcode Name Operand0 Operand1 Operation Condition
0 nop N/A N/A
1 mov $cX $cY $cX = $cY; ACL(X) = ACL(Y);
2 sin $cX N/A $cX = read_stream(); ACL(X) = ???;
3 sout $cX N/A write_stream($cX); ?
4 rnd $cX N/A $cX = read_trng(); ACL(X) = ???;
5 s0begin immX N/A record_macro_for_N_instructions(0, immX);
6 s0exec immX N/A execute_macro_N_times(0, immX);
7 s1begin immX N/A record_macro_for_N_instructions(1, immX);
8 s1exec immX N/A execute_macro_N_times(1, immX);
9 <invalid>
0xA chmod $cX immY Complicated, see ACL.
0xB xor $cX $cY $cX ^= $cY; (ACL(X) & 2) && (ACL(Y) & 2)
0xC add $cX immY $cX += immY; (ACL(X) & 2)
0xD and $cX $cY $cX &= $cY; (ACL(X) & 2) && (ACL(Y) & 2)
0xE rev $cX $cY $cX = endian_swap128($cY); ACL(X) = ACL(Y);
0xF gfmul $cX $cY $cX = gfmul($cY); ACL(X) = ACL(Y); (ACL(Y) & 2)
0x10 secret $cX immY $cX = load_secret(immY); ACL(X) = load_secret_acl(immY);
0x11 keyreg immX N/A active_key_idx = immX;
0x12 kexp $cX $cY $cX = aes_kexp($cY); ACL(X) = ACL(Y);
0x13 krexp $cX $cY $cX = aes_kexp_reverse($cY); ACL(X) = ACL(Y);
0x14 enc $cX $cY $cX = aes_enc(active_key_idx, $cY); ACL(X) = ACL(active_key_idx) & ACL(Y);
0x15 dec $cX $cY $cX = aes_dec(active_key_idx, $cY); ACL(X) = ACL(active_key_idx) & ACL(Y);
0x16 csigauth $cX $cY if (hash_verify($cX, $cY)) { has_sig = true; current_sig = $cX; } ?
0x17 csigclr N/A N/A has_sig = false;
0x18 csigenc $cX $cY if (has_sig) { $cX = aes_enc($cY, current_sig); ACL(X) = 0x13; }

csigauth

00000000: f5 3c XY d8 csigauth $cY $cX

Takes 2 crypto registers as operands and is automatically executed when jumping to a code region previously uploaded as secret. This instruction does not work in secure mode.

csigclr

00000000: f5 3c 00 e0 csigclr

This instruction takes no operands and appears to clear the saved cauth signature used by the csigenc instruction.

cchmod

00000000: f5 3c XY a8 cchmod $cY 0X or 00000000: f5 3c XY a9 cchmod $cY 1X

This instruction takes a crypto register and a 5 bit immediate value which represents the ACL mask to set.

crnd

00000000: f5 3c 0X 90 crnd $cX

This instruction initializes a crypto register with random data.

Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:

  • Write 0x7FFF to TSEC_TRNG_CLK_LIMIT_LOW.
  • Write 0x3FF0000 to TSEC_TRNG_CLK_LIMIT_HIGH.
  • Write 0xFF00 to TSEC_TRNG_CTL.
  • Write 0x1000 to TSEC_SCP_CTL1.

Otherwise it hangs forever.

ACL

Bit Meaning
0 Secure key. Forced set if bit1 is set. Once cleared, cannot be set again.
1 Secure readable. Once cleared, cannot be set again.
2 Insecure key. Forced set if bit3 is set. Forced clear if bit0 is clear. Can be toggled back and forth.
3 Insecure readable. Forced clear if bit1 is clear. Can be toggled back and forth.
4 Insecure overwritable. Can be toggled back and forth.

Initial values

On SCP boot, the ACL is 0x1F for all $cX.

Loading into $cX using xdst instruction sets ACL($cX) to 0x13 and 0x1F, for secure and insecure mode respectively.

Spilling a $cX to DMEM using xdld instruction is allowed if (ACL($cX) & 2) or (ACL($cX) & 8), for secure and insecure mode respectively.

Loading a secret into $cX sets a per-secret ACL, unconditionally.

cauth

$cauth is a special purpose register in the CPU.

Bits Description
0-7 Start of region to authenticate (in 0x100 pages)
8-15 Unknown
16 Use secret xfers
17 Region is encrypted
18 Unknown (set in HS mode)
19 Block traps and interrupts (set in HS mode)
20-23 Unknown
24-31 Size of region to authenticate (in 0x100 pages)

cxset

cxset instruction provides a way to change behavior of a variable amount of successively executed DMA-related instructions.

for example: 000000de: f4 3c 02 cxset 0x2

can be read as: dma_override(type=crypto_reg, count=2)

The argument to cxset specifies the type of behavior change in the top 3 bits, and the number of DMA-related instructions the effect lasts for in the lower 5 bits.

Bits Description
0-4 Number of instructions it is valid for (0x1f is a special value meaning infinitely many instructions -- until overriden by another cxset)
5 Crypto destination/source select (0=crypto register, 1=crypto stream)
6 External memory override (0=Disabled, 1=Enabled)
7 Internal memory select (0=DMEM, 1=IMEM)

DMA-Related Instructions

At least the following instructions may have changed behavior, and count against the cxset "count" argument: xdwait, xdst, xdld.

For example, if override type=0b000, then the "length" argument to xdst is instead treated as the index of the target $cX register.

Secrets

Falcon's Authenticated Mode has access to 64 128-bit keys which are burned at factory. These keys can be loaded by using the $csecret instruction which takes the target crypto register and the key index as arguments.

Secrets are specific to each Falcon unit with the exception of secret 0x3F. This secret is effectively empty (all zeros), but is configured to be overwritten with the KFUSE private key once the KFUSE clock is enabled. The KFUSE private key is console-unique.

Index ACL Notes
0x00 0x13 Used by Keygen, nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
0x01 0x10 Used by nvhost_nvdec_bl020_prod firmware.
0x02 0x10
0x03 0x11 Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
0x04 0x10 Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
0x05 0x13 Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
0x06 0x11
0x07 0x11 Used by [6.0.0+] nvhost_tsec firmware.
0x08 0x10
0x09 0x13 Used by nvhost_tsec firmware.
0x0A 0x11
0x0B 0x10 Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
0x0C 0x13
0x0D 0x11
0x0E 0x10
0x0F 0x13 Used by nvhost_tsec firmware.
0x10 0x11 Used by [1.0.0-5.1.0] nvhost_tsec firmware.
0x11 0x10
0x12 0x13
0x13 0x11
0x14 0x10
0x15 0x13 Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
0x16 0x11
0x17 0x10
0x18 0x13
0x19 0x11
0x1A 0x10
0x1B 0x13
0x1C 0x11
0x1D 0x10
0x1E 0x13
0x1F 0x11
0x20 0x10
0x21 0x13
0x22 0x11
0x23 0x10
0x24 0x13
0x25 0x11
0x26 0x10 Used by KeygenLdr and SecureBoot
0x27 0x13
0x28 0x11
0x29 0x10
0x2A 0x13
0x2B 0x11
0x2C 0x10
0x2D 0x13
0x2E 0x11
0x2F 0x10
0x30 0x13
0x31 0x11
0x32 0x10
0x33 0x13
0x34 0x11
0x35 0x10
0x36 0x13
0x37 0x11
0x38 0x10
0x39 0x13
0x3A 0x11
0x3B 0x10
0x3C 0x13 Used by nvhost_tsec firmware.
0x3D 0x11
0x3E 0x10
0x3F 0x10 Used by Keygen, nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.