Line 1: |
Line 1: |
− | = Secure Monitor Calls = | + | = Secure Monitor calls = |
− | | |
| The secure monitor provides two top level handlers of which each provides a range of sub handlers. | | The secure monitor provides two top level handlers of which each provides a range of sub handlers. |
| | | |
− | Secure Monitor Calls follow the ARM SMC calling convention up to a small change: | + | Secure Monitor calls follow the ARM SMC calling convention up to a small change: |
| {| class=wikitable | | {| class=wikitable |
| ! Bit number || Bit mask || Description | | ! Bit number || Bit mask || Description |
Line 24: |
Line 23: |
| SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call. | | SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call. |
| | | |
− | == ID 0 == | + | == FunctionId0 == |
− | Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]]. | + | Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]]. SMCs should be called from CPUID 3 (where SPL runs). |
| | | |
| {| class=wikitable | | {| class=wikitable |
− | ! Sub-ID || Name || In || Out | + | ! Value || Name |
| + | |- |
| + | | 0xC3000401 || SetConfig |
| |- | | |- |
− | | 0xC3000401 || SetConfig || || | + | | 0xC3000002 || [[#GetConfig]] (same as in [[#FunctionId1]]) |
| |- | | |- |
− | | 0xC3000002 || GetConfig (Same as ID 1, Sub-ID 4) || || | + | | 0xC3000003 || GetResult |
| |- | | |- |
− | | 0xC3000003 || CheckStatus || || | + | | 0xC3000404 || GetResultData |
| |- | | |- |
− | | 0xC3000404 || GetResult || || | + | | 0xC3000E05 || ExpMod |
| |- | | |- |
− | | 0xC3000E05 || ExpMod || || | + | | 0xC3000006 || [[#GenerateRandomBytes]] (same as in [[#FunctionId1]]) |
| |- | | |- |
− | | 0xC3000006 || GetRandomBytes (Same as ID 1, Sub-ID 5) || || | + | | 0xC3000007 || [[#GenerateAesKek]] |
| |- | | |- |
− | | 0xC3000007 || [[#GenerateAesKek]] || || | + | | 0xC3000008 || [[#LoadAesKey]] |
| |- | | |- |
− | | 0xC3000008 || [[#LoadAesKey]] || || | + | | 0xC3000009 || [[#ComputeAes]] |
| |- | | |- |
− | | 0xC3000009 || [[#CryptAes]] || || | + | | 0xC300000A || [[#GenerateSpecificAesKey]] |
| |- | | |- |
− | | 0xC300000A || [[#GenerateSpecificAesKey]] || || | + | | 0xC300040B || [[#ComputeCmac]] |
| |- | | |- |
− | | 0xC300040B || [[#ComputeCmac]] || || | + | | [1.0.0-4.1.0] 0xC300100C || [[#ImportEsKey]] |
| |- | | |- |
− | | 0xC300100C || [[#LoadRsaPrivateKey]] || || | + | | [5.0.0+] 0xC300D60C || [[#ReEncryptRsaPrivateKey]] |
| |- | | |- |
− | | 0xC300100D || [[#DecryptRsaPrivateKey]] || || | + | | [1.0.0-4.1.0] 0xC300100D || [[#DecryptRsaPrivateKey]] |
| |- | | |- |
− | | 0xC300100E || [[#LoadRsaPublicKey]] || || | + | | [5.0.0+] 0xC300100D || [[#DecryptOrImportRsaPrivateKey]] |
| |- | | |- |
− | | 0xC300060F || [[#PublicRsa]] || || | + | | [1.0.0-4.1.0] 0xC300100E || [[#ImportLotusKey]] |
| |- | | |- |
− | | 0xC3000610 || [[#UnwrapPreparedAesKey]] || || | + | | 0xC300060F || [[#StorageExpMod]] |
| |- | | |- |
− | | 0xC3000011 || [[#LoadPreparedAesKey]] || || | + | | 0xC3000610 || [[#UnwrapTitleKey]] |
| |- | | |- |
− | | 0xC3000012 || [2.0.0+] GeneratePreparedAesKek || || | + | | 0xC3000011 || [[#LoadTitleKey]] |
| + | |- |
| + | | 0xC3000012 || [2.0.0+] [[#UnwrapCommonTitleKey]] |
| |} | | |} |
| | | |
Line 76: |
Line 79: |
| ** This means: Plaintext kek keys never leave TrustZone. | | ** This means: Plaintext kek keys never leave TrustZone. |
| ** Further, this means: Actual AES/RSA keys never leave TrustZone. | | ** Further, this means: Actual AES/RSA keys never leave TrustZone. |
− |
| |
− | Note:
| |
− | The [[#CryptoUsecase|CryptoUsecase_PreparedAesKey]] represents a RSA wrapped AES key.
| |
| | | |
| === GenerateAesKek === | | === GenerateAesKek === |
Line 88: |
Line 88: |
| Takes a session kek created with [[#GenerateAesKek]], and a wrapped AES key. | | Takes a session kek created with [[#GenerateAesKek]], and a wrapped AES key. |
| | | |
− | The session kek must have been created with CryptoUsecase_Aes. | + | The session kek must have been created with [[#CryptoUsecase|CryptoUsecase Aes]]. |
| | | |
− | === CryptAes === | + | === ComputeAes === |
− | Encrypts/decrypts using Aes (CTR and CBC). | + | Encrypts/decrypts using AES (CTR and CBC). Takes an [[#CipherMode]]. |
| | | |
− | Key must be set prior using one of the [[#LoadAesKey]], [[#GenerateSpecificAesKey]] or [[#LoadRsaWrappedAesKey]] commands. | + | Key must be set prior using one of the [[#LoadAesKey]] or [[#GenerateSpecificAesKey]] commands. |
| | | |
| === GenerateSpecificAesKey === | | === GenerateSpecificAesKey === |
− | Todo: This one seems unrelated to [[#CryptoUsecase]].
| + | Takes a wrapped AES key and decrypts it using static data. |
| + | |
| + | === ComputeCmac === |
| + | Calculates CMAC over input data. |
| + | |
| + | === ImportEsKey === |
| + | Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key. |
| + | |
| + | The session kek must have been created with [[#CryptoUsecase|CryptoUsecase TitleKey]]. |
| + | |
| + | [5.0.0] This function was removed and replaced with [[#ReEncryptRsaPrivateKey]]. |
| | | |
− | === LoadRsaPrivateKey === | + | === ReEncryptRsaPrivateKey === |
− | Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA private key. | + | Takes in two session keks created with [[#GenerateAesKek]], two wrapped AES keys, an enum member, and a wrapped RSA private key. |
| | | |
− | The session kek must have been created with CryptoUsecase_PrivateRsa. | + | Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid. |
| + | |
| + | The re-encrypted key is then passed to the user, for use with [[#DecryptOrImportRsaPrivateKey]]. |
| | | |
| === DecryptRsaPrivateKey === | | === DecryptRsaPrivateKey === |
− | Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key. | + | Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, an enum member, and a wrapped RSA private key. |
| + | |
| + | The session kek must have been created with [[#CryptoUsecase|CryptoUsecase RsaPrivate]]. |
| + | |
| + | [4.0.0+] The SMC handler when certain conditions pass and FunctionId0==0xC300100D now returns error 0x6 instead of calling the handler funcptr. |
| + | |
| + | [5.0.0+] This function was replaced by [[#DecryptOrImportRsaPrivateKey]]. |
| + | |
| + | === DecryptOrImportRsaPrivateKey === |
| + | This function replaced [[#DecryptRsaPrivateKey]] in [[5.0.0]], adding an additional [[#DecryptOrImportMode]]. |
| + | |
| + | This SMC extends DecryptRsaPrivateKey's original functionality to enable importing private keys into the security engine instead of decrypting them, when certain enum members are passed. |
| + | |
| + | === ImportLotusKey === |
| + | Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA key. |
| + | |
| + | The session kek must have been created with [[#CryptoUsecase|CryptoUsecase RsaSecureExpMod]]. |
| | | |
− | The session kek must have been created with CryptoUsecase_PrivateRsa.
| + | [5.0.0] This function was removed. |
| | | |
− | === LoadRsaPublicKey === | + | === SecureExpMod === |
− | Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA public key.
| + | Performs an ExpMod operation using an exponent previously loaded with the [[#ImportLotusKey]] command. |
| | | |
− | The session kek must have been created with CryptoUsecase_PublicRsa.
| + | [5.0.0+] This now uses any exponent previously loaded with [[#DecryptOrImportRsaPrivateKey]] and takes an [[#SecureExpModMode]]. |
| | | |
− | === PublicRsa === | + | === UnwrapTitleKey === |
− | Encrypts using Rsa public key.
| + | Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash. |
| | | |
− | Key must be set prior using the [[#LoadRsaPublicKey]] command.
| + | Performs an ExpMod operation using an exponent previously loaded with the [[#ImportEsKey]] command, and then validates/extracts a Titlekey from the resulting message. |
| | | |
− | === UnwrapPreparedAesKey ===
| + | Returns a session-unique AES key especially for use in [[#LoadTitleKey]]. |
− | Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA public key.
| |
| | | |
− | Returns a session-unique AES key especially for use in [[#LoadPreparedAesKey]].
| + | [5.0.0+] This now uses any exponent previously loaded with [[#DecryptOrImportRsaPrivateKey]]. |
| | | |
− | The session kek must have been created with CryptoUsecase_PreparedAesKey.
| + | === LoadTitleKey === |
| + | Takes a session-unique AES key from [[#UnwrapCommonTitleKey]] or [[#UnwrapTitleKey]]. |
| | | |
− | === LoadPreparedAesKey === | + | === UnwrapCommonTitleKey === |
− | Takes a session-unique AES key from [[#UnwrapPreparedAesKey]]. | + | Takes an AES-wrapped TitleKey and returns a sealed AES key. |
| + | |
| + | == FunctionId1 == |
| + | Functions exposed to the kernel internally. |
| | | |
− | === enum CryptoUsecase ===
| |
| {| class=wikitable | | {| class=wikitable |
| ! Value || Name | | ! Value || Name |
| |- | | |- |
− | | 0 || CryptoUsecase_Aes | + | | 0xC4000001 || [[#CpuSuspend]] |
| + | |- |
| + | | 0x84000002 || [[#CpuOff]] |
| + | |- |
| + | | 0xC4000003 || [[#CpuOn]] |
| + | |- |
| + | | 0xC3000004 || [[#GetConfig]] (same as in [[#FunctionId0]]) |
| + | |- |
| + | | 0xC3000005 || [[#GenerateRandomBytes]] (same as in [[#FunctionId0]]) |
| + | |- |
| + | | 0xC3000006 || [[#Panic]] |
| + | |- |
| + | | 0xC3000007 || [2.0.0+] [[#ConfigureCarveout]] |
| + | |- |
| + | | 0xC3000008 || [2.0.0+] [[#ReadWriteRegister]] |
| + | |} |
| + | |
| + | === CpuSuspend === |
| + | Takes an u64 '''PowerState''', an u64 '''EntrypointAddr''' and an u64 '''ContextId'''. No output. |
| + | |
| + | Suspends the CPU (CPU0). |
| + | |
| + | The kernel calls this SMC on shutdown with '''PowerState''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B). |
| + | |
| + | === CpuOff === |
| + | No input/output. |
| + | |
| + | Turns off the CPU (CPU1, CPU2 or CPU3). |
| + | |
| + | === CpuOn === |
| + | Takes an u64 '''TargetCpu''', an u64 '''EntrypointAddr''' and an u64 '''ContextId'''. Returns [[#Result]]. |
| + | |
| + | Turns on the CPU (CPU1, CPU2 or CPU3). |
| + | |
| + | === GetConfig === |
| + | Takes a [[#ConfigItem]]. Returns [[#Result]] and a '''ConfigVal'''. |
| + | |
| + | ==== ConfigItem ==== |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Value || Name |
| + | |- |
| + | | 1 || [[#DisableProgramVerification]] |
| + | |- |
| + | | 2 || [[#DramId]] |
| + | |- |
| + | | 3 || [[#SecurityEngineInterruptNumber]] |
| + | |- |
| + | | 4 || [[#FuseVersion]] |
| + | |- |
| + | | 5 || [[#HardwareType]] |
| + | |- |
| + | | 6 || [[#IsRetail]] |
| + | |- |
| + | | 7 || [[#IsRecoveryBoot]] |
| + | |- |
| + | | 8 || [[#DeviceId]] |
| + | |- |
| + | | 9 || [1.0.0-4.0.0] [[#BootReason]] |
| + | |- |
| + | | 10 || [[#MemoryMode]] |
| + | |- |
| + | | 11 || [[#IsDebugMode]] |
| + | |- |
| + | | 12 || [[#KernelConfiguration]] |
| + | |- |
| + | | 13 || [[#IsChargerHiZModeEnabled]] |
| + | |- |
| + | | 14 || [4.0.0+] [[#IsQuest]] |
| + | |- |
| + | | 15 || [5.0.0+] [[#RegulatorType]] |
| + | |- |
| + | | 16 || [5.0.0+] [[#DeviceUniqueKeyGeneration]] |
| + | |- |
| + | | 17 || [5.0.0+] [[#Package2Hash]] |
| + | |} |
| + | |
| + | ===== DisableProgramVerification ===== |
| + | [[Process Manager services|PM]] checks this item and if non-zero, calls fsp-pr SetEnabledProgramVerification(false). |
| + | |
| + | ===== DramId ===== |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Value |
| + | ! Description |
| + | |- |
| + | | 0 |
| + | | EristaIcosaSamsung4gb |
| + | |- |
| + | | 1 |
| + | | EristaIcosaHynix4gb |
| + | |- |
| + | | 2 |
| + | | EristaIcosaMicron4gb |
| + | |- |
| + | | 3 |
| + | | Reserved |
| + | |- |
| + | | 4 |
| + | | EristaIcosaSamsung6gb |
| + | |- |
| + | | 5 |
| + | | [4.0.0+] Reserved |
| + | |- |
| + | | 6 |
| + | | [4.0.0+] Reserved |
| + | |- |
| + | | 7 |
| + | | [5.0.0+] MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved) |
| + | |- |
| + | | 8 |
| + | | [5.0.0+] MarikoIowaSamsung4gb |
| + | |- |
| + | | 9 |
| + | | [5.0.0+] MarikoIowaSamsung8gb |
| + | |- |
| + | | 10 |
| + | | [6.0.0+] MarikoIowaHynix4gb ([5.0.0-5.1.0] Reserved) |
| + | |- |
| + | | 11 |
| + | | [7.0.0+] MarikoIowaMicron4gb ([5.0.0-6.2.0] Reserved) |
| + | |- |
| + | | 12 |
| + | | [5.0.0+] MarikoHoagSamsung4gb |
| + | |- |
| + | | 13 |
| + | | [5.0.0+] MarikoHoagSamsung8gb |
| + | |- |
| + | | 14 |
| + | | [7.0.0+] MarikoHoagHynix4gb ([5.0.0-6.2.0] Reserved) |
| + | |- |
| + | | 15 |
| + | | [7.0.0+] MarikoHoagMicron4gb ([5.0.0-6.2.0] Reserved) |
| + | |- |
| + | | 16 |
| + | | [8.0.0+] MarikoIowaSamsung4gbY |
| + | |- |
| + | | 17 |
| + | | [9.0.0+] MarikoIowaSamsung1y4gbX |
| + | |- |
| + | | 18 |
| + | | [9.0.0+] MarikoIowaSamsung1y8gbX |
| + | |- |
| + | | 19 |
| + | | [9.0.0+] MarikoHoagSamsung1y4gbX |
| + | |- |
| + | | 20 |
| + | | [9.0.0+] MarikoIowaSamsung1y4gbY |
| + | |- |
| + | | 21 |
| + | | [9.0.0+] MarikoIowaSamsung1y8gbY |
| + | |- |
| + | | 22 |
| + | | [9.0.0+] MarikoIowaSamsung1y4gbA |
| + | |} |
| + | |
| + | This is extracted directly from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. |
| + | |
| + | [[PCV_services|PCV]] selects memory training tables based on DramId. |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! SoC |
| + | ! Platform |
| + | ! DramId |
| + | ! Revision |
| + | ! DVFS version |
| + | |- |
| + | | T210 |
| + | | jetson-tx1 |
| + | | N/A |
| + | | 0x07 |
| + | | |
| + | 11_40800_01_V9.8.3_V1.6 |
| + | 11_68000_01_V9.8.3_V1.6 |
| + | 11_102000_01_V9.8.3_V1.6 |
| + | 11_204000_05_V9.8.3_V1.6 |
| + | 11_408000_02_V9.8.3_V1.6 |
| + | 11_665600_03_V9.8.3_V1.6 |
| + | 11_800000_01_V9.8.3_V1.6 |
| + | 11_1065600_01_V9.8.3_V1.6 |
| + | 11_1331200_01_V9.8.3_V1.6 |
| + | 11_1600000_02_V9.8.3_V1.6 |
| + | |- |
| + | | T210 |
| + | | nx-abcb |
| + | | EristaIcosaSamsung4gb |
| + | | 0x07 |
| + | | |
| + | 10_40800_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_68000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_102000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_204000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_408000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_665600_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_800000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1065600_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1331200_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1600000_NoCfgVersion_V9.8.7_V1.6 |
| + | |- |
| + | | T210 |
| + | | nx-abcb |
| + | | EristaIcosaMicron4gb |
| + | | 0x07 |
| + | | |
| + | 10_40800_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_68000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_102000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_204000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_408000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_665600_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_800000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_1065600_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_1331200_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_1600000_NoCfgVersion_V9.8.4_V1.6 |
| + | |- |
| + | | T210 |
| + | | nx-abcb |
| + | | EristaIcosaHynix4gb |
| + | | 0x07 |
| + | | |
| + | 10_40800_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_68000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_102000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_204000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_408000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_665600_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_800000_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_1065600_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_1331200_NoCfgVersion_V9.8.4_V1.6 |
| + | 10_1600000_NoCfgVersion_V9.8.4_V1.6 |
| + | |- |
| + | | T210 |
| + | | nx-abca2 |
| + | | EristaIcosaSamsung4gb, EristaIcosaMicron4gb |
| + | | 0x07 |
| + | | |
| + | 10_40800_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_68000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_102000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_204000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_408000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_665600_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_800000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1065600_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1331200_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1600000_NoCfgVersion_V9.8.7_V1.6 |
| + | |- |
| + | | T210 |
| + | | nx-abca2 |
| + | | EristaIcosaHynix4gb |
| + | | 0x07 |
| + | | |
| + | 10_40800_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_68000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_102000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_204000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_408000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_665600_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_800000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1065600_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1331200_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1600000_NoCfgVersion_V9.8.7_V1.6 |
| + | |- |
| + | | T210 |
| + | | nx-abca2 |
| + | | EristaIcosaSamsung6gb |
| + | | 0x07 |
| + | | |
| + | 10_40800_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_68000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_102000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_204000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_408000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_665600_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_800000_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1065600_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1331200_NoCfgVersion_V9.8.7_V1.6 |
| + | 10_1600000_NoCfgVersion_V9.8.7_V1.6 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowax1x2Samsung4gb |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.3.1_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.3.1_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.3.1_V2.0 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaSamsung4gb, MarikoHoagSamsung4gb |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.3.1_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.3.1_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.3.1_V2.0 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaSamsung8gb, MarikoHoagSamsung8gb |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaHynix4gb, MarikoHoagHynix4gb |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.3.1_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.3.1_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.3.1_V2.0 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaMicron4gb, MarikoHoagMicron4gb |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaSamsung4gbY |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaSamsung1y4gbX |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaSamsung1y8gbX |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
| + | |- |
| + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoHoagSamsung1y4gbX |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
| |- | | |- |
− | | 1 || CryptoUsecase_PrivateRsa | + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaSamsung1y4gbY |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
| |- | | |- |
− | | 2 || CryptoUsecase_PublicRsa | + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaSamsung1y8gbY |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.2_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.2_V2.0 |
| |- | | |- |
− | | 3 || CryptoUsecase_PreparedAesKey | + | | T214 |
| + | | nx-abca2, nx-abcb, nx-abcc |
| + | | MarikoIowaSamsung1y4gbA |
| + | | 0x03 |
| + | | |
| + | 01_204000_NoCfgVersion_V0.4.5_V2.0 |
| + | 01_1331200.0_NoCfgVersion_V0.4.5_V2.0 |
| + | 01_1600000_NoCfgVersion_V0.4.5_V2.0 |
| |} | | |} |
| | | |
− | == ID 1 == | + | '''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors. |
− | Functions exposed to the kernel internally.
| + | |
| + | '''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is a prototype unit. Among other differences, this has extra hardware to support HDMI output. |
| + | |
| + | [8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors. |
| + | |
| + | '''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X. |
| + | |
| + | ===== SecurityEngineInterruptNumber ===== |
| + | SPL uses this for setting up the security engine IRQ. |
| + | |
| + | ===== FuseVersion ===== |
| + | The current [[Package2#Versions|Package1 Maxver Constant]] - 1. |
| + | |
| + | ===== HardwareType ===== |
| + | [1.0.0+] This item is obtained by checking bits 8 and 2 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be: |
| + | * 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''. |
| + | * 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''. |
| + | * 3 (Invalid). |
| + | |
| + | Value 2 is reserved and considered invalid. |
| + | |
| + | [4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be: |
| + | * 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''. |
| + | * 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''. |
| + | * 3 ('''Iowa'''; Mariko retail, EDEV and SDEV), if new hardware type (bits 16-19) is '''Iowa'''. |
| + | * 4 (Invalid). |
| + | |
| + | Value 2 is reserved and considered invalid. |
| + | |
| + | [7.0.0+] This item can be obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]], but is now only 0 (Icosa) or 0xF (Invalid) in retail units. |
| + | |
| + | [8.0.0+] This item can be obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be: |
| + | * 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''. |
| + | * 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''. |
| + | * 2 ('''Hoag'''; Mariko Lite retail and HDEV), if new hardware type (bits 16-19) is '''Hoag'''. |
| + | * 3 ('''Iowa'''; Mariko retail, EDEV and SDEV), if new hardware type (bits 16-19) is '''Iowa'''. |
| + | * 4 ('''Calcio'''; Mariko prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''. |
| + | * 5 (Invalid). |
| + | |
| + | It is still only 0 (Icosa) or 0xF (Invalid) in retail units. |
| + | |
| + | ===== IsRetail ===== |
| + | This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Debug), 1 (Retail) or 2 (Invalid). |
| + | |
| + | ===== IsRecoveryBoot ===== |
| + | Used to determine if the system is booting from SafeMode firmware. |
| + | |
| + | Under normal circumstances, this just returns bit 0 of the active [[BCT#bootloader0_info|bootloader info]]'s attribute field. |
| + | |
| + | ===== DeviceId ===== |
| + | [[NIM_services|NIM]] checks if this item matches the [[Settings_services|set:cal]] DeviceId with byte7 cleared. If they don't match, a panic is thrown. |
| | | |
| + | ===== BootReason ===== |
| {| class=wikitable | | {| class=wikitable |
− | ! Sub-ID || Name || In || Out | + | ! Value || Description |
| |- | | |- |
− | | 0xC4000001 || [[#CpuSuspend]] || X1=power_state, X2=entrypoint_addr, X3=context_id || None | + | | 0 || Invalid |
| |- | | |- |
− | | 0x84000002 || [[#CpuOff]] || None || None | + | | 1 || AcOk |
| |- | | |- |
− | | 0xC4000003 || [[#CpuOn]] || X1=target_cpu, X2=entrypoint_addr, X3=context_id, X4,X5,X6,X7=0 || X0=result | + | | 2 || OnKey |
| |- | | |- |
− | | 0xC3000004 || [[#GetConfig]] (Same as ID 0, Sub-ID 2) || W1=config_item, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4=config_val | + | | 3 || RtcAlarm1 |
| + | |- |
| + | | 4 || RtcAlarm2 |
| + | |} |
| + | |
| + | Used to determine how the system booted. |
| + | |
| + | ===== MemoryMode ===== |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Bits |
| + | ! Description |
| + | |- |
| + | | 0-3 |
| + | | Purpose (0 = None, 1 = ForStandard, 2 = ForAppletDev, 3 = ForSystemDev) |
| + | |- |
| + | | 4-7 |
| + | | Size (0 = 4GB, 1 = 6GB, 2 = 8GB) |
| + | |} |
| + | |
| + | [[Process Manager services|PM]] and the kernel decide memory arrangement based on MemoryMode. |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! MemoryArrange |
| + | ! MemoryMode |
| + | ! Description |
| + | |- |
| + | | 0 |
| + | | 0x01 |
| + | | Standard |
| + | |- |
| + | | 1 |
| + | | 0x02 |
| + | | StandardForAppletDev |
| + | |- |
| + | | 2 |
| + | | 0x03 |
| + | | StandardForSystemDev |
| + | |- |
| + | | 3 |
| + | | 0x11 |
| + | | Expanded |
| + | |- |
| + | | 4 |
| + | | 0x12 |
| + | | ExpandedForAppletDev |
| + | |- |
| + | | 5 |
| + | | 0x21 |
| + | | ExpandedForMarikoDev |
| + | |} |
| + | |
| + | ===== IsDebugMode ===== |
| + | Kernel uses this to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail. |
| + | |
| + | [2.0.0+] This is also used with certain debug [[SVC|SVCs]]. |
| + | |
| + | [3.0.0+] [[Loader services|RO]] checks this and if set then skipping NRR rsa signatures is allowed. |
| + | |
| + | ===== KernelConfiguration ===== |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Bits |
| + | ! Description |
| + | |- |
| + | | 0 |
| + | | EnableNonZeroFillMemory |
| + | |- |
| + | | 1 |
| + | | EnableUserExceptionHandler |
| + | |- |
| + | | 2 |
| + | | PerformanceMonitoringUnit |
| + | |- |
| + | | 3 |
| + | | [8.0.0+] EnableApplicationExtraThread |
| + | |- |
| + | | 8 |
| + | | CallShowErrorOnPanic |
| + | |- |
| + | | 16-17 |
| + | | MemorySize |
| + | |} |
| + | |
| + | Kernel reads this when setting up memory-related code. |
| + | |
| + | EnableNonZeroFillMemory is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. |
| + | |
| + | EnableUserExceptionHandler is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers). |
| + | |
| + | PerformanceMonitoringUnit is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0). |
| + | |
| + | EnableApplicationExtraThread is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads. |
| + | |
| + | CallShowErrorOnPanic is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping. |
| + | |
| + | MemorySize determines how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB. |
| + | |
| + | ===== IsChargerHiZModeEnabled ===== |
| + | This tells if the TI Charger (bq24192) is active. |
| + | |
| + | ===== IsQuest ===== |
| + | This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. |
| + | |
| + | [4.0.0+] [[Settings_services|Settings]] uses this value to overwrite the quest flag from [[Settings_services#set:sys|GetQuestFlag]]. This is used to detect if a Switch is a kiosk unit for display at retail stores. |
| + | |
| + | ===== RegulatorType ===== |
| + | {| class="wikitable" border="1" |
| |- | | |- |
− | | 0xC3000005 || [[#GetRandomBytes]] (Same as ID 0, Sub-ID 6) || X1=size, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4,X5,X6,X7=rand_bytes
| + | ! Value |
| + | ! SoC |
| + | ! GPU |
| + | ! Power Blocks |
| |- | | |- |
− | | 0xC3000006 || [[#Panic]] || W1=unk, X2,X3,X4,X5,X6,X7=0 || X0=result | + | | 0 |
| + | | T210 |
| + | | GM20B (0x12B) |
| + | | max77620_sd0, max77621_cpu and max77621_gpu |
| |- | | |- |
− | | 0xC3000007 || [2.0.0+] ProtectKernelRegion || || | + | | 1 |
| + | | T214 |
| + | | GM20B_B (0x12E) |
| + | | max77620_sd0, max77812_cpu and max77812_gpu |
| |- | | |- |
− | | 0xC3000008 || [2.0.0+] ReadWriteRegister || || | + | | 2 |
| + | | T214 |
| + | | GM20B_B (0x12E) |
| + | | max77620_sd0, max77812_cpu and max77812_gpu |
| |} | | |} |
| | | |
− | === CpuSuspend ===
| + | This item is currently hardcoded to 0. |
− | Standard ARM PCSI SMC. Suspends the CPU (CPU0).
| |
| | | |
− | The kernel calls this SMC on shutdown with '''power_state''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).
| + | [5.0.0+] [[PCV_services|PCV]] uses this value in combination with [[#HardwareType|HardwareType]] to configure power blocks and memory tables for different hardware. |
| | | |
− | === CpuOff === | + | ===== DeviceUniqueKeyGeneration ===== |
− | Standard ARM PCSI SMC. Turns off the CPU (CPU1, CPU2 or CPU3).
| + | This item is obtained from [[Fuse_registers#FUSE_RESERVED_ODM2|FUSE_RESERVED_ODM2]] if bit 11 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]] is set, [[Fuse_registers#FUSE_RESERVED_ODM0|FUSE_RESERVED_ODM0]] matches 0x8E61ECAE and [[Fuse_registers#FUSE_RESERVED_ODM1|FUSE_RESERVED_ODM1]] matches 0xF2BA3BB2. |
| | | |
− | === CpuOn ===
| + | [5.0.0+] [[Filesystem services|FS]] can now use this value for the '''KeyGeneration''' parameter when calling [[#GenerateAesKek|GenerateAesKek]] during "GetBisEncryptionKey". |
− | Standard ARM PCSI SMC. Turns on the CPU (CPU1, CPU2 or CPU3).
| |
| | | |
− | === GetConfig === | + | ===== Package2Hash ===== |
− | Takes a '''config_item''' and returns an associated '''config_val'''.
| + | This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead. |
| | | |
− | === GetRandomBytes === | + | === GenerateRandomBytes === |
− | Takes a '''size''' and returns '''rand_bytes'''. | + | Takes an u64 '''RndSize'''. Returns [[#Result]] and '''RndData'''. |
| | | |
− | The kernel limits '''size''' to 0x38 (for fitting in return registers). | + | The kernel limits '''RndSize''' to 0x38 (for fitting in return registers). |
| | | |
| === Panic === | | === Panic === |
− | Issues a system panic.
| + | Takes an u32 '''PanicColor''' and issues a system panic. |
| | | |
− | The kernel always calls this with '''unk''' set to 0xF00. | + | The kernel always calls this with '''PanicColor''' set to 0xF00. |
| | | |
− | = Errors = | + | === ConfigureCarveout === |
| + | Takes an u64 '''CarveoutIdx''', an u64 '''CarveoutAddr''' and an u64 '''CarveoutSize'''. Returns [[#Result]]. |
| + | |
| + | If '''CarveoutIdx''' is 0, '''CarveoutAddr''' and '''CarveoutSize''' are used to configure '''MC_SECURITY_CARVEOUT4'''. |
| + | If '''CarveoutIdx''' is 1, '''CarveoutAddr''' and '''CarveoutSize''' are used to configure '''MC_SECURITY_CARVEOUT5'''. |
| + | Any other '''CarveoutIdx''' values are invalid. |
| + | |
| + | The kernel calls this with '''CarveoutIdx''' set to 0, '''CarveoutAddr''' set to 0x80060000 and '''CarveoutSize''' set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions. |
| + | |
| + | === ReadWriteRegister === |
| + | Takes an u64 '''RegAddr''', an u32 '''RwMask''' and an u32 '''InValue'''. Returns [[#Result]] and an u32 '''OutValue'''. |
| + | |
| + | Relays [[SVC#svcReadWriteRegister|svcReadWriteRegister]] to the Secure Monitor. |
| + | |
| + | = CryptoUsecase = |
| + | {| class=wikitable |
| + | ! Value || Name |
| + | |- |
| + | | 0 || Aes |
| + | |- |
| + | | 1 || RsaPrivate |
| + | |- |
| + | | 2 || RsaSecureExpMod |
| + | |- |
| + | | 3 || TitleKey |
| + | |} |
| + | |
| + | TitleKey represents a RSA wrapped AES key. |
| + | |
| + | = CipherMode = |
| + | {| class=wikitable |
| + | ! Value || Name |
| + | |- |
| + | | 0 || CbcEncrypt |
| + | |- |
| + | | 1 || CbcDecrypt |
| + | |- |
| + | | 2 || Ctr |
| + | |} |
| + | |
| + | = DecryptOrImportMode = |
| + | {| class=wikitable |
| + | ! Value || Name |
| + | |- |
| + | | 0 || DecryptRsaPrivateKey |
| + | |- |
| + | | 1 || ImportLotusKey |
| + | |- |
| + | | 2 || ImportEsKey |
| + | |- |
| + | | 3 || ImportSslKey |
| + | |- |
| + | | 4 || ImportDrmKey |
| + | |} |
| + | |
| + | = SecureExpModMode = |
| + | {| class=wikitable |
| + | ! Value || Name |
| + | |- |
| + | | 0 || Lotus |
| + | |- |
| + | | 1 || Ssl |
| + | |- |
| + | | 2 || Drm |
| + | |} |
| + | |
| + | = Result = |
| {| class=wikitable | | {| class=wikitable |
| ! Value || Description | | ! Value || Description |
| |- | | |- |
− | | 2 || Invalid input | + | | 0 || Success |
| + | |- |
| + | | 1 || Not implemented |
| + | |- |
| + | | 2 || Invalid argument |
| + | |- |
| + | | 3 || In progress |
| + | |- |
| + | | 4 || No async operation |
| + | |- |
| + | | 5 || Invalid async operation |
| |- | | |- |
− | | 3 || Busy | + | | [8.0.0+] 6 || Not permitted |
| |} | | |} |