Difference between revisions of "SPL services"

From Nintendo Switch Brew
Jump to navigation Jump to search
Line 146: Line 146:
 
[3.0.0+] [[Loader services|RO]] checks id11, if set then skipping NRR rsa signatures is allowed.
 
[3.0.0+] [[Loader services|RO]] checks id11, if set then skipping NRR rsa signatures is allowed.
  
Kernel uses id11 to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail. This is also used with certain debug [[SVC|SVCs]].
+
Kernel uses id11 to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail. [2.0.0+] This is also used with certain debug [[SVC|SVCs]].
  
 
Kernel reads id12 when setting up memory-related code. If bit0 is set, it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. If bit17-16 is 0b01, the kernel assumes 6GB of DRAM instead of 4GB.
 
Kernel reads id12 when setting up memory-related code. If bit0 is set, it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. If bit17-16 is 0b01, the kernel assumes 6GB of DRAM instead of 4GB.

Revision as of 23:29, 10 September 2017

csrng

Cmd Name
0 #GetRandomBytes

GetRandomBytes

Takes a type-6 buffer and fills it with random data. Same command for "spl:" and "csrng" services.

spl:

[2.0.0+] Where previously only one AES engine was utilized, there is now support for 4 of them.

[2.0.0+] When the session closes, all AES engines that were locked are automatically unlocked.

Cmd Name Notes
0 #GetConfig Wrapper for GetConfig.
1 #UserExpMod User supplied modulus and exponent.
2 #GenerateAesKek Wrapper for KeygenAndSealX.
3 #LoadAesKey Wrapper for SetKeyslotFromXY.
4 #GenerateAesKey Decrypts 0x10 bytes using AES ECB and uses SetKeyslotFromXY with a fixed Y.
5 #SetConfig Wrapper for SetConfig.
7 #GetRandomBytes Uses PrngX931.
9 #DecryptImportPrivkForExpMod0 Wrapper for ImportParamsForFWithXY.
10 #ExpMod0 Wrapper for ExpMod.
11 #IsDevelopment
12 #GenerateSpecificAesKey Wrapper for KeygenA.
13 #DecryptPrivk Wrapper for DecryptExpModParamsWithXY.
14 #DecryptAesKey Decrypts 0x10 bytes using AES ECB and uses SetKeyslotFromXY with fixed X and Y.
15 #DecryptAesCtr Wrapper for SymmetricCrypto.
16 #ComputeCmac Wrapper for CMAC.
17 #DecryptImportPrivkForExpMod1 Wrapper for ImportParamsFor10WithXY.
18 #ExpMod1 Wrapper for ExpModAndKeygenAndSealZ.
19 #LoadRsaKey Wrapper for SetKeyslotFromZ.
20 [2.0.0+] #GenerateRsaKek Wrapper for KeygenAndSealZ.
21 [2.0.0+] #LockAesEngine
22 [2.0.0+] #UnlockAesEngine
23 [2.0.0+] #GetSplWaitEvent

GetConfig

Takes a u32 (ConfigItem), and returns a u64 (ConfigVal).

ConfigItem Name
1 DisableProgramVerification
2 MemoryConfiguration
3 Returns 0x2C?
4 Returns 0x02?
5 HardwareType (0=Icosa, 1=Copper)
6 IsRetail
7 IsRecoveryBoot
8 DeviceId (byte7 clear)
9 BootReason
10 MemoryArrange
11 IsDebugMode
12 KernelMemoryConfiguration
13 BatteryProfile


PCV configures memory profiles based on id2.

Platform Version Revision id2
"jetson-tx1" "11_40800_01_V9.8.3_V1.6" N/A N/A
"nx-abcb" "10_40800_NoCfgVersion_V9.8.4_V1.6" 0 0
"nx-abca2" "10_40800_NoCfgVersion_V9.8.7_V1.6" 0 0 or 3
"nx-abca2" "10_40800_NoCfgVersion_V9.8.7_V1.6" 1 4
"nx-abca2" "10_40800_NoCfgVersion_V9.8.7_V1.6" 2 1
"nx-abca2" "10_40800_NoCfgVersion_V9.8.7_V1.6" 3 2


PM checks id1 and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).

NIM checks that id8 output must match the set:cal DeviceId with byte7 cleared, otherwise panic.

[3.0.0+] RO checks id11, if set then skipping NRR rsa signatures is allowed.

Kernel uses id11 to determine behavior of svcBreak positive arguments. It will break instead of just force-exiting the process which is what happens on retail. [2.0.0+] This is also used with certain debug SVCs.

Kernel reads id12 when setting up memory-related code. If bit0 is set, it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. If bit17-16 is 0b01, the kernel assumes 6GB of DRAM instead of 4GB.

UserExpMod

Takes one type-10 (C descriptor) buffer (data_out_buf) and 3 type-9 (X descriptor) buffers (data_in_buf, exp_in_buf and mod_in_buf).

Performs asymmetric crypto with user supplied modulus and exponent.

GenerateAesKek

Takes a 16-byte EKS (Encryption Key Source) and two words (KeyGeneration and option) as input. KeyGeneration ranges from 0 to 2.

Returns a scrambled sealed KEK (Key Encryption Key used as key_x).

LoadAesKey

Takes a u32 (keyslot) and two 16-byte keys (key_x and key_y).

Sets the specified keyslot with a key generated from key_x and key_y.

[2.0.0+] Now verifies that the engine in use (0..3) is locked/owned by the current spl session, otherwise errors with 0xD21A. Previously engine was hardcoded to 0.

GenerateAesKey

Takes a 16-byte KEK (key_x) and a 16-byte encrypted key (enc_key).

Generates a new key by decrypting enc_key with a key generated from the supplied key_x and a fixed key_y.

[2.0.0+] Previously, it always used engine 0. Now it tries to allocate an engine to be used and returns 0xD01A if they're all busy. When the command is done, the engine is released.

SetConfig

Takes a u32 (ConfigItem) and a u64 (ConfigVal).

ConfigItem Name
13 BatteryProfile

Any other ConfigItem, besides 13, can't be set.

DecryptImportPrivkForExpMod0

Takes one type-9 (X descriptor) buffer (enc_privk_in_buf), a 16-byte KEK (key_x), a 16-byte key (key_y) and a u32 (version). version is 0 for normal keys or 1 for extended keys.

Decrypts enc_privk_in_buf with a key generated from key_x and key_y and imports it for later usage.

ExpMod0

Takes one type-10 (C descriptor) buffer (data_out_buf) and 3 type-9 (X descriptor) buffers (data_in_buf, param0_in_buf and param1_in_buf).

Decrypts data_in_buf into data_out_buf using the private key imported with #DecryptImportPrivkForExpMod0 and the supplied buffers param0_in_buf and param1_in_buf.

Returns and unknown u32.

IsDevelopment

No input params.

Uses #GetConfig internally with id=6. Returns true if output from that is 0, or if the SMC returned error 2.

Returns an u8 flag for whether the system is devunit. Output flag is 0 on retail.

GenerateSpecificAesKey

Takes a 16-byte seed (key_seed) and two words (KeyGeneration and option) as input. KeyGeneration ranges from 0 to 2.

Returns a scrambled (unsealed?) key (key_a).

DecryptPrivk

Takes one type-10 (C descriptor) buffer (dec_privk_out_buf), one type-9 (X descriptor) buffer (enc_privk_in_buf), a 16-byte KEK (key_x), a 16-byte key (key_y) and a u32 (version). version is 0 for normal keys or 1 for extended keys.

Decrypts enc_privk_in_buf into dec_privk_out_buf with a key generated from key_x and key_y.

Used by SSL-sysmodule for TLS client-privk.

DecryptAesKey

Takes a 16-byte encrypted key (enc_key) and two words (KeyGeneration and option) as input. KeyGeneration ranges from 0 to 2.

Decrypts enc_key with a key generated from fixed key_x and key_y and returns a 16-byte decrypted key (dec_key).

[2.0.0+] Introduced same engine allocation code as for #GenerateAesKey.

DecryptAesCtr

Takes a type-0x46 (B descriptor) buffer (data_out_buf), a u32 (keyslot), a type-0x45 (A descriptor) buffer (data_in_buf) and a 16-byte CTR (aes_ctr).

Decrypts data_in_buf into data_out_buf using the key set in the specified keyslot.

[2.0.0+] Verifies the engine is locked by current session.

ComputeCmac

Takes one type-9 (X descriptor) buffer (data_in_buf) and a u32 (type?).

Returns a 16-byte CMAC calculated over data_in_buf.

[2.0.0+] Verifies the engine is locked by current session.

DecryptImportPrivkForExpMod1

Takes one type-9 (X descriptor) buffer (enc_privk_in_buf), a 16-byte KEK (key_x), a 16-byte key (key_y) and a u32 (version). version is 0 for normal keys or 1 for extended keys.

Decrypts enc_privk_in_buf with a key generated from key_x and key_y and imports it for later usage.

ExpMod1

Takes 3 type-9 (X descriptor) buffers (data_in_buf, param0_in_buf and param1_in_buf).

Decrypts data_in_buf using the private key imported with #DecryptImportPrivkForExpMod1 and the supplied buffers param0_in_buf and param1_in_buf.

Generates and returns a 16-byte key (key_z).

LoadRsaKey

Takes a u32 (keyslot) and a 16-byte key (key_z).

Sets the specified keyslot with a key generated from key_z.

[2.0.0+] Verifies the engine is locked by current session.

GenerateRsaKek

Takes a 16-byte EKS (Encryption Key Source).

Returns a scrambled sealed KEK (Key Encryption Key used as key_z).

LockAesEngine

Returns the id of the engine that was locked, or 0xD01A if all engines are busy. You need to lock an engine before using AES functions.

UnlockAesEngine

Takes a single u32 and unlocks the engine with that id. It must be owned by current session otherwise 0xD21A will be returned.

GetSplWaitEvent

Returns an event handle for synchronizing with the locked AES engine.