SPL services

From Nintendo Switch Brew


| Cmd | Name |
|---|---|
| 0 | #GetRandomBytes |


Takes a type-6 buffer and fills it with random data. Same command for "spl:" and "csrng" services.


[2.0.0+] Where previously only one AES engine was utilized, there is now support for 4 of them.

[2.0.0+] When the session closes, all AES engines that were locked are automatically unlocked.

| Cmd | Name | Notes |
|---|---|---|
| 0 | #GetConfig | wrapper for GetConfig |
| 1 | | user supplied modulus and exponent |
| 2 | #GenerateAesKek | wrapper for KeygenAndSealX |
| 3 | #LoadAesKey | wrapper for SetKeyslotFromXY |
| 4 | #GenerateAesKey | decrypts 0x10 bytes using AES ECB, uses SetKeyslotFromXY with a fixed Y |
| 5 | #SetConfig | wrapper for SetConfig |
| 7 | #GetRandomBytes | uses PrngX931 |
| 9 | | wrapper for ImportParamsForFWithXY |
| 10 | | wrapper for ExpMod |
| 11 | #IsDevelopment | |
| 12 | GenerateSpecificAesKey | wrapper for KeygenA |
| 13 | #DecryptExpModParamsWithXY | wrapper for DecryptExpModParamsWithXY |
| 14 | #GenerateAesKeyOther | decrypts 0x10 bytes using AES ECB, uses SetKeyslotFromXY with fixed X and Y |
| 15 | #DecryptAesCtr | wrapper for SymmetricCrypto |
| 16 | #ComputeCmac | wrapper for CMAC |
| 17 | | wrapper for ImportParamsFor10WithXY |
| 18 | | wrapper for ExpModAndKeygenAndSealZ |
| 19 | #SetKeyslotFromZ | wrapper for SetKeyslotFromZ |
| 20 [2.0.0+] | | wrapper for KeygenAndSealZ |
| 21 [2.0.0+] | #LockAesEngine | |
| 22 [2.0.0+] | #UnlockAesEngine | |
| 23 [2.0.0+] | GetSplWaitEvent | |


Takes an input word (ConfigItem), and returns a u64 with the config params.

| ConfigItem | Name |
|---|---|
| 1 | DisableProgramVerification |
| 2 | MemoryConfiguration |
| 5 | HardwareType (0=Icosa, 1=Copper) |
| 6 | IsRetail |
| 7 | IsRecoveryBoot |
| 8 | DeviceId (byte7 clear). |
| 9 | BootReason |
| 10 | MemoryArrange |
| 11 | IsDebugMode |
| 13 | BatteryProfile? |

PM checks id1 and if non-zero, calls fsp-pr SetEnabledProgramVerification(false).

NIM checks that the id8 output matches the set:cal DeviceId with byte7 cleared, and panics otherwise.

[3.0.0+] RO checks id11; if it is set, skipping NRR RSA signatures is allowed.

The kernel uses id11 to determine the behavior of svcBreak with positive arguments. It will break instead of just force-exiting the process, which is what happens on retail.


Takes a 16-byte seed ("BisEncryptionKeySourceForKek") and two words ("KeyGeneration" and "option") as input. KeyGeneration ranges from 0 to 2.

Same input gives same output. Output changes when system is rebooted.


[2.0.0+] Now verifies that the engine used (0..3) is locked/owned by the current spl session, otherwise errors with 0xD21A. Previously the engine was hardcoded to 0.


[2.0.0+] Previously it used engine 0 always. Now it tries to allocate an engine to be used, returns 0xD01A if they're all busy. After command is done, the engine is released.


Takes two input words, a ConfigItem and the value to set.

| ConfigItem | Name |
|---|---|
| 13 | BatteryProfile? |


No input params.

Uses #GetConfig internally with id=6. Returns true if output from that is 0, or if the SMC returned error 2.

Returns a u8 flag for whether the system is devunit. Output flag is 0 on retail.


Last SPL cmd used by SSL-sysmodule for TLS client-privk.


Scrambles with a different constant than non-"other" version.

[2.0.0+] Introduced same engine allocation code as for #GenerateAesKey.


[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.


[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.


[2.0.0+] Verifies the engine is locked by current session, same change as #LoadAesKey.


Returns the id of the engine that was locked, or 0xD01A if all engines are busy. You need to lock an engine before using AES functions.


Takes a single u32 and unlocks the engine with that id. It must be owned by the current session, otherwise 0xD21A is returned.
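
The [2.0.0+] engine rules described above (four engines, #LockAesEngine and #UnlockAesEngine, the ownership check in #LoadAesKey, and release on session close) can be modelled as a small ownership table. This is an added illustration, not Nintendo's code or code from this wiki; the function names, session ids, first-free allocation order and the handling of out-of-range engine ids are assumptions.

```c
#include <stdint.h>

#define NUM_ENGINES  4       /* [2.0.0+] engine count, from the page */
#define NO_OWNER     0       /* constructed sentinel: engine is free */
#define RC_OK        0
#define RC_ALL_BUSY  0xD01A  /* page: all engines are busy */
#define RC_NOT_OWNER 0xD21A  /* page: engine not locked by this session */

/* owner[i] = id of the session holding engine i (hypothetical layout; ids are nonzero). */
static uint32_t owner[NUM_ENGINES];

/* LockAesEngine: hand out a free engine (first-free order is an assumption). */
uint32_t lock_engine(uint32_t session, uint32_t *engine_out) {
    for (uint32_t i = 0; i < NUM_ENGINES; i++) {
        if (owner[i] == NO_OWNER) {
            owner[i] = session;
            *engine_out = i;
            return RC_OK;
        }
    }
    return RC_ALL_BUSY;
}

/* Ownership check described for LoadAesKey and the commands that share it.
   Treating an out-of-range id like a foreign engine is an assumption. */
uint32_t check_engine(uint32_t session, uint32_t engine) {
    if (engine >= NUM_ENGINES || owner[engine] != session)
        return RC_NOT_OWNER;
    return RC_OK;
}

/* UnlockAesEngine: only the owning session may release an engine. */
uint32_t unlock_engine(uint32_t session, uint32_t engine) {
    uint32_t rc = check_engine(session, engine);
    if (rc == RC_OK)
        owner[engine] = NO_OWNER;
    return rc;
}

/* Session close: release every engine the session still holds. */
void close_session(uint32_t session) {
    for (uint32_t i = 0; i < NUM_ENGINES; i++)
        if (owner[i] == session)
            owner[i] = NO_OWNER;
}
```

The ownership check is what keeps one session from using or releasing an engine that holds another session's key material, and the release on close prevents a crashed client from exhausting all four engines.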