2,775
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + − − + Line 24:
Line 23: − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + Line 80:
Line 79: − − Note: − The [[#enum_CryptoUsecase|CryptoUsecase_TitleKey]] represents a RSA wrapped AES key. − + Line 92:
Line 88: − + − + − + − + − Todo: This one seems unrelated to [[#enum_CryptoUsecase]].+ − + + + + − + − This function was removed in [[5.0.0]], and replaced with [[#EncryptRsaKeyForImport]].+ − + − + − + − + − === DecryptOrImportRsaKey ===+ − + + − + − + − This function was removed in [[5.0.0]], and replaced with [[#EncryptRsaKeyForImport]].+ − + + + − + − + + + − + − + − {| class=wikitable+ − ! Value || Name − |- − | 0 || CryptoUsecase_Aes − |- − | 1 || CryptoUsecase_RsaPrivate − |- − | 2 || CryptoUsecase_RsaSecureExpMod − |- − | 3 || CryptoUsecase_RsaOaep − |} − + − + − + − + − + − + − + − + − + − + − Standard ARM PCSI SMC. Suspends the CPU (CPU0).+ − + + + − Standard ARM PCSI SMC. Turns off the CPU (CPU1, CPU2 or CPU3).+ + + − Standard ARM PCSI SMC. Turns on the CPU (CPU1, CPU2 or CPU3).+ + + − + + − + Line 207:
Line 208: − + − + Line 221:
Line 222: − + Line 229:
Line 230: − + − + − + − + − + − This is extracted directly from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. − − + − + + + + + + + + + + + + + + + + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + + + + + + + + + − + − + − + − + + − + − + − + + Line 321:
Line 345: − + − + − + + Line 336:
Line 361: − + − + − + + Line 351:
Line 377: − + − + − + + Line 366:
Line 393: − + − + − + + Line 381:
Line 409: − + − + − + + Line 396:
Line 425: − + − + − + + Line 411:
Line 441: − + − + − + + Line 419:
Line 450: − + − + − + + Line 427:
Line 459: − + − + − + + Line 435:
Line 468: − + − + − + + Line 443:
Line 477: − + − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + + + − + − + − + − + − + − + + + + + + − + + + + + − A value of 2 (Hoag) is always mapped to 4 (Invalid).+ − + + + + + + + + + + + + + − + − + + + − + + + + + + + + + + + + + + + − + − [[Process Manager services|PM]] uses this item for selecting the appropriate size for each [[SVC#LimitableResource|LimitableResource_Memory]].+ + + + + + + + + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 493:
Line 672: − The value of this field is loaded from [[BootConfig]] unsigned-config+0x10 u8 bit1.+ + + + + + + + + + + + + + + + + + + + + + + + + + − ==== KernelConfiguration ====+ − Kernel reads this when setting up memory-related code. − Bit 0 is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs.+ − Bit 1 is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).+ − Bit 2 is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).+ − Bits 8-15 are a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.+ − Bits 16-17 determine how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB.+ − + − + − This item is obtained from [[Fuse_registers#FUSE_RESERVED_ODM2|FUSE_RESERVED_ODM2]] if bit 11 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]] is set, [[Fuse_registers#FUSE_RESERVED_ODM0|FUSE_RESERVED_ODM0]] matches 0x8E61ECAE and [[Fuse_registers#FUSE_RESERVED_ODM1|FUSE_RESERVED_ODM1]] matches 0xF2BA3BB2. − − [5.0.0+] [[Filesystem services|FS]] can now use this value for the '''KeyGeneration''' parameter when calling [[#GenerateAesKek|GenerateAesKek]] during "GetBisEncryptionKey". − − ==== IsKiosk ==== − + − This item is currently hardcoded to 0. − − [5.0.0+] [[PCV_services|PCV]] overrides the value from [[#HardwareType|HardwareType]] and configures PMIC devices with this item. − + − + + + − + − + + + − + − + + + − + − + + + − + + + + + + + + + + − + − + − + − Issues a system panic.+ − + − Configures memory controller carveout regions.+ − + − + − + − + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + + + + + + + + + + + − +
no edit summary
= Secure Monitor Calls =
= Secure Monitor calls =
The secure monitor provides two top level handlers of which each provides a range of sub handlers.
The secure monitor provides two top level handlers of which each provides a range of sub handlers.
Secure Monitor Calls follow the ARM SMC calling convention up to a small change:
Secure Monitor calls follow the ARM SMC calling convention up to a small change:
{| class=wikitable
{| class=wikitable
! Bit number || Bit mask || Description
! Bit number || Bit mask || Description
SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call.
SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call.
== ID 0 ==
== FunctionId0 ==
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]]. SMCs should be called from CPUID 3 (where SPL runs).
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]]. SMCs should be called from CPUID 3 (where SPL runs).
{| class=wikitable
{| class=wikitable
! Sub-ID || Name || In || Out
! Value || Name
|-
|-
| 0xC3000401 || SetConfig || ||
| 0xC3000401 || SetConfig
|-
|-
| 0xC3000002 || GetConfig (Same as ID 1, Sub-ID 4) || ||
| 0xC3000002 || [[#GetConfig]] (same as in [[#FunctionId1]])
|-
|-
| 0xC3000003 || CheckStatus || ||
| 0xC3000003 || GetResult
|-
|-
| 0xC3000404 || GetResult || ||
| 0xC3000404 || GetResultData
|-
|-
| 0xC3000E05 || ExpMod || ||
| 0xC3000E05 || ExpMod
|-
|-
| 0xC3000006 || GetRandomBytes (Same as ID 1, Sub-ID 5) || ||
| 0xC3000006 || [[#GenerateRandomBytes]] (same as in [[#FunctionId1]])
|-
|-
| 0xC3000007 || [[#GenerateAesKek]] || ||
| 0xC3000007 || [[#GenerateAesKek]]
|-
|-
| 0xC3000008 || [[#LoadAesKey]] || ||
| 0xC3000008 || [[#LoadAesKey]]
|-
|-
| 0xC3000009 || [[#CryptAes]] || ||
| 0xC3000009 || [[#ComputeAes]]
|-
|-
| 0xC300000A || [[#GenerateSpecificAesKey]] || ||
| 0xC300000A || [[#GenerateSpecificAesKey]]
|-
|-
| 0xC300040B || [[#ComputeCmac]] || ||
| 0xC300040B || [[#ComputeCmac]]
|-
|-
| [1.0.0-4.1.0] 0xC300100C || [[#LoadRsaOaepKey]] || ||
| [1.0.0-4.1.0] 0xC300100C || [[#ImportEsKey]]
|-
|-
| [5.0.0+] 0xC300D60C || [[#EncryptRsaKeyForImport]] || ||
| [5.0.0+] 0xC300D60C || [[#ReEncryptRsaPrivateKey]]
|-
|-
| [1.0.0-4.1.0] 0xC300100D || [[#DecryptRsaPrivateKey]] || ||
| [1.0.0-4.1.0] 0xC300100D || [[#DecryptRsaPrivateKey]]
|-
|-
| [5.0.0] 0xC300100D || [[#DecryptOrImportRsaKey]] || ||
| [5.0.0+] 0xC300100D || [[#DecryptOrImportRsaPrivateKey]]
|-
|-
| [1.0.0-4.1.0] 0xC300100E || [[#LoadSecureExpModKey]] || ||
| [1.0.0-4.1.0] 0xC300100E || [[#ImportLotusKey]]
|-
|-
| 0xC300060F || [[#SecureExpMod]] || ||
| 0xC300060F || [[#StorageExpMod]]
|-
|-
| 0xC3000610 || [[#UnwrapRsaOaepWrappedTitleKey]] || ||
| 0xC3000610 || [[#UnwrapTitleKey]]
|-
|-
| 0xC3000011 || [[#LoadTitleKey]] || ||
| 0xC3000011 || [[#LoadTitleKey]]
|-
|-
| 0xC3000012 || [2.0.0+] UnwrapAesWrappedTitleKey || ||
| 0xC3000012 || [2.0.0+] [[#UnwrapCommonTitleKey]]
|}
|}
** This means: Plaintext kek keys never leave TrustZone.
** This means: Plaintext kek keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
=== GenerateAesKek ===
=== GenerateAesKek ===
Takes an "access key" as input, an [[#enum_CryptoUsecase]].
Takes an "access key" as input, an [[#CryptoUsecase]].
Returns a session-unique kek for said usecase.
Returns a session-unique kek for said usecase.
Takes a session kek created with [[#GenerateAesKek]], and a wrapped AES key.
Takes a session kek created with [[#GenerateAesKek]], and a wrapped AES key.
The session kek must have been created with [[#enum_CryptoUsecase|CryptoUsecase_Aes]].
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase Aes]].
=== CryptAes ===
=== ComputeAes ===
Encrypts/decrypts using Aes (CTR and CBC).
Encrypts/decrypts using AES (CTR and CBC). Takes an [[#CipherMode]].
Key must be set prior using one of the [[#LoadAesKey]], [[#GenerateSpecificAesKey]] or [[#LoadRsaWrappedAesKey]] commands.
Key must be set prior using one of the [[#LoadAesKey]] or [[#GenerateSpecificAesKey]] commands.
=== GenerateSpecificAesKey ===
=== GenerateSpecificAesKey ===
Takes a wrapped AES key and decrypts it using static data.
=== LoadRsaOaepKey ===
=== ComputeCmac ===
Calculates CMAC over input data.
=== ImportEsKey ===
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key.
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key.
The session kek must have been created with [[#enum_CryptoUsecase|CryptoUsecase_RsaOaep]].
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase TitleKey]].
[5.0.0] This function was removed and replaced with [[#ReEncryptRsaPrivateKey]].
=== EncryptRsaKeyForImport ===
=== ReEncryptRsaPrivateKey ===
Takes in two session keks created with [[#GenerateAesKek]], two wrapped AES keys, an enum member, and a wrapped RSA private key.
Takes in two session keks created with [[#GenerateAesKek]], two wrapped AES keys, an enum member, and a wrapped RSA private key.
Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid.
Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid.
The re-encrypted key is then passed to the user, for use with [[#DecryptOrImportRsaKey]].
The re-encrypted key is then passed to the user, for use with [[#DecryptOrImportRsaPrivateKey]].
=== DecryptRsaPrivateKey ===
=== DecryptRsaPrivateKey ===
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, an enum member, and a wrapped RSA private key.
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, an enum member, and a wrapped RSA private key.
The session kek must have been created with [[#enum_CryptoUsecase|CryptoUsecase_RsaPrivate]].
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase RsaPrivate]].
[4.0.0+] The SMC handler when certain conditions pass and SMC_ID==0xC300100D now returns error 0x6 instead of calling the handler funcptr.
[4.0.0+] The SMC handler when certain conditions pass and FunctionId0==0xC300100D now returns error 0x6 instead of calling the handler funcptr.
[5.0.0+] This function was replaced by [[#DecryptOrImportRsaPrivateKey]].
This function replaced [[#DecryptRsaPrivateKey]] in [[5.0.0]], adding an additional enum member argument.
=== DecryptOrImportRsaPrivateKey ===
This function replaced [[#DecryptRsaPrivateKey]] in [[5.0.0]], adding an additional [[#DecryptOrImportMode]].
This SMC extends DecryptRsaPrivateKey's original functionality to enable importing private keys into the security engine instead of decrypting them, when certain enum members are passed.
This SMC extends DecryptRsaPrivateKey's original functionality to enable importing private keys into the security engine instead of decrypting them, when certain enum members are passed.
=== LoadSecureExpModKey ===
=== ImportLotusKey ===
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA key.
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA key.
The session kek must have been created with [[#enum_CryptoUsecase|CryptoUsecase_RsaSecureExpMod]].
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase RsaSecureExpMod]].
[5.0.0] This function was removed.
=== SecureExpMod ===
=== SecureExpMod ===
Performs an Exp Mod operation using an exponent previously loaded with the [[#LoadSecureExpModKey]] command.
Performs an ExpMod operation using an exponent previously loaded with the [[#ImportLotusKey]] command.
[5.0.0+] This now uses any exponent previously loaded with [[#DecryptOrImportRsaPrivateKey]] and takes an [[#SecureExpModMode]].
=== UnwrapRsaOaepWrappedTitleKey ===
=== UnwrapTitleKey ===
Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash.
Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash.
Performs an Exp Mod operation using an exponent previously loaded with the [[#LoadRsaOaepKey]] command, and then validates/extracts a Titlekey from the resulting message.
Performs an ExpMod operation using an exponent previously loaded with the [[#ImportEsKey]] command, and then validates/extracts a Titlekey from the resulting message.
Returns a session-unique AES key especially for use in [[#LoadTitleKey]].
Returns a session-unique AES key especially for use in [[#LoadTitleKey]].
[5.0.0+] This now uses any exponent previously loaded with [[#DecryptOrImportRsaPrivateKey]].
=== LoadTitleKey ===
=== LoadTitleKey ===
Takes a session-unique AES key from [[#UnwrapAesWrappedTitleKey]] or [[#UnwrapRsaOaepWrappedTitleKey]].
Takes a session-unique AES key from [[#UnwrapCommonTitleKey]] or [[#UnwrapTitleKey]].
=== enum CryptoUsecase ===
=== UnwrapCommonTitleKey ===
Takes an AES-wrapped TitleKey and returns a sealed AES key.
== ID 1 ==
== FunctionId1 ==
Functions exposed to the kernel internally.
Functions exposed to the kernel internally.
{| class=wikitable
{| class=wikitable
! Sub-ID || Name || In || Out
! Value || Name
|-
|-
| 0xC4000001 || [[#CpuSuspend]] || X1=power_state, X2=entrypoint_addr, X3=context_id || None
| 0xC4000001 || [[#CpuSuspend]]
|-
|-
| 0x84000002 || [[#CpuOff]] || None || None
| 0x84000002 || [[#CpuOff]]
|-
|-
| 0xC4000003 || [[#CpuOn]] || X1=target_cpu, X2=entrypoint_addr, X3=context_id, X4,X5,X6,X7=0 || X0=result
| 0xC4000003 || [[#CpuOn]]
|-
|-
| 0xC3000004 || [[#GetConfig]] (Same as ID 0, Sub-ID 2) || W1=config_item, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4=config_val
| 0xC3000004 || [[#GetConfig]] (same as in [[#FunctionId0]])
|-
|-
| 0xC3000005 || [[#GetRandomBytes]] (Same as ID 0, Sub-ID 6) || X1=size, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4,X5,X6,X7=rand_bytes
| 0xC3000005 || [[#GenerateRandomBytes]] (same as in [[#FunctionId0]])
|-
|-
| 0xC3000006 || [[#Panic]] || W1=panic_color, X2,X3,X4,X5,X6,X7=0 || X0=result
| 0xC3000006 || [[#Panic]]
|-
|-
| 0xC3000007 || [2.0.0+] [[#ConfigureCarveout]] || X1=carveout_index, X2=region_phys_addr, X3=region_size, X4,X5,X6,X7=0 || X0=result
| 0xC3000007 || [2.0.0+] [[#ConfigureCarveout]]
|-
|-
| 0xC3000008 || [2.0.0+] [[#ReadWriteRegister]] || X1=reg_addr, W2=rw_mask, W3=in_val, X4,X5,X6,X7=0 || X0=result, W1=out_val
| 0xC3000008 || [2.0.0+] [[#ReadWriteRegister]]
|}
|}
=== CpuSuspend ===
=== CpuSuspend ===
Takes an u64 '''PowerState''', an u64 '''EntrypointAddr''' and an u64 '''ContextId'''. No output.
The kernel calls this SMC on shutdown with '''power_state''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).
Suspends the CPU (CPU0).
The kernel calls this SMC on shutdown with '''PowerState''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).
=== CpuOff ===
=== CpuOff ===
No input/output.
Turns off the CPU (CPU1, CPU2 or CPU3).
=== CpuOn ===
=== CpuOn ===
Takes an u64 '''TargetCpu''', an u64 '''EntrypointAddr''' and an u64 '''ContextId'''. Returns [[#Result]].
Turns on the CPU (CPU1, CPU2 or CPU3).
=== GetConfig ===
=== GetConfig ===
Takes a '''config_item''' and returns an associated '''config_val'''.
Takes a [[#ConfigItem]]. Returns [[#Result]] and a '''ConfigVal'''.
==== ConfigItem ====
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! ConfigItem || Name
! Value || Name
|-
|-
| 1 || [[#DisableProgramVerification]]
| 1 || [[#DisableProgramVerification]]
| 2 || [[#DramId]]
| 2 || [[#DramId]]
|-
|-
| 3 || [[#SecurityEngineIrqNumber]]
| 3 || [[#SecurityEngineInterruptNumber]]
|-
|-
| 4 || [[#Version]]
| 4 || [[#FuseVersion]]
|-
|-
| 5 || [[#HardwareType]]
| 5 || [[#HardwareType]]
| 9 || [1.0.0-4.0.0] [[#BootReason]]
| 9 || [1.0.0-4.0.0] [[#BootReason]]
|-
|-
| 10 || [[#MemoryArrange]]
| 10 || [[#MemoryMode]]
|-
|-
| 11 || [[#IsDebugMode]]
| 11 || [[#IsDebugMode]]
| 13 || [[#IsChargerHiZModeEnabled]]
| 13 || [[#IsChargerHiZModeEnabled]]
|-
|-
| 14 || [4.0.0+] [[#IsKiosk]]
| 14 || [4.0.0+] [[#IsQuest]]
|-
|-
| 15 || [5.0.0+] [[#NewHardwareType]]
| 15 || [5.0.0+] [[#RegulatorType]]
|-
|-
| 16 || [5.0.0+] [[#NewKeyGeneration]]
| 16 || [5.0.0+] [[#DeviceUniqueKeyGeneration]]
|-
|-
| 17 || [5.0.0+] [[#Package2Hash]]
| 17 || [5.0.0+] [[#Package2Hash]]
|}
|}
==== DisableProgramVerification ====
===== DisableProgramVerification =====
[[Process Manager services|PM]] checks this item and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).
[[Process Manager services|PM]] checks this item and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).
==== DramId ====
===== DramId =====
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Value
! Value
! Description
! Description
|-
| 0
| EristaIcosaSamsung4gb
|-
| 1
| EristaIcosaHynix4gb
|-
| 2
| EristaIcosaMicron4gb
|-
| 3
| Reserved
|-
| 4
| EristaIcosaSamsung6gb
|-
|-
| 0
| 5
| DramId_EristaIcosaSamsung4gb
| [4.0.0+] Reserved
|-
|-
| 1
| 6
| DramId_EristaIcosaHynix4gb
| [4.0.0+] Reserved
|-
|-
| 2
| 7
| DramId_EristaIcosaMicron4gb
| [5.0.0+] MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved)
|-
|-
| 3
| 8
| Reserved
| [5.0.0+] MarikoIowaSamsung4gb
|-
|-
| 4
| 9
| DramId_EristaIcosaSamsung6gb
| [5.0.0+] MarikoIowaSamsung8gb
|-
|-
| 5
| 10
| [4.0.0+] Reserved (DramId_EristaIcosaHynix6gb)
| [6.0.0+] MarikoIowaHynix4gb ([5.0.0-5.1.0] Reserved)
|-
|-
| 6
| 11
| [4.0.0+] Reserved (DramId_EristaIcosaMicron6gb)
| [7.0.0+] MarikoIowaMicron4gb ([5.0.0-6.2.0] Reserved)
|-
|-
| 7
| 12
| [5.0.0+] DramId_MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved)
| [5.0.0+] MarikoHoagSamsung4gb
|-
|-
| 8
| 13
| [5.0.0+] DramId_MarikoIowaSamsung4gb
| [5.0.0+] MarikoHoagSamsung8gb
|-
|-
| 9
| 14
| [5.0.0+] DramId_MarikoIowaSamsung8gb
| [7.0.0+] MarikoHoagHynix4gb ([5.0.0-6.2.0] Reserved)
|-
|-
| 10
| 15
| [6.0.0+] DramId_MarikoIowaHynix4gb ([5.0.0-5.1.0] Reserved)
| [7.0.0+] MarikoHoagMicron4gb ([5.0.0-6.2.0] Reserved)
|-
|-
| 11
| 16
| [7.0.0+] DramId_MarikoIowaMicron4gb ([5.0.0-6.2.0] Reserved)
| [8.0.0+] MarikoIowaSamsung4gbY
|-
|-
| 12
| 17
| [5.0.0+] DramId_MarikoHoagSamsung4gb
| [9.0.0+] MarikoIowaSamsung1y4gbX
|-
|-
| 13
| 18
| [5.0.0+] DramId_MarikoHoagSamsung8gb
| [9.0.0+] MarikoIowaSamsung1y8gbX
|-
|-
| 14
| 19
| [7.0.0+] DramId_MarikoHoagHynix4gb ([5.0.0-6.2.0] Reserved)
| [9.0.0+] MarikoHoagSamsung1y4gbX
|-
|-
| 15
| 20
| [7.0.0+] DramId_MarikoHoagMicron4gb ([5.0.0-6.2.0] Reserved)
| [9.0.0+] MarikoIowaSamsung1y4gbY
|-
| 21
| [9.0.0+] MarikoIowaSamsung1y8gbY
|-
| 22
| [9.0.0+] MarikoIowaSamsung1y4gbA
|}
|}
This is extracted directly from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
[[PCV_services|PCV]] selects memory training tables based on DramId.
[[PCV_services|PCV]] selects memory training tables based on DramId.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Platform
! SoC
! DramId
! Platform
! Revision
! DramId
! DVFS version
! Revision
! DVFS version
|-
|-
| jetson-tx1
| T210
| N/A
| jetson-tx1
| 0x07
| N/A
| 0x07
|
|
11_40800_01_V9.8.3_V1.6
11_40800_01_V9.8.3_V1.6
11_1600000_02_V9.8.3_V1.6
11_1600000_02_V9.8.3_V1.6
|-
|-
| nx-abcb
| T210
| EristaIcosaSamsung4gb
| nx-abcb
| 0x07
| EristaIcosaSamsung4gb
| 0x07
|
|
10_40800_NoCfgVersion_V9.8.7_V1.6
10_40800_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6
|-
|-
| nx-abcb
| T210
| EristaIcosaMicron4gb
| nx-abcb
| 0x07
| EristaIcosaMicron4gb
| 0x07
|
|
10_40800_NoCfgVersion_V9.8.4_V1.6
10_40800_NoCfgVersion_V9.8.4_V1.6
10_1600000_NoCfgVersion_V9.8.4_V1.6
10_1600000_NoCfgVersion_V9.8.4_V1.6
|-
|-
| nx-abcb
| T210
| EristaIcosaHynix4gb
| nx-abcb
| 0x07
| EristaIcosaHynix4gb
| 0x07
|
|
10_40800_NoCfgVersion_V9.8.4_V1.6
10_40800_NoCfgVersion_V9.8.4_V1.6
10_1600000_NoCfgVersion_V9.8.4_V1.6
10_1600000_NoCfgVersion_V9.8.4_V1.6
|-
|-
| nx-abca2
| T210
| EristaIcosaSamsung4gb or EristaIcosaMicron4gb
| nx-abca2
| 0x07
| EristaIcosaSamsung4gb, EristaIcosaMicron4gb
| 0x07
|
|
10_40800_NoCfgVersion_V9.8.7_V1.6
10_40800_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6
|-
|-
| nx-abca2
| T210
| EristaIcosaHynix4gb
| nx-abca2
| 0x07
| EristaIcosaHynix4gb
| 0x07
|
|
10_40800_NoCfgVersion_V9.8.7_V1.6
10_40800_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6
|-
|-
| nx-abca2
| T210
| EristaIcosaSamsung6gb
| nx-abca2
| 0x07
| EristaIcosaSamsung6gb
| 0x07
|
|
10_40800_NoCfgVersion_V9.8.7_V1.6
10_40800_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6
|-
|-
| nx-abca2
| T214
| MarikoIowax1x2Samsung4gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowax1x2Samsung4gb
| 0x03
|
|
01_204000_NoCfgVersion_V0.3.1_V2.0
01_204000_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0
|-
|-
| nx-abca2
| T214
| MarikoIowaSamsung4gb or MarikoHoagSamsung4gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowaSamsung4gb, MarikoHoagSamsung4gb
| 0x03
|
|
01_204000_NoCfgVersion_V0.3.1_V2.0
01_204000_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0
|-
|-
| nx-abca2
| T214
| MarikoIowaSamsung8gb or MarikoHoagSamsung8gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowaSamsung8gb, MarikoHoagSamsung8gb
| 0x03
|
|
01_204000_NoCfgVersion_V0.4.2_V2.0
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
|-
| nx-abca2
| T214
| MarikoIowaHynix4gb or MarikoHoagHynix4gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowaHynix4gb, MarikoHoagHynix4gb
| 0x03
|
|
01_204000_NoCfgVersion_V0.3.1_V2.0
01_204000_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0
|-
|-
| nx-abca2
| T214
| MarikoIowaMicron4gb or MarikoHoagMicron4gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowaMicron4gb, MarikoHoagMicron4gb
| 0x03
|
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung4gbY
| 0x03
|
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y4gbX
| 0x03
|
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y8gbX
| 0x03
|
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoHoagSamsung1y4gbX
| 0x03
|
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y4gbY
| 0x03
|
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y8gbY
| 0x03
|
|
01_204000_NoCfgVersion_V0.4.2_V2.0
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y4gbA
| 0x03
|
01_204000_NoCfgVersion_V0.4.5_V2.0
01_1331200.0_NoCfgVersion_V0.4.5_V2.0
01_1600000_NoCfgVersion_V0.4.5_V2.0
|}
|}
nx-abcb (Copper) is the SDEV unit. Among other differences, this has extra hardware to support HDMI output.
'''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors.
'''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is a prototype unit. Among other differences, this has extra hardware to support HDMI output.
nx-abca2 (Icosa) hardware types are variations of the retail form factor.
[8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors.
Erista memory is LPDDR4, while Mariko memory is LPDDR4X.
'''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X.
==== SecurityEngineIrqNumber ====
===== SecurityEngineInterruptNumber =====
SPL uses this for setting up the security engine IRQ.
SPL uses this for setting up the security engine IRQ.
==== Version ====
===== FuseVersion =====
The current [[Package2#Versions|Package1 Maxver Constant]] - 1.
The current [[Package2#Versions|Package1 Maxver Constant]] - 1.
==== HardwareType ====
===== HardwareType =====
[1.0.0+] This item is obtained by checking bits 8 and 2 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Icosa), 1 (Copper) or 3 (Invalid).
[1.0.0+] This item is obtained by checking bits 8 and 2 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be:
* 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''.
* 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
* 3 (Invalid).
Value 2 is reserved and considered invalid.
[4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Icosa), 1 (Copper), 3 (Mariko) or 4 (Invalid).
[4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be:
* 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''.
* 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
* 3 ('''Iowa'''; Mariko retail, EDEV and SDEV), if new hardware type (bits 16-19) is '''Iowa'''.
* 4 (Invalid).
Value 2 is reserved and considered invalid.
==== IsRetail ====
[7.0.0+] This item can be obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]], but is now only 0 (Icosa) or 0xF (Invalid) in retail units.
[8.0.0+] This item can be obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be:
* 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''.
* 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
* 2 ('''Hoag'''; Mariko Lite retail and HDEV), if new hardware type (bits 16-19) is '''Hoag'''.
* 3 ('''Iowa'''; Mariko retail, EDEV and SDEV), if new hardware type (bits 16-19) is '''Iowa'''.
* 4 ('''Calcio'''; Mariko prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
* 5 (Invalid).
It is still only 0 (Icosa) or 0xF (Invalid) in retail units.
===== IsRetail =====
This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Debug), 1 (Retail) or 2 (Invalid).
This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Debug), 1 (Retail) or 2 (Invalid).
==== IsRecoveryBoot ====
===== IsRecoveryBoot =====
Used to determine if the system is booting from SafeMode firmware.
Used to determine if the system is booting from SafeMode firmware.
==== DeviceId ====
Under normal circumstances, this just returns bit 0 of the active [[BCT#bootloader0_info|bootloader info]]'s attribute field.
===== DeviceId =====
[[NIM_services|NIM]] checks if this item matches the [[Settings_services|set:cal]] DeviceId with byte7 cleared. If they don't match, a panic is thrown.
[[NIM_services|NIM]] checks if this item matches the [[Settings_services|set:cal]] DeviceId with byte7 cleared. If they don't match, a panic is thrown.
==== BootReason ====
===== BootReason =====
{| class=wikitable
! Value || Description
|-
| 0 || Invalid
|-
| 1 || AcOk
|-
| 2 || OnKey
|-
| 3 || RtcAlarm1
|-
| 4 || RtcAlarm2
|}
Used to determine how the system booted.
Used to determine how the system booted.
==== MemoryArrange ====
===== MemoryMode =====
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0-3
| Purpose (0 = None, 1 = ForStandard, 2 = ForAppletDev, 3 = ForSystemDev)
|-
| 4-7
| Size (0 = 4GB, 1 = 6GB, 2 = 8GB)
|}
==== IsDebugMode ====
[[Process Manager services|PM]] and the kernel decide memory arrangement based on MemoryMode.
{| class="wikitable" border="1"
|-
! MemoryArrange
! MemoryMode
! Description
|-
| 0
| 0x01
| Standard
|-
| 1
| 0x02
| StandardForAppletDev
|-
| 2
| 0x03
| StandardForSystemDev
|-
| 3
| 0x11
| Expanded
|-
| 4
| 0x12
| ExpandedForAppletDev
|-
| 5
| 0x21
| ExpandedForMarikoDev
|}
===== IsDebugMode =====
Kernel uses this to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail.
Kernel uses this to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail.
[3.0.0+] [[Loader services|RO]] checks this and if set then skipping NRR rsa signatures is allowed.
[3.0.0+] [[Loader services|RO]] checks this and if set then skipping NRR rsa signatures is allowed.
===== KernelConfiguration =====
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0
| EnableNonZeroFillMemory
|-
| 1
| EnableUserExceptionHandler
|-
| 2
| PerformanceMonitoringUnit
|-
| 3
| [8.0.0+] EnableApplicationExtraThread
|-
| 8
| CallShowErrorOnPanic
|-
| 16-17
| MemorySize
|}
Kernel reads this when setting up memory-related code.
EnableNonZeroFillMemory is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs.
EnableUserExceptionHandler is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).
PerformanceMonitoringUnit is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).
EnableApplicationExtraThread is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.
CallShowErrorOnPanic is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.
MemorySize determines how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB.
==== IsChargerHiZModeEnabled ====
===== IsChargerHiZModeEnabled =====
This tells if the TI Charger (bq24192) is active.
This tells if the TI Charger (bq24192) is active.
==== NewKeyGeneration ====
===== IsQuest =====
This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
[4.0.0+] [[Settings_services|Settings]] uses this value to overwrite the quest flag from [[Settings_services#set:sys|GetQuestFlag]]. This is used to detect if a Switch is a kiosk unit for display at retail stores.
[4.0.0+] [[Settings_services|Settings]] uses this value to overwrite the quest flag from [[Settings_services#set:sys|GetQuestFlag]]. This is used to detect if a Switch is a kiosk unit for display at retail stores.
==== NewHardwareType ====
===== RegulatorType =====
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Value
! Value
! Devices
! SoC
! GPU
! Power Blocks
|-
|-
| 0
| 0
| max77620_sd0, max77621_cpu and max77621_gpu
| T210
| GM20B (0x12B)
| max77620_sd0, max77621_cpu and max77621_gpu
|-
|-
| 1
| 1
| max77620_sd0, max77812_cpu and max77812_gpu
| T214
| GM20B_B (0x12E)
| max77620_sd0, max77812_cpu and max77812_gpu
|-
|-
| 2
| 2
| max77620_sd0, max77812_cpu and max77812_gpu
| T214
| GM20B_B (0x12E)
| max77620_sd0, max77812_cpu and max77812_gpu
|}
|}
==== Package2Hash ====
This item is currently hardcoded to 0.
[5.0.0+] [[PCV_services|PCV]] uses this value in combination with [[#HardwareType|HardwareType]] to configure power blocks and memory tables for different hardware.
===== DeviceUniqueKeyGeneration =====
This item is obtained from [[Fuse_registers#FUSE_RESERVED_ODM2|FUSE_RESERVED_ODM2]] if bit 11 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]] is set, [[Fuse_registers#FUSE_RESERVED_ODM0|FUSE_RESERVED_ODM0]] matches 0x8E61ECAE and [[Fuse_registers#FUSE_RESERVED_ODM1|FUSE_RESERVED_ODM1]] matches 0xF2BA3BB2.
[5.0.0+] [[Filesystem services|FS]] can now use this value for the '''KeyGeneration''' parameter when calling [[#GenerateAesKek|GenerateAesKek]] during "GetBisEncryptionKey".
===== Package2Hash =====
This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.
This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.
=== GetRandomBytes ===
=== GenerateRandomBytes ===
Takes a '''size''' and returns '''rand_bytes'''.
Takes an u64 '''RndSize'''. Returns [[#Result]] and '''RndData'''.
The kernel limits '''size''' to 0x38 (for fitting in return registers).
The kernel limits '''RndSize''' to 0x38 (for fitting in return registers).
=== Panic ===
=== Panic ===
Takes an u32 '''PanicColor''' and issues a system panic.
The kernel always calls this with '''panic_color''' set to 0xF00.
The kernel always calls this with '''PanicColor''' set to 0xF00.
=== ConfigureCarveout ===
=== ConfigureCarveout ===
Takes an u64 '''CarveoutIdx''', an u64 '''CarveoutAddr''' and an u64 '''CarveoutSize'''. Returns [[#Result]].
If '''carveout_index''' is 0, '''region_phys_addr''' and '''region_size''' are used to configure '''MC_SECURITY_CARVEOUT4'''.
If '''CarveoutIdx''' is 0, '''CarveoutAddr''' and '''CarveoutSize''' are used to configure '''MC_SECURITY_CARVEOUT4'''.
If '''carveout_index''' is 1, '''region_phys_addr''' and '''region_size''' are used to configure '''MC_SECURITY_CARVEOUT5'''.
If '''CarveoutIdx''' is 1, '''CarveoutAddr''' and '''CarveoutSize''' are used to configure '''MC_SECURITY_CARVEOUT5'''.
Any other '''carveout_index''' values are invalid.
Any other '''CarveoutIdx''' values are invalid.
The kernel calls this with '''carveout_index''' set to 0, '''region_phys_addr''' set to 0x80060000 and '''region_size''' set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions.
The kernel calls this with '''CarveoutIdx''' set to 0, '''CarveoutAddr''' set to 0x80060000 and '''CarveoutSize''' set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions.
=== ReadWriteRegister ===
=== ReadWriteRegister ===
Takes an u64 '''RegAddr''', an u32 '''RwMask''' and an u32 '''InValue'''. Returns [[#Result]] and an u32 '''OutValue'''.
Relays [[SVC#svcReadWriteRegister|svcReadWriteRegister]] to the Secure Monitor.
Relays [[SVC#svcReadWriteRegister|svcReadWriteRegister]] to the Secure Monitor.
= Errors =
= CryptoUsecase =
{| class=wikitable
! Value || Name
|-
| 0 || Aes
|-
| 1 || RsaPrivate
|-
| 2 || RsaSecureExpMod
|-
| 3 || TitleKey
|}
TitleKey represents a RSA wrapped AES key.
= CipherMode =
{| class=wikitable
! Value || Name
|-
| 0 || CbcEncrypt
|-
| 1 || CbcDecrypt
|-
| 2 || Ctr
|}
= DecryptOrImportMode =
{| class=wikitable
! Value || Name
|-
| 0 || DecryptRsaPrivateKey
|-
| 1 || ImportLotusKey
|-
| 2 || ImportEsKey
|-
| 3 || ImportSslKey
|-
| 4 || ImportDrmKey
|}
= SecureExpModMode =
{| class=wikitable
! Value || Name
|-
| 0 || Lotus
|-
| 1 || Ssl
|-
| 2 || Drm
|}
= Result =
{| class=wikitable
{| class=wikitable
! Value || Description
! Value || Description
|-
|-
| 2 || Invalid input
| 0 || Success
|-
| 1 || Not implemented
|-
| 2 || Invalid argument
|-
| 3 || In progress
|-
| 4 || No async operation
|-
| 5 || Invalid async operation
|-
|-
| 3 || Busy
| [8.0.0+] 6 || Not permitted
|}
|}