From Nintendo Switch Brew
Jump to: navigation, search

System calls

Id Name In Out
0x1 #svcSetHeapSize W1=size W0=result, X1=outaddr
0x2 #svcSetMemoryPermission X0=addr, X1=size, W2=prot W0=result
0x3 #svcSetMemoryAttribute X0=addr, X1=size, W2=state0, W3=state1 W0=result
0x4 #svcMapMemory X0=dstaddr, X1=srcaddr, X2=size W0=result
0x5 #svcUnmapMemory X0=dstaddr, X1=srcaddr, X2=size W0=result
0x6 svcQueryMemory X0=meminfo_ptr, X2=addr W0=result, W1=pageinfo
0x7 svcExitProcess None
0x8 #svcCreateThread X1=entry, X2=arg, X3=stacktop, W4=prio, W5=processor_id W0=result, W1=handle
0x9 svcStartThread W0=thread_handle W0=result
0xA svcExitThread None
0xB #svcSleepThread X0=nano W0=result
0xC svcGetThreadPriority W1=thread_handle W0=result, W1=prio
0xD svcSetThreadPriority W0=thread_handle, W1=prio W0=result
0xE svcGetThreadCoreMask W2=thread_handle W0=result, W1=out, X2=out
0xF svcSetThreadCoreMask W0=thread_handle, W1=in, X2=in2 W0=result
0x10 svcGetCurrentProcessorNumber None W0/X0=cpuid
0x11 svcSignalEvent W0=wevent_handle W0=result
0x12 svcClearEvent W0=wevent_or_revent_handle W0=result
0x13 #svcMapSharedMemory W0=memblk_handle, X1=addr, X2=size, W3=perm W0=result
0x14 svcUnmapSharedMemory W0=memblk_handle, X1=addr, X2=size W0=result
0x15 #svcCreateTransferMemory X1=addr, X2=size, W3=perm W0=result, W1=handle
0x16 svcCloseHandle W0=handle W0=result
0x17 svcResetSignal W0=handle W0=result
0x18 #svcWaitSynchronization X1=handles_ptr, W2=num_handles. X3=timeout W0=result, W1=handle_idx
0x19 svcCancelSynchronization W0=handle W0=result
0x1A svcArbitrateLock W0=cur_thread_handle, X1=ptr, W2=req_thread_handle
0x1B svcArbitrateUnlock X0=ptr
0x1C svcWaitProcessWideKeyAtomic X0=ptr0, X1=ptr, W2=thread_handle, X3=timeout W0=result
0x1D svcSignalProcessWideKey X0=ptr, W1=value W0=result
0x1E svcGetSystemTick X0={value of cntpct_el0}
0x1F svcConnectToNamedPort X1=port_name_str W0=result, W1=handle
0x20 svcSendSyncRequestLight
0x21 svcSendSyncRequest X0=handle W0=result
0x22 #svcSendSyncRequestWithUserBuffer X0=cmdbufptr, X1=size, X2=handle W0=result
0x23 svcSendAsyncRequestWithUserBuffer
0x24 svcGetProcessId
0x25 svcGetThreadId W0=thread_handle W0=result, X1=out
0x26 svcBreak X0,X1,X2=info  ?
0x27 svcOutputDebugString X0=str, X1=size
0x28 svcReturnFromException X0=result
0x29 #svcGetInfo X1=info_id, X2=handle, X3=info_sub_id W0=result, X1=out
0x2A svcFlushEntireDataCache
0x2B svcFlushDataCache
0x2C [ 3.0.0+ ] svcMapPhysicalMemory
0x2D [ 3.0.0+ ] svcUnmapPhysicalMemory
....  ?  ?  ?
0x2F svcGetLastThreadInfo
0x30 svcGetResourceLimitLimitValue
0x31 svcGetResourceLimitCurrentValue
0x32 svcSetThreadActivity
0x33 svcGetThreadContext3
0x3C svcDumpInfo
0x40 svcCreateSession W2=?, X3=? W0=result, W1=client_handle, W2=server_handle
0x41 svcAcceptSession W1=port_handle W0=result, W1=session_handle
0x42 svcReplyAndReceiveLight
0x43 svcReplyAndReceive X1=ptr_handles, W2=num_handles, X3=?, X4=timeout W0=result, W1=handle_idx
0x44 svcReplyAndReceiveWithUserBuffer X1=buf, X2=sz, X3=ptr_handles, W4=num_handles, X5=?, X6=timeout W0=result, W1=handle_idx
0x45 svcCreateEvent None W0=result, W1=client_handle ?, W2=server_handle ?
0x4D svcSleepSystem
0x4E #svcReadWriteRegister X1=reg_addr, W2=rw_mask, W3=in_val W0=result, W1=out_val
0x4F svcSetProcessActivity
0x50 #svcCreateSharedMemory W1=size?, W2=myperm, W3=otherperm W0=result, W1=handle
0x51 #svcMapTransferMemory X0=mirror_handle, X1=addr, X2=size, W3=perm W0=result
0x52 #svcUnmapTransferMemory W0=mirror_handle, X1=addr, X2=size W0=result
0x53 svcCreateInterruptEvent X1=irq_id, W2=flag W0=result, W1=handle
0x54 #svcQueryPhysicalAddress
0x55 #svcQueryIoMapping X0=physaddr, X1=size X0=virtaddr
0x56 svcCreateDeviceAddressSpace X1=dev_addr, X2=dev_size W0=result, W1=handle
0x57 #svcAttachDeviceAddressSpace W0=device, X1=handle W0=result
0x58 #svcDetachDeviceAddressSpace W0=device, X1=handle W0=result
0x59 svcMapDeviceAddressSpaceByForce W0=handle, W1=proc_handle, X2=dev_addr, X3=dev_size, X4=map_addr, W5=perm W0=result
0x5A svcMapDeviceAddressSpaceAligned W0=handle, W1=proc_handle, X2=dev_addr, X3=dev_size, X4=map_addr, W5=perm W0=result
0x5B svcMapDeviceAddressSpace
0x5C svcUnmapDeviceAddressSpace W0=handle, W1=proc_handle, X2=map_addr, X3=map_size, W4=perm W0=result
0x5D svcInvalidateProcessDataCache
0x5E svcStoreProcessDataCache
0x5F svcFlushProcessDataCache
0x60 svcDebugActiveProcess
0x61 svcBreakDebugProcess
0x62 svcTerminateDebugProcess
0x63 svcGetDebugEvent
0x64 svcContinueDebugEvent
0x65 svcGetProcessList
0x66 svcGetThreadList
0x67 svcGetDebugThreadContext
0x68 svcSetDebugThreadContext
0x69 svcQueryDebugProcessMemory
0x6A svcReadDebugProcessMemory
0x6B svcWriteDebugProcessMemory
0x6C svcSetHardwareBreakPoint
0x6D svcGetDebugThreadParam
0x70 svcCreatePort
0x71 svcManageNamedPort
0x72 svcConnectToPort
0x73 svcSetProcessMemoryPermission
0x74 svcMapProcessMemory X0=srcaddr, W1=process_handle, X2=dstaddr, X3=size W0=result
0x75 svcUnmapProcessMemory W0=process_handle, X1=dstaddr, X2=srcaddr, X3=size W0=result
0x76 svcQueryProcessMemory
0x77 svcMapProcessCodeMemory W0=process_handle, X2=dstaddr, X2=srcaddr, X3=size W0=result
0x78 svcUnmapProcessCodeMemory W0=process_handle, X1=dstaddr, X2=srcaddr, X3=size W0=result
0x79 #svcCreateProcess X1=procinfo_ptr, X2=caps_ptr, W3=cap_num W0=result, W1=process_handle
0x7A svcStartProcess W0=proc_handle, W1=main_thread_prio, W2=default_cpuid, W3=main_thread_stacksz W0=result
0x7B svcTerminateProcess
0x7C svcGetProcessInfo
0x7D svcCreateResourceLimit
0x7E svcSetResourceLimitLimitValue
0x7F svcCallSecureMonitor


Description: Set the process heap to a given size. It can both extend and shrink the heap.

Size must be a multiple of 0x2000000.

On success, the heap base-address (which is fixed by kernel, aslr'd) is written to outaddr.


Description: Change permission of page-aligned memory region.

Bit2 of permission (exec) is not allowed. Setting write-only is not allowed either (bit1).

This can be used to move back and forth between ---, r-- and rw-.


Description: Change attribute of page-aligned memory region.

This is used to turn on/off caching for a given memory area. Useful when talking to devices such as the GPU.

State0 State1 Action
0 0 Clear bit3 in #MemoryAttribute.
8 0 Clear bit3 in #MemoryAttribute.
8 8 Set bit3 in #MemoryAttribute.


Description: Maps a memory range into a different range.

Useful for adding guard pages around stack.

Source range gets reprotected to --- (it can no longer be accessed), and bit0 is set in #MemoryAttribute.

Destination range is enforced to be within a special region. Code can get the range of this region from #svcGetInfo id0=2,3.


Description: Unmaps a region that was previously mapped with #svcMapMemory.

It's possible to unmap ranges partially, you don't need to unmap the entire range "in one go".

The srcaddr/dstaddr must match what was given when the pages were originally mapped.


Description: Create a thread in the current process.

Processor_id must be 0,1,2,3 or -2, where -2 uses the default cpuid for process.


Description: Sleep for a specified amount of time, or yield thread.

Setting nano=0 means "yield thread".


Maps the block supplied by the handle. The required permissions are different for the process that created the handle and all other processes.

Increases reference count for the KSharedMemory object. Thus in order to release the memory associated with the object, all handles to it must be closed and all mappings must be unmapped.


This one reprotects the src block with perms you give it. It also sets bit0 into #MemoryAttribute.

Executable bit perm not allowed.

Closing all handles automatically causes the bit0 in #MemoryAttribute to clear, and the permission to reset.


Works with num_handles <= 0x40, error on num_handles == 0.

Does not accept 0xFFFF8001 or 0xFFFF8000 as handles.


Size must be 0x1000-aligned.


When used on retail where inx0 bit31 is clear, the system will throw a fatal-error. Otherwise when bit31 is set, it will return 0.


Handle type Id0 Id1 Description
Process 0 0 AllowedCpuIdBitmask
Process 1 0 AllowedThreadPrioBitmask
Process 2 0 MapRegionBaseAddress
Process 3 0 MapRegionSize
Process 4 0 HeapRegionBaseAddress
Process 5 0 HeapRegionSize
Process 6 0 TotalMemoryUsage
Process 7 0 TotalHeapUsage
Zero 8 0 ExceptionInfo for current process.
Zero 9 0 Returns ResourceLimit handle for current process. Used by PM.
Zero 10 -1, {current coreid} Unknown. Output data changes each time this SVC is used. Global and core-specific tick-count?
Zero 11 0-3 RandomEntropy from current process. TRNG. Used to seed usermode PRNGs.
Process 12 0 [ 2.0.0 +] AddressSpaceStart.
Process 13 0 [ 2.0.0 +] AddressSpaceSize.
Process 14 0 [ 2.0.0 +] MapRegionBased. Randomized.
Process 15 0 [ 2.0.0 +] MapRegionSize.
Process 18 0 [ 3.0.0 +] Title-id.
Thread 0xF0000002 0 Performance counter related.


Does nothing, just returns with registers set to all-zero.


Read/write Tegra hardware registers with a hardcoded whitelist. Input address is physical-address.

rw_mask is 0 for reading and -1 for writing.

The whitelist is same for writing as for reading.


Address Register Name Description
0x700192E8 MC_LATENCY_ALLOWANCE_DC_0_0 Latency allowance settings for DC clients
0x700192EC MC_LATENCY_ALLOWANCE_DC_1_0 Latency allowance settings for DC clients
0x700192F0 MC_LATENCY_ALLOWANCE_DC_2_0 Latency allowance settings for DC clients
0x700192F4 MC_LATENCY_ALLOWANCE_DCB_0_0 Latency allowance settings for DCB clients
0x700192F8 MC_LATENCY_ALLOWANCE_DCB_1_0 Latency allowance settings for DCB clients
0x7001941C MC_DIS_PTSA_RATE_0 DDA rate for dis PTSA
0x70019420 MC_DIS_PTSA_MIN_0 DDA minimum value for direct client dis PTSA.
0x70019424 MC_DIS_PTSA_MAX_0 DDA maximum value for direct client dis PTSA.
0x70019428 MC_DISB_PTSA_RATE_0 DDA rate for disb PTSA
0x7001942C MC_DISB_PTSA_MIN_0 DDA minimum value for direct client disb PTSA
0x70019430 MC_DISB_PTSA_MAX_0 DDA maximum value for direct client disb PTSA
0x7001944C MC_MLL_MPCORER_PTSA_RATE_0 DDA rate for mll_mpcorer PTSA
0x7001947C MC_RING1_PTSA_RATE_0 DDA rate for ring1 PTSA
0x70019480 MC_RING1_PTSA_MIN_0 DDA minimum value for direct client ring1 PTSA
0x70019484 MC_RING1_PTSA_MAX_0 DDA maximum value for direct client ring1 PTSA
0x7001950C MC_FTOP_PTSA_RATE_0 DDA rate for ftop PTSA
0x70019670 MC_SEC_CARVEOUT_BOM_0 Baseaddress for the SEC carveout address space.
0x70019674 MC_SEC_CARVEOUT_SIZE_MB_0 Size in MB for the SEC carveout region
0x70019690 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0A_0 Scaled Latency Allowance settings for DISPLAY0A
0x70019694 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0AB_0 Scaled Latency Allowance settings for DISPLAY0AB
0x70019698 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0B_0 Scaled Latency Allowance settings for DISPLAY0B
0x7001969C MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0BB_0 Scaled Latency Allowance settings for DISPLAY0BB
0x700196A0 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0C_0 Scaled Latency Allowance settings for DISPLAY0C
0x700196A4 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0CB_0 Scaled Latency Allowance settings for DISPLAY0CB


Other perm can be used to enforce permission 1, 3, or 0x10000000 if don't care.


The newly mapped pages will have #MemoryState type 0xE.

You must pass same size and permissions as given in svcCreateMemoryMirror, otherwise error.


Size must match size given in map syscall, otherwise there's an invalid-size error.


The inverse operation of #svcQueryIoMapping.



Takes a #CreateProcessInfo as input.

svcAttachDeviceAddressSpace / svcDetachDeviceAddressSpace

These take a #DeviceName and a device address space handle.



Value Name
2 DC
4 HC
6 ISP2
8 NV
9 NV2
12 VI
13 VIC
17 PPCS1
18 DC1
23 ISP2B
24 GPU
26 PPCS2
28 APE
29 SE
31 HC1
32 SE1
34 ETR
36 TSEC1


Offset Length Bits Description
0 8
8 2
0xA 2
0xC 4
0x10 8 TitleId
0x18 8 CodeAddr
0x20 4 CodeNumPages
0x24 4 Bit0 Is64bit
0x24 4 Bit3-1 AddressSpaceType (0=32-bit with map and heap regions, 1=36-bit with map and heap regions, 2=32-bit with heap region only), 3=Invalid
0x24 4 Bit4
0x24 4 Bit5 EnableAslr
0x24 4 Bit6 IsSystem
0x28 4 ResourceLimitHandle
0x2C 4


Bits Description
0 IsBorrowed
1 IsIpcMapped
2 IsDeviceMapped
3 IsUncached [?]


Bits Description
7-0 Type
8 PermissionChangeAllowed
14 ProcessPermissionChangeAllowed
15 MapAllowed
16 UnmapProcessCodeMemoryAllowed
17 TransferMemoryAllowed
19 MapDeviceAllowed (#svcMapDeviceAddressSpace and #svcMapDeviceAddressSpaceByForce)
20 MapDeviceAlignedAllowed
21 IpcBufferAllowed
22 IsCached [?]
23 MapProcessAllowed
24 AttributeChangeAllowed
Value Type Meaning
0x00000000 Unmapped
0x00002001 IO Mapped by kernel capability parsing in #svcCreateProcess.
0x00042002 Normal Mapped by kernel capability parsing in #svcCreateProcess.
0x00DC7E03 Code static Mapped during #svcCreateProcess.
0x01FEBD04 Code Transition from 0xDC7E03 performed by #svcSetProcessMemoryPermission.
0x017EBD05 Heap Mapped using #svcSetHeapSize.
0x00402006 Shared memory block Mapped using #svcMapSharedMemory.
0x00482907 Weird mapped memory Mapped using #svcMapMemory.
0x00DD7E08 Module code static Mapped using #svcMapProcessCodeMemory.
0x01FFBD09 Module code mutable Transition from 0xDD7E08 performed by #svcSetProcessMemoryPermission.
0x005C3C0B Mapped memory Mapped using #svcMapMemory.
0x0040200C Thread local storage Mapped during #svcCreateThread.
0x015C3C0D Isolated transfer memory Mapped using #svcMapTransferMemory when the owning process has perm=0.
0x005C380E Transfer memory Mapped using #svcMapTransferMemory when the owning process has perm!=0.
0x0040380F Process memory Mapped using #svcMapProcessMemory.
0x00000010 Reserved

Exception Handling

There appears to be userland code for handling exceptions, however this doesn't seem to be executed on retail.

On usermode exception, it jumps to main code binary entrypoint (main_binary_address+0) with X0=exception_info_ptr and X1=exception_info2_ptr. On boot, X0 is set to 0 triggering normal crt0 setup.