Nintendo Switch Brew - User contributions [en]

21.1.0

2025-12-09T01:47:23Z

SciresM: /* System Titles */ creport

The Switch 21.1.0 system update was released on December 9, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.

==System Titles==
* The following titles were updated:
** Sysmodules: bcat, nifm, ns, psc, nim, pctl, creport, migration, olsc.
** SystemData (non-sysver): BrowserDll, ClientCertData.
** Applets: qlaunch, LibAppletWeb, LibAppletShop, LibAppletOff, LibAppletLns, LibAppletAuth.

=== [[Creport|creport]] ===
The code which terminates the process when the enable_jit_debug argument is true is now duplicated. Before, the process was terminated before the screenshot attachment was submitted to erpt. Now, if the process is not an application, termination occurs prior to screenshot attachment is submitted; otherwise, application processes are terminated after the screenshot attachment is submitted.

RomFs changes:
* BrowserDll: "/buildinfo/buildinfo.dat" updated, "/nro/netfront/core_3/Default/cfi_nncfi/oss_wkc.nro.lz4" updated, "/nro/netfront/core_3/Default/cfi_nncfi/peer_wkc.nro.lz4" updated, "/nro/netfront/core_3/Default/cfi_nncfi/webkit_wkc.nro.lz4" updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* [[Internet_Browser|LibAppletOff/LibAppletWeb/LibAppletShop/LibAppletLns/LibAppletAuth]]: All files updated.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-12-09_01-15-06&sys=hac]

{{NavboxVersions}}

NPDM

2025-11-14T00:19:44Z

SciresM: /* Flags */ 21.0.0+ LoadBrowserCoreDll

This is the Switch equivalent of 3DS [https://www.3dbrew.org/wiki/NCCH/Extended_Header exheader]. This is the file with extension ".npdm" in {Switch ExeFS}. The size of this file varies.

{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x80
| [[#META|META]]
|-
| 0x80
| <Varies>
| [[#ACID|ACID]]
|-
| <See META>
| <See META>
| [[#ACI0|ACI0]]
|}

= META =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x4
| Magic ("META")
|-
| 0x4
| 0x4
| [9.0.0+] SignatureKeyGeneration
|-
| 0x8
| 0x4
| Reserved
|-
| 0xC
| 0x1
| [[#Flags|Flags]]
|-
| 0xD
| 0x1
| Reserved
|-
| 0xE
| 0x1
| [[#MainThreadPriority|MainThreadPriority]]
|-
| 0xF
| 0x1
| MainThreadCoreNumber
|-
| 0x10
| 0x4
| Reserved
|-
| 0x14
| 0x4
| [3.0.0+] [[#SystemResourceSize|SystemResourceSize]]
|-
| 0x18
| 0x4
| [[#Version|Version]]
|-
| 0x1C
| 0x4
| [[#MainThreadStackSize|MainThreadStackSize]]
|-
| 0x20
| 0x10
| Name (usually/always "Application")
|-
| 0x30
| 0x10
| ProductCode (usually/always all zeroes)
|-
| 0x40
| 0x30
| Reserved
|-
| 0x70
| 0x4
| [[#ACI0|AciOffset]]
|-
| 0x74
| 0x4
| [[#ACI0|AciSize]]
|-
| 0x78
| 0x4
| [[#ACID|AcidOffset]]
|-
| 0x7C
| 0x4
| [[#ACID|AcidSize]]
|}

== Flags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0
| Is64BitInstruction
|-
| 1-3
| ProcessAddressSpace (0x00 = AddressSpace32Bit, 0x01 = AddressSpace64BitOld, 0x02 = AddressSpace32BitNoReserved, 0x03 = AddressSpace64Bit)
|-
| 4
| [7.0.0+] OptimizeMemoryAllocation
|-
| 5
| [11.0.0+] DisableDeviceAddressSpaceMerge
|-
| 6
| [18.0.0+] EnableAliasRegionExtraSize
|-
| 7
| [19.0.0-19.0.1] PreventCodeReads
|}

== MainThreadPriority ==
Ranges from 0 to 0x3F.

== SystemResourceSize ==
When this is non-zero, the kernel reserves this amount of memory and dynamically uses it as needed for page table pages, KMemoryBlocks, and KBlockInfos. When this is zero, the process uses global shared heaps for these.

This enables a process to sacrifice some of the memory available to it in order to have higher limits on these resources, thus enabling the use of SvcMapPhysicalMemory.

Maximum size as is 0x1FE00000.

== Version ==
0 for all titles.

[8.1.0+] Now set to 1 for certain titles.

[9.0.0+] Now set to a proper version field for all titles.

== MainThreadStackSize ==
Must be aligned to 0x1000. If zero, kernel will start the process's initial thread with sp=0.

= ACID =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x100
| RSA-2048 signature over the data starting at 0x100 with the size field from 0x204
|-
| 0x100
| 0x100
| RSA-2048 public key for the second [[NCA_Format|NCA]] signature
|-
| 0x200
| 0x4
| Magic ("ACID")
|-
| 0x204
| 0x4
| Size
|-
| 0x208
| 0x1
| [9.0.0+] Version
|-
| 0x209
| 0x1
| [14.0.0+]
|-
| 0x20A
| 0x2
| Reserved
|-
| 0x20C
| 0x4
| [[#Flags_2|Flags]]
|-
| 0x210
| 0x8
| ProgramIdMin
|-
| 0x218
| 0x8
| ProgramIdMax
|-
| 0x220
| 0x4
| [[#FsAccessControl|FacOffset]]
|-
| 0x224
| 0x4
| [[#FsAccessControl|FacSize]]
|-
| 0x228
| 0x4
| [[#SrvAccessControl|SacOffset]]
|-
| 0x22C
| 0x4
| [[#SrvAccessControl|SacSize]]
|-
| 0x230
| 0x4
| [[#KernelCapability|KcOffset]]
|-
| 0x234
| 0x4
| [[#KernelCapability|KcSize]]
|-
| 0x238
| 0x8
| Reserved
|}

== Flags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0
| ProductionFlag
|-
| 1
| UnqualifiedApproval
|-
| 2-5
| [5.0.0+] MemoryRegion (0 = Application, 1 = Applet, 2 = SecureSystem, 3 = NonSecureSystem)
|-
| 6
| Unused?
|-
| 7
| [21.0.0+] LoadBrowserCoreDll
|}

MemoryRegion is set to Application for "starter" and NonSecureSystem for "nvservices".

When LoadBrowserCoreDll flag is set, an additional NPDM + NSOs (wkc0-wkc9) will be loaded from program id 010000000000085D (not present on retail).

= ACI0 =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x4
| Magic ("ACI0")
|-
| 0x4
| 0xC
| Reserved
|-
| 0x10
| 0x8
| ProgramId
|-
| 0x18
| 0x8
| Reserved
|-
| 0x20
| 0x4
| [[#FsAccessControl|FacOffset]]
|-
| 0x24
| 0x4
| [[#FsAccessControl|FacSize]]
|-
| 0x28
| 0x4
| [[#SrvAccessControl|SacOffset]]
|-
| 0x2C
| 0x4
| [[#SrvAccessControl|SacSize]]
|-
| 0x30
| 0x4
| [[#KernelCapability|KcOffset]]
|-
| 0x34
| 0x4
| [[#KernelCapability|KcSize]]
|-
| 0x38
| 0x8
| Reserved
|}

= FsAccessControl =
For [[#ACID|ACID]] this is a simple descriptor as follows:
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x1
| Version (always 1, must be non-zero)
|-
| 0x1
| 0x1
| [5.0.0+] ContentOwnerIdCount
|-
| 0x2
| 0x1
| [5.0.0+] SaveDataOwnerIdCount
|-
| 0x3
| 0x1
| Padding
|-
| 0x4
| 0x8
| [[#FsAccessFlag|FsAccessFlag]]
|-
| 0xC
| 0x8
| ContentOwnerIdMin
|-
| 0x14
| 0x8
| ContentOwnerIdMax
|-
| 0x1C
| 0x8
| SaveDataOwnerIdMin
|-
| 0x24
| 0x8
| SaveDataOwnerIdMax
|-
| 0x2C
| 0x8 * ContentOwnerIdCount
| [5.0.0+] ContentOwnerIds
|-
| Variable
| 0x8 * SaveDataOwnerIdCount
| [5.0.0+] SaveDataOwnerIds
|}

For [[#ACI0|ACI0]] this embeds data as follows:
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x1
| Version (always 1, must be non-zero)
|-
| 0x1
| 0x3
| Padding
|-
| 0x4
| 0x8
| [[#FsAccessFlag|FsAccessFlag]]
|-
| 0xC
| 0x4
| ContentOwnerInfoOffset
|-
| 0x10
| 0x4
| ContentOwnerInfoSize
|-
| 0x14
| 0x4
| SaveDataOwnerInfoOffset
|-
| 0x18
| 0x4
| SaveDataOwnerInfoSize
|-
| 0x1C
| 0x4
| (Optional) ContentOwnerIdCount
|-
| 0x1C
| 0x8 * ContentOwnerIdCount
| ContentOwnerIds
|-
| Variable
| 0x4
| SaveDataOwnerIdCount
|-
| Variable
| 0x1 * SaveDataOwnerIdCount
| Accessibilities (1=Read, 2=Write, 3=ReadWrite)
|-
| Variable (padded to nearest 4 bytes)
| 0x8 * SaveDataOwnerIdCount
| SaveDataOwnerIds
|}

== FsAccessFlag ==
{| class="wikitable" border="1"
|-
! Bits
! Name
! Description
|-
| 0
| ApplicationInfo
| MountContent* is accessible when set.
|-
| 1
| BootModeControl
|
|-
| 2
| Calibration
|
|-
| 3
| SystemSaveData
|
|-
| 4
| GameCard
|
|-
| 5
| SaveDataBackUp
|
|-
| 6
| SaveDataManagement
|
|-
| 7
| BisAllRaw
|
|-
| 8
| GameCardRaw
|
|-
| 9
| GameCardPrivate
|
|-
| 10
| SetTime
|
|-
| 11
| ContentManager
|
|-
| 12
| ImageManager
|
|-
| 13
| CreateSaveData
|
|-
| 14
| SystemSaveDataManagement
|
|-
| 15
| BisFileSystem
|
|-
| 16
| SystemUpdate
|
|-
| 17
| SaveDataMeta
|
|-
| 18
| DeviceSaveData
|
|-
| 19
| SettingsControl
|
|-
| 20
| SystemData
|
|-
| 21
| SdCard
|
|-
| 22
| Host
|
|-
| 23
| FillBis
|
|-
| 24
| CorruptSaveData
|
|-
| 25
| SaveDataForDebug
|
|-
| 26
| FormatSdCard
|
|-
| 27
| GetRightsId
|
|-
| 28
| RegisterExternalKey
|
|-
| 29
| RegisterUpdatePartition
|
|-
| 30
| SaveDataTransfer
|
|-
| 31
| DeviceDetection
|
|-
| 32
| AccessFailureResolution
|
|-
| 33
| SaveDataTransferVersion2
|
|-
| 34
| RegisterProgramIndexMapInfo
|
|-
| 35
| CreateOwnSaveData
|
|-
| 36
| MoveCacheStorage
|
|-
| 37
| DeviceTreeBlob
|
|-
| 38
| NotifyErrorContextServiceReady
|
|-
| 39
| CalibrationSystemData
|
|-
| 40
| CalibrationLog
|
|-
| 41
| StorageSecure
|
|-
| 42
| StorageControl
|
|-
| 43
| GameCardReport
|
|-
| 44
| MarkBeforeEraseBis
|
|-
| 45-61
| Reserved
|
|-
| 62
| Debug
| See [[SPL_services#GetConfig|here]]. Ignored on non-DebugMode.
|-
| 63
| FullPermission
| Enables access to everything: all [[Filesystem_services#Permissions|permission types]] which check a bitmask have this bit set. Ignored on non-DebugMode.
|}

Controls the [[Filesystem_services#Permissions|filesystem permissions]].

Web-applets permissions:
* "LibAppletWeb" and "LibAppletOff" have same access control: bit0 and bit3 set, and bit62 set.
* Rest of the web-applets: Same as above except bit0 isn't set.

= Service Access Control =
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0-2
| Size (length of the service-name without null-terminator minus 1)
|-
| 7
| IsServer (service is allowed to be registered)
|-
| Variable
| Name
|}

This is a list of [[Services_API|service]]-name strings which the title has access to.

The service name string starts after the first byte and supports the wildcard <code>*</code> character.

= KernelCapability =
{| class="wikitable" border="1"
|-
! Pattern of lower bits
! Lowest clear bitmask/bit
! Description
|-
| <code>0bxxxxxxxxxxxx0111</code>
| Bit3
| [[#ThreadInfo]]
|-
| <code>0bxxxxxxxxxxx01111</code>
| Bit4
| [[#EnableSystemCalls]]
|-
| <code>0bxxxxxxxxx0111111</code>
| Bit6
| [[#MemoryMap]]
|-
| <code>0bxxxxxxxx01111111</code>
| Bit7
| [[#IoMemoryMap]]
|-
| <code>0bxxxxx01111111111</code>
| Bit10
| [8.0.0+] [[#MemoryRegionMap]]
|-
| <code>0bxxxx011111111111</code>
| Bit11
| [[#EnableInterrupts]]
|-
| <code>0bxx01111111111111</code>
| Bit13
| [[#MiscParams]]
|-
| <code>0bx011111111111111</code>
| Bit14
| [[#KernelVersion]]
|-
| <code>0b0111111111111111</code>
| Bit15
| [[#HandleTableSize]]
|-
| <code>0b1111111111111111</code>
| Bit16
| [[#MiscFlags]]
|-
| All ones
|
| Invalid
|}

These descriptors are identified by pattern 01..11 in low bits.

== ThreadInfo ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 4-9
| LowestPriority
|-
| 10-15
| HighestPriority
|-
| 16-23
| MinCoreNumber
|-
| 24-31
| MaxCoreNumber
|}

== EnableSystemCalls ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 5-28
| SystemCallId
|-
| 29-31
| Index
|}

== MemoryMap ==
MemoryMap entries are stored in pairs. The first pair will contain BeginAddress and PermissionType, while the second pair will contain Size and MappingType.
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 7-30
| BeginAddress
|-
| 31
| PermissionType (0=RW, 1=RO)
|}

{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 7-26
| Size
|-
| 27-30
| Reserved
|-
| 31
| MappingType (0=Io, 1=Static)
|}

=== Restrictions ===
The physaddr range 0x80060000-0x2000000000 is not allowed to be mapped as IO.
The physaddr range 0x80000000-0x2000000000 is not allowed to be mapped as Normal.

[2.0.0-4.1.0] The range for IO was changed into 0x80060000-0x81D3FFFF.

[2.0.0-4.1.0] A blacklist was added for IO and Normal mappings:
* 0x50040000-0x50060000 (ARM, Interrupt Controller)
* 0x6000F000 (Exception Vectors)
* 0x6001DC00-0x6001E000 (IPATCH)
* 0x7000E000 (RTC/PMC)
* 0x70019000 (MC)
* 0x7001C000 (MC0)
* 0x7001D000 (MC1)

[5.0.0+] For IO, this blacklist was abandoned and instead two range checks were added. For Normal mappings it is still applied

== IoMemoryMap ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 8-31
| BeginAddress
|}

== MemoryRegionMap ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 11-16
| RegionType0 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 17
| RegionIsReadOnly0
|-
| 18-23
| RegionType1 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 24
| RegionIsReadOnly1
|-
| 25-30
| RegionType2 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 31
| RegionIsReadOnly2
|}

== EnableInterrupts ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 12-21
| InterruptNumber0
|-
| 22-31
| InterruptNumber1
|}

0x3FF means empty.

== MiscParams ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 14-16
| ProgramType (0 = System, 1 = Application, 2 = Applet)
|}

ProgramType is parsed by [[Process Manager services]]. Defaults to 0 if descriptor doesn't exist. Can only run 1 application at a time.

== KernelVersion ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 15-18
| MinorVersion
|-
| 19-31
| MajorVersion
|}

This encodes the intended kernel version for the program.

The kernel requires that the intended version is >= the minimum supported version (3.0 for all released kernels), and <= the current version.

Kernel version is derived from/equivalent to SDK version:
* Kernel Major = SDK Major + 4
* Kernel Minor = SDK Minor

=== Versions ===
{| class="wikitable" border="1"
|-
! Firmware || Kernel Version || Corresponding SDK Version
|-
| 1.0.0 || 5.0 || 1.0.0.0
|-
| 2.0.0 || 6.1 || 2.1.0.0
|-
| 3.0.0 || 7.4 || 3.4.0.0
|-
| 3.0.2 || 7.4 || 3.4.0.0
|-
| 5.0.0 || 9.3 || 5.3.0.0
|-
| 10.0.0 || 14.4 || 10.4.0.0
|-
| 11.0.0 || 15.4 || 11.4.0.0
|-
| 11.0.1 || 15.4 || 11.4.0.0
|}

== HandleTableSize ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 16-25
| HandleTableSize
|}

== MiscFlags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 17
| EnableDebug
|-
| 18
| [19.0.0+] ForceDebugProd ([1.0.0-18.1.0] ForceDebug)
|-
| 19
| [19.0.0+] ForceDebug
|}

SPL services

2025-11-12T01:37:57Z

SciresM: Add note on valid key generations

SPL ("Secure Platform services") is responsible for handling all cryptographic operations within the system and relaying them to the [[SMC|Secure Monitor]] when necessary.

During [1.0.0-3.0.2], the only existing services were "csrng" and "spl:". However, in [4.0.0+] the "spl:" service was refactored and split into new services with different permission levels. Each service exposes the IPC command list differently in order to prevent cryptographic operations to take place in the wrong context.

In [2.0.0+] where previously only one AES keyslot was used, there is now support for 4 of them and when the session closes, all allocated AES keyslots are automatically freed.

[S2] The spl services were overhauled. New services were added, this appears to replace spl:mig where required for the relevant sysmodules. GenerateAesKek is no longer directly exposed, thus the Kek AccessKey and KeySource are no longer exposed.

= csrng =
This is "nn::spl::detail::IRandomInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GenerateRandomBytes]]
|}

== GenerateRandomBytes ==
Takes an output type-0xA buffer and fills it with random data from [[SMC#GenerateRandomBytes|GenerateRandomBytes SMC]]. Same command for "spl:" and "csrng" services, except for buffer-type.

= spl: =
This is "nn::spl::detail::IGeneralInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|}

Going by spl:ldn, this likely has a new interface on [S2]:

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GenerateRandomBytes|GenerateRandomBytes]]
|-
| 1 || [[#GetConfig|GetConfig]]
|-
| 2 ||
|-
| 3 ||
|-
| 4 ||
|-
| 5 || [[#GetConfigWithBuffer|GetConfigWithBuffer]]
|}

== GetConfig ==
Wrapper for [[SMC#GetConfig|GetConfig SMC]].

Takes an input u32 '''ConfigItem'''. Returns one or more output u64s '''ConfigValue'''.

== ModularExponentiate ==
Wrapper for [[SMC#ModularExponentiate|ModularExponentiate SMC]].

Takes an output type-0xA buffer '''DataOut''' and 3 input type-0x9 buffers '''DataIn''', '''ExpIn''' and '''ModIn'''.

Performs asymmetric crypto with user supplied modulus and exponent.

== Cmd2 ==
This is for the [S2] interface.

Takes no input, returns 0x10-bytes of output.

This returns the first 0xD-bytes from [[#GetConfigWithBuffer|GetConfigWithBuffer]] ConfigItem 8, byteswapped.

== Cmd3 ==
This is for the [S2] interface.

Takes no input. Returns unknown output, usually zeros?

== Cmd4 ==
This is for the [S2] interface.

Takes no input. Returns unknown output, usually zeros?

== GetConfigWithBuffer ==
Unofficial name.

Some config is incomplete when accessed with [[#GetConfig|GetConfig]], this allows returning the full config.

Takes an input u32 '''ConfigItem''' and an output type-0xA buffer.

== GenerateAesKek ==
Wrapper for [[SMC#GenerateAesKek|GenerateAesKek SMC]].

Takes an input 16-byte '''KeySource''' and two input u32s '''Generation''' and '''Option'''. Returns an output 16-byte '''AccessKey'''.

== LoadAesKey ==
Wrapper for [[SMC#LoadAesKey|LoadAesKey SMC]].

Takes an input u32 '''KeySlot''' , an input 16-byte '''AccessKey''' and an input 16-byte '''KeySource'''.

Sets the specified '''KeySlot''' with a key generated from '''AccessKey''' and '''KeySource'''.

[2.0.0+] Now verifies that the keyslot in use (0..3) is allocated by the current spl session, otherwise errors with 0xD21A. Previously, keyslot was hardcoded to 0.

== GenerateAesKey ==
Takes an input 16-byte '''AccessKey''' and an input 16-byte '''KeySource'''. Returns an output 16-byte '''AesKey'''.

Generates a new key by decrypting (AES-ECB) '''KeySource''' with a key generated from the supplied '''AccessKey''' and the key set with [[SMC#LoadAesKey|LoadAesKey SMC]].

[2.0.0+] Previously, it always used keyslot 0. Now it tries to allocate a keyslot to be used and returns 0xD01A if they're all busy. When the command is done, the keyslot is released.

== SetConfig ==
Wrapper for [[SMC#SetConfig|SetConfig SMC]].

Takes an input u32 '''ConfigItem''' and an input u64 '''ConfigValue'''.

Only '''ConfigItem''' 13 (IsChargerHiZModeEnabled) can be set.

== DecryptAndStoreGcKey ==
Wrapper for [[SMC#DecryptAndImportLotusKey|DecryptAndImportLotusKey SMC]].

Takes an input type-0x9 buffer '''DataIn''', an input 16-byte '''AccessKey''', an input 16-byte '''KeySource''' and an input u32 '''Version''' (0 for normal keys or 1 for extended keys).

Decrypts '''DataIn''' with a key generated from '''AccessKey''' and '''KeySource''' and imports it for later usage.

[5.0.0+] The '''Version''' argument was removed and this now calls the [[SMC#ReencryptDeviceUniqueData|ReencryptDeviceUniqueData SMC]] instead.

== DecryptGcMessage ==
Takes 3 input type-0x9 buffers '''DataIn''', '''ModIn''' and '''LabelHashIn'''.

Uses the [[SMC#ModularExponentiateByStorageKey|ModularExponentiateByStorageKey SMC]] to decrypt '''DataIn''' using the private key imported with [[#DecryptAndStoreGcKey]] and the supplied '''ModIn''' and '''LabelHashIn'''.

== IsDevelopment ==
No input. Returns an output u8 bool.

Uses [[#GetConfig]] internally.

== GenerateSpecificAesKey ==
Wrapper for [[SMC#GenerateSpecificAesKey|GenerateSpecificAesKey SMC]].

Takes an input 16-byte '''KeySource''' and two input u32s '''Generation''' and '''Option'''. Returns an output 16-byte '''AesKey'''.

== DecryptDeviceUniqueData ==
Wrapper for [[SMC#DecryptDeviceUniqueData|DecryptDeviceUniqueData SMC]].

Takes an output type-0xA buffer '''DataOut''', an input type-0x9 '''DataIn''', an input 16-byte '''AccessKey''', an input 16-byte '''KeySource''' and an input u32 '''Version''' (0 for normal keys or 1 for extended keys).

Decrypts '''DataIn''' into '''DataOut''' with a key generated from '''AccessKey''' and '''KeySource'''.

Used by [[SSL_services|SSL]] for TLS client-privk.

[5.0.0+] The '''Version''' argument was removed.

== DecryptAesKey ==
Takes an input 16-byte '''KeySource''' and two input u32s '''Generation''' and '''Option'''. Returns an output 16-byte '''AesKey'''.

Decrypts (AES-ECB) '''KeySource''' with a key set with [[SMC#LoadAesKey|LoadAesKey SMC]].

[2.0.0+] Introduced same keyslot allocation code as for [[#GenerateAesKey]].

== ComputeCtr ==
Takes an output type-0x46 buffer '''DataOut''', an input u32 '''KeySlot''', an input type-0x45 buffer '''DataIn''' and an input 16-byte '''IvCtr'''.

Uses [[SMC#ComputeAes|ComputeAes SMC]] to decrypt '''DataIn''' into '''DataOut''' using the key set in the specified '''KeySlot'''.

[2.0.0+] Verifies the keyslot was allocated by the current session.

== ComputeCmac ==
Wrapper for [[SMC#ComputeCmac|ComputeCmac SMC]].

Takes an input type-0x9 buffer '''DataIn''' and an input u32 '''KeySlot'''. Returns an output 16-byte '''Cmac'''.

[2.0.0+] Verifies the keyslot was allocated by the current session.

== LoadEsDeviceKey ==
Wrapper for [[SMC#DecryptAndImportEsDeviceKey|DecryptAndImportEsDeviceKey SMC]].

Takes an input type-0x9 buffer '''DataIn''', an input 16-byte '''AccessKey''', an input 16-byte '''KeySource''' and an input u32 '''Version''' (0 for normal keys or 1 for extended keys).

Decrypts '''DataIn''' with a key generated from '''AccessKey''' and '''KeySource''' and imports it for later usage.

[5.0.0+] The '''Version''' argument was removed and this now calls the [[SMC#ReencryptDeviceUniqueData|ReencryptDeviceUniqueData SMC]] instead.

== PrepareEsTitleKey ==
Wrapper for [[SMC#PrepareEsDeviceUniqueKey|PrepareEsDeviceUniqueKey SMC]].

Takes an output type-0xA buffer '''DataOut''' and 3 input type-0x9 buffers '''DataIn''', '''ModIn''' and '''LabelHashIn'''. Returns an output u32 '''DataOutSize'''.

[3.0.0+] Now takes an input u32 '''Generation'''.

Decrypts '''DataIn''' into '''DataOut''' using the private key imported with [[#LoadEsDeviceKey]] and the supplied '''ModIn'''. Afterwards, verifies RSA-OAEP encoding using '''LabelHashIn'''.

== LoadPreparedAesKey ==
Wrapper for [[SMC#LoadPreparedAesKey|LoadPreparedAesKey SMC]].

Takes an input u32 '''KeySlot''' and an input 16-byte '''AccessKey'''.

[2.0.0+] Verifies the keyslot was allocated in the current session.

== PrepareCommonEsTitleKey ==
Wrapper for [[SMC#PrepareEsCommonKey|PrepareEsCommonKey SMC]].

Takes an input 16-byte '''KeySource'''. Returns an output 16-byte '''AccessKey'''.

[3.0.0+] Now takes an input u32 '''Generation'''.

== AllocateAesKeySlot ==
Returns an output u32 '''KeySlot'''.

Returns error 0xD01A if all keyslots are taken.

== DeallocateAesKeySlot ==
Takes an input u32 '''KeySlot'''.

Returns error 0xD21A if the keyslot wasn't allocated by current session.

== GetAesKeySlotAvailableEvent ==
Returns an output event handle for synchronizing with the AES keyslots.

== SetBootReason ==
Takes an input u32 '''BootReason'''.

[4.0.0+] Returns 0xD41A if a value has been previously set without being [[#GetBootReason|gotten]].

== GetBootReason ==
Returns an output u32 '''BootReason'''.

[4.0.0+] Returns 0xD61A if a value has not previously been set and unsets the value after getting it.

= spl:mig =
This is "nn::spl::detail::ICryptoInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|}

= spl:fs =
This is "nn::spl::detail::IFsInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|-
| 9 || [[#DecryptAndStoreGcKey]]
|-
| 10 || [[#DecryptGcMessage]]
|-
| 12 || [[#GenerateSpecificAesKey]]
|-
| 19 || [[#LoadPreparedAesKey]]
|-
| 31 || [5.0.0+] GetPackage2Hash
|}

= spl:ssl =
This is "nn::spl::detail::ISslInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|-
| 13 || [[#DecryptDeviceUniqueData]]
|-
| 26 || [5.0.0+] DecryptAndStoreSslClientCertKey
|-
| 27 || [5.0.0+] ModularExponentiateWithSslClientCertKey
|}

= spl:es =
This is "nn::spl::detail::IEsInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|-
| 13 || [[#DecryptDeviceUniqueData]]
|-
| 17 || [[#LoadEsDeviceKey]]
|-
| 18 || [[#PrepareEsTitleKey]]
|-
| 20 || [2.0.0+] [[#PrepareCommonEsTitleKey]]
|-
| 28 || [5.0.0+] DecryptAndStoreDrmDeviceCertKey
|-
| 29 || [5.0.0+] ModularExponentiateWithDrmDeviceCertKey
|-
| 31 || [6.0.0+] PrepareEsArchiveKey
|-
| 32 || [6.0.0+] [[#LoadPreparedAesKey]]
|-
| 33 || [18.0.0+]
|}

= spl:manu =
This is "nn::spl::detail::IManuInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|-
| 13 || [[#DecryptDeviceUniqueData]]
|-
| 30 || [5.0.0+] ReencryptDeviceUniqueData
|}

= (S2) spl:da =

= (S2) spl:gc =

= (S2) spl:nv =

= (S2) spl:hid =

= (S2) spl:ldn =
This is "nn::spl::detail::ILdnInterface".

This has IPC max_sessions 1?

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GenerateRandomBytes|GenerateRandomBytes]]
|-
| 1 || [[#GetConfig|GetConfig]]
|-
| 2 ||
|-
| 3 ||
|-
| 4 ||
|-
| 5 || [[#GetConfigWithBuffer|GetConfigWithBuffer]]
|-
| 7000 || [[#GenerateNxAdvertiseKey|GenerateNxAdvertiseKey]]
|-
| 7001 || [[#GenerateNxSessionKey|GenerateNxSessionKey]]
|-
| 7002 || [[#GenerateNxLp2pKeyIndex1|GenerateNxLp2pKeyIndex1]]
|-
| 7003 || [[#GenerateNxLp2pKeyIndex2|GenerateNxLp2pKeyIndex2]]
|-
| 7004 || [[#GenerateOunceAdvertiseKey|GenerateOunceAdvertiseKey]]
|-
| 7005 || [[#GenerateOunceSessionKey|GenerateOunceSessionKey]]
|}

The below 7000+ cmds take a KeySource (equivalent to NX-GenerateAesKey) and an u32. Bitmask 0x1F of the u32 is the Generation, 0x20 is valid but doesn't seem to do anything. Values >=0x21 throw error. A 0x10-byte outbuf is used for the output key. Cmd7004/Cmd7005 use a 0x20-byte outbuf. These are equivalent to GenerateAesKek+GenerateAesKey combined.

With Nx commands, valid key generations match what's expected for S1. With Ounce commands, the valid key generations on 20.x are 0/1.

All of these use AES-ECB with the input KeySource, with the buffer as the output.

== GenerateNxAdvertiseKey ==
Unofficial name.

Takes an input 16-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Generates a key using the NX-equivalent of the ldn Kek-action_keysource.

== GenerateNxSessionKey ==
Unofficial name.

Takes an input 16-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Generates a key using the NX-equivalent of the ldn Kek-data_keysource.

== GenerateNxLp2pKeyIndex1 ==
Unofficial name.

Takes an input 16-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Generates a key using the NX-equivalent of the lp2p Kek-Index1.

== GenerateNxLp2pKeyIndex2 ==
Unofficial name.

Takes an input 16-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Generates a key using the NX-equivalent of the lp2p Kek-Index2.

== GenerateOunceAdvertiseKey ==
Unofficial name.

Takes an input 32-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Ounce version of [[#GenerateNxAdvertiseKey|GenerateNxAdvertiseKey]]. [[LDN_services|ldn]] only uses the first 0x10-bytes of the output key.

== GenerateOunceSessionKey ==
Unofficial name.

Takes an input 32-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Ounce version of [[#GenerateNxSessionKey|GenerateNxSessionKey]]. [[LDN_services|ldn]] only uses the first 0x10-bytes of the output key.

[[Category:Services]]

21.0.0

2025-11-12T01:05:30Z

SciresM: Fix some kernel diffs that were new in 20.1.0, not 21.0.0. I bindiff'd against 20.0.0, sorry :)

The Switch 21.0.0 system update was released on November 11, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
*
* Added symbols above software icons displayed on the HOME Menu to indicate whether the software is a physical or a digital version.
* Added the ability to download data for a virtual game card even if the “Use Online License" setting is turned off.
*
* This option is available in the Options of a virtual game card when accessed via Virtual Game Cards from the HOME Menu.
*
*
* The information regarding Save Data Cloud Backup that appears when launching certain software has been updated.
* The option "Platinum Point Notification Settings” was renamed to "Nintendo Switch Online Notification Settings" in the Notifications menu in System Settings.
* Added the ability to disable the following options when performing a system transfer from a Nintendo Switch system to a Nintendo Switch 2 system using System Transfer to Nintendo Switch 2 in System Settings.
*
* Redownload Software on Nintendo Switch 2
* Transfer Album Data
*
*
* Added the ability to adjust the volume from the Quick Settings menu while in VR mode.
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware, ClientCertData, GameCardConfigurationData.
** Applets: qlaunch, auth, cabinet, controller, dataErase, error, playerSelect, swkbd, miiEdit, LibAppletWeb, LibAppletShop, overlayDisp, photoViewer, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application, myPage, splay.

The [[NGCT_services|ngct]]-sysmodule is now stubbed, the ngct:u service was moved into [[NGC_services|ngc]].

[[NPDM]] changes (besides usual version-bump):
* Bus: KernelCap HandleTableSize: removed HandleTableSize=0x100.
* bcat: Service access: removed bsdcfg, npns:u.
* friends: Service access: removed bsdcfg.
* ptm: Service server access: added fgm:0, fgm, fgm:9, removed fgm*.
* capmtp: Service access: removed fsp-srv, lm.
* ns: Service access: removed htc.
* psc: Service server access: added psc:c, psc:l, psc:m, srepo:a, srepo:u, removed psc*, srepo:*.
* npns: Service access: removed time:u.
* eclct: Service access: removed npns:s, psc:m.
* sdb: Service access: removed set.
* migration: Service access: removed nim:shp.
* pgl: Service access: removed erpt:c, lm, set.
* ngc: Service server access: added ngct:u.
* LibAppletShop: Service access: added friend:m.
* overlayDisp: Service access: added mnpp:sys.

RomFs changes:
* ErrorMessage: updated
* BrowserDll:
** "/browser/effective_tld_names.dat" updated
** "/browser/icudt62l.dat.lz4" added
** "/browser/MediaControls.css" updated
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/browser/MediaControls.js" updated
** "/browser/RootCaSdkAdditional.pem" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/": Various data updated.
** "/lyt/Browse/NodeMouse.arc" removed
** "/lyt/Browse/TapHighlight.arc" added
** "/message/": Various data updated.
** "/nro/netfront/core_0/default/" removed
** "/nro/netfront/core_0/Default/" added
** "/nro/netfront/core_3/default/" removed
** "/nro/netfront/core_3/Default/" added
* Help: "/legallines.htdocs/index.html" updated
* NgWord: "/0.txt" updated, "/version.dat" updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* TimeZoneBinary: updated
* [[System_Settings|FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula]]: All files updated.
* ControllerFirmware: "/FirmwareInfo.csv" updated, "/ukyosakyo_ep2_ota.bin" updated
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/qlaunch_action.bksnd" updated
** "/sound/qlaunch.bfsar" updated
* auth applet:
** "/message/": Various data updated.
** "/sound/auth_action.bksnd" updated
* cabinet applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/cabinet_action.bksnd" updated
* controller applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/controller_action.bksnd" updated
* dataErase applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/dataErase_action.bksnd" updated
* error applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/error_action.bksnd" updated
* playerSelect applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/playerSelect_action.bksnd" updated
* swkbd applet:
** "/message/": Various data updated.
** "/sound/swkbd_action.bksnd" updated
* overlayDisp applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/overlayDisp_action.bksnd" updated
* photoViewer applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/photoViewer_action.bksnd" updated
* [[Internet_Browser|LibAppletOff/LibAppletWeb/LibAppletShop/LibAppletLns/LibAppletAuth]]: All files updated.
* "starter" application:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/starter_action.bksnd" updated
* myPage applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/myPage_action.bksnd" updated
* splay applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/splay_action.bksnd" updated

=== IPC Interface Changes ===
* Interface Changed: nn::settings::IFirmwareDebugSettingsServer
** Added: 27 - buffer_entry_sizes: [0x141], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::settings::ISystemSettingsServer
** Added: 315 - buffer_entry_sizes: [0x141], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 319 - buffer_entry_sizes: [0x40], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 320 - buffer_entry_sizes: [0x40], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 321 - inbytes: 0x0, outbytes: 0x40
* Interface Changed: nn::pinmux::ISession
** Added: 11 - inbytes: 0x4, outbytes: 0x0
** Added: 12 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::mnpp::detail::ipc::IServiceForSystem
** Added: 200 - buffer_entry_sizes: [0x194], buffers: [0x16], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::prepo::detail::ipc::IPrepoService
** Added: 10106 - buffers: [0x9, 0x5], inbytes: 0x10, outbytes: 0x0, pid: True
** Added: 10107 - buffers: [0x9, 0x5], inbytes: 0x20, outbytes: 0x0, pid: True
** Added: 20102 - buffers: [0x9, 0x5], inbytes: 0x10, outbytes: 0x0
** Added: 20103 - buffers: [0x9, 0x5], inbytes: 0x20, outbytes: 0x0
* Unknown Interface prev-version: 0x710008741C
* Unknown Interface cur-version: 0x7100088640
* Interface Changed: nn::friends::detail::ipc::IServiceCreator
** Changed: 2 - outinterfaces: ['0x710008741C'] -> ['0x7100088640'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100088640'])
* Interface Changed: nn::nifm::detail::IRequest
** Added: 26 - buffer_entry_sizes: [0x100], buffers: [0x1A], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::psm::IPsmServer
** Added: 25 - inbytes: 0x0, outbytes: 0x4
** Added: 26 - inbytes: 0x0, outbytes: 0x1
** Added: 27 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::socket::sf::IClient
** Changed: 39 - outhandles: [1, 1] -> {} (final state: inbytes: 0x10, outbytes: 0x8)
** Added: 41 - inbytes: 0x4, outbytes: 0x8, outhandles: [1, 1, 1, 1, 1, 1]
** Added: 42 - buffers: [0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21], inbytes: 0x0, outbytes: 0x24
** Added: 43 - buffers: [0x21, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22], inbytes: 0x10, outbytes: 0x24
* Interface Changed: nn::hid::IHidDebugServer
** Added: 23 - inbytes: 0x4, outbytes: 0x0
** Added: 261 - inbytes: 0x40, outbytes: 0x0
** Added: 266 - buffer_entry_sizes: [0x4], buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 267 - inbytes: 0x18, outbytes: 0x0
** Added: 268 - inbytes: 0x10, outbytes: 0x0
** Added: 700 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::hid::IHidServer
** Added: 320 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, pid: True
** Added: 321 - inbytes: 0x8, outbytes: 0x0, pid: True
** Added: 3012 - buffer_entry_sizes: [0x80], buffers: [0x1A], inbytes: 0x0, outbytes: 0x0
** Added: 3013 - buffer_entry_sizes: [0x80], buffers: [0x19], inbytes: 0x0, outbytes: 0x0
** Added: 3014 - inbytes: 0x0, outbytes: 0x68
** Added: 3015 - inbytes: 0x68, outbytes: 0x0
** Added: 3150 - inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::hid::IHidSystemServer
** Added: 1323 - inbytes: 0x0, outbytes: 0x0
** Added: 1324 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 1325 - inbytes: 0x0, outbytes: 0x1
** Added: 1326 - inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::audio::detail::IAudioDevice
** Added: 21 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::audioctrl::detail::IAudioController
** Added: 43 - inbytes: 0x4, outbytes: 0x1
* Interface Changed: nn::wlan::detail::IPrivateWirelessCommunicationService
** Removed: 4 - inbytes: 0x4, outbytes: 0x0
** Removed: 5 - inbytes: 0x4, outbytes: 0x0
* Unknown Interface prev-version: 0x71000055E0
* Unknown Interface cur-version: 0x71000055C0
* Interface Changed: nn::rtc::IRtcManager
** Added: 14 - buffers: [0x22], inbytes: 0x4, outbytes: 0x8
** Added: 15 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::baas::IAdministrator
** Added: 291 - buffer_entry_sizes: [0x1000], buffers: [0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::baas::IAdministrator
** Added: 291 - buffer_entry_sizes: [0x1000], buffers: [0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Added: 428 - inbytes: 0x0, outbytes: 0x0
** Added: 429 - inbytes: 0x10, outbytes: 0x0
** Added: 430 - inbytes: 0x28, outbytes: 0x0
** Added: 516 - inbytes: 0x0, outbytes: 0x1
** Added: 517 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 518 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 519 - inbytes: 0x4, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 934 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 935 - inbytes: 0x0, outbytes: 0x0
** Added: 936 - inbytes: 0x0, outbytes: 0x88
** Added: 2369 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x1, outbytes: 0x4
** Added: 4099 - inbytes: 0x20, outbytes: 0x0
* Interface Changed: nn::ns::detail::IContentManagementInterface
** Added: 608 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::ns::detail::IDynamicRightsInterface
** Added: 29 - inbytes: 0x10, outbytes: 0x4
** Added: 30 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
* Interface Changed: nn::ns::detail::IECommerceInterface
** Added: 14 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ns::detail::IReadOnlyApplicationControlDataInterface
** Added: 18 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 19 - buffers: [0x6], inbytes: 0x10, outbytes: 0xC
** Added: 20 - buffers: [0x6], inbytes: 0x10, outbytes: 0xC
** Added: 21 - buffers: [0x6], inbytes: 0x10, outbytes: 0xC
** Added: 22 - buffers: [0x6], inbytes: 0x10, outbytes: 0xC
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Changed: 10100 - inbytes: 0x8 -> 0x10 (final state: buffers: [0x9, 0x5], inbytes: 0x10, outbytes: 0x0)
** Changed: 10101 - inbytes: 0x18 -> 0x20 (final state: buffers: [0x9, 0x5], inbytes: 0x20, outbytes: 0x0)
* Interface Changed: nn::capsrv::sf::IAlbumAccessorService
** Added: 50010 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::IApplicationAccessor
** Added: 310 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::IApplicationFunctions
** Changed: 14 - ininterfaces: [None] -> ['nn::am::service::IStorage'] (final state: buffer_entry_sizes: [0x20], buffers: [0x15], inbytes: 0x8, ininterfaces: ['nn::am::service::IStorage'], outbytes: 0x0)
** Changed: 310 - inbytes: 0x1 -> 0x18 (final state: inbytes: 0x18, ininterfaces: [None], outbytes: 0x0)
* Interface Changed: nn::am::service::ICommonStateGetter
** Added: 130 - inbytes: 0x0, outbytes: 0x0
** Added: 610 - inbytes: 0x8, outbytes: 0x0
** Added: 1003 - inbytes: 0x0, outbytes: 0x10
** Added: 1004 - inbytes: 0x0, outbytes: 0x8
** Added: 1005 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::am::service::IDebugFunctions
** Added: 150 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::IOverlayFunctions
** Added: 70 - inbytes: 0x0, outbytes: 0x0
** Added: 71 - inbytes: 0x0, outbytes: 0x0
** Added: 75 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::am::service::ISelfController
** Added: 73 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::ssl::sf::ISslService
** Added: 10 - buffers: [0x6, 0x6], inbytes: 0x4, outbytes: 0x0
** Added: 11 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ssl::sf::ISslServiceForSystem
** Added: 10 - buffers: [0x6, 0x6], inbytes: 0x4, outbytes: 0x0
** Added: 11 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 92 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 174 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
** Added: 175 - inbytes: 0x0, outbytes: 0x1
** Added: 176 - inbytes: 0x1, outbytes: 0x0
** Added: 177 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::erpt::sf::IContext
** Added: 5 - buffer_entry_sizes: [0x0, 0x0, 0x0, 0xC, 0x0, 0x0], buffers: [0x5, 0x5, 0x5, 0x5, 0x5, 0x5], inbytes: 0xC, outbytes: 0x0
** Changed: 6 - buffer_entry_sizes: [0x4C8, 0x0] -> [0xC, 0x10, 0x0], buffers: [0x15, 0x5] -> [0x5, 0x5, 0x5] (final state: buffer_entry_sizes: [0xC, 0x10, 0x0], buffers: [0x5, 0x5, 0x5], inbytes: 0x0, outbytes: 0x0)
** Changed: 7 - inbytes: 0x0 -> 0x10 (final state: inbytes: 0x10, outbytes: 0x0)
** Added: 40 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::visrv::sf::IApplicationDisplayService
** Added: 2103 - inbytes: 0x0, outbytes: 0x18
* Interface Changed: nn::pctl::detail::ipc::IParentalControlService
** Added: 1021 - inbytes: 0x0, outbytes: 0x0
** Added: 1022 - inbytes: 0x0, outbytes: 0x0
** Removed: 1456 - inbytes: 0x0, outbytes: 0x34
** Removed: 1951 - inbytes: 0x34, outbytes: 0x0
** Added: 2024 - inbytes: 0x0, outbytes: 0x0
** Changed: 145601 - outbytes: 0x36 -> 0x44 (final state: inbytes: 0x0, outbytes: 0x44)
** Changed: 195101 - inbytes: 0x36 -> 0x44 (final state: inbytes: 0x44, outbytes: 0x0)
* Unknown Interface prev-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface cur-version: 0x7100099A00 [ID = 0xfe214da9]
* Interface Changed: nn::npns::INpnsSystem
** Added: 204 - inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::es::IActiveRightsContext
** Added: 19 - buffer_entry_sizes: [0x20, 0x8], buffers: [0x6, 0x5], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::es::IETicketService
** Added: 1038 - buffer_entry_sizes: [0x8, 0x8], buffers: [0x6, 0x6], inbytes: 0x0, outbytes: 0x4
** Added: 3001 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::ndrm::low::detail::INdrmLowAdminInterface
** Added: 51 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x18, outbytes: 0x4
* Interface Changed: nn::fatalsrv::IService
** Added: 3 - inbytes: 0x38, outbytes: 0x0
* Interface Changed: nn::grcsrv::IContinuousRecorder
** Removed: 1 - inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x710005EC90 [ID = 0xef2a5618]
* Unknown Interface cur-version: 0x710005FEB0 [ID = 0xef2a5618]
* Interface Changed: nn::pdm::detail::INotifyService
** Changed: 100 - outinterfaces: ['0x710005EC90 [ID = 0xef2a5618]'] -> ['0x710005FEB0 [ID = 0xef2a5618]'] (final state: inbytes: 0x20, outbytes: 0x0, outinterfaces: ['0x710005FEB0 [ID = 0xef2a5618]'])
** Changed: 101 - outinterfaces: ['0x710005EC90 [ID = 0xef2a5618]'] -> ['0x710005FEB0 [ID = 0xef2a5618]'] (final state: inbytes: 0x20, outbytes: 0x0, outinterfaces: ['0x710005FEB0 [ID = 0xef2a5618]'])
* Interface Changed: nn::pl::detail::IPlatformServiceManagerForSystem
** Removed: 1000 - buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** Removed: 1001 - inbytes: 0x0, outbytes: 0x4
* Interface Removed: nn::migration::detail::IAsyncSaveDataMigrationPolicyInfoContext
* Unknown Interface prev-version: 0x7100140F78 [ID = 0x29d8801c]
* Unknown Interface cur-version: 0x7100127590 [ID = 0x29d8801c]
* Interface Changed: nn::migration::device::IDownloader
** Added: 390 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::device::IServer
** Removed: 120 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 121 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Removed: 510 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 511 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::device::IUploader
** Removed: 100 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 101 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Removed: 610 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 611 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::savedata::IClient
** Removed: 221 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 222 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::savedata::IServer
** Added: 220 - inbytes: 0x0, outbytes: 0x10
** Removed: 510 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 511 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::user::IService
** Removed: 1001 - inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncSaveDataMigrationPolicyInfoContext']
** Changed: 2250 - outinterfaces: ['0x7100140F78 [ID = 0x29d8801c]'] -> ['0x7100127590 [ID = 0x29d8801c]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100127590 [ID = 0x29d8801c]'])
** Changed: 2260 - outinterfaces: ['0x7100140F78 [ID = 0x29d8801c]'] -> ['0x7100127590 [ID = 0x29d8801c]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100127590 [ID = 0x29d8801c]'])
* Interface Changed: nn::olsc::srv::IOlscServiceForSystemService
** Added: 206 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IAsyncResult']
** Added: 302 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IAsyncResult']
* Interface Changed: nn::olsc::srv::IRemoteStorageController
** Added: 29 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IAsyncResult']
* Interface Changed: nn::omm::detail::IOperationModeManager
** Added: 300 - inbytes: 0x1, outbytes: 0x0
** Added: 301 - inbytes: 0x0, outbytes: 0x0
* Interface Added: nn::ngc::t::detail::IService
* Interface Changed: nn::ngc::detail::IService
** Added: 4 - buffers: [0x5], inbytes: 0x18, outbytes: 0x4
** Added: 5 - buffers: [0x6, 0x5], inbytes: 0x18, outbytes: 0x4

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_14 (previously master_key_13). See [[NCA]] for the KeyGeneration listing.

The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].

==== Kernel ====
* Compiler was upgraded (to clang 18.1.0+).
** Besides the usual reordering, this is now most noticeable in the following:
*** Many atomic st(l)xrs now use cmp + csetm + tbz instead of cbnz.
**** Testing on godbolt indicates this seems to be a change made in clang 18.1.0+ (not present in 17.0.1).
*** Many cases where they previously did some_condition ? m_a : m_b now have different assembly.
**** Previously: add Xn, Xz, #A; add Xm, Xz, #B; csel Xn, Xn, Xm; ldr Xn, [Xn]
**** Now: mov Xn, #A; mov Xn, #B; csel Xn, Xn, Xm; ldr Xn, [Xz, Xn]
*** Many cases of booleans now explicitly test for 1 instead of <any non-zero value>
**** Previously: ldrb w8, [x8]; cbz w8, some_loc
**** Now: ldrb w8, [x8]; cmp w8, #1; b.ne some_loc
** Many, many cases of superfluous red-black-tree iteration prior to calls to KIntrusiveRedBlackTree::Remove have finally been optimized out.
*** Basically, KIntrusiveRedBlackTree::erase returns an iterator to the next item in the tree.
*** Previously, the table walk to find the next item was being performed even when the result was discarded/not-used, which was almost every case.
*** Now, it's successfully getting optimized out.
* KAutoObject's class token has been devirtualized.
** It is now stored as a 16-bit value in previously unused padding bytes, after the reference count.
** KAutoObject::Create() sets this to the correct value when setting refcount=1.
** This implementation is generally identical to the one already present in mesosphere.
* HandleFloatingPointException now sets a previously unused StackParameters flag (+0x2F) to 1.
** This flag doesn't seem to be referenced/used anywhere else in the kernel?
* KThread StackParameter exception_flags bitflags are now volatile and mostly atomic; many bits now use atomic read-modify-write loops to set and clear bits.
** This is not done for bit 0 ("is in svc"), accesses specifically for bit 0 continue to use non-atomic reads/writes.
** This generates pretty terrible assembly for GetThreadUserContext, which now must perform a volatile read of this value over and over in a loop.
* KIoRegion fields were reordered to save 8 bytes.
** The 8-byte size/alignment lock field is no longer wedged inbetween two 1-byte booleans.
* KScheduler::SwitchThread now writes a tick differential (thread->GetCpuTime() - context_switch_time) to user-tls + 0x108.
** NOTE: This is an ABI change which will not affect official software, but will force any homebrew software which uses TLS-slots to need re-compile.
* UserspaceAccess::CopyMemoryToUserSize32Bit now takes in a 32-bit word to write, instead of a kernel-pointer-to-32-bit-word.
* Nintendo appears to have done something akin to marking nn::Result nodiscard + gone through and fixed literally every instance of Result return values not being used.
** This results in sweeping changes (many Result-return functions are now void return, many new kernel panics, some changed behaviors), including e,g,
** KInterruptManager::ClearInterrupt no longer checks if a handler has been registered, and always clear the table entry.
** KInterruptManager::UnbindHandler is now void-return instead of Result; it no longer checks if the handler has been registered, and unconditionally clears to unbound state.
** KPageTableBase::InitializeForKernel now returns void, and panics if the KMemoryBlockManager::Initialize fails.
** KDebugBase::OnExitProcess/OnTerminateProcess now return void instead of Result.
** KEvent/KReadableEvent::Signal/Clear now return void instead of Result; svc::ClearEvent/SignalEvent now just calls the relevant function and returns ResultSuccess.
** KThreadLocalPage::Finalize now returns void + kernel-panics if unmapping the page fails; KProcess::DeleteThreadLocalRegion now returns void instead of Result.
** Every kernel-use of KInterruptManager::BindHandler now panics on failure.
** Every kernel-use of cpu::StoreDataCache and cpu::FlushDataCache and cpu::InvalidateDataCache now panics on failure.
** Every kernel-use of KThread::Initialize now panics on failure
** Every kernel-use of KThread::Run now panics on failure.
** The kernel-use of KDynamicSlabHeapPageAllocator::Initialize in resource manager init now panics on failure
** There are more cases, too many to fully enumerate with high confidence.

=== [[LDN_services|ldn]] ===
A vuln was [[Switch_System_Flaws|fixed]].

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-11-11_03-15-07&sys=hac]

{{NavboxVersions}}

SPL services

2025-11-12T00:57:37Z

SciresM: add some spl:ldn cmd details

SPL ("Secure Platform services") is responsible for handling all cryptographic operations within the system and relaying them to the [[SMC|Secure Monitor]] when necessary.

During [1.0.0-3.0.2], the only existing services were "csrng" and "spl:". However, in [4.0.0+] the "spl:" service was refactored and split into new services with different permission levels. Each service exposes the IPC command list differently in order to prevent cryptographic operations to take place in the wrong context.

In [2.0.0+] where previously only one AES keyslot was used, there is now support for 4 of them and when the session closes, all allocated AES keyslots are automatically freed.

[S2] The spl services were overhauled. New services were added, this appears to replace spl:mig where required for the relevant sysmodules. GenerateAesKek is no longer directly exposed, thus the Kek AccessKey and KeySource are no longer exposed.

= csrng =
This is "nn::spl::detail::IRandomInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GenerateRandomBytes]]
|}

== GenerateRandomBytes ==
Takes an output type-0xA buffer and fills it with random data from [[SMC#GenerateRandomBytes|GenerateRandomBytes SMC]]. Same command for "spl:" and "csrng" services, except for buffer-type.

= spl: =
This is "nn::spl::detail::IGeneralInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|}

Going by spl:ldn, this likely has a new interface on [S2]:

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GenerateRandomBytes|GenerateRandomBytes]]
|-
| 1 || [[#GetConfig|GetConfig]]
|-
| 2 ||
|-
| 3 ||
|-
| 4 ||
|-
| 5 || [[#GetConfigWithBuffer|GetConfigWithBuffer]]
|}

== GetConfig ==
Wrapper for [[SMC#GetConfig|GetConfig SMC]].

Takes an input u32 '''ConfigItem'''. Returns one or more output u64s '''ConfigValue'''.

== ModularExponentiate ==
Wrapper for [[SMC#ModularExponentiate|ModularExponentiate SMC]].

Takes an output type-0xA buffer '''DataOut''' and 3 input type-0x9 buffers '''DataIn''', '''ExpIn''' and '''ModIn'''.

Performs asymmetric crypto with user supplied modulus and exponent.

== Cmd2 ==
This is for the [S2] interface.

Takes no input, returns 0x10-bytes of output.

This returns the first 0xD-bytes from [[#GetConfigWithBuffer|GetConfigWithBuffer]] ConfigItem 8, byteswapped.

== Cmd3 ==
This is for the [S2] interface.

Takes no input. Returns unknown output, usually zeros?

== Cmd4 ==
This is for the [S2] interface.

Takes no input. Returns unknown output, usually zeros?

== GetConfigWithBuffer ==
Unofficial name.

Some config is incomplete when accessed with [[#GetConfig|GetConfig]], this allows returning the full config.

Takes an input u32 '''ConfigItem''' and an output type-0xA buffer.

== GenerateAesKek ==
Wrapper for [[SMC#GenerateAesKek|GenerateAesKek SMC]].

Takes an input 16-byte '''KeySource''' and two input u32s '''Generation''' and '''Option'''. Returns an output 16-byte '''AccessKey'''.

== LoadAesKey ==
Wrapper for [[SMC#LoadAesKey|LoadAesKey SMC]].

Takes an input u32 '''KeySlot''' , an input 16-byte '''AccessKey''' and an input 16-byte '''KeySource'''.

Sets the specified '''KeySlot''' with a key generated from '''AccessKey''' and '''KeySource'''.

[2.0.0+] Now verifies that the keyslot in use (0..3) is allocated by the current spl session, otherwise errors with 0xD21A. Previously, keyslot was hardcoded to 0.

== GenerateAesKey ==
Takes an input 16-byte '''AccessKey''' and an input 16-byte '''KeySource'''. Returns an output 16-byte '''AesKey'''.

Generates a new key by decrypting (AES-ECB) '''KeySource''' with a key generated from the supplied '''AccessKey''' and the key set with [[SMC#LoadAesKey|LoadAesKey SMC]].

[2.0.0+] Previously, it always used keyslot 0. Now it tries to allocate a keyslot to be used and returns 0xD01A if they're all busy. When the command is done, the keyslot is released.

== SetConfig ==
Wrapper for [[SMC#SetConfig|SetConfig SMC]].

Takes an input u32 '''ConfigItem''' and an input u64 '''ConfigValue'''.

Only '''ConfigItem''' 13 (IsChargerHiZModeEnabled) can be set.

== DecryptAndStoreGcKey ==
Wrapper for [[SMC#DecryptAndImportLotusKey|DecryptAndImportLotusKey SMC]].

Takes an input type-0x9 buffer '''DataIn''', an input 16-byte '''AccessKey''', an input 16-byte '''KeySource''' and an input u32 '''Version''' (0 for normal keys or 1 for extended keys).

Decrypts '''DataIn''' with a key generated from '''AccessKey''' and '''KeySource''' and imports it for later usage.

[5.0.0+] The '''Version''' argument was removed and this now calls the [[SMC#ReencryptDeviceUniqueData|ReencryptDeviceUniqueData SMC]] instead.

== DecryptGcMessage ==
Takes 3 input type-0x9 buffers '''DataIn''', '''ModIn''' and '''LabelHashIn'''.

Uses the [[SMC#ModularExponentiateByStorageKey|ModularExponentiateByStorageKey SMC]] to decrypt '''DataIn''' using the private key imported with [[#DecryptAndStoreGcKey]] and the supplied '''ModIn''' and '''LabelHashIn'''.

== IsDevelopment ==
No input. Returns an output u8 bool.

Uses [[#GetConfig]] internally.

== GenerateSpecificAesKey ==
Wrapper for [[SMC#GenerateSpecificAesKey|GenerateSpecificAesKey SMC]].

Takes an input 16-byte '''KeySource''' and two input u32s '''Generation''' and '''Option'''. Returns an output 16-byte '''AesKey'''.

== DecryptDeviceUniqueData ==
Wrapper for [[SMC#DecryptDeviceUniqueData|DecryptDeviceUniqueData SMC]].

Takes an output type-0xA buffer '''DataOut''', an input type-0x9 '''DataIn''', an input 16-byte '''AccessKey''', an input 16-byte '''KeySource''' and an input u32 '''Version''' (0 for normal keys or 1 for extended keys).

Decrypts '''DataIn''' into '''DataOut''' with a key generated from '''AccessKey''' and '''KeySource'''.

Used by [[SSL_services|SSL]] for TLS client-privk.

[5.0.0+] The '''Version''' argument was removed.

== DecryptAesKey ==
Takes an input 16-byte '''KeySource''' and two input u32s '''Generation''' and '''Option'''. Returns an output 16-byte '''AesKey'''.

Decrypts (AES-ECB) '''KeySource''' with a key set with [[SMC#LoadAesKey|LoadAesKey SMC]].

[2.0.0+] Introduced same keyslot allocation code as for [[#GenerateAesKey]].

== ComputeCtr ==
Takes an output type-0x46 buffer '''DataOut''', an input u32 '''KeySlot''', an input type-0x45 buffer '''DataIn''' and an input 16-byte '''IvCtr'''.

Uses [[SMC#ComputeAes|ComputeAes SMC]] to decrypt '''DataIn''' into '''DataOut''' using the key set in the specified '''KeySlot'''.

[2.0.0+] Verifies the keyslot was allocated by the current session.

== ComputeCmac ==
Wrapper for [[SMC#ComputeCmac|ComputeCmac SMC]].

Takes an input type-0x9 buffer '''DataIn''' and an input u32 '''KeySlot'''. Returns an output 16-byte '''Cmac'''.

[2.0.0+] Verifies the keyslot was allocated by the current session.

== LoadEsDeviceKey ==
Wrapper for [[SMC#DecryptAndImportEsDeviceKey|DecryptAndImportEsDeviceKey SMC]].

Takes an input type-0x9 buffer '''DataIn''', an input 16-byte '''AccessKey''', an input 16-byte '''KeySource''' and an input u32 '''Version''' (0 for normal keys or 1 for extended keys).

Decrypts '''DataIn''' with a key generated from '''AccessKey''' and '''KeySource''' and imports it for later usage.

[5.0.0+] The '''Version''' argument was removed and this now calls the [[SMC#ReencryptDeviceUniqueData|ReencryptDeviceUniqueData SMC]] instead.

== PrepareEsTitleKey ==
Wrapper for [[SMC#PrepareEsDeviceUniqueKey|PrepareEsDeviceUniqueKey SMC]].

Takes an output type-0xA buffer '''DataOut''' and 3 input type-0x9 buffers '''DataIn''', '''ModIn''' and '''LabelHashIn'''. Returns an output u32 '''DataOutSize'''.

[3.0.0+] Now takes an input u32 '''Generation'''.

Decrypts '''DataIn''' into '''DataOut''' using the private key imported with [[#LoadEsDeviceKey]] and the supplied '''ModIn'''. Afterwards, verifies RSA-OAEP encoding using '''LabelHashIn'''.

== LoadPreparedAesKey ==
Wrapper for [[SMC#LoadPreparedAesKey|LoadPreparedAesKey SMC]].

Takes an input u32 '''KeySlot''' and an input 16-byte '''AccessKey'''.

[2.0.0+] Verifies the keyslot was allocated in the current session.

== PrepareCommonEsTitleKey ==
Wrapper for [[SMC#PrepareEsCommonKey|PrepareEsCommonKey SMC]].

Takes an input 16-byte '''KeySource'''. Returns an output 16-byte '''AccessKey'''.

[3.0.0+] Now takes an input u32 '''Generation'''.

== AllocateAesKeySlot ==
Returns an output u32 '''KeySlot'''.

Returns error 0xD01A if all keyslots are taken.

== DeallocateAesKeySlot ==
Takes an input u32 '''KeySlot'''.

Returns error 0xD21A if the keyslot wasn't allocated by current session.

== GetAesKeySlotAvailableEvent ==
Returns an output event handle for synchronizing with the AES keyslots.

== SetBootReason ==
Takes an input u32 '''BootReason'''.

[4.0.0+] Returns 0xD41A if a value has been previously set without being [[#GetBootReason|gotten]].

== GetBootReason ==
Returns an output u32 '''BootReason'''.

[4.0.0+] Returns 0xD61A if a value has not previously been set and unsets the value after getting it.

= spl:mig =
This is "nn::spl::detail::ICryptoInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|}

= spl:fs =
This is "nn::spl::detail::IFsInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|-
| 9 || [[#DecryptAndStoreGcKey]]
|-
| 10 || [[#DecryptGcMessage]]
|-
| 12 || [[#GenerateSpecificAesKey]]
|-
| 19 || [[#LoadPreparedAesKey]]
|-
| 31 || [5.0.0+] GetPackage2Hash
|}

= spl:ssl =
This is "nn::spl::detail::ISslInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|-
| 13 || [[#DecryptDeviceUniqueData]]
|-
| 26 || [5.0.0+] DecryptAndStoreSslClientCertKey
|-
| 27 || [5.0.0+] ModularExponentiateWithSslClientCertKey
|}

= spl:es =
This is "nn::spl::detail::IEsInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|-
| 13 || [[#DecryptDeviceUniqueData]]
|-
| 17 || [[#LoadEsDeviceKey]]
|-
| 18 || [[#PrepareEsTitleKey]]
|-
| 20 || [2.0.0+] [[#PrepareCommonEsTitleKey]]
|-
| 28 || [5.0.0+] DecryptAndStoreDrmDeviceCertKey
|-
| 29 || [5.0.0+] ModularExponentiateWithDrmDeviceCertKey
|-
| 31 || [6.0.0+] PrepareEsArchiveKey
|-
| 32 || [6.0.0+] [[#LoadPreparedAesKey]]
|-
| 33 || [18.0.0+]
|}

= spl:manu =
This is "nn::spl::detail::IManuInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetConfig]]
|-
| 1 || [[#ModularExponentiate]]
|-
| 5 || [[#SetConfig]]
|-
| 7 || [[#GenerateRandomBytes]]
|-
| 11 || [[#IsDevelopment]]
|-
| 24 || [3.0.0+] [[#SetBootReason]]
|-
| 25 || [3.0.0+] [[#GetBootReason]]
|-
| 2 || [[#GenerateAesKek]]
|-
| 3 || [[#LoadAesKey]]
|-
| 4 || [[#GenerateAesKey]]
|-
| 14 || [[#DecryptAesKey]]
|-
| 15 || [[#ComputeCtr]]
|-
| 16 || [[#ComputeCmac]]
|-
| 21 || [2.0.0+] [[#AllocateAesKeySlot]]
|-
| 22 || [2.0.0+] [[#DeallocateAesKeySlot]]
|-
| 23 || [2.0.0+] [[#GetAesKeySlotAvailableEvent]]
|-
| 13 || [[#DecryptDeviceUniqueData]]
|-
| 30 || [5.0.0+] ReencryptDeviceUniqueData
|}

= (S2) spl:da =

= (S2) spl:gc =

= (S2) spl:nv =

= (S2) spl:hid =

= (S2) spl:ldn =
This is "nn::spl::detail::ILdnInterface".

This has IPC max_sessions 1?

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GenerateRandomBytes|GenerateRandomBytes]]
|-
| 1 || [[#GetConfig|GetConfig]]
|-
| 2 ||
|-
| 3 ||
|-
| 4 ||
|-
| 5 || [[#GetConfigWithBuffer|GetConfigWithBuffer]]
|-
| 7000 || [[#GenerateNxAdvertiseKey|GenerateNxAdvertiseKey]]
|-
| 7001 || [[#GenerateNxSessionKey|GenerateNxSessionKey]]
|-
| 7002 || [[#GenerateNxLp2pKeyIndex1|GenerateNxLp2pKeyIndex1]]
|-
| 7003 || [[#GenerateNxLp2pKeyIndex2|GenerateNxLp2pKeyIndex2]]
|-
| 7004 || [[#GenerateOunceAdvertiseKey|GenerateOunceAdvertiseKey]]
|-
| 7005 || [[#GenerateOunceSessionKey|GenerateOunceSessionKey]]
|}

The below 7000+ cmds take a KeySource (equivalent to NX-GenerateAesKey) and an u32. Bitmask 0x1F of the u32 is the Generation, 0x20 is valid but doesn't seem to do anything. Values >=0x21 throw error. A 0x10-byte outbuf is used for the output key. Cmd7004/Cmd7005 use a 0x20-byte outbuf. These are equivalent to GenerateAesKek+GenerateAesKey combined.

All of these use AES-ECB with the input KeySource, with the buffer as the output.

== GenerateNxAdvertiseKey ==
Unofficial name.

Takes an input 16-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Generates a key using the NX-equivalent of the ldn Kek-action_keysource.

== GenerateNxSessionKey ==
Unofficial name.

Takes an input 16-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Generates a key using the NX-equivalent of the ldn Kek-data_keysource.

== GenerateNxLp2pKeyIndex1 ==
Unofficial name.

Takes an input 16-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Generates a key using the NX-equivalent of the lp2p Kek-Index1.

== GenerateNxLp2pKeyIndex2 ==
Unofficial name.

Takes an input 16-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Generates a key using the NX-equivalent of the lp2p Kek-Index2.

== GenerateOunceAdvertiseKey ==
Unofficial name.

Takes an input 32-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Ounce version of [[#GenerateNxAdvertiseKey|GenerateNxAdvertiseKey]]. [[LDN_services|ldn]] only uses the first 0x10-bytes of the output key.

== GenerateOunceSessionKey ==
Unofficial name.

Takes an input 32-byte '''KeySource''', an input u32, and an output type-0xA buffer '''AesKey'''.

Ounce version of [[#GenerateNxSessionKey|GenerateNxSessionKey]]. [[LDN_services|ldn]] only uses the first 0x10-bytes of the output key.

[[Category:Services]]

21.0.0

2025-11-11T17:42:37Z

SciresM: Add 20 -> 21 kernel diff

The Switch 21.0.0 system update was released on November 11, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
*
* Added symbols above software icons displayed on the HOME Menu to indicate whether the software is a physical or a digital version.
* Added the ability to download data for a virtual game card even if the “Use Online License" setting is turned off.
*
* This option is available in the Options of a virtual game card when accessed via Virtual Game Cards from the HOME Menu.
*
*
* The information regarding Save Data Cloud Backup that appears when launching certain software has been updated.
* The option "Platinum Point Notification Settings” was renamed to "Nintendo Switch Online Notification Settings" in the Notifications menu in System Settings.
* Added the ability to disable the following options when performing a system transfer from a Nintendo Switch system to a Nintendo Switch 2 system using System Transfer to Nintendo Switch 2 in System Settings.
*
* Redownload Software on Nintendo Switch 2
* Transfer Album Data
*
*
* Added the ability to adjust the volume from the Quick Settings menu while in VR mode.
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware, ClientCertData, GameCardConfigurationData.
** Applets: qlaunch, auth, cabinet, controller, dataErase, error, playerSelect, swkbd, miiEdit, LibAppletWeb, LibAppletShop, overlayDisp, photoViewer, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application, myPage, splay.

The [[NGCT_services|ngct]]-sysmodule is now stubbed, the ngct:u service was moved into [[NGC_services|ngc]].

[[NPDM]] changes (besides usual version-bump):
* Bus: KernelCap HandleTableSize: removed HandleTableSize=0x100.
* bcat: Service access: removed bsdcfg, npns:u.
* friends: Service access: removed bsdcfg.
* ptm: Service server access: added fgm:0, fgm, fgm:9, removed fgm*.
* capmtp: Service access: removed fsp-srv, lm.
* ns: Service access: removed htc.
* psc: Service server access: added psc:c, psc:l, psc:m, srepo:a, srepo:u, removed psc*, srepo:*.
* npns: Service access: removed time:u.
* eclct: Service access: removed npns:s, psc:m.
* sdb: Service access: removed set.
* migration: Service access: removed nim:shp.
* pgl: Service access: removed erpt:c, lm, set.
* ngc: Service server access: added ngct:u.
* LibAppletShop: Service access: added friend:m.
* overlayDisp: Service access: added mnpp:sys.

RomFs changes:
* ErrorMessage: updated
* BrowserDll:
** "/browser/effective_tld_names.dat" updated
** "/browser/icudt62l.dat.lz4" added
** "/browser/MediaControls.css" updated
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/browser/MediaControls.js" updated
** "/browser/RootCaSdkAdditional.pem" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/": Various data updated.
** "/lyt/Browse/NodeMouse.arc" removed
** "/lyt/Browse/TapHighlight.arc" added
** "/message/": Various data updated.
** "/nro/netfront/core_0/default/" removed
** "/nro/netfront/core_0/Default/" added
** "/nro/netfront/core_3/default/" removed
** "/nro/netfront/core_3/Default/" added
* Help: "/legallines.htdocs/index.html" updated
* NgWord: "/0.txt" updated, "/version.dat" updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* TimeZoneBinary: updated
* [[System_Settings|FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula]]: All files updated.
* ControllerFirmware: "/FirmwareInfo.csv" updated, "/ukyosakyo_ep2_ota.bin" updated
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/qlaunch_action.bksnd" updated
** "/sound/qlaunch.bfsar" updated
* auth applet:
** "/message/": Various data updated.
** "/sound/auth_action.bksnd" updated
* cabinet applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/cabinet_action.bksnd" updated
* controller applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/controller_action.bksnd" updated
* dataErase applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/dataErase_action.bksnd" updated
* error applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/error_action.bksnd" updated
* playerSelect applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/playerSelect_action.bksnd" updated
* swkbd applet:
** "/message/": Various data updated.
** "/sound/swkbd_action.bksnd" updated
* overlayDisp applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/overlayDisp_action.bksnd" updated
* photoViewer applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/photoViewer_action.bksnd" updated
* [[Internet_Browser|LibAppletOff/LibAppletWeb/LibAppletShop/LibAppletLns/LibAppletAuth]]: All files updated.
* "starter" application:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/starter_action.bksnd" updated
* myPage applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/myPage_action.bksnd" updated
* splay applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/splay_action.bksnd" updated

=== IPC Interface Changes ===
* Interface Changed: nn::settings::IFirmwareDebugSettingsServer
** Added: 27 - buffer_entry_sizes: [0x141], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::settings::ISystemSettingsServer
** Added: 315 - buffer_entry_sizes: [0x141], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 319 - buffer_entry_sizes: [0x40], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 320 - buffer_entry_sizes: [0x40], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 321 - inbytes: 0x0, outbytes: 0x40
* Interface Changed: nn::pinmux::ISession
** Added: 11 - inbytes: 0x4, outbytes: 0x0
** Added: 12 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::mnpp::detail::ipc::IServiceForSystem
** Added: 200 - buffer_entry_sizes: [0x194], buffers: [0x16], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::prepo::detail::ipc::IPrepoService
** Added: 10106 - buffers: [0x9, 0x5], inbytes: 0x10, outbytes: 0x0, pid: True
** Added: 10107 - buffers: [0x9, 0x5], inbytes: 0x20, outbytes: 0x0, pid: True
** Added: 20102 - buffers: [0x9, 0x5], inbytes: 0x10, outbytes: 0x0
** Added: 20103 - buffers: [0x9, 0x5], inbytes: 0x20, outbytes: 0x0
* Unknown Interface prev-version: 0x710008741C
* Unknown Interface cur-version: 0x7100088640
* Interface Changed: nn::friends::detail::ipc::IServiceCreator
** Changed: 2 - outinterfaces: ['0x710008741C'] -> ['0x7100088640'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100088640'])
* Interface Changed: nn::nifm::detail::IRequest
** Added: 26 - buffer_entry_sizes: [0x100], buffers: [0x1A], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::psm::IPsmServer
** Added: 25 - inbytes: 0x0, outbytes: 0x4
** Added: 26 - inbytes: 0x0, outbytes: 0x1
** Added: 27 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::socket::sf::IClient
** Changed: 39 - outhandles: [1, 1] -> {} (final state: inbytes: 0x10, outbytes: 0x8)
** Added: 41 - inbytes: 0x4, outbytes: 0x8, outhandles: [1, 1, 1, 1, 1, 1]
** Added: 42 - buffers: [0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21], inbytes: 0x0, outbytes: 0x24
** Added: 43 - buffers: [0x21, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22], inbytes: 0x10, outbytes: 0x24
* Interface Changed: nn::hid::IHidDebugServer
** Added: 23 - inbytes: 0x4, outbytes: 0x0
** Added: 261 - inbytes: 0x40, outbytes: 0x0
** Added: 266 - buffer_entry_sizes: [0x4], buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 267 - inbytes: 0x18, outbytes: 0x0
** Added: 268 - inbytes: 0x10, outbytes: 0x0
** Added: 700 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::hid::IHidServer
** Added: 320 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, pid: True
** Added: 321 - inbytes: 0x8, outbytes: 0x0, pid: True
** Added: 3012 - buffer_entry_sizes: [0x80], buffers: [0x1A], inbytes: 0x0, outbytes: 0x0
** Added: 3013 - buffer_entry_sizes: [0x80], buffers: [0x19], inbytes: 0x0, outbytes: 0x0
** Added: 3014 - inbytes: 0x0, outbytes: 0x68
** Added: 3015 - inbytes: 0x68, outbytes: 0x0
** Added: 3150 - inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::hid::IHidSystemServer
** Added: 1323 - inbytes: 0x0, outbytes: 0x0
** Added: 1324 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 1325 - inbytes: 0x0, outbytes: 0x1
** Added: 1326 - inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::audio::detail::IAudioDevice
** Added: 21 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::audioctrl::detail::IAudioController
** Added: 43 - inbytes: 0x4, outbytes: 0x1
* Interface Changed: nn::wlan::detail::IPrivateWirelessCommunicationService
** Removed: 4 - inbytes: 0x4, outbytes: 0x0
** Removed: 5 - inbytes: 0x4, outbytes: 0x0
* Unknown Interface prev-version: 0x71000055E0
* Unknown Interface cur-version: 0x71000055C0
* Interface Changed: nn::rtc::IRtcManager
** Added: 14 - buffers: [0x22], inbytes: 0x4, outbytes: 0x8
** Added: 15 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::baas::IAdministrator
** Added: 291 - buffer_entry_sizes: [0x1000], buffers: [0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::baas::IAdministrator
** Added: 291 - buffer_entry_sizes: [0x1000], buffers: [0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Added: 428 - inbytes: 0x0, outbytes: 0x0
** Added: 429 - inbytes: 0x10, outbytes: 0x0
** Added: 430 - inbytes: 0x28, outbytes: 0x0
** Added: 516 - inbytes: 0x0, outbytes: 0x1
** Added: 517 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 518 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 519 - inbytes: 0x4, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 934 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 935 - inbytes: 0x0, outbytes: 0x0
** Added: 936 - inbytes: 0x0, outbytes: 0x88
** Added: 2369 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x1, outbytes: 0x4
** Added: 4099 - inbytes: 0x20, outbytes: 0x0
* Interface Changed: nn::ns::detail::IContentManagementInterface
** Added: 608 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::ns::detail::IDynamicRightsInterface
** Added: 29 - inbytes: 0x10, outbytes: 0x4
** Added: 30 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
* Interface Changed: nn::ns::detail::IECommerceInterface
** Added: 14 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ns::detail::IReadOnlyApplicationControlDataInterface
** Added: 18 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 19 - buffers: [0x6], inbytes: 0x10, outbytes: 0xC
** Added: 20 - buffers: [0x6], inbytes: 0x10, outbytes: 0xC
** Added: 21 - buffers: [0x6], inbytes: 0x10, outbytes: 0xC
** Added: 22 - buffers: [0x6], inbytes: 0x10, outbytes: 0xC
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Changed: 10100 - inbytes: 0x8 -> 0x10 (final state: buffers: [0x9, 0x5], inbytes: 0x10, outbytes: 0x0)
** Changed: 10101 - inbytes: 0x18 -> 0x20 (final state: buffers: [0x9, 0x5], inbytes: 0x20, outbytes: 0x0)
* Interface Changed: nn::capsrv::sf::IAlbumAccessorService
** Added: 50010 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::IApplicationAccessor
** Added: 310 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::IApplicationFunctions
** Changed: 14 - ininterfaces: [None] -> ['nn::am::service::IStorage'] (final state: buffer_entry_sizes: [0x20], buffers: [0x15], inbytes: 0x8, ininterfaces: ['nn::am::service::IStorage'], outbytes: 0x0)
** Changed: 310 - inbytes: 0x1 -> 0x18 (final state: inbytes: 0x18, ininterfaces: [None], outbytes: 0x0)
* Interface Changed: nn::am::service::ICommonStateGetter
** Added: 130 - inbytes: 0x0, outbytes: 0x0
** Added: 610 - inbytes: 0x8, outbytes: 0x0
** Added: 1003 - inbytes: 0x0, outbytes: 0x10
** Added: 1004 - inbytes: 0x0, outbytes: 0x8
** Added: 1005 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::am::service::IDebugFunctions
** Added: 150 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::IOverlayFunctions
** Added: 70 - inbytes: 0x0, outbytes: 0x0
** Added: 71 - inbytes: 0x0, outbytes: 0x0
** Added: 75 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::am::service::ISelfController
** Added: 73 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::ssl::sf::ISslService
** Added: 10 - buffers: [0x6, 0x6], inbytes: 0x4, outbytes: 0x0
** Added: 11 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ssl::sf::ISslServiceForSystem
** Added: 10 - buffers: [0x6, 0x6], inbytes: 0x4, outbytes: 0x0
** Added: 11 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 92 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 174 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
** Added: 175 - inbytes: 0x0, outbytes: 0x1
** Added: 176 - inbytes: 0x1, outbytes: 0x0
** Added: 177 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::erpt::sf::IContext
** Added: 5 - buffer_entry_sizes: [0x0, 0x0, 0x0, 0xC, 0x0, 0x0], buffers: [0x5, 0x5, 0x5, 0x5, 0x5, 0x5], inbytes: 0xC, outbytes: 0x0
** Changed: 6 - buffer_entry_sizes: [0x4C8, 0x0] -> [0xC, 0x10, 0x0], buffers: [0x15, 0x5] -> [0x5, 0x5, 0x5] (final state: buffer_entry_sizes: [0xC, 0x10, 0x0], buffers: [0x5, 0x5, 0x5], inbytes: 0x0, outbytes: 0x0)
** Changed: 7 - inbytes: 0x0 -> 0x10 (final state: inbytes: 0x10, outbytes: 0x0)
** Added: 40 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::visrv::sf::IApplicationDisplayService
** Added: 2103 - inbytes: 0x0, outbytes: 0x18
* Interface Changed: nn::pctl::detail::ipc::IParentalControlService
** Added: 1021 - inbytes: 0x0, outbytes: 0x0
** Added: 1022 - inbytes: 0x0, outbytes: 0x0
** Removed: 1456 - inbytes: 0x0, outbytes: 0x34
** Removed: 1951 - inbytes: 0x34, outbytes: 0x0
** Added: 2024 - inbytes: 0x0, outbytes: 0x0
** Changed: 145601 - outbytes: 0x36 -> 0x44 (final state: inbytes: 0x0, outbytes: 0x44)
** Changed: 195101 - inbytes: 0x36 -> 0x44 (final state: inbytes: 0x44, outbytes: 0x0)
* Unknown Interface prev-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface cur-version: 0x7100099A00 [ID = 0xfe214da9]
* Interface Changed: nn::npns::INpnsSystem
** Added: 204 - inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::es::IActiveRightsContext
** Added: 19 - buffer_entry_sizes: [0x20, 0x8], buffers: [0x6, 0x5], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::es::IETicketService
** Added: 1038 - buffer_entry_sizes: [0x8, 0x8], buffers: [0x6, 0x6], inbytes: 0x0, outbytes: 0x4
** Added: 3001 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::ndrm::low::detail::INdrmLowAdminInterface
** Added: 51 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x18, outbytes: 0x4
* Interface Changed: nn::fatalsrv::IService
** Added: 3 - inbytes: 0x38, outbytes: 0x0
* Interface Changed: nn::grcsrv::IContinuousRecorder
** Removed: 1 - inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x710005EC90 [ID = 0xef2a5618]
* Unknown Interface cur-version: 0x710005FEB0 [ID = 0xef2a5618]
* Interface Changed: nn::pdm::detail::INotifyService
** Changed: 100 - outinterfaces: ['0x710005EC90 [ID = 0xef2a5618]'] -> ['0x710005FEB0 [ID = 0xef2a5618]'] (final state: inbytes: 0x20, outbytes: 0x0, outinterfaces: ['0x710005FEB0 [ID = 0xef2a5618]'])
** Changed: 101 - outinterfaces: ['0x710005EC90 [ID = 0xef2a5618]'] -> ['0x710005FEB0 [ID = 0xef2a5618]'] (final state: inbytes: 0x20, outbytes: 0x0, outinterfaces: ['0x710005FEB0 [ID = 0xef2a5618]'])
* Interface Changed: nn::pl::detail::IPlatformServiceManagerForSystem
** Removed: 1000 - buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** Removed: 1001 - inbytes: 0x0, outbytes: 0x4
* Interface Removed: nn::migration::detail::IAsyncSaveDataMigrationPolicyInfoContext
* Unknown Interface prev-version: 0x7100140F78 [ID = 0x29d8801c]
* Unknown Interface cur-version: 0x7100127590 [ID = 0x29d8801c]
* Interface Changed: nn::migration::device::IDownloader
** Added: 390 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::device::IServer
** Removed: 120 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 121 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Removed: 510 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 511 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::device::IUploader
** Removed: 100 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 101 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Removed: 610 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 611 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::savedata::IClient
** Removed: 221 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 222 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::savedata::IServer
** Added: 220 - inbytes: 0x0, outbytes: 0x10
** Removed: 510 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 511 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::user::IService
** Removed: 1001 - inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncSaveDataMigrationPolicyInfoContext']
** Changed: 2250 - outinterfaces: ['0x7100140F78 [ID = 0x29d8801c]'] -> ['0x7100127590 [ID = 0x29d8801c]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100127590 [ID = 0x29d8801c]'])
** Changed: 2260 - outinterfaces: ['0x7100140F78 [ID = 0x29d8801c]'] -> ['0x7100127590 [ID = 0x29d8801c]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100127590 [ID = 0x29d8801c]'])
* Interface Changed: nn::olsc::srv::IOlscServiceForSystemService
** Added: 206 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IAsyncResult']
** Added: 302 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IAsyncResult']
* Interface Changed: nn::olsc::srv::IRemoteStorageController
** Added: 29 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IAsyncResult']
* Interface Changed: nn::omm::detail::IOperationModeManager
** Added: 300 - inbytes: 0x1, outbytes: 0x0
** Added: 301 - inbytes: 0x0, outbytes: 0x0
* Interface Added: nn::ngc::t::detail::IService
* Interface Changed: nn::ngc::detail::IService
** Added: 4 - buffers: [0x5], inbytes: 0x18, outbytes: 0x4
** Added: 5 - buffers: [0x6, 0x5], inbytes: 0x18, outbytes: 0x4

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_14 (previously master_key_13). See [[NCA]] for the KeyGeneration listing.

The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].

==== Kernel ====
* Compiler was upgraded (to clang 18.1.0+).
** Besides the usual reordering, this is now most noticeable in the following:
*** Many atomic st(l)xrs now use cmp + csetm + tbz instead of cbnz.
**** Testing on godbolt indicates this seems to be a change made in clang 18.1.0+ (not present in 17.0.1).
*** Many cases where they previously did some_condition ? m_a : m_b now have different assembly.
**** Previously: add Xn, Xz, #A; add Xm, Xz, #B; csel Xn, Xn, Xm; ldr Xn, [Xn]
**** Now: mov Xn, #A; mov Xn, #B; csel Xn, Xn, Xm; ldr Xn, [Xz, Xn]
*** Many cases of booleans now explicitly test for 1 instead of <any non-zero value>
**** Previously: ldrb w8, [x8]; cbz w8, some_loc
**** Now: ldrb w8, [x8]; cmp w8, #1; b.ne some_loc
** Many, many cases of superfluous red-black-tree iteration prior to calls to KIntrusiveRedBlackTree::Remove have finally been optimized out.
*** Basically, KIntrusiveRedBlackTree::erase returns an iterator to the next item in the tree.
*** Previously, the table walk to find the next item was being performed even when the result was discarded/not-used, which was almost every case.
*** Now, it's successfully getting optimized out.
* KAutoObject's class token has been devirtualized.
** It is now stored as a 16-bit value in previously unused padding bytes, after the reference count.
** KAutoObject::Create() sets this to the correct value when setting refcount=1.
** This implementation is generally identical to the one already present in mesosphere.
* HandleFloatingPointException now sets a previously unused StackParameters flag (+0x2F) to 1.
** This flag doesn't seem to be referenced/used anywhere else in the kernel?
* KInterruptManager/Controller was changed:
** KInterruptController::LocalState now stores the private spendsgir, which is also now saved/restored by KInterruptController::SaveLocalState/RestoreLocalState
** KSleepManager now spins for 100 microseconds before calling KInterruptManager::Save, after synchronizing all cores.
* cpu::DoCoreInterruptBarrier now uses a global KLightLock; this prevents more than one thread from performing an interrupt barrier at the same time.
* KThread StackParameter exception_flags bitflags are now volatile and mostly atomic; many bits now use atomic read-modify-write loops to set and clear bits.
** This is not done for bit 0 ("is in svc"), accesses specifically for bit 0 continue to use non-atomic reads/writes.
** This generates pretty terrible assembly for GetThreadUserContext, which now must perform a volatile read of this value over and over in a loop.
* KIoRegion fields were reordered to save 8 bytes.
** The 8-byte size/alignment lock field is no longer wedged inbetween two 1-byte booleans.
* KScheduler::SwitchThread now writes a tick differential (thread->GetCpuTime() - context_switch_time) to user-tls + 0x108.
** NOTE: This is an ABI change which will not affect official software, but will force any homebrew software which uses TLS-slots to need re-compile.
* UserspaceAccess::CopyMemoryToUserSize32Bit now takes in a 32-bit word to write, instead of a kernel-pointer-to-32-bit-word.
* Nintendo appears to have done something akin to marking nn::Result nodiscard + gone through and fixed literally every instance of Result return values not being used.
** This results in sweeping changes (many Result-return functions are now void return, many new kernel panics, some changed behaviors), including e,g,
** KInterruptManager::ClearInterrupt no longer checks if a handler has been registered, and always clear the table entry.
** KInterruptManager::UnbindHandler is now void-return instead of Result; it no longer checks if the handler has been registered, and unconditionally clears to unbound state.
** KPageTableBase::InitializeForKernel now returns void, and panics if the KMemoryBlockManager::Initialize fails.
** KDebugBase::OnExitProcess/OnTerminateProcess now return void instead of Result.
** KEvent/KReadableEvent::Signal/Clear now return void instead of Result; svc::ClearEvent/SignalEvent now just calls the relevant function and returns ResultSuccess.
** KThreadLocalPage::Finalize now returns void + kernel-panics if unmapping the page fails; KProcess::DeleteThreadLocalRegion now returns void instead of Result.
** Every kernel-use of KInterruptManager::BindHandler now panics on failure.
** Every kernel-use of cpu::StoreDataCache and cpu::FlushDataCache and cpu::InvalidateDataCache now panics on failure.
** Every kernel-use of KThread::Initialize now panics on failure
** Every kernel-use of KThread::Run now panics on failure.
** The kernel-use of KDynamicSlabHeapPageAllocator::Initialize in resource manager init now panics on failure
** There are more cases, too many to fully enumerate with high confidence.

=== [[LDN_services|ldn]] ===
A vuln was [[Switch_System_Flaws|fixed]].

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-11-11_03-15-07&sys=hac]

{{NavboxVersions}}

System Version Title

2025-08-11T07:14:20Z

SciresM: /* Retail */ add ounce 19.0.0, it has "/digest"

This is the system data archive with ProgramId 0100000000000809. It contains the files "/file" and, with [5.0.0+], "/digest".

With [S2] "/digest" was removed. Besides different platform strings, on [S2] this is identical besides the version hash.

= Format =
{| class=wikitable
! Offset
! Size
! Description
|-
| 0x0
| 0x1
| Major
|-
| 0x1
| 0x1
| Minor
|-
| 0x2
| 0x1
| Micro
|-
| 0x3
| 0x1
| Padding
|-
| 0x4
| 0x1
| Revision Major
|-
| 0x5
| 0x1
| Revision Minor
|-
| 0x6
| 0x2
| Padding
|-
| 0x8
| 0x20
| Platform string ("NX" with zeros afterwards, "Ounce" with [S2])
|-
| 0x28
| 0x40
| Version hash (Hex ASCII string). 0x28-bytes(not including NUL-terminator) normally with zeros afterwards.
|-
| 0x68
| 0x18
| Display version (System-version in string form with zeros afterwards, e.g. "2.1.0"). This is what is displayed in System settings.
|-
| 0x80
| 0x80
| Display title (System version in longform, e.g. "NintendoSDK Firmware for NX 2.0.0-15"). This is what is displayed in DevMenu.
|}

= Known Versions =
== NX ==
=== Retail ===
{| class=wikitable
! Firmware
! Version String
! Version hash
! "/digest" contents
! Notes
|-
| 1.0.0
| NintendoSDK Firmware for NX 1.0.0-15
| 84b8da475a02261c456e6472b403b31416480165
| N/A
|
|-
| 2.0.0
| NintendoSDK Firmware for NX 2.0.0-15
| 25233e518f580062b41f45fae7ce56bff261094a
| N/A
|
|-
| 2.1.0
| NintendoSDK Firmware for NX 2.1.0-0
| e548f82b0aaff5fd18cfd80e7b9bd9808eeb7c99
| N/A
|
|-
| 2.2.0
| NintendoSDK Firmware for NX 2.2.0-1
| c83b637205048e61e73c870f21271cc3c6364396
| N/A
|
|-
| 2.3.0
| NintendoSDK Firmware for NX 2.3.0-0
| 3ed3bbc8885b6362f4f244dcecd2b430fa27310e
| N/A
|
|-
| 3.0.0
| NintendoSDK Firmware for NX 3.0.0-10.0
| 7fbde2b0bba4d14107bf836e4643043d9f6c8e47
| N/A
|
|-
| 3.0.1
| NintendoSDK Firmware for NX 3.0.1-0.0
| a3363e086791370ed89dca69c697b4a8bc443d66
| N/A
|
|-
| 3.0.2
| NintendoSDK Firmware for NX 3.0.2-0.0
| 56bc7f71d0e13179ccb6543bbb33d7f537859e49
| N/A
|
|-
| 4.0.0
| NintendoSDK Firmware for NX 4.0.0-4.0
| 875be0f6edc29b23938b7aea50764421b9f217e5
| N/A
|
|-
| 4.0.1
| NintendoSDK Firmware for NX 4.0.1-0.0
| 826588c45cecab1672c46f5de87d83ea6008d583
| N/A
|
|-
| 4.1.0
| NintendoSDK Firmware for NX 4.1.0-0.0
| 314f9468b704e84e1ffed449dfa6108ba4be221d
| N/A
|
|-
| 5.0.0
| NintendoSDK Firmware for NX 5.0.0-3.0
| 66790aa646927601523df36a6750205cd944b3de
| gW93A#00050000#QRnTiv2kqQV-KO9DAn1Wzz4S2-SDH4Zd10y8Jx5KalI=
|
|-
| 5.0.1
| NintendoSDK Firmware for NX 5.0.1-0.0
| 4b51b56242cc388ef487e148048e2c80e25994ad
| gW93A#00050001#wBt05i54vmIPr7cs44Vvod3M9s5M2Yl2ZVd_pd036MY=
|
|-
| 5.0.2
| NintendoSDK Firmware for NX 5.0.2-0.0
| 683ab6ea765f68aa7b84cfafbe8bfb6cebb8cfa9
| gW93A#00050002#_Azj02OenS1rVwdAUqofLE16n9h3ECO6tgML5A50d7U=
|
|-
| 5.1.0
| NintendoSDK Firmware for NX 5.1.0-3.0
| 23f9df53e25709d756e0c76effcb2473bd3447dd
| gW93A#00050100#29uVhARHOdeTZmfdPnP785egrfRbPUW5n3IAACuHoPw=
|
|-
| 6.0.0
| NintendoSDK Firmware for NX 6.0.0-5.0
| ef435c4fcf83831d535424f6fc28e6c91f7669d1
| gW93A#00060000#9k9lgdev3glK0ltQTdWmdK7jU1BL9oWNJRAFkQpHUYI=
|
|-
| 6.0.1
| NintendoSDK Firmware for NX 6.0.1-1.0
| 880a0ba230a9b9225a87abe1de6c8ab8d832551e
| gW93A#00060001#a4EXpeev_mWNw7Dk0vkOsCMIxlosx2JuXPiOa5hEMd0=
|
|-
| 6.1.0
| NintendoSDK Firmware for NX 6.1.0-4.0
| 3e478da6353b192c36490f4aa34df0d10d575146
| gW93A#00060100#FziXCoELZt0C7o-t_rro9xWTcKkgPrsksov-OVrL00c=
|
|-
| 6.2.0
| NintendoSDK Firmware for NX 6.2.0-1.0
| 921f86701e69af7ac02712e24abf18a666c2b5fb
| CusHY#00060200#-uAUBEUSc-Se5mvfhJsj3Krr9ayN7IyTX60_XcLsZkQ=
|
|-
| 7.0.0
| NintendoSDK Firmware for NX 7.0.0-5.0
| e4b38b15e880d251c182323894077508803abaaf
| CusHY#00070000#5PRVTLegTfFlaOw3kznosYec9d8BxGj8pN3wqGa80so=
|
|-
| 7.0.1
| NintendoSDK Firmware for NX 7.0.1-1.0
| b9d2547128fa22760492cf09bffd0a3e43f2132c
| CusHY#00070001#rBuhja_901l8V8bKFqeiNBCY-fflYlZVa_iqvkpEGJI=
|
|-
| 8.0.0
| NintendoSDK Firmware for NX 8.0.0-4.99
| e19a1c3067a96ec3028d53564704e4fb76ef7c59
| CusHY#00080000#s7CpDsmxJh1kenRjC5cfTDfbrMFNHxBbzr6XvNTA5RI=
|
|-
| 8.0.1
| NintendoSDK Firmware for NX 8.0.1-1.0
| c7b483d6d953f515b9b449489dcfd828cb50fd69
| CusHY#00080001#fgCfbpEweqCg1S49PsWL_b9R-C1Vj_hJ6aTmSRxycSQ=
|
|-
| 8.1.0
| NintendoSDK Firmware for NX 8.1.0-1.0
| 250fc5984a776bf488cdbde04acfac2cd853978f
| CusHY#00080100#OvqIXdglAGfnEd_VQr28t7rUtxNE6LHjMQicnQ9o7zk=
|
|-
| 9.0.0
| NintendoSDK Firmware for NX 9.0.0-4.0
| 4de65c071fd0869695b7629f75eb97b2551dbf2f
| CusHY#00090000#-80vwBkUjWLb5Kpb_cnuTjBZ0rHwZHhN7R1-vg0Ti5c=
|
|-
| 9.0.1
| NintendoSDK Firmware for NX 9.0.1-1.0
| 2a6263de2d9f790a0df759d365a8a971a2be1101
| CusHY#00090001#qVDSOCehwMDCHyDnkXiTSJ1wEJZHtpRV_CLMKgD-fSw=
|
|-
| 9.1.0
| NintendoSDK Firmware for NX 9.1.0-1.0
| 5914af412282e4b9c0ced8fc19b7d04f74490a48
| CusHY#00090100#vIPNrRbf30SoU8ZJ6uGklMqKAkyjHfdE9m6yLFeChkE=
|
|-
| 9.2.0
| NintendoSDK Firmware for NX 9.2.0-1.0
| f420eb7a1345c3d7067c1fc8b9b0989d030e1041
| CusHY#00090200#Uxxmc8gYnfMqxzdZdygZ_OrKo98O7QA65s_EkZnGsDo=
|
|-
| 10.0.0
| NintendoSDK Firmware for NX 10.0.0-6.0
| 0fa58d66530d710027dfcd6ecfd78ae4940cd7ec
| CusHY#000a0000#EmdxOnZjZ9Ihf3Zskt_48pYgowAUeeJccU6tCBIweEc=
|
|-
| 10.0.1
| NintendoSDK Firmware for NX 10.0.1-1.0
| df6cdaee9e2a21e63d3f29485f682f72c0a3c6df
| CusHY#000a0001#JEuSEdid24qqHqQzfW1tuNsCGcCk-86gcPq0I7M1x18=
|
|-
| 10.0.2
| NintendoSDK Firmware for NX 10.0.2-1.0
| f90143fa8bbc061d4f68c35f95f04f8080c0ecdc
| CusHY#000a0002#BTOGo0giC7bbrNoi8JEm-FBzmXb2Kgpq4K3OzQrD5l8=
|
|-
| 10.0.3
| NintendoSDK Firmware for NX 10.0.3-1.0
| 254bdca8851c49b707c91f407aa2ab06e6be39f8
| CusHY#000a0003#4mBbTFYnE0Rtmh8NLCVq61rbvx0kJPQUxXkDpwj0V84=
|
|-
| 10.0.4
| NintendoSDK Firmware for NX 10.0.3-1.0
| 254bdca8851c49b707c91f407aa2ab06e6be39f8
| CusHY#000a0003#4mBbTFYnE0Rtmh8NLCVq61rbvx0kJPQUxXkDpwj0V84=
|
|-
| 10.1.0
| NintendoSDK Firmware for NX 10.1.0-1.0
| 4f496dc60fa0ebb4e731a3ec355ea80d9d9e98e9
| CusHY#000a0100#Vlw9dIEqjxE2F5jDOQPYWXs2p7wIGyDYWXXIyQGdxcE=
|
|-
| 10.1.1
| NintendoSDK Firmware for NX 10.1.0-1.0
| 4f496dc60fa0ebb4e731a3ec355ea80d9d9e98e9
| CusHY#000a0100#Vlw9dIEqjxE2F5jDOQPYWXs2p7wIGyDYWXXIyQGdxcE=
|
|-
| 10.2.0
| NintendoSDK Firmware for NX 10.2.0-1.0
| 7bcaa2b57b032fe0f73944072a55fb4cff5b5eb6
| CusHY#000a0200#90k0dE_eO7hRcs6ByTZMvgUm4lhEoqAlik96WkznQcQ=
|
|-
| 11.0.0
| NintendoSDK Firmware for NX 11.0.0-5.0
| 34197eba8810e2edd5e9dfcfbde7b340882e856d
| CusHY#000b0000#VyA0fsWi6ZBEOzVsseXIcEfFLqQMgW0tWzN2oJ7viqk=
|
|-
| 11.0.1
| NintendoSDK Firmware for NX 11.0.1-1.0
| 69103fcb2004dace877094c2f8c29e6113be5dbf
| CusHY#000b0001#iI0rZ0Q2dg3Evhd-8GoYmp-KTE8malKe0GOJgXa-XG8=
|
|-
| 12.0.0
| NintendoSDK Firmware for NX 12.0.0-4.0
| 97942e96fe34284d4820fdcc1e3818afe6fba88d
| CusHY#000c0000#C-BynYNPXdQJNBZjx02Hizi8lRUSIKLwPGa5p8EY1uo=
|
|-
| 12.0.1
| NintendoSDK Firmware for NX 12.0.1-1.0
| c564464a2f47db6a84b98685cfbb3a2ee25b240a
| CusHY#000c0001#YXsU5FTbkUh18QH27L3woGqw5n1gIDpMGbPXM8oACzY=
|
|-
| 12.0.2
| NintendoSDK Firmware for NX 12.0.2-1.0
| 2b43ddacdd02c08245d3d77ba8c296a24f54ccdc
| CusHY#000c0002#6tB3UVnmvT_nsNBMPSD-K1oe0IA1cYvYDyqDCjy2W_I=
|
|-
| 12.0.3
| NintendoSDK Firmware for NX 12.0.3-1.0
| 0cb3bc4061383f14258be29e1382512630ef5874
| CusHY#000c0003#E8Ph6vISWsJtN0E3hsfVRoZMG1Qqkc-qGRlAp-Bs2SI=
|
|-
| 12.1.0
| NintendoSDK Firmware for NX 12.1.0-1.0
| 76b10c2dab7d3aa73fc162f8dff1655e6a21caf4
| CusHY#000c0100#Hzs8Gtp6yKgGKMb732-5Q-NvbQcHCgBh_LQrrpg0bIs=
|
|-
| 13.0.0
| NintendoSDK Firmware for NX 13.0.0-4.0
| 9b87ee6cd509f49e7df100cae8b31bdcf628ebcb
| CusHY#000d0000#r1xneESd4PiTRYIhVIl0bK1ST5L5BUmv_uGPLqc4PPo=
|
|-
| 13.1.0
| NintendoSDK Firmware for NX 13.1.0-1.2
| 687351451968bf8d46d2abb927c0a1e3cb4025f0
| CusHY#000d0100#plps6S3C43QHhkI2oNvYIFjNxQjTcLdUX2_biEI5w2w=
|
|-
| 13.2.0
| NintendoSDK Firmware for NX 13.2.0-1.0
| 12047e7b29ae8263d4d498f7322a3ef20d73a73e
| CusHY#000d0200#JFVNVuG9x3V5tRshdD9FdJjgHOmzsrgXHocEPvW5eMM=
|
|-
| 13.2.1
| NintendoSDK Firmware for NX 13.2.1-1.0
| 6e99217a1ec1f19388cf40fadbb29990a18bfb06
| CusHY#000d0201#V1i7M7oEhkDaH1lcGlHhGAnyHONMAnTAA6pGdZ7MFqc=
|
|-
| 14.0.0
| NintendoSDK Firmware for NX 14.0.0-4.0
| 4775bf5e4fef675c759e34a2c3005bd0206f9d62
| CusHY#000e0000#35hWb15SBXTnbUfTMLBz9sCnfheuRGis0OTZqa7l8yw=
|
|-
| 14.1.0
| NintendoSDK Firmware for NX 14.1.0-1.0
| 43e2fb60ac6f1d3f08e445469f1aaeae01fae3ff
| CusHY#000e0100#ctIxSPR4jenzQNGc6y4zXIvzvF75ty53jN0T15Rjtmk=
|
|-
| 14.1.1
| NintendoSDK Firmware for NX 14.1.1-1.0
| aacbee77373bad2823dc30571f0bc12eebb5db09
| CusHY#000e0101#uTt4IVydkYqwYArOFR3BzOCmw0MkEeF_tZxHENYDh4E=
|
|-
| 14.1.2
| NintendoSDK Firmware for NX 14.1.2-1.0
| ad52f4983f7857a7bf0b9824de15cc4e92c5d2ab
| CusHY#000e0102#jHk6_VwXVPPl3ijRZ5jRy5MIAcUW_Q2uFdfJ0vrjhCA=
|
|-
| 15.0.0
| NintendoSDK Firmware for NX 15.0.0-4.0
| 064be9b3f0aabfda75944f03065d3a32f7523e67
| CusHY#000f0000#MJE7we0zvVhAnXN9uCU7fQAM7GiqGHpR5ECuC9G_nuU=
|-
| 16.0.0
| NintendoSDK Firmware for NX 16.0.0-3.0
| be1a2ac25b07bcd6f16924127003bbeb1b46ca19
| CusHY#00100000#k_VrW8iX7QgupPlYZYhg3dLEVDhqGN_iXW5Mm0VYEvQ=
|-
| 16.0.1
| NintendoSDK Firmware for NX 16.0.1-1.0
| 8b55ab2d7248f88a5cc35cfd0859e57a6d1b7e87
| CusHY#00100001#qHay53MkzVLOUU_Iy7_kyPlUMnaoi7HXCAmESYTft_c=
|-
| 16.0.2
| NintendoSDK Firmware for NX 16.0.2-1.0
| 4aa80cec72bb25cdde406f00527df6ff53f1475c
| CusHY#00100002#qjeCnaxVt5NjGjxosJOMVw-ZyR219B3qgAB3YtSil6g=
|-
| 16.0.3
| NintendoSDK Firmware for NX 16.0.3-1.0
| 479b0f2d1e187b9eef7661fca1f7fdb15f7c5d64
| CusHY#00100003#Lis4m_Z4pXlDAaBBxeRO66_glyu92IAf2-dHKNxYAJs=
|-
| 16.1.0
| NintendoSDK Firmware for NX 16.1.0-1.0
| 8c40cd350cdcf150593c0d31ff152586c6e7c7ee
| CusHY#00100100#3kOLHmbuMWa-kHN-SMtCkgNvwdwBHIb2b4f60BNNmrw=
|
|-
| 17.0.0
| NintendoSDK Firmware for NX 17.0.0-6.0
| d993bc431c51073d5a29a6c953d9f4008d6b68e8
| CusHY#00110000#ntMZ00Jmb7Rdu18Fy1FPZo7RO3h_MYIqxozbQQDcVaA=
|
|-
| 17.0.1
| NintendoSDK Firmware for NX 17.0.1-1.0
| 30dd7d0584cd38e3a1db26a5719566d21d77110e
| CusHY#00110001#7CmXEDXEN8wnVu-e7WY6Cv5CvmzjuG6EnKEkf1_jaC8=
|
|-
| 18.0.0
| NintendoSDK Firmware for NX 18.0.0-4.0
| 12dd67abcd6e05f44dc8a526e5af9c1f14202c8b
| CusHY#00120000#U531L4Si9RbhOVeyVppe18WHkJ0k4_KzrNtygsekMNo=
|
|-
| 18.0.1
| NintendoSDK Firmware for NX 18.0.1-1.0
| 8cf56436d71e12b36c6481c52c5afdc24ed40da2
| CusHY#00120001#chuxR_O35JFyJq7dIlT8yP1A-j1yBcF-iU4iVDjHt9g=
|
|-
| 18.1.0
| NintendoSDK Firmware for NX 18.1.0-1.0
| 437857bcb1604c717ae3fe62d03ae1fcaa783264
| CusHY#00120100#7pfwz-8raijuW2lv4UOi4Hukp-DuY898HEK6hEYUjSM=
|
|-
| 19.0.0
| NintendoSDK Firmware for NX 19.0.0-4.0
| 52971eebbba7ab9e6e23d73753aa63e0c3794b16
| CusHY#00130000#x2jf5al2EkqJmdvmnTFaL6s4ic7X68N0dY9jnwwcL98=
|
|-
| 19.0.1
| NintendoSDK Firmware for NX 19.0.1-1.0
| 835c78223df116284ef7e36e8441760edc81729c
| CusHY#00130001#6I1eeoSqDdjA7eXPDrsWBbdM-VxVhveQYiG1oNfNSt0=
|
|-
| 20.0.0
| NintendoSDK Firmware for NX 20.0.0-9.0
| 7147e1386c9b6c15d8f14e6ed68c4b9a7f28fb9b
| CusHY#00140000#x6A4ywhjzZU3HyC3CZRCfSndPILH3YfkRE9VfTo_pog=
|
|-
| 20.0.1
| NintendoSDK Firmware for NX 20.0.1-1.0
| 0b2540e5cd7498dd61f6caeca5136c73d9b1d21a
| CusHY#00140001#HmPjOvVID7TDJopFmbbEUVnz6xIL8gU8cNsGdFkVMEY=
|
|-
| 20.1.0
| NintendoSDK Firmware for NX 20.1.0-1.0
| fa9b24a1d97b9adf5fe462f7f0ee97e6ed6294d0
| CusHY#00140100#NbHLVbambSfa-7KueUgBsDVkof2MGPq66Tc2-0ZR-6E=
|
|-
| 20.1.1
| NintendoSDK Firmware for NX 20.1.1-1.0
| 9ffad64d79dd150490201461bdf66c8db963f57d
| CusHY#00140101#NKhZdIWIKBk5DuMY-ZAcIVD_THEHFAyfts1oab0oIuk=
|
|-
| 20.1.5
| NintendoSDK Firmware for NX 20.1.5-1.0
| 0605c36a7aa2535fb8989a0d133a0b96b0d97a12
| CusHY#00140105#mhy47tYgj1X6xuIIEzgm_eFw9DTa3ZZvwZwDVJPVYWQ=
|
|-
| 20.2.0
| NintendoSDK Firmware for NX 20.2.0-1.0
| ad939aa8ed828aa87f8ca9c6231bc76697298b8d
| CusHY#00140200#TT-sGuFXcg00F7aLle4yO-Oad3L_8CDBcPUOO6M3bWA=
|
|-
| 20.3.0
| NintendoSDK Firmware for NX 20.3.0-1.0
| c6061464f68281807f4780ae737392516d4813c7
| CusHY#00140300#g9uOjrFTeFaZmkMKnbwNB9dUs_tcVX6CmTqdRTxQz3w=
|
|}

=== Development ===
{| class=wikitable
! Firmware
! Version String
! Version hash
! "/digest" contents
! Notes
|-
| 0.1.0
| SystemUpdater for NX 0.1.0-0
| 3ea0c0e345e1722ff680ca25c6cd3103ceed8771
| N/A
| Mislabelled as pre-SDK firmware
|-
| 0.1.0
| NintendoSDK Firmware for NX 0.1.0-0
| 3ea0c0e345e1722ff680ca25c6cd3103ceed8771
| N/A
|
|-
| 0.1.1
| NintendoSDK Firmware for NX 0.1.1
| 20ef5fa83ad495b62a4eb622b392f1d2190d1057
| N/A
|
|-
| 0.2.0
| NintendoSDK Firmware for NX 0.2.0-0
| 8a76dab01ce5184ef0b49563c0e34477c0ff0acc
| N/A
|
|-
| 0.2.0
| NintendoSDK Firmware for NX 0.2.0-2
| 789b0cfcb4b426f295ee731da2670a7d6c365a79
| N/A
|
|-
| 0.2.0
| NintendoSDK Firmware for NX 0.2.0-4
| 82e0e249cceca1b603e733866b9f1ee6a7b62190
| N/A
|
|-
| 0.4.0
| NintendoSDK Firmware for NX 0.4.0-0
| 5686fc6f648e48671abbea0f0779aa35dc947dd7
| N/A
| Pre-installed on DPRD consoles.
|-
| 0.4.0
| NintendoSDK Firmware for NX 0.4.0-0
| 32393bb753612184500a4da77d59c4f85f1fad39
| N/A
|
|-
| 0.5.0
| NintendoSDK Firmware for NX 0.5.0-0
| 00813b5cef05e218f580d9fa1daf67307ed80f02
| N/A
|
|-
| 0.5.0
| NintendoSDK Firmware for NX 0.5.0-3
| 37ff4f65e03e1e2076147e5f1df3d833f39d92a3
| N/A
| Pre-installed on certain SDEV MP consoles.
|-
| 0.5.0
| NintendoSDK Firmware for NX 0.5.0-3
| 3a3abe4672d4239f8170c530714d9be8b1b31dfa
| N/A
| Pre-installed on certain EDEV MP consoles.
|-
| 0.6.0
| NintendoSDK Firmware for NX 0.6.0-0
| 71b5fecf27c06ed69fdc5e1b1ec36c176678f545
| N/A
|
|-
| 0.6.0
| NintendoSDK Firmware for NX 0.6.0-2
| 439c2e0624a149a122221fa9273182ca208ef40b
| N/A
|
|-
| 0.6.0
| NintendoSDK Firmware for NX 0.6.0-2
| bc02e9b3826cf80f3716416b75b945cef2fdd36f
| N/A
|
|-
| 0.7.0
| NintendoSDK Firmware for NX 0.7.0-0
| b08d4289d3649ce920d81347663b979ab2ebe0e4
| N/A
|
|-
| 0.7.0
| NintendoSDK Firmware for NX 0.7.0-1
| bb914d5b3c0548dc34f9e84e8ae1d7b37cbc5042
| N/A
|
|-
| 0.7.0
| NintendoSDK Firmware for NX 0.7.0-1
| 3fd5f2c9daf130867a1ab7db237de6c1d8c9be25
| N/A
|
|-
| 0.8.0
| NintendoSDK Firmware for NX 0.8.0-2
| 2b9ac2b11f137f92336665d07d5bf4eb395cf692
| N/A
|
|-
| 0.8.4
| NintendoSDK Firmware for NX 0.8.4-0
| b8d85144f9d43ad72dd293cb66e295e0506eadd7
| N/A
|
|-
| 0.8.5
| NintendoSDK Firmware for NX 0.8.5-0
| 136abeb28b902570295d6a8898c9518b182f5123
| N/A
|
|-
| 0.8.5
| NintendoSDK Firmware for NX 0.8.5-0
| 3dd94e3e75a61a7a828756919dba98c42ed7069a
| N/A
| Version of 0.8.5 with all the normal applets
|-
| 0.8.5
| NintendoSDK Firmware for NX 0.8.5-0
| 36733157fb1d0a3e0926015093bb1a19125d76df
| N/A
|
|-
| 0.8.7
| NintendoSDK Firmware for NX 0.8.7-0
| 086dfbea06fb48b15975df8935bbb0c610040e37
| N/A
|
|-
| 1.0.0
| NintendoSDK Firmware for NX 1.0.0-5
| 1f8c8eea9a629ea55fa8351cc5091e6db78aced9
| N/A
|
|-
| 1.0.0
| NintendoSDK Firmware for NX 1.0.0-17
| 6263af8c7d7724fd11c573dd9467dedbb61cbec7
| N/A
|
|-
| 2.0.0
| NintendoSDK Firmware for NX 2.0.0-2
| a76769473b39479ee40aaa96b0991412f382d637
| N/A
|
|-
| 2.0.0
| NintendoSDK Firmware for NX 2.0.0-3
| 646274cb0611ee0d07a664b58f24f3c36843f60c
| N/A
|
|-
| 3.0.0
| NintendoSDK Firmware for NX 3.0.0-1.0
| 46b7df4a4286b0ce191417e8ef5fbb1ef766b7b9
| N/A
|
|-
| 3.0.0
| NintendoSDK Firmware for NX 3.0.0-7.0
| aafadd9f3bd88c8cb4c9dd598aba6d4f23545b4c
| N/A
|
|-
| 3.0.1
| NintendoSDK Firmware for NX 3.0.1-1.0
| 917c9c125078bf604f762322b38dde1a9f01651e
| N/A
|
|-
| 4.0.1
| NintendoSDK Firmware for NX 4.0.1-0.0
| cfdbf4bf29913bfa965ddd31063d4577a13f634e
| N/A
|
|-
| 4.1.0
| NintendoSDK Firmware for NX 4.1.0-1.0
| 2eb7c2f82c588ad5cb73e88fcd656ecf6d0ecf4b
| N/A
|
|-
| 5.1.0
| NintendoSDK Firmware for NX 5.1.0-2.0
| 1e6eeb584624ec74cd7f0aad1f4e27fe34421916
| gW93A#00050100#29uVhARHOdeTZmfdPnP785egrfRbPUW5n3IAACuHoPw=
|
|-
| 6.0.0
| NintendoSDK Firmware for NX 6.0.0-1.0
| cec29af339974a31f085bd970bc00ff801409d6d
| gW93A#00060000#9k9lgdev3glK0ltQTdWmdK7jU1BL9oWNJRAFkQpHUYI=
|
|-
| 6.2.0
| NintendoSDK Firmware for NX 6.2.0-1.0
| 84e27a0321707eb641f8a6a0eefa8e72f57263f0
| CusHY#00060200#-uAUBEUSc-Se5mvfhJsj3Krr9ayN7IyTX60_XcLsZkQ=
|
|-
| 7.0.0
| NintendoSDK Firmware for NX 7.0.0-1.0
| 76e673b87fe461a6942a062b66942f20ca7c67a8
| gW93A#00070000#-yCvsyiPWY6z6z_sxqtNBQQLl9f6roDNZc5ErfWucIU=
|
|-
| 7.0.1
| NintendoSDK Firmware for NX 7.0.1-1.0
| 507cc44ebc5db0ee7ecc888b068373729d6721dc
| CusHY#00070001#rBuhja_9O1l8V8bKFqeiNBCY-fflYlZVa_iqvkpEGJI=
|
|-
| 8.0.1
| NintendoSDK Firmware for NX 8.0.1-1.0
| 77b000cb1de3d987ff5fccdb4c35c0865a82c57b
| CusHY#00080001#fgCfbpEweqCg1S49PsWL_b9R-C1Vj_hJ6aTmSRxycSQ=
|
|-
| 8.1.0
| NintendoSDK Firmware for NX 8.1.0-1.0
| ea2157a12d37e66546d999d67e6fb46aa29d16cd
| CusHY#00080100#OvqIXdglAGfnEd_VQr28t7rUtxNE6LHjMQicnQ9o7zk=
|
|-
| 9.0.0
| NintendoSDK Firmware for NX 9.0.0-1.0
| 3258337b6455534c1347a8c4f6ea44becc38c5ea
| CusHY#00090000#-80vwBkUjWLb5Kpb_cnuTjBZ0rHwZHhN7R1-vg0Ti5c=
|
|-
| 9.0.0
| NintendoSDK Firmware for NX 9.0.0-5.0
| 9527665016204363d31502161fadefa85f99081a
| CusHY#00090000#-80vwBkUjWLb5Kpb_cnuTjBZ0rHwZHhN7R1-vg0Ti5c=
| Pre-installed on certain EDEV-D MP and HDEV MP consoles.
|-
| 9.0.1
| NintendoSDK Firmware for NX 9.0.1-1.0
| 64975f7d2f19214a45d7749d2e9b0a6aa2d2c9e1
| CusHY#00090001#qVDSOCehwMDCHyDnkXiTSJ1wEJZHtpRV_CLMKgD-fSw=
|
|-
| 9.1.0
| NintendoSDK Firmware for NX 9.1.0-1.0
| 3f7f4f966e283d8c490de7c74356402534a2d8e1
| CusHY#00090100#vIPNrRbf30SoU8ZJ6uGklMqKAkyjHfdE9m6yLFeChkE=
|
|-
| 9.1.0
| NintendoSDK Firmware for NX 9.1.0-2.0
| 6d4a80bc865b69674dcf97fa2f3d511ed8f0a4e1
| CusHY#00090100#vIPNrRbf30SoU8ZJ6uGklMqKAkyjHfdE9m6yLFeChkE=
|
|-
| 9.2.0
| NintendoSDK Firmware for NX 9.2.0-1.0
| 0d8a2066a53c2ed5fa8d3b9dc486a0e877ecc4d7
| CusHY#00090200#Uxxmc8gYnfMqxzdZdygZ_OrKo98O7QA65s_EkZnGsDo=
|
|-
| 10.0.0
| NintendoSDK Firmware for NX 10.0.0-1.0
| 25bd1fcccda8ff3ffa54d8ddf2dbb37667df97c2
| CusHY#000a0000#EmdxOnZjZ9Ihf3Zskt_48pYgowAUeeJccU6tCBIweEc=
|
|-
| 10.0.0
| NintendoSDK Firmware for NX 10.0.0-2.0
| 16b7761efb697e273396a6b37beb0fc892eefcb0
| CusHY#000a0000#EmdxOnZjZ9Ihf3Zskt_48pYgowAUeeJccU6tCBIweEc=
|
|-
| 10.0.0
| NintendoSDK Firmware for NX 10.0.0-3.0
| ebbb57d71133383dfe894b81b6ab598ffbc34da7
| CusHY#000a0000#EmdxOnZjZ9Ihf3Zskt_48pYgowAUeeJccU6tCBIweEc=
|
|-
| 10.0.0
| NintendoSDK Firmware for NX 10.0.0-4.0
| 45797b8dd053c47405b77d2f24d30841c9c27145
| CusHY#000a0000#EmdxOnZjZ9Ihf3Zskt_48pYgowAUeeJccU6tCBIweEc=
|
|-
| 10.0.0
| NintendoSDK Firmware for NX 10.0.0-6.0
| 0b36d72cc9038954202842583e694f5dce9728dd
| CusHY#000a0000#EmdxOnZjZ9Ihf3Zskt_48pYgowAUeeJccU6tCBIweEc=
|
|-
| 10.0.1
| NintendoSDK Firmware for NX 10.0.1-1.0
| e3f269e19490592fd6c83957983ca49458cf9932
| CusHY#000a0001#JEuSEdid24qqHqQzfW1tuNsCGcCk-86gcPq0I7M1x18=
|
|-
| 10.0.2
| NintendoSDK Firmware for NX 10.0.2-1.0
| f72302ca144a1bce988310f4473248e4fe6f88b1
| CusHY#000a0002#BTOGo0giC7bbrNoi8JEm-FBzmXb2Kgpq4K3OzQrD5l8=
|
|-
| 10.0.3
| NintendoSDK Firmware for NX 10.0.3-1.0
| c189eeac744f64fe2bf9bc3a1717c5470b5cac65
| CusHY#000a0003#4mBbTFYnE0Rtmh8NLCVq61rbvx0kJPQUxXkDpwj0V84=
|
|-
| 10.0.4
| NintendoSDK Fimrware for NX 10.0.4-1.0
| d48ab1fee03a4e0e9bdecb536418146240cda28c
| CusHY#000a0004#zTIjlVsAjVPsrLrASfdwd4r03O94n3jtDS7V53hIcR4=
|
|-
| 10.0.4
| NintendoSDK Firmware for NX 10.0.4-1.1
| b37bd75e54c842e21f931562e0efddf6375681c7
| CusHY#000a0004#zTIjlVsAjVPsrLrASfdwd4r03O94n3jtDS7V53hIcR4=
|
|-
| 10.1.0
| NintendoSDK Firmware for NX 10.1.0-3.0
| 811f1f87deedddaddba4425ae5fb3b892b865cbf
| CusHY#000a0100#Vlw9dIEqjxE2F5jDOQPYWXs2p7wIGyDYWXXIyQGdxcE=
|
|-
| 10.2.0
| NintendoSDK Firmware for NX 10.2.0-3.0
| a1382cea70005bea869673c40bacd111f8785c1b
| CusHY#000a0200#90k0dE_eO7hRcs6ByTZMvgUm4lhEoqAlik96WkznQcQ=
|
|-
| 10.2.0
| NintendoSDK Firmware for NX 10.2.0-4.0
| 79797e08e261632caf8a306c60518c0e91cc8800
| CusHY#000a0200#90k0dE_eO7hRcs6ByTZMvgUm4lhEoqAlik96WkznQcQ=
|
|-
| 11.0.0
| NintendoSDK Firmware for NX 11.0.0-1.0
| 6fec683f603b9ee0ec3cb8138f7a91f74d782ff4
| CusHY#000b0000#VyA0fsWi6ZBEOzVsseXIcEfFLqQMgW0tWzN2oJ7viqk=
|
|-
| 11.0.0
| NintendoSDK Firmware for NX 11.0.0-2.0
| a39e2ee536c93c13ca879a50a9d1b457cde81dc4
| CusHY#000b0000#VyA0fsWi6ZBEOzVsseXIcEfFLqQMgW0tWzN2oJ7viqk=
|
|-
| 11.0.0
| NintendoSDK Firmware for NX 11.0.0-3.0
| 39fc6a3b0a95469c878e754e0bd24eba9f217051
| CusHY#000b0000#VyA0fsWi6ZBEOzVsseXIcEfFLqQMgW0tWzN2oJ7viqk=
|
|-
| 11.0.0
| NintendoSDK Firmware for NX 11.0.0-3.1
| d642c137a44d7f4b30ddce9f696c281998a0dc26
| CusHY#000b0000#VyA0fsWi6ZBEOzVsseXIcEfFLqQMgW0tWzN2oJ7viqk=
|
|-
| 11.0.0
| NintendoSDK Firmware for NX 11.0.0-4.0
| d64f1b3004555fb4279b14cea1e06370114bf2f6
| CusHY#000b0000#VyA0fsWi6ZBEOzVsseXIcEfFLqQMgW0tWzN2oJ7viqk=
|
|-
| 11.0.0
| NintendoSDK Firmware for NX 11.0.0-6.0
| ec03314d2d4b4dcd240d83a5217bc80800aa8456
| CusHY#000b0000#VyA0fsWi6ZBEOzVsseXIcEfFLqQMgW0tWzN2oJ7viqk=
|
|-
| 11.0.1
| NintendoSDK Firmware for NX 11.0.1-1.0
| 994fa419fbc9cf13ced5986794a669dc0160c7df
| CusHY#000b0001#iI0rZ0Q2dg3Evhd-8GoYmp-KTE8malKe0GOJgXa-XG8=
|
|-
| 11.0.1
| NintendoSDK Firmware for NX 11.0.1-1.2
| 54a19d40c9f834e728b7290084a16e37f19e1ff0
| CusHY#000b0001#iI0rZ0Q2dg3Evhd-8GoYmp-KTE8malKe0GOJgXa-XG8=
|
|-
| 12.0.0
| NintendoSDK Firmware for NX 12.0.0-1.0
| 69d9b0f4931f50c7fcc1a96e14ea159b7b7a835a
| CusHY#000c0000#C-BynYNPXdQJNBZjx02Hizi8lRUSIKLwPGa5p8EY1uo=
|
|-
| 12.0.0
| NintendoSDK Firmware for NX 12.0.0-2.0
| 5c281eb3aca91d851708f42aec4481d19d8cf6be
| CusHY#000c0000#C-BynYNPXdQJNBZjx02Hizi8lRUSIKLwPGa5p8EY1uo=
|
|-
| 12.0.0
| NintendoSDK Firmware for NX 12.0.0-3.0
| 4aca53fcbe7f17c05411ef663c256d0b59e105ba
| CusHY#000c0000#C-BynYNPXdQJNBZjx02Hizi8lRUSIKLwPGa5p8EY1uo=
|
|-
| 12.0.0
| NintendoSDK Firmware for NX 12.0.0-3.0
| 4b71ea4ac11fa019da7405b4fbbf3af452f9786e
| CusHY#000c0000#C-BynYNPXdQJNBZjx02Hizi8lRUSIKLwPGa5p8EY1uo=
| Pre-installed on certain ADEV MP consoles.
|-
| 12.0.0
| NintendoSDK Firmware for NX 12.0.0-5.0
| 3b474c8053b4ccb6ba34f2692885d4710a564076
| CusHY#000c0000#C-BynYNPXdQJNBZjx02Hizi8lRUSIKLwPGa5p8EY1uo=
|
|-
| 12.0.1
| NintendoSDK Firmware for NX 12.0.1-1.0
| b59f4e032faf08d9f210ae83cc4ca4d0c27ff082
| CusHY#000c0001#YXsU5FTbkUh18QH27L3woGqw5n1gIDpMGbPXM8oACzY=
|
|-
| 12.0.2
| NintendoSDK Firmware for NX 12.0.2-1.0
| b6ceec060059816fc5431d9218c297118e74cc3a
| CusHY#000c0002#6tB3UVnmvT_nsNBMPSD-K1oe0IA1cYvYDyqDCjy2W_I=
|
|-
| 12.0.3
| NintendoSDK Firmware for NX 12.0.3-1.0
| 8aa8e9452ef235ce3f730557c94811072f193a03
| CusHY#000c0003#E8Ph6vISWsJtN0E3hsfVRoZMG1Qqkc-qGRlAp-Bs2SI=
|
|-
| 12.1.0
| NintendoSDK Firmware for NX 12.1.0-1.0
| ca01cff44337796c3274c9fdf33bd6a8611cf31b
| CusHY#000c0100#Hzs8Gtp6yKgGKMb732-5Q-NvbQcHCgBh_LQrrpg0bIs=
|
|-
| 13.0.0
| NintendoSDK Firmware for NX 13.0.0-1.0
| e83fe527e549561d4113f6ffc70e7196df489997
| CusHY#000d0000#r1xneESd4PiTRYIhVIl0bK1ST5L5BUmv_uGPLqc4PPo=
|
|-
| 13.0.0
| NintendoSDK Firmware for NX 13.0.0-2.0
| a1083d2e97d9d9b672a3037dc9f4d9e45a50d8f6
| CusHY#000d0000#r1xneESd4PiTRYIhVIl0bK1ST5L5BUmv_uGPLqc4PPo=
|
|-
| 13.0.0
| NintendoSDK Firmware for NX 13.0.0-3.0
| 56c6892300351126ed61f8e6f68e2f8027e062c8
| CusHY#000d0000#r1xneESd4PiTRYIhVIl0bK1ST5L5BUmv_uGPLqc4PPo=
|
|-
| 13.0.0
| NintendoSDK Firmware for NX 13.0.0-5.0
| c33e24efa623098a1eef78443c42839e74587414
| CusHY#000d0000#r1xneESd4PiTRYIhVIl0bK1ST5L5BUmv_uGPLqc4PPo=
|
|-
| 13.1.0
| NintendoSDK Firmware for NX 13.1.0-1.3
| a18493fa4ce9eaa7ff257540abe54e2387eab082
| CusHY#000d0100#plps6S3C43QHhkI2oNvYIFjNxQjTcLdUX2_biEI5w2w=
|
|-
| 13.2.0
| NintendoSDK Firmware for NX 13.2.0-1.0
| 9f181d351ab659a32cc618561398d86cce274e62
| CusHY#000d0200#JFVNVuG9x3V5tRshdD9FdJjgHOmzsrgXHocEPvW5eMM=
|
|-
| 13.2.1
| NintendoSDK Firmware for NX 13.2.1-1.0
| 7b0bad6d7a2d7cfbc96dc88a6bfacb4a87d8633a
| CusHY#000d0201#V1i7M7oEhkDaH1lcGlHhGAnyHONMAnTAA6pGdZ7MFqc=
|
|-
| 13.2.1
| NintendoSDK Firmware for NX 13.2.1-1.1
| c275501689eceb5c6e88479e9c5ae4c5fd712882
| CusHY#000d0201#V1i7M7oEhkDaH1lcGlHhGAnyHONMAnTAA6pGdZ7MFqc=
|
|-
| 14.0.0
| NintendoSDK Firmware for NX 14.0.0-1.0
| 52128cd3de097af16870f1c617e813d5ce9de1ef
| CusHY#000e0000#35hWb15SBXTnbUfTMLBz9sCnfheuRGis0OTZqa7l8yw=
|
|-
| 14.0.0
| NintendoSDK Firmware for NX 14.0.0-2.0
| ae112b9d0abdad2c0ae99fc5cdaae7d1a62097fb
| CusHY#000e0000#35hWb15SBXTnbUfTMLBz9sCnfheuRGis0OTZqa7l8yw=
|
|-
| 14.0.0
| NintendoSDK Firmware for NX 14.0.0-3.0
| 780db0b6d293d08c792d9680ad6b9ee2a7e58c09
| CusHY#000e0000#35hWb15SBXTnbUfTMLBz9sCnfheuRGis0OTZqa7l8yw=
|
|-
| 14.0.0
| NintendoSDK Firmware for NX 14.0.0-5.0
| 99ec0f583e3ddb5d70e9e26abbc65c2df592f894
| CusHY#000e0000#35hWb15SBXTnbUfTMLBz9sCnfheuRGis0OTZqa7l8yw=
|
|-
| 14.1.0
| NintendoSDK Firmware for NX 14.1.0-1.0
| d4f087695beccb014a8ef8c259a5f0a61f9ddb1c
| CusHY#000e0100#ctIxSPR4jenzQNGc6y4zXIvzvF75ty53jN0T15Rjtmk=
|
|}

=== Other ===
{| class=wikitable
! Firmware
! Version String
! Version hash
! "/digest" contents
! Notes
|-
| 0.8.0
| SystemUpdater for NX 0.8.0-3
| a228ae430829d6324cd80c7bb5953889ffc950f9
| N/A
| Pre-SDK firmware
|-
| 0.9.0
| SystemUpdater for NX 0.9.0-0
| 4ef77bf71d3da940a0b75f791d341157ffae075a
| N/A
| Pre-SDK firmware
|-
| 0.9.0
| SystemUpdater for NX 0.9.0-0
| 8fcc7067deaca6a8f2b7754503ae535df8c83b08
| N/A
| Pre-SDK firmware
|-
| 0.7.0
| NintendoSDK Firmware for NX 0.7.0-0
| 07814d60b31c5925b0c9330d68a7ade1f39f350d
| N/A
| Revision of [[Factory Setup|factory firmware]].
|-
| 1.0.0-89d9b_r49916
| NintendoSDK Firmware for NX 1.0.0-7
| 89d9b7e2576ce56866be5b16de85906157a7e72d
| N/A
| Pre-release version of firmware 1.0.0
|-
| 2.0.0
| NintendoSDK Firmware for NX 2.0.0-2
| 665fafc03935d12eebba8060a135516b021ccbaa
| N/A
| Revision of [[Factory Setup|factory firmware]].
|-
| 2.0.0
| NintendoSDK Firmware for NX 2.0.0-13
| 5c53d88ef4b4e7fd1ba8e34fef8535712da9a149
| N/A
| Pre-release version of firmware 2.0.0
|-
| 2.0.0
| NintendoSDK Firmware for NX 2.0.0-13
| 60b5fa391b0055f50fec362d29ac18395f387412
| N/A
| Revision of [[Factory Setup|factory firmware]].
|-
| 3.0.0
| NintendoSDK Firmware for NX 3.0.0-10.0
| 83480e96a810a6c7cd3a8fb58dfb5b53961ac781
| N/A
| Revision of [[Factory Setup|factory firmware]].
|-
| 3.0.1
| NintendoSDK Firmware for NX 3.0.1-0.0
| 1fc07046046a3677a08b7cf9d49b4de0c957fb25
| N/A
| Revision of [[Factory Setup|factory firmware]].
|-
| 6.0.0
| NintendoSDK Firmware for NX 6.0.0-4.0
| 5dc1909aea612d7a444884faca584fa8ae895b5c
| gW93A#00060000#9k9lgdev3glK0ltQTdWmdK7jU1BL9oWNJRAFkQpHUYI=
| Pre-release version of firmware 6.0.0.
|-
| 7.0.0
| NintendoSDK Firmware for NX 7.0.0-5.0
| bceb282da2e3053a7de410df29ee53128e85702e
| CusHY#00070000#5PRVTLegTfFlaOw3kznosYec9d8BxGj8pN3wqGa80so=
| Revision of [[Factory Setup|factory firmware]].
|-
| 8.1.1
| NintendoSDK Firmware for NX 8.1.1-12.0
| 0d124bb8ddfe1065087d6837957357b369878ba3
| CusHY#00080101#PNfaWb4Y5K1aH-JaerDQijXvq460tJdVp5kwe8HlGbA=
| Present on certain Chinese game cards
|-
| 8.1.1
| NintendoSDK Firmware for NX 8.1.1-100.0
| 16593da95879534f7d67af8edef0be017c8fcc32
| CusHY#00080101#PNfaWb4Y5K1aH-JaerDQijXvq460tJdVp5kwe8HlGbA=
| Pre-installed on certain Lite devices
|-
| 9.1.0
| NintendoSDK Firmware for NX 9.1.0-1.0
| 4f9001d7fc04469cffe95812b0086c3c13badbad
| CusHY#00090100#vIPNrRbf30SoU8ZJ6uGklMqKAkyjHfdE9m6yLFeChkE=
| Revision of [[Factory Setup|factory firmware]].
|-
| 14.0.0
| NintendoSDK Firmware for NX 14.0.0-4.0
| c0245d4e92aa5e6ec5d0862cd837ad360480ecdd
| CusHY#000e0000#35hWb15SBXTnbUfTMLBz9sCnfheuRGis0OTZqa7l8yw=
| Revision of [[Factory Setup|factory firmware]].
|}

== Ounce ==
=== Retail ===
{| class=wikitable
! Firmware
! Version String
! Version hash
! "/digest" contents
! Notes
|-
| 19.0.0
| NintendoSDK Firmware for Ounce 19.0.0-4.0
| cca59ba31e315a7623da1e4dc6c7b8c2ff303569
| CusHY#00130000#x2jf5al2EkqJmdvmnTFaL6s4ic7X68N0dY9jnwwcL98=
|
|-
| 20.1.1
| NintendoSDK Firmware for Ounce 20.1.1-1.0
| d4148c28417c3438d2d020ca545ce3e7b6388628
| N/A
|
|}

=== Development ===
{| class=wikitable
! Firmware
! Version String
! Version hash
! Notes
|-
|}

=== Other ===
{| class=wikitable
! Firmware
! Version String
! Version hash
! Notes
|-
|}

20.1.5

2025-06-19T02:08:18Z

SciresM: /* System Titles */ erpt

The Switch 20.1.5 system update was released on June 19, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.

==System Titles==
* The following titles were updated:
** Sysmodules: account, ns, erpt, pctl, migration.
** Applets: qlaunch.

[[NPDM]] changes (besides usual version-bump):
* migration: Service access: added eupld:c.

RomFs changes:
* [[System_Version_Title|SystemVersion]]: All files updated.

=== [[Error_Report_services|erpt]] ===
Only a single instruction was changed (besides GNU build-id). Previously, when validating the CreateReportContext in Reporter::CreateReport, Nintendo checks that FieldId_ErrorCode is present, and that the field corresponding to FieldId_ErrorCode has type == FieldType_String (ResultFieldTypeMismatch if not) and that it has size <= 0xE (ResultArrayFieldTooLarge if not).

It now checks that the error code string is size <= 0xF instead of <= 0xE.

=== IPC Interface Changes ===
* Unknown Interface prev-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface prev-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100086228 [ID = 0x36f3a242]
* Unknown Interface cur-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100086228 [ID = 0x36f3a242]
* Unknown Interface prev-version: 0x7100266784 [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100265338 [ID = 0x107aa108]
* Unknown Interface prev-version: 0x71001A5D44 [ID = 0x04dea048]
* Unknown Interface prev-version: 0x7100266A1C [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x710026714C [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x71001A6348 [ID = 0x4e930893]
* Unknown Interface prev-version: 0x7100266E70 [ID = 0x36f3a242]
* Unknown Interface cur-version: 0x71002673BC [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x71002669F4 [ID = 0x3af03446]
* Unknown Interface cur-version: 0x71002655A8 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x71001A65C0 [ID = 0x4e930893]
* Unknown Interface cur-version: 0x7100266C8C [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x71002670E0 [ID = 0x36f3a242]
* Unknown Interface cur-version: 0x71001A5FBC [ID = 0x04dea048]
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Changed: 292 - outinterfaces: ['0x7100266784 [ID = 0x3af03446]'] -> ['0x71002669F4 [ID = 0x3af03446]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x71002669F4 [ID = 0x3af03446]'])
** Changed: 293 - outinterfaces: ['0x7100266A1C [ID = 0x38f0bb3d]'] -> ['0x7100266C8C [ID = 0x38f0bb3d]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100266C8C [ID = 0x38f0bb3d]'])
** Changed: 350 - outinterfaces: ['0x7100266E70 [ID = 0x36f3a242]'] -> ['0x71002670E0 [ID = 0x36f3a242]'] (final state: inbytes: 0x1, outbytes: 0x0, outinterfaces: ['0x71002670E0 [ID = 0x36f3a242]'])
** Changed: 352 - outinterfaces: ['0x710026714C [ID = 0x0919ff75]'] -> ['0x71002673BC [ID = 0x0919ff75]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71002673BC [ID = 0x0919ff75]'])
* Interface Changed: nn::account::baas::IAdministrator
** Changed: 181 - outinterfaces: ['0x7100265338 [ID = 0x107aa108]'] -> ['0x71002655A8 [ID = 0x107aa108]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71002655A8 [ID = 0x107aa108]'])
** Changed: 182 - outinterfaces: ['0x7100265338 [ID = 0x107aa108]'] -> ['0x71002655A8 [ID = 0x107aa108]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x71002655A8 [ID = 0x107aa108]'])
* Interface Changed: nn::account::baas::IManagerForSystemService
** Changed: 181 - outinterfaces: ['0x7100265338 [ID = 0x107aa108]'] -> ['0x71002655A8 [ID = 0x107aa108]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71002655A8 [ID = 0x107aa108]'])
** Changed: 182 - outinterfaces: ['0x7100265338 [ID = 0x107aa108]'] -> ['0x71002655A8 [ID = 0x107aa108]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x71002655A8 [ID = 0x107aa108]'])
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Changed: 4026 - outinterfaces: ['0x71001A5D44 [ID = 0x04dea048]'] -> ['0x71001A5FBC [ID = 0x04dea048]'] (final state: inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A5FBC [ID = 0x04dea048]'])
** Changed: 4027 - outinterfaces: ['0x71001A6348 [ID = 0x4e930893]'] -> ['0x71001A65C0 [ID = 0x4e930893]'] (final state: inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A65C0 [ID = 0x4e930893]'])
* Unknown Interface prev-version: 0x710013C728 [ID = 0x6e021695]
* Unknown Interface prev-version: 0x71001408F8 [ID = 0x29d8801c]
* Unknown Interface prev-version: 0x7100141D04 [ID = 0x3c7c9db7]
* Unknown Interface prev-version: 0x7100140D7C [ID = 0xeb5e4ee2]
* Unknown Interface prev-version: 0x710013E3E8 [ID = 0x8cf617a1]
* Unknown Interface cur-version: 0x710013E538 [ID = 0x8cf617a1]
* Unknown Interface cur-version: 0x7100140ECC [ID = 0xeb5e4ee2]
* Unknown Interface cur-version: 0x710013C878 [ID = 0x6e021695]
* Unknown Interface cur-version: 0x7100140A48 [ID = 0x29d8801c]
* Unknown Interface cur-version: 0x7100141E54 [ID = 0x3c7c9db7]
* Interface Changed: nn::migration::user::IService
** Changed: 2100 - outinterfaces: ['0x710013C728 [ID = 0x6e021695]'] -> ['0x710013C878 [ID = 0x6e021695]'] (final state: buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C878 [ID = 0x6e021695]'])
** Changed: 2110 - outinterfaces: ['0x710013C728 [ID = 0x6e021695]'] -> ['0x710013C878 [ID = 0x6e021695]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C878 [ID = 0x6e021695]'])
** Changed: 2200 - outinterfaces: ['0x710013E3E8 [ID = 0x8cf617a1]'] -> ['0x710013E538 [ID = 0x8cf617a1]'] (final state: buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E538 [ID = 0x8cf617a1]'])
** Changed: 2210 - outinterfaces: ['0x710013E3E8 [ID = 0x8cf617a1]'] -> ['0x710013E538 [ID = 0x8cf617a1]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E538 [ID = 0x8cf617a1]'])
** Changed: 2250 - outinterfaces: ['0x71001408F8 [ID = 0x29d8801c]'] -> ['0x7100140A48 [ID = 0x29d8801c]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140A48 [ID = 0x29d8801c]'])
** Changed: 2260 - outinterfaces: ['0x71001408F8 [ID = 0x29d8801c]'] -> ['0x7100140A48 [ID = 0x29d8801c]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140A48 [ID = 0x29d8801c]'])
** Changed: 2300 - outinterfaces: ['0x7100140D7C [ID = 0xeb5e4ee2]'] -> ['0x7100140ECC [ID = 0xeb5e4ee2]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140ECC [ID = 0xeb5e4ee2]'])
** Changed: 2310 - outinterfaces: ['0x7100140D7C [ID = 0xeb5e4ee2]'] -> ['0x7100140ECC [ID = 0xeb5e4ee2]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140ECC [ID = 0xeb5e4ee2]'])
** Changed: 2400 - outinterfaces: ['0x7100141D04 [ID = 0x3c7c9db7]'] -> ['0x7100141E54 [ID = 0x3c7c9db7]'] (final state: inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141E54 [ID = 0x3c7c9db7]'])
** Changed: 2420 - outinterfaces: ['0x7100141D04 [ID = 0x3c7c9db7]'] -> ['0x7100141E54 [ID = 0x3c7c9db7]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141E54 [ID = 0x3c7c9db7]'])

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-06-19_01-05-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

20.1.1

2025-06-19T02:08:02Z

SciresM: Reverted edit by SciresM (talk) to last revision by Yellows8

The Switch 20.1.1 system update was released on June 3, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* Fixed an issue where some software would not start after updating to system version 20.1.0.

==System Titles==
* The following titles were updated:
** Sysmodules: ns.

[[NPDM]] changes (besides usual version-bump): none.

RomFs changes:
* [[System_Version_Title|SystemVersion]]: All files updated.

=== IPC Interface Changes ===
* Unknown Interface prev-version: 0x7100266784 [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100265338 [ID = 0x107aa108]
* Unknown Interface prev-version: 0x71001A5D44 [ID = 0x04dea048]
* Unknown Interface prev-version: 0x7100266A1C [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x710026714C [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x71001A6348 [ID = 0x4e930893]
* Unknown Interface prev-version: 0x7100266E70 [ID = 0x36f3a242]
* Unknown Interface cur-version: 0x7100266784 [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100265338 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x71001A5D44 [ID = 0x04dea048]
* Unknown Interface cur-version: 0x7100266A1C [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x710026714C [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x71001A6348 [ID = 0x4e930893]
* Unknown Interface cur-version: 0x7100266E70 [ID = 0x36f3a242]

=== [[NS_services|ns]] ===
This seems to be a rebuild?(IPC-client vfuncs were added)

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-06-03_00-04-35&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

20.1.1

2025-06-19T02:07:49Z

SciresM: /* System Titles */ erpt

The Switch 20.1.1 system update was released on June 3, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* Fixed an issue where some software would not start after updating to system version 20.1.0.

==System Titles==
* The following titles were updated:
** Sysmodules: ns.

[[NPDM]] changes (besides usual version-bump): none.

RomFs changes:
* [[System_Version_Title|SystemVersion]]: All files updated.

=== IPC Interface Changes ===
* Unknown Interface prev-version: 0x7100266784 [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100265338 [ID = 0x107aa108]
* Unknown Interface prev-version: 0x71001A5D44 [ID = 0x04dea048]
* Unknown Interface prev-version: 0x7100266A1C [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x710026714C [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x71001A6348 [ID = 0x4e930893]
* Unknown Interface prev-version: 0x7100266E70 [ID = 0x36f3a242]
* Unknown Interface cur-version: 0x7100266784 [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100265338 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x71001A5D44 [ID = 0x04dea048]
* Unknown Interface cur-version: 0x7100266A1C [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x710026714C [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x71001A6348 [ID = 0x4e930893]
* Unknown Interface cur-version: 0x7100266E70 [ID = 0x36f3a242]

=== [[Error_Report_services|erpt]] ===
Only a single instruction was changed (besides GNU build-id). Previously, when validating the CreateReportContext in Reporter::CreateReport, Nintendo checks that FieldId_ErrorCode is present, and that the field corresponding to FieldId_ErrorCode has type == FieldType_String (ResultFieldTypeMismatch if not) and that it has size <= 0xE (ResultArrayFieldTooLarge if not).

It now checks that the error code string is size <= 0xF instead of <= 0xE.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-06-03_00-04-35&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

20.1.0

2025-05-28T21:21:21Z

SciresM: Add ro diff

The Switch 20.1.0 system update was released on May 28, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
*
* Visual updates have been made to the Parental Control settings.
* The sound that plays when Nintendo Switch Online is launched from the HOME Menu has been changed.
* General system stability improvements to enhance the user's experience.
*
* Note: If performing a system transfer from Nintendo Switch to Nintendo Switch 2 using local communication, the Nintendo Switch console will need to be updated to this latest system version to perform the transfer. See System Transfer from Nintendo Switch to Nintendo Switch 2 for more information.

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, NgWord, SsidList, LocalNews, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, ControllerIcon, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware, 0100000000000859, 010000000000085C.
** Applets: qlaunch, auth, controller, dataErase, error, netConnect, playerSelect, LibAppletWeb, LibAppletShop, overlayDisp, photoViewer, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application, myPage, splay.

[[NPDM]] changes (besides usual version-bump): none.

Sysmodules were rebuilt with latest SDK, unless noted otherwise the only .text changes are from sdkver-update / logging-constants-update. The sysmodules with actual changes are (besides ones with IPC changes):
* bcat, jit, ...

RomFs changes:
* ErrorMessage: updated
* BrowserDll:
** "/buildinfo/buildinfo.dat" updated
** "/lyt/": Various data updated.
** "/nro/netfront/": Various data updated.
** "/sound/cruiser.bfsar" updated
* NgWord: "/version.dat" updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* LocalNews: "/image/LnMoonIntro/list.jpg" updated, "/image/LnMoonIntro/main.jpg" updated, "/message/CNzhT/" added
* [[System_Settings|FirmwareDebugSettings]]: All files updated.
* ControllerIcon: "/lyt/ColorTable" updated
* ControllerFirmware: "/FirmwareInfo.csv" updated, "/tera_fullkey_ota.bin" updated, "/tera_fullkey_ota_iap.bin" updated, "/tera_ota.bin" updated, "/tera_ota_iap.bin" updated
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/qlaunch_action.bksnd" updated
** "/sound/qlaunch.bfsar" updated
** "/texture/LogoMoonCNzh.bntx" added
** "/texture/LogoMoonEUde.bntx" updated
** "/texture/LogoMoonEUen.bntx" removed
** "/texture/LogoMoonEUes.bntx" removed
** "/texture/LogoMoonEUfr.bntx" removed
** "/texture/LogoMoonEUit.bntx" updated
** "/texture/LogoMoonEUnl.bntx" updated
** "/texture/LogoMoonEUpt.bntx" updated
** "/texture/LogoMoonEUru.bntx" updated
** "/texture/LogoMoonJPja.bntx" updated
** "/texture/LogoMoonTWzh.bntx" added
** "/texture/LogoMoonUSen.bntx" updated
** "/texture/LogoMoonUSes.bntx" updated
** "/texture/LogoMoonUSfr.bntx" updated
** "/texture/LogoMoonUSpt.bntx" added
* auth applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/auth_action.bksnd" updated
** "/sound/auth.bfsar" updated
* controller applet:
** "/message/": Various data updated.
** "/sound/controller_action.bksnd" updated
* dataErase applet:
** "/message/": Various data updated.
** "/sound/dataErase_action.bksnd" updated
* error applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/error_action.bksnd" updated
** "/sound/error.bfsar" updated
** "/texture/LogoMoonCNzh.bntx" added
** "/texture/LogoMoonEUde.bntx" updated
** "/texture/LogoMoonEUen.bntx" removed
** "/texture/LogoMoonEUes.bntx" removed
** "/texture/LogoMoonEUfr.bntx" removed
** "/texture/LogoMoonEUit.bntx" updated
** "/texture/LogoMoonEUnl.bntx" updated
** "/texture/LogoMoonEUpt.bntx" updated
** "/texture/LogoMoonEUru.bntx" updated
** "/texture/LogoMoonJPja.bntx" updated
** "/texture/LogoMoonTWzh.bntx" added
** "/texture/LogoMoonUSen.bntx" updated
** "/texture/LogoMoonUSes.bntx" updated
** "/texture/LogoMoonUSfr.bntx" updated
** "/texture/LogoMoonUSpt.bntx" added
* netConnect applet:
** "/message/": Various data updated.
** "/sound/netConnect_action.bksnd" updated
* playerSelect applet:
** "/message/": Various data updated.
** "/sound/playerSelect_action.bksnd" updated
** "/sound/playerSelect.bfsar" updated
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.
* overlayDisp applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/infoLHub.raw" updated
** "/sound/infoPtcl.raw" updated
** "/sound/infoTimerOver.raw" updated
** "/sound/infoTimer.raw" updated
** "/sound/overlayDisp_action.bksnd" updated
* photoViewer applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/photoViewer_action.bksnd" updated
* "starter" application:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/starter_action.bksnd" updated
* myPage applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/myPage_action.bksnd" updated
** "/sound/myPage.bfsar" updated
* splay applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/splay_action.bksnd" updated
** "/sound/splay.bfsar" updated

=== IPC Interface Changes ===
* Unknown Interface prev-version: 0x710008741C
* Unknown Interface cur-version: 0x710008741C
* Interface Changed: nn::hid::IHidDebugServer
** Added: 214 - inbytes: 0x8, outbytes: 0x1D
* Interface Changed: nn::hid::IHidSystemServer
** Added: 1158 - inbytes: 0x1, outbytes: 0x0
** Added: 1159 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::wlan::detail::IWirelessCommunicationService
** Changed: 120 - outbytes: 0x28 -> 0x2C (final state: inbytes: 0x0, outbytes: 0x2C)
* Unknown Interface prev-version: 0x71000055E0
* Unknown Interface cur-version: 0x71000055E0
* Unknown Interface prev-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface prev-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100086228 [ID = 0x36f3a242]
* Unknown Interface cur-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100086228 [ID = 0x36f3a242]
* Unknown Interface prev-version: 0x71001A4F60 [ID = 0x4e930893]
* Unknown Interface prev-version: 0x7100264B34 [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100264DCC [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x7100265220 [ID = 0x36f3a242]
* Unknown Interface prev-version: 0x71002654FC [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x71001A495C [ID = 0x04dea048]
* Unknown Interface prev-version: 0x71002636E8 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x7100266784 [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100265338 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x71001A5D44 [ID = 0x04dea048]
* Unknown Interface cur-version: 0x7100266A1C [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x710026714C [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x71001A6348 [ID = 0x4e930893]
* Unknown Interface cur-version: 0x7100266E70 [ID = 0x36f3a242]
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Changed: 292 - outinterfaces: ['0x7100264B34 [ID = 0x3af03446]'] -> ['0x7100266784 [ID = 0x3af03446]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100266784 [ID = 0x3af03446]'])
** Changed: 293 - outinterfaces: ['0x7100264DCC [ID = 0x38f0bb3d]'] -> ['0x7100266A1C [ID = 0x38f0bb3d]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100266A1C [ID = 0x38f0bb3d]'])
** Changed: 350 - outinterfaces: ['0x7100265220 [ID = 0x36f3a242]'] -> ['0x7100266E70 [ID = 0x36f3a242]'] (final state: inbytes: 0x1, outbytes: 0x0, outinterfaces: ['0x7100266E70 [ID = 0x36f3a242]'])
** Changed: 352 - outinterfaces: ['0x71002654FC [ID = 0x0919ff75]'] -> ['0x710026714C [ID = 0x0919ff75]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710026714C [ID = 0x0919ff75]'])
* Interface Changed: nn::account::baas::IAdministrator
** Changed: 181 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
** Changed: 182 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
* Interface Changed: nn::account::baas::IManagerForSystemService
** Changed: 181 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
** Changed: 182 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Added: 933 - buffers: [0x6], inbytes: 0x90, outbytes: 0x4
** Added: 2183 - inbytes: 0x8, outbytes: 0x0
** Changed: 4026 - outinterfaces: ['0x71001A495C [ID = 0x04dea048]'] -> ['0x71001A5D44 [ID = 0x04dea048]'] (final state: inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A5D44 [ID = 0x04dea048]'])
** Changed: 4027 - outinterfaces: ['0x71001A4F60 [ID = 0x4e930893]'] -> ['0x71001A6348 [ID = 0x4e930893]'] (final state: inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A6348 [ID = 0x4e930893]'])
* Interface Changed: nn::ns::detail::IContentManagementInterface
** Added: 58 - inbytes: 0x0, outbytes: 0x0
** Added: 71 - inbytes: 0x1, outbytes: 0x10
* Interface Changed: nn::ns::detail::IReadOnlyApplicationControlDataInterface
** Added: 17 - buffers: [0x6], inbytes: 0x90, outbytes: 0x4
* Unknown Interface prev-version: 0x71000CE314 [ID = 0x359536d2]
* Unknown Interface cur-version: 0x71000CE4B4 [ID = 0x359536d2]
* Interface Changed: nn::am::service::IAllSystemAppletProxiesService
** Changed: 460 - outinterfaces: ['0x71000CE314 [ID = 0x359536d2]'] -> ['0x71000CE4B4 [ID = 0x359536d2]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000CE4B4 [ID = 0x359536d2]'])
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 173 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface prev-version: 0x7100096B3C [ID = 0xdf171f31]
* Unknown Interface cur-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface cur-version: 0x7100096B3C [ID = 0xdf171f31]
* Unknown Interface prev-version: 0x710005ECA0 [ID = 0xef2a5618]
* Unknown Interface cur-version: 0x710005ECA0 [ID = 0xef2a5618]
* Unknown Interface prev-version: 0x710014064C [ID = 0x29d8801c]
* Unknown Interface prev-version: 0x7100140AD0 [ID = 0xeb5e4ee2]
* Unknown Interface prev-version: 0x710013C47C [ID = 0x6e021695]
* Unknown Interface prev-version: 0x7100141A58 [ID = 0x3c7c9db7]
* Unknown Interface prev-version: 0x710013E13C [ID = 0x8cf617a1]
* Unknown Interface cur-version: 0x710013C728 [ID = 0x6e021695]
* Unknown Interface cur-version: 0x71001408F8 [ID = 0x29d8801c]
* Unknown Interface cur-version: 0x7100141D04 [ID = 0x3c7c9db7]
* Unknown Interface cur-version: 0x7100140D7C [ID = 0xeb5e4ee2]
* Unknown Interface cur-version: 0x710013E3E8 [ID = 0x8cf617a1]
* Interface Changed: nn::migration::user::IService
** Changed: 2100 - outinterfaces: ['0x710013C47C [ID = 0x6e021695]'] -> ['0x710013C728 [ID = 0x6e021695]'] (final state: buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C728 [ID = 0x6e021695]'])
** Changed: 2110 - outinterfaces: ['0x710013C47C [ID = 0x6e021695]'] -> ['0x710013C728 [ID = 0x6e021695]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C728 [ID = 0x6e021695]'])
** Changed: 2200 - outinterfaces: ['0x710013E13C [ID = 0x8cf617a1]'] -> ['0x710013E3E8 [ID = 0x8cf617a1]'] (final state: buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E3E8 [ID = 0x8cf617a1]'])
** Changed: 2210 - outinterfaces: ['0x710013E13C [ID = 0x8cf617a1]'] -> ['0x710013E3E8 [ID = 0x8cf617a1]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E3E8 [ID = 0x8cf617a1]'])
** Changed: 2250 - outinterfaces: ['0x710014064C [ID = 0x29d8801c]'] -> ['0x71001408F8 [ID = 0x29d8801c]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001408F8 [ID = 0x29d8801c]'])
** Changed: 2260 - outinterfaces: ['0x710014064C [ID = 0x29d8801c]'] -> ['0x71001408F8 [ID = 0x29d8801c]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001408F8 [ID = 0x29d8801c]'])
** Changed: 2300 - outinterfaces: ['0x7100140AD0 [ID = 0xeb5e4ee2]'] -> ['0x7100140D7C [ID = 0xeb5e4ee2]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140D7C [ID = 0xeb5e4ee2]'])
** Changed: 2310 - outinterfaces: ['0x7100140AD0 [ID = 0xeb5e4ee2]'] -> ['0x7100140D7C [ID = 0xeb5e4ee2]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140D7C [ID = 0xeb5e4ee2]'])
** Changed: 2400 - outinterfaces: ['0x7100141A58 [ID = 0x3c7c9db7]'] -> ['0x7100141D04 [ID = 0x3c7c9db7]'] (final state: inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141D04 [ID = 0x3c7c9db7]'])
** Changed: 2420 - outinterfaces: ['0x7100141A58 [ID = 0x3c7c9db7]'] -> ['0x7100141D04 [ID = 0x3c7c9db7]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141D04 [ID = 0x3c7c9db7]'])
* Unknown Interface prev-version: 0x7100133FE0 [ID = 0x17291af3]
* Unknown Interface prev-version: 0x71001357F4 [ID = 0xa036ce80]
* Unknown Interface cur-version: 0x710013A720 [ID = 0xa036ce80]
* Unknown Interface cur-version: 0x7100138F0C [ID = 0x17291af3]
* Interface Changed: nn::olsc::srv::IDaemonController
** Changed: 13 - outinterfaces: ['0x71001357F4 [ID = 0xa036ce80]', None] -> ['0x710013A720 [ID = 0xa036ce80]', None] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710013A720 [ID = 0xa036ce80]', None])
* Interface Changed: nn::olsc::srv::IOlscServiceForSystemService
** Changed: 1000 - outinterfaces: ['0x7100133FE0 [ID = 0x17291af3]'] -> ['0x7100138F0C [ID = 0x17291af3]'] (final state: buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100138F0C [ID = 0x17291af3]'])
* Interface Changed: nn::olsc::srv::IRemoteStorageController
** Changed: 800 - outinterfaces: ['0x7100133FE0 [ID = 0x17291af3]'] -> ['0x7100138F0C [ID = 0x17291af3]'] (final state: buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100138F0C [ID = 0x17291af3]'])
* Interface Changed: nn::olsc::srv::ITransferTaskListController
** Added: 26 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IRemoteStorageController']
** Added: 27 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IRemoteStorageController']
** Added: 28 - inbytes: 0x10, outbytes: 0x1
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 30 - inbytes: 0x1, outbytes: 0x38
* Interface Changed: nn::omm::detail::IOperationModeManager
** Added: 50 - inbytes: 0x0, outbytes: 0x8

=== BootImagePackages ===
RomFs changes:
* "/nx/package2" updated

[[Package2|INI1]] changes:
* BootImagePackage/BootImagePackageExFat:
** All FIRM Sysmodules were just re-built, resulting in updated GNU build-id. The *only* changes besides this are:
*** Loader: Anti-downgrade list is updated.
*** FS: UpdateResult's logging constants/hashes were updated.

==== Kernel ====
* cpu::DoCoreInterruptBarrier now uses a KLightLock instead of a KSpinLock.
* Sleep entry now waits 1920 ticks after synchronizing cores and before saving the interrupt manager
* KInterruptController::SaveLocalState/RestoreLocalState now saves and restores spendsgir

=== [[JIT_services|jit]] ===
The only updated func was L_177b0 (this is the func called by nn::ro::RegisterModuleInfo):
* The order of the validation after magicnum-check ([[NRR]]) was swapped.

=== [[RO_services|ro]] ===
* RoServer object now has two new fields, "m_SupportedPlatforms", "m_NumSupportedPlatforms".
** These are initialized for both JitPlugin and User servers to point to an array of size 1, containing only Platform 0 (NX).
* During NRR validation, the NRR platform byte (NRR + 0x6) is now checked to be contained within the server's supported platforms array before header is copied onto stack, if it is not then error 0xC16 is returned.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-05-28_00-02-36&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

20.1.0

2025-05-28T21:16:16Z

SciresM: /* BootImagePackages */ FIRM sysmodules -> no real changes

The Switch 20.1.0 system update was released on May 28, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
*
* Visual updates have been made to the Parental Control settings.
* The sound that plays when Nintendo Switch Online is launched from the HOME Menu has been changed.
* General system stability improvements to enhance the user's experience.
*
* Note: If performing a system transfer from Nintendo Switch to Nintendo Switch 2 using local communication, the Nintendo Switch console will need to be updated to this latest system version to perform the transfer. See System Transfer from Nintendo Switch to Nintendo Switch 2 for more information.

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, NgWord, SsidList, LocalNews, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, ControllerIcon, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware, 0100000000000859, 010000000000085C.
** Applets: qlaunch, auth, controller, dataErase, error, netConnect, playerSelect, LibAppletWeb, LibAppletShop, overlayDisp, photoViewer, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application, myPage, splay.

[[NPDM]] changes (besides usual version-bump): none.

Sysmodules were rebuilt with latest SDK, unless noted otherwise the only .text changes are from sdkver-update / logging-constants-update. The sysmodules with actual changes are (besides ones with IPC changes):
* bcat, jit, ...

RomFs changes:
* ErrorMessage: updated
* BrowserDll:
** "/buildinfo/buildinfo.dat" updated
** "/lyt/": Various data updated.
** "/nro/netfront/": Various data updated.
** "/sound/cruiser.bfsar" updated
* NgWord: "/version.dat" updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* LocalNews: "/image/LnMoonIntro/list.jpg" updated, "/image/LnMoonIntro/main.jpg" updated, "/message/CNzhT/" added
* [[System_Settings|FirmwareDebugSettings]]: All files updated.
* ControllerIcon: "/lyt/ColorTable" updated
* ControllerFirmware: "/FirmwareInfo.csv" updated, "/tera_fullkey_ota.bin" updated, "/tera_fullkey_ota_iap.bin" updated, "/tera_ota.bin" updated, "/tera_ota_iap.bin" updated
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/qlaunch_action.bksnd" updated
** "/sound/qlaunch.bfsar" updated
** "/texture/LogoMoonCNzh.bntx" added
** "/texture/LogoMoonEUde.bntx" updated
** "/texture/LogoMoonEUen.bntx" removed
** "/texture/LogoMoonEUes.bntx" removed
** "/texture/LogoMoonEUfr.bntx" removed
** "/texture/LogoMoonEUit.bntx" updated
** "/texture/LogoMoonEUnl.bntx" updated
** "/texture/LogoMoonEUpt.bntx" updated
** "/texture/LogoMoonEUru.bntx" updated
** "/texture/LogoMoonJPja.bntx" updated
** "/texture/LogoMoonTWzh.bntx" added
** "/texture/LogoMoonUSen.bntx" updated
** "/texture/LogoMoonUSes.bntx" updated
** "/texture/LogoMoonUSfr.bntx" updated
** "/texture/LogoMoonUSpt.bntx" added
* auth applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/auth_action.bksnd" updated
** "/sound/auth.bfsar" updated
* controller applet:
** "/message/": Various data updated.
** "/sound/controller_action.bksnd" updated
* dataErase applet:
** "/message/": Various data updated.
** "/sound/dataErase_action.bksnd" updated
* error applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/error_action.bksnd" updated
** "/sound/error.bfsar" updated
** "/texture/LogoMoonCNzh.bntx" added
** "/texture/LogoMoonEUde.bntx" updated
** "/texture/LogoMoonEUen.bntx" removed
** "/texture/LogoMoonEUes.bntx" removed
** "/texture/LogoMoonEUfr.bntx" removed
** "/texture/LogoMoonEUit.bntx" updated
** "/texture/LogoMoonEUnl.bntx" updated
** "/texture/LogoMoonEUpt.bntx" updated
** "/texture/LogoMoonEUru.bntx" updated
** "/texture/LogoMoonJPja.bntx" updated
** "/texture/LogoMoonTWzh.bntx" added
** "/texture/LogoMoonUSen.bntx" updated
** "/texture/LogoMoonUSes.bntx" updated
** "/texture/LogoMoonUSfr.bntx" updated
** "/texture/LogoMoonUSpt.bntx" added
* netConnect applet:
** "/message/": Various data updated.
** "/sound/netConnect_action.bksnd" updated
* playerSelect applet:
** "/message/": Various data updated.
** "/sound/playerSelect_action.bksnd" updated
** "/sound/playerSelect.bfsar" updated
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.
* overlayDisp applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/infoLHub.raw" updated
** "/sound/infoPtcl.raw" updated
** "/sound/infoTimerOver.raw" updated
** "/sound/infoTimer.raw" updated
** "/sound/overlayDisp_action.bksnd" updated
* photoViewer applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/photoViewer_action.bksnd" updated
* "starter" application:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/starter_action.bksnd" updated
* myPage applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/myPage_action.bksnd" updated
** "/sound/myPage.bfsar" updated
* splay applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/splay_action.bksnd" updated
** "/sound/splay.bfsar" updated

=== IPC Interface Changes ===
* Unknown Interface prev-version: 0x710008741C
* Unknown Interface cur-version: 0x710008741C
* Interface Changed: nn::hid::IHidDebugServer
** Added: 214 - inbytes: 0x8, outbytes: 0x1D
* Interface Changed: nn::hid::IHidSystemServer
** Added: 1158 - inbytes: 0x1, outbytes: 0x0
** Added: 1159 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::wlan::detail::IWirelessCommunicationService
** Changed: 120 - outbytes: 0x28 -> 0x2C (final state: inbytes: 0x0, outbytes: 0x2C)
* Unknown Interface prev-version: 0x71000055E0
* Unknown Interface cur-version: 0x71000055E0
* Unknown Interface prev-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface prev-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100086228 [ID = 0x36f3a242]
* Unknown Interface cur-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100086228 [ID = 0x36f3a242]
* Unknown Interface prev-version: 0x71001A4F60 [ID = 0x4e930893]
* Unknown Interface prev-version: 0x7100264B34 [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100264DCC [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x7100265220 [ID = 0x36f3a242]
* Unknown Interface prev-version: 0x71002654FC [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x71001A495C [ID = 0x04dea048]
* Unknown Interface prev-version: 0x71002636E8 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x7100266784 [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100265338 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x71001A5D44 [ID = 0x04dea048]
* Unknown Interface cur-version: 0x7100266A1C [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x710026714C [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x71001A6348 [ID = 0x4e930893]
* Unknown Interface cur-version: 0x7100266E70 [ID = 0x36f3a242]
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Changed: 292 - outinterfaces: ['0x7100264B34 [ID = 0x3af03446]'] -> ['0x7100266784 [ID = 0x3af03446]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100266784 [ID = 0x3af03446]'])
** Changed: 293 - outinterfaces: ['0x7100264DCC [ID = 0x38f0bb3d]'] -> ['0x7100266A1C [ID = 0x38f0bb3d]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100266A1C [ID = 0x38f0bb3d]'])
** Changed: 350 - outinterfaces: ['0x7100265220 [ID = 0x36f3a242]'] -> ['0x7100266E70 [ID = 0x36f3a242]'] (final state: inbytes: 0x1, outbytes: 0x0, outinterfaces: ['0x7100266E70 [ID = 0x36f3a242]'])
** Changed: 352 - outinterfaces: ['0x71002654FC [ID = 0x0919ff75]'] -> ['0x710026714C [ID = 0x0919ff75]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710026714C [ID = 0x0919ff75]'])
* Interface Changed: nn::account::baas::IAdministrator
** Changed: 181 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
** Changed: 182 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
* Interface Changed: nn::account::baas::IManagerForSystemService
** Changed: 181 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
** Changed: 182 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Added: 933 - buffers: [0x6], inbytes: 0x90, outbytes: 0x4
** Added: 2183 - inbytes: 0x8, outbytes: 0x0
** Changed: 4026 - outinterfaces: ['0x71001A495C [ID = 0x04dea048]'] -> ['0x71001A5D44 [ID = 0x04dea048]'] (final state: inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A5D44 [ID = 0x04dea048]'])
** Changed: 4027 - outinterfaces: ['0x71001A4F60 [ID = 0x4e930893]'] -> ['0x71001A6348 [ID = 0x4e930893]'] (final state: inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A6348 [ID = 0x4e930893]'])
* Interface Changed: nn::ns::detail::IContentManagementInterface
** Added: 58 - inbytes: 0x0, outbytes: 0x0
** Added: 71 - inbytes: 0x1, outbytes: 0x10
* Interface Changed: nn::ns::detail::IReadOnlyApplicationControlDataInterface
** Added: 17 - buffers: [0x6], inbytes: 0x90, outbytes: 0x4
* Unknown Interface prev-version: 0x71000CE314 [ID = 0x359536d2]
* Unknown Interface cur-version: 0x71000CE4B4 [ID = 0x359536d2]
* Interface Changed: nn::am::service::IAllSystemAppletProxiesService
** Changed: 460 - outinterfaces: ['0x71000CE314 [ID = 0x359536d2]'] -> ['0x71000CE4B4 [ID = 0x359536d2]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000CE4B4 [ID = 0x359536d2]'])
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 173 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface prev-version: 0x7100096B3C [ID = 0xdf171f31]
* Unknown Interface cur-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface cur-version: 0x7100096B3C [ID = 0xdf171f31]
* Unknown Interface prev-version: 0x710005ECA0 [ID = 0xef2a5618]
* Unknown Interface cur-version: 0x710005ECA0 [ID = 0xef2a5618]
* Unknown Interface prev-version: 0x710014064C [ID = 0x29d8801c]
* Unknown Interface prev-version: 0x7100140AD0 [ID = 0xeb5e4ee2]
* Unknown Interface prev-version: 0x710013C47C [ID = 0x6e021695]
* Unknown Interface prev-version: 0x7100141A58 [ID = 0x3c7c9db7]
* Unknown Interface prev-version: 0x710013E13C [ID = 0x8cf617a1]
* Unknown Interface cur-version: 0x710013C728 [ID = 0x6e021695]
* Unknown Interface cur-version: 0x71001408F8 [ID = 0x29d8801c]
* Unknown Interface cur-version: 0x7100141D04 [ID = 0x3c7c9db7]
* Unknown Interface cur-version: 0x7100140D7C [ID = 0xeb5e4ee2]
* Unknown Interface cur-version: 0x710013E3E8 [ID = 0x8cf617a1]
* Interface Changed: nn::migration::user::IService
** Changed: 2100 - outinterfaces: ['0x710013C47C [ID = 0x6e021695]'] -> ['0x710013C728 [ID = 0x6e021695]'] (final state: buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C728 [ID = 0x6e021695]'])
** Changed: 2110 - outinterfaces: ['0x710013C47C [ID = 0x6e021695]'] -> ['0x710013C728 [ID = 0x6e021695]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C728 [ID = 0x6e021695]'])
** Changed: 2200 - outinterfaces: ['0x710013E13C [ID = 0x8cf617a1]'] -> ['0x710013E3E8 [ID = 0x8cf617a1]'] (final state: buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E3E8 [ID = 0x8cf617a1]'])
** Changed: 2210 - outinterfaces: ['0x710013E13C [ID = 0x8cf617a1]'] -> ['0x710013E3E8 [ID = 0x8cf617a1]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E3E8 [ID = 0x8cf617a1]'])
** Changed: 2250 - outinterfaces: ['0x710014064C [ID = 0x29d8801c]'] -> ['0x71001408F8 [ID = 0x29d8801c]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001408F8 [ID = 0x29d8801c]'])
** Changed: 2260 - outinterfaces: ['0x710014064C [ID = 0x29d8801c]'] -> ['0x71001408F8 [ID = 0x29d8801c]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001408F8 [ID = 0x29d8801c]'])
** Changed: 2300 - outinterfaces: ['0x7100140AD0 [ID = 0xeb5e4ee2]'] -> ['0x7100140D7C [ID = 0xeb5e4ee2]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140D7C [ID = 0xeb5e4ee2]'])
** Changed: 2310 - outinterfaces: ['0x7100140AD0 [ID = 0xeb5e4ee2]'] -> ['0x7100140D7C [ID = 0xeb5e4ee2]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140D7C [ID = 0xeb5e4ee2]'])
** Changed: 2400 - outinterfaces: ['0x7100141A58 [ID = 0x3c7c9db7]'] -> ['0x7100141D04 [ID = 0x3c7c9db7]'] (final state: inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141D04 [ID = 0x3c7c9db7]'])
** Changed: 2420 - outinterfaces: ['0x7100141A58 [ID = 0x3c7c9db7]'] -> ['0x7100141D04 [ID = 0x3c7c9db7]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141D04 [ID = 0x3c7c9db7]'])
* Unknown Interface prev-version: 0x7100133FE0 [ID = 0x17291af3]
* Unknown Interface prev-version: 0x71001357F4 [ID = 0xa036ce80]
* Unknown Interface cur-version: 0x710013A720 [ID = 0xa036ce80]
* Unknown Interface cur-version: 0x7100138F0C [ID = 0x17291af3]
* Interface Changed: nn::olsc::srv::IDaemonController
** Changed: 13 - outinterfaces: ['0x71001357F4 [ID = 0xa036ce80]', None] -> ['0x710013A720 [ID = 0xa036ce80]', None] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710013A720 [ID = 0xa036ce80]', None])
* Interface Changed: nn::olsc::srv::IOlscServiceForSystemService
** Changed: 1000 - outinterfaces: ['0x7100133FE0 [ID = 0x17291af3]'] -> ['0x7100138F0C [ID = 0x17291af3]'] (final state: buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100138F0C [ID = 0x17291af3]'])
* Interface Changed: nn::olsc::srv::IRemoteStorageController
** Changed: 800 - outinterfaces: ['0x7100133FE0 [ID = 0x17291af3]'] -> ['0x7100138F0C [ID = 0x17291af3]'] (final state: buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100138F0C [ID = 0x17291af3]'])
* Interface Changed: nn::olsc::srv::ITransferTaskListController
** Added: 26 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IRemoteStorageController']
** Added: 27 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IRemoteStorageController']
** Added: 28 - inbytes: 0x10, outbytes: 0x1
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 30 - inbytes: 0x1, outbytes: 0x38
* Interface Changed: nn::omm::detail::IOperationModeManager
** Added: 50 - inbytes: 0x0, outbytes: 0x8

=== BootImagePackages ===
RomFs changes:
* "/nx/package2" updated

[[Package2|INI1]] changes:
* BootImagePackage/BootImagePackageExFat:
** All FIRM Sysmodules were just re-built, resulting in updated GNU build-id. The *only* changes besides this are:
*** Loader: Anti-downgrade list is updated.
*** FS: UpdateResult's logging constants/hashes were updated.

==== Kernel ====
* cpu::DoCoreInterruptBarrier now uses a KLightLock instead of a KSpinLock.
* Sleep entry now waits 1920 ticks after synchronizing cores and before saving the interrupt manager
* KInterruptController::SaveLocalState/RestoreLocalState now saves and restores spendsgir

=== [[JIT_services|jit]] ===
The only updated func was L_177b0 (this is the func called by nn::ro::RegisterModuleInfo):
* The order of the validation after magicnum-check ([[NRR]]) was swapped.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-05-28_00-02-36&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

RO services

2025-05-28T20:56:56Z

SciresM: fixup ro command names

Prior to 3.0.0, ro was included as part of [[Loader_services|Loader]]. Despite the separation, the service name ldr:ro is retained to maintain compatibility with old games.

= ldr:ro, ro:1 =
[1.0.0-2.3.0] This is "nn::ldr::detail::IRoInterface"

[3.0.0+] This is "nn::ro::detail::IRoInterface".

[7.0.0+] ro:1 was added and is also "nn::ro::detail::IRoInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#MapManualLoadModuleMemory]]
|-
| 1 || [[#UnmapManualLoadModuleMemory]]
|-
| 2 || [[#RegisterModuleInfo]]
|-
| 3 || [[#UnregisterModuleInfo]]
|-
| 4 || [[#RegisterProcessHandle]]
|-
| 10 || [7.0.0+] [[#RegisterModuleInfoWithUserProcessHandle]]
|}

== MapManualLoadModuleMemory ==
Takes a PID-descriptor and 4 input u64s ('''nro_address''', '''nro_size''', '''bss_address''' and '''bss_size'''). Returns an output u64 ('''out_address''').

== UnmapManualLoadModuleMemory ==
Takes a PID-descriptor and an input u64 ('''nro_address''').

== RegisterModuleInfo ==
Takes a PID-descriptor and 2 input u64s ('''nrr_address''' and '''nrr_size''').

[7.0.0+] [[NRR|NrrKind]] must be 0 (User) for this function to succeed.

== UnregisterModuleInfo ==
Takes a PID-descriptor and an input u64s ('''nrr_address''').

== RegisterProcessHandle ==
Takes PID-descriptor and a process handle.

== RegisterModuleInfoWithUserProcessHandle ==
Takes a PID-descriptor, a process handle and 2 input u64s ('''nrr_address''' and '''nrr_size''').

First, this validates that the pid descriptor matches the pid for the process handle sent to this->Initialize() earlier. Then, this calls the same function as [[#RegisterModuleInfo|RegisterModuleInfo]], except using the passed process handle instead of the one sent to Initialize.

When called from an ro:1 session, [[NRR|NrrKind]] must be 1 (JitPlugin). When called from ldr:ro session, [[NRR|NrrKind]] must be 0 (User).

= ro:dmnt =
This is "nn::ro::detail::IDebugMonitorInterface".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetProcessModuleInfo]]
|}

== GetProcessModuleInfo ==
Same as [[Loader_services#GetProcessModuleInfo|GetProcessModuleInfo]] from [[Loader_services#ldr:dmnt|ldr:dmnt]].

[[Category:Services]]

20.1.0

2025-05-28T17:34:51Z

SciresM: /* BootImagePackages */ Kernel changes

The Switch 20.1.0 system update was released on May 28, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
*
* Visual updates have been made to the Parental Control settings.
* The sound that plays when Nintendo Switch Online is launched from the HOME Menu has been changed.
* General system stability improvements to enhance the user's experience.
*
* Note: If performing a system transfer from Nintendo Switch to Nintendo Switch 2 using local communication, the Nintendo Switch console will need to be updated to this latest system version to perform the transfer. See System Transfer from Nintendo Switch to Nintendo Switch 2 for more information.

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, NgWord, SsidList, LocalNews, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, ControllerIcon, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware, 0100000000000859, 010000000000085C.
** Applets: qlaunch, auth, controller, dataErase, error, netConnect, playerSelect, LibAppletWeb, LibAppletShop, overlayDisp, photoViewer, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application, myPage, splay.

[[NPDM]] changes (besides usual version-bump): none.

Sysmodules were rebuilt with latest SDK, unless noted otherwise the only .text changes are from sdkver-update / logging-constants-update. The sysmodules with actual changes are (besides ones with IPC changes):
* bcat, jit, ...

RomFs changes:
* ErrorMessage: updated
* BrowserDll:
** "/buildinfo/buildinfo.dat" updated
** "/lyt/": Various data updated.
** "/nro/netfront/": Various data updated.
** "/sound/cruiser.bfsar" updated
* NgWord: "/version.dat" updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* LocalNews: "/image/LnMoonIntro/list.jpg" updated, "/image/LnMoonIntro/main.jpg" updated, "/message/CNzhT/" added
* [[System_Settings|FirmwareDebugSettings]]: All files updated.
* ControllerIcon: "/lyt/ColorTable" updated
* ControllerFirmware: "/FirmwareInfo.csv" updated, "/tera_fullkey_ota.bin" updated, "/tera_fullkey_ota_iap.bin" updated, "/tera_ota.bin" updated, "/tera_ota_iap.bin" updated
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/qlaunch_action.bksnd" updated
** "/sound/qlaunch.bfsar" updated
** "/texture/LogoMoonCNzh.bntx" added
** "/texture/LogoMoonEUde.bntx" updated
** "/texture/LogoMoonEUen.bntx" removed
** "/texture/LogoMoonEUes.bntx" removed
** "/texture/LogoMoonEUfr.bntx" removed
** "/texture/LogoMoonEUit.bntx" updated
** "/texture/LogoMoonEUnl.bntx" updated
** "/texture/LogoMoonEUpt.bntx" updated
** "/texture/LogoMoonEUru.bntx" updated
** "/texture/LogoMoonJPja.bntx" updated
** "/texture/LogoMoonTWzh.bntx" added
** "/texture/LogoMoonUSen.bntx" updated
** "/texture/LogoMoonUSes.bntx" updated
** "/texture/LogoMoonUSfr.bntx" updated
** "/texture/LogoMoonUSpt.bntx" added
* auth applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/auth_action.bksnd" updated
** "/sound/auth.bfsar" updated
* controller applet:
** "/message/": Various data updated.
** "/sound/controller_action.bksnd" updated
* dataErase applet:
** "/message/": Various data updated.
** "/sound/dataErase_action.bksnd" updated
* error applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/error_action.bksnd" updated
** "/sound/error.bfsar" updated
** "/texture/LogoMoonCNzh.bntx" added
** "/texture/LogoMoonEUde.bntx" updated
** "/texture/LogoMoonEUen.bntx" removed
** "/texture/LogoMoonEUes.bntx" removed
** "/texture/LogoMoonEUfr.bntx" removed
** "/texture/LogoMoonEUit.bntx" updated
** "/texture/LogoMoonEUnl.bntx" updated
** "/texture/LogoMoonEUpt.bntx" updated
** "/texture/LogoMoonEUru.bntx" updated
** "/texture/LogoMoonJPja.bntx" updated
** "/texture/LogoMoonTWzh.bntx" added
** "/texture/LogoMoonUSen.bntx" updated
** "/texture/LogoMoonUSes.bntx" updated
** "/texture/LogoMoonUSfr.bntx" updated
** "/texture/LogoMoonUSpt.bntx" added
* netConnect applet:
** "/message/": Various data updated.
** "/sound/netConnect_action.bksnd" updated
* playerSelect applet:
** "/message/": Various data updated.
** "/sound/playerSelect_action.bksnd" updated
** "/sound/playerSelect.bfsar" updated
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.
* overlayDisp applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/infoLHub.raw" updated
** "/sound/infoPtcl.raw" updated
** "/sound/infoTimerOver.raw" updated
** "/sound/infoTimer.raw" updated
** "/sound/overlayDisp_action.bksnd" updated
* photoViewer applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/photoViewer_action.bksnd" updated
* "starter" application:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/starter_action.bksnd" updated
* myPage applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/myPage_action.bksnd" updated
** "/sound/myPage.bfsar" updated
* splay applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/splay_action.bksnd" updated
** "/sound/splay.bfsar" updated

=== IPC Interface Changes ===
* Unknown Interface prev-version: 0x710008741C
* Unknown Interface cur-version: 0x710008741C
* Interface Changed: nn::hid::IHidDebugServer
** Added: 214 - inbytes: 0x8, outbytes: 0x1D
* Interface Changed: nn::hid::IHidSystemServer
** Added: 1158 - inbytes: 0x1, outbytes: 0x0
** Added: 1159 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::wlan::detail::IWirelessCommunicationService
** Changed: 120 - outbytes: 0x28 -> 0x2C (final state: inbytes: 0x0, outbytes: 0x2C)
* Unknown Interface prev-version: 0x71000055E0
* Unknown Interface cur-version: 0x71000055E0
* Unknown Interface prev-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface prev-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100086228 [ID = 0x36f3a242]
* Unknown Interface cur-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100086228 [ID = 0x36f3a242]
* Unknown Interface prev-version: 0x71001A4F60 [ID = 0x4e930893]
* Unknown Interface prev-version: 0x7100264B34 [ID = 0x3af03446]
* Unknown Interface prev-version: 0x7100264DCC [ID = 0x38f0bb3d]
* Unknown Interface prev-version: 0x7100265220 [ID = 0x36f3a242]
* Unknown Interface prev-version: 0x71002654FC [ID = 0x0919ff75]
* Unknown Interface prev-version: 0x71001A495C [ID = 0x04dea048]
* Unknown Interface prev-version: 0x71002636E8 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x7100266784 [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100265338 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x71001A5D44 [ID = 0x04dea048]
* Unknown Interface cur-version: 0x7100266A1C [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x710026714C [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x71001A6348 [ID = 0x4e930893]
* Unknown Interface cur-version: 0x7100266E70 [ID = 0x36f3a242]
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Changed: 292 - outinterfaces: ['0x7100264B34 [ID = 0x3af03446]'] -> ['0x7100266784 [ID = 0x3af03446]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100266784 [ID = 0x3af03446]'])
** Changed: 293 - outinterfaces: ['0x7100264DCC [ID = 0x38f0bb3d]'] -> ['0x7100266A1C [ID = 0x38f0bb3d]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100266A1C [ID = 0x38f0bb3d]'])
** Changed: 350 - outinterfaces: ['0x7100265220 [ID = 0x36f3a242]'] -> ['0x7100266E70 [ID = 0x36f3a242]'] (final state: inbytes: 0x1, outbytes: 0x0, outinterfaces: ['0x7100266E70 [ID = 0x36f3a242]'])
** Changed: 352 - outinterfaces: ['0x71002654FC [ID = 0x0919ff75]'] -> ['0x710026714C [ID = 0x0919ff75]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710026714C [ID = 0x0919ff75]'])
* Interface Changed: nn::account::baas::IAdministrator
** Changed: 181 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
** Changed: 182 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
* Interface Changed: nn::account::baas::IManagerForSystemService
** Changed: 181 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
** Changed: 182 - outinterfaces: ['0x71002636E8 [ID = 0x107aa108]'] -> ['0x7100265338 [ID = 0x107aa108]'] (final state: inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100265338 [ID = 0x107aa108]'])
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Added: 933 - buffers: [0x6], inbytes: 0x90, outbytes: 0x4
** Added: 2183 - inbytes: 0x8, outbytes: 0x0
** Changed: 4026 - outinterfaces: ['0x71001A495C [ID = 0x04dea048]'] -> ['0x71001A5D44 [ID = 0x04dea048]'] (final state: inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A5D44 [ID = 0x04dea048]'])
** Changed: 4027 - outinterfaces: ['0x71001A4F60 [ID = 0x4e930893]'] -> ['0x71001A6348 [ID = 0x4e930893]'] (final state: inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A6348 [ID = 0x4e930893]'])
* Interface Changed: nn::ns::detail::IContentManagementInterface
** Added: 58 - inbytes: 0x0, outbytes: 0x0
** Added: 71 - inbytes: 0x1, outbytes: 0x10
* Interface Changed: nn::ns::detail::IReadOnlyApplicationControlDataInterface
** Added: 17 - buffers: [0x6], inbytes: 0x90, outbytes: 0x4
* Unknown Interface prev-version: 0x71000CE314 [ID = 0x359536d2]
* Unknown Interface cur-version: 0x71000CE4B4 [ID = 0x359536d2]
* Interface Changed: nn::am::service::IAllSystemAppletProxiesService
** Changed: 460 - outinterfaces: ['0x71000CE314 [ID = 0x359536d2]'] -> ['0x71000CE4B4 [ID = 0x359536d2]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000CE4B4 [ID = 0x359536d2]'])
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 173 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface prev-version: 0x7100096B3C [ID = 0xdf171f31]
* Unknown Interface cur-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface cur-version: 0x7100096B3C [ID = 0xdf171f31]
* Unknown Interface prev-version: 0x710005ECA0 [ID = 0xef2a5618]
* Unknown Interface cur-version: 0x710005ECA0 [ID = 0xef2a5618]
* Unknown Interface prev-version: 0x710014064C [ID = 0x29d8801c]
* Unknown Interface prev-version: 0x7100140AD0 [ID = 0xeb5e4ee2]
* Unknown Interface prev-version: 0x710013C47C [ID = 0x6e021695]
* Unknown Interface prev-version: 0x7100141A58 [ID = 0x3c7c9db7]
* Unknown Interface prev-version: 0x710013E13C [ID = 0x8cf617a1]
* Unknown Interface cur-version: 0x710013C728 [ID = 0x6e021695]
* Unknown Interface cur-version: 0x71001408F8 [ID = 0x29d8801c]
* Unknown Interface cur-version: 0x7100141D04 [ID = 0x3c7c9db7]
* Unknown Interface cur-version: 0x7100140D7C [ID = 0xeb5e4ee2]
* Unknown Interface cur-version: 0x710013E3E8 [ID = 0x8cf617a1]
* Interface Changed: nn::migration::user::IService
** Changed: 2100 - outinterfaces: ['0x710013C47C [ID = 0x6e021695]'] -> ['0x710013C728 [ID = 0x6e021695]'] (final state: buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C728 [ID = 0x6e021695]'])
** Changed: 2110 - outinterfaces: ['0x710013C47C [ID = 0x6e021695]'] -> ['0x710013C728 [ID = 0x6e021695]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C728 [ID = 0x6e021695]'])
** Changed: 2200 - outinterfaces: ['0x710013E13C [ID = 0x8cf617a1]'] -> ['0x710013E3E8 [ID = 0x8cf617a1]'] (final state: buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E3E8 [ID = 0x8cf617a1]'])
** Changed: 2210 - outinterfaces: ['0x710013E13C [ID = 0x8cf617a1]'] -> ['0x710013E3E8 [ID = 0x8cf617a1]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E3E8 [ID = 0x8cf617a1]'])
** Changed: 2250 - outinterfaces: ['0x710014064C [ID = 0x29d8801c]'] -> ['0x71001408F8 [ID = 0x29d8801c]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001408F8 [ID = 0x29d8801c]'])
** Changed: 2260 - outinterfaces: ['0x710014064C [ID = 0x29d8801c]'] -> ['0x71001408F8 [ID = 0x29d8801c]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001408F8 [ID = 0x29d8801c]'])
** Changed: 2300 - outinterfaces: ['0x7100140AD0 [ID = 0xeb5e4ee2]'] -> ['0x7100140D7C [ID = 0xeb5e4ee2]'] (final state: inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140D7C [ID = 0xeb5e4ee2]'])
** Changed: 2310 - outinterfaces: ['0x7100140AD0 [ID = 0xeb5e4ee2]'] -> ['0x7100140D7C [ID = 0xeb5e4ee2]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140D7C [ID = 0xeb5e4ee2]'])
** Changed: 2400 - outinterfaces: ['0x7100141A58 [ID = 0x3c7c9db7]'] -> ['0x7100141D04 [ID = 0x3c7c9db7]'] (final state: inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141D04 [ID = 0x3c7c9db7]'])
** Changed: 2420 - outinterfaces: ['0x7100141A58 [ID = 0x3c7c9db7]'] -> ['0x7100141D04 [ID = 0x3c7c9db7]'] (final state: inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141D04 [ID = 0x3c7c9db7]'])
* Unknown Interface prev-version: 0x7100133FE0 [ID = 0x17291af3]
* Unknown Interface prev-version: 0x71001357F4 [ID = 0xa036ce80]
* Unknown Interface cur-version: 0x710013A720 [ID = 0xa036ce80]
* Unknown Interface cur-version: 0x7100138F0C [ID = 0x17291af3]
* Interface Changed: nn::olsc::srv::IDaemonController
** Changed: 13 - outinterfaces: ['0x71001357F4 [ID = 0xa036ce80]', None] -> ['0x710013A720 [ID = 0xa036ce80]', None] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710013A720 [ID = 0xa036ce80]', None])
* Interface Changed: nn::olsc::srv::IOlscServiceForSystemService
** Changed: 1000 - outinterfaces: ['0x7100133FE0 [ID = 0x17291af3]'] -> ['0x7100138F0C [ID = 0x17291af3]'] (final state: buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100138F0C [ID = 0x17291af3]'])
* Interface Changed: nn::olsc::srv::IRemoteStorageController
** Changed: 800 - outinterfaces: ['0x7100133FE0 [ID = 0x17291af3]'] -> ['0x7100138F0C [ID = 0x17291af3]'] (final state: buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100138F0C [ID = 0x17291af3]'])
* Interface Changed: nn::olsc::srv::ITransferTaskListController
** Added: 26 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IRemoteStorageController']
** Added: 27 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IRemoteStorageController']
** Added: 28 - inbytes: 0x10, outbytes: 0x1
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 30 - inbytes: 0x1, outbytes: 0x38
* Interface Changed: nn::omm::detail::IOperationModeManager
** Added: 50 - inbytes: 0x0, outbytes: 0x8

=== BootImagePackages ===
RomFs changes:
* "/nx/package2" updated

==== Kernel ====
* cpu::DoCoreInterruptBarrier now uses a KLightLock instead of a KSpinLock.
* Sleep entry now waits 1920 ticks after synchronizing cores and before saving the interrupt manager
* KInterruptController::SaveLocalState/RestoreLocalState now saves and restores spendsgir

=== [[JIT_services|jit]] ===
The only updated func was L_177b0:
* The order of the validation after magicnum-check ([[NRR]]) was swapped.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-05-28_00-02-36&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

20.0.0

2025-05-01T21:51:17Z

SciresM: improve kernel diff

The Switch 20.0.0 system update was released on April 30, 2025 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
*
* The following icons for new features have been added to the HOME Menu:
*
* Vitrual Game Card
*
* Purchased Nintendo Switch digital software, DLC, and some free software, are now virtual game cards and displayed in a list in this menu.
* You can virtually load and eject virtual game cards between up to two Nintendo Switch systems.
* Virtual game cards can be lent to others in the same Nintendo Account family group. For more information, see Virtual Game Card Guide.
*
*
* GameShare
*
* Compatible software can be shared from a Nintendo Switch 2 system to other nearby system(s) to play together.
*
* You can only play together via local wireless, and the Nintendo Switch 2 system must initiate GameShare.
* This feature cannot be used between two Nintendo Switch, Nintendo Switch – OLED Model and/or Nintendo Switch Lite systems.
*
*
*
*
*
*
* User-Verification Settings has been added under User > User Settings.
*
* You can restrict access to the Virtual Game Card menu by requiring entry of a PIN or signing in to your Nintendo Account.
*
*
* Online License Settings has been added.
*
* When turned on, you can play downloaded software or DLC you've purchased while the system is connected to the internet, even if you don't have the virtual game card loaded.
* For more information, please refer to the details about the option on the System Settings screen.
*
*
* The Nintendo eShop and Nintendo Switch News icon colors on the HOME Menu have been changed.
* Multiple save data can be selected and transferred at once in “Transfer Your Save Data” menu.
* System Transfer to Nintendo Switch 2 has been added under System Settings > System.
*
* You can perform a system transfer from your Nintendo Switch to Nintendo Switch 2 using local communication.
*
*  For users that will lose access to their Nintendo Switch before receiving their Nintendo Switch 2, there is an option to upload system transfer data to a dedicated server which can then be retrieved on their Nintendo Switch 2. After you upload your system transfer data to the dedicated server, the Nintendo Switch system will be initialized to factory settings, so only perform this transfer if you’ll be able to complete the transfer on Nintendo Switch 2.
* If you want to continue using your Nintendo Switch until you have a Nintendo Switch 2, we recommend completing the system transfer using local communication after you have acquired a Nintendo Switch 2 system.
*
*
* An internet connection and Nintendo Account is required to complete both local and the server-based system transfer service.
* For more information, see System Transfer from Nintendo Switch to Nintendo Switch 2.
*
*
* The appearance of some user icons have been updated.
*
* For detailed information on Nintendo Switch 2, see the Nintendo website.
* Note that the use of “Primary Console” has been deprecated with the transition to virtual game cards, and “Pass-enabled console” will be used instead. On a console set as the “Pass-enabled console” for a user, all users on the console can access certain subscriptions or passes for some software. For more information, see How to Set or Change the Pass-Enabled Console for a Nintendo Account.

==System Titles==
* The following new titles were added: 0100000000000859, 010000000000085C, 0100000000001048 (splay).
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, AvatarImage, LocalNews, UrlBlackList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, ControllerIcon, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware.
** Applets: qlaunch, auth, cabinet, controller, dataErase, error, netConnect, playerSelect, swkbd, miiEdit, LibAppletWeb, LibAppletShop, overlayDisp, photoViewer, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application, myPage, maintenance.

[[NPDM]] changes (besides usual version-bump):
* bluetooth: Name updated: bluetooth -> bluetooth.autog.
* hid: Service access: added lm.
* wlan: Service access: added erpt:c, pm:bm.
* ns: Service access: added hid:sys, removed hid.
* capsrv: Service access: added srepo:u.
* erpt: Fac.FsAccessFlag updated: set bitmask 0x0000080000000000 (bit43).
* pctl: MainThreadStackSize updated: 0x4000 -> 0x6000.
* npns: Service server access: added npns:a. KernelCap HandleTableSize: updated HandleTableSize = 0x80 -> 0x100.
* eclct: Service access: added pctl:s, pm:bm, srepo:a.
* creport: Service access: removed fsp-srv. SVC access: removed CreateSession, AcceptSession, ReplyAndReceiveLight, ReplyAndReceive, ReplyAndReceiveWithUserBuffer, CreateEvent.
* ro: Service access: removed csrng.
* migration: Service access: added nifm:a, notif:s, pctl:s, removed nifm:s.
* omm: Service access: added time:al.
* cabinet: Service access: added bsd:a, removed bsd:u.
* controller: Service access: added bsd:a, removed bsd:u, htcs.
* dataErase: Service access: added bsd:a, htcs:sys, removed bsd:u, htcs.
* error: Service access: added bsd:a, removed bsd:u.
* playerSelect: Service access: added bsd:a, removed bsd:u.
* swkbd: Service access: added bsd:a, htcs:sys, removed bsd:u, htcs.
* overlayDisp: Service access: added bsd:a, removed bsd:u.
* photoViewer: Service access: added bsd:a, htcs:sys, removed bsd:s, htcs.
* LibAppletLns: Service access: added ns:sweb, removed ns:web.
* myPage: Service access: added bsd:a, removed bsd:u.
* maintenance: Service access: added bsd:a, htcs:sys, removed bsd:u, htcs.

RomFs changes:
* [[SSL_services#CertStore|CertStore]]: "/ssl_TrustedCerts.bdf" updated, "/ssl_TrustedCerts.Ounce.bdf" updated
* ErrorMessage: updated
* BrowserDll:
** "/browser/effective_tld_names.dat" updated
** "/browser/ErrorPageFilteringTemplate.html" updated
** "/browser/ErrorPageSubFrameTemplate.html" updated
** "/browser/ErrorPageTemplate.html" updated
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/browser/skin/" added
** "/browser/Skin.dat" removed
** "/browser/UserCss.dat" updated
** "/buildinfo/buildinfo.dat" updated
** "/gfxShader/BrowserOffscreenDrawer.bnsh" updated
** "/gfxShader/MediaPlayerDrawer.bnsh" added
** "/lyt/": Various data updated.
** "/lyt/Browse/MouseEffect.arc" removed
** "/lyt/MediaPlayer/MovieCanvasNative.arc" removed
** "/message/": Various data updated.
** "/message/labelConversionTable.json" added
** "/nro/netfront/": Various data updated.
** "/nro/netfront/core_2/" removed
** "/nro/netfront/core_3/" added
** "/shader/OceanShader.arc" updated
** "/sound/cruiser.bfsar" updated
* Help:
** "/legallines.htdocs/img/immersion.png" removed
** "/legallines.htdocs/index.html" updated
** "/safe.htdocs/html/JPja/index.html" updated
** "/safe.htdocs/html/JPja/page_02.html" updated
** "/safe.htdocs/html/JPja/page_04.html" updated
** "/safe.htdocs/html/KRko/index.html" updated
** "/safe.htdocs/html/KRko/page_02.html" updated
** "/safe.htdocs/html/KRko/page_04.html" updated
** "/safe.htdocs/html/TWzh/index.html" updated
** "/safe.htdocs/html/TWzh/page_02.html" updated
** "/safe.htdocs/html/TWzh/page_04.html" updated
** "/safe.htdocs/js/tapaction.js" updated
* NgWord: updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* AvatarImage:
** "/chara/00000001.szs" updated
** "/chara/00000002.szs" updated
** "/chara/00000003.szs" updated
** "/chara/00000004.szs" updated
** "/chara/00000005.szs" updated
** "/chara/00000006.szs" updated
** "/chara/0000000A.szs" updated
** "/chara/0000000B.szs" updated
** "/chara/0000000D.szs" updated
** "/chara/0000000E.szs" updated
** "/chara/0000000F.szs" updated
** "/chara/00000010.szs" updated
** "/chara/00000011.szs" updated
** "/chara/00000012.szs" updated
** "/chara/00000034.szs" updated
** "/chara/00000035.szs" updated
** "/chara/00000036.szs" updated
** "/DatabaseInfo.bin" updated
* LocalNews: "/image/LnShopIntro/list.jpg" updated, "/image/LnShopIntro/main.jpg" updated, "/image/LnSupIntro/main_Terra.jpg" removed, "/message/CNzhT/" removed, "/message/revision.txt" updated
* UrlBlackList: "/listLnsGlobal.txt" updated
* FontNintendoExtension: "/nintendo_ext2_003.bfttf" updated
* [[System_Settings|FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula]]: All files updated.
* ControllerIcon: "/lyt/ColorTable" updated
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* qlaunch applet:
** "/icon/hatena174.jpg" added
** "/icon/hatena.jpg" updated
** "/icon/NaIcon_ShareFrom_ForDemo.jpg" added
** "/icon/NaIcon_ShareFrom_ForDemo.png" added
** "/icon/NaIcon_ShareTo_ForDemo.jpg" added
** "/icon/NaIcon_ShareTo_ForDemo.png" added
** "/icon/SubstituteUserIcon.jpg" updated
** "/lyt/": Various data updated.
** "/lyt/DataTransfer.szs" added
** "/lyt/Vgc.szs" added
** "/message/": Various data updated.
** "/message/CNzh/dataTransfer.msbt.szs" added
** "/message/CNzh/splay.msbt.szs" added
** "/message/CNzh/vgc.msbt.szs" added
** "/message/CNzhT/" removed
** "/message/EUde/dataTransfer.msbt.szs" added
** "/message/EUde/splay.msbt.szs" added
** "/message/EUde/vgc.msbt.szs" added
** "/message/EUen/dataTransfer.msbt.szs" added
** "/message/EUen/splay.msbt.szs" added
** "/message/EUen/vgc.msbt.szs" added
** "/message/EUes/dataTransfer.msbt.szs" added
** "/message/EUes/splay.msbt.szs" added
** "/message/EUes/vgc.msbt.szs" added
** "/message/EUfr/dataTransfer.msbt.szs" added
** "/message/EUfr/splay.msbt.szs" added
** "/message/EUfr/vgc.msbt.szs" added
** "/message/EUit/dataTransfer.msbt.szs" added
** "/message/EUit/splay.msbt.szs" added
** "/message/EUit/vgc.msbt.szs" added
** "/message/EUnl/dataTransfer.msbt.szs" added
** "/message/EUnl/splay.msbt.szs" added
** "/message/EUnl/vgc.msbt.szs" added
** "/message/EUpt/dataTransfer.msbt.szs" added
** "/message/EUpt/splay.msbt.szs" added
** "/message/EUpt/vgc.msbt.szs" added
** "/message/EUru/dataTransfer.msbt.szs" added
** "/message/EUru/splay.msbt.szs" added
** "/message/EUru/vgc.msbt.szs" added
** "/message/JPja/dataTransfer.msbt.szs" added
** "/message/JPja/splay.msbt.szs" added
** "/message/JPja/vgc.msbt.szs" added
** "/message/KRko/dataTransfer.msbt.szs" added
** "/message/KRko/splay.msbt.szs" added
** "/message/KRko/vgc.msbt.szs" added
** "/message/TWzh/dataTransfer.msbt.szs" added
** "/message/TWzh/splay.msbt.szs" added
** "/message/TWzh/vgc.msbt.szs" added
** "/message/USen/dataTransfer.msbt.szs" added
** "/message/USen/splay.msbt.szs" added
** "/message/USen/vgc.msbt.szs" added
** "/message/USes/dataTransfer.msbt.szs" added
** "/message/USes/splay.msbt.szs" added
** "/message/USes/vgc.msbt.szs" added
** "/message/USfr/dataTransfer.msbt.szs" added
** "/message/USfr/splay.msbt.szs" added
** "/message/USfr/vgc.msbt.szs" added
** "/message/USpt/dataTransfer.msbt.szs" added
** "/message/USpt/splay.msbt.szs" added
** "/message/USpt/vgc.msbt.szs" added
** "/sound/qlaunch_action.bksnd" updated
** "/sound/qlaunch.bfsar" updated
** "/texture/IcoPctl.bntx" removed
* auth applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/auth_action.bksnd" updated
** "/sound/auth.bfsar" updated
** "/sound/auth_module.bksnd" updated
* cabinet applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/cabinet_action.bksnd" updated
** "/sound/cabinet.bfsar" updated
* controller applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/controller_action.bksnd" updated
** "/sound/controller.bfsar" updated
** "/sound/controller_module.bksnd" updated
* dataErase applet:
** "/icon/" added
** "/lyt/": Various data updated.
** "/lyt/hatena.jpg" removed
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/dataErase_action.bksnd" updated
** "/sound/dataErase.bfsar" updated
* error applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/error_action.bksnd" updated
** "/sound/error.bfsar" updated
** "/texture/IcoPctl.bntx" removed
* netConnect applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/netConnect_action.bksnd" updated
** "/sound/netConnect.bfsar" updated
* playerSelect applet:
** "/lyt/": Various data updated.
** "/lyt/Pin.szs" added
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/playerSelect_action.bksnd" updated
** "/sound/playerSelect.bfsar" updated
** "/sound/playerSelect_module.bksnd" updated
* swkbd applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/swkbd_action.bksnd" updated
** "/sound/swkbd.bfsar" updated
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.
* overlayDisp applet:
** "/icon/hatena174.jpg" added
** "/icon/hatena.jpg" removed
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/batteryIn.raw" updated
** "/sound/batteryOut.raw" updated
** "/sound/infoAlarm.raw" updated
** "/sound/infoCapture.raw" updated
** "/sound/infoLHub.raw" added
** "/sound/infoPtcl.raw" added
** "/sound/infoReactionError.raw" updated
** "/sound/overlayDisp_action.bksnd" updated
* photoViewer applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/photoViewer_action.bksnd" updated
** "/sound/photoViewer.bfsar" updated
* "starter" application:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/starter_action.bksnd" updated
** "/sound/starter.bfsar" updated
* myPage applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/myPage_action.bksnd" updated
** "/sound/myPage.bfsar" updated
** "/sound/myPage_module.bksnd" updated
* maintenance applet:
** "/common/shader/VarietyOceanShader_Nx.arc.szs" updated
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/message/CNzhT/" removed
** "/sound/maintenance_action.bksnd" updated
** "/sound/maintenance.bfsar" updated

=== IPC Interface Changes ===
* Interface Changed: nn::settings::IFirmwareDebugSettingsServer
** Added: 24 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::settings::ISystemSettingsServer
** Added: 263 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 264 - inbytes: 0x0, outbytes: 0x10
** Added: 282 - inbytes: 0x8, outbytes: 0x4
** Added: 283 - inbytes: 0x4, outbytes: 0x8
** Added: 289 - inbytes: 0x0, outbytes: 0x4
** Added: 300 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 301 - inbytes: 0x0, outbytes: 0x8
** Added: 306 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 307 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::news::detail::ipc::IDownloadContext
** Added: 4 - inbytes: 0x0, outbytes: 0x48
* Unknown Interface prev-version: 0x71000844C0
* Unknown Interface cur-version: 0x710008741C
* Interface Changed: nn::friends::detail::ipc::IFriendService
** Added: 20107 - buffer_entry_sizes: [0x800], buffers: [0x1A], inbytes: 0x18, outbytes: 0x0
** Added: 20202 - buffer_entry_sizes: [0x200], buffers: [0x6], inbytes: 0x18, outbytes: 0x4
** Removed: 20302 - inbytes: 0x10, outbytes: 0x8
** Removed: 20303 - buffer_entry_sizes: [0x380], buffers: [0x1A], inbytes: 0x20, outbytes: 0x0
** Removed: 20304 - buffer_entry_sizes: [0x400], buffers: [0x6], inbytes: 0x18, outbytes: 0x4
** Added: 20402 - buffer_entry_sizes: [0x200], buffers: [0x6], inbytes: 0x18, outbytes: 0x4
** Added: 30218 - buffer_entry_sizes: [0x48, 0x48], buffers: [0x19, 0x19], inbytes: 0x38, outbytes: 0x0
** Removed: 30300 - buffer_entry_sizes: [0x1000], buffers: [0x16], inbytes: 0x18, outbytes: 0x0
** Removed: 30301 - inbytes: 0x18, outbytes: 0x0
** Added: 30403 - buffer_entry_sizes: [0x48], buffers: [0x19], inbytes: 0x38, outbytes: 0x0
* Interface Changed: nn::friends::detail::ipc::IServiceCreator
** Changed: 2 - outinterfaces: ['0x71000844C0'] -> ['0x710008741C'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710008741C'])
* Interface Changed: nn::nifm::detail::IGeneralService
** Added: 48 - inbytes: 0x0, outbytes: 0x0
** Added: 53 - inbytes: 0x0, outbytes: 0x1
** Added: 54 - inbytes: 0x4, outbytes: 0x0
** Added: 55 - inbytes: 0x0, outbytes: 0x4
** Added: 56 - buffer_entry_sizes: [0x1438], buffers: [0x32], inbytes: 0x4, outbytes: 0x0
** Added: 57 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::psm::IPsmServer
** Removed: 21 - inbytes: 0x0, outbytes: 0x4
** Added: 24 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::psm::IPsmSession
** Added: 5 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::tc::IManager
** Added: 11 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 12 - inbytes: 0x0, outbytes: 0x20
** Added: 13 - inbytes: 0x0, outbytes: 0x70
* Interface Changed: nn::socket::sf::IClient
** Added: 39 - inbytes: 0x10, outbytes: 0x8, outhandles: [1, 1]
** Added: 40 - buffers: [0x21], inbytes: 0x4, outbytes: 0x8
* Interface Changed: nn::hid::IHidDebugServer
** Added: 213 - inbytes: 0x8, outbytes: 0x1D
* Interface Changed: nn::hid::IHidServer
** Added: 137 - inbytes: 0x10, outbytes: 0x0, pid: True
** Added: 1005 - inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::hid::IHidSystemServer
** Added: 333 - inbytes: 0x8, outbytes: 0x0, pid: True
** Added: 334 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], pid: True
** Added: 551 - buffer_entry_sizes: [0x48], buffers: [0x6], inbytes: 0x0, outbytes: 0x8
** Added: 711 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 712 - inbytes: 0x8, outbytes: 0x34
** Added: 1012 - inbytes: 0x8, outbytes: 0x1D
** Added: 1322 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], pid: True
* Interface Changed: nn::audio::detail::IAudioSnoopManager
** Added: 1 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 2 - buffer_entry_sizes: [0x40], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
** Added: 3 - buffer_entry_sizes: [0x40], buffers: [0x16], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::audio::detail::IAudioSystemManagerForApplet
** Removed: 10 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::audioctrl::detail::IAudioController
** Added: 6 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 25 - inbytes: 0x8, outbytes: 0x0
** Changed: 40 - buffer_entry_sizes: [0x1000] -> [0x2000], inbytes: 0x0 -> 0x4 (final state: buffer_entry_sizes: [0x2000], buffers: [0x16], inbytes: 0x4, outbytes: 0x0)
** Removed: 41 - inbytes: 0x8, outbytes: 0x0
** Removed: 10000 - inbytes: 0x4, outbytes: 0x0
** Removed: 10001 - inbytes: 0x4, outbytes: 0x0
** Removed: 10002 - inbytes: 0x0, outbytes: 0x0
** Changed: 10100 - buffer_entry_sizes: {} -> [0x400], buffers: {} -> [0x16], outbytes: 0x9 -> 0x0 (final state: buffer_entry_sizes: [0x400], buffers: [0x16], inbytes: 0x0, outbytes: 0x0)
** Removed: 10102 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Removed: 10103 - inbytes: 0x0, outbytes: 0x4
** Removed: 10104 - inbytes: 0x0, outbytes: 0x4
** Removed: 10105 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Removed: 10106 - inbytes: 0x0, outbytes: 0x4
** Added: 10200 - buffer_entry_sizes: [0x100], buffers: [0x16], inbytes: 0x0, outbytes: 0x0
** Removed: 50001 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::lm::ILogger
** Added: 2 - buffers: [0x21], inbytes: 0x0, outbytes: 0x0
** Added: 3 - buffers: [0x21], inbytes: 0x28, outbytes: 0x0
* Interface Changed: nn::wlan::detail::IPrivateWirelessCommunicationService
** Changed: 6 - outbytes: 0x58 -> 0x5C (final state: inbytes: 0x0, outbytes: 0x5C)
** Removed: 8 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::wlan::detail::IWirelessCommunicationService
** Changed: 111 - inbytes: 0x18 -> 0x40 (final state: inbytes: 0x40, outbytes: 0x0)
** Changed: 120 - outbytes: 0x18 -> 0x28 (final state: inbytes: 0x0, outbytes: 0x28)
** Added: 130 - inbytes: 0x1, outbytes: 0x0
** Added: 140 - inbytes: 0x0, outbytes: 0x0
** Added: 900 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldn::detail::ISystemLocalCommunicationService
** Changed: 505 - inbytes: 0x4 -> 0x2 (final state: inbytes: 0x2, outbytes: 0x0)
* Interface Changed: nn::ldn::detail::IUserLocalCommunicationService
** Changed: 505 - inbytes: 0x4 -> 0x2 (final state: inbytes: 0x2, outbytes: 0x0)
* Unknown Interface prev-version: 0x7100004EF0
* Unknown Interface cur-version: 0x71000055E0
* Interface Changed: nn::clkrst::IClkrstManager
** Added: 7 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::rtc::IRtcManager
** Changed: 13 - inbytes: 0x8 -> 0x4, outbytes: 0x0 -> 0x2 (final state: inbytes: 0x4, outbytes: 0x2)
* Unknown Interface cur-version: 0x7100086504 [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x7100085DD4 [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x71000846F0 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x7100085B3C [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100086228 [ID = 0x36f3a242]
* Interface Changed: nn::account::IAccountEntityServiceForAccountPolicy
** Removed: 191 - inbytes: 0x0, outbytes: 0x0
** Added: 251 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 292 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100085B3C [ID = 0x3af03446]']
** Added: 293 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100085DD4 [ID = 0x38f0bb3d]']
** Added: 350 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['0x7100086228 [ID = 0x36f3a242]']
** Added: 351 - inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 352 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100086504 [ID = 0x0919ff75]']
** Added: 353 - inbytes: 0x0, outbytes: 0x0
** Removed: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 403 - buffers: [0xA], inbytes: 0x10, outbytes: 0x4
** Added: 404 - buffers: [0x5], inbytes: 0x10, outbytes: 0x1
** Added: 405 - inbytes: 0x10, outbytes: 0x1
** Removed: 411 - inbytes: 0x10, outbytes: 0x0
** Removed: 412 - inbytes: 0x10, outbytes: 0x0
** Added: 413 - inbytes: 0x18, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Removed: 191 - inbytes: 0x0, outbytes: 0x0
** Added: 251 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 292 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100085B3C [ID = 0x3af03446]']
** Added: 293 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100085DD4 [ID = 0x38f0bb3d]']
** Added: 350 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['0x7100086228 [ID = 0x36f3a242]']
** Added: 351 - inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 352 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100086504 [ID = 0x0919ff75]']
** Added: 353 - inbytes: 0x0, outbytes: 0x0
** Removed: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 403 - buffers: [0xA], inbytes: 0x10, outbytes: 0x4
** Added: 404 - buffers: [0x5], inbytes: 0x10, outbytes: 0x1
** Added: 405 - inbytes: 0x10, outbytes: 0x1
** Removed: 411 - inbytes: 0x10, outbytes: 0x0
** Removed: 412 - inbytes: 0x10, outbytes: 0x0
** Added: 413 - inbytes: 0x18, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForSystemService
** Removed: 191 - inbytes: 0x0, outbytes: 0x0
** Removed: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 403 - buffers: [0xA], inbytes: 0x10, outbytes: 0x4
** Added: 404 - buffers: [0x5], inbytes: 0x10, outbytes: 0x1
** Added: 405 - inbytes: 0x10, outbytes: 0x1
* Interface Changed: nn::account::IAccountServiceForSystemServiceWithProfileEditor
** Removed: 191 - inbytes: 0x0, outbytes: 0x0
** Removed: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 403 - buffers: [0xA], inbytes: 0x10, outbytes: 0x4
** Added: 404 - buffers: [0x5], inbytes: 0x10, outbytes: 0x1
** Added: 405 - inbytes: 0x10, outbytes: 0x1
* Interface Changed: nn::account::baas::IAdministrator
** Removed: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
** Added: 181 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000846F0 [ID = 0x107aa108]']
** Added: 182 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x71000846F0 [ID = 0x107aa108]']
** Removed: 204 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::baas::IManagerForSystemService
** Removed: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
** Added: 181 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000846F0 [ID = 0x107aa108]']
** Added: 182 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x71000846F0 [ID = 0x107aa108]']
* Unknown Interface cur-version: 0x710026550C [ID = 0x0919ff75]
* Unknown Interface cur-version: 0x7100264DDC [ID = 0x38f0bb3d]
* Unknown Interface cur-version: 0x71001A4F6C [ID = 0x4e930893]
* Unknown Interface cur-version: 0x71002636F8 [ID = 0x107aa108]
* Unknown Interface cur-version: 0x71001A4968 [ID = 0x04dea048]
* Unknown Interface cur-version: 0x7100264B44 [ID = 0x3af03446]
* Unknown Interface cur-version: 0x7100265230 [ID = 0x36f3a242]
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Removed: 191 - inbytes: 0x0, outbytes: 0x0
** Added: 251 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 292 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100264B44 [ID = 0x3af03446]']
** Added: 293 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x7100264DDC [ID = 0x38f0bb3d]']
** Added: 350 - inbytes: 0x1, outbytes: 0x0, outinterfaces: ['0x7100265230 [ID = 0x36f3a242]']
** Added: 351 - inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 352 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710026550C [ID = 0x0919ff75]']
** Added: 353 - inbytes: 0x0, outbytes: 0x0
** Removed: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 403 - buffers: [0xA], inbytes: 0x10, outbytes: 0x4
** Added: 404 - buffers: [0x5], inbytes: 0x10, outbytes: 0x1
** Added: 405 - inbytes: 0x10, outbytes: 0x1
** Removed: 411 - inbytes: 0x10, outbytes: 0x0
** Removed: 412 - inbytes: 0x10, outbytes: 0x0
** Added: 413 - inbytes: 0x18, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForSystemService
** Removed: 191 - inbytes: 0x0, outbytes: 0x0
** Removed: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 403 - buffers: [0xA], inbytes: 0x10, outbytes: 0x4
** Added: 404 - buffers: [0x5], inbytes: 0x10, outbytes: 0x1
** Added: 405 - inbytes: 0x10, outbytes: 0x1
* Interface Changed: nn::account::baas::IAdministrator
** Removed: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
** Added: 181 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71002636F8 [ID = 0x107aa108]']
** Added: 182 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x71002636F8 [ID = 0x107aa108]']
** Removed: 204 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::baas::IManagerForSystemService
** Removed: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
** Added: 181 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71002636F8 [ID = 0x107aa108]']
** Added: 182 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['0x71002636F8 [ID = 0x107aa108]']
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Added: 421 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 422 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x8, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 423 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x10, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 424 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x8, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 425 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x8, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 426 - buffer_entry_sizes: [0x18], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 427 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x8, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 513 - inbytes: 0x0, outbytes: 0x1
** Added: 514 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 515 - inbytes: 0x0, outbytes: 0x0
** Added: 917 - inbytes: 0x8, outbytes: 0x0
** Added: 918 - inbytes: 0x8, outbytes: 0x0
** Added: 919 - inbytes: 0x8, outbytes: 0x0
** Added: 920 - inbytes: 0x8, outbytes: 0x0
** Added: 921 - inbytes: 0x8, outbytes: 0x80
** Added: 922 - buffers: [0x6], inbytes: 0x88, outbytes: 0x4
** Added: 923 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0
** Added: 928 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 929 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::ns::detail::IProgressAsyncResult']
** Added: 930 - inbytes: 0x10, outbytes: 0x0
** Added: 931 - inbytes: 0x8, outbytes: 0x0
** Added: 1508 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 1509 - inbytes: 0x1, outbytes: 0x0
** Added: 1510 - inbytes: 0x0, outbytes: 0x0
** Added: 1511 - inbytes: 0x0, outbytes: 0x0
** Added: 1512 - inbytes: 0x0, outbytes: 0x1
** Changed: 1704 - buffer_entry_sizes: [0x70, 0x8] -> [0x78, 0x8] (final state: buffer_entry_sizes: [0x78, 0x8], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x0)
** Added: 1706 - buffer_entry_sizes: [0x58, 0x8], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x0
** Added: 2019 - buffer_entry_sizes: [0x100, 0x100, 0x100], buffers: [0x15, 0x5, 0x5], inbytes: 0x0, outbytes: 0x1
** Added: 2052 - inbytes: 0x8, outbytes: 0x0
** Added: 2053 - buffer_entry_sizes: [0x10, 0x0], buffers: [0x6, 0x5], inbytes: 0x8, outbytes: 0x4
** Added: 2362 - inbytes: 0x0, outbytes: 0x4
** Added: 2363 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 2364 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 2365 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 2366 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 2367 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 2368 - inbytes: 0x8, outbytes: 0x0
** Changed: 2402 - buffer_entry_sizes: [0x20] -> [0x28] (final state: buffer_entry_sizes: [0x28], buffers: [0x6], inbytes: 0x0, outbytes: 0x4)
** Added: 2525 - inbytes: 0x20, outbytes: 0x1
** Added: 4000 - inbytes: 0x20, outbytes: 0x0
** Added: 4004 - inbytes: 0x8, outbytes: 0x0
** Added: 4006 - inbytes: 0x45, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4007 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4008 - inbytes: 0x18, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4009 - inbytes: 0x18, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4010 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4011 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4012 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4013 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4015 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4017 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4019 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4020 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4021 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4022 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 4023 - inbytes: 0x0, outbytes: 0x58
** Added: 4024 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4025 - inbytes: 0x28, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4026 - inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A4968 [ID = 0x04dea048]']
** Added: 4027 - inbytes: 0x8, outbytes: 0x0, outinterfaces: ['0x71001A4F6C [ID = 0x4e930893]']
** Added: 4028 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4029 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4030 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4031 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4032 - inbytes: 0x10, outbytes: 0x1
** Added: 4033 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4034 - inbytes: 0x8, outbytes: 0x1
** Added: 4035 - inbytes: 0x28, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4037 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4038 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4039 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4040 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4041 - inbytes: 0x45, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4042 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4043 - inbytes: 0x45, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4044 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x4, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4045 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4046 - inbytes: 0x50, outbytes: 0x0
** Added: 4049 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4050 - buffer_entry_sizes: [0x18], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
** Added: 4051 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4052 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4053 - inbytes: 0x0, outbytes: 0x0
** Added: 4054 - inbytes: 0x0, outbytes: 0x22
** Added: 4055 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4056 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4057 - inbytes: 0x10, outbytes: 0x0
** Added: 4058 - inbytes: 0x0, outbytes: 0x0
** Added: 4059 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4060 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4061 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4062 - inbytes: 0x10, outbytes: 0x1
** Added: 4063 - buffers: [0x6], inbytes: 0x0, outbytes: 0x0
** Added: 4064 - buffers: [0x6], inbytes: 0x0, outbytes: 0x0
** Added: 4065 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x4, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4066 - buffer_entry_sizes: [0x200, 0x0, 0x0], buffers: [0x16, 0x5, 0x5], inbytes: 0x0, outbytes: 0x0
** Added: 4067 - inbytes: 0x10, outbytes: 0x0
** Added: 4068 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4069 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4070 - buffer_entry_sizes: [0x4], buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4071 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4072 - inbytes: 0x10, outbytes: 0x1
** Added: 4073 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4074 - inbytes: 0x10, outbytes: 0x0
** Added: 4075 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4076 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 4077 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4078 - buffer_entry_sizes: [0x4], buffers: [0x5], inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4079 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4080 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4081 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4083 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4084 - inbytes: 0x0, outbytes: 0x0
** Added: 4085 - inbytes: 0x20, outbytes: 0x0
** Added: 4086 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4087 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4088 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 4089 - inbytes: 0x0, outbytes: 0x58
** Added: 4090 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4091 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4092 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4093 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 4094 - inbytes: 0x10, outbytes: 0x0
** Added: 4095 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 4096 - inbytes: 0x0, outbytes: 0x0
** Added: 4097 - inbytes: 0x22, outbytes: 0x0
* Interface Changed: nn::ns::detail::IDownloadTaskInterface
** Added: 710 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ns::detail::IDynamicRightsInterface
** Added: 27 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
** Added: 28 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
* Interface Changed: nn::ns::detail::IECommerceInterface
** Added: 8 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 9 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 10 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 11 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 12 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 13 - buffer_entry_sizes: [0x0, 0x8], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::ns::detail::IFactoryResetInterface
** Added: 107 - inbytes: 0x0, outbytes: 0x0
** Added: 108 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ns::detail::IReadOnlyApplicationControlDataInterface
** Added: 7 - inbytes: 0x8, outbytes: 0x80
** Added: 8 - buffers: [0x6], inbytes: 0x88, outbytes: 0x4
** Added: 9 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0
** Added: 10 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 11 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x8, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 12 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x10, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 13 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x8, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 14 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 15 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 16 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
* Interface Changed: nn::ns::detail::IReadOnlyApplicationRecordInterface
** Added: 3 - buffer_entry_sizes: [0x18], buffers: [0x6], inbytes: 0x4, outbytes: 0x4
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 6 - inbytes: 0x4, outbytes: 0x0
** Added: 7 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 14 - inbytes: 0x0, outbytes: 0x4
** Added: 15 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 12010 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Removed: 13001 - inbytes: 0x10, outbytes: 0x0
** Changed: 13002 - inbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x8, outbytes: 0x4)
** Added: 13003 - buffers: [0x6], inbytes: 0x8, outbytes: 0x10
** Added: 13004 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::capsrv::sf::IAlbumAccessorService
** Added: 20 - inbytes: 0x8, outbytes: 0x1
** Added: 121 - buffer_entry_sizes: [0x20, 0x10], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x8
** Added: 122 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 123 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x18, outbytes: 0x8
** Added: 170 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 171 - inbytes: 0x0, outbytes: 0x0
** Added: 172 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - buffer_entry_sizes: [0x20, 0x0], buffers: [0x5, 0x6], inbytes: 0x2, outbytes: 0x0
** Added: 600 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 8031 - inbytes: 0x1, outbytes: 0x0
** Added: 8032 - inbytes: 0x0, outbytes: 0x0
** Added: 50021 - inbytes: 0x1, outbytes: 0x0
** Added: 50022 - inbytes: 0x1, outbytes: 0x0
** Added: 50023 - buffers: [0x6], inbytes: 0x1, outbytes: 0x8
** Added: 50024 - buffers: [0x45], inbytes: 0x1, outbytes: 0x0
** Added: 50031 - inbytes: 0x8, outbytes: 0x0
** Added: 50032 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::capsrv::sf::IAlbumControlService
** Added: 2015 - inbytes: 0x1, outbytes: 0x0
** Added: 2016 - inbytes: 0x10, outbytes: 0x0
** Changed: 2202 - inbytes: 0x30 -> 0x70 (final state: buffer_entry_sizes: [0x200, 0x0], buffers: [0x15, 0x45], inbytes: 0x70, outbytes: 0x8)
* Interface Changed: nn::capsrv::sf::IAlbumControlSession
** Added: 2436 - inbytes: 0x48, outbytes: 0x0
* Unknown Interface cur-version: 0x71000CE314 [ID = 0x359536d2]
* Interface Changed: nn::am::service::IAllSystemAppletProxiesService
** Added: 110 - buffer_entry_sizes: [0x80], buffers: [0x15], inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::am::service::ISystemAppletProxy'], pid: True
** Added: 460 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000CE314 [ID = 0x359536d2]']
* Interface Changed: nn::am::service::IAppletCommonFunctions
** Added: 311 - inbytes: 0x0, outbytes: 0x4
** Added: 322 - inbytes: 0x8, outbytes: 0x0
** Added: 340 - inbytes: 0x0, outbytes: 0x0
** Added: 341 - inbytes: 0x0, outbytes: 0x0
** Added: 342 - inbytes: 0x0, outbytes: 0x1
** Added: 350 - inbytes: 0x0, outbytes: 0x2
** Added: 360 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::IApplicationAccessor
** Added: 300 - inbytes: 0x0, outbytes: 0x1
** Added: 301 - inbytes: 0x0, outbytes: 0x20, outinterfaces: ['nn::am::service::IStorage']
* Interface Changed: nn::am::service::IApplicationFunctions
** Added: 112 - buffer_entry_sizes: [0x18, 0x8], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x4
** Added: 113 - buffer_entry_sizes: [0x18, 0x8], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x4
** Added: 210 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 220 - inbytes: 0x1, outbytes: 0x0
** Added: 310 - inbytes: 0x1, ininterfaces: [None], outbytes: 0x0
** Added: 320 - inbytes: 0x0, outbytes: 0x2
* Interface Changed: nn::am::service::IAudioController
** Added: 5 - inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::am::service::ICommonStateGetter
** Added: 600 - inbytes: 0xC, outbytes: 0x0
* Interface Changed: nn::am::service::IDebugFunctions
** Added: 430 - inbytes: 0x0, outbytes: 0x0
** Added: 431 - inbytes: 0x4, outbytes: 0x0
** Added: 910 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::am::service::ILibraryAppletAccessor
** Added: 90 - inbytes: 0x20, outbytes: 0x0
* Interface Changed: nn::am::service::ILibraryAppletCreator
** Added: 3 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::am::service::ILibraryAppletAccessor']
* Interface Changed: nn::am::service::ISelfController
** Added: 200 - inbytes: 0x20, outbytes: 0x0
** Added: 210 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 211 - inbytes: 0x0, outbytes: 0x0
** Added: 220 - inbytes: 0x1, outbytes: 0x0
** Added: 221 - inbytes: 0x1, outbytes: 0x0
** Added: 230 - inbytes: 0x4, outbytes: 0x2
* Interface Changed: nn::ssl::sf::ISslConnection
** Added: 36 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 37 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Changed: 31 - buffer_entry_sizes: [0x10] -> [0x18] (final state: buffer_entry_sizes: [0x18], buffers: [0x5], inbytes: 0x20, outbytes: 0x10)
** Removed: 92 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Changed: 119 - buffer_entry_sizes: {} -> [0x18], buffers: {} -> [0x6], outbytes: 0x18 -> 0x4 (final state: buffer_entry_sizes: [0x18], buffers: [0x6], inbytes: 0x10, outbytes: 0x4)
** Changed: 143 - inbytes: 0x18 -> 0x20 (final state: inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData'])
** Added: 151 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 152 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 153 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 154 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 155 - inbytes: 0x22, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 156 - inbytes: 0x22, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 157 - inbytes: 0x4A, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 158 - inbytes: 0x0, outbytes: 0x1
** Added: 159 - inbytes: 0x0, outbytes: 0x0
** Added: 160 - inbytes: 0x0, outbytes: 0x0
** Added: 161 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 162 - buffer_entry_sizes: [0x10, 0x8], buffers: [0x5, 0x5], inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 163 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
** Added: 164 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 165 - buffer_entry_sizes: [0x18, 0x18], buffers: [0x5, 0x5], inbytes: 0x8, outbytes: 0x10
** Added: 166 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x50, outbytes: 0x10
** Added: 167 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 168 - buffer_entry_sizes: [0x18], buffers: [0x6], inbytes: 0x14, outbytes: 0x4
** Added: 169 - inbytes: 0x8, outbytes: 0x0
** Added: 170 - buffers: [0x5, 0x5], inbytes: 0x0, outbytes: 0x1
** Added: 171 - inbytes: 0x11, outbytes: 0x0
** Added: 172 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
** Added: 2000 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2001 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2002 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2003 - buffer_entry_sizes: [0x8, 0x8], buffers: [0x5, 0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2004 - inbytes: 0x28, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2007 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2011 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2012 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2013 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2014 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2015 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2016 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2017 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2018 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2019 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2020 - buffers: [0x5], inbytes: 0x1, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2021 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2022 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2023 - inbytes: 0x25, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2024 - buffer_entry_sizes: [0x80, 0x80], buffers: [0x15, 0x15], inbytes: 0x25, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2025 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2026 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2027 - inbytes: 0x40, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2028 - inbytes: 0x40, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2029 - buffers: [0x5], inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2030 - inbytes: 0x22, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2031 - buffers: [0x5], inbytes: 0x25, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2032 - inbytes: 0x25, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2033 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2034 - inbytes: 0x25, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2035 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2036 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2037 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2038 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2039 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2040 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2041 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** Added: 2042 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2043 - inbytes: 0x20, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2044 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2045 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2046 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2047 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2048 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2049 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2050 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 2051 - buffer_entry_sizes: [0x8, 0x8], buffers: [0x5, 0x5], inbytes: 0x28, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
* Interface Changed: nn::erpt::sf::IContext
** Added: 13 - buffers: [0x5, 0x5], inbytes: 0x0, outbytes: 0x14
** Added: 14 - buffers: [0x5, 0x5, 0x5, 0x5], inbytes: 0x20, outbytes: 0x0
* Interface Changed: nn::erpt::sf::IManager
** Removed: 5 - buffers: [0x6], inbytes: 0x14, outbytes: 0x0
** Added: 6 - buffers: [0x6], inbytes: 0x14, outbytes: 0x4
** Added: 10 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::capsrv::sf::IScreenShotControlService
** Added: 9000 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::capsrv::sf::IScreenShotService
** Added: 2000 - buffer_entry_sizes: [0x88, 0x104], buffers: [0x15, 0x15], inbytes: 0x70, outbytes: 0x20
* Interface Changed: nn::pctl::detail::ipc::IParentalControlService
** Added: 1019 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0
** Added: 1020 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0
** Added: 1050 - inbytes: 0x10, outbytes: 0x0
** Added: 1051 - inbytes: 0x10, outbytes: 0x0
** Removed: 1425 - buffer_entry_sizes: [0x60], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Removed: 1426 - inbytes: 0x0, outbytes: 0x4
** Removed: 1427 - inbytes: 0x4, outbytes: 0x0
** Added: 1459 - inbytes: 0x0, outbytes: 0x18
** Added: 1501 - inbytes: 0x1, outbytes: 0x0
** Added: 1958 - inbytes: 0x0, outbytes: 0x1
** Added: 1959 - inbytes: 0x0, outbytes: 0x1
** Added: 1960 - inbytes: 0x0, outbytes: 0x8
** Added: 2021 - inbytes: 0x0, outbytes: 0x8, outhandles: [1]
** Added: 2022 - inbytes: 0x8, outbytes: 0x10
** Added: 2023 - inbytes: 0x0, outbytes: 0x1
** Added: 3001 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 9401 - buffer_entry_sizes: [0x60], buffers: [0x6], inbytes: 0x2, outbytes: 0x4
** Added: 9402 - buffer_entry_sizes: [0x60, 0x0], buffers: [0x6, 0x6], inbytes: 0x0, outbytes: 0x4
** Added: 9403 - buffer_entry_sizes: [0x60], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 9404 - inbytes: 0x0, outbytes: 0x4
** Added: 9405 - inbytes: 0x4, outbytes: 0x0
* Unknown Interface cur-version: 0x7100097948 [ID = 0xfe214da9]
* Unknown Interface cur-version: 0x7100096B3C [ID = 0xdf171f31]
* Interface Changed: nn::npns::INpnsSystem
** Removed: 34 - buffer_entry_sizes: [0x8], buffers: [0x9], inbytes: 0x0, outbytes: 0x0
** Added: 45 - inbytes: 0x0, outbytes: 0x0
** Added: 52 - buffers: [0x6, 0x9], inbytes: 0x0, outbytes: 0x8
** Added: 53 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100096B3C [ID = 0xdf171f31]']
** Added: 70 - buffers: [0x9, 0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: [None]
** Changed: 143 - inbytes: 0x8 -> 0x10 (final state: buffers: [0x9], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture'])
** Added: 146 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 147 - buffers: [0x9, 0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 203 - inbytes: 0x0, outbytes: 0x0
** Removed: 301 - buffers: [0xA], inbytes: 0x0, outbytes: 0x0
** Removed: 302 - buffer_entry_sizes: [0x10, 0x0], buffers: [0xA, 0xA], inbytes: 0x0, outbytes: 0x8
** Removed: 303 - buffer_entry_sizes: [0x138, 0x138], buffers: [0x6, 0x6], inbytes: 0x0, outbytes: 0x8
** Removed: 304 - inbytes: 0x0, outbytes: 0x50
** Removed: 305 - buffer_entry_sizes: [0x48], buffers: [0x6], inbytes: 0x4, outbytes: 0x8
** Removed: 306 - buffers: [0x6, 0x9], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::notification::server::INotificationServices
** Added: 3000 - buffer_entry_sizes: [0x20], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 3010 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::es::IETicketService
** Added: 105 - buffer_entry_sizes: [0x0, 0x10], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1030 - buffer_entry_sizes: [0x10, 0x8, 0x0, 0x0], buffers: [0x6, 0x5, 0x5, 0x5], inbytes: 0x0, outbytes: 0x4
** Added: 1031 - buffer_entry_sizes: [0x138, 0x8], buffers: [0x15, 0x6], inbytes: 0x0, outbytes: 0x28
** Added: 1032 - buffer_entry_sizes: [0x8, 0x0, 0x0], buffers: [0x5, 0x5, 0x5], inbytes: 0x0, outbytes: 0x8
** Added: 1033 - buffer_entry_sizes: [0x40, 0x10], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x4
** Added: 1034 - buffer_entry_sizes: [0x50], buffers: [0x6], inbytes: 0x8, outbytes: 0x8
** Added: 1035 - inbytes: 0x18, outbytes: 0x80
** Added: 1036 - buffer_entry_sizes: [0x8, 0x0], buffers: [0x5, 0x5], inbytes: 0x8, outbytes: 0x4
** Added: 1037 - buffer_entry_sizes: [0x10, 0x8, 0x0, 0x0], buffers: [0x6, 0x5, 0x5, 0x5], inbytes: 0x8, outbytes: 0x4
** Added: 1601 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1602 - buffers: [0x5, 0x5, 0x5], inbytes: 0x4, outbytes: 0x0
** Added: 1603 - buffer_entry_sizes: [0x20], buffers: [0x16], inbytes: 0x0, outbytes: 0x0
** Added: 1604 - buffer_entry_sizes: [0x40, 0x20], buffers: [0x16, 0x15], inbytes: 0x0, outbytes: 0x0
** Added: 1605 - buffer_entry_sizes: [0x80, 0x40], buffers: [0x16, 0x15], inbytes: 0x0, outbytes: 0x0
** Added: 1606 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ndrm::low::detail::INdrmLowAdminInterface
** Added: 47 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x8, outbytes: 0x4
** Added: 48 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 49 - inbytes: 0x10, outbytes: 0x1
** Added: 50 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::grcsrv::IContinuousRecorder
** Added: 5 - inbytes: 0x4, outbytes: 0x0
* Unknown Interface cur-version: 0x710005ECA0 [ID = 0xef2a5618]
* Interface Changed: nn::mii::detail::IDatabaseService
** Removed: 27 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::mii::detail::IImageDatabaseService
** Added: 19 - inbytes: 0x0, outbytes: 0x0
** Added: 20 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::pdm::detail::INotifyService
** Added: 20 - inbytes: 0x1, outbytes: 0x0
** Added: 100 - inbytes: 0x20, outbytes: 0x0, outinterfaces: ['0x710005ECA0 [ID = 0xef2a5618]']
** Added: 101 - inbytes: 0x20, outbytes: 0x0, outinterfaces: ['0x710005ECA0 [ID = 0xef2a5618]']
* Interface Changed: nn::pdm::detail::IQueryService
** Added: 100 - buffer_entry_sizes: [0x38], buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** Added: 110 - buffer_entry_sizes: [0x40, 0x40, 0x8], buffers: [0x6, 0x6, 0x5], inbytes: 0x18, outbytes: 0x0
** Added: 118 - buffer_entry_sizes: [0x18, 0x8], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x4
** Added: 119 - buffer_entry_sizes: [0x18, 0x8], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x4
* Interface Changed: nn::pl::detail::IPlatformServiceManagerForSystem
** Added: 108 - inbytes: 0x10, outbytes: 0x4
* Unknown Interface cur-version: 0x710014064C [ID = 0x29d8801c]
* Unknown Interface cur-version: 0x7100140AD0 [ID = 0xeb5e4ee2]
* Unknown Interface cur-version: 0x710013C47C [ID = 0x6e021695]
* Unknown Interface cur-version: 0x7100141A58 [ID = 0x3c7c9db7]
* Unknown Interface cur-version: 0x710013E13C [ID = 0x8cf617a1]
* Interface Changed: nn::migration::savedata::IClient
** Added: 101 - inbytes: 0x0, outbytes: 0x1
** Changed: 201 - buffer_entry_sizes: [0x128] -> [0x130] (final state: buffer_entry_sizes: [0x130], buffers: [0x6], inbytes: 0x0, outbytes: 0x4)
** Removed: 500 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::migration::savedata::IServer
** Removed: 1 - inbytes: 0x0, outbytes: 0x8
** Added: 102 - inbytes: 0x0, outbytes: 0x1
** Added: 202 - inbytes: 0x0, outbytes: 0x4
** Added: 203 - inbytes: 0x0, outbytes: 0x8
** Removed: 500 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::migration::user::IClient
** Added: 102 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::migration::user::IServer
** Added: 102 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::migration::user::IService
** Added: 1 - inbytes: 0x0, outbytes: 0x0
** Added: 2 - inbytes: 0x10, outbytes: 0x0
** Removed: 10 - inbytes: 0x0, outbytes: 0xC
** Added: 11 - inbytes: 0x0, outbytes: 0x10
** Removed: 1100 - buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x20, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::migration::savedata::IServer']
** Added: 2001 - inbytes: 0x0, outbytes: 0x10
** Added: 2010 - inbytes: 0x0, outbytes: 0x10
** Added: 2100 - buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C47C [ID = 0x6e021695]']
** Added: 2110 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013C47C [ID = 0x6e021695]']
** Added: 2200 - buffer_entry_sizes: [0x100], buffers: [0x19], inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E13C [ID = 0x8cf617a1]']
** Added: 2210 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710013E13C [ID = 0x8cf617a1]']
** Added: 2220 - inbytes: 0x0, outbytes: 0x10
** Added: 2230 - inbytes: 0x0, outbytes: 0x0
** Added: 2231 - inbytes: 0x0, outbytes: 0x8
** Added: 2232 - inbytes: 0x0, outbytes: 0x21
** Added: 2233 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 2234 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 2250 - inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710014064C [ID = 0x29d8801c]']
** Added: 2260 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710014064C [ID = 0x29d8801c]']
** Added: 2270 - inbytes: 0x8, outbytes: 0x0
** Added: 2280 - inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
** Added: 2300 - inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140AD0 [ID = 0xeb5e4ee2]']
** Added: 2310 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100140AD0 [ID = 0xeb5e4ee2]']
** Added: 2400 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141A58 [ID = 0x3c7c9db7]']
** Added: 2420 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x7100141A58 [ID = 0x3c7c9db7]']
* Unknown Interface cur-version: 0x7100133FE0 [ID = 0x17291af3]
* Unknown Interface cur-version: 0x71001357F4 [ID = 0xa036ce80]
* Interface Changed: nn::olsc::srv::IDaemonController
** Added: 13 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71001357F4 [ID = 0xa036ce80]', None]
* Interface Changed: nn::olsc::srv::IOlscServiceForSystemService
** Added: 1000 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100133FE0 [ID = 0x17291af3]']
* Interface Changed: nn::olsc::srv::IRemoteStorageController
** Added: 26 - buffers: [0x6], inbytes: 0x8, outbytes: 0x4
** Added: 27 - inbytes: 0x8, outbytes: 0x38
** Added: 800 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100133FE0 [ID = 0x17291af3]']
* Interface Changed: nn::omm::detail::IOperationModeManager
** Added: 40 - inbytes: 0x0, outbytes: 0x1
** Added: 41 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 7 - inbytes: 0x1, outbytes: 0x0
** Added: 8 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 118 - inbytes: 0x0, outbytes: 0x0
** Added: 119 - inbytes: 0x0, outbytes: 0x0
** Added: 225 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0
** Added: 226 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 303 - inbytes: 0x4, outbytes: 0x0
** Added: 304 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 38 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
* Interface Changed: nn::fssrv::sf::IFileSystemProxyForLoader
** Changed: 0 - buffer_entry_sizes: [0x301, 0x0] -> {}, buffers: [0x19, 0x6] -> [0x6] (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Added: 75 - buffers: [0x6], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 17 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - inbytes: 0x10 -> 0x18 (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x18, outbytes: 0x0)
* Interface Changed: nn::ncm::IContentMetaDatabase
** Added: 27 - inbytes: 0x1, outbytes: 0x1
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 7 - inbytes: 0x1, outbytes: 0x0
** Added: 8 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 118 - inbytes: 0x0, outbytes: 0x0
** Added: 119 - inbytes: 0x0, outbytes: 0x0
** Added: 225 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0
** Added: 226 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 303 - inbytes: 0x4, outbytes: 0x0
** Added: 304 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 38 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
* Interface Changed: nn::fssrv::sf::IFileSystemProxyForLoader
** Changed: 0 - buffer_entry_sizes: [0x301, 0x0] -> {}, buffers: [0x19, 0x6] -> [0x6] (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Added: 75 - buffers: [0x6], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 17 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - inbytes: 0x10 -> 0x18 (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x18, outbytes: 0x0)
* Interface Changed: nn::ncm::IContentMetaDatabase
** Added: 27 - inbytes: 0x1, outbytes: 0x1
* Interface Changed: nn::clkrst::IClkrstManager
** Added: 7 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::rtc::IRtcManager
** Changed: 13 - inbytes: 0x8 -> 0x4, outbytes: 0x0 -> 0x2 (final state: inbytes: 0x4, outbytes: 0x2)
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 6 - inbytes: 0x4, outbytes: 0x0
** Added: 7 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 14 - inbytes: 0x0, outbytes: 0x4
** Added: 15 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 12010 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Removed: 13001 - inbytes: 0x10, outbytes: 0x0
** Changed: 13002 - inbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x8, outbytes: 0x4)
** Added: 13003 - buffers: [0x6], inbytes: 0x8, outbytes: 0x10
** Added: 13004 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 7 - inbytes: 0x1, outbytes: 0x0
** Added: 8 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 118 - inbytes: 0x0, outbytes: 0x0
** Added: 119 - inbytes: 0x0, outbytes: 0x0
** Added: 225 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0
** Added: 226 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 303 - inbytes: 0x4, outbytes: 0x0
** Added: 304 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 38 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
* Interface Changed: nn::fssrv::sf::IFileSystemProxyForLoader
** Changed: 0 - buffer_entry_sizes: [0x301, 0x0] -> {}, buffers: [0x19, 0x6] -> [0x6] (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Added: 75 - buffers: [0x6], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 17 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - inbytes: 0x10 -> 0x18 (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x18, outbytes: 0x0)
* Interface Changed: nn::ncm::IContentMetaDatabase
** Added: 27 - inbytes: 0x1, outbytes: 0x1
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 7 - inbytes: 0x1, outbytes: 0x0
** Added: 8 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 118 - inbytes: 0x0, outbytes: 0x0
** Added: 119 - inbytes: 0x0, outbytes: 0x0
** Added: 225 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0
** Added: 226 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** Added: 303 - inbytes: 0x4, outbytes: 0x0
** Added: 304 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 38 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
* Interface Changed: nn::fssrv::sf::IFileSystemProxyForLoader
** Changed: 0 - buffer_entry_sizes: [0x301, 0x0] -> {}, buffers: [0x19, 0x6] -> [0x6] (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Added: 75 - buffers: [0x6], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 17 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - inbytes: 0x10 -> 0x18 (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x18, outbytes: 0x0)
* Interface Changed: nn::ncm::IContentMetaDatabase
** Added: 27 - inbytes: 0x1, outbytes: 0x1
* Interface Changed: nn::clkrst::IClkrstManager
** Added: 7 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::rtc::IRtcManager
** Changed: 13 - inbytes: 0x8 -> 0x4, outbytes: 0x0 -> 0x2 (final state: inbytes: 0x4, outbytes: 0x2)
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 6 - inbytes: 0x4, outbytes: 0x0
** Added: 7 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 14 - inbytes: 0x0, outbytes: 0x4
** Added: 15 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 12010 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Removed: 13001 - inbytes: 0x10, outbytes: 0x0
** Changed: 13002 - inbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x8, outbytes: 0x4)
** Added: 13003 - buffers: [0x6], inbytes: 0x8, outbytes: 0x10
** Added: 13004 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_13 (previously master_key_12). See [[NCA]] for the KeyGeneration listing.

The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].

==== Kernel ====
* No/minimal compiler update
* crt0 was restructured, Cache Invalidation/sctlr mmu disable are now different assembly functions.
* Inverted boolean(s) in system control/targetsystem logic
** All KTargetSystem fields have inverted meaning
** KTargetSystem "is present" bool is now inverted
** MersenneTwister "is initialized" bool is now inverted
* KPageTable::ChangeProperties now does a data synchronization barrier after calling the set-attrs lambda
* KPageTableImpl::MergePages now takes an argument for a callback to call after updating page table PTE entries.
** All callers on NX are KPageTable::NoteUpdated
** This causes TLB entries to be flushed/etc every time an entry is written instead of once at the end.
* KAddressSpaceInfo::GetBegin now takes a size as a third argument; this is unused on NX.
** This is presumably only for debug assertions, probably to assert size <= region size.
** This code seems used incorrectly/bugged; it is passed a number of pages by one caller but a size by others.
* KAddressSpaceInfo::GetSize now performs more complicated logic based on the input type.
** If address space not CreateProcessFlag_AddressSpace32BitWithoutAlias then the size is returned directly.
** Otherwise:
*** If the type is Heap, it returns the requested size + the alias size.
*** If the type is Alias, it returns 0.
** KProcess::InitializeByParam now sets m_max_process_memory to KAddressSpaceInfo::GetSize(..., Type_Heap) instead of getting the page table's heap size.
** KPageTableBase::InitializeForProcess has simpler calculation of region extents for 32BitWithoutAlias now.
* KPageTableBase::MapPageGroup_ now checks if the input permission has the execute bit set, and invalidates instruction cache if so.
** This fixes a correctness bug; this was used to map pages as ReadExecute by JIT svcs, so stale instruction cache could result before.
** KPageTableBase::UnmapPageGroup also now invalidates instruction cache after unmapping, if the memory had the execute bit set.
* KSecureSystemResource now has better checking for the case where resource limit is nullptr.
** This is impossible on NX.
** This includes checks in GetUsed/TotalUserPhysicalMemorySize
** KSecureSystemResource::Destroy now checks before calling ReleaseLimit
* KPageTableBase::SetProcessMemoryPermission changes:
** Function now uses PageTableOperation_ChangePermsAndRefresh instead of _ChangePermsAndRefreshAndFlushDataCache when the execute permission is set.
** Data cache store + instruction cache invalidate is now done before operating instead of after
** instruction cache invalidate is done after memory block manager is updated.
* El0SynchronousExceptionHandler now always does tlbi vae1 instead of doing that or tlbi aside1 depending on status bits.
* El1SynchronousExceptionHandler now always does tlbi vaae1 instead of doing that or tlbi vmalle1 depending on status bits.
** NOTE: The checks Nintendo did previously have been bugged for many years and did not work.
** These checks were fixed to actually work now.
* UserspaceAccess changes:
** UserspaceAccess functions are now all called through helper functions, which directly call UserspaceAccess::*
*** This is probably "UserspaceAccessChecked", and likely for parity with the supervisor mode access function they added in 19.0.0.
** UserspaceAccess functions which previously had no callers have been deleted.
*** This includes UserspaceAccess::ClearUserMemory*.
* HandleException changes:
** After checking for thread termination, fixup is done on esr_el1/ec values.
*** If esr_ec is 0x20 or 0x24 (DataAbortEl0/InstructionAbortEl0):
**** If esr_el1 & 0x43F == 0x410 then pc is treated as 0
**** Otherwise, if pc is a kernel address, then esr_el1 has the ISFC bits set to hardcoded-value 4.
** This is also done in ReturnFromException
* Kernel::InitializeResourceManagers now initializes the managers in a different order.
* FindFreeArea was refactored in both KMemoryBlockManager and KPageTableBase to use shared common logic to compute the start and end of the guarded region to generate an address within.
** The core helper is a KMemoryBlockManager function.
** KMemoryBlockManager::FindFreeArea calls this helper twice (both inlined); KPageTable::FindFreeArea calls it once.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2025-04-30_00-03-37&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

20.0.0

2025-04-30T02:27:51Z

SciresM: Add kernel diff

19.0.0

2024-10-09T23:59:48Z

SciresM: Undo revision 13016 by SciresM (talk)

The Switch 19.0.0 system update was released on October 8, 2024 (UTC). This Switch update was released for the following regions: CHN, and ALL.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware.
** Applets: qlaunch, auth, netConnect, LibAppletWeb, LibAppletShop, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application.

[[NPDM]] changes (besides usual version-bump):
* usb: Service access: removed set:fd.
* htc.stub: SVC access: removed SetHeapSize, MapMemory, UnmapMemory, ExitProcess, CreateThread, StartThread, ExitThread, SleepThread, SetThreadPriority, GetThreadCoreMask, SetThreadCoreMask, GetCurrentProcessorNumber, SignalEvent, MapSharedMemory, UnmapSharedMemory, CreateTransferMemory, CloseHandle, ResetSignal, CancelSynchronization, ArbitrateLock, ArbitrateUnlock, WaitProcessWideKeyAtomic, SignalProcessWideKey, GetSystemTick, SendSyncRequestLight, SendSyncRequestWithUserBuffer, SendAsyncRequestWithUserBuffer, GetProcessId, Break, OutputDebugString, ReturnFromException, WaitForAddress, SignalToAddress.
* bluetooth: Service access: removed set:fd.
* bcat: Service access: added ssl:s, removed ssl.
* friends: Service access: added ssl:s, removed set, ssl. SVC access: removed MapTransferMemory, UnmapTransferMemory.
* nifm: Service access: added ssl:s, removed ssl.
* ptm: Service access: removed set:fd. KernelCap HandleTableSize: removed HandleTableSize=0x100.
* bsdsocket: Service server access: removed bsdcfg.
* hid: Service access: removed set:fd.
* audio: Service access: removed set, set:cal.
* wlan: Service access: removed i2c.
* pcv: Service access: removed set:fd.
* account: Service access: added ssl:s, removed ssl.
* ns: Service access: added caps:dc.
* nfc: Service access: removed xcd:sys.
* capsrv: Service access: added acc:e:u1.
* erpt: Service access: added srepo:a, removed srepo:u.
* pctl: Service access: added ssl:s, removed ssl.
* npns: Service access: added ssl:s, removed ssl. SVC access: added MapTransferMemory, UnmapTransferMemory.
* eupld: Service access: added ssl:s, removed ssl.
* creport: SVC access: removed GetThreadList.
* migration: Service access: added hid, set, ssl:s, removed bsdcfg, ssl.
* olsc: Service access: added ssl:s, removed ssl.
* omm: Service access: removed irs:sys.
* qlaunch: Service access: added bsd:a, removed bsd:u.
* auth: Service access: added bsd:a, removed bsd:u.
* netConnect: Service access: added bsd:a, removed bsd:u.
* LibAppletWeb: Service access: added bsd:a, removed bsd:u.
* LibAppletShop: Service access: added bsd:a, removed bsd:u.
* LibAppletOff: Service access: added bsd:a, removed bsd:u.
* LibAppletLns: Service access: added bsd:a, removed bsd:u.
* LibAppletAuth: Service access: added bsd:a, removed bsd:u.

RomFs changes:
* [[SSL_services#CertStore|CertStore]]: "/ssl_TrustedCerts.Ounce.bdf" updated
* ErrorMessage: updated
* BrowserDll: "/buildinfo/buildinfo.dat" updated, "/nro/netfront/core_2/default/cfi_enabled/cairo_wkc.nro.lz4" updated, "/nro/netfront/core_2/default/cfi_enabled/libfont.nro.lz4" updated, "/nro/netfront/core_2/default/cfi_enabled/oss_wkc.nro.lz4" updated, "/nro/netfront/core_2/default/cfi_enabled/peer_wkc.nro.lz4" updated, "/nro/netfront/core_2/default/cfi_enabled/webkit_wkc.nro.lz4" updated
* Help: "/legallines.htdocs/index.html" updated
* NgWord: updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* TimeZoneBinary: updated
* [[System_Settings|FirmwareDebugSettings]]: All files updated.
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* NgWordT: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* auth applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* netConnect applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.
* "starter" application:
** "/lyt/": Various data updated.
** "/message/": Various data updated.

The SDK library version strings were removed from all titles. The "SDK MW+Nintendo+{...}" strings are no longer present. The used libraries/versions can therefore no longer be determined via checking these strings (unless there's other version-strings).

=== IPC Interface Changes ===
* Interface Changed: nn::sasbus::ISession
** Added: 4 - inbytes: 0x10, inhandles: [1], outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Removed: nn::news::detail::ipc::INewlyArrivedEventHolder
* Interface Removed: nn::news::detail::ipc::INewsDatabaseService
* Interface Added: nn::news::detail::ipc::IDeviceNewsDatabaseService
* Interface Added: nn::news::detail::ipc::INewArrivalEventHolder
* Interface Changed: nn::news::detail::ipc::INewsDataService
** Added: 1100 - inbytes: 0x18, outbytes: 0x0
* Interface Changed: nn::news::detail::ipc::INewsService
** Removed: 30400 - buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::news::detail::ipc::IServiceCreator
** Changed: 1 - outinterfaces: ['nn::news::detail::ipc::INewlyArrivedEventHolder'] -> ['nn::news::detail::ipc::INewArrivalEventHolder'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::news::detail::ipc::INewArrivalEventHolder'])
** Changed: 3 - outinterfaces: ['nn::news::detail::ipc::INewsDatabaseService'] -> ['nn::news::detail::ipc::IDeviceNewsDatabaseService'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::news::detail::ipc::IDeviceNewsDatabaseService'])
* Unknown Interface prev-version: 0x710007CD3C
* Unknown Interface cur-version: 0x71000844C0
* Interface Changed: nn::friends::detail::ipc::IFriendService
** Added: 20105 - buffer_entry_sizes: [0x200], buffers: [0x6], inbytes: 0x28, outbytes: 0x4
** Added: 20106 - buffer_entry_sizes: [0x200, 0x8], buffers: [0x6, 0x9], inbytes: 0x10, outbytes: 0x0
** Added: 20502 - buffer_entry_sizes: [0x4A8, 0x8], buffers: [0x6, 0x9], inbytes: 0x10, outbytes: 0x0
** Added: 20601 - buffer_entry_sizes: [0xE8], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
** Added: 20702 - buffer_entry_sizes: [0x100], buffers: [0x6], inbytes: 0x18, outbytes: 0x4
** Added: 20802 - buffer_entry_sizes: [0x800], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
** Added: 22002 - buffer_entry_sizes: [0x500], buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 22003 - buffer_entry_sizes: [0x1400], buffers: [0x16], inbytes: 0x18, outbytes: 0x0
** Added: 30501 - buffer_entry_sizes: [0x4A8], buffers: [0x1A], inbytes: 0x30, outbytes: 0x0
** Added: 30701 - buffer_entry_sizes: [0x40, 0x48, 0x48], buffers: [0x19, 0x19, 0x19], inbytes: 0x28, outbytes: 0x0
** Added: 30901 - buffer_entry_sizes: [0xC00, 0x8, 0x0], buffers: [0x15, 0x9, 0x5], inbytes: 0x30, outbytes: 0x0
** Added: 31000 - inbytes: 0x28, outbytes: 0x0, outinterfaces: ['nn::friends::detail::ipc::INotificationService']
* Interface Changed: nn::friends::detail::ipc::IServiceCreator
** Changed: 2 - outinterfaces: ['0x710007CD3C'] -> ['0x71000844C0'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000844C0'])
* Interface Removed: nn::fgm::sf::IRequest
* Interface Removed: nn::fgm::sf::ISession
* Interface Added: nn::fgm::IRequest
* Interface Added: nn::fgm::ISession
* Interface Changed: nn::psm::IPsmServer
** Added: 21 - inbytes: 0x0, outbytes: 0x4
** Added: 22 - inbytes: 0x0, outbytes: 0x1
** Added: 23 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::bsdsocket::cfg::ServerInterface
** Added: 24 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::hid::IHidDebugServer
** Added: 212 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
** Added: 253 - inbytes: 0x8, outbytes: 0x0
** Removed: 351 - inbytes: 0x0, outbytes: 0x4
** Removed: 352 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::hid::IHidServer
** Added: 22 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::hid::IHidSystemServer
** Removed: 214 - inbytes: 0x10, outbytes: 0x8
** Added: 216 - inbytes: 0x10, outbytes: 0x8
** Added: 217 - inbytes: 0x8, outbytes: 0x0, outhandles: [1, 1]
** Added: 218 - buffer_entry_sizes: [0x804], buffers: [0x32], inbytes: 0x8, outbytes: 0x0
** Added: 219 - inbytes: 0x10, outbytes: 0x0
** Added: 220 - inbytes: 0x8, outbytes: 0x0
** Added: 221 - inbytes: 0x30, outbytes: 0x0
** Added: 222 - buffer_entry_sizes: [0x3F4], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 223 - buffer_entry_sizes: [0x218], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffer_entry_sizes: [0x64], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 225 - inbytes: 0x10, outbytes: 0x0
** Added: 226 - buffer_entry_sizes: [0x118], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 227 - buffer_entry_sizes: [0x218], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 234 - inbytes: 0x8, outbytes: 0x8
** Added: 241 - inbytes: 0x8, outbytes: 0x1
** Added: 242 - inbytes: 0x10, outbytes: 0x0
** Added: 243 - inbytes: 0x8, outbytes: 0x1
** Added: 244 - inbytes: 0x10, outbytes: 0x0
** Added: 245 - inbytes: 0x8, outbytes: 0x20
** Added: 246 - inbytes: 0x8, outbytes: 0x0
** Added: 247 - inbytes: 0x10, outbytes: 0x0
** Added: 332 - inbytes: 0x8, outbytes: 0x4
** Added: 526 - inbytes: 0x0, outbytes: 0x1
** Removed: 543 - buffer_entry_sizes: [0x30], buffers: [0xA], inbytes: 0x0, outbytes: 0x8
** Added: 1420 - inbytes: 0x8, outbytes: 0xC
* Interface Changed: nn::xcd::detail::ISystemServer
** Removed: 0 - inbytes: 0x8, outbytes: 0x1
** Removed: 1 - inbytes: 0xC, outbytes: 0x0
** Removed: 2 - inbytes: 0x8, outbytes: 0x1
** Removed: 3 - inbytes: 0xC, outbytes: 0x0
** Removed: 4 - inbytes: 0x8, outbytes: 0x20
** Removed: 5 - inbytes: 0x8, outbytes: 0x0
** Removed: 6 - inbytes: 0xC, outbytes: 0x0
** Removed: 10 - inbytes: 0x8, outbytes: 0x0, outhandles: [1, 1]
** Removed: 11 - buffer_entry_sizes: [0x804], buffers: [0x32], inbytes: 0x8, outbytes: 0x0
** Removed: 12 - inbytes: 0x10, outbytes: 0x0
** Removed: 13 - inbytes: 0x8, outbytes: 0x0
** Removed: 14 - inbytes: 0x30, outbytes: 0x0
** Removed: 15 - buffer_entry_sizes: [0x3F4], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
** Removed: 16 - buffer_entry_sizes: [0x218], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
** Removed: 17 - buffer_entry_sizes: [0x64], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
** Removed: 18 - inbytes: 0xC, outbytes: 0x0
** Removed: 19 - buffer_entry_sizes: [0x118], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
** Removed: 20 - buffer_entry_sizes: [0x218], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::audioctrl::detail::IAudioController
** Added: 5000 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::audioctrl::detail::IAudioController']
** Removed: 50000 - inbytes: 0x4, outbytes: 0x0
** Added: 50001 - inbytes: 0x4, outbytes: 0x0
** Added: 50003 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
** Added: 50004 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::wlan::detail::IPrivateWirelessCommunicationService
** Changed: 2 - buffer_entry_sizes: [0x1F8] -> [0x9A] (final state: buffer_entry_sizes: [0x9A], buffers: [0x19], inbytes: 0x4, outbytes: 0x0)
** Changed: 12 - buffer_entry_sizes: [0x84] -> [0x80] (final state: buffer_entry_sizes: [0x80], buffers: [0x19], inbytes: 0x0, outbytes: 0x32)
* Interface Changed: nn::wlan::detail::IWirelessCommunicationService
** Changed: 60 - buffer_entry_sizes: [0x1F8] -> [0x9A] (final state: buffer_entry_sizes: [0x9A], buffers: [0x19], inbytes: 0x0, outbytes: 0x0)
** Changed: 90 - buffer_entry_sizes: [0x84] -> [0x80] (final state: buffer_entry_sizes: [0x80], buffers: [0x19], inbytes: 0x0, outbytes: 0x32)
** Changed: 100 - inbytes: 0x80 -> 0x7C (final state: inbytes: 0x7C, outbytes: 0x0)
** Added: 109 - inbytes: 0x8, outbytes: 0x0
** Added: 120 - inbytes: 0x0, outbytes: 0x18
** Added: 204 - buffers: [0x21], inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::ldn::detail::ISystemLocalCommunicationService
** Added: 404 - inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::ldn::detail::IUserLocalCommunicationService
** Added: 403 - inbytes: 0x4, outbytes: 0x0
* Unknown Interface prev-version: 0x7100005438
* Unknown Interface cur-version: 0x7100004EF0
* Interface Changed: nn::account::IAccountEntityServiceForAccountPolicy
** Added: 52 - inbytes: 0x8, outbytes: 0x10
** Added: 420 - buffer_entry_sizes: [0xD0], buffers: [0x19], inbytes: 0x10, outbytes: 0x0
** Added: 421 - buffer_entry_sizes: [0xD0], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountEntityServiceForApplication
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Added: 52 - inbytes: 0x8, outbytes: 0x10
** Added: 420 - buffer_entry_sizes: [0xD0], buffers: [0x19], inbytes: 0x10, outbytes: 0x0
** Added: 421 - buffer_entry_sizes: [0xD0], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForSystemService
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::IAccountServiceForSystemServiceWithProfileEditor
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::baas::IAdministrator
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 136 - buffer_entry_sizes: [0x270, 0x0], buffers: [0x1A, 0x6], inbytes: 0x0, outbytes: 0x8
** Added: 204 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 223 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::baas::IManagerForApplication
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IManagerForSystemService
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 136 - buffer_entry_sizes: [0x270, 0x0], buffers: [0x1A, 0x6], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::account::nas::IOAuthProcedureForExternalNsa
** Added: 1000 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::account::profile::IProfile
** Added: 40 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::profile::IProfileEditor
** Added: 40 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Added: 52 - inbytes: 0x8, outbytes: 0x10
** Added: 420 - buffer_entry_sizes: [0xD0], buffers: [0x19], inbytes: 0x10, outbytes: 0x0
** Added: 421 - buffer_entry_sizes: [0xD0], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForApplication
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::IAccountServiceForSystemService
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::baas::IAdministrator
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 136 - buffer_entry_sizes: [0x270, 0x0], buffers: [0x1A, 0x6], inbytes: 0x0, outbytes: 0x8
** Added: 204 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 223 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::baas::IManagerForApplication
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IManagerForSystemService
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 136 - buffer_entry_sizes: [0x270, 0x0], buffers: [0x1A, 0x6], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::account::nas::IOAuthProcedureForExternalNsa
** Added: 1000 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::account::profile::IProfile
** Added: 40 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::profile::IProfileEditor
** Added: 40 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Changed: 94 - inbytes: 0x58 -> 0x88 (final state: inbytes: 0x88, outbytes: 0x8)
** Changed: 95 - outbytes: 0x50 -> 0x80 (final state: inbytes: 0x8, outbytes: 0x80)
** Changed: 96 - outbytes: 0x50 -> 0x80 (final state: inbytes: 0x8, outbytes: 0x80)
** Changed: 97 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x1)
** Removed: 406 - buffer_entry_sizes: [0x4000], buffers: [0x16], inbytes: 0x58, outbytes: 0x0
** Added: 411 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 412 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 413 - inbytes: 0x1, outbytes: 0x4
** Added: 414 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x1, outbytes: 0x4
** Added: 415 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 416 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 417 - inbytes: 0x1, outbytes: 0x0
** Added: 418 - inbytes: 0x10, outbytes: 0x0
** Added: 419 - inbytes: 0x10, outbytes: 0x0
** Added: 420 - buffer_entry_sizes: [0x18], buffers: [0x5], inbytes: 0x20, outbytes: 0x0
** Added: 511 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 512 - inbytes: 0x0, outbytes: 0x1
** Changed: 1802 - buffer_entry_sizes: [0x90] -> [0x98] (final state: buffer_entry_sizes: [0x98], buffers: [0x6], inbytes: 0x0, outbytes: 0x4)
** Changed: 1803 - buffer_entry_sizes: [0xB0] -> [0xB8] (final state: buffer_entry_sizes: [0xB8], buffers: [0x6], inbytes: 0x0, outbytes: 0x4)
** Added: 2360 - inbytes: 0x0, outbytes: 0x4
** Added: 2361 - inbytes: 0x0, outbytes: 0x4
** Changed: 2513 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x8)
** Changed: 2517 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x8)
** Added: 2524 - buffer_entry_sizes: [0x300], buffers: [0x16], inbytes: 0x10, outbytes: 0x10
* Interface Changed: nn::ns::detail::IDevelopInterface
** Changed: 17 - outbytes: 0x50 -> 0x80 (final state: buffers: [0x5], inbytes: 0x4, outbytes: 0x80)
** Changed: 18 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x0, outhandles: [1])
** Changed: 19 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x0)
** Changed: 21 - outbytes: 0x50 -> 0x80 (final state: inbytes: 0x10, outbytes: 0x80)
** Changed: 22 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x8)
** Changed: 23 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x8)
* Interface Changed: nn::ns::detail::IDocumentInterface
** Added: 2524 - buffer_entry_sizes: [0x300], buffers: [0x16], inbytes: 0x10, outbytes: 0x10
* Interface Changed: nn::ns::detail::IReadOnlyApplicationControlDataInterface
** Added: 5 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 6 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 5 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 13 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 13002 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::timesrv::detail::service::IStaticService
** Added: 600 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::timesrv::detail::service::ITimeServiceManager
** Added: 20 - inbytes: 0x0, outbytes: 0x18
* Interface Changed: nn::capsrv::sf::IAlbumAccessorService
** Added: 8022 - buffer_entry_sizes: [0x20, 0x10], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x8
** Added: 50001 - buffers: [0x6], inbytes: 0x18, outbytes: 0x0
** Added: 50011 - inbytes: 0x0, outbytes: 0x4
** Added: 50012 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::capsrv::sf::IAlbumAccessorSession
** Added: 2009 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::capsrv::sf::IAlbumControlService
** Changed: 2011 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** Changed: 2012 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** Changed: 2013 - outbytes: 0x8 -> 0x10 (final state: inbytes: 0x8, outbytes: 0x10)
** Changed: 2101 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x18)
** Added: 2103 - buffer_entry_sizes: [0x200, 0x88], buffers: [0x16, 0x15], inbytes: 0x8, outbytes: 0x0
** Added: 2104 - buffer_entry_sizes: [0x200], buffers: [0x16], inbytes: 0x20, outbytes: 0x0
** Added: 2401 - buffer_entry_sizes: [0x400], buffers: [0x16], inbytes: 0x18, outbytes: 0x0
** Added: 2501 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::capsrv::sf::IAlbumControlSession
** Added: 2009 - inbytes: 0x8, outbytes: 0x10
* Interface Added: nn::am::service::IApplicationObserver
* Interface Added: nn::am::service::IMovieWriter
* Interface Added: nn::am::service::ISystemProcessCommonFunctions
* Interface Added: nn::grcsrv::IMovieWriter
* Interface Changed: nn::am::service::IAllSystemAppletProxiesService
** Added: 450 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::am::service::ISystemProcessCommonFunctions']
* Interface Changed: nn::am::service::IAppletCommonFunctions
** Added: 310 - inbytes: 0x0, outbytes: 0x1
** Added: 320 - inbytes: 0x8, outbytes: 0x0
** Added: 321 - inbytes: 0x8, outbytes: 0x0
** Added: 330 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::am::service::IApplicationFunctions
** Added: 300 - inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::am::service::IMovieWriter']
* Interface Changed: nn::am::service::ICommonStateGetter
** Added: 15 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Removed: 600 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::am::service::IStorageChannel']
** Added: 1000 - inbytes: 0x0, outbytes: 0x0
** Added: 1001 - inbytes: 0x0, outbytes: 0x0
** Added: 1002 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::am::service::IDebugFunctions
** Changed: 31 - inbytes: 0x58 -> 0x88 (final state: buffer_entry_sizes: [0x10, 0x0], buffers: [0x5, 0x5], inbytes: 0x88, outbytes: 0x0)
* Interface Changed: nn::am::service::IHomeMenuFunctions
** Added: 60 - inbytes: 0x0, outbytes: 0x0
** Added: 61 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::ILibraryAppletAccessor
** Added: 80 - inbytes: 0x0, outbytes: 0x0
** Added: 81 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::am::service::IAppletAccessor']
* Interface Changed: nn::am::service::IOverlayFunctions
** Added: 50 - inbytes: 0x8, outbytes: 0x0
** Added: 60 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::am::service::ISelfController
** Added: 22 - inbytes: 0x0, outbytes: 0x1
** Added: 23 - inbytes: 0x0, outbytes: 0x1
** Added: 24 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::grcsrv::IGameMovieTrimmer
** Added: 21 - buffers: [0x45], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::ssl::sf::ISslServiceForSystem
** Changed: 103 - inbytes: 0x0 -> 0x4 (final state: buffers: [0x5, 0x5, 0x5], inbytes: 0x4, outbytes: 0x0)
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 150 - buffer_entry_sizes: [0x300], buffers: [0x16], inbytes: 0x20, outbytes: 0x0
* Interface Changed: nn::erpt::sf::IContext
** Changed: 2 - inbytes: 0x18 -> 0x20 (final state: inbytes: 0x20, outbytes: 0x0)
* Interface Changed: nn::capsrv::sf::IScreenShotControlService
** Changed: 1004 - inbytes: 0x68 -> 0x70 (final state: buffer_entry_sizes: [0x404, 0x88], buffers: [0x15, 0x15], inbytes: 0x70, outbytes: 0x0)
** Changed: 1106 - inbytes: 0x68 -> 0x78 (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x46, 0x46], inbytes: 0x78, outbytes: 0x18)
** Changed: 1107 - inbytes: 0x68 -> 0x78 (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x45], inbytes: 0x78, outbytes: 0x18)
** Changed: 1108 - inbytes: 0x70 -> 0x80 (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0], buffers: [0x15, 0x15, 0x15, 0x6], inbytes: 0x80, outbytes: 0x18)
** Added: 1109 - buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x45, 0x45], inbytes: 0x78, outbytes: 0x18
** Added: 1110 - buffers: [0x6, 0x45, 0x6], inbytes: 0x8, outbytes: 0x8
** Added: 1111 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x46, 0x46], inbytes: 0x80, outbytes: 0x18
** Added: 1112 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x45], inbytes: 0x80, outbytes: 0x18
** Added: 1113 - buffer_entry_sizes: [0x400, 0x404, 0x0], buffers: [0x15, 0x15, 0x6], inbytes: 0x88, outbytes: 0x18
** Added: 1114 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x45, 0x45], inbytes: 0x80, outbytes: 0x18
* Interface Changed: nn::capsrv::sf::IScreenShotService
** Changed: 1000 - inbytes: 0x68 -> 0x70 (final state: buffer_entry_sizes: [0x88, 0x400], buffers: [0x15, 0x15], inbytes: 0x70, outbytes: 0x20)
* Interface Changed: nn::dp2hdmi::detail::IDp2hdmiController
** Removed: 7 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::pctl::detail::ipc::IParentalControlService
** Added: 2017 - inbytes: 0x20, outbytes: 0x8, outhandles: [1]
** Added: 2019 - inbytes: 0x0, outbytes: 0x0
* Interface Added: nn::npns::IFuture
* Interface Added: nn::npns::ISubscriptionUpdateNotifier
* Interface Changed: nn::npns::INpnsSystem
** Added: 17 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::ISubscriptionUpdateNotifier']
** Added: 60 - buffer_entry_sizes: [0x298], buffers: [0x15], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 61 - inbytes: 0x0, outbytes: 0x1
** Added: 141 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 142 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 143 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 144 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 145 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
* Interface Changed: nn::arp::detail::IRegistrar
** Removed: 2 - buffer_entry_sizes: [0x4000], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::arp::detail::IWriter
** Added: 4 - buffer_entry_sizes: [0x4000], buffers: [0x15], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::timesrv::detail::service::IStaticService
** Added: 600 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::es::IETicketService
** Changed: 1027 - buffer_entry_sizes: [0x10, 0x0] -> [0x10, 0x8, 0x0], buffers: [0x6, 0x5] -> [0x6, 0x5, 0x5], inbytes: 0x10 -> 0x8 (final state: buffer_entry_sizes: [0x10, 0x8, 0x0], buffers: [0x6, 0x5, 0x5], inbytes: 0x8, outbytes: 0x4)
** Added: 1029 - buffer_entry_sizes: [0x18, 0x8, 0x0], buffers: [0x6, 0x5, 0x5], inbytes: 0x10, outbytes: 0x4
* Interface Added: nn::grcsrv::IMovieWriter
* Interface Changed: nn::grcsrv::IGameMovieTrimmer
** Added: 21 - buffers: [0x45], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::grcsrv::IGrcService
** Added: 110 - inbytes: 0x20, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::grcsrv::IMovieWriter']
* Interface Changed: nn::mii::detail::IDatabaseService
** Added: 27 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::mii::detail::IImageDatabaseService
** Added: 18 - buffers: [0x5], inbytes: 0x3A, outbytes: 0x0
* Interface Changed: nn::migration::savedata::IClient
** Added: 510 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::savedata::IServer
** Added: 510 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::user::IService
** Added: 0 - inbytes: 0x0, outbytes: 0x2
* Interface Changed: nn::olsc::srv::IOlscServiceForSystemService
** Changed: 907 - inbytes: 0x70 -> 0x78 (final state: inbytes: 0x78, outbytes: 0x0)
* Interface Changed: nn::omm::detail::IOperationModeManager
** Added: 29 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
* Interface Changed: nn::omm::srv::IDisplayLayerControl
** Changed: 610 - buffer_entry_sizes: [0x4C8] -> [0x4D0] (final state: buffer_entry_sizes: [0x4D0], buffers: [0x15], inbytes: 0x0, outbytes: 0x0)
** Changed: 611 - buffer_entry_sizes: [0x4C8] -> [0x4D0] (final state: buffer_entry_sizes: [0x4D0], buffers: [0x15], inbytes: 0x0, outbytes: 0x0)
** Changed: 612 - buffer_entry_sizes: [0x4C8] -> [0x4D0] (final state: buffer_entry_sizes: [0x4D0], buffers: [0x15], inbytes: 0x0, outbytes: 0x0)
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Changed: 206 - outbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x8)
** Added: 223 - inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffers: [0x6], inbytes: 0x10, outbytes: 0x2
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 503 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
** Added: 632 - inbytes: 0x20, outbytes: 0x0
** Added: 820 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - buffer_entry_sizes: [0x400] -> [0x410] (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0)
* Interface Changed: nn::pm::detail::IBootModeInterface
** Added: 2 - inbytes: 0x0, outbytes: 0x4
** Added: 3 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::pm::detail::IShellInterface
** Added: 12 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::sasbus::ISession
** Added: 4 - inbytes: 0x10, inhandles: [1], outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Changed: 206 - outbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x8)
** Added: 223 - inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffers: [0x6], inbytes: 0x10, outbytes: 0x2
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 503 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
** Added: 632 - inbytes: 0x20, outbytes: 0x0
** Added: 820 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - buffer_entry_sizes: [0x400] -> [0x410] (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0)
* Interface Changed: nn::pm::detail::IBootModeInterface
** Added: 2 - inbytes: 0x0, outbytes: 0x4
** Added: 3 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::pm::detail::IShellInterface
** Added: 12 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 5 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 13 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 13002 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::timesrv::detail::service::IStaticService
** Added: 600 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::timesrv::detail::service::ITimeServiceManager
** Added: 20 - inbytes: 0x0, outbytes: 0x18
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Changed: 206 - outbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x8)
** Added: 223 - inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffers: [0x6], inbytes: 0x10, outbytes: 0x2
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 503 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
** Added: 632 - inbytes: 0x20, outbytes: 0x0
** Added: 820 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - buffer_entry_sizes: [0x400] -> [0x410] (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0)
* Interface Changed: nn::pm::detail::IBootModeInterface
** Added: 2 - inbytes: 0x0, outbytes: 0x4
** Added: 3 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::pm::detail::IShellInterface
** Added: 12 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::sasbus::ISession
** Added: 4 - inbytes: 0x10, inhandles: [1], outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Changed: 206 - outbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x8)
** Added: 223 - inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffers: [0x6], inbytes: 0x10, outbytes: 0x2
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 503 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
** Added: 632 - inbytes: 0x20, outbytes: 0x0
** Added: 820 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - buffer_entry_sizes: [0x400] -> [0x410] (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0)
* Interface Changed: nn::pm::detail::IBootModeInterface
** Added: 2 - inbytes: 0x0, outbytes: 0x4
** Added: 3 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::pm::detail::IShellInterface
** Added: 12 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 5 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 13 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 13002 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::timesrv::detail::service::IStaticService
** Added: 600 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::timesrv::detail::service::ITimeServiceManager
** Added: 20 - inbytes: 0x0, outbytes: 0x18

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_12 (previously master_key_11). See [[NCA]] for the KeyGeneration listing.

The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].

==== Kernel ====
* KMemoryManager now supports per-pool-partition minimum page alignments.
** KMemoryManager::Initialize now aborts unless a valid pool index is chosen.
** KMemoryManager::Initialize now takes an additional array argument of minimum-page alignments (one array entry per pool partition).
*** This array is currently all-zero, which corresponds to minimum allocation alignment of 0x1000 (1 page).
** Allocation functions now check that alignment is valid for the pool's minimum.
** MapPhysicalMemory now checks alignment based on the mm min-pages.
** UnmapPhysicalMemory now checks alignment based on the mm min-pages.
** StartProcess() now checks alignment/aligns up based on the mm min-pages.
** KProcess::Run no longer aligns the input stack-size up to page size when checking that stack + code size does not exceed m_max_process_memory.
* KMemoryBlock was refactored:
** Fields were shuffled around, optimizing the storage layout.
*** The last field now ends @ +0x3A, instead of +0x40 before, coming close to but not actually saving 8 bytes per block.
**** This presumably makes space for fields which are ifdef'd out on NX.
** DisableMergeAttribute_(Device)Right is now 0x20, instead of 0x10.
*** Bit 0x10 appears nowhere in entire kernel now, and code which previously did & 0xF to get the Left disable attrs still does & 0xF.
**** Bit 0x10 is presumably ifdef'd out on NX.
** KMemoryInfo is essentially no longer used at all any more.
*** All cases where GetMemoryInfo was called now use the fields from the KMemoryBlock directly.
*** The one exception to this is KPageTableBase::QueryInfo, which still returns a KMemoryInfo as output variable.
* The kernel now handles ttbr0 management completely differently:
** The kernel now stores an array of 0x51 TTBR0 pages (Kernel + 0x50 KProcesses, matching the slab heap size) in .rodata.
*** Initialize1 now calls a new function prior to unmapping the identity mapping which allocates these pages from the InitialPageAllocator (using paddr lookup + the identity mapping to write to the read-only array in .rodata).
** KSleepSystemRegisters::Save no longer saves TTBR0_EL1; ::Restore sets ttbr0_el1 to g_Ttbr0Pages[0].
** KProcess::InitializeUser now checks that the KProcess is within the slabheap; the KProcess's slab heap index is now passed to KProcessPageTable::Initialize.
** KPageTable no longer has any globals to track ASID management; ASID is now just the KProcess's slab heap index + 1.
* KTargetSystem refactor:
** KTargetSystem is now located in .rodata, and no longer 4-byte aligns the bools.
** new .init_array function initializes all the KTargetSystem values in .rodata (before the region is write-protected) using values-from-smc.
** KSystemControl::Initialize() now sets new bool (g_HasKTargetSystem) to true.
*** Instead of setting values, KSystemControl now does ABORT_UNLESS(value_from_smc == (g_HasKTargetSystem && g_KTargetSystem.value)) for all values.
*** This essentially just checks that the previous .init call worked as expected.
** All KTargetSystem::Is*() calls now return g_HasKTargetSystem && g_KTargetSystem.value instead of just returning g_KTargetSystem.value
*** Note: these are still fully inlined in all cases.
* KAddressSpaceInfo::GetBegin/GetSize now take in CreateProcess flags instead of bit-width.
* svc::WaitForAddress now supports a new ArbitrationType (ArbitrationType_WaitIfEqual64, value=3).
** svc::WaitForAddress's "value" parameter is now an int64_t, instead of an int32_t.
** When ArbitrationType_WaitIfEqual64 is passed, address is now checked for 8-byte alignment instead of 4-byte alignment, and 64-bit value is read/compared from userspace instead of 32-bit.
* New InfoType 0x22: "InfoType_TransferMemoryHint"
** This returns a hint for the transfer memory's process address.
** InfoType values 0x1D-0x21 are presumably ifdef'd out on NX.
* KProcess->max_process_memory is now set to GetHeapRegionSize() in all cases.
** Previously, this was GetHeapRegionSize() + GetAliasRegionSize() for processes with AddressSpace32BitWithoutAlias.
* The kernel now supports execute-only memory (--X).
** SetProcessMemoryPermission now supports MemoryPermission_Execute.
*** KPageTableBase::SetProcessMemoryPermission now acquires and immediately releases the scheduler lock prior to operating, if the Execute bit is set on the input permissions.
** KPageTable::GetEntryTemplate now checks for the MemoryPermission_Execute bit instead of checking directly against ReadExecute.
** HandleException now supports using supervisor-mode access to read the failing instruction on Unknown/IllegalState/Bkpt/Brk.
*** Supervisor-mode access is used only if user-access fails, KTargetSystem::IsDebugMode() returns true, pc is 4-byte aligned, and 0x200000 <= PC <= (1 << 39).
** HandleException now no longer forces processing when accessing MemoryState_Code without KMemoryPermission_UserRead.
* The way DebugFlags capabilities works was changed:
** Previously, bit0=AllowDebug, bit1=ForceDebug.
** Now, bit0=AllowDebug, bit1=ForceDebugProd, bit2=ForceDebug.
*** Processes may now only have one of the above bits set, previously both AllowDebug and ForceDebug were allowed simultaneously.
** New function requires KTargetSystem::IsDebugMode():
*** GetProcessList,
** Many functions now require (KTargetSystem::IsDebugMode() || GetCurrentProcess().IsForceDebugProd()):
*** DebugActiveProcess, GetDebugEvent, QueryDebugProcessMemory, ReadDebugMemory, GetThreadList, GetDebugThreadContext, GetDebugThreadParam,
** KDebug now has a member which tracks whether the owner process is ForceDebugProd.
** KDebugBase::Attach now requires !ForceDebugProd when attaching to a process in the Created/Running states.
*** Crashed may still be attached to when ForceDebugProd.
** KDebugBase::GetDebugEventInfo now always sets instruction = 0 when creating info for an UndefinedInstruction exception when ForceDebugProd.
** KDebugBase::(Read/Write)Memory no longer allow reading/writing Io memory when ForceDebugProd is set.
** KPageTableBase::(Read/Write)DebugMemory now check memory state differently:
*** Previously: either memory had to be UserRead/UserReadWrite (no state flags check) or KMemoryState_FlagCanDebug had to be set.
*** Now: memory has to be UserRead/UserReadWrite (no state flags check) or (memory has to be UserRead AND KMemoryState_FlagCanDebug has to be set) or (IsDebugMode() && !ForceDebugProd && memory has to have KernelRead|UserExecute bits && KMemoryState_FlagCanDebug has to be set)
**** This renders the original flag check completely pointless for ReadDebugMemory (but still allows writing to UserRead memory).
**** Memory which was previously readable despite not-user-read is no longer readable.
**** Execute-only memory is readable, but only when running under debug mode and using a KDebug created by a process which does not have ForceDebugProd set.
**** The ForceDebugProd check is not present for WriteDebugMemory.
** GetThreadList() no longer functions in non-debug mode even with ForceDebugProd
** KDebugBase::TerminateProcess no longer detaches from the target process.
* Changes relevant to debugging the kernel:
** EL1SynchronousExceptionHandler now infinite loops instead of calling HandleException.
** SupervisorModeThreadStarter now sets X30 to 0 + creates a stack frame + invokes the thread function with "BLR X1" instead of "BR X1".
*** This guarantees validity if walking kernel stack frames.
* KPageTable implementation was heavily rewritten.
** Too many changes to summarize here; the fundamental implementation is now based on iteration over levels using TraversalContext instead of separate per-level logic.
* KPageTableBase::SetupForIpcClient now validates that the unused (on nx) upper memory attribute bits are all unset.
* Many heavy K(Initial)PageTable changes, including:
** KInitialPageTable's table entries no longer have bit 58 (0x0400000000000000) set; previously this was used to indicate/determine whether a mapping was present even if the entry was NotMapped.
*** Bit0 (0x1) is now used to check for mapping existence again in many places.
** KPageTableImpl::InitializeForKernel now iterates over mappings created by KInitialPageTable, setting PageAttribute=#used entries for tables and setting bit 58 on blocks.
* KInterruptController::Finalize() now sets m_gicd and m_gicc to nullptr if core id == 0.

=== [[SSL_services|ssl]] ===
Besides IPC changes, a vuln was [[Switch_System_Flaws|fixed]].

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2024-10-08_00-00-37&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

19.0.0

2024-10-09T23:59:05Z

SciresM: Reverted edits by SciresM (talk) to last revision by Yellows8

The Switch 19.0.0 system update was released on October 8, 2024 (UTC). This Switch update was released for the following regions: CHN, and ALL.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware.
** Applets: qlaunch, auth, netConnect, LibAppletWeb, LibAppletShop, LibAppletOff, LibAppletLns, LibAppletAuth, "starter" application.

[[NPDM]] changes (besides usual version-bump):
* usb: Service access: removed set:fd.
* htc.stub: SVC access: removed SetHeapSize, MapMemory, UnmapMemory, ExitProcess, CreateThread, StartThread, ExitThread, SleepThread, SetThreadPriority, GetThreadCoreMask, SetThreadCoreMask, GetCurrentProcessorNumber, SignalEvent, MapSharedMemory, UnmapSharedMemory, CreateTransferMemory, CloseHandle, ResetSignal, CancelSynchronization, ArbitrateLock, ArbitrateUnlock, WaitProcessWideKeyAtomic, SignalProcessWideKey, GetSystemTick, SendSyncRequestLight, SendSyncRequestWithUserBuffer, SendAsyncRequestWithUserBuffer, GetProcessId, Break, OutputDebugString, ReturnFromException, WaitForAddress, SignalToAddress.
* bluetooth: Service access: removed set:fd.
* bcat: Service access: added ssl:s, removed ssl.
* friends: Service access: added ssl:s, removed set, ssl. SVC access: removed MapTransferMemory, UnmapTransferMemory.
* nifm: Service access: added ssl:s, removed ssl.
* ptm: Service access: removed set:fd. KernelCap HandleTableSize: removed HandleTableSize=0x100.
* bsdsocket: Service server access: removed bsdcfg.
* hid: Service access: removed set:fd.
* audio: Service access: removed set, set:cal.
* wlan: Service access: removed i2c.
* pcv: Service access: removed set:fd.
* account: Service access: added ssl:s, removed ssl.
* ns: Service access: added caps:dc.
* nfc: Service access: removed xcd:sys.
* capsrv: Service access: added acc:e:u1.
* erpt: Service access: added srepo:a, removed srepo:u.
* pctl: Service access: added ssl:s, removed ssl.
* npns: Service access: added ssl:s, removed ssl. SVC access: added MapTransferMemory, UnmapTransferMemory.
* eupld: Service access: added ssl:s, removed ssl.
* creport: SVC access: removed GetThreadList.
* migration: Service access: added hid, set, ssl:s, removed bsdcfg, ssl.
* olsc: Service access: added ssl:s, removed ssl.
* omm: Service access: removed irs:sys.
* qlaunch: Service access: added bsd:a, removed bsd:u.
* auth: Service access: added bsd:a, removed bsd:u.
* netConnect: Service access: added bsd:a, removed bsd:u.
* LibAppletWeb: Service access: added bsd:a, removed bsd:u.
* LibAppletShop: Service access: added bsd:a, removed bsd:u.
* LibAppletOff: Service access: added bsd:a, removed bsd:u.
* LibAppletLns: Service access: added bsd:a, removed bsd:u.
* LibAppletAuth: Service access: added bsd:a, removed bsd:u.

RomFs changes:
* [[SSL_services#CertStore|CertStore]]: "/ssl_TrustedCerts.Ounce.bdf" updated
* ErrorMessage: updated
* BrowserDll: "/buildinfo/buildinfo.dat" updated, "/nro/netfront/core_2/default/cfi_enabled/cairo_wkc.nro.lz4" updated, "/nro/netfront/core_2/default/cfi_enabled/libfont.nro.lz4" updated, "/nro/netfront/core_2/default/cfi_enabled/oss_wkc.nro.lz4" updated, "/nro/netfront/core_2/default/cfi_enabled/peer_wkc.nro.lz4" updated, "/nro/netfront/core_2/default/cfi_enabled/webkit_wkc.nro.lz4" updated
* Help: "/legallines.htdocs/index.html" updated
* NgWord: updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* TimeZoneBinary: updated
* [[System_Settings|FirmwareDebugSettings]]: All files updated.
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* NgWordT: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* auth applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* netConnect applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.
* "starter" application:
** "/lyt/": Various data updated.
** "/message/": Various data updated.

The SDK library version strings were removed from all titles. The "SDK MW+Nintendo+{...}" strings are no longer present. The used libraries/versions can therefore no longer be determined via checking these strings (unless there's other version-strings).

=== IPC Interface Changes ===
* Interface Changed: nn::sasbus::ISession
** Added: 4 - inbytes: 0x10, inhandles: [1], outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Removed: nn::news::detail::ipc::INewlyArrivedEventHolder
* Interface Removed: nn::news::detail::ipc::INewsDatabaseService
* Interface Added: nn::news::detail::ipc::IDeviceNewsDatabaseService
* Interface Added: nn::news::detail::ipc::INewArrivalEventHolder
* Interface Changed: nn::news::detail::ipc::INewsDataService
** Added: 1100 - inbytes: 0x18, outbytes: 0x0
* Interface Changed: nn::news::detail::ipc::INewsService
** Removed: 30400 - buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::news::detail::ipc::IServiceCreator
** Changed: 1 - outinterfaces: ['nn::news::detail::ipc::INewlyArrivedEventHolder'] -> ['nn::news::detail::ipc::INewArrivalEventHolder'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::news::detail::ipc::INewArrivalEventHolder'])
** Changed: 3 - outinterfaces: ['nn::news::detail::ipc::INewsDatabaseService'] -> ['nn::news::detail::ipc::IDeviceNewsDatabaseService'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::news::detail::ipc::IDeviceNewsDatabaseService'])
* Unknown Interface prev-version: 0x710007CD3C
* Unknown Interface cur-version: 0x71000844C0
* Interface Changed: nn::friends::detail::ipc::IFriendService
** Added: 20105 - buffer_entry_sizes: [0x200], buffers: [0x6], inbytes: 0x28, outbytes: 0x4
** Added: 20106 - buffer_entry_sizes: [0x200, 0x8], buffers: [0x6, 0x9], inbytes: 0x10, outbytes: 0x0
** Added: 20502 - buffer_entry_sizes: [0x4A8, 0x8], buffers: [0x6, 0x9], inbytes: 0x10, outbytes: 0x0
** Added: 20601 - buffer_entry_sizes: [0xE8], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
** Added: 20702 - buffer_entry_sizes: [0x100], buffers: [0x6], inbytes: 0x18, outbytes: 0x4
** Added: 20802 - buffer_entry_sizes: [0x800], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
** Added: 22002 - buffer_entry_sizes: [0x500], buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 22003 - buffer_entry_sizes: [0x1400], buffers: [0x16], inbytes: 0x18, outbytes: 0x0
** Added: 30501 - buffer_entry_sizes: [0x4A8], buffers: [0x1A], inbytes: 0x30, outbytes: 0x0
** Added: 30701 - buffer_entry_sizes: [0x40, 0x48, 0x48], buffers: [0x19, 0x19, 0x19], inbytes: 0x28, outbytes: 0x0
** Added: 30901 - buffer_entry_sizes: [0xC00, 0x8, 0x0], buffers: [0x15, 0x9, 0x5], inbytes: 0x30, outbytes: 0x0
** Added: 31000 - inbytes: 0x28, outbytes: 0x0, outinterfaces: ['nn::friends::detail::ipc::INotificationService']
* Interface Changed: nn::friends::detail::ipc::IServiceCreator
** Changed: 2 - outinterfaces: ['0x710007CD3C'] -> ['0x71000844C0'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000844C0'])
* Interface Removed: nn::fgm::sf::IRequest
* Interface Removed: nn::fgm::sf::ISession
* Interface Added: nn::fgm::IRequest
* Interface Added: nn::fgm::ISession
* Interface Changed: nn::psm::IPsmServer
** Added: 21 - inbytes: 0x0, outbytes: 0x4
** Added: 22 - inbytes: 0x0, outbytes: 0x1
** Added: 23 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::bsdsocket::cfg::ServerInterface
** Added: 24 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::hid::IHidDebugServer
** Added: 212 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
** Added: 253 - inbytes: 0x8, outbytes: 0x0
** Removed: 351 - inbytes: 0x0, outbytes: 0x4
** Removed: 352 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::hid::IHidServer
** Added: 22 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::hid::IHidSystemServer
** Removed: 214 - inbytes: 0x10, outbytes: 0x8
** Added: 216 - inbytes: 0x10, outbytes: 0x8
** Added: 217 - inbytes: 0x8, outbytes: 0x0, outhandles: [1, 1]
** Added: 218 - buffer_entry_sizes: [0x804], buffers: [0x32], inbytes: 0x8, outbytes: 0x0
** Added: 219 - inbytes: 0x10, outbytes: 0x0
** Added: 220 - inbytes: 0x8, outbytes: 0x0
** Added: 221 - inbytes: 0x30, outbytes: 0x0
** Added: 222 - buffer_entry_sizes: [0x3F4], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 223 - buffer_entry_sizes: [0x218], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffer_entry_sizes: [0x64], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 225 - inbytes: 0x10, outbytes: 0x0
** Added: 226 - buffer_entry_sizes: [0x118], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 227 - buffer_entry_sizes: [0x218], buffers: [0x31], inbytes: 0x8, outbytes: 0x0
** Added: 234 - inbytes: 0x8, outbytes: 0x8
** Added: 241 - inbytes: 0x8, outbytes: 0x1
** Added: 242 - inbytes: 0x10, outbytes: 0x0
** Added: 243 - inbytes: 0x8, outbytes: 0x1
** Added: 244 - inbytes: 0x10, outbytes: 0x0
** Added: 245 - inbytes: 0x8, outbytes: 0x20
** Added: 246 - inbytes: 0x8, outbytes: 0x0
** Added: 247 - inbytes: 0x10, outbytes: 0x0
** Added: 332 - inbytes: 0x8, outbytes: 0x4
** Added: 526 - inbytes: 0x0, outbytes: 0x1
** Removed: 543 - buffer_entry_sizes: [0x30], buffers: [0xA], inbytes: 0x0, outbytes: 0x8
** Added: 1420 - inbytes: 0x8, outbytes: 0xC
* Interface Changed: nn::xcd::detail::ISystemServer
** Removed: 0 - inbytes: 0x8, outbytes: 0x1
** Removed: 1 - inbytes: 0xC, outbytes: 0x0
** Removed: 2 - inbytes: 0x8, outbytes: 0x1
** Removed: 3 - inbytes: 0xC, outbytes: 0x0
** Removed: 4 - inbytes: 0x8, outbytes: 0x20
** Removed: 5 - inbytes: 0x8, outbytes: 0x0
** Removed: 6 - inbytes: 0xC, outbytes: 0x0
** Removed: 10 - inbytes: 0x8, outbytes: 0x0, outhandles: [1, 1]
** Removed: 11 - buffer_entry_sizes: [0x804], buffers: [0x32], inbytes: 0x8, outbytes: 0x0
** Removed: 12 - inbytes: 0x10, outbytes: 0x0
** Removed: 13 - inbytes: 0x8, outbytes: 0x0
** Removed: 14 - inbytes: 0x30, outbytes: 0x0
** Removed: 15 - buffer_entry_sizes: [0x3F4], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
** Removed: 16 - buffer_entry_sizes: [0x218], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
** Removed: 17 - buffer_entry_sizes: [0x64], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
** Removed: 18 - inbytes: 0xC, outbytes: 0x0
** Removed: 19 - buffer_entry_sizes: [0x118], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
** Removed: 20 - buffer_entry_sizes: [0x218], buffers: [0x19], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::audioctrl::detail::IAudioController
** Added: 5000 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::audioctrl::detail::IAudioController']
** Removed: 50000 - inbytes: 0x4, outbytes: 0x0
** Added: 50001 - inbytes: 0x4, outbytes: 0x0
** Added: 50003 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
** Added: 50004 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::wlan::detail::IPrivateWirelessCommunicationService
** Changed: 2 - buffer_entry_sizes: [0x1F8] -> [0x9A] (final state: buffer_entry_sizes: [0x9A], buffers: [0x19], inbytes: 0x4, outbytes: 0x0)
** Changed: 12 - buffer_entry_sizes: [0x84] -> [0x80] (final state: buffer_entry_sizes: [0x80], buffers: [0x19], inbytes: 0x0, outbytes: 0x32)
* Interface Changed: nn::wlan::detail::IWirelessCommunicationService
** Changed: 60 - buffer_entry_sizes: [0x1F8] -> [0x9A] (final state: buffer_entry_sizes: [0x9A], buffers: [0x19], inbytes: 0x0, outbytes: 0x0)
** Changed: 90 - buffer_entry_sizes: [0x84] -> [0x80] (final state: buffer_entry_sizes: [0x80], buffers: [0x19], inbytes: 0x0, outbytes: 0x32)
** Changed: 100 - inbytes: 0x80 -> 0x7C (final state: inbytes: 0x7C, outbytes: 0x0)
** Added: 109 - inbytes: 0x8, outbytes: 0x0
** Added: 120 - inbytes: 0x0, outbytes: 0x18
** Added: 204 - buffers: [0x21], inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::ldn::detail::ISystemLocalCommunicationService
** Added: 404 - inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::ldn::detail::IUserLocalCommunicationService
** Added: 403 - inbytes: 0x4, outbytes: 0x0
* Unknown Interface prev-version: 0x7100005438
* Unknown Interface cur-version: 0x7100004EF0
* Interface Changed: nn::account::IAccountEntityServiceForAccountPolicy
** Added: 52 - inbytes: 0x8, outbytes: 0x10
** Added: 420 - buffer_entry_sizes: [0xD0], buffers: [0x19], inbytes: 0x10, outbytes: 0x0
** Added: 421 - buffer_entry_sizes: [0xD0], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountEntityServiceForApplication
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Added: 52 - inbytes: 0x8, outbytes: 0x10
** Added: 420 - buffer_entry_sizes: [0xD0], buffers: [0x19], inbytes: 0x10, outbytes: 0x0
** Added: 421 - buffer_entry_sizes: [0xD0], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForSystemService
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::IAccountServiceForSystemServiceWithProfileEditor
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::baas::IAdministrator
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 136 - buffer_entry_sizes: [0x270, 0x0], buffers: [0x1A, 0x6], inbytes: 0x0, outbytes: 0x8
** Added: 204 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 223 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::baas::IManagerForApplication
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IManagerForSystemService
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 136 - buffer_entry_sizes: [0x270, 0x0], buffers: [0x1A, 0x6], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::account::nas::IOAuthProcedureForExternalNsa
** Added: 1000 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::account::profile::IProfile
** Added: 40 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::profile::IProfileEditor
** Added: 40 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Added: 52 - inbytes: 0x8, outbytes: 0x10
** Added: 420 - buffer_entry_sizes: [0xD0], buffers: [0x19], inbytes: 0x10, outbytes: 0x0
** Added: 421 - buffer_entry_sizes: [0xD0], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForApplication
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::IAccountServiceForSystemService
** Added: 52 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::account::baas::IAdministrator
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 136 - buffer_entry_sizes: [0x270, 0x0], buffers: [0x1A, 0x6], inbytes: 0x0, outbytes: 0x8
** Added: 204 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** Added: 223 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::baas::IManagerForApplication
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IManagerForSystemService
** Added: 4 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 136 - buffer_entry_sizes: [0x270, 0x0], buffers: [0x1A, 0x6], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::account::nas::IOAuthProcedureForExternalNsa
** Added: 1000 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::account::profile::IProfile
** Added: 40 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::profile::IProfileEditor
** Added: 40 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Changed: 94 - inbytes: 0x58 -> 0x88 (final state: inbytes: 0x88, outbytes: 0x8)
** Changed: 95 - outbytes: 0x50 -> 0x80 (final state: inbytes: 0x8, outbytes: 0x80)
** Changed: 96 - outbytes: 0x50 -> 0x80 (final state: inbytes: 0x8, outbytes: 0x80)
** Changed: 97 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x1)
** Removed: 406 - buffer_entry_sizes: [0x4000], buffers: [0x16], inbytes: 0x58, outbytes: 0x0
** Added: 411 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 412 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 413 - inbytes: 0x1, outbytes: 0x4
** Added: 414 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x1, outbytes: 0x4
** Added: 415 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x10, inhandles: [1], outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** Added: 416 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 417 - inbytes: 0x1, outbytes: 0x0
** Added: 418 - inbytes: 0x10, outbytes: 0x0
** Added: 419 - inbytes: 0x10, outbytes: 0x0
** Added: 420 - buffer_entry_sizes: [0x18], buffers: [0x5], inbytes: 0x20, outbytes: 0x0
** Added: 511 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 512 - inbytes: 0x0, outbytes: 0x1
** Changed: 1802 - buffer_entry_sizes: [0x90] -> [0x98] (final state: buffer_entry_sizes: [0x98], buffers: [0x6], inbytes: 0x0, outbytes: 0x4)
** Changed: 1803 - buffer_entry_sizes: [0xB0] -> [0xB8] (final state: buffer_entry_sizes: [0xB8], buffers: [0x6], inbytes: 0x0, outbytes: 0x4)
** Added: 2360 - inbytes: 0x0, outbytes: 0x4
** Added: 2361 - inbytes: 0x0, outbytes: 0x4
** Changed: 2513 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x8)
** Changed: 2517 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x8)
** Added: 2524 - buffer_entry_sizes: [0x300], buffers: [0x16], inbytes: 0x10, outbytes: 0x10
* Interface Changed: nn::ns::detail::IDevelopInterface
** Changed: 17 - outbytes: 0x50 -> 0x80 (final state: buffers: [0x5], inbytes: 0x4, outbytes: 0x80)
** Changed: 18 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x0, outhandles: [1])
** Changed: 19 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x0)
** Changed: 21 - outbytes: 0x50 -> 0x80 (final state: inbytes: 0x10, outbytes: 0x80)
** Changed: 22 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x8)
** Changed: 23 - inbytes: 0x50 -> 0x80 (final state: inbytes: 0x80, outbytes: 0x8)
* Interface Changed: nn::ns::detail::IDocumentInterface
** Added: 2524 - buffer_entry_sizes: [0x300], buffers: [0x16], inbytes: 0x10, outbytes: 0x10
* Interface Changed: nn::ns::detail::IReadOnlyApplicationControlDataInterface
** Added: 5 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
** Added: 6 - buffers: [0x6], inbytes: 0x10, outbytes: 0x8
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 5 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 13 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 13002 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::timesrv::detail::service::IStaticService
** Added: 600 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::timesrv::detail::service::ITimeServiceManager
** Added: 20 - inbytes: 0x0, outbytes: 0x18
* Interface Changed: nn::capsrv::sf::IAlbumAccessorService
** Added: 8022 - buffer_entry_sizes: [0x20, 0x10], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x8
** Added: 50001 - buffers: [0x6], inbytes: 0x18, outbytes: 0x0
** Added: 50011 - inbytes: 0x0, outbytes: 0x4
** Added: 50012 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::capsrv::sf::IAlbumAccessorSession
** Added: 2009 - inbytes: 0x8, outbytes: 0x10
* Interface Changed: nn::capsrv::sf::IAlbumControlService
** Changed: 2011 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** Changed: 2012 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** Changed: 2013 - outbytes: 0x8 -> 0x10 (final state: inbytes: 0x8, outbytes: 0x10)
** Changed: 2101 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x18)
** Added: 2103 - buffer_entry_sizes: [0x200, 0x88], buffers: [0x16, 0x15], inbytes: 0x8, outbytes: 0x0
** Added: 2104 - buffer_entry_sizes: [0x200], buffers: [0x16], inbytes: 0x20, outbytes: 0x0
** Added: 2401 - buffer_entry_sizes: [0x400], buffers: [0x16], inbytes: 0x18, outbytes: 0x0
** Added: 2501 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::capsrv::sf::IAlbumControlSession
** Added: 2009 - inbytes: 0x8, outbytes: 0x10
* Interface Added: nn::am::service::IApplicationObserver
* Interface Added: nn::am::service::IMovieWriter
* Interface Added: nn::am::service::ISystemProcessCommonFunctions
* Interface Added: nn::grcsrv::IMovieWriter
* Interface Changed: nn::am::service::IAllSystemAppletProxiesService
** Added: 450 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::am::service::ISystemProcessCommonFunctions']
* Interface Changed: nn::am::service::IAppletCommonFunctions
** Added: 310 - inbytes: 0x0, outbytes: 0x1
** Added: 320 - inbytes: 0x8, outbytes: 0x0
** Added: 321 - inbytes: 0x8, outbytes: 0x0
** Added: 330 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::am::service::IApplicationFunctions
** Added: 300 - inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::am::service::IMovieWriter']
* Interface Changed: nn::am::service::ICommonStateGetter
** Added: 15 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Removed: 600 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::am::service::IStorageChannel']
** Added: 1000 - inbytes: 0x0, outbytes: 0x0
** Added: 1001 - inbytes: 0x0, outbytes: 0x0
** Added: 1002 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::am::service::IDebugFunctions
** Changed: 31 - inbytes: 0x58 -> 0x88 (final state: buffer_entry_sizes: [0x10, 0x0], buffers: [0x5, 0x5], inbytes: 0x88, outbytes: 0x0)
* Interface Changed: nn::am::service::IHomeMenuFunctions
** Added: 60 - inbytes: 0x0, outbytes: 0x0
** Added: 61 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::am::service::ILibraryAppletAccessor
** Added: 80 - inbytes: 0x0, outbytes: 0x0
** Added: 81 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::am::service::IAppletAccessor']
* Interface Changed: nn::am::service::IOverlayFunctions
** Added: 50 - inbytes: 0x8, outbytes: 0x0
** Added: 60 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::am::service::ISelfController
** Added: 22 - inbytes: 0x0, outbytes: 0x1
** Added: 23 - inbytes: 0x0, outbytes: 0x1
** Added: 24 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::grcsrv::IGameMovieTrimmer
** Added: 21 - buffers: [0x45], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::ssl::sf::ISslServiceForSystem
** Changed: 103 - inbytes: 0x0 -> 0x4 (final state: buffers: [0x5, 0x5, 0x5], inbytes: 0x4, outbytes: 0x0)
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 150 - buffer_entry_sizes: [0x300], buffers: [0x16], inbytes: 0x20, outbytes: 0x0
* Interface Changed: nn::erpt::sf::IContext
** Changed: 2 - inbytes: 0x18 -> 0x20 (final state: inbytes: 0x20, outbytes: 0x0)
* Interface Changed: nn::capsrv::sf::IScreenShotControlService
** Changed: 1004 - inbytes: 0x68 -> 0x70 (final state: buffer_entry_sizes: [0x404, 0x88], buffers: [0x15, 0x15], inbytes: 0x70, outbytes: 0x0)
** Changed: 1106 - inbytes: 0x68 -> 0x78 (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x46, 0x46], inbytes: 0x78, outbytes: 0x18)
** Changed: 1107 - inbytes: 0x68 -> 0x78 (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x45], inbytes: 0x78, outbytes: 0x18)
** Changed: 1108 - inbytes: 0x70 -> 0x80 (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0], buffers: [0x15, 0x15, 0x15, 0x6], inbytes: 0x80, outbytes: 0x18)
** Added: 1109 - buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x45, 0x45], inbytes: 0x78, outbytes: 0x18
** Added: 1110 - buffers: [0x6, 0x45, 0x6], inbytes: 0x8, outbytes: 0x8
** Added: 1111 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x46, 0x46], inbytes: 0x80, outbytes: 0x18
** Added: 1112 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x45], inbytes: 0x80, outbytes: 0x18
** Added: 1113 - buffer_entry_sizes: [0x400, 0x404, 0x0], buffers: [0x15, 0x15, 0x6], inbytes: 0x88, outbytes: 0x18
** Added: 1114 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x45, 0x45], inbytes: 0x80, outbytes: 0x18
* Interface Changed: nn::capsrv::sf::IScreenShotService
** Changed: 1000 - inbytes: 0x68 -> 0x70 (final state: buffer_entry_sizes: [0x88, 0x400], buffers: [0x15, 0x15], inbytes: 0x70, outbytes: 0x20)
* Interface Changed: nn::dp2hdmi::detail::IDp2hdmiController
** Removed: 7 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::pctl::detail::ipc::IParentalControlService
** Added: 2017 - inbytes: 0x20, outbytes: 0x8, outhandles: [1]
** Added: 2019 - inbytes: 0x0, outbytes: 0x0
* Interface Added: nn::npns::IFuture
* Interface Added: nn::npns::ISubscriptionUpdateNotifier
* Interface Changed: nn::npns::INpnsSystem
** Added: 17 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::ISubscriptionUpdateNotifier']
** Added: 60 - buffer_entry_sizes: [0x298], buffers: [0x15], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 61 - inbytes: 0x0, outbytes: 0x1
** Added: 141 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 142 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 143 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 144 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
** Added: 145 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::npns::IFuture']
* Interface Changed: nn::arp::detail::IRegistrar
** Removed: 2 - buffer_entry_sizes: [0x4000], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::arp::detail::IWriter
** Added: 4 - buffer_entry_sizes: [0x4000], buffers: [0x15], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::timesrv::detail::service::IStaticService
** Added: 600 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::es::IETicketService
** Changed: 1027 - buffer_entry_sizes: [0x10, 0x0] -> [0x10, 0x8, 0x0], buffers: [0x6, 0x5] -> [0x6, 0x5, 0x5], inbytes: 0x10 -> 0x8 (final state: buffer_entry_sizes: [0x10, 0x8, 0x0], buffers: [0x6, 0x5, 0x5], inbytes: 0x8, outbytes: 0x4)
** Added: 1029 - buffer_entry_sizes: [0x18, 0x8, 0x0], buffers: [0x6, 0x5, 0x5], inbytes: 0x10, outbytes: 0x4
* Interface Added: nn::grcsrv::IMovieWriter
* Interface Changed: nn::grcsrv::IGameMovieTrimmer
** Added: 21 - buffers: [0x45], inbytes: 0x8, outbytes: 0x0
* Interface Changed: nn::grcsrv::IGrcService
** Added: 110 - inbytes: 0x20, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::grcsrv::IMovieWriter']
* Interface Changed: nn::mii::detail::IDatabaseService
** Added: 27 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::mii::detail::IImageDatabaseService
** Added: 18 - buffers: [0x5], inbytes: 0x3A, outbytes: 0x0
* Interface Changed: nn::migration::savedata::IClient
** Added: 510 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::savedata::IServer
** Added: 510 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::migration::detail::IAsyncContext']
* Interface Changed: nn::migration::user::IService
** Added: 0 - inbytes: 0x0, outbytes: 0x2
* Interface Changed: nn::olsc::srv::IOlscServiceForSystemService
** Changed: 907 - inbytes: 0x70 -> 0x78 (final state: inbytes: 0x78, outbytes: 0x0)
* Interface Changed: nn::omm::detail::IOperationModeManager
** Added: 29 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
* Interface Changed: nn::omm::srv::IDisplayLayerControl
** Changed: 610 - buffer_entry_sizes: [0x4C8] -> [0x4D0] (final state: buffer_entry_sizes: [0x4D0], buffers: [0x15], inbytes: 0x0, outbytes: 0x0)
** Changed: 611 - buffer_entry_sizes: [0x4C8] -> [0x4D0] (final state: buffer_entry_sizes: [0x4D0], buffers: [0x15], inbytes: 0x0, outbytes: 0x0)
** Changed: 612 - buffer_entry_sizes: [0x4C8] -> [0x4D0] (final state: buffer_entry_sizes: [0x4D0], buffers: [0x15], inbytes: 0x0, outbytes: 0x0)
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Changed: 206 - outbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x8)
** Added: 223 - inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffers: [0x6], inbytes: 0x10, outbytes: 0x2
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 503 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
** Added: 632 - inbytes: 0x20, outbytes: 0x0
** Added: 820 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - buffer_entry_sizes: [0x400] -> [0x410] (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0)
* Interface Changed: nn::pm::detail::IBootModeInterface
** Added: 2 - inbytes: 0x0, outbytes: 0x4
** Added: 3 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::pm::detail::IShellInterface
** Added: 12 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::sasbus::ISession
** Added: 4 - inbytes: 0x10, inhandles: [1], outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Changed: 206 - outbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x8)
** Added: 223 - inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffers: [0x6], inbytes: 0x10, outbytes: 0x2
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 503 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
** Added: 632 - inbytes: 0x20, outbytes: 0x0
** Added: 820 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - buffer_entry_sizes: [0x400] -> [0x410] (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0)
* Interface Changed: nn::pm::detail::IBootModeInterface
** Added: 2 - inbytes: 0x0, outbytes: 0x4
** Added: 3 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::pm::detail::IShellInterface
** Added: 12 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 5 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 13 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 13002 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::timesrv::detail::service::IStaticService
** Added: 600 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::timesrv::detail::service::ITimeServiceManager
** Added: 20 - inbytes: 0x0, outbytes: 0x18
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Changed: 206 - outbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x8)
** Added: 223 - inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffers: [0x6], inbytes: 0x10, outbytes: 0x2
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 503 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
** Added: 632 - inbytes: 0x20, outbytes: 0x0
** Added: 820 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - buffer_entry_sizes: [0x400] -> [0x410] (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0)
* Interface Changed: nn::pm::detail::IBootModeInterface
** Added: 2 - inbytes: 0x0, outbytes: 0x4
** Added: 3 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::pm::detail::IShellInterface
** Added: 12 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::sasbus::ISession
** Added: 4 - inbytes: 0x10, inhandles: [1], outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Changed: 206 - outbytes: 0x0 -> 0x8 (final state: buffers: [0x6], inbytes: 0x10, outbytes: 0x8)
** Added: 223 - inbytes: 0x8, outbytes: 0x0
** Added: 224 - buffers: [0x6], inbytes: 0x10, outbytes: 0x2
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 29 - inbytes: 0x0, outbytes: 0x1
** Added: 503 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IEventNotifier']
** Added: 632 - inbytes: 0x20, outbytes: 0x0
** Added: 820 - inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::ldr::detail::IProcessManagerInterface
** Changed: 1 - buffer_entry_sizes: [0x400] -> [0x410] (final state: buffer_entry_sizes: [0x410], buffers: [0x1A], inbytes: 0x10, outbytes: 0x0)
* Interface Changed: nn::pm::detail::IBootModeInterface
** Added: 2 - inbytes: 0x0, outbytes: 0x4
** Added: 3 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::pm::detail::IShellInterface
** Added: 12 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 5 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Added: 13 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::srepo::detail::ipc::ISrepoService
** Added: 13002 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::timesrv::detail::service::IStaticService
** Added: 600 - inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::timesrv::detail::service::ITimeServiceManager
** Added: 20 - inbytes: 0x0, outbytes: 0x18

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_12 (previously master_key_11). See [[NCA]] for the KeyGeneration listing.

The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].

=== [[SSL_services|ssl]] ===
Besides IPC changes, a vuln was [[Switch_System_Flaws|fixed]].

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2024-10-08_00-00-37&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

19.0.0

2024-10-09T15:39:00Z

SciresM: Add kernel diff

Error Report services

2024-03-29T07:23:10Z

SciresM: fix new firleids

= erpt:c =
This is "nn::erpt::sf::IContext".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#SubmitContext]]
|-
| 1 || [[#CreateReportV0]]
|-
| 2 || [3.0.0+] SetInitialLaunchSettingsCompletionTime
|-
| 3 || [3.0.0+] ClearInitialLaunchSettingsCompletionTime
|-
| 4 || [3.0.0-11.0.1] UpdatePowerOnTime
|-
| 5 || [3.0.0-11.0.1] UpdateAwakeTime
|-
| 6 || [5.0.0+] SubmitMultipleCategoryContext
|-
| 7 || [6.0.0+] UpdateApplicationLaunchTime
|-
| 8 || [6.0.0+] ClearApplicationLaunchTime
|-
| 9 || [8.0.0+] SubmitAttachment
|-
| 10 || [8.0.0+] [[#CreateReportWithAttachments]]
|-
| 11 || [17.0.0+] CreateReportV1 ([11.0.0-16.1.0] CreateReport)
|-
| 12 || [17.0.0+] CreateReport
|-
| 20 || [12.0.0+] RegisterRunningApplet
|-
| 21 || [12.0.0+] UnregisterRunningApplet
|-
| 22 || [12.0.0+] UpdateAppletSuspendedDuration
|-
| 30 || [12.0.0+] InvalidateForcedShutdownDetection
|}

== SubmitContext ==
Takes two type-0x5 input buffers [[#ContextEntry]] and '''FieldList'''. No output.

== CreateReportV0 ==
Takes an u32 '''ReportType''' and 3 type-0x5 input buffers [[#ContextEntry]], '''ReportList''' and '''ReportMetaData'''. No output.

== CreateReportWithAttachments ==
Takes an u32 '''ReportType''' and 3 type-0x5 input buffers. No output.

[11.0.0+] Now takes an additional u32.

[17.0.0+] Now takes an additional [[#CreateReportOptionFlag]].

= erpt:r =
This is "nn::erpt::sf::ISession".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || OpenReport
|-
| 1 || OpenManager
|-
| 2 || [8.0.0+] OpenAttachment
|}

== IReport ==
This is "nn::erpt::sf::IReport".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || Open
|-
| 1 || Read
|-
| 2 || SetFlags
|-
| 3 || GetFlags
|-
| 4 || Close
|-
| 5 || GetSize
|}

== IManager ==
This is "nn::erpt::sf::IManager".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || GetReportList
|-
| 1 || GetEvent
|-
| 2 || [4.0.0+] CleanupReports
|-
| 3 || [5.0.0+] DeleteReport
|-
| 4 || [5.0.0+] GetStorageUsageStatistics
|-
| 5 || [8.0.0+] GetAttachmentList
|}

== IAttachment ==
This is "nn::erpt::sf::IAttachment".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || Open
|-
| 1 || Read
|-
| 2 || SetFlags
|-
| 3 || GetFlags
|-
| 4 || Close
|-
| 5 || GetSize
|}

= sprof:bg, sprof:sp =
These are "nn::sprofile::srv::IServiceGetter".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#OpenSprofileServiceForSystemProcess]]
|-
| 1 || [[#OpenSprofileServiceForBgAgent]]
|}

== OpenSprofileServiceForSystemProcess ==
No input. Returns an [[#ISprofileServiceForSystemProcess]].

== OpenSprofileServiceForBgAgent ==
No input. Returns an [[#ISprofileServiceForBgAgent]].

== ISprofileServiceForBgAgent ==
This is "nn::sprofile::srv::ISprofileServiceForBgAgent".

This was added with [13.0.0+].

This was moved from its own service "sprof:bg" with [14.0.0+].

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 100 || [[#OpenProfileImporter]]
|-
| 200 || ReadMetadata
|-
| 201 || IsUpdateNeeded
|-
| 2000 || Reset
|}

=== OpenProfileImporter ===
No input. Returns an [[#IProfileImporter]].

=== IProfileImporter ===
This is "nn::sprofile::srv::IProfileImporter".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || ImportData
|-
| 1 || Commit
|-
| 2 || ImportMetadata
|}

== ISprofileServiceForSystemProcess ==
This is "nn::sprofile::srv::ISprofileServiceForSystemProcess".

This was added with [13.0.0+].

This was moved from its own service "sprof:sp" with [14.0.0+].

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 100 || [[#OpenProfileReader]]
|-
| 101 || [[#OpenProfileUpdateObserver]]
|-
| 900 || [[#OpenProfileControllerForDebug]]
|}

=== OpenProfileReader ===
No input. Returns an [[#IProfileReader]].

=== OpenProfileUpdateObserver ===
No input. Returns an [[#IProfileUpdateObserver]].

=== OpenProfileControllerForDebug ===
No input. Returns an [[#IProfileControllerForDebug]].

=== IProfileReader ===
This is "nn::sprofile::srv::IProfileReader".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || GetSigned64
|-
| 1 || GetUnsigned64
|-
| 2 || GetSigned32
|-
| 3 || GetUnsigned32
|-
| 4 || GetByte
|}

=== IProfileUpdateObserver ===
This is "nn::sprofile::srv::IProfileUpdateObserver".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || Listen
|-
| 1 || Unlisten
|-
| 2 || GetEvent
|}

=== IProfileControllerForDebug ===
This is "nn::sprofile::srv::IProfileControllerForDebug".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 2000 || Reset
|-
| 2001 || GetRaw
|}

= ContextEntry =
This is "nn::erpt::ContextEntry". This is a 0x160-byte struct.

{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x4 || Version
|-
| 0x4 || 0x4 || FieldCount
|-
| 0x8 || 0x4 || CategoryId
|-
| 0xC || 0x144 || Array of FieldEntry
|-
| 0x150 || 0x8 || Pointer to a FieldList object
|-
| 0x158 || 0x4 || FieldList free count
|-
| 0x15C || 0x4 || FieldList total size
|}

= CreateReportOptionFlag =
This is "nn::erpt::CreateReportOptionFlag". This is a 32-bit flag.

= FieldId =
This is "nn::erpt::FieldId".

{| class=wikitable
|-
! Value || Name || Category || FieldType || FieldFlag
|-
| 0x0 || TestU64 || Test || NumericU64 || None
|-
| 0x1 || TestU32 || Test || NumericU32 || None
|-
| 0x2 || TestI64 || Test || NumericI64 || None
|-
| 0x3 || TestI32 || Test || NumericI32 || None
|-
| 0x4 || TestString || Test || String || None
|-
| 0x5 || TestU8Array || Test || U8Array || None
|-
| 0x6 || TestU32Array || Test || U32Array || None
|-
| 0x7 || TestU64Array || Test || U64Array || None
|-
| 0x8 || TestI32Array || Test || I32Array || None
|-
| 0x9 || TestI64Array || Test || I64Array || None
|-
| 0xA || ErrorCode || ErrorInfo || String || None
|-
| 0xB || ErrorDescription || ErrorInfo || String || None
|-
| 0xC || OccurrenceTimestamp || ErrorInfoAuto || NumericI64 || None
|-
| 0xD || ReportIdentifier || ErrorInfoAuto || String || None
|-
| 0xE || ConnectionStatus || ConnectionStatusInfo || String || None
|-
| 0xF || AccessPointSSID || AccessPointInfo || String || None
|-
| 0x10 || AccessPointSecurityType || AccessPointInfo || String || None
|-
| 0x11 || RadioStrength || RadioStrengthInfo || NumericU32 || None
|-
| 0x12 || NXMacAddress || NXMacAddressInfo || String || None
|-
| 0x13 || IPAddressAcquisitionMethod || NetworkInfo || NumericU32 || None
|-
| 0x14 || CurrentIPAddress || NetworkInfo || String || None
|-
| 0x15 || SubnetMask || NetworkInfo || String || None
|-
| 0x16 || GatewayIPAddress || NetworkInfo || String || None
|-
| 0x17 || DNSType || NetworkInfo || NumericU32 || None
|-
| 0x18 || PriorityDNSIPAddress || NetworkInfo || String || None
|-
| 0x19 || AlternateDNSIPAddress || NetworkInfo || String || None
|-
| 0x1A || UseProxyFlag || NetworkInfo || Bool || None
|-
| 0x1B || ProxyIPAddress || NetworkInfo || String || None
|-
| 0x1C || ProxyPort || NetworkInfo || NumericU32 || None
|-
| 0x1D || ProxyAutoAuthenticateFlag || NetworkInfo || Bool || None
|-
| 0x1E || MTU || NetworkInfo || NumericU32 || None
|-
| 0x1F || ConnectAutomaticallyFlag || NetworkInfo || Bool || None
|-
| 0x20 || UseStealthNetworkFlag || StealthNetworkInfo || Bool || None
|-
| 0x21 || LimitHighCapacityFlag || LimitHighCapacityInfo || Bool || None
|-
| 0x22 || NATType || NATTypeInfo || String || None
|-
| 0x23 || WirelessAPMacAddress || WirelessAPMacAddressInfo || String || None
|-
| 0x24 || GlobalIPAddress || GlobalIPAddressInfo || String || None
|-
| 0x25 || EnableWirelessInterfaceFlag || EnableWirelessInterfaceInfo || Bool || None
|-
| 0x26 || EnableWifiFlag || EnableWifiInfo || Bool || None
|-
| 0x27 || EnableBluetoothFlag || EnableBluetoothInfo || Bool || None
|-
| 0x28 || EnableNFCFlag || EnableNFCInfo || Bool || None
|-
| 0x29 || NintendoZoneSSIDListVersion || NintendoZoneSSIDListVersionInfo || String || None
|-
| 0x2A || LANAdapterMacAddress || LANAdapterMacAddressInfo || String || None
|-
| 0x2B || ApplicationID || ApplicationInfo || String || None
|-
| 0x2C || ApplicationTitle || ApplicationInfo || String || None
|-
| 0x2D || ApplicationVersion || ApplicationInfo || String || None
|-
| 0x2E || ApplicationStorageLocation || ApplicationInfo || String || None
|-
| 0x2F || DownloadContentType || OccurrenceInfo || String || None
|-
| 0x30 || InstallContentType || OccurrenceInfo || String || None
|-
| 0x31 || ConsoleStartingUpFlag || OccurrenceInfo || Bool || None
|-
| 0x32 || SystemStartingUpFlag || OccurrenceInfo || Bool || None
|-
| 0x33 || ConsoleFirstInitFlag || OccurrenceInfo || Bool || None
|-
| 0x34 || HomeMenuScreenDisplayedFlag || OccurrenceInfo || Bool || None
|-
| 0x35 || DataManagementScreenDisplayedFlag || OccurrenceInfo || Bool || None
|-
| 0x36 || ConnectionTestingFlag || OccurrenceInfo || Bool || None
|-
| 0x37 || ApplicationRunningFlag || OccurrenceInfo || Bool || None
|-
| 0x38 || DataCorruptionDetectedFlag || OccurrenceInfo || Bool || None
|-
| 0x39 || ProductModel || ProductModelInfo || String || None
|-
| 0x3A || CurrentLanguage || CurrentLanguageInfo || String || None
|-
| 0x3B || UseNetworkTimeProtocolFlag || UseNetworkTimeProtocolInfo || Bool || None
|-
| 0x3C || TimeZone || TimeZoneInfo || String || None
|-
| 0x3D || ControllerFirmware || ControllerFirmwareInfo || String || None
|-
| 0x3E || VideoOutputSetting || VideoOutputInfo || String || None
|-
| 0x3F || NANDFreeSpace || NANDFreeSpaceInfo || NumericU64 || None
|-
| 0x40 || SDCardFreeSpace || SDCardFreeSpaceInfo || NumericU64 || None
|-
| 0x41 || SerialNumber || ErrorInfoAuto || String || None
|-
| 0x42 || OsVersion || ErrorInfoAuto || String || None
|-
| 0x43 || ScreenBrightnessAutoAdjustFlag || ScreenBrightnessInfo || Bool || None
|-
| 0x44 || HdmiAudioOutputMode || AudioFormatInfo || String || None
|-
| 0x45 || SpeakerAudioOutputMode || AudioFormatInfo || String || None
|-
| 0x46 || HeadphoneAudioOutputMode || AudioFormatInfo || String || None
|-
| 0x47 || MuteOnHeadsetUnpluggedFlag || MuteOnHeadsetUnpluggedInfo || Bool || None
|-
| 0x48 || NumUserRegistered || NumUserRegisteredInfo || NumericI32 || None
|-
| 0x49 || StorageAutoOrganizeFlag || DataDeletionInfo || Bool || None
|-
| 0x4A || ControllerVibrationVolume || ControllerVibrationInfo || String || None
|-
| 0x4B || LockScreenFlag || LockScreenInfo || Bool || None
|-
| 0x4C || InternalBatteryLotNumber || InternalBatteryLotNumberInfo || String || None
|-
| 0x4D || LeftControllerSerialNumber || LeftControllerSerialNumberInfo || String || None
|-
| 0x4E || RightControllerSerialNumber || RightControllerSerialNumberInfo || String || None
|-
| 0x4F || NotifyInGameDownloadCompletionFlag || NotificationInfo || Bool || None
|-
| 0x50 || NotificationSoundFlag || NotificationInfo || Bool || None
|-
| 0x51 || TVResolutionSetting || TVInfo || String || None
|-
| 0x52 || RGBRangeSetting || TVInfo || String || None
|-
| 0x53 || ReduceScreenBurnFlag || TVInfo || Bool || None
|-
| 0x54 || TVAllowsCecFlag || TVInfo || Bool || None
|-
| 0x55 || HandheldModeTimeToScreenSleep || SleepInfo || String || None
|-
| 0x56 || ConsoleModeTimeToScreenSleep || SleepInfo || String || None
|-
| 0x57 || StopAutoSleepDuringContentPlayFlag || SleepInfo || Bool || None
|-
| 0x58 || LastConnectionTestDownloadSpeed || ConnectionInfo || NumericU32 || None
|-
| 0x59 || LastConnectionTestUploadSpeed || ConnectionInfo || NumericU32 || None
|-
| 0x5A || DEPRECATED_ServerFQDN || NetworkErrorInfo || String || None
|-
| 0x5B || HTTPRequestContents || NetworkErrorInfo || String || None
|-
| 0x5C || HTTPRequestResponseContents || NetworkErrorInfo || String || None
|-
| 0x5D || EdgeServerIPAddress || NetworkErrorInfo || String || None
|-
| 0x5E || CDNContentPath || NetworkErrorInfo || String || None
|-
| 0x5F || FileAccessPath || FileAccessPathInfo || String || None
|-
| 0x60 || GameCardCID || GameCardCIDInfo || U8Array || None
|-
| 0x61 || NANDCID || NANDCIDInfo || U8Array || None
|-
| 0x62 || MicroSDCID || MicroSDCIDInfo || U8Array || None
|-
| 0x63 || NANDSpeedMode || NANDSpeedModeInfo || String || None
|-
| 0x64 || MicroSDSpeedMode || MicroSDSpeedModeInfo || String || None
|-
| 0x65 || GameCardSpeedMode || GameCardSpeedModeInfo || String || None
|-
| 0x66 || UserAccountInternalID || UserAccountInternalIDInfo || String || None
|-
| 0x67 || NetworkServiceAccountInternalID || NetworkServiceAccountInternalIDInfo || String || None
|-
| 0x68 || NintendoAccountInternalID || NintendoAccountInternalIDInfo || String || None
|-
| 0x69 || USB3AvailableFlag || USB3AvailableInfo || Bool || None
|-
| 0x6A || CallStack || CallStackInfo || String || None
|-
| 0x6B || SystemStartupLog || SystemStartupLogInfo || String || None
|-
| 0x6C || RegionSetting || RegionSettingInfo || String || None
|-
| 0x6D || NintendoZoneConnectedFlag || NintendoZoneConnectedInfo || Bool || None
|-
| 0x6E || ForcedSleepHighTemperatureReading || ForceSleepInfo || NumericU32 || None
|-
| 0x6F || ForcedSleepFanSpeedReading || ForceSleepInfo || NumericU32 || None
|-
| 0x70 || ForcedSleepHWInfo || ForceSleepInfo || String || None
|-
| 0x71 || AbnormalPowerStateInfo || ChargerInfo || NumericU32 || None
|-
| 0x72 || ScreenBrightnessLevel || ScreenBrightnessInfo || String || None
|-
| 0x73 || ProgramId || ErrorInfo || String || None
|-
| 0x74 || AbortFlag || ErrorInfo || Bool || None
|-
| 0x75 || ReportVisibilityFlag || ErrorInfoAuto || Bool || None
|-
| 0x76 || FatalFlag || ErrorInfo || Bool || None
|-
| 0x77 || OccurrenceTimestampNet || ErrorInfoAuto || NumericI64 || None
|-
| 0x78 || ResultBacktrace || ErrorInfo || U32Array || None
|-
| 0x79 || GeneralRegisterAarch32 || ErrorInfo || U32Array || None
|-
| 0x7A || StackBacktrace32 || ErrorInfo || U32Array || None
|-
| 0x7B || ExceptionInfoAarch32 || ErrorInfo || U32Array || None
|-
| 0x7C || GeneralRegisterAarch64 || ErrorInfo || U64Array || None
|-
| 0x7D || ExceptionInfoAarch64 || ErrorInfo || U64Array || None
|-
| 0x7E || StackBacktrace64 || ErrorInfo || U64Array || None
|-
| 0x7F || RegisterSetFlag32 || ErrorInfo || NumericU32 || None
|-
| 0x80 || RegisterSetFlag64 || ErrorInfo || NumericU64 || None
|-
| 0x81 || ProgramMappedAddr32 || ErrorInfo || NumericU32 || None
|-
| 0x82 || ProgramMappedAddr64 || ErrorInfo || NumericU64 || None
|-
| 0x83 || AbortType || ErrorInfo || NumericU32 || None
|-
| 0x84 || PrivateOsVersion || ErrorInfoAuto || String || None
|-
| 0x85 || CurrentSystemPowerState || SystemPowerStateInfo || NumericU32 || None
|-
| 0x86 || PreviousSystemPowerState || SystemPowerStateInfo || NumericU32 || None
|-
| 0x87 || DestinationSystemPowerState || SystemPowerStateInfo || NumericU32 || None
|-
| 0x88 || PscTransitionCurrentState || ErrorInfo || NumericU32 || None
|-
| 0x89 || PscTransitionPreviousState || ErrorInfo || NumericU32 || None
|-
| 0x8A || PscInitializedList || ErrorInfo || U8Array || None
|-
| 0x8B || PscCurrentPmStateList || ErrorInfo || U32Array || None
|-
| 0x8C || PscNextPmStateList || ErrorInfo || U32Array || None
|-
| 0x8D || PerformanceMode || PerformanceInfo || NumericI32 || None
|-
| 0x8E || PerformanceConfiguration || PerformanceInfo || NumericU32 || None
|-
| 0x8F || Throttled || ThrottlingInfo || Bool || None
|-
| 0x90 || ThrottlingDuration || ThrottlingInfo || NumericI64 || None
|-
| 0x91 || ThrottlingTimestamp || ThrottlingInfo || NumericI64 || None
|-
| 0x92 || GameCardCrcErrorCount || GameCardErrorInfo || NumericU32 || None
|-
| 0x93 || GameCardAsicCrcErrorCount || GameCardErrorInfo || NumericU32 || None
|-
| 0x94 || GameCardRefreshCount || GameCardErrorInfo || NumericU32 || None
|-
| 0x95 || GameCardReadRetryCount || GameCardErrorInfo || NumericU32 || None
|-
| 0x96 || EdidBlock || EdidInfo || U8Array || None
|-
| 0x97 || EdidExtensionBlock || EdidInfo || U8Array || None
|-
| 0x98 || CreateProcessFailureFlag || ErrorInfo || Bool || None
|-
| 0x99 || TemperaturePcb || ThermalInfo || NumericI32 || None
|-
| 0x9A || TemperatureSoc || ThermalInfo || NumericI32 || None
|-
| 0x9B || CurrentFanDuty || ThermalInfo || NumericI32 || None
|-
| 0x9C || LastDvfsThresholdTripped || ThermalInfo || NumericI32 || None
|-
| 0x9D || CradlePdcHFwVersion || CradleFirmwareInfo || NumericU32 || None
|-
| 0x9E || CradlePdcAFwVersion || CradleFirmwareInfo || NumericU32 || None
|-
| 0x9F || CradleMcuFwVersion || CradleFirmwareInfo || NumericU32 || None
|-
| 0xA0 || CradleDp2HdmiFwVersion || CradleFirmwareInfo || NumericU32 || None
|-
| 0xA1 || RunningApplicationId || RunningApplicationInfo || String || None
|-
| 0xA2 || RunningApplicationTitle || RunningApplicationInfo || String || None
|-
| 0xA3 || RunningApplicationVersion || RunningApplicationInfo || String || None
|-
| 0xA4 || RunningApplicationStorageLocation || RunningApplicationInfo || String || None
|-
| 0xA5 || RunningAppletList || RunningAppletInfo || U64Array || None
|-
| 0xA6 || FocusedAppletHistory || FocusedAppletHistoryInfo || U64Array || None
|-
| 0xA7 || CompositorState || CompositorStateInfo || String || None
|-
| 0xA8 || CompositorLayerState || CompositorLayerInfo || String || None
|-
| 0xA9 || CompositorDisplayState || CompositorDisplayInfo || String || None
|-
| 0xAA || CompositorHWCState || CompositorHWCInfo || String || None
|-
| 0xAB || InputCurrentLimit || BatteryChargeInfo || NumericI32 || None
|-
| 0xAC || BoostModeCurrentLimit || BatteryChargeInfo || NumericI32 || None
|-
| 0xAD || FastChargeCurrentLimit || BatteryChargeInfo || NumericI32 || None
|-
| 0xAE || ChargeVoltageLimit || BatteryChargeInfo || NumericI32 || None
|-
| 0xAF || ChargeConfiguration || BatteryChargeInfo || NumericI32 || None
|-
| 0xB0 || HizMode || BatteryChargeInfo || Bool || None
|-
| 0xB1 || ChargeEnabled || BatteryChargeInfo || Bool || None
|-
| 0xB2 || PowerSupplyPath || BatteryChargeInfo || NumericI32 || None
|-
| 0xB3 || BatteryTemperature || BatteryChargeInfo || NumericI32 || None
|-
| 0xB4 || BatteryChargePercent || BatteryChargeInfo || NumericI32 || None
|-
| 0xB5 || BatteryChargeVoltage || BatteryChargeInfo || NumericI32 || None
|-
| 0xB6 || BatteryAge || BatteryChargeInfo || NumericI32 || None
|-
| 0xB7 || PowerRole || BatteryChargeInfo || NumericI32 || None
|-
| 0xB8 || PowerSupplyType || BatteryChargeInfo || NumericI32 || None
|-
| 0xB9 || PowerSupplyVoltage || BatteryChargeInfo || NumericI32 || None
|-
| 0xBA || PowerSupplyCurrent || BatteryChargeInfo || NumericI32 || None
|-
| 0xBB || FastBatteryChargingEnabled || BatteryChargeInfo || Bool || None
|-
| 0xBC || ControllerPowerSupplyAcquired || BatteryChargeInfo || Bool || None
|-
| 0xBD || OtgRequested || BatteryChargeInfo || Bool || None
|-
| 0xBE || NANDPreEolInfo || NANDExtendedCsd || NumericU32 || None
|-
| 0xBF || NANDDeviceLifeTimeEstTypA || NANDExtendedCsd || NumericU32 || None
|-
| 0xC0 || NANDDeviceLifeTimeEstTypB || NANDExtendedCsd || NumericU32 || None
|-
| 0xC1 || NANDPatrolCount || NANDPatrolInfo || NumericU32 || None
|-
| 0xC2 || NANDNumActivationFailures || NANDErrorInfo || NumericU32 || None
|-
| 0xC3 || NANDNumActivationErrorCorrections || NANDErrorInfo || NumericU32 || None
|-
| 0xC4 || NANDNumReadWriteFailures || NANDErrorInfo || NumericU32 || None
|-
| 0xC5 || NANDNumReadWriteErrorCorrections || NANDErrorInfo || NumericU32 || None
|-
| 0xC6 || NANDErrorLog || NANDDriverLog || String || None
|-
| 0xC7 || SdCardUserAreaSize || SdCardSizeSpec || NumericI64 || None
|-
| 0xC8 || SdCardProtectedAreaSize || SdCardSizeSpec || NumericI64 || None
|-
| 0xC9 || SdCardNumActivationFailures || SdCardErrorInfo || NumericU32 || None
|-
| 0xCA || SdCardNumActivationErrorCorrections || SdCardErrorInfo || NumericU32 || None
|-
| 0xCB || SdCardNumReadWriteFailures || SdCardErrorInfo || NumericU32 || None
|-
| 0xCC || SdCardNumReadWriteErrorCorrections || SdCardErrorInfo || NumericU32 || None
|-
| 0xCD || SdCardErrorLog || SdCardDriverLog || String || None
|-
| 0xCE || EncryptionKey || ErrorInfo || U8Array || None
|-
| 0xCF || EncryptedExceptionInfo || ErrorInfo || U8Array || None
|-
| 0xD0 || GameCardTimeoutRetryErrorCount || GameCardErrorInfo || NumericU32 || None
|-
| 0xD1 || FsRemountForDataCorruptCount || FsProxyErrorInfo || NumericU32 || None
|-
| 0xD2 || FsRemountForDataCorruptRetryOutCount || FsProxyErrorInfo || NumericU32 || None
|-
| 0xD3 || [3.0.0+] GameCardInsertionCount || GameCardErrorInfo || NumericU32 || None
|-
| 0xD4 || [3.0.0+] GameCardRemovalCount || GameCardErrorInfo || NumericU32 || None
|-
| 0xD5 || [3.0.0+] GameCardAsicInitializeCount || GameCardErrorInfo || NumericU32 || None
|-
| 0xD6 || [3.0.0+] TestU16 || Test || NumericU16 || None
|-
| 0xD7 || [3.0.0+] TestU8 || Test || NumericU8 || None
|-
| 0xD8 || [3.0.0+] TestI16 || Test || NumericI16 || None
|-
| 0xD9 || [3.0.0+] TestI8 || Test || NumericI8 || None
|-
| 0xDA || [3.0.0+] SystemAppletScene || SystemAppletSceneInfo || NumericU8 || None
|-
| 0xDB || [3.0.0+] CodecType || VideoInfo || NumericU32 || None
|-
| 0xDC || [3.0.0+] DecodeBuffers || VideoInfo || NumericU32 || None
|-
| 0xDD || [3.0.0+] FrameWidth || VideoInfo || NumericI32 || None
|-
| 0xDE || [3.0.0+] FrameHeight || VideoInfo || NumericI32 || None
|-
| 0xDF || [3.0.0+] ColorPrimaries || VideoInfo || NumericU8 || None
|-
| 0xE0 || [3.0.0+] TransferCharacteristics || VideoInfo || NumericU8 || None
|-
| 0xE1 || [3.0.0+] MatrixCoefficients || VideoInfo || NumericU8 || None
|-
| 0xE2 || [3.0.0+] DisplayWidth || VideoInfo || NumericI32 || None
|-
| 0xE3 || [3.0.0+] DisplayHeight || VideoInfo || NumericI32 || None
|-
| 0xE4 || [3.0.0+] DARWidth || VideoInfo || NumericI32 || None
|-
| 0xE5 || [3.0.0+] DARHeight || VideoInfo || NumericI32 || None
|-
| 0xE6 || [3.0.0+] ColorFormat || VideoInfo || NumericU32 || None
|-
| 0xE7 || [3.0.0+] ColorSpace || VideoInfo || String || None
|-
| 0xE8 || [3.0.0+] SurfaceLayout || VideoInfo || String || None
|-
| 0xE9 || [3.0.0+] BitStream || VideoInfo || U8Array || None
|-
| 0xEA || [3.0.0+] VideoDecState || VideoInfo || String || None
|-
| 0xEB || [3.0.0+] GpuErrorChannelId || GpuErrorInfo || NumericU32 || None
|-
| 0xEC || [3.0.0+] GpuErrorAruId || GpuErrorInfo || NumericU64 || None
|-
| 0xED || [3.0.0+] GpuErrorType || GpuErrorInfo || NumericU32 || None
|-
| 0xEE || [3.0.0+] GpuErrorFaultInfo || GpuErrorInfo || NumericU32 || None
|-
| 0xEF || [3.0.0+] GpuErrorWriteAccess || GpuErrorInfo || Bool || None
|-
| 0xF0 || [3.0.0+] GpuErrorFaultAddress || GpuErrorInfo || NumericU64 || None
|-
| 0xF1 || [3.0.0+] GpuErrorFaultUnit || GpuErrorInfo || NumericU32 || None
|-
| 0xF2 || [3.0.0+] GpuErrorFaultType || GpuErrorInfo || NumericU32 || None
|-
| 0xF3 || [3.0.0+] GpuErrorHwContextPointer || GpuErrorInfo || NumericU64 || None
|-
| 0xF4 || [3.0.0+] GpuErrorContextStatus || GpuErrorInfo || NumericU32 || None
|-
| 0xF5 || [3.0.0+] GpuErrorPbdmaIntr || GpuErrorInfo || NumericU32 || None
|-
| 0xF6 || [3.0.0+] GpuErrorPbdmaErrorType || GpuErrorInfo || NumericU32 || None
|-
| 0xF7 || [3.0.0+] GpuErrorPbdmaHeaderShadow || GpuErrorInfo || NumericU32 || None
|-
| 0xF8 || [3.0.0+] GpuErrorPbdmaHeader || GpuErrorInfo || NumericU32 || None
|-
| 0xF9 || [3.0.0+] GpuErrorPbdmaGpShadow0 || GpuErrorInfo || NumericU32 || None
|-
| 0xFA || [3.0.0+] GpuErrorPbdmaGpShadow1 || GpuErrorInfo || NumericU32 || None
|-
| 0xFB || [3.0.0+] AccessPointChannel || AccessPointInfo || NumericU16 || None
|-
| 0xFC || [3.0.0+] ThreadName || ErrorInfo || String || None
|-
| 0xFD || [3.0.0+] AdspExceptionRegisters || AdspErrorInfo || U32Array || None
|-
| 0xFE || [3.0.0+] AdspExceptionSpsr || AdspErrorInfo || NumericU32 || None
|-
| 0xFF || [3.0.0+] AdspExceptionProgramCounter || AdspErrorInfo || NumericU32 || None
|-
| 0x100 || [3.0.0+] AdspExceptionLinkRegister || AdspErrorInfo || NumericU32 || None
|-
| 0x101 || [3.0.0+] AdspExceptionStackPointer || AdspErrorInfo || NumericU32 || None
|-
| 0x102 || [3.0.0+] AdspExceptionArmModeRegisters || AdspErrorInfo || U32Array || None
|-
| 0x103 || [3.0.0+] AdspExceptionStackAddress || AdspErrorInfo || NumericU32 || None
|-
| 0x104 || [3.0.0+] AdspExceptionStackDump || AdspErrorInfo || U32Array || None
|-
| 0x105 || [3.0.0+] AdspExceptionReason || AdspErrorInfo || NumericU32 || None
|-
| 0x106 || [3.0.0+] OscillatorClock || PowerClockInfo || NumericU32 || None
|-
| 0x107 || [3.0.0+] CpuDvfsTableClocks || PowerClockInfo || U32Array || None
|-
| 0x108 || [3.0.0+] CpuDvfsTableVoltages || PowerClockInfo || I32Array || None
|-
| 0x109 || [3.0.0+] GpuDvfsTableClocks || PowerClockInfo || U32Array || None
|-
| 0x10A || [3.0.0+] GpuDvfsTableVoltages || PowerClockInfo || I32Array || None
|-
| 0x10B || [3.0.0+] EmcDvfsTableClocks || PowerClockInfo || U32Array || None
|-
| 0x10C || [3.0.0+] EmcDvfsTableVoltages || PowerClockInfo || I32Array || None
|-
| 0x10D || [3.0.0+] ModuleClockFrequencies || PowerClockInfo || U32Array || None
|-
| 0x10E || [3.0.0+] ModuleClockEnableFlags || PowerClockInfo || U8Array || None
|-
| 0x10F || [3.0.0+] ModulePowerEnableFlags || PowerClockInfo || U8Array || None
|-
| 0x110 || [3.0.0+] ModuleResetAssertFlags || PowerClockInfo || U8Array || None
|-
| 0x111 || [3.0.0+] ModuleMinimumVoltageClockRates || PowerClockInfo || U32Array || None
|-
| 0x112 || [3.0.0+] PowerDomainEnableFlags || PowerClockInfo || U8Array || None
|-
| 0x113 || [3.0.0+] PowerDomainVoltages || PowerClockInfo || I32Array || None
|-
| 0x114 || [3.0.0+] AccessPointRssi || RadioStrengthInfo || NumericI32 || None
|-
| 0x115 || [3.0.0+] FuseInfo || PowerClockInfo || U32Array || None
|-
| 0x116 || [3.0.0+] VideoLog || VideoInfo || String || None
|-
| 0x117 || [3.0.0+] GameCardDeviceId || GameCardCIDInfo || U8Array || None
|-
| 0x118 || [3.0.0+] GameCardAsicReinitializeCount || GameCardErrorInfo || NumericU16 || None
|-
| 0x119 || [3.0.0+] GameCardAsicReinitializeFailureCount || GameCardErrorInfo || NumericU16 || None
|-
| 0x11A || [3.0.0+] GameCardAsicReinitializeFailureDetail || GameCardErrorInfo || NumericU16 || None
|-
| 0x11B || [3.0.0+] GameCardRefreshSuccessCount || GameCardErrorInfo || NumericU16 || None
|-
| 0x11C || [3.0.0+] GameCardAwakenCount || GameCardErrorInfo || NumericU32 || None
|-
| 0x11D || [3.0.0+] GameCardAwakenFailureCount || GameCardErrorInfo || NumericU16 || None
|-
| 0x11E || [3.0.0+] GameCardReadCountFromInsert || GameCardErrorInfo || NumericU32 || None
|-
| 0x11F || [3.0.0+] GameCardReadCountFromAwaken || GameCardErrorInfo || NumericU32 || None
|-
| 0x120 || [3.0.0+] GameCardLastReadErrorPageAddress || GameCardErrorInfo || NumericU32 || None
|-
| 0x121 || [3.0.0+] GameCardLastReadErrorPageCount || GameCardErrorInfo || NumericU32 || None
|-
| 0x122 || [3.0.0+] AppletManagerContextTrace || ErrorInfo || I32Array || None
|-
| 0x123 || [3.0.0+] NvDispIsRegistered || NvDispDeviceInfo || Bool || None
|-
| 0x124 || [3.0.0+] NvDispIsSuspend || NvDispDeviceInfo || Bool || None
|-
| 0x125 || [3.0.0+] NvDispDC0SurfaceNum || NvDispDeviceInfo || I32Array || None
|-
| 0x126 || [3.0.0+] NvDispDC1SurfaceNum || NvDispDeviceInfo || I32Array || None
|-
| 0x127 || [3.0.0+] NvDispWindowSrcRectX || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x128 || [3.0.0+] NvDispWindowSrcRectY || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x129 || [3.0.0+] NvDispWindowSrcRectWidth || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x12A || [3.0.0+] NvDispWindowSrcRectHeight || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x12B || [3.0.0+] NvDispWindowDstRectX || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x12C || [3.0.0+] NvDispWindowDstRectY || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x12D || [3.0.0+] NvDispWindowDstRectWidth || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x12E || [3.0.0+] NvDispWindowDstRectHeight || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x12F || [3.0.0+] NvDispWindowIndex || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x130 || [3.0.0+] NvDispWindowBlendOperation || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x131 || [3.0.0+] NvDispWindowAlphaOperation || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x132 || [3.0.0+] NvDispWindowDepth || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x133 || [3.0.0+] NvDispWindowAlpha || NvDispDcWindowInfo || NumericU8 || None
|-
| 0x134 || [3.0.0+] NvDispWindowHFilter || NvDispDcWindowInfo || Bool || None
|-
| 0x135 || [3.0.0+] NvDispWindowVFilter || NvDispDcWindowInfo || Bool || None
|-
| 0x136 || [3.0.0+] NvDispWindowOptions || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x137 || [3.0.0+] NvDispWindowSyncPointId || NvDispDcWindowInfo || NumericU32 || None
|-
| 0x138 || [3.0.0+] NvDispDPSorPower || NvDispDpModeInfo || Bool || None
|-
| 0x139 || [3.0.0+] NvDispDPClkType || NvDispDpModeInfo || NumericU8 || None
|-
| 0x13A || [3.0.0+] NvDispDPEnable || NvDispDpModeInfo || NumericU32 || None
|-
| 0x13B || [3.0.0+] NvDispDPState || NvDispDpModeInfo || NumericU32 || None
|-
| 0x13C || [3.0.0+] NvDispDPEdid || NvDispDpModeInfo || U8Array || None
|-
| 0x13D || [3.0.0+] NvDispDPEdidSize || NvDispDpModeInfo || NumericU32 || None
|-
| 0x13E || [3.0.0+] NvDispDPEdidExtSize || NvDispDpModeInfo || NumericU32 || None
|-
| 0x13F || [3.0.0+] NvDispDPFakeMode || NvDispDpModeInfo || Bool || None
|-
| 0x140 || [3.0.0+] NvDispDPModeNumber || NvDispDpModeInfo || NumericU32 || None
|-
| 0x141 || [3.0.0+] NvDispDPPlugInOut || NvDispDpModeInfo || Bool || None
|-
| 0x142 || [3.0.0+] NvDispDPAuxIntHandler || NvDispDpModeInfo || Bool || None
|-
| 0x143 || [3.0.0+] NvDispDPForceMaxLinkBW || NvDispDpModeInfo || Bool || None
|-
| 0x144 || [3.0.0+] NvDispDPIsConnected || NvDispDpModeInfo || Bool || None
|-
| 0x145 || [3.0.0+] NvDispDPLinkValid || NvDispDpLinkSpec || Bool || None
|-
| 0x146 || [3.0.0+] NvDispDPLinkMaxBW || NvDispDpLinkSpec || NumericU8 || None
|-
| 0x147 || [3.0.0+] NvDispDPLinkMaxLaneCount || NvDispDpLinkSpec || NumericU8 || None
|-
| 0x148 || [3.0.0+] NvDispDPLinkDownSpread || NvDispDpLinkSpec || Bool || None
|-
| 0x149 || [3.0.0+] NvDispDPLinkSupportEnhancedFraming || NvDispDpLinkSpec || Bool || None
|-
| 0x14A || [3.0.0+] NvDispDPLinkBpp || NvDispDpLinkSpec || NumericU32 || None
|-
| 0x14B || [3.0.0+] NvDispDPLinkScaramberCap || NvDispDpLinkSpec || Bool || None
|-
| 0x14C || [3.0.0+] NvDispDPLinkBW || NvDispDpLinkStatus || NumericU8 || None
|-
| 0x14D || [3.0.0+] NvDispDPLinkLaneCount || NvDispDpLinkStatus || NumericU8 || None
|-
| 0x14E || [3.0.0+] NvDispDPLinkEnhancedFraming || NvDispDpLinkStatus || Bool || None
|-
| 0x14F || [3.0.0+] NvDispDPLinkScrambleEnable || NvDispDpLinkStatus || Bool || None
|-
| 0x150 || [3.0.0+] NvDispDPLinkActivePolarity || NvDispDpLinkStatus || NumericU32 || None
|-
| 0x151 || [3.0.0+] NvDispDPLinkActiveCount || NvDispDpLinkStatus || NumericU32 || None
|-
| 0x152 || [3.0.0+] NvDispDPLinkTUSize || NvDispDpLinkStatus || NumericU32 || None
|-
| 0x153 || [3.0.0+] NvDispDPLinkActiveFrac || NvDispDpLinkStatus || NumericU32 || None
|-
| 0x154 || [3.0.0+] NvDispDPLinkWatermark || NvDispDpLinkStatus || NumericU32 || None
|-
| 0x155 || [3.0.0+] NvDispDPLinkHBlank || NvDispDpLinkStatus || NumericU32 || None
|-
| 0x156 || [3.0.0+] NvDispDPLinkVBlank || NvDispDpLinkStatus || NumericU32 || None
|-
| 0x157 || [3.0.0+] NvDispDPLinkOnlyEnhancedFraming || NvDispDpLinkStatus || Bool || None
|-
| 0x158 || [3.0.0+] NvDispDPLinkOnlyEdpCap || NvDispDpLinkStatus || Bool || None
|-
| 0x159 || [3.0.0+] NvDispDPLinkSupportFastLT || NvDispDpLinkStatus || Bool || None
|-
| 0x15A || [3.0.0+] NvDispDPLinkLTDataValid || NvDispDpLinkStatus || Bool || None
|-
| 0x15B || [3.0.0+] NvDispDPLinkTsp3Support || NvDispDpLinkStatus || Bool || None
|-
| 0x15C || [3.0.0+] NvDispDPLinkAuxInterval || NvDispDpLinkStatus || NumericU8 || None
|-
| 0x15D || [3.0.0+] NvDispHdcpCreated || NvDispDpHdcpInfo || Bool || None
|-
| 0x15E || [3.0.0+] NvDispHdcpUserRequest || NvDispDpHdcpInfo || Bool || None
|-
| 0x15F || [3.0.0+] NvDispHdcpPlugged || NvDispDpHdcpInfo || Bool || None
|-
| 0x160 || [3.0.0+] NvDispHdcpState || NvDispDpHdcpInfo || NumericU32 || None
|-
| 0x161 || [3.0.0+] NvDispHdcpFailCount || NvDispDpHdcpInfo || NumericI32 || None
|-
| 0x162 || [3.0.0+] NvDispHdcpHdcp22 || NvDispDpHdcpInfo || NumericI8 || None
|-
| 0x163 || [3.0.0+] NvDispHdcpMaxRetry || NvDispDpHdcpInfo || NumericU8 || None
|-
| 0x164 || [3.0.0+] NvDispHdcpHpd || NvDispDpHdcpInfo || NumericU8 || None
|-
| 0x165 || [3.0.0+] NvDispHdcpRepeater || NvDispDpHdcpInfo || NumericU8 || None
|-
| 0x166 || [3.0.0+] NvDispCecRxBuf || NvDispDpAuxCecInfo || U8Array || None
|-
| 0x167 || [3.0.0+] NvDispCecRxLength || NvDispDpAuxCecInfo || NumericI32 || None
|-
| 0x168 || [3.0.0+] NvDispCecTxBuf || NvDispDpAuxCecInfo || U8Array || None
|-
| 0x169 || [3.0.0+] NvDispCecTxLength || NvDispDpAuxCecInfo || NumericI32 || None
|-
| 0x16A || [3.0.0+] NvDispCecTxRet || NvDispDpAuxCecInfo || NumericI32 || None
|-
| 0x16B || [3.0.0+] NvDispCecState || NvDispDpAuxCecInfo || NumericU32 || None
|-
| 0x16C || [3.0.0+] NvDispCecTxInfo || NvDispDpAuxCecInfo || NumericU8 || None
|-
| 0x16D || [3.0.0+] NvDispCecRxInfo || NvDispDpAuxCecInfo || NumericU8 || None
|-
| 0x16E || [3.0.0+] NvDispDCIndex || NvDispDcInfo || NumericU32 || None
|-
| 0x16F || [3.0.0+] NvDispDCInitialize || NvDispDcInfo || Bool || None
|-
| 0x170 || [3.0.0+] NvDispDCClock || NvDispDcInfo || Bool || None
|-
| 0x171 || [3.0.0+] NvDispDCFrequency || NvDispDcInfo || NumericU32 || None
|-
| 0x172 || [3.0.0+] NvDispDCFailed || NvDispDcInfo || Bool || None
|-
| 0x173 || [3.0.0+] NvDispDCModeWidth || NvDispDcInfo || NumericI32 || None
|-
| 0x174 || [3.0.0+] NvDispDCModeHeight || NvDispDcInfo || NumericI32 || None
|-
| 0x175 || [3.0.0+] NvDispDCModeBpp || NvDispDcInfo || NumericU32 || None
|-
| 0x176 || [3.0.0+] NvDispDCPanelFrequency || NvDispDcInfo || NumericU32 || None
|-
| 0x177 || [3.0.0+] NvDispDCWinDirty || NvDispDcInfo || NumericU32 || None
|-
| 0x178 || [3.0.0+] NvDispDCWinEnable || NvDispDcInfo || NumericU32 || None
|-
| 0x179 || [3.0.0+] NvDispDCVrr || NvDispDcInfo || Bool || None
|-
| 0x17A || [3.0.0+] NvDispDCPanelInitialize || NvDispDcInfo || Bool || None
|-
| 0x17B || [3.0.0+] NvDispDsiDataFormat || NvDispDsiInfo || NumericU32 || None
|-
| 0x17C || [3.0.0+] NvDispDsiVideoMode || NvDispDsiInfo || NumericU32 || None
|-
| 0x17D || [3.0.0+] NvDispDsiRefreshRate || NvDispDsiInfo || NumericU32 || None
|-
| 0x17E || [3.0.0+] NvDispDsiLpCmdModeFrequency || NvDispDsiInfo || NumericU32 || None
|-
| 0x17F || [3.0.0+] NvDispDsiHsCmdModeFrequency || NvDispDsiInfo || NumericU32 || None
|-
| 0x180 || [3.0.0+] NvDispDsiPanelResetTimeout || NvDispDsiInfo || NumericU32 || None
|-
| 0x181 || [3.0.0+] NvDispDsiPhyFrequency || NvDispDsiInfo || NumericU32 || None
|-
| 0x182 || [3.0.0+] NvDispDsiFrequency || NvDispDsiInfo || NumericU32 || None
|-
| 0x183 || [3.0.0+] NvDispDsiInstance || NvDispDsiInfo || NumericU32 || None
|-
| 0x184 || [3.0.0+] NvDispDcDsiHostCtrlEnable || NvDispDsiInfo || Bool || None
|-
| 0x185 || [3.0.0+] NvDispDcDsiInit || NvDispDsiInfo || Bool || None
|-
| 0x186 || [3.0.0+] NvDispDcDsiEnable || NvDispDsiInfo || Bool || None
|-
| 0x187 || [3.0.0+] NvDispDcDsiHsMode || NvDispDsiInfo || Bool || None
|-
| 0x188 || [3.0.0+] NvDispDcDsiVendorId || NvDispDsiInfo || U8Array || None
|-
| 0x189 || [3.0.0+] NvDispDcDsiLcdVendorNum || NvDispDsiInfo || NumericU8 || None
|-
| 0x18A || [3.0.0+] NvDispDcDsiHsClockControl || NvDispDsiInfo || NumericU32 || None
|-
| 0x18B || [3.0.0+] NvDispDcDsiEnableHsClockInLpMode || NvDispDsiInfo || Bool || None
|-
| 0x18C || [3.0.0+] NvDispDcDsiTeFrameUpdate || NvDispDsiInfo || Bool || None
|-
| 0x18D || [3.0.0+] NvDispDcDsiGangedType || NvDispDsiInfo || NumericU32 || None
|-
| 0x18E || [3.0.0+] NvDispDcDsiHbpInPktSeq || NvDispDsiInfo || Bool || None
|-
| 0x18F || [3.0.0+] NvDispErrID || NvDispErrIDInfo || NumericU32 || None
|-
| 0x190 || [3.0.0+] NvDispErrData0 || NvDispErrIDInfo || NumericU32 || None
|-
| 0x191 || [3.0.0+] NvDispErrData1 || NvDispErrIDInfo || NumericU32 || None
|-
| 0x192 || [3.0.0+] SdCardMountStatus || SdCardMountInfo || String || None
|-
| 0x193 || [3.0.0+] SdCardMountUnexpectedResult || SdCardMountInfo || String || None
|-
| 0x194 || [3.0.0+] NANDTotalSize || NANDFreeSpaceInfo || NumericU64 || None
|-
| 0x195 || [3.0.0+] SdCardTotalSize || SDCardFreeSpaceInfo || NumericU64 || None
|-
| 0x196 || [3.0.0+] ElapsedTimeSinceInitialLaunch || ErrorInfoAuto || NumericI64 || None
|-
| 0x197 || [3.0.0+] ElapsedTimeSincePowerOn || ErrorInfoAuto || NumericI64 || None
|-
| 0x198 || [3.0.0+] ElapsedTimeSinceLastAwake || ErrorInfoAuto || NumericI64 || None
|-
| 0x199 || [3.0.0+] OccurrenceTick || ErrorInfoAuto || NumericI64 || None
|-
| 0x19A || [3.0.0+] RetailInteractiveDisplayFlag || RetailInteractiveDisplayInfo || Bool || None
|-
| 0x19B || [3.0.0+] FatFsError || FsProxyErrorInfo || NumericI32 || None
|-
| 0x19C || [3.0.0+] FatFsExtraError || FsProxyErrorInfo || NumericI32 || None
|-
| 0x19D || [3.0.0+] FatFsErrorDrive || FsProxyErrorInfo || NumericI32 || None
|-
| 0x19E || [3.0.0+] FatFsErrorName || FsProxyErrorInfo || String || None
|-
| 0x19F || [3.0.0+] MonitorManufactureCode || MonitorCapability || String || None
|-
| 0x1A0 || [3.0.0+] MonitorProductCode || MonitorCapability || NumericU16 || None
|-
| 0x1A1 || [3.0.0+] MonitorSerialNumber || MonitorCapability || NumericU32 || None
|-
| 0x1A2 || [3.0.0+] MonitorManufactureYear || MonitorCapability || NumericI32 || None
|-
| 0x1A3 || [3.0.0+] PhysicalAddress || MonitorCapability || NumericU16 || None
|-
| 0x1A4 || [3.0.0+] Is4k60Hz || MonitorCapability || Bool || None
|-
| 0x1A5 || [3.0.0+] Is4k30Hz || MonitorCapability || Bool || None
|-
| 0x1A6 || [3.0.0+] Is1080P60Hz || MonitorCapability || Bool || None
|-
| 0x1A7 || [3.0.0+] Is720P60Hz || MonitorCapability || Bool || None
|-
| 0x1A8 || [3.0.0+] PcmChannelMax || MonitorCapability || NumericI32 || None
|-
| 0x1A9 || [3.0.0+] CrashReportHash || ErrorInfo || U8Array || None
|-
| 0x1AA || [3.0.0+] ErrorReportSharePermission || ErrorReportSharePermissionInfo || NumericU8 || None
|-
| 0x1AB || [3.0.0+] VideoCodecTypeEnum || MultimediaInfo || NumericI32 || None
|-
| 0x1AC || [3.0.0+] VideoBitRate || MultimediaInfo || NumericI32 || None
|-
| 0x1AD || [3.0.0+] VideoFrameRate || MultimediaInfo || NumericI32 || None
|-
| 0x1AE || [3.0.0+] VideoWidth || MultimediaInfo || NumericI32 || None
|-
| 0x1AF || [3.0.0+] VideoHeight || MultimediaInfo || NumericI32 || None
|-
| 0x1B0 || [3.0.0+] AudioCodecTypeEnum || MultimediaInfo || NumericI32 || None
|-
| 0x1B1 || [3.0.0+] AudioSampleRate || MultimediaInfo || NumericI32 || None
|-
| 0x1B2 || [3.0.0+] AudioChannelCount || MultimediaInfo || NumericI32 || None
|-
| 0x1B3 || [3.0.0+] AudioBitRate || MultimediaInfo || NumericI32 || None
|-
| 0x1B4 || [3.0.0+] MultimediaContainerType || MultimediaInfo || NumericI32 || None
|-
| 0x1B5 || [3.0.0+] MultimediaProfileType || MultimediaInfo || NumericI32 || None
|-
| 0x1B6 || [3.0.0+] MultimediaLevelType || MultimediaInfo || NumericI32 || None
|-
| 0x1B7 || [3.0.0+] MultimediaCacheSizeEnum || MultimediaInfo || NumericI32 || None
|-
| 0x1B8 || [3.0.0+] MultimediaErrorStatusEnum || MultimediaInfo || NumericI32 || None
|-
| 0x1B9 || [3.0.0+] MultimediaErrorLog || MultimediaInfo || U8Array || None
|-
| 0x1BA || [3.0.0+] ServerFqdn || ErrorInfo || String || None
|-
| 0x1BB || [3.0.0+] ServerIpAddress || ErrorInfo || String || None
|-
| 0x1BC || [3.0.0+] TestStringEncrypt || Test || String || Encrypt
|-
| 0x1BD || [3.0.0+] TestU8ArrayEncrypt || Test || U8Array || Encrypt
|-
| 0x1BE || [3.0.0+] TestU32ArrayEncrypt || Test || U32Array || Encrypt
|-
| 0x1BF || [3.0.0+] TestU64ArrayEncrypt || Test || U64Array || Encrypt
|-
| 0x1C0 || [3.0.0+] TestI32ArrayEncrypt || Test || I32Array || Encrypt
|-
| 0x1C1 || [3.0.0+] TestI64ArrayEncrypt || Test || I64Array || Encrypt
|-
| 0x1C2 || [3.0.0+] CipherKey || ErrorInfoAuto || U8Array || None
|-
| 0x1C3 || [3.0.0+] FileSystemPath || ErrorInfo || String || Encrypt
|-
| 0x1C4 || [3.0.0+] WebMediaPlayerOpenUrl || ErrorInfo || String || Encrypt
|-
| 0x1C5 || [3.0.0+] WebMediaPlayerLastSocketErrors || ErrorInfo || I32Array || None
|-
| 0x1C6 || [3.0.0+] UnknownControllerCount || ConnectedControllerInfo || NumericU8 || None
|-
| 0x1C7 || [3.0.0+] AttachedControllerCount || ConnectedControllerInfo || NumericU8 || None
|-
| 0x1C8 || [3.0.0+] BluetoothControllerCount || ConnectedControllerInfo || NumericU8 || None
|-
| 0x1C9 || [3.0.0+] UsbControllerCount || ConnectedControllerInfo || NumericU8 || None
|-
| 0x1CA || [3.0.0+] ControllerTypeList || ConnectedControllerInfo || U8Array || None
|-
| 0x1CB || [3.0.0+] ControllerInterfaceList || ConnectedControllerInfo || U8Array || None
|-
| 0x1CC || [3.0.0+] ControllerStyleList || ConnectedControllerInfo || U8Array || None
|-
| 0x1CD || [3.0.0+] FsPooledBufferPeakFreeSize || FsMemoryInfo || NumericU64 || None
|-
| 0x1CE || [3.0.0+] FsPooledBufferRetriedCount || FsMemoryInfo || NumericU64 || None
|-
| 0x1CF || [3.0.0+] FsPooledBufferReduceAllocationCount || FsMemoryInfo || NumericU64 || None
|-
| 0x1D0 || [3.0.0+] FsBufferManagerPeakFreeSize || FsMemoryInfo || NumericU64 || None
|-
| 0x1D1 || [3.0.0+] FsBufferManagerRetriedCount || FsMemoryInfo || NumericU64 || None
|-
| 0x1D2 || [3.0.0+] FsExpHeapPeakFreeSize || FsMemoryInfo || NumericU64 || None
|-
| 0x1D3 || [3.0.0+] FsBufferPoolPeakFreeSize || FsMemoryInfo || NumericU64 || None
|-
| 0x1D4 || [3.0.0+] FsPatrolReadAllocateBufferSuccessCount || FsMemoryInfo || NumericU64 || None
|-
| 0x1D5 || [3.0.0+] FsPatrolReadAllocateBufferFailureCount || FsMemoryInfo || NumericU64 || None
|-
| 0x1D6 || [5.0.0+] SteadyClockInternalOffset || ErrorInfoAuto || NumericI64 || None
|-
| 0x1D7 || [5.0.0+] SteadyClockCurrentTimePointValue || ErrorInfoAuto || NumericI64 || None
|-
| 0x1D8 || [5.0.0+] UserClockContextOffset || UserClockContextInfo || NumericI64 || None
|-
| 0x1D9 || [5.0.0+] UserClockContextTimeStampValue || UserClockContextInfo || NumericI64 || None
|-
| 0x1DA || [5.0.0+] NetworkClockContextOffset || NetworkClockContextInfo || NumericI64 || None
|-
| 0x1DB || [5.0.0+] NetworkClockContextTimeStampValue || NetworkClockContextInfo || NumericI64 || None
|-
| 0x1DC || [5.0.0+] SystemAbortFlag || ErrorInfo || Bool || None
|-
| 0x1DD || [5.0.0+] ApplicationAbortFlag || ErrorInfo || Bool || None
|-
| 0x1DE || [5.0.0+] NifmErrorCode || ConnectionStatusInfo || String || None
|-
| 0x1DF || [5.0.0+] LcsApplicationId || ErrorInfo || String || None
|-
| 0x1E0 || [5.0.0+] LcsContentMetaKeyIdList || ErrorInfo || U64Array || None
|-
| 0x1E1 || [5.0.0+] LcsContentMetaKeyVersionList || ErrorInfo || U32Array || None
|-
| 0x1E2 || [5.0.0+] LcsContentMetaKeyTypeList || ErrorInfo || U8Array || None
|-
| 0x1E3 || [5.0.0+] LcsContentMetaKeyInstallTypeList || ErrorInfo || U8Array || None
|-
| 0x1E4 || [5.0.0+] LcsSenderFlag || ErrorInfo || Bool || None
|-
| 0x1E5 || [5.0.0+] LcsApplicationRequestFlag || ErrorInfo || Bool || None
|-
| 0x1E6 || [5.0.0+] LcsHasExFatDriverFlag || ErrorInfo || Bool || None
|-
| 0x1E7 || [5.0.0+] LcsIpAddress || ErrorInfo || NumericU32 || None
|-
| 0x1E8 || [5.0.0+] AcpStartupUserAccount || [12.0.0+] AcpUserAccountSettingsInfo ([5.0.0-11.0.1] AcpGeneralSettingsInfo) || NumericU8 || None
|-
| 0x1E9 || [5.0.0+] AcpAocRegistrationType || AcpAocSettingsInfo || NumericU8 || None
|-
| 0x1EA || [5.0.0+] AcpAttributeFlag || AcpGeneralSettingsInfo || NumericU32 || None
|-
| 0x1EB || [5.0.0+] AcpSupportedLanguageFlag || AcpGeneralSettingsInfo || NumericU32 || None
|-
| 0x1EC || [5.0.0+] AcpParentalControlFlag || AcpGeneralSettingsInfo || NumericU32 || None
|-
| 0x1ED || [5.0.0+] AcpScreenShot || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x1EE || [5.0.0+] AcpVideoCapture || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x1EF || [5.0.0+] AcpDataLossConfirmation || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x1F0 || [5.0.0+] AcpPlayLogPolicy || AcpPlayLogSettingsInfo || NumericU8 || None
|-
| 0x1F1 || [5.0.0+] AcpPresenceGroupId || AcpGeneralSettingsInfo || NumericU64 || None
|-
| 0x1F2 || [5.0.0+] AcpRatingAge || AcpRatingSettingsInfo || I8Array || None
|-
| 0x1F3 || [5.0.0+] AcpAocBaseId || AcpAocSettingsInfo || NumericU64 || None
|-
| 0x1F4 || [5.0.0+] AcpSaveDataOwnerId || AcpStorageSettingsInfo || NumericU64 || None
|-
| 0x1F5 || [5.0.0+] AcpUserAccountSaveDataSize || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x1F6 || [5.0.0+] AcpUserAccountSaveDataJournalSize || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x1F7 || [5.0.0+] AcpDeviceSaveDataSize || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x1F8 || [5.0.0+] AcpDeviceSaveDataJournalSize || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x1F9 || [5.0.0+] AcpBcatDeliveryCacheStorageSize || AcpBcatSettingsInfo || NumericI64 || None
|-
| 0x1FA || [5.0.0+] AcpApplicationErrorCodeCategory || AcpGeneralSettingsInfo || String || None
|-
| 0x1FB || [5.0.0+] AcpLocalCommunicationId || AcpGeneralSettingsInfo || U64Array || None
|-
| 0x1FC || [5.0.0+] AcpLogoType || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x1FD || [5.0.0+] AcpLogoHandling || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x1FE || [5.0.0+] AcpRuntimeAocInstall || AcpAocSettingsInfo || NumericU8 || None
|-
| 0x1FF || [5.0.0+] AcpCrashReport || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x200 || [5.0.0+] AcpHdcp || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x201 || [5.0.0+] AcpSeedForPseudoDeviceId || AcpGeneralSettingsInfo || NumericU64 || None
|-
| 0x202 || [5.0.0+] AcpBcatPassphrase || AcpBcatSettingsInfo || String || None
|-
| 0x203 || [5.0.0+] AcpUserAccountSaveDataSizeMax || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x204 || [5.0.0+] AcpUserAccountSaveDataJournalSizeMax || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x205 || [5.0.0+] AcpDeviceSaveDataSizeMax || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x206 || [5.0.0+] AcpDeviceSaveDataJournalSizeMax || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x207 || [5.0.0+] AcpTemporaryStorageSize || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x208 || [5.0.0+] AcpCacheStorageSize || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x209 || [5.0.0+] AcpCacheStorageJournalSize || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x20A || [5.0.0+] AcpCacheStorageDataAndJournalSizeMax || AcpStorageSettingsInfo || NumericI64 || None
|-
| 0x20B || [5.0.0+] AcpCacheStorageIndexMax || AcpStorageSettingsInfo || NumericI16 || None
|-
| 0x20C || [5.0.0+] AcpPlayLogQueryableApplicationId || AcpPlayLogSettingsInfo || U64Array || None
|-
| 0x20D || [5.0.0+] AcpPlayLogQueryCapability || AcpPlayLogSettingsInfo || NumericU8 || None
|-
| 0x20E || [5.0.0+] AcpRepairFlag || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x20F || [5.0.0+] RunningApplicationPatchStorageLocation || RunningApplicationInfo || String || None
|-
| 0x210 || [5.0.0+] RunningApplicationVersionNumber || RunningApplicationInfo || NumericU32 || None
|-
| 0x211 || [5.0.0+] FsRecoveredByInvalidateCacheCount || FsProxyErrorInfo || NumericU32 || None
|-
| 0x212 || [5.0.0+] FsSaveDataIndexCount || FsProxyErrorInfo || NumericU32 || None
|-
| 0x213 || [5.0.0+] FsBufferManagerPeakTotalAllocatableSize || FsMemoryInfo || NumericU64 || None
|-
| 0x214 || [5.0.0+] MonitorCurrentWidth || MonitorSettings || NumericU16 || None
|-
| 0x215 || [5.0.0+] MonitorCurrentHeight || MonitorSettings || NumericU16 || None
|-
| 0x216 || [5.0.0+] MonitorCurrentRefreshRate || MonitorSettings || String || None
|-
| 0x217 || [5.0.0+] RebootlessSystemUpdateVersion || RebootlessSystemUpdateVersionInfo || String || None
|-
| 0x218 || [5.0.0+] EncryptedExceptionInfo1 || ErrorInfo || U8Array || None
|-
| 0x219 || [5.0.0+] EncryptedExceptionInfo2 || ErrorInfo || U8Array || None
|-
| 0x21A || [5.0.0+] EncryptedExceptionInfo3 || ErrorInfo || U8Array || None
|-
| 0x21B || [5.0.0+] EncryptedDyingMessage || ErrorInfo || U8Array || None
|-
| 0x21C || [5.0.0+] DramId || PowerClockInfo || NumericU32 || None
|-
| 0x21D || [6.0.0+] NifmConnectionTestRedirectUrl || NifmConnectionTestInfo || String || None
|-
| 0x21E || [6.0.0+] AcpRequiredNetworkServiceLicenseOnLaunchFlag || [12.0.0+] AcpUserAccountSettingsInfo ([6.0.0-11.0.1] AcpGeneralSettingsInfo) || NumericU8 || None
|-
| 0x21F || [6.0.0+] PciePort0Flags || PcieLoggedStateInfo || NumericU32 || None
|-
| 0x220 || [6.0.0+] PciePort0Speed || PcieLoggedStateInfo || NumericU8 || None
|-
| 0x221 || [6.0.0+] PciePort0ResetTimeInUs || PcieLoggedStateInfo || NumericU32 || None
|-
| 0x222 || [6.0.0+] PciePort0IrqCount || PcieLoggedStateInfo || NumericU32 || None
|-
| 0x223 || [6.0.0+] PciePort0Statistics || PcieLoggedStateInfo || U32Array || None
|-
| 0x224 || [6.0.0+] PciePort1Flags || PcieLoggedStateInfo || NumericU32 || None
|-
| 0x225 || [6.0.0+] PciePort1Speed || PcieLoggedStateInfo || NumericU8 || None
|-
| 0x226 || [6.0.0+] PciePort1ResetTimeInUs || PcieLoggedStateInfo || NumericU32 || None
|-
| 0x227 || [6.0.0+] PciePort1IrqCount || PcieLoggedStateInfo || NumericU32 || None
|-
| 0x228 || [6.0.0+] PciePort1Statistics || PcieLoggedStateInfo || U32Array || None
|-
| 0x229 || [6.0.0+] PcieFunction0VendorId || PcieLoggedStateInfo || NumericU16 || None
|-
| 0x22A || [6.0.0+] PcieFunction0DeviceId || PcieLoggedStateInfo || NumericU16 || None
|-
| 0x22B || [6.0.0+] PcieFunction0PmState || PcieLoggedStateInfo || NumericU8 || None
|-
| 0x22C || [6.0.0+] PcieFunction0IsAcquired || PcieLoggedStateInfo || Bool || None
|-
| 0x22D || [6.0.0+] PcieFunction1VendorId || PcieLoggedStateInfo || NumericU16 || None
|-
| 0x22E || [6.0.0+] PcieFunction1DeviceId || PcieLoggedStateInfo || NumericU16 || None
|-
| 0x22F || [6.0.0+] PcieFunction1PmState || PcieLoggedStateInfo || NumericU8 || None
|-
| 0x230 || [6.0.0+] PcieFunction1IsAcquired || PcieLoggedStateInfo || Bool || None
|-
| 0x231 || [6.0.0+] PcieGlobalRootComplexStatistics || PcieLoggedStateInfo || U32Array || None
|-
| 0x232 || [6.0.0+] PciePllResistorCalibrationValue || PcieLoggedStateInfo || NumericU8 || None
|-
| 0x233 || [6.0.0+] CertificateRequestedHostName || NetworkSecurityCertificateInfo || String || None
|-
| 0x234 || [6.0.0+] CertificateCommonName || NetworkSecurityCertificateInfo || String || None
|-
| 0x235 || [6.0.0+] CertificateSANCount || NetworkSecurityCertificateInfo || NumericU32 || None
|-
| 0x236 || [6.0.0+] CertificateSANs || NetworkSecurityCertificateInfo || String || None
|-
| 0x237 || [6.0.0+] FsBufferPoolMaxAllocateSize || FsMemoryInfo || NumericU64 || None
|-
| 0x238 || [6.0.0+] CertificateIssuerName || NetworkSecurityCertificateInfo || String || None
|-
| 0x239 || [6.0.0+] ApplicationAliveTime || ErrorInfoAuto || NumericI64 || None
|-
| 0x23A || [6.0.0+] ApplicationInFocusTime || ErrorInfoAuto || NumericI64 || None
|-
| 0x23B || [6.0.0+] ApplicationOutOfFocusTime || ErrorInfoAuto || NumericI64 || None
|-
| 0x23C || [6.0.0+] ApplicationBackgroundFocusTime || ErrorInfoAuto || NumericI64 || None
|-
| 0x23D || [6.0.0+] AcpUserAccountSwitchLock || [12.0.0+] AcpUserAccountSettingsInfo ([6.0.0-11.0.1] AcpGeneralSettingsInfo) || NumericU8 || None
|-
| 0x23E || [6.0.0+] USB3HostAvailableFlag || USB3AvailableInfo || Bool || None
|-
| 0x23F || [6.0.0+] USB3DeviceAvailableFlag || USB3AvailableInfo || Bool || None
|-
| 0x240 || [7.0.0+] AcpNeighborDetectionClientConfigurationSendDataId || AcpNeighborDetectionInfo || NumericU64 || None
|-
| 0x241 || [7.0.0+] AcpNeighborDetectionClientConfigurationReceivableDataIds || AcpNeighborDetectionInfo || U64Array || None
|-
| 0x242 || [7.0.0+] AcpStartupUserAccountOptionFlag || [12.0.0+] AcpUserAccountSettingsInfo ([7.0.0-11.0.1] AcpGeneralSettingsInfo) || NumericU8 || None
|-
| 0x243 || [7.0.0+] ServerErrorCode || ErrorInfo || String || None
|-
| 0x244 || [7.0.0+] AppletManagerMetaLogTrace || ErrorInfo || U64Array || None
|-
| 0x245 || [7.0.0+] ServerCertificateSerialNumber || NetworkSecurityCertificateInfo || String || None
|-
| 0x246 || [7.0.0+] ServerCertificatePublicKeyAlgorithm || NetworkSecurityCertificateInfo || String || None
|-
| 0x247 || [7.0.0+] ServerCertificateSignatureAlgorithm || NetworkSecurityCertificateInfo || String || None
|-
| 0x248 || [7.0.0+] ServerCertificateNotBefore || NetworkSecurityCertificateInfo || NumericU64 || None
|-
| 0x249 || [7.0.0+] ServerCertificateNotAfter || NetworkSecurityCertificateInfo || NumericU64 || None
|-
| 0x24A || [7.0.0+] CertificateAlgorithmInfoBits || NetworkSecurityCertificateInfo || NumericU64 || None
|-
| 0x24B || [7.0.0+] TlsConnectionPeerIpAddress || NetworkSecurityCertificateInfo || String || None
|-
| 0x24C || [7.0.0+] TlsConnectionLastHandshakeState || NetworkSecurityCertificateInfo || NumericU32 || None
|-
| 0x24D || [7.0.0+] TlsConnectionInfoBits || NetworkSecurityCertificateInfo || NumericU64 || None
|-
| 0x24E || [7.0.0+] SslStateBits || NetworkSecurityCertificateInfo || NumericU64 || None
|-
| 0x24F || [7.0.0+] SslProcessInfoBits || NetworkSecurityCertificateInfo || NumericU64 || None
|-
| 0x250 || [7.0.0+] SslProcessHeapSize || NetworkSecurityCertificateInfo || NumericU32 || None
|-
| 0x251 || [7.0.0+] SslBaseErrorCode || NetworkSecurityCertificateInfo || NumericI32 || None
|-
| 0x252 || [7.0.0+] GpuCrashDumpSize || GpuCrashInfo || NumericU32 || None
|-
| 0x253 || [7.0.0+] GpuCrashDump || GpuCrashInfo || U8Array || None
|-
| 0x254 || [7.0.0+] RunningApplicationProgramIndex || RunningApplicationInfo || NumericU8 || None
|-
| 0x255 || [8.0.0+] UsbTopology || UsbStateInfo || U8Array || None
|-
| 0x256 || [8.0.0+] AkamaiReferenceId || ErrorInfo || String || None
|-
| 0x257 || [9.0.0+] NvHostErrID || NvHostErrInfo || NumericU32 || None
|-
| 0x258 || [9.0.0+] NvHostErrDataArrayU32 || NvHostErrInfo || U32Array || None
|-
| 0x259 || [9.0.0+] HasSyslogFlag || ErrorInfo || Bool || None
|-
| 0x25A || [9.0.0+] AcpRuntimeParameterDelivery || AcpGeneralSettingsInfo || NumericU8 || None
|-
| 0x25B || [9.0.0+] PlatformRegion || RegionSettingInfo || String || None
|-
| 0x25C || [9.0.0+] RunningUlaApplicationId || RunningUlaInfo || String || None
|-
| 0x25D || [9.0.0+] RunningUlaAppletId || RunningUlaInfo || NumericU8 || None
|-
| 0x25E || [9.0.0+] RunningUlaVersion || RunningUlaInfo || NumericU32 || None
|-
| 0x25F || [9.0.0+] RunningUlaApplicationStorageLocation || RunningUlaInfo || String || None
|-
| 0x260 || [9.0.0+] RunningUlaPatchStorageLocation || RunningUlaInfo || String || None
|-
| 0x261 || [9.1.0+] NANDTotalSizeOfSystem || NANDFreeSpaceInfo || NumericU64 || None
|-
| 0x262 || [9.1.0+] NANDFreeSpaceOfSystem || NANDFreeSpaceInfo || NumericU64 || None
|-
| 0x263 || [11.0.0+] AccessPointSSIDAsHex || AccessPointInfo || String || None
|-
| 0x264 || [11.0.0+] PanelVendorId || InternalPanelInfo || NumericU8 || None
|-
| 0x265 || [11.0.0+] PanelRevisionId || InternalPanelInfo || NumericU8 || None
|-
| 0x266 || [11.0.0+] PanelModelId || InternalPanelInfo || NumericU8 || None
|-
| 0x267 || [11.0.0+] ErrorContext || ErrorInfoAuto || U8Array || None
|-
| 0x268 || [11.0.0+] ErrorContextSize || ErrorInfoAuto || NumericU64 || None
|-
| 0x269 || [11.0.0+] ErrorContextTotalSize || ErrorInfoAuto || NumericU64 || None
|-
| 0x26A || [11.0.0+] SystemPhysicalMemoryLimit || ResourceLimitLimitInfo || NumericI64 || None
|-
| 0x26B || [11.0.0+] SystemThreadCountLimit || ResourceLimitLimitInfo || NumericI64 || None
|-
| 0x26C || [11.0.0+] SystemEventCountLimit || ResourceLimitLimitInfo || NumericI64 || None
|-
| 0x26D || [11.0.0+] SystemTransferMemoryCountLimit || ResourceLimitLimitInfo || NumericI64 || None
|-
| 0x26E || [11.0.0+] SystemSessionCountLimit || ResourceLimitLimitInfo || NumericI64 || None
|-
| 0x26F || [11.0.0+] SystemPhysicalMemoryPeak || ResourceLimitPeakInfo || NumericI64 || None
|-
| 0x270 || [11.0.0+] SystemThreadCountPeak || ResourceLimitPeakInfo || NumericI64 || None
|-
| 0x271 || [11.0.0+] SystemEventCountPeak || ResourceLimitPeakInfo || NumericI64 || None
|-
| 0x272 || [11.0.0+] SystemTransferMemoryCountPeak || ResourceLimitPeakInfo || NumericI64 || None
|-
| 0x273 || [11.0.0+] SystemSessionCountPeak || ResourceLimitPeakInfo || NumericI64 || None
|-
| 0x274 || [11.0.0+] GpuCrashHash || GpuCrashInfo || U8Array || None
|-
| 0x275 || [11.0.0+] TouchScreenPanelGpioValue || TouchScreenInfo || NumericU8 || None
|-
| 0x276 || [12.0.0+] BrowserCertificateHostName || ErrorInfo || String || None
|-
| 0x277 || [12.0.0+] BrowserCertificateCommonName || ErrorInfo || String || None
|-
| 0x278 || [12.0.0+] BrowserCertificateOrganizationalUnitName || ErrorInfo || String || None
|-
| 0x279 || [12.0.0+] FsPooledBufferFailedIdealAllocationCountOnAsyncAccess || FsMemoryInfo || NumericU64 || None
|-
| 0x27A || [12.0.0+] AudioOutputTarget || AudioDeviceInfo || NumericU8 || None
|-
| 0x27B || [12.0.0+] AudioOutputChannelCount || AudioDeviceInfo || NumericU8 || None
|-
| 0x27C || [12.0.0+] AppletTotalActiveTime || ErrorInfoAuto || NumericI64 || None
|-
| 0x27D || [12.0.0+] WakeCount || AbnormalWakeInfo || NumericU32 || None
|-
| 0x27E || [12.0.0+] PredominantWakeReason || AbnormalWakeInfo || NumericU32 || None
|-
| 0x27F || [13.0.0+] EdidExtensionBlock2 || EdidInfo || U8Array || None
|-
| 0x280 || [13.0.0+] EdidExtensionBlock3 || EdidInfo || U8Array || None
|-
| 0x281 || [13.0.0+] LumenRequestId || ErrorInfo || String || None
|-
| 0x282 || [13.0.0+] LlnwLlid || ErrorInfo || String || None
|-
| 0x283 || [14.0.0+] SupportingLimitedApplicationLicenses ([13.0.0-13.2.1] SupportingLimitedLicenses) || RunningApplicationInfo || NumericU32 || None
|-
| 0x284 || [14.0.0+] RuntimeLimitedApplicationLicenseUpgrade ([13.0.0-13.2.1] RuntimeLimitedLicenseUpgrade) || RunningApplicationInfo || NumericU8 || None
|-
| 0x285 || [13.0.0+] ServiceProfileRevisionKey || ServiceProfileInfo || NumericU64 || None
|-
| 0x286 || [13.0.0+] BluetoothAudioConnectionCount || BluetoothAudioInfo || NumericU8 || None
|-
| 0x287 || [13.0.0+] BluetoothHidPairingInfoCount || BluetoothPairingCountInfo || NumericU8 || None
|-
| 0x288 || [13.0.0+] BluetoothAudioPairingInfoCount || BluetoothPairingCountInfo || NumericU8 || None
|-
| 0x289 || [13.0.0+] BluetoothLePairingInfoCount || BluetoothPairingCountInfo || NumericU8 || None
|-
| 0x28A || [14.0.0+] FatFsBisSystemFilePeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x28B || [14.0.0+] FatFsBisSystemDirectoryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x28C || [14.0.0+] FatFsBisUserFilePeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x28D || [14.0.0+] FatFsBisUserDirectoryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x28E || [14.0.0+] FatFsSdCardFilePeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x28F || [14.0.0+] FatFsSdCardDirectoryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x290 || [15.0.0+] SslAlertInfo || NetworkSecurityCertificateInfo || U8Array || None
|-
| 0x291 || [15.0.0+] SslVersionInfo || NetworkSecurityCertificateInfo || U8Array || None
|-
| 0x292 || [15.0.0+] FatFsBisSystemUniqueFileEntryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x293 || [15.0.0+] FatFsBisSystemUniqueDirectoryEntryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x294 || [15.0.0+] FatFsBisUserUniqueFileEntryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x295 || [15.0.0+] FatFsBisUserUniqueDirectoryEntryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x296 || [15.0.0+] FatFsSdCardUniqueFileEntryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x297 || [15.0.0+] FatFsSdCardUniqueDirectoryEntryPeakOpenCount || FsProxyErrorInfo || NumericU16 || None
|-
| 0x298 || [16.0.0+] ServerErrorIsRetryable || ErrorInfo || Bool || None
|-
| 0x299 || [16.0.0+] FsDeepRetryStartCount || FsProxyErrorInfo2 || NumericU32 || None
|-
| 0x29A || [16.0.0+] FsUnrecoverableByGameCardAccessFailedCount || FsProxyErrorInfo2 || NumericU32 || None
|-
| 0x29B || [16.0.0+] BuiltInWirelessOUI || BuiltInWirelessOUIInfo || String || None
|-
| 0x29C || [16.0.0+] WirelessAPOUI || WirelessAPOUIInfo || String || None
|-
| 0x29D || [16.0.0+] EthernetAdapterOUI || EthernetAdapterOUIInfo || String || None
|-
| 0x29E || [17.0.0+] FatFsBisSystemFatSafeControlResult || FsProxyErrorInfo2 || NumericU8 || None
|-
| 0x29F || [17.0.0+] FatFsBisSystemFatErrorNumber || FsProxyErrorInfo2 || NumericI32 || None
|-
| 0x2A0 || [17.0.0+] FatFsBisSystemFatSafeErrorNumber || FsProxyErrorInfo2 || NumericI32 || None
|-
| 0x2A1 || [17.0.0+] FatFsBisUserFatSafeControlResult || FsProxyErrorInfo2 || NumericU8 || None
|-
| 0x2A2 || [17.0.0+] FatFsBisUserFatErrorNumber || FsProxyErrorInfo2 || NumericI32 || None
|-
| 0x2A3 || [17.0.0+] FatFsBisUserFatSafeErrorNumber || FsProxyErrorInfo2 || NumericI32 || None
|-
| 0x2A4 || [17.0.0+] GpuCrashDump2 || GpuCrashInfo || U8Array || None
|-
| 0x2A5 || [17.0.0+] NANDType || NANDTypeInfo || U8Array || None
|-
| 0x2A6 || [17.0.0+] MicroSDType || MicroSDTypeInfo || U8Array || None
|-
| 0x2A7 || [17.0.0+] GameCardLastDeactivateReasonResult || GameCardErrorInfo || NumericU32 || None
|-
| 0x2A8 || [17.0.0+] GameCardLastDeactivateReason || GameCardErrorInfo || NumericU8 || None
|-
| 0x2A9 || [18.0.0+] InvalidErrorCode || ErrorInfo || String || None
|-
| 0x3E8|| [18.0.0+] TestStringNx || TestNx || String || None
|-
| 0x3E9 || [18.0.0+] BoostModeCurrentLimit || BatteryChargeInfo || NumericI32 || None
|-
| 0x3EA || [18.0.0+] ChargeConfiguration || BatteryChargeInfo || NumericI32 || None
|-
| 0x3EB || [18.0.0+] HizMode || BatteryChargeInfo || Bool || None
|-
| 0x3EC || [18.0.0+] PowerSupplyPath || BatteryChargeInfo || NumericI32 || None
|-
| 0x3ED || [18.0.0+] ControllerPowerSupplyAcquired || BatteryChargeInfo || Bool || None
|-
| 0x3EE || [18.0.0+] OtgRequested || BatteryChargeInfo || Bool || None
|-
| 0x3EF || [18.0.0+] AdspExceptionRegisters || AdspErrorInfo || U32Array || None
|-
| 0x3F0 || [18.0.0+] AdspExceptionSpsr || AdspErrorInfo || NumericU32 || None
|-
| 0x3F1 || [18.0.0+] AdspExceptionArmModeRegisters || AdspErrorInfo || U32Array || None
|-
| 0x3F2 || [18.0.0+] AdspExceptionStackAddress || AdspErrorInfo || NumericU32 || None
|-
| 0x3F3 || [18.0.0+] AdspExceptionStackDump || AdspErrorInfo || U32Array || None
|-
| 0x3F4 || [18.0.0+] AdspExceptionReason || AdspErrorInfo || NumericU32 || None
|}

[[Category:Services]]

18.0.0

2024-03-28T04:11:20Z

SciresM: /* Kernel */ This was in my notes and somehow didn't end up on the wiki

The Switch 18.0.0 system update was released on March 26, 2024 (UTC). This Switch update was released for the following regions: CHN, and ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* Added “15 Minutes” as an option for “Auto-sleep when playing on TV” in Sleep Mode Settings.
* Added Korean as a supported language for “Nintendo Switch Parental Controls” introductory video.
*
* When the console language is set to Korean, the video can be accessed from Settings > Parental Controls.
*
*
* General system stability improvements to enhance the user's experience.

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, Help, NgWord, SsidList, LocalNews, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware.
** Applets: qlaunch, auth, cabinet, error, netConnect, playerSelect, overlayDisp, "starter" application.

[[NPDM]] changes (besides usual version-bump):
* ptm: Service access: removed ovln:snd.
* bsdsocket: Service server access: added bsd:a, dns:priv.
* ldn: Service access: added lm.
* ns: Service access: added ldn:s.
* psc: Service access: added ovln:snd, psc:m.
* ssl: Service access: added srepo:u, arp:r.
* es: Service access: added ssl:s.
* qlaunch: Service access: removed htcs.
* auth: Service access: added htcs:sys, removed htcs.
* cabinet: Service access: added htcs:sys, ngc:u, removed htcs.
* error: Service access: removed htcs.
* netConnect: Service access: added htcs:sys, removed htcs.
* playerSelect: Service access: removed htcs.
* overlayDisp: Service access: added htcs:sys, removed htcs.

RomFs changes:
* ErrorMessage: updated
* Help: "/legallines.htdocs/index.html" updated
* NgWord: "/0.txt" updated, "/common.txt" updated, "/version.dat" updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* LocalNews: "/message/KRko/localNews.msbt.szs" updated, "/message/revision.txt" updated
* [[System_Settings|FirmwareDebugSettings]]: All files updated.
* NgWord2: "/ac_0_not_b_nx" updated, "/ac_common_b2_nx" updated, "/ac_common_not_b_nx" updated, "/version.dat" updated
* RebootlessSystemUpdateVersion: All files updated.
* NgWordT: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/qlaunch_action.bksnd" updated
* auth applet: "/lyt/Auth.szs" updated, "/lyt/common.szs" updated, "/message/KRko/auth.msbt.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated, "/sound/auth_action.bksnd" updated
* cabinet applet:
** "/common/shader/VarietyOceanShader_Nx.arc.szs" updated
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/cabinet_action.bksnd" updated
* error applet: "/lyt/common.szs" updated, "/lyt/Error.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated, "/sound/error_action.bksnd" updated
* netConnect applet: "/lyt/common.szs" updated, "/lyt/NetConnect.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/KRko/netConnect.msbt.szs" updated, "/message/Ocean.msbp.szs" updated, "/sound/netConnect_action.bksnd" updated
* playerSelect applet: "/lyt/common.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated, "/sound/playerSelect_action.bksnd" updated
* overlayDisp applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/overlayDisp_action.bksnd" updated
* "starter" application:
** "/common/shader/VarietyOceanShader_Nx.arc.szs" updated
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/starter_action.bksnd" updated

=== IPC Interface Changes ===
* Interface Changed: nn::settings::ISettingsServer
** Added: 12 - buffer_entry_sizes: [0x1000], buffers: [0x16], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::settings::ISystemSettingsServer
** Added: 251 - buffer_entry_sizes: [0x18], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 252 - buffer_entry_sizes: [0x18], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x710007AF24
* Unknown Interface cur-version: 0x710007CD3C
* Interface Changed: nn::friends::detail::ipc::IFriendService
** Added: 10111 - buffers: [0x6], inbytes: 0x20, outbytes: 0x4
** Added: 10501 - buffer_entry_sizes: [0x100, 0x8], buffers: [0x6, 0x9], inbytes: 0x10, outbytes: 0x0
** Added: 11001 - inbytes: 0xA4, outbytes: 0xA0
* Interface Changed: nn::friends::detail::ipc::IServiceCreator
** Changed: 2 - outinterfaces: ['0x710007AF24'] -> ['0x710007CD3C'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710007CD3C'])
* Interface Changed: nn::nifm::detail::IGeneralService
** Added: 44 - inbytes: 0x0, outbytes: 0x1
** Added: 45 - inbytes: 0x0, outbytes: 0x1
** Added: 46 - inbytes: 0x4, outbytes: 0x0
** Added: 49 - inbytes: 0x0, outbytes: 0x4
** Added: 50 - inbytes: 0x0, outbytes: 0x1
** Added: 51 - buffer_entry_sizes: [0x410], buffers: [0x15], inbytes: 0x1, outbytes: 0x8
** Added: 52 - inbytes: 0x8, outbytes: 0x0
* Interface Removed: nn::ts::server::IMeasurementServer
* Unknown Interface cur-version: 0x710006930C [ID = 0x26f251af]
* Interface Changed: nn::psm::IPsmServer
** Added: 19 - inbytes: 0x0, outbytes: 0x0
** Added: 20 - inbytes: 0x0, outbytes: 0x0
* Interface Removed: nn::socket::sf::IClient_MC
* Interface Added: nn::socket::sf::IClient
* Unknown Interface cur-version: 0x71000D00F0 [ID = 0xb117a63f]
* Interface Changed: nn::hid::IHidDebugServer
** Added: 18 - buffer_entry_sizes: [0x28], buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
** Changed: 225 - outbytes: 0x18 -> 0x20 (final state: inbytes: 0x8, outbytes: 0x20)
** Added: 601 - inbytes: 0x6, outbytes: 0x1
** Added: 602 - inbytes: 0x0, outbytes: 0x1
** Added: 603 - inbytes: 0x6, outbytes: 0x0
** Added: 604 - inbytes: 0x0, outbytes: 0x0
** Added: 605 - inbytes: 0x7, outbytes: 0x0
** Added: 606 - inbytes: 0x1, outbytes: 0x0
** Added: 607 - inbytes: 0x6, outbytes: 0x1
** Added: 608 - inbytes: 0x0, outbytes: 0x1
** Added: 609 - buffer_entry_sizes: [0x2C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
** Added: 610 - buffer_entry_sizes: [0x2C8], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Added: 611 - buffer_entry_sizes: [0x1C8], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Added: 612 - buffer_entry_sizes: [0x1A0], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Added: 613 - buffer_entry_sizes: [0x2C8], buffers: [0x16], inbytes: 0x0, outbytes: 0x0
** Added: 614 - buffer_entry_sizes: [0x2C8], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Added: 615 - buffer_entry_sizes: [0x1C8], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Added: 616 - buffer_entry_sizes: [0x1A0], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
* Interface Changed: nn::hid::IHidServer
** Added: 92 - inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::hid::IHidSystemServer
** Added: 813 - inbytes: 0x8, outbytes: 0x4
** Removed: 1200 - inbytes: 0x6, outbytes: 0x1
** Removed: 1201 - inbytes: 0x0, outbytes: 0x1
** Removed: 1202 - inbytes: 0x6, outbytes: 0x0
** Removed: 1203 - inbytes: 0x0, outbytes: 0x0
** Removed: 1204 - inbytes: 0x7, outbytes: 0x0
** Removed: 1205 - inbytes: 0x1, outbytes: 0x0
** Removed: 1206 - inbytes: 0x6, outbytes: 0x1
** Removed: 1207 - inbytes: 0x0, outbytes: 0x1
** Removed: 1208 - buffer_entry_sizes: [0x2C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
** Removed: 1209 - buffer_entry_sizes: [0x2C8], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Removed: 1211 - buffer_entry_sizes: [0x1A0], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Removed: 1212 - buffer_entry_sizes: [0x2C8], buffers: [0x16], inbytes: 0x0, outbytes: 0x0
** Removed: 1213 - buffer_entry_sizes: [0x2C8], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Removed: 1214 - buffer_entry_sizes: [0x1C8], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Removed: 1215 - buffer_entry_sizes: [0x1A0], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Added: 1308 - inbytes: 0x10, outbytes: 0x0
** Added: 1309 - inbytes: 0x8, outbytes: 0x1
** Removed: 12010 - buffer_entry_sizes: [0x1C8], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
* Interface Changed: nn::audio::detail::IAudioDevice
** Added: 19 - inbytes: 0x1, outbytes: 0x0
** Added: 20 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::audio::detail::IAudioSystemManagerForApplet
** Added: 10 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::audioctrl::detail::IAudioController
** Removed: 6 - inbytes: 0x4, outbytes: 0x1
* Unknown Interface cur-version: 0x710002D294 [ID = 0xf8ed3aad]
* Interface Changed: nn::ldn::detail::ISystemLocalCommunicationService
** Added: 106 - inbytes: 0x4, outbytes: 0x0
** Added: 500 - inbytes: 0x80, outbytes: 0x0
** Added: 501 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - buffers: [0x21], inbytes: 0x14, outbytes: 0x0
** Added: 503 - buffers: [0x22], inbytes: 0x4, outbytes: 0x18
** Added: 505 - inbytes: 0x4, outbytes: 0x0
** Added: 600 - inbytes: 0x2, outbytes: 0x0
** Added: 601 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldn::detail::ISystemServiceCreator
** Added: 1 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710002D294 [ID = 0xf8ed3aad]']
* Interface Changed: nn::ldn::detail::IUserLocalCommunicationService
** Added: 106 - inbytes: 0x4, outbytes: 0x0
** Added: 500 - inbytes: 0x80, outbytes: 0x0
** Added: 501 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - buffers: [0x21], inbytes: 0x14, outbytes: 0x0
** Added: 503 - buffers: [0x22], inbytes: 0x4, outbytes: 0x18
** Added: 505 - inbytes: 0x4, outbytes: 0x0
** Added: 600 - inbytes: 0x2, outbytes: 0x0
** Added: 601 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldn::detail::IUserServiceCreator
** Added: 1 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710002D294 [ID = 0xf8ed3aad]']
* Unknown Interface prev-version: 0x7100005828
* Unknown Interface cur-version: 0x7100005438
* Interface Changed: nn::clkrst::IClkrstSession
** Added: 14 - inbytes: 0x0, outbytes: 0x0
** Added: 15 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::rtc::IRtcManager
** Added: 12 - inbytes: 0x8, outbytes: 0x0
** Added: 13 - inbytes: 0x8, outbytes: 0x0
* Unknown Interface prev-version: 0x71000791B8 [ID = 0xf350e826]
* Unknown Interface cur-version: 0x710007E200 [ID = 0xf350e826]
* Interface Changed: nn::account::IAccountEntityServiceForAccountPolicy
** Added: 400 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 410 - inbytes: 0x10, outbytes: 0x8
** Added: 411 - inbytes: 0x10, outbytes: 0x0
** Added: 412 - inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Added: 400 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 410 - inbytes: 0x10, outbytes: 0x8
** Added: 411 - inbytes: 0x10, outbytes: 0x0
** Added: 412 - inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForSystemService
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
* Interface Changed: nn::account::IAccountServiceForSystemServiceWithProfileEditor
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
* Interface Changed: nn::account::baas::IAdministrator
** Changed: 170 - outinterfaces: ['0x71000791B8 [ID = 0xf350e826]'] -> ['0x710007E200 [ID = 0xf350e826]'] (final state: inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710007E200 [ID = 0xf350e826]'])
** Added: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::baas::IFloatingRegistrationRequest
** Added: 16 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IGuestLoginRequest
** Added: 16 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IManagerForSystemService
** Changed: 170 - outinterfaces: ['0x71000791B8 [ID = 0xf350e826]'] -> ['0x710007E200 [ID = 0xf350e826]'] (final state: inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710007E200 [ID = 0xf350e826]'])
** Added: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::nas::IOAuthProcedureForExternalNsa
** Added: 104 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::nas::IOAuthProcedureForUserRegistration
** Added: 104 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 230 - buffers: [0x5], inbytes: 0x21, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::profile::IProfile
** Added: 20 - inbytes: 0x0, outbytes: 0x4
** Added: 21 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 30 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::profile::IProfileEditor
** Added: 20 - inbytes: 0x0, outbytes: 0x4
** Added: 21 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 30 - inbytes: 0x0, outbytes: 0x10
** Added: 110 - buffer_entry_sizes: [0x80, 0x0], buffers: [0x19, 0x5], inbytes: 0x38, outbytes: 0x0
* Unknown Interface prev-version: 0x71001BCD60 [ID = 0xf350e826]
* Unknown Interface cur-version: 0x71001B0378 [ID = 0xf350e826]
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Added: 400 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 410 - inbytes: 0x10, outbytes: 0x8
** Added: 411 - inbytes: 0x10, outbytes: 0x0
** Added: 412 - inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForSystemService
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
* Interface Changed: nn::account::baas::IAdministrator
** Changed: 170 - outinterfaces: ['0x71001BCD60 [ID = 0xf350e826]'] -> ['0x71001B0378 [ID = 0xf350e826]'] (final state: inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001B0378 [ID = 0xf350e826]'])
** Added: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::baas::IFloatingRegistrationRequest
** Added: 16 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IGuestLoginRequest
** Added: 16 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IManagerForSystemService
** Changed: 170 - outinterfaces: ['0x71001BCD60 [ID = 0xf350e826]'] -> ['0x71001B0378 [ID = 0xf350e826]'] (final state: inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001B0378 [ID = 0xf350e826]'])
** Added: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::nas::IOAuthProcedureForExternalNsa
** Added: 104 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::nas::IOAuthProcedureForUserRegistration
** Added: 104 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 230 - buffers: [0x5], inbytes: 0x21, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::profile::IProfile
** Added: 20 - inbytes: 0x0, outbytes: 0x4
** Added: 21 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 30 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::profile::IProfileEditor
** Added: 20 - inbytes: 0x0, outbytes: 0x4
** Added: 21 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 30 - inbytes: 0x0, outbytes: 0x10
** Added: 110 - buffer_entry_sizes: [0x80, 0x0], buffers: [0x19, 0x5], inbytes: 0x38, outbytes: 0x0
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Changed: 94 - inbytes: 0x48 -> 0x58 (final state: inbytes: 0x58, outbytes: 0x8)
** Changed: 95 - outbytes: 0x40 -> 0x50 (final state: inbytes: 0x8, outbytes: 0x50)
** Changed: 96 - outbytes: 0x40 -> 0x50 (final state: inbytes: 0x8, outbytes: 0x50)
** Changed: 97 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x1)
** Changed: 406 - inbytes: 0x48 -> 0x58 (final state: buffer_entry_sizes: [0x4000], buffers: [0x16], inbytes: 0x58, outbytes: 0x0)
** Changed: 2513 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x8)
** Changed: 2517 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x8)
** Added: 3015 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 3104 - buffers: [0x6], inbytes: 0x8, outbytes: 0x8
** Added: 3105 - buffers: [0x6], inbytes: 0x8, outbytes: 0x8
** Added: 5000 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 5001 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
* Interface Changed: nn::ns::detail::IDevelopInterface
** Removed: 8 - buffers: [0x5], inbytes: 0x4, outbytes: 0x8
** Removed: 9 - inbytes: 0x10, outbytes: 0x8
** Removed: 15 - buffers: [0x5], inbytes: 0x0, outbytes: 0x8
** Changed: 17 - outbytes: 0x40 -> 0x50 (final state: buffers: [0x5], inbytes: 0x4, outbytes: 0x50)
** Changed: 18 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x0, outhandles: [1])
** Changed: 19 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x0)
** Added: 21 - inbytes: 0x10, outbytes: 0x50
** Added: 22 - inbytes: 0x50, outbytes: 0x8
** Added: 23 - inbytes: 0x50, outbytes: 0x8
** Added: 24 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ns::detail::IDynamicRightsInterface
** Added: 26 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::ns::detail::IVulnerabilityManagerInterface
** Added: 3100 - inbytes: 0x0, outbytes: 0x10
** Added: 3101 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 3102 - inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x71000182AC [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001CE6C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001D12C [ID = 0x07b4542c]
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 4 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Changed: 9 - outinterfaces: ['0x71000182AC [ID = 0x5a340f8a]'] -> ['0x710001CE6C [ID = 0x5a340f8a]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001CE6C [ID = 0x5a340f8a]'])
** Added: 11 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001D12C [ID = 0x07b4542c]']
** Added: 12 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::hshl::ISetterManager
** Added: 4 - inbytes: 0x0, outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::capsrv::sf::IAlbumAccessorService
** Added: 141 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 151 - buffer_entry_sizes: [0x400], buffers: [0x16], inbytes: 0x18, outbytes: 0x40
** Added: 160 - buffers: [0x6], inbytes: 0x20, outbytes: 0x8
* Interface Changed: nn::capsrv::sf::IAlbumAccessorSession
** Added: 5000 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::capsrv::sf::IAlbumApplicationService
** Added: 148 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x20, outbytes: 0x8, pid: True
* Interface Changed: nn::capsrv::sf::IAlbumControlSession
** Added: 2435 - inbytes: 0x10, outbytes: 0x0
** Added: 5000 - inbytes: 0x8, outbytes: 0x8
* Unknown Interface cur-version: 0x71000B9398 [ID = 0xb8f77e09]
* Unknown Interface cur-version: 0x71000B9D70 [ID = 0x43c5fa77]
* Unknown Interface cur-version: 0x71000B9A78 [ID = 0xb0c7a8a3]
* Unknown Interface cur-version: 0x71000B90A8 [ID = 0x8db727a9]
* Interface Changed: nn::am::service::IAppletCommonFunctions
** Added: 82 - inbytes: 0x1, outbytes: 0x0
** Added: 160 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000B90A8 [ID = 0x8db727a9]']
** Added: 161 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000B9A78 [ID = 0xb0c7a8a3]']
* Interface Changed: nn::am::service::IDebugFunctions
** Added: 53 - inbytes: 0x8, outbytes: 0x8
** Added: 410 - inbytes: 0x10, outbytes: 0x0
** Added: 411 - buffers: [0x22], inbytes: 0x10, outbytes: 0x8
** Added: 412 - buffers: [0x21], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::am::service::IOverlayFunctions
** Added: 40 - buffers: [0x6], inbytes: 0x0, outbytes: 0x8
** Added: 41 - buffers: [0x6], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::ssl::sf::ISslServiceForSystem
** Added: 103 - buffers: [0x5, 0x5, 0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 147 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 148 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
* Interface Changed: nn::capsrv::sf::IScreenShotControlService
** Added: 1100 - buffers: [0x45], inbytes: 0x28, outbytes: 0x0
** Changed: 1106 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0, 0x0] -> [0x400, 0x404, 0x88, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x46, 0x46] -> [0x15, 0x15, 0x15, 0x6, 0x46, 0x46] (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x46, 0x46], inbytes: 0x68, outbytes: 0x18)
** Changed: 1107 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0] -> [0x400, 0x404, 0x88, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x45] -> [0x15, 0x15, 0x15, 0x6, 0x45] (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x45], inbytes: 0x68, outbytes: 0x18)
** Added: 1108 - buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0], buffers: [0x15, 0x15, 0x15, 0x6], inbytes: 0x70, outbytes: 0x18
* Interface Changed: nn::pctl::detail::ipc::IParentalControlService
** Added: 1475 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 1954 - inbytes: 0x0, outbytes: 0x1
** Added: 1955 - inbytes: 0x0, outbytes: 0x8
** Added: 1956 - inbytes: 0x0, outbytes: 0x1
** Added: 1957 - inbytes: 0x0, outbytes: 0x1
** Added: 145601 - inbytes: 0x0, outbytes: 0x36
** Added: 195101 - inbytes: 0x36, outbytes: 0x0
* Unknown Interface cur-version: 0x71000913E4 [ID = 0x10763728]
* Interface Changed: nn::npns::INotificationReceiver
** Added: 5 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::npns::INpnsSystem
** Added: 8 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
** Removed: 13 - buffers: [0x9], inbytes: 0x0, outbytes: 0x1
** Added: 14 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0
** Added: 15 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0
** Added: 16 - buffer_entry_sizes: [0x28], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
** Added: 28 - buffers: [0x9], inbytes: 0x10, outbytes: 0x28
** Added: 29 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0
** Added: 37 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
** Added: 51 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
** Added: 106 - inbytes: 0x0, outbytes: 0x8
** Added: 107 - inbytes: 0x8, outbytes: 0x0
** Added: 156 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0, outinterfaces: [None]
** Added: 301 - buffers: [0xA], inbytes: 0x0, outbytes: 0x0
** Added: 302 - buffer_entry_sizes: [0x10, 0x0], buffers: [0xA, 0xA], inbytes: 0x0, outbytes: 0x8
** Added: 303 - buffer_entry_sizes: [0x138, 0x138], buffers: [0x6, 0x6], inbytes: 0x0, outbytes: 0x8
** Added: 304 - inbytes: 0x0, outbytes: 0x50
** Added: 305 - buffer_entry_sizes: [0x48], buffers: [0x6], inbytes: 0x4, outbytes: 0x8
** Added: 306 - buffers: [0x6, 0x9], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::npns::INpnsUser
** Added: 8 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::es::IActiveRightsContext
** Changed: 901 - buffer_entry_sizes: [0x24] -> [0x2C] (final state: buffer_entry_sizes: [0x2C], buffers: [0x16], inbytes: 0x0, outbytes: 0x0)
* Interface Changed: nn::es::IETicketService
** Added: 101 - buffers: [0x5, 0x5], inbytes: 0x0, outbytes: 0x0
** Added: 102 - inbytes: 0x0, outbytes: 0x0
** Added: 103 - inbytes: 0x0, outbytes: 0x4
** Added: 104 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 201 - buffers: [0x5, 0x5], inbytes: 0x0, outbytes: 0x0
** Added: 202 - inbytes: 0x0, outbytes: 0x0
** Added: 203 - inbytes: 0x0, outbytes: 0x4
** Added: 204 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 1028 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::ndrm::low::detail::INdrmLowAdminInterface
** Added: 46 - inbytes: 0x8, outbytes: 0x1
* Interface Changed: nn::grcsrv::IGrcService
** Changed: 1 - inbytes: 0x20 -> 0x28 (final state: inbytes: 0x28, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::grcsrv::IContinuousRecorder'])
** Added: 10 - inbytes: 0x20, outbytes: 0x0, outinterfaces: ['nn::grcsrv::IContinuousRecorder']
* Interface Removed: nn::jitsrv::IJitEnvironment
* Interface Removed: nn::jitsrv::IJitService
* Interface Added: nn::sf::hipc::detail::IHipcManager
* Unknown Interface cur-version: 0x7100000680 [ID = 0x3d92e8a4]
* Unknown Interface cur-version: 0x71000009C4 [ID = 0x2a4c2069]
* Interface Changed: nn::capsrv::sf::IDecoderControlService
** Added: 4002 - buffers: [0x46, 0x5], inbytes: 0x30, outbytes: 0x8
* Unknown Interface cur-version: 0x710011CA80 [ID = 0x7e450fad]
* Interface Changed: nn::spsm::detail::IPowerStateInterface
** Added: 15 - inbytes: 0x4, outbytes: 0x0
** Added: 16 - inbytes: 0x8, outbytes: 0x0
* Unknown Interface cur-version: 0x7100021640 [ID = 0xd3808bc8]
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 222 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0
** Added: 302 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 1020 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100021640 [ID = 0xd3808bc8]']
** Removed: 1100 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1101 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Removed: 70 - inbytes: 0x0, outbytes: 0x10
** Added: 74 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 8 - inbytes: 0x4, outbytes: 0x0
** Added: 9 - inbytes: 0x4, outbytes: 0x0
** Removed: 64 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 65 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 66 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
* Interface Changed: nn::spl::detail::IEsInterface
** Added: 33 - buffers: [0x9, 0x9, 0x9], inbytes: 0x4, outbytes: 0x10
* Unknown Interface cur-version: 0x7100021290 [ID = 0xd3808bc8]
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 222 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0
** Added: 302 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 1020 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100021290 [ID = 0xd3808bc8]']
** Removed: 1100 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1101 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Removed: 70 - inbytes: 0x0, outbytes: 0x10
** Added: 74 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 8 - inbytes: 0x4, outbytes: 0x0
** Added: 9 - inbytes: 0x4, outbytes: 0x0
** Removed: 64 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 65 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 66 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
* Interface Changed: nn::clkrst::IClkrstSession
** Added: 14 - inbytes: 0x0, outbytes: 0x0
** Added: 15 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::rtc::IRtcManager
** Added: 12 - inbytes: 0x8, outbytes: 0x0
** Added: 13 - inbytes: 0x8, outbytes: 0x0
* Unknown Interface prev-version: 0x710001829C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001CE6C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001D12C [ID = 0x07b4542c]
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 4 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Changed: 9 - outinterfaces: ['0x710001829C [ID = 0x5a340f8a]'] -> ['0x710001CE6C [ID = 0x5a340f8a]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001CE6C [ID = 0x5a340f8a]'])
** Added: 11 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001D12C [ID = 0x07b4542c]']
** Added: 12 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::hshl::ISetterManager
** Added: 4 - inbytes: 0x0, outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::spl::detail::IEsInterface
** Added: 33 - buffers: [0x9, 0x9, 0x9], inbytes: 0x4, outbytes: 0x10
* Unknown Interface cur-version: 0x7100021640 [ID = 0xd3808bc8]
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 222 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0
** Added: 302 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 1020 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100021640 [ID = 0xd3808bc8]']
** Removed: 1100 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1101 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Removed: 70 - inbytes: 0x0, outbytes: 0x10
** Added: 74 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 8 - inbytes: 0x4, outbytes: 0x0
** Added: 9 - inbytes: 0x4, outbytes: 0x0
** Removed: 64 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 65 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 66 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
* Interface Changed: nn::spl::detail::IEsInterface
** Added: 33 - buffers: [0x9, 0x9, 0x9], inbytes: 0x4, outbytes: 0x10
* Unknown Interface cur-version: 0x7100021290 [ID = 0xd3808bc8]
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 222 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0
** Added: 302 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 1020 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100021290 [ID = 0xd3808bc8]']
** Removed: 1100 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1101 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Removed: 70 - inbytes: 0x0, outbytes: 0x10
** Added: 74 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 8 - inbytes: 0x4, outbytes: 0x0
** Added: 9 - inbytes: 0x4, outbytes: 0x0
** Removed: 64 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 65 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 66 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
* Interface Changed: nn::clkrst::IClkrstSession
** Added: 14 - inbytes: 0x0, outbytes: 0x0
** Added: 15 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::rtc::IRtcManager
** Added: 12 - inbytes: 0x8, outbytes: 0x0
** Added: 13 - inbytes: 0x8, outbytes: 0x0
* Unknown Interface prev-version: 0x710001829C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001CE6C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001D12C [ID = 0x07b4542c]
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 4 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Changed: 9 - outinterfaces: ['0x710001829C [ID = 0x5a340f8a]'] -> ['0x710001CE6C [ID = 0x5a340f8a]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001CE6C [ID = 0x5a340f8a]'])
** Added: 11 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001D12C [ID = 0x07b4542c]']
** Added: 12 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::hshl::ISetterManager
** Added: 4 - inbytes: 0x0, outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::spl::detail::IEsInterface
** Added: 33 - buffers: [0x9, 0x9, 0x9], inbytes: 0x4, outbytes: 0x10

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_11 (previously master_key_10). See [[NCA]] for the KeyGeneration listing.

==== Kernel ====
* Compiler/libc was upgraded, this results in various minor optimizations throughout the whole kernel.
** Many, many minor changes that this is almost certainly the cause for, e.g. KThread::SuspendRequest now calculates requested value as (0x10 << suspend_type) instead of (1 << (suspend_type + 4)).
** Biggest one is that sp/lr are now much more commonly not saved to stack until actually needed, if a function has a return path which does not make calls/does not need lr/sp saved.
* Initialize0 changes:
** The physical base address of the kernel is now passed by KernelLdr for use during KernelSlab virtual memory region setup.
*** This replaces the previous call to KInitialPageTable::GetPhysicalAddress.
* SVC-handler accesses to the thread local region's disable count now use userspace access instructions.
* SvcSetHeapSize now only sets the output address on success.
** This wasn't a vulnerability before, because prior to this the ABI meant userland would receive whatever was in the userland register at call time.
* CreateProcessParameter now zeroes many fields before performing initialization.
* When making a deep copy of the KPageGroup for loading InitialProcess segments, a new helper with full error checking/etc is now used instead of doing the copy inline
* New CreateProcessFlag 0x2000 is "EnableReservedRegionExtraSize", when set the reserved region size is increased by (AddressSpaceSize / 8).
** Currently, CreateProcess will return svc::ResultInvalidState() unless all the following conditions are met:
*** Address space type must be 39-bit
*** System resource size must be > 0
*** KTargetSystem::IsDebugMode() must be true.
** New InfoType (0x1C) "InfoType_ReservedRegionExtraSize" retrieves the extra size, which is a member of KPageTableBase.
** Loader does not currently support passing this flag in any capacity yet.
** nn::os::VammManager currently calculates the reserved region as [start, end - extra size], and will not map to the extra part of the region.
* Various KPageTable(Base/Impl) changes:
** InitializeForProcess now takes in the create process flags directly instead of parsing as a bunch of bools.
** InitializeForProcess now performs much more complicated initialization/randomization of the four aslr'd regions, dividing them up before/after the process code using largest-region first selection for randomization order.
** KPageTableImpl's traversal functions now take an additional output byte (which is also a new member at +0x11 in the traversal block and in KMemoryRange), this is always set to zero.
*** This byte is checked when traversing by ::Finalize and ::GetContiguousRangeWithMemoryState, but not other page table functions.
*** This byte is also stored as a new member of the memory range struct returned by GetContiguousRangeWithMemoryState
** AllocateAndMapPagesImpl now takes in the page properties by reference instead of by value.
** Read/WriteReadDebugIoMemory now use simpler logic for determining the current readable size.
* The KMemoryBlock helper "ConvertToKMemoryPermission" was changed to only copy the user-write bit to KernelWrite.
** This fixes a longstanding bug where the input was AND'd with KMemoryPermission_UserReadWrite, and these bits were then ORR'd into the final permission <<='d with KernelShift.
** The intent here was to copy the user read/write permissions into the kernel read/write permissions, but KMemoryPermission_UserReadWrite is not bitmask 0x3, it's bitmask 0x1B (including the KernelRead/Write bits).
** Thus, previously this would allow an input with KernelRead bit to spuriously set the NotMapped bit, and an input with KernelWrite bit to spuriously set the unused top bit.
** This was unexploitable, except maybe for causing a kernel-mode access exception.
* HandleException now handles EsrEc_DataAbortEl0 specially when determining the debug exception type.
** When ESR_EL1.IFSC is 0b100001 ("Alignment Fault"), ExceptionType_UnalignedData is selected instead of ExceptionType_DataAbort.
* KMemoryManager(Impl)/KPageHeap changes:
** KPageHeap's heap_virtual_address member is now removed and is a part of KMemoryManagerImpl now (this is still unused in non-debug kernel).
** KMemoryManager::AllocatePageGroup now takes a parameter for the required minimum alignment for the page group.
*** This is currently passed as 1 page (minimum alignment) at all callsites.
* SecureMonitor access was refactored, actual smc invocation is now in its own helper separate from interrupt disable/enable (and helpers which invoke without interrupt disable now exist).

=== [[Audio_services|audio]] ===
Besides IPC changes, vulns were [[Switch_System_Flaws|fixed]].

=== [[JIT_services|jit]] ===
Symbols were stripped from the main-codebin.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2024-03-26_00-06-36&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

18.0.0

2024-03-27T22:38:05Z

SciresM: /* BootImagePackages */ Kernel diff

The Switch 18.0.0 system update was released on March 26, 2024 (UTC). This Switch update was released for the following regions: CHN, and ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* Added “15 Minutes” as an option for “Auto-sleep when playing on TV” in Sleep Mode Settings.
* Added Korean as a supported language for “Nintendo Switch Parental Controls” introductory video.
*
* When the console language is set to Korean, the video can be accessed from Settings > Parental Controls.
*
*
* General system stability improvements to enhance the user's experience.

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, Help, NgWord, SsidList, LocalNews, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware.
** Applets: qlaunch, auth, cabinet, error, netConnect, playerSelect, overlayDisp, "starter" application.

[[NPDM]] changes (besides usual version-bump):
* ptm: Service access: removed ovln:snd.
* bsdsocket: Service server access: added bsd:a, dns:priv.
* ldn: Service access: added lm.
* ns: Service access: added ldn:s.
* psc: Service access: added ovln:snd, psc:m.
* ssl: Service access: added srepo:u, arp:r.
* es: Service access: added ssl:s.
* qlaunch: Service access: removed htcs.
* auth: Service access: added htcs:sys, removed htcs.
* cabinet: Service access: added htcs:sys, ngc:u, removed htcs.
* error: Service access: removed htcs.
* netConnect: Service access: added htcs:sys, removed htcs.
* playerSelect: Service access: removed htcs.
* overlayDisp: Service access: added htcs:sys, removed htcs.

RomFs changes:
* ErrorMessage: updated
* Help: "/legallines.htdocs/index.html" updated
* NgWord: "/0.txt" updated, "/common.txt" updated, "/version.dat" updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* LocalNews: "/message/KRko/localNews.msbt.szs" updated, "/message/revision.txt" updated
* [[System_Settings|FirmwareDebugSettings]]: All files updated.
* NgWord2: "/ac_0_not_b_nx" updated, "/ac_common_b2_nx" updated, "/ac_common_not_b_nx" updated, "/version.dat" updated
* RebootlessSystemUpdateVersion: All files updated.
* NgWordT: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/qlaunch_action.bksnd" updated
* auth applet: "/lyt/Auth.szs" updated, "/lyt/common.szs" updated, "/message/KRko/auth.msbt.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated, "/sound/auth_action.bksnd" updated
* cabinet applet:
** "/common/shader/VarietyOceanShader_Nx.arc.szs" updated
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/cabinet_action.bksnd" updated
* error applet: "/lyt/common.szs" updated, "/lyt/Error.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated, "/sound/error_action.bksnd" updated
* netConnect applet: "/lyt/common.szs" updated, "/lyt/NetConnect.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/KRko/netConnect.msbt.szs" updated, "/message/Ocean.msbp.szs" updated, "/sound/netConnect_action.bksnd" updated
* playerSelect applet: "/lyt/common.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated, "/sound/playerSelect_action.bksnd" updated
* overlayDisp applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/overlayDisp_action.bksnd" updated
* "starter" application:
** "/common/shader/VarietyOceanShader_Nx.arc.szs" updated
** "/lyt/": Various data updated.
** "/message/": Various data updated.
** "/sound/starter_action.bksnd" updated

=== IPC Interface Changes ===
* Interface Changed: nn::settings::ISettingsServer
** Added: 12 - buffer_entry_sizes: [0x1000], buffers: [0x16], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::settings::ISystemSettingsServer
** Added: 251 - buffer_entry_sizes: [0x18], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 252 - buffer_entry_sizes: [0x18], buffers: [0x5], inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x710007AF24
* Unknown Interface cur-version: 0x710007CD3C
* Interface Changed: nn::friends::detail::ipc::IFriendService
** Added: 10111 - buffers: [0x6], inbytes: 0x20, outbytes: 0x4
** Added: 10501 - buffer_entry_sizes: [0x100, 0x8], buffers: [0x6, 0x9], inbytes: 0x10, outbytes: 0x0
** Added: 11001 - inbytes: 0xA4, outbytes: 0xA0
* Interface Changed: nn::friends::detail::ipc::IServiceCreator
** Changed: 2 - outinterfaces: ['0x710007AF24'] -> ['0x710007CD3C'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710007CD3C'])
* Interface Changed: nn::nifm::detail::IGeneralService
** Added: 44 - inbytes: 0x0, outbytes: 0x1
** Added: 45 - inbytes: 0x0, outbytes: 0x1
** Added: 46 - inbytes: 0x4, outbytes: 0x0
** Added: 49 - inbytes: 0x0, outbytes: 0x4
** Added: 50 - inbytes: 0x0, outbytes: 0x1
** Added: 51 - buffer_entry_sizes: [0x410], buffers: [0x15], inbytes: 0x1, outbytes: 0x8
** Added: 52 - inbytes: 0x8, outbytes: 0x0
* Interface Removed: nn::ts::server::IMeasurementServer
* Unknown Interface cur-version: 0x710006930C [ID = 0x26f251af]
* Interface Changed: nn::psm::IPsmServer
** Added: 19 - inbytes: 0x0, outbytes: 0x0
** Added: 20 - inbytes: 0x0, outbytes: 0x0
* Interface Removed: nn::socket::sf::IClient_MC
* Interface Added: nn::socket::sf::IClient
* Unknown Interface cur-version: 0x71000D00F0 [ID = 0xb117a63f]
* Interface Changed: nn::hid::IHidDebugServer
** Added: 18 - buffer_entry_sizes: [0x28], buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
** Changed: 225 - outbytes: 0x18 -> 0x20 (final state: inbytes: 0x8, outbytes: 0x20)
** Added: 601 - inbytes: 0x6, outbytes: 0x1
** Added: 602 - inbytes: 0x0, outbytes: 0x1
** Added: 603 - inbytes: 0x6, outbytes: 0x0
** Added: 604 - inbytes: 0x0, outbytes: 0x0
** Added: 605 - inbytes: 0x7, outbytes: 0x0
** Added: 606 - inbytes: 0x1, outbytes: 0x0
** Added: 607 - inbytes: 0x6, outbytes: 0x1
** Added: 608 - inbytes: 0x0, outbytes: 0x1
** Added: 609 - buffer_entry_sizes: [0x2C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
** Added: 610 - buffer_entry_sizes: [0x2C8], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Added: 611 - buffer_entry_sizes: [0x1C8], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Added: 612 - buffer_entry_sizes: [0x1A0], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Added: 613 - buffer_entry_sizes: [0x2C8], buffers: [0x16], inbytes: 0x0, outbytes: 0x0
** Added: 614 - buffer_entry_sizes: [0x2C8], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Added: 615 - buffer_entry_sizes: [0x1C8], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Added: 616 - buffer_entry_sizes: [0x1A0], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
* Interface Changed: nn::hid::IHidServer
** Added: 92 - inbytes: 0x10, outbytes: 0x0, pid: True
* Interface Changed: nn::hid::IHidSystemServer
** Added: 813 - inbytes: 0x8, outbytes: 0x4
** Removed: 1200 - inbytes: 0x6, outbytes: 0x1
** Removed: 1201 - inbytes: 0x0, outbytes: 0x1
** Removed: 1202 - inbytes: 0x6, outbytes: 0x0
** Removed: 1203 - inbytes: 0x0, outbytes: 0x0
** Removed: 1204 - inbytes: 0x7, outbytes: 0x0
** Removed: 1205 - inbytes: 0x1, outbytes: 0x0
** Removed: 1206 - inbytes: 0x6, outbytes: 0x1
** Removed: 1207 - inbytes: 0x0, outbytes: 0x1
** Removed: 1208 - buffer_entry_sizes: [0x2C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
** Removed: 1209 - buffer_entry_sizes: [0x2C8], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Removed: 1211 - buffer_entry_sizes: [0x1A0], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
** Removed: 1212 - buffer_entry_sizes: [0x2C8], buffers: [0x16], inbytes: 0x0, outbytes: 0x0
** Removed: 1213 - buffer_entry_sizes: [0x2C8], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Removed: 1214 - buffer_entry_sizes: [0x1C8], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Removed: 1215 - buffer_entry_sizes: [0x1A0], buffers: [0x16], inbytes: 0x6, outbytes: 0x0
** Added: 1308 - inbytes: 0x10, outbytes: 0x0
** Added: 1309 - inbytes: 0x8, outbytes: 0x1
** Removed: 12010 - buffer_entry_sizes: [0x1C8], buffers: [0x15], inbytes: 0x6, outbytes: 0x0
* Interface Changed: nn::audio::detail::IAudioDevice
** Added: 19 - inbytes: 0x1, outbytes: 0x0
** Added: 20 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::audio::detail::IAudioSystemManagerForApplet
** Added: 10 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::audioctrl::detail::IAudioController
** Removed: 6 - inbytes: 0x4, outbytes: 0x1
* Unknown Interface cur-version: 0x710002D294 [ID = 0xf8ed3aad]
* Interface Changed: nn::ldn::detail::ISystemLocalCommunicationService
** Added: 106 - inbytes: 0x4, outbytes: 0x0
** Added: 500 - inbytes: 0x80, outbytes: 0x0
** Added: 501 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - buffers: [0x21], inbytes: 0x14, outbytes: 0x0
** Added: 503 - buffers: [0x22], inbytes: 0x4, outbytes: 0x18
** Added: 505 - inbytes: 0x4, outbytes: 0x0
** Added: 600 - inbytes: 0x2, outbytes: 0x0
** Added: 601 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldn::detail::ISystemServiceCreator
** Added: 1 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710002D294 [ID = 0xf8ed3aad]']
* Interface Changed: nn::ldn::detail::IUserLocalCommunicationService
** Added: 106 - inbytes: 0x4, outbytes: 0x0
** Added: 500 - inbytes: 0x80, outbytes: 0x0
** Added: 501 - inbytes: 0x0, outbytes: 0x0
** Added: 502 - buffers: [0x21], inbytes: 0x14, outbytes: 0x0
** Added: 503 - buffers: [0x22], inbytes: 0x4, outbytes: 0x18
** Added: 505 - inbytes: 0x4, outbytes: 0x0
** Added: 600 - inbytes: 0x2, outbytes: 0x0
** Added: 601 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ldn::detail::IUserServiceCreator
** Added: 1 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710002D294 [ID = 0xf8ed3aad]']
* Unknown Interface prev-version: 0x7100005828
* Unknown Interface cur-version: 0x7100005438
* Interface Changed: nn::clkrst::IClkrstSession
** Added: 14 - inbytes: 0x0, outbytes: 0x0
** Added: 15 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::rtc::IRtcManager
** Added: 12 - inbytes: 0x8, outbytes: 0x0
** Added: 13 - inbytes: 0x8, outbytes: 0x0
* Unknown Interface prev-version: 0x71000791B8 [ID = 0xf350e826]
* Unknown Interface cur-version: 0x710007E200 [ID = 0xf350e826]
* Interface Changed: nn::account::IAccountEntityServiceForAccountPolicy
** Added: 400 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 410 - inbytes: 0x10, outbytes: 0x8
** Added: 411 - inbytes: 0x10, outbytes: 0x0
** Added: 412 - inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Added: 400 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 410 - inbytes: 0x10, outbytes: 0x8
** Added: 411 - inbytes: 0x10, outbytes: 0x0
** Added: 412 - inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForSystemService
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
* Interface Changed: nn::account::IAccountServiceForSystemServiceWithProfileEditor
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
* Interface Changed: nn::account::baas::IAdministrator
** Changed: 170 - outinterfaces: ['0x71000791B8 [ID = 0xf350e826]'] -> ['0x710007E200 [ID = 0xf350e826]'] (final state: inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710007E200 [ID = 0xf350e826]'])
** Added: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::baas::IFloatingRegistrationRequest
** Added: 16 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IGuestLoginRequest
** Added: 16 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IManagerForSystemService
** Changed: 170 - outinterfaces: ['0x71000791B8 [ID = 0xf350e826]'] -> ['0x710007E200 [ID = 0xf350e826]'] (final state: inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x710007E200 [ID = 0xf350e826]'])
** Added: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::nas::IOAuthProcedureForExternalNsa
** Added: 104 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::nas::IOAuthProcedureForUserRegistration
** Added: 104 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 230 - buffers: [0x5], inbytes: 0x21, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::profile::IProfile
** Added: 20 - inbytes: 0x0, outbytes: 0x4
** Added: 21 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 30 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::profile::IProfileEditor
** Added: 20 - inbytes: 0x0, outbytes: 0x4
** Added: 21 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 30 - inbytes: 0x0, outbytes: 0x10
** Added: 110 - buffer_entry_sizes: [0x80, 0x0], buffers: [0x19, 0x5], inbytes: 0x38, outbytes: 0x0
* Unknown Interface prev-version: 0x71001BCD60 [ID = 0xf350e826]
* Unknown Interface cur-version: 0x71001B0378 [ID = 0xf350e826]
* Interface Changed: nn::account::IAccountServiceForAdministrator
** Added: 400 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
** Added: 410 - inbytes: 0x10, outbytes: 0x8
** Added: 411 - inbytes: 0x10, outbytes: 0x0
** Added: 412 - inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::account::IAccountServiceForSystemService
** Added: 401 - inbytes: 0x10, outbytes: 0x4
** Added: 402 - buffers: [0x6], inbytes: 0x10, outbytes: 0x4
* Interface Changed: nn::account::baas::IAdministrator
** Changed: 170 - outinterfaces: ['0x71001BCD60 [ID = 0xf350e826]'] -> ['0x71001B0378 [ID = 0xf350e826]'] (final state: inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001B0378 [ID = 0xf350e826]'])
** Added: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::baas::IFloatingRegistrationRequest
** Added: 16 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IGuestLoginRequest
** Added: 16 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::baas::IManagerForSystemService
** Changed: 170 - outinterfaces: ['0x71001BCD60 [ID = 0xf350e826]'] -> ['0x71001B0378 [ID = 0xf350e826]'] (final state: inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['0x71001B0378 [ID = 0xf350e826]'])
** Added: 180 - buffer_entry_sizes: [0x1000, 0x100], buffers: [0x1A, 0x1A], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::account::nas::IOAuthProcedureForExternalNsa
** Added: 104 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::account::nas::IOAuthProcedureForUserRegistration
** Added: 104 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 230 - buffers: [0x5], inbytes: 0x21, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
* Interface Changed: nn::account::profile::IProfile
** Added: 20 - inbytes: 0x0, outbytes: 0x4
** Added: 21 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 30 - inbytes: 0x0, outbytes: 0x10
* Interface Changed: nn::account::profile::IProfileEditor
** Added: 20 - inbytes: 0x0, outbytes: 0x4
** Added: 21 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 30 - inbytes: 0x0, outbytes: 0x10
** Added: 110 - buffer_entry_sizes: [0x80, 0x0], buffers: [0x19, 0x5], inbytes: 0x38, outbytes: 0x0
* Interface Changed: nn::ns::detail::IApplicationManagerInterface
** Changed: 94 - inbytes: 0x48 -> 0x58 (final state: inbytes: 0x58, outbytes: 0x8)
** Changed: 95 - outbytes: 0x40 -> 0x50 (final state: inbytes: 0x8, outbytes: 0x50)
** Changed: 96 - outbytes: 0x40 -> 0x50 (final state: inbytes: 0x8, outbytes: 0x50)
** Changed: 97 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x1)
** Changed: 406 - inbytes: 0x48 -> 0x58 (final state: buffer_entry_sizes: [0x4000], buffers: [0x16], inbytes: 0x58, outbytes: 0x0)
** Changed: 2513 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x8)
** Changed: 2517 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x8)
** Added: 3015 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 3104 - buffers: [0x6], inbytes: 0x8, outbytes: 0x8
** Added: 3105 - buffers: [0x6], inbytes: 0x8, outbytes: 0x8
** Added: 5000 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
** Added: 5001 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncData']
* Interface Changed: nn::ns::detail::IDevelopInterface
** Removed: 8 - buffers: [0x5], inbytes: 0x4, outbytes: 0x8
** Removed: 9 - inbytes: 0x10, outbytes: 0x8
** Removed: 15 - buffers: [0x5], inbytes: 0x0, outbytes: 0x8
** Changed: 17 - outbytes: 0x40 -> 0x50 (final state: buffers: [0x5], inbytes: 0x4, outbytes: 0x50)
** Changed: 18 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x0, outhandles: [1])
** Changed: 19 - inbytes: 0x40 -> 0x50 (final state: inbytes: 0x50, outbytes: 0x0)
** Added: 21 - inbytes: 0x10, outbytes: 0x50
** Added: 22 - inbytes: 0x50, outbytes: 0x8
** Added: 23 - inbytes: 0x50, outbytes: 0x8
** Added: 24 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::ns::detail::IDynamicRightsInterface
** Added: 26 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::ns::detail::IVulnerabilityManagerInterface
** Added: 3100 - inbytes: 0x0, outbytes: 0x10
** Added: 3101 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** Added: 3102 - inbytes: 0x0, outbytes: 0x0
* Unknown Interface prev-version: 0x71000182AC [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001CE6C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001D12C [ID = 0x07b4542c]
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 4 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Changed: 9 - outinterfaces: ['0x71000182AC [ID = 0x5a340f8a]'] -> ['0x710001CE6C [ID = 0x5a340f8a]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001CE6C [ID = 0x5a340f8a]'])
** Added: 11 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001D12C [ID = 0x07b4542c]']
** Added: 12 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::hshl::ISetterManager
** Added: 4 - inbytes: 0x0, outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::capsrv::sf::IAlbumAccessorService
** Added: 141 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 151 - buffer_entry_sizes: [0x400], buffers: [0x16], inbytes: 0x18, outbytes: 0x40
** Added: 160 - buffers: [0x6], inbytes: 0x20, outbytes: 0x8
* Interface Changed: nn::capsrv::sf::IAlbumAccessorSession
** Added: 5000 - inbytes: 0x8, outbytes: 0x8
* Interface Changed: nn::capsrv::sf::IAlbumApplicationService
** Added: 148 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x20, outbytes: 0x8, pid: True
* Interface Changed: nn::capsrv::sf::IAlbumControlSession
** Added: 2435 - inbytes: 0x10, outbytes: 0x0
** Added: 5000 - inbytes: 0x8, outbytes: 0x8
* Unknown Interface cur-version: 0x71000B9398 [ID = 0xb8f77e09]
* Unknown Interface cur-version: 0x71000B9D70 [ID = 0x43c5fa77]
* Unknown Interface cur-version: 0x71000B9A78 [ID = 0xb0c7a8a3]
* Unknown Interface cur-version: 0x71000B90A8 [ID = 0x8db727a9]
* Interface Changed: nn::am::service::IAppletCommonFunctions
** Added: 82 - inbytes: 0x1, outbytes: 0x0
** Added: 160 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000B90A8 [ID = 0x8db727a9]']
** Added: 161 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x71000B9A78 [ID = 0xb0c7a8a3]']
* Interface Changed: nn::am::service::IDebugFunctions
** Added: 53 - inbytes: 0x8, outbytes: 0x8
** Added: 410 - inbytes: 0x10, outbytes: 0x0
** Added: 411 - buffers: [0x22], inbytes: 0x10, outbytes: 0x8
** Added: 412 - buffers: [0x21], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::am::service::IOverlayFunctions
** Added: 40 - buffers: [0x6], inbytes: 0x0, outbytes: 0x8
** Added: 41 - buffers: [0x6], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::ssl::sf::ISslServiceForSystem
** Added: 103 - buffers: [0x5, 0x5, 0x5], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::nim::detail::INetworkInstallManager
** Added: 147 - buffer_entry_sizes: [0x8], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** Added: 148 - buffer_entry_sizes: [0x10], buffers: [0x5], inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
* Interface Changed: nn::capsrv::sf::IScreenShotControlService
** Added: 1100 - buffers: [0x45], inbytes: 0x28, outbytes: 0x0
** Changed: 1106 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0, 0x0] -> [0x400, 0x404, 0x88, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x46, 0x46] -> [0x15, 0x15, 0x15, 0x6, 0x46, 0x46] (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x46, 0x46], inbytes: 0x68, outbytes: 0x18)
** Changed: 1107 - buffer_entry_sizes: [0x400, 0x404, 0x0, 0x0] -> [0x400, 0x404, 0x88, 0x0, 0x0], buffers: [0x15, 0x15, 0x6, 0x45] -> [0x15, 0x15, 0x15, 0x6, 0x45] (final state: buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0, 0x0], buffers: [0x15, 0x15, 0x15, 0x6, 0x45], inbytes: 0x68, outbytes: 0x18)
** Added: 1108 - buffer_entry_sizes: [0x400, 0x404, 0x88, 0x0], buffers: [0x15, 0x15, 0x15, 0x6], inbytes: 0x70, outbytes: 0x18
* Interface Changed: nn::pctl::detail::ipc::IParentalControlService
** Added: 1475 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** Added: 1954 - inbytes: 0x0, outbytes: 0x1
** Added: 1955 - inbytes: 0x0, outbytes: 0x8
** Added: 1956 - inbytes: 0x0, outbytes: 0x1
** Added: 1957 - inbytes: 0x0, outbytes: 0x1
** Added: 145601 - inbytes: 0x0, outbytes: 0x36
** Added: 195101 - inbytes: 0x36, outbytes: 0x0
* Unknown Interface cur-version: 0x71000913E4 [ID = 0x10763728]
* Interface Changed: nn::npns::INotificationReceiver
** Added: 5 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::npns::INpnsSystem
** Added: 8 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
** Removed: 13 - buffers: [0x9], inbytes: 0x0, outbytes: 0x1
** Added: 14 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0
** Added: 15 - buffers: [0x9], inbytes: 0x8, outbytes: 0x0
** Added: 16 - buffer_entry_sizes: [0x28], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
** Added: 28 - buffers: [0x9], inbytes: 0x10, outbytes: 0x28
** Added: 29 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0
** Added: 37 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
** Added: 51 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
** Added: 106 - inbytes: 0x0, outbytes: 0x8
** Added: 107 - inbytes: 0x8, outbytes: 0x0
** Added: 156 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0, outinterfaces: [None]
** Added: 301 - buffers: [0xA], inbytes: 0x0, outbytes: 0x0
** Added: 302 - buffer_entry_sizes: [0x10, 0x0], buffers: [0xA, 0xA], inbytes: 0x0, outbytes: 0x8
** Added: 303 - buffer_entry_sizes: [0x138, 0x138], buffers: [0x6, 0x6], inbytes: 0x0, outbytes: 0x8
** Added: 304 - inbytes: 0x0, outbytes: 0x50
** Added: 305 - buffer_entry_sizes: [0x48], buffers: [0x6], inbytes: 0x4, outbytes: 0x8
** Added: 306 - buffers: [0x6, 0x9], inbytes: 0x0, outbytes: 0x8
* Interface Changed: nn::npns::INpnsUser
** Added: 8 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::es::IActiveRightsContext
** Changed: 901 - buffer_entry_sizes: [0x24] -> [0x2C] (final state: buffer_entry_sizes: [0x2C], buffers: [0x16], inbytes: 0x0, outbytes: 0x0)
* Interface Changed: nn::es::IETicketService
** Added: 101 - buffers: [0x5, 0x5], inbytes: 0x0, outbytes: 0x0
** Added: 102 - inbytes: 0x0, outbytes: 0x0
** Added: 103 - inbytes: 0x0, outbytes: 0x4
** Added: 104 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 201 - buffers: [0x5, 0x5], inbytes: 0x0, outbytes: 0x0
** Added: 202 - inbytes: 0x0, outbytes: 0x0
** Added: 203 - inbytes: 0x0, outbytes: 0x4
** Added: 204 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x0, outbytes: 0x4
** Added: 1028 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
* Interface Changed: nn::ndrm::low::detail::INdrmLowAdminInterface
** Added: 46 - inbytes: 0x8, outbytes: 0x1
* Interface Changed: nn::grcsrv::IGrcService
** Changed: 1 - inbytes: 0x20 -> 0x28 (final state: inbytes: 0x28, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::grcsrv::IContinuousRecorder'])
** Added: 10 - inbytes: 0x20, outbytes: 0x0, outinterfaces: ['nn::grcsrv::IContinuousRecorder']
* Interface Removed: nn::jitsrv::IJitEnvironment
* Interface Removed: nn::jitsrv::IJitService
* Interface Added: nn::sf::hipc::detail::IHipcManager
* Unknown Interface cur-version: 0x7100000680 [ID = 0x3d92e8a4]
* Unknown Interface cur-version: 0x71000009C4 [ID = 0x2a4c2069]
* Interface Changed: nn::capsrv::sf::IDecoderControlService
** Added: 4002 - buffers: [0x46, 0x5], inbytes: 0x30, outbytes: 0x8
* Unknown Interface cur-version: 0x710011CA80 [ID = 0x7e450fad]
* Interface Changed: nn::spsm::detail::IPowerStateInterface
** Added: 15 - inbytes: 0x4, outbytes: 0x0
** Added: 16 - inbytes: 0x8, outbytes: 0x0
* Unknown Interface cur-version: 0x7100021640 [ID = 0xd3808bc8]
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 222 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0
** Added: 302 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 1020 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100021640 [ID = 0xd3808bc8]']
** Removed: 1100 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1101 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Removed: 70 - inbytes: 0x0, outbytes: 0x10
** Added: 74 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 8 - inbytes: 0x4, outbytes: 0x0
** Added: 9 - inbytes: 0x4, outbytes: 0x0
** Removed: 64 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 65 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 66 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
* Interface Changed: nn::spl::detail::IEsInterface
** Added: 33 - buffers: [0x9, 0x9, 0x9], inbytes: 0x4, outbytes: 0x10
* Unknown Interface cur-version: 0x7100021290 [ID = 0xd3808bc8]
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 222 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0
** Added: 302 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 1020 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100021290 [ID = 0xd3808bc8]']
** Removed: 1100 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1101 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Removed: 70 - inbytes: 0x0, outbytes: 0x10
** Added: 74 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 8 - inbytes: 0x4, outbytes: 0x0
** Added: 9 - inbytes: 0x4, outbytes: 0x0
** Removed: 64 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 65 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 66 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
* Interface Changed: nn::clkrst::IClkrstSession
** Added: 14 - inbytes: 0x0, outbytes: 0x0
** Added: 15 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::rtc::IRtcManager
** Added: 12 - inbytes: 0x8, outbytes: 0x0
** Added: 13 - inbytes: 0x8, outbytes: 0x0
* Unknown Interface prev-version: 0x710001829C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001CE6C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001D12C [ID = 0x07b4542c]
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 4 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Changed: 9 - outinterfaces: ['0x710001829C [ID = 0x5a340f8a]'] -> ['0x710001CE6C [ID = 0x5a340f8a]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001CE6C [ID = 0x5a340f8a]'])
** Added: 11 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001D12C [ID = 0x07b4542c]']
** Added: 12 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::hshl::ISetterManager
** Added: 4 - inbytes: 0x0, outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::spl::detail::IEsInterface
** Added: 33 - buffers: [0x9, 0x9, 0x9], inbytes: 0x4, outbytes: 0x10
* Unknown Interface cur-version: 0x7100021640 [ID = 0xd3808bc8]
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 222 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0
** Added: 302 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 1020 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100021640 [ID = 0xd3808bc8]']
** Removed: 1100 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1101 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Removed: 70 - inbytes: 0x0, outbytes: 0x10
** Added: 74 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 8 - inbytes: 0x4, outbytes: 0x0
** Added: 9 - inbytes: 0x4, outbytes: 0x0
** Removed: 64 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 65 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 66 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
* Interface Changed: nn::spl::detail::IEsInterface
** Added: 33 - buffers: [0x9, 0x9, 0x9], inbytes: 0x4, outbytes: 0x10
* Unknown Interface cur-version: 0x7100021290 [ID = 0xd3808bc8]
* Interface Changed: nn::fssrv::sf::IDeviceOperator
** Added: 222 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0
** Added: 302 - inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::IFileSystemProxy
** Added: 1020 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x7100021290 [ID = 0xd3808bc8]']
** Removed: 1100 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** Added: 1101 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
* Interface Changed: nn::fssrv::sf::ISaveDataDivisionExporter
** Removed: 70 - inbytes: 0x0, outbytes: 0x10
** Added: 74 - buffers: [0x6], inbytes: 0x0, outbytes: 0x4
* Interface Changed: nn::fssrv::sf::ISaveDataTransferManagerWithDivision
** Added: 8 - inbytes: 0x4, outbytes: 0x0
** Added: 9 - inbytes: 0x4, outbytes: 0x0
** Removed: 64 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 65 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** Removed: 66 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
* Interface Changed: nn::clkrst::IClkrstSession
** Added: 14 - inbytes: 0x0, outbytes: 0x0
** Added: 15 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::rtc::IRtcManager
** Added: 12 - inbytes: 0x8, outbytes: 0x0
** Added: 13 - inbytes: 0x8, outbytes: 0x0
* Unknown Interface prev-version: 0x710001829C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001CE6C [ID = 0x5a340f8a]
* Unknown Interface cur-version: 0x710001D12C [ID = 0x07b4542c]
* Interface Changed: nn::hshl::IChargeSetterSession
** Added: 4 - inbytes: 0x1, outbytes: 0x0
* Interface Changed: nn::hshl::IManager
** Changed: 9 - outinterfaces: ['0x710001829C [ID = 0x5a340f8a]'] -> ['0x710001CE6C [ID = 0x5a340f8a]'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001CE6C [ID = 0x5a340f8a]'])
** Added: 11 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710001D12C [ID = 0x07b4542c]']
** Added: 12 - inbytes: 0x0, outbytes: 0x1
* Interface Changed: nn::hshl::ISetterManager
** Added: 4 - inbytes: 0x0, outbytes: 0x0
** Added: 5 - inbytes: 0x0, outbytes: 0x0
* Interface Changed: nn::spl::detail::IEsInterface
** Added: 33 - buffers: [0x9, 0x9, 0x9], inbytes: 0x4, outbytes: 0x10

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_11 (previously master_key_10). See [[NCA]] for the KeyGeneration listing.

==== Kernel ====
* Compiler/libc was upgraded, this results in various minor optimizations throughout the whole kernel.
** Many, many minor changes that this is almost certainly the cause for, e.g. KThread::SuspendRequest now calculates requested value as (0x10 << suspend_type) instead of (1 << (suspend_type + 4)).
** Biggest one is that sp/lr are now much more commonly not saved to stack until actually needed, if a function has a return path which does not make calls/does not need lr/sp saved.
* Initialize0 changes:
** The physical base address of the kernel is now passed by KernelLdr for use during KernelSlab virtual memory region setup.
*** This replaces the previous call to KInitialPageTable::GetPhysicalAddress.
* SVC-handler accesses to the thread local region's disable count now use userspace access instructions.
* SvcSetHeapSize now only sets the output address on success.
** This wasn't a vulnerability before, because prior to this the ABI meant userland would receive whatever was in the userland register at call time.
* CreateProcessParameter now zeroes many fields before performing initialization.
* New CreateProcessFlag 0x2000 is "EnableReservedRegionExtraSize", when set the reserved region size is increased by (AddressSpaceSize / 8).
** Currently, CreateProcess will return svc::ResultInvalidState() unless all the following conditions are met:
*** Address space type must be 39-bit
*** System resource size must be > 0
*** KTargetSystem::IsDebugMode() must be true.
** New InfoType (0x1C) "InfoType_ReservedRegionExtraSize" retrieves the extra size, which is a member of KPageTableBase.
** Loader does not currently support passing this flag in any capacity yet.
** nn::os::VammManager currently calculates the reserved region as [start, end - extra size], and will not map to the extra part of the region.
* Various KPageTable(Base/Impl) changes:
** InitializeForProcess now takes in the create process flags directly instead of parsing as a bunch of bools.
** InitializeForProcess now performs much more complicated initialization/randomization of the four aslr'd regions, dividing them up before/after the process code using largest-region first selection for randomization order.
** KPageTableImpl's traversal functions now take an additional output byte (which is also a new member at +0x11 in the traversal block and in KMemoryRange), this is always set to zero.
*** This byte is checked when traversing by ::Finalize and ::GetContiguousRangeWithMemoryState, but not other page table functions.
*** This byte is also stored as a new member of the memory range struct returned by GetContiguousRangeWithMemoryState
** AllocateAndMapPagesImpl now takes in the page properties by reference instead of by value.
** Read/WriteReadDebugIoMemory now use simpler logic for determining the current readable size.
* The KMemoryBlock helper "ConvertToKMemoryPermission" was changed to only copy the user-write bit to KernelWrite.
** This fixes a longstanding bug where the input was AND'd with KMemoryPermission_UserReadWrite, and these bits were then ORR'd into the final permission <<='d with KernelShift.
** The intent here was to copy the user read/write permissions into the kernel read/write permissions, but KMemoryPermission_UserReadWrite is not bitmask 0x3, it's bitmask 0x1B (including the KernelRead/Write bits).
** Thus, previously this would allow an input with KernelRead bit to spuriously set the NotMapped bit, and an input with KernelWrite bit to spuriously set the unused top bit.
** This was unexploitable, except maybe for causing a kernel-mode access exception.
* HandleException now handles EsrEc_DataAbortEl0 specially when determining the debug exception type.
** When ESR_EL1.IFSC is 0b100001 ("Alignment Fault"), ExceptionType_UnalignedData is selected instead of ExceptionType_DataAbort.
* KMemoryManager(Impl)/KPageHeap changes:
** KPageHeap's heap_virtual_address member is now removed and is a part of KMemoryManagerImpl now (this is still unused in non-debug kernel).
** KMemoryManager::AllocatePageGroup now takes a parameter for the required minimum alignment for the page group.
*** This is currently passed as 1 page (minimum alignment) at all callsites.
* SecureMonitor access was refactored, actual smc invocation is now in its own helper separate from interrupt disable/enable (and helpers which invoke without interrupt disable now exist).

=== [[Audio_services|audio]] ===
Besides IPC changes, vulns were [[Switch_System_Flaws|fixed]].

=== [[JIT_services|jit]] ===
Symbols were stripped from the main-codebin.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2024-03-26_00-06-36&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

SVC

2023-11-01T17:24:42Z

SciresM: Fixups for query/insecure

__NOTOC__

= System calls =
{| class=wikitable
! ID || Return Type || Name || Arguments
|-
| 0x01 || Result || [[#SetHeapSize|SetHeapSize]] || uintptr_t *out_address, size_t size
|-
| 0x02 || Result || [[#SetMemoryPermission|SetMemoryPermission]] || uintptr_t address, size_t size, MemoryPermission perm
|-
| 0x03 || Result || [[#SetMemoryAttribute|SetMemoryAttribute]] || uintptr_t address, size_t size, uint32_t mask, uint32_t attr
|-
| 0x04 || Result || [[#MapMemory|MapMemory]] || uintptr_t dst_address, uintptr_t src_address, size_t size
|-
| 0x05 || Result || [[#UnmapMemory|UnmapMemory]] || uintptr_t dst_address, uintptr_t src_address, size_t size
|-
| 0x06 || Result || [[#QueryMemory|QueryMemory]] || arch::MemoryInfo *out_memory_info, PageInfo *out_page_info, uintptr_t address
|-
| 0x07 || void || [[#ExitProcess|ExitProcess]] ||
|-
| 0x08 || Result || [[#CreateThread|CreateThread]] || Handle *out_handle, ThreadFunc func, uintptr_t arg, uintptr_t stack_bottom, int32_t priority, int32_t core_id
|-
| 0x09 || Result || [[#StartThread|StartThread]] || Handle thread_handle
|-
| 0x0A || void || [[#ExitThread|ExitThread]] ||
|-
| 0x0B || void || [[#SleepThread|SleepThread]] || int64_t ns
|-
| 0x0C || Result || [[#GetThreadPriority|GetThreadPriority]] || int32_t *out_priority, Handle thread_handle
|-
| 0x0D || Result || [[#SetThreadPriority|SetThreadPriority]] || Handle thread_handle, int32_t priority
|-
| 0x0E || Result || [[#GetThreadCoreMask|GetThreadCoreMask]] || int32_t *out_core_id, uint64_t *out_affinity_mask, Handle thread_handle
|-
| 0x0F || Result || [[#SetThreadCoreMask|SetThreadCoreMask]] || Handle thread_handle, int32_t core_id, uint64_t affinity_mask
|-
| 0x10 || int32_t || [[#GetCurrentProcessorNumber|GetCurrentProcessorNumber]] ||
|-
| 0x11 || Result || [[#SignalEvent|SignalEvent]] || Handle event_handle
|-
| 0x12 || Result || [[#ClearEvent|ClearEvent]] || Handle event_handle
|-
| 0x13 || Result || [[#MapSharedMemory|MapSharedMemory]] || Handle shmem_handle, uintptr_t address, size_t size, MemoryPermission map_perm
|-
| 0x14 || Result || [[#UnmapSharedMemory|UnmapSharedMemory]] || Handle shmem_handle, uintptr_t address, size_t size
|-
| 0x15 || Result || [[#CreateTransferMemory|CreateTransferMemory]] || Handle *out_handle, uintptr_t address, size_t size, MemoryPermission map_perm
|-
| 0x16 || Result || [[#CloseHandle|CloseHandle]] || Handle handle
|-
| 0x17 || Result || [[#ResetSignal|ResetSignal]] || Handle handle
|-
| 0x18 || Result || [[#WaitSynchronization|WaitSynchronization]] || int32_t *out_index, const Handle *handles, int32_t numHandles, int64_t timeout_ns
|-
| 0x19 || Result || [[#CancelSynchronization|CancelSynchronization]] || Handle handle
|-
| 0x1A || Result || [[#ArbitrateLock|ArbitrateLock]] || Handle thread_handle, uintptr_t address, uint32_t tag
|-
| 0x1B || Result || [[#ArbitrateUnlock|ArbitrateUnlock]] || uintptr_t address
|-
| 0x1C || Result || [[#WaitProcessWideKeyAtomic|WaitProcessWideKeyAtomic]] || uintptr_t address, uintptr_t cv_key, uint32_t tag, int64_t timeout_ns
|-
| 0x1D || void || [[#SignalProcessWideKey|SignalProcessWideKey]] || uintptr_t cv_key, int32_t count
|-
| 0x1E || int64_t || [[#GetSystemTick|GetSystemTick]] ||
|-
| 0x1F || Result || [[#ConnectToNamedPort|ConnectToNamedPort]] || Handle *out_handle, const char *name
|-
| 0x20 || Result || [[#SendSyncRequestLight|SendSyncRequestLight]] || Handle session_handle
|-
| 0x21 || Result || [[#SendSyncRequest|SendSyncRequest]] || Handle session_handle
|-
| 0x22 || Result || [[#SendSyncRequestWithUserBuffer|SendSyncRequestWithUserBuffer]] || uintptr_t message_buffer, size_t message_buffer_size, Handle session_handle
|-
| 0x23 || Result || [[#SendAsyncRequestWithUserBuffer|SendAsyncRequestWithUserBuffer]] || Handle *out_event_handle, uintptr_t message_buffer, size_t message_buffer_size, Handle session_handle
|-
| 0x24 || Result || [[#GetProcessId|GetProcessId]] || uint64_t *out_process_id, Handle process_handle
|-
| 0x25 || Result || [[#GetThreadId|GetThreadId]] || uint64_t *out_thread_id, Handle thread_handle
|-
| 0x26 || void || [[#Break|Break]] || BreakReason break_reason, uintptr_t arg, size_t size
|-
| 0x27 || Result || [[#OutputDebugString|OutputDebugString]] || const char *debug_str, size_t len
|-
| 0x28 || void || [[#ReturnFromException|ReturnFromException]] || Result result
|-
| 0x29 || Result || [[#GetInfo|GetInfo]] || uint64_t *out, InfoType info_type, Handle handle, uint64_t info_subtype
|-
| 0x2A || void || [[#FlushEntireDataCache|FlushEntireDataCache]] ||
|-
| 0x2B || Result || [[#FlushDataCache|FlushDataCache]] || uintptr_t address, size_t size
|-
| [3.0.0+] 0x2C || Result || [[#MapPhysicalMemory|MapPhysicalMemory]] || uintptr_t address, size_t size
|-
| [3.0.0+] 0x2D || Result || [[#UnmapPhysicalMemory|UnmapPhysicalMemory]] || uintptr_t address, size_t size
|-
| [5.0.0-5.1.0] 0x2E || Result || GetFutureThreadInfo || arch::LastThreadContext *out_context, uintptr_t *out_tls_address, uint32_t *out_flags, int64_t ns
|-
| [6.0.0+] 0x2E || Result || [[#GetDebugFutureThreadInfo|GetDebugFutureThreadInfo]] || arch::LastThreadContext *out_context, uint64_t *thread_id, Handle debug_handle, int64_t ns
|-
| 0x2F || Result || [[#GetLastThreadInfo|GetLastThreadInfo]] || arch::LastThreadContext *out_context, uintptr_t *out_tls_address, uint32_t *out_flags
|-
| 0x30 || Result || [[#GetResourceLimitLimitValue|GetResourceLimitLimitValue]] || int64_t *out_limit_value, Handle resource_limit_handle, LimitableResource which
|-
| 0x31 || Result || [[#GetResourceLimitCurrentValue|GetResourceLimitCurrentValue]] || int64_t *out_current_value, Handle resource_limit_handle, LimitableResource which
|-
| 0x32 || Result || [[#SetThreadActivity|SetThreadActivity]] || Handle thread_handle, ThreadActivity thread_activity
|-
| 0x33 || Result || [[#GetThreadContext3|GetThreadContext3]] || ThreadContext *out_context, Handle thread_handle
|-
| [4.0.0+] 0x34 || Result || [[#WaitForAddress|WaitForAddress]] || uintptr_t address, ArbitrationType arb_type, int32_t value, int64_t timeout_ns
|-
| [4.0.0+] 0x35 || Result || [[#SignalToAddress|SignalToAddress]] || uintptr_t address, SignalType signal_type, int32_t value, int32_t count
|-
| [8.0.0+] 0x36 || void || [[#SynchronizePreemptionState|SynchronizePreemptionState]] ||
|-
| [11.0.0+] 0x37 || Result || [[#GetResourceLimitPeakValue|GetResourceLimitPeakValue]] || int64_t *out_peak_value, Handle resource_limit_handle, LimitableResource which
|- style="border-top: double"
| [13.0.0+] 0x39 || Result || CreateIoPool || Handle *out_handle, IoPoolType which_pool
|-
| [13.0.0+] 0x3A || Result || CreateIoRegion || Handle *out_handle, Handle io_pool, PhysicalAddress physical_address, size_t size, MemoryMapping mapping, MemoryPermission perm
|- style="border-top: double"
| [1.0.0-3.0.2] 0x3C || void || [[#DumpInfo|DumpInfo]] || DumpInfoType dump_info_type, uint64_t arg
|-
| [4.0.0+] 0x3C || void || [[#KernelDebug|KernelDebug]] || KernelDebugType kern_debug_type, uint64_t arg0, uint64_t arg1, uint64_t arg2
|-
| [4.0.0+] 0x3D || void || [[#ChangeKernelTraceState|ChangeKernelTraceState]] || KernelTraceState kern_trace_state
|- style="border-top: double"
| 0x40 || Result || [[#CreateSession|CreateSession]] || Handle *out_server_session_handle, Handle *out_client_session_handle, bool is_light, uintptr_t name
|-
| 0x41 || Result || [[#AcceptSession|AcceptSession]] || Handle *out_handle, Handle port
|-
| 0x42 || Result || [[#ReplyAndReceiveLight|ReplyAndReceiveLight]] || Handle handle
|-
| 0x43 || Result || [[#ReplyAndReceive|ReplyAndReceive]] || int32_t *out_index, const Handle *handles, int32_t num_handles, Handle reply_target, int64_t timeout_ns
|-
| 0x44 || Result || [[#ReplyAndReceiveWithUserBuffer|ReplyAndReceiveWithUserBuffer]] || int32_t *out_index, uintptr_t message_buffer, size_t message_buffer_size, const Handle *handles, int32_t num_handles, Handle reply_target, int64_t timeout_ns
|-
| 0x45 || Result || [[#CreateEvent|CreateEvent]] || Handle *out_write_handle, Handle *out_read_handle
|-
| [13.0.0+] 0x46 || Result || MapIoRegion || Handle io_region, uintptr_t address, size_t size, MemoryPermission perm
|-
| [13.0.0+] 0x47 || Result || UnmapIoRegion || Handle io_region, uintptr_t address, size_t size
|-
| [5.0.0+] 0x48 || Result || [[#MapPhysicalMemoryUnsafe|MapPhysicalMemoryUnsafe]] || uintptr_t address, size_t size
|-
| [5.0.0+] 0x49 || Result || [[#UnmapPhysicalMemoryUnsafe|UnmapPhysicalMemoryUnsafe]] || uintptr_t address, size_t size
|-
| [5.0.0+] 0x4A || Result || [[#SetUnsafeLimit|SetUnsafeLimit]] || size_t limit
|-
| [4.0.0+] 0x4B || Result || [[#CreateCodeMemory|CreateCodeMemory]] || Handle *out_handle, uintptr_t address, size_t size
|-
| [4.0.0+] 0x4C || Result || [[#ControlCodeMemory|ControlCodeMemory]] || Handle code_memory_handle, CodeMemoryOperation operation, uint64_t address, uint64_t size, MemoryPermission perm
|-
| 0x4D || void || [[#SleepSystem|SleepSystem]] ||
|-
| 0x4E || Result || [[#ReadWriteRegister|ReadWriteRegister]] || uint32_t *out_value, PhysicalAddress address, uint32_t mask, uint32_t value
|-
| 0x4F || Result || [[#SetProcessActivity|SetProcessActivity]] || Handle process_handle, ProcessActivity process_activity
|-
| 0x50 || Result || [[#CreateSharedMemory|CreateSharedMemory]] || Handle *out_handle, size_t size, MemoryPermission owner_perm, MemoryPermission remote_perm
|-
| 0x51 || Result || [[#MapTransferMemory|MapTransferMemory]] || Handle trmem_handle, uintptr_t address, size_t size, MemoryPermission owner_perm
|-
| 0x52 || Result || [[#UnmapTransferMemory|UnmapTransferMemory]] || Handle trmem_handle, uintptr_t address, size_t size
|-
| 0x53 || Result || [[#CreateInterruptEvent|CreateInterruptEvent]] || Handle *out_read_handle, int32_t interrupt_id, InterruptType interrupt_type
|-
| 0x54 || Result || [[#QueryPhysicalAddress|QueryPhysicalAddress]] || arch::PhysicalMemoryInfo *out_info, uintptr_t address
|-
| [1.0.0-9.2.0] 0x55 || Result || [[#QueryIoMapping|QueryIoMapping]] || uintptr_t *out_address, PhysicalAddress physical_address, size_t size
|-
| [10.0.0+] 0x55 || Result || QueryMemoryMapping || uintptr_t *out_address, size_t *out_size, PhysicalAddress physical_address, size_t size
|-
| 0x56 || Result || [[#CreateDeviceAddressSpace|CreateDeviceAddressSpace]] || Handle *out_handle, uint64_t das_address, uint64_t das_size
|-
| 0x57 || Result || [[#AttachDeviceAddressSpace|AttachDeviceAddressSpace]] || DeviceName device_name, Handle das_handle
|-
| 0x58 || Result || [[#DetachDeviceAddressSpace|DetachDeviceAddressSpace]] || DeviceName device_name, Handle das_handle
|-
| 0x59 || Result || [[#MapDeviceAddressSpaceByForce|MapDeviceAddressSpaceByForce]] || Handle das_handle, Handle process_handle, uint64_t process_address, size_t size, uint64_t device_address, uint32_t option
|-
| 0x5A || Result || [[#MapDeviceAddressSpaceAligned|MapDeviceAddressSpaceAligned]] || Handle das_handle, Handle process_handle, uint64_t process_address, size_t size, uint64_t device_address, uint32_t option
|-
| [1.0.0-12.1.0] 0x5B || Result || [[#MapDeviceAddressSpace|MapDeviceAddressSpace]] || size_t *out_mapped_size, Handle das_handle, Handle process_handle, uint64_t process_address, size_t size, uint64_t device_address, MemoryPermission device_perm
|-
| 0x5C || Result || [[#UnmapDeviceAddressSpace|UnmapDeviceAddressSpace]] || Handle das_handle, Handle process_handle, uint64_t process_address, size_t size, uint64_t device_address
|-
| 0x5D || Result || [[#InvalidateProcessDataCache|InvalidateProcessDataCache]] || Handle process_handle, uint64_t address, uint64_t size
|-
| 0x5E || Result || [[#StoreProcessDataCache|StoreProcessDataCache]] || Handle process_handle, uint64_t address, uint64_t size
|-
| 0x5F || Result || [[#FlushProcessDataCache|FlushProcessDataCache]] || Handle process_handle, uint64_t address, uint64_t size
|-
| 0x60 || Result || [[#DebugActiveProcess|DebugActiveProcess]] || Handle *out_handle, uint64_t process_id
|-
| 0x61 || Result || [[#BreakDebugProcess|BreakDebugProcess]] || Handle debug_handle
|-
| 0x62 || Result || [[#TerminateDebugProcess|TerminateDebugProcess]] || Handle debug_handle
|-
| 0x63 || Result || [[#GetDebugEvent|GetDebugEvent]] || arch::DebugEventInfo *out_info, Handle debug_handle
|-
| 0x64 || Result || [[#ContinueDebugEvent|ContinueDebugEvent]] || Handle debug_handle, uint32_t flags, const uint64_t *thread_ids, int32_t num_thread_ids
|-
| 0x65 || Result || [[#GetProcessList|GetProcessList]] || int32_t *out_num_processes, uint64_t *out_process_ids, int32_t max_out_count
|-
| 0x66 || Result || [[#GetThreadList|GetThreadList]] || int32_t *out_num_threads, uint64_t *out_thread_ids, int32_t max_out_count, Handle debug_handle
|-
| 0x67 || Result || [[#GetDebugThreadContext|GetDebugThreadContext]] || ThreadContext *out_context, Handle debug_handle, uint64_t thread_id, uint32_t context_flags
|-
| 0x68 || Result || [[#SetDebugThreadContext|SetDebugThreadContext]] || Handle debug_handle, uint64_t thread_id, const ThreadContext *context, uint32_t context_flags
|-
| 0x69 || Result || [[#QueryDebugProcessMemory|QueryDebugProcessMemory]] || arch::MemoryInfo *out_memory_info, PageInfo *out_page_info, Handle process_handle, uintptr_t address
|-
| 0x6A || Result || [[#ReadDebugProcessMemory|ReadDebugProcessMemory]] || uintptr_t buffer, Handle debug_handle, uintptr_t address, size_t size
|-
| 0x6B || Result || [[#WriteDebugProcessMemory|WriteDebugProcessMemory]] || Handle debug_handle, uintptr_t buffer, uintptr_t address, size_t size
|-
| 0x6C || Result || [[#SetHardwareBreakPoint|SetHardwareBreakPoint]] || HardwareBreakPointRegisterName name, uint64_t flags, uint64_t value
|-
| 0x6D || Result || [[#GetDebugThreadParam|GetDebugThreadParam]] || uint64_t *out_64, uint32_t *out_32, Handle debug_handle, uint64_t thread_id, DebugThreadParam param
|- style="border-top: double"
| [5.0.0+] 0x6F || Result || [[#GetSystemInfo|GetSystemInfo]] || uint64_t *out, SystemInfoType info_type, Handle handle, uint64_t info_subtype
|-
| 0x70 || Result || [[#CreatePort|CreatePort]] || Handle *out_server_handle, Handle *out_client_handle, int32_t max_sessions, bool is_light, uintptr_t name
|-
| 0x71 || Result || [[#ManageNamedPort|ManageNamedPort]] || Handle *out_server_handle, const char *name, int32_t max_sessions
|-
| 0x72 || Result || [[#ConnectToPort|ConnectToPort]] || Handle *out_handle, Handle port
|-
| 0x73 || Result || [[#SetProcessMemoryPermission|SetProcessMemoryPermission]] || Handle process_handle, uint64_t address, uint64_t size, MemoryPermission perm
|-
| 0x74 || Result || [[#MapProcessMemory|MapProcessMemory]] || uintptr_t dst_address, Handle process_handle, uint64_t src_address, size_t size
|-
| 0x75 || Result || [[#UnmapProcessMemory|UnmapProcessMemory]] || uintptr_t dst_address, Handle process_handle, uint64_t src_address, size_t size
|-
| 0x76 || Result || [[#QueryProcessMemory|QueryProcessMemory]] || arch::MemoryInfo *out_memory_info, PageInfo *out_page_info, Handle process_handle, uint64_t address
|-
| 0x77 || Result || [[#MapProcessCodeMemory|MapProcessCodeMemory]] || Handle process_handle, uint64_t dst_address, uint64_t src_address, uint64_t size
|-
| 0x78 || Result || [[#UnmapProcessCodeMemory|UnmapProcessCodeMemory]] || Handle process_handle, uint64_t dst_address, uint64_t src_address, uint64_t size
|-
| 0x79 || Result || [[#CreateProcess|CreateProcess]] || Handle *out_handle, const arch::CreateProcessParameter *parameters, const uint32_t *caps, int32_t num_caps
|-
| 0x7A || Result || [[#StartProcess|StartProcess]] || Handle process_handle, int32_t priority, int32_t core_id, uint64_t main_thread_stack_size
|-
| 0x7B || Result || [[#TerminateProcess|TerminateProcess]] || Handle process_handle
|-
| 0x7C || Result || [[#GetProcessInfo|GetProcessInfo]] || int64_t *out_info, Handle process_handle, ProcessInfoType info_type
|-
| 0x7D || Result || [[#CreateResourceLimit|CreateResourceLimit]] || Handle *out_handle
|-
| 0x7E || Result || [[#SetResourceLimitLimitValue|SetResourceLimitLimitValue]] || Handle resource_limit_handle, LimitableResource which, int64_t limit_value
|-
| 0x7F || void || [[#CallSecureMonitor|CallSecureMonitor]] || SecureMonitorArguments *args
|- style="border-top: double"
| [15.0.0+] 0x90 || Result || MapInsecurePhysicalMemory || uintptr_t address, size_t size
|-
| [15.0.0+] 0x91 || Result || UnmapInsecurePhysicalMemory || uintptr_t address, size_t size
|-
|}

== SetHeapSize ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) X1 || void* || HeapAddress
|}
</div>

Sets the process heap to a given Size. It can both extend and shrink the heap.

Size must be a multiple of 0x200000 (2MB).

On success, the heap base-address (which is fixed by kernel, aslr'd, and always in the Heap memory region) is written to HeapAddress.

Uses current process pool partition. The memory allocated counts towards the caller's process Memory ResourceLimit.

[2.0.0+] Size must be less than or equal to 4GB.

=== Result codes ===
'''0x0:''' Success.

'''0xCA01:''' Invalid size passed. It's either bigger than 4GB, or misaligned.

'''0xD001:''' Size is bigger than the Heap Region size.

'''0xCE01:''' KMemoryBlockAllocator slab allocator exhausted.

'''0xD401:''' The memory region is in an invalid state. Likely because a mapping was made in the heap region.

'''0x10801:''' Memory resource limit reached.

== SetMemoryPermission ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (In) W2 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Changes permission of page-aligned memory region.

Bit2 of permission (exec) is not allowed. Setting write-only is not allowed either (bit1).

This can be used to move back and forth between ---, r-- and rw-.

=== Result codes ===
'''0x0:''' Success. The memory region was reprotected.

'''0xCC01:''' Unaligned address specified.

'''0xCA01:''' Unaligned or zero size specified.

'''0xD401:''' The provided memory region does not fall within the userland address space.

'''0xD801:''' Invalid permission specified. Valid permissions are ---, r-- and rw-.

'''0xD401:''' The provided memory region was in an invalid state. The region must have the [[#MemoryState|FlagCanReprotect]] state, and must not have the [[#MemoryAttribute|Locked]] or [[#MemoryAttribute|Uncached]] attributes.

'''0xCE01:''' Kernel resource exhausted.

== SetMemoryAttribute ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (In) W2 || uint32_t || Mask
|-
| (In) W3 || uint32_t || Value
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Changes attribute of page-aligned memory region. The only allowed combination of Value and Mask is 0x8, which means only bit3 in [[#MemoryAttribute]] can be set or cleared.

This is used to turn on/off caching for a given memory area. Useful when talking to devices such as the GPU.

What happens "under the hood" is the "Memory Attribute Indirection Register" index is changed from 2 to 3 in the MMU descriptor.

== MapMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || DstAddress
|-
| (In) X1 || void* || SrcAddress
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Maps a memory range into a different range.

Mainly used for adding guard pages around stack.

Source range gets reprotected to --- (it can no longer be accessed), and bit0 is set in the source [[#MemoryAttribute]].

[1.0.0] This could be used to map into either the Alias Region or the Stack region.

[2.0.0+] This can only be used to map into the Stack region.

Code can get the range of the Alias region from [[#GetInfo]] id0=2,3, and on 2.0.0+ the range of the Stack region via [[#GetInfo]] id0=14, 15 (on 1.0.0, the Stack region had hardcoded limits).

When mapped into the Alias region, the mapped memory will have state 0x482907.

When mapped into the Stack region, the mapped memory will have state 0x5C3C0B.

== UnmapMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || DstAddress
|-
| (In) X1 || void* || SrcAddress
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Unmaps a region that was previously mapped with [[#MapMemory]].

It's possible to unmap ranges partially, you don't need to unmap the entire range "in one go".

The srcaddr/dstaddr must match what was given when the pages were originally mapped.

== QueryMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#MemoryInfo]]* || MemoryInfo
|-
| (In) X2 || void* || Address
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || [[#PageInfo]] || PageInfo
|}
</div>

Queries information about an address. Will always fetch the lowest page-aligned mapping that contains the provided address.

Outputs a [[#MemoryInfo]] struct.

== ExitProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

Exits the current process.

== CreateThread ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || void(*)(void*) || Entry
|-
| (In) X2 || R2 || void* || ThreadContext
|-
| (In) X3 || R3 || void* || StackTop
|-
| (In) W4 || R0 || int32_t || Priority
|-
| (In) W5 || R4 || int32_t || ProcessorId
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || Handle<Thread> || ThreadHandle
|}
</div>

Creates a thread in the current process.

ProcessorId must be 0,1,2,3 or -2, where -2 uses the default CpuId for process.

== StartThread ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Thread> || ThreadHandle
|-
| (Out) None || ||
|}
</div>

Starts the thread for the provided handle.

== ExitThread ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

Exits the current thread.

== SleepThread ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0, R1 || uint64_t || Nanoseconds
|}
</div>

Sleeps for a specified amount of time, or yields the thread.

Setting nanoseconds to 0, -1, or -2 indicates a yielding type.

<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Value || Type
|-
| 0 || Yielding without core migration
|-
| -1 || Yielding with core migration
|-
| -2 || Yielding to any other thread
|}
</div>

== GetThreadPriority ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W1|| Handle<Thread> || ThreadHandle
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || int32_t || Priority
|}
</div>

Gets the priority of provided thread handle.

== SetThreadPriority ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0|| Handle<Thread> || ThreadHandle
|-
| (In) W1|| int32_t || Priority
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Sets the priority of provided thread handle.

Priority is a number 0-0x3F. Lower value means higher priority.

== GetThreadCoreMask ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W2 || R2 || Handle<Thread> || ThreadHandle
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || int32_t || CoreMask0
|-
| (Out) X2 || R2, R3 || uint64_t || CoreMask1
|}
</div>

Gets the affinity mask of provided thread handle.

== SetThreadCoreMask ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Thread> || ThreadHandle
|-
| (In) W1 || R1 || int32_t || CoreMask0
|-
| (In) X2 || R2, R3 || uint64_t || CoreMask1
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Sets the affinity mask of provided thread handle.

== GetCurrentProcessorNumber ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) W0 || uint32_t || CpuId
|}
</div>

Gets which cpu is executing the current thread.

CpuId is an integer in the range 0-3.

== SignalEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<WritableEvent> || EventHandle
|-
| (Out) X0 || [[#Result]] || Result
|}
</div>

Puts the given event in the signaled state.

Will wake up any thread currently waiting on this event. Can potentially trigger a reschedule.

Any calls to [[#WaitSynchronization]] on this handle will return immediately, until the event's signaled state is reset.

=== Result codes ===
'''0x0:''' Success. Event is now in signaled state.

'''0xE401:''' Invalid handle. The handle either does not exist, or is not a WritableEvent.

== ClearEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<WritableEvent> or Handle<ReadableEvent> || EventHandle
|-
| (Out) X0 || [[#Result]] || Result
|}
</div>

Takes the given event out of the signaled state, if it is signaled.

=== Result codes ===
'''0x0:''' Success, the event is now in the not-signaled state.

'''0xE401:''' Invalid handle. The handle either does not exist, or is not a ReadableEvent nor a WritableEvent.

== MapSharedMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<SharedMemory> || SharedMemoryHandle
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (In) W3 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Maps the block supplied by the handle. The required permissions are different for the process that created the handle and all other processes.

Increases reference count for the KSharedMemory object. Thus in order to release the memory associated with the object, all handles to it must be closed and all mappings must be unmapped.

== UnmapSharedMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<SharedMemory> || SharedMemoryHandle
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== CreateTransferMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (In) W3 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<TransferMemory> || TransferMemoryHandle
|}
</div>

This one reprotects the src block with perms you give it. It also sets bit0 into [[#MemoryAttribute]].

Executable bit perm not allowed.

Closing all handles automatically causes the bit0 in [[#MemoryAttribute]] to clear, and the permission to reset.

== CloseHandle ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle || Handle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ResetSignal ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<ReadableEvent> or Handle<Process> || Handle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Resets the signal on the given handle, ensuring future calls to [[#WaitSynchronization]] on this handle will sleep until the handle is signaled again. If the handle is a ReadableEvent, this returns ResultInvalidState if the event is not signaled.

If the handle is a Process, it will clear the signaled state (which is set when the process changes [[#ProcessState]]. Once the process enters the Exited state, calling ResetSignal on the process will no longer have an effect (the process is permanently signaled), and the syscall will return 0xFA01.

=== Result codes ===
'''0x0:''' Success. The signal was reset.

'''0xE401:''' The handle is invalid or of the wrong type.

'''0xFA01:''' The handle was not signaled, or the process is in exited state, causing it to be permanently signaled.

== WaitSynchronization ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || Handle* || HandlesPtr
|-
| (In) W2 || R2 || int32_t || HandlesNum
|-
| (In) X3 || R0, R3 || int64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint64_t || HandleIndex
|}
</div>

Works with HandlesNum <= 0x40.

When zero handles are passed, this will wait forever until either timeout or cancellation occurs.

Does not accept 0xFFFF8001 or 0xFFFF8000 as handles.

=== Object types ===
'''KDebug:''' signals when there is a new [[#DebugEventInfo|DebugEvent]] (retrievable via [[#GetDebugEvent]]).

'''KClientPort:''' signals when the number of sessions is less than the maximum allowed.

'''KProcess:''' signals when the process undergoes a state change (retrievable via [[#GetProcessInfo]]).

'''KReadableEvent:''' signals when the event's corresponding KWritableEvent has been signaled via [[#SignalEvent]].

'''KServerPort:''' signals when there is an incoming connection waiting to be [[#AcceptSession|accepted]].

'''KServerSession:''' signals when there is an incoming message waiting to be [[#ReplyAndReceive|received]] or the pipe is closed.

'''KThread:''' signals when the thread has exited.

=== Result codes ===
'''0x0:''' Success. One of the objects was signaled before the timeout expired, or one of the objects is a Session with a closed remote. Handle index is updated to indicate which object signaled.

'''0x7601:''' Thread termination requested. Handle index is not updated.

'''0xe401:''' Invalid handle. Returned when one of the handles passed is invalid. Handle index is not updated.

'''0xe601:''' Invalid address. Returned when the handles pointer is not a readable address. Handle index is not updated.

'''0xea01:''' Timeout. Returned when no objects have been signaled within the timeout. Handle index is not updated.

'''0xec01:''' Interrupted. Returned when another thread uses [[#CancelSynchronization]] to cancel this thread. Handle index is not updated.

'''0xee01:''' Too many handles. Returned when the number of handles passed is > 0x40.

== CancelSynchronization ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Thread> || ThreadHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

If the referenced thread is currently in a synchronization call ([[#WaitSynchronization]], [[#ReplyAndReceive]] or [[#ReplyAndReceiveLight]]), that call will be interrupted and return 0xec01.
If that thread is not currently executing such a synchronization call, the next call to a synchronization call will return 0xec01.

This doesn't take force-pause (activity/debug pause) into account.

=== Result codes ===
'''0x0:''' Success. The thread was either interrupted or has had its flag set.

'''0xe401:''' Invalid handle. The handle given was either invalid or not a thread handle.

== ArbitrateLock ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Thread> || ThreadHandle
|-
| (In) X1 || void* || Address
|-
| (In) W2 || uint32_t || Tag
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ArbitrateUnlock ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== WaitProcessWideKeyAtomic ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || KeyAddress
|-
| (In) X1 || R1 || void* || TagAddress
|-
| (In) W2 || R2 || uint32_t || Tag
|-
| (In) X3 || R3, R4 || int64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== SignalProcessWideKey ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) W1 || int32_t || Value
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetSystemTick ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (Out) X0 || R0, R1 || uint64_t || Ticks
|}
</div>

Returns the value of cntpct_el0.

The frequency is 19200000 Hz (constant from official sw).

Official sw reads cntpct_el0 directly from usermode without using this SVC. [[ExeFS|sdk-nso]] has this SVC, but it's not known to be called anywhere.

== ConnectToNamedPort ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || char* || PortName
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<Session> || SessionHandle
|}
</div>

== SendSyncRequestLight ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Session> || SessionHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== SendSyncRequest ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Session> || SessionHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== SendSyncRequestWithUserBuffer ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (In) W2 || Handle<Session> || SessionHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Size and Address must be 0x1000-aligned.

=== Result codes ===
'''0x0:''' Success.

'''0xcc01:''' Address is not 0x1000-aligned.

'''0xca01:''' Size is not 0x1000-aligned.

'''0xce01:''' KSessionRequest allocation failed (unlikely) or pointer buffer size exceeded.

'''0xe401:''' Handles does not exist, or handle is not an instance of KClientSession.

== SendAsyncRequestWithUserBuffer ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (In) W3 || Handle<Session> || SessionHandle
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ReadableEvent> || EventHandle
|}
</div>

Size and Address must be 0x1000-aligned.

== GetProcessId ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || ProcessId
|}
</div>

== GetThreadId ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<Thread> || ThreadHandle
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || ThreadId
|}
</div>

== Break ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#BreakReason]] || BreakReason
|-
| (In) X1 || uint64_t ||
|-
| (In) X2 || uint64_t || Info
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

If the process is attached, report the Break event. Then, if [[#ContinueDebugEvent]] didn't apply IgnoreException on the thread: if TPIDR_EL0 is 0, adjust ELR_EL1 to retry to svc instruction (and set TPIDR_EL0 to 1).

Otherwise, if bit31 in reason isn't set, perform crash reporting (see Exception Handling section below), if it doesn't terminate the process adjust ELR_EL1 as well.

Otherwise just return 0.

== OutputDebugString ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || char* || String
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ReturnFromException ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#Result]] || Result
|}
</div>

== GetInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || [[#InfoType]] || InfoType
|-
| (In) W2 || R2 || Handle || Handle
|-
| (In) X3 || R0, R3 || uint64_t || InfoSubType
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || Info
|}
</div>

== FlushEntireDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

== FlushDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== MapPhysicalMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Acts like [[#SetHeapSize]] except you can allocate heap at any address you'd like.

Uses current process pool partition.

=== Result codes ===
'''0x0:''' Success.

'''0xCA01:''' Invalid size passed. It's either zero or not 4k-aligned

'''0xCC01:''' Invalid address. (not 4k-aligned)

'''0xDC01:''' Invalid memory range. It's either causes overflow, or does not fall into "reserved" address range (aka Alias). See AliasRegionAddress at [[#InfoType]]

'''0xFA01:''' Invalid state. (not enough SystemResource (see [[NPDM#SystemResourceSize]]))

== UnmapPhysicalMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetDebugFutureThreadInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X3 || R0, R1 || uint64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || uint64_t || LastThreadContextParam0
|-
| (Out) X2 || uint64_t || LastThreadContextParam1
|-
| (Out) X3 || uint64_t || LastThreadContextParam2
|-
| (Out) X4 || uint64_t || LastThreadContextParam3
|-
| (Out) X5 || uint64_t ||
|-
| (Out) W6 || uint32_t ||
|}
</div>

== GetLastThreadInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) X1 || uint64_t || LastThreadContextParam0
|-
| (Out) X2 || uint64_t || LastThreadContextParam1
|-
| (Out) X3 || uint64_t || LastThreadContextParam2
|-
| (Out) X4 || uint64_t || LastThreadContextParam3
|-
| (Out) X5 || uint64_t ||
|-
| (Out) W6 || uint32_t ||
|}
</div>

== GetResourceLimitLimitValue ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<ResourceLimit> || ResourceLimitHandle
|-
| (In) W2 || R2 || [[#LimitableResource]] || LimitableResource
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || int64_t || LimitValue
|}
</div>

== GetResourceLimitCurrentValue ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<ResourceLimit> || ResourceLimitHandle
|-
| (In) W2 || R2 || [[#LimitableResource]] || LimitableResource
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || int64_t || CurrentValue
|}
</div>

== SetThreadActivity ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Thread> || ThreadHandle
|-
| (In) W1 || [[#ThreadActivity]] || ThreadActivity
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetThreadContext3 ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#ThreadContext]]* || ThreadContext
|-
| (In) W1 || Handle<Thread> || ThreadHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== WaitForAddress ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || Address
|-
| (In) W1 || R1 || [[#ArbitrationType]] || ArbitrationType
|-
| (In) W2 || R2 || uint32_t || Value
|-
| (In) X3 || R3, R4 || uint64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== SignalToAddress ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || Address
|-
| (In) W1 || R1 || [[#SignalType]] || SignalType
|-
| (In) W2 || R2 || uint32_t || Value
|-
| (In) W3 || R3 || uint32_t || NumToSignal
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== SynchronizePreemptionState ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

== GetResourceLimitPeakValue ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<ResourceLimit> || ResourceLimitHandle
|-
| (In) W2 || R2 || [[#LimitableResource]] || LimitableResource
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || int64_t || PeakValue
|}
</div>

== DumpInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#DumpInfoType]] || DumpInfoType
|-
| (In) X1 || uint64_t || DumpInfoSubType
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Stubbed in retail kernel.

[4.0.0+] This function was removed and replaced by [[#KernelDebug]].

== KernelDebug ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#KernelDebugType]] || KernelDebugType
|-
| (In) X1 || uint64_t ||
|-
| (In) X2 || uint64_t ||
|-
| (In) X3 || uint64_t ||
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Stubbed in retail kernel.

== ChangeKernelTraceState ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#KernelTraceState]] || KernelTraceState
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Stubbed in retail kernel.

== CreateSession ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W2 || bool || IsLight
|-
| (In) X3 || uint64_t || Name
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ServerSession> || ServerSessionHandle
|-
| (Out) W2 || Handle<ClientSession> || ClientSessionHandle
|}
</div>

== AcceptSession ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W1 || Handle<Port> || PortHandle
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ServerSession> || ServerSessionHandle
|}
</div>

=== Result codes ===
'''0xf201:''' No session waiting to be accepted

== ReplyAndReceiveLight ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Port> or Handle<ServerSession> || Handle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ReplyAndReceive ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || Handle<Port>* or Handle<ServerSession>* || Handles
|-
| (In) W2 || R2 || uint32_t || NumHandles
|-
| (In) W3 || R3 || Handle<ServerSession> || ReplyTargetSessionHandle
|-
| (In) X4 || R0, R4 || uint64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || HandleIndex
|}
</div>

If ReplyTargetSessionHandle is not zero, a reply from the TLS will be sent to that session.
Then it will wait until either of the passed sessions has an incoming message, is closed, a passed port has an incoming connection, or the timeout expires.
If there is an incoming message, it is copied to the TLS.

If ReplyTargetSessionHandle is zero, the TLS should contain a blank message. If this message has a C descriptor, the buffer it points to will be used as the pointer buffer. See [[IPC_Marshalling#IPC_buffers]]. Note that a pointer buffer cannot be specified if ReplyTargetSessionHandle is not zero.

After being validated, passed handles will be enumerated in order; even if a session has been closed, if one that appears earlier in the list has an incoming message, it will take priority and a result code of 0x0 will be returned.

=== Result codes ===
'''0x0:''' Success. Either a session has an incoming message or a port has an incoming connection. HandleIndex is set appropriately.

'''0xea01:''' Timeout. No handles were signalled before the timeout expired. HandleIndex is not updated.

'''0xf601:''' Port remote dead. One of the sessions has been closed. HandleIndex is set appropriately.

== ReplyAndReceiveWithUserBuffer ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || void* || Address
|-
| (In) X2 || R2 || uint64_t || Size
|-
| (In) X3 || R3 || Handle<Port>* or Handle<ServerSession>* || Handles
|-
| (In) W4 || R0 || uint32_t || NumHandles
|-
| (In) W5 || R4 || Handle<ServerSession> || ReplyTargetSessionHandle
|-
| (In) X6 || R5, R6 || uint64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || HandleIndex
|}
</div>

== CreateEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<WritableEvent> || WritableEventHandle
|-
| (Out) W2 || Handle<ReadableEvent> || ReadableEventHandle
|}
</div>

== MapPhysicalMemoryUnsafe ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Same as [[#MapPhysicalMemory]] except it always uses pool partition 0.

== UnmapPhysicalMemoryUnsafe ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== SetUnsafeLimit ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || uint64_t || Limit
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== CreateCodeMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<CodeMemory> || CodeMemoryHandle
|}
</div>

Takes an address range with backing memory to create the code memory object.

The memory is initially memset to 0xFF after being locked.

== ControlCodeMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<CodeMemory> || CodeMemoryHandle
|-
| (In) W1 || R1 || [[#CodeMemoryOperation]] || CodeMemoryOperation
|-
| (In) X2 || R2, R3 || void* || Address
|-
| (In) X3 || R4, R5 || uint64_t || Size
|-
| (In) W4 || R6 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maps the backing memory for a CodeMemory object into the current process.

For [[#CodeMemoryOperation|MapOwner]], memory permission must be RW-.

For [[#CodeMemoryOperation|MapSlave]], memory permission must be R-- or R-X.

Operations [[#CodeMemoryOperation|UnmapOwner/UnmapSlave]] unmap memory that was previously mapped this way.

This allows one "secure JIT" process to map the code memory as RW-, and the other "slave" process to map it R-X.

[5.0.0+] Error 0xE401 is now returned when the process owner of the Code memory object is the same as the current process.

== SleepSystem ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

== ReadWriteRegister ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R2, R3 || uint64_t || RegisterAddress
|-
| (In) W2 || R0 || uint32_t || RwMask
|-
| (In) W3 || R1 || uint32_t || InValue
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || OutValue
|}
</div>

Read/write IO registers with a hardcoded whitelist. Input address is physical-address and must be aligned to 4.

rw_mask is 0 for reading and 0xffffffff for writing. You can also write individual bits by using a mask value.

You can only write to registers inside physical pages 0x70019000 (MC), 0x7001C000 (MC0), 0x7001D000 (MC1), and they all share the same whitelist.

The whitelist is same for writing as for reading.

The whitelist is:

0x054, 0x090, 0x094, 0x098, 0x09c, 0x0a0, 0x0a4, 0x0a8, 0x0ac, 0x0b0, 0x0b4, 0x0b8, 0x0bc, 0x0c0, 0x0c4, 0x0c8, 0x0d0, 0x0d4, 0x0d8, 0x0dc, 0x0e0, 0x100, 0x108, 0x10c, 0x118, 0x11c, 0x124, 0x128, 0x12c, 0x130, 0x134, 0x138, 0x13c, 0x158, 0x15c, 0x164, 0x168, 0x16c, 0x170, 0x174, 0x178, 0x17c, 0x200, 0x204, 0x2e4, 0x2e8, 0x2ec, 0x2f4, 0x2f8, 0x310, 0x314, 0x320, 0x328, 0x344, 0x348, 0x370, 0x374, 0x37c, 0x380, 0x390, 0x394, 0x398, 0x3ac, 0x3b8, 0x3bc, 0x3c0, 0x3c4, 0x3d8, 0x3e8, 0x41c, 0x420, 0x424, 0x428, 0x42c, 0x430, 0x44c, 0x47c, 0x480, 0x484, 0x50c, 0x554, 0x558, 0x55c, 0x670, 0x674, 0x690, 0x694, 0x698, 0x69c, 0x6a0, 0x6a4, 0x6c0, 0x6c4, 0x6f0, 0x6f4, 0x960, 0x970, 0x974, 0xa20, 0xa24, 0xb88, 0xb8c, 0xbc4, 0xbc8, 0xbcc, 0xbd0, 0xbd4, 0xbd8, 0xbdc, 0xbe0, 0xbe4, 0xbe8, 0xbec, 0xc00, 0xc5c, 0xcac

[2.0.0+] Whitelist was extended with 0x4c4, 0x4c8, 0x4cc, 0x584, 0x588, 0x58c.

[2.0.0+] The IO registers in range 0x7000E400 (PMC) size 0xC00 skip the whitelist, and do a TrustZone call using [[SMC#ReadWriteRegister|ReadWriteRegister]].

[4.0.0+] Access to the Memory Controller (0x70019000) also uses smcReadWriteRegister.

Here is the whitelist imposed by that SMC, relative to the start of the PMC registers:

0x000, 0x00c, 0x010, 0x014, 0x01c, 0x020, 0x02c, 0x030, 0x034, 0x038, 0x03c, 0x040, 0x044, 0x048, 0x0dc, 0x0e0, 0x0e4, 0x160, 0x164, 0x168, 0x170, 0x1a8, 0x1b8, 0x1bc, 0x1c0, 0x1c4, 0x1c8, 0x2b4, 0x2d4, 0x440, 0x4d8

Here is the whitelist imposed by the SMC [[SMC#ReadWriteRegister|ReadWriteRegister]] (checked in addition to the whitelist in the ReadWriteRegister SVC), relative to the start of the MC registers:

0x000, 0x004, 0x008, 0x00C, 0x010, 0x01C, 0x020, 0x030, 0x034, 0x050, 0x054, 0x090, 0x094, 0x098, 0x09C, 0x0A0, 0x0A4, 0x0A8, 0x0AC, 0x0B0, 0x0B4, 0x0B8, 0x0BC, 0x0C0, 0x0C4, 0x0C8, 0x0D0, 0x0D4, 0x0D8, 0x0DC, 0x0E0, 0x100, 0x108, 0x10C, 0x118, 0x11C, 0x124, 0x128, 0x12C, 0x130, 0x134, 0x138, 0x13C, 0x158, 0x15C, 0x164, 0x168, 0x16C, 0x170, 0x174, 0x178, 0x17C, 0x200, 0x204, 0x238, 0x240, 0x244, 0x250, 0x254, 0x258, 0x264, 0x268, 0x26C, 0x270, 0x274, 0x280, 0x284, 0x288, 0x28C, 0x294, 0x2E4, 0x2E8, 0x2EC, 0x2F4, 0x2F8, 0x310, 0x314, 0x320, 0x328, 0x344, 0x348, 0x370, 0x374, 0x37C, 0x380, 0x390, 0x394, 0x398, 0x3AC, 0x3B8, 0x3BC, 0x3C0, 0x3C4, 0x3D8, 0x3E8, 0x41C, 0x420, 0x424, 0x428, 0x42C, 0x430, 0x44C, 0x47C, 0x480, 0x484, 0x4C4, 0x4C8, 0x4CC, 0x50C, 0x554, 0x558, 0x55C, 0x584, 0x588, 0x58C, 0x670, 0x674, 0x690, 0x694, 0x698, 0x69C, 0x6A0, 0x6A4, 0x6C0, 0x6C4, 0x6F0, 0x6F4, 0x960, 0x970, 0x974, 0x9B8, 0xA20, 0xA24, 0xA88, 0xA94, 0xA98, 0xA9C, 0xAA0, 0xAA4, 0xAA8, 0xAAC, 0xAB0, 0xAB4, 0xAB8, 0xABC, 0xAC0, 0xAC4, 0xAC8, 0xACC, 0xAD0, 0xAD4, 0xAD8, 0xADC, 0xAE0, 0xB88, 0xB8C, 0xBC4, 0xBC8, 0xBCC, 0xBD0, 0xBD4, 0xBD8, 0xBDC, 0xBE0, 0xBE4, 0xBE8, 0xBEC, 0xC00, 0xC5C, 0xCAC

== SetProcessActivity ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Process> || ProcessHandle
|-
| (In) W1 || [[#ProcessActivity]] || ProcessActivity
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== CreateSharedMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W1 || uint64_t || Size
|-
| (In) W2 || [[#MemoryPermission]] || LocalMemoryPermission
|-
| (In) W3 || [[#MemoryPermission]] || RemoteMemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<SharedMemory> || SharedMemoryHandle
|}
</div>

Other perm can be used to enforce permission 1, 3, or 0x10000000 if don't care.

Allocates memory from the current process' pool partition.

== MapTransferMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || Handle<TransferMemory> || TransferMemoryHandle
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (In) W3 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

You must pass same size and permissions as given in [[#CreateTransferMemory]], otherwise error.

== UnmapTransferMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || Handle<TransferMemory> || TransferMemoryHandle
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Size must match size given in map syscall, otherwise there's an invalid-size error.

== CreateInterruptEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || [[#Interrupt]] || Interrupt
|-
| (In) W2 || [[#InterruptType]] || InterruptType
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ReadableEvent> || ReadableEventHandle
|}
</div>

Creates an event handle for the given IRQ number. Waiting on this handle will wait until the IRQ is triggered. The InterruptType argument configures the triggering. If it is 0, the IRQ is active HIGH level sensitive, if it is 1 it is rising-edge sensitive.

=== Result codes ===
'''0x0:''' Success.

'''0xF001:''' Flags was > 1

'''0xF201:''' IRQ above 0x3FF or outside the [[NPDM#Kernel_Access_Control|IRQ access mask]] was given.

'''0xCE01:''' A SlabHeap was exhausted (too many interrupts created).

'''0xF401:''' IRQ already has an event registered.

'''0xD201:''' The handle table is full. Try closing some handles.

== QueryPhysicalAddress ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || void* || VirtualAddress
|-
| (Out) W0 || [[#Result]]|| Result
|-
| (Out) X1 || uint64_t || PhysicalMemoryInfoAddress
|-
| (Out) X2 || uint64_t || PhysicalMemoryInfoBaseAddress
|-
| (Out) X3 || uint64_t || PhysicalMemoryInfoSize
|}
</div>

Queries the physical address of a virtual address. Will always fetch the lowest page-aligned mapping that contains the provided physical address.

The returned PhysicalMemoryInfoBaseAddress is the virtual address of that page-aligned mapping, while PhysicalMemoryInfoAddress is the physical address of that page. PhysicalMemoryInfoSize is the amount of continuous physical memory in that mapping.

== QueryIoMapping ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R2, R3 || uint64_t || IoAddress
|-
| (In) X2 || R0 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1 || void* || VirtualAddress
|}
</div>

Returns a virtual address mapped to a given IO range.

== CreateDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R2, R3 || uint64_t || DeviceAddressSpaceStartAddress
|-
| (In) X2 || R0, R1 || uint64_t || DeviceAddressSpaceEndAddress
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|}
</div>

Creates a virtual address space for binding device address spaces and returns a handle.

StartAddr is normally set to 0 and EndAddr is normally set to 0xFFFFFFFF.

== AttachDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#DeviceName]] || DeviceName
|-
| (In) X1 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Attaches a device address space to a [[#DeviceName|device]].

== DetachDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#DeviceName]] || DeviceName
|-
| (In) X1 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Detaches a device address space from a [[#DeviceName|device]].

== MapDeviceAddressSpaceByForce ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || Address
|-
| (In) X3 || R4 || uint64_t || DeviceAddressSpaceSize
|-
| (In) X4 || R5, R6 || uint64_t || DeviceAddressSpaceAddress
|-
| (In) W5 || R7 || uint32_t || Option
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maps an attached device address space to an userspace address.

Address is the userspace destination address, while DeviceAddressSpaceAddress is the source address between DeviceAddressSpaceStartAddress and DeviceAddressSpaceEndAddress (passed to [[#CreateDeviceAddressSpace]]).

The userspace destination address must have the [[SVC#MemoryState|FlagCanDeviceMap]] bit set. Bit [[SVC#MemoryAttribute|DeviceShared]] will be set after mapping.

The Option encodes a [[#MemoryPermission]] in the low 16 bits, and an indicator of IO mapping in the high bits.

== MapDeviceAddressSpaceAligned ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || Address
|-
| (In) X3 || R4 || uint64_t || DeviceAddressSpaceSize
|-
| (In) X4 || R5, R6 || uint64_t || DeviceAddressSpaceAddress
|-
| (In) W5 || R7 || uint32_t || Option
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maps an attached device address space to an userspace address.

Same as [[#MapDeviceAddressSpaceByForce]], but the userspace destination address must have the [[SVC#MemoryState|FlagCanAlignedDeviceMap]] bit set instead.

The Option encodes a [[#MemoryPermission]] in the low 16 bits, and an indicator of IO mapping in the high bits.

== MapDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (In) W2 || R2 || Handle<Process> || ProcessHandle
|-
| (In) X3 || R0, R3 || void* || Address
|-
| (In) X4 || R4 || uint64_t || DeviceAddressSpaceSize
|-
| (In) X5 || R5, R6 || uint64_t || DeviceAddressSpaceAddress
|-
| (In) W6 || R7 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1 || uint64_t || Size
|}
</div>

== UnmapDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || Address
|-
| (In) X3 || R4 || uint64_t || DeviceAddressSpaceSize
|-
| (In) X4 || R5, R6 || uint64_t || DeviceAddressSpaceAddress
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Unmaps an attached device address space from an userspace address.

== InvalidateProcessDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || Address
|-
| (In) X2 || R1, R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== StoreProcessDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || Address
|-
| (In) X2 || R1, R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== FlushProcessDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || Address
|-
| (In) X2 || R1, R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== DebugActiveProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R2, R3 || uint64_t || ProcessId
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || Handle<Debug> || DebugHandle
|}
</div>

== BreakDebugProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Debug> || DebugHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== TerminateDebugProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Debug> || DebugHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetDebugEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#DebugEventInfo]]* || DebugEventInfo
|-
| (In) W1 || Handle<Debug> || DebugHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ContinueDebugEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Debug> || DebugHandle
|-
| (In) W1 || R1 || uint32_t || [[#ContinueDebugFlags]] ([1.0.0-2.3.0] [[#ContinueDebugFlagsOld]])
|-
| (In) X2 || R2 ([1.0.0-2.3.0] R2, R3) || uint64_t* ([1.0.0-2.3.0] uint64_t)|| ThreadIdList ([1.0.0-2.3.0] ThreadId)
|-
| (In) X3 || R3 || uint64_t || [3.0.0+] NumThreadIds
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maximum NumThreadIds is 64. 0 means "all threads".

=== Result codes ===
'''0x0:''' Success. The process has been resumed.

'''0xe401:''' Invalid debug handle.

'''0xf401:''' Process has debug events queued or is already running.

== GetProcessList ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || uint64_t* || ProcessIdBuffer
|-
| (In) W2 || R2 || uint32_t || ProcessIdBufferSize
|-
| (Out) X0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || NumProcesses
|}
</div>

Fills the provided array with the pids of currently living processes. A process "lives" so long as it is currently running or a handle to it still exists.

It returns the total number of processes currently alive. If this number is bigger than the size of ProcessIdBuffer, the user won't have all the pids.

=== Result codes ===
'''0x0:''' Success.

'''0xd401:''' The provided buffer is outside the process address space.

'''0xe601:''' copyToUser failed. The provided buffer is not user-accessible.

'''0xee01:''' The provided buffer size is too big. Max value is 0xFFFFFFF.

== GetThreadList ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || uint64_t* || ThreadIdBuffer
|-
| (In) W2 || R2 || uint32_t || ThreadIdBufferSize
|-
| (In) W3 || R3 || Handle<Debug> || DebugHandle
|-
| (Out) X0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || NumThreads
|}
</div>

== GetDebugThreadContext ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || [[#ThreadContext]]* || ThreadContext
|-
| (In) X1 || R1 || Handle<Debug> || DebugHandle
|-
| (In) X2 || R2, R3 || uint64_t || ThreadId
|-
| (In) W3 || R4 || uint32_t || [[#ThreadContextFlags]]
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== SetDebugThreadContext ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Debug> || DebugHandle
|-
| (In) X1 || R2, R3 || uint64_t || ThreadId
|-
| (In) X2 || R1 || [[#ThreadContext]]* || ThreadContext
|-
| (In) W3 || R4 || uint32_t || [[#ThreadContextFlags]]
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== QueryDebugProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#MemoryInfo]]* || MemoryInfo
|-
| (In) W2 || Handle<Debug> || DebugHandle
|-
| (In) X3 || void* || Address
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || [[#PageInfo]] || PageInfo
|}
</div>

== ReadDebugProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || MemoryBufferAddress
|-
| (In) W1 || Handle<Debug> || DebugHandle
|-
| (In) X2 || void* || SrcAddress
|-
| (In) X3 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== WriteDebugProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Debug> || DebugHandle
|-
| (In) X1 || void* || MemoryBufferAddress
|-
| (In) X2 || void* || DstAddress
|-
| (In) X3 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== SetHardwareBreakPoint ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || [[#HardwareBreakPointRegisterName]] || Name
|-
| (In) X1 || R2, R3 || uint64_t || Flags
|-
| (In) X2 || R1, R4 || uint64_t || Value
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Sets one of the AArch64 hardware breakpoints. The nintendo switch has 6 hardware breakpoints, and 4 hardware watchpoints. The syscall has two behaviors depending on the value of HardwareBreakPointRegisterName:

If HardwareBreakPointRegisterName < 0x10, then it sets one of the AArch64 hardware breakpoints. Flags will go to DBGBCRn_EL1, and value to DBGBVRn_EL1. The only flags the user is allowed to set are those in the bitmask 0x7F01E1. Furthermore, the kernel will or it with 0x4004, in order to set various security flags to guarantee the watchpoints only triggers for code in EL0. If the user asks for a Breakpoint Type of ContextIDR match, the kernel shall use the given DebugHandle to set DBGBVRn_EL1 to the ContextID of the debugged process.

If HardwareBreakPointRegisterName is between 0x10 and 0x20 (exclusive), then it sets one of the AArch64 hardware watchpoints. Flags will go to DBGWCRn_EL1, and the value to DBGWVRn_EL1. The only flags the user is allowed to set are those in the bitmask 0xFF0F1FF9. Furthermore, the kernel will or it with 0x104004. This will set various security flags, and set the watchpoint type to be a Linked Watchpoint. This means that you need to link it to a Linked ContextIDR breakpoint. Check the ARM documentation for more information.

Note that HardwareBreakPointRegisterName 0 to 4 match only to Virtual Address, while HardwareBreakPointRegisterName 5 and 6 match against either Virtual Address, ContextID, or VMID. As such, if you are configuring a breakpoint to link for a watchpoint, make sure you use hardware_breakpoint_id 5 or 6.

For more documentation for hardware breakpoints, check out the AArch64 documentation for the [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0488h/way1382455558968.html DBGBCRn_EL1 register] and the [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0488h/way1382455560629.html DBGWCRn_EL1 register]

== GetDebugThreadParam ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X2 || R2 || Handle<Debug> || DebugHandle
|-
| (In) X3 || R0, R1 || uint64_t || ThreadId
|-
| (In) W4 || R3 || [[#DebugThreadParam]] || DebugThreadParam
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || Out0
|-
| (Out) W2 || R3 || uint32_t || Out1
|}
</div>

== GetSystemInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || [[#SystemInfoType]] || SystemInfoType
|-
| (In) W2 || Handle || Handle
|-
| (In) X3 || uint64_t || SystemInfoSubType
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) X1 || uint64_t || SystemInfo
|}
</div>

== CreatePort ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W2 || R2 || int32_t || MaxSessions
|-
| (In) W3 || R3 || bool || IsLight
|-
| (In) X4 || R0 || uint64_t || Name
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || Handle<Port> || ServerPortHandle
|-
| (Out) W2 || R2 || Handle<Port> || ClientPortHandle
|}
</div>

== ManageNamedPort ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || char* || Name
|-
| (In) W2 || int32_t || MaxSessions
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<Port> || ServerPortHandle
|}
</div>

== ConnectToPort ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W1 || Handle<Port> || ClientPortHandle
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<Session> || SessionHandle
|}
</div>

== SetProcessMemoryPermission ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || Addr
|-
| (In) X2 || R1, R4 || uint64_t || Size
|-
| (In) W3 || R5 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

This sets the memory permissions for the specified memory with the supplied process handle.

This throws an error(0xD801) when the input perm is >0x5, hence -WX and RWX are not allowed.

== MapProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || DstAddress
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || SrcAddress
|-
| (In) X3 || R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maps the src address from the supplied process handle into the current process.

This allows mapping code and rodata with RW- permission.

== UnmapProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || DstAddress
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || SrcAddress
|-
| (In) X3 || R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Unmaps what was mapped by [[#MapProcessMemory]].

== QueryProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || [[#MemoryInfo]]* || MemoryInfo
|-
| (In) W2 || R2 || Handle<Process> || ProcessHandle
|-
| (In) X3 || R1, R3 || void* || Address
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || [[#PageInfo]] || PageInfo
|}
</div>

Equivalent to [[#QueryMemory]] except takes a process handle.

== MapProcessCodeMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || DstAddress
|-
| (In) X2 || R1, R4 || void* || SrcAddress
|-
| (In) X3 || R5, R6 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Takes a process handle, and maps normal heap in that process as executable code in that process. Used when loading NROs. This does not support using the current-process handle alias.

== UnmapProcessCodeMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || DstAddress
|-
| (In) X2 || R1, R4 || void* || SrcAddress
|-
| (In) X3 || R5, R6 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Unmaps what was mapped by [[#MapProcessCodeMemory]].

== CreateProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || [[#CreateProcessParameter]]* || CreateProcessParameter
|-
| (In) X2 || uint32_t* || Capabilities
|-
| (In) X3 || int32_t || CapabilitiesNum
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<Process> || ProcessHandle
|}
</div>

Takes a [[#CreateProcessParameter]] as input.
Capabilities points to an array of [[NPDM#Kernel_Access_Control|kernel capabilities]].
CapabilitiesNum is a number of capabilities in the Capabilities array (number of element, not number of bytes).

=== Result codes ===
'''0x0:''' Success.

'''0xCA01:''' Attempted to map more code pages than available in address space.

'''0xCC01:''' Provided CodeAddr is invalid (make sure it's in range?)

'''0xE401:''' The resource handle passed is invalid.

'''0xE601:''' Attempt to copy procinfo from user-supplied pointer failed. Attempt to copy capabilities_num from user-supplied pointer failed.

'''0xE801:''' Attempted to create a 32-bit process with a 36-bit address space.

'''0xF001:''' Unused bits are set in mmuflags. Unknown address space type used.

== StartProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) W1 || R1 || int32_t || MainThreadPriority
|-
| (In) W2 || R2 || int32_t || DefaultCpuId
|-
| (In) X3 || R3, R4 || uint64_t || MainThreadStackSize
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== TerminateProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Process> || ProcessHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetProcessInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R1 || Handle<Process> || ProcessHandle
|-
| (In) W1 || R2 || [[#ProcessInfoType]] || ProcessInfoType
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || [[#ProcessState]]
|}
</div>

Returns an enum with value 0-7.

== CreateResourceLimit ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ResourceLimit> || ResourceLimitHandle
|}
</div>

== SetResourceLimitLimitValue ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<ResourceLimit> || ResourceLimitHandle
|-
| (In) W1 || R1 || [[#LimitableResource]] || LimitableResource
|-
| (In) X2 || R2, R3 || int64_t || LimitValue
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== CallSecureMonitor ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || uint64_t || [[SMC#Secure_Monitor_calls|FunctionId]]
|-
| (In) X1-X7 || R1-R7 || uint64_t || SMC arguments
|-
| (Out) X0 || R0 || [[SMC#Result|Result]] || SMC result
|-
| (Out) X1-X7 || R1-R7 || uint64_t || SMC output
|}
</div>

Takes in a SMC function ID in X0, and arguments for that SMC function in X1-X7.

Passing an invalid SMC function ID or calling from a core other than core 3 will result in a secure monitor panic.

The kernel parses bits 9-15 in the passed SMC function ID (per the ARM SMC calling convention), and when set uses as an indicator to translate a pointer in the associated register (X1-X7) to a physical address. The kernel will translate any address mapped as R-W, other addresses (R--, R-X, or invalid pointers) will be translated as 0/NULL.

Output is returned raw from the Secure Monitor; X0 will be the untranslated SMC result and X1-X7 will contain other SMC output (or be unchanged, depending on the SMC).

== Debugging ==
[2.0.0+] Exactly 6 debug SVCs require that [[SPL_services#GetConfig|IsDebugMode]] is non-zero. Error 0x4201 is returned otherwise.
* BreakDebugProcess
* ContinueDebugEvent
* WriteDebugProcessMemory
* SetDebugThreadContext
* TerminateDebugProcess
* SetHardwareBreakPoint

DebugActiveProcess stops execution of the target process, the normal method for resuming it requires ContinueDebugEvent(see above). Closing the debug handle also results in execution being resumed.

= Enum/Structures =
== InfoType ==
{| class=wikitable
! Handle type || InfoType || InfoSubType || Description
|-
| Process || 0 || 0 || CoreMask
|-
| Process || 1 || 0 || PriorityMask
|-
| Process || 2 || 0 || AliasRegionAddress
|-
| Process || 3 || 0 || AliasRegionSize
|-
| Process || 4 || 0 || HeapRegionAddress
|-
| Process || 5 || 0 || HeapRegionSize
|-
| Process || 6 || 0 || TotalMemorySize. Total memory available(free+used).
|-
| Process || 7 || 0 || UsedMemorySize. Total used size of codebin memory + main-thread stack + allocated heap.
|-
| Zero || 8 || 0 || DebuggerAttached
|-
| Zero || 9 || 0 || ResourceLimit
|-
| Zero || 10 || -1, {current coreid} || IdleTickCount
|-
| Zero || 11 || 0-3 || RandomEntropy. Used to seed usermode PRNGs.
|-
| Process || 12 || 0 || [2.0.0+] AslrRegionAddress
|-
| Process || 13 || 0 || [2.0.0+] AslrRegionSize
|-
| Process || 14 || 0 || [2.0.0+] StackRegionAddress
|-
| Process || 15 || 0 || [2.0.0+] StackRegionSize
|-
| Process || 16 || 0 || [3.0.0+] SystemResourceSizeTotal
|-
| Process || 17 || 0 || [3.0.0+] SystemResourceSizeUsed
|-
| Process || 18 || 0 || [3.0.0+] ProgramId
|-
| Zero || 19 || 0 || [4.0.0-4.1.0] InitialProcessIdRange_LowerBound
|-
| Zero || 19 || 1 || [4.0.0-4.1.0] InitialProcessIdRange_UpperBound
|-
| Process || 20 || 0 || [5.0.0+] UserExceptionContextAddress
|-
| Process || 21 || 0 || [6.0.0+] TotalNonSystemMemorySize
|-
| Process || 22 || 0 || [6.0.0+] UsedNonSystemMemorySize
|-
| Process || 23 || 0 || [9.0.0+] IsApplication
|-
| Process || 24 || 0 || [11.0.0+] FreeThreadCount
|-
| Thread || 25 ([1.0.0-12.1.0] 0xF0000002) || 0-3, -1 || ThreadTickCount. When 0-3 are passed, gets specific core CPU ticks spent on thread. When -1 is passed, gets total CPU ticks spent on thread.
|-
| Process || 26 || 0 || [14.0.0+] IsSvcPermitted
|-
| Process || 27 || 0 || [16.0.0+] IoRegionHint
|}

== SystemInfoType ==
{| class=wikitable
! Handle type || SystemInfoType || SystemInfoSubType || Description
|-
| Zero || 0 || 0 || TotalPhysicalMemorySize_Application
|-
| Zero || 0 || 1 || TotalPhysicalMemorySize_Applet
|-
| Zero || 0 || 2 || TotalPhysicalMemorySize_System
|-
| Zero || 0 || 3 || TotalPhysicalMemorySize_SystemUnsafe
|-
| Zero || 1 || 0 || UsedPhysicalMemorySize_Application
|-
| Zero || 1 || 1 || UsedPhysicalMemorySize_Applet
|-
| Zero || 1 || 2 || UsedPhysicalMemorySize_System
|-
| Zero || 1 || 3 || UsedPhysicalMemorySize_SystemUnsafe
|-
| Zero || 2 || 0 || InitialProcessIdRange_LowerBound
|-
| Zero || 2 || 1 || InitialProcessIdRange_UpperBound
|}

== ThreadContextFlags ==
Bitfield of one of more of these:

{| class=wikitable
! Bit || Bitmask || Name || Description
|-
| 0 || 1 || General-purpose registers || If in 64-bit mode, GPRs 0–28 will be read/written. If in 32-bit mode, GPRs 0–12 will be read/written.
|-
| 1 || 2 || Control registers || Reads/writes the FP, LR, PC, SP, PSTATE, and TPIDR registers.
|-
| 2 || 4 || Floating-point registers || Reads/writes the floating-point vector registers.
|-
| 3 || 8 || Floating-point control registers || Reads/writes the FPCR and FPSR registers.
|}

== DeviceName ==
{| class=wikitable
! Value || Name
|-
| 0 || AFI
|-
| 1 || AVPC
|-
| 2 || DC
|-
| 3 || DCB
|-
| 4 || HC
|-
| 5 || HDA
|-
| 6 || ISP2
|-
| 7 || MSENCNVENC
|-
| 8 || NV
|-
| 9 || NV2
|-
| 10 || PPCS
|-
| 11 || SATA
|-
| 12 || VI
|-
| 13 || VIC
|-
| 14 || XUSB_HOST
|-
| 15 || XUSB_DEV
|-
| 16 || TSEC
|-
| 17 || PPCS1
|-
| 18 || DC1
|-
| 19 || SDMMC1A
|-
| 20 || SDMMC2A
|-
| 21 || SDMMC3A
|-
| 22 || SDMMC4A
|-
| 23 || ISP2B
|-
| 24 || GPU
|-
| 25 || GPUB
|-
| 26 || PPCS2
|-
| 27 || NVDEC
|-
| 28 || APE
|-
| 29 || SE
|-
| 30 || NVJPG
|-
| 31 || HC1
|-
| 32 || SE1
|-
| 33 || AXIAP
|-
| 34 || ETR
|-
| 35 || TSECB
|-
| 36 || TSEC1
|-
| 37 || TSECB1
|-
| 38 || NVDEC1
|}

== CodeMemoryOperation ==
{| class=wikitable
! Value || Name
|-
| 0 || MapOwner
|-
| 1 || MapSlave
|-
| 2 || UnmapOwner
|-
| 3 || UnmapSlave
|}

== LimitableResource ==
{| class=wikitable
! Value || Name || Description
|-
| 0 || PhysicalMemoryMax || Bytes of memory a process may allocate.
|-
| 1 || ThreadCountMax || Amount of threads a process can create.
|-
| 2 || EventCountMax || Amount of events a process can create through [[#CreateEvent]] or [[#SendAsyncRequestWithUserBuffer]].
|-
| 3 || TransferMemoryCountMax || Amount of TransferMemory a process can create through [[#CreateTransferMemory]].
|-
| 4 || SessionCountMax || Amount of session a process can create through [[#CreateSession]], [[#ConnectToPort]] or [[#ConnectToNamedPort]].
|}

= ThreadActivity =
{| class=wikitable
! Value || Name
|-
| 0 || None
|-
| 1 || Runnable
|}

== ProcessActivity ==
{| class=wikitable
! Value || Name
|-
| 0 || None
|-
| 1 || Runnable
|}

== ProcessInfoType ==
{| class=wikitable
! Value || Name
|-
| 0 || [[#ProcessState|ProcessState]]
|}

== ProcessState ==
{| class=wikitable
! Value || Name || Notes
|-
| 0 || Created ||
|-
| 1 || CreatedAttached ||
|-
| 2 || Started ||
|-
| 3 || Crashed || Processes will not enter this state unless they were created with [[#CreateProcessParameter|EnableDebug]].
|-
| 4 || StartedAttached ||
|-
| 5 || Exiting ||
|-
| 6 || Exited ||
|-
| 7 || DebugSuspended ||
|}

== DebugThreadParam ==
{| class=wikitable
! Value || Name
|-
| 0 || DynamicPriority
|-
| 1 || SchedulingStatus
|-
| 2 || PreferredCpuCore
|-
| 3 || CurrentCpuCore
|-
| 4 || AffinityMask
|}

Dynamic priority: output in out2

Scheduling status: out1 contains bit0: is debug-suspended, bit1: is user-suspended ([[#SetThreadActivity]] 1 or [[#SetProcessActivity]] 1).
Out2 contains {suspended, idle, running, terminating} => {5, 0, 1, 4}

PreferredCpuCore: output in out2

CurrentCpuCore: output in out2

AffinityMask: output in out1

== CreateProcessParameter ==
{| class=wikitable
! Offset || Length || Bits || Description
|-
| 0 || 12 || || ProcessName (doesn't have to be null-terminated)
|-
| 0x0C || 4 || || ProcessCategory (0: regular title, 1: kernel built-in)
|-
| 0x10 || 8 || || TitleId
|-
| 0x18 || 8 || || CodeAddr
|-
| 0x20 || 4 || || CodeNumPages
|-
| 0x24 || 4 || || Flags
|-
| || || Bit0 || Is64BitInstruction
|-
| || || Bit3-1 || [[#AddressSpaceType]]
|-
| || || Bit4 || [2.0.0+] EnableDebug
|-
| || || Bit5 || EnableAslr
|-
| || || Bit6 || IsApplication
|-
| || || Bit7 || [4.0.0] UseSecureMemory
|-
| || || Bit10-7 || [5.0.0+] MemoryRegion (0 = Application, 1 = Applet, 2 = SecureSystem, 3 = NonSecureSystem)
|-
| || || Bit11 || [7.0.0+] OptimizeMemoryAllocation (only allowed in combination with IsApplication)
|-
| 0x28 || 4 || || ResourceLimitHandle (can be zero)
|-
| 0x2C || 4 || || [3.0.0+] SystemResourceNumPages
|}

On [1.0.0] there's only one MemoryRegion.

On [2.0.0-4.0.0] MemoryRegion is 1 for built-ins and 0 for rest.

On [5.0.0] MemoryRegion is specified in CreateProcessArgs. There are now 4 pool partitions.

On [5.0.0] (maybe lower?) a zero ResourceLimitHandle defaults to sysmodule limits and 0x12300000 bytes of memory.

The PersonalMmHeap are allocated as follows:
* For the application, normal insecure pool is used. Carveout 5 is used to provide protection.
* For the applet, a pre-allocated secure pool segment of size 0x400000 is used.
* For sysmodules, secure pool is allocated.

=== AddressSpaceType ===
{| class=wikitable
! Type || Name || Width || Description
|-
| 0 || AddressSpace32Bit || 32 ||
|-
| 1 || AddressSpace64BitOld || 36 ||
|-
| 2 || AddressSpace32BitNoReserved || 32 || Appears to be missing map region [?]
|-
| 3 || [2.0.0+] AddressSpace64Bit || 39 ||
|}

== MemoryInfo ==
{| class=wikitable
! Offset || Length || Description
|-
| 0 || 8 || BaseAddress
|-
| 8 || 8 || Size
|-
| 0x10 || 4 || [[#MemoryType]]
|-
| 0x14 || 4 || [[#MemoryAttribute]]
|-
| 0x18 || 4 || [[#MemoryPermission]]
|-
| 0x1C || 4 || IpcRefCount
|-
| 0x20 || 4 || DeviceRefCount
|-
| 0x24 || 4 || Padding: always zero
|}

== MemoryPermission ==
{| class=wikitable
! Bits || Name || Description
|-
| 0 || Read || Can be set by [[#SetMemoryPermission]].
|-
| 1 || Write || Can be set by [[#SetMemoryPermission]].
|-
| 2 || Execute || Can be set by [[#SetProcessMemoryPermission]] and [[#ControlCodeMemory]].
|-
| 28 || DontCare ||
|}

== MemoryAttribute ==
{| class=wikitable
! Bits || Name || Description
|-
| 0 || Locked || Used by MapMemory, as an async IPC user buffer.
|-
| 1 || IpcLocked || True when IpcRefCount > 0.
|-
| 2 || DeviceShared || True when DeviceRefCount > 0.
|-
| 3 || Uncached ||
|}

== MemoryState ==
{| class=wikitable
! Bits || Description || Meaning
|-
| 7-0 || [[#MemoryType]] ||
|-
| 8 || [[#SetMemoryPermission|FlagCanReprotect]] ||
|-
| 9 || FlagCanDebug || Allows using [[#WriteDebugProcessMemory]] on segments mapped read-only.
|-
| 10 || FlagCanUseIpc || Allows sending this region as an IPC A/B/W buffer with flags=0.
|-
| 11 || FlagCanUseNonDeviceIpc || Allows sending this region as an IPC A/B/W buffer with flags=1.
|-
| 12 || FlagCanUseNonSecureIpc || Allows sending this region as an IPC A/B/W buffer with flags=3.
|-
| 13 || FlagMapped ||
|-
| 14 || [[#SetProcessMemoryPermission|FlagCode]] ||
|-
| 15 || [[#MapMemory|FlagCanAlias]] ||
|-
| 16 || [[#MapProcessCodeMemory|FlagCanCodeAlias]] ||
|-
| 17 || [[#CreateTransferMemory|FlagCanTransfer]] ||
|-
| 18 || [[#QueryPhysicalAddress|FlagCanQueryPhysical]] ||
|-
| 19 || [[#MapDeviceAddressSpace|FlagCanDeviceMap]] ||
|-
| 20 || [[#MapDeviceAddressSpaceAligned|FlagCanAlignedDeviceMap]] ||
|-
| 21 || [[#SendSyncRequestWithUserBuffer|FlagCanIpcUserBuffer]] ||
|-
| 22 || FlagReferenceCounted || The physical memory blocks backing this region are refcounted.
|-
| 23 || [[#MapProcessMemory|FlagCanMapProcess]] ||
|-
| 24 || [[#SetMemoryAttribute|FlagCanChangeAttribute]] ||
|-
| 25 || [4.0.0+] [[#CreateCodeMemory|FlagCanCodeMemory]] ||
|-
| 26 || [15.0.0+] FlagLinearMapped ||
|}

=== MemoryType ===
{| class=wikitable
! Value || Type || Meaning
|-
| 0x00000000 || Free ||
|-
| 0x00002001 || Io || Mapped by kernel capability parsing in [[#CreateProcess]].
|-
| 0x00042002 || Static || Mapped by kernel capability parsing in [[#CreateProcess]].
|-
| 0x00DC7E03 || Code || Mapped during [[#CreateProcess]].
|-
| [1.0.0+]

0x01FEBD04

[4.0.0+]

0x03FEBD04
|| CodeData || Transition from 0xDC7E03 performed by [[#SetProcessMemoryPermission]].
|-
| [1.0.0+]
0x017EBD05

[4.0.0+]

0x037EBD05
|| Normal || Mapped using [[#SetHeapSize]].
|-
| 0x00402006 || Shared || Mapped using [[#MapSharedMemory]].
|-
| 0x00482907 || [1.0.0] Alias || Mapped using [[#MapMemory]].
|-
| 0x00DD7E08 || AliasCode || Mapped using [[#MapProcessCodeMemory]].
|-
| [1.0.0+]

0x01FFBD09

[4.0.0+]

0x03FFBD09
|| AliasCodeData || Transition from 0xDD7E08 performed by [[#SetProcessMemoryPermission]].
|-
| 0x005C3C0A || [[IPC_Marshalling|Ipc]] || IPC buffers with descriptor flags=0.
|-
| 0x005C3C0B || Stack || Mapped using [[#MapMemory]].
|-
| 0x0040200C || [[Thread Local Storage|ThreadLocal]] || Mapped during [[#CreateThread]].
|-
| 0x015C3C0D || Transfered || Mapped using [[#MapTransferMemory]] when the owning process has perm=0.
|-
| 0x005C380E || SharedTransfered || Mapped using [[#MapTransferMemory]] when the owning process has perm!=0.
|-
| 0x0040380F || SharedCode || Mapped using [[#MapProcessMemory]].
|-
| 0x00000010 || Inaccessible ||
|-
| 0x005C3811 || [[IPC_Marshalling|NonSecureIpc]] || IPC buffers with descriptor flags=1.
|-
| 0x004C2812 || [[IPC_Marshalling|NonDeviceIpc]] || IPC buffers with descriptor flags=3.
|-
| 0x00002013 || Kernel || Mapped in kernel during [[#CreateThread]].
|-
| 0x00402214 || [4.0.0+] GeneratedCode || Mapped in kernel during [[#ControlCodeMemory]].
|-
| 0x00402015 || [4.0.0+] CodeOut || Mapped in kernel during [[#ControlCodeMemory]].
|-
| 0x00002016 || [13.0.0+] Coverage ||
|-
| 0x05583817 || [15.0.0+] Insecure ||
|}

== ArbitrationType ==
{| class=wikitable
! Value || Type
|-
| 0x0 || WaitIfLessThan
|-
| 0x1 || DecrementAndWaitIfLessThan
|-
| 0x2 || WaitIfEqual
|}

== SignalType ==
{| class=wikitable
! Value || Type
|-
| 0x0 || Signal
|-
| 0x1 || SignalAndIncrementIfEqual
|-
| 0x2 || SignalAndModifyBasedOnWaitingThreadCountIfEqual
|}

== ContinueDebugFlagsOld ==
[1.0.0-2.3.0]
{| class=wikitable
! Bit || Bitmask || Description
|-
| 0 || 1 || IgnoreException (note: ResumeAllThreads or debug-suspended-thread-id needed)
|-
| 1 || 2 || SwallowException
|-
| 2 || 4 || ResumeAllThreads
|}

== ContinueDebugFlags ==
[3.0.0+]
{| class=wikitable
! Bit || Bitmask || Description
|-
| 0 || 1 || IgnoreException (note: doesn't need to be set in the same call than Resume)
|-
| 1 || 2 || DontCatchExceptions
|-
| 2 || 4 || Resume
|-
| 3 || 8 || IgnoreOtherThreadsExceptions
|}

IgnoreExceptionsOfOthers is like IgnoreException but acts on all threads that aren't in the input list. The affected threads are resumed.

Only one of of Resume and IgnoreOtherThreadsExceptions can be set at a time.

If the input number of threads is 0, this means "all threads".

== DebugEventInfo ==
The below table is for the Aarch64 version of the system call. For A32, all u64 fields but title/process/thread id are actually u32, making the structure 0x28-byte-big (0x40 for a64).

Size: 0x40

{| class=wikitable
! Offset || Length || Description
|-
| 0 || u32 || EventType
|-
| 4 || u32 || Flags (bit0: NeedsContinue)
|-
| 8 || u64 || ThreadId
|-
| 0x10 || || PerTypeSpecifics
|}

AttachProcess specific:
{| class=wikitable
! Offset || Length || Description
|-
| 0x10 || u64 || TitleId
|-
| 0x18 || u64 || ProcessId
|-
| 0x20 || char[12] || ProcessName
|-
| 0x2C || u32 || MmuFlags
|-
| 0x30 || u64 || [5.0.0+] UserExceptionContextAddr
|}

AttachThread specific:
{| class=wikitable
! Offset || Length || Description
|-
| 0x10 || u64 || ThreadId
|-
| 0x18 || u64 || TlsPtr
|-
| 0x20 || u64 || Entrypoint
|}

Exit specific:
{| class=wikitable
! Offset || Length || Description
|-
| 0x10 || u32|| Type (0=PausedThread, 1=RunningThread, 2=ExitedProcess, 3=TerminatedProcess)
|}

Exception specific:
{| class=wikitable
! Offset || Length || Description
|-
| 0x10 || u32 || ExceptionType
|-
| 0x18 || u64 || FaultRegister
|-
| 0x20 || || PerExceptionSpecifics
|}

=== DebugEventType ===
{| class=wikitable
! Value || Name
|-
| 0 || AttachProcess
|-
| 1 || AttachThread
|-
| 2 || ExitProcess
|-
| 3 || ExitThread
|-
| 4 || Exception
|}

=== DebugExceptionType ===
{| class=wikitable
! Value || Name
|-
| 0 || Trap (*)
|-
| 1 || InstructionAbort
|-
| 2 || DataAbortMisc (**)
|-
| 3 || PcSpAlignmentFault
|-
| 4 || DebuggerAttached
|-
| 5 || BreakPoint
|-
| 6 || UserBreak
|-
| 7 || DebuggerBreak
|-
| 8 || BadSvcId
|-
| 9 || [2.0.0+] SError
|}

<nowiki>*</nowiki> Undefined instructions, software breakpoints, some other traps.

<nowiki>**</nowiki> Data aborts, FP traps, and everything else that doesn't belong to any of the above.

Trap specifics:
{| class=wikitable
! Offset || Length || Description
|-
| 0x20 || u32 || Opcode
|}

BreakPoint specifics:
{| class=wikitable
! Offset || Length || Description
|-
| 0x20 || u32 || IsWatchpoint
|}

UserBreak specifics:
{| class=wikitable
! Offset || Length || Description
|-
| 0x20 || u32 || Info0
|-
| 0x28 || u64 || Info1
|-
| 0x30 || u64 || Info2
|}

BadSvcId specifics:
{| class=wikitable
! Offset || Length || Description
|-
| 0x20 || u32 || SvcId
|}

= Exception handling =
First of all, a function that might be called by synchronous exception handler and that is called by the SError handler fetches the exception info, adjusts PC, panics on exceptions taken from EL1, then dispatches the exception.

The dispatcher has two mutually exclusive exception reporting methods:
* by storing information at the start of the process's TLS memregion (TPIDRRO_EL0) and jumping back to the crt0
* by using KDebug

KDebug dispatching is used when at least one of the following conditions are met:
* SMC ConfigItem KernelMemConfig bit 1 is NOT set (it isn't on retail), unless: this is a software or hardware breakpoint, or a watchpoint, or [4.0.0+?] the process is attached and this is a Google PNaCl trap instruction (see LLVM source)
* FAR doesn't point to a valid address in mapped-readable CodeStatic memory (i.e. this is the case for NRO and JIT memory) or this is one of the following exceptions (it particular, that doesn't include FP exceptions occurring in CodeStatic memory):
** Uncategorized
** IllegalState
** SupervisorCallA32
** SupervisorCallA64
** PCAlignment
** SPAlignment
** SError
** BreakpointLowerEl
** SoftwareStepLowerEl (note: no way set single-step flag; not parsed)
** WatchpointLowerEl
** SoftwareBreakpointA32 (note: not parsed)
** SoftwareBreakpointA64 (note: not parsed)

In all other cases the userland-handled exception path is taken.

KDebug path:

If the process is attached, the exception is reported to the KDebug. If the thread was continued using flag IgnoreExceptions, it returns from the exception as if nothing happened.

If the latter is not the case, or if the process isn't attached, proceed to [2.0.0+] crash reporting (or in [1.0.0] just terminate the process):
if EnableDebug is set, and depending on the process state (more than one crash per process isn't permitted) it may signal itself with ProcessState_Crashed so that PM asks NS to start creport so that creport attaches to it and reports the crashes. Otherwise, just terminate.

Userland reporting path and [[#ReturnFromException]]:

TLS region start (A64):
{| class=wikitable
! Offset || Length || Description
|-
| 0x0 || 0x148 || Exception stack
|-
| 0x148 || 0x78 || ExceptionFrameA64
|}

ExceptionFrameA64:
{| class=wikitable
! Offset || Length || Description
|-
| 0x0 || 0x48 (8*9) || GPRs 0..8.
|-
| 0x48 || 0x8 || lr
|-
| 0x50 || 0x8 || sp
|-
| 0x58 || 0x8 || pc (elr_el1)
|-
| 0x60 || 0x4 || pstate & 0xFF0FFE20
|-
| 0x64 || 0x4 || afsr0
|-
| 0x68 || 0x4 || afsr1
|-
| 0x6C || 0x4 || esr
|-
| 0x70 || 0x8 || far
|}

TLS region start (A32):
{| class=wikitable
! Offset || Length || Description
|-
| 0x0 || 0x178 || Exception stack
|-
| 0x148 || 0x44 || ExceptionFrameA32
|}

ExceptionFrameA32:
{| class=wikitable
! Offset || Length || Description
|-
| 0x0 || 0x20 (8*4) || GPRs 0..7.
|-
| 0x20 || 0x4 || sp
|-
| 0x24 || 0x4 || lr
|-
| 0x28 || 0x4 || pc (elr_el1)
|-
| 0x2C || 0x4 || tpidr_el0 = 1
|-
| 0x30 || 0x4 || cpsr & 0xFF0FFE20
|-
| 0x34 || 0x4 || afsr0
|-
| 0x38 || 0x4 || afsr1
|-
| 0x3C || 0x4 || esr
|-
| 0x40 || 0x4 || far
|}

In that case, after storing the regs in the TLS, the exception handler returns to the application's crt0 (entrypoint), with X0=<error description code> (see below) and X1=SP=frame=<stack top> (see above)

{| class=wikitable
! Desc. code || Meaning
|-
| 0x100 || Instruction abort
|-
| 0x102 || Misaligned PC
|-
| 0x103 || Misaligned SP
|-
| 0x106 || [2.0.0+] SError
|-
| 0x301 || Bad SVC
|-
| 0x104 || Uncategorized, CP15RTTrap, CP15RRTTrap, CP14RTTrap, CP14RRTTrap, IllegalState, SystemRegisterTrap
|-
| 0x101 || None of the above, EC <= 0x34 and not a breakpoint
|-
|}

(During normal app boot the process is invoked with X0=0 and X1=main_thread_handle. The crt0 of retail apps determines whether to boot normally or handle an exception if X0 is set to 0 or not)

The application is supposed to promptly update the contents of elr_el1 to a user handler (and any other regs it sees fit) and call [[#ReturnFromException]] (error code) to call that handler. The latter is then expected to promptly abort the program.

[[#ReturnFromException]] updates the contents of the kernel stack frame with what the user provided in the TLS structure, sets TPIDR_EL0 to 1, then:
* if the provided error code is 0, gracefully pivots and returns from exception
* if it is not, replays the exception and pass it to the KDebug (see above). One can pass 0x10001 to prevent process termination. If the process is attached, this also prevents crash-collection/termination (different from the exception handler behavior)

If an exception occurs from the above user handler, the entire exception handling process will repeat with the new exception.

Note that if a thread that wasn't faulting calls [[#ReturnFromException]], it signals an "invalid syscall" exception

Note that [[SMC|IsDebugMode]] is not used during exception-handling, except for enabling printing a message to UART-A. This UART code causes a system-hang on retail (likely due to a loop that doesn't exit). This printing doesn't seem to run when the process is attached for debugging?

17.0.0

2023-10-11T04:16:53Z

SciresM: secmon diff

The Switch 17.0.0 system update was released on October 11, 2023 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware.
** Applets: qlaunch, controller, error, playerSelect, LibAppletWeb, LibAppletShop, LibAppletOff, LibAppletLns, LibAppletAuth.

[[NPDM]] changes (besides usual version-bump):
* nifm: Service access: added ifcfg, nettc:nd, nettc:nu, removed bsdcfg.
* bsdsocket: Service server access: added ifcfg.
* audio: Service access: removed set:fd.
* wlan: Name updated: wlan -> wlan.autogen.
* ldn: Service access: added ifcfg, removed bsdcfg.
* pcie: Service access: added i2c.
* account: Service access: added caps:dc.
* ns: Service access: added hid.
* npns: Service access: added time:u.
* migration: Fac.FsAccessFlag updated: set bitmask 0x0000000200001000 (ImageManager, SaveDataTransferVersion2).
* qlaunch: Service access: added htcs:sys.
* controller: Service access: added htcs:sys.
* error: Service access: added htcs:sys.
* playerSelect: Service access: added htcs:sys.
* LibAppletWeb: Service access: added htcs:sys.
* LibAppletShop: Service access: added htcs:sys.
* LibAppletOff: Service access: added htcs:sys.
* LibAppletLns: Service access: added htcs:sys.
* LibAppletAuth: Service access: added htcs:sys.

RomFs changes:
* ErrorMessage: updated
* BrowserDll:
** "/buildinfo/buildinfo.dat" updated
** "/nro/netfront/": Various data updated.
* Help: "/legallines.htdocs/index.html" updated
* NgWord: updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* TimeZoneBinary: updated
* [[System_Settings|FirmwareDebugSettings/PlatformConfigAula]]: All files updated.
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* NgWordT: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* controller applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* error applet: "/lyt/common.szs" updated, "/lyt/Error.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated
* playerSelect applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.

=== IPC Interface Changes ===
* The following interfaces were removed:
** nn::fgm::sf::IDebugger
* The following interfaces were added:
** nn::account::nas::IDeviceHistoryRequest
** nn::hshl::IBridgeSession
* The following interfaces were changed:
** nn::account::IAccountEntityServiceForAccountPolicy
*** Added command 213 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 214 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 215 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
** nn::account::IAccountServiceForAdministrator
*** Added command 213 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 214 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 215 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
** nn::account::baas::IAdministrator
*** Added command 170 - inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IDeviceHistoryRequest']
** nn::account::baas::IManagerForSystemService
*** Added command 170 - inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IDeviceHistoryRequest']
** nn::account::nas::IOAuthProcedureForUserRegistration
*** Added command 200 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
*** Added command 205 - inbytes: 0x0, outbytes: 0x10
*** Added command 210 - inbytes: 0x0, outbytes: 0x1
*** Added command 220 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
*** Added command 221 - buffers: [0x5], inbytes: 0x21, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** nn::am::service::IAppletCommonFunctions
*** Added command 300 - inbytes: 0x0, outbytes: 0x8
** nn::am::service::ICommonStateGetter
*** Added command 600 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 910 - inbytes: 0x0, outbytes: 0x8
** nn::am::service::IDebugFunctions
*** Added command 52 - inbytes: 0x4, outbytes: 0x8
** nn::am::service::ILibraryAppletSelfAccessor
*** Added command 160 - inbytes: 0x0, outbytes: 0x8
** nn::apm::ISystemManager
*** Added command 8 - inbytes: 0x0, outbytes: 0x4
** nn::arp::detail::IReader
*** Changed command 2 - outbytes: 0x1 -> 0x10 (final state: inbytes: 0x8, outbytes: 0x10)
** nn::arp::detail::IUpdater
*** Changed command 1 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** nn::audio::detail::IAudioDevice
*** Added command 15 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
*** Added command 16 - inbytes: 0x8, outbytes: 0x0
*** Added command 17 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
*** Added command 18 - inbytes: 0x8, outbytes: 0x0
** nn::audio::detail::IAudioSnoopManager
*** Removed command 1 - inbytes: 0x0, outbytes: 0x0
*** Removed command 6 - inbytes: 0x0, outbytes: 0x4
** nn::audioctrl::detail::IAudioController
*** Added command 19 - inbytes: 0x1, outbytes: 0x0
*** Added command 20 - inbytes: 0x0, outbytes: 0x1
*** Removed command 27 - buffer_entry_sizes: [0x4], buffers: [0x5], inbytes: 0x4, outbytes: 0x0
** nn::bsdsocket::cfg::ServerInterface
*** Added command 16 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 17 - buffers: [0x5], inbytes: 0x8, outbytes: 0x8, pid: True
*** Added command 18 - buffers: [0x5, 0x6, 0x6, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 19 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 20 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 21 - buffers: [0x5, 0x6], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 22 - buffers: [0x5, 0x6, 0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 23 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 50 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 51 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 52 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 53 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 54 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 55 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 56 - buffers: [0x5, 0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 57 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 58 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 100 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 120 - buffer_entry_sizes: [0x20, 0x0], buffers: [0x6, 0x21], inbytes: 0x18, outbytes: 0x8
*** Added command 130 - buffers: [0x6], inbytes: 0x20, outbytes: 0x8
*** Added command 140 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 150 - buffer_entry_sizes: [0x400], buffers: [0x16], inbytes: 0x18, outbytes: 0x0
*** Changed command 50000 - buffers: [0x6, 0x6] -> [0x6] (final state: buffers: [0x6], inbytes: 0x18, outbytes: 0x8)
** nn::capsrv::sf::IAlbumApplicationService
*** Added command 145 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x20, outbytes: 0x8, pid: True
*** Added command 146 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x30, outbytes: 0x8, pid: True
*** Added command 147 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x20, outbytes: 0x8, pid: True
** nn::capsrv::sf::IDecoderControlService
*** Added command 4001 - buffers: [0x46, 0x5], inbytes: 0x28, outbytes: 0x8
** nn::dp2hdmi::detail::IDp2hdmiController
*** Added command 9 - inbytes: 0x0, outbytes: 0x10
** nn::erpt::sf::IContext
*** Changed command 10 - inbytes: 0x8 -> 0xC (final state: buffers: [0x5, 0x5, 0x5], inbytes: 0xC, outbytes: 0x0)
*** Added command 12 - buffers: [0x5, 0x5, 0x5], inbytes: 0xC, outbytes: 0x0
** nn::es::IActiveRightsContext
*** Removed command 212 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** nn::es::IETicketService
*** Changed command 1006 - buffer_entry_sizes: [0x48, 0x10] -> [0x50, 0x10] (final state: buffer_entry_sizes: [0x50, 0x10], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x4)
*** Added command 1023 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
*** Added command 1024 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x10, outbytes: 0x4
*** Added command 1025 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
*** Added command 1026 - buffer_entry_sizes: [0x10, 0x0], buffers: [0x6, 0x5], inbytes: 0x8, outbytes: 0x4
*** Added command 1027 - buffer_entry_sizes: [0x10, 0x0], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x4
*** Removed command 2002 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Removed command 2003 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** nn::friends::detail::ipc::IServiceCreator
*** Changed command 2 - outinterfaces: ['0x710007990C'] -> ['0x710007AF24'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710007AF24'])
** nn::fssrv::sf::IDeviceOperator
*** Added command 6 - inbytes: 0x0, outbytes: 0xC
*** Added command 117 - inbytes: 0x18, outbytes: 0x0
*** Added command 221 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** nn::fssrv::sf::IFileSystemProxy
*** Added command 618 - buffer_entry_sizes: [0x301], buffers: [0x19], inbytes: 0x1, outbytes: 0x8
** nn::fssrv::sf::IFileSystemProxyForLoader
*** Changed command 0 - buffer_entry_sizes: [0x124, 0x301] -> [0x301, 0x0], buffers: [0x1A, 0x19] -> [0x19, 0x6] (final state: buffer_entry_sizes: [0x301, 0x0], buffers: [0x19, 0x6], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
** nn::fssrv::sf::ISaveDataTransferManagerForSaveDataRepair
*** Changed command 110 - buffers: [0x5] -> [0x5, 0x5], inbytes: 0x28 -> 0x18 (final state: buffers: [0x5, 0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter'])
** nn::fssrv::sf::ISaveDataTransferManagerWithDivision
*** Added command 63 - buffer_entry_sizes: [0x200, 0x0], buffers: [0x19, 0x5], inbytes: 0x2, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
*** Removed command 67 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** nn::gpio::IPadSession
*** Removed command 6 - inbytes: 0x0, outbytes: 0x4
*** Removed command 7 - inbytes: 0x0, outbytes: 0x0
** nn::grcsrv::IContinuousRecorder
*** Added command 4 - inbytes: 0x0, outbytes: 0x0
** nn::hid::IHidDebugServer
*** Added command 217 - inbytes: 0x10, inhandles: [1], outbytes: 0x8
*** Added command 351 - inbytes: 0x0, outbytes: 0x4
*** Added command 352 - inbytes: 0x0, outbytes: 0x0
** nn::hid::IHidServer
*** Added command 213 - inbytes: 0x20, outbytes: 0x0, pid: True
*** Added command 214 - buffer_entry_sizes: [0x4, 0x10], buffers: [0x9, 0x9], inbytes: 0x10, outbytes: 0x0
*** Added command 311 - inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 312 - inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 1004 - inbytes: 0x10, outbytes: 0x0, pid: True
** nn::hid::IHidSystemServer
*** Added command 1320 - inbytes: 0x0, outbytes: 0x0
*** Added command 1321 - inbytes: 0x0, outbytes: 0x0
** nn::hshl::IManager
*** Added command 9 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::hshl::IBridgeSession']
*** Added command 10 - inbytes: 0x0, outbytes: 0x1
** nn::hshl::ISetterManager
*** Added command 3 - inbytes: 0x1, outbytes: 0x0
** nn::migration::savedata::IClient
*** Added command 304 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** nn::migration::savedata::IServer
*** Added command 3 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** nn::migration::user::IService
*** Added command 1110 - buffer_entry_sizes: [0x100, 0x8], buffers: [0x19, 0x5], inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::migration::savedata::IServer']
** nn::mnpp::detail::ipc::IServiceForWebBrowser
*** Added command 100 - buffers: [0x5, 0x5, 0x6], inbytes: 0x10, outbytes: 0x0
** nn::ncm::IContentMetaDatabase
*** Added command 26 - inbytes: 0x10, outbytes: 0x1
** nn::ncm::IContentStorage
*** Added command 30 - inbytes: 0x11, outbytes: 0x8
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Added command 45 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
** nn::nim::detail::INetworkInstallManager
*** Added command 142 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 143 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 144 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 3000 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 3001 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** nn::nim::detail::IShopServiceAccessServerInterface
*** Added command 5 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::nim::detail::IShopServiceAccessServer'], pid: True
** nn::npns::INpnsSystem
*** Added command 35 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
*** Added command 36 - inbytes: 0x10, outbytes: 0x0
*** Added command 40 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 41 - inbytes: 0x0, outbytes: 0x10
*** Added command 42 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0
*** Added command 43 - inbytes: 0x18, outbytes: 0x0
*** Added command 44 - buffer_entry_sizes: [0x10], buffers: [0x9], inbytes: 0x0, outbytes: 0x0
*** Added command 50 - buffers: [0x9, 0x5], inbytes: 0x0, outbytes: 0x0
** nn::ns::detail::IApplicationManagerInterface
*** Removed command 84 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Removed command 2521 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 2523 - inbytes: 0x8, outbytes: 0x8
*** Added command 3100 - inbytes: 0x0, outbytes: 0x10
*** Added command 3101 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
*** Added command 3102 - inbytes: 0x0, outbytes: 0x0
** nn::olsc::srv::IOlscServiceForSystemService
*** Added command 10000 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IOlscServiceForSystemService']
** nn::omm::srv::IDisplayLayerControl
*** Removed command 600 - buffer_entry_sizes: [0x4B8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 610 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 611 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 612 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 900 - buffers: [0x45], inbytes: 0x0, outbytes: 0x0
** nn::pdm::detail::INotifyService
*** Changed command 0 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** nn::pinmux::ISession
*** Added command 3 - inbytes: 0x1, outbytes: 0x0
*** Added command 4 - inbytes: 0x0, outbytes: 0x1
*** Added command 5 - inbytes: 0x1, outbytes: 0x0
*** Added command 6 - inbytes: 0x0, outbytes: 0x1
*** Added command 7 - inbytes: 0x4, outbytes: 0x0
*** Added command 8 - inbytes: 0x0, outbytes: 0x4
*** Added command 9 - inbytes: 0x4, outbytes: 0x0
*** Added command 10 - inbytes: 0x0, outbytes: 0x4
** nn::pl::detail::IPlatformServiceManagerForSystem
*** Added command 107 - inbytes: 0x18, outbytes: 0x0
** nn::psc::sf::IPmControl
*** Added command 7 - inbytes: 0xC, outbytes: 0x0
** nn::psm::IPsmServer
*** Changed command 17 - outbytes: 0x40 -> 0x54 (final state: inbytes: 0x0, outbytes: 0x54)
** nn::settings::ISystemSettingsServer
*** Added command 221 - inbytes: 0x0, outbytes: 0x1
*** Added command 222 - inbytes: 0x1, outbytes: 0x0
** nn::socket::sf::IClient_MC
*** Added command 35 - buffers: [0x21, 0x22], inbytes: 0x8, outbytes: 0x8
** nn::spsm::detail::IPowerStateInterface
*** Added command 12 - inbytes: 0x0, outbytes: 0x0
*** Added command 13 - inbytes: 0x0, outbytes: 0x0
*** Added command 14 - inbytes: 0x1, outbytes: 0x0
** nn::ts::server::IMeasurementServer
*** Removed command 0 - inbytes: 0x1, outbytes: 0x8
*** Removed command 1 - inbytes: 0x1, outbytes: 0x4
** nn::ts::server::ISession
*** Added command 5 - inbytes: 0x4, outbytes: 0x0
*** Added command 6 - inbytes: 0x4, outbytes: 0x0
*** Added command 7 - inbytes: 0x0, outbytes: 0x4
** nn::uart::IManager
*** Removed command 0 - inbytes: 0x4, outbytes: 0x1
*** Removed command 1 - inbytes: 0x4, outbytes: 0x1
*** Removed command 2 - inbytes: 0x8, outbytes: 0x1
*** Removed command 3 - inbytes: 0x8, outbytes: 0x1
*** Removed command 4 - inbytes: 0x8, outbytes: 0x1
*** Removed command 5 - inbytes: 0x8, outbytes: 0x1
*** Removed command 7 - inbytes: 0x8, outbytes: 0x1
*** Removed command 8 - inbytes: 0x8, outbytes: 0x1
*** Removed command 9 - inbytes: 0x8, outbytes: 0x1
*** Removed command 10 - inbytes: 0x8, outbytes: 0x1
** nn::wlan::detail::IPrivateWirelessCommunicationService
*** Removed command 1 - inbytes: 0x4, outbytes: 0x0
*** Changed command 19 - inbytes: 0x4 -> 0x1 (final state: inbytes: 0x1, outbytes: 0x0)
*** Removed command 20 - inbytes: 0x0, outbytes: 0x0
*** Removed command 21 - inbytes: 0x0, outbytes: 0x4
*** Removed command 22 - inbytes: 0x1, outbytes: 0x0
** nn::wlan::detail::IWirelessCommunicationService
*** Changed command 94 - buffer_entry_sizes: [0x20] -> [0x28] (final state: buffer_entry_sizes: [0x28], buffers: [0xA], inbytes: 0x0, outbytes: 0x4)
*** Added command 200 - inbytes: 0x4, outbytes: 0x0
*** Added command 201 - inbytes: 0x0, outbytes: 0x0
*** Added command 202 - inbytes: 0x0, outbytes: 0x4
*** Added command 203 - inbytes: 0x4, outbytes: 0x0

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_10 (previously master_key_0f). See [[NCA]] for the KeyGeneration listing.

[[Package2|INI1]] changes:
* BootImagePackage:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.
* BootImagePackageSafe:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.
* BootImagePackageExFat:
** 0100000000000005 (boot): SVC access: added CreateEvent.
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
* BootImagePackageExFatSafe:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.

The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].

==== Secure Monitor ====
* Support for a new EsCommonKeyType was added (type = 2).
** Previously, only 0 (TitleKey) and 1 (ArchiveKey) were supported.
** Correspondingly, PrepareEsDeviceUniqueKeyOption's type field is now bits 6-7 instead of just bit 6.

==== Kernel ====
* Compiler/libc changes:
** The kernel is now linked using RELR for relocations instead of RELA (see compiler support in lld for .relr.dyn).
** This greatly reduces the relocations segment size; it has decreased from 0x3A50 bytes in 16.0.0 to 0x90 in 17.0.0.
** Many minor optimization changes, e.g. mul+add -> madd, madd -> smaddl/umaddl, (a + b - 1) >> 36 is now (a + b) > 0x1000000000, various reordering.
* crt0 changes:
** crt0 is no longer located at _start, instead _start is `b crt0` followed by 0x7FC of zeroes.
** crt0 is now located at the start of .rodata.
*** The crt0 page is now identity-mapped R-X in .rodata instead of RWX at start-of-text.
** Many system registers which were previously set from KInitArguments are now set using a register constants table in the crt0 .rodata segment.
*** These are ttbr0_el1, ttbr1_el1, tcr_el1, mair_el1, and sctlr_el1.
*** This table is initially zeroes, and is initialized to the correct values by KernelLdr before returning to Kernel/setting permissions.
** Kernel Map now stores offsets relative to itself rather than relative to _start.
*** Kernel map also now stores an additional offset (to the "register constants").
** The big idea here is to make the crt0 page no longer executable after init.
*** This mitigates the ability to execute gadgets (via ROP/etc) to set TTBR1_EL1 (and other important registers) to user-controlled values.
**** The *only* ttbr1_el1 gadget in all of kernel now sets it to the constant in .rodata, which can't be modified after KernelLdr finishes.
*** This also enables setting the WXN bit while still identity-mapped, instead of having to do it later in boot.
* KernelLdr changes:
** INI1 is now used in-place, if KSystemControl does not have a preferred layout.
* Initialize0 changes:
** Initialize0 now receives the initial process binary size from KernelLdr and stores it in a global.
*** Initialize1 forwards this to the rest of the kernel as with the address.
** Initialize0 no longer memsets the slab region to zero before calling the ifdef'd out function for the unknown debug region.
*** This is now done by InitializeSlabHeaps().
* All exception returns now migitate post-eret speculative execution.
** All "eret" instructions are now "eret; dsb nsh; isb;"
* KInitialPageAllocator::Allocate(Aligned) now memsets the pages to zero before returning them to the caller.
** Correspondingly, KInitialPageTable no longer memsets those pages to zero after allocating them.
* KInitialProcessReader::CreateProcessParameter now ands sizes with 0x1FFFFF000 before overflow checking.
** This may actually just be compiler-garbage due to the types being u32-cast-to-higher-width?
* CreateAndStartInitialProcesses changes:
** A difference check is now an != when allocating page group.
** Segment loading/uncompressing has now been refactored:
*** The entire page group is no longer mapped while loading the segments.
*** KInitialProcessReader::Load is now responsible; it now takes the page group as argument, clears bss (using linear map), and then calls a helper to load each segment.
**** This helper creates a page group for just the pages relevant to the segment, copies the data (using linear map), and then if compressed maps the page group, uncompresses, and unmaps.
* KMemoryRegionType had a number of large changes:
** A new memory type is now inserted after the SecureAppletMemory region (id is 0xC200028E).
** Low 0x2 ID derivations changed to accommodate this.
** As a knock-on effect(?) type IDs for pool partitions changed substantially (likely due to derivation changes elsewhere).
* New KProcess field ("has application system resource").
** This is set to 1 when initializing a KProcess with CreateProcessFlag_IsApplication and system_resource_num_pages == 0.
** When this is true, svc::GetInfo() always returns 0 for InfoType_SystemResourceSizeTotal and InfoType_SystemResourceSizeUsed.
*** This also modifies the calculations for various SystemResourceSize calculations.
*** MapPhysicalMemory() and UnmapPhysicalMemory() will also now return svc::ResultInvalidState().
* The KProcess::Initialize() overload used by initial processes now supports system_resource_num_pages != 0 (and allocates a system resource in this case).
** NOTE: KInitialProcessReader::CreateProcessParameter still hardcodes param->system_resource_num_pages = 0 for all KIPs.
* Changes to KPageTable(Base) around KMemoryState:
** There is no longer a bijective mapping between svc::MemoryState and kern::KMemoryState.
** In particular, KMemoryState_Io has been split into two memory states:
*** KMemoryState_Io(Register) no longer has bit 13 (0x2000) set (new value is 0x180001).
*** For memory mapped with SvcMapIoRegion called with svc::MemoryMapping_Memory, KMemoryState_Io(Memory) retains that bit set (value is 0x182001).
*** KPageTableBase functions dealing with Io mappings now take in MemoryState arguments, and/or MemoryMapping arguments (for the IoRegion functions).
** KMemoryState_ThreadLocal no longer has bit 13 (0x2000) set (new value is 0x400000C).
** KMemoryState_Kernel no longer has bit 13 (0x2000) set (new value is 0x13).
** KMemoryState_Static no longer has bit 13 (0x2000) set (new value is 0x40002).
** KMemoryState_Insecure now supports FlagCanQueryPhysical (new value is 0x55C3817).
** To accommodate this, KPageTableBase::QueryMapping/Contains/GetRegionAddress/GetRegionSize now take an svc::MemoryState (u8) instead of the full KMemoryState.
*** In a (presumably) happy accident, this produces much, much better assembly for the switch statement.
** KPageTableBase::CheckMemoryState was made ALWAYS_INLINE and now calls an impl-func which takes KMemoryBlock * as argument.
* KPageTableBase::MapPageGroup no longer sets the io bit in page properties.
** This is the overload used by process creation.
* KMemoryBlockManager::UpdateIfMatch now takes set_disable_attr, clear_disable_attr.
** KPageTableBase::MapPhysicalMemory passes true for set_disable_attr if the address is exactly the start of the alias region.
* KPageTableBase::UnmapPhysicalMemory now passes clear_disable_attr = 1 to KMemoryManager::Update if the address is exactly the start of the alias region.
* KProcessPageTable::Initialize no longer has an unused truncated-process-id argument.
* Changes to KPageTable(Base) mapping for first-reference:
** KPageTable::Operate is no longer allowed to take MapFirst as operation.
** KPageTable::MapContiguousWithBaseAttribute no longer supports not_first argument, always calls OpenAdditionalReference.
** KPageTable::OperateOnPageGroup is now allowed to take MapFirst as operation, and MapWithPageGroup can now call OpenFirst or OpenAdditional for page group references.
** KPageTableBase::AllocatePageGroupAndOperate now passes MapFirst.
* Miscellaneous page table changes:
** KSupervisorPageTable::Initialize now checks that the WXN bit is set in sctlr_el1 instead of setting it.
** KPageTable::Finalize now calls a second OnFinalize() stub after NoteUpdated().
* KPageTableBase::MapStatic alignment checks were loosened/changed.
* New KMemoryAttribute bit 0x10 ("PermissionLocked").
** This can be set via SvcSetMemoryAttribute.
*** NOTE: Once set, this bit is irrevocable and can never be unset.
**** This is to enable relro (read only relocations).
*** This requires a new KMemoryStateFlag (bit 27) "FlagCanPermissionLock", which is set only on CodeData and AliasCodeData.
** KPageTable::SetMemoryAttribute now calls a new KMemoryBlockManager::UpdateAttributes function specifically for updating the attributes.
** This bit is allowed to be set when unmapped CodeMemory (as it can be set on (Alias)CodeData).
* HandleException now uses UserspaceAccess functions to retrieve the instruction when EsrEc is Unknown, IllegalState, Bkpt, or Brk.
* InvalidateProcessDataCache now special-cases being called on the current process, with a simpler (new) KPageTableBase function.
* Changes around signaling/thread termination.
** KThread::BeginTerminate no longer calls NotifyAvailable on the thread.
** KThread::DoWorkerTask now acquires the scheduler lock and calls NotifyAvailable on the thread.
** KThread and KProcess exit now use separate KWorkerTaskManagers (0 = Thread, 1 = Process).
*** Main() now initializes the two KWorkerTaskManagers, and now aborts if their priorities (both constant 11) are zero.
* KSleepManager's no longer saves and restores tcr_el1 when saving/restoring system registers.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2023-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

17.0.0

2023-10-11T04:00:12Z

SciresM: Add kernel diff

The Switch 17.0.0 system update was released on October 11, 2023 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware.
** Applets: qlaunch, controller, error, playerSelect, LibAppletWeb, LibAppletShop, LibAppletOff, LibAppletLns, LibAppletAuth.

[[NPDM]] changes (besides usual version-bump):
* nifm: Service access: added ifcfg, nettc:nd, nettc:nu, removed bsdcfg.
* bsdsocket: Service server access: added ifcfg.
* audio: Service access: removed set:fd.
* wlan: Name updated: wlan -> wlan.autogen.
* ldn: Service access: added ifcfg, removed bsdcfg.
* pcie: Service access: added i2c.
* account: Service access: added caps:dc.
* ns: Service access: added hid.
* npns: Service access: added time:u.
* migration: Fac.FsAccessFlag updated: set bitmask 0x0000000200001000 (ImageManager, SaveDataTransferVersion2).
* qlaunch: Service access: added htcs:sys.
* controller: Service access: added htcs:sys.
* error: Service access: added htcs:sys.
* playerSelect: Service access: added htcs:sys.
* LibAppletWeb: Service access: added htcs:sys.
* LibAppletShop: Service access: added htcs:sys.
* LibAppletOff: Service access: added htcs:sys.
* LibAppletLns: Service access: added htcs:sys.
* LibAppletAuth: Service access: added htcs:sys.

RomFs changes:
* ErrorMessage: updated
* BrowserDll:
** "/buildinfo/buildinfo.dat" updated
** "/nro/netfront/": Various data updated.
* Help: "/legallines.htdocs/index.html" updated
* NgWord: updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* TimeZoneBinary: updated
* [[System_Settings|FirmwareDebugSettings/PlatformConfigAula]]: All files updated.
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* NgWordT: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* controller applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* error applet: "/lyt/common.szs" updated, "/lyt/Error.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated
* playerSelect applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.

=== IPC Interface Changes ===
* The following interfaces were removed:
** nn::fgm::sf::IDebugger
* The following interfaces were added:
** nn::account::nas::IDeviceHistoryRequest
** nn::hshl::IBridgeSession
* The following interfaces were changed:
** nn::account::IAccountEntityServiceForAccountPolicy
*** Added command 213 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 214 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 215 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
** nn::account::IAccountServiceForAdministrator
*** Added command 213 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 214 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 215 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
** nn::account::baas::IAdministrator
*** Added command 170 - inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IDeviceHistoryRequest']
** nn::account::baas::IManagerForSystemService
*** Added command 170 - inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IDeviceHistoryRequest']
** nn::account::nas::IOAuthProcedureForUserRegistration
*** Added command 200 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
*** Added command 205 - inbytes: 0x0, outbytes: 0x10
*** Added command 210 - inbytes: 0x0, outbytes: 0x1
*** Added command 220 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
*** Added command 221 - buffers: [0x5], inbytes: 0x21, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** nn::am::service::IAppletCommonFunctions
*** Added command 300 - inbytes: 0x0, outbytes: 0x8
** nn::am::service::ICommonStateGetter
*** Added command 600 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 910 - inbytes: 0x0, outbytes: 0x8
** nn::am::service::IDebugFunctions
*** Added command 52 - inbytes: 0x4, outbytes: 0x8
** nn::am::service::ILibraryAppletSelfAccessor
*** Added command 160 - inbytes: 0x0, outbytes: 0x8
** nn::apm::ISystemManager
*** Added command 8 - inbytes: 0x0, outbytes: 0x4
** nn::arp::detail::IReader
*** Changed command 2 - outbytes: 0x1 -> 0x10 (final state: inbytes: 0x8, outbytes: 0x10)
** nn::arp::detail::IUpdater
*** Changed command 1 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** nn::audio::detail::IAudioDevice
*** Added command 15 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
*** Added command 16 - inbytes: 0x8, outbytes: 0x0
*** Added command 17 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
*** Added command 18 - inbytes: 0x8, outbytes: 0x0
** nn::audio::detail::IAudioSnoopManager
*** Removed command 1 - inbytes: 0x0, outbytes: 0x0
*** Removed command 6 - inbytes: 0x0, outbytes: 0x4
** nn::audioctrl::detail::IAudioController
*** Added command 19 - inbytes: 0x1, outbytes: 0x0
*** Added command 20 - inbytes: 0x0, outbytes: 0x1
*** Removed command 27 - buffer_entry_sizes: [0x4], buffers: [0x5], inbytes: 0x4, outbytes: 0x0
** nn::bsdsocket::cfg::ServerInterface
*** Added command 16 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 17 - buffers: [0x5], inbytes: 0x8, outbytes: 0x8, pid: True
*** Added command 18 - buffers: [0x5, 0x6, 0x6, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 19 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 20 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 21 - buffers: [0x5, 0x6], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 22 - buffers: [0x5, 0x6, 0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 23 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 50 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 51 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 52 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 53 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 54 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 55 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 56 - buffers: [0x5, 0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 57 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 58 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 100 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 120 - buffer_entry_sizes: [0x20, 0x0], buffers: [0x6, 0x21], inbytes: 0x18, outbytes: 0x8
*** Added command 130 - buffers: [0x6], inbytes: 0x20, outbytes: 0x8
*** Added command 140 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 150 - buffer_entry_sizes: [0x400], buffers: [0x16], inbytes: 0x18, outbytes: 0x0
*** Changed command 50000 - buffers: [0x6, 0x6] -> [0x6] (final state: buffers: [0x6], inbytes: 0x18, outbytes: 0x8)
** nn::capsrv::sf::IAlbumApplicationService
*** Added command 145 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x20, outbytes: 0x8, pid: True
*** Added command 146 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x30, outbytes: 0x8, pid: True
*** Added command 147 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x20, outbytes: 0x8, pid: True
** nn::capsrv::sf::IDecoderControlService
*** Added command 4001 - buffers: [0x46, 0x5], inbytes: 0x28, outbytes: 0x8
** nn::dp2hdmi::detail::IDp2hdmiController
*** Added command 9 - inbytes: 0x0, outbytes: 0x10
** nn::erpt::sf::IContext
*** Changed command 10 - inbytes: 0x8 -> 0xC (final state: buffers: [0x5, 0x5, 0x5], inbytes: 0xC, outbytes: 0x0)
*** Added command 12 - buffers: [0x5, 0x5, 0x5], inbytes: 0xC, outbytes: 0x0
** nn::es::IActiveRightsContext
*** Removed command 212 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** nn::es::IETicketService
*** Changed command 1006 - buffer_entry_sizes: [0x48, 0x10] -> [0x50, 0x10] (final state: buffer_entry_sizes: [0x50, 0x10], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x4)
*** Added command 1023 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
*** Added command 1024 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x10, outbytes: 0x4
*** Added command 1025 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
*** Added command 1026 - buffer_entry_sizes: [0x10, 0x0], buffers: [0x6, 0x5], inbytes: 0x8, outbytes: 0x4
*** Added command 1027 - buffer_entry_sizes: [0x10, 0x0], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x4
*** Removed command 2002 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Removed command 2003 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** nn::friends::detail::ipc::IServiceCreator
*** Changed command 2 - outinterfaces: ['0x710007990C'] -> ['0x710007AF24'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710007AF24'])
** nn::fssrv::sf::IDeviceOperator
*** Added command 6 - inbytes: 0x0, outbytes: 0xC
*** Added command 117 - inbytes: 0x18, outbytes: 0x0
*** Added command 221 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** nn::fssrv::sf::IFileSystemProxy
*** Added command 618 - buffer_entry_sizes: [0x301], buffers: [0x19], inbytes: 0x1, outbytes: 0x8
** nn::fssrv::sf::IFileSystemProxyForLoader
*** Changed command 0 - buffer_entry_sizes: [0x124, 0x301] -> [0x301, 0x0], buffers: [0x1A, 0x19] -> [0x19, 0x6] (final state: buffer_entry_sizes: [0x301, 0x0], buffers: [0x19, 0x6], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
** nn::fssrv::sf::ISaveDataTransferManagerForSaveDataRepair
*** Changed command 110 - buffers: [0x5] -> [0x5, 0x5], inbytes: 0x28 -> 0x18 (final state: buffers: [0x5, 0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter'])
** nn::fssrv::sf::ISaveDataTransferManagerWithDivision
*** Added command 63 - buffer_entry_sizes: [0x200, 0x0], buffers: [0x19, 0x5], inbytes: 0x2, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
*** Removed command 67 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** nn::gpio::IPadSession
*** Removed command 6 - inbytes: 0x0, outbytes: 0x4
*** Removed command 7 - inbytes: 0x0, outbytes: 0x0
** nn::grcsrv::IContinuousRecorder
*** Added command 4 - inbytes: 0x0, outbytes: 0x0
** nn::hid::IHidDebugServer
*** Added command 217 - inbytes: 0x10, inhandles: [1], outbytes: 0x8
*** Added command 351 - inbytes: 0x0, outbytes: 0x4
*** Added command 352 - inbytes: 0x0, outbytes: 0x0
** nn::hid::IHidServer
*** Added command 213 - inbytes: 0x20, outbytes: 0x0, pid: True
*** Added command 214 - buffer_entry_sizes: [0x4, 0x10], buffers: [0x9, 0x9], inbytes: 0x10, outbytes: 0x0
*** Added command 311 - inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 312 - inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 1004 - inbytes: 0x10, outbytes: 0x0, pid: True
** nn::hid::IHidSystemServer
*** Added command 1320 - inbytes: 0x0, outbytes: 0x0
*** Added command 1321 - inbytes: 0x0, outbytes: 0x0
** nn::hshl::IManager
*** Added command 9 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::hshl::IBridgeSession']
*** Added command 10 - inbytes: 0x0, outbytes: 0x1
** nn::hshl::ISetterManager
*** Added command 3 - inbytes: 0x1, outbytes: 0x0
** nn::migration::savedata::IClient
*** Added command 304 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** nn::migration::savedata::IServer
*** Added command 3 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** nn::migration::user::IService
*** Added command 1110 - buffer_entry_sizes: [0x100, 0x8], buffers: [0x19, 0x5], inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::migration::savedata::IServer']
** nn::mnpp::detail::ipc::IServiceForWebBrowser
*** Added command 100 - buffers: [0x5, 0x5, 0x6], inbytes: 0x10, outbytes: 0x0
** nn::ncm::IContentMetaDatabase
*** Added command 26 - inbytes: 0x10, outbytes: 0x1
** nn::ncm::IContentStorage
*** Added command 30 - inbytes: 0x11, outbytes: 0x8
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Added command 45 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
** nn::nim::detail::INetworkInstallManager
*** Added command 142 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 143 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 144 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 3000 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 3001 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** nn::nim::detail::IShopServiceAccessServerInterface
*** Added command 5 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::nim::detail::IShopServiceAccessServer'], pid: True
** nn::npns::INpnsSystem
*** Added command 35 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
*** Added command 36 - inbytes: 0x10, outbytes: 0x0
*** Added command 40 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 41 - inbytes: 0x0, outbytes: 0x10
*** Added command 42 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0
*** Added command 43 - inbytes: 0x18, outbytes: 0x0
*** Added command 44 - buffer_entry_sizes: [0x10], buffers: [0x9], inbytes: 0x0, outbytes: 0x0
*** Added command 50 - buffers: [0x9, 0x5], inbytes: 0x0, outbytes: 0x0
** nn::ns::detail::IApplicationManagerInterface
*** Removed command 84 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Removed command 2521 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 2523 - inbytes: 0x8, outbytes: 0x8
*** Added command 3100 - inbytes: 0x0, outbytes: 0x10
*** Added command 3101 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
*** Added command 3102 - inbytes: 0x0, outbytes: 0x0
** nn::olsc::srv::IOlscServiceForSystemService
*** Added command 10000 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IOlscServiceForSystemService']
** nn::omm::srv::IDisplayLayerControl
*** Removed command 600 - buffer_entry_sizes: [0x4B8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 610 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 611 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 612 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 900 - buffers: [0x45], inbytes: 0x0, outbytes: 0x0
** nn::pdm::detail::INotifyService
*** Changed command 0 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** nn::pinmux::ISession
*** Added command 3 - inbytes: 0x1, outbytes: 0x0
*** Added command 4 - inbytes: 0x0, outbytes: 0x1
*** Added command 5 - inbytes: 0x1, outbytes: 0x0
*** Added command 6 - inbytes: 0x0, outbytes: 0x1
*** Added command 7 - inbytes: 0x4, outbytes: 0x0
*** Added command 8 - inbytes: 0x0, outbytes: 0x4
*** Added command 9 - inbytes: 0x4, outbytes: 0x0
*** Added command 10 - inbytes: 0x0, outbytes: 0x4
** nn::pl::detail::IPlatformServiceManagerForSystem
*** Added command 107 - inbytes: 0x18, outbytes: 0x0
** nn::psc::sf::IPmControl
*** Added command 7 - inbytes: 0xC, outbytes: 0x0
** nn::psm::IPsmServer
*** Changed command 17 - outbytes: 0x40 -> 0x54 (final state: inbytes: 0x0, outbytes: 0x54)
** nn::settings::ISystemSettingsServer
*** Added command 221 - inbytes: 0x0, outbytes: 0x1
*** Added command 222 - inbytes: 0x1, outbytes: 0x0
** nn::socket::sf::IClient_MC
*** Added command 35 - buffers: [0x21, 0x22], inbytes: 0x8, outbytes: 0x8
** nn::spsm::detail::IPowerStateInterface
*** Added command 12 - inbytes: 0x0, outbytes: 0x0
*** Added command 13 - inbytes: 0x0, outbytes: 0x0
*** Added command 14 - inbytes: 0x1, outbytes: 0x0
** nn::ts::server::IMeasurementServer
*** Removed command 0 - inbytes: 0x1, outbytes: 0x8
*** Removed command 1 - inbytes: 0x1, outbytes: 0x4
** nn::ts::server::ISession
*** Added command 5 - inbytes: 0x4, outbytes: 0x0
*** Added command 6 - inbytes: 0x4, outbytes: 0x0
*** Added command 7 - inbytes: 0x0, outbytes: 0x4
** nn::uart::IManager
*** Removed command 0 - inbytes: 0x4, outbytes: 0x1
*** Removed command 1 - inbytes: 0x4, outbytes: 0x1
*** Removed command 2 - inbytes: 0x8, outbytes: 0x1
*** Removed command 3 - inbytes: 0x8, outbytes: 0x1
*** Removed command 4 - inbytes: 0x8, outbytes: 0x1
*** Removed command 5 - inbytes: 0x8, outbytes: 0x1
*** Removed command 7 - inbytes: 0x8, outbytes: 0x1
*** Removed command 8 - inbytes: 0x8, outbytes: 0x1
*** Removed command 9 - inbytes: 0x8, outbytes: 0x1
*** Removed command 10 - inbytes: 0x8, outbytes: 0x1
** nn::wlan::detail::IPrivateWirelessCommunicationService
*** Removed command 1 - inbytes: 0x4, outbytes: 0x0
*** Changed command 19 - inbytes: 0x4 -> 0x1 (final state: inbytes: 0x1, outbytes: 0x0)
*** Removed command 20 - inbytes: 0x0, outbytes: 0x0
*** Removed command 21 - inbytes: 0x0, outbytes: 0x4
*** Removed command 22 - inbytes: 0x1, outbytes: 0x0
** nn::wlan::detail::IWirelessCommunicationService
*** Changed command 94 - buffer_entry_sizes: [0x20] -> [0x28] (final state: buffer_entry_sizes: [0x28], buffers: [0xA], inbytes: 0x0, outbytes: 0x4)
*** Added command 200 - inbytes: 0x4, outbytes: 0x0
*** Added command 201 - inbytes: 0x0, outbytes: 0x0
*** Added command 202 - inbytes: 0x0, outbytes: 0x4
*** Added command 203 - inbytes: 0x4, outbytes: 0x0

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_10 (previously master_key_0f). See [[NCA]] for the KeyGeneration listing.

[[Package2|INI1]] changes:
* BootImagePackage:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.
* BootImagePackageSafe:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.
* BootImagePackageExFat:
** 0100000000000005 (boot): SVC access: added CreateEvent.
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
* BootImagePackageExFatSafe:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.

The anti-downgrade fuses were [[Fuses#Anti-downgrade|updated]].

==== Kernel ====
* Compiler/libc changes:
** The kernel is now linked using RELR for relocations instead of RELA (see compiler support in lld for .relr.dyn).
** This greatly reduces the relocations segment size; it has decreased from 0x3A50 bytes in 16.0.0 to 0x90 in 17.0.0.
** Many minor optimization changes, e.g. mul+add -> madd, madd -> smaddl/umaddl, (a + b - 1) >> 36 is now (a + b) > 0x1000000000, various reordering.
* crt0 changes:
** crt0 is no longer located at _start, instead _start is `b crt0` followed by 0x7FC of zeroes.
** crt0 is now located at the start of .rodata.
*** The crt0 page is now identity-mapped R-X in .rodata instead of RWX at start-of-text.
** Many system registers which were previously set from KInitArguments are now set using a register constants table in the crt0 .rodata segment.
*** These are ttbr0_el1, ttbr1_el1, tcr_el1, mair_el1, and sctlr_el1.
*** This table is initially zeroes, and is initialized to the correct values by KernelLdr before returning to Kernel/setting permissions.
** Kernel Map now stores offsets relative to itself rather than relative to _start.
*** Kernel map also now stores an additional offset (to the "register constants").
** The big idea here is to make the crt0 page no longer executable after init.
*** This mitigates the ability to execute gadgets (via ROP/etc) to set TTBR1_EL1 (and other important registers) to user-controlled values.
**** The *only* ttbr1_el1 gadget in all of kernel now sets it to the constant in .rodata, which can't be modified after KernelLdr finishes.
*** This also enables setting the WXN bit while still identity-mapped, instead of having to do it later in boot.
* KernelLdr changes:
** INI1 is now used in-place, if KSystemControl does not have a preferred layout.
* Initialize0 changes:
** Initialize0 now receives the initial process binary size from KernelLdr and stores it in a global.
*** Initialize1 forwards this to the rest of the kernel as with the address.
** Initialize0 no longer memsets the slab region to zero before calling the ifdef'd out function for the unknown debug region.
*** This is now done by InitializeSlabHeaps().
* All exception returns now migitate post-eret speculative execution.
** All "eret" instructions are now "eret; dsb nsh; isb;"
* KInitialPageAllocator::Allocate(Aligned) now memsets the pages to zero before returning them to the caller.
** Correspondingly, KInitialPageTable no longer memsets those pages to zero after allocating them.
* KInitialProcessReader::CreateProcessParameter now ands sizes with 0x1FFFFF000 before overflow checking.
** This may actually just be compiler-garbage due to the types being u32-cast-to-higher-width?
* CreateAndStartInitialProcesses changes:
** A difference check is now an != when allocating page group.
** Segment loading/uncompressing has now been refactored:
*** The entire page group is no longer mapped while loading the segments.
*** KInitialProcessReader::Load is now responsible; it now takes the page group as argument, clears bss (using linear map), and then calls a helper to load each segment.
**** This helper creates a page group for just the pages relevant to the segment, copies the data (using linear map), and then if compressed maps the page group, uncompresses, and unmaps.
* KMemoryRegionType had a number of large changes:
** A new memory type is now inserted after the SecureAppletMemory region (id is 0xC200028E).
** Low 0x2 ID derivations changed to accommodate this.
** As a knock-on effect(?) type IDs for pool partitions changed substantially (likely due to derivation changes elsewhere).
* New KProcess field ("has application system resource").
** This is set to 1 when initializing a KProcess with CreateProcessFlag_IsApplication and system_resource_num_pages == 0.
** When this is true, svc::GetInfo() always returns 0 for InfoType_SystemResourceSizeTotal and InfoType_SystemResourceSizeUsed.
*** This also modifies the calculations for various SystemResourceSize calculations.
*** MapPhysicalMemory() and UnmapPhysicalMemory() will also now return svc::ResultInvalidState().
* The KProcess::Initialize() overload used by initial processes now supports system_resource_num_pages != 0 (and allocates a system resource in this case).
** NOTE: KInitialProcessReader::CreateProcessParameter still hardcodes param->system_resource_num_pages = 0 for all KIPs.
* Changes to KPageTable(Base) around KMemoryState:
** There is no longer a bijective mapping between svc::MemoryState and kern::KMemoryState.
** In particular, KMemoryState_Io has been split into two memory states:
*** KMemoryState_Io(Register) no longer has bit 13 (0x2000) set (new value is 0x180001).
*** For memory mapped with SvcMapIoRegion called with svc::MemoryMapping_Memory, KMemoryState_Io(Memory) retains that bit set (value is 0x182001).
*** KPageTableBase functions dealing with Io mappings now take in MemoryState arguments, and/or MemoryMapping arguments (for the IoRegion functions).
** KMemoryState_ThreadLocal no longer has bit 13 (0x2000) set (new value is 0x400000C).
** KMemoryState_Kernel no longer has bit 13 (0x2000) set (new value is 0x13).
** KMemoryState_Static no longer has bit 13 (0x2000) set (new value is 0x40002).
** KMemoryState_Insecure now supports FlagCanQueryPhysical (new value is 0x55C3817).
** To accommodate this, KPageTableBase::QueryMapping/Contains/GetRegionAddress/GetRegionSize now take an svc::MemoryState (u8) instead of the full KMemoryState.
*** In a (presumably) happy accident, this produces much, much better assembly for the switch statement.
** KPageTableBase::CheckMemoryState was made ALWAYS_INLINE and now calls an impl-func which takes KMemoryBlock * as argument.
* KPageTableBase::MapPageGroup no longer sets the io bit in page properties.
** This is the overload used by process creation.
* KMemoryBlockManager::UpdateIfMatch now takes set_disable_attr, clear_disable_attr.
** KPageTableBase::MapPhysicalMemory passes true for set_disable_attr if the address is exactly the start of the alias region.
* KPageTableBase::UnmapPhysicalMemory now passes clear_disable_attr = 1 to KMemoryManager::Update if the address is exactly the start of the alias region.
* KProcessPageTable::Initialize no longer has an unused truncated-process-id argument.
* Changes to KPageTable(Base) mapping for first-reference:
** KPageTable::Operate is no longer allowed to take MapFirst as operation.
** KPageTable::MapContiguousWithBaseAttribute no longer supports not_first argument, always calls OpenAdditionalReference.
** KPageTable::OperateOnPageGroup is now allowed to take MapFirst as operation, and MapWithPageGroup can now call OpenFirst or OpenAdditional for page group references.
** KPageTableBase::AllocatePageGroupAndOperate now passes MapFirst.
* Miscellaneous page table changes:
** KSupervisorPageTable::Initialize now checks that the WXN bit is set in sctlr_el1 instead of setting it.
** KPageTable::Finalize now calls a second OnFinalize() stub after NoteUpdated().
* KPageTableBase::MapStatic alignment checks were loosened/changed.
* New KMemoryAttribute bit 0x10 ("PermissionLocked").
** This can be set via SvcSetMemoryAttribute.
*** NOTE: Once set, this bit is irrevocable and can never be unset.
**** This is to enable relro (read only relocations).
*** This requires a new KMemoryStateFlag (bit 27) "FlagCanPermissionLock", which is set only on CodeData and AliasCodeData.
** KPageTable::SetMemoryAttribute now calls a new KMemoryBlockManager::UpdateAttributes function specifically for updating the attributes.
** This bit is allowed to be set when unmapped CodeMemory (as it can be set on (Alias)CodeData).
* HandleException now uses UserspaceAccess functions to retrieve the instruction when EsrEc is Unknown, IllegalState, Bkpt, or Brk.
* InvalidateProcessDataCache now special-cases being called on the current process, with a simpler (new) KPageTableBase function.
* Changes around signaling/thread termination.
** KThread::BeginTerminate no longer calls NotifyAvailable on the thread.
** KThread::DoWorkerTask now acquires the scheduler lock and calls NotifyAvailable on the thread.
** KThread and KProcess exit now use separate KWorkerTaskManagers (0 = Thread, 1 = Process).
*** Main() now initializes the two KWorkerTaskManagers, and now aborts if their priorities (both constant 11) are zero.
* KSleepManager's no longer saves and restores tcr_el1 when saving/restoring system registers.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2023-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

17.0.0

2023-10-11T01:13:11Z

SciresM: Add 16 -> 17 ipc diff

The Switch 17.0.0 system update was released on October 11, 2023 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.

==System Titles==
* The following titles were updated:
** Sysmodules: usb, htc.stub, boot2.ProdBoot, settings, Bus, bluetooth, bcat, friends, nifm, ptm, bsdsocket, hid, audio, LogManager.Prod, wlan, ldn, nvservices, pcv, capmtp, nvnflinger, pcie, account, ns, nfc, psc, capsrv, am, ssl, nim, btm, erpt, vi, pctl, npns, eupld, glue, eclct, es, fatal, creport, ro, sdb, grc, migration, jpegdec, safemode, olsc, ngct, jit, pgl, omm, eth, ngc.
** SystemData (non-sysver): CertStore, ErrorMessage, MiiModel, BrowserDll, Help, NgWord, SsidList, TimeZoneBinary, FontNintendoExtension, FontStandard, FontKorean, FontChineseTraditional, FontChineseSimple, FirmwareDebugSettings, BootImagePackage, BootImagePackageSafe, BootImagePackageExFat, FatalMessage, PlatformConfigIcosa, PlatformConfigCopper, PlatformConfigHoag, ControllerFirmware, NgWord2, BootImagePackageExFatSafe, PlatformConfigIcosaMariko, ContentActionTable, NgWordT, PlatformConfigAula, AulaDockFirmware.
** Applets: qlaunch, controller, error, playerSelect, LibAppletWeb, LibAppletShop, LibAppletOff, LibAppletLns, LibAppletAuth.

[[NPDM]] changes (besides usual version-bump):
* nifm: Service access: added ifcfg, nettc:nd, nettc:nu, removed bsdcfg.
* bsdsocket: Service server access: added ifcfg.
* audio: Service access: removed set:fd.
* wlan: Name updated: wlan -> wlan.autogen.
* ldn: Service access: added ifcfg, removed bsdcfg.
* pcie: Service access: added i2c.
* account: Service access: added caps:dc.
* ns: Service access: added hid.
* npns: Service access: added time:u.
* migration: Fac.FsAccessFlag updated: set bitmask 0x0000000200001000 (ImageManager, SaveDataTransferVersion2).
* qlaunch: Service access: added htcs:sys.
* controller: Service access: added htcs:sys.
* error: Service access: added htcs:sys.
* playerSelect: Service access: added htcs:sys.
* LibAppletWeb: Service access: added htcs:sys.
* LibAppletShop: Service access: added htcs:sys.
* LibAppletOff: Service access: added htcs:sys.
* LibAppletLns: Service access: added htcs:sys.
* LibAppletAuth: Service access: added htcs:sys.

RomFs changes:
* ErrorMessage: updated
* BrowserDll:
** "/buildinfo/buildinfo.dat" updated
** "/nro/netfront/": Various data updated.
* Help: "/legallines.htdocs/index.html" updated
* NgWord: updated
* [[System_Version_Title|SystemVersion]]: All files updated.
* TimeZoneBinary: updated
* [[System_Settings|FirmwareDebugSettings/PlatformConfigAula]]: All files updated.
* NgWord2: updated
* RebootlessSystemUpdateVersion: All files updated.
* NgWordT: All files updated.
* qlaunch applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* controller applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* error applet: "/lyt/common.szs" updated, "/lyt/Error.szs" updated, "/message/KRko/common.msbt.szs" updated, "/message/Ocean.msbp.szs" updated
* playerSelect applet:
** "/lyt/": Various data updated.
** "/message/": Various data updated.
* [[Internet_Browser|LibAppletWeb/LibAppletShop/LibAppletOff/LibAppletLns/LibAppletAuth]]: All files updated.

=== IPC Interface Changes ===
* The following interfaces were removed:
** nn::fgm::sf::IDebugger
* The following interfaces were added:
** nn::account::nas::IDeviceHistoryRequest
** nn::hshl::IBridgeSession
* The following interfaces were changed:
** nn::account::IAccountEntityServiceForAccountPolicy
*** Added command 213 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 214 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 215 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
** nn::account::IAccountServiceForAdministrator
*** Added command 213 - inbytes: 0x4, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 214 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
*** Added command 215 - inbytes: 0x14, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IOAuthProcedureForUserRegistration']
** nn::account::baas::IAdministrator
*** Added command 170 - inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IDeviceHistoryRequest']
** nn::account::baas::IManagerForSystemService
*** Added command 170 - inbytes: 0x8, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::account::nas::IDeviceHistoryRequest']
** nn::account::nas::IOAuthProcedureForUserRegistration
*** Added command 200 - buffers: [0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
*** Added command 205 - inbytes: 0x0, outbytes: 0x10
*** Added command 210 - inbytes: 0x0, outbytes: 0x1
*** Added command 220 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
*** Added command 221 - buffers: [0x5], inbytes: 0x21, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** nn::am::service::IAppletCommonFunctions
*** Added command 300 - inbytes: 0x0, outbytes: 0x8
** nn::am::service::ICommonStateGetter
*** Added command 600 - inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 910 - inbytes: 0x0, outbytes: 0x8
** nn::am::service::IDebugFunctions
*** Added command 52 - inbytes: 0x4, outbytes: 0x8
** nn::am::service::ILibraryAppletSelfAccessor
*** Added command 160 - inbytes: 0x0, outbytes: 0x8
** nn::apm::ISystemManager
*** Added command 8 - inbytes: 0x0, outbytes: 0x4
** nn::arp::detail::IReader
*** Changed command 2 - outbytes: 0x1 -> 0x10 (final state: inbytes: 0x8, outbytes: 0x10)
** nn::arp::detail::IUpdater
*** Changed command 1 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** nn::audio::detail::IAudioDevice
*** Added command 15 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
*** Added command 16 - inbytes: 0x8, outbytes: 0x0
*** Added command 17 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
*** Added command 18 - inbytes: 0x8, outbytes: 0x0
** nn::audio::detail::IAudioSnoopManager
*** Removed command 1 - inbytes: 0x0, outbytes: 0x0
*** Removed command 6 - inbytes: 0x0, outbytes: 0x4
** nn::audioctrl::detail::IAudioController
*** Added command 19 - inbytes: 0x1, outbytes: 0x0
*** Added command 20 - inbytes: 0x0, outbytes: 0x1
*** Removed command 27 - buffer_entry_sizes: [0x4], buffers: [0x5], inbytes: 0x4, outbytes: 0x0
** nn::bsdsocket::cfg::ServerInterface
*** Added command 16 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 17 - buffers: [0x5], inbytes: 0x8, outbytes: 0x8, pid: True
*** Added command 18 - buffers: [0x5, 0x6, 0x6, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 19 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 20 - buffers: [0x5, 0x6], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 21 - buffers: [0x5, 0x6], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 22 - buffers: [0x5, 0x6, 0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 23 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 50 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 51 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 52 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 53 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 54 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 55 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 56 - buffers: [0x5, 0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 57 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 58 - buffers: [0x5], inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 100 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0, pid: True
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 120 - buffer_entry_sizes: [0x20, 0x0], buffers: [0x6, 0x21], inbytes: 0x18, outbytes: 0x8
*** Added command 130 - buffers: [0x6], inbytes: 0x20, outbytes: 0x8
*** Added command 140 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 150 - buffer_entry_sizes: [0x400], buffers: [0x16], inbytes: 0x18, outbytes: 0x0
*** Changed command 50000 - buffers: [0x6, 0x6] -> [0x6] (final state: buffers: [0x6], inbytes: 0x18, outbytes: 0x8)
** nn::capsrv::sf::IAlbumApplicationService
*** Added command 145 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x20, outbytes: 0x8, pid: True
*** Added command 146 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x30, outbytes: 0x8, pid: True
*** Added command 147 - buffer_entry_sizes: [0x20], buffers: [0x6], inbytes: 0x20, outbytes: 0x8, pid: True
** nn::capsrv::sf::IDecoderControlService
*** Added command 4001 - buffers: [0x46, 0x5], inbytes: 0x28, outbytes: 0x8
** nn::dp2hdmi::detail::IDp2hdmiController
*** Added command 9 - inbytes: 0x0, outbytes: 0x10
** nn::erpt::sf::IContext
*** Changed command 10 - inbytes: 0x8 -> 0xC (final state: buffers: [0x5, 0x5, 0x5], inbytes: 0xC, outbytes: 0x0)
*** Added command 12 - buffers: [0x5, 0x5, 0x5], inbytes: 0xC, outbytes: 0x0
** nn::es::IActiveRightsContext
*** Removed command 212 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** nn::es::IETicketService
*** Changed command 1006 - buffer_entry_sizes: [0x48, 0x10] -> [0x50, 0x10] (final state: buffer_entry_sizes: [0x50, 0x10], buffers: [0x6, 0x5], inbytes: 0x0, outbytes: 0x4)
*** Added command 1023 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
*** Added command 1024 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x10, outbytes: 0x4
*** Added command 1025 - buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x8, outbytes: 0x4
*** Added command 1026 - buffer_entry_sizes: [0x10, 0x0], buffers: [0x6, 0x5], inbytes: 0x8, outbytes: 0x4
*** Added command 1027 - buffer_entry_sizes: [0x10, 0x0], buffers: [0x6, 0x5], inbytes: 0x10, outbytes: 0x4
*** Removed command 2002 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Removed command 2003 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
** nn::friends::detail::ipc::IServiceCreator
*** Changed command 2 - outinterfaces: ['0x710007990C'] -> ['0x710007AF24'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710007AF24'])
** nn::fssrv::sf::IDeviceOperator
*** Added command 6 - inbytes: 0x0, outbytes: 0xC
*** Added command 117 - inbytes: 0x18, outbytes: 0x0
*** Added command 221 - buffers: [0x6], inbytes: 0x8, outbytes: 0x0
** nn::fssrv::sf::IFileSystemProxy
*** Added command 618 - buffer_entry_sizes: [0x301], buffers: [0x19], inbytes: 0x1, outbytes: 0x8
** nn::fssrv::sf::IFileSystemProxyForLoader
*** Changed command 0 - buffer_entry_sizes: [0x124, 0x301] -> [0x301, 0x0], buffers: [0x1A, 0x19] -> [0x19, 0x6] (final state: buffer_entry_sizes: [0x301, 0x0], buffers: [0x19, 0x6], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
** nn::fssrv::sf::ISaveDataTransferManagerForSaveDataRepair
*** Changed command 110 - buffers: [0x5] -> [0x5, 0x5], inbytes: 0x28 -> 0x18 (final state: buffers: [0x5, 0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter'])
** nn::fssrv::sf::ISaveDataTransferManagerWithDivision
*** Added command 63 - buffer_entry_sizes: [0x200, 0x0], buffers: [0x19, 0x5], inbytes: 0x2, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
*** Removed command 67 - buffers: [0x5], inbytes: 0x18, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::ISaveDataDivisionImporter']
** nn::gpio::IPadSession
*** Removed command 6 - inbytes: 0x0, outbytes: 0x4
*** Removed command 7 - inbytes: 0x0, outbytes: 0x0
** nn::grcsrv::IContinuousRecorder
*** Added command 4 - inbytes: 0x0, outbytes: 0x0
** nn::hid::IHidDebugServer
*** Added command 217 - inbytes: 0x10, inhandles: [1], outbytes: 0x8
*** Added command 351 - inbytes: 0x0, outbytes: 0x4
*** Added command 352 - inbytes: 0x0, outbytes: 0x0
** nn::hid::IHidServer
*** Added command 213 - inbytes: 0x20, outbytes: 0x0, pid: True
*** Added command 214 - buffer_entry_sizes: [0x4, 0x10], buffers: [0x9, 0x9], inbytes: 0x10, outbytes: 0x0
*** Added command 311 - inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 312 - inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 1004 - inbytes: 0x10, outbytes: 0x0, pid: True
** nn::hid::IHidSystemServer
*** Added command 1320 - inbytes: 0x0, outbytes: 0x0
*** Added command 1321 - inbytes: 0x0, outbytes: 0x0
** nn::hshl::IManager
*** Added command 9 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::hshl::IBridgeSession']
*** Added command 10 - inbytes: 0x0, outbytes: 0x1
** nn::hshl::ISetterManager
*** Added command 3 - inbytes: 0x1, outbytes: 0x0
** nn::migration::savedata::IClient
*** Added command 304 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** nn::migration::savedata::IServer
*** Added command 3 - buffer_entry_sizes: [0x8], buffers: [0x6], inbytes: 0x4, outbytes: 0x4
** nn::migration::user::IService
*** Added command 1110 - buffer_entry_sizes: [0x100, 0x8], buffers: [0x19, 0x5], inbytes: 0x18, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::migration::savedata::IServer']
** nn::mnpp::detail::ipc::IServiceForWebBrowser
*** Added command 100 - buffers: [0x5, 0x5, 0x6], inbytes: 0x10, outbytes: 0x0
** nn::ncm::IContentMetaDatabase
*** Added command 26 - inbytes: 0x10, outbytes: 0x1
** nn::ncm::IContentStorage
*** Added command 30 - inbytes: 0x11, outbytes: 0x8
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Added command 45 - inbytes: 0x8, outbytes: 0x0, outhandles: [1]
** nn::nim::detail::INetworkInstallManager
*** Added command 142 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 143 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 144 - inbytes: 0x18, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 3000 - inbytes: 0x10, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
*** Added command 3001 - inbytes: 0x8, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData']
** nn::nim::detail::IShopServiceAccessServerInterface
*** Added command 5 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, outinterfaces: ['nn::nim::detail::IShopServiceAccessServer'], pid: True
** nn::npns::INpnsSystem
*** Added command 35 - buffers: [0x5], inbytes: 0x10, outbytes: 0x0
*** Added command 36 - inbytes: 0x10, outbytes: 0x0
*** Added command 40 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 41 - inbytes: 0x0, outbytes: 0x10
*** Added command 42 - buffers: [0x9], inbytes: 0x10, outbytes: 0x0
*** Added command 43 - inbytes: 0x18, outbytes: 0x0
*** Added command 44 - buffer_entry_sizes: [0x10], buffers: [0x9], inbytes: 0x0, outbytes: 0x0
*** Added command 50 - buffers: [0x9, 0x5], inbytes: 0x0, outbytes: 0x0
** nn::ns::detail::IApplicationManagerInterface
*** Removed command 84 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Removed command 2521 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Added command 2523 - inbytes: 0x8, outbytes: 0x8
*** Added command 3100 - inbytes: 0x0, outbytes: 0x10
*** Added command 3101 - inbytes: 0x0, outbytes: 0x0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
*** Added command 3102 - inbytes: 0x0, outbytes: 0x0
** nn::olsc::srv::IOlscServiceForSystemService
*** Added command 10000 - inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::olsc::srv::IOlscServiceForSystemService']
** nn::omm::srv::IDisplayLayerControl
*** Removed command 600 - buffer_entry_sizes: [0x4B8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 610 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 611 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 612 - buffer_entry_sizes: [0x4C8], buffers: [0x15], inbytes: 0x0, outbytes: 0x0
*** Added command 900 - buffers: [0x45], inbytes: 0x0, outbytes: 0x0
** nn::pdm::detail::INotifyService
*** Changed command 0 - inbytes: 0x10 -> 0x18 (final state: inbytes: 0x18, outbytes: 0x0)
** nn::pinmux::ISession
*** Added command 3 - inbytes: 0x1, outbytes: 0x0
*** Added command 4 - inbytes: 0x0, outbytes: 0x1
*** Added command 5 - inbytes: 0x1, outbytes: 0x0
*** Added command 6 - inbytes: 0x0, outbytes: 0x1
*** Added command 7 - inbytes: 0x4, outbytes: 0x0
*** Added command 8 - inbytes: 0x0, outbytes: 0x4
*** Added command 9 - inbytes: 0x4, outbytes: 0x0
*** Added command 10 - inbytes: 0x0, outbytes: 0x4
** nn::pl::detail::IPlatformServiceManagerForSystem
*** Added command 107 - inbytes: 0x18, outbytes: 0x0
** nn::psc::sf::IPmControl
*** Added command 7 - inbytes: 0xC, outbytes: 0x0
** nn::psm::IPsmServer
*** Changed command 17 - outbytes: 0x40 -> 0x54 (final state: inbytes: 0x0, outbytes: 0x54)
** nn::settings::ISystemSettingsServer
*** Added command 221 - inbytes: 0x0, outbytes: 0x1
*** Added command 222 - inbytes: 0x1, outbytes: 0x0
** nn::socket::sf::IClient_MC
*** Added command 35 - buffers: [0x21, 0x22], inbytes: 0x8, outbytes: 0x8
** nn::spsm::detail::IPowerStateInterface
*** Added command 12 - inbytes: 0x0, outbytes: 0x0
*** Added command 13 - inbytes: 0x0, outbytes: 0x0
*** Added command 14 - inbytes: 0x1, outbytes: 0x0
** nn::ts::server::IMeasurementServer
*** Removed command 0 - inbytes: 0x1, outbytes: 0x8
*** Removed command 1 - inbytes: 0x1, outbytes: 0x4
** nn::ts::server::ISession
*** Added command 5 - inbytes: 0x4, outbytes: 0x0
*** Added command 6 - inbytes: 0x4, outbytes: 0x0
*** Added command 7 - inbytes: 0x0, outbytes: 0x4
** nn::uart::IManager
*** Removed command 0 - inbytes: 0x4, outbytes: 0x1
*** Removed command 1 - inbytes: 0x4, outbytes: 0x1
*** Removed command 2 - inbytes: 0x8, outbytes: 0x1
*** Removed command 3 - inbytes: 0x8, outbytes: 0x1
*** Removed command 4 - inbytes: 0x8, outbytes: 0x1
*** Removed command 5 - inbytes: 0x8, outbytes: 0x1
*** Removed command 7 - inbytes: 0x8, outbytes: 0x1
*** Removed command 8 - inbytes: 0x8, outbytes: 0x1
*** Removed command 9 - inbytes: 0x8, outbytes: 0x1
*** Removed command 10 - inbytes: 0x8, outbytes: 0x1
** nn::wlan::detail::IPrivateWirelessCommunicationService
*** Removed command 1 - inbytes: 0x4, outbytes: 0x0
*** Changed command 19 - inbytes: 0x4 -> 0x1 (final state: inbytes: 0x1, outbytes: 0x0)
*** Removed command 20 - inbytes: 0x0, outbytes: 0x0
*** Removed command 21 - inbytes: 0x0, outbytes: 0x4
*** Removed command 22 - inbytes: 0x1, outbytes: 0x0
** nn::wlan::detail::IWirelessCommunicationService
*** Changed command 94 - buffer_entry_sizes: [0x20] -> [0x28] (final state: buffer_entry_sizes: [0x28], buffers: [0xA], inbytes: 0x0, outbytes: 0x4)
*** Added command 200 - inbytes: 0x4, outbytes: 0x0
*** Added command 201 - inbytes: 0x0, outbytes: 0x0
*** Added command 202 - inbytes: 0x0, outbytes: 0x4
*** Added command 203 - inbytes: 0x4, outbytes: 0x0

=== BootImagePackages ===
RomFs changes: all files updated.

Using updated master-key: master_key_10 (previously master_key_0f). See [[NCA]] for the KeyGeneration listing.

[[Package2|INI1]] changes:
* BootImagePackage:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.
* BootImagePackageSafe:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.
* BootImagePackageExFat:
** 0100000000000005 (boot): SVC access: added CreateEvent.
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
* BootImagePackageExFatSafe:
** 0100000000000003 (ProcessMana): MainThreadStackSize updated: 0x1000 -> 0x3000.
** 0100000000000005 (boot): SVC access: added CreateEvent.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2023-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

16.0.3

2023-05-08T22:37:21Z

SciresM: /* System Titles */ Add FS diff

The Switch 16.0.3 system update was released on May 9, 2023 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.

==System Titles==

=== BootImagePackages ===
Only package2 was updated. The kernel was not updated. All KIPs other than FS were only re-built (only difference is GNU build hash).

====FS====
* Mutex lock and unlock were added to some SaveData functions which were previously missing them.
** In particular, this is nn::fs::save::SaveDataFileSystemCore::HasOpenedFiles and nn::fs::save::SaveDataFileSystemCore::HasOpenedEntries.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2023-05-09_00-05-11&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

15.0.0

2023-04-30T21:57:56Z

SciresM: Move this to the sensible place.

The Switch 15.0.0 system update was released on October 11, 2022 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* The location of the Bluetooth® Audio menu within System Settings has moved.
* Screenshots can be taken using the Capture Button while in the Nintendo Switch Online application found on the Nintendo Switch HOME Menu. Video capture is not supported.
*
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* All sysmodules were updated, except for lbl which was previously stubbed. New sysmodule eth was added.
* All SystemData were updated, except for the following: SharedFont, Dictionary, AvatarImage, Eula, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* The following applets were updated: qlaunch, [[Controller_Applet|controller]], dataErase, error, netConnect, [[Profile_Selector|playerSelect]], [[Internet_Browser|web-applets]], OverlayApplet, [[Album_Applet|photoViewer]].

NPDM changes (see [[Services_API|here]] for service hosting changes):
* bluetooth: Access to srepo:u was added.
* bcat: Access to sprof:sp was removed.
* nifm: Access to ethc:c, ethc:i, and various wlan:* services were removed. Access to bsd:nu, eth:nd, wlan, and wlan:nd were added.
* bsdsocket: "Lowest Allowed CPU ID" was changed from 3 to 0. Access to usb:hs and the various wlan:* services were removed.
* wlan: Access to srepo:u was added.
* ldn: Access to psc:m and the various wlan:* services were removed. Access to the wlan service was added.
* ns: Access to audctl was removed. Access to csrng and dauth:0 was added.
* ssl: "Lowest Allowed CPU ID" was changed from 3 to 0.
* nim: Access to ssl was replaced with ssl:s.
* glue: FS permissions now has bitmask 0x0000004000000000 set.
* ro: Access to csrng was added.
* omm: FS permissions now has bitmask 0x0000000000100000 set.
* qlaunch: Access to mnpp:sys and spbg:sp were removed.

RomFs changes (besides sysver titles):
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated
* ErrorMessage: various error messages updated/added
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/Browse/FocusNodeFrame.arc" updated
** "/message/": localization data updated
** "/nro/": The various NROs located under these sub-dirs were updated.
* Help:
** "/legallines.htdocs/img/HDMI.png" updated
** "/legallines.htdocs/index.html" updated
** "/safe.htdocs/html/{dir}/", where {dir} is "JPja", "KRko", and "TWzh":
*** "index.html", "page_02.html", "page_04.html": updated
* UrlBlackList:
** "/listCommon.txt" updated
* TimeZoneBinary: updated
* FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula: [[System_Settings|updated]]
* [[HID_services|ControllerFirmware]]: "/FirmwareInfo.csv" and "/raizo_ep2_ota.bin" updated
* NgWordT: updated
* Applets: Various UI/localization data updated. For web-applets, the NRR and buildinfo.dat were also updated.

===BootImagePackages===
All files in RomFs were updated.

====Kernel====
* Compiler changes:
** Compiler upgrade
*** [What version of clang?]
*** Clang is optimizing much more aggressively in some places.
*** Notably, there are many code locations now where clang doesn't actually increment the KSchedulerLock's count field, presumably because it sees it will be decremented at end of scope...
**** This isn't exploitable, and it is """correct""", but it is worth noting to other reverse engineers because it is very confusing to see the count field unchanged or reloaded after function calls.
** Code is now compiled with -fomit-frame-pointer.
* Initialization changes:
** When the thread resource limit is increased, 24 MB of virtual space is now reserved for the Kernel stack region instead of 14 MB.
* In HorizonKernelMain:
** DoOnEachCoreInOrder is no longer inlined, when setting up the main/interrupt threads. It is still inlined in all other places.
* Multiple fixed-allocations from the system pool/resource limit were removed/revised, presumably to prevent them from unnecessarily fragmenting the pool forever.
** AppletSecureMemory is now allocated statically, instead of dynamically.
*** Previously, 4 MB was allocated from the system pool/resource limit during main.
*** Initialize0 now reserves the 4 MB immediately after the slab heaps for this.
**** DRAM layout is now like [tz reserved] [kernel] [slab heaps] [applet secure memory] [pt heap] [init pt] [memory pool partitions].
**** The virtual memory region type is 0x62; the physical memory region type is 0xC200018E.
** The KPageBuffer slab heap is no longer dynamically allocated from KMemoryManager.
*** Previously, the required number of pages were allocated from the system pool/resource limit to setup the heap *immediately* after KMemoryManager was initialized.
*** Now, it is set up during Kernel::InitializeResourceManagers, after setting up the page manager.
**** InitializeKPageBufferSlabHeap now takes heap and page manager as arguments; the slab heap's members are randomly allocated pages from the page manager.
***** This effectively randomizes the page buffer slabheap's page locations, where previously they were a contiguous range somewhere in the system pool.
***** To facilitate this, the page manager now has an Allocate(count) member function in addition to the previous single-page Allocate().
****** To facilitate this, the page manager now tracks the bitmap ends in addition to the bitmap starts, to enable a linear walk of the lowest bitmap layer.
*** This has an important knock-on effect: TLS pages are allocated from the page buffer slab, and correspondingly are no longer heap pages.
**** Correspondingly, KMemoryState_ThreadLocal no longer has the FlagReferenceCounted (0x400000) bit set.
**** However, removing this bit naively breaks IPC, which previously checked FlagReferenceCounted before copying to/from the message buffer.
**** Now, FlagReferenceCounted is checked if and only if the message buffer is a UserBuffer. If it is not, a new flag "FlagLinearMapped" (0x4000000) is checked.
***** This bit is set only on memory types guaranteed to be accessible via the kernel's linear mapping of non-kernel dram (physical ranges with memory region flag 0x80000000).
***** This new flag is set on all memory states other than Free, Io, Static, Inaccessible, Kernel, Coverage.
* Two new SVCs were added for a new "InsecureMemory" concept.
** Svc 0x90 is Result MapInsecureMemory(uintptr_t address, size_t size);
*** This allocates the requested size memory from a pool partition/resource limit, and map it with a new memory state ("KMemoryState_Insecure") at the user-specified address.
**** The resource limit/pool partition are gotten via new KSystemControl functions ("KSystemControl::GetInsecureMemoryResourceLimit", "KSystemControl::GetInsecureMemoryPool").
***** On NX board, these are the system resource limit, and Pool_SystemNonSecure respectively.
**** The specified address/size must be within the alias code region.
**** KMemoryState_Insecure has value 0x5583817.
***** This is type 0x17 with flags CanUseNonDeviceIpc, CanUseNonSecureIpc, Mapped, CanDeviceMap, CanAlignedDeviceMap, ReferenceCounted, CanChangeAttribute, LinearMapped.
** Svc 0x91 is Result UnmapInsecureMemory(uintptr_t address, size_t size);
*** This unmaps/deallocates/releases memory previously mapped with MapInsecureMemory.
* More changes to SvcMapDeviceAddressSpace(ByForce/Aligned).
** The argument which was previously a memory permission ("device_perm") is now an encoded u32 ("option").
*** The low 16 bits of this are the device permission.
*** The upper 16 bits of this are an enum (only defined values are 0 and 1).
** If the enum-arg is not 0 or 1, svc::ResultInvalidEnumValue() is now returned.
** If the enum-arg is 1 and the specified memory is IO, svc::ResultInvalidCombination is returned.
* Partial support was added for the KPageBuffer size being different from the hardware page size.
** There are now two globals, g_PageBufferSize = 0x1000, g_PageBufferCount = 0.
** The KPageBuffer slab heap is initialized with g_PageBufferCount blocks of g_PageBufferSize.
*** if g_PageBufferSize is 0x1000, g_PageBufferCount has the number of required TLS pages added to it (# processes + # threads + (# processes + #threads) / 8).
** KDynamicPageManager::Initialize now takes in an alignment argument for the page buffer size.
*** KSecureSystemResource always passes 0x1000.
** It is possible this is full support but ifdef'd, but on NX board at least all places which allocate/free to the heap panic if g_PageBufferSize != 0x1000...
* The page table heap now receives all but 64 of the available pages; prior to this, it was all but 70.
* KSessionRequest's additional mappings (when sending an IPC request with more than 8 buffers) are now slab-allocated, rather than using KPageBuffers.
** This slab has a count of 40; object size is 0x4A0 (exactly the maximum required size).
** 13.0.0+ Dynamic expansion is supported.
* Scoped setting/clearing of the 14.0.0 exception flag for cache operations has changed.
** Previously, |= on set, &= ~ on clear. Now, the flag is orr'd in only if it is not already set, and cleared only if it was newly set.
** This adds support for recursively setting these flags via a scoped setter, although there are no places in kernel where it is possible for this to occur.
** This applies to cpu::InvalidateDataCache, cpu::StoreDataCache, cpu::FlushDataCache
* The IsInUsermodeExceptionHandler exception flag management was changed:
** This is now cleared by RestoreContext (same place it clears other flags) rather than ClearExceptionSvcPermissions. It is still set by SetExceptionSvcPermissions.
* Changes in and surrounding page table logic:
** Devices can now theoretically (but not on the NX board) be given access to memory mapped as Io.
*** Why one would want to do this is unclear.
*** KMemoryState_Io now supports the CanAlignedDeviceMap and CanDeviceMap flags.
*** KPageTableBase::GetContiguousMemoryRangeWithState no longer checks that the passed memory address is heap.
**** KPageTable::MemoryRange now tracks whether the range is reference counted, and Close() only closes the pages if they are.
*** KPageTableBase::OpenMemoryRangeForMapDeviceAddressSpace no longer checks passes KMemoryState_FlagReferenceCounted.
*** KPageTableBase::LockForMapDeviceAddressSpace takes two new arguments, an output bool * to write whether the state was io, and a bool for whether to check KMemoryState_FlagReferenceCounted.
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
*** KPageTableBase::LockForUnmapDeviceAddressSpace now takes a bool argument for whether to check KMemoryState_FlagReferenceCounted
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
** Pages mapped via MapIoRegion now have KMemoryAttribute_Locked instead of KMemoryAttribute_None.
** Changes were made with respect to the way MapPhysicalMemory/UnmapPhysicalMemory are implemented:
*** KMemoryManager::AllocatePageGroupForProcess no longer calls KPageGroup::Open on the returned page group (essentially reverting the change in 11.0.0).
**** Other KMemoryManager::Allocate* functions still call KPageGroup::Open.
*** KPageTableBase::MapPhysicalMemory now calls a new KPageTable::Operate operation ("MapFirst"), which behaves the same as Map but calls KernelPanic() if the mapped pages have a non-zero reference count.
**** This enforces that MapPhysicalMemory is the first place the pages being mapped have been allocated/opened.
*** KPageTableBase::UnmapPhysicalMemory now calls a new KPageTable::Operate operation ("SeparatePages"), which performs page separation on the requested range.
**** SeparatePages is identical to the separation done at the prologue of ChangePermissions; practically, this just enforces that the pages exist.
*** KPageTableBase::UnmapPhysicalMemory now calls KernelPanic if the unmapping operation fails (since it is guaranteed to succeed by the success of SeparatePages).
**** Logic which previously existed for re-mapping on failure has been removed.
** New Kernel Objects ("KSystemResource", "KSecureSystemResource").
*** Type ID = 0x4600, KSystemResource : public KAutoObject, KSecureSystemResource : public KSystemResource
*** KSystemResource just stores pointers to the three kinds of dynamic resource managers required by processes/page tables.
*** KSecureSystemResource stores the pointed-to objects for these as members.
**** Previously, these were just KProcess members; they are no longer KProcess members and instead live in the KSecureSystemResource object.
*** The slab heap for KSecureSystemResource has capacity = KProcess slab heap.
*** When a process is created with system resource size > 0, it now creates a KSecureSystemResource (which manages allocation with KSystemControl).
**** All actual underlying logic is the same, this just abstracts the KSystemControl/secure memory interaction out of KProcess.
* KInterruptEventTask was removed and no longer exists.
** KInterruptEvent now inherits from KInterruptTask directly.
** There is no longer a global task table; KInterruptManager is expected to return ResultBusy if an interrupt is already bound (it already did this).
** KInterruptEvent::Finalize now unbinds the interrupt directly, and then calls KDpcManager::Request() with a no-op KDpcTask.
*** In practice, this unbinds the interrupt, and then creates an ordering to guarantee all cores will see the interrupt as unbound before continuing.
*** Trivia: this is the first use of KDpcManager::Request on non-debug kernels.
* Minor changes to KHandleTable:
** KHandleTable::KHandleTable now initializes the table_size, max_count, and next_id fields to zero, previously they were uninitialized until Initialize was called.
** KHandleTable::Initialize now instantiates a KScopedDisableDispatch while setting up the table.

====Loader====
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

===[[Bluetooth_Driver_services|bluetooth]]===
Besides the various IPC changes, a vulnerable func was [[Switch_System_Flaws|fixed]].

===[[HID_services|hid]]===
Besides the various IPC changes, an infoleak vuln was [[Switch_System_Flaws|fixed]].

===[[WLAN_services|wlan]]===
Besides the various IPC changes, a vulnerable func was [[Switch_System_Flaws|fixed]].

===[[NS_Services|ns]]===
Besides the various IPC changes, vulnerable RNG usage was [[Switch_System_Flaws|fixed]] to properly use secure RNG where needed.

===[[RO_services|ro]]===
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

===nnSdk===
<code>nn::diag::detail::VAbortImpl</code> when handling the retaddr for storing elsewhere, now uses instruction [https://developer.arm.com/documentation/dui0801/g/A64-General-Instructions/XPACD--XPACI--XPACLRI xpaclri]. PAC instructions are NOPs on ARM hardware which doesn't support it, which includes current NX consoles.

This is likely due to a LLVM [https://reviews.llvm.org/D84502 patch] where xpaclri is now always emitted and not related to actual Armv8.3 hardware.

=== IPC Interface Changes ===
* The following new interfaces were removed:
** nn::eth::sf::IEthInterface
** nn::eth::sf::IEthInterfaceGroup
** nn::socket::sf::IClient
** nn::wlan::detail::IDetectManager
** nn::wlan::detail::IInfraManager
** nn::wlan::detail::ILocalGetActionFrame
** nn::wlan::detail::ILocalGetFrame
** nn::wlan::detail::ILocalManager
** nn::wlan::detail::ISocketGetFrame
** nn::wlan::detail::ISocketManager
* The following new interfaces were added:
** nn::anif::detail::ISfAssignedNetworkInterfaceService
** nn::anif::detail::ISfDriverService
** nn::anif::detail::ISfDriverServiceCreator
** nn::anif::detail::ISfNetworkInterfaceService
** nn::anif::detail::ISfUserService
** nn::anif::detail::ISfUserServiceCreator
** nn::pl::detail::IPlatformServiceManager
** nn::prepo::detail::ipc::IAsyncContext
** nn::socket::sf::IClient_MC
** nn::srepo::detail::ipc::IAsyncContext
** nn::ssl::sf::ISslContextForSystem
** nn::ssl::sf::ISslServiceForSystem
** nn::wlan::detail::IGeneralServiceCreator
** nn::wlan::detail::IPrivateServiceCreator
** nn::wlan::detail::IPrivateWirelessCommunicationService
** nn::wlan::detail::IWirelessCommunicationService
* The following interfaces were changed:
** nn::account::baas::IAdministrator
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::account::baas::IManagerForSystemService
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::am::service::IAppletCommonFunctions
*** Added command 90 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 91 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 100 - inbytes: 4, outbytes: 0
** nn::am::service::IDebugFunctions
*** Added command 50 - inbytes: 16, outbytes: 0
*** Added command 200 - buffers: [5], inbytes: 8, outbytes: 0, outinterfaces: ['nn::am::service::IAllSystemAppletProxiesService'], pid: True
** nn::am::service::ILibraryAppletProxy
*** Added command 22 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IHomeMenuFunctions']
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::am::service::IOverlayAppletProxy
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::arp::detail::IWriter
*** Added command 3 - inbytes: 8, outbytes: 0, outinterfaces: ['nn::arp::detail::IUpdater']
** nn::audio::detail::IAudioRenderer
*** Added command 12 - inbytes: 4, outbytes: 0
*** Added command 13 - inbytes: 0, outbytes: 4
** nn::audioctrl::detail::IAudioController
*** Removed command 26 - inbytes: 1, outbytes: 0
*** Removed command 35 - inbytes: 8, outbytes: 0
*** Removed command 36 - inbytes: 0, outbytes: 8
*** Removed command 37 - inbytes: 1, outbytes: 0
*** Removed command 38 - inbytes: 0, outbytes: 1
*** Removed command 39 - inbytes: 0, outbytes: 1
*** Changed command 40 - buffers: [26] -> [22] (final state: buffers: [22], inbytes: 0, outbytes: 0)
*** Added command 41 - inbytes: 8, outbytes: 0
*** Added command 42 - inbytes: 8, outbytes: 0
*** Added command 50000 - inbytes: 4, outbytes: 0
** nn::bluetooth::IBluetoothDriver
*** Added command 101 - inbytes: 0, outbytes: 0
*** Added command 102 - inbytes: 0, outbytes: 0
*** Added command 155 - inbytes: 6, outbytes: 1
** nn::btm::IBtm
*** Removed command 112 - inbytes: 7, outbytes: 0
*** Removed command 113 - inbytes: 6, outbytes: 1
*** Added command 116 - inbytes: 7, outbytes: 0
*** Added command 117 - inbytes: 6, outbytes: 1
** nn::btm::IBtmDebug
*** Added command 14 - inbytes: 8, outbytes: 0
*** Added command 15 - inbytes: 0, outbytes: 0
*** Added command 16 - inbytes: 0, outbytes: 0
*** Added command 17 - inbytes: 0, outbytes: 0
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 110 - buffers: [6, 5], inbytes: 16, outbytes: 8
** nn::clkrst::IClkrstManager
*** Added command 6 - inbytes: 0, outbytes: 0
** nn::dauth::detail::IService
*** Added command 1000 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 9000 - buffers: [5, 5], inbytes: 0, outbytes: 0
*** Added command 9010 - inbytes: 0, outbytes: 0
** nn::es::IActiveRightsContext
*** Removed command 5 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 216 - inbytes: 0, outbytes: 0, outhandles: [1]
** nn::es::IETicketService
*** Added command 1022 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::es::IActiveRightsContext']
** nn::fssrv::sf::IFileSystem
*** Added command 16 - inbytes: 0, outbytes: 192
** nn::fssrv::sf::IFileSystemProxy
*** Added command 207 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Added command 1400 - inbytes: 1, outbytes: 0
** nn::grcsrv::IGrcService
*** Changed command 1 - inbytes: 72 -> 32 (final state: inbytes: 32, inhandles: [1], outbytes: 0, outinterfaces: ['nn::grcsrv::IContinuousRecorder'])
** nn::hid::IHidDebugServer
*** Added command 137 - inbytes: 16, outbytes: 0, pid: True
** nn::hid::IHidServer
*** Added command 3000 - buffers: [26], inbytes: 0, outbytes: 0
*** Added command 3001 - buffers: [25], inbytes: 0, outbytes: 0
*** Added command 3002 - inbytes: 0, outbytes: 0
*** Added command 3003 - inbytes: 0, outbytes: 56
*** Added command 3004 - inbytes: 56, outbytes: 0
*** Added command 3005 - inbytes: 0, outbytes: 0
*** Added command 3006 - buffers: [26], inbytes: 4, outbytes: 0
*** Added command 3007 - buffers: [25], inbytes: 4, outbytes: 0
*** Added command 3008 - inbytes: 4, outbytes: 0
*** Added command 3009 - inbytes: 4, outbytes: 64
*** Added command 3010 - inbytes: 68, outbytes: 0
*** Added command 3011 - inbytes: 4, outbytes: 0
** nn::hid::IHidSystemServer
*** Added command 32 - inbytes: 48, outbytes: 0, pid: True
*** Added command 33 - inbytes: 0, outbytes: 0
*** Added command 1135 - inbytes: 8, outbytes: 0, pid: True
** nn::lr::IAddOnContentLocationResolver
*** Added command 5 - buffers: [22, 22], inbytes: 8, outbytes: 0
*** Added command 6 - buffers: [21], inbytes: 16, outbytes: 0
*** Added command 7 - buffers: [21, 21], inbytes: 16, outbytes: 0
** nn::lr::ILocationResolver
*** Added command 20 - inbytes: 0, outbytes: 0
** nn::lr::ILocationResolverManager
*** Added command 4 - buffers: [5], inbytes: 0, outbytes: 0
** nn::mnpp::detail::ipc::IServiceForSystem
*** Removed command 300 - inbytes: 0, outbytes: 1
*** Removed command 400 - inbytes: 0, outbytes: 1
** nn::ncm::IContentMetaDatabase
*** Added command 23 - inbytes: 16, outbytes: 1
*** Added command 24 - inbytes: 24, outbytes: 24
*** Added command 25 - inbytes: 24, outbytes: 24
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Changed command 3 - inbytes: 8 -> 24 (final state: buffers: [5], inbytes: 24, outbytes: 0)
*** Added command 40 - buffers: [6], inbytes: 8, outbytes: 4
*** Added command 42 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 43 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 44 - buffers: [6], inbytes: 16, outbytes: 4
** nn::nim::detail::INetworkInstallManager
*** Removed command 91 - buffers: [5], inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 138 - buffers: [5], inbytes: 8, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 139 - inbytes: 0, outbytes: 0
*** Added command 140 - inbytes: 0, outbytes: 0
*** Added command 141 - inbytes: 0, outbytes: 1
** nn::nim::detail::IShopServiceManager
*** Removed command 102 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Removed command 103 - inbytes: 0, outbytes: 32
*** Removed command 104 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Removed command 105 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Removed command 106 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Removed command 501 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** nn::ns::detail::IApplicationManagerInterface
*** Added command 90 - inbytes: 8, outbytes: 0
*** Changed command 607 - inbytes: 16 -> 8 (final state: buffers: [6], inbytes: 8, outbytes: 4)
*** Removed command 909 - inbytes: 8, outbytes: 0
*** Added command 2357 - inbytes: 0, outbytes: 0
*** Added command 2358 - inbytes: 0, outbytes: 0
*** Added command 2359 - inbytes: 0, outbytes: 1
*** Removed command 2516 - inbytes: 16, outbytes: 0
** nn::pdm::detail::IQueryService
*** Removed command 7 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 13 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 14 - buffers: [6], inbytes: 24, outbytes: 4
*** Removed command 15 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 16 - buffers: [6, 5], inbytes: 16, outbytes: 4
** nn::prepo::detail::ipc::IPrepoService
*** Added command 10500 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::prepo::detail::ipc::IAsyncContext'], pid: True
** nn::settings::ISystemSettingsServer
*** Removed command 119 - inbytes: 1, outbytes: 3
** nn::srepo::detail::ipc::ISrepoService
*** Added command 10300 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::srepo::detail::ipc::IAsyncContext']
*** Added command 20600 - inbytes: 20, outbytes: 0
** nn::usb::ds::IDsEndpoint
*** Removed command 8 - inbytes: 8, inhandles: [1], outbytes: 0
*** Removed command 9 - inbytes: 16, outbytes: 4
** nn::usb::ds::IDsInterface
*** Added command 12 - inbytes: 8, inhandles: [1], outbytes: 0
** nn::visrv::sf::IManagerDisplayService
*** Changed command 8293 - inbytes: 16 -> 40 (final state: buffers: [6], inbytes: 40, outbytes: 8)

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

15.0.0

2023-04-30T21:52:09Z

SciresM: /* Kernel */ Missed this during 14 -> 15 diffing, apparently.

The Switch 15.0.0 system update was released on October 11, 2022 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* The location of the Bluetooth® Audio menu within System Settings has moved.
* Screenshots can be taken using the Capture Button while in the Nintendo Switch Online application found on the Nintendo Switch HOME Menu. Video capture is not supported.
*
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* All sysmodules were updated, except for lbl which was previously stubbed. New sysmodule eth was added.
* All SystemData were updated, except for the following: SharedFont, Dictionary, AvatarImage, Eula, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* The following applets were updated: qlaunch, [[Controller_Applet|controller]], dataErase, error, netConnect, [[Profile_Selector|playerSelect]], [[Internet_Browser|web-applets]], OverlayApplet, [[Album_Applet|photoViewer]].

NPDM changes (see [[Services_API|here]] for service hosting changes):
* bluetooth: Access to srepo:u was added.
* bcat: Access to sprof:sp was removed.
* nifm: Access to ethc:c, ethc:i, and various wlan:* services were removed. Access to bsd:nu, eth:nd, wlan, and wlan:nd were added.
* bsdsocket: "Lowest Allowed CPU ID" was changed from 3 to 0. Access to usb:hs and the various wlan:* services were removed.
* wlan: Access to srepo:u was added.
* ldn: Access to psc:m and the various wlan:* services were removed. Access to the wlan service was added.
* ns: Access to audctl was removed. Access to csrng and dauth:0 was added.
* ssl: "Lowest Allowed CPU ID" was changed from 3 to 0.
* nim: Access to ssl was replaced with ssl:s.
* glue: FS permissions now has bitmask 0x0000004000000000 set.
* ro: Access to csrng was added.
* omm: FS permissions now has bitmask 0x0000000000100000 set.
* qlaunch: Access to mnpp:sys and spbg:sp were removed.

RomFs changes (besides sysver titles):
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated
* ErrorMessage: various error messages updated/added
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/Browse/FocusNodeFrame.arc" updated
** "/message/": localization data updated
** "/nro/": The various NROs located under these sub-dirs were updated.
* Help:
** "/legallines.htdocs/img/HDMI.png" updated
** "/legallines.htdocs/index.html" updated
** "/safe.htdocs/html/{dir}/", where {dir} is "JPja", "KRko", and "TWzh":
*** "index.html", "page_02.html", "page_04.html": updated
* UrlBlackList:
** "/listCommon.txt" updated
* TimeZoneBinary: updated
* FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula: [[System_Settings|updated]]
* [[HID_services|ControllerFirmware]]: "/FirmwareInfo.csv" and "/raizo_ep2_ota.bin" updated
* NgWordT: updated
* Applets: Various UI/localization data updated. For web-applets, the NRR and buildinfo.dat were also updated.

===BootImagePackages===
All files in RomFs were updated.

====Kernel====
* Compiler changes:
** Compiler upgrade
*** [What version of clang?]
*** Clang is optimizing much more aggressively in some places.
*** Notably, there are many code locations now where clang doesn't actually increment the KSchedulerLock's count field, presumably because it sees it will be decremented at end of scope...
**** This isn't exploitable, and it is """correct""", but it is worth noting to other reverse engineers because it is very confusing to see the count field unchanged or reloaded after function calls.
** Code is now compiled with -fomit-frame-pointer.
* Initialization changes:
** When the thread resource limit is increased, 24 MB of virtual space is now reserved for the Kernel stack region instead of 14 MB.
* In HorizonKernelMain:
** DoOnEachCoreInOrder is no longer inlined, when setting up the main/interrupt threads. It is still inlined in all other places.
* Multiple fixed-allocations from the system pool/resource limit were removed/revised, presumably to prevent them from unnecessarily fragmenting the pool forever.
** AppletSecureMemory is now allocated statically, instead of dynamically.
*** Previously, 4 MB was allocated from the system pool/resource limit during main.
*** Initialize0 now reserves the 4 MB immediately after the slab heaps for this.
**** DRAM layout is now like [tz reserved] [kernel] [slab heaps] [applet secure memory] [pt heap] [init pt] [memory pool partitions].
**** The virtual memory region type is 0x62; the physical memory region type is 0xC200018E.
** The KPageBuffer slab heap is no longer dynamically allocated from KMemoryManager.
*** Previously, the required number of pages were allocated from the system pool/resource limit to setup the heap *immediately* after KMemoryManager was initialized.
*** Now, it is set up during Kernel::InitializeResourceManagers, after setting up the page manager.
**** InitializeKPageBufferSlabHeap now takes heap and page manager as arguments; the slab heap's members are randomly allocated pages from the page manager.
***** This effectively randomizes the page buffer slabheap's page locations, where previously they were a contiguous range somewhere in the system pool.
***** To facilitate this, the page manager now has an Allocate(count) member function in addition to the previous single-page Allocate().
****** To facilitate this, the page manager now tracks the bitmap ends in addition to the bitmap starts, to enable a linear walk of the lowest bitmap layer.
*** This has an important knock-on effect: TLS pages are allocated from the page buffer slab, and correspondingly are no longer heap pages.
**** Correspondingly, KMemoryState_ThreadLocal no longer has the FlagReferenceCounted (0x400000) bit set.
**** However, removing this bit naively breaks IPC, which previously checked FlagReferenceCounted before copying to/from the message buffer.
**** Now, FlagReferenceCounted is checked if and only if the message buffer is a UserBuffer. If it is not, a new flag "FlagLinearMapped" (0x4000000) is checked.
***** This bit is set only on memory types guaranteed to be accessible via the kernel's linear mapping of non-kernel dram (physical ranges with memory region flag 0x80000000).
***** This new flag is set on all memory states other than Free, Io, Static, Inaccessible, Kernel, Coverage.
* Two new SVCs were added for a new "InsecureMemory" concept.
** Svc 0x90 is Result MapInsecureMemory(uintptr_t address, size_t size);
*** This allocates the requested size memory from a pool partition/resource limit, and map it with a new memory state ("KMemoryState_Insecure") at the user-specified address.
**** The resource limit/pool partition are gotten via new KSystemControl functions ("KSystemControl::GetInsecureMemoryResourceLimit", "KSystemControl::GetInsecureMemoryPool").
***** On NX board, these are the system resource limit, and Pool_SystemNonSecure respectively.
**** The specified address/size must be within the alias code region.
**** KMemoryState_Insecure has value 0x5583817.
***** This is type 0x17 with flags CanUseNonDeviceIpc, CanUseNonSecureIpc, Mapped, CanDeviceMap, CanAlignedDeviceMap, ReferenceCounted, CanChangeAttribute, LinearMapped.
** Svc 0x91 is Result UnmapInsecureMemory(uintptr_t address, size_t size);
*** This unmaps/deallocates/releases memory previously mapped with MapInsecureMemory.
* More changes to SvcMapDeviceAddressSpace(ByForce/Aligned).
** The argument which was previously a memory permission ("device_perm") is now an encoded u32 ("option").
*** The low 16 bits of this are the device permission.
*** The upper 16 bits of this are an enum (only defined values are 0 and 1).
** If the enum-arg is not 0 or 1, svc::ResultInvalidEnumValue() is now returned.
** If the enum-arg is 1 and the specified memory is IO, svc::ResultInvalidCombination is returned.
* Partial support was added for the KPageBuffer size being different from the hardware page size.
** There are now two globals, g_PageBufferSize = 0x1000, g_PageBufferCount = 0.
** The KPageBuffer slab heap is initialized with g_PageBufferCount blocks of g_PageBufferSize.
*** if g_PageBufferSize is 0x1000, g_PageBufferCount has the number of required TLS pages added to it (# processes + # threads + (# processes + #threads) / 8).
** KDynamicPageManager::Initialize now takes in an alignment argument for the page buffer size.
*** KSecureSystemResource always passes 0x1000.
** It is possible this is full support but ifdef'd, but on NX board at least all places which allocate/free to the heap panic if g_PageBufferSize != 0x1000...
* The page table heap now receives all but 64 of the available pages; prior to this, it was all but 70.
* KSessionRequest's additional mappings (when sending an IPC request with more than 8 buffers) are now slab-allocated, rather than using KPageBuffers.
** This slab has a count of 40; object size is 0x4A0 (exactly the maximum required size).
** 13.0.0+ Dynamic expansion is supported.
* Scoped setting/clearing of the 14.0.0 exception flag for cache operations has changed.
** Previously, |= on set, &= ~ on clear. Now, the flag is orr'd in only if it is not already set, and cleared only if it was newly set.
** This adds support for recursively setting these flags via a scoped setter, although there are no places in kernel where it is possible for this to occur.
** This applies to cpu::InvalidateDataCache, cpu::StoreDataCache, cpu::FlushDataCache
* The IsInUsermodeExceptionHandler exception flag management was changed:
** This is now cleared by RestoreContext (same place it clears other flags) rather than ClearExceptionSvcPermissions. It is still set by SetExceptionSvcPermissions.
* Changes in and surrounding page table logic:
** Devices can now theoretically (but not on the NX board) be given access to memory mapped as Io.
*** Why one would want to do this is unclear.
*** KMemoryState_Io now supports the CanAlignedDeviceMap and CanDeviceMap flags.
*** KPageTableBase::GetContiguousMemoryRangeWithState no longer checks that the passed memory address is heap.
*** KPageTableBase::OpenMemoryRangeForMapDeviceAddressSpace no longer checks passes KMemoryState_FlagReferenceCounted.
*** KPageTableBase::LockForMapDeviceAddressSpace takes two new arguments, an output bool * to write whether the state was io, and a bool for whether to check KMemoryState_FlagReferenceCounted.
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
*** KPageTableBase::LockForUnmapDeviceAddressSpace now takes a bool argument for whether to check KMemoryState_FlagReferenceCounted
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
** Pages mapped via MapIoRegion now have KMemoryAttribute_Locked instead of KMemoryAttribute_None.
** Changes were made with respect to the way MapPhysicalMemory/UnmapPhysicalMemory are implemented:
*** KMemoryManager::AllocatePageGroupForProcess no longer calls KPageGroup::Open on the returned page group (essentially reverting the change in 11.0.0).
**** Other KMemoryManager::Allocate* functions still call KPageGroup::Open.
*** KPageTableBase::MapPhysicalMemory now calls a new KPageTable::Operate operation ("MapFirst"), which behaves the same as Map but calls KernelPanic() if the mapped pages have a non-zero reference count.
**** This enforces that MapPhysicalMemory is the first place the pages being mapped have been allocated/opened.
*** KPageTableBase::UnmapPhysicalMemory now calls a new KPageTable::Operate operation ("SeparatePages"), which performs page separation on the requested range.
**** SeparatePages is identical to the separation done at the prologue of ChangePermissions; practically, this just enforces that the pages exist.
*** KPageTableBase::UnmapPhysicalMemory now calls KernelPanic if the unmapping operation fails (since it is guaranteed to succeed by the success of SeparatePages).
**** Logic which previously existed for re-mapping on failure has been removed.
** New Kernel Objects ("KSystemResource", "KSecureSystemResource").
*** Type ID = 0x4600, KSystemResource : public KAutoObject, KSecureSystemResource : public KSystemResource
*** KSystemResource just stores pointers to the three kinds of dynamic resource managers required by processes/page tables.
*** KSecureSystemResource stores the pointed-to objects for these as members.
**** Previously, these were just KProcess members; they are no longer KProcess members and instead live in the KSecureSystemResource object.
*** The slab heap for KSecureSystemResource has capacity = KProcess slab heap.
*** When a process is created with system resource size > 0, it now creates a KSecureSystemResource (which manages allocation with KSystemControl).
**** All actual underlying logic is the same, this just abstracts the KSystemControl/secure memory interaction out of KProcess.
* KPageTable::MemoryRange now tracks whether the range is reference counted, and Close() only closes the pages if they are.
* KInterruptEventTask was removed and no longer exists.
** KInterruptEvent now inherits from KInterruptTask directly.
** There is no longer a global task table; KInterruptManager is expected to return ResultBusy if an interrupt is already bound (it already did this).
** KInterruptEvent::Finalize now unbinds the interrupt directly, and then calls KDpcManager::Request() with a no-op KDpcTask.
*** In practice, this unbinds the interrupt, and then creates an ordering to guarantee all cores will see the interrupt as unbound before continuing.
*** Trivia: this is the first use of KDpcManager::Request on non-debug kernels.
* Minor changes to KHandleTable:
** KHandleTable::KHandleTable now initializes the table_size, max_count, and next_id fields to zero, previously they were uninitialized until Initialize was called.
** KHandleTable::Initialize now instantiates a KScopedDisableDispatch while setting up the table.

====Loader====
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

===[[Bluetooth_Driver_services|bluetooth]]===
Besides the various IPC changes, a vulnerable func was [[Switch_System_Flaws|fixed]].

===[[HID_services|hid]]===
Besides the various IPC changes, an infoleak vuln was [[Switch_System_Flaws|fixed]].

===[[WLAN_services|wlan]]===
Besides the various IPC changes, a vulnerable func was [[Switch_System_Flaws|fixed]].

===[[NS_Services|ns]]===
Besides the various IPC changes, vulnerable RNG usage was [[Switch_System_Flaws|fixed]] to properly use secure RNG where needed.

===[[RO_services|ro]]===
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

===nnSdk===
<code>nn::diag::detail::VAbortImpl</code> when handling the retaddr for storing elsewhere, now uses instruction [https://developer.arm.com/documentation/dui0801/g/A64-General-Instructions/XPACD--XPACI--XPACLRI xpaclri]. PAC instructions are NOPs on ARM hardware which doesn't support it, which includes current NX consoles.

This is likely due to a LLVM [https://reviews.llvm.org/D84502 patch] where xpaclri is now always emitted and not related to actual Armv8.3 hardware.

=== IPC Interface Changes ===
* The following new interfaces were removed:
** nn::eth::sf::IEthInterface
** nn::eth::sf::IEthInterfaceGroup
** nn::socket::sf::IClient
** nn::wlan::detail::IDetectManager
** nn::wlan::detail::IInfraManager
** nn::wlan::detail::ILocalGetActionFrame
** nn::wlan::detail::ILocalGetFrame
** nn::wlan::detail::ILocalManager
** nn::wlan::detail::ISocketGetFrame
** nn::wlan::detail::ISocketManager
* The following new interfaces were added:
** nn::anif::detail::ISfAssignedNetworkInterfaceService
** nn::anif::detail::ISfDriverService
** nn::anif::detail::ISfDriverServiceCreator
** nn::anif::detail::ISfNetworkInterfaceService
** nn::anif::detail::ISfUserService
** nn::anif::detail::ISfUserServiceCreator
** nn::pl::detail::IPlatformServiceManager
** nn::prepo::detail::ipc::IAsyncContext
** nn::socket::sf::IClient_MC
** nn::srepo::detail::ipc::IAsyncContext
** nn::ssl::sf::ISslContextForSystem
** nn::ssl::sf::ISslServiceForSystem
** nn::wlan::detail::IGeneralServiceCreator
** nn::wlan::detail::IPrivateServiceCreator
** nn::wlan::detail::IPrivateWirelessCommunicationService
** nn::wlan::detail::IWirelessCommunicationService
* The following interfaces were changed:
** nn::account::baas::IAdministrator
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::account::baas::IManagerForSystemService
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::am::service::IAppletCommonFunctions
*** Added command 90 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 91 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 100 - inbytes: 4, outbytes: 0
** nn::am::service::IDebugFunctions
*** Added command 50 - inbytes: 16, outbytes: 0
*** Added command 200 - buffers: [5], inbytes: 8, outbytes: 0, outinterfaces: ['nn::am::service::IAllSystemAppletProxiesService'], pid: True
** nn::am::service::ILibraryAppletProxy
*** Added command 22 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IHomeMenuFunctions']
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::am::service::IOverlayAppletProxy
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::arp::detail::IWriter
*** Added command 3 - inbytes: 8, outbytes: 0, outinterfaces: ['nn::arp::detail::IUpdater']
** nn::audio::detail::IAudioRenderer
*** Added command 12 - inbytes: 4, outbytes: 0
*** Added command 13 - inbytes: 0, outbytes: 4
** nn::audioctrl::detail::IAudioController
*** Removed command 26 - inbytes: 1, outbytes: 0
*** Removed command 35 - inbytes: 8, outbytes: 0
*** Removed command 36 - inbytes: 0, outbytes: 8
*** Removed command 37 - inbytes: 1, outbytes: 0
*** Removed command 38 - inbytes: 0, outbytes: 1
*** Removed command 39 - inbytes: 0, outbytes: 1
*** Changed command 40 - buffers: [26] -> [22] (final state: buffers: [22], inbytes: 0, outbytes: 0)
*** Added command 41 - inbytes: 8, outbytes: 0
*** Added command 42 - inbytes: 8, outbytes: 0
*** Added command 50000 - inbytes: 4, outbytes: 0
** nn::bluetooth::IBluetoothDriver
*** Added command 101 - inbytes: 0, outbytes: 0
*** Added command 102 - inbytes: 0, outbytes: 0
*** Added command 155 - inbytes: 6, outbytes: 1
** nn::btm::IBtm
*** Removed command 112 - inbytes: 7, outbytes: 0
*** Removed command 113 - inbytes: 6, outbytes: 1
*** Added command 116 - inbytes: 7, outbytes: 0
*** Added command 117 - inbytes: 6, outbytes: 1
** nn::btm::IBtmDebug
*** Added command 14 - inbytes: 8, outbytes: 0
*** Added command 15 - inbytes: 0, outbytes: 0
*** Added command 16 - inbytes: 0, outbytes: 0
*** Added command 17 - inbytes: 0, outbytes: 0
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 110 - buffers: [6, 5], inbytes: 16, outbytes: 8
** nn::clkrst::IClkrstManager
*** Added command 6 - inbytes: 0, outbytes: 0
** nn::dauth::detail::IService
*** Added command 1000 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 9000 - buffers: [5, 5], inbytes: 0, outbytes: 0
*** Added command 9010 - inbytes: 0, outbytes: 0
** nn::es::IActiveRightsContext
*** Removed command 5 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 216 - inbytes: 0, outbytes: 0, outhandles: [1]
** nn::es::IETicketService
*** Added command 1022 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::es::IActiveRightsContext']
** nn::fssrv::sf::IFileSystem
*** Added command 16 - inbytes: 0, outbytes: 192
** nn::fssrv::sf::IFileSystemProxy
*** Added command 207 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Added command 1400 - inbytes: 1, outbytes: 0
** nn::grcsrv::IGrcService
*** Changed command 1 - inbytes: 72 -> 32 (final state: inbytes: 32, inhandles: [1], outbytes: 0, outinterfaces: ['nn::grcsrv::IContinuousRecorder'])
** nn::hid::IHidDebugServer
*** Added command 137 - inbytes: 16, outbytes: 0, pid: True
** nn::hid::IHidServer
*** Added command 3000 - buffers: [26], inbytes: 0, outbytes: 0
*** Added command 3001 - buffers: [25], inbytes: 0, outbytes: 0
*** Added command 3002 - inbytes: 0, outbytes: 0
*** Added command 3003 - inbytes: 0, outbytes: 56
*** Added command 3004 - inbytes: 56, outbytes: 0
*** Added command 3005 - inbytes: 0, outbytes: 0
*** Added command 3006 - buffers: [26], inbytes: 4, outbytes: 0
*** Added command 3007 - buffers: [25], inbytes: 4, outbytes: 0
*** Added command 3008 - inbytes: 4, outbytes: 0
*** Added command 3009 - inbytes: 4, outbytes: 64
*** Added command 3010 - inbytes: 68, outbytes: 0
*** Added command 3011 - inbytes: 4, outbytes: 0
** nn::hid::IHidSystemServer
*** Added command 32 - inbytes: 48, outbytes: 0, pid: True
*** Added command 33 - inbytes: 0, outbytes: 0
*** Added command 1135 - inbytes: 8, outbytes: 0, pid: True
** nn::lr::IAddOnContentLocationResolver
*** Added command 5 - buffers: [22, 22], inbytes: 8, outbytes: 0
*** Added command 6 - buffers: [21], inbytes: 16, outbytes: 0
*** Added command 7 - buffers: [21, 21], inbytes: 16, outbytes: 0
** nn::lr::ILocationResolver
*** Added command 20 - inbytes: 0, outbytes: 0
** nn::lr::ILocationResolverManager
*** Added command 4 - buffers: [5], inbytes: 0, outbytes: 0
** nn::mnpp::detail::ipc::IServiceForSystem
*** Removed command 300 - inbytes: 0, outbytes: 1
*** Removed command 400 - inbytes: 0, outbytes: 1
** nn::ncm::IContentMetaDatabase
*** Added command 23 - inbytes: 16, outbytes: 1
*** Added command 24 - inbytes: 24, outbytes: 24
*** Added command 25 - inbytes: 24, outbytes: 24
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Changed command 3 - inbytes: 8 -> 24 (final state: buffers: [5], inbytes: 24, outbytes: 0)
*** Added command 40 - buffers: [6], inbytes: 8, outbytes: 4
*** Added command 42 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 43 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 44 - buffers: [6], inbytes: 16, outbytes: 4
** nn::nim::detail::INetworkInstallManager
*** Removed command 91 - buffers: [5], inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 138 - buffers: [5], inbytes: 8, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 139 - inbytes: 0, outbytes: 0
*** Added command 140 - inbytes: 0, outbytes: 0
*** Added command 141 - inbytes: 0, outbytes: 1
** nn::nim::detail::IShopServiceManager
*** Removed command 102 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Removed command 103 - inbytes: 0, outbytes: 32
*** Removed command 104 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Removed command 105 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Removed command 106 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Removed command 501 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** nn::ns::detail::IApplicationManagerInterface
*** Added command 90 - inbytes: 8, outbytes: 0
*** Changed command 607 - inbytes: 16 -> 8 (final state: buffers: [6], inbytes: 8, outbytes: 4)
*** Removed command 909 - inbytes: 8, outbytes: 0
*** Added command 2357 - inbytes: 0, outbytes: 0
*** Added command 2358 - inbytes: 0, outbytes: 0
*** Added command 2359 - inbytes: 0, outbytes: 1
*** Removed command 2516 - inbytes: 16, outbytes: 0
** nn::pdm::detail::IQueryService
*** Removed command 7 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 13 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 14 - buffers: [6], inbytes: 24, outbytes: 4
*** Removed command 15 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 16 - buffers: [6, 5], inbytes: 16, outbytes: 4
** nn::prepo::detail::ipc::IPrepoService
*** Added command 10500 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::prepo::detail::ipc::IAsyncContext'], pid: True
** nn::settings::ISystemSettingsServer
*** Removed command 119 - inbytes: 1, outbytes: 3
** nn::srepo::detail::ipc::ISrepoService
*** Added command 10300 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::srepo::detail::ipc::IAsyncContext']
*** Added command 20600 - inbytes: 20, outbytes: 0
** nn::usb::ds::IDsEndpoint
*** Removed command 8 - inbytes: 8, inhandles: [1], outbytes: 0
*** Removed command 9 - inbytes: 16, outbytes: 4
** nn::usb::ds::IDsInterface
*** Added command 12 - inbytes: 8, inhandles: [1], outbytes: 0
** nn::visrv::sf::IManagerDisplayService
*** Changed command 8293 - inbytes: 16 -> 40 (final state: buffers: [6], inbytes: 40, outbytes: 8)

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

16.0.0

2023-03-08T17:31:59Z

SciresM: Improve IPC diff

The Switch 16.0.0 system update was released on February 21, 2023 (UTC). This Switch update was released for the following regions: ALL, CHN.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* User nicknames that cannot be used will be replaced with “???” which can be updated from the profile settings.
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* New sysmodule ngc was added (0100000000000050).
* All sysmodules were updated (excluding stubbed-lbl).
* Most SystemData were updated, except for: Chinese and Korean dictionaries, Dictionary, AvatarImage, UrlBlackList, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* Most applets were updated, except for: cabinet, controller, netConnect, swkbd, miiEdit, starter, maintenance.

[[NPDM]] changes (besides usual version-bump):
* [[Boot2|boot2.ProdBoot]] now has access to [[NCM_services|ncm]].
* [[Friend_services|friends]] no longer has access to [[SPL_services|csrng]].
* nifm now has htc:nd access.
* nifm, ldn, ns: pl:u access was replaced with pl:s.
* ns now has access to ns:am2 and ns:su (for GetService).
* nim no longer has access to spl: (on older versions this was unused besides service-init).
* vi now has pl:u access.
* glue now has hosted-service pl:u access (moved from sdb) and access to svcCreateSharedMemory.
* fatal had access for the following removed: nvdrv:s, pl:u, vi:s.
* sdb had access for pl:u (hosted-service) and svcCreateSharedMemory removed.
* qlaunch, playerSelect, photoViewer, myPage: access to ngc:u was added.

The SafeMode bootpkgs KIP for PCV had "Default CPU Core" changed from 3 to 63.

RomFs changes:
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated and "/ssl_TrustedCerts.Ounce.bdf" added.
* ErrorMessage: updated
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/browser/UserCssCore0.dat" added
** "/browser/UserCss.dat" updated
** "/buildinfo/buildinfo.dat" updated
** "/gfxShader/" added, which contains "BrowserOffscreenDrawer.bnsh".
** "/lyt/Browse/Page.arc" updated
** "/nro/" The various NROs located under here were updated.
* Help: "/legallines.htdocs/img/HDMI.png" and "/legallines.htdocs/index.html" were updated.
* NgWord: updated.
* LocalNews: "/image/LnSupIntro/main_Other.jpg", "/message/EUnl/localNews.msbt.szs", "/message/revision.txt" updated.
* Eula: "/KRko/Eula.msbt.szs" and "/revision.txt" updated.
* FirmwareDebugSettings: [[System_Settings|updated]]
* NgWord2: updated. Added "/ac_similar_form_nx" and "/table_similar_form_nx".
* NgWordT: "/mars_dirty_words_db" updated
* applets: various UI/message/gfx data updated.
* web-applets: "/buildinfo/buildinfo.dat" and "/.nrr/modules.nrr" updated.

=== IPC Interface Changes ===
* The following interfaces were removed:
** nn::pl::detail::IPlatformServiceManager
* The following interfaces were added:
** nn::ngc::detail::IService
** nn::pl::sharedresource::detail::IPlatformSharedResourceManager
* The following interfaces were changed:
** nn::account::IAccountEntityServiceForAccountPolicy
*** Changed command 152 - buffer_entry_sizes: [0x401] -> [0x801] (final state: buffer_entry_sizes: [0x801], buffers: [0x1A], inbytes: 0x0, outbytes: 0x0)
*** Added command 910 - inbytes: 0x0, outbytes: 0x0
** nn::account::IAccountServiceForAdministrator
*** Changed command 152 - buffer_entry_sizes: [0x401] -> [0x801] (final state: buffer_entry_sizes: [0x801], buffers: [0x1A], inbytes: 0x0, outbytes: 0x0)
*** Added command 910 - inbytes: 0x0, outbytes: 0x0
** nn::account::IAccountServiceForSystemService
*** Changed command 152 - buffer_entry_sizes: [0x401] -> [0x801] (final state: buffer_entry_sizes: [0x801], buffers: [0x1A], inbytes: 0x0, outbytes: 0x0)
** nn::account::IAccountServiceForSystemServiceWithProfileEditor
*** Changed command 152 - buffer_entry_sizes: [0x401] -> [0x801] (final state: buffer_entry_sizes: [0x801], buffers: [0x1A], inbytes: 0x0, outbytes: 0x0)
** nn::account::baas::IAdministrator
*** Added command 161 - inbytes: 0x0, outbytes: 0x0
** nn::account::baas::IManagerForSystemService
*** Added command 161 - inbytes: 0x0, outbytes: 0x0
** nn::account::nas::IOAuthProcedureForNintendoAccountLinkage
*** Added command 200 - buffers: [0x9, 0x9, 0x9], inbytes: 0x0, outbytes: 0x0, outinterfaces: ['nn::account::detail::IAsyncContext']
** nn::am::service::IApplicationFunctions
*** Removed command 34 - buffers: [0x5], inbytes: 0x0, outbytes: 0x1
** nn::am::service::IDebugFunctions
*** Added command 51 - inbytes: 0x4, outbytes: 0x0
*** Added command 300 - inbytes: 0x0, outbytes: 0x0
** nn::am::service::IHomeMenuFunctions
*** Added command 50 - inbytes: 0x0, outbytes: 0x0
*** Added command 51 - inbytes: 0x0, outbytes: 0x0
** nn::aocsrv::detail::IAddOnContentManager
*** Added command 300 - inbytes: 0x8, outbytes: 0x0, pid: True
*** Added command 301 - buffers: [0x6], inbytes: 0x10, outbytes: 0x0, pid: True
*** Added command 302 - inbytes: 0x0, outbytes: 0x0
** nn::bsdsocket::cfg::ServerInterface
*** Added command 13 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
*** Added command 14 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
*** Added command 15 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
** nn::codec::detail::IHardwareOpusDecoderManager
*** Added command 8 - inbytes: 0x10, outbytes: 0x4
*** Added command 9 - buffer_entry_sizes: [0x118], buffers: [0x19], inbytes: 0x0, outbytes: 0x4
** nn::dauth::detail::IService
*** Added command 3 - inbytes: 0x8, outbytes: 0x10
*** Added command 13 - inbytes: 0x10, outbytes: 0x10
** nn::dp2hdmi::detail::IDp2hdmiController
*** Added command 7 - inbytes: 0x0, outbytes: 0x0
*** Added command 8 - inbytes: 0x4, inhandles: [1], outbytes: 0x0
** nn::ec::IContentsServiceManager
*** Added command 1 - buffers: [0x5], inbytes: 0x60, outbytes: 0x0, outhandles: [1], outinterfaces: [None], pid: True
** nn::es::IActiveRightsContext
*** Changed command 11 - inbytes: 0x8 -> 0x10 (final state: buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x10, outbytes: 0x4)
*** Changed command 16 - inbytes: 0x8 -> 0x10 (final state: buffer_entry_sizes: [0x10], buffers: [0x6], inbytes: 0x10, outbytes: 0x4)
*** Added command 18 - buffer_entry_sizes: [0x10, 0x0, 0x8], buffers: [0x6, 0x6, 0x6], inbytes: 0x10, outbytes: 0x8
** nn::es::IETicketService
*** Removed command 3001 - buffer_entry_sizes: [0x40, 0x248, 0x0], buffers: [0x16, 0x16, 0x5], inbytes: 0x0, outbytes: 0x0
*** Removed command 3002 - buffer_entry_sizes: [0x248], buffers: [0x16], inbytes: 0x0, outbytes: 0x0
** nn::fan::detail::IManager
*** Added command 1 - inbytes: 0x4, outbytes: 0x4
** nn::friends::detail::ipc::IServiceCreator
*** Changed command 2 - outinterfaces: ['0x7100078D58'] -> ['0x710007990C'] (final state: inbytes: 0x0, outbytes: 0x0, outinterfaces: ['0x710007990C'])
** nn::fssrv::sf::IFileSystemProxy
*** Added command 10 - buffer_entry_sizes: [0x301], buffers: [0x19], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Changed command 206 - inbytes: 0x4 -> 0x8 (final state: buffer_entry_sizes: [0x301], buffers: [0x19], inbytes: 0x8, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IStorage'])
*** Removed command 609 - buffer_entry_sizes: [0x301], buffers: [0x19], inbytes: 0x0, outbytes: 0x10
*** Changed command 610 - inbytes: 0x0 -> 0x1 (final state: buffer_entry_sizes: [0x301], buffers: [0x19], inbytes: 0x1, outbytes: 0x18)
** nn::fssrv::sf::IFileSystemProxyForLoader
*** Changed command 0 - inbytes: 0x8 -> 0x10 (final state: buffer_entry_sizes: [0x124, 0x301], buffers: [0x1A, 0x19], inbytes: 0x10, outbytes: 0x0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
** nn::hid::IHidDebugServer
*** Added command 25 - inbytes: 0x1C, outbytes: 0x0
*** Added command 26 - inbytes: 0x0, outbytes: 0x0
*** Added command 3000 - inbytes: 0x0, outbytes: 0x0
** nn::hid::IHidServer
*** Added command 26 - inbytes: 0x8, outbytes: 0x0, pid: True
** nn::hid::IHidSystemServer
*** Removed command 1130 - inbytes: 0x10, inhandles: [1], outbytes: 0x0, pid: True
** nn::ncm::IContentManager
*** Added command 15 - inbytes: 0x4, outbytes: 0x0
** nn::ncm::IContentStorage
*** Changed command 19 - inbytes: 0x10 -> 0x11 (final state: inbytes: 0x11, outbytes: 0x18)
*** Changed command 20 - inbytes: 0x10 -> 0x11 (final state: inbytes: 0x11, outbytes: 0x18)
*** Changed command 27 - inbytes: 0x20 -> 0x21 (final state: inbytes: 0x21, outbytes: 0x18)
** nn::nim::detail::INetworkInstallManager
*** Changed command 10 - outbytes: 0x58 -> 0x60 (final state: inbytes: 0x10, outbytes: 0x60)
** nn::ns::detail::IApplicationManagerInterface
*** Changed command 21 - outbytes: 0x0 -> 0x1 (final state: buffer_entry_sizes: [0x300], buffers: [0x16], inbytes: 0x10, outbytes: 0x1)
*** Removed command 604 - inbytes: 0x10, outbytes: 0x0
*** Added command 611 - inbytes: 0x10, outbytes: 0x0
** nn::ns::detail::IDocumentInterface
*** Changed command 21 - outbytes: 0x0 -> 0x1 (final state: buffer_entry_sizes: [0x300], buffers: [0x16], inbytes: 0x10, outbytes: 0x1)
** nn::ns::detail::IDynamicRightsInterface
*** Removed command 14 - buffers: [0x5], inbytes: 0x8, outbytes: 0x1
** nn::pdm::detail::IQueryService
*** Changed command 0 - buffer_entry_sizes: [0x18] -> [0x28] (final state: buffer_entry_sizes: [0x28], buffers: [0x6], inbytes: 0x8, outbytes: 0x4)
*** Changed command 4 - outbytes: 0x28 -> 0x48 (final state: inbytes: 0x10, outbytes: 0x48)
*** Changed command 5 - outbytes: 0x28 -> 0x48 (final state: inbytes: 0x20, outbytes: 0x48)
*** Changed command 10 - buffer_entry_sizes: [0x40] -> [0x38] (final state: buffer_entry_sizes: [0x38], buffers: [0x6], inbytes: 0x4, outbytes: 0x4)
** nn::pl::detail::IPlatformServiceManagerForSystem
*** Removed command 0 - inbytes: 0x4, outbytes: 0x0
*** Removed command 1 - inbytes: 0x4, outbytes: 0x4
*** Removed command 2 - inbytes: 0x4, outbytes: 0x4
*** Removed command 3 - inbytes: 0x4, outbytes: 0x4
*** Removed command 4 - inbytes: 0x0, outbytes: 0x0, outhandles: [1]
*** Removed command 5 - buffer_entry_sizes: [0x4, 0x4, 0x4], buffers: [0x6, 0x6, 0x6], inbytes: 0x8, outbytes: 0x8
*** Removed command 6 - buffer_entry_sizes: [0x4, 0x4, 0x4], buffers: [0x6, 0x6, 0x6], inbytes: 0x8, outbytes: 0x8
** nn::ssl::sf::ISslConnection
*** Added command 28 - buffers: [0x5], inbytes: 0x4, outbytes: 0x4
*** Added command 29 - buffers: [0x6], inbytes: 0x0, outbytes: 0x0
*** Added command 30 - inbytes: 0x8, outbytes: 0x0
*** Added command 31 - buffers: [0x5], inbytes: 0x0, outbytes: 0x0
*** Added command 32 - inbytes: 0x0, outbytes: 0x2
*** Added command 33 - buffers: [0x6, 0x5, 0x5], inbytes: 0x0, outbytes: 0x0
*** Added command 34 - inbytes: 0x4, outbytes: 0x0
*** Added command 35 - inbytes: 0x0, outbytes: 0x4
** nn::ssl::sf::ISslContext
*** Added command 12 - buffers: [0x5, 0x5], inbytes: 0x4, outbytes: 0x8
*** Added command 13 - buffers: [0x6, 0x6, 0x5], inbytes: 0x4, outbytes: 0x8
** nn::ssl::sf::ISslContextForSystem
*** Added command 12 - buffers: [0x5, 0x5], inbytes: 0x4, outbytes: 0x8
*** Added command 13 - buffers: [0x6, 0x6, 0x5], inbytes: 0x4, outbytes: 0x8
** nn::visrv::sf::IManagerDisplayService
*** Added command 2060 - inbytes: 0x4, outbytes: 0x0
*** Added command 2062 - buffers: [0x5], inbytes: 0x4, outbytes: 0x0
*** Added command 2063 - inbytes: 0x8, outbytes: 0x0
*** Added command 6014 - inbytes: 0x10, outbytes: 0x0
*** Added command 6015 - inbytes: 0x8, outbytes: 0x0
** nn::visrv::sf::IManagerRootService
*** Added command 100 - inbytes: 0x0, outbytes: 0x0
*** Added command 101 - inbytes: 0x0, outbytes: 0x0
*** Added command 102 - inbytes: 0x14, outbytes: 0x0
*** Added command 103 - buffer_entry_sizes: [0x4], buffers: [0x5], inbytes: 0x20, outbytes: 0x4
=== BootImagePackages ===
All files in RomFs were updated.

====Kernel====
* Compiler upgrade
** Version is currently unknown, probably ~LLVM 15?
** Many NOPs inserted to align branch destinations to 16 bytes, many ADRP + ADD pairs replaced with NOP + ADR
*** This probably corresponds to this commit? https://github.com/llvm/llvm-project/commit/4450a2a23df0e7081ca7fee3ec641774afedc2bc
**** Alexander Shaposhnikov, why did you do this, it makes diffing harder :(
** Compiler now more frequently detecting a reusable computed offset for load/store
* KThreadStackParameters:
** Stack parameters are now 0x10 larger.
** The additional 0x10 bytes appear to be completely unused, at least on prod NX builds of the kernel.
* KScheduler changes:
** Idle count tracking has been changed to use two fields ("idle count", "switch count").
*** In UpdateHighestThreads(), switching to the idle thread does idle_count = ++switch_count, and switching to a non-kernel thread does ++switch_count.
*** KProcess now has an additional array of counts ("running_thread_switch_counts"), UpdateHighestThreads() also sets running_thread_switch_counts[core] = switch_count.
** KDebug::GetRunningThreadInfo() now only succeeds if running_thread_switch_counts[core] == Scheduler->switch_count + 1.
*** Previously, this checked running_thread_idle_counts[core] == Scheduler->idle_count, which meant the thread had to have not switched to idle between its last execution and the GetRunningThreadInfo() wait finishing.
*** Now, this requires the core to have switched directly from the target thread to GetRunningThreadInfo(), which is to say the condition is "The thread is actually running at the target time".
*** In addition, now ResultNoThread is returned if switch_count == idle_count + 1, otherwise ResultUnknownThread is returned; previously only NoThread was returnable.
**** switch_count == idle_count + 1 implies that the switch to GetRunningThreadInfo() happened from idle thread, so ResultNoThread is returned exactly when the running thread was the idle thread.
**** Otherwise, if a thread other than the idle thread was the running thread, UnknownThread is returned.
** KSchedulerLock::Lock() now always increments count, instead of setting count = 1 when the lock owner is not the current thread.
** Note: Several KScheduler functions have big assembly changes, but this appears to be pure compiler optimization changes with no semantic differences.
* KProcess had the creation time member deleted.
* A new KPageTable::Operate operation was added ("ChangePermsAndRefreshWithFlushDataCache")
** Previously, all calls to Operate with ChangePermsAndRefresh would flush data cache; now, calls to ChangePermsAndRefresh do not flush data cache and calls to ChangePermsAndRefreshWithFlushDataCache do.
*** ChangePermsAndRefreshWithFlushDataCache is otherwise identical to ChangePermsAndRefresh semantically.
* QueryIoMapping now supports querying memory regions with KMemoryState_Static in addition to KMemoryState_Io.
* Some changes surrounding KIoRegion:
** KIoRegion now uses an intrusive red black tree member for the pool list, rather than an intrusive list node.
** KIoPool::AddIoRegion() uses the intrusive tree to check fewer regions for Contains().
** KPageTableBase::UnmapIoRegion now takes the MemoryMapping as argument (which was passed to CreateIoRegion).
*** When mapping is MemoryMapping_Memory, the mapping following is done before unmap:
**** The region is permission changed to be uncached, using ChangePermsAndRefresh (without FlushDataCache).
**** The table's lock is released.
**** cpu::FlushDataCache() is called to flush the mapping.
**** The table's lock is reacquired.
*** All fallible operations now call KernelPanic() on failure, rather than returning the result code
* KAddressSpaceInfo::GetAddressSpaceStart()/GetAddressSpaceSize() no longer use complicated switch logic to only examine the indices with the right bit-width, and instead just iterate all indices with an if to check bit width.
* Big changes to KThread waiting/priority inheritance:
** m_waiter_list, m_lock_owner fields were deleted.
** New fields m_held_lock_info_list, m_waiting_lock_info were added.
*** This is an intrusive list of new type KThreadLockInfo (storing info on all locks held), and a pointer to the lock this thread is waiting on, if any.
*** There is one lock info for each address key.
*** KThreadLockInfo is slab allocated, count = # of KThreads
*** KThreadLockInfo has the following fields:
**** LockWithPriorityInheritanceThreadTree m_cv_tree; // Tree of threads waiting on the lock, this re-uses the node for condvar/arbiter.
**** KProcessAddress m_address_key;
**** KThread *m_owner;
**** u32 m_waiter_count;
** This greatly simplifies RemoveWaiterByKey (as there is a single KThreadLockInfo representing all threads waiting on the key).
*** RemoveWaiterByKey now also has an output bool pointer for whether the lock still has waiters, rather than an output s32 pointer for # of waiters.
** RestorePriority has been shuffled to ensure the new CV tree inside lock info has its invariants maintained across the priority set.
** Several calls to RestorePriority are now guarded by if statements, to only invoke RestorePriority if there is a possible change in inherited priority.
* Big changes to crt0/Initialize0/KInitialPageTable/Sleep Manager:
** KInitialPageTable::Map (and others) now take a new physical-to-virtual-offset argument, and add this to L1 table etc.
** Changes to Initial Arguments:
*** Initial arguments are now size 0x80.
*** Initial argument pointers are no longer used; Init arguments array addresses are used directly, with presumption that no page boundary is crossed.
*** Initial arguments no longer use setup function/etc.
*** Instead of setting ep = HorizonKernelMain, Initial arguments now set ep = InvokeMain (this function was previously "InvokeEntryPoint")
*** idle stack is now retrieved from KMemoryLayout inside InvokeMain, instead of being a field inside Initial Arguments.
** After setting up initial arguments, Initialize0 now returns to crt0, which sets sp = InitArguments[0]->sp and calls new function ("Initialize1").
*** All KInitialPageTable calls from here onward now pass g_LinearPhysToVirtDiff, and thus page table accesses are done using the Linear mapping set up by Initialize0.
** Initialize1 does the following:
*** The initial identity mapping is unmapped in its entirety.
**** The single-page containing crt0 + interrupt vectors is re-identity-mapped as R-X.
**** PageAllocator for this is an extremely simplified new InitialPageAllocator type, which always has exactly two free pages to be allocated.
*** All remaining logic which used to be in Initialize0 happens here, with no changes.
** TurnOnAllCores now calls a helper function ("TurnOnCore") to turn on the cores.
*** void TurnOnCore(__int64 core, InitArguments *argument);
*** TurnOnCore does virt->phys translation lookup (using at s1e1r) on StartOtherCore (from crt0 page) + argument, and calls smc::CpuOn directly.
**** TurnOnCore is "probably" a KSystemControl function.
** Sleep handler thread function now sets resume entry addr = StartOtherCore, and sets up an InitArguments for each core.
*** ResumeEntry and ResumeEntryVirtual are now merged/simplified.
* Changes to pool allocations:
** Minimum non-secure system pool size is now ~2MB larger (0x2C04000 vs 0x2A0C000).
** Slab heap gaps size is now 0x9000 smaller (0x1A7000 vs 0x1B0000).
* KSystemControl::Initialize has been restructured (operations reordered), and now calls a helper which sets up the MT, creates system resource limit, etc.
** This helper also modifies the KAddressSpaceInfo tables, when memory is large (these were previously read-only).
** In particular, the following modifications are made to the 39-bit address space infos based on the total memory size:
*** size <= 8 GB: No changes (Heap Region = 8 GB, Alias region = 64 GB)
*** 8 GB < size <= 16 GB: Heap Region = size, Alias Region = 8 * size
*** 16 GB < size <= 32 GB: Heap region = size, Alias region = 128 GB
*** 32 GB <= size: Heap region = 32 GB, Alias region = 128 GB
* KSystemControl::Init::GenerateRandomRange now supports min=0, max=0xFFFFFFFFFFFFFFFF (previously it was incorrect for this case).
* New InfoType (0x1B) ("IoRegionHint")
** This takes a handle to a KIoRegion, and returns the low bits of the region's address.
*** If the region's size is < 0x10000, this is the low 12 bits, otherwise if size < 0x200000, this is the low 16 bits, otherwise it's the low 21 bits.
* UserspaceAccess functions no longer do adr X30, fail in the loop, now do adr X#, fail before the loop and mov X30, X# in the loop.
* All code which sets ThreadContext's pstate field now uses the mask 0xF0000000 for aarch64 threads and 0xFE0FFE20 for aarch32 threads.
** Previously, this used the mask 0xFF0FFE20 for both.
** This removes the ability to get/set the DIT bit for both aarch64 and aarch32, and removes many other bits for aarch64 only.
* Interrupt disable logic was removed from a number of functions:
** KAddressArbiter::SignalAndIncrementIfEqual, KAddressArbiter::SignalAndModifyBasedOnWaitingThreadCount, KAddressArbiter::WaitIfLessThan, KConditionVariable::SignalConditionVariableImpl
* KConditionVariable::SignalToAddress now does dmb before copying updated value to userspace.
* KDebugBase functions for DebugEvents were changed to take pointer to params + count, instead of 5 parameter arguments.
** This propagates up to many/all caller functions.
** The only variable length parameter counts are DebugEvent_Exception + DebugException_UserBreak/DebugException_DebuggerBreak
*** This copies the variable-count parameters directly to the result exception info without maximum size check.
**** This is not exploitable, because there is no way for userspace to control parameter count, and it will always remain in bounds.
**** Presumably exception info type is larger if compiling for a target with more than 4 CPUs, to prevent out-of-bounds copies.

=== [[USB_services|usb]] ===
A vuln was [[Switch_System_Flaws|fixed]].

=== [[Bluetooth_Driver_services|bluetooth]] ===
An IPC vuln due to a regression was [[Switch_System_Flaws|fixed]].

=== [[Error_Applet|LibraryAppletError]] ===

As described [[Title_list|here]], nnSdk now supports two ErrorMessage SystemDataIds. NX LibraryAppletError is hard-coded for using the original ErrorMessage SystemDataId, the new ErrorMessage SystemData doesn't exist on NX retail.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2023-02-21_00-05-09&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

NPDM

2023-02-22T20:35:29Z

SciresM: /* MemoryRegionMap */

This is the Switch equivalent of 3DS [https://www.3dbrew.org/wiki/NCCH/Extended_Header exheader]. This is the file with extension ".npdm" in {Switch ExeFS}. The size of this file varies.

{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x80
| [[#META|META]]
|-
| 0x80
| <Varies>
| [[#ACID|ACID]]
|-
| <See META>
| <See META>
| [[#ACI0|ACI0]]
|}

= META =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x4
| Magic ("META")
|-
| 0x4
| 0x4
| [9.0.0+] SignatureKeyGeneration
|-
| 0x8
| 0x4
| Reserved
|-
| 0xC
| 0x1
| [[#Flags|Flags]]
|-
| 0xD
| 0x1
| Reserved
|-
| 0xE
| 0x1
| [[#MainThreadPriority|MainThreadPriority]]
|-
| 0xF
| 0x1
| MainThreadCoreNumber
|-
| 0x10
| 0x4
| Reserved
|-
| 0x14
| 0x4
| [3.0.0+] [[#SystemResourceSize|SystemResourceSize]]
|-
| 0x18
| 0x4
| [[#Version|Version]]
|-
| 0x1C
| 0x4
| [[#MainThreadStackSize|MainThreadStackSize]]
|-
| 0x20
| 0x10
| Name (usually/always "Application")
|-
| 0x30
| 0x10
| ProductCode (usually/always all zeroes)
|-
| 0x40
| 0x30
| Reserved
|-
| 0x70
| 0x4
| [[#ACI0|AciOffset]]
|-
| 0x74
| 0x4
| [[#ACI0|AciSize]]
|-
| 0x78
| 0x4
| [[#ACID|AcidOffset]]
|-
| 0x7C
| 0x4
| [[#ACID|AcidSize]]
|}

== Flags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0
| Is64BitInstruction
|-
| 1-3
| ProcessAddressSpace (0x00 = AddressSpace32Bit, 0x01 = AddressSpace64BitOld, 0x02 = AddressSpace32BitNoReserved, 0x03 = AddressSpace64Bit)
|-
| 4
| [7.0.0+] OptimizeMemoryAllocation
|-
| 5
| [11.0.0+] DisableDeviceAddressSpaceMerge
|}

== MainThreadPriority ==
Ranges from 0 to 0x3F.

== SystemResourceSize ==
When this is non-zero, the kernel reserves this amount of memory and dynamically uses it as needed for page table pages, KMemoryBlocks, and KBlockInfos. When this is zero, the process uses global shared heaps for these.

This enables a process to sacrifice some of the memory available to it in order to have higher limits on these resources, thus enabling the use of SvcMapPhysicalMemory.

Maximum size as is 0x1FE00000.

== Version ==
0 for all titles.

[8.1.0+] Now set to 1 for certain titles.

[9.0.0+] Now set to a proper version field for all titles.

== MainThreadStackSize ==
Must be aligned to 0x1000. If zero, kernel will start the process's initial thread with sp=0.

= ACID =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x100
| RSA-2048 signature over the data starting at 0x100 with the size field from 0x204
|-
| 0x100
| 0x100
| RSA-2048 public key for the second [[NCA_Format|NCA]] signature
|-
| 0x200
| 0x4
| Magic ("ACID")
|-
| 0x204
| 0x4
| Size
|-
| 0x208
| 0x1
| [9.0.0+] Version
|-
| 0x209
| 0x1
| [14.0.0+]
|-
| 0x20A
| 0x2
| Reserved
|-
| 0x20C
| 0x4
| [[#Flags_2|Flags]]
|-
| 0x210
| 0x8
| ProgramIdMin
|-
| 0x218
| 0x8
| ProgramIdMax
|-
| 0x220
| 0x4
| [[#FsAccessControl|FacOffset]]
|-
| 0x224
| 0x4
| [[#FsAccessControl|FacSize]]
|-
| 0x228
| 0x4
| [[#SrvAccessControl|SacOffset]]
|-
| 0x22C
| 0x4
| [[#SrvAccessControl|SacSize]]
|-
| 0x230
| 0x4
| [[#KernelCapability|KcOffset]]
|-
| 0x234
| 0x4
| [[#KernelCapability|KcSize]]
|-
| 0x238
| 0x8
| Reserved
|}

== Flags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0
| ProductionFlag
|-
| 1
| UnqualifiedApproval
|-
| 2-5
| [5.0.0+] MemoryRegion (0 = Application, 1 = Applet, 2 = SecureSystem, 3 = NonSecureSystem)
|}

MemoryRegion is set to Application for "starter" and NonSecureSystem for "nvservices".

= ACI0 =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x4
| Magic ("ACI0")
|-
| 0x4
| 0xC
| Reserved
|-
| 0x10
| 0x8
| ProgramId
|-
| 0x18
| 0x8
| Reserved
|-
| 0x20
| 0x4
| [[#FsAccessControl|FacOffset]]
|-
| 0x24
| 0x4
| [[#FsAccessControl|FacSize]]
|-
| 0x28
| 0x4
| [[#SrvAccessControl|SacOffset]]
|-
| 0x2C
| 0x4
| [[#SrvAccessControl|SacSize]]
|-
| 0x30
| 0x4
| [[#KernelCapability|KcOffset]]
|-
| 0x34
| 0x4
| [[#KernelCapability|KcSize]]
|-
| 0x38
| 0x8
| Reserved
|}

= FsAccessControl =
For [[#ACID|ACID]] this is a simple descriptor as follows:
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x1
| Version (always 1, must be non-zero)
|-
| 0x1
| 0x1
| [5.0.0+] ContentOwnerIdCount
|-
| 0x2
| 0x1
| [5.0.0+] SaveDataOwnerIdCount
|-
| 0x3
| 0x1
| Padding
|-
| 0x4
| 0x8
| [[#FsAccessFlag|FsAccessFlag]]
|-
| 0xC
| 0x8
| ContentOwnerIdMin
|-
| 0x14
| 0x8
| ContentOwnerIdMax
|-
| 0x1C
| 0x8
| SaveDataOwnerIdMin
|-
| 0x24
| 0x8
| SaveDataOwnerIdMax
|-
| 0x2C
| 0x8 * ContentOwnerIdCount
| [5.0.0+] ContentOwnerIds
|-
| Variable
| 0x8 * SaveDataOwnerIdCount
| [5.0.0+] SaveDataOwnerIds
|}

For [[#ACI0|ACI0]] this embeds data as follows:
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x1
| Version (always 1, must be non-zero)
|-
| 0x1
| 0x3
| Padding
|-
| 0x4
| 0x8
| [[#FsAccessFlag|FsAccessFlag]]
|-
| 0xC
| 0x4
| ContentOwnerInfoOffset
|-
| 0x10
| 0x4
| ContentOwnerInfoSize
|-
| 0x14
| 0x4
| SaveDataOwnerInfoOffset
|-
| 0x18
| 0x4
| SaveDataOwnerInfoSize
|-
| 0x1C
| 0x4
| (Optional) ContentOwnerIdCount
|-
| 0x1C
| 0x8 * ContentOwnerIdCount
| ContentOwnerIds
|-
| Variable
| 0x4
| SaveDataOwnerIdCount
|-
| Variable
| 0x1 * SaveDataOwnerIdCount
| Accessibilities (1=Read, 2=Write, 3=ReadWrite)
|-
| Variable (padded to nearest 4 bytes)
| 0x8 * SaveDataOwnerIdCount
| SaveDataOwnerIds
|}

== FsAccessFlag ==
{| class="wikitable" border="1"
|-
! Bits
! Name
! Description
|-
| 0
| ApplicationInfo
| MountContent* is accessible when set.
|-
| 1
| BootModeControl
|
|-
| 2
| Calibration
|
|-
| 3
| SystemSaveData
|
|-
| 4
| GameCard
|
|-
| 5
| SaveDataBackUp
|
|-
| 6
| SaveDataManagement
|
|-
| 7
| BisAllRaw
|
|-
| 8
| GameCardRaw
|
|-
| 9
| GameCardPrivate
|
|-
| 10
| SetTime
|
|-
| 11
| ContentManager
|
|-
| 12
| ImageManager
|
|-
| 13
| CreateSaveData
|
|-
| 14
| SystemSaveDataManagement
|
|-
| 15
| BisFileSystem
|
|-
| 16
| SystemUpdate
|
|-
| 17
| SaveDataMeta
|
|-
| 18
| DeviceSaveData
|
|-
| 19
| SettingsControl
|
|-
| 20
| SystemData
|
|-
| 21
| SdCard
|
|-
| 22
| Host
|
|-
| 23
| FillBis
|
|-
| 24
| CorruptSaveData
|
|-
| 25
| SaveDataForDebug
|
|-
| 26
| FormatSdCard
|
|-
| 27
| GetRightsId
|
|-
| 28
| RegisterExternalKey
|
|-
| 29
| RegisterUpdatePartition
|
|-
| 30
| SaveDataTransfer
|
|-
| 31
| DeviceDetection
|
|-
| 32
| AccessFailureResolution
|
|-
| 33
| SaveDataTransferVersion2
|
|-
| 34
| RegisterProgramIndexMapInfo
|
|-
| 35
| CreateOwnSaveData
|
|-
| 36
| MoveCacheStorage
|
|-
| 37
| DeviceTreeBlob
|
|-
| 38
| NotifyErrorContextServiceReady
|
|-
| 39-61
| Reserved
|
|-
| 62
| Debug
| See [[SPL_services#GetConfig|here]].
|-
| 63
| FullPermission
| Enables access to everything: all [[Filesystem_services#Permissions|permission types]] which check a bitmask have this bit set.
|}

Controls the [[Filesystem_services#Permissions|filesystem permissions]].

Web-applets permissions:
* "LibAppletWeb" and "LibAppletOff" have same access control: bit0 and bit3 set, and bit62 set.
* Rest of the web-applets: Same as above except bit0 isn't set.

= Service Access Control =
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0-2
| Size (length of the service-name without null-terminator minus 1)
|-
| 7
| IsServer (service is allowed to be registered)
|-
| Variable
| Name
|}

This is a list of [[Services_API|service]]-name strings which the title has access to.

The service name string starts after the first byte and supports the wildcard <code>*</code> character.

= KernelCapability =
{| class="wikitable" border="1"
|-
! Pattern of lower bits
! Lowest clear bitmask/bit
! Description
|-
| <code>0bxxxxxxxxxxxx0111</code>
| Bit3
| [[#ThreadInfo]]
|-
| <code>0bxxxxxxxxxxx01111</code>
| Bit4
| [[#EnableSystemCalls]]
|-
| <code>0bxxxxxxxxx0111111</code>
| Bit6
| [[#MemoryMap]]
|-
| <code>0bxxxxxxxx01111111</code>
| Bit7
| [[#IoMemoryMap]]
|-
| <code>0bxxxxx01111111111</code>
| Bit10
| [8.0.0+] [[#MemoryRegionMap]]
|-
| <code>0bxxxx011111111111</code>
| Bit11
| [[#EnableInterrupts]]
|-
| <code>0bxx01111111111111</code>
| Bit13
| [[#MiscParams]]
|-
| <code>0bx011111111111111</code>
| Bit14
| [[#KernelVersion]]
|-
| <code>0b0111111111111111</code>
| Bit15
| [[#HandleTableSize]]
|-
| <code>0b1111111111111111</code>
| Bit16
| [[#MiscFlags]]
|-
| All ones
|
| Invalid
|}

These descriptors are identified by pattern 01..11 in low bits.

== ThreadInfo ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 4-9
| LowestPriority
|-
| 10-15
| HighestPriority
|-
| 16-23
| MinCoreNumber
|-
| 24-31
| MaxCoreNumber
|}

== EnableSystemCalls ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 5-28
| SystemCallId
|-
| 29-31
| Index
|}

== MemoryMap ==
MemoryMap entries are stored in pairs. The first pair will contain BeginAddress and PermissionType, while the second pair will contain Size and MappingType.
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 7-30
| BeginAddress
|-
| 31
| PermissionType (0=RW, 1=RO)
|}

{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 7-26
| Size
|-
| 27-30
| Reserved
|-
| 31
| MappingType (0=Io, 1=Static)
|}

=== Restrictions ===
The physaddr range 0x80060000-0x2000000000 is not allowed to be mapped as IO.
The physaddr range 0x80000000-0x2000000000 is not allowed to be mapped as Normal.

[2.0.0-4.1.0] The range for IO was changed into 0x80060000-0x81D3FFFF.

[2.0.0-4.1.0] A blacklist was added for IO and Normal mappings:
* 0x50040000-0x50060000 (ARM, Interrupt Controller)
* 0x6000F000 (Exception Vectors)
* 0x6001DC00-0x6001E000 (IPATCH)
* 0x7000E000 (RTC/PMC)
* 0x70019000 (MC)
* 0x7001C000 (MC0)
* 0x7001D000 (MC1)

[5.0.0+] For IO, this blacklist was abandoned and instead two range checks were added. For Normal mappings it is still applied

== IoMemoryMap ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 8-31
| BeginAddress
|}

== MemoryRegionMap ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 11-16
| RegionType0 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 17
| RegionIsReadOnly0
|-
| 18-23
| RegionType1 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 24
| RegionIsReadOnly1
|-
| 25-30
| RegionType2 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 31
| RegionIsReadOnly2
|}

== EnableInterrupts ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 12-21
| InterruptNumber0
|-
| 22-31
| InterruptNumber1
|}

0x3FF means empty.

== MiscParams ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 14-16
| ProgramType (0 = System, 1 = Application, 2 = Applet)
|}

ProgramType is parsed by [[Process Manager services]]. Defaults to 0 if descriptor doesn't exist. Can only run 1 application at a time.

== KernelVersion ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 15-18
| MinorVersion
|-
| 19-31
| MajorVersion
|}

This encodes the intended kernel version for the program.

The kernel requires that the intended version is >= the minimum supported version (3.0 for all released kernels), and <= the current version.

Kernel version is derived from/equivalent to SDK version:
* Kernel Major = SDK Major + 4
* Kernel Minor = SDK Minor

=== Versions ===
{| class="wikitable" border="1"
|-
! Firmware || Kernel Version || Corresponding SDK Version
|-
| 1.0.0 || 5.0 || 1.0.0.0
|-
| 2.0.0 || 6.1 || 2.1.0.0
|-
| 3.0.0 || 7.4 || 3.4.0.0
|-
| 3.0.2 || 7.4 || 3.4.0.0
|-
| 5.0.0 || 9.3 || 5.3.0.0
|-
| 10.0.0 || 14.4 || 10.4.0.0
|-
| 11.0.0 || 15.4 || 11.4.0.0
|-
| 11.0.1 || 15.4 || 11.4.0.0
|}

== HandleTableSize ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 16-25
| HandleTableSize
|}

== MiscFlags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 17
| EnableDebug
|-
| 18
| ForceDebug
|}

Switch System Flaws

2023-02-21T17:00:07Z

SciresM: imagine knowing what month it is

Exploits are used to execute unofficial code (homebrew) on the Nintendo Switch. This page is a list of publicly known Switch system flaws.

= Hardware =
Flaws in this category pertain to the underlying hardware that powers the Switch.

This includes components shared across Tegra based devices such as the [[TSEC]], the [[Security_Engine|Security Engine]], the [[GPU]] and so on.

{| class="wikitable" border="1"
! Summary
! Description
! Fixed with hardware model/revision
! Newest hardware model/revision this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| GMMU DMA attack
| The Switch's GPU includes a separate MMU (GMMU) that is allowed to bypass the system's IOMMU (SMMU). By accessing the GPU's MMIO region and manipulating the page table entries in the GMMU, an attacker can read/write any portion of the DRAM (except memory carveouts).

[5.0.0+] Works around this hardware flaw by using memory pool partitioning. You can no longer escalate into sysmodules with GPU DMA because all their memory is allocated using heap that's carved out.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by adding a new register which restricts what memory untranslated DMA requests may access. Untranslated GPU DMA may now only access the GPU carveout (physmem 0x80002000-0x80006000), which the GPU already has legitimate and exclusive access to.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| Summer 2017
| December 28, 2017
| [[User:hexkyz|hexkyz]], [[User:SciresM|SciresM]] and [[User:qlutoo|qlutoo]]
|-
| Weak Security Engine context validation
| The Tegra X1 supports a "deep sleep" feature, where everything but DRAM and the PMC registers lose their content (and the SoC loses power). Upon awaking, the bootrom re-executes, restoring system state. Among these stored states is the Security Engine's saved state, which uses AES-128-CBC with a random key and all-zeroes IV. However, the bootrom doesn't perform a MAC on this data, and only validates the last block. This allows one to control most of security engine's state upon wakeup, if one has a way to modify the encrypted state buffer.

With a way to modify the encrypted state buffer, one can thus dump keys from "write-only" keyslots, etc.

This also bypasses the SBK protection of the bootROM: indeed, at warmboot, bootROM will always clear keyslot 0xE to prevent malicious code from saving the SBK. Moving the SBK to another keyslot in the saved context renders this protection moot.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by streamlining the context save process; security engine contexts are now saved to protected memory which the CPU cannot access or modify.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| December 2017
| January 20, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
|-
| Security Engine keyslots vulnerable to partial overwrite attack
|
The Tegra X1 security engine supports writing keyslot data to the engine with syntax as follows:

SECURITY_ENGINE->AES_KEYTABLE_ADDR = (keyslot << 4) | (dword_index_in_keyslot);

SECURITY_ENGINE->AES_KEYTABLE_DATA = readle32(key, dword_index_in_keyslot * 4);

However, the Security Engine flushes writes to the internal key tables immediately when AES_KEYTABLE_DATA is written -- this allows one to overwrite a single dword of a key at a time, and thus brute force the contents of keyslots in time (2^32 * 8) = 2^35 instead of 2^256.
| None
| HAC-001 (Tegra210)
| Theorized Summer 2017 due to suggestive syntax, confirmed April 9, 2018
| April 9, 2018
| [[User:SciresM|SciresM]], almost surely others (independently).
|-
| CVE-2018-6242 (leveraged by the ShofEL2 and Fusée Gelée exploits)
| The USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker. By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur. This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) "application processors" at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3).
| HAC-001-01 (Mariko/Tegra214/Tegra210b01) (also fixed independently on Tegra186).
| HAC-001 (Tegra210)
| January 2018
| April 23, 2018
| [[User:Shuffle2|shuffle2]] and fail0verflow (originally),<br> [[User:Ktemkin|ktemkin]] and ReSwitched Team (independently),<br> [[User:Naehrwert|naehrwert]] (independently),<br> [[User:Hexkyz|hexkyz]] (independently),<br> st4rk with [[User:Shinyquagsire23|Shiny Quagsire]] and Dazzozo (independently),<br> and many others (independently).
|-
| Poor validation of bootrom SDRAM configuration parameters leads to arbitrary writes in bootrom
|
The Tegra X1 bootrom supports saving SDRAM parameters to scratch registers, and using the saved configuration to enable DRAM during warmboot.

The code that parses these parameters does if (params->EmcBctSpareN) *params->EmcBctSpareN = params->EmcBctSpareNPlusOne for most N, without validating either the address or value written to it.
There are other arbitrary writes in this code, as well (e.g. BootromPatch parameters intended for patching MISC registers do not check a relative offset to 0x7000000, etc).

This allows a user with access to the PMC registers (via pre-sleep bpmp execution, or otherwise) to gain arbitrary bootrom code execution.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by validating that the spare writes/bootrom patch before performing them.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| 2017
| December 16, 2018
| Everyone (independently).
|-
| TSEC ROM does not clear crypto registers after signature verification
|
TSEC supports executing signed-microcode at a greater privilege level than normal payloads.

When jumping to signed microcode, the caller is expected to load hardware crypto register $c6 = <signature>, $c7 = <seed (zero for all officially-signed microcode)>.

TSEC ROM then calculates the expected signature and compares it to the user-supplied one in $c6. On match, the secure payload is executed, and on failure an exception is raised.

However, TSEC ROM fails to clear the crypto registers used to calculate the expected signature in either of the success/failure cases.

Thus, with some way of obtaining the contents of crypto registers (e.g. ROP under some secure payload), an attacker can dump intermediary values from signature calculation.

With enough data/trial/error, this is enough to reconstruct the signature algorithm:
* mac = <davies meyer hash of (page || address of page) for each 0x100 page in the payload>
* key = AES-ENCRYPT(hardware csecret 0x1, seed)
* signature = AES-ENCRYPT(key, mac)

| None
| HAC-001 (Tegra210)
| Late 2018/Early 2019
| August 2020
| [[User:qlutoo|qlutoo]]/[[User:Hexkyz|hexkyz]]/[[User:Shuffle2|shuffle2]], [[User:SciresM|SciresM]]/[[User:motezazer|motezazer]] (independently).
|-
| TSEC signature validation design flaw leads to fake-signing
|
As mentioned above, when jumping to signed microcode the caller is expected to load hardware crypto register $c6 = <signature>, $c7 = <seed (zero for all officially-signed microcode)>.

However, TSEC ROM performs no validation on the input seed used to generate the signing key.

This leads to the following attack:
* Attacker gains rop under any secure microcode payload with signature = S.
* Attacker uses the "csigenc" instruction to obtain K = AES-ENCRYPT(hardware csecret 0x1, S).
* Attacker jumps to their own microcode with $c6 = <signature calculated on pc using K>, $c7 = S
* TSEC ROM calculates key = AES-ENCRYPT(hardware csecret 0x1, S) = K, and the signature check passes.
* Attackers microcode is executed in secure mode as though it were signed by NVidia.

Thus an attacker who has exploited *any* secure payload may use this to obtain a "fake signature key", which can be used to sign and execute arbitrary microcode in secure mode.

Note: this does not break the TSEC cryptosystem, as the csigenc mechanism relies on the signature of the executing microcode, and fakesigning produces different signatures from NVidia that cannot be controlled.
| None
| HAC-001 (Tegra210)
| Late 2018/Early 2019
| August 2020
| [[User:qlutoo|qlutoo]]/[[User:Hexkyz|hexkyz]]/[[User:Shuffle2|shuffle2]], [[User:SciresM|SciresM]]/[[User:motezazer|motezazer]] (independently).
|-
| ROP under TSEC secure bootrom via DMA engine stack overwrite (--xploit)
| TSEC DMA engine does not stop when entering TSEC secure bootrom. By pointing TSEC DMA to current stack before secure bootrom entry, stack can be controlled.

One can then use blind ROP against the TSEC secure bootrom (which is execute only, and cannot be dumped).

With sufficient effort, an attacker can construct a ROP chain that leads to csigcmp being executed with fully controlled arguments.

This allows for arbitrary heavy secure mode code execution with the current signature set to an arbitrary value.

This completely breaks the TSEC cryptosystem, by allowing one to obtain the result of csigenc with signature = <any desired value>.

This has many uses/results, notably including dumping the "true" signature key (set signature = zeroes, perform csigenc using csecret 0x1).
| None
| TSEC for all Tegra devices
| Late 2018
| January 2021
| [[User:Hexkyz|hexkyz]]/[[User:SciresM|SciresM]], [[User:Vale|Vale]]/[[User:Thog|Thog]] (independently), [[User:Tatsuko|Tatsuko]] (independently), possibly others (independently).
|-
| Boot straps are not relatched on watchdog resets (strapwn)
| On boot, the BOOTSELECT, RCM and RAM_CODE straps are latched from external GPIO to determine which boot medium to use and verify from in bootrom. However, APB_MISC_PP_STRAPPING_OPT_A can be overwritten with arbitrary values following bootrom. Write access to PP_STRAPPING_OPT_A would otherwise be mundane, however these straps are not relatched during a watchdog reset (despite being latched during other software resets), allowing for arbitrary straps to be selected and executed in bootrom.

This allows setting NVPROD_UART on some hardware configurations where it would normally be unavailable (ie on Jetson Nano boards), but is otherwise mostly useless and/or useful for testing unintended boot options (such as USB Mass Storage boot) without having to move boot strap resistors.
| Unknown
| HAC-001 (Tegra210)
| May 2020
| April 30, 2021
| [[User:Shinyquagsire23|Shiny Quagsire]]
|}

= Firmware =
Flaws in this category pertain to the firmware running on hardware devices, such as wifi/bluetooth, etc. Firmware is generally uploaded by sysmodules.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Broadpwn (CVE-2017-9417)
| See [https://blog.exodusintel.com/2017/07/26/broadpwn/ here] and [https://www.blackhat.com/docs/us-17/thursday/us-17-Artenstein-Broadpwn-Remotely-Compromising-Android-And-iOS-Via-A-Bug-In-Broadcoms-Wifi-Chipsets.pdf here].
| Code execution on the wifi controller (untested on Switch).
| [[4.0.0]]
| [[4.0.0]]
| Switch: July 2022
| Switch: July 30, 2022
| Switch: [[User:Yellows8|yellows8]]
|}

= Software =
== Bootloader ==
Flaws in this category pertain to any bootloader component such as the [[Package1#Package1ldr|package1ldr]], the [[Package1#Section_1|NX bootloader]] or the [[Package1#Section_0|warmboot binary]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Null-dereference in panic()
| The Switch's stage 1 bootloader, on panic(), clears the stack and then attempts to clear the Security Engine. However, it does so by dereferencing a pointer to the SE in .bss (initially NULL), and this pointer doesn't get initialized until partway into the bootloader's main() after several functions that might panic() are called. Thus, a panic() caused prior to SE initialization would result in the SE pointer still being NULL when dereferenced.
The BPMP doesn't have an active MPU and the bus won't data abort on an invalid address, so no exception will be entered: it'll end up overwriting some exception vectors with NULL before halting.

In 3.0.0, this was fixed by moving the security engine initialization earlier in main(), before the first function that could potentially panic().
| Some exception vectors overwritten with NULL, before SBK/other keyslots are cleared. Probably useless for anything more interesting.
| [[3.0.0]]
| [[3.0.0]]
| Early July, 2017
| July 30, 2017
| Everyone who diff'd 2.3.0 and 3.0.0 Package1
|-
| FUSE_DIS_PGM not written by package1
| The switch's hardware fuse driver contains a write-once bit in a register called "FUSE_DIS_PGM", which disables burning fuses until the next reboot. While Nintendo's bootloader code for waking up from sleep writes this on all firmware, the actual package1 initial bootloader forgets to write to it on cold reboot.

This isn't too big of a problem because another fuse is burnt on retail devices (production mode), which prevents burning *all* fuses other than ODM_RESERVED ones in hardware.

This was fixed in 3.0.0 by writing to the register on cold boot (although the write happens in TZ instead of package1 where it should take place, possibly to obfuscate the fact that they made this mistake).
| Burning arbitrary ODM reserved fuses with TZ code execution, which should never be possible for non-bootloader code.

Warning: one could irreparably brick one's console by playing with this.
| [[3.0.0]]
| [[3.0.0]]
| Late summer/early fall 2017
| December 31, 2017
| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]]
|-
| maconstack (TSEC firmware leaves MAC on the stack)
| Package1ldr loads a firmware blob into TSEC early on boot. This piece of code runs on the TSEC in Authenticated Mode and has the sole purpose of generating the per-console TSEC key (see [[Cryptosystem]]).

As a way to mitigate attacks, the TSEC firmware blob is split into 3 stages: [[TSEC_Firmware#Boot|Boot]] which is unencrypted and unsigned, [[TSEC_Firmware#KeygenLdr|KeygenLdr]] which is unencrypted but signed and [[TSEC_Firmware#Keygen|Keygen]] which is encrypted and signed.
Boot loads a static pre-generated signature into the Falcon's CPU crypto registers, loads KeygenLdr into the Falcon's CODE region and jumps to it. Execution will proceed into KeygenLdr in Heavy Secure Mode if, and only if, the loaded signature matches the one Falcon calculates internally for KeygenLdr.

Among various things, KeygenLdr will attempt to do a "backwards" security check by calculating a CMAC over Boot and comparing it with a known hash stored in the TSEC firmware's key data (a small buffer stored after Boot's code). If the hashes don't match, execution aborts.

KeygenLdr stores the calculated Boot's CMAC in the stack, but forgets to clear it. Since the stack is located in Falcon's DATA region, loading the TSEC firmware blob and dumping the DATA region afterwards (via MMIO) will reveal the calculated hash.
This allows using KeygenLdr as an oracle to generate a valid CMAC for arbitrary Boot code. Replacing the CMAC in the TSEC firmware's key data region results in KeygenLdr accepting any Boot code, thus rendering this security measure useless.

Additionally, since signed Falcon code can't be revoked without an hardware revision, an attacker can always reuse the flawed KeygenLdr code even if a fix is issued.
| Running TSEC firmware's KeygenLdr in a user controlled environment.
| None
| [[5.0.2]]
| January 2018
| April 29, 2018
| [[User:Hexkyz|hexkyz]], [[User:Rei|Reisyukaku]] (independently), probably others (independently).
|-
| pk1ldrhax
| Package1ldr decrypts and verifies the keyblob inside of the current BCT in order to get the package1 key, and then uses the package1 key to decrypt package1. It then validates package1 before jumping to it by checking the PK11 magic number, and that the section sizes sum to the expected size (and are individually less than the expected size).

However, package1ldr does not actually validate the package1 key against a fixed vector (much like kernel9loader forgot to do so on the 3ds). This would normally not matter, as keyblobs are validated -- however, with bootrom code execution one can dump SBK and forge keyblobs, and thus control the package1 key.

Thus ('''in theory, but not in practice due to the size of the brute force required''') one can replace the package1 key with garbage, causing package1 to decrypt into garbage, and hope that this garbage passes validation checks and that package1ldr jumping into the garbage will do something useful.

This was fixed incidentally in [[6.2.0]], as pk1ldr does not use keyblob data to decrypt package1 any more.

| With a large enough brute force: arbitrary package1 code execution from coldboot.

However, a usable brute force is on the order of >= ~2^80, so '''this is almost certainly not actually usable in any meaningful context'''.
| [[6.2.0]]
| [[6.2.0]]
| Early 2017 (as soon as plaintext package1ldr was first dumped)
| November 20, 2018
| Everyone
|-
| Stack smash in TSEC firmware's KeygenLdr
| Given that we can control the [[TSEC_Firmware#Key_data|key data]] (which is not authenticated) and the [[TSEC_Firmware#Boot|Boot]] blob (see "maconstack"), as well as the fact Non-secure and Heavy Secure code share the same stack, we can use this to attack KeygenLdr. KeygenLdr uses memcpy to copy over a payload to DMEM to verify it, which can be abused to smash the stack (in DMEM) and write over the return address of said function.
| ROP under KeygenLdr in Heavy Secure mode.
| None
| [[8.0.1]]
| Early 2018
| May 21, 2019
| Everyone (independently).
|}

== TrustZone ==
Flaws in this category pertain exclusively to the [[Package1#Section_2|Secure Monitor]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Non-atomic mutexes
| When an [[SMC]] is called, TrustZone sets a global variable to mark that an SMC is in progress, so that two SMCs using shared resources (like the security engine) do not trample on one another. On 1.0.0, this global variable was written using non-atomic writes, and thus a race condition is possible.

However, the SMC handler enforces that all SMCs must be called from core #3, unless the top-level handler ID is 1 (SMCs internal to the kernel). Thus, the only SMCs that can be run side-by-side are [any userland smc] and smcGetRandomBytesForKernel, and this turns out to not really be abusable.
| Mostly useless. Maybe some oob-write into unused (and thus useless) memory if running smcGetRandomBytesForKernel and smcGetRandomBytesForUser at the same time.
| [[2.0.0]]
| [[2.0.0]]
| December 2017 (Probably earlier by others)
| January 18, 2018
| [[User:SciresM|SciresM]], probably others (independently).
|-
| jamais vu (non-secure world access to PMC MMIO and pre-deep sleep firmware)
| On [[1.0.0]], one could map in the PMC registers in userland. In addition, [[AM_services|am]] ran a little-kernel based firmware on the BPMP at runtime. With code execution under am, one could modify the BPMP's little-kernel firmware to hook deep sleep entry, and modify TrustZone/Security engine state.

This was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry.
| Arbitrary TrustZone code execution.
| [[2.0.0]]
| [[2.0.0]]
| December, 2017
| January 20, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
|-
| Missed BPMP Exception Vector Writes
| Starting in [[2.0.0]], the BPMP is asleep at runtime, and is turned on by TrustZone during [[SMC|smcCpuSuspend]] in order to initiate the deep sleep process. When it does so, it is held in RESET, and TrustZone attempts to write to the BPMP exception vectors at 0x6000F200 to register EVP_RESET = lp0_entry_fw_crt0, and all other EVPs to a function that simply reboots. However, while they successfully write EVP_RESET, they miss all the other vectors, accidentally writing to the 0x6000F004-0x6000F020 region instead of the 0x6000F204-0x6000F220 region they want to write to. This results in all the exception vectors for the BPMP other than RESET being "undefined" (attacker controlled).

With some way of causing an exception vector to be taken at the right time, this would give pre-sleep code execution (and thus arbitrary TrustZone code execution, via the security engine flaw). However, none of the abort vectors are really triggerable, and interrupts are disabled for the BPMP when it is taken out of reset. Thus, this is useless in practice.

This was fixed in [[4.0.0]] by writing to the correct registers.
| Theoretically: Arbitrary TrustZone code execution. In practice: Useless.
| [[4.0.0]]
| [[4.0.0]]
| January, 2018
| February 23, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]], [[User:Naehrwert|naehrwert]], [[User:Hexkyz|hexkyz]], probably others (independently).
|-
| TSEC has access to the secure kernel carveout
| TrustZone is responsible for managing security carveouts to prevent DMA controllers from accessing the carveout which contains the kernel, sysmodules, and other critical operating system data.

Until [[8.0.0]], the list of devices that could access the carveout included the TSEC. However, the TSEC can bypass the SMMU when in authenticated mode by writing to a certain register. Thus, pwning nvservices would allow one to take over the TSEC, and use it to write to normally protected mmio/memory.

In [[8.0.0]], this was fixed by removing TSEC access, and adding TSECB access (TSECB cannot bypass the SMMU).
| With access to the TSEC mmio (nvservices ROP) and code execution in TSEC Heavy Secure mode, kernel code execution, probably.
| [[8.0.0]]
| [[8.0.0]]
| 2017 (when TrustZone code plaintext was first obtained).
| April 15, 2019
| Everyone
|-
| deja vu (insufficient system state validation on suspend leads to pre-sleep BPMP code execution)
| Jamais Vu was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry, since gaining pre-sleep code execution on the BPMP compromises the system.

However, the state validation performed by Nintendo's Secure Monitor was insufficient to prevent pre-sleep execution from being obtained.

Prior to [[6.0.0]], one could use a DMA controller that had access to IRAM and was not held in reset (there were multiple) to race TrustZone's writes to the BPMP firmware in IRAM, and thus overwrite Nintendo's firmware with an attacker's to gain pre-sleep code execution.

[[6.0.0]] addressed this by performing TrustZone state MAC writes and locking PMC scratch *before* turning on the BPMP, fixing the original Jamais Vu exploit entirely. In addition, the BPMP firmware in TrustZone's .rodata is now memcmp'd to the actual data after it is written to IRAM. This mitigates race attacks that modify the firmware.

However, Nintendo both forgot to validate the BPMP exception vectors after writing them, and forgot to hold in reset a DMA controller that can write to the BPMP's exception vectors.

AHB-DMA is not blacklisted by kernel mapping whitelist (Nintendo probably forgot it, because the TX1 TRM does not really document that it's present, although the MMIO works as documented in older (Tegra 3 and before) TRMs).

Thus, with kernel code execution (or some other way of accessing AHB-DMA, e.g. nspwn on <= 4.1.0, TSEC hax, or other arbitrary mmio access flaws), one can DMA to the BPMP's exception vectors as they are written, causing TrustZone to start the BPMP executing an attacker's firmware at a different location than TrustZone intends/validates.

This was fixed in [[8.0.0]] by blocking AHB-DMA arbitration and verifying it is held in reset during suspend, and thus there are no more devices that can write to the relevant MMIO at the right time.

| Arbitrary TrustZone/BootROM code execution, by using either the original Jamais Vu flaw (prior to [[6.0.0]] or a warmboot bootrom exploit (any firmware where pre-sleep execution can be gained).
| [[8.0.0]]
| [[8.0.0]]
| December 2017
| April 15, 2019
| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]] and ktemkin, [[User:Naehrwert|naehrwert]] (independently), almost certainly others (independently)
|-
| TrustZone allows using imported RSA exponents with arbitrary modulus
| TrustZone supports "importing" RSA private exponents for use by userland -- these are stored encrypted with TrustZone only keydata in NAND, and decrypted only to TZRAM. This prevents a console that has compromised userland from learning the private exponents of these keys and doing calculations with them offline. In practice, this is used for FS (gamecard communications), ES (drm), and SSL (console client cert communications).

However, the actual SMC API only imports the RSA exponent, and not the modulus, which is passed separately by userland in each call. There is no validation done on the modulus passed in -- this means that userland can pass in any message and modulus it chooses, and obtain the result of (message ^ private exponent) % modulus back from the secure monitor.

By choosing a prime number modulus P such that P has "smooth" order (totient(P) == P-1 is divisible only by "small" primes), one can efficiently use the [[wikipedia:Pohlig-Hellman algorithm|Pohlig-Hellman algorithm]] to calculate the discrete logarithm of such a result directly, and thus obtain the private exponent.

This is mostly useless in practice, given the general availability of other exploits to obtain these decrypted exponents.

This was fixed in 10.0.0 by importing the modulus in addition to the exponent for the ES device key and ES client cert key. For backwards compatibility reasons the SSL key and Lotus key still only import the exponent.

StorageExpMod also now validates that the exponentiation of "DDDDD..." about the provided modulus by the imported exponent and then the fixed public exponent returns "DDDDD...", and returns invalid argument if validation fails.
| With userland privileges sufficient to use an imported RSA key: obtaining that RSA key's private exponent.
| [[10.0.0]]
| [[10.0.0]]
| August 14, 2019
| August 14, 2019
| [[User:SciresM|SciresM]]
|}

== Kernel ==
Flaws in this category pertain exclusively to the [[Package2#Section_0|HorizonOS Kernel]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Syscall Infoleaks
| Many syscalls leaked kernel pointers on sad paths (for example svcSetHeapSize and svcQueryMemory), until they landed a bunch of fixes in 2.0.0.
| Nothing really.
| [[2.0.0]]
| [[2.0.0]]
|
| 2017
| Everyone
|-
| svcWaitSynchronization/svcReplyAndReceive bad cleanup on error
| If there is a page fault when fetching handles from the userspace array, it cleans up by dereferencing all objects despite having only loaded first N. Allows the attacker to make arbitrary decrefs on any kernel synchronization object, and thus can be used to get UAF. Haven't actually been tried on real HW though, but should work (tm).
| Kernel code execution
| [[2.0.0]]
| [[2.0.0]]
|
| April 24, 2017
| [[User:qlutoo|qlutoo]]
|-
| Bad irq_id check in CreateInterruptEvent
| CreateInterruptEvent syscall is designed to work only for irq_id >= 32. All irq_ids < 32 are "per-core" and reserved for kernel use (watchdog/scheduling/core communications).
On 1.0.0 you could supply irq_id < 32 and it would write outside the SharedIrqs table.
| You can register irq's in the Core3Irqs table, and thus register per-core irqs for core3, that are normally reserved for kernel. Useless.
| [[2.0.0]]
| [[2.0.0]]
| October 2017
| October 17, 2017
| [[User:qlutoo|qlutoo]]
|-
| Kernel .text mapped executable in usermode
| Prior to [[3.0.2]] the kernel .text was [[Memory_layout|mapped]] in usermode as executable. This can be used for usermode ROP for bypassing ASLR, but SVCs/IPC are not usable by running kernel .text in usermode.
| Executing kernel .text in usermode
| [[3.0.2]]
| [[3.0.2]]
|
| December 28, 2017 (34c3)
| [[User:qlutoo|qlutoo]]
|-
| Memory Controller not properly secured
| The Switch OS originally had the memory controller not set to be accessible only by the secure-world, which was problematic because insecure access can compromise the kernel.

This was fixed partially in [[2.0.0]] by blacklisting the memory controller from being mapped by user-processes, and was fixed entirely in [[4.0.0]] by making the memory controller TZ-only and making all kernel accesses go through [[SMC|smcReadWriteRegister]].
| With some way to access the memory controller MMIO, arbitrary kernel code execution.
| [[4.0.0]]
| [[4.0.0]]
| January 2018
| January 2018
| [[User:SciresM|SciresM]], [[User:Yellows8|yellows8]]
|-
| Potential [[SVC|svcWaitForAddress]] thread use-after-free
| Between [[4.0.0]], where svcWaitForAddress was introduced, and [[7.0.0]], there was a second intrusive rbtree node in KThread for the WaitForAddress tree (the key being (address, priority), sorted lexicographically). Unlike the WaitProcessWideKeyAtomic tree, the kernel forgot to reinsert the WaitForAddress node when the thread's priority changed (priority inheritance and/or SetPriority), breaking the rbtree invariants; and since the kernel walks through the entire tree to remove intrusive nodes, you could cause threads to stay in the tree even after their deletion.

[[7.0.0]] fixed the issue by using the same intrusive node for both trees. The thread/node knows which tree it is in, and the latter is correctly updated when thread priority changes.
| It unluckily didn't look exploitable
| [[7.0.0]]
| [[7.0.0]]
| July 2018
| February 2019
| [[User:TuxSH|TuxSH]]
|-
| Kernel RWX identity mapping never unmapped
| During init, the kernel binary is identity-mapped as RWX at 0x80060000; this is necessary to facilitate the transitionary period while the MMU is being enabled but mappings for e.g. KASLR are not yet determined, and also to enable smooth MMU enable transition during wake-from-sleep.

However, the identity mapping was never unmapped, and thus the whole kernel code bin remained permanently mapped as RWX for all kernel threads (any thread which does not have an owner process and thus uses the KSupervisorPageTable TTBR0).

Thus, any theoretical exploit which would give kernel memory corruption or ROP under a kernel thread would allow making use of this mapping to modify kernel text + bypass KASLR.

This was fixed in [[16.0.0]] by unmapping the identity-mapping during init, and re identity-mapping only the very first page of kernel .text as R-X (for use by wake-from-sleep), which fixes the shellcode problem and mostly fixes the ROP problem, since this page mostly lacks interesting gadgets.
| In theory, with another exploitable kernel memory corruption (or ROP under kernel thread) bug: bypassing KASLR + modifying kernel .text.

However, no such bugs are known.
| [[16.0.0]]
| [[16.0.0]]
| Summer 2018
| February 2023
| Everyone
|}

== FIRM-package System Modules ==
Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Service access control bypass (sm:h, smhax, probably other names)
| Prior to [[3.0.1]], the ''service manager'' (sm) built-in system module treats a user as though it has full permissions if the user creates a new "sm:" port session but bypasses [[Services_API#Initialize|initialization]]. This is due to the other sm commands skipping the service ACL check for Pids <= 7 (i.e. all kernel bundled modules) and that skipping the initialization command leaves the Pid field uninitialized.
In [[3.0.1]], sm returns error code 0x415 if [[Services_API#Initialize|Initialize]] has not been called yet.
| Acquiring, registering, and unregistering arbitrary services
| [[3.0.1]]
| [[3.0.1]]
| May 2017
| August 17, 2017
| Everyone
|-
| Overly permissive SPL service
| The concept behind the switch's [[SMC|Secure Monitor]] is that all cryptographic keydata is located in userspace, but stored as "access keys" encrypted with "keks" that never leave TrustZone. The [[SPL services|spl]] ("security processor liaison"?) service serves as an interface between the rest of the system and the secure monitor. Prior to [[4.0.0]], spl exposed only a single service "spl:", which provided all TrustZone wrapper functions to all sysmodules with access to it. Thus anyone with access to the spl: service (via smhax or by pwning a sysmodule with access) could do crypto with any access keys they knew.

This was fixed in [[4.0.0]] by splitting spl: into spl:, spl:mig, spl:ssl, spl:es, and spl:fs.
| Arbitrary spl: crypto with any access keys one knows. For example, one could use the SSL module's access keys to decrypt their console's SSL certificate private key without having to pwn the SSL sysmodule.
| [[4.0.0]]
| [[4.0.0]]
| Summer 2017 (after smhax was discovered).
| December 23, 2017
| Everyone
|-
| Single session services not really single session
| Several "critical" services (like fsp-ldr, fsp-pr, sm:m, etc) are meant to only ever hold a single session with a specific sysmodule. However, when a sysmodule dies, all its service session handles are released -- and thus killing the holder of a single session handle would allow one (via sm:hax etc) to get access to that service.

This was fixed in [[4.0.0]] by adding a semaphore to these critical single-session services, so that even if one gets access to them an error code will be returned when attempting to use any of their commands.
| With some way to access these services and kill their session holders (like expLDR): dumping sysmodule code, arbitrary service access, elevated filesystem permissions, etc.
| [[4.0.0]]
| [[4.0.0]]
| May/June 2017 (basically immediately after smhax was discovered)
| December 30, 2017
| Everyone
|-
| nspwn
| fsp-ldr command 0 "MountCode" takes in a Content Path (retrieved from NCM by Loader), and returns an IFileSystem for the resulting ExeFS. These content paths, are normally NCAs, but MountCode also supports a number of other formats, including ".nsp" -- which is just a PFS0.

When a path ending in ".nsp" is parsed by MountCode, the PFS0 is treated as a raw ExeFS. Because there is no NCA header, the ACID signatures are not validated -- and because there are no other signatures in a PFS0, this results in no signature checking happening at all.

The actual .nsp handling is eventually done by {content mounting function} called by MountCode and other FS commands.

Thus, by placing an ExeFS (NSOs + "main.npdm") and setting one's desired title ID to "@Sdcard:/some_title.nsp" or "@User:/some_title.nsp" etc one can launch arbitrary unsigned code, with arbitrary unsigned NPDMs.

This appears to have been fixed by only allowing .nsp when the input fstype==7 for the internal content-mounting function, returning 0x2EE202 otherwise.
| With access to "lr": Arbitrary code execution with full system privileges.
| [[5.0.0]]
| [[5.0.0]]
| Late 2017
| April 23, 2018
| Everyone
|-
| Single null-byte stack overflow in Loader ContentPath parsing
| Previously, loader content path parsing looked like this, where path_from_lr was up to 0x300 bytes and not necessarily null-terminated:

char nca_path[0x300] = {0};
strcat(nca_path, path_from_lr);
for (int i = 0; nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}

Thus, a content path of the maximum length (0x300 bytes) would result in strcat writing a NULL terminator past the end of the nca_path buffer.

This was fixed in [[6.0.0]], the new code looks like this:

char nca_path[0x300];
strncpy(nca_path, path_from_lr, sizeof(nca_path));
for (int i = 0; i < sizeof(nca_path) && nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}

| With access to "lr": single null-byte stack overflow in Loader. Maybe (but probably not) loader code execution.
| [[6.0.0]]
| [[6.0.0]]
| September 2, 2018
| September 19, 2018
| [[User:SciresM|SciresM]]
|-
| System modules vulnerable to selective downgrade attacks
| Horizon has no mechanism for specifying the specific title version to Loader on process creation.

Observing this, one can note that after a system update one could install a downgraded version of a specific system module (e.g. nvservices) while leaving the rest of the OS at the same version.

Unless there was some breaking API change, this allows one to make a console vulnerable once more to an exploit in a sysmodule by downgrading it and nothing else.

This was fixed in [[8.1.0]] by incrementing a version field in NPDM, and checking it against a hardcoded list for certain titles in Loader's process creation func.
| With access to content installation commands (or a vulnerable lower version to selectively install newer titles), reintroducing bugs in vulnerable system modules on newer firmware versions.
| [[8.1.0]]
| [[8.1.0]]
| When FIRM was first dumped in 2017.
| June 17, 2019
| Everyone
|-
| Broken RNG for [[Loader_services|Loader]] ASLR
| The RNG used for generating the ASLR slide is only seeded with 32bits, with the data from [[SVC|svcGetInfo]]. Hence, one could bruteforce the seed if one has infoleaks from any programs. This can be successfully bruteforced with at least 2 sample codebin addrs from different programs (with only 1 sample a lot of invalid seeds are found), however in some cases more than 1 seed might be found.

With [15.0.0+] Loader now uses csrng_GenerateRandomBytes for determining the ASLR slide.

See also [https://github.com/switchbrew/loader-aslr-solver loader-aslr-solver].
| Breaking ASLR for all non-KIP processes, allowing predicting the main-codebin base addr for all non-KIP processes until the next reboot.
| [[15.0.0]]
| [[15.0.0]]
| January 30, 2022 (presumably found much earlier?)
| October 11, 2022
| Everyone
|}

== System Modules ==
Flaws in this category pertain to any non-built-in system module.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| OOB Read in NS system module (pl:utoohax, pl:utonium, maybe other names)
| Prior to [[3.0.0]], pl:u (Shared Font services implemented in the NS sysmodule) service commands 1,2,3 took in a signed 32-bit index and returned that index of an array but did not check that index at all. This allowed for an arbitrary read within a 34-bit range (33-bit signed) from NS .bss. In [[3.0.0]], sending out of range indexes causes error code 0x60A to be returned.
| Dumping full NS .text, .rodata and .data, infoleak, etc
| [[3.0.0]]
| [[3.0.0]]
| April 2017
| June 19, 2017
| [[User:qlutoo|qlutoo]], ReSwitched Team (independently)
|-
| Unchecked domain ID in common IPC code
| Prior to [[2.0.0]], object IDs in [[IPC_Marshalling#Domain_message|domain messages]] are not bounds checked. This out-of-bounds read could be exploited to brute-force ASLR and get PC control in some services that support domain messages.
|
| [[2.0.0]]
| [[2.0.0]]
| July 2017
| July 20, 2017‎
| [[User:hthh|hthh]]
|-
| Out-of-bounds array read for [[BCAT_Content_Container]] secret-data index
| The [[BCAT_Content_Container]] secret-data index is not validated at all. This is handled before the RSA-signature(?) is ever used. Since the field is an u8, a total of 0x800-bytes relative to the array start can be accessed.
This is not useful since the string loaded from this array is only involved with key-generation.
|
| Unknown
| [[2.0.0]]
| August 4, 2017
| August 6, 2017
| [[User: shinyquagsire23|Shiny Quagsire]], [[User:Yellows8|yellows8]] (independently)
|-
| expLDR (sysmodule handle table exhaustion)
| Most sysmodules share common template code to handle IPC control messages. The command DuplicateSession (type 5 command 2)'s template code will abort() if it fails to duplicate a session's handle for the requester. Because many sysmodules have limited handle table size (smaller than the browser/other entrypoints), repeatedly requesting to duplicate one's session will cause the sysmodule to run out of handle table space and abort, causing the service to release all its handles cleanly.
| Sysmodule crashes. Most usefully, crashing ldr allows access to fsp-ldr and crashing pm allows access to fsp-pr. Useless after [[4.0.0]], which mitigated a number of single-session service access issues.
| Unfixed
| [[4.1.0]]
| June 24, 2017
| March 8, 2018
| [[User:daeken|daeken]]
|-
| Transfer Memory leak in nvservices system module
| The nvservices sysmodule does not clear most of its transfer memory prior to release.
| The calling process can read key bits of memory, including breaking ASLR (by revealing the image base) and exposing the address of other transfer memory to set up attacks. More details here: [https://daeken.svbtle.com/nintendo-switch-nvservices-info-leak transfermeme (nvservices info leak)] by [[User:daeken|daeken]]
| [[6.0.0]]
| [[6.0.0]]
| June 2017
| October 16, 2018
| [[User:qlutoo|qlutoo]] and [[User:hexkyz|hexkyz]],
[[User:daeken|daeken]] (independently)
|-
| OOB write in audio system module
| Prior to [[2.0.0]], the [[Audio_services#audout:u|AppendAudioOutBuffer]] and [[Audio_services#audin:u|AppendAudioInBuffer]] IPC commands would blindly increment the appended buffers' count while using said count value as an index to where the user data should be copied into. This resulted in an 0x28 bytes, user controlled, out-of-bounds memory write into the [[Audio_services|audio]] sysmodule's memory space.
Combined with the [[Audio_services#audout:u|GetReleasedAudioOutBuffer]] or [[Audio_services#audin:u|GetReleasedAudioInBuffer]] commands, this could also be used as an 8 byte infoleak.

In [[2.0.0]], the commands now return error code 0x1099 if the number of unreleased buffers exceeds 0x1F.
| Code execution under audio sysmodule
| [[2.0.0]]
| [[2.0.0]]
|
| November 2, 2018
| [[User:hexkyz|hexkyz]], probably others (independently).
|-
| Infoleak in nvservices system module
| The [[NV_services|nvservices]] ioctl [[NV_services#NVMAP_IOC_ALLOC|NVMAP_IOC_ALLOC]] takes an optional argument "addr" which allows the calling process to pass a pointer to user allocated memory for backing a nvmap object. If "addr" is left as 0, nvservices uses the transfer memory region (donated by the user during initialization) instead, when allocating memory for the nvmap object.
By design, freeing the nvmap object by calling the ioctl [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] returns, in its "refcount" argument, the user address previously supplied if the reference count reaches 0.
However, prior to [[6.2.0]], the case where the transfer memory region is used to allocate the nvmap object was not taken into account, thus resulting in [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] leaking back an address from within the transfer memory region mapped in nvservices' memory space.

In [[6.2.0]], [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] no longer returns the address when the transfer memory region is used instead of user supplied memory.
| Combined with other vulnerabilities: Defeating ASLR in nvservices sysmodule.
| [[6.2.0]]
| [[6.2.0]]
| April 2017
| November 24, 2018
| Everyone
|-
| nvhax (memory corruption in nvservices system module)
| Prior to [[6.2.0]], the [[NV_services|nvservices]] ioctl [[NV_services#.2Fdev.2Fnvhost-ctrl-gpu|NVGPU_GPU_IOCTL_WAIT_FOR_PAUSE]] would take a single "pwarpstate" argument which would be interpreted by nvservices as a memory pointer for writing 2 "warpstate" structs (one for each Streaming Multiprocessor).
This resulted in nvservices attempting to blindly memcpy into this user supplied address and trigger a crash. However, if paired with an infoleak, this could be used to arbitrarily write 0x30 bytes anywhere in nvservices' memory space.
Additionally, the "warpstate" struct itself was never initialized, which means nvservices would leak the 0x30 bytes from the stack. By invoking other ioctls it was also possible to partially control the stack contents and achieve a usable arbitrary memory write primitive.

In [[6.2.0]], [[NV_services#.2Fdev.2Fnvhost-ctrl-gpu|NVGPU_GPU_IOCTL_WAIT_FOR_PAUSE]] now takes 2 inline "warpstate" structs instead of a "pwarpstate" pointer, thus effectively avoiding the bad memcpy.
| Code execution under nvservices sysmodule
| [[6.2.0]]
| [[6.2.0]]
| April 5, 2017
| November 24, 2018
| [[User:hexkyz|hexkyz]]
|-
| [[Applet_Manager_services#IStorage|AM IStorage]] infoleak
| Originally the buffer allocated by [[Applet_Manager_services#CreateStorage|CreateStorage]] using the specified input size was not cleared. With [8.0.0+] this was fixed by adding a memset() for the buffer after successful allocation.

Hence, IStorage->IStorageAccessor->Read will return uninitialized memory when the Write cmd was not previously used with the specified region.
| Infoleak from the main [[Applet_Manager_services#IStorage|AM]] heap, allowing defeating ASLR by reading addresses from previously allocated objects.
| [[8.0.0]]
| [[8.1.0]]
| December 2018
| August 9, 2019
| [[User:Yellows8|yellows8]]
|-
| [[HID_services#hid:sys|hid:sys]] ButtonConfig s32 array-index not validated
| The input s32 array-index for [[HID_services#hid:sys|hid:sys]] ButtonConfig cmds 1255-1270 was originally not validated. Using a negative or >=5 index results in accessing out-of-bounds data, with an array stored on stack.
[10.1.0-10.2.0] Each of these cmds will now Abort if the s32 is negative or >=5. [11.0.0+] Now an unsigned compare is used, with 0 or an error being immediately returned when the value is invalid.
| hid infoleak, out-of-bounds mem-write anywhere in hid address-space relative to the stack array (with constraints on the data).
| [[10.1.0]]
| [[11.0.1]]
| April 18, 2020
| July 14, 2020
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] sdp_server.cc process_service_search() continuation request p_req validation
| With [5.0.0+], the following was added to the if-block prior to loading cont_offset from p_req: <code>(p_req + sizeof(cont_offset) > p_req_end)</code> (which verifies that cont_offset is within message bounds).
| Bluetooth-sysmodule out-of-bounds read from heap, probably not useful since the read value must match a state field, etc.
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] A-63146698
| [https://android.googlesource.com/platform/system/bt/+/226ea26684d4cd609a5b456d3d2cc762453c2d75 A-63146698] / CVE-2017-0785. See also [https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf here].
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR (note: not tested on hw).
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] GetAdapterProperty/SetAdapterProperty unchecked memcpy size
| GetAdapterProperty copies data from stack to the output buffer using the buffer size, without checking the size (when not handling the Name type). SetAdapterProperty copies data to stack from the input buffer using the buffer size, without checking the size.
This requires access to the btdrv service, only hid and btm have access.

This was fixed with [[12.0.0]] by replacing the buffer data with a fixed-size-struct.
| Stack infoleak with GetAdapterProperty, stack buffer overflow (and hence ROP) with SetAdapterProperty.
| [[12.0.0]]
| [[12.0.0]]
| July 17, 2020
| April 7, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
| The BSA (bt-stack) func bta_hh_co_data copies data from a HID DATA packet to stack without checking the size, then sends it over Uipc. [7.0.0+] The user Uipc callback also copies the input data to stack without checking the size, then sends it to the sharedmem CircularBuffer.
With [12.0.2+] this was fixed in bta_hh_co_data by clamping the size to a maximum of 0x2BB. The aforementioned buffer overflow in the Uipc callback can't be triggered since at that point the size was already clamped.

Before this bta_hh_co_data func is reached, there is no validation of the size (such as comparing against the L2CAP MTU) when Basic Mode is being used.

Actually triggering this requires using a data-size larger than the normal L2CAP MTU. This can be done by for example, using raw HCI to send the packet from the remote bluetooth device.

Note that when the remote device is configured as an audio device for [12.0.0+] where [[Settings_services#BluetoothDevicesSettings|BluetoothDevicesSettings]].TrustedServices was only ever set for audio since system-boot, it is not possible for the remote device to connect to the Switch for HID.
| ROP under [[Bluetooth_Driver_services|bluetooth]] via HID DATA packet sent by a paired HID bluetooth device. This can be triggered at any time while not in sleep-mode, when not in airplane-mode. The earliest is while the Nintendo Switch logo screen is displayed during system boot.
| [[12.0.2]]
| [[12.0.2]]
| July-August 2020
| May 11, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] WriteHidData/WriteHidData2/SetHidReport unchecked memcpy size
| WriteHidData/SetHidReport copies the input struct to stack, then passes it to the funcptr/vfunc call. WriteHidData2 passes the input buffer addr directly to the funcptr/vfunc call. The called func eventually copies the input data to the stack struct using the specified size without validating it.
This requires access to the btdrv service, only hid and btm have access.

This was fixed with [[12.1.0]] in WriteHidData/SetHidReport by doing a fixed-size copy into another tmp struct, with the size field being clamped to a maximum of 0x2BB afterwards. This struct is then used when calling the vfunc. The vfuncs called by WriteHidData/WriteHidData2/SetHidReport were also updated to clamp the size to the required maximum value.
| Stack buffer overflow
| [[12.1.0]]
| [[12.1.0]]
| July 16, 2020
| July 6, 2021
| [[User:Yellows8|yellows8]]
|-
| Infoleak with [[HID_services|hid:sys]] SetButtonConfigStorage{name}Deprecated
| These cmds pass a stack ptr for the StorageName when calling the internal func. Nothing is written to this StorageName. Hence, stack infoleak (data is copied as a NUL-terminated string), which can be later read by the GetButtonConfigStorage{name} cmds.

This was fixed by removing the Deprecated cmds in [[13.0.0]].
| Infoleak of hid stack from a StorageName readable via GetButtonConfigStorage{name}, up to the NUL-terminator.
| [[13.0.0]]
| [[13.0.0]]
| December 11, 2020
| September 27, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] EventInfo infoleak
| The various funcs which send messages to the thread which handles writing to EventInfo, didn't clear the stack msgbuf. Hence, the various get-EventInfo cmds could return leaked stack data. This likely affected most (?) get-EventInfo cmds, besides CircularBuffer-GetHidReportEventInfo.

This only matters for events where there's uninitialized regions of the EventInfo, such as events with variable-size data without a memset.

This was fixed by clearing the msgbuf in a number of funcs.
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR
| [[13.0.0]]
| [[13.1.0]]
|
| During initial [[13.0.0|diff]]. Added to this page on: December 12, 2021
| [[User:Yellows8|yellows8]]
|-
| [[SSL_services|ssl]] CVE-2021-43527
| CVE-2021-43527, see also [https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 here] and [https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html here].
Using BigSig where the server cert sig is RSA-PSS results in the remote server throwing {no shared cipher} error when Switch connects. If however one creates a rootCA using BigSig (RSA-PSS), which then signs a server cert where the server key is RSA (not PSS), the vuln can be triggered (if the rootCA is trusted, via using the import service-cmd). It's unknown whether there's other ways to trigger the vuln.

The crash occurs in VFY_Begin when using the previously overwritten data. A bitsize of <code>$((16384 + 32 + 64 + 64 + 64))</code> is only enough to overwrite cx->hashcx, to fully overwrite cx->hashobj an additional 0xC-bytes (additional 96 bits) is needed.
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
| [[13.2.1]]
| [[13.2.1]]
| Switch: December 1-2, 2021
| Switch: January 19, 2022
|
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack.
These were fixed by adding a bounds check for the size, size==0 is also checked for now.
| Bluetooth-sysmodule stack buffer overflow, with data received from a bluetooth message
| [[13.2.1]]
| [[13.2.1]]
| November 2021
| January 19, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] TakeScreenShotOfOwnLayer OOB
| The captureBuf is used as an array index without validation. Data used from this array includes calling a funcptr from the array entry, if set. Eventually this is also used to write bools into this array, one of which is from the command input.
With [5.0.0+] a func is eventually called to get a ptr determined by the input captureBuf, with nullptr being returned for captureBuf>=0x10. The caller will Abort if nullptr was returned.
| OOB array access
| [[5.0.0]]
| [[13.1.0]]
| ~July 31, 2019
| January 26, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] ClearCaptureBuffer OOB
| The captureBuf is used as an array index without proper validation. There is code validating it, but on failure it just skips over a code-block, with code using captureBuf still being used afterwards. Then this is used to write bools into a global array, one of which is from the command input.
This was fixed with [9.1.0+] by requiring captureBuf = 0-1.
| OOB bool writes into an array
| [[9.1.0]]
| [[13.1.0]]
| ~July 31, 2019
| January 26, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFCONF infoleak
| Originally bsd ioctl SIOCGIFCONF was handled by setting the data in IPC outbuf0 to the size/addr of IPC outbuf1. These buffers are HipcAutoSelect, so if buf1 is small enough for HipcPointer (otherwise it would be HipcMapAlias) the IPC-buf-ptr leaked into outbuf0 would be located in the codebin-region. Since this is done before the actual ioctl-handling, it doesn't matter whether the fd is valid.
This was fixed in [5.0.0+] by using a tmp struct on stack instead of buf0.
| bsdsockets-sysmodule codebin-region addr infoleak, which allows defeating ASLR.
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022 (probably earlier)
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFMEDIA input can contain ptr
| Originally bsd ioctl SIOCGIFMEDIA used the user-specified ifmediareq structure directly from the input buffer. This includes a ptr. This ptr probably isn't actually used?
With [5.0.0+] the structure used as input for the ioctl was changed to using <code>int ifm_ulist[1]</code> instead of <code>int *ifm_ulist</code> (which is unused). The input structure is copied to a tmp struct which is used as the original ifmediareq structure, with ifm_ulist always NULL. The user can still specify a non-zero ifm_count value, however that's not useful with ifm_ulist being always NULL.
| Useless?
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| Infoleak with [[Joy-Con]] HidCommand PairingIn
| The joycon protocol handler for PairingIn copies data from stack to the response cmd-buf for sending PairingOut. Only the first byte is set to a type value, the rest is uninitialized stack data.

This was fixed with [15.0.0+] by directly writing to the response data without using stack data.
| Infoleak of hid stack via a bluetooth/uart message+response with a connected hid controller. This returns addrs for the main-codebin/stack, which allows defeating ASLR.
| [[15.0.0]]
| [[15.0.0]]
| September 4, 2020
| October 10, 2022
| [[User:Yellows8|yellows8]]
|-
| Broken RNG for [[RO_services|ro]] ASLR
| The RNG used to determine where to randomly map NROs in the target process was TinyMT (nn::os::detail::RngManager output, seeded by 128 bits of entropy). However, TinyMT is not cryptographically secure (and can in fact be analytically solved).

Thus, with a few NRO mapping addresses, one could learn the TinyMT state and derive all previous/future RNG outputs, breaking NRO aslr for all processes.

With [15.0.0+] ro now uses csrng_GenerateRandomBytes to determine the random map address for NROs.
| Breaking ASLR for all NROs loaded in all processes, allowing predicting all NRO mappings for all processes until the next reboot.
| [[15.0.0]]
| [[15.0.0]]
| Late 2021/Early 2022
| October 11, 2022
| Everyone
|-
| Broken RNG used by [[NS_Services|ns]]
| The code generating the sd seed and the data for the [[SD_Filesystem|sd]] private/private1 file, all use nn::os::GenerateRandomBytes, not csrng. The sd-seed is generated first, then private, then private1. This allows deriving sd-seed from private since this uses TinyMT, as long as the system shipped from factory on [2.0.0+]. private1 is only useful if the system shipped with [4.0.0+].

There's various other code in ns using nn::os::GenerateRandomBytes as well. This includes the code generating ns_systemseed when it doesn't exist. ns_systemseed is generated at some point after the various sd-seed-related code (both are called from the same func). Hence, ns_systemseed can be recovered with the above method as well, if it wasn't recreated at some point without regenerating the above nand-save used with the above.

With [15.0.0+] ns now uses csrng_GenerateRandomBytes for sd-seed/private and ns_systemseed, etc. This only matters when the file is newly generated, which is usually only for factory-fresh systems which ship with this version. This would also apply after being deleted during {System Settings -> Formatting Options -> Initialize Console}, and also with a refurbished console.
| Generation of a system's sd-seed allowing decryption of the NAX0 layer of data on [[SD_Filesystem|SD]], derived using the private file from SD. Applies to systems which factory-shipped with a system-version prior to [[15.0.0]] (that is, [2.0.0-14.1.2]).
| [[15.0.0]], for newly generated files
| [[15.0.0]]
| December ~12, 2021
| October 11, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA bsa_sv_av_cback stack buffer overflow
| bsa_sv_av_cback checks for two input type values (0xC/0xD), on match it copies the input data to stack without size validation. Then it sends an internal request with this data (likewise when the type values don't match, except the input data is passed directly with a small size), then it returns.
This requires the AV functionality added with [13.0.0+], however this func is only reachable with [14.0.0+] where the required functionality was enabled.

This requires message data that's larger than the MTU, so fragmentation must be used, or manually send the ACL data to bypass the MTU.

This can be triggered via an AVRC message with opcode=0x0 (vendor). The above type 0xC is reached via AVRC ctype 0..4, while 0xD is reached with ctype>=0x9.

With [15.0.0+] the size value for the memcpy (which is also written to the request struct) is clamped to a max value.
| Bluetooth-sysmodule stack buffer overflow on [14.0.0-14.1.2], with data received from an AVRC bluetooth message with a bluetooth-audio device.
| [[15.0.0]]
| [[15.0.0]]
| November 2021
| October 11, 2022
| [[User:Yellows8|yellows8]]
|-
| [[WLAN_services|wlan]] SetMulticastList heap buffer overflow
| The [[WLAN_services#SetMulticastList|SetMulticastList]] command allocates a 0x31-bytes sized buffer and copies to it as much [[WLAN_services#MacAddress|MacAddress]] values from the input [[WLAN_services#MulticastList|MulticastList]] as specified by the "Count" field, but this field is never validated.

With [15.0.0+] error code 0x1906B is now returned if "Count" is larger than 8.
| wlan-sysmodule heap buffer overflow.
| [[15.0.0]]
| [[15.0.0]]
| June 6, 2022
| November 9, 2022
| [[User:Hexkyz|hexkyz]]
|}

== Internet Browser ==
{| class="wikitable" border="1"
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| CVE-2016-4657
| WebKit vuln discovered around August 2016. Most notably used in the iOS 9.3.X exploit. A simple PoC can be found [https://github.com/LiveOverflow/lo_nintendoswitch/blob/master/poc1.html here]. This was later exploited by [https://twitter.com/qwertyoruiopz Qwertyoruiop] using an adjusted version of his iOS 9.3 webkit exploit (others exploited this prior to then).
|
| [[2.1.0]]
| [[2.0.0]]
| Original: August 2016
Switch: March 3rd-4th 2017
|
| Everyone
|-
| CVE-2017-7005
| WebKit type confusion.
|
| [[3.0.1]]
| [[3.0.1]]
|
|
| Everyone
|-
| CVE-2016-4622
| WebKit memory corruption bug. This bug was incorrectly re-introduced in [[4.0.0]]. See [http://www.phrack.org/papers/attacking_javascript_engines.html here] for a detailed write-up from the author.
|
| [[6.1.0]]
| [[6.1.0]]
|
|
| Everyone
|-
| CVE-2018-4441
| WebKit memory corruption bug. See [https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2 here].
|
| [[7.0.0]]
| [[7.0.0]]
|
|
| Everyone
|}

=== Whitelist ===
This section documents [[Internet_Browser|WebApplet]] whitelist issues in applications. These can be used to load your own browser content over plain HTTP, which then for example could be used for web-applet exploitation.

{| class="wikitable" border="1"
! Application
! Description
! Fixed with app version
! Newest app version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Sonic Mania
| Originally this game launched web-applet with a plain-http URL for displaying the manual, this was later changed to https. Originally the whitelist only had 1 entry for a http URL, this was later replaced with various https-only URLs.
| 1.04, unknown if fixed with an earlier update
| 1.04
| January (?) 2022
| February 23, 2022
| [[User:Yellows8|yellows8]]
|}

== NintendoSDK ==
This section documents vulnerabilities for NSOs in NintendoSDK.

=== nnSdk ===
This section documents vulnerabilities for nnSdk (sdknso).

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in SDK [[System_Versions|version]]
! Last SDK version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| [[HID_services|hidbus]] GetJoyPollingReceivedData buffer overflow
| hidbus GetJoyPollingReceivedData doesn't validate the u8 size used for memcpy, when copying the data to the output JoyPollingReceivedData. With 11.x, the size is now clamped to a maximum of 0x2C (regardless of polling-mode). Note that 0x2C is the data-size for JoyButtonOnlyPollingDataAccessor, the other polling-modes have a smaller size.

The hid-sysmodule code which writes data here does handle it properly: size is clamped to a max size, and the data-read uses a fixed-size anyway (hence there's no way to trigger this sdknso vuln with the hid-sysmodule tmem writing code).

This could only be exploited if one directly writes to the tmem when one has previously compromised hid-sysmodule, without using the normal tmem-writing func for this.

There are only a few [[HID_services#ExternalDevices|apps]] which use hidbus.
| Triggering a buffer overflow in an application which uses hidbus GetJoyPollingReceivedData, from a previously compromised hid-sysmodule.
| 11.x.0
| 11.4.0
| March 2020
| December 3, 2020
| [[User:Yellows8|yellows8]]
|-
| [[Profile_Selector|Profile Selector]] uninitialized input data
| Originally unused regions of [[Profile_Selector]] UiSettings/UserSelectionSettings were not cleared prior to being sent to the applet. With 1.x.x these are now properly memset().
| Stack infoleak from user-process, sent to the applet.
| 1.x.x
| 11.4.0
| November-December 2019
| December 31, 2020
| [[User:Yellows8|yellows8]]
|}

=== Pia ===
This section documents vulnerabilities for [https://github.com/Kinnay/NintendoClients/wiki/Pia-Overview Pia].

In v5.11.3 (exact starting version unknown) the fixes aren't present for the below vulns which were fixed in v5.9.3, while in v5.18.98 these are present (exact starting version unknown). This probably indicates that the vuln fixes were backported from a newer Pia version to v5.9.3.

The Pia packet handlers are only active when the game is using multiplayer. LanProtocol is only active in the games which are actively using the LAN-mode option (not Ldn) - only certain games support LAN-mode. The LanProtocol Pia packet handler can be reached while in a lobby or searching for one.

Most Pia packets require an active StationProtocol connection to be active with {InetAddr which the packet was received from}, otherwise the packet is filtered out. The only protocols which don't use filtering are the following: NatTraversalProtocol, LanProtocol, StationProtocol, LocalProtocol.

Note that broadcast IP-dest Pia packets are accepted - this can be used to target every device on the network which is using Pia (which is really only useful with {above protocols} due to the filtering mentioned above, unless one also handles StationProtocol).

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in Pia version
! Last Pia version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| nn::pia::session::RelayRouteManageJob::UpdateConnectionReport buffer overflow
| nn::pia::session::RelayRouteManageJob::UpdateConnectionReport() checks that the input size is at least {value}, but there's no max size check. This is used to memcpy from the input to elsewhere - hence buf-overflow if size is too large. The dst buffer is allocated on the pead heap - this buffer is probably small.
Note that there's various requirements before it would actually reach the memcpy, such as <code><nn::pia::session::Mesh::IsHost() const></code> must return true.

In fixed versions immediately after the StationIndex validation it now does: <code>if(statefield+0x10<input_size) return;</code>

This is called from nn::pia::session::MeshProtocol::ParseConnectionReport().
| Heap buffer overflow triggered by a Pia MeshProtocol message sent to a host device.
| v5.9.3, see above.
| v5.9.1/v5.9.2/v5.9.3
| November 11, 2022
| November 15, 2022
| [[User:Yellows8|yellows8]]
|-
| nn::pia::lan::LanProtocol::ParseSessionMessage buffer overflow
| nn::pia::lan::LanProtocol::ParseSessionMessage() calls nn::pia::lan::LanSessionMessage::Deserialize() to deserialize the message payload data buffer into the LanSessionMessage object on stack. LanSessionMessage::Deserialize (among other things) memcpys data from the input buffer to the object, using an u32 from the input buffer - there is no size validation in Deserialize itself.
There is a size check immediately after calling Deserialize() to verify <code>payloadsize=={u32val}+{constant}</code>, returning on fail - but this doesn't matter for too-large-size.

In fixed versions Deserialize now does bounds checking, both for the minimum message size and clamping the memcpy size to a constant. An error is thrown if the clamped memcpy size is larger than the message size. The caller now checks the ret properly, previously it was ignored.

Following the size check in ParseSessionMessage() it calls <code><nn::pia::session::Mesh::IsProcessingLeaveMesh() const></code>, returning if ret is false.

Then it calls nn::pia::lan::LanProtocol::ReceivedFragmentData::Receive(), with the memcpy'd buffer/size from the above LanSessionMessage, and other fields from LanSessionMessage. This eventually memcpys the input buffer to object+{offset}+{chunksize_field}*inputu8, there is no validation for size or inputu8 (except for the above size check). Hence, if the u8 is large enough, this would result in a heap buffer overflow.

In fixed versions ReceivedFragmentData::Receive added a bunch of validation before the memcpy.
| Stack/heap buffer overflow triggered by a Pia LanProtocol message.
| v5.9.3, see above.
| v5.9.1/v5.9.2/v5.9.3
| November 14, 2022
| November 15, 2022
| [[User:Yellows8|yellows8]]
|-
| nn::pia::session::SessionProtocol::ParseLeaveMeshInvitation buffer overflow
| <code><nn::pia::session::SessionProtocol::ParseLeaveMeshInvitation(nn::pia::transport::ReceivedMessageAccessor const&)></code> This immediately returns if *(ReceivedMessageAccessor+16) is 0. Then the input data is deserialized. The input u64 array is deserialized to stack, the u8 arraycount field from input is not validated.

Hence, stack buffer overflow. Note that there's similar loop code in nearby funcs, which do validate the count properly.

In fixed versions the arraycount field is now validated.

SessionProtocol uses ReliableSlidingWindow MessageHeader, with a maximum message size of 0x100. The allocated size used for the above u64 array is also 0x100-bytes. Hence, when triggering a buf overflow the data after the buffer is uncontrolled data from the SessionProtocol object.
| Stack buffer overflow triggered by a Pia SessionProtocol message.
| v5.9.3, see above.
| v5.9.1/v5.9.2/v5.9.3
| November 14, 2022
| November 15, 2022
| [[User:Yellows8|yellows8]]
|-
| Optional Pia packet encryption
| Pia packet encryption is optional. If the encryption flag is disabled, the packet handler will accept it and skip crypto.
In fixed versions immediately after grabbing a packet, it now checks the crypto flag. If it's plaintext the packet is dropped.

This can be used to send a plaintext Pia packet without needing to handle encryption, especially useful if the session-key can't be obtained (online-play matchmaking). This could be combined with other vulns if wanted.
| Sending a plaintext Pia packet without needing to handle encryption.
| v5.9.3, see above.
| v5.9.3 (and later versions)
|
| November 19, 2022
|
|-
| nn::pia::session::{JoinMeshJob/ProcessUpdateMeshJob}::SetStationDataList OOB read/write/vfunc-call
| <code>nn::pia::session::JoinMeshJob::SetStationDataList</code>is called by <code>nn::pia::session::MeshProtocol::ParseJoinResponse(nn::pia::transport::ReceivedMessageAccessor const&)></code> with the ReceivedMessageAccessor buffer.
SetStationDataList will update state and immediately return if the join was denied. It will also validate the num_mesh_stations field against state. ParseJoinResponse also essentially verifies that the message was received from the host device.

The input buffer size is ignored.

The num_fragments field must be value 1 or <=3 otherwise it will return, there's two seperate code blocks handling these.

Other than the checks at the start, there's no validation for the index fields. So large enough values could result in OOB-reads.

When handling multiple fragments, it will loop through the stationinfo list. There is no validation for the u8 count field or the baseindex field. It calls a vfunc from obj baseptr+index*{entrysize} with data from the buffer, where index starts with the above baseindex field. Afterwards, an u8 is copied into an u32 array (with certain versions an u16 is deserialized into an u16 array).

<code>nn::pia::session::ProcessUpdateMeshJob::UpdateStationDataList</code> is (eventually) called from <code>nn::pia::session::MeshProtocol::ParseUpdateMesh</code>, which has similar issues to the above.

Note that ParseJoinResponse/ParseUpdateMesh essentially require the message to be received from the host device.

With fixed versions (v5.18.98, exact version unknown) various validation was added. Additional/updated validation was added in a later version (v5.31.0, exact version unknown).
| OOB read/write / vfunc call where the object is selected by an OOB index, triggered by a Pia MeshProtocol message.
| v5.18.98 and v5.31.0 (exact versions unknown).
| v5.31.0
| November 18, 2022
| November 21, 2022
| [[User:Yellows8|yellows8]]
|-
| Insecure encryption
| Originally Pia packets used AES-ECB encryption. As documented [https://github.com/Kinnay/NintendoClients/wiki/Pia-Overview here] it was later changed with v5.7.0 to AES-GCM. Each 0x10-byte block would have the same encrypted block output where the plaintext 0x10-byte data is the same.
The mechanism for generating the Pia SessionKey for LAN has also changed over time.

The [https://github.com/Kinnay/NintendoClients/wiki/LAN-Protocol LAN] non-Pia-encapsulated packets were also originally sent in plaintext, however at some point it was changed to mostly encrypted.
|
| AES-GCM fix: v5.7.0
|
|
|
|
|-
| nn::pia::transport::UnreliableProtocol::Dispatch buffer overflow
| <code>nn::pia::transport::UnreliableProtocol::Dispatch</code> memcpys data from the message into a list entry, without size validation. If the pia packet is the max size, it will only overwrite the 0xC-bytes which were written to immediately before the memcpy: the u32 size and the 8-byte StationAddress (depending on the version there can also be 4-byte padding after the size for alignment).
However, nn::pia::transport::UnreliableProtocol::Receive will clamp the size from the list entry to the outbuf size when doing the memcpy. So this is probably useless.

It's unknown whether there's a version where more data could be overwritten, and whether that would be useful.

This is fixed in v5.31.0, exact version unknown. The message is dropped if too large in Dispatch.
| Small buffer overflow triggered by a Pia UnreliableProtocol message.
| v5.31.0, exact version unknown.
| v5.18.98/v5.31.0
| November 2022
| November 29, 2022
| [[User:Yellows8|yellows8]]
|-
| Uncleared input structs for [[LDN_services|LDN]]
| The Pia code using ldn CreateNetwork*/ConnectNetwork*/Scan doesn't properly memset the input data for SecurityConfig/ScanFilter (when keysize is less than 0x40 for the former). Hence, infoleak from games is sent to ldn (structs are located on stack, so stack data is leaked). This requires ldn compromise/mitm to obtain the leaked data - these are not sent over the network.
With v6.20.1 (exact version unknown - fix isn't present in v5.32.0), the code using Scan* now clears the input ScanFilter properly. With v6.25.1 (exact version unknown - fix isn't present in v6.23.3), the code using CreateNetwork*/ConnectNetwork* now clears the input SecurityConfig properly.
| Infoleak from games with LDN cmds, requires compromised sysmodule/mitm.
| v6.20.1 and v6.25.1, exact versions unknown.
| v5.32.0/v6.20.1/v6.23.3/v6.25.1
|
| December 7, 2022
|
|}

=== ENL ===
This section documents vulnerabilities for [https://github.com/kinnay/NintendoClients/wiki/ENL-Protocol ENL].
A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2, and more.

Fun fact, this library appears to re-use network code and concepts from older Nintendo titles such as Mario Kart 7 and some Wii multiplayer games.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in Enl version
! Last Enl version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID) and a length.
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>, it returns NULL if there's no content transporter with the same ID

*NOTE: The function may be inlined

Then it will try to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>, dereferencing the pointer to fetch the vtable ptr

[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]

| nullptr dereference triggered by an invalid content transporter type in the ENL header (it will crash the game/process)
| Unknown
| Depends on the game
| Early April 2022
| November 16, 2022
| [[User:Rambo6Glaz|Rambo6Glaz]], Kinnay (massive RE help)
|}

There's another one more interesting but it will have to wait a bit :)

Switch System Flaws

2023-02-21T16:57:14Z

SciresM: /* Kernel */ rip

Exploits are used to execute unofficial code (homebrew) on the Nintendo Switch. This page is a list of publicly known Switch system flaws.

= Hardware =
Flaws in this category pertain to the underlying hardware that powers the Switch.

This includes components shared across Tegra based devices such as the [[TSEC]], the [[Security_Engine|Security Engine]], the [[GPU]] and so on.

{| class="wikitable" border="1"
! Summary
! Description
! Fixed with hardware model/revision
! Newest hardware model/revision this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| GMMU DMA attack
| The Switch's GPU includes a separate MMU (GMMU) that is allowed to bypass the system's IOMMU (SMMU). By accessing the GPU's MMIO region and manipulating the page table entries in the GMMU, an attacker can read/write any portion of the DRAM (except memory carveouts).

[5.0.0+] Works around this hardware flaw by using memory pool partitioning. You can no longer escalate into sysmodules with GPU DMA because all their memory is allocated using heap that's carved out.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by adding a new register which restricts what memory untranslated DMA requests may access. Untranslated GPU DMA may now only access the GPU carveout (physmem 0x80002000-0x80006000), which the GPU already has legitimate and exclusive access to.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| Summer 2017
| December 28, 2017
| [[User:hexkyz|hexkyz]], [[User:SciresM|SciresM]] and [[User:qlutoo|qlutoo]]
|-
| Weak Security Engine context validation
| The Tegra X1 supports a "deep sleep" feature, where everything but DRAM and the PMC registers lose their content (and the SoC loses power). Upon awaking, the bootrom re-executes, restoring system state. Among these stored states is the Security Engine's saved state, which uses AES-128-CBC with a random key and all-zeroes IV. However, the bootrom doesn't perform a MAC on this data, and only validates the last block. This allows one to control most of security engine's state upon wakeup, if one has a way to modify the encrypted state buffer.

With a way to modify the encrypted state buffer, one can thus dump keys from "write-only" keyslots, etc.

This also bypasses the SBK protection of the bootROM: indeed, at warmboot, bootROM will always clear keyslot 0xE to prevent malicious code from saving the SBK. Moving the SBK to another keyslot in the saved context renders this protection moot.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by streamlining the context save process; security engine contexts are now saved to protected memory which the CPU cannot access or modify.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| December 2017
| January 20, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
|-
| Security Engine keyslots vulnerable to partial overwrite attack
|
The Tegra X1 security engine supports writing keyslot data to the engine with syntax as follows:

SECURITY_ENGINE->AES_KEYTABLE_ADDR = (keyslot << 4) | (dword_index_in_keyslot);

SECURITY_ENGINE->AES_KEYTABLE_DATA = readle32(key, dword_index_in_keyslot * 4);

However, the Security Engine flushes writes to the internal key tables immediately when AES_KEYTABLE_DATA is written -- this allows one to overwrite a single dword of a key at a time, and thus brute force the contents of keyslots in time (2^32 * 8) = 2^35 instead of 2^256.
| None
| HAC-001 (Tegra210)
| Theorized Summer 2017 due to suggestive syntax, confirmed April 9, 2018
| April 9, 2018
| [[User:SciresM|SciresM]], almost surely others (independently).
|-
| CVE-2018-6242 (leveraged by the ShofEL2 and Fusée Gelée exploits)
| The USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker. By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur. This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) "application processors" at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3).
| HAC-001-01 (Mariko/Tegra214/Tegra210b01) (also fixed independently on Tegra186).
| HAC-001 (Tegra210)
| January 2018
| April 23, 2018
| [[User:Shuffle2|shuffle2]] and fail0verflow (originally),<br> [[User:Ktemkin|ktemkin]] and ReSwitched Team (independently),<br> [[User:Naehrwert|naehrwert]] (independently),<br> [[User:Hexkyz|hexkyz]] (independently),<br> st4rk with [[User:Shinyquagsire23|Shiny Quagsire]] and Dazzozo (independently),<br> and many others (independently).
|-
| Poor validation of bootrom SDRAM configuration parameters leads to arbitrary writes in bootrom
|
The Tegra X1 bootrom supports saving SDRAM parameters to scratch registers, and using the saved configuration to enable DRAM during warmboot.

The code that parses these parameters does if (params->EmcBctSpareN) *params->EmcBctSpareN = params->EmcBctSpareNPlusOne for most N, without validating either the address or value written to it.
There are other arbitrary writes in this code, as well (e.g. BootromPatch parameters intended for patching MISC registers do not check a relative offset to 0x7000000, etc).

This allows a user with access to the PMC registers (via pre-sleep bpmp execution, or otherwise) to gain arbitrary bootrom code execution.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by validating that the spare writes/bootrom patch before performing them.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| 2017
| December 16, 2018
| Everyone (independently).
|-
| TSEC ROM does not clear crypto registers after signature verification
|
TSEC supports executing signed-microcode at a greater privilege level than normal payloads.

When jumping to signed microcode, the caller is expected to load hardware crypto register $c6 = <signature>, $c7 = <seed (zero for all officially-signed microcode)>.

TSEC ROM then calculates the expected signature and compares it to the user-supplied one in $c6. On match, the secure payload is executed, and on failure an exception is raised.

However, TSEC ROM fails to clear the crypto registers used to calculate the expected signature in either of the success/failure cases.

Thus, with some way of obtaining the contents of crypto registers (e.g. ROP under some secure payload), an attacker can dump intermediary values from signature calculation.

With enough data/trial/error, this is enough to reconstruct the signature algorithm:
* mac = <davies meyer hash of (page || address of page) for each 0x100 page in the payload>
* key = AES-ENCRYPT(hardware csecret 0x1, seed)
* signature = AES-ENCRYPT(key, mac)

| None
| HAC-001 (Tegra210)
| Late 2018/Early 2019
| August 2020
| [[User:qlutoo|qlutoo]]/[[User:Hexkyz|hexkyz]]/[[User:Shuffle2|shuffle2]], [[User:SciresM|SciresM]]/[[User:motezazer|motezazer]] (independently).
|-
| TSEC signature validation design flaw leads to fake-signing
|
As mentioned above, when jumping to signed microcode the caller is expected to load hardware crypto register $c6 = <signature>, $c7 = <seed (zero for all officially-signed microcode)>.

However, TSEC ROM performs no validation on the input seed used to generate the signing key.

This leads to the following attack:
* Attacker gains rop under any secure microcode payload with signature = S.
* Attacker uses the "csigenc" instruction to obtain K = AES-ENCRYPT(hardware csecret 0x1, S).
* Attacker jumps to their own microcode with $c6 = <signature calculated on pc using K>, $c7 = S
* TSEC ROM calculates key = AES-ENCRYPT(hardware csecret 0x1, S) = K, and the signature check passes.
* Attackers microcode is executed in secure mode as though it were signed by NVidia.

Thus an attacker who has exploited *any* secure payload may use this to obtain a "fake signature key", which can be used to sign and execute arbitrary microcode in secure mode.

Note: this does not break the TSEC cryptosystem, as the csigenc mechanism relies on the signature of the executing microcode, and fakesigning produces different signatures from NVidia that cannot be controlled.
| None
| HAC-001 (Tegra210)
| Late 2018/Early 2019
| August 2020
| [[User:qlutoo|qlutoo]]/[[User:Hexkyz|hexkyz]]/[[User:Shuffle2|shuffle2]], [[User:SciresM|SciresM]]/[[User:motezazer|motezazer]] (independently).
|-
| ROP under TSEC secure bootrom via DMA engine stack overwrite (--xploit)
| TSEC DMA engine does not stop when entering TSEC secure bootrom. By pointing TSEC DMA to current stack before secure bootrom entry, stack can be controlled.

One can then use blind ROP against the TSEC secure bootrom (which is execute only, and cannot be dumped).

With sufficient effort, an attacker can construct a ROP chain that leads to csigcmp being executed with fully controlled arguments.

This allows for arbitrary heavy secure mode code execution with the current signature set to an arbitrary value.

This completely breaks the TSEC cryptosystem, by allowing one to obtain the result of csigenc with signature = <any desired value>.

This has many uses/results, notably including dumping the "true" signature key (set signature = zeroes, perform csigenc using csecret 0x1).
| None
| TSEC for all Tegra devices
| Late 2018
| January 2021
| [[User:Hexkyz|hexkyz]]/[[User:SciresM|SciresM]], [[User:Vale|Vale]]/[[User:Thog|Thog]] (independently), [[User:Tatsuko|Tatsuko]] (independently), possibly others (independently).
|-
| Boot straps are not relatched on watchdog resets (strapwn)
| On boot, the BOOTSELECT, RCM and RAM_CODE straps are latched from external GPIO to determine which boot medium to use and verify from in bootrom. However, APB_MISC_PP_STRAPPING_OPT_A can be overwritten with arbitrary values following bootrom. Write access to PP_STRAPPING_OPT_A would otherwise be mundane, however these straps are not relatched during a watchdog reset (despite being latched during other software resets), allowing for arbitrary straps to be selected and executed in bootrom.

This allows setting NVPROD_UART on some hardware configurations where it would normally be unavailable (ie on Jetson Nano boards), but is otherwise mostly useless and/or useful for testing unintended boot options (such as USB Mass Storage boot) without having to move boot strap resistors.
| Unknown
| HAC-001 (Tegra210)
| May 2020
| April 30, 2021
| [[User:Shinyquagsire23|Shiny Quagsire]]
|}

= Firmware =
Flaws in this category pertain to the firmware running on hardware devices, such as wifi/bluetooth, etc. Firmware is generally uploaded by sysmodules.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Broadpwn (CVE-2017-9417)
| See [https://blog.exodusintel.com/2017/07/26/broadpwn/ here] and [https://www.blackhat.com/docs/us-17/thursday/us-17-Artenstein-Broadpwn-Remotely-Compromising-Android-And-iOS-Via-A-Bug-In-Broadcoms-Wifi-Chipsets.pdf here].
| Code execution on the wifi controller (untested on Switch).
| [[4.0.0]]
| [[4.0.0]]
| Switch: July 2022
| Switch: July 30, 2022
| Switch: [[User:Yellows8|yellows8]]
|}

= Software =
== Bootloader ==
Flaws in this category pertain to any bootloader component such as the [[Package1#Package1ldr|package1ldr]], the [[Package1#Section_1|NX bootloader]] or the [[Package1#Section_0|warmboot binary]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Null-dereference in panic()
| The Switch's stage 1 bootloader, on panic(), clears the stack and then attempts to clear the Security Engine. However, it does so by dereferencing a pointer to the SE in .bss (initially NULL), and this pointer doesn't get initialized until partway into the bootloader's main() after several functions that might panic() are called. Thus, a panic() caused prior to SE initialization would result in the SE pointer still being NULL when dereferenced.
The BPMP doesn't have an active MPU and the bus won't data abort on an invalid address, so no exception will be entered: it'll end up overwriting some exception vectors with NULL before halting.

In 3.0.0, this was fixed by moving the security engine initialization earlier in main(), before the first function that could potentially panic().
| Some exception vectors overwritten with NULL, before SBK/other keyslots are cleared. Probably useless for anything more interesting.
| [[3.0.0]]
| [[3.0.0]]
| Early July, 2017
| July 30, 2017
| Everyone who diff'd 2.3.0 and 3.0.0 Package1
|-
| FUSE_DIS_PGM not written by package1
| The switch's hardware fuse driver contains a write-once bit in a register called "FUSE_DIS_PGM", which disables burning fuses until the next reboot. While Nintendo's bootloader code for waking up from sleep writes this on all firmware, the actual package1 initial bootloader forgets to write to it on cold reboot.

This isn't too big of a problem because another fuse is burnt on retail devices (production mode), which prevents burning *all* fuses other than ODM_RESERVED ones in hardware.

This was fixed in 3.0.0 by writing to the register on cold boot (although the write happens in TZ instead of package1 where it should take place, possibly to obfuscate the fact that they made this mistake).
| Burning arbitrary ODM reserved fuses with TZ code execution, which should never be possible for non-bootloader code.

Warning: one could irreparably brick one's console by playing with this.
| [[3.0.0]]
| [[3.0.0]]
| Late summer/early fall 2017
| December 31, 2017
| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]]
|-
| maconstack (TSEC firmware leaves MAC on the stack)
| Package1ldr loads a firmware blob into TSEC early on boot. This piece of code runs on the TSEC in Authenticated Mode and has the sole purpose of generating the per-console TSEC key (see [[Cryptosystem]]).

As a way to mitigate attacks, the TSEC firmware blob is split into 3 stages: [[TSEC_Firmware#Boot|Boot]] which is unencrypted and unsigned, [[TSEC_Firmware#KeygenLdr|KeygenLdr]] which is unencrypted but signed and [[TSEC_Firmware#Keygen|Keygen]] which is encrypted and signed.
Boot loads a static pre-generated signature into the Falcon's CPU crypto registers, loads KeygenLdr into the Falcon's CODE region and jumps to it. Execution will proceed into KeygenLdr in Heavy Secure Mode if, and only if, the loaded signature matches the one Falcon calculates internally for KeygenLdr.

Among various things, KeygenLdr will attempt to do a "backwards" security check by calculating a CMAC over Boot and comparing it with a known hash stored in the TSEC firmware's key data (a small buffer stored after Boot's code). If the hashes don't match, execution aborts.

KeygenLdr stores the calculated Boot's CMAC in the stack, but forgets to clear it. Since the stack is located in Falcon's DATA region, loading the TSEC firmware blob and dumping the DATA region afterwards (via MMIO) will reveal the calculated hash.
This allows using KeygenLdr as an oracle to generate a valid CMAC for arbitrary Boot code. Replacing the CMAC in the TSEC firmware's key data region results in KeygenLdr accepting any Boot code, thus rendering this security measure useless.

Additionally, since signed Falcon code can't be revoked without an hardware revision, an attacker can always reuse the flawed KeygenLdr code even if a fix is issued.
| Running TSEC firmware's KeygenLdr in a user controlled environment.
| None
| [[5.0.2]]
| January 2018
| April 29, 2018
| [[User:Hexkyz|hexkyz]], [[User:Rei|Reisyukaku]] (independently), probably others (independently).
|-
| pk1ldrhax
| Package1ldr decrypts and verifies the keyblob inside of the current BCT in order to get the package1 key, and then uses the package1 key to decrypt package1. It then validates package1 before jumping to it by checking the PK11 magic number, and that the section sizes sum to the expected size (and are individually less than the expected size).

However, package1ldr does not actually validate the package1 key against a fixed vector (much like kernel9loader forgot to do so on the 3ds). This would normally not matter, as keyblobs are validated -- however, with bootrom code execution one can dump SBK and forge keyblobs, and thus control the package1 key.

Thus ('''in theory, but not in practice due to the size of the brute force required''') one can replace the package1 key with garbage, causing package1 to decrypt into garbage, and hope that this garbage passes validation checks and that package1ldr jumping into the garbage will do something useful.

This was fixed incidentally in [[6.2.0]], as pk1ldr does not use keyblob data to decrypt package1 any more.

| With a large enough brute force: arbitrary package1 code execution from coldboot.

However, a usable brute force is on the order of >= ~2^80, so '''this is almost certainly not actually usable in any meaningful context'''.
| [[6.2.0]]
| [[6.2.0]]
| Early 2017 (as soon as plaintext package1ldr was first dumped)
| November 20, 2018
| Everyone
|-
| Stack smash in TSEC firmware's KeygenLdr
| Given that we can control the [[TSEC_Firmware#Key_data|key data]] (which is not authenticated) and the [[TSEC_Firmware#Boot|Boot]] blob (see "maconstack"), as well as the fact Non-secure and Heavy Secure code share the same stack, we can use this to attack KeygenLdr. KeygenLdr uses memcpy to copy over a payload to DMEM to verify it, which can be abused to smash the stack (in DMEM) and write over the return address of said function.
| ROP under KeygenLdr in Heavy Secure mode.
| None
| [[8.0.1]]
| Early 2018
| May 21, 2019
| Everyone (independently).
|}

== TrustZone ==
Flaws in this category pertain exclusively to the [[Package1#Section_2|Secure Monitor]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Non-atomic mutexes
| When an [[SMC]] is called, TrustZone sets a global variable to mark that an SMC is in progress, so that two SMCs using shared resources (like the security engine) do not trample on one another. On 1.0.0, this global variable was written using non-atomic writes, and thus a race condition is possible.

However, the SMC handler enforces that all SMCs must be called from core #3, unless the top-level handler ID is 1 (SMCs internal to the kernel). Thus, the only SMCs that can be run side-by-side are [any userland smc] and smcGetRandomBytesForKernel, and this turns out to not really be abusable.
| Mostly useless. Maybe some oob-write into unused (and thus useless) memory if running smcGetRandomBytesForKernel and smcGetRandomBytesForUser at the same time.
| [[2.0.0]]
| [[2.0.0]]
| December 2017 (Probably earlier by others)
| January 18, 2018
| [[User:SciresM|SciresM]], probably others (independently).
|-
| jamais vu (non-secure world access to PMC MMIO and pre-deep sleep firmware)
| On [[1.0.0]], one could map in the PMC registers in userland. In addition, [[AM_services|am]] ran a little-kernel based firmware on the BPMP at runtime. With code execution under am, one could modify the BPMP's little-kernel firmware to hook deep sleep entry, and modify TrustZone/Security engine state.

This was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry.
| Arbitrary TrustZone code execution.
| [[2.0.0]]
| [[2.0.0]]
| December, 2017
| January 20, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
|-
| Missed BPMP Exception Vector Writes
| Starting in [[2.0.0]], the BPMP is asleep at runtime, and is turned on by TrustZone during [[SMC|smcCpuSuspend]] in order to initiate the deep sleep process. When it does so, it is held in RESET, and TrustZone attempts to write to the BPMP exception vectors at 0x6000F200 to register EVP_RESET = lp0_entry_fw_crt0, and all other EVPs to a function that simply reboots. However, while they successfully write EVP_RESET, they miss all the other vectors, accidentally writing to the 0x6000F004-0x6000F020 region instead of the 0x6000F204-0x6000F220 region they want to write to. This results in all the exception vectors for the BPMP other than RESET being "undefined" (attacker controlled).

With some way of causing an exception vector to be taken at the right time, this would give pre-sleep code execution (and thus arbitrary TrustZone code execution, via the security engine flaw). However, none of the abort vectors are really triggerable, and interrupts are disabled for the BPMP when it is taken out of reset. Thus, this is useless in practice.

This was fixed in [[4.0.0]] by writing to the correct registers.
| Theoretically: Arbitrary TrustZone code execution. In practice: Useless.
| [[4.0.0]]
| [[4.0.0]]
| January, 2018
| February 23, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]], [[User:Naehrwert|naehrwert]], [[User:Hexkyz|hexkyz]], probably others (independently).
|-
| TSEC has access to the secure kernel carveout
| TrustZone is responsible for managing security carveouts to prevent DMA controllers from accessing the carveout which contains the kernel, sysmodules, and other critical operating system data.

Until [[8.0.0]], the list of devices that could access the carveout included the TSEC. However, the TSEC can bypass the SMMU when in authenticated mode by writing to a certain register. Thus, pwning nvservices would allow one to take over the TSEC, and use it to write to normally protected mmio/memory.

In [[8.0.0]], this was fixed by removing TSEC access, and adding TSECB access (TSECB cannot bypass the SMMU).
| With access to the TSEC mmio (nvservices ROP) and code execution in TSEC Heavy Secure mode, kernel code execution, probably.
| [[8.0.0]]
| [[8.0.0]]
| 2017 (when TrustZone code plaintext was first obtained).
| April 15, 2019
| Everyone
|-
| deja vu (insufficient system state validation on suspend leads to pre-sleep BPMP code execution)
| Jamais Vu was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry, since gaining pre-sleep code execution on the BPMP compromises the system.

However, the state validation performed by Nintendo's Secure Monitor was insufficient to prevent pre-sleep execution from being obtained.

Prior to [[6.0.0]], one could use a DMA controller that had access to IRAM and was not held in reset (there were multiple) to race TrustZone's writes to the BPMP firmware in IRAM, and thus overwrite Nintendo's firmware with an attacker's to gain pre-sleep code execution.

[[6.0.0]] addressed this by performing TrustZone state MAC writes and locking PMC scratch *before* turning on the BPMP, fixing the original Jamais Vu exploit entirely. In addition, the BPMP firmware in TrustZone's .rodata is now memcmp'd to the actual data after it is written to IRAM. This mitigates race attacks that modify the firmware.

However, Nintendo both forgot to validate the BPMP exception vectors after writing them, and forgot to hold in reset a DMA controller that can write to the BPMP's exception vectors.

AHB-DMA is not blacklisted by kernel mapping whitelist (Nintendo probably forgot it, because the TX1 TRM does not really document that it's present, although the MMIO works as documented in older (Tegra 3 and before) TRMs).

Thus, with kernel code execution (or some other way of accessing AHB-DMA, e.g. nspwn on <= 4.1.0, TSEC hax, or other arbitrary mmio access flaws), one can DMA to the BPMP's exception vectors as they are written, causing TrustZone to start the BPMP executing an attacker's firmware at a different location than TrustZone intends/validates.

This was fixed in [[8.0.0]] by blocking AHB-DMA arbitration and verifying it is held in reset during suspend, and thus there are no more devices that can write to the relevant MMIO at the right time.

| Arbitrary TrustZone/BootROM code execution, by using either the original Jamais Vu flaw (prior to [[6.0.0]] or a warmboot bootrom exploit (any firmware where pre-sleep execution can be gained).
| [[8.0.0]]
| [[8.0.0]]
| December 2017
| April 15, 2019
| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]] and ktemkin, [[User:Naehrwert|naehrwert]] (independently), almost certainly others (independently)
|-
| TrustZone allows using imported RSA exponents with arbitrary modulus
| TrustZone supports "importing" RSA private exponents for use by userland -- these are stored encrypted with TrustZone only keydata in NAND, and decrypted only to TZRAM. This prevents a console that has compromised userland from learning the private exponents of these keys and doing calculations with them offline. In practice, this is used for FS (gamecard communications), ES (drm), and SSL (console client cert communications).

However, the actual SMC API only imports the RSA exponent, and not the modulus, which is passed separately by userland in each call. There is no validation done on the modulus passed in -- this means that userland can pass in any message and modulus it chooses, and obtain the result of (message ^ private exponent) % modulus back from the secure monitor.

By choosing a prime number modulus P such that P has "smooth" order (totient(P) == P-1 is divisible only by "small" primes), one can efficiently use the [[wikipedia:Pohlig-Hellman algorithm|Pohlig-Hellman algorithm]] to calculate the discrete logarithm of such a result directly, and thus obtain the private exponent.

This is mostly useless in practice, given the general availability of other exploits to obtain these decrypted exponents.

This was fixed in 10.0.0 by importing the modulus in addition to the exponent for the ES device key and ES client cert key. For backwards compatibility reasons the SSL key and Lotus key still only import the exponent.

StorageExpMod also now validates that the exponentiation of "DDDDD..." about the provided modulus by the imported exponent and then the fixed public exponent returns "DDDDD...", and returns invalid argument if validation fails.
| With userland privileges sufficient to use an imported RSA key: obtaining that RSA key's private exponent.
| [[10.0.0]]
| [[10.0.0]]
| August 14, 2019
| August 14, 2019
| [[User:SciresM|SciresM]]
|}

== Kernel ==
Flaws in this category pertain exclusively to the [[Package2#Section_0|HorizonOS Kernel]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Syscall Infoleaks
| Many syscalls leaked kernel pointers on sad paths (for example svcSetHeapSize and svcQueryMemory), until they landed a bunch of fixes in 2.0.0.
| Nothing really.
| [[2.0.0]]
| [[2.0.0]]
|
| 2017
| Everyone
|-
| svcWaitSynchronization/svcReplyAndReceive bad cleanup on error
| If there is a page fault when fetching handles from the userspace array, it cleans up by dereferencing all objects despite having only loaded first N. Allows the attacker to make arbitrary decrefs on any kernel synchronization object, and thus can be used to get UAF. Haven't actually been tried on real HW though, but should work (tm).
| Kernel code execution
| [[2.0.0]]
| [[2.0.0]]
|
| April 24, 2017
| [[User:qlutoo|qlutoo]]
|-
| Bad irq_id check in CreateInterruptEvent
| CreateInterruptEvent syscall is designed to work only for irq_id >= 32. All irq_ids < 32 are "per-core" and reserved for kernel use (watchdog/scheduling/core communications).
On 1.0.0 you could supply irq_id < 32 and it would write outside the SharedIrqs table.
| You can register irq's in the Core3Irqs table, and thus register per-core irqs for core3, that are normally reserved for kernel. Useless.
| [[2.0.0]]
| [[2.0.0]]
| October 2017
| October 17, 2017
| [[User:qlutoo|qlutoo]]
|-
| Kernel .text mapped executable in usermode
| Prior to [[3.0.2]] the kernel .text was [[Memory_layout|mapped]] in usermode as executable. This can be used for usermode ROP for bypassing ASLR, but SVCs/IPC are not usable by running kernel .text in usermode.
| Executing kernel .text in usermode
| [[3.0.2]]
| [[3.0.2]]
|
| December 28, 2017 (34c3)
| [[User:qlutoo|qlutoo]]
|-
| Memory Controller not properly secured
| The Switch OS originally had the memory controller not set to be accessible only by the secure-world, which was problematic because insecure access can compromise the kernel.

This was fixed partially in [[2.0.0]] by blacklisting the memory controller from being mapped by user-processes, and was fixed entirely in [[4.0.0]] by making the memory controller TZ-only and making all kernel accesses go through [[SMC|smcReadWriteRegister]].
| With some way to access the memory controller MMIO, arbitrary kernel code execution.
| [[4.0.0]]
| [[4.0.0]]
| January 2018
| January 2018
| [[User:SciresM|SciresM]], [[User:Yellows8|yellows8]]
|-
| Potential [[SVC|svcWaitForAddress]] thread use-after-free
| Between [[4.0.0]], where svcWaitForAddress was introduced, and [[7.0.0]], there was a second intrusive rbtree node in KThread for the WaitForAddress tree (the key being (address, priority), sorted lexicographically). Unlike the WaitProcessWideKeyAtomic tree, the kernel forgot to reinsert the WaitForAddress node when the thread's priority changed (priority inheritance and/or SetPriority), breaking the rbtree invariants; and since the kernel walks through the entire tree to remove intrusive nodes, you could cause threads to stay in the tree even after their deletion.

[[7.0.0]] fixed the issue by using the same intrusive node for both trees. The thread/node knows which tree it is in, and the latter is correctly updated when thread priority changes.
| It unluckily didn't look exploitable
| [[7.0.0]]
| [[7.0.0]]
| July 2018
| February 2019
| [[User:TuxSH|TuxSH]]
|-
| Kernel RWX identity mapping never unmapped
| During init, the kernel binary is identity-mapped as RWX at 0x80060000; this is necessary to facilitate the transitionary period while the MMU is being enabled but mappings for e.g. KASLR are not yet determined, and also to enable smooth MMU enable transition during wake-from-sleep.

However, the identity mapping was never unmapped, and thus the whole kernel code bin remained permanently mapped as RWX for all kernel threads (any thread which does not have an owner process and thus uses the KSupervisorPageTable TTBR0).

Thus, any theoretical exploit which would give kernel memory corruption or ROP under a kernel thread would allow making use of this mapping to modify kernel text + bypass KASLR.

This was fixed in [[16.0.0]] by unmapping the identity-mapping during init, and re identity-mapping only the very first page of kernel .text as R-X (for use by wake-from-sleep), which fixes the shellcode problem and mostly fixes the ROP problem, since this page mostly lacks interesting gadgets.
| In theory, with another exploitable kernel memory corruption (or ROP under kernel thread) bug: bypassing KASLR + modifying kernel .text.

However, no such bugs are known.
| [[16.0.0]]
| [[16.0.0]]
| Summer 2018
| January 2023
| Everyone
|}

== FIRM-package System Modules ==
Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Service access control bypass (sm:h, smhax, probably other names)
| Prior to [[3.0.1]], the ''service manager'' (sm) built-in system module treats a user as though it has full permissions if the user creates a new "sm:" port session but bypasses [[Services_API#Initialize|initialization]]. This is due to the other sm commands skipping the service ACL check for Pids <= 7 (i.e. all kernel bundled modules) and that skipping the initialization command leaves the Pid field uninitialized.
In [[3.0.1]], sm returns error code 0x415 if [[Services_API#Initialize|Initialize]] has not been called yet.
| Acquiring, registering, and unregistering arbitrary services
| [[3.0.1]]
| [[3.0.1]]
| May 2017
| August 17, 2017
| Everyone
|-
| Overly permissive SPL service
| The concept behind the switch's [[SMC|Secure Monitor]] is that all cryptographic keydata is located in userspace, but stored as "access keys" encrypted with "keks" that never leave TrustZone. The [[SPL services|spl]] ("security processor liaison"?) service serves as an interface between the rest of the system and the secure monitor. Prior to [[4.0.0]], spl exposed only a single service "spl:", which provided all TrustZone wrapper functions to all sysmodules with access to it. Thus anyone with access to the spl: service (via smhax or by pwning a sysmodule with access) could do crypto with any access keys they knew.

This was fixed in [[4.0.0]] by splitting spl: into spl:, spl:mig, spl:ssl, spl:es, and spl:fs.
| Arbitrary spl: crypto with any access keys one knows. For example, one could use the SSL module's access keys to decrypt their console's SSL certificate private key without having to pwn the SSL sysmodule.
| [[4.0.0]]
| [[4.0.0]]
| Summer 2017 (after smhax was discovered).
| December 23, 2017
| Everyone
|-
| Single session services not really single session
| Several "critical" services (like fsp-ldr, fsp-pr, sm:m, etc) are meant to only ever hold a single session with a specific sysmodule. However, when a sysmodule dies, all its service session handles are released -- and thus killing the holder of a single session handle would allow one (via sm:hax etc) to get access to that service.

This was fixed in [[4.0.0]] by adding a semaphore to these critical single-session services, so that even if one gets access to them an error code will be returned when attempting to use any of their commands.
| With some way to access these services and kill their session holders (like expLDR): dumping sysmodule code, arbitrary service access, elevated filesystem permissions, etc.
| [[4.0.0]]
| [[4.0.0]]
| May/June 2017 (basically immediately after smhax was discovered)
| December 30, 2017
| Everyone
|-
| nspwn
| fsp-ldr command 0 "MountCode" takes in a Content Path (retrieved from NCM by Loader), and returns an IFileSystem for the resulting ExeFS. These content paths, are normally NCAs, but MountCode also supports a number of other formats, including ".nsp" -- which is just a PFS0.

When a path ending in ".nsp" is parsed by MountCode, the PFS0 is treated as a raw ExeFS. Because there is no NCA header, the ACID signatures are not validated -- and because there are no other signatures in a PFS0, this results in no signature checking happening at all.

The actual .nsp handling is eventually done by {content mounting function} called by MountCode and other FS commands.

Thus, by placing an ExeFS (NSOs + "main.npdm") and setting one's desired title ID to "@Sdcard:/some_title.nsp" or "@User:/some_title.nsp" etc one can launch arbitrary unsigned code, with arbitrary unsigned NPDMs.

This appears to have been fixed by only allowing .nsp when the input fstype==7 for the internal content-mounting function, returning 0x2EE202 otherwise.
| With access to "lr": Arbitrary code execution with full system privileges.
| [[5.0.0]]
| [[5.0.0]]
| Late 2017
| April 23, 2018
| Everyone
|-
| Single null-byte stack overflow in Loader ContentPath parsing
| Previously, loader content path parsing looked like this, where path_from_lr was up to 0x300 bytes and not necessarily null-terminated:

char nca_path[0x300] = {0};
strcat(nca_path, path_from_lr);
for (int i = 0; nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}

Thus, a content path of the maximum length (0x300 bytes) would result in strcat writing a NULL terminator past the end of the nca_path buffer.

This was fixed in [[6.0.0]], the new code looks like this:

char nca_path[0x300];
strncpy(nca_path, path_from_lr, sizeof(nca_path));
for (int i = 0; i < sizeof(nca_path) && nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}

| With access to "lr": single null-byte stack overflow in Loader. Maybe (but probably not) loader code execution.
| [[6.0.0]]
| [[6.0.0]]
| September 2, 2018
| September 19, 2018
| [[User:SciresM|SciresM]]
|-
| System modules vulnerable to selective downgrade attacks
| Horizon has no mechanism for specifying the specific title version to Loader on process creation.

Observing this, one can note that after a system update one could install a downgraded version of a specific system module (e.g. nvservices) while leaving the rest of the OS at the same version.

Unless there was some breaking API change, this allows one to make a console vulnerable once more to an exploit in a sysmodule by downgrading it and nothing else.

This was fixed in [[8.1.0]] by incrementing a version field in NPDM, and checking it against a hardcoded list for certain titles in Loader's process creation func.
| With access to content installation commands (or a vulnerable lower version to selectively install newer titles), reintroducing bugs in vulnerable system modules on newer firmware versions.
| [[8.1.0]]
| [[8.1.0]]
| When FIRM was first dumped in 2017.
| June 17, 2019
| Everyone
|-
| Broken RNG for [[Loader_services|Loader]] ASLR
| The RNG used for generating the ASLR slide is only seeded with 32bits, with the data from [[SVC|svcGetInfo]]. Hence, one could bruteforce the seed if one has infoleaks from any programs. This can be successfully bruteforced with at least 2 sample codebin addrs from different programs (with only 1 sample a lot of invalid seeds are found), however in some cases more than 1 seed might be found.

With [15.0.0+] Loader now uses csrng_GenerateRandomBytes for determining the ASLR slide.

See also [https://github.com/switchbrew/loader-aslr-solver loader-aslr-solver].
| Breaking ASLR for all non-KIP processes, allowing predicting the main-codebin base addr for all non-KIP processes until the next reboot.
| [[15.0.0]]
| [[15.0.0]]
| January 30, 2022 (presumably found much earlier?)
| October 11, 2022
| Everyone
|}

== System Modules ==
Flaws in this category pertain to any non-built-in system module.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| OOB Read in NS system module (pl:utoohax, pl:utonium, maybe other names)
| Prior to [[3.0.0]], pl:u (Shared Font services implemented in the NS sysmodule) service commands 1,2,3 took in a signed 32-bit index and returned that index of an array but did not check that index at all. This allowed for an arbitrary read within a 34-bit range (33-bit signed) from NS .bss. In [[3.0.0]], sending out of range indexes causes error code 0x60A to be returned.
| Dumping full NS .text, .rodata and .data, infoleak, etc
| [[3.0.0]]
| [[3.0.0]]
| April 2017
| June 19, 2017
| [[User:qlutoo|qlutoo]], ReSwitched Team (independently)
|-
| Unchecked domain ID in common IPC code
| Prior to [[2.0.0]], object IDs in [[IPC_Marshalling#Domain_message|domain messages]] are not bounds checked. This out-of-bounds read could be exploited to brute-force ASLR and get PC control in some services that support domain messages.
|
| [[2.0.0]]
| [[2.0.0]]
| July 2017
| July 20, 2017‎
| [[User:hthh|hthh]]
|-
| Out-of-bounds array read for [[BCAT_Content_Container]] secret-data index
| The [[BCAT_Content_Container]] secret-data index is not validated at all. This is handled before the RSA-signature(?) is ever used. Since the field is an u8, a total of 0x800-bytes relative to the array start can be accessed.
This is not useful since the string loaded from this array is only involved with key-generation.
|
| Unknown
| [[2.0.0]]
| August 4, 2017
| August 6, 2017
| [[User: shinyquagsire23|Shiny Quagsire]], [[User:Yellows8|yellows8]] (independently)
|-
| expLDR (sysmodule handle table exhaustion)
| Most sysmodules share common template code to handle IPC control messages. The command DuplicateSession (type 5 command 2)'s template code will abort() if it fails to duplicate a session's handle for the requester. Because many sysmodules have limited handle table size (smaller than the browser/other entrypoints), repeatedly requesting to duplicate one's session will cause the sysmodule to run out of handle table space and abort, causing the service to release all its handles cleanly.
| Sysmodule crashes. Most usefully, crashing ldr allows access to fsp-ldr and crashing pm allows access to fsp-pr. Useless after [[4.0.0]], which mitigated a number of single-session service access issues.
| Unfixed
| [[4.1.0]]
| June 24, 2017
| March 8, 2018
| [[User:daeken|daeken]]
|-
| Transfer Memory leak in nvservices system module
| The nvservices sysmodule does not clear most of its transfer memory prior to release.
| The calling process can read key bits of memory, including breaking ASLR (by revealing the image base) and exposing the address of other transfer memory to set up attacks. More details here: [https://daeken.svbtle.com/nintendo-switch-nvservices-info-leak transfermeme (nvservices info leak)] by [[User:daeken|daeken]]
| [[6.0.0]]
| [[6.0.0]]
| June 2017
| October 16, 2018
| [[User:qlutoo|qlutoo]] and [[User:hexkyz|hexkyz]],
[[User:daeken|daeken]] (independently)
|-
| OOB write in audio system module
| Prior to [[2.0.0]], the [[Audio_services#audout:u|AppendAudioOutBuffer]] and [[Audio_services#audin:u|AppendAudioInBuffer]] IPC commands would blindly increment the appended buffers' count while using said count value as an index to where the user data should be copied into. This resulted in an 0x28 bytes, user controlled, out-of-bounds memory write into the [[Audio_services|audio]] sysmodule's memory space.
Combined with the [[Audio_services#audout:u|GetReleasedAudioOutBuffer]] or [[Audio_services#audin:u|GetReleasedAudioInBuffer]] commands, this could also be used as an 8 byte infoleak.

In [[2.0.0]], the commands now return error code 0x1099 if the number of unreleased buffers exceeds 0x1F.
| Code execution under audio sysmodule
| [[2.0.0]]
| [[2.0.0]]
|
| November 2, 2018
| [[User:hexkyz|hexkyz]], probably others (independently).
|-
| Infoleak in nvservices system module
| The [[NV_services|nvservices]] ioctl [[NV_services#NVMAP_IOC_ALLOC|NVMAP_IOC_ALLOC]] takes an optional argument "addr" which allows the calling process to pass a pointer to user allocated memory for backing a nvmap object. If "addr" is left as 0, nvservices uses the transfer memory region (donated by the user during initialization) instead, when allocating memory for the nvmap object.
By design, freeing the nvmap object by calling the ioctl [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] returns, in its "refcount" argument, the user address previously supplied if the reference count reaches 0.
However, prior to [[6.2.0]], the case where the transfer memory region is used to allocate the nvmap object was not taken into account, thus resulting in [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] leaking back an address from within the transfer memory region mapped in nvservices' memory space.

In [[6.2.0]], [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] no longer returns the address when the transfer memory region is used instead of user supplied memory.
| Combined with other vulnerabilities: Defeating ASLR in nvservices sysmodule.
| [[6.2.0]]
| [[6.2.0]]
| April 2017
| November 24, 2018
| Everyone
|-
| nvhax (memory corruption in nvservices system module)
| Prior to [[6.2.0]], the [[NV_services|nvservices]] ioctl [[NV_services#.2Fdev.2Fnvhost-ctrl-gpu|NVGPU_GPU_IOCTL_WAIT_FOR_PAUSE]] would take a single "pwarpstate" argument which would be interpreted by nvservices as a memory pointer for writing 2 "warpstate" structs (one for each Streaming Multiprocessor).
This resulted in nvservices attempting to blindly memcpy into this user supplied address and trigger a crash. However, if paired with an infoleak, this could be used to arbitrarily write 0x30 bytes anywhere in nvservices' memory space.
Additionally, the "warpstate" struct itself was never initialized, which means nvservices would leak the 0x30 bytes from the stack. By invoking other ioctls it was also possible to partially control the stack contents and achieve a usable arbitrary memory write primitive.

In [[6.2.0]], [[NV_services#.2Fdev.2Fnvhost-ctrl-gpu|NVGPU_GPU_IOCTL_WAIT_FOR_PAUSE]] now takes 2 inline "warpstate" structs instead of a "pwarpstate" pointer, thus effectively avoiding the bad memcpy.
| Code execution under nvservices sysmodule
| [[6.2.0]]
| [[6.2.0]]
| April 5, 2017
| November 24, 2018
| [[User:hexkyz|hexkyz]]
|-
| [[Applet_Manager_services#IStorage|AM IStorage]] infoleak
| Originally the buffer allocated by [[Applet_Manager_services#CreateStorage|CreateStorage]] using the specified input size was not cleared. With [8.0.0+] this was fixed by adding a memset() for the buffer after successful allocation.

Hence, IStorage->IStorageAccessor->Read will return uninitialized memory when the Write cmd was not previously used with the specified region.
| Infoleak from the main [[Applet_Manager_services#IStorage|AM]] heap, allowing defeating ASLR by reading addresses from previously allocated objects.
| [[8.0.0]]
| [[8.1.0]]
| December 2018
| August 9, 2019
| [[User:Yellows8|yellows8]]
|-
| [[HID_services#hid:sys|hid:sys]] ButtonConfig s32 array-index not validated
| The input s32 array-index for [[HID_services#hid:sys|hid:sys]] ButtonConfig cmds 1255-1270 was originally not validated. Using a negative or >=5 index results in accessing out-of-bounds data, with an array stored on stack.
[10.1.0-10.2.0] Each of these cmds will now Abort if the s32 is negative or >=5. [11.0.0+] Now an unsigned compare is used, with 0 or an error being immediately returned when the value is invalid.
| hid infoleak, out-of-bounds mem-write anywhere in hid address-space relative to the stack array (with constraints on the data).
| [[10.1.0]]
| [[11.0.1]]
| April 18, 2020
| July 14, 2020
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] sdp_server.cc process_service_search() continuation request p_req validation
| With [5.0.0+], the following was added to the if-block prior to loading cont_offset from p_req: <code>(p_req + sizeof(cont_offset) > p_req_end)</code> (which verifies that cont_offset is within message bounds).
| Bluetooth-sysmodule out-of-bounds read from heap, probably not useful since the read value must match a state field, etc.
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] A-63146698
| [https://android.googlesource.com/platform/system/bt/+/226ea26684d4cd609a5b456d3d2cc762453c2d75 A-63146698] / CVE-2017-0785. See also [https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf here].
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR (note: not tested on hw).
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] GetAdapterProperty/SetAdapterProperty unchecked memcpy size
| GetAdapterProperty copies data from stack to the output buffer using the buffer size, without checking the size (when not handling the Name type). SetAdapterProperty copies data to stack from the input buffer using the buffer size, without checking the size.
This requires access to the btdrv service, only hid and btm have access.

This was fixed with [[12.0.0]] by replacing the buffer data with a fixed-size-struct.
| Stack infoleak with GetAdapterProperty, stack buffer overflow (and hence ROP) with SetAdapterProperty.
| [[12.0.0]]
| [[12.0.0]]
| July 17, 2020
| April 7, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
| The BSA (bt-stack) func bta_hh_co_data copies data from a HID DATA packet to stack without checking the size, then sends it over Uipc. [7.0.0+] The user Uipc callback also copies the input data to stack without checking the size, then sends it to the sharedmem CircularBuffer.
With [12.0.2+] this was fixed in bta_hh_co_data by clamping the size to a maximum of 0x2BB. The aforementioned buffer overflow in the Uipc callback can't be triggered since at that point the size was already clamped.

Before this bta_hh_co_data func is reached, there is no validation of the size (such as comparing against the L2CAP MTU) when Basic Mode is being used.

Actually triggering this requires using a data-size larger than the normal L2CAP MTU. This can be done by for example, using raw HCI to send the packet from the remote bluetooth device.

Note that when the remote device is configured as an audio device for [12.0.0+] where [[Settings_services#BluetoothDevicesSettings|BluetoothDevicesSettings]].TrustedServices was only ever set for audio since system-boot, it is not possible for the remote device to connect to the Switch for HID.
| ROP under [[Bluetooth_Driver_services|bluetooth]] via HID DATA packet sent by a paired HID bluetooth device. This can be triggered at any time while not in sleep-mode, when not in airplane-mode. The earliest is while the Nintendo Switch logo screen is displayed during system boot.
| [[12.0.2]]
| [[12.0.2]]
| July-August 2020
| May 11, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] WriteHidData/WriteHidData2/SetHidReport unchecked memcpy size
| WriteHidData/SetHidReport copies the input struct to stack, then passes it to the funcptr/vfunc call. WriteHidData2 passes the input buffer addr directly to the funcptr/vfunc call. The called func eventually copies the input data to the stack struct using the specified size without validating it.
This requires access to the btdrv service, only hid and btm have access.

This was fixed with [[12.1.0]] in WriteHidData/SetHidReport by doing a fixed-size copy into another tmp struct, with the size field being clamped to a maximum of 0x2BB afterwards. This struct is then used when calling the vfunc. The vfuncs called by WriteHidData/WriteHidData2/SetHidReport were also updated to clamp the size to the required maximum value.
| Stack buffer overflow
| [[12.1.0]]
| [[12.1.0]]
| July 16, 2020
| July 6, 2021
| [[User:Yellows8|yellows8]]
|-
| Infoleak with [[HID_services|hid:sys]] SetButtonConfigStorage{name}Deprecated
| These cmds pass a stack ptr for the StorageName when calling the internal func. Nothing is written to this StorageName. Hence, stack infoleak (data is copied as a NUL-terminated string), which can be later read by the GetButtonConfigStorage{name} cmds.

This was fixed by removing the Deprecated cmds in [[13.0.0]].
| Infoleak of hid stack from a StorageName readable via GetButtonConfigStorage{name}, up to the NUL-terminator.
| [[13.0.0]]
| [[13.0.0]]
| December 11, 2020
| September 27, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] EventInfo infoleak
| The various funcs which send messages to the thread which handles writing to EventInfo, didn't clear the stack msgbuf. Hence, the various get-EventInfo cmds could return leaked stack data. This likely affected most (?) get-EventInfo cmds, besides CircularBuffer-GetHidReportEventInfo.

This only matters for events where there's uninitialized regions of the EventInfo, such as events with variable-size data without a memset.

This was fixed by clearing the msgbuf in a number of funcs.
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR
| [[13.0.0]]
| [[13.1.0]]
|
| During initial [[13.0.0|diff]]. Added to this page on: December 12, 2021
| [[User:Yellows8|yellows8]]
|-
| [[SSL_services|ssl]] CVE-2021-43527
| CVE-2021-43527, see also [https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 here] and [https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html here].
Using BigSig where the server cert sig is RSA-PSS results in the remote server throwing {no shared cipher} error when Switch connects. If however one creates a rootCA using BigSig (RSA-PSS), which then signs a server cert where the server key is RSA (not PSS), the vuln can be triggered (if the rootCA is trusted, via using the import service-cmd). It's unknown whether there's other ways to trigger the vuln.

The crash occurs in VFY_Begin when using the previously overwritten data. A bitsize of <code>$((16384 + 32 + 64 + 64 + 64))</code> is only enough to overwrite cx->hashcx, to fully overwrite cx->hashobj an additional 0xC-bytes (additional 96 bits) is needed.
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
| [[13.2.1]]
| [[13.2.1]]
| Switch: December 1-2, 2021
| Switch: January 19, 2022
|
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack.
These were fixed by adding a bounds check for the size, size==0 is also checked for now.
| Bluetooth-sysmodule stack buffer overflow, with data received from a bluetooth message
| [[13.2.1]]
| [[13.2.1]]
| November 2021
| January 19, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] TakeScreenShotOfOwnLayer OOB
| The captureBuf is used as an array index without validation. Data used from this array includes calling a funcptr from the array entry, if set. Eventually this is also used to write bools into this array, one of which is from the command input.
With [5.0.0+] a func is eventually called to get a ptr determined by the input captureBuf, with nullptr being returned for captureBuf>=0x10. The caller will Abort if nullptr was returned.
| OOB array access
| [[5.0.0]]
| [[13.1.0]]
| ~July 31, 2019
| January 26, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] ClearCaptureBuffer OOB
| The captureBuf is used as an array index without proper validation. There is code validating it, but on failure it just skips over a code-block, with code using captureBuf still being used afterwards. Then this is used to write bools into a global array, one of which is from the command input.
This was fixed with [9.1.0+] by requiring captureBuf = 0-1.
| OOB bool writes into an array
| [[9.1.0]]
| [[13.1.0]]
| ~July 31, 2019
| January 26, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFCONF infoleak
| Originally bsd ioctl SIOCGIFCONF was handled by setting the data in IPC outbuf0 to the size/addr of IPC outbuf1. These buffers are HipcAutoSelect, so if buf1 is small enough for HipcPointer (otherwise it would be HipcMapAlias) the IPC-buf-ptr leaked into outbuf0 would be located in the codebin-region. Since this is done before the actual ioctl-handling, it doesn't matter whether the fd is valid.
This was fixed in [5.0.0+] by using a tmp struct on stack instead of buf0.
| bsdsockets-sysmodule codebin-region addr infoleak, which allows defeating ASLR.
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022 (probably earlier)
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFMEDIA input can contain ptr
| Originally bsd ioctl SIOCGIFMEDIA used the user-specified ifmediareq structure directly from the input buffer. This includes a ptr. This ptr probably isn't actually used?
With [5.0.0+] the structure used as input for the ioctl was changed to using <code>int ifm_ulist[1]</code> instead of <code>int *ifm_ulist</code> (which is unused). The input structure is copied to a tmp struct which is used as the original ifmediareq structure, with ifm_ulist always NULL. The user can still specify a non-zero ifm_count value, however that's not useful with ifm_ulist being always NULL.
| Useless?
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| Infoleak with [[Joy-Con]] HidCommand PairingIn
| The joycon protocol handler for PairingIn copies data from stack to the response cmd-buf for sending PairingOut. Only the first byte is set to a type value, the rest is uninitialized stack data.

This was fixed with [15.0.0+] by directly writing to the response data without using stack data.
| Infoleak of hid stack via a bluetooth/uart message+response with a connected hid controller. This returns addrs for the main-codebin/stack, which allows defeating ASLR.
| [[15.0.0]]
| [[15.0.0]]
| September 4, 2020
| October 10, 2022
| [[User:Yellows8|yellows8]]
|-
| Broken RNG for [[RO_services|ro]] ASLR
| The RNG used to determine where to randomly map NROs in the target process was TinyMT (nn::os::detail::RngManager output, seeded by 128 bits of entropy). However, TinyMT is not cryptographically secure (and can in fact be analytically solved).

Thus, with a few NRO mapping addresses, one could learn the TinyMT state and derive all previous/future RNG outputs, breaking NRO aslr for all processes.

With [15.0.0+] ro now uses csrng_GenerateRandomBytes to determine the random map address for NROs.
| Breaking ASLR for all NROs loaded in all processes, allowing predicting all NRO mappings for all processes until the next reboot.
| [[15.0.0]]
| [[15.0.0]]
| Late 2021/Early 2022
| October 11, 2022
| Everyone
|-
| Broken RNG used by [[NS_Services|ns]]
| The code generating the sd seed and the data for the [[SD_Filesystem|sd]] private/private1 file, all use nn::os::GenerateRandomBytes, not csrng. The sd-seed is generated first, then private, then private1. This allows deriving sd-seed from private since this uses TinyMT, as long as the system shipped from factory on [2.0.0+]. private1 is only useful if the system shipped with [4.0.0+].

There's various other code in ns using nn::os::GenerateRandomBytes as well. This includes the code generating ns_systemseed when it doesn't exist. ns_systemseed is generated at some point after the various sd-seed-related code (both are called from the same func). Hence, ns_systemseed can be recovered with the above method as well, if it wasn't recreated at some point without regenerating the above nand-save used with the above.

With [15.0.0+] ns now uses csrng_GenerateRandomBytes for sd-seed/private and ns_systemseed, etc. This only matters when the file is newly generated, which is usually only for factory-fresh systems which ship with this version. This would also apply after being deleted during {System Settings -> Formatting Options -> Initialize Console}, and also with a refurbished console.
| Generation of a system's sd-seed allowing decryption of the NAX0 layer of data on [[SD_Filesystem|SD]], derived using the private file from SD. Applies to systems which factory-shipped with a system-version prior to [[15.0.0]] (that is, [2.0.0-14.1.2]).
| [[15.0.0]], for newly generated files
| [[15.0.0]]
| December ~12, 2021
| October 11, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA bsa_sv_av_cback stack buffer overflow
| bsa_sv_av_cback checks for two input type values (0xC/0xD), on match it copies the input data to stack without size validation. Then it sends an internal request with this data (likewise when the type values don't match, except the input data is passed directly with a small size), then it returns.
This requires the AV functionality added with [13.0.0+], however this func is only reachable with [14.0.0+] where the required functionality was enabled.

This requires message data that's larger than the MTU, so fragmentation must be used, or manually send the ACL data to bypass the MTU.

This can be triggered via an AVRC message with opcode=0x0 (vendor). The above type 0xC is reached via AVRC ctype 0..4, while 0xD is reached with ctype>=0x9.

With [15.0.0+] the size value for the memcpy (which is also written to the request struct) is clamped to a max value.
| Bluetooth-sysmodule stack buffer overflow on [14.0.0-14.1.2], with data received from an AVRC bluetooth message with a bluetooth-audio device.
| [[15.0.0]]
| [[15.0.0]]
| November 2021
| October 11, 2022
| [[User:Yellows8|yellows8]]
|-
| [[WLAN_services|wlan]] SetMulticastList heap buffer overflow
| The [[WLAN_services#SetMulticastList|SetMulticastList]] command allocates a 0x31-bytes sized buffer and copies to it as much [[WLAN_services#MacAddress|MacAddress]] values from the input [[WLAN_services#MulticastList|MulticastList]] as specified by the "Count" field, but this field is never validated.

With [15.0.0+] error code 0x1906B is now returned if "Count" is larger than 8.
| wlan-sysmodule heap buffer overflow.
| [[15.0.0]]
| [[15.0.0]]
| June 6, 2022
| November 9, 2022
| [[User:Hexkyz|hexkyz]]
|}

== Internet Browser ==
{| class="wikitable" border="1"
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| CVE-2016-4657
| WebKit vuln discovered around August 2016. Most notably used in the iOS 9.3.X exploit. A simple PoC can be found [https://github.com/LiveOverflow/lo_nintendoswitch/blob/master/poc1.html here]. This was later exploited by [https://twitter.com/qwertyoruiopz Qwertyoruiop] using an adjusted version of his iOS 9.3 webkit exploit (others exploited this prior to then).
|
| [[2.1.0]]
| [[2.0.0]]
| Original: August 2016
Switch: March 3rd-4th 2017
|
| Everyone
|-
| CVE-2017-7005
| WebKit type confusion.
|
| [[3.0.1]]
| [[3.0.1]]
|
|
| Everyone
|-
| CVE-2016-4622
| WebKit memory corruption bug. This bug was incorrectly re-introduced in [[4.0.0]]. See [http://www.phrack.org/papers/attacking_javascript_engines.html here] for a detailed write-up from the author.
|
| [[6.1.0]]
| [[6.1.0]]
|
|
| Everyone
|-
| CVE-2018-4441
| WebKit memory corruption bug. See [https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2 here].
|
| [[7.0.0]]
| [[7.0.0]]
|
|
| Everyone
|}

=== Whitelist ===
This section documents [[Internet_Browser|WebApplet]] whitelist issues in applications. These can be used to load your own browser content over plain HTTP, which then for example could be used for web-applet exploitation.

{| class="wikitable" border="1"
! Application
! Description
! Fixed with app version
! Newest app version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Sonic Mania
| Originally this game launched web-applet with a plain-http URL for displaying the manual, this was later changed to https. Originally the whitelist only had 1 entry for a http URL, this was later replaced with various https-only URLs.
| 1.04, unknown if fixed with an earlier update
| 1.04
| January (?) 2022
| February 23, 2022
| [[User:Yellows8|yellows8]]
|}

== NintendoSDK ==
This section documents vulnerabilities for NSOs in NintendoSDK.

=== nnSdk ===
This section documents vulnerabilities for nnSdk (sdknso).

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in SDK [[System_Versions|version]]
! Last SDK version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| [[HID_services|hidbus]] GetJoyPollingReceivedData buffer overflow
| hidbus GetJoyPollingReceivedData doesn't validate the u8 size used for memcpy, when copying the data to the output JoyPollingReceivedData. With 11.x, the size is now clamped to a maximum of 0x2C (regardless of polling-mode). Note that 0x2C is the data-size for JoyButtonOnlyPollingDataAccessor, the other polling-modes have a smaller size.

The hid-sysmodule code which writes data here does handle it properly: size is clamped to a max size, and the data-read uses a fixed-size anyway (hence there's no way to trigger this sdknso vuln with the hid-sysmodule tmem writing code).

This could only be exploited if one directly writes to the tmem when one has previously compromised hid-sysmodule, without using the normal tmem-writing func for this.

There are only a few [[HID_services#ExternalDevices|apps]] which use hidbus.
| Triggering a buffer overflow in an application which uses hidbus GetJoyPollingReceivedData, from a previously compromised hid-sysmodule.
| 11.x.0
| 11.4.0
| March 2020
| December 3, 2020
| [[User:Yellows8|yellows8]]
|-
| [[Profile_Selector|Profile Selector]] uninitialized input data
| Originally unused regions of [[Profile_Selector]] UiSettings/UserSelectionSettings were not cleared prior to being sent to the applet. With 1.x.x these are now properly memset().
| Stack infoleak from user-process, sent to the applet.
| 1.x.x
| 11.4.0
| November-December 2019
| December 31, 2020
| [[User:Yellows8|yellows8]]
|}

=== Pia ===
This section documents vulnerabilities for [https://github.com/Kinnay/NintendoClients/wiki/Pia-Overview Pia].

In v5.11.3 (exact starting version unknown) the fixes aren't present for the below vulns which were fixed in v5.9.3, while in v5.18.98 these are present (exact starting version unknown). This probably indicates that the vuln fixes were backported from a newer Pia version to v5.9.3.

The Pia packet handlers are only active when the game is using multiplayer. LanProtocol is only active in the games which are actively using the LAN-mode option (not Ldn) - only certain games support LAN-mode. The LanProtocol Pia packet handler can be reached while in a lobby or searching for one.

Most Pia packets require an active StationProtocol connection to be active with {InetAddr which the packet was received from}, otherwise the packet is filtered out. The only protocols which don't use filtering are the following: NatTraversalProtocol, LanProtocol, StationProtocol, LocalProtocol.

Note that broadcast IP-dest Pia packets are accepted - this can be used to target every device on the network which is using Pia (which is really only useful with {above protocols} due to the filtering mentioned above, unless one also handles StationProtocol).

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in Pia version
! Last Pia version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| nn::pia::session::RelayRouteManageJob::UpdateConnectionReport buffer overflow
| nn::pia::session::RelayRouteManageJob::UpdateConnectionReport() checks that the input size is at least {value}, but there's no max size check. This is used to memcpy from the input to elsewhere - hence buf-overflow if size is too large. The dst buffer is allocated on the pead heap - this buffer is probably small.
Note that there's various requirements before it would actually reach the memcpy, such as <code><nn::pia::session::Mesh::IsHost() const></code> must return true.

In fixed versions immediately after the StationIndex validation it now does: <code>if(statefield+0x10<input_size) return;</code>

This is called from nn::pia::session::MeshProtocol::ParseConnectionReport().
| Heap buffer overflow triggered by a Pia MeshProtocol message sent to a host device.
| v5.9.3, see above.
| v5.9.1/v5.9.2/v5.9.3
| November 11, 2022
| November 15, 2022
| [[User:Yellows8|yellows8]]
|-
| nn::pia::lan::LanProtocol::ParseSessionMessage buffer overflow
| nn::pia::lan::LanProtocol::ParseSessionMessage() calls nn::pia::lan::LanSessionMessage::Deserialize() to deserialize the message payload data buffer into the LanSessionMessage object on stack. LanSessionMessage::Deserialize (among other things) memcpys data from the input buffer to the object, using an u32 from the input buffer - there is no size validation in Deserialize itself.
There is a size check immediately after calling Deserialize() to verify <code>payloadsize=={u32val}+{constant}</code>, returning on fail - but this doesn't matter for too-large-size.

In fixed versions Deserialize now does bounds checking, both for the minimum message size and clamping the memcpy size to a constant. An error is thrown if the clamped memcpy size is larger than the message size. The caller now checks the ret properly, previously it was ignored.

Following the size check in ParseSessionMessage() it calls <code><nn::pia::session::Mesh::IsProcessingLeaveMesh() const></code>, returning if ret is false.

Then it calls nn::pia::lan::LanProtocol::ReceivedFragmentData::Receive(), with the memcpy'd buffer/size from the above LanSessionMessage, and other fields from LanSessionMessage. This eventually memcpys the input buffer to object+{offset}+{chunksize_field}*inputu8, there is no validation for size or inputu8 (except for the above size check). Hence, if the u8 is large enough, this would result in a heap buffer overflow.

In fixed versions ReceivedFragmentData::Receive added a bunch of validation before the memcpy.
| Stack/heap buffer overflow triggered by a Pia LanProtocol message.
| v5.9.3, see above.
| v5.9.1/v5.9.2/v5.9.3
| November 14, 2022
| November 15, 2022
| [[User:Yellows8|yellows8]]
|-
| nn::pia::session::SessionProtocol::ParseLeaveMeshInvitation buffer overflow
| <code><nn::pia::session::SessionProtocol::ParseLeaveMeshInvitation(nn::pia::transport::ReceivedMessageAccessor const&)></code> This immediately returns if *(ReceivedMessageAccessor+16) is 0. Then the input data is deserialized. The input u64 array is deserialized to stack, the u8 arraycount field from input is not validated.

Hence, stack buffer overflow. Note that there's similar loop code in nearby funcs, which do validate the count properly.

In fixed versions the arraycount field is now validated.

SessionProtocol uses ReliableSlidingWindow MessageHeader, with a maximum message size of 0x100. The allocated size used for the above u64 array is also 0x100-bytes. Hence, when triggering a buf overflow the data after the buffer is uncontrolled data from the SessionProtocol object.
| Stack buffer overflow triggered by a Pia SessionProtocol message.
| v5.9.3, see above.
| v5.9.1/v5.9.2/v5.9.3
| November 14, 2022
| November 15, 2022
| [[User:Yellows8|yellows8]]
|-
| Optional Pia packet encryption
| Pia packet encryption is optional. If the encryption flag is disabled, the packet handler will accept it and skip crypto.
In fixed versions immediately after grabbing a packet, it now checks the crypto flag. If it's plaintext the packet is dropped.

This can be used to send a plaintext Pia packet without needing to handle encryption, especially useful if the session-key can't be obtained (online-play matchmaking). This could be combined with other vulns if wanted.
| Sending a plaintext Pia packet without needing to handle encryption.
| v5.9.3, see above.
| v5.9.3 (and later versions)
|
| November 19, 2022
|
|-
| nn::pia::session::{JoinMeshJob/ProcessUpdateMeshJob}::SetStationDataList OOB read/write/vfunc-call
| <code>nn::pia::session::JoinMeshJob::SetStationDataList</code>is called by <code>nn::pia::session::MeshProtocol::ParseJoinResponse(nn::pia::transport::ReceivedMessageAccessor const&)></code> with the ReceivedMessageAccessor buffer.
SetStationDataList will update state and immediately return if the join was denied. It will also validate the num_mesh_stations field against state. ParseJoinResponse also essentially verifies that the message was received from the host device.

The input buffer size is ignored.

The num_fragments field must be value 1 or <=3 otherwise it will return, there's two seperate code blocks handling these.

Other than the checks at the start, there's no validation for the index fields. So large enough values could result in OOB-reads.

When handling multiple fragments, it will loop through the stationinfo list. There is no validation for the u8 count field or the baseindex field. It calls a vfunc from obj baseptr+index*{entrysize} with data from the buffer, where index starts with the above baseindex field. Afterwards, an u8 is copied into an u32 array (with certain versions an u16 is deserialized into an u16 array).

<code>nn::pia::session::ProcessUpdateMeshJob::UpdateStationDataList</code> is (eventually) called from <code>nn::pia::session::MeshProtocol::ParseUpdateMesh</code>, which has similar issues to the above.

Note that ParseJoinResponse/ParseUpdateMesh essentially require the message to be received from the host device.

With fixed versions (v5.18.98, exact version unknown) various validation was added. Additional/updated validation was added in a later version (v5.31.0, exact version unknown).
| OOB read/write / vfunc call where the object is selected by an OOB index, triggered by a Pia MeshProtocol message.
| v5.18.98 and v5.31.0 (exact versions unknown).
| v5.31.0
| November 18, 2022
| November 21, 2022
| [[User:Yellows8|yellows8]]
|-
| Insecure encryption
| Originally Pia packets used AES-ECB encryption. As documented [https://github.com/Kinnay/NintendoClients/wiki/Pia-Overview here] it was later changed with v5.7.0 to AES-GCM. Each 0x10-byte block would have the same encrypted block output where the plaintext 0x10-byte data is the same.
The mechanism for generating the Pia SessionKey for LAN has also changed over time.

The [https://github.com/Kinnay/NintendoClients/wiki/LAN-Protocol LAN] non-Pia-encapsulated packets were also originally sent in plaintext, however at some point it was changed to mostly encrypted.
|
| AES-GCM fix: v5.7.0
|
|
|
|
|-
| nn::pia::transport::UnreliableProtocol::Dispatch buffer overflow
| <code>nn::pia::transport::UnreliableProtocol::Dispatch</code> memcpys data from the message into a list entry, without size validation. If the pia packet is the max size, it will only overwrite the 0xC-bytes which were written to immediately before the memcpy: the u32 size and the 8-byte StationAddress (depending on the version there can also be 4-byte padding after the size for alignment).
However, nn::pia::transport::UnreliableProtocol::Receive will clamp the size from the list entry to the outbuf size when doing the memcpy. So this is probably useless.

It's unknown whether there's a version where more data could be overwritten, and whether that would be useful.

This is fixed in v5.31.0, exact version unknown. The message is dropped if too large in Dispatch.
| Small buffer overflow triggered by a Pia UnreliableProtocol message.
| v5.31.0, exact version unknown.
| v5.18.98/v5.31.0
| November 2022
| November 29, 2022
| [[User:Yellows8|yellows8]]
|-
| Uncleared input structs for [[LDN_services|LDN]]
| The Pia code using ldn CreateNetwork*/ConnectNetwork*/Scan doesn't properly memset the input data for SecurityConfig/ScanFilter (when keysize is less than 0x40 for the former). Hence, infoleak from games is sent to ldn (structs are located on stack, so stack data is leaked). This requires ldn compromise/mitm to obtain the leaked data - these are not sent over the network.
With v6.20.1 (exact version unknown - fix isn't present in v5.32.0), the code using Scan* now clears the input ScanFilter properly. With v6.25.1 (exact version unknown - fix isn't present in v6.23.3), the code using CreateNetwork*/ConnectNetwork* now clears the input SecurityConfig properly.
| Infoleak from games with LDN cmds, requires compromised sysmodule/mitm.
| v6.20.1 and v6.25.1, exact versions unknown.
| v5.32.0/v6.20.1/v6.23.3/v6.25.1
|
| December 7, 2022
|
|}

=== ENL ===
This section documents vulnerabilities for [https://github.com/kinnay/NintendoClients/wiki/ENL-Protocol ENL].
A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2, and more.

Fun fact, this library appears to re-use network code and concepts from older Nintendo titles such as Mario Kart 7 and some Wii multiplayer games.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in Enl version
! Last Enl version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID) and a length.
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>, it returns NULL if there's no content transporter with the same ID

*NOTE: The function may be inlined

Then it will try to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>, dereferencing the pointer to fetch the vtable ptr

[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]

| nullptr dereference triggered by an invalid content transporter type in the ENL header (it will crash the game/process)
| Unknown
| Depends on the game
| Early April 2022
| November 16, 2022
| [[User:Rambo6Glaz|Rambo6Glaz]], Kinnay (massive RE help)
|}

There's another one more interesting but it will have to wait a bit :)

16.0.0

2023-02-21T09:40:55Z

SciresM: /* IPC Interface Changes */

The Switch 16.0.0 system update was released on February 21, 2023 (UTC). This Switch update was released for the following regions: ALL, CHN.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* User nicknames that cannot be used will be replaced with “???” which can be updated from the profile settings.
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* New sysmodule ngc was added (0100000000000050).
* All sysmodules were updated (excluding stubbed-lbl).
* Most SystemData were updated, except for: Chinese and Korean dictionaries, Dictionary, AvatarImage, UrlBlackList, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* Most applets were updated, except for: cabinet, controller, netConnect, swkbd, miiEdit, starter, maintenance.

[[NPDM]] changes (besides usual version-bump):
* [[Boot2|boot2.ProdBoot]] now has access to [[NCM_services|ncm]].
* [[Friend_services|friends]] no longer has access to [[SPL_services|csrng]].
* nifm now has htc:nd access.
* nifm, ldn, ns: pl:u access was replaced with pl:s.
* ns now has access to ns:am2 and ns:su (for GetService).
* nim no longer has access to spl: (on older versions this was unused besides service-init).
* vi now has pl:u access.
* glue now has hosted-service pl:u access (moved from sdb) and access to svcCreateSharedMemory.
* fatal had access for the following removed: nvdrv:s, pl:u, vi:s.
* sdb had access for pl:u (hosted-service) and svcCreateSharedMemory removed.
* qlaunch, playerSelect, photoViewer, myPage: access to ngc:u was added.

The SafeMode bootpkgs KIP for PCV had "Default CPU Core" changed from 3 to 63.

RomFs changes:
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated and "/ssl_TrustedCerts.Ounce.bdf" added.
* ErrorMessage: updated
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/browser/UserCssCore0.dat" added
** "/browser/UserCss.dat" updated
** "/buildinfo/buildinfo.dat" updated
** "/gfxShader/" added, which contains "BrowserOffscreenDrawer.bnsh".
** "/lyt/Browse/Page.arc" updated
** "/nro/" The various NROs located under here were updated.
* Help: "/legallines.htdocs/img/HDMI.png" and "/legallines.htdocs/index.html" were updated.
* NgWord: updated.
* LocalNews: "/image/LnSupIntro/main_Other.jpg", "/message/EUnl/localNews.msbt.szs", "/message/revision.txt" updated.
* Eula: "/KRko/Eula.msbt.szs" and "/revision.txt" updated.
* FirmwareDebugSettings: [[System_Settings|updated]]
* NgWord2: updated. Added "/ac_similar_form_nx" and "/table_similar_form_nx".
* NgWordT: "/mars_dirty_words_db" updated
* applets: various UI/message/gfx data updated.
* web-applets: "/buildinfo/buildinfo.dat" and "/.nrr/modules.nrr" updated.

=== IPC Interface Changes ===
* The following interfaces were removed:
** nn::pl::detail::IPlatformServiceManager
* The following interfaces were added:
** nn::ngc::detail::IService
** nn::pl::sharedresource::detail::IPlatformSharedResourceManager
* The following interfaces were changed:
** nn::account::IAccountEntityServiceForAccountPolicy
*** Added command 910 - inbytes: 0, outbytes: 0
** nn::account::IAccountServiceForAdministrator
*** Added command 910 - inbytes: 0, outbytes: 0
** nn::account::baas::IAdministrator
*** Added command 161 - inbytes: 0, outbytes: 0
** nn::account::baas::IManagerForSystemService
*** Added command 161 - inbytes: 0, outbytes: 0
** nn::account::nas::IOAuthProcedureForNintendoAccountLinkage
*** Added command 200 - buffers: [9, 9, 9], inbytes: 0, outbytes: 0, outinterfaces: ['nn::account::detail::IAsyncContext']
** nn::am::service::IApplicationFunctions
*** Removed command 34 - buffers: [5], inbytes: 0, outbytes: 1
** nn::am::service::IDebugFunctions
*** Added command 51 - inbytes: 4, outbytes: 0
*** Added command 300 - inbytes: 0, outbytes: 0
** nn::am::service::IHomeMenuFunctions
*** Added command 50 - inbytes: 0, outbytes: 0
*** Added command 51 - inbytes: 0, outbytes: 0
** nn::aocsrv::detail::IAddOnContentManager
*** Added command 300 - inbytes: 8, outbytes: 0, pid: True
*** Added command 301 - buffers: [6], inbytes: 16, outbytes: 0, pid: True
*** Added command 302 - inbytes: 0, outbytes: 0
** nn::bsdsocket::cfg::ServerInterface
*** Added command 13 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 14 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 15 - buffers: [5], inbytes: 0, outbytes: 0
** nn::codec::detail::IHardwareOpusDecoderManager
*** Added command 8 - inbytes: 16, outbytes: 4
*** Added command 9 - buffers: [25], inbytes: 0, outbytes: 4
** nn::dauth::detail::IService
*** Added command 3 - inbytes: 8, outbytes: 16
*** Added command 13 - inbytes: 16, outbytes: 16
** nn::dp2hdmi::detail::IDp2hdmiController
*** Added command 7 - inbytes: 0, outbytes: 0
*** Added command 8 - inbytes: 4, inhandles: [1], outbytes: 0
** nn::ec::IContentsServiceManager
*** Added command 1 - buffers: [5], inbytes: 96, outbytes: 0, outhandles: [1], outinterfaces: [None], pid: True
** nn::es::IActiveRightsContext
*** Changed command 11 - inbytes: 8 -> 16 (final state: buffers: [6], inbytes: 16, outbytes: 4)
*** Changed command 16 - inbytes: 8 -> 16 (final state: buffers: [6], inbytes: 16, outbytes: 4)
*** Added command 18 - buffers: [6, 6, 6], inbytes: 16, outbytes: 8
** nn::es::IETicketService
*** Removed command 3001 - buffers: [22, 22, 5], inbytes: 0, outbytes: 0
*** Removed command 3002 - buffers: [22], inbytes: 0, outbytes: 0
** nn::fan::detail::IManager
*** Added command 1 - inbytes: 4, outbytes: 4
** nn::friends::detail::ipc::IServiceCreator
*** Changed command 2 - outinterfaces: ['0x7100078D58'] -> ['0x710007990C'] (final state: inbytes: 0, outbytes: 0, outinterfaces: ['0x710007990C'])
** nn::fssrv::sf::IFileSystemProxy
*** Added command 10 - buffers: [25], inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Changed command 206 - inbytes: 4 -> 8 (final state: buffers: [25], inbytes: 8, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IStorage'])
*** Removed command 609 - buffers: [25], inbytes: 0, outbytes: 16
*** Changed command 610 - inbytes: 0 -> 1 (final state: buffers: [25], inbytes: 1, outbytes: 24)
** nn::fssrv::sf::IFileSystemProxyForLoader
*** Changed command 0 - inbytes: 8 -> 16 (final state: buffers: [26, 25], inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
** nn::hid::IHidDebugServer
*** Added command 25 - inbytes: 28, outbytes: 0
*** Added command 26 - inbytes: 0, outbytes: 0
*** Added command 3000 - inbytes: 0, outbytes: 0
** nn::hid::IHidServer
*** Added command 26 - inbytes: 8, outbytes: 0, pid: True
** nn::hid::IHidSystemServer
*** Removed command 1130 - inbytes: 16, inhandles: [1], outbytes: 0, pid: True
** nn::ncm::IContentManager
*** Added command 15 - inbytes: 4, outbytes: 0
** nn::ncm::IContentStorage
*** Changed command 19 - inbytes: 16 -> 17 (final state: inbytes: 17, outbytes: 24)
*** Changed command 20 - inbytes: 16 -> 17 (final state: inbytes: 17, outbytes: 24)
*** Changed command 27 - inbytes: 32 -> 33 (final state: inbytes: 33, outbytes: 24)
** nn::nim::detail::INetworkInstallManager
*** Changed command 10 - outbytes: 88 -> 96 (final state: inbytes: 16, outbytes: 96)
** nn::ns::detail::IApplicationManagerInterface
*** Changed command 21 - outbytes: 0 -> 1 (final state: buffers: [22], inbytes: 16, outbytes: 1)
*** Removed command 604 - inbytes: 16, outbytes: 0
*** Added command 611 - inbytes: 16, outbytes: 0
** nn::ns::detail::IDocumentInterface
*** Changed command 21 - outbytes: 0 -> 1 (final state: buffers: [22], inbytes: 16, outbytes: 1)
** nn::ns::detail::IDynamicRightsInterface
*** Removed command 14 - buffers: [5], inbytes: 8, outbytes: 1
** nn::pdm::detail::IQueryService
*** Changed command 4 - outbytes: 40 -> 72 (final state: inbytes: 16, outbytes: 72)
*** Changed command 5 - outbytes: 40 -> 72 (final state: inbytes: 32, outbytes: 72)
** nn::pl::detail::IPlatformServiceManagerForSystem
*** Removed command 0 - inbytes: 4, outbytes: 0
*** Removed command 1 - inbytes: 4, outbytes: 4
*** Removed command 2 - inbytes: 4, outbytes: 4
*** Removed command 3 - inbytes: 4, outbytes: 4
*** Removed command 4 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 5 - buffers: [6, 6, 6], inbytes: 8, outbytes: 8
*** Removed command 6 - buffers: [6, 6, 6], inbytes: 8, outbytes: 8
** nn::ssl::sf::ISslConnection
*** Added command 28 - buffers: [5], inbytes: 4, outbytes: 4
*** Added command 29 - buffers: [6], inbytes: 0, outbytes: 0
*** Added command 30 - inbytes: 8, outbytes: 0
*** Added command 31 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 32 - inbytes: 0, outbytes: 2
*** Added command 33 - buffers: [6, 5, 5], inbytes: 0, outbytes: 0
*** Added command 34 - inbytes: 4, outbytes: 0
*** Added command 35 - inbytes: 0, outbytes: 4
** nn::ssl::sf::ISslContext
*** Added command 12 - buffers: [5, 5], inbytes: 4, outbytes: 8
*** Added command 13 - buffers: [6, 6, 5], inbytes: 4, outbytes: 8
** nn::ssl::sf::ISslContextForSystem
*** Added command 12 - buffers: [5, 5], inbytes: 4, outbytes: 8
*** Added command 13 - buffers: [6, 6, 5], inbytes: 4, outbytes: 8
** nn::visrv::sf::IManagerDisplayService
*** Added command 2060 - inbytes: 4, outbytes: 0
*** Added command 2062 - buffers: [5], inbytes: 4, outbytes: 0
*** Added command 2063 - inbytes: 8, outbytes: 0
*** Added command 6014 - inbytes: 16, outbytes: 0
*** Added command 6015 - inbytes: 8, outbytes: 0
** nn::visrv::sf::IManagerRootService
*** Added command 100 - inbytes: 0, outbytes: 0
*** Added command 101 - inbytes: 0, outbytes: 0
*** Added command 102 - inbytes: 20, outbytes: 0
*** Added command 103 - buffers: [5], inbytes: 32, outbytes: 4

=== BootImagePackages ===
All files in RomFs were updated.

====Kernel====
* Compiler upgrade
** Version is currently unknown, probably ~LLVM 15?
** Many NOPs inserted to align branch destinations to 16 bytes, many ADRP + ADD pairs replaced with NOP + ADR
*** This probably corresponds to this commit? https://github.com/llvm/llvm-project/commit/4450a2a23df0e7081ca7fee3ec641774afedc2bc
**** Alexander Shaposhnikov, why did you do this, it makes diffing harder :(
** Compiler now more frequently detecting a reusable computed offset for load/store
* KThreadStackParameters:
** Stack parameters are now 0x10 larger.
** The additional 0x10 bytes appear to be completely unused, at least on prod NX builds of the kernel.
* KScheduler changes:
** Idle count tracking has been changed to use two fields ("idle count", "switch count").
*** In UpdateHighestThreads(), switching to the idle thread does idle_count = ++switch_count, and switching to a non-kernel thread does ++switch_count.
*** KProcess now has an additional array of counts ("running_thread_switch_counts"), UpdateHighestThreads() also sets running_thread_switch_counts[core] = switch_count.
** KDebug::GetRunningThreadInfo() now only succeeds if running_thread_switch_counts[core] == Scheduler->switch_count + 1.
*** Previously, this checked running_thread_idle_counts[core] == Scheduler->idle_count, which meant the thread had to have not switched to idle between its last execution and the GetRunningThreadInfo() wait finishing.
*** Now, this requires the core to have switched directly from the target thread to GetRunningThreadInfo(), which is to say the condition is "The thread is actually running at the target time".
*** In addition, now ResultNoThread is returned if switch_count == idle_count + 1, otherwise ResultUnknownThread is returned; previously only NoThread was returnable.
**** switch_count == idle_count + 1 implies that the switch to GetRunningThreadInfo() happened from idle thread, so ResultNoThread is returned exactly when the running thread was the idle thread.
**** Otherwise, if a thread other than the idle thread was the running thread, UnknownThread is returned.
** KSchedulerLock::Lock() now always increments count, instead of setting count = 1 when the lock owner is not the current thread.
** Note: Several KScheduler functions have big assembly changes, but this appears to be pure compiler optimization changes with no semantic differences.
* KProcess had the creation time member deleted.
* A new KPageTable::Operate operation was added ("ChangePermsAndRefreshWithFlushDataCache")
** Previously, all calls to Operate with ChangePermsAndRefresh would flush data cache; now, calls to ChangePermsAndRefresh do not flush data cache and calls to ChangePermsAndRefreshWithFlushDataCache do.
*** ChangePermsAndRefreshWithFlushDataCache is otherwise identical to ChangePermsAndRefresh semantically.
* QueryIoMapping now supports querying memory regions with KMemoryState_Static in addition to KMemoryState_Io.
* Some changes surrounding KIoRegion:
** KIoRegion now uses an intrusive red black tree member for the pool list, rather than an intrusive list node.
** KIoPool::AddIoRegion() uses the intrusive tree to check fewer regions for Contains().
** KPageTableBase::UnmapIoRegion now takes the MemoryMapping as argument (which was passed to CreateIoRegion).
*** When mapping is MemoryMapping_Memory, the mapping following is done before unmap:
**** The region is permission changed to be uncached, using ChangePermsAndRefresh (without FlushDataCache).
**** The table's lock is released.
**** cpu::FlushDataCache() is called to flush the mapping.
**** The table's lock is reacquired.
*** All fallible operations now call KernelPanic() on failure, rather than returning the result code
* KAddressSpaceInfo::GetAddressSpaceStart()/GetAddressSpaceSize() no longer use complicated switch logic to only examine the indices with the right bit-width, and instead just iterate all indices with an if to check bit width.
* Big changes to KThread waiting/priority inheritance:
** m_waiter_list, m_lock_owner fields were deleted.
** New fields m_held_lock_info_list, m_waiting_lock_info were added.
*** This is an intrusive list of new type KThreadLockInfo (storing info on all locks held), and a pointer to the lock this thread is waiting on, if any.
*** There is one lock info for each address key.
*** KThreadLockInfo is slab allocated, count = # of KThreads
*** KThreadLockInfo has the following fields:
**** LockWithPriorityInheritanceThreadTree m_cv_tree; // Tree of threads waiting on the lock, this re-uses the node for condvar/arbiter.
**** KProcessAddress m_address_key;
**** KThread *m_owner;
**** u32 m_waiter_count;
** This greatly simplifies RemoveWaiterByKey (as there is a single KThreadLockInfo representing all threads waiting on the key).
*** RemoveWaiterByKey now also has an output bool pointer for whether the lock still has waiters, rather than an output s32 pointer for # of waiters.
** RestorePriority has been shuffled to ensure the new CV tree inside lock info has its invariants maintained across the priority set.
** Several calls to RestorePriority are now guarded by if statements, to only invoke RestorePriority if there is a possible change in inherited priority.
* Big changes to crt0/Initialize0/KInitialPageTable/Sleep Manager:
** KInitialPageTable::Map (and others) now take a new physical-to-virtual-offset argument, and add this to L1 table etc.
** Changes to Initial Arguments:
*** Initial arguments are now size 0x80.
*** Initial argument pointers are no longer used; Init arguments array addresses are used directly, with presumption that no page boundary is crossed.
*** Initial arguments no longer use setup function/etc.
*** Instead of setting ep = HorizonKernelMain, Initial arguments now set ep = InvokeMain (this function was previously "InvokeEntryPoint")
*** idle stack is now retrieved from KMemoryLayout inside InvokeMain, instead of being a field inside Initial Arguments.
** After setting up initial arguments, Initialize0 now returns to crt0, which sets sp = InitArguments[0]->sp and calls new function ("Initialize1").
*** All KInitialPageTable calls from here onward now pass g_LinearPhysToVirtDiff, and thus page table accesses are done using the Linear mapping set up by Initialize0.
** Initialize1 does the following:
*** The initial identity mapping is unmapped in its entirety.
**** The single-page containing crt0 + interrupt vectors is re-identity-mapped as R-X.
**** PageAllocator for this is an extremely simplified new InitialPageAllocator type, which always has exactly two free pages to be allocated.
*** All remaining logic which used to be in Initialize0 happens here, with no changes.
** TurnOnAllCores now calls a helper function ("TurnOnCore") to turn on the cores.
*** void TurnOnCore(__int64 core, InitArguments *argument);
*** TurnOnCore does virt->phys translation lookup (using at s1e1r) on StartOtherCore (from crt0 page) + argument, and calls smc::CpuOn directly.
**** TurnOnCore is "probably" a KSystemControl function.
** Sleep handler thread function now sets resume entry addr = StartOtherCore, and sets up an InitArguments for each core.
*** ResumeEntry and ResumeEntryVirtual are now merged/simplified.
* Changes to pool allocations:
** Minimum non-secure system pool size is now ~2MB larger (0x2C04000 vs 0x2A0C000).
** Slab heap gaps size is now 0x9000 smaller (0x1A7000 vs 0x1B0000).
* KSystemControl::Initialize has been restructured (operations reordered), and now calls a helper which sets up the MT, creates system resource limit, etc.
** This helper also modifies the KAddressSpaceInfo tables, when memory is large (these were previously read-only).
** In particular, the following modifications are made to the 39-bit address space infos based on the total memory size:
*** size <= 8 GB: No changes (Heap Region = 8 GB, Alias region = 64 GB)
*** 8 GB < size <= 16 GB: Heap Region = size, Alias Region = 8 * size
*** 16 GB < size <= 32 GB: Heap region = size, Alias region = 128 GB
*** 32 GB <= size: Heap region = 32 GB, Alias region = 128 GB
* KSystemControl::Init::GenerateRandomRange now supports min=0, max=0xFFFFFFFFFFFFFFFF (previously it was incorrect for this case).
* New InfoType (0x1B) ("IoRegionHint")
** This takes a handle to a KIoRegion, and returns the low bits of the region's address.
*** If the region's size is < 0x10000, this is the low 12 bits, otherwise if size < 0x200000, this is the low 16 bits, otherwise it's the low 21 bits.
* UserspaceAccess functions no longer do adr X30, fail in the loop, now do adr X#, fail before the loop and mov X30, X# in the loop.
* All code which sets ThreadContext's pstate field now uses the mask 0xF0000000 for aarch64 threads and 0xFE0FFE20 for aarch32 threads.
** Previously, this used the mask 0xFF0FFE20 for both.
** This removes the ability to get/set the DIT bit for both aarch64 and aarch32, and removes many other bits for aarch64 only.
* Interrupt disable logic was removed from a number of functions:
** KAddressArbiter::SignalAndIncrementIfEqual, KAddressArbiter::SignalAndModifyBasedOnWaitingThreadCount, KAddressArbiter::WaitIfLessThan, KConditionVariable::SignalConditionVariableImpl
* KConditionVariable::SignalToAddress now does dmb before copying updated value to userspace.
* KDebugBase functions for DebugEvents were changed to take pointer to params + count, instead of 5 parameter arguments.
** This propagates up to many/all caller functions.
** The only variable length parameter counts are DebugEvent_Exception + DebugException_UserBreak/DebugException_DebuggerBreak
*** This copies the variable-count parameters directly to the result exception info without maximum size check.
**** This is not exploitable, because there is no way for userspace to control parameter count, and it will always remain in bounds.
**** Presumably exception info type is larger if compiling for a target with more than 4 CPUs, to prevent out-of-bounds copies.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2023-02-21_00-05-09&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

16.0.0

2023-02-21T08:23:56Z

SciresM: Add kernel diff

The Switch 16.0.0 system update was released on February 21, 2023 (UTC). This Switch update was released for the following regions: ALL, CHN.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* User nicknames that cannot be used will be replaced with “???” which can be updated from the profile settings.
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* New sysmodule ngc was added (0100000000000050).
* All sysmodules were updated (excluding stubbed-lbl).
* Most SystemData were updated, except for: Chinese and Korean dictionaries, Dictionary, AvatarImage, UrlBlackList, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* Most applets were updated, except for: cabinet, controller, netConnect, swkbd, miiEdit, starter, maintenance.

[[NPDM]] changes (besides usual version-bump):
* [[Boot2|boot2.ProdBoot]] now has access to [[NCM_services|ncm]].
* [[Friend_services|friends]] no longer has access to [[SPL_services|csrng]].
* nifm now has htc:nd access.
* nifm, ldn, ns: pl:u access was replaced with pl:s.
* ns now has access to ns:am2 and ns:su (for GetService).
* nim no longer has access to spl: (on older versions this was unused besides service-init).
* vi now has pl:u access.
* glue now has hosted-service pl:u access (moved from sdb) and access to svcCreateSharedMemory.
* fatal had access for the following removed: nvdrv:s, pl:u, vi:s.
* sdb had access for pl:u (hosted-service) and svcCreateSharedMemory removed.
* qlaunch, playerSelect, photoViewer, myPage: access to ngc:u was added.

The SafeMode bootpkgs KIP for PCV had "Default CPU Core" changed from 3 to 63.

RomFs changes:
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated and "/ssl_TrustedCerts.Ounce.bdf" added.
* ErrorMessage: updated
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/browser/UserCssCore0.dat" added
** "/browser/UserCss.dat" updated
** "/buildinfo/buildinfo.dat" updated
** "/gfxShader/" added, which contains "BrowserOffscreenDrawer.bnsh".
** "/lyt/Browse/Page.arc" updated
** "/nro/" The various NROs located under here were updated.
* Help: "/legallines.htdocs/img/HDMI.png" and "/legallines.htdocs/index.html" were updated.
* NgWord: updated.
* LocalNews: "/image/LnSupIntro/main_Other.jpg", "/message/EUnl/localNews.msbt.szs", "/message/revision.txt" updated.
* Eula: "/KRko/Eula.msbt.szs" and "/revision.txt" updated.
* FirmwareDebugSettings: [[System_Settings|updated]]
* NgWord2: updated. Added "/ac_similar_form_nx" and "/table_similar_form_nx".
* NgWordT: "/mars_dirty_words_db" updated
* applets: various UI/message/gfx data updated.
* web-applets: "/buildinfo/buildinfo.dat" and "/.nrr/modules.nrr" updated.

=== IPC Interface Changes ===
* The following interfaces were removed:
** nn::pl::detail::IPlatformServiceManager
* The following interfaces were added:
** nn::ngc::detail::IService
** [ID = 0xb74e5372]
* The following interfaces were changed:
** nn::account::IAccountEntityServiceForAccountPolicy
*** Added command 910 - inbytes: 0, outbytes: 0
** nn::account::IAccountServiceForAdministrator
*** Added command 910 - inbytes: 0, outbytes: 0
** nn::account::baas::IAdministrator
*** Added command 161 - inbytes: 0, outbytes: 0
** nn::account::baas::IManagerForSystemService
*** Added command 161 - inbytes: 0, outbytes: 0
** nn::account::nas::IOAuthProcedureForNintendoAccountLinkage
*** Added command 200 - buffers: [9, 9, 9], inbytes: 0, outbytes: 0, outinterfaces: ['nn::account::detail::IAsyncContext']
** nn::am::service::IApplicationFunctions
*** Removed command 34 - buffers: [5], inbytes: 0, outbytes: 1
** nn::am::service::IDebugFunctions
*** Added command 51 - inbytes: 4, outbytes: 0
*** Added command 300 - inbytes: 0, outbytes: 0
** nn::am::service::IHomeMenuFunctions
*** Added command 50 - inbytes: 0, outbytes: 0
*** Added command 51 - inbytes: 0, outbytes: 0
** nn::aocsrv::detail::IAddOnContentManager
*** Added command 300 - inbytes: 8, outbytes: 0, pid: True
*** Added command 301 - buffers: [6], inbytes: 16, outbytes: 0, pid: True
*** Added command 302 - inbytes: 0, outbytes: 0
** nn::bsdsocket::cfg::ServerInterface
*** Added command 13 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 14 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 15 - buffers: [5], inbytes: 0, outbytes: 0
** nn::codec::detail::IHardwareOpusDecoderManager
*** Added command 8 - inbytes: 16, outbytes: 4
*** Added command 9 - buffers: [25], inbytes: 0, outbytes: 4
** nn::dauth::detail::IService
*** Added command 3 - inbytes: 8, outbytes: 16
*** Added command 13 - inbytes: 16, outbytes: 16
** nn::dp2hdmi::detail::IDp2hdmiController
*** Added command 7 - inbytes: 0, outbytes: 0
*** Added command 8 - inbytes: 4, inhandles: [1], outbytes: 0
** nn::ec::IContentsServiceManager
*** Added command 1 - buffers: [5], inbytes: 96, outbytes: 0, outhandles: [1], outinterfaces: [None], pid: True
** nn::es::IActiveRightsContext
*** Changed command 11 - inbytes: 8 -> 16 (final state: buffers: [6], inbytes: 16, outbytes: 4)
*** Changed command 16 - inbytes: 8 -> 16 (final state: buffers: [6], inbytes: 16, outbytes: 4)
*** Added command 18 - buffers: [6, 6, 6], inbytes: 16, outbytes: 8
** nn::es::IETicketService
*** Removed command 3001 - buffers: [22, 22, 5], inbytes: 0, outbytes: 0
*** Removed command 3002 - buffers: [22], inbytes: 0, outbytes: 0
** nn::fan::detail::IManager
*** Added command 1 - inbytes: 4, outbytes: 4
** nn::friends::detail::ipc::IServiceCreator
*** Changed command 2 - outinterfaces: ['0x7100078D58'] -> ['0x710007990C'] (final state: inbytes: 0, outbytes: 0, outinterfaces: ['0x710007990C'])
** nn::fssrv::sf::IFileSystemProxy
*** Added command 10 - buffers: [25], inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Changed command 206 - inbytes: 4 -> 8 (final state: buffers: [25], inbytes: 8, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IStorage'])
*** Removed command 609 - buffers: [25], inbytes: 0, outbytes: 16
*** Changed command 610 - inbytes: 0 -> 1 (final state: buffers: [25], inbytes: 1, outbytes: 24)
** nn::fssrv::sf::IFileSystemProxyForLoader
*** Changed command 0 - inbytes: 8 -> 16 (final state: buffers: [26, 25], inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem'])
** nn::hid::IHidDebugServer
*** Added command 25 - inbytes: 28, outbytes: 0
*** Added command 26 - inbytes: 0, outbytes: 0
*** Added command 3000 - inbytes: 0, outbytes: 0
** nn::hid::IHidServer
*** Added command 26 - inbytes: 8, outbytes: 0, pid: True
** nn::hid::IHidSystemServer
*** Removed command 1130 - inbytes: 16, inhandles: [1], outbytes: 0, pid: True
** nn::ncm::IContentManager
*** Added command 15 - inbytes: 4, outbytes: 0
** nn::ncm::IContentStorage
*** Changed command 19 - inbytes: 16 -> 17 (final state: inbytes: 17, outbytes: 24)
*** Changed command 20 - inbytes: 16 -> 17 (final state: inbytes: 17, outbytes: 24)
*** Changed command 27 - inbytes: 32 -> 33 (final state: inbytes: 33, outbytes: 24)
** nn::nim::detail::INetworkInstallManager
*** Changed command 10 - outbytes: 88 -> 96 (final state: inbytes: 16, outbytes: 96)
** nn::ns::detail::IApplicationManagerInterface
*** Changed command 21 - outbytes: 0 -> 1 (final state: buffers: [22], inbytes: 16, outbytes: 1)
*** Removed command 604 - inbytes: 16, outbytes: 0
*** Added command 611 - inbytes: 16, outbytes: 0
** nn::ns::detail::IDocumentInterface
*** Changed command 21 - outbytes: 0 -> 1 (final state: buffers: [22], inbytes: 16, outbytes: 1)
** nn::ns::detail::IDynamicRightsInterface
*** Removed command 14 - buffers: [5], inbytes: 8, outbytes: 1
** nn::pdm::detail::IQueryService
*** Changed command 4 - outbytes: 40 -> 72 (final state: inbytes: 16, outbytes: 72)
*** Changed command 5 - outbytes: 40 -> 72 (final state: inbytes: 32, outbytes: 72)
** nn::pl::detail::IPlatformServiceManagerForSystem
*** Removed command 0 - inbytes: 4, outbytes: 0
*** Removed command 1 - inbytes: 4, outbytes: 4
*** Removed command 2 - inbytes: 4, outbytes: 4
*** Removed command 3 - inbytes: 4, outbytes: 4
*** Removed command 4 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 5 - buffers: [6, 6, 6], inbytes: 8, outbytes: 8
*** Removed command 6 - buffers: [6, 6, 6], inbytes: 8, outbytes: 8
** nn::ssl::sf::ISslConnection
*** Added command 28 - buffers: [5], inbytes: 4, outbytes: 4
*** Added command 29 - buffers: [6], inbytes: 0, outbytes: 0
*** Added command 30 - inbytes: 8, outbytes: 0
*** Added command 31 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 32 - inbytes: 0, outbytes: 2
*** Added command 33 - buffers: [6, 5, 5], inbytes: 0, outbytes: 0
*** Added command 34 - inbytes: 4, outbytes: 0
*** Added command 35 - inbytes: 0, outbytes: 4
** nn::ssl::sf::ISslContext
*** Added command 12 - buffers: [5, 5], inbytes: 4, outbytes: 8
*** Added command 13 - buffers: [6, 6, 5], inbytes: 4, outbytes: 8
** nn::ssl::sf::ISslContextForSystem
*** Added command 12 - buffers: [5, 5], inbytes: 4, outbytes: 8
*** Added command 13 - buffers: [6, 6, 5], inbytes: 4, outbytes: 8
** nn::visrv::sf::IManagerDisplayService
*** Added command 2060 - inbytes: 4, outbytes: 0
*** Added command 2062 - buffers: [5], inbytes: 4, outbytes: 0
*** Added command 2063 - inbytes: 8, outbytes: 0
*** Added command 6014 - inbytes: 16, outbytes: 0
*** Added command 6015 - inbytes: 8, outbytes: 0
** nn::visrv::sf::IManagerRootService
*** Added command 100 - inbytes: 0, outbytes: 0
*** Added command 101 - inbytes: 0, outbytes: 0
*** Added command 102 - inbytes: 20, outbytes: 0
*** Added command 103 - buffers: [5], inbytes: 32, outbytes: 4

=== BootImagePackages ===
All files in RomFs were updated.

====Kernel====
* Compiler upgrade
** Version is currently unknown, probably ~LLVM 15?
** Many NOPs inserted to align branch destinations to 16 bytes, many ADRP + ADD pairs replaced with NOP + ADR
*** This probably corresponds to this commit? https://github.com/llvm/llvm-project/commit/4450a2a23df0e7081ca7fee3ec641774afedc2bc
**** Alexander Shaposhnikov, why did you do this, it makes diffing harder :(
** Compiler now more frequently detecting a reusable computed offset for load/store
* KThreadStackParameters:
** Stack parameters are now 0x10 larger.
** The additional 0x10 bytes appear to be completely unused, at least on prod NX builds of the kernel.
* KScheduler changes:
** Idle count tracking has been changed to use two fields ("idle count", "switch count").
*** In UpdateHighestThreads(), switching to the idle thread does idle_count = ++switch_count, and switching to a non-kernel thread does ++switch_count.
*** KProcess now has an additional array of counts ("running_thread_switch_counts"), UpdateHighestThreads() also sets running_thread_switch_counts[core] = switch_count.
** KDebug::GetRunningThreadInfo() now only succeeds if running_thread_switch_counts[core] == Scheduler->switch_count + 1.
*** Previously, this checked running_thread_idle_counts[core] == Scheduler->idle_count, which meant the thread had to have not switched to idle between its last execution and the GetRunningThreadInfo() wait finishing.
*** Now, this requires the core to have switched directly from the target thread to GetRunningThreadInfo(), which is to say the condition is "The thread is actually running at the target time".
*** In addition, now ResultNoThread is returned if switch_count == idle_count + 1, otherwise ResultUnknownThread is returned; previously only NoThread was returnable.
**** switch_count == idle_count + 1 implies that the switch to GetRunningThreadInfo() happened from idle thread, so ResultNoThread is returned exactly when the running thread was the idle thread.
**** Otherwise, if a thread other than the idle thread was the running thread, UnknownThread is returned.
** KSchedulerLock::Lock() now always increments count, instead of setting count = 1 when the lock owner is not the current thread.
** Note: Several KScheduler functions have big assembly changes, but this appears to be pure compiler optimization changes with no semantic differences.
* KProcess had the creation time member deleted.
* A new KPageTable::Operate operation was added ("ChangePermsAndRefreshWithFlushDataCache")
** Previously, all calls to Operate with ChangePermsAndRefresh would flush data cache; now, calls to ChangePermsAndRefresh do not flush data cache and calls to ChangePermsAndRefreshWithFlushDataCache do.
*** ChangePermsAndRefreshWithFlushDataCache is otherwise identical to ChangePermsAndRefresh semantically.
* QueryIoMapping now supports querying memory regions with KMemoryState_Static in addition to KMemoryState_Io.
* Some changes surrounding KIoRegion:
** KIoRegion now uses an intrusive red black tree member for the pool list, rather than an intrusive list node.
** KIoPool::AddIoRegion() uses the intrusive tree to check fewer regions for Contains().
** KPageTableBase::UnmapIoRegion now takes the MemoryMapping as argument (which was passed to CreateIoRegion).
*** When mapping is MemoryMapping_Memory, the mapping following is done before unmap:
**** The region is permission changed to be uncached, using ChangePermsAndRefresh (without FlushDataCache).
**** The table's lock is released.
**** cpu::FlushDataCache() is called to flush the mapping.
**** The table's lock is reacquired.
*** All fallible operations now call KernelPanic() on failure, rather than returning the result code
* KAddressSpaceInfo::GetAddressSpaceStart()/GetAddressSpaceSize() no longer use complicated switch logic to only examine the indices with the right bit-width, and instead just iterate all indices with an if to check bit width.
* Big changes to KThread waiting/priority inheritance:
** m_waiter_list, m_lock_owner fields were deleted.
** New fields m_held_lock_info_list, m_waiting_lock_info were added.
*** This is an intrusive list of new type KThreadLockInfo (storing info on all locks held), and a pointer to the lock this thread is waiting on, if any.
*** There is one lock info for each address key.
*** KThreadLockInfo is slab allocated, count = # of KThreads
*** KThreadLockInfo has the following fields:
**** LockWithPriorityInheritanceThreadTree m_cv_tree; // Tree of threads waiting on the lock, this re-uses the node for condvar/arbiter.
**** KProcessAddress m_address_key;
**** KThread *m_owner;
**** u32 m_waiter_count;
** This greatly simplifies RemoveWaiterByKey (as there is a single KThreadLockInfo representing all threads waiting on the key).
*** RemoveWaiterByKey now also has an output bool pointer for whether the lock still has waiters, rather than an output s32 pointer for # of waiters.
** RestorePriority has been shuffled to ensure the new CV tree inside lock info has its invariants maintained across the priority set.
** Several calls to RestorePriority are now guarded by if statements, to only invoke RestorePriority if there is a possible change in inherited priority.
* Big changes to crt0/Initialize0/KInitialPageTable/Sleep Manager:
** KInitialPageTable::Map (and others) now take a new physical-to-virtual-offset argument, and add this to L1 table etc.
** Changes to Initial Arguments:
*** Initial arguments are now size 0x80.
*** Initial argument pointers are no longer used; Init arguments array addresses are used directly, with presumption that no page boundary is crossed.
*** Initial arguments no longer use setup function/etc.
*** Instead of setting ep = HorizonKernelMain, Initial arguments now set ep = InvokeMain (this function was previously "InvokeEntryPoint")
*** idle stack is now retrieved from KMemoryLayout inside InvokeMain, instead of being a field inside Initial Arguments.
** After setting up initial arguments, Initialize0 now returns to crt0, which sets sp = InitArguments[0]->sp and calls new function ("Initialize1").
*** All KInitialPageTable calls from here onward now pass g_LinearPhysToVirtDiff, and thus page table accesses are done using the Linear mapping set up by Initialize0.
** Initialize1 does the following:
*** The initial identity mapping is unmapped in its entirety.
**** The single-page containing crt0 + interrupt vectors is re-identity-mapped as R-X.
**** PageAllocator for this is an extremely simplified new InitialPageAllocator type, which always has exactly two free pages to be allocated.
*** All remaining logic which used to be in Initialize0 happens here, with no changes.
** TurnOnAllCores now calls a helper function ("TurnOnCore") to turn on the cores.
*** void TurnOnCore(__int64 core, InitArguments *argument);
*** TurnOnCore does virt->phys translation lookup (using at s1e1r) on StartOtherCore (from crt0 page) + argument, and calls smc::CpuOn directly.
**** TurnOnCore is "probably" a KSystemControl function.
** Sleep handler thread function now sets resume entry addr = StartOtherCore, and sets up an InitArguments for each core.
*** ResumeEntry and ResumeEntryVirtual are now merged/simplified.
* Changes to pool allocations:
** Minimum non-secure system pool size is now ~2MB larger (0x2C04000 vs 0x2A0C000).
** Slab heap gaps size is now 0x9000 smaller (0x1A7000 vs 0x1B0000).
* KSystemControl::Initialize has been restructured (operations reordered), and now calls a helper which sets up the MT, creates system resource limit, etc.
** This helper also modifies the KAddressSpaceInfo tables, when memory is large (these were previously read-only).
** In particular, the following modifications are made to the 39-bit address space infos based on the total memory size:
*** size <= 8 GB: No changes (Heap Region = 8 GB, Alias region = 64 GB)
*** 8 GB < size <= 16 GB: Heap Region = size, Alias Region = 8 * size
*** 16 GB < size <= 32 GB: Heap region = size, Alias region = 128 GB
*** 32 GB <= size: Heap region = 32 GB, Alias region = 128 GB
* KSystemControl::Init::GenerateRandomRange now supports min=0, max=0xFFFFFFFFFFFFFFFF (previously it was incorrect for this case).
* New InfoType (0x1B) ("IoRegionHint")
** This takes a handle to a KIoRegion, and returns the low bits of the region's address.
*** If the region's size is < 0x10000, this is the low 12 bits, otherwise if size < 0x200000, this is the low 16 bits, otherwise it's the low 21 bits.
* UserspaceAccess functions no longer do adr X30, fail in the loop, now do adr X#, fail before the loop and mov X30, X# in the loop.
* All code which sets ThreadContext's pstate field now uses the mask 0xF0000000 for aarch64 threads and 0xFE0FFE20 for aarch32 threads.
** Previously, this used the mask 0xFF0FFE20 for both.
** This removes the ability to get/set the DIT bit for both aarch64 and aarch32, and removes many other bits for aarch64 only.
* Interrupt disable logic was removed from a number of functions:
** KAddressArbiter::SignalAndIncrementIfEqual, KAddressArbiter::SignalAndModifyBasedOnWaitingThreadCount, KAddressArbiter::WaitIfLessThan, KConditionVariable::SignalConditionVariableImpl
* KConditionVariable::SignalToAddress now does dmb before copying updated value to userspace.
* KDebugBase functions for DebugEvents were changed to take pointer to params + count, instead of 5 parameter arguments.
** This propagates up to many/all caller functions.
** The only variable length parameter counts are DebugEvent_Exception + DebugException_UserBreak/DebugException_DebuggerBreak
*** This copies the variable-count parameters directly to the result exception info without maximum size check.
**** This is not exploitable, because there is no way for userspace to control parameter count, and it will always remain in bounds.
**** Presumably exception info type is larger if compiling for a target with more than 4 CPUs, to prevent out-of-bounds copies.

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2023-02-21_00-05-09&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

16.0.0

2023-02-21T01:08:12Z

SciresM: Add 15 -> 16 ipc diff

15.0.0

2022-10-15T18:27:37Z

SciresM: fix added -> removed for some removed commands

The Switch 15.0.0 system update was released on October 11, 2022 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* The location of the Bluetooth® Audio menu within System Settings has moved.
* Screenshots can be taken using the Capture Button while in the Nintendo Switch Online application found on the Nintendo Switch HOME Menu. Video capture is not supported.
*
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* All sysmodules were updated, except for lbl which was previously stubbed. New sysmodule eth was added.
* All SystemData were updated, except for the following: SharedFont, Dictionary, AvatarImage, Eula, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* The following applets were updated: qlaunch, [[Controller_Applet|controller]], dataErase, error, netConnect, [[Profile_Selector|playerSelect]], [[Internet_Browser|web-applets]], OverlayApplet, [[Album_Applet|photoViewer]].

NPDM changes (see [[Services_API|here]] for service hosting changes):
* bluetooth: Access to srepo:u was added.
* bcat: Access to sprof:sp was removed.
* nifm: Access to ethc:c, ethc:i, and various wlan:* services were removed. Access to bsd:nu, eth:nd, wlan, and wlan:nd were added.
* bsdsocket: "Lowest Allowed CPU ID" was changed from 3 to 0. Access to usb:hs and the various wlan:* services were removed.
* wlan: Access to srepo:u was added.
* ldn: Access to psc:m and the various wlan:* services were removed. Access to the wlan service was added.
* ns: Access to audctl was removed. Access to csrng and dauth:0 was added.
* ssl: "Lowest Allowed CPU ID" was changed from 3 to 0.
* nim: Access to ssl was replaced with ssl:s.
* glue: FS permissions now has bitmask 0x0000004000000000 set.
* ro: Access to csrng was added.
* omm: FS permissions now has bitmask 0x0000000000100000 set.
* qlaunch: Access to mnpp:sys and spbg:sp were removed.

RomFs changes (besides sysver titles):
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated
* ErrorMessage: various error messages updated/added
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/Browse/FocusNodeFrame.arc" updated
** "/message/": localization data updated
** "/nro/": The various NROs located under these sub-dirs were updated.
* Help:
** "/legallines.htdocs/img/HDMI.png" updated
** "/legallines.htdocs/index.html" updated
** "/safe.htdocs/html/{dir}/", where {dir} is "JPja", "KRko", and "TWzh":
*** "index.html", "page_02.html", "page_04.html": updated
* UrlBlackList:
** "/listCommon.txt" updated
* TimeZoneBinary: updated
* FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula: [[System_Settings|updated]]
* [[HID_services|ControllerFirmware]]: "/FirmwareInfo.csv" and "/raizo_ep2_ota.bin" updated
* NgWordT: updated
* Applets: Various UI/localization data updated. For web-applets, the NRR and buildinfo.dat were also updated.

===BootImagePackages===
All files in RomFs were updated.

====Kernel====
* Compiler changes:
** Compiler upgrade
*** [What version of clang?]
*** Clang is optimizing much more aggressively in some places.
*** Notably, there are many code locations now where clang doesn't actually increment the KSchedulerLock's count field, presumably because it sees it will be decremented at end of scope...
**** This isn't exploitable, and it is """correct""", but it is worth noting to other reverse engineers because it is very confusing to see the count field unchanged or reloaded after function calls.
** Code is now compiled with -fomit-frame-pointer.
* Initialization changes:
** When the thread resource limit is increased, 24 MB of virtual space is now reserved for the Kernel stack region instead of 14 MB.
* In HorizonKernelMain:
** DoOnEachCoreInOrder is no longer inlined, when setting up the main/interrupt threads. It is still inlined in all other places.
* Multiple fixed-allocations from the system pool/resource limit were removed/revised, presumably to prevent them from unnecessarily fragmenting the pool forever.
** AppletSecureMemory is now allocated statically, instead of dynamically.
*** Previously, 4 MB was allocated from the system pool/resource limit during main.
*** Initialize0 now reserves the 4 MB immediately after the slab heaps for this.
**** DRAM layout is now like [tz reserved] [kernel] [slab heaps] [applet secure memory] [pt heap] [init pt] [memory pool partitions].
**** The virtual memory region type is 0x62; the physical memory region type is 0xC200018E.
** The KPageBuffer slab heap is no longer dynamically allocated from KMemoryManager.
*** Previously, the required number of pages were allocated from the system pool/resource limit to setup the heap *immediately* after KMemoryManager was initialized.
*** Now, it is set up during Kernel::InitializeResourceManagers, after setting up the page manager.
**** InitializeKPageBufferSlabHeap now takes heap and page manager as arguments; the slab heap's members are randomly allocated pages from the page manager.
***** This effectively randomizes the page buffer slabheap's page locations, where previously they were a contiguous range somewhere in the system pool.
***** To facilitate this, the page manager now has an Allocate(count) member function in addition to the previous single-page Allocate().
****** To facilitate this, the page manager now tracks the bitmap ends in addition to the bitmap starts, to enable a linear walk of the lowest bitmap layer.
*** This has an important knock-on effect: TLS pages are allocated from the page buffer slab, and correspondingly are no longer heap pages.
**** Correspondingly, KMemoryState_ThreadLocal no longer has the FlagReferenceCounted (0x400000) bit set.
**** However, removing this bit naively breaks IPC, which previously checked FlagReferenceCounted before copying to/from the message buffer.
**** Now, FlagReferenceCounted is checked if and only if the message buffer is a UserBuffer. If it is not, a new flag "FlagLinearMapped" (0x4000000) is checked.
***** This bit is set only on memory types guaranteed to be accessible via the kernel's linear mapping of non-kernel dram (physical ranges with memory region flag 0x80000000).
***** This new flag is set on all memory states other than Free, Io, Static, Inaccessible, Kernel, Coverage.
* Two new SVCs were added for a new "InsecureMemory" concept.
** Svc 0x90 is Result MapInsecureMemory(uintptr_t address, size_t size);
*** This allocates the requested size memory from a pool partition/resource limit, and map it with a new memory state ("KMemoryState_Insecure") at the user-specified address.
**** The resource limit/pool partition are gotten via new KSystemControl functions ("KSystemControl::GetInsecureMemoryResourceLimit", "KSystemControl::GetInsecureMemoryPool").
***** On NX board, these are the system resource limit, and Pool_SystemNonSecure respectively.
**** The specified address/size must be within the alias code region.
**** KMemoryState_Insecure has value 0x5583817.
***** This is type 0x17 with flags CanUseNonDeviceIpc, CanUseNonSecureIpc, Mapped, CanDeviceMap, CanAlignedDeviceMap, ReferenceCounted, CanChangeAttribute, LinearMapped.
** Svc 0x91 is Result UnmapInsecureMemory(uintptr_t address, size_t size);
*** This unmaps/deallocates/releases memory previously mapped with MapInsecureMemory.
* More changes to SvcMapDeviceAddressSpace(ByForce/Aligned).
** The argument which was previously a memory permission ("device_perm") is now an encoded u32 ("option").
*** The low 16 bits of this are the device permission.
*** The upper 16 bits of this are an enum (only defined values are 0 and 1).
** If the enum-arg is not 0 or 1, svc::ResultInvalidEnumValue() is now returned.
** If the enum-arg is 1 and the specified memory is IO, svc::ResultInvalidCombination is returned.
* Partial support was added for the KPageBuffer size being different from the hardware page size.
** There are now two globals, g_PageBufferSize = 0x1000, g_PageBufferCount = 0.
** The KPageBuffer slab heap is initialized with g_PageBufferCount blocks of g_PageBufferSize.
*** if g_PageBufferSize is 0x1000, g_PageBufferCount has the number of required TLS pages added to it (# processes + # threads + (# processes + #threads) / 8).
** KDynamicPageManager::Initialize now takes in an alignment argument for the page buffer size.
*** KSecureSystemResource always passes 0x1000.
** It is possible this is full support but ifdef'd, but on NX board at least all places which allocate/free to the heap panic if g_PageBufferSize != 0x1000...
* The page table heap now receives all but 64 of the available pages; prior to this, it was all but 70.
* KSessionRequest's additional mappings (when sending an IPC request with more than 8 buffers) are now slab-allocated, rather than using KPageBuffers.
** This slab has a count of 40; object size is 0x4A0 (exactly the maximum required size).
** 13.0.0+ Dynamic expansion is supported.
* Scoped setting/clearing of the 14.0.0 exception flag for cache operations has changed.
** Previously, |= on set, &= ~ on clear. Now, the flag is orr'd in only if it is not already set, and cleared only if it was newly set.
** This adds support for recursively setting these flags via a scoped setter, although there are no places in kernel where it is possible for this to occur.
** This applies to cpu::InvalidateDataCache, cpu::StoreDataCache, cpu::FlushDataCache
* The IsInUsermodeExceptionHandler exception flag management was changed:
** This is now cleared by RestoreContext (same place it clears other flags) rather than ClearExceptionSvcPermissions. It is still set by SetExceptionSvcPermissions.
* Changes in and surrounding page table logic:
** Devices can now theoretically (but not on the NX board) be given access to memory mapped as Io.
*** Why one would want to do this is unclear.
*** KMemoryState_Io now supports the CanAlignedDeviceMap and CanDeviceMap flags.
*** KPageTableBase::GetContiguousMemoryRangeWithState no longer checks that the passed memory address is heap.
*** KPageTableBase::OpenMemoryRangeForMapDeviceAddressSpace no longer checks passes KMemoryState_FlagReferenceCounted.
*** KPageTableBase::LockForMapDeviceAddressSpace takes two new arguments, an output bool * to write whether the state was io, and a bool for whether to check KMemoryState_FlagReferenceCounted.
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
*** KPageTableBase::LockForUnmapDeviceAddressSpace now takes a bool argument for whether to check KMemoryState_FlagReferenceCounted
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
** Pages mapped via MapIoRegion now have KMemoryAttribute_Locked instead of KMemoryAttribute_None.
** Changes were made with respect to the way MapPhysicalMemory/UnmapPhysicalMemory are implemented:
*** KMemoryManager::AllocatePageGroupForProcess no longer calls KPageGroup::Open on the returned page group (essentially reverting the change in 11.0.0).
**** Other KMemoryManager::Allocate* functions still call KPageGroup::Open.
*** KPageTableBase::MapPhysicalMemory now calls a new KPageTable::Operate operation ("MapFirst"), which behaves the same as Map but calls KernelPanic() if the mapped pages have a non-zero reference count.
**** This enforces that MapPhysicalMemory is the first place the pages being mapped have been allocated/opened.
*** KPageTableBase::UnmapPhysicalMemory now calls a new KPageTable::Operate operation ("SeparatePages"), which performs page separation on the requested range.
**** SeparatePages is identical to the separation done at the prologue of ChangePermissions; practically, this just enforces that the pages exist.
*** KPageTableBase::UnmapPhysicalMemory now calls KernelPanic if the unmapping operation fails (since it is guaranteed to succeed by the success of SeparatePages).
**** Logic which previously existed for re-mapping on failure has been removed.
** New Kernel Objects ("KSystemResource", "KSecureSystemResource").
*** Type ID = 0x4600, KSystemResource : public KAutoObject, KSecureSystemResource : public KSystemResource
*** KSystemResource just stores pointers to the three kinds of dynamic resource managers required by processes/page tables.
*** KSecureSystemResource stores the pointed-to objects for these as members.
**** Previously, these were just KProcess members; they are no longer KProcess members and instead live in the KSecureSystemResource object.
*** The slab heap for KSecureSystemResource has capacity = KProcess slab heap.
*** When a process is created with system resource size > 0, it now creates a KSecureSystemResource (which manages allocation with KSystemControl).
**** All actual underlying logic is the same, this just abstracts the KSystemControl/secure memory interaction out of KProcess.
* KInterruptEventTask was removed and no longer exists.
** KInterruptEvent now inherits from KInterruptTask directly.
** There is no longer a global task table; KInterruptManager is expected to return ResultBusy if an interrupt is already bound (it already did this).
** KInterruptEvent::Finalize now unbinds the interrupt directly, and then calls KDpcManager::Request() with a no-op KDpcTask.
*** In practice, this unbinds the interrupt, and then creates an ordering to guarantee all cores will see the interrupt as unbound before continuing.
*** Trivia: this is the first use of KDpcManager::Request on non-debug kernels.
* Minor changes to KHandleTable:
** KHandleTable::KHandleTable now initializes the table_size, max_count, and next_id fields to zero, previously they were uninitialized until Initialize was called.
** KHandleTable::Initialize now instantiates a KScopedDisableDispatch while setting up the table.

====Loader====
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

===[[Bluetooth_Driver_services|bluetooth]]===
Besides the various IPC changes, a vulnerable func was [[Switch_System_Flaws|fixed]].

===[[HID_services|hid]]===
Besides the various IPC changes, an infoleak vuln was [[Switch_System_Flaws|fixed]].

===[[NS_Services|ns]]===
Besides the various IPC changes, vulnerable RNG usage was [[Switch_System_Flaws|fixed]] to properly use secure RNG where needed.

===[[RO_services|ro]]===
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

=== IPC Interface Changes ===
* The following new interfaces were removed:
** nn::eth::sf::IEthInterface
** nn::eth::sf::IEthInterfaceGroup
** nn::socket::sf::IClient
** nn::wlan::detail::IDetectManager
** nn::wlan::detail::IInfraManager
** nn::wlan::detail::ILocalGetActionFrame
** nn::wlan::detail::ILocalGetFrame
** nn::wlan::detail::ILocalManager
** nn::wlan::detail::ISocketGetFrame
** nn::wlan::detail::ISocketManager
* The following new interfaces were added:
** nn::anif::detail::ISfAssignedNetworkInterfaceService
** nn::anif::detail::ISfDriverService
** nn::anif::detail::ISfDriverServiceCreator
** nn::anif::detail::ISfNetworkInterfaceService
** nn::anif::detail::ISfUserService
** nn::anif::detail::ISfUserServiceCreator
** nn::pl::detail::IPlatformServiceManager
** nn::prepo::detail::ipc::IAsyncContext
** nn::socket::sf::IClient_MC
** nn::srepo::detail::ipc::IAsyncContext
** nn::ssl::sf::ISslContextForSystem
** nn::ssl::sf::ISslServiceForSystem
** nn::wlan::detail::IGeneralServiceCreator
** nn::wlan::detail::IPrivateServiceCreator
** nn::wlan::detail::IPrivateWirelessCommunicationService
** nn::wlan::detail::IWirelessCommunicationService
* The following interfaces were changed:
** nn::account::baas::IAdministrator
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::account::baas::IManagerForSystemService
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::am::service::IAppletCommonFunctions
*** Added command 90 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 91 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 100 - inbytes: 4, outbytes: 0
** nn::am::service::IDebugFunctions
*** Added command 50 - inbytes: 16, outbytes: 0
*** Added command 200 - buffers: [5], inbytes: 8, outbytes: 0, outinterfaces: ['nn::am::service::IAllSystemAppletProxiesService'], pid: True
** nn::am::service::ILibraryAppletProxy
*** Added command 22 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IHomeMenuFunctions']
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::am::service::IOverlayAppletProxy
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::arp::detail::IWriter
*** Added command 3 - inbytes: 8, outbytes: 0, outinterfaces: ['nn::arp::detail::IUpdater']
** nn::audio::detail::IAudioRenderer
*** Added command 12 - inbytes: 4, outbytes: 0
*** Added command 13 - inbytes: 0, outbytes: 4
** nn::audioctrl::detail::IAudioController
*** Removed command 26 - inbytes: 1, outbytes: 0
*** Removed command 35 - inbytes: 8, outbytes: 0
*** Removed command 36 - inbytes: 0, outbytes: 8
*** Removed command 37 - inbytes: 1, outbytes: 0
*** Removed command 38 - inbytes: 0, outbytes: 1
*** Removed command 39 - inbytes: 0, outbytes: 1
*** Changed command 40 - buffers: [26] -> [22] (final state: buffers: [22], inbytes: 0, outbytes: 0)
*** Added command 41 - inbytes: 8, outbytes: 0
*** Added command 42 - inbytes: 8, outbytes: 0
*** Added command 50000 - inbytes: 4, outbytes: 0
** nn::bluetooth::IBluetoothDriver
*** Added command 101 - inbytes: 0, outbytes: 0
*** Added command 102 - inbytes: 0, outbytes: 0
*** Added command 155 - inbytes: 6, outbytes: 1
** nn::btm::IBtm
*** Removed command 112 - inbytes: 7, outbytes: 0
*** Removed command 113 - inbytes: 6, outbytes: 1
*** Added command 116 - inbytes: 7, outbytes: 0
*** Added command 117 - inbytes: 6, outbytes: 1
** nn::btm::IBtmDebug
*** Added command 14 - inbytes: 8, outbytes: 0
*** Added command 15 - inbytes: 0, outbytes: 0
*** Added command 16 - inbytes: 0, outbytes: 0
*** Added command 17 - inbytes: 0, outbytes: 0
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 110 - buffers: [6, 5], inbytes: 16, outbytes: 8
** nn::clkrst::IClkrstManager
*** Added command 6 - inbytes: 0, outbytes: 0
** nn::dauth::detail::IService
*** Added command 1000 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 9000 - buffers: [5, 5], inbytes: 0, outbytes: 0
*** Added command 9010 - inbytes: 0, outbytes: 0
** nn::es::IActiveRightsContext
*** Removed command 5 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 216 - inbytes: 0, outbytes: 0, outhandles: [1]
** nn::es::IETicketService
*** Added command 1022 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::es::IActiveRightsContext']
** nn::fssrv::sf::IFileSystem
*** Added command 16 - inbytes: 0, outbytes: 192
** nn::fssrv::sf::IFileSystemProxy
*** Added command 207 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Added command 1400 - inbytes: 1, outbytes: 0
** nn::grcsrv::IGrcService
*** Changed command 1 - inbytes: 72 -> 32 (final state: inbytes: 32, inhandles: [1], outbytes: 0, outinterfaces: ['nn::grcsrv::IContinuousRecorder'])
** nn::hid::IHidDebugServer
*** Added command 137 - inbytes: 16, outbytes: 0, pid: True
** nn::hid::IHidServer
*** Added command 3000 - buffers: [26], inbytes: 0, outbytes: 0
*** Added command 3001 - buffers: [25], inbytes: 0, outbytes: 0
*** Added command 3002 - inbytes: 0, outbytes: 0
*** Added command 3003 - inbytes: 0, outbytes: 56
*** Added command 3004 - inbytes: 56, outbytes: 0
*** Added command 3005 - inbytes: 0, outbytes: 0
*** Added command 3006 - buffers: [26], inbytes: 4, outbytes: 0
*** Added command 3007 - buffers: [25], inbytes: 4, outbytes: 0
*** Added command 3008 - inbytes: 4, outbytes: 0
*** Added command 3009 - inbytes: 4, outbytes: 64
*** Added command 3010 - inbytes: 68, outbytes: 0
*** Added command 3011 - inbytes: 4, outbytes: 0
** nn::hid::IHidSystemServer
*** Added command 32 - inbytes: 48, outbytes: 0, pid: True
*** Added command 33 - inbytes: 0, outbytes: 0
*** Added command 1135 - inbytes: 8, outbytes: 0, pid: True
** nn::lr::IAddOnContentLocationResolver
*** Added command 5 - buffers: [22, 22], inbytes: 8, outbytes: 0
*** Added command 6 - buffers: [21], inbytes: 16, outbytes: 0
*** Added command 7 - buffers: [21, 21], inbytes: 16, outbytes: 0
** nn::lr::ILocationResolver
*** Added command 20 - inbytes: 0, outbytes: 0
** nn::lr::ILocationResolverManager
*** Added command 4 - buffers: [5], inbytes: 0, outbytes: 0
** nn::mnpp::detail::ipc::IServiceForSystem
*** Removed command 300 - inbytes: 0, outbytes: 1
*** Removed command 400 - inbytes: 0, outbytes: 1
** nn::ncm::IContentMetaDatabase
*** Added command 23 - inbytes: 16, outbytes: 1
*** Added command 24 - inbytes: 24, outbytes: 24
*** Added command 25 - inbytes: 24, outbytes: 24
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Changed command 3 - inbytes: 8 -> 24 (final state: buffers: [5], inbytes: 24, outbytes: 0)
*** Added command 40 - buffers: [6], inbytes: 8, outbytes: 4
*** Added command 42 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 43 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 44 - buffers: [6], inbytes: 16, outbytes: 4
** nn::nim::detail::INetworkInstallManager
*** Removed command 91 - buffers: [5], inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 138 - buffers: [5], inbytes: 8, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 139 - inbytes: 0, outbytes: 0
*** Added command 140 - inbytes: 0, outbytes: 0
*** Added command 141 - inbytes: 0, outbytes: 1
** nn::nim::detail::IShopServiceManager
*** Removed command 102 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Removed command 103 - inbytes: 0, outbytes: 32
*** Removed command 104 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Removed command 105 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Removed command 106 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Removed command 501 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** nn::ns::detail::IApplicationManagerInterface
*** Added command 90 - inbytes: 8, outbytes: 0
*** Changed command 607 - inbytes: 16 -> 8 (final state: buffers: [6], inbytes: 8, outbytes: 4)
*** Removed command 909 - inbytes: 8, outbytes: 0
*** Added command 2357 - inbytes: 0, outbytes: 0
*** Added command 2358 - inbytes: 0, outbytes: 0
*** Added command 2359 - inbytes: 0, outbytes: 1
*** Removed command 2516 - inbytes: 16, outbytes: 0
** nn::pdm::detail::IQueryService
*** Removed command 7 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 13 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 14 - buffers: [6], inbytes: 24, outbytes: 4
*** Removed command 15 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 16 - buffers: [6, 5], inbytes: 16, outbytes: 4
** nn::prepo::detail::ipc::IPrepoService
*** Added command 10500 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::prepo::detail::ipc::IAsyncContext'], pid: True
** nn::settings::ISystemSettingsServer
*** Removed command 119 - inbytes: 1, outbytes: 3
** nn::srepo::detail::ipc::ISrepoService
*** Added command 10300 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::srepo::detail::ipc::IAsyncContext']
*** Added command 20600 - inbytes: 20, outbytes: 0
** nn::usb::ds::IDsEndpoint
*** Removed command 8 - inbytes: 8, inhandles: [1], outbytes: 0
*** Removed command 9 - inbytes: 16, outbytes: 4
** nn::usb::ds::IDsInterface
*** Added command 12 - inbytes: 8, inhandles: [1], outbytes: 0
** nn::visrv::sf::IManagerDisplayService
*** Changed command 8293 - inbytes: 16 -> 40 (final state: buffers: [6], inbytes: 40, outbytes: 8)

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

SVC

2022-10-12T14:46:01Z

SciresM: Update SVCs to reflect 15.0.0

__NOTOC__

= System calls =
{| class=wikitable
! ID || Return Type || Name || Arguments
|-
| 0x01 || Result || [[#SetHeapSize|SetHeapSize]] || uintptr_t *out_address, size_t size
|-
| 0x02 || Result || [[#SetMemoryPermission|SetMemoryPermission]] || uintptr_t address, size_t size, MemoryPermission perm
|-
| 0x03 || Result || [[#SetMemoryAttribute|SetMemoryAttribute]] || uintptr_t address, size_t size, uint32_t mask, uint32_t attr
|-
| 0x04 || Result || [[#MapMemory|MapMemory]] || uintptr_t dst_address, uintptr_t src_address, size_t size
|-
| 0x05 || Result || [[#UnmapMemory|UnmapMemory]] || uintptr_t dst_address, uintptr_t src_address, size_t size
|-
| 0x06 || Result || [[#QueryMemory|QueryMemory]] || arch::MemoryInfo *out_memory_info, PageInfo *out_page_info, uintptr_t address
|-
| 0x07 || void || [[#ExitProcess|ExitProcess]] ||
|-
| 0x08 || Result || [[#CreateThread|CreateThread]] || Handle *out_handle, ThreadFunc func, uintptr_t arg, uintptr_t stack_bottom, int32_t priority, int32_t core_id
|-
| 0x09 || Result || [[#StartThread|StartThread]] || Handle thread_handle
|-
| 0x0A || void || [[#ExitThread|ExitThread]] ||
|-
| 0x0B || void || [[#SleepThread|SleepThread]] || int64_t ns
|-
| 0x0C || Result || [[#GetThreadPriority|GetThreadPriority]] || int32_t *out_priority, Handle thread_handle
|-
| 0x0D || Result || [[#SetThreadPriority|SetThreadPriority]] || Handle thread_handle, int32_t priority
|-
| 0x0E || Result || [[#GetThreadCoreMask|GetThreadCoreMask]] || int32_t *out_core_id, uint64_t *out_affinity_mask, Handle thread_handle
|-
| 0x0F || Result || [[#SetThreadCoreMask|SetThreadCoreMask]] || Handle thread_handle, int32_t core_id, uint64_t affinity_mask
|-
| 0x10 || int32_t || [[#GetCurrentProcessorNumber|GetCurrentProcessorNumber]] ||
|-
| 0x11 || Result || [[#SignalEvent|SignalEvent]] || Handle event_handle
|-
| 0x12 || Result || [[#ClearEvent|ClearEvent]] || Handle event_handle
|-
| 0x13 || Result || [[#MapSharedMemory|MapSharedMemory]] || Handle shmem_handle, uintptr_t address, size_t size, MemoryPermission map_perm
|-
| 0x14 || Result || [[#UnmapSharedMemory|UnmapSharedMemory]] || Handle shmem_handle, uintptr_t address, size_t size
|-
| 0x15 || Result || [[#CreateTransferMemory|CreateTransferMemory]] || Handle *out_handle, uintptr_t address, size_t size, MemoryPermission map_perm
|-
| 0x16 || Result || [[#CloseHandle|CloseHandle]] || Handle handle
|-
| 0x17 || Result || [[#ResetSignal|ResetSignal]] || Handle handle
|-
| 0x18 || Result || [[#WaitSynchronization|WaitSynchronization]] || int32_t *out_index, const Handle *handles, int32_t numHandles, int64_t timeout_ns
|-
| 0x19 || Result || [[#CancelSynchronization|CancelSynchronization]] || Handle handle
|-
| 0x1A || Result || [[#ArbitrateLock|ArbitrateLock]] || Handle thread_handle, uintptr_t address, uint32_t tag
|-
| 0x1B || Result || [[#ArbitrateUnlock|ArbitrateUnlock]] || uintptr_t address
|-
| 0x1C || Result || [[#WaitProcessWideKeyAtomic|WaitProcessWideKeyAtomic]] || uintptr_t address, uintptr_t cv_key, uint32_t tag, int64_t timeout_ns
|-
| 0x1D || void || [[#SignalProcessWideKey|SignalProcessWideKey]] || uintptr_t cv_key, int32_t count
|-
| 0x1E || int64_t || [[#GetSystemTick|GetSystemTick]] ||
|-
| 0x1F || Result || [[#ConnectToNamedPort|ConnectToNamedPort]] || Handle *out_handle, const char *name
|-
| 0x20 || Result || [[#SendSyncRequestLight|SendSyncRequestLight]] || Handle session_handle
|-
| 0x21 || Result || [[#SendSyncRequest|SendSyncRequest]] || Handle session_handle
|-
| 0x22 || Result || [[#SendSyncRequestWithUserBuffer|SendSyncRequestWithUserBuffer]] || uintptr_t message_buffer, size_t message_buffer_size, Handle session_handle
|-
| 0x23 || Result || [[#SendAsyncRequestWithUserBuffer|SendAsyncRequestWithUserBuffer]] || Handle *out_event_handle, uintptr_t message_buffer, size_t message_buffer_size, Handle session_handle
|-
| 0x24 || Result || [[#GetProcessId|GetProcessId]] || uint64_t *out_process_id, Handle process_handle
|-
| 0x25 || Result || [[#GetThreadId|GetThreadId]] || uint64_t *out_thread_id, Handle thread_handle
|-
| 0x26 || void || [[#Break|Break]] || BreakReason break_reason, uintptr_t arg, size_t size
|-
| 0x27 || Result || [[#OutputDebugString|OutputDebugString]] || const char *debug_str, size_t len
|-
| 0x28 || void || [[#ReturnFromException|ReturnFromException]] || Result result
|-
| 0x29 || Result || [[#GetInfo|GetInfo]] || uint64_t *out, InfoType info_type, Handle handle, uint64_t info_subtype
|-
| 0x2A || void || [[#FlushEntireDataCache|FlushEntireDataCache]] ||
|-
| 0x2B || Result || [[#FlushDataCache|FlushDataCache]] || uintptr_t address, size_t size
|-
| [3.0.0+] 0x2C || Result || [[#MapPhysicalMemory|MapPhysicalMemory]] || uintptr_t address, size_t size
|-
| [3.0.0+] 0x2D || Result || [[#UnmapPhysicalMemory|UnmapPhysicalMemory]] || uintptr_t address, size_t size
|-
| [5.0.0-5.1.0] 0x2E || Result || GetFutureThreadInfo || arch::LastThreadContext *out_context, uintptr_t *out_tls_address, uint32_t *out_flags, int64_t ns
|-
| [6.0.0+] 0x2E || Result || [[#GetDebugFutureThreadInfo|GetDebugFutureThreadInfo]] || arch::LastThreadContext *out_context, uint64_t *thread_id, Handle debug_handle, int64_t ns
|-
| 0x2F || Result || [[#GetLastThreadInfo|GetLastThreadInfo]] || arch::LastThreadContext *out_context, uintptr_t *out_tls_address, uint32_t *out_flags
|-
| 0x30 || Result || [[#GetResourceLimitLimitValue|GetResourceLimitLimitValue]] || int64_t *out_limit_value, Handle resource_limit_handle, LimitableResource which
|-
| 0x31 || Result || [[#GetResourceLimitCurrentValue|GetResourceLimitCurrentValue]] || int64_t *out_current_value, Handle resource_limit_handle, LimitableResource which
|-
| 0x32 || Result || [[#SetThreadActivity|SetThreadActivity]] || Handle thread_handle, ThreadActivity thread_activity
|-
| 0x33 || Result || [[#GetThreadContext3|GetThreadContext3]] || ThreadContext *out_context, Handle thread_handle
|-
| [4.0.0+] 0x34 || Result || [[#WaitForAddress|WaitForAddress]] || uintptr_t address, ArbitrationType arb_type, int32_t value, int64_t timeout_ns
|-
| [4.0.0+] 0x35 || Result || [[#SignalToAddress|SignalToAddress]] || uintptr_t address, SignalType signal_type, int32_t value, int32_t count
|-
| [8.0.0+] 0x36 || void || [[#SynchronizePreemptionState|SynchronizePreemptionState]] ||
|-
| [11.0.0+] 0x37 || Result || [[#GetResourceLimitPeakValue|GetResourceLimitPeakValue]] || int64_t *out_peak_value, Handle resource_limit_handle, LimitableResource which
|- style="border-top: double"
| [13.0.0+] 0x39 || Result || CreateIoPool || Handle *out_handle, IoPoolType which_pool
|-
| [13.0.0+] 0x3A || Result || CreateIoRegion || Handle *out_handle, Handle io_pool, PhysicalAddress physical_address, size_t size, MemoryMapping mapping, MemoryPermission perm
|- style="border-top: double"
| [1.0.0-3.0.2] 0x3C || void || [[#DumpInfo|DumpInfo]] || DumpInfoType dump_info_type, uint64_t arg
|-
| [4.0.0+] 0x3C || void || [[#KernelDebug|KernelDebug]] || KernelDebugType kern_debug_type, uint64_t arg0, uint64_t arg1, uint64_t arg2
|-
| [4.0.0+] 0x3D || void || [[#ChangeKernelTraceState|ChangeKernelTraceState]] || KernelTraceState kern_trace_state
|- style="border-top: double"
| 0x40 || Result || [[#CreateSession|CreateSession]] || Handle *out_server_session_handle, Handle *out_client_session_handle, bool is_light, uintptr_t name
|-
| 0x41 || Result || [[#AcceptSession|AcceptSession]] || Handle *out_handle, Handle port
|-
| 0x42 || Result || [[#ReplyAndReceiveLight|ReplyAndReceiveLight]] || Handle handle
|-
| 0x43 || Result || [[#ReplyAndReceive|ReplyAndReceive]] || int32_t *out_index, const Handle *handles, int32_t num_handles, Handle reply_target, int64_t timeout_ns
|-
| 0x44 || Result || [[#ReplyAndReceiveWithUserBuffer|ReplyAndReceiveWithUserBuffer]] || int32_t *out_index, uintptr_t message_buffer, size_t message_buffer_size, const Handle *handles, int32_t num_handles, Handle reply_target, int64_t timeout_ns
|-
| 0x45 || Result || [[#CreateEvent|CreateEvent]] || Handle *out_write_handle, Handle *out_read_handle
|-
| [13.0.0+] 0x46 || Result || MapIoRegion || Handle io_region, uintptr_t address, size_t size, MemoryPermission perm
|-
| [13.0.0+] 0x47 || Result || UnmapIoRegion || Handle io_region, uintptr_t address, size_t size
|-
| [5.0.0+] 0x48 || Result || [[#MapPhysicalMemoryUnsafe|MapPhysicalMemoryUnsafe]] || uintptr_t address, size_t size
|-
| [5.0.0+] 0x49 || Result || [[#UnmapPhysicalMemoryUnsafe|UnmapPhysicalMemoryUnsafe]] || uintptr_t address, size_t size
|-
| [5.0.0+] 0x4A || Result || [[#SetUnsafeLimit|SetUnsafeLimit]] || size_t limit
|-
| [4.0.0+] 0x4B || Result || [[#CreateCodeMemory|CreateCodeMemory]] || Handle *out_handle, uintptr_t address, size_t size
|-
| [4.0.0+] 0x4C || Result || [[#ControlCodeMemory|ControlCodeMemory]] || Handle code_memory_handle, CodeMemoryOperation operation, uint64_t address, uint64_t size, MemoryPermission perm
|-
| 0x4D || void || [[#SleepSystem|SleepSystem]] ||
|-
| 0x4E || Result || [[#ReadWriteRegister|ReadWriteRegister]] || uint32_t *out_value, PhysicalAddress address, uint32_t mask, uint32_t value
|-
| 0x4F || Result || [[#SetProcessActivity|SetProcessActivity]] || Handle process_handle, ProcessActivity process_activity
|-
| 0x50 || Result || [[#CreateSharedMemory|CreateSharedMemory]] || Handle *out_handle, size_t size, MemoryPermission owner_perm, MemoryPermission remote_perm
|-
| 0x51 || Result || [[#MapTransferMemory|MapTransferMemory]] || Handle trmem_handle, uintptr_t address, size_t size, MemoryPermission owner_perm
|-
| 0x52 || Result || [[#UnmapTransferMemory|UnmapTransferMemory]] || Handle trmem_handle, uintptr_t address, size_t size
|-
| 0x53 || Result || [[#CreateInterruptEvent|CreateInterruptEvent]] || Handle *out_read_handle, int32_t interrupt_id, InterruptType interrupt_type
|-
| 0x54 || Result || [[#QueryPhysicalAddress|QueryPhysicalAddress]] || arch::PhysicalMemoryInfo *out_info, uintptr_t address
|-
| 0x55 || Result || [[#QueryIoMapping|QueryIoMapping]] || uintptr_t *out_address, [10.0.0+] size_t *out_size, PhysicalAddress physical_address, size_t size
|-
| 0x56 || Result || [[#CreateDeviceAddressSpace|CreateDeviceAddressSpace]] || Handle *out_handle, uint64_t das_address, uint64_t das_size
|-
| 0x57 || Result || [[#AttachDeviceAddressSpace|AttachDeviceAddressSpace]] || DeviceName device_name, Handle das_handle
|-
| 0x58 || Result || [[#DetachDeviceAddressSpace|DetachDeviceAddressSpace]] || DeviceName device_name, Handle das_handle
|-
| 0x59 || Result || [[#MapDeviceAddressSpaceByForce|MapDeviceAddressSpaceByForce]] || Handle das_handle, Handle process_handle, uint64_t process_address, size_t size, uint64_t device_address, uint32_t option
|-
| 0x5A || Result || [[#MapDeviceAddressSpaceAligned|MapDeviceAddressSpaceAligned]] || Handle das_handle, Handle process_handle, uint64_t process_address, size_t size, uint64_t device_address, uint32_t option
|-
| [1.0.0-12.1.0] 0x5B || Result || [[#MapDeviceAddressSpace|MapDeviceAddressSpace]] || size_t *out_mapped_size, Handle das_handle, Handle process_handle, uint64_t process_address, size_t size, uint64_t device_address, MemoryPermission device_perm
|-
| 0x5C || Result || [[#UnmapDeviceAddressSpace|UnmapDeviceAddressSpace]] || Handle das_handle, Handle process_handle, uint64_t process_address, size_t size, uint64_t device_address
|-
| 0x5D || Result || [[#InvalidateProcessDataCache|InvalidateProcessDataCache]] || Handle process_handle, uint64_t address, uint64_t size
|-
| 0x5E || Result || [[#StoreProcessDataCache|StoreProcessDataCache]] || Handle process_handle, uint64_t address, uint64_t size
|-
| 0x5F || Result || [[#FlushProcessDataCache|FlushProcessDataCache]] || Handle process_handle, uint64_t address, uint64_t size
|-
| 0x60 || Result || [[#DebugActiveProcess|DebugActiveProcess]] || Handle *out_handle, uint64_t process_id
|-
| 0x61 || Result || [[#BreakDebugProcess|BreakDebugProcess]] || Handle debug_handle
|-
| 0x62 || Result || [[#TerminateDebugProcess|TerminateDebugProcess]] || Handle debug_handle
|-
| 0x63 || Result || [[#GetDebugEvent|GetDebugEvent]] || arch::DebugEventInfo *out_info, Handle debug_handle
|-
| 0x64 || Result || [[#ContinueDebugEvent|ContinueDebugEvent]] || Handle debug_handle, uint32_t flags, const uint64_t *thread_ids, int32_t num_thread_ids
|-
| 0x65 || Result || [[#GetProcessList|GetProcessList]] || int32_t *out_num_processes, uint64_t *out_process_ids, int32_t max_out_count
|-
| 0x66 || Result || [[#GetThreadList|GetThreadList]] || int32_t *out_num_threads, uint64_t *out_thread_ids, int32_t max_out_count, Handle debug_handle
|-
| 0x67 || Result || [[#GetDebugThreadContext|GetDebugThreadContext]] || ThreadContext *out_context, Handle debug_handle, uint64_t thread_id, uint32_t context_flags
|-
| 0x68 || Result || [[#SetDebugThreadContext|SetDebugThreadContext]] || Handle debug_handle, uint64_t thread_id, const ThreadContext *context, uint32_t context_flags
|-
| 0x69 || Result || [[#QueryDebugProcessMemory|QueryDebugProcessMemory]] || arch::MemoryInfo *out_memory_info, PageInfo *out_page_info, Handle process_handle, uintptr_t address
|-
| 0x6A || Result || [[#ReadDebugProcessMemory|ReadDebugProcessMemory]] || uintptr_t buffer, Handle debug_handle, uintptr_t address, size_t size
|-
| 0x6B || Result || [[#WriteDebugProcessMemory|WriteDebugProcessMemory]] || Handle debug_handle, uintptr_t buffer, uintptr_t address, size_t size
|-
| 0x6C || Result || [[#SetHardwareBreakPoint|SetHardwareBreakPoint]] || HardwareBreakPointRegisterName name, uint64_t flags, uint64_t value
|-
| 0x6D || Result || [[#GetDebugThreadParam|GetDebugThreadParam]] || uint64_t *out_64, uint32_t *out_32, Handle debug_handle, uint64_t thread_id, DebugThreadParam param
|- style="border-top: double"
| [5.0.0+] 0x6F || Result || [[#GetSystemInfo|GetSystemInfo]] || uint64_t *out, SystemInfoType info_type, Handle handle, uint64_t info_subtype
|-
| 0x70 || Result || [[#CreatePort|CreatePort]] || Handle *out_server_handle, Handle *out_client_handle, int32_t max_sessions, bool is_light, uintptr_t name
|-
| 0x71 || Result || [[#ManageNamedPort|ManageNamedPort]] || Handle *out_server_handle, const char *name, int32_t max_sessions
|-
| 0x72 || Result || [[#ConnectToPort|ConnectToPort]] || Handle *out_handle, Handle port
|-
| 0x73 || Result || [[#SetProcessMemoryPermission|SetProcessMemoryPermission]] || Handle process_handle, uint64_t address, uint64_t size, MemoryPermission perm
|-
| 0x74 || Result || [[#MapProcessMemory|MapProcessMemory]] || uintptr_t dst_address, Handle process_handle, uint64_t src_address, size_t size
|-
| 0x75 || Result || [[#UnmapProcessMemory|UnmapProcessMemory]] || uintptr_t dst_address, Handle process_handle, uint64_t src_address, size_t size
|-
| 0x76 || Result || [[#QueryProcessMemory|QueryProcessMemory]] || arch::MemoryInfo *out_memory_info, PageInfo *out_page_info, Handle process_handle, uint64_t address
|-
| 0x77 || Result || [[#MapProcessCodeMemory|MapProcessCodeMemory]] || Handle process_handle, uint64_t dst_address, uint64_t src_address, uint64_t size
|-
| 0x78 || Result || [[#UnmapProcessCodeMemory|UnmapProcessCodeMemory]] || Handle process_handle, uint64_t dst_address, uint64_t src_address, uint64_t size
|-
| 0x79 || Result || [[#CreateProcess|CreateProcess]] || Handle *out_handle, const arch::CreateProcessParameter *parameters, const uint32_t *caps, int32_t num_caps
|-
| 0x7A || Result || [[#StartProcess|StartProcess]] || Handle process_handle, int32_t priority, int32_t core_id, uint64_t main_thread_stack_size
|-
| 0x7B || Result || [[#TerminateProcess|TerminateProcess]] || Handle process_handle
|-
| 0x7C || Result || [[#GetProcessInfo|GetProcessInfo]] || int64_t *out_info, Handle process_handle, ProcessInfoType info_type
|-
| 0x7D || Result || [[#CreateResourceLimit|CreateResourceLimit]] || Handle *out_handle
|-
| 0x7E || Result || [[#SetResourceLimitLimitValue|SetResourceLimitLimitValue]] || Handle resource_limit_handle, LimitableResource which, int64_t limit_value
|-
| 0x7F || void || [[#CallSecureMonitor|CallSecureMonitor]] || SecureMonitorArguments *args
|- style="border-top: double"
| [15.0.0+] 0x90 || Result || MapInsecureMemory || uintptr_t address, size_t size
|-
| [15.0.0+] 0x91 || Result || UnmapInsecureMemory || uintptr_t address, size_t size
|-
|}

== SetHeapSize ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) X1 || void* || HeapAddress
|}
</div>

Sets the process heap to a given Size. It can both extend and shrink the heap.

Size must be a multiple of 0x200000 (2MB).

On success, the heap base-address (which is fixed by kernel, aslr'd, and always in the Heap memory region) is written to HeapAddress.

Uses current process pool partition. The memory allocated counts towards the caller's process Memory ResourceLimit.

[2.0.0+] Size must be less than or equal to 4GB.

=== Result codes ===
'''0x0:''' Success.

'''0xCA01:''' Invalid size passed. It's either bigger than 4GB, or misaligned.

'''0xD001:''' Size is bigger than the Heap Region size.

'''0xCE01:''' KMemoryBlockAllocator slab allocator exhausted.

'''0xD401:''' The memory region is in an invalid state. Likely because a mapping was made in the heap region.

'''0x10801:''' Memory resource limit reached.

== SetMemoryPermission ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (In) W2 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Changes permission of page-aligned memory region.

Bit2 of permission (exec) is not allowed. Setting write-only is not allowed either (bit1).

This can be used to move back and forth between ---, r-- and rw-.

=== Result codes ===
'''0x0:''' Success. The memory region was reprotected.

'''0xCC01:''' Unaligned address specified.

'''0xCA01:''' Unaligned or zero size specified.

'''0xD401:''' The provided memory region does not fall within the userland address space.

'''0xD801:''' Invalid permission specified. Valid permissions are ---, r-- and rw-.

'''0xD401:''' The provided memory region was in an invalid state. The region must have the [[#MemoryState|FlagCanReprotect]] state, and must not have the [[#MemoryAttribute|Locked]] or [[#MemoryAttribute|Uncached]] attributes.

'''0xCE01:''' Kernel resource exhausted.

== SetMemoryAttribute ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (In) W2 || uint32_t || Mask
|-
| (In) W3 || uint32_t || Value
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Changes attribute of page-aligned memory region. The only allowed combination of Value and Mask is 0x8, which means only bit3 in [[#MemoryAttribute]] can be set or cleared.

This is used to turn on/off caching for a given memory area. Useful when talking to devices such as the GPU.

What happens "under the hood" is the "Memory Attribute Indirection Register" index is changed from 2 to 3 in the MMU descriptor.

== MapMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || DstAddress
|-
| (In) X1 || void* || SrcAddress
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Maps a memory range into a different range.

Mainly used for adding guard pages around stack.

Source range gets reprotected to --- (it can no longer be accessed), and bit0 is set in the source [[#MemoryAttribute]].

[1.0.0] This could be used to map into either the Alias Region or the Stack region.

[2.0.0+] This can only be used to map into the Stack region.

Code can get the range of the Alias region from [[#GetInfo]] id0=2,3, and on 2.0.0+ the range of the Stack region via [[#GetInfo]] id0=14, 15 (on 1.0.0, the Stack region had hardcoded limits).

When mapped into the Alias region, the mapped memory will have state 0x482907.

When mapped into the Stack region, the mapped memory will have state 0x5C3C0B.

== UnmapMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || DstAddress
|-
| (In) X1 || void* || SrcAddress
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Unmaps a region that was previously mapped with [[#MapMemory]].

It's possible to unmap ranges partially, you don't need to unmap the entire range "in one go".

The srcaddr/dstaddr must match what was given when the pages were originally mapped.

== QueryMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#MemoryInfo]]* || MemoryInfo
|-
| (In) X2 || void* || Address
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || [[#PageInfo]] || PageInfo
|}
</div>

Queries information about an address. Will always fetch the lowest page-aligned mapping that contains the provided address.

Outputs a [[#MemoryInfo]] struct.

== ExitProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

Exits the current process.

== CreateThread ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || void(*)(void*) || Entry
|-
| (In) X2 || R2 || void* || ThreadContext
|-
| (In) X3 || R3 || void* || StackTop
|-
| (In) W4 || R0 || int32_t || Priority
|-
| (In) W5 || R4 || int32_t || ProcessorId
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || Handle<Thread> || ThreadHandle
|}
</div>

Creates a thread in the current process.

ProcessorId must be 0,1,2,3 or -2, where -2 uses the default CpuId for process.

== StartThread ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Thread> || ThreadHandle
|-
| (Out) None || ||
|}
</div>

Starts the thread for the provided handle.

== ExitThread ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

Exits the current thread.

== SleepThread ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0, R1 || uint64_t || Nanoseconds
|}
</div>

Sleeps for a specified amount of time, or yields the thread.

Setting nanoseconds to 0, -1, or -2 indicates a yielding type.

<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Value || Type
|-
| 0 || Yielding without core migration
|-
| -1 || Yielding with core migration
|-
| -2 || Yielding to any other thread
|}
</div>

== GetThreadPriority ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W1|| Handle<Thread> || ThreadHandle
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || int32_t || Priority
|}
</div>

Gets the priority of provided thread handle.

== SetThreadPriority ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0|| Handle<Thread> || ThreadHandle
|-
| (In) W1|| int32_t || Priority
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Sets the priority of provided thread handle.

Priority is a number 0-0x3F. Lower value means higher priority.

== GetThreadCoreMask ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W2 || R2 || Handle<Thread> || ThreadHandle
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || int32_t || CoreMask0
|-
| (Out) X2 || R2, R3 || uint64_t || CoreMask1
|}
</div>

Gets the affinity mask of provided thread handle.

== SetThreadCoreMask ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Thread> || ThreadHandle
|-
| (In) W1 || R1 || int32_t || CoreMask0
|-
| (In) X2 || R2, R3 || uint64_t || CoreMask1
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Sets the affinity mask of provided thread handle.

== GetCurrentProcessorNumber ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) W0 || uint32_t || CpuId
|}
</div>

Gets which cpu is executing the current thread.

CpuId is an integer in the range 0-3.

== SignalEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<WritableEvent> || EventHandle
|-
| (Out) X0 || [[#Result]] || Result
|}
</div>

Puts the given event in the signaled state.

Will wake up any thread currently waiting on this event. Can potentially trigger a reschedule.

Any calls to [[#WaitSynchronization]] on this handle will return immediately, until the event's signaled state is reset.

=== Result codes ===
'''0x0:''' Success. Event is now in signaled state.

'''0xE401:''' Invalid handle. The handle either does not exist, or is not a WritableEvent.

== ClearEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<WritableEvent> or Handle<ReadableEvent> || EventHandle
|-
| (Out) X0 || [[#Result]] || Result
|}
</div>

Takes the given event out of the signaled state.

=== Result codes ===
'''0x0:''' Success, the event is now in the not-signaled state.

'''0xE401:''' Invalid handle. The handle either does not exist, or is not a ReadableEvent nor a WritableEvent.

'''0xFA01:''' The handle was not in a signaled state.

== MapSharedMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<SharedMemory> || SharedMemoryHandle
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (In) W3 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Maps the block supplied by the handle. The required permissions are different for the process that created the handle and all other processes.

Increases reference count for the KSharedMemory object. Thus in order to release the memory associated with the object, all handles to it must be closed and all mappings must be unmapped.

== UnmapSharedMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<SharedMemory> || SharedMemoryHandle
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== CreateTransferMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (In) W3 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<TransferMemory> || TransferMemoryHandle
|}
</div>

This one reprotects the src block with perms you give it. It also sets bit0 into [[#MemoryAttribute]].

Executable bit perm not allowed.

Closing all handles automatically causes the bit0 in [[#MemoryAttribute]] to clear, and the permission to reset.

== CloseHandle ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle || Handle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ResetSignal ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<ReadableEvent> or Handle<Process> || Handle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Resets the signal on the given handle, ensuring future calls to [[#WaitSynchronization]] on this handle will sleep until the handle is signaled again. If the handle is a ReadableEvent, this is equivalent to calling ClearEvent() on the handle.

If the handle is a Process, it will clear the signaled state (which is set when the process changes [[#ProcessState]]. Once the process enters the Exited state, calling ResetSignal on the process will no longer have an effect (the process is permanently signaled), and the syscall will return 0xFA01.

=== Result codes ===
'''0x0:''' Success. The signal was reset.

'''0xE401:''' The handle is invalid or of the wrong type.

'''0xFA01:''' The handle was not signaled, or the process is in exited state, causing it to be permanently signaled.

== WaitSynchronization ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || Handle* || HandlesPtr
|-
| (In) W2 || R2 || int32_t || HandlesNum
|-
| (In) X3 || R0, R3 || int64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint64_t || HandleIndex
|}
</div>

Works with HandlesNum <= 0x40.

When zero handles are passed, this will wait forever until either timeout or cancellation occurs.

Does not accept 0xFFFF8001 or 0xFFFF8000 as handles.

=== Object types ===
'''KDebug:''' signals when there is a new [[#DebugEventInfo|DebugEvent]] (retrievable via [[#GetDebugEvent]]).

'''KClientPort:''' signals when the number of sessions is less than the maximum allowed.

'''KProcess:''' signals when the process undergoes a state change (retrievable via [[#GetProcessInfo]]).

'''KReadableEvent:''' signals when the event's corresponding KWritableEvent has been signaled via [[#SignalEvent]].

'''KServerPort:''' signals when there is an incoming connection waiting to be [[#AcceptSession|accepted]].

'''KServerSession:''' signals when there is an incoming message waiting to be [[#ReplyAndReceive|received]] or the pipe is closed.

'''KThread:''' signals when the thread has exited.

=== Result codes ===
'''0x0:''' Success. One of the objects was signaled before the timeout expired, or one of the objects is a Session with a closed remote. Handle index is updated to indicate which object signaled.

'''0x7601:''' Thread termination requested. Handle index is not updated.

'''0xe401:''' Invalid handle. Returned when one of the handles passed is invalid. Handle index is not updated.

'''0xe601:''' Invalid address. Returned when the handles pointer is not a readable address. Handle index is not updated.

'''0xea01:''' Timeout. Returned when no objects have been signaled within the timeout. Handle index is not updated.

'''0xec01:''' Interrupted. Returned when another thread uses [[#CancelSynchronization]] to cancel this thread. Handle index is not updated.

'''0xee01:''' Too many handles. Returned when the number of handles passed is > 0x40.

== CancelSynchronization ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Thread> || ThreadHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

If the referenced thread is currently in a synchronization call ([[#WaitSynchronization]], [[#ReplyAndReceive]] or [[#ReplyAndReceiveLight]]), that call will be interrupted and return 0xec01.
If that thread is not currently executing such a synchronization call, the next call to a synchronization call will return 0xec01.

This doesn't take force-pause (activity/debug pause) into account.

=== Result codes ===
'''0x0:''' Success. The thread was either interrupted or has had its flag set.

'''0xe401:''' Invalid handle. The handle given was either invalid or not a thread handle.

== ArbitrateLock ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Thread> || ThreadHandle
|-
| (In) X1 || void* || Address
|-
| (In) W2 || uint32_t || Tag
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ArbitrateUnlock ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== WaitProcessWideKeyAtomic ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || KeyAddress
|-
| (In) X1 || R1 || void* || TagAddress
|-
| (In) W2 || R2 || uint32_t || Tag
|-
| (In) X3 || R3, R4 || int64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== SignalProcessWideKey ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) W1 || int32_t || Value
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetSystemTick ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (Out) X0 || R0, R1 || uint64_t || Ticks
|}
</div>

Returns the value of cntpct_el0.

The frequency is 19200000 Hz (constant from official sw).

Official sw reads cntpct_el0 directly from usermode without using this SVC. [[ExeFS|sdk-nso]] has this SVC, but it's not known to be called anywhere.

== ConnectToNamedPort ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || char* || PortName
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<Session> || SessionHandle
|}
</div>

== SendSyncRequestLight ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Session> || SessionHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== SendSyncRequest ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Session> || SessionHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== SendSyncRequestWithUserBuffer ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (In) W2 || Handle<Session> || SessionHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Size and Address must be 0x1000-aligned.

=== Result codes ===
'''0x0:''' Success.

'''0xcc01:''' Address is not 0x1000-aligned.

'''0xca01:''' Size is not 0x1000-aligned.

'''0xce01:''' KSessionRequest allocation failed (unlikely) or pointer buffer size exceeded.

'''0xe401:''' Handles does not exist, or handle is not an instance of KClientSession.

== SendAsyncRequestWithUserBuffer ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (In) W3 || Handle<Session> || SessionHandle
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ReadableEvent> || EventHandle
|}
</div>

Size and Address must be 0x1000-aligned.

== GetProcessId ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || ProcessId
|}
</div>

== GetThreadId ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<Thread> || ThreadHandle
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || ThreadId
|}
</div>

== Break ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#BreakReason]] || BreakReason
|-
| (In) X1 || uint64_t ||
|-
| (In) X2 || uint64_t || Info
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

If the process is attached, report the Break event. Then, if [[#ContinueDebugEvent]] didn't apply IgnoreException on the thread: if TPIDR_EL0 is 0, adjust ELR_EL1 to retry to svc instruction (and set TPIDR_EL0 to 1).

Otherwise, if bit31 in reason isn't set, perform crash reporting (see Exception Handling section below), if it doesn't terminate the process adjust ELR_EL1 as well.

Otherwise just return 0.

== OutputDebugString ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || char* || String
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ReturnFromException ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#Result]] || Result
|}
</div>

== GetInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || [[#InfoType]] || InfoType
|-
| (In) W2 || R2 || Handle || Handle
|-
| (In) X3 || R0, R3 || uint64_t || InfoSubType
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || Info
|}
</div>

== FlushEntireDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

== FlushDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== MapPhysicalMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Acts like [[#SetHeapSize]] except you can allocate heap at any address you'd like.

Uses current process pool partition.

=== Result codes ===
'''0x0:''' Success.

'''0xCA01:''' Invalid size passed. It's either zero or not 4k-aligned

'''0xCC01:''' Invalid address. (not 4k-aligned)

'''0xDC01:''' Invalid memory range. It's either causes overflow, or does not fall into "reserved" address range (aka Alias). See AliasRegionAddress at [[#InfoType]]

'''0xFA01:''' Invalid state. (not enough SystemResource (see [[NPDM#SystemResourceSize]]))

== UnmapPhysicalMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetDebugFutureThreadInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X3 || R0, R1 || uint64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || uint64_t || LastThreadContextParam0
|-
| (Out) X2 || uint64_t || LastThreadContextParam1
|-
| (Out) X3 || uint64_t || LastThreadContextParam2
|-
| (Out) X4 || uint64_t || LastThreadContextParam3
|-
| (Out) X5 || uint64_t ||
|-
| (Out) W6 || uint32_t ||
|}
</div>

== GetLastThreadInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) X1 || uint64_t || LastThreadContextParam0
|-
| (Out) X2 || uint64_t || LastThreadContextParam1
|-
| (Out) X3 || uint64_t || LastThreadContextParam2
|-
| (Out) X4 || uint64_t || LastThreadContextParam3
|-
| (Out) X5 || uint64_t ||
|-
| (Out) W6 || uint32_t ||
|}
</div>

== GetResourceLimitLimitValue ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<ResourceLimit> || ResourceLimitHandle
|-
| (In) W2 || R2 || [[#LimitableResource]] || LimitableResource
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || int64_t || LimitValue
|}
</div>

== GetResourceLimitCurrentValue ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<ResourceLimit> || ResourceLimitHandle
|-
| (In) W2 || R2 || [[#LimitableResource]] || LimitableResource
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || int64_t || CurrentValue
|}
</div>

== SetThreadActivity ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Thread> || ThreadHandle
|-
| (In) W1 || [[#ThreadActivity]] || ThreadActivity
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetThreadContext3 ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#ThreadContext]]* || ThreadContext
|-
| (In) W1 || Handle<Thread> || ThreadHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== WaitForAddress ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || Address
|-
| (In) W1 || R1 || [[#ArbitrationType]] || ArbitrationType
|-
| (In) W2 || R2 || uint32_t || Value
|-
| (In) X3 || R3, R4 || uint64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== SignalToAddress ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || Address
|-
| (In) W1 || R1 || [[#SignalType]] || SignalType
|-
| (In) W2 || R2 || uint32_t || Value
|-
| (In) W3 || R3 || uint32_t || NumToSignal
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== SynchronizePreemptionState ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

== GetResourceLimitPeakValue ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<ResourceLimit> || ResourceLimitHandle
|-
| (In) W2 || R2 || [[#LimitableResource]] || LimitableResource
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || int64_t || PeakValue
|}
</div>

== DumpInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#DumpInfoType]] || DumpInfoType
|-
| (In) X1 || uint64_t || DumpInfoSubType
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Stubbed in retail kernel.

[4.0.0+] This function was removed and replaced by [[#KernelDebug]].

== KernelDebug ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#KernelDebugType]] || KernelDebugType
|-
| (In) X1 || uint64_t ||
|-
| (In) X2 || uint64_t ||
|-
| (In) X3 || uint64_t ||
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Stubbed in retail kernel.

== ChangeKernelTraceState ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#KernelTraceState]] || KernelTraceState
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Stubbed in retail kernel.

== CreateSession ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W2 || bool || IsLight
|-
| (In) X3 || uint64_t || Name
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ServerSession> || ServerSessionHandle
|-
| (Out) W2 || Handle<ClientSession> || ClientSessionHandle
|}
</div>

== AcceptSession ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W1 || Handle<Port> || PortHandle
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ServerSession> || ServerSessionHandle
|}
</div>

=== Result codes ===
'''0xf201:''' No session waiting to be accepted

== ReplyAndReceiveLight ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Port> or Handle<ServerSession> || Handle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ReplyAndReceive ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || Handle<Port>* or Handle<ServerSession>* || Handles
|-
| (In) W2 || R2 || uint32_t || NumHandles
|-
| (In) W3 || R3 || Handle<ServerSession> || ReplyTargetSessionHandle
|-
| (In) X4 || R0, R4 || uint64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || HandleIndex
|}
</div>

If ReplyTargetSessionHandle is not zero, a reply from the TLS will be sent to that session.
Then it will wait until either of the passed sessions has an incoming message, is closed, a passed port has an incoming connection, or the timeout expires.
If there is an incoming message, it is copied to the TLS.

If ReplyTargetSessionHandle is zero, the TLS should contain a blank message. If this message has a C descriptor, the buffer it points to will be used as the pointer buffer. See [[IPC_Marshalling#IPC_buffers]]. Note that a pointer buffer cannot be specified if ReplyTargetSessionHandle is not zero.

After being validated, passed handles will be enumerated in order; even if a session has been closed, if one that appears earlier in the list has an incoming message, it will take priority and a result code of 0x0 will be returned.

=== Result codes ===
'''0x0:''' Success. Either a session has an incoming message or a port has an incoming connection. HandleIndex is set appropriately.

'''0xea01:''' Timeout. No handles were signalled before the timeout expired. HandleIndex is not updated.

'''0xf601:''' Port remote dead. One of the sessions has been closed. HandleIndex is set appropriately.

== ReplyAndReceiveWithUserBuffer ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || void* || Address
|-
| (In) X2 || R2 || uint64_t || Size
|-
| (In) X3 || R3 || Handle<Port>* or Handle<ServerSession>* || Handles
|-
| (In) W4 || R0 || uint32_t || NumHandles
|-
| (In) W5 || R4 || Handle<ServerSession> || ReplyTargetSessionHandle
|-
| (In) X6 || R5, R6 || uint64_t || Timeout
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || HandleIndex
|}
</div>

== CreateEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<WritableEvent> || WritableEventHandle
|-
| (Out) W2 || Handle<ReadableEvent> || ReadableEventHandle
|}
</div>

== MapPhysicalMemoryUnsafe ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Same as [[#MapPhysicalMemory]] except it always uses pool partition 0.

== UnmapPhysicalMemoryUnsafe ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || Address
|-
| (In) X1 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== SetUnsafeLimit ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || uint64_t || Limit
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== CreateCodeMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<CodeMemory> || CodeMemoryHandle
|}
</div>

Takes an address range with backing memory to create the code memory object.

The memory is initially memset to 0xFF after being locked.

== ControlCodeMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<CodeMemory> || CodeMemoryHandle
|-
| (In) W1 || R1 || [[#CodeMemoryOperation]] || CodeMemoryOperation
|-
| (In) X2 || R2, R3 || void* || Address
|-
| (In) X3 || R4, R5 || uint64_t || Size
|-
| (In) W4 || R6 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maps the backing memory for a CodeMemory object into the current process.

For [[#CodeMemoryOperation|MapOwner]], memory permission must be RW-.

For [[#CodeMemoryOperation|MapSlave]], memory permission must be R-- or R-X.

Operations [[#CodeMemoryOperation|UnmapOwner/UnmapSlave]] unmap memory that was previously mapped this way.

This allows one "secure JIT" process to map the code memory as RW-, and the other "slave" process to map it R-X.

[5.0.0+] Error 0xE401 is now returned when the process owner of the Code memory object is the same as the current process.

== SleepSystem ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) None || ||
|}
</div>

== ReadWriteRegister ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R2, R3 || uint64_t || RegisterAddress
|-
| (In) W2 || R0 || uint32_t || RwMask
|-
| (In) W3 || R1 || uint32_t || InValue
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || OutValue
|}
</div>

Read/write IO registers with a hardcoded whitelist. Input address is physical-address and must be aligned to 4.

rw_mask is 0 for reading and 0xffffffff for writing. You can also write individual bits by using a mask value.

You can only write to registers inside physical pages 0x70019000 (MC), 0x7001C000 (MC0), 0x7001D000 (MC1), and they all share the same whitelist.

The whitelist is same for writing as for reading.

The whitelist is:

0x054, 0x090, 0x094, 0x098, 0x09c, 0x0a0, 0x0a4, 0x0a8, 0x0ac, 0x0b0, 0x0b4, 0x0b8, 0x0bc, 0x0c0, 0x0c4, 0x0c8, 0x0d0, 0x0d4, 0x0d8, 0x0dc, 0x0e0, 0x100, 0x108, 0x10c, 0x118, 0x11c, 0x124, 0x128, 0x12c, 0x130, 0x134, 0x138, 0x13c, 0x158, 0x15c, 0x164, 0x168, 0x16c, 0x170, 0x174, 0x178, 0x17c, 0x200, 0x204, 0x2e4, 0x2e8, 0x2ec, 0x2f4, 0x2f8, 0x310, 0x314, 0x320, 0x328, 0x344, 0x348, 0x370, 0x374, 0x37c, 0x380, 0x390, 0x394, 0x398, 0x3ac, 0x3b8, 0x3bc, 0x3c0, 0x3c4, 0x3d8, 0x3e8, 0x41c, 0x420, 0x424, 0x428, 0x42c, 0x430, 0x44c, 0x47c, 0x480, 0x484, 0x50c, 0x554, 0x558, 0x55c, 0x670, 0x674, 0x690, 0x694, 0x698, 0x69c, 0x6a0, 0x6a4, 0x6c0, 0x6c4, 0x6f0, 0x6f4, 0x960, 0x970, 0x974, 0xa20, 0xa24, 0xb88, 0xb8c, 0xbc4, 0xbc8, 0xbcc, 0xbd0, 0xbd4, 0xbd8, 0xbdc, 0xbe0, 0xbe4, 0xbe8, 0xbec, 0xc00, 0xc5c, 0xcac

[2.0.0+] Whitelist was extended with 0x4c4, 0x4c8, 0x4cc, 0x584, 0x588, 0x58c.

[2.0.0+] The IO registers in range 0x7000E400 (PMC) size 0xC00 skip the whitelist, and do a TrustZone call using [[SMC#ReadWriteRegister|ReadWriteRegister]].

[4.0.0+] Access to the Memory Controller (0x70019000) also uses smcReadWriteRegister.

Here is the whitelist imposed by that SMC, relative to the start of the PMC registers:

0x000, 0x00c, 0x010, 0x014, 0x01c, 0x020, 0x02c, 0x030, 0x034, 0x038, 0x03c, 0x040, 0x044, 0x048, 0x0dc, 0x0e0, 0x0e4, 0x160, 0x164, 0x168, 0x170, 0x1a8, 0x1b8, 0x1bc, 0x1c0, 0x1c4, 0x1c8, 0x2b4, 0x2d4, 0x440, 0x4d8

Here is the whitelist imposed by the SMC [[SMC#ReadWriteRegister|ReadWriteRegister]] (checked in addition to the whitelist in the ReadWriteRegister SVC), relative to the start of the MC registers:

0x000, 0x004, 0x008, 0x00C, 0x010, 0x01C, 0x020, 0x030, 0x034, 0x050, 0x054, 0x090, 0x094, 0x098, 0x09C, 0x0A0, 0x0A4, 0x0A8, 0x0AC, 0x0B0, 0x0B4, 0x0B8, 0x0BC, 0x0C0, 0x0C4, 0x0C8, 0x0D0, 0x0D4, 0x0D8, 0x0DC, 0x0E0, 0x100, 0x108, 0x10C, 0x118, 0x11C, 0x124, 0x128, 0x12C, 0x130, 0x134, 0x138, 0x13C, 0x158, 0x15C, 0x164, 0x168, 0x16C, 0x170, 0x174, 0x178, 0x17C, 0x200, 0x204, 0x238, 0x240, 0x244, 0x250, 0x254, 0x258, 0x264, 0x268, 0x26C, 0x270, 0x274, 0x280, 0x284, 0x288, 0x28C, 0x294, 0x2E4, 0x2E8, 0x2EC, 0x2F4, 0x2F8, 0x310, 0x314, 0x320, 0x328, 0x344, 0x348, 0x370, 0x374, 0x37C, 0x380, 0x390, 0x394, 0x398, 0x3AC, 0x3B8, 0x3BC, 0x3C0, 0x3C4, 0x3D8, 0x3E8, 0x41C, 0x420, 0x424, 0x428, 0x42C, 0x430, 0x44C, 0x47C, 0x480, 0x484, 0x4C4, 0x4C8, 0x4CC, 0x50C, 0x554, 0x558, 0x55C, 0x584, 0x588, 0x58C, 0x670, 0x674, 0x690, 0x694, 0x698, 0x69C, 0x6A0, 0x6A4, 0x6C0, 0x6C4, 0x6F0, 0x6F4, 0x960, 0x970, 0x974, 0x9B8, 0xA20, 0xA24, 0xA88, 0xA94, 0xA98, 0xA9C, 0xAA0, 0xAA4, 0xAA8, 0xAAC, 0xAB0, 0xAB4, 0xAB8, 0xABC, 0xAC0, 0xAC4, 0xAC8, 0xACC, 0xAD0, 0xAD4, 0xAD8, 0xADC, 0xAE0, 0xB88, 0xB8C, 0xBC4, 0xBC8, 0xBCC, 0xBD0, 0xBD4, 0xBD8, 0xBDC, 0xBE0, 0xBE4, 0xBE8, 0xBEC, 0xC00, 0xC5C, 0xCAC

== SetProcessActivity ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Process> || ProcessHandle
|-
| (In) W1 || [[#ProcessActivity]] || ProcessActivity
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== CreateSharedMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W1 || uint64_t || Size
|-
| (In) W2 || [[#MemoryPermission]] || LocalMemoryPermission
|-
| (In) W3 || [[#MemoryPermission]] || RemoteMemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<SharedMemory> || SharedMemoryHandle
|}
</div>

Other perm can be used to enforce permission 1, 3, or 0x10000000 if don't care.

Allocates memory from the current process' pool partition.

== MapTransferMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || Handle<TransferMemory> || TransferMemoryHandle
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (In) W3 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

You must pass same size and permissions as given in [[#CreateTransferMemory]], otherwise error.

== UnmapTransferMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || Handle<TransferMemory> || TransferMemoryHandle
|-
| (In) X1 || void* || Address
|-
| (In) X2 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Size must match size given in map syscall, otherwise there's an invalid-size error.

== CreateInterruptEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || [[#Interrupt]] || Interrupt
|-
| (In) W2 || [[#InterruptType]] || InterruptType
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ReadableEvent> || ReadableEventHandle
|}
</div>

Creates an event handle for the given IRQ number. Waiting on this handle will wait until the IRQ is triggered. The InterruptType argument configures the triggering. If it is 0, the IRQ is active HIGH level sensitive, if it is 1 it is rising-edge sensitive.

=== Result codes ===
'''0x0:''' Success.

'''0xF001:''' Flags was > 1

'''0xF201:''' IRQ above 0x3FF or outside the [[NPDM#Kernel_Access_Control|IRQ access mask]] was given.

'''0xCE01:''' A SlabHeap was exhausted (too many interrupts created).

'''0xF401:''' IRQ already has an event registered.

'''0xD201:''' The handle table is full. Try closing some handles.

== QueryPhysicalAddress ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || void* || VirtualAddress
|-
| (Out) W0 || [[#Result]]|| Result
|-
| (Out) X1 || uint64_t || PhysicalMemoryInfoAddress
|-
| (Out) X2 || uint64_t || PhysicalMemoryInfoBaseAddress
|-
| (Out) X3 || uint64_t || PhysicalMemoryInfoSize
|}
</div>

Queries the physical address of a virtual address. Will always fetch the lowest page-aligned mapping that contains the provided physical address.

The returned PhysicalMemoryInfoBaseAddress is the virtual address of that page-aligned mapping, while PhysicalMemoryInfoAddress is the physical address of that page. PhysicalMemoryInfoSize is the amount of continuous physical memory in that mapping.

== QueryIoMapping ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R2, R3 || uint64_t || IoAddress
|-
| (In) X2 || R0 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1 || void* || VirtualAddress
|}
</div>

Returns a virtual address mapped to a given IO range.

== CreateDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R2, R3 || uint64_t || DeviceAddressSpaceStartAddress
|-
| (In) X2 || R0, R1 || uint64_t || DeviceAddressSpaceEndAddress
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|}
</div>

Creates a virtual address space for binding device address spaces and returns a handle.

StartAddr is normally set to 0 and EndAddr is normally set to 0xFFFFFFFF.

== AttachDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#DeviceName]] || DeviceName
|-
| (In) X1 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Attaches a device address space to a [[#DeviceName|device]].

== DetachDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || [[#DeviceName]] || DeviceName
|-
| (In) X1 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

Detaches a device address space from a [[#DeviceName|device]].

== MapDeviceAddressSpaceByForce ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || Address
|-
| (In) X3 || R4 || uint64_t || DeviceAddressSpaceSize
|-
| (In) X4 || R5, R6 || uint64_t || DeviceAddressSpaceAddress
|-
| (In) W5 || R7 || uint32_t || Option
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maps an attached device address space to an userspace address.

Address is the userspace destination address, while DeviceAddressSpaceAddress is the source address between DeviceAddressSpaceStartAddress and DeviceAddressSpaceEndAddress (passed to [[#CreateDeviceAddressSpace]]).

The userspace destination address must have the [[SVC#MemoryState|FlagCanDeviceMap]] bit set. Bit [[SVC#MemoryAttribute|DeviceShared]] will be set after mapping.

The Option encodes a [[#MemoryPermission]] in the low 16 bits, and an indicator of IO mapping in the high bits.

== MapDeviceAddressSpaceAligned ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || Address
|-
| (In) X3 || R4 || uint64_t || DeviceAddressSpaceSize
|-
| (In) X4 || R5, R6 || uint64_t || DeviceAddressSpaceAddress
|-
| (In) W5 || R7 || uint32_t || Option
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maps an attached device address space to an userspace address.

Same as [[#MapDeviceAddressSpaceByForce]], but the userspace destination address must have the [[SVC#MemoryState|FlagCanAlignedDeviceMap]] bit set instead.

The Option encodes a [[#MemoryPermission]] in the low 16 bits, and an indicator of IO mapping in the high bits.

== MapDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W1 || R1 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (In) W2 || R2 || Handle<Process> || ProcessHandle
|-
| (In) X3 || R0, R3 || void* || Address
|-
| (In) X4 || R4 || uint64_t || DeviceAddressSpaceSize
|-
| (In) X5 || R5, R6 || uint64_t || DeviceAddressSpaceAddress
|-
| (In) W6 || R7 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1 || uint64_t || Size
|}
</div>

== UnmapDeviceAddressSpace ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<DeviceAddressSpace> || DeviceAddressSpaceHandle
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || Address
|-
| (In) X3 || R4 || uint64_t || DeviceAddressSpaceSize
|-
| (In) X4 || R5, R6 || uint64_t || DeviceAddressSpaceAddress
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Unmaps an attached device address space from an userspace address.

== InvalidateProcessDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || Address
|-
| (In) X2 || R1, R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== StoreProcessDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || Address
|-
| (In) X2 || R1, R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== FlushProcessDataCache ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || Address
|-
| (In) X2 || R1, R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== DebugActiveProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R2, R3 || uint64_t || ProcessId
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || Handle<Debug> || DebugHandle
|}
</div>

== BreakDebugProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Debug> || DebugHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== TerminateDebugProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Debug> || DebugHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetDebugEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#DebugEventInfo]]* || DebugEventInfo
|-
| (In) W1 || Handle<Debug> || DebugHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== ContinueDebugEvent ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Debug> || DebugHandle
|-
| (In) W1 || R1 || uint32_t || [[#ContinueDebugFlags]] ([1.0.0-2.3.0] [[#ContinueDebugFlagsOld]])
|-
| (In) X2 || R2 ([1.0.0-2.3.0] R2, R3) || uint64_t* ([1.0.0-2.3.0] uint64_t)|| ThreadIdList ([1.0.0-2.3.0] ThreadId)
|-
| (In) X3 || R3 || uint64_t || [3.0.0+] NumThreadIds
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maximum NumThreadIds is 64. 0 means "all threads".

=== Result codes ===
'''0x0:''' Success. The process has been resumed.

'''0xe401:''' Invalid debug handle.

'''0xf401:''' Process has debug events queued or is already running.

== GetProcessList ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || uint64_t* || ProcessIdBuffer
|-
| (In) W2 || R2 || uint32_t || ProcessIdBufferSize
|-
| (Out) X0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || NumProcesses
|}
</div>

Fills the provided array with the pids of currently living processes. A process "lives" so long as it is currently running or a handle to it still exists.

It returns the total number of processes currently alive. If this number is bigger than the size of ProcessIdBuffer, the user won't have all the pids.

=== Result codes ===
'''0x0:''' Success.

'''0xd401:''' The provided buffer is outside the process address space.

'''0xe601:''' copyToUser failed. The provided buffer is not user-accessible.

'''0xee01:''' The provided buffer size is too big. Max value is 0xFFFFFFF.

== GetThreadList ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X1 || R1 || uint64_t* || ThreadIdBuffer
|-
| (In) W2 || R2 || uint32_t || ThreadIdBufferSize
|-
| (In) W3 || R3 || Handle<Debug> || DebugHandle
|-
| (Out) X0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || uint32_t || NumThreads
|}
</div>

== GetDebugThreadContext ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || [[#ThreadContext]]* || ThreadContext
|-
| (In) X1 || R1 || Handle<Debug> || DebugHandle
|-
| (In) X2 || R2, R3 || uint64_t || ThreadId
|-
| (In) W3 || R4 || uint32_t || [[#ThreadContextFlags]]
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== SetDebugThreadContext ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Debug> || DebugHandle
|-
| (In) X1 || R2, R3 || uint64_t || ThreadId
|-
| (In) X2 || R1 || [[#ThreadContext]]* || ThreadContext
|-
| (In) W3 || R4 || uint32_t || [[#ThreadContextFlags]]
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== QueryDebugProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || [[#MemoryInfo]]* || MemoryInfo
|-
| (In) W2 || Handle<Debug> || DebugHandle
|-
| (In) X3 || void* || Address
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || [[#PageInfo]] || PageInfo
|}
</div>

== ReadDebugProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X0 || void* || MemoryBufferAddress
|-
| (In) W1 || Handle<Debug> || DebugHandle
|-
| (In) X2 || void* || SrcAddress
|-
| (In) X3 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== WriteDebugProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Debug> || DebugHandle
|-
| (In) X1 || void* || MemoryBufferAddress
|-
| (In) X2 || void* || DstAddress
|-
| (In) X3 || uint64_t || Size
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== SetHardwareBreakPoint ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || [[#HardwareBreakPointRegisterName]] || Name
|-
| (In) X1 || R2, R3 || uint64_t || Flags
|-
| (In) X2 || R1, R4 || uint64_t || Value
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Sets one of the AArch64 hardware breakpoints. The nintendo switch has 6 hardware breakpoints, and 4 hardware watchpoints. The syscall has two behaviors depending on the value of HardwareBreakPointRegisterName:

If HardwareBreakPointRegisterName < 0x10, then it sets one of the AArch64 hardware breakpoints. Flags will go to DBGBCRn_EL1, and value to DBGBVRn_EL1. The only flags the user is allowed to set are those in the bitmask 0x7F01E1. Furthermore, the kernel will or it with 0x4004, in order to set various security flags to guarantee the watchpoints only triggers for code in EL0. If the user asks for a Breakpoint Type of ContextIDR match, the kernel shall use the given DebugHandle to set DBGBVRn_EL1 to the ContextID of the debugged process.

If HardwareBreakPointRegisterName is between 0x10 and 0x20 (exclusive), then it sets one of the AArch64 hardware watchpoints. Flags will go to DBGWCRn_EL1, and the value to DBGWVRn_EL1. The only flags the user is allowed to set are those in the bitmask 0xFF0F1FF9. Furthermore, the kernel will or it with 0x104004. This will set various security flags, and set the watchpoint type to be a Linked Watchpoint. This means that you need to link it to a Linked ContextIDR breakpoint. Check the ARM documentation for more information.

Note that HardwareBreakPointRegisterName 0 to 4 match only to Virtual Address, while HardwareBreakPointRegisterName 5 and 6 match against either Virtual Address, ContextID, or VMID. As such, if you are configuring a breakpoint to link for a watchpoint, make sure you use hardware_breakpoint_id 5 or 6.

For more documentation for hardware breakpoints, check out the AArch64 documentation for the [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0488h/way1382455558968.html DBGBCRn_EL1 register] and the [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0488h/way1382455560629.html DBGWCRn_EL1 register]

== GetDebugThreadParam ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X2 || R2 || Handle<Debug> || DebugHandle
|-
| (In) X3 || R0, R1 || uint64_t || ThreadId
|-
| (In) W4 || R3 || [[#DebugThreadParam]] || DebugThreadParam
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || Out0
|-
| (Out) W2 || R3 || uint32_t || Out1
|}
</div>

== GetSystemInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || [[#SystemInfoType]] || SystemInfoType
|-
| (In) W2 || Handle || Handle
|-
| (In) X3 || uint64_t || SystemInfoSubType
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) X1 || uint64_t || SystemInfo
|}
</div>

== CreatePort ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W2 || R2 || int32_t || MaxSessions
|-
| (In) W3 || R3 || bool || IsLight
|-
| (In) X4 || R0 || uint64_t || Name
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || Handle<Port> || ServerPortHandle
|-
| (Out) W2 || R2 || Handle<Port> || ClientPortHandle
|}
</div>

== ManageNamedPort ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || char* || Name
|-
| (In) W2 || int32_t || MaxSessions
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<Port> || ServerPortHandle
|}
</div>

== ConnectToPort ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W1 || Handle<Port> || ClientPortHandle
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<Session> || SessionHandle
|}
</div>

== SetProcessMemoryPermission ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || Addr
|-
| (In) X2 || R1, R4 || uint64_t || Size
|-
| (In) W3 || R5 || [[#MemoryPermission]] || MemoryPermission
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

This sets the memory permissions for the specified memory with the supplied process handle.

This throws an error(0xD801) when the input perm is >0x5, hence -WX and RWX are not allowed.

== MapProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || DstAddress
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || SrcAddress
|-
| (In) X3 || R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Maps the src address from the supplied process handle into the current process.

This allows mapping code and rodata with RW- permission.

== UnmapProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || void* || DstAddress
|-
| (In) W1 || R1 || Handle<Process> || ProcessHandle
|-
| (In) X2 || R2, R3 || void* || SrcAddress
|-
| (In) X3 || R4 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Unmaps what was mapped by [[#MapProcessMemory]].

== QueryProcessMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || [[#MemoryInfo]]* || MemoryInfo
|-
| (In) W2 || R2 || Handle<Process> || ProcessHandle
|-
| (In) X3 || R1, R3 || void* || Address
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) W1 || R1 || [[#PageInfo]] || PageInfo
|}
</div>

Equivalent to [[#QueryMemory]] except takes a process handle.

== MapProcessCodeMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || DstAddress
|-
| (In) X2 || R1, R4 || void* || SrcAddress
|-
| (In) X3 || R5, R6 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Takes a process handle, and maps normal heap in that process as executable code in that process. Used when loading NROs. This does not support using the current-process handle alias.

== UnmapProcessCodeMemory ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) X1 || R2, R3 || void* || DstAddress
|-
| (In) X2 || R1, R4 || void* || SrcAddress
|-
| (In) X3 || R5, R6 || uint64_t || Size
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

Unmaps what was mapped by [[#MapProcessCodeMemory]].

== CreateProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) X1 || [[#CreateProcessParameter]]* || CreateProcessParameter
|-
| (In) X2 || uint32_t* || Capabilities
|-
| (In) X3 || int32_t || CapabilitiesNum
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<Process> || ProcessHandle
|}
</div>

Takes a [[#CreateProcessParameter]] as input.
Capabilities points to an array of [[NPDM#Kernel_Access_Control|kernel capabilities]].
CapabilitiesNum is a number of capabilities in the Capabilities array (number of element, not number of bytes).

=== Result codes ===
'''0x0:''' Success.

'''0xCA01:''' Attempted to map more code pages than available in address space.

'''0xCC01:''' Provided CodeAddr is invalid (make sure it's in range?)

'''0xE401:''' The resource handle passed is invalid.

'''0xE601:''' Attempt to copy procinfo from user-supplied pointer failed. Attempt to copy capabilities_num from user-supplied pointer failed.

'''0xE801:''' Attempted to create a 32-bit process with a 36-bit address space.

'''0xF001:''' Unused bits are set in mmuflags. Unknown address space type used.

== StartProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<Process> || ProcessHandle
|-
| (In) W1 || R1 || int32_t || MainThreadPriority
|-
| (In) W2 || R2 || int32_t || DefaultCpuId
|-
| (In) X3 || R3, R4 || uint64_t || MainThreadStackSize
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== TerminateProcess ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) W0 || Handle<Process> || ProcessHandle
|-
| (Out) W0 || [[#Result]] || Result
|}
</div>

== GetProcessInfo ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R1 || Handle<Process> || ProcessHandle
|-
| (In) W1 || R2 || [[#ProcessInfoType]] || ProcessInfoType
|-
| (Out) W0 || R0 || [[#Result]] || Result
|-
| (Out) X1 || R1, R2 || uint64_t || [[#ProcessState]]
|}
</div>

Returns an enum with value 0-7.

== CreateResourceLimit ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument || Type || Name
|-
| (In) None || ||
|-
| (Out) W0 || [[#Result]] || Result
|-
| (Out) W1 || Handle<ResourceLimit> || ResourceLimitHandle
|}
</div>

== SetResourceLimitLimitValue ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) W0 || R0 || Handle<ResourceLimit> || ResourceLimitHandle
|-
| (In) W1 || R1 || [[#LimitableResource]] || LimitableResource
|-
| (In) X2 || R2, R3 || int64_t || LimitValue
|-
| (Out) W0 || R0 || [[#Result]] || Result
|}
</div>

== CallSecureMonitor ==
<div style="display: inline-block;">
{| class="wikitable" border="1"
|-
! Argument64 || Argument32 || Type || Name
|-
| (In) X0 || R0 || uint64_t || [[SMC#Secure_Monitor_calls|FunctionId]]
|-
| (In) X1-X7 || R1-R7 || uint64_t || SMC arguments
|-
| (Out) X0 || R0 || [[SMC#Result|Result]] || SMC result
|-
| (Out) X1-X7 || R1-R7 || uint64_t || SMC output
|}
</div>

Takes in a SMC function ID in X0, and arguments for that SMC function in X1-X7.

Passing an invalid SMC function ID or calling from a core other than core 3 will result in a secure monitor panic.

The kernel parses bits 9-15 in the passed SMC function ID (per the ARM SMC calling convention), and when set uses as an indicator to translate a pointer in the associated register (X1-X7) to a physical address. The kernel will translate any address mapped as R-W, other addresses (R--, R-X, or invalid pointers) will be translated as 0/NULL.

Output is returned raw from the Secure Monitor; X0 will be the untranslated SMC result and X1-X7 will contain other SMC output (or be unchanged, depending on the SMC).

== Debugging ==
[2.0.0+] Exactly 6 debug SVCs require that [[SPL_services#GetConfig|IsDebugMode]] is non-zero. Error 0x4201 is returned otherwise.
* BreakDebugProcess
* ContinueDebugEvent
* WriteDebugProcessMemory
* SetDebugThreadContext
* TerminateDebugProcess
* SetHardwareBreakPoint

DebugActiveProcess stops execution of the target process, the normal method for resuming it requires ContinueDebugEvent(see above). Closing the debug handle also results in execution being resumed.

= Enum/Structures =
== InfoType ==
{| class=wikitable
! Handle type || InfoType || InfoSubType || Description
|-
| Process || 0 || 0 || CoreMask
|-
| Process || 1 || 0 || PriorityMask
|-
| Process || 2 || 0 || AliasRegionAddress
|-
| Process || 3 || 0 || AliasRegionSize
|-
| Process || 4 || 0 || HeapRegionAddress
|-
| Process || 5 || 0 || HeapRegionSize
|-
| Process || 6 || 0 || TotalMemorySize. Total memory available(free+used).
|-
| Process || 7 || 0 || UsedMemorySize. Total used size of codebin memory + main-thread stack + allocated heap.
|-
| Zero || 8 || 0 || DebuggerAttached
|-
| Zero || 9 || 0 || ResourceLimit
|-
| Zero || 10 || -1, {current coreid} || IdleTickCount
|-
| Zero || 11 || 0-3 || RandomEntropy. Used to seed usermode PRNGs.
|-
| Process || 12 || 0 || [2.0.0+] AslrRegionAddress
|-
| Process || 13 || 0 || [2.0.0+] AslrRegionSize
|-
| Process || 14 || 0 || [2.0.0+] StackRegionAddress
|-
| Process || 15 || 0 || [2.0.0+] StackRegionSize
|-
| Process || 16 || 0 || [3.0.0+] SystemResourceSizeTotal
|-
| Process || 17 || 0 || [3.0.0+] SystemResourceSizeUsed
|-
| Process || 18 || 0 || [3.0.0+] ProgramId
|-
| Zero || 19 || 0 || [4.0.0-4.1.0] InitialProcessIdRange_LowerBound
|-
| Zero || 19 || 1 || [4.0.0-4.1.0] InitialProcessIdRange_UpperBound
|-
| Process || 20 || 0 || [5.0.0+] UserExceptionContextAddress
|-
| Process || 21 || 0 || [6.0.0+] TotalNonSystemMemorySize
|-
| Process || 22 || 0 || [6.0.0+] UsedNonSystemMemorySize
|-
| Process || 23 || 0 || [9.0.0+] IsApplication
|-
| Process || 24 || 0 || [11.0.0+] FreeThreadCount
|-
| Thread || 25 ([1.0.0-12.1.0] 0xF0000002) || 0-3, -1 || ThreadTickCount. When 0-3 are passed, gets specific core CPU ticks spent on thread. When -1 is passed, gets total CPU ticks spent on thread.
|-
| Process || 26 || 0 || [14.0.0+] IsSvcPermitted
|}

== SystemInfoType ==
{| class=wikitable
! Handle type || SystemInfoType || SystemInfoSubType || Description
|-
| Zero || 0 || 0 || TotalPhysicalMemorySize_Application
|-
| Zero || 0 || 1 || TotalPhysicalMemorySize_Applet
|-
| Zero || 0 || 2 || TotalPhysicalMemorySize_System
|-
| Zero || 0 || 3 || TotalPhysicalMemorySize_SystemUnsafe
|-
| Zero || 1 || 0 || UsedPhysicalMemorySize_Application
|-
| Zero || 1 || 1 || UsedPhysicalMemorySize_Applet
|-
| Zero || 1 || 2 || UsedPhysicalMemorySize_System
|-
| Zero || 1 || 3 || UsedPhysicalMemorySize_SystemUnsafe
|-
| Zero || 2 || 0 || InitialProcessIdRange_LowerBound
|-
| Zero || 2 || 1 || InitialProcessIdRange_UpperBound
|}

== ThreadContextFlags ==
Bitfield of one of more of these:

{| class=wikitable
! Bit || Bitmask || Name || Description
|-
| 0 || 1 || General-purpose registers || If in 64-bit mode, GPRs 0–28 will be read/written. If in 32-bit mode, GPRs 0–12 will be read/written.
|-
| 1 || 2 || Control registers || Reads/writes the FP, LR, PC, SP, PSTATE, and TPIDR registers.
|-
| 2 || 4 || Floating-point registers || Reads/writes the floating-point vector registers.
|-
| 3 || 8 || Floating-point control registers || Reads/writes the FPCR and FPSR registers.
|}

== DeviceName ==
{| class=wikitable
! Value || Name
|-
| 0 || AFI
|-
| 1 || AVPC
|-
| 2 || DC
|-
| 3 || DCB
|-
| 4 || HC
|-
| 5 || HDA
|-
| 6 || ISP2
|-
| 7 || MSENCNVENC
|-
| 8 || NV
|-
| 9 || NV2
|-
| 10 || PPCS
|-
| 11 || SATA
|-
| 12 || VI
|-
| 13 || VIC
|-
| 14 || XUSB_HOST
|-
| 15 || XUSB_DEV
|-
| 16 || TSEC
|-
| 17 || PPCS1
|-
| 18 || DC1
|-
| 19 || SDMMC1A
|-
| 20 || SDMMC2A
|-
| 21 || SDMMC3A
|-
| 22 || SDMMC4A
|-
| 23 || ISP2B
|-
| 24 || GPU
|-
| 25 || GPUB
|-
| 26 || PPCS2
|-
| 27 || NVDEC
|-
| 28 || APE
|-
| 29 || SE
|-
| 30 || NVJPG
|-
| 31 || HC1
|-
| 32 || SE1
|-
| 33 || AXIAP
|-
| 34 || ETR
|-
| 35 || TSECB
|-
| 36 || TSEC1
|-
| 37 || TSECB1
|-
| 38 || NVDEC1
|}

== CodeMemoryOperation ==
{| class=wikitable
! Value || Name
|-
| 0 || MapOwner
|-
| 1 || MapSlave
|-
| 2 || UnmapOwner
|-
| 3 || UnmapSlave
|}

== LimitableResource ==
{| class=wikitable
! Value || Name || Description
|-
| 0 || PhysicalMemoryMax || Bytes of memory a process may allocate.
|-
| 1 || ThreadCountMax || Amount of threads a process can create.
|-
| 2 || EventCountMax || Amount of events a process can create through [[#CreateEvent]] or [[#SendAsyncRequestWithUserBuffer]].
|-
| 3 || TransferMemoryCountMax || Amount of TransferMemory a process can create through [[#CreateTransferMemory]].
|-
| 4 || SessionCountMax || Amount of session a process can create through [[#CreateSession]], [[#ConnectToPort]] or [[#ConnectToNamedPort]].
|}

= ThreadActivity =
{| class=wikitable
! Value || Name
|-
| 0 || None
|-
| 1 || Runnable
|}

== ProcessActivity ==
{| class=wikitable
! Value || Name
|-
| 0 || None
|-
| 1 || Runnable
|}

== ProcessInfoType ==
{| class=wikitable
! Value || Name
|-
| 0 || [[#ProcessState|ProcessState]]
|}

== ProcessState ==
{| class=wikitable
! Value || Name || Notes
|-
| 0 || Created ||
|-
| 1 || CreatedAttached ||
|-
| 2 || Started ||
|-
| 3 || Crashed || Processes will not enter this state unless they were created with [[#CreateProcessParameter|EnableDebug]].
|-
| 4 || StartedAttached ||
|-
| 5 || Exiting ||
|-
| 6 || Exited ||
|-
| 7 || DebugSuspended ||
|}

== DebugThreadParam ==
{| class=wikitable
! Value || Name
|-
| 0 || DynamicPriority
|-
| 1 || SchedulingStatus
|-
| 2 || PreferredCpuCore
|-
| 3 || CurrentCpuCore
|-
| 4 || AffinityMask
|}

Dynamic priority: output in out2

Scheduling status: out1 contains bit0: is debug-suspended, bit1: is user-suspended ([[#SetThreadActivity]] 1 or [[#SetProcessActivity]] 1).
Out2 contains {suspended, idle, running, terminating} => {5, 0, 1, 4}

PreferredCpuCore: output in out2

CurrentCpuCore: output in out2

AffinityMask: output in out1

== CreateProcessParameter ==
{| class=wikitable
! Offset || Length || Bits || Description
|-
| 0 || 12 || || ProcessName (doesn't have to be null-terminated)
|-
| 0x0C || 4 || || ProcessCategory (0: regular title, 1: kernel built-in)
|-
| 0x10 || 8 || || TitleId
|-
| 0x18 || 8 || || CodeAddr
|-
| 0x20 || 4 || || CodeNumPages
|-
| 0x24 || 4 || || Flags
|-
| || || Bit0 || Is64BitInstruction
|-
| || || Bit3-1 || [[#AddressSpaceType]]
|-
| || || Bit4 || [2.0.0+] EnableDebug
|-
| || || Bit5 || EnableAslr
|-
| || || Bit6 || IsApplication
|-
| || || Bit7 || [4.0.0] UseSecureMemory
|-
| || || Bit10-7 || [5.0.0+] MemoryRegion (0 = Application, 1 = Applet, 2 = SecureSystem, 3 = NonSecureSystem)
|-
| || || Bit11 || [7.0.0+] OptimizeMemoryAllocation (only allowed in combination with IsApplication)
|-
| 0x28 || 4 || || ResourceLimitHandle (can be zero)
|-
| 0x2C || 4 || || [3.0.0+] SystemResourceNumPages
|}

On [1.0.0] there's only one MemoryRegion.

On [2.0.0-4.0.0] MemoryRegion is 1 for built-ins and 0 for rest.

On [5.0.0] MemoryRegion is specified in CreateProcessArgs. There are now 4 pool partitions.

On [5.0.0] (maybe lower?) a zero ResourceLimitHandle defaults to sysmodule limits and 0x12300000 bytes of memory.

The PersonalMmHeap are allocated as follows:
* For the application, normal insecure pool is used. Carveout 5 is used to provide protection.
* For the applet, a pre-allocated secure pool segment of size 0x400000 is used.
* For sysmodules, secure pool is allocated.

=== AddressSpaceType ===
{| class=wikitable
! Type || Name || Width || Description
|-
| 0 || AddressSpace32Bit || 32 ||
|-
| 1 || AddressSpace64BitOld || 36 ||
|-
| 2 || AddressSpace32BitNoReserved || 32 || Appears to be missing map region [?]
|-
| 3 || [2.0.0+] AddressSpace64Bit || 39 ||
|}

== MemoryInfo ==
{| class=wikitable
! Offset || Length || Description
|-
| 0 || 8 || BaseAddress
|-
| 8 || 8 || Size
|-
| 0x10 || 4 || [[#MemoryType]]
|-
| 0x14 || 4 || [[#MemoryAttribute]]
|-
| 0x18 || 4 || [[#MemoryPermission]]
|-
| 0x1C || 4 || IpcRefCount
|-
| 0x20 || 4 || DeviceRefCount
|-
| 0x24 || 4 || Padding: always zero
|}

== MemoryPermission ==
{| class=wikitable
! Bits || Name || Description
|-
| 0 || Read || Can be set by [[#SetMemoryPermission]].
|-
| 1 || Write || Can be set by [[#SetMemoryPermission]].
|-
| 2 || Execute || Can be set by [[#SetProcessMemoryPermission]] and [[#ControlCodeMemory]].
|-
| 28 || DontCare ||
|}

== MemoryAttribute ==
{| class=wikitable
! Bits || Name || Description
|-
| 0 || Locked || Used by MapMemory, as an async IPC user buffer.
|-
| 1 || IpcLocked || True when IpcRefCount > 0.
|-
| 2 || DeviceShared || True when DeviceRefCount > 0.
|-
| 3 || Uncached ||
|}

== MemoryState ==
{| class=wikitable
! Bits || Description || Meaning
|-
| 7-0 || [[#MemoryType]] ||
|-
| 8 || [[#SetMemoryPermission|FlagCanReprotect]] ||
|-
| 9 || FlagCanDebug || Allows using [[#WriteDebugProcessMemory]] on segments mapped read-only.
|-
| 10 || FlagCanUseIpc || Allows sending this region as an IPC A/B/W buffer with flags=0.
|-
| 11 || FlagCanUseNonDeviceIpc || Allows sending this region as an IPC A/B/W buffer with flags=1.
|-
| 12 || FlagCanUseNonSecureIpc || Allows sending this region as an IPC A/B/W buffer with flags=3.
|-
| 13 || FlagMapped ||
|-
| 14 || [[#SetProcessMemoryPermission|FlagCode]] ||
|-
| 15 || [[#MapMemory|FlagCanAlias]] ||
|-
| 16 || [[#MapProcessCodeMemory|FlagCanCodeAlias]] ||
|-
| 17 || [[#CreateTransferMemory|FlagCanTransfer]] ||
|-
| 18 || [[#QueryPhysicalAddress|FlagCanQueryPhysical]] ||
|-
| 19 || [[#MapDeviceAddressSpace|FlagCanDeviceMap]] ||
|-
| 20 || [[#MapDeviceAddressSpaceAligned|FlagCanAlignedDeviceMap]] ||
|-
| 21 || [[#SendSyncRequestWithUserBuffer|FlagCanIpcUserBuffer]] ||
|-
| 22 || FlagReferenceCounted || The physical memory blocks backing this region are refcounted.
|-
| 23 || [[#MapProcessMemory|FlagCanMapProcess]] ||
|-
| 24 || [[#SetMemoryAttribute|FlagCanChangeAttribute]] ||
|-
| 25 || [4.0.0+] [[#CreateCodeMemory|FlagCanCodeMemory]] ||
|}

=== MemoryType ===
{| class=wikitable
! Value || Type || Meaning
|-
| 0x00000000 || Free ||
|-
| 0x00002001 || Io || Mapped by kernel capability parsing in [[#CreateProcess]].
|-
| 0x00042002 || Static || Mapped by kernel capability parsing in [[#CreateProcess]].
|-
| 0x00DC7E03 || Code || Mapped during [[#CreateProcess]].
|-
| [1.0.0+]

0x01FEBD04

[4.0.0+]

0x03FEBD04
|| CodeData || Transition from 0xDC7E03 performed by [[#SetProcessMemoryPermission]].
|-
| [1.0.0+]
0x017EBD05

[4.0.0+]

0x037EBD05
|| Normal || Mapped using [[#SetHeapSize]].
|-
| 0x00402006 || Shared || Mapped using [[#MapSharedMemory]].
|-
| 0x00482907 || [1.0.0] Alias || Mapped using [[#MapMemory]].
|-
| 0x00DD7E08 || AliasCode || Mapped using [[#MapProcessCodeMemory]].
|-
| [1.0.0+]

0x01FFBD09

[4.0.0+]

0x03FFBD09
|| AliasCodeData || Transition from 0xDD7E08 performed by [[#SetProcessMemoryPermission]].
|-
| 0x005C3C0A || [[IPC_Marshalling|Ipc]] || IPC buffers with descriptor flags=0.
|-
| 0x005C3C0B || Stack || Mapped using [[#MapMemory]].
|-
| 0x0040200C || [[Thread Local Storage|ThreadLocal]] || Mapped during [[#CreateThread]].
|-
| 0x015C3C0D || Transfered || Mapped using [[#MapTransferMemory]] when the owning process has perm=0.
|-
| 0x005C380E || SharedTransfered || Mapped using [[#MapTransferMemory]] when the owning process has perm!=0.
|-
| 0x0040380F || SharedCode || Mapped using [[#MapProcessMemory]].
|-
| 0x00000010 || Inaccessible ||
|-
| 0x005C3811 || [[IPC_Marshalling|NonSecureIpc]] || IPC buffers with descriptor flags=1.
|-
| 0x004C2812 || [[IPC_Marshalling|NonDeviceIpc]] || IPC buffers with descriptor flags=3.
|-
| 0x00002013 || Kernel || Mapped in kernel during [[#CreateThread]].
|-
| 0x00402214 || [4.0.0+] GeneratedCode || Mapped in kernel during [[#ControlCodeMemory]].
|-
| 0x00402015 || [4.0.0+] CodeOut || Mapped in kernel during [[#ControlCodeMemory]].
|-
| 0x00002016 || [13.0.0+] Coverage ||
|}

== ArbitrationType ==
{| class=wikitable
! Value || Type
|-
| 0x0 || WaitIfLessThan
|-
| 0x1 || DecrementAndWaitIfLessThan
|-
| 0x2 || WaitIfEqual
|}

== SignalType ==
{| class=wikitable
! Value || Type
|-
| 0x0 || Signal
|-
| 0x1 || SignalAndIncrementIfEqual
|-
| 0x2 || SignalAndModifyBasedOnWaitingThreadCountIfEqual
|}

== ContinueDebugFlagsOld ==
[1.0.0-2.3.0]
{| class=wikitable
! Bit || Bitmask || Description
|-
| 0 || 1 || IgnoreException (note: ResumeAllThreads or debug-suspended-thread-id needed)
|-
| 1 || 2 || SwallowException
|-
| 2 || 4 || ResumeAllThreads
|}

== ContinueDebugFlags ==
[3.0.0+]
{| class=wikitable
! Bit || Bitmask || Description
|-
| 0 || 1 || IgnoreException (note: doesn't need to be set in the same call than Resume)
|-
| 1 || 2 || DontCatchExceptions
|-
| 2 || 4 || Resume
|-
| 3 || 8 || IgnoreOtherThreadsExceptions
|}

IgnoreExceptionsOfOthers is like IgnoreException but acts on all threads that aren't in the input list. The affected threads are resumed.

Only one of of Resume and IgnoreOtherThreadsExceptions can be set at a time.

If the input number of threads is 0, this means "all threads".

== DebugEventInfo ==
The below table is for the Aarch64 version of the system call. For A32, all u64 fields but title/process/thread id are actually u32, making the structure 0x28-byte-big (0x40 for a64).

Size: 0x40

{| class=wikitable
! Offset || Length || Description
|-
| 0 || u32 || EventType
|-
| 4 || u32 || Flags (bit0: NeedsContinue)
|-
| 8 || u64 || ThreadId
|-
| 0x10 || || PerTypeSpecifics
|}

AttachProcess specific:
{| class=wikitable
! Offset || Length || Description
|-
| 0x10 || u64 || TitleId
|-
| 0x18 || u64 || ProcessId
|-
| 0x20 || char[12] || ProcessName
|-
| 0x2C || u32 || MmuFlags
|-
| 0x30 || u64 || [5.0.0+] UserExceptionContextAddr
|}

AttachThread specific:
{| class=wikitable
! Offset || Length || Description
|-
| 0x10 || u64 || ThreadId
|-
| 0x18 || u64 || TlsPtr
|-
| 0x20 || u64 || Entrypoint
|}

Exit specific:
{| class=wikitable
! Offset || Length || Description
|-
| 0x10 || u32|| Type (0=PausedThread, 1=RunningThread, 2=ExitedProcess, 3=TerminatedProcess)
|}

Exception specific:
{| class=wikitable
! Offset || Length || Description
|-
| 0x10 || u32 || ExceptionType
|-
| 0x18 || u64 || FaultRegister
|-
| 0x20 || || PerExceptionSpecifics
|}

=== DebugEventType ===
{| class=wikitable
! Value || Name
|-
| 0 || AttachProcess
|-
| 1 || AttachThread
|-
| 2 || ExitProcess
|-
| 3 || ExitThread
|-
| 4 || Exception
|}

=== DebugExceptionType ===
{| class=wikitable
! Value || Name
|-
| 0 || Trap (*)
|-
| 1 || InstructionAbort
|-
| 2 || DataAbortMisc (**)
|-
| 3 || PcSpAlignmentFault
|-
| 4 || DebuggerAttached
|-
| 5 || BreakPoint
|-
| 6 || UserBreak
|-
| 7 || DebuggerBreak
|-
| 8 || BadSvcId
|-
| 9 || [2.0.0+] SError
|}

<nowiki>*</nowiki> Undefined instructions, software breakpoints, some other traps.

<nowiki>**</nowiki> Data aborts, FP traps, and everything else that doesn't belong to any of the above.

Trap specifics:
{| class=wikitable
! Offset || Length || Description
|-
| 0x20 || u32 || Opcode
|}

BreakPoint specifics:
{| class=wikitable
! Offset || Length || Description
|-
| 0x20 || u32 || IsWatchpoint
|}

UserBreak specifics:
{| class=wikitable
! Offset || Length || Description
|-
| 0x20 || u32 || Info0
|-
| 0x28 || u64 || Info1
|-
| 0x30 || u64 || Info2
|}

BadSvcId specifics:
{| class=wikitable
! Offset || Length || Description
|-
| 0x20 || u32 || SvcId
|}

= Exception handling =
First of all, a function that might be called by synchronous exception handler and that is called by the SError handler fetches the exception info, adjusts PC, panics on exceptions taken from EL1, then dispatches the exception.

The dispatcher has two mutually exclusive exception reporting methods:
* by storing information at the start of the process's TLS memregion (TPIDRRO_EL0) and jumping back to the crt0
* by using KDebug

KDebug dispatching is used when at least one of the following conditions are met:
* SMC ConfigItem KernelMemConfig bit 1 is NOT set (it isn't on retail), unless: this is a software or hardware breakpoint, or a watchpoint, or [4.0.0+?] the process is attached and this is a Google PNaCl trap instruction (see LLVM source)
* FAR doesn't point to a valid address in mapped-readable CodeStatic memory (i.e. this is the case for NRO and JIT memory) or this is one of the following exceptions (it particular, that doesn't include FP exceptions occurring in CodeStatic memory):
** Uncategorized
** IllegalState
** SupervisorCallA32
** SupervisorCallA64
** PCAlignment
** SPAlignment
** SError
** BreakpointLowerEl
** SoftwareStepLowerEl (note: no way set single-step flag; not parsed)
** WatchpointLowerEl
** SoftwareBreakpointA32 (note: not parsed)
** SoftwareBreakpointA64 (note: not parsed)

In all other cases the userland-handled exception path is taken.

KDebug path:

If the process is attached, the exception is reported to the KDebug. If the thread was continued using flag IgnoreExceptions, it returns from the exception as if nothing happened.

If the latter is not the case, or if the process isn't attached, proceed to [2.0.0+] crash reporting (or in [1.0.0] just terminate the process):
if EnableDebug is set, and depending on the process state (more than one crash per process isn't permitted) it may signal itself with ProcessState_Crashed so that PM asks NS to start creport so that creport attaches to it and reports the crashes. Otherwise, just terminate.

Userland reporting path and [[#ReturnFromException]]:

TLS region start (A64):
{| class=wikitable
! Offset || Length || Description
|-
| 0x0 || 0x148 || Exception stack
|-
| 0x148 || 0x78 || ExceptionFrameA64
|}

ExceptionFrameA64:
{| class=wikitable
! Offset || Length || Description
|-
| 0x0 || 0x48 (8*9) || GPRs 0..8.
|-
| 0x48 || 0x8 || lr
|-
| 0x50 || 0x8 || sp
|-
| 0x58 || 0x8 || pc (elr_el1)
|-
| 0x60 || 0x4 || pstate & 0xFF0FFE20
|-
| 0x64 || 0x4 || afsr0
|-
| 0x68 || 0x4 || afsr1
|-
| 0x6C || 0x4 || esr
|-
| 0x70 || 0x8 || far
|}

TLS region start (A32):
{| class=wikitable
! Offset || Length || Description
|-
| 0x0 || 0x178 || Exception stack
|-
| 0x148 || 0x44 || ExceptionFrameA32
|}

ExceptionFrameA32:
{| class=wikitable
! Offset || Length || Description
|-
| 0x0 || 0x20 (8*4) || GPRs 0..7.
|-
| 0x20 || 0x4 || sp
|-
| 0x24 || 0x4 || lr
|-
| 0x28 || 0x4 || pc (elr_el1)
|-
| 0x2C || 0x4 || tpidr_el0 = 1
|-
| 0x30 || 0x4 || cpsr & 0xFF0FFE20
|-
| 0x34 || 0x4 || afsr0
|-
| 0x38 || 0x4 || afsr1
|-
| 0x3C || 0x4 || esr
|-
| 0x40 || 0x4 || far
|}

In that case, after storing the regs in the TLS, the exception handler returns to the application's crt0 (entrypoint), with X0=<error description code> (see below) and X1=SP=frame=<stack top> (see above)

{| class=wikitable
! Desc. code || Meaning
|-
| 0x100 || Instruction abort
|-
| 0x102 || Misaligned PC
|-
| 0x103 || Misaligned SP
|-
| 0x106 || [2.0.0+] SError
|-
| 0x301 || Bad SVC
|-
| 0x104 || Uncategorized, CP15RTTrap, CP15RRTTrap, CP14RTTrap, CP14RRTTrap, IllegalState, SystemRegisterTrap
|-
| 0x101 || None of the above, EC <= 0x34 and not a breakpoint
|-
|}

(During normal app boot the process is invoked with X0=0 and X1=main_thread_handle. The crt0 of retail apps determines whether to boot normally or handle an exception if X0 is set to 0 or not)

The application is supposed to promptly update the contents of elr_el1 to a user handler (and any other regs it sees fit) and call [[#ReturnFromException]] (error code) to call that handler. The latter is then expected to promptly abort the program.

[[#ReturnFromException]] updates the contents of the kernel stack frame with what the user provided in the TLS structure, sets TPIDR_EL0 to 1, then:
* if the provided error code is 0, gracefully pivots and returns from exception
* if it is not, replays the exception and pass it to the KDebug (see above). One can pass 0x10001 to prevent process termination. If the process is attached, this also prevents crash-collection/termination (different from the exception handler behavior)

If an exception occurs from the above user handler, the entire exception handling process will repeat with the new exception.

Note that if a thread that wasn't faulting calls [[#ReturnFromException]], it signals an "invalid syscall" exception

Note that [[SMC|IsDebugMode]] is not used during exception-handling, except for enabling printing a message to UART-A. This UART code causes a system-hang on retail (likely due to a loop that doesn't exit). This printing doesn't seem to run when the process is attached for debugging?

Switch System Flaws

2022-10-12T02:17:27Z

SciresM: Move ro aslr flaw to non-firm sysmodules section

Exploits are used to execute unofficial code (homebrew) on the Nintendo Switch. This page is a list of publicly known Switch system flaws.

For userland applications/applets flaws see [[Switch_Userland_Flaws|here]].

= System flaws =
== Hardware ==
Flaws in this category pertain to the underlying hardware that powers the Switch.

This includes components shared across Tegra based devices such as the [[TSEC]], the [[Security_Engine|Security Engine]], the [[GPU]] and so on.

{| class="wikitable" border="1"
! Summary
! Description
! Fixed with hardware model/revision
! Newest hardware model/revision this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| CVE-2018-6242 (leveraged by the ShofEL2 and Fusée Gelée exploits)
| The USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker. By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur. This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) "application processors" at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3).
| HAC-001-01 (Mariko/Tegra214/Tegra210b01) (also fixed independently on Tegra186).
| HAC-001 (Tegra210)
| January 2018
| April 23, 2018
| [[User:Shuffle2|shuffle2]] and fail0verflow (originally),<br> [[User:Ktemkin|ktemkin]] and ReSwitched Team (independently),<br> [[User:Naehrwert|naehrwert]] (independently),<br> [[User:Hexkyz|hexkyz]] (independently),<br> st4rk with [[User:Shinyquagsire23|Shiny Quagsire]] and Dazzozo (independently),<br> and many others (independently).
|-
| GMMU DMA attack
| The Switch's GPU includes a separate MMU (GMMU) that is allowed to bypass the system's IOMMU (SMMU). By accessing the GPU's MMIO region and manipulating the page table entries in the GMMU, an attacker can read/write any portion of the DRAM (except memory carveouts).

[5.0.0+] Works around this hardware flaw by using memory pool partitioning. You can no longer escalate into sysmodules with GPU DMA because all their memory is allocated using heap that's carved out.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by adding a new register which restricts what memory untranslated DMA requests may access. Untranslated GPU DMA may now only access the GPU carveout (physmem 0x80002000-0x80006000), which the GPU already has legitimate and exclusive access to.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| Summer 2017
| December 28, 2017
| [[User:hexkyz|hexkyz]], [[User:SciresM|SciresM]] and [[User:qlutoo|qlutoo]]
|-
| Weak Security Engine context validation
| The Tegra X1 supports a "deep sleep" feature, where everything but DRAM and the PMC registers lose their content (and the SoC loses power). Upon awaking, the bootrom re-executes, restoring system state. Among these stored states is the Security Engine's saved state, which uses AES-128-CBC with a random key and all-zeroes IV. However, the bootrom doesn't perform a MAC on this data, and only validates the last block. This allows one to control most of security engine's state upon wakeup, if one has a way to modify the encrypted state buffer.

With a way to modify the encrypted state buffer, one can thus dump keys from "write-only" keyslots, etc.

This also bypasses the SBK protection of the bootROM: indeed, at warmboot, bootROM will always clear keyslot 0xE to prevent malicious code from saving the SBK. Moving the SBK to another keyslot in the saved context renders this protection moot.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by streamlining the context save process; security engine contexts are now saved to protected memory which the CPU cannot access or modify.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| December 2017
| January 20, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
|-
| Security Engine keyslots vulnerable to partial overwrite attack
|
The Tegra X1 security engine supports writing keyslot data to the engine with syntax as follows:

SECURITY_ENGINE->AES_KEYTABLE_ADDR = (keyslot << 4) | (dword_index_in_keyslot);

SECURITY_ENGINE->AES_KEYTABLE_DATA = readle32(key, dword_index_in_keyslot * 4);

However, the Security Engine flushes writes to the internal key tables immediately when AES_KEYTABLE_DATA is written -- this allows one to overwrite a single dword of a key at a time, and thus brute force the contents of keyslots in time (2^32 * 8) = 2^35 instead of 2^256.
| None
| HAC-001 (Tegra210)
| Theorized Summer 2017 due to suggestive syntax, confirmed April 9, 2018
| April 9, 2018
| [[User:SciresM|SciresM]], almost surely others (independently).
|-
| Poor validation of bootrom SDRAM configuration parameters leads to arbitrary writes in bootrom
|
The Tegra X1 bootrom supports saving SDRAM parameters to scratch registers, and using the saved configuration to enable DRAM during warmboot.

The code that parses these parameters does if (params->EmcBctSpareN) *params->EmcBctSpareN = params->EmcBctSpareNPlusOne for most N, without validating either the address or value written to it.
There are other arbitrary writes in this code, as well (e.g. BootromPatch parameters intended for patching MISC registers do not check a relative offset to 0x7000000, etc).

This allows a user with access to the PMC registers (via pre-sleep bpmp execution, or otherwise) to gain arbitrary bootrom code execution.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by validating that the spare writes/bootrom patch before performing them.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| 2017
| December 16, 2018
| Everyone (independently).
|-
| TSEC ROM does not clear crypto registers after signature verification
|
TSEC supports executing signed-microcode at a greater privilege level than normal payloads.

When jumping to signed microcode, the caller is expected to load hardware crypto register $c6 = <signature>, $c7 = <seed (zero for all officially-signed microcode)>.

TSEC ROM then calculates the expected signature and compares it to the user-supplied one in $c6. On match, the secure payload is executed, and on failure an exception is raised.

However, TSEC ROM fails to clear the crypto registers used to calculate the expected signature in either of the success/failure cases.

Thus, with some way of obtaining the contents of crypto registers (e.g. ROP under some secure payload), an attacker can dump intermediary values from signature calculation.

With enough data/trial/error, this is enough to reconstruct the signature algorithm:
* mac = <davies meyer hash of (page || address of page) for each 0x100 page in the payload>
* key = AES-ENCRYPT(hardware csecret 0x1, seed)
* signature = AES-ENCRYPT(key, mac)

| None
| HAC-001 (Tegra210)
| Late 2018/Early 2019
| August 2020
| [[User:qlutoo|qlutoo]]/[[User:Hexkyz|hexkyz]]/[[User:Shuffle2|shuffle2]], [[User:SciresM|SciresM]]/[[User:motezazer|motezazer]] (independently).
|-
| TSEC signature validation design flaw leads to fake-signing
|
As mentioned above, when jumping to signed microcode the caller is expected to load hardware crypto register $c6 = <signature>, $c7 = <seed (zero for all officially-signed microcode)>.

However, TSEC ROM performs no validation on the input seed used to generate the signing key.

This leads to the following attack:
* Attacker gains rop under any secure microcode payload with signature = S.
* Attacker uses the "csigenc" instruction to obtain K = AES-ENCRYPT(hardware csecret 0x1, S).
* Attacker jumps to their own microcode with $c6 = <signature calculated on pc using K>, $c7 = S
* TSEC ROM calculates key = AES-ENCRYPT(hardware csecret 0x1, S) = K, and the signature check passes.
* Attackers microcode is executed in secure mode as though it were signed by NVidia.

Thus an attacker who has exploited *any* secure payload may use this to obtain a "fake signature key", which can be used to sign and execute arbitrary microcode in secure mode.

Note: this does not break the TSEC cryptosystem, as the csigenc mechanism relies on the signature of the executing microcode, and fakesigning produces different signatures from NVidia that cannot be controlled.
| None
| HAC-001 (Tegra210)
| Late 2018/Early 2019
| August 2020
| [[User:qlutoo|qlutoo]]/[[User:Hexkyz|hexkyz]]/[[User:Shuffle2|shuffle2]], [[User:SciresM|SciresM]]/[[User:motezazer|motezazer]] (independently).
|-
| ROP under TSEC secure bootrom via DMA engine stack overwrite (--xploit)
| TSEC DMA engine does not stop when entering TSEC secure bootrom. By pointing TSEC DMA to current stack before secure bootrom entry, stack can be controlled.

One can then use blind ROP against the TSEC secure bootrom (which is execute only, and cannot be dumped).

With sufficient effort, an attacker can construct a ROP chain that leads to csigcmp being executed with fully controlled arguments.

This allows for arbitrary heavy secure mode code execution with the current signature set to an arbitrary value.

This completely breaks the TSEC cryptosystem, by allowing one to obtain the result of csigenc with signature = <any desired value>.

This has many uses/results, notably including dumping the "true" signature key (set signature = zeroes, perform csigenc using csecret 0x1).
| None
| TSEC for all Tegra devices
| Late 2018
| Jan 2021
| [[User:Hexkyz|hexkyz]]/[[User:SciresM|SciresM]], [[User:Vale|Vale]]/[[User:Thog|Thog]] (independently), [[User:Tatsuko|Tatsuko]] (independently), possibly others (independently).
|-
| Boot straps are not relatched on watchdog resets (strapwn)
| On boot, the BOOTSELECT, RCM and RAM_CODE straps are latched from external GPIO to determine which boot medium to use and verify from in bootrom. However, APB_MISC_PP_STRAPPING_OPT_A can be overwritten with arbitrary values following bootrom. Write access to PP_STRAPPING_OPT_A would otherwise be mundane, however these straps are not relatched during a watchdog reset (despite being latched during other software resets), allowing for arbitrary straps to be selected and executed in bootrom.

This allows setting NVPROD_UART on some hardware configurations where it would normally be unavailable (ie on Jetson Nano boards), but is otherwise mostly useless and/or useful for testing unintended boot options (such as USB Mass Storage boot) without having to move boot strap resistors.
| Unknown
| HAC-001 (Tegra210)
| May 2020
| April 30, 2021
| [[User:Shinyquagsire23|Shiny Quagsire]]
|}

== Firmware ==
Flaws in this category pertain to the firmware running on hardware devices, such as wifi/bluetooth, etc. Firmware is generally uploaded by sysmodules.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Broadpwn (CVE-2017-9417)
| See [https://blog.exodusintel.com/2017/07/26/broadpwn/ here] and [https://www.blackhat.com/docs/us-17/thursday/us-17-Artenstein-Broadpwn-Remotely-Compromising-Android-And-iOS-Via-A-Bug-In-Broadcoms-Wifi-Chipsets.pdf here].
| Code execution on the wifi controller (untested on Switch).
| [[4.0.0]]
| [[4.0.0]]
| Switch: July 2022
| Switch: July 30, 2022
| Switch: [[User:Yellows8|yellows8]]
|-
|}

== Software ==
=== Bootloader ===
Flaws in this category pertain to any bootloader component such as the [[Package1#Package1ldr|package1ldr]], the [[Package1#Section_1|NX bootloader]] or the [[Package1#Section_0|warmboot binary]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Null-dereference in panic()
| The Switch's stage 1 bootloader, on panic(), clears the stack and then attempts to clear the Security Engine. However, it does so by dereferencing a pointer to the SE in .bss (initially NULL), and this pointer doesn't get initialized until partway into the bootloader's main() after several functions that might panic() are called. Thus, a panic() caused prior to SE initialization would result in the SE pointer still being NULL when dereferenced.
The BPMP doesn't have an active MPU and the bus won't data abort on an invalid address, so no exception will be entered: it'll end up overwriting some exception vectors with NULL before halting.

In 3.0.0, this was fixed by moving the security engine initialization earlier in main(), before the first function that could potentially panic().
| Some exception vectors overwritten with NULL, before SBK/other keyslots are cleared. Probably useless for anything more interesting.
| [[3.0.0]]
| [[3.0.0]]
| Early July, 2017
| July 30, 2017
| Everyone who diff'd 2.3.0 and 3.0.0 Package1
|-
| FUSE_DIS_PGM not written by package1
| The switch's hardware fuse driver contains a write-once bit in a register called "FUSE_DIS_PGM", which disables burning fuses until the next reboot. While Nintendo's bootloader code for waking up from sleep writes this on all firmware, the actual package1 initial bootloader forgets to write to it on cold reboot.

This isn't too big of a problem because another fuse is burnt on retail devices (production mode), which prevents burning *all* fuses other than ODM_RESERVED ones in hardware.

This was fixed in 3.0.0 by writing to the register on cold boot (although the write happens in TZ instead of package1 where it should take place, possibly to obfuscate the fact that they made this mistake).
| Burning arbitrary ODM reserved fuses with TZ code execution, which should never be possible for non-bootloader code.

Warning: one could irreparably brick one's console by playing with this.
| [[3.0.0]]
| [[3.0.0]]
| Late summer/early fall 2017
| December 31, 2017
| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]]
|-
| maconstack (TSEC firmware leaves MAC on the stack)
| Package1ldr loads a firmware blob into TSEC early on boot. This piece of code runs on the TSEC in Authenticated Mode and has the sole purpose of generating the per-console TSEC key (see [[Cryptosystem]]).

As a way to mitigate attacks, the TSEC firmware blob is split into 3 stages: [[TSEC_Firmware#Boot|Boot]] which is unencrypted and unsigned, [[TSEC_Firmware#KeygenLdr|KeygenLdr]] which is unencrypted but signed and [[TSEC_Firmware#Keygen|Keygen]] which is encrypted and signed.
Boot loads a static pre-generated signature into the Falcon's CPU crypto registers, loads KeygenLdr into the Falcon's CODE region and jumps to it. Execution will proceed into KeygenLdr in Heavy Secure Mode if, and only if, the loaded signature matches the one Falcon calculates internally for KeygenLdr.

Among various things, KeygenLdr will attempt to do a "backwards" security check by calculating a CMAC over Boot and comparing it with a known hash stored in the TSEC firmware's key data (a small buffer stored after Boot's code). If the hashes don't match, execution aborts.

KeygenLdr stores the calculated Boot's CMAC in the stack, but forgets to clear it. Since the stack is located in Falcon's DATA region, loading the TSEC firmware blob and dumping the DATA region afterwards (via MMIO) will reveal the calculated hash.
This allows using KeygenLdr as an oracle to generate a valid CMAC for arbitrary Boot code. Replacing the CMAC in the TSEC firmware's key data region results in KeygenLdr accepting any Boot code, thus rendering this security measure useless.

Additionally, since signed Falcon code can't be revoked without an hardware revision, an attacker can always reuse the flawed KeygenLdr code even if a fix is issued.
| Running TSEC firmware's KeygenLdr in a user controlled environment.
| None
| [[5.0.2]]
| January 2018
| April 29, 2018
| [[User:Hexkyz|hexkyz]], [[User:Rei|Reisyukaku]] (independently), probably others (independently).
|-
| Stack smash in TSEC firmware's KeygenLdr
| Given that we can control the [[TSEC_Firmware#Key_data|key data]] (which is not authenticated) and the [[TSEC_Firmware#Boot|Boot]] blob (see "maconstack"), as well as the fact Non-secure and Heavy Secure code share the same stack, we can use this to attack KeygenLdr. KeygenLdr uses memcpy to copy over a payload to DMEM to verify it, which can be abused to smash the stack (in DMEM) and write over the return address of said function.
| ROP under KeygenLdr in Heavy Secure mode.
| None
| [[8.0.1]]
| Early 2018
| May 21, 2019
| Everyone (independently).
|-
| pk1ldrhax
| Package1ldr decrypts and verifies the keyblob inside of the current BCT in order to get the package1 key, and then uses the package1 key to decrypt package1. It then validates package1 before jumping to it by checking the PK11 magic number, and that the section sizes sum to the expected size (and are individually less than the expected size).

However, package1ldr does not actually validate the package1 key against a fixed vector (much like kernel9loader forgot to do so on the 3ds). This would normally not matter, as keyblobs are validated -- however, with bootrom code execution one can dump SBK and forge keyblobs, and thus control the package1 key.

Thus ('''in theory, but not in practice due to the size of the brute force required''') one can replace the package1 key with garbage, causing package1 to decrypt into garbage, and hope that this garbage passes validation checks and that package1ldr jumping into the garbage will do something useful.

This was fixed incidentally in [[6.2.0]], as pk1ldr does not use keyblob data to decrypt package1 any more.

| With a large enough brute force: arbitrary package1 code execution from coldboot.

However, a usable brute force is on the order of >= ~2^80, so '''this is almost certainly not actually usable in any meaningful context'''.
| [[6.2.0]]
| [[6.2.0]]
| Early 2017 (as soon as plaintext package1ldr was first dumped)
| November 20, 2018
| Everyone
|}

=== TrustZone ===
Flaws in this category pertain exclusively to the [[Package1#Section_2|Secure Monitor]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Non-atomic mutexes
| When an [[SMC]] is called, TrustZone sets a global variable to mark that an SMC is in progress, so that two SMCs using shared resources (like the security engine) do not trample on one another. On 1.0.0, this global variable was written using non-atomic writes, and thus a race condition is possible.

However, the SMC handler enforces that all SMCs must be called from core #3, unless the top-level handler ID is 1 (SMCs internal to the kernel). Thus, the only SMCs that can be run side-by-side are [any userland smc] and smcGetRandomBytesForKernel, and this turns out to not really be abusable.
| Mostly useless. Maybe some oob-write into unused (and thus useless) memory if running smcGetRandomBytesForKernel and smcGetRandomBytesForUser at the same time.
| [[2.0.0]]
| [[2.0.0]]
| December 2017 (Probably earlier by others)
| January 18, 2018
| [[User:SciresM|SciresM]], probably others (independently).
|-
| jamais vu (non-secure world access to PMC MMIO and pre-deep sleep firmware)
| On [[1.0.0]], one could map in the PMC registers in userland. In addition, [[AM_services|am]] ran a little-kernel based firmware on the BPMP at runtime. With code execution under am, one could modify the BPMP's little-kernel firmware to hook deep sleep entry, and modify TrustZone/Security engine state.

This was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry.
| Arbitrary TrustZone code execution.
| [[2.0.0]]
| [[2.0.0]]
| December, 2017
| January 20, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
|-
| Missed BPMP Exception Vector Writes
| Starting in [[2.0.0]], the BPMP is asleep at runtime, and is turned on by TrustZone during [[SMC|smcCpuSuspend]] in order to initiate the deep sleep process. When it does so, it is held in RESET, and TrustZone attempts to write to the BPMP exception vectors at 0x6000F200 to register EVP_RESET = lp0_entry_fw_crt0, and all other EVPs to a function that simply reboots. However, while they successfully write EVP_RESET, they miss all the other vectors, accidentally writing to the 0x6000F004-0x6000F020 region instead of the 0x6000F204-0x6000F220 region they want to write to. This results in all the exception vectors for the BPMP other than RESET being "undefined" (attacker controlled).

With some way of causing an exception vector to be taken at the right time, this would give pre-sleep code execution (and thus arbitrary TrustZone code execution, via the security engine flaw). However, none of the abort vectors are really triggerable, and interrupts are disabled for the BPMP when it is taken out of reset. Thus, this is useless in practice.

This was fixed in [[4.0.0]] by writing to the correct registers.
| Theoretically: Arbitrary TrustZone code execution. In practice: Useless.
| [[4.0.0]]
| [[4.0.0]]
| January, 2018
| February 23, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]], [[User:Naehrwert|naehrwert]], [[User:Hexkyz|hexkyz]], probably others (independently).
|-
| TSEC has access to the secure kernel carveout
| TrustZone is responsible for managing security carveouts to prevent DMA controllers from accessing the carveout which contains the kernel, sysmodules, and other critical operating system data.

Until [[8.0.0]], the list of devices that could access the carveout included the TSEC. However, the TSEC can bypass the SMMU when in authenticated mode by writing to a certain register. Thus, pwning nvservices would allow one to take over the TSEC, and use it to write to normally protected mmio/memory.

In [[8.0.0]], this was fixed by removing TSEC access, and adding TSECB access (TSECB cannot bypass the SMMU).
| With access to the TSEC mmio (nvservices ROP) and code execution in TSEC Heavy Secure mode, kernel code execution, probably.
| [[8.0.0]]
| [[8.0.0]]
| 2017 (when TrustZone code plaintext was first obtained).
| April 15, 2019
| Everyone
|-
| deja vu (insufficient system state validation on suspend leads to pre-sleep BPMP code execution)
| Jamais Vu was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry, since gaining pre-sleep code execution on the BPMP compromises the system.

However, the state validation performed by Nintendo's Secure Monitor was insufficient to prevent pre-sleep execution from being obtained.

Prior to [[6.0.0]], one could use a DMA controller that had access to IRAM and was not held in reset (there were multiple) to race TrustZone's writes to the BPMP firmware in IRAM, and thus overwrite Nintendo's firmware with an attacker's to gain pre-sleep code execution.

[[6.0.0]] addressed this by performing TrustZone state MAC writes and locking PMC scratch *before* turning on the BPMP, fixing the original Jamais Vu exploit entirely. In addition, the BPMP firmware in TrustZone's .rodata is now memcmp'd to the actual data after it is written to IRAM. This mitigates race attacks that modify the firmware.

However, Nintendo both forgot to validate the BPMP exception vectors after writing them, and forgot to hold in reset a DMA controller that can write to the BPMP's exception vectors.

AHB-DMA is not blacklisted by kernel mapping whitelist (Nintendo probably forgot it, because the TX1 TRM does not really document that it's present, although the MMIO works as documented in older (Tegra 3 and before) TRMs).

Thus, with kernel code execution (or some other way of accessing AHB-DMA, e.g. nspwn on <= 4.1.0, TSEC hax, or other arbitrary mmio access flaws), one can DMA to the BPMP's exception vectors as they are written, causing TrustZone to start the BPMP executing an attacker's firmware at a different location than TrustZone intends/validates.

This was fixed in [[8.0.0]] by blocking AHB-DMA arbitration and verifying it is held in reset during suspend, and thus there are no more devices that can write to the relevant MMIO at the right time.

| Arbitrary TrustZone/BootROM code execution, by using either the original Jamais Vu flaw (prior to [[6.0.0]] or a warmboot bootrom exploit (any firmware where pre-sleep execution can be gained).
| [[8.0.0]]
| [[8.0.0]]
| December 2017
| April 15, 2019
| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]] and ktemkin, [[User:Naehrwert|naehrwert]] (independently), almost certainly others (independently)
|-
| TrustZone allows using imported RSA exponents with arbitrary modulus
| TrustZone supports "importing" RSA private exponents for use by userland -- these are stored encrypted with TrustZone only keydata in NAND, and decrypted only to TZRAM. This prevents a console that has compromised userland from learning the private exponents of these keys and doing calculations with them offline. In practice, this is used for FS (gamecard communications), ES (drm), and SSL (console client cert communications).

However, the actual SMC API only imports the RSA exponent, and not the modulus, which is passed separately by userland in each call. There is no validation done on the modulus passed in -- this means that userland can pass in any message and modulus it chooses, and obtain the result of (message ^ private exponent) % modulus back from the secure monitor.

By choosing a prime number modulus P such that P has "smooth" order (totient(P) == P-1 is divisible only by "small" primes), one can efficiently use the [[wikipedia:Pohlig-Hellman algorithm|Pohlig-Hellman algorithm]] to calculate the discrete logarithm of such a result directly, and thus obtain the private exponent.

This is mostly useless in practice, given the general availability of other exploits to obtain these decrypted exponents.

This was fixed in 10.0.0 by importing the modulus in addition to the exponent for the ES device key and ES client cert key. For backwards compatibility reasons the SSL key and Lotus key still only import the exponent.

StorageExpMod also now validates that the exponentiation of "DDDDD..." about the provided modulus by the imported exponent and then the fixed public exponent returns "DDDDD...", and returns invalid argument if validation fails.
| With userland privileges sufficient to use an imported RSA key: obtaining that RSA key's private exponent.
| [[10.0.0]]
| [[10.0.0]]
| August 14, 2019
| August 14, 2019
| [[User:SciresM|SciresM]]
|}

=== Kernel ===
Flaws in this category pertain exclusively to the [[Package2#Section_0|HorizonOS Kernel]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Syscall Infoleaks
| Many syscalls leaked kernel pointers on sad paths (for example svcSetHeapSize and svcQueryMemory), until they landed a bunch of fixes in 2.0.0.
| Nothing really.
| [[2.0.0]]
| [[2.0.0]]
|
|
| ?
|-
| svcWaitSynchronization/svcReplyAndReceive bad cleanup on error
| If there is a page fault when fetching handles from the userspace array, it cleans up by dereferencing all objects despite having only loaded first N. Allows the attacker to make arbitrary decrefs on any kernel synchronization object, and thus can be used to get UAF. Haven't actually been tried on real HW though, but should work (tm).
| Kernel code execution
| [[2.0.0]]
| [[2.0.0]]
|
| 24 April
| [[User:qlutoo|qlutoo]]
|-
| Bad irq_id check in CreateInterruptEvent
| CreateInterruptEvent syscall is designed to work only for irq_id >= 32. All irq_ids < 32 are "per-core" and reserved for kernel use (watchdog/scheduling/core communications).
On 1.0.0 you could supply irq_id < 32 and it would write outside the SharedIrqs table.
| You can register irq's in the Core3Irqs table, and thus register per-core irqs for core3, that are normally reserved for kernel. Useless.
| [[2.0.0]]
| [[2.0.0]]
| ~October
| 17 October
| [[User:qlutoo|qlutoo]]
|-
| Kernel .text mapped executable in usermode
| Prior to [[3.0.2]] the kernel .text was [[Memory_layout|mapped]] in usermode as executable. This can be used for usermode ROP for bypassing ASLR, but SVCs/IPC are not usable by running kernel .text in usermode.
| Executing kernel .text in usermode
| [[3.0.2]]
| [[3.0.2]]
|
| 34c3 (December 28, 2017)
| [[User:qlutoo|qlutoo]]
|-
| Memory Controller not properly secured
| The Switch OS originally had the memory controller not set to be accessible only by the secure-world, which was problematic because insecure access can compromise the kernel.

This was fixed partially in [[2.0.0]] by blacklisting the memory controller from being mapped by user-processes, and was fixed entirely in [[4.0.0]] by making the memory controller TZ-only and making all kernel accesses go through [[SMC|smcReadWriteRegister]].
| With some way to access the memory controller MMIO, arbitrary kernel code execution.
| [[4.0.0]]
| [[4.0.0]]
| January 2018
| January 2018
| [[User:SciresM|SciresM]], [[User:Yellows8|yellows8]]
|-
| Potential [[SVC|svcWaitForAddress]] thread use-after-free
| Between [[4.0.0]], where svcWaitForAddress was introduced, and [[7.0.0]], there was a second intrusive rbtree node in KThread for the WaitForAddress tree (the key being (address, priority), sorted lexicographically). Unlike the WaitProcessWideKeyAtomic tree, the kernel forgot to reinsert the WaitForAddress node when the thread's priority changed (priority inheritance and/or SetPriority), breaking the rbtree invariants; and since the kernel walks through the entire tree to remove intrusive nodes, you could cause threads to stay in the tree even after their deletion.

[[7.0.0]] fixed the issue by using the same intrusive node for both trees. The thread/node knows which tree it is in, and the latter is correctly updated when thread priority changes.
| It unluckily didn't look exploitable
| [[7.0.0]]
| [[7.0.0]]
| July 2018
| February 2019
| [[User:TuxSH|TuxSH]]
|-
|}

=== FIRM-package System Modules ===
Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Service access control bypass (sm:h, smhax, probably other names)
| Prior to [[3.0.1]], the ''service manager'' (sm) built-in system module treats a user as though it has full permissions if the user creates a new "sm:" port session but bypasses [[Services_API#Initialize|initialization]]. This is due to the other sm commands skipping the service ACL check for Pids <= 7 (i.e. all kernel bundled modules) and that skipping the initialization command leaves the Pid field uninitialized.
In [[3.0.1]], sm returns error code 0x415 if [[Services_API#Initialize|Initialize]] has not been called yet.
| Acquiring, registering, and unregistering arbitrary services
| [[3.0.1]]
| [[3.0.1]]
| May 2017
| August 17, 2017
| Everyone
|-
| Overly permissive SPL service
| The concept behind the switch's [[SMC|Secure Monitor]] is that all cryptographic keydata is located in userspace, but stored as "access keys" encrypted with "keks" that never leave TrustZone. The [[SPL services|spl]] ("security processor liaison"?) service serves as an interface between the rest of the system and the secure monitor. Prior to [[4.0.0]], spl exposed only a single service "spl:", which provided all TrustZone wrapper functions to all sysmodules with access to it. Thus anyone with access to the spl: service (via smhax or by pwning a sysmodule with access) could do crypto with any access keys they knew.

This was fixed in [[4.0.0]] by splitting spl: into spl:, spl:mig, spl:ssl, spl:es, and spl:fs.
| Arbitrary spl: crypto with any access keys one knows. For example, one could use the SSL module's access keys to decrypt their console's SSL certificate private key without having to pwn the SSL sysmodule.
| [[4.0.0]]
| [[4.0.0]]
| Summer 2017 (after smhax was discovered).
| December 23, 2017
| Everyone
|-
| Single session services not really single session
| Several "critical" services (like fsp-ldr, fsp-pr, sm:m, etc) are meant to only ever hold a single session with a specific sysmodule. However, when a sysmodule dies, all its service session handles are released -- and thus killing the holder of a single session handle would allow one (via sm:hax etc) to get access to that service.

This was fixed in [[4.0.0]] by adding a semaphore to these critical single-session services, so that even if one gets access to them an error code will be returned when attempting to use any of their commands.
| With some way to access these services and kill their session holders (like expLDR): dumping sysmodule code, arbitrary service access, elevated filesystem permissions, etc.
| [[4.0.0]]
| [[4.0.0]]
| May/June 2017 (basically immediately after smhax was discovered)
| December 30, 2017
| Everyone
|-
| nspwn
| fsp-ldr command 0 "MountCode" takes in a Content Path (retrieved from NCM by Loader), and returns an IFileSystem for the resulting ExeFS. These content paths, are normally NCAs, but MountCode also supports a number of other formats, including ".nsp" -- which is just a PFS0.

When a path ending in ".nsp" is parsed by MountCode, the PFS0 is treated as a raw ExeFS. Because there is no NCA header, the ACID signatures are not validated -- and because there are no other signatures in a PFS0, this results in no signature checking happening at all.

The actual .nsp handling is eventually done by {content mounting function} called by MountCode and other FS commands.

Thus, by placing an ExeFS (NSOs + "main.npdm") and setting one's desired title ID to "@Sdcard:/some_title.nsp" or "@User:/some_title.nsp" etc one can launch arbitrary unsigned code, with arbitrary unsigned NPDMs.

This appears to have been fixed by only allowing .nsp when the input fstype==7 for the internal content-mounting function, returning 0x2EE202 otherwise.
| With access to "lr": Arbitrary code execution with full system privileges.
| [[5.0.0]]
| [[5.0.0]]
| Late 2017
| April 23, 2018
| Everyone
|-
| Single null-byte stack overflow in Loader ContentPath parsing
| Previously, loader content path parsing looked like this, where path_from_lr was up to 0x300 bytes and not necessarily null-terminated:

char nca_path[0x300] = {0};
strcat(nca_path, path_from_lr);
for (int i = 0; nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}

Thus, a content path of the maximum length (0x300 bytes) would result in strcat writing a NULL terminator past the end of the nca_path buffer.

This was fixed in [[6.0.0]], the new code looks like this:

char nca_path[0x300];
strncpy(nca_path, path_from_lr, sizeof(nca_path));
for (int i = 0; i < sizeof(nca_path) && nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}

| With access to "lr": single null-byte stack overflow in Loader. Maybe (but probably not) loader code execution.
| [[6.0.0]]
| [[6.0.0]]
| September 2, 2018
| September 19, 2018
| SciresM
|-
| System modules vulnerable to selective downgrade attacks
| Horizon has no mechanism for specifying the specific title version to Loader on process creation.

Observing this, one can note that after a system update one could install a downgraded version of a specific system module (e.g. nvservices) while leaving the rest of the OS at the same version.

Unless there was some breaking API change, this allows one to make a console vulnerable once more to an exploit in a sysmodule by downgrading it and nothing else.

This was fixed in [[8.1.0]] by incrementing a version field in NPDM, and checking it against a hardcoded list for certain titles in Loader's process creation func.
| With access to content installation commands (or a vulnerable lower version to selectively install newer titles), reintroducing bugs in vulnerable system modules on newer firmware versions.
| [[8.1.0]]
| [[8.1.0]]
| When FIRM was first dumped in 2017.
| June 17, 2019
| Everyone
|-
| Broken RNG for [[Loader_services|Loader]] ASLR
| The RNG used for generating the ASLR slide is only seeded with 32bits, with the data from [[SVC|svcGetInfo]]. Hence, one could bruteforce the seed if one has infoleaks from any programs. This can be successfully bruteforced with at least 2 sample codebin addrs from different programs (with only 1 sample a lot of invalid seeds are found), however in some cases more than 1 seed might be found.

With [15.0.0+] Loader now uses csrng_GenerateRandomBytes for determining the ASLR slide.

See also [https://github.com/switchbrew/loader-aslr-solver loader-aslr-solver].
| Breaking ASLR for all non-KIP processes, allowing predicting the main-codebin base addr for all non-KIP processes until the next reboot.
| [[15.0.0]]
| [[15.0.0]]
| January 30, 2022 (presumably found much earlier?)
| October 11, 2022
| Everyone
|}

=== System Modules ===
Flaws in this category pertain to any non-built-in system module.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA bsa_sv_av_cback stack buffer overflow
| bsa_sv_av_cback checks for two input type values (0xC/0xD), on match it copies the input data to stack without size validation. Then it sends an internal request with this data (likewise when the type values don't match, except the input data is passed directly with a small size), then it returns.
This requires the AV functionality added with [13.0.0+], however this func is only reachable with [14.0.0+] where the required functionality was enabled.

This requires message data that's larger than the MTU, so fragmentation must be used, or manually send the ACL data to bypass the MTU.

This can be triggered via an AVRC message with opcode=0x0 (vendor). The above type 0xC is reached via AVRC ctype 0..4, while 0xD is reached with ctype>=0x9.

With [15.0.0+] the size value for the memcpy (which is also written to the request struct) is clamped to a max value.
| Bluetooth-sysmodule stack buffer overflow on [14.0.0-14.1.2], with data received from an AVRC bluetooth message with a bluetooth-audio device.
| [[15.0.0]]
| [[15.0.0]]
| November 2021
| October 11, 2022
| [[User:Yellows8|yellows8]]
|-
| Broken RNG used by [[NS_Services|ns]]
| The code generating the sd seed and the data for the [[SD_Filesystem|sd]] private/private1 file, all use nn::os::GenerateRandomBytes, not csrng. The sd-seed is generated first, then private, then private1. This allows deriving sd-seed from private since this uses TinyMT, as long as the system shipped from factory on [2.0.0+]. private1 is only useful if the system shipped with [4.0.0+].

There's various other code in ns using nn::os::GenerateRandomBytes as well. This includes the code generating ns_systemseed when it doesn't exist. ns_systemseed is generated at some point after the various sd-seed-related code (both are called from the same func). Hence, ns_systemseed can be recovered with the above method as well, if it wasn't recreated at some point without regenerating the above nand-save used with the above.

With [15.0.0+] ns now uses csrng_GenerateRandomBytes for sd-seed/private and ns_systemseed, etc. This only matters when the file is newly generated, which is usually only for factory-fresh systems which ship with this version.
| Generation of a system's sd-seed allowing decryption of the NAX0 layer of data on [[SD_Filesystem|SD]], derived using the private file from SD. Applies to systems which factory-shipped with a system-version prior to [[15.0.0]] (that is, [2.0.0-14.1.2]).
| [[15.0.0]], for newly generated files
| [[15.0.0]]
| December ~12, 2021
| October 11, 2022
| [[User:Yellows8|yellows8]]
|-
| Infoleak with [[Joy-Con]] HidCommand PairingIn
| The joycon protocol handler for PairingIn copies data from stack to the response cmd-buf for sending PairingOut. Only the first byte is set to a type value, the rest is uninitialized stack data.

This was fixed with [15.0.0+] by directly writing to the response data without using stack data.
| Infoleak of hid stack via a bluetooth/uart message+response with a connected hid controller. This returns addrs for the main-codebin/stack, which allows defeating ASLR.
| [[15.0.0]]
| [[15.0.0]]
| September 4, 2020
| October 10, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFMEDIA input can contain ptr
| Originally bsd ioctl SIOCGIFMEDIA used the user-specified ifmediareq structure directly from the input buffer. This includes a ptr. This ptr probably isn't actually used?
With [5.0.0+] the structure used as input for the ioctl was changed to using <code>int ifm_ulist[1]</code> instead of <code>int *ifm_ulist</code> (which is unused). The input structure is copied to a tmp struct which is used as the original ifmediareq structure, with ifm_ulist always NULL. The user can still specify a non-zero ifm_count value, however that's not useful with ifm_ulist being always NULL.
| Useless?
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFCONF infoleak
| Originally bsd ioctl SIOCGIFCONF was handled by setting the data in IPC outbuf0 to the size/addr of IPC outbuf1. These buffers are HipcAutoSelect, so if buf1 is small enough for HipcPointer (otherwise it would be HipcMapAlias) the IPC-buf-ptr leaked into outbuf0 would be located in the codebin-region. Since this is done before the actual ioctl-handling, it doesn't matter whether the fd is valid.
This was fixed in [5.0.0+] by using a tmp struct on stack instead of buf0.
| bsdsockets-sysmodule codebin-region addr infoleak, which allows defeating ASLR.
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022 (probably earlier)
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack.
These were fixed by adding a bounds check for the size, size==0 is also checked for now.
| Bluetooth-sysmodule stack buffer overflow, with data received from a bluetooth message
| [[13.2.1]]
| [[13.2.1]]
| November 2021
| January 19, 2022
| [[User:Yellows8|yellows8]]
|-
| [[SSL_services|ssl]] CVE-2021-43527
| CVE-2021-43527, see also [https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 here] and [https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html here].
Using BigSig where the server cert sig is RSA-PSS results in the remote server throwing {no shared cipher} error when Switch connects. If however one creates a rootCA using BigSig (RSA-PSS), which then signs a server cert where the server key is RSA (not PSS), the vuln can be triggered (if the rootCA is trusted, via using the import service-cmd). It's unknown whether there's other ways to trigger the vuln.

The crash occurs in VFY_Begin when using the previously overwritten data. A bitsize of <code>$((16384 + 32 + 64 + 64 + 64))</code> is only enough to overwrite cx->hashcx, to fully overwrite cx->hashobj an additional 0xC-bytes (additional 96 bits) is needed.
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
| [[13.2.1]]
| [[13.2.1]]
| Switch: December 1-2, 2021
| Switch: January 19, 2022
|
|-
| [[Bluetooth_Driver_services|bluetooth]] EventInfo infoleak
| The various funcs which send messages to the thread which handles writing to EventInfo, didn't clear the stack msgbuf. Hence, the various get-EventInfo cmds could return leaked stack data. This likely affected most (?) get-EventInfo cmds, besides CircularBuffer-GetHidReportEventInfo.

This only matters for events where there's uninitialized regions of the EventInfo, such as events with variable-size data without a memset.

This was fixed by clearing the msgbuf in a number of funcs.
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR
| [[13.0.0]]
| [[13.1.0]]
|
| During initial [[13.0.0|diff]]. Added to this page on: December 12, 2021
| [[User:Yellows8|yellows8]]
|-
| Infoleak with [[HID_services|hid:sys]] SetButtonConfigStorage{name}Deprecated
| These cmds pass a stack ptr for the StorageName when calling the internal func. Nothing is written to this StorageName. Hence, stack infoleak (data is copied as a NUL-terminated string), which can be later read by the GetButtonConfigStorage{name} cmds.

This was fixed by removing the Deprecated cmds in [[13.0.0]].
| Infoleak of hid stack from a StorageName readable via GetButtonConfigStorage{name}, up to the NUL-terminator.
| [[13.0.0]]
| [[13.0.0]]
| December 11, 2020
| September 27, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] WriteHidData/WriteHidData2/SetHidReport unchecked memcpy size
| WriteHidData/SetHidReport copies the input struct to stack, then passes it to the funcptr/vfunc call. WriteHidData2 passes the input buffer addr directly to the funcptr/vfunc call. The called func eventually copies the input data to the stack struct using the specified size without validating it.
This requires access to the btdrv service, only hid and btm have access.

This was fixed with [[12.1.0]] in WriteHidData/SetHidReport by doing a fixed-size copy into another tmp struct, with the size field being clamped to a maximum of 0x2BB afterwards. This struct is then used when calling the vfunc. The vfuncs called by WriteHidData/WriteHidData2/SetHidReport were also updated to clamp the size to the required maximum value.
| Stack buffer overflow
| [[12.1.0]]
| [[12.1.0]]
| July 16, 2020
| July 6, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
| The BSA (bt-stack) func bta_hh_co_data copies data from a HID DATA packet to stack without checking the size, then sends it over Uipc. [7.0.0+] The user Uipc callback also copies the input data to stack without checking the size, then sends it to the sharedmem CircularBuffer.
With [12.0.2+] this was fixed in bta_hh_co_data by clamping the size to a maximum of 0x2BB. The aforementioned buffer overflow in the Uipc callback can't be triggered since at that point the size was already clamped.

Before this bta_hh_co_data func is reached, there is no validation of the size (such as comparing against the L2CAP MTU) when Basic Mode is being used.

Actually triggering this requires using a data-size larger than the normal L2CAP MTU. This can be done by for example, using raw HCI to send the packet from the remote bluetooth device.

Note that when the remote device is configured as an audio device for [12.0.0+] where [[Settings_services#BluetoothDevicesSettings|BluetoothDevicesSettings]].TrustedServices was only ever set for audio since system-boot, it is not possible for the remote device to connect to the Switch for HID.
| ROP under [[Bluetooth_Driver_services|bluetooth]] via HID DATA packet sent by a paired HID bluetooth device. This can be triggered at any time while not in sleep-mode, when not in airplane-mode. The earliest is while the Nintendo Switch logo screen is displayed during system boot.
| [[12.0.2]]
| [[12.0.2]]
| July-August 2020
| May 11, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] GetAdapterProperty/SetAdapterProperty unchecked memcpy size
| GetAdapterProperty copies data from stack to the output buffer using the buffer size, without checking the size (when not handling the Name type). SetAdapterProperty copies data to stack from the input buffer using the buffer size, without checking the size.
This requires access to the btdrv service, only hid and btm have access.

This was fixed with [[12.0.0]] by replacing the buffer data with a fixed-size-struct.
| Stack infoleak with GetAdapterProperty, stack buffer overflow (and hence ROP) with SetAdapterProperty.
| [[12.0.0]]
| [[12.0.0]]
| July 17, 2020
| April 7, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] A-63146698
| [https://android.googlesource.com/platform/system/bt/+/226ea26684d4cd609a5b456d3d2cc762453c2d75 A-63146698] / CVE-2017-0785. See also [https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf here].
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR (note: not tested on hw).
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] sdp_server.cc process_service_search() continuation request p_req validation
| With [5.0.0+], the following was added to the if-block prior to loading cont_offset from p_req: <code>(p_req + sizeof(cont_offset) > p_req_end)</code> (which verifies that cont_offset is within message bounds).
| Bluetooth-sysmodule out-of-bounds read from heap, probably not useful since the read value must match a state field, etc.
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[HID_services#hid:sys|hid:sys]] ButtonConfig s32 array-index not validated
| The input s32 array-index for [[HID_services#hid:sys|hid:sys]] ButtonConfig cmds 1255-1270 was originally not validated. Using a negative or >=5 index results in accessing out-of-bounds data, with an array stored on stack.
[10.1.0-10.2.0] Each of these cmds will now Abort if the s32 is negative or >=5. [11.0.0+] Now an unsigned compare is used, with 0 or an error being immediately returned when the value is invalid.
| hid infoleak, out-of-bounds mem-write anywhere in hid address-space relative to the stack array (with constraints on the data).
| [[10.1.0]]
| [[11.0.1]]
| April 18, 2020
| July 14, 2020
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] ClearCaptureBuffer OOB
| The captureBuf is used as an array index without proper validation. There is code validating it, but on failure it just skips over a code-block, with code using captureBuf still being used afterwards. Then this is used to write bools into a global array, one of which is from the command input.
This was fixed with [9.1.0+] by requiring captureBuf = 0-1.
| OOB bool writes into an array
| [[9.1.0]]
| [[13.1.0]]
| ~July 31, 2019
| January 26, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] TakeScreenShotOfOwnLayer OOB
| The captureBuf is used as an array index without validation. Data used from this array includes calling a funcptr from the array entry, if set. Eventually this is also used to write bools into this array, one of which is from the command input.
With [5.0.0+] a func is eventually called to get a ptr determined by the input captureBuf, with nullptr being returned for captureBuf>=0x10. The caller will Abort if nullptr was returned.
| OOB array access
| [[5.0.0]]
| [[13.1.0]]
| ~July 31, 2019
| January 26, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IStorage|AM IStorage]] infoleak
| Originally the buffer allocated by [[Applet_Manager_services#CreateStorage|CreateStorage]] using the specified input size was not cleared. With [8.0.0+] this was fixed by adding a memset() for the buffer after successful allocation.

Hence, IStorage->IStorageAccessor->Read will return uninitialized memory when the Write cmd was not previously used with the specified region.
| Infoleak from the main [[Applet_Manager_services#IStorage|AM]] heap, allowing defeating ASLR by reading addresses from previously allocated objects.
| [[8.0.0]]
| [[8.1.0]]
| December 2018
| August 9, 2019
| [[User:Yellows8|yellows8]]
|-
| Out-of-bounds array read for [[BCAT_Content_Container]] secret-data index
| The [[BCAT_Content_Container]] secret-data index is not validated at all. This is handled before the RSA-signature(?) is ever used. Since the field is an u8, a total of 0x800-bytes relative to the array start can be accessed.
This is not useful since the string loaded from this array is only involved with key-generation.
|
| Unknown
| [[2.0.0]]
| August 4, 2017
| August 6, 2017
| [[User: shinyquagsire23|Shiny Quagsire]], [[User:Yellows8|yellows8]] (independently)
|-
| OOB Read in NS system module (pl:utoohax, pl:utonium, maybe other names)
| Prior to [[3.0.0]], pl:u (Shared Font services implemented in the NS sysmodule) service commands 1,2,3 took in a signed 32-bit index and returned that index of an array but did not check that index at all. This allowed for an arbitrary read within a 34-bit range (33-bit signed) from NS .bss. In [[3.0.0]], sending out of range indexes causes error code 0x60A to be returned.
| Dumping full NS .text, .rodata and .data, infoleak, etc
| [[3.0.0]]
| [[3.0.0]]
| April 2017
| On exploit's fix in [[3.0.0]]
| [[User:qlutoo|qlutoo]], ReSwitched Team (independently)
|-
| Unchecked domain ID in common IPC code
| Prior to [[2.0.0]], object IDs in [[IPC_Marshalling#Domain_message|domain messages]] are not bounds checked. This out-of-bounds read could be exploited to brute-force ASLR and get PC control in some services that support domain messages.
|
| [[2.0.0]]
| [[2.0.0]]
| ~July 2017
| 20 July 2017‎
| [[User:hthh|hthh]]
|-
| expLDR (sysmodule handle table exhaustion)
| Most sysmodules share common template code to handle IPC control messages. The command DuplicateSession (type 5 command 2)'s template code will abort() if it fails to duplicate a session's handle for the requester. Because many sysmodules have limited handle table size (smaller than the browser/other entrypoints), repeatedly requesting to duplicate one's session will cause the sysmodule to run out of handle table space and abort, causing the service to release all its handles cleanly.
| Sysmodule crashes. Most usefully, crashing ldr allows access to fsp-ldr and crashing pm allows access to fsp-pr. Useless after [[4.0.0]], which mitigated a number of single-session service access issues.
| Unfixed
| [[4.1.0]]
| 24 June 2017
| 8 March 2018
| [[User:daeken|daeken]]
|-
| Transfer Memory leak in nvservices system module
| The nvservices sysmodule does not clear most of its transfer memory prior to release.
| The calling process can read key bits of memory, including breaking ASLR (by revealing the image base) and exposing the address of other transfer memory to set up attacks. More details here: [https://daeken.svbtle.com/nintendo-switch-nvservices-info-leak transfermeme (nvservices info leak)] by [[User:daeken|daeken]]
| [[6.0.0]]
| [[6.0.0]]
| June 2017
| 16 October 2018
| [[User:qlutoo|qlutoo]] and [[User:hexkyz|hexkyz]],
[[User:daeken|daeken]] (independently)
|-
| OOB write in audio system module
| Prior to [[2.0.0]], the [[Audio_services#audout:u|AppendAudioOutBuffer]] and [[Audio_services#audin:u|AppendAudioInBuffer]] IPC commands would blindly increment the appended buffers' count while using said count value as an index to where the user data should be copied into. This resulted in an 0x28 bytes, user controlled, out-of-bounds memory write into the [[Audio_services|audio]] sysmodule's memory space.
Combined with the [[Audio_services#audout:u|GetReleasedAudioOutBuffer]] or [[Audio_services#audin:u|GetReleasedAudioInBuffer]] commands, this could also be used as an 8 byte infoleak.

In [[2.0.0]], the commands now return error code 0x1099 if the number of unreleased buffers exceeds 0x1F.
| Code execution under audio sysmodule
| [[2.0.0]]
| [[2.0.0]]
|
| November 2, 2018
| [[User:hexkyz|hexkyz]], probably others (independently).
|-
| nvhax (memory corruption in nvservices system module)
| Prior to [[6.2.0]], the [[NV_services|nvservices]] ioctl [[NV_services#.2Fdev.2Fnvhost-ctrl-gpu|NVGPU_GPU_IOCTL_WAIT_FOR_PAUSE]] would take a single "pwarpstate" argument which would be interpreted by nvservices as a memory pointer for writing 2 "warpstate" structs (one for each Streaming Multiprocessor).
This resulted in nvservices attempting to blindly memcpy into this user supplied address and trigger a crash. However, if paired with an infoleak, this could be used to arbitrarily write 0x30 bytes anywhere in nvservices' memory space.
Additionally, the "warpstate" struct itself was never initialized, which means nvservices would leak the 0x30 bytes from the stack. By invoking other ioctls it was also possible to partially control the stack contents and achieve a usable arbitrary memory write primitive.

In [[6.2.0]], [[NV_services#.2Fdev.2Fnvhost-ctrl-gpu|NVGPU_GPU_IOCTL_WAIT_FOR_PAUSE]] now takes 2 inline "warpstate" structs instead of a "pwarpstate" pointer, thus effectively avoiding the bad memcpy.
| Code execution under nvservices sysmodule
| [[6.2.0]]
| [[6.2.0]]
| April 5, 2017
| November 24, 2018
| [[User:hexkyz|hexkyz]]
|-
| Infoleak in nvservices system module
| The [[NV_services|nvservices]] ioctl [[NV_services#NVMAP_IOC_ALLOC|NVMAP_IOC_ALLOC]] takes an optional argument "addr" which allows the calling process to pass a pointer to user allocated memory for backing a nvmap object. If "addr" is left as 0, nvservices uses the transfer memory region (donated by the user during initialization) instead, when allocating memory for the nvmap object.
By design, freeing the nvmap object by calling the ioctl [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] returns, in its "refcount" argument, the user address previously supplied if the reference count reaches 0.
However, prior to [[6.2.0]], the case where the transfer memory region is used to allocate the nvmap object was not taken into account, thus resulting in [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] leaking back an address from within the transfer memory region mapped in nvservices' memory space.

In [[6.2.0]], [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] no longer returns the address when the transfer memory region is used instead of user supplied memory.
| Combined with other vulnerabilities: Defeating ASLR in nvservices sysmodule.
| [[6.2.0]]
| [[6.2.0]]
| April 2017
| November 24, 2018
| Everyone
|-
| Broken RNG for [[RO_services|ro]] ASLR
| The RNG used to determine where to randomly map NROs in the target process was TinyMT (nn::os::detail::RngManager output, seeded by 128 bits of entropy). However, TinyMT is not cryptographically secure (and can in fact be analytically solved).

Thus, with a few NRO mapping addresses, one could learn the TinyMT state and derive all previous/future RNG outputs, breaking NRO aslr for all processes.

With [15.0.0+] ro now uses csrng_GenerateRandomBytes to determine the random map address for NROs.
| Breaking ASLR for all NROs loaded in all processes, allowing predicting all NRO mappings for all processes until the next reboot.
| [[15.0.0]]
| [[15.0.0]]
| Late 2021/Early 2022
| October 11, 2022
| Everyone
|}

Switch System Flaws

2022-10-12T02:11:46Z

SciresM: same conceptual aslr issue was fixed in ro, not just loader

Exploits are used to execute unofficial code (homebrew) on the Nintendo Switch. This page is a list of publicly known Switch system flaws.

For userland applications/applets flaws see [[Switch_Userland_Flaws|here]].

= System flaws =
== Hardware ==
Flaws in this category pertain to the underlying hardware that powers the Switch.

This includes components shared across Tegra based devices such as the [[TSEC]], the [[Security_Engine|Security Engine]], the [[GPU]] and so on.

{| class="wikitable" border="1"
! Summary
! Description
! Fixed with hardware model/revision
! Newest hardware model/revision this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| CVE-2018-6242 (leveraged by the ShofEL2 and Fusée Gelée exploits)
| The USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker. By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur. This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) "application processors" at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3).
| HAC-001-01 (Mariko/Tegra214/Tegra210b01) (also fixed independently on Tegra186).
| HAC-001 (Tegra210)
| January 2018
| April 23, 2018
| [[User:Shuffle2|shuffle2]] and fail0verflow (originally),<br> [[User:Ktemkin|ktemkin]] and ReSwitched Team (independently),<br> [[User:Naehrwert|naehrwert]] (independently),<br> [[User:Hexkyz|hexkyz]] (independently),<br> st4rk with [[User:Shinyquagsire23|Shiny Quagsire]] and Dazzozo (independently),<br> and many others (independently).
|-
| GMMU DMA attack
| The Switch's GPU includes a separate MMU (GMMU) that is allowed to bypass the system's IOMMU (SMMU). By accessing the GPU's MMIO region and manipulating the page table entries in the GMMU, an attacker can read/write any portion of the DRAM (except memory carveouts).

[5.0.0+] Works around this hardware flaw by using memory pool partitioning. You can no longer escalate into sysmodules with GPU DMA because all their memory is allocated using heap that's carved out.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by adding a new register which restricts what memory untranslated DMA requests may access. Untranslated GPU DMA may now only access the GPU carveout (physmem 0x80002000-0x80006000), which the GPU already has legitimate and exclusive access to.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| Summer 2017
| December 28, 2017
| [[User:hexkyz|hexkyz]], [[User:SciresM|SciresM]] and [[User:qlutoo|qlutoo]]
|-
| Weak Security Engine context validation
| The Tegra X1 supports a "deep sleep" feature, where everything but DRAM and the PMC registers lose their content (and the SoC loses power). Upon awaking, the bootrom re-executes, restoring system state. Among these stored states is the Security Engine's saved state, which uses AES-128-CBC with a random key and all-zeroes IV. However, the bootrom doesn't perform a MAC on this data, and only validates the last block. This allows one to control most of security engine's state upon wakeup, if one has a way to modify the encrypted state buffer.

With a way to modify the encrypted state buffer, one can thus dump keys from "write-only" keyslots, etc.

This also bypasses the SBK protection of the bootROM: indeed, at warmboot, bootROM will always clear keyslot 0xE to prevent malicious code from saving the SBK. Moving the SBK to another keyslot in the saved context renders this protection moot.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by streamlining the context save process; security engine contexts are now saved to protected memory which the CPU cannot access or modify.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| December 2017
| January 20, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
|-
| Security Engine keyslots vulnerable to partial overwrite attack
|
The Tegra X1 security engine supports writing keyslot data to the engine with syntax as follows:

SECURITY_ENGINE->AES_KEYTABLE_ADDR = (keyslot << 4) | (dword_index_in_keyslot);

SECURITY_ENGINE->AES_KEYTABLE_DATA = readle32(key, dword_index_in_keyslot * 4);

However, the Security Engine flushes writes to the internal key tables immediately when AES_KEYTABLE_DATA is written -- this allows one to overwrite a single dword of a key at a time, and thus brute force the contents of keyslots in time (2^32 * 8) = 2^35 instead of 2^256.
| None
| HAC-001 (Tegra210)
| Theorized Summer 2017 due to suggestive syntax, confirmed April 9, 2018
| April 9, 2018
| [[User:SciresM|SciresM]], almost surely others (independently).
|-
| Poor validation of bootrom SDRAM configuration parameters leads to arbitrary writes in bootrom
|
The Tegra X1 bootrom supports saving SDRAM parameters to scratch registers, and using the saved configuration to enable DRAM during warmboot.

The code that parses these parameters does if (params->EmcBctSpareN) *params->EmcBctSpareN = params->EmcBctSpareNPlusOne for most N, without validating either the address or value written to it.
There are other arbitrary writes in this code, as well (e.g. BootromPatch parameters intended for patching MISC registers do not check a relative offset to 0x7000000, etc).

This allows a user with access to the PMC registers (via pre-sleep bpmp execution, or otherwise) to gain arbitrary bootrom code execution.

HAC-001-01 (Mariko/Tegra214/Tegra210b01): Fixes this by validating that the spare writes/bootrom patch before performing them.
| HAC-001-01 (Mariko/Tegra214/Tegra210b01)
| HAC-001 (Tegra210)
| 2017
| December 16, 2018
| Everyone (independently).
|-
| TSEC ROM does not clear crypto registers after signature verification
|
TSEC supports executing signed-microcode at a greater privilege level than normal payloads.

When jumping to signed microcode, the caller is expected to load hardware crypto register $c6 = <signature>, $c7 = <seed (zero for all officially-signed microcode)>.

TSEC ROM then calculates the expected signature and compares it to the user-supplied one in $c6. On match, the secure payload is executed, and on failure an exception is raised.

However, TSEC ROM fails to clear the crypto registers used to calculate the expected signature in either of the success/failure cases.

Thus, with some way of obtaining the contents of crypto registers (e.g. ROP under some secure payload), an attacker can dump intermediary values from signature calculation.

With enough data/trial/error, this is enough to reconstruct the signature algorithm:
* mac = <davies meyer hash of (page || address of page) for each 0x100 page in the payload>
* key = AES-ENCRYPT(hardware csecret 0x1, seed)
* signature = AES-ENCRYPT(key, mac)

| None
| HAC-001 (Tegra210)
| Late 2018/Early 2019
| August 2020
| [[User:qlutoo|qlutoo]]/[[User:Hexkyz|hexkyz]]/[[User:Shuffle2|shuffle2]], [[User:SciresM|SciresM]]/[[User:motezazer|motezazer]] (independently).
|-
| TSEC signature validation design flaw leads to fake-signing
|
As mentioned above, when jumping to signed microcode the caller is expected to load hardware crypto register $c6 = <signature>, $c7 = <seed (zero for all officially-signed microcode)>.

However, TSEC ROM performs no validation on the input seed used to generate the signing key.

This leads to the following attack:
* Attacker gains rop under any secure microcode payload with signature = S.
* Attacker uses the "csigenc" instruction to obtain K = AES-ENCRYPT(hardware csecret 0x1, S).
* Attacker jumps to their own microcode with $c6 = <signature calculated on pc using K>, $c7 = S
* TSEC ROM calculates key = AES-ENCRYPT(hardware csecret 0x1, S) = K, and the signature check passes.
* Attackers microcode is executed in secure mode as though it were signed by NVidia.

Thus an attacker who has exploited *any* secure payload may use this to obtain a "fake signature key", which can be used to sign and execute arbitrary microcode in secure mode.

Note: this does not break the TSEC cryptosystem, as the csigenc mechanism relies on the signature of the executing microcode, and fakesigning produces different signatures from NVidia that cannot be controlled.
| None
| HAC-001 (Tegra210)
| Late 2018/Early 2019
| August 2020
| [[User:qlutoo|qlutoo]]/[[User:Hexkyz|hexkyz]]/[[User:Shuffle2|shuffle2]], [[User:SciresM|SciresM]]/[[User:motezazer|motezazer]] (independently).
|-
| ROP under TSEC secure bootrom via DMA engine stack overwrite (--xploit)
| TSEC DMA engine does not stop when entering TSEC secure bootrom. By pointing TSEC DMA to current stack before secure bootrom entry, stack can be controlled.

One can then use blind ROP against the TSEC secure bootrom (which is execute only, and cannot be dumped).

With sufficient effort, an attacker can construct a ROP chain that leads to csigcmp being executed with fully controlled arguments.

This allows for arbitrary heavy secure mode code execution with the current signature set to an arbitrary value.

This completely breaks the TSEC cryptosystem, by allowing one to obtain the result of csigenc with signature = <any desired value>.

This has many uses/results, notably including dumping the "true" signature key (set signature = zeroes, perform csigenc using csecret 0x1).
| None
| TSEC for all Tegra devices
| Late 2018
| Jan 2021
| [[User:Hexkyz|hexkyz]]/[[User:SciresM|SciresM]], [[User:Vale|Vale]]/[[User:Thog|Thog]] (independently), [[User:Tatsuko|Tatsuko]] (independently), possibly others (independently).
|-
| Boot straps are not relatched on watchdog resets (strapwn)
| On boot, the BOOTSELECT, RCM and RAM_CODE straps are latched from external GPIO to determine which boot medium to use and verify from in bootrom. However, APB_MISC_PP_STRAPPING_OPT_A can be overwritten with arbitrary values following bootrom. Write access to PP_STRAPPING_OPT_A would otherwise be mundane, however these straps are not relatched during a watchdog reset (despite being latched during other software resets), allowing for arbitrary straps to be selected and executed in bootrom.

This allows setting NVPROD_UART on some hardware configurations where it would normally be unavailable (ie on Jetson Nano boards), but is otherwise mostly useless and/or useful for testing unintended boot options (such as USB Mass Storage boot) without having to move boot strap resistors.
| Unknown
| HAC-001 (Tegra210)
| May 2020
| April 30, 2021
| [[User:Shinyquagsire23|Shiny Quagsire]]
|}

== Firmware ==
Flaws in this category pertain to the firmware running on hardware devices, such as wifi/bluetooth, etc. Firmware is generally uploaded by sysmodules.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Broadpwn (CVE-2017-9417)
| See [https://blog.exodusintel.com/2017/07/26/broadpwn/ here] and [https://www.blackhat.com/docs/us-17/thursday/us-17-Artenstein-Broadpwn-Remotely-Compromising-Android-And-iOS-Via-A-Bug-In-Broadcoms-Wifi-Chipsets.pdf here].
| Code execution on the wifi controller (untested on Switch).
| [[4.0.0]]
| [[4.0.0]]
| Switch: July 2022
| Switch: July 30, 2022
| Switch: [[User:Yellows8|yellows8]]
|-
|}

== Software ==
=== Bootloader ===
Flaws in this category pertain to any bootloader component such as the [[Package1#Package1ldr|package1ldr]], the [[Package1#Section_1|NX bootloader]] or the [[Package1#Section_0|warmboot binary]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Null-dereference in panic()
| The Switch's stage 1 bootloader, on panic(), clears the stack and then attempts to clear the Security Engine. However, it does so by dereferencing a pointer to the SE in .bss (initially NULL), and this pointer doesn't get initialized until partway into the bootloader's main() after several functions that might panic() are called. Thus, a panic() caused prior to SE initialization would result in the SE pointer still being NULL when dereferenced.
The BPMP doesn't have an active MPU and the bus won't data abort on an invalid address, so no exception will be entered: it'll end up overwriting some exception vectors with NULL before halting.

In 3.0.0, this was fixed by moving the security engine initialization earlier in main(), before the first function that could potentially panic().
| Some exception vectors overwritten with NULL, before SBK/other keyslots are cleared. Probably useless for anything more interesting.
| [[3.0.0]]
| [[3.0.0]]
| Early July, 2017
| July 30, 2017
| Everyone who diff'd 2.3.0 and 3.0.0 Package1
|-
| FUSE_DIS_PGM not written by package1
| The switch's hardware fuse driver contains a write-once bit in a register called "FUSE_DIS_PGM", which disables burning fuses until the next reboot. While Nintendo's bootloader code for waking up from sleep writes this on all firmware, the actual package1 initial bootloader forgets to write to it on cold reboot.

This isn't too big of a problem because another fuse is burnt on retail devices (production mode), which prevents burning *all* fuses other than ODM_RESERVED ones in hardware.

This was fixed in 3.0.0 by writing to the register on cold boot (although the write happens in TZ instead of package1 where it should take place, possibly to obfuscate the fact that they made this mistake).
| Burning arbitrary ODM reserved fuses with TZ code execution, which should never be possible for non-bootloader code.

Warning: one could irreparably brick one's console by playing with this.
| [[3.0.0]]
| [[3.0.0]]
| Late summer/early fall 2017
| December 31, 2017
| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]]
|-
| maconstack (TSEC firmware leaves MAC on the stack)
| Package1ldr loads a firmware blob into TSEC early on boot. This piece of code runs on the TSEC in Authenticated Mode and has the sole purpose of generating the per-console TSEC key (see [[Cryptosystem]]).

As a way to mitigate attacks, the TSEC firmware blob is split into 3 stages: [[TSEC_Firmware#Boot|Boot]] which is unencrypted and unsigned, [[TSEC_Firmware#KeygenLdr|KeygenLdr]] which is unencrypted but signed and [[TSEC_Firmware#Keygen|Keygen]] which is encrypted and signed.
Boot loads a static pre-generated signature into the Falcon's CPU crypto registers, loads KeygenLdr into the Falcon's CODE region and jumps to it. Execution will proceed into KeygenLdr in Heavy Secure Mode if, and only if, the loaded signature matches the one Falcon calculates internally for KeygenLdr.

Among various things, KeygenLdr will attempt to do a "backwards" security check by calculating a CMAC over Boot and comparing it with a known hash stored in the TSEC firmware's key data (a small buffer stored after Boot's code). If the hashes don't match, execution aborts.

KeygenLdr stores the calculated Boot's CMAC in the stack, but forgets to clear it. Since the stack is located in Falcon's DATA region, loading the TSEC firmware blob and dumping the DATA region afterwards (via MMIO) will reveal the calculated hash.
This allows using KeygenLdr as an oracle to generate a valid CMAC for arbitrary Boot code. Replacing the CMAC in the TSEC firmware's key data region results in KeygenLdr accepting any Boot code, thus rendering this security measure useless.

Additionally, since signed Falcon code can't be revoked without an hardware revision, an attacker can always reuse the flawed KeygenLdr code even if a fix is issued.
| Running TSEC firmware's KeygenLdr in a user controlled environment.
| None
| [[5.0.2]]
| January 2018
| April 29, 2018
| [[User:Hexkyz|hexkyz]], [[User:Rei|Reisyukaku]] (independently), probably others (independently).
|-
| Stack smash in TSEC firmware's KeygenLdr
| Given that we can control the [[TSEC_Firmware#Key_data|key data]] (which is not authenticated) and the [[TSEC_Firmware#Boot|Boot]] blob (see "maconstack"), as well as the fact Non-secure and Heavy Secure code share the same stack, we can use this to attack KeygenLdr. KeygenLdr uses memcpy to copy over a payload to DMEM to verify it, which can be abused to smash the stack (in DMEM) and write over the return address of said function.
| ROP under KeygenLdr in Heavy Secure mode.
| None
| [[8.0.1]]
| Early 2018
| May 21, 2019
| Everyone (independently).
|-
| pk1ldrhax
| Package1ldr decrypts and verifies the keyblob inside of the current BCT in order to get the package1 key, and then uses the package1 key to decrypt package1. It then validates package1 before jumping to it by checking the PK11 magic number, and that the section sizes sum to the expected size (and are individually less than the expected size).

However, package1ldr does not actually validate the package1 key against a fixed vector (much like kernel9loader forgot to do so on the 3ds). This would normally not matter, as keyblobs are validated -- however, with bootrom code execution one can dump SBK and forge keyblobs, and thus control the package1 key.

Thus ('''in theory, but not in practice due to the size of the brute force required''') one can replace the package1 key with garbage, causing package1 to decrypt into garbage, and hope that this garbage passes validation checks and that package1ldr jumping into the garbage will do something useful.

This was fixed incidentally in [[6.2.0]], as pk1ldr does not use keyblob data to decrypt package1 any more.

| With a large enough brute force: arbitrary package1 code execution from coldboot.

However, a usable brute force is on the order of >= ~2^80, so '''this is almost certainly not actually usable in any meaningful context'''.
| [[6.2.0]]
| [[6.2.0]]
| Early 2017 (as soon as plaintext package1ldr was first dumped)
| November 20, 2018
| Everyone
|}

=== TrustZone ===
Flaws in this category pertain exclusively to the [[Package1#Section_2|Secure Monitor]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Non-atomic mutexes
| When an [[SMC]] is called, TrustZone sets a global variable to mark that an SMC is in progress, so that two SMCs using shared resources (like the security engine) do not trample on one another. On 1.0.0, this global variable was written using non-atomic writes, and thus a race condition is possible.

However, the SMC handler enforces that all SMCs must be called from core #3, unless the top-level handler ID is 1 (SMCs internal to the kernel). Thus, the only SMCs that can be run side-by-side are [any userland smc] and smcGetRandomBytesForKernel, and this turns out to not really be abusable.
| Mostly useless. Maybe some oob-write into unused (and thus useless) memory if running smcGetRandomBytesForKernel and smcGetRandomBytesForUser at the same time.
| [[2.0.0]]
| [[2.0.0]]
| December 2017 (Probably earlier by others)
| January 18, 2018
| [[User:SciresM|SciresM]], probably others (independently).
|-
| jamais vu (non-secure world access to PMC MMIO and pre-deep sleep firmware)
| On [[1.0.0]], one could map in the PMC registers in userland. In addition, [[AM_services|am]] ran a little-kernel based firmware on the BPMP at runtime. With code execution under am, one could modify the BPMP's little-kernel firmware to hook deep sleep entry, and modify TrustZone/Security engine state.

This was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry.
| Arbitrary TrustZone code execution.
| [[2.0.0]]
| [[2.0.0]]
| December, 2017
| January 20, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]]
|-
| Missed BPMP Exception Vector Writes
| Starting in [[2.0.0]], the BPMP is asleep at runtime, and is turned on by TrustZone during [[SMC|smcCpuSuspend]] in order to initiate the deep sleep process. When it does so, it is held in RESET, and TrustZone attempts to write to the BPMP exception vectors at 0x6000F200 to register EVP_RESET = lp0_entry_fw_crt0, and all other EVPs to a function that simply reboots. However, while they successfully write EVP_RESET, they miss all the other vectors, accidentally writing to the 0x6000F004-0x6000F020 region instead of the 0x6000F204-0x6000F220 region they want to write to. This results in all the exception vectors for the BPMP other than RESET being "undefined" (attacker controlled).

With some way of causing an exception vector to be taken at the right time, this would give pre-sleep code execution (and thus arbitrary TrustZone code execution, via the security engine flaw). However, none of the abort vectors are really triggerable, and interrupts are disabled for the BPMP when it is taken out of reset. Thus, this is useless in practice.

This was fixed in [[4.0.0]] by writing to the correct registers.
| Theoretically: Arbitrary TrustZone code execution. In practice: Useless.
| [[4.0.0]]
| [[4.0.0]]
| January, 2018
| February 23, 2018
| [[User:SciresM|SciresM]] and [[User:motezazer|motezazer]], [[User:Naehrwert|naehrwert]], [[User:Hexkyz|hexkyz]], probably others (independently).
|-
| TSEC has access to the secure kernel carveout
| TrustZone is responsible for managing security carveouts to prevent DMA controllers from accessing the carveout which contains the kernel, sysmodules, and other critical operating system data.

Until [[8.0.0]], the list of devices that could access the carveout included the TSEC. However, the TSEC can bypass the SMMU when in authenticated mode by writing to a certain register. Thus, pwning nvservices would allow one to take over the TSEC, and use it to write to normally protected mmio/memory.

In [[8.0.0]], this was fixed by removing TSEC access, and adding TSECB access (TSECB cannot bypass the SMMU).
| With access to the TSEC mmio (nvservices ROP) and code execution in TSEC Heavy Secure mode, kernel code execution, probably.
| [[8.0.0]]
| [[8.0.0]]
| 2017 (when TrustZone code plaintext was first obtained).
| April 15, 2019
| Everyone
|-
| deja vu (insufficient system state validation on suspend leads to pre-sleep BPMP code execution)
| Jamais Vu was fixed in [[2.0.0]] by making the PMC secure-world only, blacklisting the BPMP's exception vectors from being mapped, and thoroughly checking for malicious behavior on deep sleep entry, since gaining pre-sleep code execution on the BPMP compromises the system.

However, the state validation performed by Nintendo's Secure Monitor was insufficient to prevent pre-sleep execution from being obtained.

Prior to [[6.0.0]], one could use a DMA controller that had access to IRAM and was not held in reset (there were multiple) to race TrustZone's writes to the BPMP firmware in IRAM, and thus overwrite Nintendo's firmware with an attacker's to gain pre-sleep code execution.

[[6.0.0]] addressed this by performing TrustZone state MAC writes and locking PMC scratch *before* turning on the BPMP, fixing the original Jamais Vu exploit entirely. In addition, the BPMP firmware in TrustZone's .rodata is now memcmp'd to the actual data after it is written to IRAM. This mitigates race attacks that modify the firmware.

However, Nintendo both forgot to validate the BPMP exception vectors after writing them, and forgot to hold in reset a DMA controller that can write to the BPMP's exception vectors.

AHB-DMA is not blacklisted by kernel mapping whitelist (Nintendo probably forgot it, because the TX1 TRM does not really document that it's present, although the MMIO works as documented in older (Tegra 3 and before) TRMs).

Thus, with kernel code execution (or some other way of accessing AHB-DMA, e.g. nspwn on <= 4.1.0, TSEC hax, or other arbitrary mmio access flaws), one can DMA to the BPMP's exception vectors as they are written, causing TrustZone to start the BPMP executing an attacker's firmware at a different location than TrustZone intends/validates.

This was fixed in [[8.0.0]] by blocking AHB-DMA arbitration and verifying it is held in reset during suspend, and thus there are no more devices that can write to the relevant MMIO at the right time.

| Arbitrary TrustZone/BootROM code execution, by using either the original Jamais Vu flaw (prior to [[6.0.0]] or a warmboot bootrom exploit (any firmware where pre-sleep execution can be gained).
| [[8.0.0]]
| [[8.0.0]]
| December 2017
| April 15, 2019
| [[User:SciresM|SciresM]], [[User:motezazer|motezazer]] and ktemkin, [[User:Naehrwert|naehrwert]] (independently), almost certainly others (independently)
|-
| TrustZone allows using imported RSA exponents with arbitrary modulus
| TrustZone supports "importing" RSA private exponents for use by userland -- these are stored encrypted with TrustZone only keydata in NAND, and decrypted only to TZRAM. This prevents a console that has compromised userland from learning the private exponents of these keys and doing calculations with them offline. In practice, this is used for FS (gamecard communications), ES (drm), and SSL (console client cert communications).

However, the actual SMC API only imports the RSA exponent, and not the modulus, which is passed separately by userland in each call. There is no validation done on the modulus passed in -- this means that userland can pass in any message and modulus it chooses, and obtain the result of (message ^ private exponent) % modulus back from the secure monitor.

By choosing a prime number modulus P such that P has "smooth" order (totient(P) == P-1 is divisible only by "small" primes), one can efficiently use the [[wikipedia:Pohlig-Hellman algorithm|Pohlig-Hellman algorithm]] to calculate the discrete logarithm of such a result directly, and thus obtain the private exponent.

This is mostly useless in practice, given the general availability of other exploits to obtain these decrypted exponents.

This was fixed in 10.0.0 by importing the modulus in addition to the exponent for the ES device key and ES client cert key. For backwards compatibility reasons the SSL key and Lotus key still only import the exponent.

StorageExpMod also now validates that the exponentiation of "DDDDD..." about the provided modulus by the imported exponent and then the fixed public exponent returns "DDDDD...", and returns invalid argument if validation fails.
| With userland privileges sufficient to use an imported RSA key: obtaining that RSA key's private exponent.
| [[10.0.0]]
| [[10.0.0]]
| August 14, 2019
| August 14, 2019
| [[User:SciresM|SciresM]]
|}

=== Kernel ===
Flaws in this category pertain exclusively to the [[Package2#Section_0|HorizonOS Kernel]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Syscall Infoleaks
| Many syscalls leaked kernel pointers on sad paths (for example svcSetHeapSize and svcQueryMemory), until they landed a bunch of fixes in 2.0.0.
| Nothing really.
| [[2.0.0]]
| [[2.0.0]]
|
|
| ?
|-
| svcWaitSynchronization/svcReplyAndReceive bad cleanup on error
| If there is a page fault when fetching handles from the userspace array, it cleans up by dereferencing all objects despite having only loaded first N. Allows the attacker to make arbitrary decrefs on any kernel synchronization object, and thus can be used to get UAF. Haven't actually been tried on real HW though, but should work (tm).
| Kernel code execution
| [[2.0.0]]
| [[2.0.0]]
|
| 24 April
| [[User:qlutoo|qlutoo]]
|-
| Bad irq_id check in CreateInterruptEvent
| CreateInterruptEvent syscall is designed to work only for irq_id >= 32. All irq_ids < 32 are "per-core" and reserved for kernel use (watchdog/scheduling/core communications).
On 1.0.0 you could supply irq_id < 32 and it would write outside the SharedIrqs table.
| You can register irq's in the Core3Irqs table, and thus register per-core irqs for core3, that are normally reserved for kernel. Useless.
| [[2.0.0]]
| [[2.0.0]]
| ~October
| 17 October
| [[User:qlutoo|qlutoo]]
|-
| Kernel .text mapped executable in usermode
| Prior to [[3.0.2]] the kernel .text was [[Memory_layout|mapped]] in usermode as executable. This can be used for usermode ROP for bypassing ASLR, but SVCs/IPC are not usable by running kernel .text in usermode.
| Executing kernel .text in usermode
| [[3.0.2]]
| [[3.0.2]]
|
| 34c3 (December 28, 2017)
| [[User:qlutoo|qlutoo]]
|-
| Memory Controller not properly secured
| The Switch OS originally had the memory controller not set to be accessible only by the secure-world, which was problematic because insecure access can compromise the kernel.

This was fixed partially in [[2.0.0]] by blacklisting the memory controller from being mapped by user-processes, and was fixed entirely in [[4.0.0]] by making the memory controller TZ-only and making all kernel accesses go through [[SMC|smcReadWriteRegister]].
| With some way to access the memory controller MMIO, arbitrary kernel code execution.
| [[4.0.0]]
| [[4.0.0]]
| January 2018
| January 2018
| [[User:SciresM|SciresM]], [[User:Yellows8|yellows8]]
|-
| Potential [[SVC|svcWaitForAddress]] thread use-after-free
| Between [[4.0.0]], where svcWaitForAddress was introduced, and [[7.0.0]], there was a second intrusive rbtree node in KThread for the WaitForAddress tree (the key being (address, priority), sorted lexicographically). Unlike the WaitProcessWideKeyAtomic tree, the kernel forgot to reinsert the WaitForAddress node when the thread's priority changed (priority inheritance and/or SetPriority), breaking the rbtree invariants; and since the kernel walks through the entire tree to remove intrusive nodes, you could cause threads to stay in the tree even after their deletion.

[[7.0.0]] fixed the issue by using the same intrusive node for both trees. The thread/node knows which tree it is in, and the latter is correctly updated when thread priority changes.
| It unluckily didn't look exploitable
| [[7.0.0]]
| [[7.0.0]]
| July 2018
| February 2019
| [[User:TuxSH|TuxSH]]
|-
|}

=== FIRM-package System Modules ===
Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]].

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| Service access control bypass (sm:h, smhax, probably other names)
| Prior to [[3.0.1]], the ''service manager'' (sm) built-in system module treats a user as though it has full permissions if the user creates a new "sm:" port session but bypasses [[Services_API#Initialize|initialization]]. This is due to the other sm commands skipping the service ACL check for Pids <= 7 (i.e. all kernel bundled modules) and that skipping the initialization command leaves the Pid field uninitialized.
In [[3.0.1]], sm returns error code 0x415 if [[Services_API#Initialize|Initialize]] has not been called yet.
| Acquiring, registering, and unregistering arbitrary services
| [[3.0.1]]
| [[3.0.1]]
| May 2017
| August 17, 2017
| Everyone
|-
| Overly permissive SPL service
| The concept behind the switch's [[SMC|Secure Monitor]] is that all cryptographic keydata is located in userspace, but stored as "access keys" encrypted with "keks" that never leave TrustZone. The [[SPL services|spl]] ("security processor liaison"?) service serves as an interface between the rest of the system and the secure monitor. Prior to [[4.0.0]], spl exposed only a single service "spl:", which provided all TrustZone wrapper functions to all sysmodules with access to it. Thus anyone with access to the spl: service (via smhax or by pwning a sysmodule with access) could do crypto with any access keys they knew.

This was fixed in [[4.0.0]] by splitting spl: into spl:, spl:mig, spl:ssl, spl:es, and spl:fs.
| Arbitrary spl: crypto with any access keys one knows. For example, one could use the SSL module's access keys to decrypt their console's SSL certificate private key without having to pwn the SSL sysmodule.
| [[4.0.0]]
| [[4.0.0]]
| Summer 2017 (after smhax was discovered).
| December 23, 2017
| Everyone
|-
| Single session services not really single session
| Several "critical" services (like fsp-ldr, fsp-pr, sm:m, etc) are meant to only ever hold a single session with a specific sysmodule. However, when a sysmodule dies, all its service session handles are released -- and thus killing the holder of a single session handle would allow one (via sm:hax etc) to get access to that service.

This was fixed in [[4.0.0]] by adding a semaphore to these critical single-session services, so that even if one gets access to them an error code will be returned when attempting to use any of their commands.
| With some way to access these services and kill their session holders (like expLDR): dumping sysmodule code, arbitrary service access, elevated filesystem permissions, etc.
| [[4.0.0]]
| [[4.0.0]]
| May/June 2017 (basically immediately after smhax was discovered)
| December 30, 2017
| Everyone
|-
| nspwn
| fsp-ldr command 0 "MountCode" takes in a Content Path (retrieved from NCM by Loader), and returns an IFileSystem for the resulting ExeFS. These content paths, are normally NCAs, but MountCode also supports a number of other formats, including ".nsp" -- which is just a PFS0.

When a path ending in ".nsp" is parsed by MountCode, the PFS0 is treated as a raw ExeFS. Because there is no NCA header, the ACID signatures are not validated -- and because there are no other signatures in a PFS0, this results in no signature checking happening at all.

The actual .nsp handling is eventually done by {content mounting function} called by MountCode and other FS commands.

Thus, by placing an ExeFS (NSOs + "main.npdm") and setting one's desired title ID to "@Sdcard:/some_title.nsp" or "@User:/some_title.nsp" etc one can launch arbitrary unsigned code, with arbitrary unsigned NPDMs.

This appears to have been fixed by only allowing .nsp when the input fstype==7 for the internal content-mounting function, returning 0x2EE202 otherwise.
| With access to "lr": Arbitrary code execution with full system privileges.
| [[5.0.0]]
| [[5.0.0]]
| Late 2017
| April 23, 2018
| Everyone
|-
| Single null-byte stack overflow in Loader ContentPath parsing
| Previously, loader content path parsing looked like this, where path_from_lr was up to 0x300 bytes and not necessarily null-terminated:

char nca_path[0x300] = {0};
strcat(nca_path, path_from_lr);
for (int i = 0; nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}

Thus, a content path of the maximum length (0x300 bytes) would result in strcat writing a NULL terminator past the end of the nca_path buffer.

This was fixed in [[6.0.0]], the new code looks like this:

char nca_path[0x300];
strncpy(nca_path, path_from_lr, sizeof(nca_path));
for (int i = 0; i < sizeof(nca_path) && nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}

| With access to "lr": single null-byte stack overflow in Loader. Maybe (but probably not) loader code execution.
| [[6.0.0]]
| [[6.0.0]]
| September 2, 2018
| September 19, 2018
| SciresM
|-
| System modules vulnerable to selective downgrade attacks
| Horizon has no mechanism for specifying the specific title version to Loader on process creation.

Observing this, one can note that after a system update one could install a downgraded version of a specific system module (e.g. nvservices) while leaving the rest of the OS at the same version.

Unless there was some breaking API change, this allows one to make a console vulnerable once more to an exploit in a sysmodule by downgrading it and nothing else.

This was fixed in [[8.1.0]] by incrementing a version field in NPDM, and checking it against a hardcoded list for certain titles in Loader's process creation func.
| With access to content installation commands (or a vulnerable lower version to selectively install newer titles), reintroducing bugs in vulnerable system modules on newer firmware versions.
| [[8.1.0]]
| [[8.1.0]]
| When FIRM was first dumped in 2017.
| June 17, 2019
| Everyone
|-
| Broken RNG for [[Loader_services|Loader]] ASLR
| The RNG used for generating the ASLR slide is only seeded with 32bits, with the data from [[SVC|svcGetInfo]]. Hence, one could bruteforce the seed if one has infoleaks from any programs. This can be successfully bruteforced with at least 2 sample codebin addrs from different programs (with only 1 sample a lot of invalid seeds are found), however in some cases more than 1 seed might be found.

With [15.0.0+] Loader now uses csrng_GenerateRandomBytes for determining the ASLR slide.

See also [https://github.com/switchbrew/loader-aslr-solver loader-aslr-solver].
| Breaking ASLR for all non-KIP processes, allowing predicting the main-codebin base addr for all non-KIP processes until the next reboot.
| [[15.0.0]]
| [[15.0.0]]
| January 30, 2022 (presumably found much earlier?)
| October 11, 2022
| Everyone
|-
| Broken RNG for [[RO_services|ro]] ASLR
| The RNG used to determine where to randomly map NROs in the target process was TinyMT (nn::os::detail::RngManager output, seeded by 128 bits of entropy). However, TinyMT is not cryptographically secure (and can in fact be analytically solved).

Thus, with a few NRO mapping addresses, one could learn the TinyMT state and derive all previous/future RNG outputs, breaking NRO aslr for all processes.

With [15.0.0+] ro now uses csrng_GenerateRandomBytes to determine the random map address for NROs.
| Breaking ASLR for all NROs loaded in all processes, allowing predicting all NRO mappings for all processes until the next reboot.
| [[15.0.0]]
| [[15.0.0]]
| Late 2021/Early 2022
| October 11, 2022
| Everyone
|}

=== System Modules ===
Flaws in this category pertain to any non-built-in system module.

{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA bsa_sv_av_cback stack buffer overflow
| bsa_sv_av_cback checks for two input type values (0xC/0xD), on match it copies the input data to stack without size validation. Then it sends an internal request with this data (likewise when the type values don't match, except the input data is passed directly with a small size), then it returns.
This requires the AV functionality added with [13.0.0+], however this func is only reachable with [14.0.0+] where the required functionality was enabled.

This requires message data that's larger than the MTU, so fragmentation must be used, or manually send the ACL data to bypass the MTU.

This can be triggered via an AVRC message with opcode=0x0 (vendor). The above type 0xC is reached via AVRC ctype 0..4, while 0xD is reached with ctype>=0x9.

With [15.0.0+] the size value for the memcpy (which is also written to the request struct) is clamped to a max value.
| Bluetooth-sysmodule stack buffer overflow on [14.0.0-14.1.2], with data received from an AVRC bluetooth message with a bluetooth-audio device.
| [[15.0.0]]
| [[15.0.0]]
| November 2021
| October 11, 2022
| [[User:Yellows8|yellows8]]
|-
| Broken RNG used by [[NS_Services|ns]]
| The code generating the sd seed and the data for the [[SD_Filesystem|sd]] private/private1 file, all use nn::os::GenerateRandomBytes, not csrng. The sd-seed is generated first, then private, then private1. This allows deriving sd-seed from private since this uses TinyMT, as long as the system shipped from factory on [2.0.0+]. private1 is only useful if the system shipped with [4.0.0+].

There's various other code in ns using nn::os::GenerateRandomBytes as well. This includes the code generating ns_systemseed when it doesn't exist. ns_systemseed is generated at some point after the various sd-seed-related code (both are called from the same func). Hence, ns_systemseed can be recovered with the above method as well, if it wasn't recreated at some point without regenerating the above nand-save used with the above.

With [15.0.0+] ns now uses csrng_GenerateRandomBytes for sd-seed/private and ns_systemseed, etc. This only matters when the file is newly generated, which is usually only for factory-fresh systems which ship with this version.
| Generation of a system's sd-seed allowing decryption of the NAX0 layer of data on [[SD_Filesystem|SD]], derived using the private file from SD. Applies to systems which factory-shipped with a system-version prior to [[15.0.0]] (that is, [2.0.0-14.1.2]).
| [[15.0.0]], for newly generated files
| [[15.0.0]]
| December ~12, 2021
| October 11, 2022
| [[User:Yellows8|yellows8]]
|-
| Infoleak with [[Joy-Con]] HidCommand PairingIn
| The joycon protocol handler for PairingIn copies data from stack to the response cmd-buf for sending PairingOut. Only the first byte is set to a type value, the rest is uninitialized stack data.

This was fixed with [15.0.0+] by directly writing to the response data without using stack data.
| Infoleak of hid stack via a bluetooth/uart message+response with a connected hid controller. This returns addrs for the main-codebin/stack, which allows defeating ASLR.
| [[15.0.0]]
| [[15.0.0]]
| September 4, 2020
| October 10, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFMEDIA input can contain ptr
| Originally bsd ioctl SIOCGIFMEDIA used the user-specified ifmediareq structure directly from the input buffer. This includes a ptr. This ptr probably isn't actually used?
With [5.0.0+] the structure used as input for the ioctl was changed to using <code>int ifm_ulist[1]</code> instead of <code>int *ifm_ulist</code> (which is unused). The input structure is copied to a tmp struct which is used as the original ifmediareq structure, with ifm_ulist always NULL. The user can still specify a non-zero ifm_count value, however that's not useful with ifm_ulist being always NULL.
| Useless?
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFCONF infoleak
| Originally bsd ioctl SIOCGIFCONF was handled by setting the data in IPC outbuf0 to the size/addr of IPC outbuf1. These buffers are HipcAutoSelect, so if buf1 is small enough for HipcPointer (otherwise it would be HipcMapAlias) the IPC-buf-ptr leaked into outbuf0 would be located in the codebin-region. Since this is done before the actual ioctl-handling, it doesn't matter whether the fd is valid.
This was fixed in [5.0.0+] by using a tmp struct on stack instead of buf0.
| bsdsockets-sysmodule codebin-region addr infoleak, which allows defeating ASLR.
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022 (probably earlier)
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack.
These were fixed by adding a bounds check for the size, size==0 is also checked for now.
| Bluetooth-sysmodule stack buffer overflow, with data received from a bluetooth message
| [[13.2.1]]
| [[13.2.1]]
| November 2021
| January 19, 2022
| [[User:Yellows8|yellows8]]
|-
| [[SSL_services|ssl]] CVE-2021-43527
| CVE-2021-43527, see also [https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 here] and [https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html here].
Using BigSig where the server cert sig is RSA-PSS results in the remote server throwing {no shared cipher} error when Switch connects. If however one creates a rootCA using BigSig (RSA-PSS), which then signs a server cert where the server key is RSA (not PSS), the vuln can be triggered (if the rootCA is trusted, via using the import service-cmd). It's unknown whether there's other ways to trigger the vuln.

The crash occurs in VFY_Begin when using the previously overwritten data. A bitsize of <code>$((16384 + 32 + 64 + 64 + 64))</code> is only enough to overwrite cx->hashcx, to fully overwrite cx->hashobj an additional 0xC-bytes (additional 96 bits) is needed.
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
| [[13.2.1]]
| [[13.2.1]]
| Switch: December 1-2, 2021
| Switch: January 19, 2022
|
|-
| [[Bluetooth_Driver_services|bluetooth]] EventInfo infoleak
| The various funcs which send messages to the thread which handles writing to EventInfo, didn't clear the stack msgbuf. Hence, the various get-EventInfo cmds could return leaked stack data. This likely affected most (?) get-EventInfo cmds, besides CircularBuffer-GetHidReportEventInfo.

This only matters for events where there's uninitialized regions of the EventInfo, such as events with variable-size data without a memset.

This was fixed by clearing the msgbuf in a number of funcs.
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR
| [[13.0.0]]
| [[13.1.0]]
|
| During initial [[13.0.0|diff]]. Added to this page on: December 12, 2021
| [[User:Yellows8|yellows8]]
|-
| Infoleak with [[HID_services|hid:sys]] SetButtonConfigStorage{name}Deprecated
| These cmds pass a stack ptr for the StorageName when calling the internal func. Nothing is written to this StorageName. Hence, stack infoleak (data is copied as a NUL-terminated string), which can be later read by the GetButtonConfigStorage{name} cmds.

This was fixed by removing the Deprecated cmds in [[13.0.0]].
| Infoleak of hid stack from a StorageName readable via GetButtonConfigStorage{name}, up to the NUL-terminator.
| [[13.0.0]]
| [[13.0.0]]
| December 11, 2020
| September 27, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] WriteHidData/WriteHidData2/SetHidReport unchecked memcpy size
| WriteHidData/SetHidReport copies the input struct to stack, then passes it to the funcptr/vfunc call. WriteHidData2 passes the input buffer addr directly to the funcptr/vfunc call. The called func eventually copies the input data to the stack struct using the specified size without validating it.
This requires access to the btdrv service, only hid and btm have access.

This was fixed with [[12.1.0]] in WriteHidData/SetHidReport by doing a fixed-size copy into another tmp struct, with the size field being clamped to a maximum of 0x2BB afterwards. This struct is then used when calling the vfunc. The vfuncs called by WriteHidData/WriteHidData2/SetHidReport were also updated to clamp the size to the required maximum value.
| Stack buffer overflow
| [[12.1.0]]
| [[12.1.0]]
| July 16, 2020
| July 6, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets
| The BSA (bt-stack) func bta_hh_co_data copies data from a HID DATA packet to stack without checking the size, then sends it over Uipc. [7.0.0+] The user Uipc callback also copies the input data to stack without checking the size, then sends it to the sharedmem CircularBuffer.
With [12.0.2+] this was fixed in bta_hh_co_data by clamping the size to a maximum of 0x2BB. The aforementioned buffer overflow in the Uipc callback can't be triggered since at that point the size was already clamped.

Before this bta_hh_co_data func is reached, there is no validation of the size (such as comparing against the L2CAP MTU) when Basic Mode is being used.

Actually triggering this requires using a data-size larger than the normal L2CAP MTU. This can be done by for example, using raw HCI to send the packet from the remote bluetooth device.

Note that when the remote device is configured as an audio device for [12.0.0+] where [[Settings_services#BluetoothDevicesSettings|BluetoothDevicesSettings]].TrustedServices was only ever set for audio since system-boot, it is not possible for the remote device to connect to the Switch for HID.
| ROP under [[Bluetooth_Driver_services|bluetooth]] via HID DATA packet sent by a paired HID bluetooth device. This can be triggered at any time while not in sleep-mode, when not in airplane-mode. The earliest is while the Nintendo Switch logo screen is displayed during system boot.
| [[12.0.2]]
| [[12.0.2]]
| July-August 2020
| May 11, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] GetAdapterProperty/SetAdapterProperty unchecked memcpy size
| GetAdapterProperty copies data from stack to the output buffer using the buffer size, without checking the size (when not handling the Name type). SetAdapterProperty copies data to stack from the input buffer using the buffer size, without checking the size.
This requires access to the btdrv service, only hid and btm have access.

This was fixed with [[12.0.0]] by replacing the buffer data with a fixed-size-struct.
| Stack infoleak with GetAdapterProperty, stack buffer overflow (and hence ROP) with SetAdapterProperty.
| [[12.0.0]]
| [[12.0.0]]
| July 17, 2020
| April 7, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] A-63146698
| [https://android.googlesource.com/platform/system/bt/+/226ea26684d4cd609a5b456d3d2cc762453c2d75 A-63146698] / CVE-2017-0785. See also [https://info.armis.com/rs/645-PDC-047/images/BlueBorne%20Technical%20White%20Paper_20171130.pdf here].
| Bluetooth-sysmodule stack infoleak, which allows defeating ASLR (note: not tested on hw).
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|Bluetooth]] sdp_server.cc process_service_search() continuation request p_req validation
| With [5.0.0+], the following was added to the if-block prior to loading cont_offset from p_req: <code>(p_req + sizeof(cont_offset) > p_req_end)</code> (which verifies that cont_offset is within message bounds).
| Bluetooth-sysmodule out-of-bounds read from heap, probably not useful since the read value must match a state field, etc.
| [[5.0.0]]
| [[11.0.0]]
| Switch: December 2020
| Switch: December 25, 2020
| Switch: [[User:Yellows8|yellows8]]
|-
| [[HID_services#hid:sys|hid:sys]] ButtonConfig s32 array-index not validated
| The input s32 array-index for [[HID_services#hid:sys|hid:sys]] ButtonConfig cmds 1255-1270 was originally not validated. Using a negative or >=5 index results in accessing out-of-bounds data, with an array stored on stack.
[10.1.0-10.2.0] Each of these cmds will now Abort if the s32 is negative or >=5. [11.0.0+] Now an unsigned compare is used, with 0 or an error being immediately returned when the value is invalid.
| hid infoleak, out-of-bounds mem-write anywhere in hid address-space relative to the stack array (with constraints on the data).
| [[10.1.0]]
| [[11.0.1]]
| April 18, 2020
| July 14, 2020
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] ClearCaptureBuffer OOB
| The captureBuf is used as an array index without proper validation. There is code validating it, but on failure it just skips over a code-block, with code using captureBuf still being used afterwards. Then this is used to write bools into a global array, one of which is from the command input.
This was fixed with [9.1.0+] by requiring captureBuf = 0-1.
| OOB bool writes into an array
| [[9.1.0]]
| [[13.1.0]]
| ~July 31, 2019
| January 26, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] TakeScreenShotOfOwnLayer OOB
| The captureBuf is used as an array index without validation. Data used from this array includes calling a funcptr from the array entry, if set. Eventually this is also used to write bools into this array, one of which is from the command input.
With [5.0.0+] a func is eventually called to get a ptr determined by the input captureBuf, with nullptr being returned for captureBuf>=0x10. The caller will Abort if nullptr was returned.
| OOB array access
| [[5.0.0]]
| [[13.1.0]]
| ~July 31, 2019
| January 26, 2022
| [[User:Yellows8|yellows8]]
|-
| [[Applet_Manager_services#IStorage|AM IStorage]] infoleak
| Originally the buffer allocated by [[Applet_Manager_services#CreateStorage|CreateStorage]] using the specified input size was not cleared. With [8.0.0+] this was fixed by adding a memset() for the buffer after successful allocation.

Hence, IStorage->IStorageAccessor->Read will return uninitialized memory when the Write cmd was not previously used with the specified region.
| Infoleak from the main [[Applet_Manager_services#IStorage|AM]] heap, allowing defeating ASLR by reading addresses from previously allocated objects.
| [[8.0.0]]
| [[8.1.0]]
| December 2018
| August 9, 2019
| [[User:Yellows8|yellows8]]
|-
| Out-of-bounds array read for [[BCAT_Content_Container]] secret-data index
| The [[BCAT_Content_Container]] secret-data index is not validated at all. This is handled before the RSA-signature(?) is ever used. Since the field is an u8, a total of 0x800-bytes relative to the array start can be accessed.
This is not useful since the string loaded from this array is only involved with key-generation.
|
| Unknown
| [[2.0.0]]
| August 4, 2017
| August 6, 2017
| [[User: shinyquagsire23|Shiny Quagsire]], [[User:Yellows8|yellows8]] (independently)
|-
| OOB Read in NS system module (pl:utoohax, pl:utonium, maybe other names)
| Prior to [[3.0.0]], pl:u (Shared Font services implemented in the NS sysmodule) service commands 1,2,3 took in a signed 32-bit index and returned that index of an array but did not check that index at all. This allowed for an arbitrary read within a 34-bit range (33-bit signed) from NS .bss. In [[3.0.0]], sending out of range indexes causes error code 0x60A to be returned.
| Dumping full NS .text, .rodata and .data, infoleak, etc
| [[3.0.0]]
| [[3.0.0]]
| April 2017
| On exploit's fix in [[3.0.0]]
| [[User:qlutoo|qlutoo]], ReSwitched Team (independently)
|-
| Unchecked domain ID in common IPC code
| Prior to [[2.0.0]], object IDs in [[IPC_Marshalling#Domain_message|domain messages]] are not bounds checked. This out-of-bounds read could be exploited to brute-force ASLR and get PC control in some services that support domain messages.
|
| [[2.0.0]]
| [[2.0.0]]
| ~July 2017
| 20 July 2017‎
| [[User:hthh|hthh]]
|-
| expLDR (sysmodule handle table exhaustion)
| Most sysmodules share common template code to handle IPC control messages. The command DuplicateSession (type 5 command 2)'s template code will abort() if it fails to duplicate a session's handle for the requester. Because many sysmodules have limited handle table size (smaller than the browser/other entrypoints), repeatedly requesting to duplicate one's session will cause the sysmodule to run out of handle table space and abort, causing the service to release all its handles cleanly.
| Sysmodule crashes. Most usefully, crashing ldr allows access to fsp-ldr and crashing pm allows access to fsp-pr. Useless after [[4.0.0]], which mitigated a number of single-session service access issues.
| Unfixed
| [[4.1.0]]
| 24 June 2017
| 8 March 2018
| [[User:daeken|daeken]]
|-
| Transfer Memory leak in nvservices system module
| The nvservices sysmodule does not clear most of its transfer memory prior to release.
| The calling process can read key bits of memory, including breaking ASLR (by revealing the image base) and exposing the address of other transfer memory to set up attacks. More details here: [https://daeken.svbtle.com/nintendo-switch-nvservices-info-leak transfermeme (nvservices info leak)] by [[User:daeken|daeken]]
| [[6.0.0]]
| [[6.0.0]]
| June 2017
| 16 October 2018
| [[User:qlutoo|qlutoo]] and [[User:hexkyz|hexkyz]],
[[User:daeken|daeken]] (independently)
|-
| OOB write in audio system module
| Prior to [[2.0.0]], the [[Audio_services#audout:u|AppendAudioOutBuffer]] and [[Audio_services#audin:u|AppendAudioInBuffer]] IPC commands would blindly increment the appended buffers' count while using said count value as an index to where the user data should be copied into. This resulted in an 0x28 bytes, user controlled, out-of-bounds memory write into the [[Audio_services|audio]] sysmodule's memory space.
Combined with the [[Audio_services#audout:u|GetReleasedAudioOutBuffer]] or [[Audio_services#audin:u|GetReleasedAudioInBuffer]] commands, this could also be used as an 8 byte infoleak.

In [[2.0.0]], the commands now return error code 0x1099 if the number of unreleased buffers exceeds 0x1F.
| Code execution under audio sysmodule
| [[2.0.0]]
| [[2.0.0]]
|
| November 2, 2018
| [[User:hexkyz|hexkyz]], probably others (independently).
|-
| nvhax (memory corruption in nvservices system module)
| Prior to [[6.2.0]], the [[NV_services|nvservices]] ioctl [[NV_services#.2Fdev.2Fnvhost-ctrl-gpu|NVGPU_GPU_IOCTL_WAIT_FOR_PAUSE]] would take a single "pwarpstate" argument which would be interpreted by nvservices as a memory pointer for writing 2 "warpstate" structs (one for each Streaming Multiprocessor).
This resulted in nvservices attempting to blindly memcpy into this user supplied address and trigger a crash. However, if paired with an infoleak, this could be used to arbitrarily write 0x30 bytes anywhere in nvservices' memory space.
Additionally, the "warpstate" struct itself was never initialized, which means nvservices would leak the 0x30 bytes from the stack. By invoking other ioctls it was also possible to partially control the stack contents and achieve a usable arbitrary memory write primitive.

In [[6.2.0]], [[NV_services#.2Fdev.2Fnvhost-ctrl-gpu|NVGPU_GPU_IOCTL_WAIT_FOR_PAUSE]] now takes 2 inline "warpstate" structs instead of a "pwarpstate" pointer, thus effectively avoiding the bad memcpy.
| Code execution under nvservices sysmodule
| [[6.2.0]]
| [[6.2.0]]
| April 5, 2017
| November 24, 2018
| [[User:hexkyz|hexkyz]]
|-
| Infoleak in nvservices system module
| The [[NV_services|nvservices]] ioctl [[NV_services#NVMAP_IOC_ALLOC|NVMAP_IOC_ALLOC]] takes an optional argument "addr" which allows the calling process to pass a pointer to user allocated memory for backing a nvmap object. If "addr" is left as 0, nvservices uses the transfer memory region (donated by the user during initialization) instead, when allocating memory for the nvmap object.
By design, freeing the nvmap object by calling the ioctl [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] returns, in its "refcount" argument, the user address previously supplied if the reference count reaches 0.
However, prior to [[6.2.0]], the case where the transfer memory region is used to allocate the nvmap object was not taken into account, thus resulting in [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] leaking back an address from within the transfer memory region mapped in nvservices' memory space.

In [[6.2.0]], [[NV_services#NVMAP_IOC_FREE|NVMAP_IOC_FREE]] no longer returns the address when the transfer memory region is used instead of user supplied memory.
| Combined with other vulnerabilities: Defeating ASLR in nvservices sysmodule.
| [[6.2.0]]
| [[6.2.0]]
| April 2017
| November 24, 2018
| Everyone
|-
|}

15.0.0

2022-10-12T01:17:48Z

SciresM: ro is not a firm sysmodule

The Switch 15.0.0 system update was released on October 11, 2022 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* The location of the Bluetooth® Audio menu within System Settings has moved.
* Screenshots can be taken using the Capture Button while in the Nintendo Switch Online application found on the Nintendo Switch HOME Menu. Video capture is not supported.
*
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* All sysmodules were updated, except for lbl which was previously stubbed. New sysmodule eth was added.
* All SystemData were updated, except for the following: SharedFont, Dictionary, AvatarImage, Eula, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* The following applets were updated: qlaunch, [[Controller_Applet|controller]], dataErase, error, netConnect, [[Profile_Selector|playerSelect]], [[Internet_Browser|web-applets]], OverlayApplet, [[Album_Applet|photoViewer]].

NPDM changes (see [[Services_API|here]] for service hosting changes):
* bluetooth: Access to srepo:u was added.
* bcat: Access to sprof:sp was removed.
* nifm: Access to ethc:c, ethc:i, and various wlan:* services were removed. Access to bsd:nu, eth:nd, wlan, and wlan:nd were added.
* bsdsocket: "Lowest Allowed CPU ID" was changed from 3 to 0. Access to usb:hs and the various wlan:* services were removed.
* wlan: Access to srepo:u was added.
* ldn: Access to psc:m and the various wlan:* services were removed. Access to the wlan service was added.
* ns: Access to audctl was removed. Access to csrng and dauth:0 was added.
* ssl: "Lowest Allowed CPU ID" was changed from 3 to 0.
* nim: Access to ssl was replaced with ssl:s.
* glue: FS permissions now has bitmask 0x0000004000000000 set.
* ro: Access to csrng was added.
* omm: FS permissions now has bitmask 0x0000000000100000 set.
* qlaunch: Access to mnpp:sys and spbg:sp were removed.

RomFs changes (besides sysver titles):
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated
* ErrorMessage: various error messages updated/added
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/Browse/FocusNodeFrame.arc" updated
** "/message/": localization data updated
** "/nro/": The various NROs located under these sub-dirs were updated.
* Help:
** "/legallines.htdocs/img/HDMI.png" updated
** "/legallines.htdocs/index.html" updated
** "/safe.htdocs/html/{dir}/", where {dir} is "JPja", "KRko", and "TWzh":
*** "index.html", "page_02.html", "page_04.html": updated
* UrlBlackList:
** "/listCommon.txt" updated
* TimeZoneBinary: updated
* FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula: [[System_Settings|updated]]
* [[HID_services|ControllerFirmware]]: "/FirmwareInfo.csv" and "/raizo_ep2_ota.bin" updated
* NgWordT: updated
* Applets: Various UI/localization data updated. For web-applets, the NRR and buildinfo.dat were also updated.

===BootImagePackages===
All files in RomFs were updated.

====Kernel====
* Compiler changes:
** Compiler upgrade
*** [What version of clang?]
*** Clang is optimizing much more aggressively in some places.
*** Notably, there are many code locations now where clang doesn't actually increment the KSchedulerLock's count field, presumably because it sees it will be decremented at end of scope...
**** This isn't exploitable, and it is """correct""", but it is worth noting to other reverse engineers because it is very confusing to see the count field unchanged or reloaded after function calls.
** Code is now compiled with -fomit-frame-pointer.
* Initialization changes:
** When the thread resource limit is increased, 24 MB of virtual space is now reserved for the Kernel stack region instead of 14 MB.
* In HorizonKernelMain:
** DoOnEachCoreInOrder is no longer inlined, when setting up the main/interrupt threads. It is still inlined in all other places.
* Multiple fixed-allocations from the system pool/resource limit were removed/revised, presumably to prevent them from unnecessarily fragmenting the pool forever.
** AppletSecureMemory is now allocated statically, instead of dynamically.
*** Previously, 4 MB was allocated from the system pool/resource limit during main.
*** Initialize0 now reserves the 4 MB immediately after the slab heaps for this.
**** DRAM layout is now like [tz reserved] [kernel] [slab heaps] [applet secure memory] [pt heap] [init pt] [memory pool partitions].
**** The virtual memory region type is 0x62; the physical memory region type is 0xC200018E.
** The KPageBuffer slab heap is no longer dynamically allocated from KMemoryManager.
*** Previously, the required number of pages were allocated from the system pool/resource limit to setup the heap *immediately* after KMemoryManager was initialized.
*** Now, it is set up during Kernel::InitializeResourceManagers, after setting up the page manager.
**** InitializeKPageBufferSlabHeap now takes heap and page manager as arguments; the slab heap's members are randomly allocated pages from the page manager.
***** This effectively randomizes the page buffer slabheap's page locations, where previously they were a contiguous range somewhere in the system pool.
***** To facilitate this, the page manager now has an Allocate(count) member function in addition to the previous single-page Allocate().
****** To facilitate this, the page manager now tracks the bitmap ends in addition to the bitmap starts, to enable a linear walk of the lowest bitmap layer.
*** This has an important knock-on effect: TLS pages are allocated from the page buffer slab, and correspondingly are no longer heap pages.
**** Correspondingly, KMemoryState_ThreadLocal no longer has the FlagReferenceCounted (0x400000) bit set.
**** However, removing this bit naively breaks IPC, which previously checked FlagReferenceCounted before copying to/from the message buffer.
**** Now, FlagReferenceCounted is checked if and only if the message buffer is a UserBuffer. If it is not, a new flag "FlagLinearMapped" (0x4000000) is checked.
***** This bit is set only on memory types guaranteed to be accessible via the kernel's linear mapping of non-kernel dram (physical ranges with memory region flag 0x80000000).
***** This new flag is set on all memory states other than Free, Io, Static, Inaccessible, Kernel, Coverage.
* Two new SVCs were added for a new "InsecureMemory" concept.
** Svc 0x90 is Result MapInsecureMemory(uintptr_t address, size_t size);
*** This allocates the requested size memory from a pool partition/resource limit, and map it with a new memory state ("KMemoryState_Insecure") at the user-specified address.
**** The resource limit/pool partition are gotten via new KSystemControl functions ("KSystemControl::GetInsecureMemoryResourceLimit", "KSystemControl::GetInsecureMemoryPool").
***** On NX board, these are the system resource limit, and Pool_SystemNonSecure respectively.
**** The specified address/size must be within the alias code region.
**** KMemoryState_Insecure has value 0x5583817.
***** This is type 0x17 with flags CanUseNonDeviceIpc, CanUseNonSecureIpc, Mapped, CanDeviceMap, CanAlignedDeviceMap, ReferenceCounted, CanChangeAttribute, LinearMapped.
** Svc 0x91 is Result UnmapInsecureMemory(uintptr_t address, size_t size);
*** This unmaps/deallocates/releases memory previously mapped with MapInsecureMemory.
* More changes to SvcMapDeviceAddressSpace(ByForce/Aligned).
** The argument which was previously a memory permission ("device_perm") is now an encoded u32 ("option").
*** The low 16 bits of this are the device permission.
*** The upper 16 bits of this are an enum (only defined values are 0 and 1).
** If the enum-arg is not 0 or 1, svc::ResultInvalidEnumValue() is now returned.
** If the enum-arg is 1 and the specified memory is IO, svc::ResultInvalidCombination is returned.
* Partial support was added for the KPageBuffer size being different from the hardware page size.
** There are now two globals, g_PageBufferSize = 0x1000, g_PageBufferCount = 0.
** The KPageBuffer slab heap is initialized with g_PageBufferCount blocks of g_PageBufferSize.
*** if g_PageBufferSize is 0x1000, g_PageBufferCount has the number of required TLS pages added to it (# processes + # threads + (# processes + #threads) / 8).
** KDynamicPageManager::Initialize now takes in an alignment argument for the page buffer size.
*** KSecureSystemResource always passes 0x1000.
** It is possible this is full support but ifdef'd, but on NX board at least all places which allocate/free to the heap panic if g_PageBufferSize != 0x1000...
* The page table heap now receives all but 64 of the available pages; prior to this, it was all but 70.
* KSessionRequest's additional mappings (when sending an IPC request with more than 8 buffers) are now slab-allocated, rather than using KPageBuffers.
** This slab has a count of 40; object size is 0x4A0 (exactly the maximum required size).
** 13.0.0+ Dynamic expansion is supported.
* Scoped setting/clearing of the 14.0.0 exception flag for cache operations has changed.
** Previously, |= on set, &= ~ on clear. Now, the flag is orr'd in only if it is not already set, and cleared only if it was newly set.
** This adds support for recursively setting these flags via a scoped setter, although there are no places in kernel where it is possible for this to occur.
** This applies to cpu::InvalidateDataCache, cpu::StoreDataCache, cpu::FlushDataCache
* The IsInUsermodeExceptionHandler exception flag management was changed:
** This is now cleared by RestoreContext (same place it clears other flags) rather than ClearExceptionSvcPermissions. It is still set by SetExceptionSvcPermissions.
* Changes in and surrounding page table logic:
** Devices can now theoretically (but not on the NX board) be given access to memory mapped as Io.
*** Why one would want to do this is unclear.
*** KMemoryState_Io now supports the CanAlignedDeviceMap and CanDeviceMap flags.
*** KPageTableBase::GetContiguousMemoryRangeWithState no longer checks that the passed memory address is heap.
*** KPageTableBase::OpenMemoryRangeForMapDeviceAddressSpace no longer checks passes KMemoryState_FlagReferenceCounted.
*** KPageTableBase::LockForMapDeviceAddressSpace takes two new arguments, an output bool * to write whether the state was io, and a bool for whether to check KMemoryState_FlagReferenceCounted.
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
*** KPageTableBase::LockForUnmapDeviceAddressSpace now takes a bool argument for whether to check KMemoryState_FlagReferenceCounted
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
** Pages mapped via MapIoRegion now have KMemoryAttribute_Locked instead of KMemoryAttribute_None.
** Changes were made with respect to the way MapPhysicalMemory/UnmapPhysicalMemory are implemented:
*** KMemoryManager::AllocatePageGroupForProcess no longer calls KPageGroup::Open on the returned page group (essentially reverting the change in 11.0.0).
**** Other KMemoryManager::Allocate* functions still call KPageGroup::Open.
*** KPageTableBase::MapPhysicalMemory now calls a new KPageTable::Operate operation ("MapFirst"), which behaves the same as Map but calls KernelPanic() if the mapped pages have a non-zero reference count.
**** This enforces that MapPhysicalMemory is the first place the pages being mapped have been allocated/opened.
*** KPageTableBase::UnmapPhysicalMemory now calls a new KPageTable::Operate operation ("SeparatePages"), which performs page separation on the requested range.
**** SeparatePages is identical to the separation done at the prologue of ChangePermissions; practically, this just enforces that the pages exist.
*** KPageTableBase::UnmapPhysicalMemory now calls KernelPanic if the unmapping operation fails (since it is guaranteed to succeed by the success of SeparatePages).
**** Logic which previously existed for re-mapping on failure has been removed.
** New Kernel Objects ("KSystemResource", "KSecureSystemResource").
*** Type ID = 0x4600, KSystemResource : public KAutoObject, KSecureSystemResource : public KSystemResource
*** KSystemResource just stores pointers to the three kinds of dynamic resource managers required by processes/page tables.
*** KSecureSystemResource stores the pointed-to objects for these as members.
**** Previously, these were just KProcess members; they are no longer KProcess members and instead live in the KSecureSystemResource object.
*** The slab heap for KSecureSystemResource has capacity = KProcess slab heap.
*** When a process is created with system resource size > 0, it now creates a KSecureSystemResource (which manages allocation with KSystemControl).
**** All actual underlying logic is the same, this just abstracts the KSystemControl/secure memory interaction out of KProcess.
* KInterruptEventTask was removed and no longer exists.
** KInterruptEvent now inherits from KInterruptTask directly.
** There is no longer a global task table; KInterruptManager is expected to return ResultBusy if an interrupt is already bound (it already did this).
** KInterruptEvent::Finalize now unbinds the interrupt directly, and then calls KDpcManager::Request() with a no-op KDpcTask.
*** In practice, this unbinds the interrupt, and then creates an ordering to guarantee all cores will see the interrupt as unbound before continuing.
*** Trivia: this is the first use of KDpcManager::Request on non-debug kernels.
* Minor changes to KHandleTable:
** KHandleTable::KHandleTable now initializes the table_size, max_count, and next_id fields to zero, previously they were uninitialized until Initialize was called.
** KHandleTable::Initialize now instantiates a KScopedDisableDispatch while setting up the table.

====Loader====
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

===[[Bluetooth_Driver_services|bluetooth]]===
Besides the various IPC changes, a vulnerable func was [[Switch_System_Flaws|fixed]].

===[[HID_services|hid]]===
Besides the various IPC changes, an infoleak vuln was [[Switch_System_Flaws|fixed]].

===[[NS_Services|ns]]===
Besides the various IPC changes, vulnerable RNG usage was [[Switch_System_Flaws|fixed]] to properly use secure RNG where needed.

===[[RO_services|ro]]===
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

=== IPC Interface Changes ===
* The following new interfaces were removed:
** nn::eth::sf::IEthInterface
** nn::eth::sf::IEthInterfaceGroup
** nn::socket::sf::IClient
** nn::wlan::detail::IDetectManager
** nn::wlan::detail::IInfraManager
** nn::wlan::detail::ILocalGetActionFrame
** nn::wlan::detail::ILocalGetFrame
** nn::wlan::detail::ILocalManager
** nn::wlan::detail::ISocketGetFrame
** nn::wlan::detail::ISocketManager
* The following new interfaces were added:
** nn::anif::detail::ISfAssignedNetworkInterfaceService
** nn::anif::detail::ISfDriverService
** nn::anif::detail::ISfDriverServiceCreator
** nn::anif::detail::ISfNetworkInterfaceService
** nn::anif::detail::ISfUserService
** nn::anif::detail::ISfUserServiceCreator
** nn::pl::detail::IPlatformServiceManager
** nn::prepo::detail::ipc::IAsyncContext
** nn::socket::sf::IClient_MC
** nn::srepo::detail::ipc::IAsyncContext
** nn::ssl::sf::ISslContextForSystem
** nn::ssl::sf::ISslServiceForSystem
** nn::wlan::detail::IGeneralServiceCreator
** nn::wlan::detail::IPrivateServiceCreator
** nn::wlan::detail::IPrivateWirelessCommunicationService
** nn::wlan::detail::IWirelessCommunicationService
* The following interfaces were changed:
** nn::account::baas::IAdministrator
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::account::baas::IManagerForSystemService
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::am::service::IAppletCommonFunctions
*** Added command 90 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 91 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 100 - inbytes: 4, outbytes: 0
** nn::am::service::IDebugFunctions
*** Added command 50 - inbytes: 16, outbytes: 0
*** Added command 200 - buffers: [5], inbytes: 8, outbytes: 0, outinterfaces: ['nn::am::service::IAllSystemAppletProxiesService'], pid: True
** nn::am::service::ILibraryAppletProxy
*** Added command 22 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IHomeMenuFunctions']
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::am::service::IOverlayAppletProxy
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::arp::detail::IWriter
*** Added command 3 - inbytes: 8, outbytes: 0, outinterfaces: ['nn::arp::detail::IUpdater']
** nn::audio::detail::IAudioRenderer
*** Added command 12 - inbytes: 4, outbytes: 0
*** Added command 13 - inbytes: 0, outbytes: 4
** nn::audioctrl::detail::IAudioController
*** Removed command 26 - inbytes: 1, outbytes: 0
*** Removed command 35 - inbytes: 8, outbytes: 0
*** Removed command 36 - inbytes: 0, outbytes: 8
*** Removed command 37 - inbytes: 1, outbytes: 0
*** Removed command 38 - inbytes: 0, outbytes: 1
*** Removed command 39 - inbytes: 0, outbytes: 1
*** Changed command 40 - buffers: [26] -> [22] (final state: buffers: [22], inbytes: 0, outbytes: 0)
*** Added command 41 - inbytes: 8, outbytes: 0
*** Added command 42 - inbytes: 8, outbytes: 0
*** Added command 50000 - inbytes: 4, outbytes: 0
** nn::bluetooth::IBluetoothDriver
*** Added command 101 - inbytes: 0, outbytes: 0
*** Added command 102 - inbytes: 0, outbytes: 0
*** Added command 155 - inbytes: 6, outbytes: 1
** nn::btm::IBtm
*** Added command 112 - inbytes: 7, outbytes: 0
*** Added command 113 - inbytes: 6, outbytes: 1
*** Added command 116 - inbytes: 7, outbytes: 0
*** Added command 117 - inbytes: 6, outbytes: 1
** nn::btm::IBtmDebug
*** Added command 14 - inbytes: 8, outbytes: 0
*** Added command 15 - inbytes: 0, outbytes: 0
*** Added command 16 - inbytes: 0, outbytes: 0
*** Added command 17 - inbytes: 0, outbytes: 0
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 110 - buffers: [6, 5], inbytes: 16, outbytes: 8
** nn::clkrst::IClkrstManager
*** Added command 6 - inbytes: 0, outbytes: 0
** nn::dauth::detail::IService
*** Added command 1000 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 9000 - buffers: [5, 5], inbytes: 0, outbytes: 0
*** Added command 9010 - inbytes: 0, outbytes: 0
** nn::es::IActiveRightsContext
*** Removed command 5 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 216 - inbytes: 0, outbytes: 0, outhandles: [1]
** nn::es::IETicketService
*** Added command 1022 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::es::IActiveRightsContext']
** nn::fssrv::sf::IFileSystem
*** Added command 16 - inbytes: 0, outbytes: 192
** nn::fssrv::sf::IFileSystemProxy
*** Added command 207 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Added command 1400 - inbytes: 1, outbytes: 0
** nn::grcsrv::IGrcService
*** Changed command 1 - inbytes: 72 -> 32 (final state: inbytes: 32, inhandles: [1], outbytes: 0, outinterfaces: ['nn::grcsrv::IContinuousRecorder'])
** nn::hid::IHidDebugServer
*** Added command 137 - inbytes: 16, outbytes: 0, pid: True
** nn::hid::IHidServer
*** Added command 3000 - buffers: [26], inbytes: 0, outbytes: 0
*** Added command 3001 - buffers: [25], inbytes: 0, outbytes: 0
*** Added command 3002 - inbytes: 0, outbytes: 0
*** Added command 3003 - inbytes: 0, outbytes: 56
*** Added command 3004 - inbytes: 56, outbytes: 0
*** Added command 3005 - inbytes: 0, outbytes: 0
*** Added command 3006 - buffers: [26], inbytes: 4, outbytes: 0
*** Added command 3007 - buffers: [25], inbytes: 4, outbytes: 0
*** Added command 3008 - inbytes: 4, outbytes: 0
*** Added command 3009 - inbytes: 4, outbytes: 64
*** Added command 3010 - inbytes: 68, outbytes: 0
*** Added command 3011 - inbytes: 4, outbytes: 0
** nn::hid::IHidSystemServer
*** Added command 32 - inbytes: 48, outbytes: 0, pid: True
*** Added command 33 - inbytes: 0, outbytes: 0
*** Added command 1135 - inbytes: 8, outbytes: 0, pid: True
** nn::lr::IAddOnContentLocationResolver
*** Added command 5 - buffers: [22, 22], inbytes: 8, outbytes: 0
*** Added command 6 - buffers: [21], inbytes: 16, outbytes: 0
*** Added command 7 - buffers: [21, 21], inbytes: 16, outbytes: 0
** nn::lr::ILocationResolver
*** Added command 20 - inbytes: 0, outbytes: 0
** nn::lr::ILocationResolverManager
*** Added command 4 - buffers: [5], inbytes: 0, outbytes: 0
** nn::mnpp::detail::ipc::IServiceForSystem
*** Added command 300 - inbytes: 0, outbytes: 1
*** Added command 400 - inbytes: 0, outbytes: 1
** nn::ncm::IContentMetaDatabase
*** Added command 23 - inbytes: 16, outbytes: 1
*** Added command 24 - inbytes: 24, outbytes: 24
*** Added command 25 - inbytes: 24, outbytes: 24
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Changed command 3 - inbytes: 8 -> 24 (final state: buffers: [5], inbytes: 24, outbytes: 0)
*** Added command 40 - buffers: [6], inbytes: 8, outbytes: 4
*** Added command 42 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 43 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 44 - buffers: [6], inbytes: 16, outbytes: 4
** nn::nim::detail::INetworkInstallManager
*** Removed command 91 - buffers: [5], inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 138 - buffers: [5], inbytes: 8, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 139 - inbytes: 0, outbytes: 0
*** Added command 140 - inbytes: 0, outbytes: 0
*** Added command 141 - inbytes: 0, outbytes: 1
** nn::nim::detail::IShopServiceManager
*** Added command 102 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Added command 103 - inbytes: 0, outbytes: 32
*** Added command 104 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Added command 105 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 106 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 501 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** nn::ns::detail::IApplicationManagerInterface
*** Added command 90 - inbytes: 8, outbytes: 0
*** Changed command 607 - inbytes: 16 -> 8 (final state: buffers: [6], inbytes: 8, outbytes: 4)
*** Added command 909 - inbytes: 8, outbytes: 0
*** Added command 2357 - inbytes: 0, outbytes: 0
*** Added command 2358 - inbytes: 0, outbytes: 0
*** Added command 2359 - inbytes: 0, outbytes: 1
*** Added command 2516 - inbytes: 16, outbytes: 0
** nn::pdm::detail::IQueryService
*** Removed command 7 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 13 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 14 - buffers: [6], inbytes: 24, outbytes: 4
*** Removed command 15 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 16 - buffers: [6, 5], inbytes: 16, outbytes: 4
** nn::prepo::detail::ipc::IPrepoService
*** Added command 10500 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::prepo::detail::ipc::IAsyncContext'], pid: True
** nn::settings::ISystemSettingsServer
*** Added command 119 - inbytes: 1, outbytes: 3
** nn::srepo::detail::ipc::ISrepoService
*** Added command 10300 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::srepo::detail::ipc::IAsyncContext']
*** Added command 20600 - inbytes: 20, outbytes: 0
** nn::usb::ds::IDsEndpoint
*** Removed command 8 - inbytes: 8, inhandles: [1], outbytes: 0
*** Removed command 9 - inbytes: 16, outbytes: 4
** nn::usb::ds::IDsInterface
*** Added command 12 - inbytes: 8, inhandles: [1], outbytes: 0
** nn::visrv::sf::IManagerDisplayService
*** Changed command 8293 - inbytes: 16 -> 40 (final state: buffers: [6], inbytes: 40, outbytes: 8)

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

15.0.0

2022-10-12T01:16:58Z

SciresM: ro had same issue fixed

The Switch 15.0.0 system update was released on October 11, 2022 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* The location of the Bluetooth® Audio menu within System Settings has moved.
* Screenshots can be taken using the Capture Button while in the Nintendo Switch Online application found on the Nintendo Switch HOME Menu. Video capture is not supported.
*
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* All sysmodules were updated, except for lbl which was previously stubbed. New sysmodule eth was added.
* All SystemData were updated, except for the following: SharedFont, Dictionary, AvatarImage, Eula, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* The following applets were updated: qlaunch, [[Controller_Applet|controller]], dataErase, error, netConnect, [[Profile_Selector|playerSelect]], [[Internet_Browser|web-applets]], OverlayApplet, [[Album_Applet|photoViewer]].

NPDM changes (see [[Services_API|here]] for service hosting changes):
* bluetooth: Access to srepo:u was added.
* bcat: Access to sprof:sp was removed.
* nifm: Access to ethc:c, ethc:i, and various wlan:* services were removed. Access to bsd:nu, eth:nd, wlan, and wlan:nd were added.
* bsdsocket: "Lowest Allowed CPU ID" was changed from 3 to 0. Access to usb:hs and the various wlan:* services were removed.
* wlan: Access to srepo:u was added.
* ldn: Access to psc:m and the various wlan:* services were removed. Access to the wlan service was added.
* ns: Access to audctl was removed. Access to csrng and dauth:0 was added.
* ssl: "Lowest Allowed CPU ID" was changed from 3 to 0.
* nim: Access to ssl was replaced with ssl:s.
* glue: FS permissions now has bitmask 0x0000004000000000 set.
* ro: Access to csrng was added.
* omm: FS permissions now has bitmask 0x0000000000100000 set.
* qlaunch: Access to mnpp:sys and spbg:sp were removed.

RomFs changes (besides sysver titles):
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated
* ErrorMessage: various error messages updated/added
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/Browse/FocusNodeFrame.arc" updated
** "/message/": localization data updated
** "/nro/": The various NROs located under these sub-dirs were updated.
* Help:
** "/legallines.htdocs/img/HDMI.png" updated
** "/legallines.htdocs/index.html" updated
** "/safe.htdocs/html/{dir}/", where {dir} is "JPja", "KRko", and "TWzh":
*** "index.html", "page_02.html", "page_04.html": updated
* UrlBlackList:
** "/listCommon.txt" updated
* TimeZoneBinary: updated
* FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula: [[System_Settings|updated]]
* [[HID_services|ControllerFirmware]]: "/FirmwareInfo.csv" and "/raizo_ep2_ota.bin" updated
* NgWordT: updated
* Applets: Various UI/localization data updated. For web-applets, the NRR and buildinfo.dat were also updated.

===BootImagePackages===
All files in RomFs were updated.

====Kernel====
* Compiler changes:
** Compiler upgrade
*** [What version of clang?]
*** Clang is optimizing much more aggressively in some places.
*** Notably, there are many code locations now where clang doesn't actually increment the KSchedulerLock's count field, presumably because it sees it will be decremented at end of scope...
**** This isn't exploitable, and it is """correct""", but it is worth noting to other reverse engineers because it is very confusing to see the count field unchanged or reloaded after function calls.
** Code is now compiled with -fomit-frame-pointer.
* Initialization changes:
** When the thread resource limit is increased, 24 MB of virtual space is now reserved for the Kernel stack region instead of 14 MB.
* In HorizonKernelMain:
** DoOnEachCoreInOrder is no longer inlined, when setting up the main/interrupt threads. It is still inlined in all other places.
* Multiple fixed-allocations from the system pool/resource limit were removed/revised, presumably to prevent them from unnecessarily fragmenting the pool forever.
** AppletSecureMemory is now allocated statically, instead of dynamically.
*** Previously, 4 MB was allocated from the system pool/resource limit during main.
*** Initialize0 now reserves the 4 MB immediately after the slab heaps for this.
**** DRAM layout is now like [tz reserved] [kernel] [slab heaps] [applet secure memory] [pt heap] [init pt] [memory pool partitions].
**** The virtual memory region type is 0x62; the physical memory region type is 0xC200018E.
** The KPageBuffer slab heap is no longer dynamically allocated from KMemoryManager.
*** Previously, the required number of pages were allocated from the system pool/resource limit to setup the heap *immediately* after KMemoryManager was initialized.
*** Now, it is set up during Kernel::InitializeResourceManagers, after setting up the page manager.
**** InitializeKPageBufferSlabHeap now takes heap and page manager as arguments; the slab heap's members are randomly allocated pages from the page manager.
***** This effectively randomizes the page buffer slabheap's page locations, where previously they were a contiguous range somewhere in the system pool.
***** To facilitate this, the page manager now has an Allocate(count) member function in addition to the previous single-page Allocate().
****** To facilitate this, the page manager now tracks the bitmap ends in addition to the bitmap starts, to enable a linear walk of the lowest bitmap layer.
*** This has an important knock-on effect: TLS pages are allocated from the page buffer slab, and correspondingly are no longer heap pages.
**** Correspondingly, KMemoryState_ThreadLocal no longer has the FlagReferenceCounted (0x400000) bit set.
**** However, removing this bit naively breaks IPC, which previously checked FlagReferenceCounted before copying to/from the message buffer.
**** Now, FlagReferenceCounted is checked if and only if the message buffer is a UserBuffer. If it is not, a new flag "FlagLinearMapped" (0x4000000) is checked.
***** This bit is set only on memory types guaranteed to be accessible via the kernel's linear mapping of non-kernel dram (physical ranges with memory region flag 0x80000000).
***** This new flag is set on all memory states other than Free, Io, Static, Inaccessible, Kernel, Coverage.
* Two new SVCs were added for a new "InsecureMemory" concept.
** Svc 0x90 is Result MapInsecureMemory(uintptr_t address, size_t size);
*** This allocates the requested size memory from a pool partition/resource limit, and map it with a new memory state ("KMemoryState_Insecure") at the user-specified address.
**** The resource limit/pool partition are gotten via new KSystemControl functions ("KSystemControl::GetInsecureMemoryResourceLimit", "KSystemControl::GetInsecureMemoryPool").
***** On NX board, these are the system resource limit, and Pool_SystemNonSecure respectively.
**** The specified address/size must be within the alias code region.
**** KMemoryState_Insecure has value 0x5583817.
***** This is type 0x17 with flags CanUseNonDeviceIpc, CanUseNonSecureIpc, Mapped, CanDeviceMap, CanAlignedDeviceMap, ReferenceCounted, CanChangeAttribute, LinearMapped.
** Svc 0x91 is Result UnmapInsecureMemory(uintptr_t address, size_t size);
*** This unmaps/deallocates/releases memory previously mapped with MapInsecureMemory.
* More changes to SvcMapDeviceAddressSpace(ByForce/Aligned).
** The argument which was previously a memory permission ("device_perm") is now an encoded u32 ("option").
*** The low 16 bits of this are the device permission.
*** The upper 16 bits of this are an enum (only defined values are 0 and 1).
** If the enum-arg is not 0 or 1, svc::ResultInvalidEnumValue() is now returned.
** If the enum-arg is 1 and the specified memory is IO, svc::ResultInvalidCombination is returned.
* Partial support was added for the KPageBuffer size being different from the hardware page size.
** There are now two globals, g_PageBufferSize = 0x1000, g_PageBufferCount = 0.
** The KPageBuffer slab heap is initialized with g_PageBufferCount blocks of g_PageBufferSize.
*** if g_PageBufferSize is 0x1000, g_PageBufferCount has the number of required TLS pages added to it (# processes + # threads + (# processes + #threads) / 8).
** KDynamicPageManager::Initialize now takes in an alignment argument for the page buffer size.
*** KSecureSystemResource always passes 0x1000.
** It is possible this is full support but ifdef'd, but on NX board at least all places which allocate/free to the heap panic if g_PageBufferSize != 0x1000...
* The page table heap now receives all but 64 of the available pages; prior to this, it was all but 70.
* KSessionRequest's additional mappings (when sending an IPC request with more than 8 buffers) are now slab-allocated, rather than using KPageBuffers.
** This slab has a count of 40; object size is 0x4A0 (exactly the maximum required size).
** 13.0.0+ Dynamic expansion is supported.
* Scoped setting/clearing of the 14.0.0 exception flag for cache operations has changed.
** Previously, |= on set, &= ~ on clear. Now, the flag is orr'd in only if it is not already set, and cleared only if it was newly set.
** This adds support for recursively setting these flags via a scoped setter, although there are no places in kernel where it is possible for this to occur.
** This applies to cpu::InvalidateDataCache, cpu::StoreDataCache, cpu::FlushDataCache
* The IsInUsermodeExceptionHandler exception flag management was changed:
** This is now cleared by RestoreContext (same place it clears other flags) rather than ClearExceptionSvcPermissions. It is still set by SetExceptionSvcPermissions.
* Changes in and surrounding page table logic:
** Devices can now theoretically (but not on the NX board) be given access to memory mapped as Io.
*** Why one would want to do this is unclear.
*** KMemoryState_Io now supports the CanAlignedDeviceMap and CanDeviceMap flags.
*** KPageTableBase::GetContiguousMemoryRangeWithState no longer checks that the passed memory address is heap.
*** KPageTableBase::OpenMemoryRangeForMapDeviceAddressSpace no longer checks passes KMemoryState_FlagReferenceCounted.
*** KPageTableBase::LockForMapDeviceAddressSpace takes two new arguments, an output bool * to write whether the state was io, and a bool for whether to check KMemoryState_FlagReferenceCounted.
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
*** KPageTableBase::LockForUnmapDeviceAddressSpace now takes a bool argument for whether to check KMemoryState_FlagReferenceCounted
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
** Pages mapped via MapIoRegion now have KMemoryAttribute_Locked instead of KMemoryAttribute_None.
** Changes were made with respect to the way MapPhysicalMemory/UnmapPhysicalMemory are implemented:
*** KMemoryManager::AllocatePageGroupForProcess no longer calls KPageGroup::Open on the returned page group (essentially reverting the change in 11.0.0).
**** Other KMemoryManager::Allocate* functions still call KPageGroup::Open.
*** KPageTableBase::MapPhysicalMemory now calls a new KPageTable::Operate operation ("MapFirst"), which behaves the same as Map but calls KernelPanic() if the mapped pages have a non-zero reference count.
**** This enforces that MapPhysicalMemory is the first place the pages being mapped have been allocated/opened.
*** KPageTableBase::UnmapPhysicalMemory now calls a new KPageTable::Operate operation ("SeparatePages"), which performs page separation on the requested range.
**** SeparatePages is identical to the separation done at the prologue of ChangePermissions; practically, this just enforces that the pages exist.
*** KPageTableBase::UnmapPhysicalMemory now calls KernelPanic if the unmapping operation fails (since it is guaranteed to succeed by the success of SeparatePages).
**** Logic which previously existed for re-mapping on failure has been removed.
** New Kernel Objects ("KSystemResource", "KSecureSystemResource").
*** Type ID = 0x4600, KSystemResource : public KAutoObject, KSecureSystemResource : public KSystemResource
*** KSystemResource just stores pointers to the three kinds of dynamic resource managers required by processes/page tables.
*** KSecureSystemResource stores the pointed-to objects for these as members.
**** Previously, these were just KProcess members; they are no longer KProcess members and instead live in the KSecureSystemResource object.
*** The slab heap for KSecureSystemResource has capacity = KProcess slab heap.
*** When a process is created with system resource size > 0, it now creates a KSecureSystemResource (which manages allocation with KSystemControl).
**** All actual underlying logic is the same, this just abstracts the KSystemControl/secure memory interaction out of KProcess.
* KInterruptEventTask was removed and no longer exists.
** KInterruptEvent now inherits from KInterruptTask directly.
** There is no longer a global task table; KInterruptManager is expected to return ResultBusy if an interrupt is already bound (it already did this).
** KInterruptEvent::Finalize now unbinds the interrupt directly, and then calls KDpcManager::Request() with a no-op KDpcTask.
*** In practice, this unbinds the interrupt, and then creates an ordering to guarantee all cores will see the interrupt as unbound before continuing.
*** Trivia: this is the first use of KDpcManager::Request on non-debug kernels.
* Minor changes to KHandleTable:
** KHandleTable::KHandleTable now initializes the table_size, max_count, and next_id fields to zero, previously they were uninitialized until Initialize was called.
** KHandleTable::Initialize now instantiates a KScopedDisableDispatch while setting up the table.

====Loader====
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

====Ro====
The broken RNG for ASLR was [[Switch_System_Flaws|fixed]].

===[[Bluetooth_Driver_services|bluetooth]]===
Besides the various IPC changes, a vulnerable func was [[Switch_System_Flaws|fixed]].

===[[HID_services|hid]]===
Besides the various IPC changes, an infoleak vuln was [[Switch_System_Flaws|fixed]].

===[[NS_Services|ns]]===
Besides the various IPC changes, vulnerable RNG usage was [[Switch_System_Flaws|fixed]] to properly use secure RNG where needed.

=== IPC Interface Changes ===
* The following new interfaces were removed:
** nn::eth::sf::IEthInterface
** nn::eth::sf::IEthInterfaceGroup
** nn::socket::sf::IClient
** nn::wlan::detail::IDetectManager
** nn::wlan::detail::IInfraManager
** nn::wlan::detail::ILocalGetActionFrame
** nn::wlan::detail::ILocalGetFrame
** nn::wlan::detail::ILocalManager
** nn::wlan::detail::ISocketGetFrame
** nn::wlan::detail::ISocketManager
* The following new interfaces were added:
** nn::anif::detail::ISfAssignedNetworkInterfaceService
** nn::anif::detail::ISfDriverService
** nn::anif::detail::ISfDriverServiceCreator
** nn::anif::detail::ISfNetworkInterfaceService
** nn::anif::detail::ISfUserService
** nn::anif::detail::ISfUserServiceCreator
** nn::pl::detail::IPlatformServiceManager
** nn::prepo::detail::ipc::IAsyncContext
** nn::socket::sf::IClient_MC
** nn::srepo::detail::ipc::IAsyncContext
** nn::ssl::sf::ISslContextForSystem
** nn::ssl::sf::ISslServiceForSystem
** nn::wlan::detail::IGeneralServiceCreator
** nn::wlan::detail::IPrivateServiceCreator
** nn::wlan::detail::IPrivateWirelessCommunicationService
** nn::wlan::detail::IWirelessCommunicationService
* The following interfaces were changed:
** nn::account::baas::IAdministrator
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::account::baas::IManagerForSystemService
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::am::service::IAppletCommonFunctions
*** Added command 90 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 91 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 100 - inbytes: 4, outbytes: 0
** nn::am::service::IDebugFunctions
*** Added command 50 - inbytes: 16, outbytes: 0
*** Added command 200 - buffers: [5], inbytes: 8, outbytes: 0, outinterfaces: ['nn::am::service::IAllSystemAppletProxiesService'], pid: True
** nn::am::service::ILibraryAppletProxy
*** Added command 22 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IHomeMenuFunctions']
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::am::service::IOverlayAppletProxy
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::arp::detail::IWriter
*** Added command 3 - inbytes: 8, outbytes: 0, outinterfaces: ['nn::arp::detail::IUpdater']
** nn::audio::detail::IAudioRenderer
*** Added command 12 - inbytes: 4, outbytes: 0
*** Added command 13 - inbytes: 0, outbytes: 4
** nn::audioctrl::detail::IAudioController
*** Removed command 26 - inbytes: 1, outbytes: 0
*** Removed command 35 - inbytes: 8, outbytes: 0
*** Removed command 36 - inbytes: 0, outbytes: 8
*** Removed command 37 - inbytes: 1, outbytes: 0
*** Removed command 38 - inbytes: 0, outbytes: 1
*** Removed command 39 - inbytes: 0, outbytes: 1
*** Changed command 40 - buffers: [26] -> [22] (final state: buffers: [22], inbytes: 0, outbytes: 0)
*** Added command 41 - inbytes: 8, outbytes: 0
*** Added command 42 - inbytes: 8, outbytes: 0
*** Added command 50000 - inbytes: 4, outbytes: 0
** nn::bluetooth::IBluetoothDriver
*** Added command 101 - inbytes: 0, outbytes: 0
*** Added command 102 - inbytes: 0, outbytes: 0
*** Added command 155 - inbytes: 6, outbytes: 1
** nn::btm::IBtm
*** Added command 112 - inbytes: 7, outbytes: 0
*** Added command 113 - inbytes: 6, outbytes: 1
*** Added command 116 - inbytes: 7, outbytes: 0
*** Added command 117 - inbytes: 6, outbytes: 1
** nn::btm::IBtmDebug
*** Added command 14 - inbytes: 8, outbytes: 0
*** Added command 15 - inbytes: 0, outbytes: 0
*** Added command 16 - inbytes: 0, outbytes: 0
*** Added command 17 - inbytes: 0, outbytes: 0
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 110 - buffers: [6, 5], inbytes: 16, outbytes: 8
** nn::clkrst::IClkrstManager
*** Added command 6 - inbytes: 0, outbytes: 0
** nn::dauth::detail::IService
*** Added command 1000 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 9000 - buffers: [5, 5], inbytes: 0, outbytes: 0
*** Added command 9010 - inbytes: 0, outbytes: 0
** nn::es::IActiveRightsContext
*** Removed command 5 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 216 - inbytes: 0, outbytes: 0, outhandles: [1]
** nn::es::IETicketService
*** Added command 1022 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::es::IActiveRightsContext']
** nn::fssrv::sf::IFileSystem
*** Added command 16 - inbytes: 0, outbytes: 192
** nn::fssrv::sf::IFileSystemProxy
*** Added command 207 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Added command 1400 - inbytes: 1, outbytes: 0
** nn::grcsrv::IGrcService
*** Changed command 1 - inbytes: 72 -> 32 (final state: inbytes: 32, inhandles: [1], outbytes: 0, outinterfaces: ['nn::grcsrv::IContinuousRecorder'])
** nn::hid::IHidDebugServer
*** Added command 137 - inbytes: 16, outbytes: 0, pid: True
** nn::hid::IHidServer
*** Added command 3000 - buffers: [26], inbytes: 0, outbytes: 0
*** Added command 3001 - buffers: [25], inbytes: 0, outbytes: 0
*** Added command 3002 - inbytes: 0, outbytes: 0
*** Added command 3003 - inbytes: 0, outbytes: 56
*** Added command 3004 - inbytes: 56, outbytes: 0
*** Added command 3005 - inbytes: 0, outbytes: 0
*** Added command 3006 - buffers: [26], inbytes: 4, outbytes: 0
*** Added command 3007 - buffers: [25], inbytes: 4, outbytes: 0
*** Added command 3008 - inbytes: 4, outbytes: 0
*** Added command 3009 - inbytes: 4, outbytes: 64
*** Added command 3010 - inbytes: 68, outbytes: 0
*** Added command 3011 - inbytes: 4, outbytes: 0
** nn::hid::IHidSystemServer
*** Added command 32 - inbytes: 48, outbytes: 0, pid: True
*** Added command 33 - inbytes: 0, outbytes: 0
*** Added command 1135 - inbytes: 8, outbytes: 0, pid: True
** nn::lr::IAddOnContentLocationResolver
*** Added command 5 - buffers: [22, 22], inbytes: 8, outbytes: 0
*** Added command 6 - buffers: [21], inbytes: 16, outbytes: 0
*** Added command 7 - buffers: [21, 21], inbytes: 16, outbytes: 0
** nn::lr::ILocationResolver
*** Added command 20 - inbytes: 0, outbytes: 0
** nn::lr::ILocationResolverManager
*** Added command 4 - buffers: [5], inbytes: 0, outbytes: 0
** nn::mnpp::detail::ipc::IServiceForSystem
*** Added command 300 - inbytes: 0, outbytes: 1
*** Added command 400 - inbytes: 0, outbytes: 1
** nn::ncm::IContentMetaDatabase
*** Added command 23 - inbytes: 16, outbytes: 1
*** Added command 24 - inbytes: 24, outbytes: 24
*** Added command 25 - inbytes: 24, outbytes: 24
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Changed command 3 - inbytes: 8 -> 24 (final state: buffers: [5], inbytes: 24, outbytes: 0)
*** Added command 40 - buffers: [6], inbytes: 8, outbytes: 4
*** Added command 42 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 43 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 44 - buffers: [6], inbytes: 16, outbytes: 4
** nn::nim::detail::INetworkInstallManager
*** Removed command 91 - buffers: [5], inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 138 - buffers: [5], inbytes: 8, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 139 - inbytes: 0, outbytes: 0
*** Added command 140 - inbytes: 0, outbytes: 0
*** Added command 141 - inbytes: 0, outbytes: 1
** nn::nim::detail::IShopServiceManager
*** Added command 102 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Added command 103 - inbytes: 0, outbytes: 32
*** Added command 104 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Added command 105 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 106 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 501 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** nn::ns::detail::IApplicationManagerInterface
*** Added command 90 - inbytes: 8, outbytes: 0
*** Changed command 607 - inbytes: 16 -> 8 (final state: buffers: [6], inbytes: 8, outbytes: 4)
*** Added command 909 - inbytes: 8, outbytes: 0
*** Added command 2357 - inbytes: 0, outbytes: 0
*** Added command 2358 - inbytes: 0, outbytes: 0
*** Added command 2359 - inbytes: 0, outbytes: 1
*** Added command 2516 - inbytes: 16, outbytes: 0
** nn::pdm::detail::IQueryService
*** Removed command 7 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 13 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 14 - buffers: [6], inbytes: 24, outbytes: 4
*** Removed command 15 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 16 - buffers: [6, 5], inbytes: 16, outbytes: 4
** nn::prepo::detail::ipc::IPrepoService
*** Added command 10500 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::prepo::detail::ipc::IAsyncContext'], pid: True
** nn::settings::ISystemSettingsServer
*** Added command 119 - inbytes: 1, outbytes: 3
** nn::srepo::detail::ipc::ISrepoService
*** Added command 10300 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::srepo::detail::ipc::IAsyncContext']
*** Added command 20600 - inbytes: 20, outbytes: 0
** nn::usb::ds::IDsEndpoint
*** Removed command 8 - inbytes: 8, inhandles: [1], outbytes: 0
*** Removed command 9 - inbytes: 16, outbytes: 4
** nn::usb::ds::IDsInterface
*** Added command 12 - inbytes: 8, inhandles: [1], outbytes: 0
** nn::visrv::sf::IManagerDisplayService
*** Changed command 8293 - inbytes: 16 -> 40 (final state: buffers: [6], inbytes: 40, outbytes: 8)

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

15.0.0

2022-10-11T04:10:08Z

SciresM: Add kernel diff

The Switch 15.0.0 system update was released on October 11, 2022 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: yes.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* The location of the Bluetooth® Audio menu within System Settings has moved.
* Screenshots can be taken using the Capture Button while in the Nintendo Switch Online application found on the Nintendo Switch HOME Menu.
*
* Video capture is not supported.
*
*
* General system stability improvements to enhance the user's experience.
*

==System Titles==
* All sysmodules were updated, except for lbl which was previously stubbed. New sysmodule eth was added.
* All SystemData were updated, except for the following: SharedFont, Dictionary, AvatarImage, Eula, ControllerIcon, ApplicationBlackList, FunctionBlackList.
* The following applets were updated: qlaunch, [[Controller_Applet|controller]], dataErase, error, netConnect, [[Profile_Selector|playerSelect]], [[Internet_Browser|web-applets]], OverlayApplet, [[Album_Applet|photoViewer]].

NPDM changes (see [[Services_API|here]] for service hosting changes):
* bluetooth: Access to srepo:u was added.
* bcat: Access to sprof:sp was removed.
* nifm: Access to ethc:c, ethc:i, and various wlan:* services were removed. Access to bsd:nu, eth:nd, wlan, and wlan:nd were added.
* bsdsocket: "Lowest Allowed CPU ID" was changed from 3 to 0. Access to usb:hs and the various wlan:* services were removed.
* wlan: Access to srepo:u was added.
* ldn: Access to psc:m and the various wlan:* services were removed. Access to the wlan service was added.
* ns: Access to audctl was removed. Access to csrng and dauth:0 was added.
* ssl: "Lowest Allowed CPU ID" was changed from 3 to 0.
* nim: Access to ssl was replaced with ssl:s.
* glue: FS permissions now has bitmask 0x0000004000000000 set.
* ro: Access to csrng was added.
* omm: FS permissions now has bitmask 0x0000000000100000 set.
* qlaunch: Access to mnpp:sys and spbg:sp were removed.

RomFs changes (besides sysver titles):
* [[SSL_services|CertStore]]: "/ssl_TrustedCerts.bdf" updated
* ErrorMessage: various error messages updated/added
* BrowserDll:
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/Browse/FocusNodeFrame.arc" updated
** "/message/": localization data updated
** "/nro/": The various NROs located under these sub-dirs were updated.
* Help:
** "/legallines.htdocs/img/HDMI.png" updated
** "/legallines.htdocs/index.html" updated
** "/safe.htdocs/html/{dir}/", where {dir} is "JPja", "KRko", and "TWzh":
*** "index.html", "page_02.html", "page_04.html": updated
* UrlBlackList:
** "/listCommon.txt" updated
* TimeZoneBinary: updated
* FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula: [[System_Settings|updated]]
* [[HID_services|ControllerFirmware]]: "/FirmwareInfo.csv" and "/raizo_ep2_ota.bin" updated
* NgWordT: updated
* Applets: Various UI/localization data updated. For web-applets, the NRR and buildinfo.dat were also updated.

===BootImagePackages===
All files in RomFs were updated.

====Kernel====
* Compiler changes:
** Compiler upgrade
*** [What version of clang?]
*** Clang is optimizing much more aggressively in some places.
*** Notably, there are many code locations now where clang doesn't actually increment the KSchedulerLock's count field, presumably because it sees it will be decremented at end of scope...
**** This isn't exploitable, and it is """correct""", but it is worth noting to other reverse engineers because it is very confusing to see the count field unchanged or reloaded after function calls.
** Code is now compiled with -fomit-frame-pointer.
* Initialization changes:
** When the thread resource limit is increased, 24 MB of virtual space is now reserved for the Kernel stack region instead of 14 MB.
* In HorizonKernelMain:
** DoOnEachCoreInOrder is no longer inlined, when setting up the main/interrupt threads. It is still inlined in all other places.
* Multiple fixed-allocations from the system pool/resource limit were removed/revised, presumably to prevent them from unnecessarily fragmenting the pool forever.
** AppletSecureMemory is now allocated statically, instead of dynamically.
*** Previously, 4 MB was allocated from the system pool/resource limit during main.
*** Initialize0 now reserves the 4 MB immediately after the slab heaps for this.
**** DRAM layout is now like [tz reserved] [kernel] [slab heaps] [applet secure memory] [pt heap] [init pt] [memory pool partitions].
**** The virtual memory region type is 0x62; the physical memory region type is 0xC200018E.
** The KPageBuffer slab heap is no longer dynamically allocated from KMemoryManager.
*** Previously, the required number of pages were allocated from the system pool/resource limit to setup the heap *immediately* after KMemoryManager was initialized.
*** Now, it is set up during Kernel::InitializeResourceManagers, after setting up the page manager.
**** InitializeKPageBufferSlabHeap now takes heap and page manager as arguments; the slab heap's members are randomly allocated pages from the page manager.
***** This effectively randomizes the page buffer slabheap's page locations, where previously they were a contiguous range somewhere in the system pool.
***** To facilitate this, the page manager now has an Allocate(count) member function in addition to the previous single-page Allocate().
****** To facilitate this, the page manager now tracks the bitmap ends in addition to the bitmap starts, to enable a linear walk of the lowest bitmap layer.
*** This has an important knock-on effect: TLS pages are allocated from the page buffer slab, and correspondingly are no longer heap pages.
**** Correspondingly, KMemoryState_ThreadLocal no longer has the FlagReferenceCounted (0x400000) bit set.
**** However, removing this bit naively breaks IPC, which previously checked FlagReferenceCounted before copying to/from the message buffer.
**** Now, FlagReferenceCounted is checked if and only if the message buffer is a UserBuffer. If it is not, a new flag "FlagLinearMapped" (0x4000000) is checked.
***** This bit is set only on memory types guaranteed to be accessible via the kernel's linear mapping of non-kernel dram (physical ranges with memory region flag 0x80000000).
***** This new flag is set on all memory states other than Free, Io, Static, Inaccessible, Kernel, Coverage.
* Two new SVCs were added for a new "InsecureMemory" concept.
** Svc 0x90 is Result MapInsecureMemory(uintptr_t address, size_t size);
*** This allocates the requested size memory from a pool partition/resource limit, and map it with a new memory state ("KMemoryState_Insecure") at the user-specified address.
**** The resource limit/pool partition are gotten via new KSystemControl functions ("KSystemControl::GetInsecureMemoryResourceLimit", "KSystemControl::GetInsecureMemoryPool").
***** On NX board, these are the system resource limit, and Pool_SystemNonSecure respectively.
**** The specified address/size must be within the alias code region.
**** KMemoryState_Insecure has value 0x5583817.
***** This is type 0x17 with flags CanUseNonDeviceIpc, CanUseNonSecureIpc, Mapped, CanDeviceMap, CanAlignedDeviceMap, ReferenceCounted, CanChangeAttribute, LinearMapped.
** Svc 0x91 is Result UnmapInsecureMemory(uintptr_t address, size_t size);
*** This unmaps/deallocates/releases memory previously mapped with MapInsecureMemory.
* More changes to SvcMapDeviceAddressSpace(ByForce/Aligned).
** The argument which was previously a memory permission ("device_perm") is now an encoded u32 ("option").
*** The low 16 bits of this are the device permission.
*** The upper 16 bits of this are an enum (only defined values are 0 and 1).
** If the enum-arg is not 0 or 1, svc::ResultInvalidEnumValue() is now returned.
** If the enum-arg is 1 and the specified memory is IO, svc::ResultInvalidCombination is returned.
* Partial support was added for the KPageBuffer size being different from the hardware page size.
** There are now two globals, g_PageBufferSize = 0x1000, g_PageBufferCount = 0.
** The KPageBuffer slab heap is initialized with g_PageBufferCount blocks of g_PageBufferSize.
*** if g_PageBufferSize is 0x1000, g_PageBufferCount has the number of required TLS pages added to it (# processes + # threads + (# processes + #threads) / 8).
** KDynamicPageManager::Initialize now takes in an alignment argument for the page buffer size.
*** KSecureSystemResource always passes 0x1000.
** It is possible this is full support but ifdef'd, but on NX board at least all places which allocate/free to the heap panic if g_PageBufferSize != 0x1000...
* The page table heap now receives all but 64 of the available pages; prior to this, it was all but 70.
* KSessionRequest's additional mappings (when sending an IPC request with more than 8 buffers) are now slab-allocated, rather than using KPageBuffers.
** This slab has a count of 40; object size is 0x4A0 (exactly the maximum required size).
** 13.0.0+ Dynamic expansion is supported.
* Scoped setting/clearing of the 14.0.0 exception flag for cache operations has changed.
** Previously, |= on set, &= ~ on clear. Now, the flag is orr'd in only if it is not already set, and cleared only if it was newly set.
** This adds support for recursively setting these flags via a scoped setter, although there are no places in kernel where it is possible for this to occur.
** This applies to cpu::InvalidateDataCache, cpu::StoreDataCache, cpu::FlushDataCache
* The IsInUsermodeExceptionHandler exception flag management was changed:
** This is now cleared by RestoreContext (same place it clears other flags) rather than ClearExceptionSvcPermissions. It is still set by SetExceptionSvcPermissions.
* Changes in and surrounding page table logic:
** Devices can now theoretically (but not on the NX board) be given access to memory mapped as Io.
*** Why one would want to do this is unclear.
*** KMemoryState_Io now supports the CanAlignedDeviceMap and CanDeviceMap flags.
*** KPageTableBase::GetContiguousMemoryRangeWithState no longer checks that the passed memory address is heap.
*** KPageTableBase::OpenMemoryRangeForMapDeviceAddressSpace no longer checks passes KMemoryState_FlagReferenceCounted.
*** KPageTableBase::LockForMapDeviceAddressSpace takes two new arguments, an output bool * to write whether the state was io, and a bool for whether to check KMemoryState_FlagReferenceCounted.
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
*** KPageTableBase::LockForUnmapDeviceAddressSpace now takes a bool argument for whether to check KMemoryState_FlagReferenceCounted
**** The bool is always passed on true on NX board, preventing this feature from being actually used.
** Pages mapped via MapIoRegion now have KMemoryAttribute_Locked instead of KMemoryAttribute_None.
** Changes were made with respect to the way MapPhysicalMemory/UnmapPhysicalMemory are implemented:
*** KMemoryManager::AllocatePageGroupForProcess no longer calls KPageGroup::Open on the returned page group (essentially reverting the change in 11.0.0).
**** Other KMemoryManager::Allocate* functions still call KPageGroup::Open.
*** KPageTableBase::MapPhysicalMemory now calls a new KPageTable::Operate operation ("MapFirst"), which behaves the same as Map but calls KernelPanic() if the mapped pages have a non-zero reference count.
**** This enforces that MapPhysicalMemory is the first place the pages being mapped have been allocated/opened.
*** KPageTableBase::UnmapPhysicalMemory now calls a new KPageTable::Operate operation ("SeparatePages"), which performs page separation on the requested range.
**** SeparatePages is identical to the separation done at the prologue of ChangePermissions; practically, this just enforces that the pages exist.
*** KPageTableBase::UnmapPhysicalMemory now calls KernelPanic if the unmapping operation fails (since it is guaranteed to succeed by the success of SeparatePages).
**** Logic which previously existed for re-mapping on failure has been removed.
** New Kernel Objects ("KSystemResource", "KSecureSystemResource").
*** Type ID = 0x4600, KSystemResource : public KAutoObject, KSecureSystemResource : public KSystemResource
*** KSystemResource just stores pointers to the three kinds of dynamic resource managers required by processes/page tables.
*** KSecureSystemResource stores the pointed-to objects for these as members.
**** Previously, these were just KProcess members; they are no longer KProcess members and instead live in the KSecureSystemResource object.
*** The slab heap for KSecureSystemResource has capacity = KProcess slab heap.
*** When a process is created with system resource size > 0, it now creates a KSecureSystemResource (which manages allocation with KSystemControl).
**** All actual underlying logic is the same, this just abstracts the KSystemControl/secure memory interaction out of KProcess.
* KInterruptEventTask was removed and no longer exists.
** KInterruptEvent now inherits from KInterruptTask directly.
** There is no longer a global task table; KInterruptManager is expected to return ResultBusy if an interrupt is already bound (it already did this).
** KInterruptEvent::Finalize now unbinds the interrupt directly, and then calls KDpcManager::Request() with a no-op KDpcTask.
*** In practice, this unbinds the interrupt, and then creates an ordering to guarantee all cores will see the interrupt as unbound before continuing.
*** Trivia: this is the first use of KDpcManager::Request on non-debug kernels.
* Minor changes to KHandleTable:
** KHandleTable::KHandleTable now initializes the table_size, max_count, and next_id fields to zero, previously they were uninitialized until Initialize was called.
** KHandleTable::Initialize now instantiates a KScopedDisableDispatch while setting up the table.

===[[HID_services|hid]]===
Besides the various IPC changes, an infoleak vuln was [[Switch_System_Flaws|fixed]].

=== IPC Interface Changes ===
* The following new interfaces were removed:
** nn::eth::sf::IEthInterface
** nn::eth::sf::IEthInterfaceGroup
** nn::socket::sf::IClient
** nn::wlan::detail::IDetectManager
** nn::wlan::detail::IInfraManager
** nn::wlan::detail::ILocalGetActionFrame
** nn::wlan::detail::ILocalGetFrame
** nn::wlan::detail::ILocalManager
** nn::wlan::detail::ISocketGetFrame
** nn::wlan::detail::ISocketManager
* The following new interfaces were added:
** nn::anif::detail::ISfAssignedNetworkInterfaceService
** nn::anif::detail::ISfDriverService
** nn::anif::detail::ISfDriverServiceCreator
** nn::anif::detail::ISfNetworkInterfaceService
** nn::anif::detail::ISfUserService
** nn::anif::detail::ISfUserServiceCreator
** nn::pl::detail::IPlatformServiceManager
** nn::prepo::detail::ipc::IAsyncContext
** nn::socket::sf::IClient_MC
** nn::srepo::detail::ipc::IAsyncContext
** nn::ssl::sf::ISslContextForSystem
** nn::ssl::sf::ISslServiceForSystem
** nn::wlan::detail::IGeneralServiceCreator
** nn::wlan::detail::IPrivateServiceCreator
** nn::wlan::detail::IPrivateWirelessCommunicationService
** nn::wlan::detail::IWirelessCommunicationService
* The following interfaces were changed:
** nn::account::baas::IAdministrator
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::account::baas::IManagerForSystemService
*** Added command 143 - inbytes: 0, outbytes: 16
*** Added command 160 - inbytes: 0, outbytes: 0
** nn::am::service::IAppletCommonFunctions
*** Added command 90 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 91 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::am::service::IStorageChannel']
*** Added command 100 - inbytes: 4, outbytes: 0
** nn::am::service::IDebugFunctions
*** Added command 50 - inbytes: 16, outbytes: 0
*** Added command 200 - buffers: [5], inbytes: 8, outbytes: 0, outinterfaces: ['nn::am::service::IAllSystemAppletProxiesService'], pid: True
** nn::am::service::ILibraryAppletProxy
*** Added command 22 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IHomeMenuFunctions']
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::am::service::IOverlayAppletProxy
*** Added command 23 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::am::service::IGlobalStateController']
** nn::arp::detail::IWriter
*** Added command 3 - inbytes: 8, outbytes: 0, outinterfaces: ['nn::arp::detail::IUpdater']
** nn::audio::detail::IAudioRenderer
*** Added command 12 - inbytes: 4, outbytes: 0
*** Added command 13 - inbytes: 0, outbytes: 4
** nn::audioctrl::detail::IAudioController
*** Removed command 26 - inbytes: 1, outbytes: 0
*** Removed command 35 - inbytes: 8, outbytes: 0
*** Removed command 36 - inbytes: 0, outbytes: 8
*** Removed command 37 - inbytes: 1, outbytes: 0
*** Removed command 38 - inbytes: 0, outbytes: 1
*** Removed command 39 - inbytes: 0, outbytes: 1
*** Changed command 40 - buffers: [26] -> [22] (final state: buffers: [22], inbytes: 0, outbytes: 0)
*** Added command 41 - inbytes: 8, outbytes: 0
*** Added command 42 - inbytes: 8, outbytes: 0
*** Added command 50000 - inbytes: 4, outbytes: 0
** nn::bluetooth::IBluetoothDriver
*** Added command 101 - inbytes: 0, outbytes: 0
*** Added command 102 - inbytes: 0, outbytes: 0
*** Added command 155 - inbytes: 6, outbytes: 1
** nn::btm::IBtm
*** Added command 112 - inbytes: 7, outbytes: 0
*** Added command 113 - inbytes: 6, outbytes: 1
*** Added command 116 - inbytes: 7, outbytes: 0
*** Added command 117 - inbytes: 6, outbytes: 1
** nn::btm::IBtmDebug
*** Added command 14 - inbytes: 8, outbytes: 0
*** Added command 15 - inbytes: 0, outbytes: 0
*** Added command 16 - inbytes: 0, outbytes: 0
*** Added command 17 - inbytes: 0, outbytes: 0
** nn::capsrv::sf::IAlbumAccessorService
*** Added command 110 - buffers: [6, 5], inbytes: 16, outbytes: 8
** nn::clkrst::IClkrstManager
*** Added command 6 - inbytes: 0, outbytes: 0
** nn::dauth::detail::IService
*** Added command 1000 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 9000 - buffers: [5, 5], inbytes: 0, outbytes: 0
*** Added command 9010 - inbytes: 0, outbytes: 0
** nn::es::IActiveRightsContext
*** Removed command 5 - buffers: [5], inbytes: 0, outbytes: 0
*** Added command 216 - inbytes: 0, outbytes: 0, outhandles: [1]
** nn::es::IETicketService
*** Added command 1022 - inbytes: 0, outbytes: 0, outinterfaces: ['nn::es::IActiveRightsContext']
** nn::fssrv::sf::IFileSystem
*** Added command 16 - inbytes: 0, outbytes: 192
** nn::fssrv::sf::IFileSystemProxy
*** Added command 207 - inbytes: 16, outbytes: 0, outinterfaces: ['nn::fssrv::sf::IFileSystem']
*** Added command 1400 - inbytes: 1, outbytes: 0
** nn::grcsrv::IGrcService
*** Changed command 1 - inbytes: 72 -> 32 (final state: inbytes: 32, inhandles: [1], outbytes: 0, outinterfaces: ['nn::grcsrv::IContinuousRecorder'])
** nn::hid::IHidDebugServer
*** Added command 137 - inbytes: 16, outbytes: 0, pid: True
** nn::hid::IHidServer
*** Added command 3000 - buffers: [26], inbytes: 0, outbytes: 0
*** Added command 3001 - buffers: [25], inbytes: 0, outbytes: 0
*** Added command 3002 - inbytes: 0, outbytes: 0
*** Added command 3003 - inbytes: 0, outbytes: 56
*** Added command 3004 - inbytes: 56, outbytes: 0
*** Added command 3005 - inbytes: 0, outbytes: 0
*** Added command 3006 - buffers: [26], inbytes: 4, outbytes: 0
*** Added command 3007 - buffers: [25], inbytes: 4, outbytes: 0
*** Added command 3008 - inbytes: 4, outbytes: 0
*** Added command 3009 - inbytes: 4, outbytes: 64
*** Added command 3010 - inbytes: 68, outbytes: 0
*** Added command 3011 - inbytes: 4, outbytes: 0
** nn::hid::IHidSystemServer
*** Added command 32 - inbytes: 48, outbytes: 0, pid: True
*** Added command 33 - inbytes: 0, outbytes: 0
*** Added command 1135 - inbytes: 8, outbytes: 0, pid: True
** nn::lr::IAddOnContentLocationResolver
*** Added command 5 - buffers: [22, 22], inbytes: 8, outbytes: 0
*** Added command 6 - buffers: [21], inbytes: 16, outbytes: 0
*** Added command 7 - buffers: [21, 21], inbytes: 16, outbytes: 0
** nn::lr::ILocationResolver
*** Added command 20 - inbytes: 0, outbytes: 0
** nn::lr::ILocationResolverManager
*** Added command 4 - buffers: [5], inbytes: 0, outbytes: 0
** nn::mnpp::detail::ipc::IServiceForSystem
*** Added command 300 - inbytes: 0, outbytes: 1
*** Added command 400 - inbytes: 0, outbytes: 1
** nn::ncm::IContentMetaDatabase
*** Added command 23 - inbytes: 16, outbytes: 1
*** Added command 24 - inbytes: 24, outbytes: 24
*** Added command 25 - inbytes: 24, outbytes: 24
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Changed command 3 - inbytes: 8 -> 24 (final state: buffers: [5], inbytes: 24, outbytes: 0)
*** Added command 40 - buffers: [6], inbytes: 8, outbytes: 4
*** Added command 42 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 43 - buffers: [6], inbytes: 16, outbytes: 4
*** Added command 44 - buffers: [6], inbytes: 16, outbytes: 4
** nn::nim::detail::INetworkInstallManager
*** Removed command 91 - buffers: [5], inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 138 - buffers: [5], inbytes: 8, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 139 - inbytes: 0, outbytes: 0
*** Added command 140 - inbytes: 0, outbytes: 0
*** Added command 141 - inbytes: 0, outbytes: 1
** nn::nim::detail::IShopServiceManager
*** Added command 102 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Added command 103 - inbytes: 0, outbytes: 32
*** Added command 104 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Added command 105 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 106 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Added command 501 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
** nn::ns::detail::IApplicationManagerInterface
*** Added command 90 - inbytes: 8, outbytes: 0
*** Changed command 607 - inbytes: 16 -> 8 (final state: buffers: [6], inbytes: 8, outbytes: 4)
*** Added command 909 - inbytes: 8, outbytes: 0
*** Added command 2357 - inbytes: 0, outbytes: 0
*** Added command 2358 - inbytes: 0, outbytes: 0
*** Added command 2359 - inbytes: 0, outbytes: 1
*** Added command 2516 - inbytes: 16, outbytes: 0
** nn::pdm::detail::IQueryService
*** Removed command 7 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 13 - buffers: [6, 5], inbytes: 0, outbytes: 4
*** Removed command 14 - buffers: [6], inbytes: 24, outbytes: 4
*** Removed command 15 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 16 - buffers: [6, 5], inbytes: 16, outbytes: 4
** nn::prepo::detail::ipc::IPrepoService
*** Added command 10500 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::prepo::detail::ipc::IAsyncContext'], pid: True
** nn::settings::ISystemSettingsServer
*** Added command 119 - inbytes: 1, outbytes: 3
** nn::srepo::detail::ipc::ISrepoService
*** Added command 10300 - buffers: [9], inbytes: 40, inhandles: [1], outbytes: 0, outinterfaces: ['nn::srepo::detail::ipc::IAsyncContext']
*** Added command 20600 - inbytes: 20, outbytes: 0
** nn::usb::ds::IDsEndpoint
*** Removed command 8 - inbytes: 8, inhandles: [1], outbytes: 0
*** Removed command 9 - inbytes: 16, outbytes: 4
** nn::usb::ds::IDsInterface
*** Added command 12 - inbytes: 8, inhandles: [1], outbytes: 0
** nn::visrv::sf::IManagerDisplayService
*** Changed command 8293 - inbytes: 16 -> 40 (final state: buffers: [6], inbytes: 40, outbytes: 8)

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-10-11_00-15-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

15.0.0

2022-10-11T03:18:13Z

SciresM: Add autogeneraed IPC diff

NPDM

2022-08-18T17:54:33Z

SciresM: update SystemResourceSize description

This is the Switch equivalent of 3DS [https://www.3dbrew.org/wiki/NCCH/Extended_Header exheader]. This is the file with extension ".npdm" in {Switch ExeFS}. The size of this file varies.

{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x80
| [[#META|META]]
|-
| 0x80
| <Varies>
| [[#ACID|ACID]]
|-
| <See META>
| <See META>
| [[#ACI0|ACI0]]
|}

= META =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x4
| Magic ("META")
|-
| 0x4
| 0x4
| [9.0.0+] SignatureKeyGeneration
|-
| 0x8
| 0x4
| Reserved
|-
| 0xC
| 0x1
| [[#Flags|Flags]]
|-
| 0xD
| 0x1
| Reserved
|-
| 0xE
| 0x1
| [[#MainThreadPriority|MainThreadPriority]]
|-
| 0xF
| 0x1
| MainThreadCoreNumber
|-
| 0x10
| 0x4
| Reserved
|-
| 0x14
| 0x4
| [3.0.0+] [[#SystemResourceSize|SystemResourceSize]]
|-
| 0x18
| 0x4
| [[#Version|Version]]
|-
| 0x1C
| 0x4
| [[#MainThreadStackSize|MainThreadStackSize]]
|-
| 0x20
| 0x10
| Name (usually/always "Application")
|-
| 0x30
| 0x10
| ProductCode (usually/always all zeroes)
|-
| 0x40
| 0x30
| Reserved
|-
| 0x70
| 0x4
| [[#ACI0|AciOffset]]
|-
| 0x74
| 0x4
| [[#ACI0|AciSize]]
|-
| 0x78
| 0x4
| [[#ACID|AcidOffset]]
|-
| 0x7C
| 0x4
| [[#ACID|AcidSize]]
|}

== Flags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0
| Is64BitInstruction
|-
| 1-3
| ProcessAddressSpace (0x00 = AddressSpace32Bit, 0x01 = AddressSpace64BitOld, 0x02 = AddressSpace32BitNoReserved, 0x03 = AddressSpace64Bit)
|-
| 4
| [7.0.0+] OptimizeMemoryAllocation
|-
| 5
| [11.0.0+] DisableDeviceAddressSpaceMerge
|}

== MainThreadPriority ==
Ranges from 0 to 0x3F.

== SystemResourceSize ==
When this is non-zero, the kernel reserves this amount of memory and dynamically uses it as needed for page table pages, KMemoryBlocks, and KBlockInfos. When this is zero, the process uses global shared heaps for these.

This enables a process to sacrifice some of the memory available to it in order to have higher limits on these resources, thus enabling the use of SvcMapPhysicalMemory.

Maximum size as is 0x1FE00000.

== Version ==
0 for all titles.

[8.1.0+] Now set to 1 for certain titles.

[9.0.0+] Now set to a proper version field for all titles.

== MainThreadStackSize ==
Must be aligned to 0x1000. If zero, kernel will start the process's initial thread with sp=0.

= ACID =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x100
| RSA-2048 signature over the data starting at 0x100 with the size field from 0x204
|-
| 0x100
| 0x100
| RSA-2048 public key for the second [[NCA_Format|NCA]] signature
|-
| 0x200
| 0x4
| Magic ("ACID")
|-
| 0x204
| 0x4
| Size
|-
| 0x208
| 0x1
| [9.0.0+] Version
|-
| 0x209
| 0x1
| [14.0.0+]
|-
| 0x20A
| 0x2
| Reserved
|-
| 0x20C
| 0x4
| [[#Flags_2|Flags]]
|-
| 0x210
| 0x8
| ProgramIdMin
|-
| 0x218
| 0x8
| ProgramIdMax
|-
| 0x220
| 0x4
| [[#FsAccessControl|FacOffset]]
|-
| 0x224
| 0x4
| [[#FsAccessControl|FacSize]]
|-
| 0x228
| 0x4
| [[#SrvAccessControl|SacOffset]]
|-
| 0x22C
| 0x4
| [[#SrvAccessControl|SacSize]]
|-
| 0x230
| 0x4
| [[#KernelCapability|KcOffset]]
|-
| 0x234
| 0x4
| [[#KernelCapability|KcSize]]
|-
| 0x238
| 0x8
| Reserved
|}

== Flags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0
| ProductionFlag
|-
| 1
| UnqualifiedApproval
|-
| 2-5
| [5.0.0+] MemoryRegion (0 = Application, 1 = Applet, 2 = SecureSystem, 3 = NonSecureSystem)
|}

MemoryRegion is set to Application for "starter" and NonSecureSystem for "nvservices".

= ACI0 =
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x4
| Magic ("ACI0")
|-
| 0x4
| 0xC
| Reserved
|-
| 0x10
| 0x8
| ProgramId
|-
| 0x18
| 0x8
| Reserved
|-
| 0x20
| 0x4
| [[#FsAccessControl|FacOffset]]
|-
| 0x24
| 0x4
| [[#FsAccessControl|FacSize]]
|-
| 0x28
| 0x4
| [[#SrvAccessControl|SacOffset]]
|-
| 0x2C
| 0x4
| [[#SrvAccessControl|SacSize]]
|-
| 0x30
| 0x4
| [[#KernelCapability|KcOffset]]
|-
| 0x34
| 0x4
| [[#KernelCapability|KcSize]]
|-
| 0x38
| 0x8
| Reserved
|}

= FsAccessControl =
For [[#ACID|ACID]] this is a simple descriptor as follows:
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x1
| Version (always 1, must be non-zero)
|-
| 0x1
| 0x1
| [5.0.0+] ContentOwnerIdCount
|-
| 0x2
| 0x1
| [5.0.0+] SaveDataOwnerIdCount
|-
| 0x3
| 0x1
| Padding
|-
| 0x4
| 0x8
| [[#FsAccessFlag|FsAccessFlag]]
|-
| 0xC
| 0x8
| ContentOwnerIdMin
|-
| 0x14
| 0x8
| ContentOwnerIdMax
|-
| 0x1C
| 0x8
| SaveDataOwnerIdMin
|-
| 0x24
| 0x8
| SaveDataOwnerIdMax
|-
| 0x2C
| 0x8 * ContentOwnerIdCount
| [5.0.0+] ContentOwnerIds
|-
| Variable
| 0x8 * SaveDataOwnerIdCount
| [5.0.0+] SaveDataOwnerIds
|}

For [[#ACI0|ACI0]] this embeds data as follows:
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x1
| Version (always 1, must be non-zero)
|-
| 0x1
| 0x3
| Padding
|-
| 0x4
| 0x8
| [[#FsAccessFlag|FsAccessFlag]]
|-
| 0xC
| 0x4
| ContentOwnerInfoOffset
|-
| 0x10
| 0x4
| ContentOwnerInfoSize
|-
| 0x14
| 0x4
| SaveDataOwnerInfoOffset
|-
| 0x18
| 0x4
| SaveDataOwnerInfoSize
|-
| 0x1C
| 0x4
| (Optional) ContentOwnerIdCount
|-
| 0x1C
| 0x8 * ContentOwnerIdCount
| ContentOwnerIds
|-
| Variable
| 0x4
| SaveDataOwnerIdCount
|-
| Variable
| 0x1 * SaveDataOwnerIdCount
| Accessibilities (1=Read, 2=Write, 3=ReadWrite)
|-
| Variable (padded to nearest 4 bytes)
| 0x8 * SaveDataOwnerIdCount
| SaveDataOwnerIds
|}

== FsAccessFlag ==
{| class="wikitable" border="1"
|-
! Bits
! Name
! Description
|-
| 0
| ApplicationInfo
| MountContent* is accessible when set.
|-
| 1
| BootModeControl
|
|-
| 2
| Calibration
|
|-
| 3
| SystemSaveData
|
|-
| 4
| GameCard
|
|-
| 5
| SaveDataBackUp
|
|-
| 6
| SaveDataManagement
|
|-
| 7
| BisAllRaw
|
|-
| 8
| GameCardRaw
|
|-
| 9
| GameCardPrivate
|
|-
| 10
| SetTime
|
|-
| 11
| ContentManager
|
|-
| 12
| ImageManager
|
|-
| 13
| CreateSaveData
|
|-
| 14
| SystemSaveDataManagement
|
|-
| 15
| BisFileSystem
|
|-
| 16
| SystemUpdate
|
|-
| 17
| SaveDataMeta
|
|-
| 18
| DeviceSaveData
|
|-
| 19
| SettingsControl
|
|-
| 20
| SystemData
|
|-
| 21
| SdCard
|
|-
| 22
| Host
|
|-
| 23
| FillBis
|
|-
| 24
| CorruptSaveData
|
|-
| 25
| SaveDataForDebug
|
|-
| 26
| FormatSdCard
|
|-
| 27
| GetRightsId
|
|-
| 28
| RegisterExternalKey
|
|-
| 29
| RegisterUpdatePartition
|
|-
| 30
| SaveDataTransfer
|
|-
| 31
| DeviceDetection
|
|-
| 32
| AccessFailureResolution
|
|-
| 33
| SaveDataTransferVersion2
|
|-
| 34
| RegisterProgramIndexMapInfo
|
|-
| 35
| CreateOwnSaveData
|
|-
| 36
| MoveCacheStorage
|
|-
| 37-61
| Reserved
|
|-
| 62
| Debug
| See [[SPL_services#GetConfig|here]].
|-
| 63
| FullPermission
| Enables access to everything: all [[Filesystem_services#Permissions|permission types]] which check a bitmask have this bit set.
|}

Controls the [[Filesystem_services#Permissions|filesystem permissions]].

Web-applets permissions:
* "LibAppletWeb" and "LibAppletOff" have same access control: bit0 and bit3 set, and bit62 set.
* Rest of the web-applets: Same as above except bit0 isn't set.

= Service Access Control =
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0-2
| Size (length of the service-name without null-terminator minus 1)
|-
| 7
| IsServer (service is allowed to be registered)
|-
| Variable
| Name
|}

This is a list of [[Services_API|service]]-name strings which the title has access to.

The service name string starts after the first byte and supports the wildcard <code>*</code> character.

= KernelCapability =
{| class="wikitable" border="1"
|-
! Pattern of lower bits
! Lowest clear bitmask/bit
! Description
|-
| <code>0bxxxxxxxxxxxx0111</code>
| Bit3
| [[#ThreadInfo]]
|-
| <code>0bxxxxxxxxxxx01111</code>
| Bit4
| [[#EnableSystemCalls]]
|-
| <code>0bxxxxxxxxx0111111</code>
| Bit6
| [[#MemoryMap]]
|-
| <code>0bxxxxxxxx01111111</code>
| Bit7
| [[#IoMemoryMap]]
|-
| <code>0bxxxxx01111111111</code>
| Bit10
| [8.0.0+] [[#MemoryRegionMap]]
|-
| <code>0bxxxx011111111111</code>
| Bit11
| [[#EnableInterrupts]]
|-
| <code>0bxx01111111111111</code>
| Bit13
| [[#MiscParams]]
|-
| <code>0bx011111111111111</code>
| Bit14
| [[#KernelVersion]]
|-
| <code>0b0111111111111111</code>
| Bit15
| [[#HandleTableSize]]
|-
| <code>0b1111111111111111</code>
| Bit16
| [[#MiscFlags]]
|-
| All ones
|
| Invalid
|}

These descriptors are identified by pattern 01..11 in low bits.

== ThreadInfo ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 4-9
| LowestPriority
|-
| 10-15
| HighestPriority
|-
| 16-23
| MinCoreNumber
|-
| 24-31
| MaxCoreNumber
|}

== EnableSystemCalls ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 5-28
| SystemCallId
|-
| 29-31
| Index
|}

== MemoryMap ==
MemoryMap entries are stored in pairs. The first pair will contain BeginAddress and PermissionType, while the second pair will contain Size and MappingType.
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 7-30
| BeginAddress
|-
| 31
| PermissionType (0=RW, 1=RO)
|}

{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 7-26
| Size
|-
| 27-30
| Reserved
|-
| 31
| MappingType (0=Io, 1=Static)
|}

=== Restrictions ===
The physaddr range 0x80060000-0x2000000000 is not allowed to be mapped as IO.
The physaddr range 0x80000000-0x2000000000 is not allowed to be mapped as Normal.

[2.0.0-4.1.0] The range for IO was changed into 0x80060000-0x81D3FFFF.

[2.0.0-4.1.0] A blacklist was added for IO and Normal mappings:
* 0x50040000-0x50060000 (ARM, Interrupt Controller)
* 0x6000F000 (Exception Vectors)
* 0x6001DC00-0x6001E000 (IPATCH)
* 0x7000E000 (RTC/PMC)
* 0x70019000 (MC)
* 0x7001C000 (MC0)
* 0x7001D000 (MC1)

[5.0.0+] For IO, this blacklist was abandoned and instead two range checks were added. For Normal mappings it is still applied

== IoMemoryMap ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 8-31
| BeginAddress
|}

== MemoryRegionMap ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 11-16
| RegionType0 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 17
| RegionIsReadOnly0
|-
| 18-23
| RegionType1 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 24
| RegionIsReadOnly1
|-
| 25-30
| RegionType2 (0 = NoMapping, 1 = KernelTraceBuffer, 2 = OnMemoryBootImage, 3 = DTB)
|-
| 31
| RegionIsReadOnly2
|}

MemoryRegionMap is supported by the kernel but not by [[Loader_services|Loader]]. Thus, only initial processes may possess this capability.

== EnableInterrupts ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 12-21
| InterruptNumber0
|-
| 22-31
| InterruptNumber1
|}

0x3FF means empty.

== MiscParams ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 14-16
| ProgramType (0 = System, 1 = Application, 2 = Applet)
|}

ProgramType is parsed by [[Process Manager services]]. Defaults to 0 if descriptor doesn't exist. Can only run 1 application at a time.

== KernelVersion ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 15-18
| MinorVersion
|-
| 19-31
| MajorVersion
|}

This encodes the intended kernel version for the program.

The kernel requires that the intended version is >= the minimum supported version (3.0 for all released kernels), and <= the current version.

Kernel version is derived from/equivalent to SDK version:
* Kernel Major = SDK Major + 4
* Kernel Minor = SDK Minor

=== Versions ===
{| class="wikitable" border="1"
|-
! Firmware || Kernel Version || Corresponding SDK Version
|-
| 1.0.0 || 5.0 || 1.0.0.0
|-
| 2.0.0 || 6.1 || 2.1.0.0
|-
| 3.0.0 || 7.4 || 3.4.0.0
|-
| 3.0.2 || 7.4 || 3.4.0.0
|-
| 5.0.0 || 9.3 || 5.3.0.0
|-
| 10.0.0 || 14.4 || 10.4.0.0
|-
| 11.0.0 || 15.4 || 11.4.0.0
|-
| 11.0.1 || 15.4 || 11.4.0.0
|}

== HandleTableSize ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 16-25
| HandleTableSize
|}

== MiscFlags ==
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 17
| EnableDebug
|-
| 18
| ForceDebug
|}

14.1.2

2022-06-28T08:16:35Z

SciresM: /* See Also */

The Switch 14.1.2 system update was released on June 14, 2022 (UTC). This Switch update was released for the following regions: ALL.

Additionally, a rebootless system update was released updating NgWord/NgWord2 for 14.1.2 on June 28, 2022 (UTC).

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.

==System Titles==
The following was updated (besides sysver titles): [[Bus_services|Bus]], [[BTM_services|btm]], NgWord/NgWord2, BootImagePackages.

There was no IPC or NPDM changes (besides version bump).

RomFs changes:
* NgWord/NgWord2: updated

=== BootImagePackages ===
Only package2 was updated.

For non-safe mode, there are no changes to any binaries (kernel or any initial processes). For safe mode, only Bus sysmodule was updated.

=== [[Bus_services|Bus]] ===
Only 2 functions were changed, which now properly allow UART-D to be configured for baud rate 3000000.

=== [[BTM_services|btm]] ===
These changes seem to be minor?

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-06-14_00-05-05&sys=hac]
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-06-28_00-01-36&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

14.1.2

2022-06-14T06:00:46Z

SciresM: /* BootImagePackages */

The Switch 14.1.2 system update was released on June 14, 2022 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* General system stability improvements to enhance the user's experience.

==System Titles==
The following was updated (besides sysver titles): [[Bus_services|Bus]], [[BTM_services|btm]], NgWord/NgWord2, BootImagePackages.

There was no IPC or NPDM changes (besides version bump).

RomFs changes:
* NgWord/NgWord2: updated

=== BootImagePackages ===
Only package2 was updated.

For non-safe mode, there are no changes to any binaries (kernel or any initial processes). For safe mode, only Bus sysmodule was updated.

=== [[BTM_services|btm]] ===
These changes seem to be minor?

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-06-14_00-05-05&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]

Fatal services

2022-04-18T04:06:21Z

SciresM: /* fatal:p */ official command name

= fatal:u =
This is "nn::fatalsrv::IService".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || ThrowFatal
|-
| 1 || ThrowFatalWithPolicy
|-
| 2 || [[#ThrowFatalWithCpuContext]]
|}

== ThrowFatalWithCpuContext ==
Takes an input u64 errorcode and an unknown u64(TID maybe?). It also takes a type-0x15 error buffer and a pid-descriptor. The error buffer contains a stack trace.
The stack trace address count is stored at errorbuffer+0x240 and the addresses are stored at errorbuffer+0x130+i*8 where i = 0->address count

= fatal:p =
This is "nn::fatalsrv::IPrivateService".

{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || GetFatalEvent
|-
| 10 || [14.0.0+] GetFatalContext
|}

== FatalType ==
{| class="wikitable" border="1"
|-
! Value || Name
|-
| 0 || ErrorReportAndErrorScreen
|-
| 1 || ErrorReport
|-
| 2 || [3.0.0+] ErrorScreen
|}

[[Category:Services]]

HIPC

2022-03-22T16:45:46Z

SciresM: /* Data payload */

== IPC Command Structure ==
This is an array of u32's, usually located in [[Thread Local Storage]].

{| class="wikitable" border="1"
! Word || Bits || Description
|-
| 0 || 15-0 || [[#Type|Type]].
|-
| 0 || 19-16 || Number of buf X descriptors (each: 2 words).
|-
| 0 || 23-20 || Number of buf A descriptors (each: 3 words).
|-
| 0 || 27-24 || Number of buf B descriptors (each: 3 words).
|-
| 0 || 31-28 || Number of buf W desciptors (each: 3 words), not observed
|-
| 1 || 9-0 || Size of [[#Raw data section|raw data]] in u32s.
|-
| 1 || 13-10 || Flags for buf C descriptor.
|-
| 1 || 30-20 || Empty.
|-
| 1 || 31 || Enable handle descriptor.
|-
| ... || || [[#Handle descriptor|Handle descriptor]], if enabled.
|-
| ... || || [[#Buffer descriptor X "Pointer"|Buf X descriptors]], each one 2 words.
|-
| ... || || [[#Buffer descriptor A/B/W "Send"/"Receive"/"Exchange"|Buf A descriptors]], each one 3 words.
|-
| ... || || [[#Buffer descriptor A/B/W "Send"/"Receive"/"Exchange"|Buf B descriptors]], each one 3 words.
|-
| ... || || [[#Buffer descriptor A/B/W "Send"/"Receive"/"Exchange"|Buf W descriptors]], each one 3 words.
|-
| ... || || [[#Raw_data_section|Raw data section]] (including padding before and after aligned data section).
|-
| ... || || [[#Buffer descriptor C "ReceiveList"|Buf C descriptors]], each one 2 words.
|}

First two header u32's and handle descriptor (if enabled) are copied as-is from one process to the other.

=== Type ===
IPC commands can have different types which influence how the IPC server processes requests in "nn::sf::hipc::server::HipcServerSessionManagerBase::ProcessRequest".

{| class="wikitable" border="1"
|-
! Value || Name
|-
| 0 || Invalid
|-
| 1 || [[#LegacyRequest, LegacyControl|LegacyRequest]]
|-
| 2 || [[#Close|Close]]
|-
| 3 || [[#LegacyRequest, LegacyControl|LegacyControl]]
|-
| 4 || [[#Request, Control|Request]]
|-
| 5 || [[#Request, Control|Control]]
|-
| 6 || [5.0.0+] [[#RequestWithContext, ControlWithContext|RequestWithContext]]
|-
| 7 || [5.0.0+] [[#RequestWithContext, ControlWithContext|ControlWithContext]]
|}

==== Close ====
When processing a request of this type, the IPC server calls:
* "nn::sf::hipc::server::HipcServerSessionManager::DestroyServerSession"
* "nn::sf::hipc::CloseServerSessionHandle"

This ensures that the server session is destroyed internally and properly closed.

==== LegacyRequest, LegacyControl ====
These types are handled by calling:
* "nn::sf::hipc::detail::HipcMessageBufferAccessor::ParseHeader"
* "nn::sf::hipc::server::HipcServerSessionManager::ProcessMessage"
* "nn::sf::hipc::Reply"
* "nn::sf::hipc::server::HipcServerSessionManager::RegisterServerSessionToWaitBase"

It is speculated that these are part of an older message processing system where headers were further partitioned.

==== Request, Control ====
These types are handled by calling:
* "nn::sf::hipc::server::HipcServerSessionManager::ProcessMessage2"
* "nn::sf::hipc::server::HipcServerSessionManager::RegisterServerSessionToWaitBase"

This represents a more modern message handling system where contents follow the general marshalling structure.

==== RequestWithContext, ControlWithContext ====
These are identical to normal Request and Control types, but with the additional requirement of suppling a token in their [[#Data payload|data payload]].

This token is used by "nn::sf::cmif::SetInlineContext" which has the sole purpose of saving it into the TLS in order for it to be distributed to any IPC commands that are made while processing the current command. It's unknown if this token serves any purpose or if it's just a debug-tool to figure out what IPC command caused a particular chain of commands.

=== Handle descriptor ===
There can only be one of this descriptor type. It is enabled by bit31 of the second word.

{| class="wikitable" border="1"
! Word || Bits || Description
|-
| 0 || 0 || Send current PID.
|-
| 0 || 4-1 || Number of handles to copy
|-
| 0 || 8-5 || Number of handles to move
|-
| ... || || 8-byte PID if enabled
|-
| ... || || Handles to copy
|-
| ... || || Handles to move
|}

Sysmodules load the last u64 of rawdata when handling the PID. This is not written by kernel. For sysmodule handling:
* In some cases: these commands require a placeholder u64 value passed in the input parameters, as mentioned above. In these cases the OverwriteClientProcessId method is called to replace the value before it is used.
* In other cases: The rawdata_u64 is compared with the PID from the descriptor. On mismatch and when rawdata_u64!=0, error 0x60A is returned. The PID value passed to the cmdhandler vtable funcptr is the rawdata_u64.

Handle 0 is allowed, and just means no handle was sent.

=== Buffer descriptor X "Pointer" ===
This one is packed even worse than A, they inserted the bit38-36 of the address ''on top'' of the counter field.

Officially, the counter is known as "receive index". This one writes to the buffer described in the ReceiveList.

{| class="wikitable" border="1"
! Word || Bits || Description
|-
| 0 || 5-0 || Bits 5-0 of counter.
|-
| 0 || 8-6 || Bit 38-36 of address.
|-
| 0 || 11-9 || Bits 11-9 of counter.
|-
| 0 || 15-12 || Bit 35-32 of address.
|-
| 0 || 31-16 || Size
|-
| 1 || || Lower 32-bits of address.
|}

=== Buffer descriptor A/B/W "Send"/"Receive"/"Exchange" ===
This packing is so unnecessarily complex.

{| class="wikitable" border="1"
! Word || Bits || Description
|-
| 0 || || Lower 32-bits of size.
|-
| 1 || || Lower 32-bits of address.
|-
| 2 || 1-0 || Flags. Always set to 0, 1 or 3.
|-
| 2 || 4-2 || Bit 38-36 of address.
|-
| 2 || 27-24 || Bit 35-32 of size.
|-
| 2 || 31-28 || Bit 35-32 of address.
|}

A reply must not use A/B/W, svcReplyAndReceive will return 0xE801.

[[SVC|MemoryAttribute]] IsBorrowed and IsUncached are never allowed for the source address.

"Send" means buffer is sent from source process into service process.

"Receive" means that data is copied from service process into user process.

"Exchange" means both "Send" and "Receive".

==== Flags ====
Determines what [[SVC|MemoryState]] to use with the mapped memory in the sysmodule.

Used to enforce whether or not device mapping is allowed for src and dst buffers respectively.

* Ipc (flag=0): Device mapping *not* allowed for src or dst.
* NonSecureIpc (flag=1): Device mapping allowed for src and dst.
* NonDeviceIpc (flag=3): Device mapping allowed for src but not for dst.

=== Buffer descriptor C "ReceiveList" ===
There's a 4-bit flag in the main header controlling the behavior of C descriptors.

If it has value 0, the C descriptor functionality is disabled.

If it has value 1, there is an "inlined" C buffer after the raw data. Received data is copied to ROUND_UP(cmdbuf+raw_size+index, 16)

If it has value 2, there is a single C descriptor.

Otherwise it has (flag-2) C descriptors. In this case, index picks which C descriptor to copy received data to [instead of picking the offset into the buffer].

Data sent with this method must have MemoryState 0x4000000 mask set.

After reply, X descriptors are written to the sender containing the address, size and index that were copied to.

{| class="wikitable" border="1"
! Word || Bits || Description
|-
| 0 || || Lower 32-bits of address.
|-
| 1 || 15-0 || Rest of address.
|-
| 1 || 31-16 || Size
|}

=== IPC buffers ===
Buffer descriptor A/B/... map memory into the sysmodule process. For the mapped memory in the sysmodule the permissions are: desc-A = R--, desc-B = RW-. The buffer is automatically unmapped while the kernel handles the cmdreply, the sysmodule doesn't need to specify anything in the cmdreply to trigger this.

This memory is mapped in the sysmodule to the same vaddr from the original user-process cmd-request, except with with bits >=(~28(?)) changed to a different ASLR'd region.

No user-process->sysmodule memcpy is done for outbufs, only sysmodule->user-process.

Buffer descriptors C/X are somewhat different. Rather than mapping new memory into the server process, C/X descriptors copy data between existing buffers in different processes. Each X descriptor in a message has its data copied into a C descriptor on the other side. Each C descriptor in a message is used to reserve space for the other side's X descriptors to copy into.

When the kernel processes X descriptors, it must determine where to copy the data to. If the destination used C descriptors with flags >= 3, each X descriptor from the source is matched to a C descriptor in the destination by the X descriptor's index field. If the destination used a "single" C descriptor, the data from all the X descriptors is copied into the same buffer specified by the destination's C descriptor (causing error 0xce01 if there is not enough space) and the X descriptor index is ignored. The kernel then modifies the addresses in the X descriptors to indicate where the data was copied to in the destination.

Before receiving a request, if the IPC server is expecting X descriptors, it prepares a message with a "single" C descriptor (flags=2) in its message buffer before calling svcReplyAndReceive so that X descriptors from the client have a place to copy their data to. The usage of the flag-2 C descriptor allows the server to receive an arbitrary number of X descriptors, since they're all packed into the same buffer. If the server had used flag-3+ C descriptors, it would be limited in how many X descriptors it could receive since the X descriptors would have to be matched to distinct C descriptors. The buffer that the server's C descriptor points to is called the '''pointer buffer'''.

When the client sends X descriptors, data is copied into the server's pointer buffer. When the client sends C descriptors, no data is copied automatically. The server needs to use X descriptors to copy the data back to the client's C descriptors (using the index field to match X descriptors in the response back to the correct C descriptors).

== Raw data section ==
[[File:Ipc msg buffer type a example.png|thumb|An example of an IPC message with a type 0xA buffer in it. Red is headers/descriptors, yellow is padding, and blue is data/buffer lengths. Note that the size of the u16 array for type A lengths is padded to fill up a whole word.]]

{| class="wikitable" border="1"
! Word || Description
|-
| ... || Padding to align to 16 bytes.
|-
| ... || If sent to an object domain, a [[#Domain_message|domain message]], otherwise a [[#Data payload|data payload]]
|-
| ... || Padding
|-
| ... || Buffer type 0xA lengths (u16 array)
|}

The total amount of padding within the raw data section is always 0x10 bytes. This means that if no padding is required before the message, there will be 0x10 bytes of padding after the message (before the buffer type 0xA lengths).

=== Domains ===
Because the switch has relatively low limits on the total number of sessions available to the system (Kernel slabheap limits, sysmodule handle table size limits), HIPC supports a "Domains" feature that allows multiplexing multiple service sessions through a single handle. Domains store (effectively) a mapping from u32 object id to a SharedPointer<IServiceObject> -- When messages are sent to a domain, an extra header is sent in the raw data section (before anything else) with information about what object in the domain is being acted on; responses similarly contain an additional header. Official session code implements this by just using the dispatch table for the object in the map with the appropriate ID, instead of the dispatch table the session was initialized with.

Format for the extra request header for domain message:
{| class="wikitable" border="1"
! Word || Bits || Description
|-
| 0 || 7-0 || Command. 1=send message, 2=close virtual handle
|-
| 0 || 8-15 || Input object count
|-
| 0 || 31-16 || Length of [[IPC_Marshalling#Data_payload|data payload]] in bytes.
|-
| 1 || || Object ID (from cmd 0 in [[IPC_Marshalling#Control|Control]]).
|-
| 2 || || Padding
|-
| 3 || || [1.0.0-4.1.0] Padding [5.0.0+] Token (for NewRequest only)
|-
| 4... || || [[#Data payload|Data payload]]
|-
| ... || || Input object IDs (u32s, not aligned)
|}

Format for the extra response header for domain message:
{| class="wikitable" border="1"
! Word || Bits || Description
|-
| 0 || 31-0 || Output object count
|-
| 1-3 || || Padding
|-
|}

=== Data payload ===
This is an array of u32's, but individual parameters are generally stored as u64's.

Input Header:

{| class="wikitable" border="1"
! Word || Description
|-
| 0 || Magic ("SFCI) as u32.
|-
| 1 || Version as u32. 1 for NewRequest, 0 for Request.
|-
| 2 || Command id as u32
|-
| 3 || [1.0.0-4.1.0] Padding [5.0.0+] Token (for NewRequest only, non-domain messages).
|-
| 4... || Input parameters
|}

[5.0.0+] Version was incremented from 0 to 1, and a token value was introduced into raw_data+12 (regardless of domain or not, in either case it overlaps with padding).

Output Header:

{| class="wikitable" border="1"
! Word || Description
|-
| 0 || Magic ("SFCO") as u32.
|-
| 1 || Version as u32. Always 0.
|-
| 2 || [[Error_codes|Result]].
|-
| 3 || [1.0.0-13.2.1] Padding [14.0.0+] Interface ID
|-
| 4... || Return values
|}

[14.0.0+] Padding field at +12 is now interface ID, generated as little endian first four bytes of sha256(<fully qualified interface name>). The version field was not incremented.

The rawdata struct for input parameters/return values is generated by stable-sorting function parameters by alignment, from low to high. It is likely this is a mistake, as it generates structs with suboptimal possible padding -- Nintendo probably meant to sort from high to low (which would give minimized padding), but couldn't/can't change this without breaking backwards compatibility.

== Official marshalling code ==
The official marshalling function is called "nn::sf::hipc::client::Hipc2ClientCoreProcessorImpl::WriteBufferDataImpl" and takes:
* A pointer to a "nn::sf::hipc::detail::HipcMessageWriter" context;
* The number of (buf_ptr, size) pairs;
* An array of (buf_ptr, size) pairs (called "nn::sf::detail::PointerAndSize");
* A pointer to a type bitfield for each such pair;
* The offset of the main IPC command structure;
* The size of the IPC command's [[IPC_Marshalling#Raw_data_section|raw data]].

The type of an IPC command is described by a bitfield as below:
{| class="wikitable" border="1"
! Bits || Name || Description
|-
| 0 || In || Direction is input.
|-
| 1 || Out || Direction is output.
|-
| 2 || HipcMapAlias || Use buffer descriptors A ("Send"), B ("Receive") or W ("Exchange").
|-
| 3 || HipcPointer || Use buffer descriptors X ("Pointer") or C ("ReceiveList").
|-
| 4 || FixedSize || Skip saving the pointer buffer size in raw data.
|-
| 5 || HipcAutoSelect || Select which buffer descriptor to use automatically.
|-
| 6 || HipcMapTransferAllowsNonSecure || Use [[#Flags|NonSecureIpc flag]].
|-
| 7 || HipcMapTransferAllowsNonDevice || Use [[#Flags|NonDeviceIpc flag]].
|}

X and C (Pointer and ReceiveList) descriptors are backed by the "pointer buffer", a buffer in the service process. Its size is a u16, which is retrieved using the "QueryPointerBufferSize" control message. If the client code determines all buffers with flag 8 do not fit in the pointer buffer, it returns error 0x11A0B.

For buffers with flag 0x20 it creates two descriptors (A+X or B+C), but one descriptor is NULL (zero size and pointer), while the other holds the expected values. X/C descriptors are used as the non-NULL descriptor where possible, but if they don't fit in the pointer buffer, A/B descriptors are used instead. The code defers processing of type 0x20 buffers with sizes that fit in a u16 (and may therefore fit in the pointer buffer), which ensures all type 8 buffers get pointer-buffer space before any type 0x20. The order in which the deferred type 0x20 buffers are processed is determined by a convoluted loop.

== Official IPC Cmd Structure ==
Official struct that is stored for each IPC command. It contains precalculated offsets for different portions of the command structure.

All offsets are given is in number of u32 words.

struct IpcCmdStruct {
u8 unk0;
u8 has_handle_descriptor;
u8 pad0[2];
u32 cmd0;
u32 cmd1;
u32 offset_handle_descriptor;
u32 pad1;
u32 offset_handles;
u32 pad2;
u32 offset_x_descriptors;
u32 offset_a_descriptors;
u32 offset_b_descriptors;
u32 offset_w_descriptors; /* this is a guess */
u32 offset_raw_data;
u32 offset_c_descriptors;
u32 unk2;
u32 unk3;
}

== Control ==
When type is [[IPC_Marshalling#Request.2C_Control|Control]], you are talking to the IPC manager. These are processed by the sysmodule.

{| class="wikitable" border="1"
|-
! Cmd || Name || Arguments || Output
|-
| 0 || ConvertCurrentObjectToDomain || None || u32 CmifDomainObjectId
|-
| 1 || CopyFromCurrentDomain || u32 CmifDomainObjectId || u32 NativeHandle
|-
| 2 || CloneCurrentObject || None || u32 NativeHandle
|-
| 3 || QueryPointerBufferSize || None || u16 size
|-
| 4 || CloneCurrentObjectEx || u32 unknown || u32 NativeHandle
|}

14.0.0

2022-03-22T16:13:29Z

SciresM: /* Kernel */ fix for clarity

The Switch 14.0.0 system update was released on March 22, 2022 (UTC). This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

==Change-log==
[https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/nintendo%20switch%20system%20update Official] ALL change-log:
* "Groups" feature was added to the All Software menu.
*
* You can now create groups of software to help organize your software titles.
* Making groups for different game genres, developers, or whatever you’d like to organize by may make it easier to find the application you want.
*
* Up to 100 groups can be created with a max of 200 titles per group.
*
*
* The button to proceed to the "All Software" screen is displayed only when there are 13 or more software title icons on the system.
* For more information, see How to Create Groups of Software.
*
* Bluetooth® Audio volume behavior was changed.
*
* You can now adjust the volume of Bluetooth audio devices using either the Nintendo Switch™ console or through volume control buttons on the Bluetooth audio device.
*
* The Bluetooth audio device must support AVRCP profiles for these changes to work.
*
*
* The volume displayed on the console will reflect the Bluetooth audio volume when using the device’s control buttons.
* The maximum volume output for some Bluetooth audio devices has been increased.
*
* When first connecting a device, volume will be reduced to avoid sudden loudness.
* For more information, see How to Pair and Manage Bluetooth Audio Devices.
*
*
*
*

==System Titles==
* New sysmodule omm was added, various hosted services from am were moved here.
* Most system titles were updated, except for the following (besides stubs): both Dictionary SystemData, AvatarImage, Eula, UrlBlackList, ControllerIcon, ApplicationBlackList, FunctionBlackList.

[[NPDM]] changes:
* ptm had the order of various accessible-services changed.
* pcv: access to IO page 0x07009f000 was removed. The order of various hosted/accessible-services changed. Access to fsp-srv, pwm, and set:cal were removed.
* ns now has access to pm:info.
* am: access to svcSleepSystem was removed. FS permission bitmask 0x0000000080000000 was removed. Hosted services idle:sys, omm, and spsm were removed. Access to the following services were removed: bgtc:sc, bgtc:t, bpc, cec-mgr, gpio, hshl:set, hshl:sys, led, psc:c, psc:m, psm, tc, time:p, usb:hs, usb:pd, usb:pd:c, vi:m/vi:s, xcd:sys. Access to the following services were added: idle:sys, ommdisp, spsm.
* qlaunch had access to nd:sys removed.
* cabinet had a duplicate service-access entry for set:sys removed.
* playerSelect had a duplicate service-access entry for acc:su removed.
* starter now has access to audctl.

RomFs changes:
* ErrorMessage: various errors added / localization updated.
* BrowserDll:
** "/browser/ErrorPageFilteringTemplate.html" updated
** "/browser/ErrorPageSubFrameTemplate.html" updated
** "/browser/ErrorPageTemplate.html" updated
** "/browser/MediaControlsInline.css" updated
** "/browser/MediaControlsInline.js" updated
** "/browser/RootCaEtc.pem" and "/browser/RootCaSdkAdditional.pem" updated
** "/buildinfo/buildinfo.dat" updated
** "/lyt/Dialog/DAuthentication.arc" updated
** Various localization data under "/message/" was updated.
** The NROs under "/nro/netfront/core_0/" were moved to "/nro/netfront/core_0/default/cfi_disabled".
** The NROs under "/nro/netfront/core_1/" were moved to "/nro/netfront/core_2/default/cfi_enabled" (the core_1 directory was removed).
** "/sound/" was added, which contains "cruiser.bfsar".
* Help: "/legallines.htdocs/index.html" updated
* LocalNews: "/message/revision.txt" updated
* FirmwareDebugSettings/PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko/PlatformConfigAula: [[System_Settings|updated]]
* ControllerFirmware:
** "/FirmwareInfo.csv" and "/TouchScreenFirmwareInfo.csv" updated
** "/FTS_50000001.ftb" removed
** "/FTS_50000002.ftb" added
** "/ukyosakyo_ep2_ota.bin" updated
* NgWordT: "/mars_dirty_words_db" updated
* Various graphics/UI/localization data was updated in various applets.
* web-applets: "/sound/" was removed, it's now located in BrowserDll. "/buildinfo/buildinfo.dat" and "/.nrr/modules.nrr" were updated.

=== BootImagePackage ===
All files in RomFs were updated.

====Secure Monitor====
* Compiler upgrade to latest llvm (now using same compiler revision as kernel).
** Secure Monitor is now compiled with -fomit-frame-pointer.
*** >:(
* GenerateSeTestVectorImpl now uses a helper to mix each key into the vector.
* ExceptionHandler is now linked in (@ .text + 0x3E04).
** Previously, this was garbage collected/only present in debug secure monitors.
** NOTE: This is unreachable, and stripped (as e.g. logging isn't emitted, likely because the macros are empty on release builds).

====Kernel====
* Kernel is now compiled with -O3 again instead of -Os
** >:(
* crt0 no longer supports booting in EL2.
** Infinite Loop/Panic is performed instead.
* Initialize0 changes:
** KernelStack setup now uses same helper to determine aslr as other random aligned regions.
** KernelTemp setup now uses same helper to determine aslr as other random aligned regions.
* Slab changes:
** When assigned extra resource, the slab heap is now 0x148000 larger instead of 0x68000 larger.
** Correspondingly, instead of increasing the thread resource limit by 160, the thread resource limit is now increased by 736.
*** This corresponds to changes in userland for pm management of resource limits.
*** Old Intended Resource Limits:
**** System (96 + 512) -> (256 + 512)
**** Applet 96 -> 96
**** Application 96 -> 96
*** New Intended Resource Limits:
**** System (96 + 512) -> 1024
**** Applet 96 -> 256
**** Application 96 -> 256
* SetupPoolPartitionMemoryRegions now panics if the end of the pool partition region is not coincidence with the end of dram.
* KThreadContext was completely revised.
** Most of KThreadContext is now stored inline in kernel stack.
*** Kernel stack layout is now u8 stack[0xDB0]; KThreadContext thread_context; KThreadStackParameters stack_parameters;
** KThreadContext now only stores the 8 callee-save FPU registers.
*** The remaining 24 caller-save FPU registers are stored inside KThread, where KThreadContext used to be.
*** NOTE that 32-bit fpu has 4 callee-save FPU registers and 12 caller-save registers, which use the start of the relevant 64-bit storages as usual.
** KThreadStackParameters was revised to facilitate this.
*** The pointer to KThreadContext previously stored in stack parameters now points to the external FPU register array.
*** The members at end of params are now: u16 disable_count; u8 current_svc_id; u8 unused_2c; u8 exception_flags; u8 is_pinned; u8 unused_2f;
**** The "exception_flags" field is a new set of bitflags (encoding old state was were previously separate bools + new state).
***** Bit 0x1 = is_calling_svc
***** Bit 0x2 = is_in_exception_handler
***** Bit 0x4 = is_fpu_state_restore_needed
***** Bit 0x8 = is_64_bit_fpu
***** Bit 0x10 = has_exception_svc_permissions
***** Bit 0x20 = is_in_cache_operation
***** Bit 0x40 = is_in_tlb_operation
** Exception exits now check is_fpu_state_restore_needed, and restore FPU registers only if needed (and clear is_fpu_state_restore_needed on restore).
*** is_fpu_state_restore_needed is set to true *only* on thread switch with FPU enabled.
**** Caller-save FPU registers are saved *only* if a thread is in an SVC and does not have exception svc permissions.
**** All other thread switches save only the 8 (or 4) callee-save FPU registers.
**** All thread switches now guarantee as post-condition that the fpu is disabled leaving the switch (it will be re-enabled on exception exit if needed).
*** On SVC exception return, all caller-save FPU registers are set to zero unless the thread has exception svc permissions.
** KThread::CloneFpuStatus now uses KScopedDisableInterrupt
* Various hw maintenance changes:
** KernelLdr no longer does cache maintenance by set/way when setting up initial identity mapping, no longer invalidates instruction cache/tlb, no longer does dsb after setting sctlr_el1.
** FlushEntireDataCacheLocal/Shared in init now perform dsb sy, FlushEntireDataCacheAndInvalidateTlbForInit no longer does after calling them.
** dsb sy/isb is now performed after setting sctlr_el1, when disabling mmu/icache.
** KInitialPageTable::Map no longer does dsb ish after all attribute writes.
*** Instead does it before writing table entries, and at the end of the function.
** KInitialPageTable::PhysicallyRandomize no longer does StoreEntireCacheForInit.
*** Now does dc cvac on randomized virtual address range, dsb ish, ic iallu, dsb ish, isb. (see weaker-barriers section of diff)
** KInitialPageTable::SwapBlocks now does dsb ish after memcpy to swap blocks.
** KInitialPageTable::Reprotect no longer does dsb ish before performing reprotection.
** KInitialProcessReader::Load no longer calls cpu::FlushEntireDataCache/cpu::InvalidateInstructionCache.
** Set/way cache operations now perform dsb sy before configuring csselr.
*** This affects InvalidateDataCacheForResumeEntry, FlushEntireDataCache, KCacheHelperInterruptHandler, and the initial cache maintenance when disabling the mmu.
** FlushEntireDataCache now does dsb sy after doing full set/way cache flush, instead of after each set/way op.
*** NOTE: This is still only a local flush without coherence guarantees, set/way aren't supposed to be used after multiple cores are online.
** KSystemControl::CpuSleepHandler no longer embeds unreachable cache maintenance assembly after CpuSuspend.
** Kernel now performs different hw maintenance if a thread is in a hw maintenance operation when interrupted:
*** If a thread is interrupted while performing cache maintenance in EL1 (tracked via new exception flags bit 0x20), KInterruptManager::OnHandleInterrupt performs dsb sy.
**** Set and cleared for scope of cpu::InvalidateDataCache instead of disabling core migration.
**** Set and cleared for scope of cpu::StoreDataCache instead of disabling core migration.
**** Set and cleared for scope of cpu::FlushDataCache instead of disabling core migration.
*** If a thread is interrupted while performing tlb maintenance in EL1 (tracked via new exception flags bit 0x40), KInterruptManager::OnHandleInterrupt performs dsb ish.
**** Set and cleared for scope of KPageTable::NoteUpdated
*** If a thread is interrupted while performing cache maintenance in EL0 (tracked via new bool @ TLS + 0x104), KInterruptManager::OnHandleInterrupt performs dsb sy.
**** This is equivalent to the EL1 cache maintenance tracking above, providing an opt-in way for userland to ensure its cache maintenance is coherent even when interrupted.
**** Note that official userland code now sets this bit before performing cache maintenance.
** Memory barriers were revised in many places -- barriers were weakened in many places, and some functions which previously lacked barriers had them added, including:
*** cpu::InvalidateEntireInstructionCache: dsb sy -> dsb ish
*** cpu::EnsureInstructionConsistency: dsb sy; isb; -> dsb ish; isb;
**** NOTE: Functions written in assembly still use the old pattern for ensuring instruction consistency.
*** KCacheInterruptHandler::RequestOperation: dsb sy -> dsb ish
*** KScheduler::EnableScheduling: dsb sy -> dsb ish
*** KScheduler::SwitchThread no longer does dsb sy before setting ttbr0/contextidr_el1.
*** KPageTable::NoteUpdated: dsb sy; if (m_kernel) { ... dsb sy; } else { ... dsb sy; isb; } -- dsb ishst; if (m_kernel) { ... dsb ish; } else { ... dsb ish; isb; }
**** KPageTable::NoteSingleKernelPageUpdated now similarly does dsb ishst for outer and dsb ish for inner barriers.
*** KPageTable::ClearPageTable: now does dsb ish after clearing page to zero via dc zva
*** KPageTable::MapContiguous: now does dsb ishst after merging pages.
*** KPageTable::MapPageGroup: now does dsb ishst after merging pages.
*** KPageTable::PteDataSynchronizationBarrier: now dmb ishst instead of dsb ish (probably KPageTable::PteDataMemoryBarrier, now?)
*** KPageTable::MapL2Blocks/MapL3Blocks: pattern for setting entry for new table went from Barrier(); WriteEntry(); Barrier(); -> Barrier(); WriteEntry();
**** This was PteDataSynchronizationBarrier(), and correspondingly asm is dsb ish; str; dsb ish; -> dmb ishst; str;
*** KSupervisorPageTable::SetTtbr0 no longer does dsb sy before setting ttbr0/contextidr_el1.
** UserspaceAccess::InvalidateInstructionCache was removed (previously unused).
* Various changes to KInterruptName/interrupt management:
** Enum values for IPIs were revised:
*** KInterruptName_ThreadTerminate 4 -> 0
*** KInterruptName_CacheOperation 5 -> 1
*** KInterruptName_Scheduler 6 -> 2
** New KInterruptName (KInterruptName_CoreBarrier) = 3
*** Interrupt handler for this is registered with KInterruptControllerPriority_Scheduler after ThreadTerminate handler is registered.
** Interrupt handler for the user cycle counter interrupt is no longer registered.
*** This is presumably now under the same ifdef that enables svc::InfoType_PerformanceCounter.
* KCapability now has a new member "physical_core_mask", which tracks what physical cores are allowable.
** KThread::FinishTermination now calls a new function (cpu::ForceSynchronizeAllCores) after waiting for the thread to not be current on any scheduler.
*** This function sends an IPI (KInterruptName_CoreBarrier) to all cores in a specified mask (other than the current one), and waits for them to acknowledge the interrupt.
* Changes to KMemoryManager allocation:
** KPageHeap now has an additional KPageHeapBitmapRng @ 0x328 to facilitate additional allocation randomization.
** KMemoryManager::AllocateAndOpenContinuous now uses a new KPageHeap method "AllocateRandomBlock"
*** KPhysicalAddress KPageHeap::AllocateRandomBlock(s32 index, size_t num_pages, size_t align_pages);
*** This method allocates `num_pages` pages (aligned to at least `align_pages`) at random.
**** First, the kernel chooses a random block index to allocate from.
***** This is done by increasing the block index until there are at least 4 possible random choices for the desired alignment, then selecting the block that corresponds to a random pick from those choices.
**** Next, the kernel allocates a random block from within that index.
**** Finally, the kernel selects a random (align_pages)-aligned offset within that block, frees the memory before/after the allocated chunk, and returns the memory.
** Allocation of KPageGroups still uses a `random` argument, however:
*** KPageHeap::PopBlock no longer takes a random argument.
*** KPageHeap::AllocateBlock now calls new new KPageHeap method "AllocateRandomBlock".
**** KPageHeap::AllocateRandomBlock(s32 index, size_t num_pages);
**** This is effectively the same logic as above, but with align_pages == # of pages for the argument block index.
* CreateProcess now calls a new function to validate the user-capabilities before creating the KProcess.
** This checks that the capabilities are user-readable and that the map region capabilities correspond to actually-present regions.
** This corresponds to changes in Loader allowing for map region capabilities (previously, these were only allowed via KIP, and Loader always rejected them).
* New InfoType 0x1A ("InfoType_IsSvcPermitted").
** Returns whether the current process can access a given SVC.
** Nintendo returns InvalidCombination when checking SVCs other than SynchronizePreemptionState.
*** Official userland code now aborts if the process does not have permission to use SynchronizePreemptionState before incrementing ThreadLocalRegion->disable_count for the first time.

=== IPC Interface Changes ===
* The following new interfaces were added:
** nn::sprofile::srv::IServiceGetter
* The following interfaces were changed:
** nn::account::detail::IUserStateManager
*** Added command 900 - inbytes: 24, outbytes: 0
*** Added command 901 - inbytes: 24, outbytes: 0
*** Added command 902 - buffers: [10], inbytes: 8, outbytes: 4
** nn::am::service::IAppletCommonFunctions
*** Added command 80 - inbytes: 1, outbytes: 0
*** Added command 81 - inbytes: 1, outbytes: 0
** nn::am::service::IApplicationFunctions
*** Added command 36 - inbytes: 0, outbytes: 1
*** Added command 37 - inbytes: 0, outbytes: 0, outhandles: [1]
** nn::am::service::IDebugFunctions
*** Added command 140 - inbytes: 0, outbytes: 0
** nn::am::service::IOverlayFunctions
*** Added command 21 - inbytes: 1, outbytes: 0
** nn::audioctrl::detail::IAudioController
*** Removed command 11 - inbytes: 4, outbytes: 0
*** Removed command 12 - inbytes: 0, outbytes: 4
*** Removed command 19 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 20 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 21 - inbytes: 0, outbytes: 4
*** Removed command 25 - inbytes: 0, outbytes: 9
*** Removed command 28 - inbytes: 0, outbytes: 4
*** Removed command 29 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 35 - inbytes: 8, outbytes: 0
*** Added command 36 - inbytes: 0, outbytes: 8
*** Added command 37 - inbytes: 1, outbytes: 0
*** Added command 38 - inbytes: 0, outbytes: 1
*** Added command 39 - inbytes: 0, outbytes: 1
*** Added command 40 - buffers: [26], inbytes: 0, outbytes: 0
*** Added command 10100 - inbytes: 0, outbytes: 9
*** Added command 10101 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 10102 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 10103 - inbytes: 0, outbytes: 4
*** Added command 10104 - inbytes: 0, outbytes: 4
*** Added command 10105 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 10106 - inbytes: 0, outbytes: 4
** nn::bluetooth::IBluetoothDriver
*** Removed command 144 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Removed command 145 - buffers: [10], inbytes: 0, outbytes: 4
*** Added command 150 - inbytes: 4, outbytes: 0, outhandles: [1]
*** Added command 151 - inbytes: 4, outbytes: 0, outhandles: [1]
*** Added command 152 - inbytes: 4, outbytes: 1
*** Added command 153 - inbytes: 8, outbytes: 0
*** Added command 154 - inbytes: 4, outbytes: 1
** nn::bpc::IBoardPowerControlManager
*** Removed command 6 - inbytes: 0, outbytes: 4
** nn::btm::IBtm
*** Added command 112 - inbytes: 7, outbytes: 0
*** Added command 113 - inbytes: 6, outbytes: 1
*** Added command 114 - inbytes: 6, outbytes: 1
*** Added command 115 - buffers: [10], inbytes: 4, outbytes: 4
** nn::clkrst::IClkrstSession
*** Added command 12 - inbytes: 4, outbytes: 1
*** Added command 13 - inbytes: 4, outbytes: 0
** nn::es::IActiveRightsContext
*** Added command 17 - buffers: [5, 5], inbytes: 1, outbytes: 0
*** Added command 214 - inbytes: 0, outbytes: 0, outhandles: [1]
*** Added command 215 - inbytes: 0, outbytes: 0
** nn::es::IETicketService
*** Removed command 4 - inbytes: 4, outbytes: 0
** nn::fatalsrv::IPrivateService
*** Added command 10 - buffers: [22], inbytes: 0, outbytes: 16
** nn::fssrv::sf::IFileSystemProxy
*** Added command 37 - buffers: [25], inbytes: 0, outbytes: 0
** nn::grcsrv::IRemoteVideoTransfer
*** Added command 3 - inbytes: 0, outbytes: 1
** nn::hid::IHidSystemServer
*** Added command 327 - buffers: [10], inbytes: 4, outbytes: 8
*** Added command 328 - inbytes: 16, outbytes: 1
*** Added command 329 - inbytes: 0, outbytes: 0
*** Added command 330 - inbytes: 8, outbytes: 0
*** Added command 506 - inbytes: 16, outbytes: 0
*** Added command 507 - inbytes: 16, outbytes: 0
** nn::mnpp::detail::ipc::IServiceForSystem
*** Removed command 200 - inbytes: 0, outbytes: 0
*** Added command 400 - inbytes: 0, outbytes: 1
** nn::mnpp::detail::ipc::IServiceForWebBrowser
*** Added command 1 - buffers: [5, 5, 6], inbytes: 16, outbytes: 0
*** Added command 10 - buffers: [6], inbytes: 16, outbytes: 1
*** Added command 20 - inbytes: 16, outbytes: 0
** nn::ndrm::low::detail::INdrmLowAdminInterface
*** Added command 37 - inbytes: 8, outbytes: 0, outhandles: [1]
*** Added command 38 - buffers: [6], inbytes: 8, outbytes: 4
*** Added command 39 - buffers: [6], inbytes: 8, outbytes: 4
*** Removed command 8003 - buffers: [6], inbytes: 8, outbytes: 4
** nn::nim::detail::INetworkInstallManager
*** Changed command 10 - outbytes: 72 -> 88 (final state: inbytes: 16, outbytes: 88)
*** Changed command 130 - inbytes: 0 -> 8 (final state: inbytes: 8, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncData'])
*** Added command 135 - inbytes: 0, outbytes: 0
*** Added command 136 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncValue']
*** Added command 137 - inbytes: 16, outbytes: 4
** nn::nim::detail::IShopServiceManager
*** Added command 108 - buffers: [5], inbytes: 0, outbytes: 0
*** Removed command 303 - inbytes: 16, outbytes: 1
*** Removed command 305 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::nim::detail::IAsyncResult']
*** Removed command 400 - inbytes: 4, outbytes: 16
*** Removed command 401 - inbytes: 16, outbytes: 4
*** Added command 600 - inbytes: 0, outbytes: 1
*** Added command 601 - inbytes: 0, outbytes: 0
** nn::ns::detail::IApplicationManagerInterface
*** Added command 610 - inbytes: 16, outbytes: 1
*** Added command 2522 - inbytes: 16, outbytes: 0
*** Added command 3050 - buffers: [6], inbytes: 0, outbytes: 4
** nn::ns::detail::IDevelopInterface
*** Added command 20 - inbytes: 8, outbytes: 8
** nn::ns::detail::IDynamicRightsInterface
*** Added command 22 - inbytes: 8, outbytes: 1
*** Added command 23 - inbytes: 8, outbytes: 0, outhandles: [1]
*** Added command 24 - inbytes: 8, outbytes: 0
*** Added command 25 - inbytes: 0, outbytes: 0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncResult']
** nn::ns::detail::IECommerceInterface
*** Added command 7 - inbytes: 16, outbytes: 0, outhandles: [1], outinterfaces: ['nn::ns::detail::IAsyncValue']
** nn::omm::detail::IOperationModeManager
*** Added command 500 - inbytes: 8, outbytes: 0
*** Added command 501 - inbytes: 8, outbytes: 0
*** Added command 900 - inbytes: 0, outbytes: 0
** nn::pcie::detail::ISession
*** Changed command 4 - outbytes: 24 -> 32 (final state: inbytes: 8, outbytes: 32)
** nn::pm::detail::IDebugMonitorInterface
*** Added command 7 - inbytes: 8, outbytes: 8
** nn::pm::detail::IInformationInterface
*** Added command 1 - inbytes: 0, outbytes: 24
*** Added command 2 - inbytes: 0, outbytes: 24
** nn::pm::detail::IShellInterface
*** Added command 10 - inbytes: 0, outbytes: 0
** nn::pwm::IChannelSession
*** Removed command 2 - inbytes: 4, outbytes: 0
*** Removed command 3 - inbytes: 0, outbytes: 4
** nn::settings::ISystemSettingsServer
*** Added command 207 - inbytes: 0, outbytes: 1
*** Added command 208 - inbytes: 1, outbytes: 0
*** Added command 209 - inbytes: 0, outbytes: 8
*** Added command 210 - inbytes: 8, outbytes: 0
** nn::ssl::sf::ISslService
*** Added command 9 - inbytes: 0, outbytes: 0
** nn::ts::server::IMeasurementServer
*** Removed command 2 - inbytes: 2, outbytes: 0
*** Removed command 3 - inbytes: 1, outbytes: 4
** nn::ts::server::ISession
*** Removed command 1 - inbytes: 0, outbytes: 4
*** Removed command 3 - inbytes: 0, outbytes: 4
** nn::uart::IPortSession
*** Added command 8 - inbytes: 40, inhandles: [1, 1], outbytes: 0

==See Also==
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=2022-03-22_00-05-06&sys=hac]

{{NavboxVersions}}

[[Category:System versions]]