Changes

Jump to navigation Jump to search
1,118 bytes added ,  21:25, 12 January 2019
no edit summary
Line 129: Line 129:  
| FALCON_WDTMR_ENABLE
 
| FALCON_WDTMR_ENABLE
 
| 0x54501038
 
| 0x54501038
 +
| 0x04
 +
|-
 +
| FALCON_UNK_3C
 +
| 0x5450103C
 
| 0x04
 
| 0x04
 
|-
 
|-
Line 245: Line 249:  
| [[#FALCON_EXCI|FALCON_EXCI]]
 
| [[#FALCON_EXCI|FALCON_EXCI]]
 
| 0x545010D0
 
| 0x545010D0
 +
| 0x04
 +
|-
 +
| FALCON_UNK_D4
 +
| 0x545010D4
 +
| 0x04
 +
|-
 +
| FALCON_UNK_D8
 +
| 0x545010D8
 +
| 0x04
 +
|-
 +
| FALCON_UNK_DC
 +
| 0x545010DC
 +
| 0x04
 +
|-
 +
| FALCON_UNK_E0
 +
| 0x545010E0
 
| 0x04
 
| 0x04
 
|-
 
|-
Line 441: Line 461:  
| [[#FALCON_SCTL|FALCON_SCTL]]
 
| [[#FALCON_SCTL|FALCON_SCTL]]
 
| 0x54501240
 
| 0x54501240
 +
| 0x04
 +
|-
 +
| [[#FALCON_SCTL_STAT|FALCON_SCTL_STAT]]
 +
| 0x54501244
 +
| 0x04
 +
|-
 +
| FALCON_UNK_248
 +
| 0x54501248
 +
| 0x04
 +
|-
 +
| FALCON_UNK_24C
 +
| 0x5450124C
 +
| 0x04
 +
|-
 +
| FALCON_UNK_250
 +
| 0x54501250
 
| 0x04
 
| 0x04
 
|-
 
|-
Line 473: Line 509:  
| [[#FALCON_SPROT_WDTMR|FALCON_SPROT_WDTMR]]
 
| [[#FALCON_SPROT_WDTMR|FALCON_SPROT_WDTMR]]
 
| 0x5450129C
 
| 0x5450129C
 +
| 0x04
 +
|-
 +
| FALCON_UNK_2E0
 +
| 0x545012E0
 
| 0x04
 
| 0x04
 
|-
 
|-
Line 491: Line 531:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_SCP_UNK0
+
| TSEC_SCP_UNK_10
 
| 0x54501410
 
| 0x54501410
 
| 0x04
 
| 0x04
Line 499: Line 539:  
| 0x04
 
| 0x04
 
|-
 
|-
| [[#TSEC_SCP_SEQ0_STAT|TSEC_SCP_SEQ0_STAT]]
+
| [[#TSEC_SCP_SEQ_CTL|TSEC_SCP_SEQ_CTL]]
 
| 0x54501420
 
| 0x54501420
 +
| 0x04
 +
|-
 +
| [[#TSEC_SCP_SEQ_VAL|TSEC_SCP_SEQ_VAL]]
 +
| 0x54501424
 
| 0x04
 
| 0x04
 
|-
 
|-
Line 511: Line 555:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_SCP_UNK2
+
| [[#TSEC_SCP_AUTH_STAT|TSEC_SCP_AUTH_STAT]]
 
| 0x54501454
 
| 0x54501454
 
| 0x04
 
| 0x04
Line 519: Line 563:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_SCP_UNK3
+
| TSEC_SCP_UNK_70
 
| 0x54501470
 
| 0x54501470
 
| 0x04
 
| 0x04
Line 531: Line 575:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_SCP_UNK4
+
| TSEC_SCP_RES
 
| 0x54501490
 
| 0x54501490
 
| 0x04
 
| 0x04
Line 543: Line 587:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TRNG_UNK0
+
| TSEC_TRNG_04
 
| 0x54501504
 
| 0x54501504
 
| 0x04
 
| 0x04
Line 567: Line 611:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TRNG_UNK1
+
| TSEC_TRNG_28
 
| 0x54501528
 
| 0x54501528
 
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TRNG_UNK2
+
| TSEC_TRNG_2C
 
| 0x5450152C
 
| 0x5450152C
 
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TFBIF_UNK0
+
| TSEC_TFBIF_00
 
| 0x54501600
 
| 0x54501600
 
| 0x04
 
| 0x04
Line 583: Line 627:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TFBIF_UNK1
+
| TSEC_TFBIF_08
 
| 0x54501608
 
| 0x54501608
 
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TFBIF_UNK2
+
| TSEC_TFBIF_0C
 
| 0x5450160C
 
| 0x5450160C
 
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TFBIF_UNK3
+
| TSEC_TFBIF_30
 
| 0x54501630
 
| 0x54501630
 
| 0x04
 
| 0x04
Line 599: Line 643:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TFBIF_UNK4
+
| TSEC_TFBIF_40
 
| 0x54501640
 
| 0x54501640
 
| 0x04
 
| 0x04
 
|-
 
|-
| [[#TSEC_TFBIF_UNK5|TSEC_TFBIF_UNK5]]
+
| [[#TSEC_TFBIF_44|TSEC_TFBIF_44]]
 
| 0x54501644
 
| 0x54501644
 
| 0x04
 
| 0x04
 
|-
 
|-
| [[#TSEC_TFBIF_UNK6|TSEC_TFBIF_UNK6]]
+
| [[#TSEC_TFBIF_48|TSEC_TFBIF_48]]
 
| 0x54501648
 
| 0x54501648
 
| 0x04
 
| 0x04
Line 623: Line 667:  
| 0x04
 
| 0x04
 
|-
 
|-
| [[#TSEC_DMA_UNK|TSEC_DMA_UNK]]
+
| [[#TSEC_DMA_CFG|TSEC_DMA_CFG]]
 
| 0x5450170C
 
| 0x5450170C
 
| 0x04
 
| 0x04
Line 631: Line 675:  
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TEGRA_UNK0
+
| TSEC_TEGRA_24
 
| 0x54501824
 
| 0x54501824
 
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TEGRA_UNK1
+
| TSEC_TEGRA_28
 
| 0x54501828
 
| 0x54501828
 
| 0x04
 
| 0x04
 
|-
 
|-
| TSEC_TEGRA_UNK2
+
| TSEC_TEGRA_2C
 
| 0x5450182C
 
| 0x5450182C
 
| 0x04
 
| 0x04
Line 1,411: Line 1,455:  
| 14
 
| 14
 
| Initialize the transition to LS mode
 
| Initialize the transition to LS mode
 +
|}
 +
 +
=== FALCON_SCTL_STAT ===
 +
{| class="wikitable" border="1"
 +
!  Bits
 +
!  Description
 +
|-
 +
| 31
 +
| Set on memory protection violation
 
|}
 
|}
   Line 1,629: Line 1,682:  
|}
 
|}
   −
=== TSEC_SCP_SEQ0_STAT ===
+
=== TSEC_SCP_SEQ_CTL ===
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
!  Bits
 
!  Bits
 
!  Description
 
!  Description
 +
|-
 +
| 0-3
 +
| Sequence's instruction index
 +
|-
 +
| 4-7
 +
| Target and control flags
 
|-
 
|-
 
| 8-11
 
| 8-11
| Size of current cs0begin macro
+
| Sequence's size
 +
|}
 +
 
 +
Controls the last crypto sequence (cs0 or cs1) created.
 +
 
 +
=== TSEC_SCP_SEQ_VAL ===
 +
{| class="wikitable" border="1"
 +
!  Bits
 +
!  Description
 +
|-
 +
| 0-3
 +
| Sequence instruction's first operand
 +
|-
 +
| 4-9
 +
| Sequence instruction's second operand
 
|-
 
|-
 +
| 10-14
 +
| Sequence instruction's opcode
 
|}
 
|}
 +
 +
Contains information on the last crypto sequence (cs0 or cs1) created.
    
=== TSEC_SCP_SEQ_STAT ===
 
=== TSEC_SCP_SEQ_STAT ===
Line 1,662: Line 1,739:  
|-
 
|-
 
| 0-3
 
| 0-3
| Crypto fuc5 destination register or immediate value
+
| Destination register or immediate value
 
|-
 
|-
 
| 8-13
 
| 8-13
| Crypto fuc5 source register or immediate value
+
| Source register or immediate value
 
|-
 
|-
 
| 20-24
 
| 20-24
| Crypto fuc5 operation
+
| Operation
 
  0x0:  nop (fuc5 opcode 0x00)  
 
  0x0:  nop (fuc5 opcode 0x00)  
 
  0x1:  cmov (fuc5 opcode 0x84)
 
  0x1:  cmov (fuc5 opcode 0x84)
Line 1,703: Line 1,780:     
Contains information on the last crypto instruction executed.
 
Contains information on the last crypto instruction executed.
 +
 +
=== TSEC_SCP_AUTH_STAT ===
 +
{| class="wikitable" border="1"
 +
!  Bits
 +
!  Description
 +
|-
 +
| 0-1
 +
| Signature comparison result (3=succeeded, 2=failed)
 +
|}
 +
 +
Contains information on the last authentication attempt.
    
=== TSEC_SCP_AES_STAT ===
 
=== TSEC_SCP_AES_STAT ===
Line 1,857: Line 1,945:  
|}
 
|}
   −
=== TSEC_TFBIF_UNK5 ===
+
=== TSEC_TFBIF_UNK_44 ===
 
Used to control accesses to DRAM.
 
Used to control accesses to DRAM.
    
[6.0.0+] The nvhost_tsec firmware sets this register to 0x10 or 0x111110 before reading memory from the GPU UCODE carveout.
 
[6.0.0+] The nvhost_tsec firmware sets this register to 0x10 or 0x111110 before reading memory from the GPU UCODE carveout.
   −
=== TSEC_TFBIF_UNK6 ===
+
=== TSEC_TFBIF_UNK_48 ===
 
Used to control accesses to DRAM.
 
Used to control accesses to DRAM.
   Line 1,903: Line 1,991:  
Takes the value for DMA transfers between TSEC and HOST1X (master and clients).
 
Takes the value for DMA transfers between TSEC and HOST1X (master and clients).
   −
=== TSEC_DMA_UNK ===
+
=== TSEC_DMA_CFG ===
 
Always 0xFFF.
 
Always 0xFFF.
   Line 1,943: Line 2,031:  
Under certain circumstances, it is possible to observe [[#csigauth|csigauth]] being briefly written to [[#TSEC_SCP_INSN_STAT|TSEC_SCP_INSN_STAT]] as "csigauth $c4 $c6" while the opcodes in [[#TSEC_SCP_AES_STAT|TSEC_SCP_AES_STAT]] are set to "cxsin" and "csigauth", respectively.
 
Under certain circumstances, it is possible to observe [[#csigauth|csigauth]] being briefly written to [[#TSEC_SCP_INSN_STAT|TSEC_SCP_INSN_STAT]] as "csigauth $c4 $c6" while the opcodes in [[#TSEC_SCP_AES_STAT|TSEC_SCP_AES_STAT]] are set to "cxsin" and "csigauth", respectively.
   −
Via [[#TSEC_SCP_SEQ0_STAT|TSEC_SCP_SEQ0_STAT]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
+
Via [[#TSEC_SCP_SEQ_CTL|TSEC_SCP_SEQ_CTL]] it can be observed that a 3-sized macro sequence is loaded into cs0 during a secure mode transition.
    
=== Operations ===
 
=== Operations ===
Line 2,027: Line 2,115:  
Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:
 
Executing this instruction only succeeds if the TRNG is enabled for the SCP, which requires taking the following steps:
 
* Write 0x7FFF to TSEC_TRNG_CLKDIV.
 
* Write 0x7FFF to TSEC_TRNG_CLKDIV.
* Write 0x3FF0000 to TSEC_TRNG_UNK0.
+
* Write 0x3FF0000 to TSEC_TRNG_UNK_00.
* Write 0xFF00 to TSEC_TRNG_UNK2.
+
* Write 0xFF00 to TSEC_TRNG_UNK_2C.
 
* Write 0x1000 to [[#TSEC_SCP_CTL1|TSEC_SCP_CTL1]].
 
* Write 0x1000 to [[#TSEC_SCP_CTL1|TSEC_SCP_CTL1]].
   Line 2,069: Line 2,157:  
| 8-15 || Unknown
 
| 8-15 || Unknown
 
|-
 
|-
| 16 || Use secret xfers (?)
+
| 16 || Use secret xfers
 
|-
 
|-
| 17 || Region is encrypted (?)
+
| 17 || Region is encrypted
 
|-
 
|-
 
| 18 || Unknown
 
| 18 || Unknown
Line 2,110: Line 2,198:  
=== Secrets ===
 
=== Secrets ===
 
Falcon's Authenticated Mode has access to 64 128-bit keys which are burned at factory. These keys can be loaded by using the $csecret instruction which takes the target crypto register and the key index as arguments.
 
Falcon's Authenticated Mode has access to 64 128-bit keys which are burned at factory. These keys can be loaded by using the $csecret instruction which takes the target crypto register and the key index as arguments.
 +
 +
All secrets appear to be common across Falcon units of the same version, with the exception of secret 0x3F. This secret is effectively empty (all zeros), but is configured to be overwritten with the KFUSE private key once the KFUSE clock is enabled. The KFUSE private key is console-unique.
    
{| class=wikitable
 
{| class=wikitable
! Index || ACL || Console-unique || Notes  
+
! Index || ACL || Notes  
 
|-
 
|-
| 0x00 || 0x13 || No || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
+
| 0x00 || 0x13 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
 
|-
 
|-
| 0x01 || 0x10 || No || Used by nvhost_nvdec_bl020_prod firmware.
+
| 0x01 || 0x10 || Used by nvhost_nvdec_bl020_prod firmware.
 
|-
 
|-
| 0x02 || 0x10 || No ||
+
| 0x02 || 0x10 ||
 
|-
 
|-
| 0x03 || 0x11 || No || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
+
| 0x03 || 0x11 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
 
|-
 
|-
| 0x04 || 0x10 || No || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
+
| 0x04 || 0x10 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
 
|-
 
|-
| 0x05 || 0x13 || No || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
+
| 0x05 || 0x13 || Used by nvhost_tsec, nvhost_nvdec_bl020_prod, nvhost_nvdec020_prod, nvhost_nvdec020_ns and acr_ucode firmwares.
 
|-
 
|-
| 0x06 || 0x11 || No ||
+
| 0x06 || 0x11 ||
 
|-
 
|-
| 0x07 || 0x11 || No || Used by [6.0.0+] nvhost_tsec firmware.
+
| 0x07 || 0x11 || Used by [6.0.0+] nvhost_tsec firmware.
 
|-
 
|-
| 0x08 || 0x10 || No ||
+
| 0x08 || 0x10 ||
 
|-
 
|-
| 0x09 || 0x13 || No || Used by nvhost_tsec firmware.
+
| 0x09 || 0x13 || Used by nvhost_tsec firmware.
 
|-
 
|-
| 0x0A || 0x11 || No ||
+
| 0x0A || 0x11 ||
 
|-
 
|-
| 0x0B || 0x10 || No || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
+
| 0x0B || 0x10 || Used by nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
 
|-
 
|-
| 0x0C || 0x13 || No ||
+
| 0x0C || 0x13 ||
 
|-
 
|-
| 0x0D || 0x11 || No ||
+
| 0x0D || 0x11 ||
 
|-
 
|-
| 0x0E || 0x10 || No ||
+
| 0x0E || 0x10 ||
 
|-
 
|-
| 0x0F || 0x13 || No || Used by nvhost_tsec firmware.
+
| 0x0F || 0x13 || Used by nvhost_tsec firmware.
 
|-
 
|-
| 0x10 || 0x11 || No || Used by [1.0.0-5.1.0] nvhost_tsec firmware.
+
| 0x10 || 0x11 || Used by [1.0.0-5.1.0] nvhost_tsec firmware.
 
|-
 
|-
| 0x11 || 0x10 || No ||
+
| 0x11 || 0x10 ||
 
|-
 
|-
| 0x12 || 0x13 || No ||
+
| 0x12 || 0x13 ||
 
|-
 
|-
| 0x13 || 0x11 || No ||
+
| 0x13 || 0x11 ||
 
|-
 
|-
| 0x14 || 0x10 || No ||
+
| 0x14 || 0x10 ||
 
|-
 
|-
| 0x15 || 0x13 || No || Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
+
| 0x15 || 0x13 || Used by nvhost_nvdec_bl020_prod, [5.0.0+] nvhost_nvdec020_prod, [5.0.0+] nvhost_nvdec020_ns and [6.0.0+] nvhost_tsec firmwares.
 
|-
 
|-
| 0x16 || 0x11 || No ||
+
| 0x16 || 0x11 ||
 
|-
 
|-
| 0x17 || 0x10 || No ||
+
| 0x17 || 0x10 ||
 
|-
 
|-
| 0x18 || 0x13 || No ||
+
| 0x18 || 0x13 ||
 
|-
 
|-
| 0x19 || 0x11 || No ||
+
| 0x19 || 0x11 ||
 
|-
 
|-
| 0x1A || 0x10 || No ||
+
| 0x1A || 0x10 ||
 
|-
 
|-
| 0x1B || 0x13 || No ||
+
| 0x1B || 0x13 ||
 
|-
 
|-
| 0x1C || 0x11 || No ||
+
| 0x1C || 0x11 ||
 
|-
 
|-
| 0x1D || 0x10 || No ||
+
| 0x1D || 0x10 ||
 
|-
 
|-
| 0x1E || 0x13 || No ||
+
| 0x1E || 0x13 ||
 
|-
 
|-
| 0x1F || 0x11 || No ||
+
| 0x1F || 0x11 ||
 
|-
 
|-
| 0x20 || 0x10 || No ||
+
| 0x20 || 0x10 ||
 
|-
 
|-
| 0x21 || 0x13 || No ||
+
| 0x21 || 0x13 ||
 
|-
 
|-
| 0x22 || 0x11 || No ||
+
| 0x22 || 0x11 ||
 
|-
 
|-
| 0x23 || 0x10 || No ||
+
| 0x23 || 0x10 ||
 
|-
 
|-
| 0x24 || 0x13 || No ||
+
| 0x24 || 0x13 ||
 
|-
 
|-
| 0x25 || 0x11 || No ||
+
| 0x25 || 0x11 ||
 
|-
 
|-
| 0x26 || 0x10 || No || Used by [[TSEC_Firmware#KeygenLdr|KeygenLdr]].
+
| 0x26 || 0x10 || Used by [[TSEC_Firmware#KeygenLdr|KeygenLdr]] and [[TSEC_Firmware#SecureBoot|SecureBoot]]
 
|-
 
|-
| 0x27 || 0x13 || No ||
+
| 0x27 || 0x13 ||
 
|-
 
|-
| 0x28 || 0x11 || No ||
+
| 0x28 || 0x11 ||
 
|-
 
|-
| 0x29 || 0x10 || No ||
+
| 0x29 || 0x10 ||
 
|-
 
|-
| 0x2A || 0x13 || No ||
+
| 0x2A || 0x13 ||
 
|-
 
|-
| 0x2B || 0x11 || No ||
+
| 0x2B || 0x11 ||
 
|-
 
|-
| 0x2C || 0x10 || No ||
+
| 0x2C || 0x10 ||
 
|-
 
|-
| 0x2D || 0x13 || No ||
+
| 0x2D || 0x13 ||
 
|-
 
|-
| 0x2E || 0x11 || No ||
+
| 0x2E || 0x11 ||
 
|-
 
|-
| 0x2F || 0x10 || No ||
+
| 0x2F || 0x10 ||
 
|-
 
|-
| 0x30 || 0x13 || No ||
+
| 0x30 || 0x13 ||
 
|-
 
|-
| 0x31 || 0x11 || No ||
+
| 0x31 || 0x11 ||
 
|-
 
|-
| 0x32 || 0x10 || No ||
+
| 0x32 || 0x10 ||
 
|-
 
|-
| 0x33 || 0x13 || No ||
+
| 0x33 || 0x13 ||
 
|-
 
|-
| 0x34 || 0x11 || No ||
+
| 0x34 || 0x11 ||
 
|-
 
|-
| 0x35 || 0x10 || No ||
+
| 0x35 || 0x10 ||
 
|-
 
|-
| 0x36 || 0x13 || No ||
+
| 0x36 || 0x13 ||
 
|-
 
|-
| 0x37 || 0x11 || No ||
+
| 0x37 || 0x11 ||
 
|-
 
|-
| 0x38 || 0x10 || No ||
+
| 0x38 || 0x10 ||
 
|-
 
|-
| 0x39 || 0x13 || No ||
+
| 0x39 || 0x13 ||
 
|-
 
|-
| 0x3A || 0x11 || No ||
+
| 0x3A || 0x11 ||
 
|-
 
|-
| 0x3B || 0x10 || No ||
+
| 0x3B || 0x10 ||
 
|-
 
|-
| 0x3C || 0x13 || No || Used by nvhost_tsec firmware.
+
| 0x3C || 0x13 || Used by nvhost_tsec firmware.
 
|-
 
|-
| 0x3D || 0x11 || No ||
+
| 0x3D || 0x11 ||
 
|-
 
|-
| 0x3E || 0x10 || No ||
+
| 0x3E || 0x10 ||
 
|-
 
|-
| 0x3F || 0x10 || Yes || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
+
| 0x3F || 0x10 || Used by [[TSEC_Firmware#Keygen|Keygen]], nvhost_tsec, nvhost_nvdec020_prod and nvhost_nvdec020_ns firmwares.
 
|}
 
|}

Navigation menu