Secure Monitor Calls

The secure monitor provides two top level handlers of which each provides a range of sub handlers.

Secure Monitor calls follow the ARM SMC calling convention with a small change:

If bit n is set in the argument type then parameter Xn is treated as a pointer and the kernel will setup address translation for it in svcCallSecureMonitor.

SMC arguments are passed using registers X0-X7 with X0 always sending the call sub-id and returning the result of the call.

FunctionId0

Functions exposed to user-mode processes using svcCallSecureMonitor. SMCs should be called from CPUID 3 (where SPL runs).

The overall concept here is the following:

• All key material (AES and RSA) is stored in userspace, but it's encrypted with random AES kek's ("key encryption keys").
• Each kek is generated as a function of an access key (picked at random).
• The kek is generated differently depending on the #CryptoUsecase the key is used for.
  • This means: Each key is "locked" to the #CryptoUsecase it was designated for.
  • You can use a key for a different usecase, but you will only get garbage output.
• After the kek has been generated, it is wrapped with a session-specific key and given back to userspace.
  • This means: Plaintext kek keys never leave TrustZone.
  • Further, this means: Actual AES/RSA keys never leave TrustZone.

GenerateRandomBytes

Takes an u64 Size. Returns #Result and RandomBytes.

Size is limited to 0x38 (for fitting in return registers).

GenerateAesKek

Takes an "access key" as input, an #CryptoUsecase.

Returns a session-unique kek for said usecase.

LoadAesKey

Takes a session kek created with #GenerateAesKek, and a wrapped AES key.

The session kek must have been created with CryptoUsecase Aes.

ComputeAes

Encrypts/decrypts using AES (CTR and CBC). Takes an #CipherMode.

Key must be set prior using one of the #LoadAesKey or #GenerateSpecificAesKey commands.

GenerateSpecificAesKey

Takes a wrapped AES key and decrypts it using static data.

ComputeCmac

Calculates CMAC over input data.

DecryptAndImportEsDeviceKey

Takes a session kek created with #GenerateAesKek, a wrapped AES key, and a wrapped RSA private key.

The session kek must have been created with CryptoUsecase TitleKey.

[5.0.0] This function was removed and replaced with #ReencryptDeviceUniqueData.

ReencryptDeviceUniqueData

Takes in two session keks created with #GenerateAesKek, two wrapped AES keys, an enum member, and a wrapped RSA private key.

Decrypts and validates the wrapped RSA private key with the first kek/wrapped key, and re-encrypts it with the second if valid.

The re-encrypted key is then passed to the user, for use with #DecryptDeviceUniqueData.

DecryptDeviceUniqueData

Takes a session kek created with #GenerateAesKek, a wrapped AES key, an enum member, and a wrapped RSA private key.

The session kek must have been created with CryptoUsecase RsaPrivate.

[4.0.0+] The SMC handler when certain conditions pass and FunctionId0==0xC300100D now returns error 0x6 instead of calling the handler funcptr.

[5.0.0+] This function now takes an additional input #DecryptOrImportMode. This extends the original functionality to enable importing private keys into the security engine instead of decrypting them.

DecryptAndImportLotusKey

Takes a session kek created with #GenerateAesKek, and a wrapped RSA key.

The session kek must have been created with CryptoUsecase RsaSecureExpMod.

[5.0.0] This function was removed.

ModularExponentiateByStorageKey

Performs an ExpMod operation using an exponent previously loaded with the #DecryptAndImportLotusKey command.

[5.0.0+] This now uses any exponent previously loaded with #DecryptDeviceUniqueData and takes an #SecureExpModMode.

PrepareEsDeviceUniqueKey

Takes an Rsa-Oaep-wrapped TitleKey, an RSA Public Key, and a label hash.

Performs an ExpMod operation using an exponent previously loaded with the #DecryptAndImportEsDeviceKey command, and then validates/extracts a Titlekey from the resulting message.

Returns a session-unique AES key especially for use in #LoadTitleKey.

[5.0.0+] This now uses any exponent previously loaded with #DecryptDeviceUniqueData.

LoadPreparedAesKey

Takes a session-unique AES key from #PrepareEsCommonKey or #PrepareEsDeviceUniqueKey.

PrepareEsCommonKey

Takes an AES-wrapped common TitleKey and returns a sealed AES key.

FunctionId1

Functions exposed to the kernel internally.

SuspendCpu

Takes an u64 PowerState, an u64 EntrypointAddress and an u64 ContextId. No output.

Suspends the CPU (CPU0).

The kernel calls this SMC on shutdown with PowerState set to 0x0201001B (power level: 0x02==system; power type: 0x01==powerdown; ID: 0x1B).

PowerOffCpu

No input/output.

Turns off the CPU (CPU1, CPU2 or CPU3).

PowerOnCpu

Takes an u64 TargetCpu, an u64 EntrypointAddress and an u64 ContextId. Returns #Result.

Turns on the CPU (CPU1, CPU2 or CPU3).

GetConfig

Takes a #ConfigItem. Returns #Result and a ConfigValue.

ConfigItem

DisableProgramVerification

PM checks this item and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).

DramId

This is extracted directly from FUSE_RESERVED_ODM4.

PCV selects memory training tables based on DramId.

11_40800_01_V9.8.3_V1.6
11_68000_01_V9.8.3_V1.6
11_102000_01_V9.8.3_V1.6
11_204000_05_V9.8.3_V1.6
11_408000_02_V9.8.3_V1.6
11_665600_03_V9.8.3_V1.6
11_800000_01_V9.8.3_V1.6
11_1065600_01_V9.8.3_V1.6
11_1331200_01_V9.8.3_V1.6
11_1600000_02_V9.8.3_V1.6

10_40800_NoCfgVersion_V9.8.7_V1.6
10_68000_NoCfgVersion_V9.8.7_V1.6
10_102000_NoCfgVersion_V9.8.7_V1.6
10_204000_NoCfgVersion_V9.8.7_V1.6
10_408000_NoCfgVersion_V9.8.7_V1.6
10_665600_NoCfgVersion_V9.8.7_V1.6
10_800000_NoCfgVersion_V9.8.7_V1.6
10_1065600_NoCfgVersion_V9.8.7_V1.6
10_1331200_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6

10_40800_NoCfgVersion_V9.8.4_V1.6
10_68000_NoCfgVersion_V9.8.4_V1.6
10_102000_NoCfgVersion_V9.8.4_V1.6
10_204000_NoCfgVersion_V9.8.4_V1.6
10_408000_NoCfgVersion_V9.8.4_V1.6
10_665600_NoCfgVersion_V9.8.4_V1.6
10_800000_NoCfgVersion_V9.8.4_V1.6
10_1065600_NoCfgVersion_V9.8.4_V1.6
10_1331200_NoCfgVersion_V9.8.4_V1.6
10_1600000_NoCfgVersion_V9.8.4_V1.6

10_40800_NoCfgVersion_V9.8.4_V1.6
10_68000_NoCfgVersion_V9.8.4_V1.6
10_102000_NoCfgVersion_V9.8.4_V1.6
10_204000_NoCfgVersion_V9.8.4_V1.6
10_408000_NoCfgVersion_V9.8.4_V1.6
10_665600_NoCfgVersion_V9.8.4_V1.6
10_800000_NoCfgVersion_V9.8.4_V1.6
10_1065600_NoCfgVersion_V9.8.4_V1.6
10_1331200_NoCfgVersion_V9.8.4_V1.6
10_1600000_NoCfgVersion_V9.8.4_V1.6

10_40800_NoCfgVersion_V9.8.7_V1.6
10_68000_NoCfgVersion_V9.8.7_V1.6
10_102000_NoCfgVersion_V9.8.7_V1.6
10_204000_NoCfgVersion_V9.8.7_V1.6
10_408000_NoCfgVersion_V9.8.7_V1.6
10_665600_NoCfgVersion_V9.8.7_V1.6
10_800000_NoCfgVersion_V9.8.7_V1.6
10_1065600_NoCfgVersion_V9.8.7_V1.6
10_1331200_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6

10_40800_NoCfgVersion_V9.8.7_V1.6
10_68000_NoCfgVersion_V9.8.7_V1.6
10_102000_NoCfgVersion_V9.8.7_V1.6
10_204000_NoCfgVersion_V9.8.7_V1.6
10_408000_NoCfgVersion_V9.8.7_V1.6
10_665600_NoCfgVersion_V9.8.7_V1.6
10_800000_NoCfgVersion_V9.8.7_V1.6
10_1065600_NoCfgVersion_V9.8.7_V1.6
10_1331200_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6

10_40800_NoCfgVersion_V9.8.7_V1.6
10_68000_NoCfgVersion_V9.8.7_V1.6
10_102000_NoCfgVersion_V9.8.7_V1.6
10_204000_NoCfgVersion_V9.8.7_V1.6
10_408000_NoCfgVersion_V9.8.7_V1.6
10_665600_NoCfgVersion_V9.8.7_V1.6
10_800000_NoCfgVersion_V9.8.7_V1.6
10_1065600_NoCfgVersion_V9.8.7_V1.6
10_1331200_NoCfgVersion_V9.8.7_V1.6
10_1600000_NoCfgVersion_V9.8.7_V1.6

01_204000_NoCfgVersion_V0.3.1_V2.0
01_1331200.0_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0

01_204000_NoCfgVersion_V0.3.1_V2.0
01_1331200.0_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0

01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0

01_204000_NoCfgVersion_V0.3.1_V2.0
01_1331200.0_NoCfgVersion_V0.3.1_V2.0
01_1600000_NoCfgVersion_V0.3.1_V2.0

01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0

01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0

01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0

01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0

01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0

01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0

01_204000_NoCfgVersion_V0.4.2_V2.0
01_1331200.0_NoCfgVersion_V0.4.2_V2.0
01_1600000_NoCfgVersion_V0.4.2_V2.0

01_204000_NoCfgVersion_V0.4.5_V2.0
01_1331200.0_NoCfgVersion_V0.4.5_V2.0
01_1600000_NoCfgVersion_V0.4.5_V2.0

nx-abca2 (Icosa in Erista, Iowa in Mariko) hardware types are variations of the retail, EDEV and SDEV form factors.

nx-abcb (Copper in Erista, Calcio in Mariko) is a prototype unit. Among other differences, this has extra hardware to support HDMI output.

[8.0.0+] nx-abcc (Hoag) was added for the Lite retail and HDEV form factors.

[10.0.0+] nx-abcd was added.

Erista memory is LPDDR4, while Mariko memory is LPDDR4X.

SecurityEngineInterruptNumber

SPL uses this for setting up the security engine IRQ.

FuseVersion

The current Package1 Maxver Constant - 1.

HardwareType

[1.0.0+] This item is obtained by checking bits 8 and 2 from FUSE_RESERVED_ODM4.

[4.0.0+] This item is obtained by checking bits 8, 2 and 16-19 from FUSE_RESERVED_ODM4.

[7.0.0+] This item can now only be 0 (Icosa) or 15 (Invalid) in Erista units.

Hardware is Icosa (Erista retail, EDEV and SDEV) if development flag (bit 8) is Retail and production flag (bit 2) is Production.

Hardware is Copper (Erista prototype) if development flag (bit 8) is Development and production flag (bit 2) is Prototype.

[4.0.0+] Hardware is Iowa (Mariko retail, EDEV and SDEV) if new hardware type (bits 16-19) is Iowa.

[8.0.0+] Hardware is Hoag (Mariko Lite retail and HDEV) if new hardware type (bits 16-19) is Hoag.

[8.0.0+] Hardware is Calcio (Mariko prototype) if development flag (bit 8) is Development and production flag (bit 2) is Prototype.

[10.0.0+] Hardware is Unknown if new hardware type (bits 16-19) is 0x4.

HardwareState

This item is obtained by checking bits 9 and 0-1 from FUSE_RESERVED_ODM4.

IsRecoveryBoot

Used to determine if the system is booting from SafeMode firmware.

Under normal circumstances, this just returns bit 0 of the active bootloader info's attribute field.

DeviceId

NIM checks if this item matches the set:cal DeviceId with byte7 cleared. If they don't match, a panic is thrown.

BootReason

Used to determine how the system booted.

MemoryMode

PM and the kernel decide memory arrangement based on MemoryMode.

IsDevelopmentFunctionEnabled

Kernel uses this to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail.

[2.0.0+] This is also used with certain debug SVCs.

[3.0.0+] RO checks this and if set then skipping NRR rsa signatures is allowed.

KernelConfiguration

Kernel reads this when setting up memory-related code.

EnableNonZeroFillMemory is a boolean determining whether kernel should it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs.

EnableUserExceptionHandler is a boolean determining whether kernel should forcefully enable usermode exception handlers (when false, only certain aborts (((1LL << (esr >> 26)) & 0x1115804400224001) == 0, typically data/prefetch aborts) that occur when the faulting address is in a readable region with MemoryType_CodeStatic will trigger usermode exception handlers).

PerformanceMonitoringUnit is a boolean determining whether kernel should enable usermode access to the Performance Monitors (whether PMUSERENR_EL0 should be 1 or 0).

EnableApplicationExtraThread is a boolean determining whether the kernel should increase the KThread slabheap capacity by 160. This also increases object capacities that are calculated based on number of threads.

CallShowErrorOnPanic is a boolean determining whether kernel should call smcPanic on error instead of infinite-looping.

MemorySize determines how much memory is available. 00/03 = 4 GB, 01 = 6 GB, 02 = 8 GB.

IsChargerHiZModeEnabled

This tells if the TI Charger (bq24192) is active.

IsQuest

This item is bit 10 from FUSE_RESERVED_ODM4.

[4.0.0+] Settings uses this value to overwrite the quest flag from GetQuestFlag. This is used to detect if a Switch is a kiosk unit for display at retail stores.

RegulatorType

[5.0.0+] PCV uses this value in combination with HardwareType to configure power blocks and memory tables for different hardware.

DeviceUniqueKeyGeneration

This item is obtained from FUSE_RESERVED_ODM2 if bit 11 from FUSE_RESERVED_ODM4 is set, FUSE_RESERVED_ODM0 matches 0x8E61ECAE and FUSE_RESERVED_ODM1 matches 0xF2BA3BB2.

[5.0.0+] FS can now use this value for the KeyGeneration parameter when calling GenerateAesKek during "GetBisEncryptionKey".

Package2Hash

This is a SHA-256 hash calculated over the package2 image. Since the hash calculation is an optional step in pkg2ldr, this item is only valid in recovery mode. Otherwise, an error is returned instead.

ShowError

Takes an u32 Color and issues a system panic.

The kernel always calls this with Color set to 0xF00.

SetKernelCarveoutRegion

Takes an u64 Index, an u64 Address and an u64 Size. Returns #Result.

If Index is 0, Address and Size are used to configure MC_SECURITY_CARVEOUT4. If Index is 1, Address and Size are used to configure MC_SECURITY_CARVEOUT5. Any other Index values are invalid.

The kernel calls this with Index set to 0, Address set to 0x80060000 and Size set to a dynamically calculated size which covers all the kernel and built-in sysmodules' DRAM regions.

ReadWriteRegister

Takes an u64 Register, an u32 Mask and an u32 InValue. Returns #Result and an u32 OutValue.

Relays svcReadWriteRegister to the Secure Monitor.

CryptoUsecase

CipherMode

DecryptOrImportMode

SecureExpModMode

EsKeyType

Result