BOSS Services

Revision as of 00:00, 20 December 2016 by Yellows8 (talk | contribs)

BOSS Service "boss:U"

Command Header Description
0x00010082 InitializeSession
0x00020100 SetStorageInfo
0x00030000 UnregisterStorage
0x00040000 GetTaskStorageInfo
0x00050042 ?
0x00060084 This writes the content of the input buffers into files "bossdb:/%s_CL" and "bossdb:/%s_CLK", where "%s" is generated from the programID.
0x00070000 ?
0x00080002 Used for sending a handle. This is used with a table of programIDs etc with a maximum of 5 entries.
0x00090040 SetOptoutFlag
0x000A0000 GetOptoutFlag
0x000B00C2 RegisterTask
0x000C0082 UnregisterTask
0x000D0082 ReconfigureTask
0x000E0000 GetTaskIdList
0x000F0042 ?
0x00100102 GetNsDataIdList
0x00110102 ?
0x00120102 ?
0x00130102 ?
0x00140082 SendProperty
0x00150042 SendPropertyHandle
0x00160082 ReceiveProperty
0x00170082 ?
0x00180082 UpdateTaskCount
0x00190042 ?
0x001A0042 GetTaskCount
0x001B0042 GetTaskServiceStatus
0x001C0042 StartTask
0x001D0042 StartTaskImmediate
0x001E0042 CancelTask
0x001F0000 GetTaskFinishHandle
0x00200082 GetTaskState
0x00210042 GetTaskResult
0x00220042 ?
0x002300C2 GetTaskStatus
0x00240082 ?
0x00250082 ?
0x00260040 DeleteNsData
0x002700C2 GetNsDataHeaderInfo
0x00280102 ReadNsData
0x00290080 ?
0x002A0040 Unknown. Writes an output u32 to cmdreply[2].
0x002B0080 SetNsDataNewFlag
0x002C0040 GetNsDataNewFlag
0x002D0040 unknown...
0x002E0040 GetErrorCode
0x002F0140 RegisterStorageEntry
0x00300000 unknown...
0x00310100 ?
0x00320000 ?
0x00330042 StartBgImmediate
0x00340042 ?
0x003500C2 RegisterImmediateTask
0x00360084 unknown...
0x00370084 ?

Privileged BOSS Service "boss:P"

Command Header Description
0x04010082 InitializeSessionPrivileged
0x04040080 GetAppNewFlag
0x040500C0 unknown...
0x040600C0 unknown...
0x04070080 unknown...
0x04090102 unknown...
0x040B0080 unknown...
0x040D0182 unknown...
0x04130082 SendPropertyPrivileged
0x041500C0 DeleteNsDataPrivileged
0x04160142 GetNsDataHeaderInfoPrivileged
0x04170182 ReadNsDataPrivileged
0x041A0100 SetNsDataNewFlagPrivileged
0x041B00C0 GetNsDataNewFlagPrivileged
0x041C00C0 unknown...
0x042E00C2 unknown...
0x042F00C2 unknown...
0x043000C2 unknown...
0x04490142 unknown...
0x044A0180 unknown...
0x044D0080 unknown...
0x04500102 unknown...
0x04540102 unknown...
0x045500C2 unknown...
0x04580104 ?

boss:P also contains all of the commands from boss:U.

When Home Menu loads the SpotPass CBMD with Extended_Banner, it uses bossP command 0x040D0182 first. Then it uses GetNsDataHeaderInfoPrivileged, then ReadNsDataPrivileged for loading the actual banner data.

BOSS Service "boss:M"

Content Data Storage

SpotPass content for each application is stored under the extdata specified by BOSS:SetStorageInfo. Certain commands verify that the PID associated with the current service session has access to the specified extdata by using FS:CheckAuthorityToAccessExtSaveData, returning an error on failure. This basically renders SpotPass unusable under user-processes(when initialized under those processes) which don't have access to any SD extdata(unless NAND extdata is used instead).

All of these commands using FS:CheckAuthorityToAccessExtSaveData are: BOSS:SetStorageInfo and RegisterStorageEntry, for both BOSSU and BOSSP.

Custom SpotPass content

All data downloaded with SpotPass must use the signed+encrypted BOSS container. There doesn't seem to be any way to write to the SpotPass data stored in extdata via service commands either.

Therefore, the only known ways to use custom SpotPass content(homebrew usage etc) is: "CFW" / ARM11-kernelhax with the sigchecks for this patched, or some sort of BOSS-sysmodule exploit if there's any vulns to begin with.

HTTP upload

SpotPass tasks can be used for uploading data via HTTP POST. The exact method varies, but the main one is a raw POST.

The content data is loaded from the following path: snprintf(outpath, outpathsize, "%s/%s%02x.up", archivepath, taskidstr_probably, unk);

The archivepath can be either "bossdb:"(BOSS-sysmodule NAND savedata) or the content-data-storage extdata. Certain other paths in the BOSS savedata can be used too.

BOSS Tasks

The TaskID is a 8-byte buffer containing a string including NUL-terminator(taskIDs are compared with: strncmp(str0, str1, 7)).

When disabling SpotPass, applications use BOSSU:CancelTask then BOSSU:UnregisterTask, to delete each task.

NsDataId

This is an u32 ID for SpotPass content, used with the NsData service commands etc.

NsDataHeaderInfo

When the input type is not one of the below or when the specified output size doesn't match the expected size for this type, an error is returned.

Type0

Total size is 0x8-bytes.

Offset Size Description
0x0 0x8 programID

Type1

Total size is 0x4-bytes.

Offset Size Description
0x0 0x4 ?

Type2

Total size is 0x4-bytes.

Offset Size Description
0x0 0x4 ?

Type3

Total size is 0x4-bytes.

Offset Size Description
0x0 0x4 Content size

Type4

Total size is 0x4-bytes.

Offset Size Description
0x0 0x4 ?

Type5

Total size is 0x4-bytes.

Offset Size Description
0x0 0x4 ?

Type6

Total size is 0x20-bytes.

Offset Size Description
0x0 0x8 programID. Same data as Type0.
0x8 0x4 Same data as Type1.
0xC 0x4 ?
0x10 0x4 Same data as Type3.
0x14 0xC ?

PropertyIDs

ID Size Description
0x0 0x1 Unknown. Usually 0x7D?
0x1 0x1 Unknown. Usually 0x1?
0x2 0x4 Unknown. Usually 0x0?
0x3 0x4 Interval in seconds.
0x4 0x4 Duration, ~1 = infinite. 0x1 can be used for running the task just once.
0x5 0x1 Unknown. Usually 0x2?
0x7 0x200 URL
0xC BOSSU:SendPropertyHandle is used for this. This property is only setup for HTTP uploads?
0xD 0x360 Contains additional HTTP headers to send in the request, otherwise this is all-zero. This is an array of 3 entries: +0x0 size 0x20 is the header name, and +0x20 size 0x100 is the header value. Example: header-name "Content-Type" at 0x0, with header-value "application/octet-stream" at offset 0x20.
0x35 0x2 u16 total_tasks. BOSSU:GetTaskIdList is used before reading this.
0x36 0x400 List of TaskIDs. BOSSU:GetTaskIdList is used before reading this.