BOSS Services

BOSS Service “boss:U” #

| Command Header | Description |
| --- | --- |
| 0x00010082 | InitializeSession |
| 0x00020100 | SetStorageInfo |
| 0x00030000 | UnregisterStorage |
| 0x00040000 | GetStorageInfo |
| 0x00050042 | RegisterPrivateRootCa |
| 0x00060084 | RegisterPrivateClientCert (u32 Size0, u32 Size1, ((Size0<<4) \| 10), Buf0, ((Size1<<4) \| 10), Buf1). This writes the content of the input buffers into files “bossdb:/%s_CL” and “bossdb:/%s_CLK”, where “%s” is generated from the programID. |
| 0x00070000 | GetNewArrivalFlag |
| 0x00080002 | RegisterNewArrivalEvent: Used for sending a handle. This is used with a table of programIDs etc with a maximum of 5 entries. |
| 0x00090040 | SetOptoutFlag |
| 0x000A0000 | GetOptoutFlag |
| 0x000B00C2 | RegisterTask |
| 0x000C0082 | UnregisterTask |
| 0x000D0082 | ReconfigureTask |
| 0x000E0000 | GetTaskIdList |
| 0x000F0042 | GetStepIdList |
| 0x00100102 | GetNsDataIdList |
| 0x00110102 | GetNsDataIdList1 |
| 0x00120102 | GetNsDataIdList2 |
| 0x00130102 | GetNsDataIdList3 |
| 0x00140082 | SendProperty |
| 0x00150042 | SendPropertyHandle |
| 0x00160082 | ReceiveProperty |
| 0x00170082 | UpdateTaskInterval |
| 0x00180082 | UpdateTaskCount |
| 0x00190042 | GetTaskInterval |
| 0x001A0042 | GetTaskCount |
| 0x001B0042 | GetTaskServiceStatus |
| 0x001C0042 | StartTask |
| 0x001D0042 | StartTaskImmediate |
| 0x001E0042 | CancelTask |
| 0x001F0000 | GetTaskFinishHandle |
| 0x00200082 | GetTaskState |
| 0x00210042 | GetTaskResult |
| 0x00220042 | GetTaskCommErrorCode |
| 0x002300C2 | GetTaskStatus |
| 0x00240082 | GetTaskError |
| 0x00250082 | GetTaskInfo |
| 0x00260040 | DeleteNsData |
| 0x002700C2 | GetNsDataHeaderInfo |
| 0x00280102 | ReadNsData |
| 0x00290080 | SetNsDataAdditionalInfo |
| 0x002A0040 | GetNsDataAdditionalInfo. Writes an output u32 to cmdreply[2]. |
| 0x002B0080 | SetNsDataNewFlag |
| 0x002C0040 | GetNsDataNewFlag |
| 0x002D0040 | GetNsDataLastUpdate (u32 NsDataId). Writes an output u64 to cmdreply[2-3], from the content file in extdata. |
| 0x002E0040 | GetErrorCode |
| 0x002F0140 | RegisterStorageEntry |
| 0x00300000 | GetStorageEntryInfo |
| 0x00310100 | SetStorageOption |
| 0x00320000 | GetStorageOption |
| 0x00330042 | StartBgImmediate |
| 0x00340042 | GetTaskProperty0 |
| 0x003500C2 | RegisterImmediateTask |
| 0x00360084 | SetTaskQuery (u32 TaskID_Size, u32 BufSize, ((TaskID_Size<<4) \| 10), TaskID_buf, ((BufSize<<4) \| 10), Buf). BufSize must match 0x60. |
| 0x00370084 | GetTaskQuery (u32 TaskID_Size, u32 BufSize, ((TaskID_Size<<4) \| 10), TaskID_buf, ((BufSize<<4) \| 10), Buf). BufSize must match 0x60. |
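
How to read the command headers in this table, as an added example that is not part of the original page or of any BOSS code: it splits a header into command ID and parameter word counts, then checks a SetTaskQuery / GetTaskQuery request against the layout given above. The header bit layout is the general 3DS IPC one and is an assumption here, as are all function and enum names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of a 3DS IPC command header word (general IPC layout, assumed here). */
typedef struct {
    uint16_t command_id;      /* bits 31..16 */
    unsigned normal_words;    /* bits 11..6: plain parameter words */
    unsigned translate_words; /* bits 5..0: descriptor/address words */
} ipc_header;

ipc_header ipc_decode_header(uint32_t word) {
    ipc_header h;
    h.command_id      = (uint16_t)(word >> 16);
    h.normal_words    = (word >> 6) & 0x3Fu;
    h.translate_words = word & 0x3Fu;
    return h;
}

/* Request length in words: header + normal + translate parameters. */
size_t ipc_request_words(uint32_t word) {
    ipc_header h = ipc_decode_header(word);
    return 1u + h.normal_words + h.translate_words;
}

/* Buffer descriptor exactly as written in the table: (size << 4) | 10. */
uint32_t boss_buf_desc(uint32_t size) { return (size << 4) | 10u; }

enum { QUERY_OK = 0, QUERY_BAD_HEADER, QUERY_BAD_LENGTH,
       QUERY_BAD_DESC, QUERY_BAD_BUFSIZE };

/* Hypothetical service-side check of a SetTaskQuery / GetTaskQuery request.
 * cmdbuf[4] and cmdbuf[6] hold buffer addresses and are not interpreted. */
int boss_check_task_query(const uint32_t *cmdbuf, size_t nwords) {
    if (nwords < 1) return QUERY_BAD_LENGTH;
    if (cmdbuf[0] != 0x00360084u && cmdbuf[0] != 0x00370084u)
        return QUERY_BAD_HEADER;
    if (nwords != ipc_request_words(cmdbuf[0])) return QUERY_BAD_LENGTH;
    uint32_t task_id_size = cmdbuf[1];
    uint32_t buf_size     = cmdbuf[2];
    if (cmdbuf[3] != boss_buf_desc(task_id_size)) return QUERY_BAD_DESC;
    if (cmdbuf[5] != boss_buf_desc(buf_size))     return QUERY_BAD_DESC;
    if (buf_size != 0x60u) return QUERY_BAD_BUFSIZE; /* per the table */
    return QUERY_OK;
}

int main(void) {
    printf("0x04170182 is %zu words long\n", ipc_request_words(0x04170182u));
    return 0;
}
```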

Privileged BOSS Service “boss:P” #

| Command Header | Description |
| --- | --- |
| 0x04010082 | InitializeSessionPrivileged |
| 0x04040080 | GetAppNewFlag |
| 0x040500C0 | unknown… |
| 0x040600C0 | unknown… |
| 0x04070080 | unknown… |
| 0x04090102 | unknown… |
| 0x040B0080 | unknown… |
| 0x040D0182 | GetNsDataIdListPrivileged |
| 0x040E0182 | GetNsDataIdListPrivileged1 |
| 0x04130082 | SendPropertyPrivileged |
| 0x041500C0 | DeleteNsDataPrivileged |
| 0x04160142 | GetNsDataHeaderInfoPrivileged |
| 0x04170182 | ReadNsDataPrivileged |
| 0x041A0100 | SetNsDataNewFlagPrivileged |
| 0x041B00C0 | GetNsDataNewFlagPrivileged |
| 0x041C00C0 | unknown… |
| 0x042E00C2 | unknown… |
| 0x042F00C2 | unknown… |
| 0x043000C2 | unknown… |
| 0x04490142 | unknown… |
| 0x044A0180 | unknown… |
| 0x044D0080 | unknown… |
| 0x04500102 | unknown… |
| 0x04540102 | unknown… |
| 0x045500C2 | unknown… |
| 0x04580104 | ? |

boss:P also contains all of the commands from boss:U.

When Home Menu loads the SpotPass CBMD with Extended_Banner, it uses bossP command 0x040D0182 first. Then it uses GetNsDataHeaderInfoPrivileged, then ReadNsDataPrivileged for loading the actual banner data.

BOSS Service “boss:M” #

programIDs #

BOSS uses programIDs raw, without any handling for the New3DS programID-low bitmask. For example, attempting an NsDataId listing with the New3DS bitmask set will fail if BOSS is only set up for that programID with the New3DS bitmask clear.

When initializing BOSS with the default programID, the New3DS programID-low bitmask is always clear for New3DS titles, since that’s how it was originally registered with FS. Hence, the programID in the BOSS-container must always have the New3DS bitmask clear. This also means everything using the BOSSP commands with the raw programIDs loaded from AM title-listing is broken with New3DS titles, for example Extended_Banner.

Content Data Storage #

SpotPass content for each application is stored under the extdata specified by BOSS:SetStorageInfo. Certain commands verify that the PID associated with the current service session has access to the specified extdata by using FS:CheckAuthorityToAccessExtSaveData, returning an error on failure. This basically renders SpotPass unusable under user-processes (when initialized under those processes) which don’t have access to any SD extdata (unless NAND extdata is used instead).

The commands using FS:CheckAuthorityToAccessExtSaveData are: BOSS:SetStorageInfo and RegisterStorageEntry, for both BOSSU and BOSSP.

BOSS-container content is stored in the extdata registered for the programID specified in the BOSS-container. Which task it’s associated with and which title registered it are irrelevant to BOSS-container data storage.

Custom SpotPass content #

SpotPass supports raw content download without using the encrypted+signed SpotPass container (raw content is used by Home Menu SpotPass VersionList, for example). However, this is incompatible with the data-loading method used with SpotPass-container content (NsData commands can’t be used with it).

When writing the raw content, it first deletes and creates the <taskID> file under the data-storage extdata with normal extdata (not the separate boss archive). Once successful, the final filename specified by the task config will be deleted if needed, then the <taskID> file will be renamed to the final filename. Afterwards, the user-process can access the final file just like any other extdata file.

For using custom content with the SpotPass container (like official titles), the only known ways to do so are: “CFW” / ARM11-kernelhax with the sigchecks for this patched, or some sort of BOSS-sysmodule exploit if there are any vulns to begin with.

HTTP upload #

SpotPass tasks can be used for uploading data via HTTP POST. The exact method varies, but the main one is a raw POST.

The content data is loaded from the following path: snprintf(outpath, outpathsize, "%s/%s%02x.up", archivepath, taskidstr_probably, unk);

The archivepath can be either “bossdb:” (BOSS-sysmodule NAND savedata) or the content-data-storage extdata. Certain other paths in the BOSS savedata can be used too.

BOSS Tasks #

The TaskID is an 8-byte buffer containing a string including NUL-terminator (taskIDs are compared with: strncmp(str0, str1, 7)).

When disabling SpotPass, applications use BOSSU:CancelTask then BOSSU:UnregisterTask to delete each task.

Each process can only access tasks which it created, not other processes’ tasks (even when using bossP with init_programID=0).

After registration, tasks will not automatically run until they are started using one of the start-task commands.

NsDataId #

This is a u32 ID for SpotPass content, used with the NsData service commands etc.

NsDataHeaderInfo #

When the input type is not one of the below or when the specified output size doesn’t match the expected size for this type, an error is returned.

Type0 #

Total size is 0x8-bytes.

| Offset | Size | Description |
| --- | --- | --- |
| 0x0 | 0x8 | programID |

Type1 #

Total size is 0x4-bytes.

| Offset | Size | Description |
| --- | --- | --- |
| 0x0 | 0x4 | ? |

Type2 #

Total size is 0x4-bytes.

| Offset | Size | Description |
| --- | --- | --- |
| 0x0 | 0x4 | Content data-type, originally from the BOSS-container. |

Type3 #

Total size is 0x4-bytes.

| Offset | Size | Description |
| --- | --- | --- |
| 0x0 | 0x4 | Content size |

Type4 #

Total size is 0x4-bytes.

| Offset | Size | Description |
| --- | --- | --- |
| 0x0 | 0x4 | ? |

Type5 #

Total size is 0x4-bytes.

| Offset | Size | Description |
| --- | --- | --- |
| 0x0 | 0x4 | ? |

Type6 #

Total size is 0x20-bytes.

| Offset | Size | Description |
| --- | --- | --- |
| 0x0 | 0x8 | programID. Same data as Type0. |
| 0x8 | 0x4 | Same data as Type1. |
| 0xC | 0x4 | ? |
| 0x10 | 0x4 | Same data as Type3. |
| 0x14 | 0xC | ? |
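
The type/size rule and the Type6 layout above, written out as an added example (not code from the original page or from the BOSS sysmodule). Struct, field and function names are hypothetical, and little-endian byte order is assumed because the 3DS CPUs are little-endian.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Output size each NsDataHeaderInfo type requires; 0 means "not a valid type". */
size_t nsdata_header_size(uint32_t type) {
    if (type == 0) return 0x8;
    if (type >= 1 && type <= 5) return 0x4;
    if (type == 6) return 0x20;
    return 0;
}

/* Documented rule: an unlisted type or a mismatched output size is an error. */
int nsdata_request_ok(uint32_t type, size_t out_size) {
    size_t want = nsdata_header_size(type);
    return want != 0 && want == out_size;
}

/* Type6 record, field offsets taken from the table above. */
typedef struct {
    uint64_t program_id;      /* +0x00, same data as Type0 */
    uint32_t type1_value;     /* +0x08, same data as Type1 */
    uint32_t unknown_0c;      /* +0x0C */
    uint32_t content_size;    /* +0x10, same data as Type3 */
    uint8_t  unknown_14[0xC]; /* +0x14 */
} nsdata_type6;

/* Little-endian read of n bytes (n <= 8). */
static uint64_t rd_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Returns 0 on success, -1 when the buffer is not exactly a Type6 record. */
int nsdata_parse_type6(const uint8_t *buf, size_t len, nsdata_type6 *out) {
    if (!nsdata_request_ok(6, len)) return -1;
    out->program_id   = rd_le(buf + 0x00, 8);
    out->type1_value  = (uint32_t)rd_le(buf + 0x08, 4);
    out->unknown_0c   = (uint32_t)rd_le(buf + 0x0C, 4);
    out->content_size = (uint32_t)rd_le(buf + 0x10, 4);
    memcpy(out->unknown_14, buf + 0x14, sizeof out->unknown_14);
    return 0;
}

int main(void) {
    printf("Type6 needs 0x%zx bytes\n", nsdata_header_size(6));
    return 0;
}
```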

PropertyIDs #

| ID | Size | Description |
| --- | --- | --- |
| 0x0 | 0x1 | Unknown. Example values used by official titles: 0x7D, 0xAA, … |
| 0x1 | 0x1 | Unknown. Usually 0x1? |
| 0x2 | 0x4 | Unknown. Usually 0x0? |
| 0x3 | 0x4 | Interval in seconds. |
| 0x4 | 0x4 | Duration(?), ~0 = infinite. 0x1 can be used for running the task just once. Usually set to 0x64 (100). When not set to ~0 this is decreased by 1 each time the task runs (or at least when it fails). Task processing is skipped when the current state value is already 0x0. |
| 0x5 | 0x1 | Unknown. Usually 0x2? |
| 0x6 | 0x1 | ? |
| 0x7 | 0x200 | URL |
| 0x8 | 0x4 | ? |
| 0x9 | 0x1 | ? |
| 0xA | 0x100 | ? |
| 0xB | 0x200 | ? |
| 0xC | | BOSSU:SendPropertyHandle is used for this. This property is only setup for HTTP uploads? This can be used with BOSSU:SendProperty too but that’s not the intended use. |
| 0xD | 0x360 | Contains additional HTTP headers to send in the request, otherwise this is all-zero. This is an array of 3 entries: +0x0 size 0x20 is the header name, and +0x20 size 0x100 is the header value. Example: header-name “Content-Type” at 0x0, with header-value “application/octet-stream” at offset 0x20. |
| 0xE | 0x4 | This u32 is passed directly as an u32 certID for HTTPC:SetClientCertDefault (without masking to u8), even when this field is set to 0. |
| 0xF | 0xC | 3 words. Last word is unknown, normally 0 (non-zero doesn’t seem to affect any HTTPC commands). HTTPC:AddDefaultCert is called twice for each of the first two words which are used as certIDs (not masked to u8). |
| 0x10 | 0x1 | When non-zero this enables loading the client cert+privk from FS, requires the filepaths to be actually set. |
| 0x11 | 0x1 | When non-zero this enables loading a trusted rootCA cert DER from FS, requires the filepath to be actually set. |
| 0x12 | 0x1 | ? |
| 0x13 | 0x4 | ? |
| 0x14 | 0x4 | ? |
| 0x15 | 0x40 | ? |
| 0x16 | 0x4 | ? |
| 0x18 | 0x1 | ? |
| 0x19 | 0x1 | ? |
| 0x1A | 0x1 | ? |
| 0x1B | 0x4 | ? |
| 0x1C | 0x4 | ? |
| 0x35 | 0x2 | u16 total_tasks. BOSSU:GetTaskIdList is used before reading this. |
| 0x36 | 0x400 | List of TaskIDs. BOSSU:GetTaskIdList is used before reading this. |
| 0x3B | 0x4 | ? |
| 0x3E | 0x200 | ? |
| 0x3F | 0x1 | ? |

The only valid PropertyIDs for BOSSU:SendProperty are the ones listed above, except 0x35 and 0x36. If the specified size for the command is larger than the property size, it will use the actual property size instead. When the specified size is less than the actual property size, all of the property data that won’t be written to is cleared.
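
The PropertyID 0xD layout and the SendProperty size rule described above, modelled as an added example that is not part of the original page or of the BOSS sysmodule. All type and function names are hypothetical, and keeping a NUL terminator inside each header field is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HDR_NAME_SIZE = 0x20, HDR_VALUE_SIZE = 0x100, HDR_SLOTS = 3 };

/* PropertyID 0xD: 3 entries, name at +0x0 and value at +0x20 of each entry. */
typedef struct {
    char name[HDR_NAME_SIZE];
    char value[HDR_VALUE_SIZE];
} boss_http_header;

typedef struct { boss_http_header slot[HDR_SLOTS]; } boss_prop_0d;
_Static_assert(sizeof(boss_prop_0d) == 0x360, "PropertyID 0xD is 0x360 bytes");

/* Fill one slot, rejecting strings that would not fit with a terminator
 * (assumption of this example). Unused bytes of the slot stay zero. */
int boss_set_header(boss_prop_0d *p, unsigned slot,
                    const char *name, const char *value) {
    size_t nlen = strlen(name), vlen = strlen(value);
    if (slot >= (unsigned)HDR_SLOTS || nlen == 0) return -1;
    if (nlen >= HDR_NAME_SIZE || vlen >= HDR_VALUE_SIZE) return -1;
    memset(&p->slot[slot], 0, sizeof p->slot[slot]);
    memcpy(p->slot[slot].name, name, nlen);
    memcpy(p->slot[slot].value, value, vlen);
    return 0;
}

/* Model of the SendProperty size rule: an oversized write is clamped to the
 * property size, an undersized one clears the bytes it does not cover. */
size_t boss_store_property(uint8_t *prop, size_t prop_size,
                           const uint8_t *in, size_t in_size) {
    size_t n = in_size > prop_size ? prop_size : in_size;
    memcpy(prop, in, n);
    memset(prop + n, 0, prop_size - n);
    return n; /* bytes actually taken from the caller */
}

int main(void) {
    boss_prop_0d p;
    memset(&p, 0, sizeof p);
    boss_set_header(&p, 0, "Content-Type", "application/octet-stream");
    printf("%s: %s\n", p.slot[0].name, p.slot[0].value);
    return 0;
}
```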

TaskStatus #

| Value | Description |
| --- | --- |
| 0x0 | Last task run was successful? |
| 0x2 | Task started. |
| 0x5 | Task not started (also the initial state immediately after task creation). |
| 0x6 | Unknown |
| 0x7 | Task processing failed (such as network error). |

This u8 is returned by BOSSU:GetTaskState.

Errors #

| Error-code | Description |
| --- | --- |
| 0xC8A0F833 | taskID not found. |
| 0xC8A0F836 | taskID already exists, for task creation. |
| 0xC8A0F842 | The specified programID is not setup for BOSS. |
| 0xC8A0F843 | The specified NsDataId was not found. |