SPL services

From Nintendo Switch Brew
Revision as of 21:10, 24 August 2017 by Hexkyz (talk | contribs)

csrng

| Cmd | Name |
|-----|------|
| 0 | #GetRandomBytes |

GetRandomBytes

Takes a type-6 buffer and fills it with random data. Same command for "spl:" and "csrng" services.

spl:

[2.0.0+] Where previously only one AES engine was utilized, there is now support for 4 of them.

[2.0.0+] When the session closes, all AES engines that were locked are automatically unlocked.

| Cmd | Name | Notes |
|-----|------|-------|
| 0 | #GetConfig | wrapper for GetConfig |
| 1 | | user supplied modulus and exponent |
| 2 | #GenerateAesKek | wrapper for KeygenAndSealX |
| 3 | #LoadAesKey | wrapper for SetKeyslotFromXY |
| 4 | #GenerateAesKey | decrypts 0x10 bytes using AES ECB, uses SetKeyslotFromXY with a fixed Y |
| 5 | #SetConfig | wrapper for SetConfig |
| 7 | #GetRandomBytes | uses PrngX931 |
| 9 | | wrapper for ImportParamsForFWithXY |
| 10 | | wrapper for ExpMod |
| 11 | #IsDevelopment | |
| 12 | GenerateSpecificAesKey | wrapper for KeygenA |
| 13 | #DecryptExpModParamsWithXY | wrapper for DecryptExpModParamsWithXY |
| 14 | #GenerateAesKeyOther | decrypts 0x10 bytes using AES ECB, uses SetKeyslotFromXY with fixed X and Y |
| 15 | #DecryptAesCtr | wrapper for SymmetricCrypto |
| 16 | #ComputeCmac | wrapper for CMAC |
| 17 | | wrapper for ImportParamsFor10WithXY |
| 18 | | wrapper for ExpModAndKeygenAndSealZ |
| 19 | #SetKeyslotFromZ | wrapper for SetKeyslotFromZ |
| 20 | | [2.0.0+] wrapper for KeygenAndSealZ |
| 21 | [2.0.0+] #LockAesEngine | |
| 22 | [2.0.0+] #UnlockAesEngine | |
| 23 | [2.0.0+] GetSplWaitEvent | |

GetConfig

Takes an input word (ConfigItem), and returns a u64 with the config params.

| ConfigItem | Name |
|------------|------|
| 1 | DisableProgramVerification |
| 2 | MemoryConfiguration |
| 3 | Returns 0x2C? |
| 4 | Returns 0x02? |
| 5 | HardwareType (0=Icosa, 1=Copper) |
| 6 | IsRetail |
| 7 | IsRecoveryBoot |
| 8 | DeviceId (byte7 clear) |
| 9 | BootReason |
| 10 | MemoryArrange |
| 11 | IsDebugMode |
| 12 | KernelMemoryConfiguration |
| 13 | BatteryProfile |


PCV configures memory profiles based on id2.

| Platform | Version | Revision | id2 |
|----------|---------|----------|-----|
| "jetson-tx1" | "11_40800_01_V9.8.3_V1.6" | N/A | N/A |
| "nx-abcb" | "10_40800_NoCfgVersion_V9.8.4_V1.6" | 0 | 0 |
| "nx-abca2" | "10_40800_NoCfgVersion_V9.8.7_V1.6" | 0 | 0 or 3 |
| "nx-abca2" | "10_40800_NoCfgVersion_V9.8.7_V1.6" | 1 | 4 |
| "nx-abca2" | "10_40800_NoCfgVersion_V9.8.7_V1.6" | 2 | 1 |
| "nx-abca2" | "10_40800_NoCfgVersion_V9.8.7_V1.6" | 3 | 2 |


PM checks id1 and, if it is non-zero, calls fsp-pr SetEnabledProgramVerification(false).

NIM checks that the id8 output matches the set:cal DeviceId with byte7 cleared, and panics otherwise.

[3.0.0+] RO checks id11; if it is set, skipping NRR RSA signatures is allowed.

Kernel uses id11 to determine the behavior of svcBreak with positive arguments. It will break instead of just force-exiting the process, which is what happens on retail.

Kernel reads id12 when setting up memory-related code. If bit0 is set, it will memset various allocated memory-regions with 0x58, 0x59, 0x5A ('X', 'Y', 'Z') instead of zero. This allows Nintendo devs to find uninitialized memory bugs. If bit17-16 is 0b01, the kernel assumes 6GB of DRAM instead of 4GB.

GenerateAesKek

Takes a 16-byte seed ("BisEncryptionKeySourceForKek") and two words ("KeyGeneration" and "option") as input. KeyGeneration ranges from 0 to 2.

The same input gives the same output, but the output changes when the system is rebooted.

LoadAesKey

[2.0.0+] Now verifies that the engine used (0..3) is locked/owned by the current spl session, otherwise errors with 0xD21A. Previously engine was hardcoded to 0.

GenerateAesKey

[2.0.0+] Previously it used engine 0 always. Now it tries to allocate an engine to be used, returns 0xD01A if they're all busy. After command is done, the engine is released.

SetConfig

Takes two input words, a ConfigItem and the value to set.

| ConfigItem | Name |
|------------|------|
| 13 | BatteryProfile |

IsDevelopment

No input params.

Uses #GetConfig internally with id=6. Returns true if output from that is 0, or if the SMC returned error 2.

Returns a u8 flag for whether the system is a devunit. The output flag is 0 on retail.

DecryptExpModParamsWithXY

Last SPL command used by the SSL sysmodule for the TLS client private key.

GenerateAesKeyOther

Scrambles with a different constant than non-"other" version.

[2.0.0+] Introduced same engine allocation code as for #GenerateAesKey.

DecryptAesCtr

[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.

ComputeCmac

[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.

SetKeyslotFromZ

[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.

LockAesEngine

Returns the id of the engine that was locked, or 0xD01A if all engines are busy. You need to lock an engine before using AES functions.

UnlockAesEngine

Takes a single u32 and unlocks the engine with that id. It must be owned by the current session, otherwise 0xD21A will be returned.
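
The [2.0.0+] engine ownership rules described under LoadAesKey, LockAesEngine and UnlockAesEngine, modelled in C as an added example (not code from this wiki or from the SPL sysmodule). The type and function names, the success code 0, returning the engine id through an out parameter, picking the lowest free engine, and answering an out-of-range id with 0xD21A are all assumptions; only the engine count and the two error codes come from the page.

```c
#include <stdint.h>

#define NUM_ENGINES   4        /* [2.0.0+] engine count, from the page */
#define RC_OK         0u       /* assumed success code */
#define RC_ALL_BUSY   0xD01Au  /* all engines busy, from the page */
#define RC_NOT_OWNER  0xD21Au  /* engine not locked/owned by session, from the page */

/* Model-only state: lock flag and owning session id per engine. */
typedef struct {
    int      in_use[NUM_ENGINES];
    uint32_t owner[NUM_ENGINES];
} engine_table;

/* LockAesEngine: claim a free engine for `session` (lowest free id, assumed). */
uint32_t lock_engine(engine_table *t, uint32_t session, uint32_t *out_id) {
    for (uint32_t i = 0; i < NUM_ENGINES; i++) {
        if (!t->in_use[i]) {
            t->in_use[i] = 1;
            t->owner[i] = session;
            *out_id = i;
            return RC_OK;
        }
    }
    return RC_ALL_BUSY;
}

/* Check made by LoadAesKey, DecryptAesCtr, ComputeCmac and SetKeyslotFromZ
 * before using an engine. The range test runs first so a caller-supplied
 * id can never index outside the table. */
uint32_t check_owned(const engine_table *t, uint32_t session, uint32_t id) {
    if (id >= NUM_ENGINES || !t->in_use[id] || t->owner[id] != session)
        return RC_NOT_OWNER;
    return RC_OK;
}

/* UnlockAesEngine: only the owning session may release an engine. */
uint32_t unlock_engine(engine_table *t, uint32_t session, uint32_t id) {
    uint32_t rc = check_owned(t, session, id);
    if (rc == RC_OK)
        t->in_use[id] = 0;
    return rc;
}

/* Session close: every engine still held by the session is unlocked. */
void close_session(engine_table *t, uint32_t session) {
    for (uint32_t i = 0; i < NUM_ENGINES; i++)
        if (t->in_use[i] && t->owner[i] == session)
            t->in_use[i] = 0;
}
```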