BOSS Service "boss:U"
Command Header | Description |
---|---|
0x00010082 | InitializeSession |
0x00020100 | SetStorageInfo |
0x00030000 | UnregisterStorage |
0x00040000 | GetTaskStorageInfo |
0x00050042 | ? |
0x00060084 | This writes the content of the input buffers into files "bossdb:/%s_CL" and "bossdb:/%s_CLK", where "%s" is generated from the programID. |
0x00070000 | ? |
0x00080002 | Used for sending a handle. This is used with a table of programIDs etc with a maximum of 5 entries. |
0x00090040 | SetOptoutFlag |
0x000A0000 | GetOptoutFlag |
0x000B00C2 | RegisterTask |
0x000C0082 | UnregisterTask |
0x000D0082 | ReconfigureTask |
0x000E0000 | GetTaskIdList |
0x000F0042 | ? |
0x00100102 | GetNsDataIdList |
0x00110102 | ? |
0x00120102 | ? |
0x00130102 | ? |
0x00140082 | SendProperty |
0x00150042 | SendPropertyHandle |
0x00160082 | ReceiveProperty |
0x00170082 | ? |
0x00180082 | UpdateTaskCount |
0x00190042 | ? |
0x001A0042 | GetTaskCount |
0x001B0042 | GetTaskServiceStatus |
0x001C0042 | StartTask |
0x001D0042 | StartTaskImmediate |
0x001E0042 | CancelTask |
0x001F0000 | GetTaskFinishHandle |
0x00200082 | GetTaskState |
0x00210042 | GetTaskResult |
0x00220042 | ? |
0x002300C2 | GetTaskStatus |
0x00240082 | ? |
0x00250082 | ? |
0x00260040 | DeleteNsData |
0x002700C2 | GetNsDataHeaderInfo |
0x00280102 | ReadNsData |
0x00290080 | ? |
0x002A0040 | Unknown. Writes an output u32 to cmdreply[2]. |
0x002B0080 | SetNsDataNewFlag |
0x002C0040 | GetNsDataNewFlag |
0x002D0040 | unknown... |
0x002E0040 | GetErrorCode |
0x002F0140 | RegisterStorageEntry |
0x00300000 | unknown... |
0x00310100 | ? |
0x00320000 | ? |
0x00330042 | StartBgImmediate |
0x00340042 | ? |
0x003500C2 | RegisterImmediateTask |
0x00360084 | unknown... |
0x00370084 | ? |
Privileged BOSS Service "boss:P"
Command Header | Description |
---|---|
0x04010082 | InitializeSessionPrivileged |
0x04040080 | GetAppNewFlag |
0x040500C0 | unknown... |
0x040600C0 | unknown... |
0x04070080 | unknown... |
0x04090102 | unknown... |
0x040B0080 | unknown... |
0x040D0182 | unknown... |
0x04130082 | SendPropertyPrivileged |
0x041500C0 | DeleteNsDataPrivileged |
0x04160142 | GetNsDataHeaderInfoPrivileged |
0x04170182 | ReadNsDataPrivileged |
0x041A0100 | SetNsDataNewFlagPrivileged |
0x041B00C0 | GetNsDataNewFlagPrivileged |
0x041C00C0 | unknown... |
0x042E00C2 | unknown... |
0x042F00C2 | unknown... |
0x043000C2 | unknown... |
0x04490142 | unknown... |
0x044A0180 | unknown... |
0x044D0080 | unknown... |
0x04500102 | unknown... |
0x04540102 | unknown... |
0x045500C2 | unknown... |
0x04580104 | ? |
boss:P also contains all of the commands from boss:U.
When Home Menu loads the SpotPass CBMD with Extended_Banner, it uses bossP command 0x040D0182 first. Then it uses GetNsDataHeaderInfoPrivileged, then ReadNsDataPrivileged for loading the actual banner data.
BOSS Service "boss:M"
Content Data Storage
SpotPass content for each application is stored under the extdata specified by BOSS:SetStorageInfo. Certain commands verify that the PID associated with the current service session has access to the specified extdata by using FS:CheckAuthorityToAccessExtSaveData, returning an error on failure. This basically renders SpotPass unusable under user-processes(when initialized under those processes) which don't have access to any SD extdata(unless NAND extdata is used instead).
All of these commands using FS:CheckAuthorityToAccessExtSaveData are: BOSS:SetStorageInfo and RegisterStorageEntry, for both BOSSU and BOSSP.
Custom SpotPass content
All data downloaded with SpotPass must use the signed+encrypted BOSS container. There doesn't seem to be any way to write to the SpotPass data stored in extdata via service commands either.
Therefore, the only known ways to use custom SpotPass content(homebrew usage etc) is: "CFW" / ARM11-kernelhax with the sigchecks for this patched, or some sort of BOSS-sysmodule exploit if there's any vulns to begin with.
HTTP upload
SpotPass tasks can be used for uploading data via HTTP POST. The exact method varies, but the main one is a raw POST.
The content data is loaded from the following path: snprintf(outpath, outpathsize, "%s/%s%02x.up", archivepath, taskidstr_probably, unk);
The archivepath can be either "bossdb:"(BOSS-sysmodule NAND savedata) or the content-data-storage extdata. Certain other paths in the BOSS savedata can be used too.
BOSS Tasks
The TaskID is a 8-byte buffer containing a string including NUL-terminator(taskIDs are compared with: strncmp(str0, str1, 7)).
When disabling SpotPass, applications use BOSSU:CancelTask then BOSSU:UnregisterTask, to delete each task.
NsDataId
This is an u32 ID for SpotPass content, used with the NsData service commands etc.
NsDataHeaderInfo
When the input type is not one of the below or when the specified output size doesn't match the expected size for this type, an error is returned.
Type0
Total size is 0x8-bytes.
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | programID |
Type1
Total size is 0x4-bytes.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | ? |
Type2
Total size is 0x4-bytes.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | ? |
Type3
Total size is 0x4-bytes.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Content size |
Type4
Total size is 0x4-bytes.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | ? |
Type5
Total size is 0x4-bytes.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | ? |
Type6
Total size is 0x20-bytes.
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | programID. Same data as Type0. |
0x8 | 0x4 | Same data as Type1. |
0xC | 0x4 | ? |
0x10 | 0x4 | Same data as Type3. |
0x14 | 0xC | ? |
PropertyIDs
ID | Size | Description |
---|---|---|
0x0 | 0x1 | Unknown. Usually 0x7D? |
0x1 | 0x1 | Unknown. Usually 0x1? |
0x2 | 0x4 | Unknown. Usually 0x0? |
0x3 | 0x4 | Interval in seconds. |
0x4 | 0x4 | Duration, ~1 = infinite. 0x1 can be used for running the task just once. |
0x5 | 0x1 | Unknown. Usually 0x2? |
0x7 | 0x200 | URL |
0xC | BOSSU:SendPropertyHandle is used for this. This property is only setup for HTTP uploads? | |
0xD | 0x360 | Contains additional HTTP headers to send in the request, otherwise this is all-zero. This is an array of 3 entries: +0x0 size 0x20 is the header name, and +0x20 size 0x100 is the header value. Example: header-name "Content-Type" at 0x0, with header-value "application/octet-stream" at offset 0x20. |
0x35 | 0x2 | u16 total_tasks. BOSSU:GetTaskIdList is used before reading this. |
0x36 | 0x400 | List of TaskIDs. BOSSU:GetTaskIdList is used before reading this. |