BOSS Services
BOSS Service "boss:U"
| Command Header | Description |
|---|---|
| 0x00010082 | InitializeSession |
| 0x00020100 | SetStorageInfo |
| 0x00030000 | UnregisterStorage |
| 0x00040000 | GetTaskStorageInfo |
| 0x00050042 | ? |
| 0x00060084 | (u32 Size0, u32 Size1, ((Size0<<4) | 10), Buf0, ((Size1<<4) | 10), Buf1) This writes the content of the input buffers into files "bossdb:/%s_CL" and "bossdb:/%s_CLK", where "%s" is generated from the programID. |
| 0x00070000 | ? |
| 0x00080002 | Used for sending a handle. This is used with a table of programIDs etc with a maximum of 5 entries. |
| 0x00090040 | SetOptoutFlag |
| 0x000A0000 | GetOptoutFlag |
| 0x000B00C2 | RegisterTask |
| 0x000C0082 | UnregisterTask |
| 0x000D0082 | ReconfigureTask |
| 0x000E0000 | GetTaskIdList |
| 0x000F0042 | ? |
| 0x00100102 | GetNsDataIdList |
| 0x00110102 | ? |
| 0x00120102 | ? |
| 0x00130102 | ? |
| 0x00140082 | SendProperty |
| 0x00150042 | SendPropertyHandle |
| 0x00160082 | ReceiveProperty |
| 0x00170082 | ? |
| 0x00180082 | UpdateTaskCount |
| 0x00190042 | ? |
| 0x001A0042 | GetTaskCount |
| 0x001B0042 | GetTaskServiceStatus |
| 0x001C0042 | StartTask |
| 0x001D0042 | StartTaskImmediate |
| 0x001E0042 | CancelTask |
| 0x001F0000 | GetTaskFinishHandle |
| 0x00200082 | GetTaskState |
| 0x00210042 | GetTaskResult |
| 0x00220042 | ? |
| 0x002300C2 | GetTaskStatus |
| 0x00240082 | ? |
| 0x00250082 | ? |
| 0x00260040 | DeleteNsData |
| 0x002700C2 | GetNsDataHeaderInfo |
| 0x00280102 | ReadNsData |
| 0x00290080 | ? |
| 0x002A0040 | Unknown. Writes an output u32 to cmdreply[2]. |
| 0x002B0080 | SetNsDataNewFlag |
| 0x002C0040 | GetNsDataNewFlag |
| 0x002D0040 | unknown... |
| 0x002E0040 | GetErrorCode |
| 0x002F0140 | RegisterStorageEntry |
| 0x00300000 | unknown... |
| 0x00310100 | ? |
| 0x00320000 | ? |
| 0x00330042 | StartBgImmediate |
| 0x00340042 | GetTaskProperty0 |
| 0x003500C2 | RegisterImmediateTask |
| 0x00360084 | (u32 TaskID_Size, u32 BufSize, ((TaskID_Size<<4) | 10), TaskID_buf, ((BufSize<<4) | 10), Buf) BufSize must match 0x60. |
| 0x00370084 | (u32 TaskID_Size, u32 BufSize, ((TaskID_Size<<4) | 10), TaskID_buf, ((BufSize<<4) | 10), Buf) BufSize must match 0x60. |
Privileged BOSS Service "boss:P"
| Command Header | Description |
|---|---|
| 0x04010082 | InitializeSessionPrivileged |
| 0x04040080 | GetAppNewFlag |
| 0x040500C0 | unknown... |
| 0x040600C0 | unknown... |
| 0x04070080 | unknown... |
| 0x04090102 | unknown... |
| 0x040B0080 | unknown... |
| 0x040D0182 | unknown... |
| 0x04130082 | SendPropertyPrivileged |
| 0x041500C0 | DeleteNsDataPrivileged |
| 0x04160142 | GetNsDataHeaderInfoPrivileged |
| 0x04170182 | ReadNsDataPrivileged |
| 0x041A0100 | SetNsDataNewFlagPrivileged |
| 0x041B00C0 | GetNsDataNewFlagPrivileged |
| 0x041C00C0 | unknown... |
| 0x042E00C2 | unknown... |
| 0x042F00C2 | unknown... |
| 0x043000C2 | unknown... |
| 0x04490142 | unknown... |
| 0x044A0180 | unknown... |
| 0x044D0080 | unknown... |
| 0x04500102 | unknown... |
| 0x04540102 | unknown... |
| 0x045500C2 | unknown... |
| 0x04580104 | ? |
boss:P also contains all of the commands from boss:U.
When Home Menu loads the SpotPass CBMD with Extended_Banner, it uses bossP command 0x040D0182 first. Then it uses GetNsDataHeaderInfoPrivileged, then ReadNsDataPrivileged for loading the actual banner data.
BOSS Service "boss:M"
Content Data Storage
SpotPass content for each application is stored under the extdata specified by BOSS:SetStorageInfo. Certain commands verify that the PID associated with the current service session has access to the specified extdata by using FS:CheckAuthorityToAccessExtSaveData, returning an error on failure. This basically renders SpotPass unusable under user-processes(when initialized under those processes) which don't have access to any SD extdata(unless NAND extdata is used instead).
All of these commands using FS:CheckAuthorityToAccessExtSaveData are: BOSS:SetStorageInfo and RegisterStorageEntry, for both BOSSU and BOSSP.
Custom SpotPass content
SpotPass supports raw content download without using the encrypted+signed SpotPass container(raw content is used by Home Menu SpotPass VersionList for example). However, this is incompatible with the data-loading method used with SpotPass-container content(NsData commands can't be used with it).
When writing the raw content, it firsts deletes and creates the "<taskID>" file under the data-storage extdata with normal extdata(not the separate boss archive). Once successful, the final filename specified by the task config will be deleted if needed, then the "<taskID>" file will be renamed to the final filename. Afterwards, the user-process can access the final file just like any other extdata file.
For using custom content with the SpotPass container(like official titles), the only known ways to do so is: "CFW" / ARM11-kernelhax with the sigchecks for this patched, or some sort of BOSS-sysmodule exploit if there's any vulns to begin with.
HTTP upload
SpotPass tasks can be used for uploading data via HTTP POST. The exact method varies, but the main one is a raw POST.
The content data is loaded from the following path: snprintf(outpath, outpathsize, "%s/%s%02x.up", archivepath, taskidstr_probably, unk);
The archivepath can be either "bossdb:"(BOSS-sysmodule NAND savedata) or the content-data-storage extdata. Certain other paths in the BOSS savedata can be used too.
BOSS Tasks
The TaskID is a 8-byte buffer containing a string including NUL-terminator(taskIDs are compared with: strncmp(str0, str1, 7)).
When disabling SpotPass, applications use BOSSU:CancelTask then BOSSU:UnregisterTask, to delete each task.
Each process can only access tasks which it created, not other processes' tasks(even when using bossP with init_programID=0).
After registration, tasks will not automatically run until they are started using one of the start-task commands.
NsDataId
This is an u32 ID for SpotPass content, used with the NsData service commands etc.
NsDataHeaderInfo
When the input type is not one of the below or when the specified output size doesn't match the expected size for this type, an error is returned.
Type0
Total size is 0x8-bytes.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x8 | programID |
Type1
Total size is 0x4-bytes.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | ? |
Type2
Total size is 0x4-bytes.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | ? |
Type3
Total size is 0x4-bytes.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Content size |
Type4
Total size is 0x4-bytes.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | ? |
Type5
Total size is 0x4-bytes.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | ? |
Type6
Total size is 0x20-bytes.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x8 | programID. Same data as Type0. |
| 0x8 | 0x4 | Same data as Type1. |
| 0xC | 0x4 | ? |
| 0x10 | 0x4 | Same data as Type3. |
| 0x14 | 0xC | ? |
PropertyIDs
| ID | Size | Description |
|---|---|---|
| 0x0 | 0x1 | Unknown. Example values used by official titles: 0x7D, 0xAA, ... |
| 0x1 | 0x1 | Unknown. Usually 0x1? |
| 0x2 | 0x4 | Unknown. Usually 0x0? |
| 0x3 | 0x4 | Interval in seconds. |
| 0x4 | 0x4 | Duration(?), ~0 = infinite. 0x1 can be used for running the task just once. Usually set to 0x64(100). When not set to ~0 this is decreased by 1 each time the task runs(or at least when it fails). Task processing is skipped when the current state value is already 0x0. |
| 0x5 | 0x1 | Unknown. Usually 0x2? |
| 0x7 | 0x200 | URL |
| 0xC | BOSSU:SendPropertyHandle is used for this. This property is only setup for HTTP uploads? | |
| 0xD | 0x360 | Contains additional HTTP headers to send in the request, otherwise this is all-zero. This is an array of 3 entries: +0x0 size 0x20 is the header name, and +0x20 size 0x100 is the header value. Example: header-name "Content-Type" at 0x0, with header-value "application/octet-stream" at offset 0x20. |
| 0xE | 0x4 | This u32 is passed directly as an u32 certID for HTTPC:SetClientCertDefault(without masking to u8), even when this field is set to 0. |
| 0xF | 0xC | 3 words. Last word is unknown, normally 0(non-zero doesn't seem to affect any HTTPC commands). HTTPC:AddDefaultCert is called twice for each of the first two words which are used as certIDs(not masked to u8). |
| 0x35 | 0x2 | u16 total_tasks. BOSSU:GetTaskIdList is used before reading this. |
| 0x36 | 0x400 | List of TaskIDs. BOSSU:GetTaskIdList is used before reading this. |
TaskStatus
| Value | Description |
|---|---|
| 0x0 | Last task run was successful? |
| 0x2 | Task started. |
| 0x5 | Task not started(also the initial state immediately after task creation). |
| 0x6 | Unknown |
| 0x7 | Task processing failed(such as network error). |
This u8 is returned by BOSSU:GetTaskState.
Errors
| Error-code | Description |
|---|---|
| 0xC8A0F833 | taskID not found. |