Nintendo Switch Brew

Secure Monitor: Difference between revisions

← Older editNewer edit →
No edit summary
(20 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= Secure Monitor Calls =
= Secure Monitor calls =
 
The secure monitor provides two top level handlers of which each provides a range of sub handlers.
The secure monitor provides two top level handlers of which each provides a range of sub handlers.


Secure Monitor Calls follow the ARM SMC calling convention up to a small change:
Secure Monitor calls follow the ARM SMC calling convention up to a small change:
{| class=wikitable
{| class=wikitable
! Bit number || Bit mask || Description
! Bit number || Bit mask || Description
Line 24: Line 23:
SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call.
SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call.


== ID 0 ==
== FunctionId0 ==
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]]. SMCs should be called from CPUID 3 (where SPL runs).
Functions exposed to user-mode processes using [[SVC|svcCallSecureMonitor]]. SMCs should be called from CPUID 3 (where SPL runs).


{| class=wikitable
{| class=wikitable
! Sub-ID || Name || In || Out
! Value || Name
|-
|-
| 0xC3000401 || SetConfig || ||
| 0xC3000401 || SetConfig
|-
|-
| 0xC3000002 || GetConfig (Same as ID 1, Sub-ID 4) || ||
| 0xC3000002 || [[#GetConfig]] (same as in [[#FunctionId1]])
|-
|-
| 0xC3000003 || CheckStatus || ||
| 0xC3000003 || GetResult
|-
|-
| 0xC3000404 || GetResult || ||
| 0xC3000404 || GetResultData
|-
|-
| 0xC3000E05 || ExpMod || ||
| 0xC3000E05 || ExpMod
|-
|-
| 0xC3000006 || GetRandomBytes (Same as ID 1, Sub-ID 5) || ||
| 0xC3000006 || [[#GenerateRandomBytes]] (same as in [[#FunctionId1]])
|-
|-
| 0xC3000007 || [[#GenerateAesKek]] || ||
| 0xC3000007 || [[#GenerateAesKek]]
|-
|-
| 0xC3000008 || [[#LoadAesKey]] || ||
| 0xC3000008 || [[#LoadAesKey]]
|-
|-
| 0xC3000009 || [[#CryptAes]] || ||
| 0xC3000009 || [[#ComputeAes]]
|-
|-
| 0xC300000A || [[#GenerateSpecificAesKey]] || ||
| 0xC300000A || [[#GenerateSpecificAesKey]]
|-
|-
| 0xC300040B || [[#ComputeCmac]] || ||
| 0xC300040B || [[#ComputeCmac]]
|-
|-
| [1.0.0-4.1.0] 0xC300100C || [[#LoadRsaOaepKey]] || ||
| [1.0.0-4.1.0] 0xC300100C || [[#ImportEsKey]]
|-
|-
| [5.0.0+] 0xC300D60C || [[#EncryptRsaKeyForImport]] || ||
| [5.0.0+] 0xC300D60C || [[#ReEncryptRsaPrivateKey]]
|-
|-
| [1.0.0-4.1.0] 0xC300100D || [[#DecryptRsaPrivateKey]] || ||
| [1.0.0-4.1.0] 0xC300100D || [[#DecryptRsaPrivateKey]]
|-
|-
| [5.0.0] 0xC300100D || [[#DecryptOrImportRsaKey]] || ||
| [5.0.0+] 0xC300100D || [[#DecryptOrImportRsaPrivateKey]]
|-
|-
| [1.0.0-4.1.0] 0xC300100E || [[#LoadSecureExpModKey]] || ||
| [1.0.0-4.1.0] 0xC300100E || [[#ImportLotusKey]]
|-
|-
| 0xC300060F || [[#SecureExpMod]] || ||
| 0xC300060F || [[#StorageExpMod]]
|-
|-
| 0xC3000610 || [[#UnwrapRsaOaepWrappedTitleKey]] || ||
| 0xC3000610 || [[#UnwrapTitleKey]]
|-
|-
| 0xC3000011 || [[#LoadTitleKey]] || ||
| 0xC3000011 || [[#LoadTitleKey]]
|-
|-
| 0xC3000012 || [2.0.0+] UnwrapAesWrappedTitleKey || ||
| 0xC3000012 || [2.0.0+] [[#UnwrapCommonTitleKey]]
|}
|}


Line 80: Line 79:
** This means: Plaintext kek keys never leave TrustZone.
** This means: Plaintext kek keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
** Further, this means: Actual AES/RSA keys never leave TrustZone.
Note:
The [[#enum_CryptoUsecase|CryptoUsecase_TitleKey]] represents a RSA wrapped AES key.


=== GenerateAesKek ===
=== GenerateAesKek ===
Takes an "access key" as input, an [[#enum_CryptoUsecase]].
Takes an "access key" as input, an [[#CryptoUsecase]].


Returns a session-unique kek for said usecase.
Returns a session-unique kek for said usecase.
Line 92: Line 88:
Takes a session kek created with [[#GenerateAesKek]], and a wrapped AES key.
Takes a session kek created with [[#GenerateAesKek]], and a wrapped AES key.


The session kek must have been created with [[#enum_CryptoUsecase|CryptoUsecase_Aes]].
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase Aes]].


=== CryptAes ===
=== ComputeAes ===
Encrypts/decrypts using Aes (CTR and CBC).
Encrypts/decrypts using AES (CTR and CBC). Takes an [[#CipherMode]].


Key must be set prior using one of the [[#LoadAesKey]], [[#GenerateSpecificAesKey]] or [[#LoadRsaWrappedAesKey]] commands.
Key must be set prior using one of the [[#LoadAesKey]] or [[#GenerateSpecificAesKey]] commands.


=== GenerateSpecificAesKey ===
=== GenerateSpecificAesKey ===
Todo: This one seems unrelated to [[#enum_CryptoUsecase]].
Takes a wrapped AES key and decrypts it using static data.


=== LoadRsaOaepKey ===
=== ComputeCmac ===
Calculates CMAC over input data.
 
=== ImportEsKey ===
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key.
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, and a wrapped RSA private key.


The session kek must have been created with [[#enum_CryptoUsecase|CryptoUsecase_RsaOaep]].
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase TitleKey]].


This function was removed in [[5.0.0]], and replaced with [[#EncryptRsaKeyForImport]].
[5.0.0] This function was removed and replaced with [[#ReEncryptRsaPrivateKey]].


=== EncryptRsaKeyForImport ===
=== ReEncryptRsaPrivateKey ===
Takes in two session keks created with [[#GenerateAesKek]], two wrapped AES keys, an enum member, and a wrapped RSA private key.
Takes in two session keks created with [[#GenerateAesKek]], two wrapped AES keys, an enum member, and a wrapped RSA private key.


Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid.
Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid.


The re-encrypted key is then passed to the user, for use with [[#DecryptOrImportRsaKey]].
The re-encrypted key is then passed to the user, for use with [[#DecryptOrImportRsaPrivateKey]].


=== DecryptRsaPrivateKey ===
=== DecryptRsaPrivateKey ===
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, an enum member, and a wrapped RSA private key.
Takes a session kek created with [[#GenerateAesKek]], a wrapped AES key, an enum member, and a wrapped RSA private key.


The session kek must have been created with [[#enum_CryptoUsecase|CryptoUsecase_RsaPrivate]].
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase RsaPrivate]].


[4.0.0+] The SMC handler when certain conditions pass and SMC_ID==0xC300100D now returns error 0x6 instead of calling the handler funcptr.
[4.0.0+] The SMC handler when certain conditions pass and FunctionId0==0xC300100D now returns error 0x6 instead of calling the handler funcptr.


=== DecryptOrImportRsaKey ===
[5.0.0+] This function was replaced by [[#DecryptOrImportRsaPrivateKey]].


This function replaced [[#DecryptRsaPrivateKey]] in [[5.0.0]], adding an additional enum member argument.
=== DecryptOrImportRsaPrivateKey ===
This function replaced [[#DecryptRsaPrivateKey]] in [[5.0.0]], adding an additional [[#DecryptOrImportMode]].


This SMC extends DecryptRsaPrivateKey's original functionality to enable importing private keys into the security engine instead of decrypting them, when certain enum members are passed.
This SMC extends DecryptRsaPrivateKey's original functionality to enable importing private keys into the security engine instead of decrypting them, when certain enum members are passed.


=== LoadSecureExpModKey ===
=== ImportLotusKey ===
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA key.
Takes a session kek created with [[#GenerateAesKek]], and a wrapped RSA key.


The session kek must have been created with [[#enum_CryptoUsecase|CryptoUsecase_RsaSecureExpMod]].
The session kek must have been created with [[#CryptoUsecase|CryptoUsecase RsaSecureExpMod]].


This function was removed in [[5.0.0]], and replaced with [[#EncryptRsaKeyForImport]].
[5.0.0] This function was removed.


=== SecureExpMod ===
=== SecureExpMod ===
Performs an Exp Mod operation using an exponent previously loaded with the [[#LoadSecureExpModKey]] command.
Performs an ExpMod operation using an exponent previously loaded with the [[#ImportLotusKey]] command.
 
[5.0.0+] This now uses any exponent previously loaded with [[#DecryptOrImportRsaPrivateKey]] and takes an [[#SecureExpModMode]].


=== UnwrapRsaOaepWrappedTitleKey ===
=== UnwrapTitleKey ===
Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash.
Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash.


Performs an Exp Mod operation using an exponent previously loaded with the [[#LoadRsaOaepKey]] command, and then validates/extracts a Titlekey from the resulting message.
Performs an ExpMod operation using an exponent previously loaded with the [[#ImportEsKey]] command, and then validates/extracts a Titlekey from the resulting message.


Returns a session-unique AES key especially for use in [[#LoadTitleKey]].
Returns a session-unique AES key especially for use in [[#LoadTitleKey]].
[5.0.0+] This now uses any exponent previously loaded with [[#DecryptOrImportRsaPrivateKey]].


=== LoadTitleKey ===
=== LoadTitleKey ===
Takes a session-unique AES key from [[#UnwrapAesWrappedTitleKey]] or [[#UnwrapRsaOaepWrappedTitleKey]].
Takes a session-unique AES key from [[#UnwrapCommonTitleKey]] or [[#UnwrapTitleKey]].


=== enum CryptoUsecase ===
=== UnwrapCommonTitleKey ===
{| class=wikitable
Takes an AES-wrapped TitleKey and returns a sealed AES key.
! Value || Name
|-
| 0 || CryptoUsecase_Aes
|-
| 1 || CryptoUsecase_RsaPrivate
|-
| 2 || CryptoUsecase_RsaSecureExpMod
|-
| 3 || CryptoUsecase_RsaOaep
|}


== ID 1 ==
== FunctionId1 ==
Functions exposed to the kernel internally.
Functions exposed to the kernel internally.


{| class=wikitable
{| class=wikitable
! Sub-ID || Name || In || Out
! Value || Name
|-
|-
| 0xC4000001 || [[#CpuSuspend]] || X1=power_state, X2=entrypoint_addr, X3=context_id || None
| 0xC4000001 || [[#CpuSuspend]]
|-
|-
| 0x84000002 || [[#CpuOff]] || None || None
| 0x84000002 || [[#CpuOff]]
|-
|-
| 0xC4000003 || [[#CpuOn]] || X1=target_cpu, X2=entrypoint_addr, X3=context_id, X4,X5,X6,X7=0 || X0=result
| 0xC4000003 || [[#CpuOn]]
|-
|-
| 0xC3000004 || [[#GetConfig]] (Same as ID 0, Sub-ID 2) || W1=config_item, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4=config_val
| 0xC3000004 || [[#GetConfig]] (same as in [[#FunctionId0]])
|-
|-
| 0xC3000005 || [[#GetRandomBytes]] (Same as ID 0, Sub-ID 6) || X1=size, X2,X3,X4,X5,X6,X7=0 || X0=result, X1,X2,X3,X4,X5,X6,X7=rand_bytes
| 0xC3000005 || [[#GenerateRandomBytes]] (same as in [[#FunctionId0]])
|-
|-
| 0xC3000006 || [[#Panic]] || W1=panic_color, X2,X3,X4,X5,X6,X7=0 || X0=result
| 0xC3000006 || [[#Panic]]
|-
|-
| 0xC3000007 || [2.0.0+] [[#ConfigureCarveout]] || X1=carveout_index, X2=region_phys_addr, X3=region_size, X4,X5,X6,X7=0 || X0=result
| 0xC3000007 || [2.0.0+] [[#ConfigureCarveout]]
|-
|-
| 0xC3000008 || [2.0.0+] [[#ReadWriteRegister]] || X1=reg_addr, W2=rw_mask, W3=in_val, X4,X5,X6,X7=0 || X0=result, W1=out_val
| 0xC3000008 || [2.0.0+] [[#ReadWriteRegister]]
|}
|}


=== CpuSuspend ===
=== CpuSuspend ===
Standard ARM PCSI SMC. Suspends the CPU (CPU0).
Takes an u64 '''PowerState''', an u64 '''EntrypointAddr''' and an u64 '''ContextId'''. No output.
 
Suspends the CPU (CPU0).


The kernel calls this SMC on shutdown with '''power_state''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).
The kernel calls this SMC on shutdown with '''PowerState''' set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).


=== CpuOff ===
=== CpuOff ===
Standard ARM PCSI SMC. Turns off the CPU (CPU1, CPU2 or CPU3).
No input/output.
 
Turns off the CPU (CPU1, CPU2 or CPU3).


=== CpuOn ===
=== CpuOn ===
Standard ARM PCSI SMC. Turns on the CPU (CPU1, CPU2 or CPU3).
Takes an u64 '''TargetCpu''', an u64 '''EntrypointAddr''' and an u64 '''ContextId'''. Returns [[#Result]].
 
Turns on the CPU (CPU1, CPU2 or CPU3).


=== GetConfig ===
=== GetConfig ===
Takes a '''config_item''' and returns an associated '''config_val'''.
Takes a [[#ConfigItem]]. Returns [[#Result]] and a '''ConfigVal'''.


==== ConfigItem ====
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! ConfigItem || Name
! Value || Name
|-
|-
| 1 || [[#DisableProgramVerification]]
| 1 || [[#DisableProgramVerification]]
Line 207: Line 208:
| 2 || [[#DramId]]
| 2 || [[#DramId]]
|-
|-
| 3 || [[#SecurityEngineIrqNumber]]
| 3 || [[#SecurityEngineInterruptNumber]]
|-
|-
| 4 || [[#Version]]
| 4 || [[#FuseVersion]]
|-
|-
| 5 || [[#HardwareType]]
| 5 || [[#HardwareType]]
Line 221: Line 222:
| 9 || [1.0.0-4.0.0] [[#BootReason]]
| 9 || [1.0.0-4.0.0] [[#BootReason]]
|-
|-
| 10 || [[#MemoryArrange]]
| 10 || [[#MemoryMode]]
|-
|-
| 11 || [[#IsDebugMode]]
| 11 || [[#IsDebugMode]]
Line 229: Line 230:
| 13 || [[#IsChargerHiZModeEnabled]]
| 13 || [[#IsChargerHiZModeEnabled]]
|-
|-
| 14 || [4.0.0+] [[#IsKiosk]]
| 14 || [4.0.0+] [[#IsQuest]]
|-
|-
| 15 || [5.0.0+] [[#NewHardwareType]]
| 15 || [5.0.0+] [[#RegulatorType]]
|-
|-
| 16 || [5.0.0+] [[#NewKeyGeneration]]
| 16 || [5.0.0+] [[#DeviceUniqueKeyGeneration]]
|-
|-
| 17 || [5.0.0+] [[#Package2Hash]]
| 17 || [5.0.0+] [[#Package2Hash]]
|}
|}


==== DisableProgramVerification ====
===== DisableProgramVerification =====
[[Process Manager services|PM]] checks this item and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).
[[Process Manager services|PM]] checks this item and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).


==== DramId ====
===== DramId =====
This is extracted directly from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
 
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Value
! Value
! Description
! Description
|-
|-
| 0
| 0
| DramId_EristaIcosaSamsung4gb
| EristaIcosaSamsung4gb
|-
|-
| 1
| 1
| DramId_EristaIcosaHynix4gb
| EristaIcosaHynix4gb
|-
|-
| 2
| 2
| DramId_EristaIcosaMicron4gb
| EristaIcosaMicron4gb
|-
|-
| 3
| 3
| Reserved
| Reserved
|-
|-
| 4
| 4
| DramId_EristaIcosaSamsung6gb
| EristaIcosaSamsung6gb
|-
|-
| 5
| 5
| [4.0.0+] Reserved (DramId_EristaIcosaHynix6gb)
| [4.0.0+] Reserved
|-
|-
| 6
| 6
| [4.0.0+] Reserved (DramId_EristaIcosaMicron6gb)
| [4.0.0+] Reserved
|-
|-
| 7
| 7
| [5.0.0+] DramId_MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved)
| [5.0.0+] MarikoIowax1x2Samsung4gb ([4.0.0-4.1.0] Reserved)
|-
|-
| 8
| 8
| [5.0.0+] DramId_MarikoIowaSamsung4gb
| [5.0.0+] MarikoIowaSamsung4gb
|-
|-
| 9
| 9
| [5.0.0+] DramId_MarikoIowaSamsung8gb
| [5.0.0+] MarikoIowaSamsung8gb
|-
|-
| 10
| 10
| [6.0.0+] DramId_MarikoIowaHynix4gb ([5.0.0-5.1.0] Reserved)
| [6.0.0+] MarikoIowaHynix4gb ([5.0.0-5.1.0] Reserved)
|-
|-
| 11
| 11
| [7.0.0+] DramId_MarikoIowaMicron4gb ([5.0.0-6.2.0] Reserved)
| [7.0.0+] MarikoIowaMicron4gb ([5.0.0-6.2.0] Reserved)
|-
|-
| 12
| 12
| [5.0.0+] DramId_MarikoHoagSamsung4gb
| [5.0.0+] MarikoHoagSamsung4gb
|-
|-
| 13
| 13
| [5.0.0+] DramId_MarikoHoagSamsung8gb
| [5.0.0+] MarikoHoagSamsung8gb
|-
|-
| 14
| 14
| [7.0.0+] DramId_MarikoHoagHynix4gb ([5.0.0-6.2.0] Reserved)
| [7.0.0+] MarikoHoagHynix4gb ([5.0.0-6.2.0] Reserved)
|-
|-
| 15
| 15
| [7.0.0+] DramId_MarikoHoagMicron4gb ([5.0.0-6.2.0] Reserved)
| [7.0.0+] MarikoHoagMicron4gb ([5.0.0-6.2.0] Reserved)
|-
| 16
| [8.0.0+] MarikoIowaSamsung4gbY
|-
| 17
| [9.0.0+] MarikoIowaSamsung1y4gbX
|-
| 18
| [9.0.0+] MarikoIowaSamsung1y8gbX
|-
| 19
| [9.0.0+] MarikoHoagSamsung1y4gbX
|-
| 20
| [9.0.0+] MarikoIowaSamsung1y4gbY
|-
| 21
| [9.0.0+] MarikoIowaSamsung1y8gbY
|-
| 22
| [9.0.0+] MarikoIowaSamsung1y4gbA
|}
|}
This is extracted directly from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].


[[PCV_services|PCV]] selects memory training tables based on DramId.
[[PCV_services|PCV]] selects memory training tables based on DramId.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Platform
! SoC
! DramId
! Platform
! Revision
! DramId
! DVFS version
! Revision
! DVFS version
|-
|-
| jetson-tx1
| T210
| N/A
| jetson-tx1
| 0x07
| N/A
| 0x07
|
|
  11_40800_01_V9.8.3_V1.6
  11_40800_01_V9.8.3_V1.6
Line 321: Line 345:
  11_1600000_02_V9.8.3_V1.6
  11_1600000_02_V9.8.3_V1.6
|-
|-
| nx-abcb
| T210
| EristaIcosaSamsung4gb
| nx-abcb
| 0x07
| EristaIcosaSamsung4gb
| 0x07
|
|
  10_40800_NoCfgVersion_V9.8.7_V1.6
  10_40800_NoCfgVersion_V9.8.7_V1.6
Line 336: Line 361:
  10_1600000_NoCfgVersion_V9.8.7_V1.6
  10_1600000_NoCfgVersion_V9.8.7_V1.6
|-
|-
| nx-abcb
| T210
| EristaIcosaMicron4gb
| nx-abcb
| 0x07
| EristaIcosaMicron4gb
| 0x07
|
|
  10_40800_NoCfgVersion_V9.8.4_V1.6
  10_40800_NoCfgVersion_V9.8.4_V1.6
Line 351: Line 377:
  10_1600000_NoCfgVersion_V9.8.4_V1.6
  10_1600000_NoCfgVersion_V9.8.4_V1.6
|-
|-
| nx-abcb
| T210
| EristaIcosaHynix4gb
| nx-abcb
| 0x07
| EristaIcosaHynix4gb
| 0x07
|
|
  10_40800_NoCfgVersion_V9.8.4_V1.6
  10_40800_NoCfgVersion_V9.8.4_V1.6
Line 366: Line 393:
  10_1600000_NoCfgVersion_V9.8.4_V1.6
  10_1600000_NoCfgVersion_V9.8.4_V1.6
|-
|-
| nx-abca2
| T210
| EristaIcosaSamsung4gb or EristaIcosaMicron4gb
| nx-abca2
| 0x07
| EristaIcosaSamsung4gb, EristaIcosaMicron4gb
| 0x07
|  
|  
  10_40800_NoCfgVersion_V9.8.7_V1.6
  10_40800_NoCfgVersion_V9.8.7_V1.6
Line 381: Line 409:
  10_1600000_NoCfgVersion_V9.8.7_V1.6
  10_1600000_NoCfgVersion_V9.8.7_V1.6
|-
|-
| nx-abca2
| T210
| EristaIcosaHynix4gb
| nx-abca2
| 0x07
| EristaIcosaHynix4gb
| 0x07
|
|
  10_40800_NoCfgVersion_V9.8.7_V1.6
  10_40800_NoCfgVersion_V9.8.7_V1.6
Line 396: Line 425:
  10_1600000_NoCfgVersion_V9.8.7_V1.6
  10_1600000_NoCfgVersion_V9.8.7_V1.6
|-
|-
| nx-abca2
| T210
| EristaIcosaSamsung6gb
| nx-abca2
| 0x07
| EristaIcosaSamsung6gb
| 0x07
|
|
  10_40800_NoCfgVersion_V9.8.7_V1.6
  10_40800_NoCfgVersion_V9.8.7_V1.6
Line 411: Line 441:
  10_1600000_NoCfgVersion_V9.8.7_V1.6
  10_1600000_NoCfgVersion_V9.8.7_V1.6
|-
|-
| nx-abca2
| T214
| MarikoIowax1x2Samsung4gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowax1x2Samsung4gb
| 0x03
|
|
  01_204000_NoCfgVersion_V0.3.1_V2.0
  01_204000_NoCfgVersion_V0.3.1_V2.0
Line 419: Line 450:
  01_1600000_NoCfgVersion_V0.3.1_V2.0
  01_1600000_NoCfgVersion_V0.3.1_V2.0
|-
|-
| nx-abca2
| T214
| MarikoIowaSamsung4gb or MarikoHoagSamsung4gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowaSamsung4gb, MarikoHoagSamsung4gb
| 0x03
|   
|   
  01_204000_NoCfgVersion_V0.3.1_V2.0
  01_204000_NoCfgVersion_V0.3.1_V2.0
Line 427: Line 459:
  01_1600000_NoCfgVersion_V0.3.1_V2.0
  01_1600000_NoCfgVersion_V0.3.1_V2.0
|-
|-
| nx-abca2
| T214
| MarikoIowaSamsung8gb or MarikoHoagSamsung8gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowaSamsung8gb, MarikoHoagSamsung8gb
| 0x03
|
|
  01_204000_NoCfgVersion_V0.4.2_V2.0
  01_204000_NoCfgVersion_V0.4.2_V2.0
Line 435: Line 468:
  01_1600000_NoCfgVersion_V0.4.2_V2.0
  01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
|-
| nx-abca2
| T214
| MarikoIowaHynix4gb or MarikoHoagHynix4gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowaHynix4gb, MarikoHoagHynix4gb
| 0x03
|   
|   
  01_204000_NoCfgVersion_V0.3.1_V2.0
  01_204000_NoCfgVersion_V0.3.1_V2.0
Line 443: Line 477:
  01_1600000_NoCfgVersion_V0.3.1_V2.0
  01_1600000_NoCfgVersion_V0.3.1_V2.0
|-
|-
| nx-abca2
| T214
| MarikoIowaMicron4gb or MarikoHoagMicron4gb
| nx-abca2, nx-abcb, nx-abcc
| 0x03
| MarikoIowaMicron4gb, MarikoHoagMicron4gb
| 0x03
|   
|   
  01_204000_NoCfgVersion_V0.4.2_V2.0
  01_204000_NoCfgVersion_V0.4.2_V2.0
  01_1331200.0_NoCfgVersion_V0.4.2_V2.0
  01_1331200.0_NoCfgVersion_V0.4.2_V2.0
  01_1600000_NoCfgVersion_V0.4.2_V2.0
  01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung4gbY
| 0x03
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y4gbX
| 0x03
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y8gbX
| 0x03
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoHoagSamsung1y4gbX
| 0x03
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y4gbY
| 0x03
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y8gbY
| 0x03
01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0
|-
| T214
| nx-abca2, nx-abcb, nx-abcc
| MarikoIowaSamsung1y4gbA
| 0x03
01_204000_NoCfgVersion_V0.4.5_V2.0
01_1331200.0_NoCfgVersion_V0.4.5_V2.0
01_1600000_NoCfgVersion_V0.4.5_V2.0
|}
|}


nx-abcb (Copper) is the SDEV unit. Among other differences, this has extra hardware to support HDMI output.
'''nx-abca2''' ('''Icosa''' in '''Erista''', '''Iowa''' in '''Mariko''') hardware types are variations of the retail, EDEV and SDEV form factors.


nx-abca2 (Icosa) hardware types are variations of the retail form factor.
'''nx-abcb''' ('''Copper''' in '''Erista''', '''Calcio''' in '''Mariko''') is a prototype unit. Among other differences, this has extra hardware to support HDMI output.


Erista memory is LPDDR4, while Mariko memory is LPDDR4X.
[8.0.0+] '''nx-abcc''' ('''Hoag''') was added for the Lite retail and HDEV form factors.


==== SecurityEngineIrqNumber ====
'''Erista''' memory is LPDDR4, while '''Mariko''' memory is LPDDR4X.
 
===== SecurityEngineInterruptNumber =====
SPL uses this for setting up the security engine IRQ.
SPL uses this for setting up the security engine IRQ.


==== Version ====
===== FuseVersion =====
The current [[Package2#Versions|Package1 Maxver Constant]] - 1.
The current [[Package2#Versions|Package1 Maxver Constant]] - 1.


==== HardwareType ====
===== HardwareType =====
[1.0.0+] This item is obtained by checking bits 8 and 2 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Icosa), 1 (Copper), 2 (Hoag) or 3 (Invalid).
[1.0.0+] This item is obtained by checking bits 8 and 2 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be:
* 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''.
* 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
* 3 (Invalid).
 
Value 2 is reserved and considered invalid.
 
[4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be:
* 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''.
* 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
* 3 ('''Iowa'''; Mariko retail, EDEV and SDEV), if new hardware type (bits 16-19) is '''Iowa'''.
* 4 (Invalid).


[4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Icosa), 1 (Copper), 2 (Hoag), 3 (Mariko) or 4 (Invalid).
Value 2 is reserved and considered invalid.


[7.0.0+] This item no longer depends on fuses and can only be 0 (Icosa) or 0xF (Invalid) in retail units.
[7.0.0+] This item can be obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]], but is now only 0 (Icosa) or 0xF (Invalid) in retail units.


==== IsRetail ====
[8.0.0+] This item can be obtained by checking bits 8, 2 and 16-19 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be:
* 0 ('''Icosa'''; Erista retail, EDEV and SDEV), if development flag (bit 8) is '''Retail''' and production flag (bit 2) is '''Production'''.
* 1 ('''Copper'''; Erista prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
* 2 ('''Hoag'''; Mariko Lite retail and HDEV), if new hardware type (bits 16-19) is '''Hoag'''.
* 3 ('''Iowa'''; Mariko retail, EDEV and SDEV), if new hardware type (bits 16-19) is '''Iowa'''.
* 4 ('''Calcio'''; Mariko prototype), if development flag (bit 8) is '''Development''' and production flag (bit 2) is '''Prototype'''.
* 5 (Invalid).
 
It is still only 0 (Icosa) or 0xF (Invalid) in retail units.
 
===== IsRetail =====
This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Debug), 1 (Retail) or 2 (Invalid).
This item is obtained by checking bits 9 and 0-1 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]]. It can be 0 (Debug), 1 (Retail) or 2 (Invalid).


==== IsRecoveryBoot ====
===== IsRecoveryBoot =====
Used to determine if the system is booting from SafeMode firmware.
Used to determine if the system is booting from SafeMode firmware.


Under normal circumstances, this just returns bit 0 of the active [[BCT#bootloader0_info|bootloader info]]'s attribute field.
Under normal circumstances, this just returns bit 0 of the active [[BCT#bootloader0_info|bootloader info]]'s attribute field.


==== DeviceId ====
===== DeviceId =====
[[NIM_services|NIM]] checks if this item matches the [[Settings_services|set:cal]] DeviceId with byte7 cleared. If they don't match, a panic is thrown.
[[NIM_services|NIM]] checks if this item matches the [[Settings_services|set:cal]] DeviceId with byte7 cleared. If they don't match, a panic is thrown.


==== BootReason ====
===== BootReason =====
{| class=wikitable
! Value || Description
|-
| 0 || Invalid
|-
| 1 || AcOk
|-
| 2 || OnKey
|-
| 3 || RtcAlarm1
|-
| 4 || RtcAlarm2
|}
 
Used to determine how the system booted.
Used to determine how the system booted.


==== MemoryArrange ====
===== MemoryMode =====
[[Process Manager services|PM]] uses this item for selecting the appropriate size for each [[SVC#LimitableResource|LimitableResource_Memory]].
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0-3
| Purpose (0 = None, 1 = ForStandard, 2 = ForAppletDev, 3 = ForSystemDev)
|-
| 4-7
| Size (0 = 4GB, 1 = 6GB, 2 = 8GB)
|}


==== IsDebugMode ====
[[Process Manager services|PM]] and the kernel decide memory arrangement based on MemoryMode.
{| class="wikitable" border="1"
|-
! MemoryArrange
! MemoryMode
! Description
|-
| 0
| 0x01
| Standard
|-
| 1
| 0x02
| StandardForAppletDev
|-
| 2
| 0x03
| StandardForSystemDev
|-
| 3
| 0x11
| Expanded
|-
| 4
| 0x12
| ExpandedForAppletDev
|-
| 5
| 0x21
| ExpandedForMarikoDev
|}
 
===== IsDebugMode =====
Kernel uses this to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail.
Kernel uses this to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail.


Line 495: Line 672:
[3.0.0+] [[Loader services|RO]] checks this and if set then skipping NRR rsa signatures is allowed.
[3.0.0+] [[Loader services|RO]] checks this and if set then skipping NRR rsa signatures is allowed.


The value of this field is loaded from [[BootConfig]] unsigned-config+0x10 u8 bit1.
===== KernelConfiguration =====
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0
| EnableNonZeroFillMemory
|-
| 1
| EnableUserExceptionHandler
|-
| 2
| PerformanceMonitoringUnit
|-
| 3
| [8.0.0+] EnableApplicationExtraThread
|-
| 8
| CallShowErrorOnPanic
|-
| 16-17
| MemorySize
|}
 
Kernel reads this when setting up memory-related code.


==== KernelConfiguration ====
EnableNonZeroFillMemory is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs.
Kernel reads this when setting up memory-related code.  


Bit 0 is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs.
EnableUserExceptionHandler is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).


Bit 1 is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).
PerformanceMonitoringUnit is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).


Bit 2 is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).
EnableApplicationExtraThread is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.


Bits 8-15 are a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.
CallShowErrorOnPanic is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.


Bits 16-17 determine how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB.
MemorySize determines how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB.


==== IsChargerHiZModeEnabled ====
===== IsChargerHiZModeEnabled =====
This tells if the TI Charger (bq24192) is active.
This tells if the TI Charger (bq24192) is active.


==== NewKeyGeneration ====
===== IsQuest =====
This item is obtained from [[Fuse_registers#FUSE_RESERVED_ODM2|FUSE_RESERVED_ODM2]] if bit 11 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]] is set, [[Fuse_registers#FUSE_RESERVED_ODM0|FUSE_RESERVED_ODM0]] matches 0x8E61ECAE and [[Fuse_registers#FUSE_RESERVED_ODM1|FUSE_RESERVED_ODM1]] matches 0xF2BA3BB2.
 
[5.0.0+] [[Filesystem services|FS]] can now use this value for the '''KeyGeneration''' parameter when calling [[#GenerateAesKek|GenerateAesKek]] during "GetBisEncryptionKey".
 
==== IsKiosk ====
This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].
This item is bit 10 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]].


[4.0.0+] [[Settings_services|Settings]] uses this value to overwrite the quest flag from [[Settings_services#set:sys|GetQuestFlag]]. This is used to detect if a Switch is a kiosk unit for display at retail stores.
[4.0.0+] [[Settings_services|Settings]] uses this value to overwrite the quest flag from [[Settings_services#set:sys|GetQuestFlag]]. This is used to detect if a Switch is a kiosk unit for display at retail stores.


==== NewHardwareType ====
===== RegulatorType =====
This item is currently hardcoded to 0.
 
[5.0.0+] [[PCV_services|PCV]] uses this value in combination with [[#HardwareType|HardwareType]] to configure power blocks and memory tables for different hardware.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Value
! Value
! SoC
! SoC
! GPU
! GPU
! Power Blocks
! Power Blocks
|-
|-
| 0
| 0
| T210
| T210
| GM20B (0x12B)
| GM20B (0x12B)
| max77620_sd0, max77621_cpu and max77621_gpu
| max77620_sd0, max77621_cpu and max77621_gpu
|-
|-
| 1
| 1
| T214
| T214
| GM2?? (0x12E)
| GM20B_B (0x12E)
| max77620_sd0, max77812_cpu and max77812_gpu
| max77620_sd0, max77812_cpu and max77812_gpu
|-
|-
| 2
| 2
| T214
| T214
| GM2?? (0x12E)
| GM20B_B (0x12E)
| max77620_sd0, max77812_cpu and max77812_gpu
| max77620_sd0, max77812_cpu and max77812_gpu
|}
|}


==== Package2Hash ====
This item is currently hardcoded to 0.
 
[5.0.0+] [[PCV_services|PCV]] uses this value in combination with [[#HardwareType|HardwareType]] to configure power blocks and memory tables for different hardware.
 
===== DeviceUniqueKeyGeneration =====
This item is obtained from [[Fuse_registers#FUSE_RESERVED_ODM2|FUSE_RESERVED_ODM2]] if bit 11 from [[Fuse_registers#FUSE_RESERVED_ODM4|FUSE_RESERVED_ODM4]] is set, [[Fuse_registers#FUSE_RESERVED_ODM0|FUSE_RESERVED_ODM0]] matches 0x8E61ECAE and [[Fuse_registers#FUSE_RESERVED_ODM1|FUSE_RESERVED_ODM1]] matches 0xF2BA3BB2.
 
[5.0.0+] [[Filesystem services|FS]] can now use this value for the '''KeyGeneration''' parameter when calling [[#GenerateAesKek|GenerateAesKek]] during "GetBisEncryptionKey".
 
===== Package2Hash =====
This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.
This is a SHA-256 hash calculated over the [[Package2|package2]] image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.


=== GetRandomBytes ===
=== GenerateRandomBytes ===
Takes a '''size''' and returns '''rand_bytes'''.
Takes an u64 '''RndSize'''. Returns [[#Result]] and '''RndData'''.


The kernel limits '''size''' to 0x38 (for fitting in return registers).
The kernel limits '''RndSize''' to 0x38 (for fitting in return registers).


=== Panic ===
=== Panic ===
Issues a system panic.
Takes an u32 '''PanicColor''' and issues a system panic.


The kernel always calls this with '''panic_color''' set to 0xF00.
The kernel always calls this with '''PanicColor''' set to 0xF00.


=== ConfigureCarveout ===
=== ConfigureCarveout ===
Configures memory controller carveout regions.
Takes an u64 '''CarveoutIdx''', an u64 '''CarveoutAddr''' and an u64 '''CarveoutSize'''. Returns [[#Result]].


If '''carveout_index''' is 0, '''region_phys_addr''' and '''region_size''' are used to configure '''MC_SECURITY_CARVEOUT4'''.
If '''CarveoutIdx''' is 0, '''CarveoutAddr''' and '''CarveoutSize''' are used to configure '''MC_SECURITY_CARVEOUT4'''.
If '''carveout_index''' is 1, '''region_phys_addr''' and '''region_size''' are used to configure '''MC_SECURITY_CARVEOUT5'''.
If '''CarveoutIdx''' is 1, '''CarveoutAddr''' and '''CarveoutSize''' are used to configure '''MC_SECURITY_CARVEOUT5'''.
Any other '''carveout_index''' values are invalid.
Any other '''CarveoutIdx''' values are invalid.


The kernel calls this with '''carveout_index''' set to 0, '''region_phys_addr''' set to 0x80060000 and '''region_size''' set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions.
The kernel calls this with '''CarveoutIdx''' set to 0, '''CarveoutAddr''' set to 0x80060000 and '''CarveoutSize''' set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions.


=== ReadWriteRegister ===
=== ReadWriteRegister ===
Takes an u64 '''RegAddr''', an u32 '''RwMask''' and an u32 '''InValue'''. Returns [[#Result]] and an u32 '''OutValue'''.
Relays [[SVC#svcReadWriteRegister|svcReadWriteRegister]] to the Secure Monitor.
Relays [[SVC#svcReadWriteRegister|svcReadWriteRegister]] to the Secure Monitor.


= Errors =
= CryptoUsecase =
{| class=wikitable
! Value || Name
|-
| 0 || Aes
|-
| 1 || RsaPrivate
|-
| 2 || RsaSecureExpMod
|-
| 3 || TitleKey
|}
 
TitleKey represents a RSA wrapped AES key.
 
= CipherMode =
{| class=wikitable
! Value || Name
|-
| 0 || CbcEncrypt
|-
| 1 || CbcDecrypt
|-
| 2 || Ctr
|}
 
= DecryptOrImportMode =
{| class=wikitable
! Value || Name
|-
| 0 || DecryptRsaPrivateKey
|-
| 1 || ImportLotusKey
|-
| 2 || ImportEsKey
|-
| 3 || ImportSslKey
|-
| 4 || ImportDrmKey
|}
 
= SecureExpModMode =
{| class=wikitable
! Value || Name
|-
| 0 || Lotus
|-
| 1 || Ssl
|-
| 2 || Drm
|}
 
= Result =
{| class=wikitable
{| class=wikitable
! Value || Description
! Value || Description
|-
|-
| 2 || Invalid input
| 0 || Success
|-
| 1 || Not implemented
|-
| 2 || Invalid argument
|-
| 3 || In progress
|-
| 4 || No async operation
|-
| 5 || Invalid async operation
|-
|-
| 3 || Busy
| [8.0.0+] 6 || Not permitted
|}
|}
Retrieved from "https://switchbrew.org/wiki/Secure_Monitor"