888
edits
Changes
→creport-sysmodule
*
*
* Several issues were fixed, and usability and stability were improved.
* Several issues were fixed, and usability and stability were improved.
===BootImagePackage===
All files in RomFS were updated.
====Secure Monitor====
Secure Monitor was updated.
* The firmware revision magic was changed from 0x1AD to 0x1CE.
* Support was added for an additional DRAM model.
====Warmboot====
* The firmware revision magic was changed from 0x1AD to 0x1CE.
====Kernel====
* Kernel is now built with -Os instead of -O3
** Many functions are no longer inlined.
* crt0 deprivileging code now sets hypervisor EL2 registers.
* Logic for flushing entire data cache and invalidating entire TLB during init is now a function called by JumpFromEL2ToEL1 and DisableMmuICacheAndDCache instead of being duplicated.
* Initialize0 has had several things re-ordered/shuffled:
** InsertDevicePhysicalMemoryBlocks is now called immediately after the KernelCode region is inserted.
** "Needed device virtual space" is now calculated as 3 * (0x18000 + { sum of KernelAutoMap physical device regions } + GetUnknownDebugDeviceRegionSize()
** KernelMisc region size is now util::AlignUp(std::max(needed_device_virtual_space, 32_MB), 2_MB).
** Code for mapping the unknown debug address as UnknownDebug is no longer present.
** Slab region is now memset to zero after the linear region is mapped instead of before.
** Ranges are now more uniform; value in [range address / 2_MB, last_address / 2_MB] is generated and multipled by 2 MB instead of aligning down result.
* KMemoryRegion now has a "last_address" member replacing its "size" member.
** GetSize() now calculated as (last_address - address + 1)
* KMemoryRegionTree::Insert now takes in last address instead of size.
** Several callsites now verify that last_address != 0xFFFF...
* KMemoryRegionAllocator now uses a slabheap of count 200 instead of 1000.
* KLinkedListNode now has slab size = #KThreads instead of #KThreads * 17.
* "Virtual" cores now supported, KThread now stores core ID/affinity for both virtual and physical.
* New SVC 0x37 "GetResourceLimitPeakValue"
** Returns the highest value that a resource limit's current has ever achieved.
** KResourceLimit now stores an array of peak values to enable this
* Two new kernel objects, KAlpha and KBeta (placeholder names, true object names are unknown and cannot be guessed without observing purpose).
** KAlpha has size 0x50, KBeta has size 0x88
** KObjectAllocators for KAlpha/KBeta receive counts 1, 6.
** KProcess has a list of KBeta, intrusive list node is at KBeta + 0x68.
* Four new SVCs, ID 0x39, 0x3A, 0x46, 0x47
** These are likely for interacting with KAlpha and KBeta, but on NX they are (presumably) if-def'd to be "return svc::ResultNotImplemented()"
* KThread had all of its members reordered and its unused members deleted
* Most KThread waits now use KThreadWaiterListIntrusiveNode instead of KThreadQueue
* KConditionVariable no longer uses global threads for the call to .nfind()
* KConditionVariable now sets the cv_key u32 value in userspace to 1 when a condvar has waiters, and to 0 when it does not.
** New nnSdk code relies on this behavior.
* SetupStackForUserModeThreadStarter (KThreadContext::Initialize) now sets X18 to (<cryptographically random u64> | 1), this value is unique for each thread.
** This is used for Pointer Authentication changes in web browser.
* KCoreLocalRegion deleted, replaced with pointer-to-current-thread
** TPIDR_EL1 != X18 now, and TPIDR_EL1 now always points to the exception thread stack.
* KSynchronization was deleted, replaced with namespaced or static-on-ksynchronization-object functions
* KSynchronizationObject now contains a pointer to thread queue, instead of an inline list
* KInterruptEvent no longer has an InterruptEventTask member
* KInterruptEventTask::Reset no longer calls KInterruptManager::ClearInterrupt, instead it calls a new function which returns a result
* KInterruptEventTask now has a KLightLock member
* KHardwareTimer is now an interrupt task again
* KHardwareTimer now has a new member "maximum_time", set to std::numeric_limits<s64>::value().
** Tasks will only be added to the task list if their time is <= maximum_time, this is in addition to the >= 1 checks previously.
* KIntrusiveRedBlackTreeNode now has common member functions instead of templated, size is now packed to 0x1C instead of 0x20.
** All Insert/Remove/etc operations are common regardless of the type the node is intrusive in.
* KDebugLogImpl::Initialize() now assumes uart has been configured for logging by the secure monitor, and does not perform tegra uart init sequence
* vsprintf, KDebugString::PutString are now fully inlined inside KVPrintf.
* KObjectContainer::Insert now returns void instead of Result
** Code which previously did R_TRY() now just calls.
* KPageHeapBitmapRng now has TinyMt as a data member, instead of directly implementing KPageHeap.
** This affects how constructor is invoked.
* New InfoType 24 ("FreeThreadCount") was added, gets the number of threads a process can allocate before exhausting its resource limit.
* KMemoryBlock/KMemoryInfo now has extra members tracking u8 non_contig_bitflags, u16 ipc_non_contig_lock_count, u16 device_non_contig_lock_count
* KMemoryBlockManager Update now takes non-contig flags to determine where to coalesce (all coalescing must now happen forwards instead of either direction)
* KMemoryBlockManagerUpdateAllocator no longer has a result member, instead it has ->Initialize() which takes in a number of blocks to allocate
* KMemoryManager::Allocate, KMemoryManager::AllocatePageGroup, KMemoryManager::AllocatePageGroupForProcess, now call KPageGroup::Open on the returned page group.
** All callsites for these functions no longer call open after allocating.
* KMemoryManager::Open is now KMemoryManager::OpenAdditionalReference, now checks that refcount is >= 1 instead of >= 0
* KPageTableBase now has an additional data member "disable_device_address_space_merge"
** KProcessPageTable::Initialize now takes in (process flags & 0x1000) as a bool argument to set this.
* Page table Query operations now return a number of blocks required to support the above when relevant
* KPageTable now uses 4 sw-reserved bits instead of 1
** Former bit 0x01.... ("Is Mapped") is now bit 0x40..... (PTE bit 58)
** PTE bit 55 "contiguous not allowed" was reworked for significantly more fine-grained control
*** PTE bit 55 is now "start of block non-contiguous", coalescing cannot occur if the first block in a coalesce has this block set.
*** PTE bit 56 is now "not-end-of-block non-contiguous", coalescing cannot occur if a block other than the last in a coalesce has this bit set
*** PTE bit 57 is now "end of block non-contiguous", coalescing cannot occur if the last block in a coalesce has this bit set
*** The old non-contiguous semantics are equivalent to 56 + 57 together.
** These bits are now returned by KPageTableImpl::Traverse
** Upper byte of KPageProperties is now bitflags to control management of these bits.
** Bit 0x1 = "Set/Clear PTE Bit55"
** Bit 0x2 = "Set PTE Bit56"
** Bit 0x4 = "Clear PTE Bit56"
** Bit 0x8 = "Set PTE Bit57"
** Bit 0x10 = "Clear PTE Bit57"
** Bit 0x20 = Force-Clear 56+57 + attempt to merge
* KMemoryBlockManager/KPageTable now prevent coalescing of blocks which are reprotected --- (for transfer memory, ipc, ...)
* They also do not coalesce adjacent GPU mappings that were mapped separately.
* They removed the 0x80 "AnyLocked" bit from KMemoryAttribute
* KMemoryBlock/KMemoryInfo now have additional u16 "device_non_coalesce_right_count".
** Like device_non_coalesce_left_count from previous 11.x, this now prevents merging with block to the right if set.
* KMemoryBlock::Add now takes in the memory block to the right instead of the size of the block to the right.
** This facilitates combining flags for the newly coalesced blocks.
* KPageTableBase::SetProcessMemoryPermission no longer sets non-coalesce bit 24.
* KDeviceAddressSpace::Map/KDeviceAddressSpace::Unmap now call new KPageTableBase function to update non-coalesce state according to partial map state.
* KDevicePageTable::UnmapImpl now invalidates TlbGroup in the failure case of adding to the page group.
* KPageTableBase::MakeAndOpenContiguousPageGroup is now KPageTableBase::MakePageGroupForDeviceAddressSpace, and now prevents coalescing until call completion.
** non_coalesce_mask 0x10 is used for this.
* KPageTableBase::UnmapCodeMemory no longer requires the whole range have the same state.
** It now invalidates instruction cache if any pages are code.
* KPageTable::UnknownVirtualFunction10 now takes in more arguments: _QWORD (address probably), _QWORD (size probably), two bools, _QWORD (address2 probably), _QWORD (size2 probably), void * (probably KAlpha * or KBeta *)
** Returns whether a comparison between address_probably and address_2_probably holds depending on flags at pointer + 0x10.
* KMemoryState_Io now goes to the alias code region in GetRegionAddress/Size (weird, seems like incorrect behavior)
** Also very weird: KPageTableBase::MapIo maps IO into the kernel map region, but KPageTableBase::QueryMapping panics if it is not in the alias code region.
** This "probably" causes kernel panic if mapping IO into process with 32-bit-no-alias address space type?
====FIRM Sysmodules====
FIRM sysmodules were updated. Specific diffs available below:
<check back for more diffs later>
==System Titles==
==System Titles==
* The previously stubbed 010000000000001B sysmodule was replaced with [[Capmtp_services|capmtp]].
* The previously stubbed 010000000000001B sysmodule was replaced with [[Capmtp_services|capmtp]].
[[NPDM]] changes:
The following sysmodules had IPC changes: [[USB_services|usb]], [[Settings_services|settings]], [[BCAT_services|bcat]], [[PTM_services|ptm]], [[Sockets_services|bsdsockets]], [[HID_services|hid]], [[Audio_services|audio]], [[WLAN_services|wlan]], [[Account_services|account]], [[NS_Services|ns]], [[PSC_services|psc]], [[Applet_Manager_services|am]], [[NIM_services|nim]], [[Display_services|vi]], [[Parental_Control_services|pctl]], [[Glue_services|glue]], [[ETicket_services|es]], [[Shared_Database_services|sdb]], [[OLSC_services|olsc]], [[PGL_services|pgl]], [[Filesystem_services|fs]], [[Loader_services|loader]], [[Services_API|sm]], [[Capture_services|capsrv]].
[[NPDM]] changes (see [[Services_API]] for service-hosting changes):
* All updated NPDMs now have [[NPDM#Flags|Flags]] bit5 set.
* All updated NPDMs now have [[NPDM#Flags|Flags]] bit5 set.
* ...
* ptm: Access to hshl:set and ins:r were added.
* ptm/hid: Various services were re-ordered in the Service Access Control.
* wlan now has access to csrng.
* ldn now has access to pl:u.
* pcv now has access to hshl:set.
* account now has access to ectx:w.
* ns now has access to pl:u.
* am: Access to the following was added: arp:r, aud:a, aud:d. Access to the following was removed: audin:a, audin:d, audout:a, audout:d, audren:a, audren:d. Access to hshl:set/hshl:sys was added.
* erpt: Access to svcGetResourceLimitLimitValue and svc 0x37 were added. Access to ectx:r was added.
* vi: The Handle Table Size was changed from 160 to 192. Access to the following services were added: erpt:c, gpio, i2c, lm, psc:m, pwm.
* glue now has access to hshl:sys, and access to psm was removed.
* creport now has access to fsp-srv.
* sdb now has access to bcat:s and pm:info.
* migration now has access to prepo:u.
* qlaunch now has access to [[Capmtp_services|capmtp]].
* [[Controller_Applet|LibraryAppletController]] now has access to [[NGCT_services|ngct:u]].
* [[Profile_Selector|LibraryAppletPlayerSelect]] now has access to [[OLSC_services|olsc:s]].
* [[Album_Applet|LibraryAppletPhotoViewer]]: Access to [[Sockets_services|bsd:u]] was replaced with [[Sockets_services|bsd:s]]. Access to [[LDN_services|lp2p:sys]] was added. Access to [[NS_Services|ns:am2]] was replaced with [[NS_Services|ns:ro]]. FS permission bit0 is now clear, MountContent* is no longer accessible.
* [[Internet_Browser|LibraryAppletLoginShare]] now has access to [[NS_Services|ns:web]].
RomFs changes:
* CertStore was [[SSL_services#CertStore|updated]].
* ErrorMessage: New errors were added / localization changes.
* BrowserDll: The following was updated: "/browser/ErrorPageFilteringTemplate.html", "/browser/MediaControls.css", "/browser/MediaControls.js", "/browser/RootCaEtc.pem", "/browser/RootCaSdkAdditional.pem", "/buildinfo/buildinfo.dat". The following was added: "/browser/MediaControlsInline.css", "/browser/MediaControlsInline.js".
** "/dll_0" and "/dll_1" were moved into "/nro/netfront/dll_{0/1}".
** "/lyt/Lhub.arc" was added.
** "/message/USpt/" was added.
* Help:
** "/legallines.htdocs/index.html" updated
** "/safe.htdocs/html/USpt/" added
** "/safe.htdocs/img/recyclenintendo.jpg" updated
** "/safe.htdocs/js/tapaction.js" updated
* NgWord: updated
* AvatarImage: More icons added.
* LocalNews: Added "/message/revision.txt" and "/message/USpt/".
* Eula:
** "/revision.txt" updated
** Updated "/EUru/Eula.msbt.szs", "/JPja/Eula.msbt.szs".
** Added "/USpt/".
* TimeZoneBinary: TZ info updated.
* FontNintendoExtension: "/nintendo_ext_003.bfttf" and "/nintendo_ext2_003.bfttf" were updated.
* FirmwareDebugSettings: updated
* FatalMessage: Updated "/pt-BR/GeneralMessage" and "/pt-BR/QuestMessage" were updated.
* ControllerIcon: "/lyt/ColorTable" updated
* PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko: updated
* ControllerFirmware: "/TouchScreenFirmwareInfo.csv" updated
* NgWord2: updated
* FunctionBlackList:
** "/blacklist.dat" was replaced with "/blacklist.json".
* NgWordT: updated
* Applets: Various UI/graphics/sound/localization changes.
* Web-applets: "/buildinfo/buildinfo.dat" was updated, and "/.nrr/netfront.nrr" was renamed to "/.nrr/dll.nrr".
* [[Album_Applet|LibraryAppletPhotoViewer]]: In addition to the above, "/http/" was added, which contains the following:
** "index.html"
** "js/index.js"
** "styles/index.css"
The new Nintendo Switch Online menu (which can be launched via qlaunch) is handled by [[Internet_Browser#Whitelisted_Applets|LibraryAppletLoginShare]].
=== [[HID_services|hid]]-sysmodule ===
Besides IPC changes, the ButtonConfig cmds updated the input s32 validation: when the input s32 is invalid (which now uses an unsigned compare), it now returns 0 or an error immediately, instead of Aborting.
=== [[LDN_services|ldn]]-sysmodule ===
lp2p now supports using standard WPA2-PSK, which is used by [[#LibraryAppletPhotoViewer]].
=== [[SSL_services|ssl]]-sysmodule ===
TLS 1.3 is now [[SSL_services#SslVersion|supported]] if the user-process enables it.
See also [[#OSS]].
=== [[PGL_services|pgl]]-sysmodule ===
* pgl now has a new ipc command, which just returns "ResultNotImplemented()"
* pgl now detects when SnapShotDumper crashes, and launches creport in that case.
* pgl now passes an additional argument to creport ("%d", formatted with the value of jit_debug!enable_jit_debug).
=== [[Creport|creport]]-sysmodule ===
* creport now takes in an additional argument "jit_debug_enabled", when this is "1" the target process is not terminated on report completion.
* creport now has access to fsp-srv, this is used to retrieve debugging information that is now attached to error reports. The following functions are called (with output/info attached to erpts):
** GetSdCardSpeedMode
** GetSdCardCid
** GetSdCardUserAreaSize
** GetSdCardProtectedAreaSize
** GetAndClearSdCardErrorInfo
** IsGameCardInserted
** GetGameCardCid
** GetGameCardErrorReportInfo
** GetGameCardDeviceId
** GetMmcSpeedMode
** GetMmcCid
** GetMmcPatrolCount
** GetAndClearMmcErrorInfo
** GetMmcExtendedCsd
** GetAndClearMemoryReportInfo
** GetAndClearFileSystemProxyErrorInfo
=== [[Internet_Browser|Web-applets]] ===
These are now compiled with compiler Pointer Authentication / CFI mitigations enabled. This does not apply to non-web-applets.
Pointer Authentication uses the crc32x instruction, and x18 as a cryptographically-random u64 provided by the kernel. The only userland code using x18 is the mul instruction for this, nothing else (applies to all NSOs/NROs).
This is used to add/subtract x30 starting with bit40, during functions entry/exit. The code for entry/exit is identical, except that entry does add, and exit uses subtract:
* The low 40-bits of x30 are extracted, then multiplied with x18.
* <code>crc32x w17, wzr, x17</code> (which uses the above value)
* Then the previously mentioned add/subtraction operation is done, with the output from the above shifted to bit40.
The x18 is OR'd by kernel with 1, to make sure it is odd. This means that the multiply is a bijection; in other words, no entropy is lost when doing the multiply. If this had not been done, a random value that is divisible by a large power of two (the attacker can just keep spawning threads until gets such a one), would have weak cookies that allows the scheme to be trivially broken.
CFI is implemented as follows: blr instructions no longer exist. When funcptrs are called, new functions are now called instead which handles the call. The u32 at funcptr_addr-4 must match 0xe7ffdefe, otherwise it will branch to undefined instruction 0x0000dead. Otherwise, it will jump to the funcptr_addr.
Almost all functions now have the above u32 at -4, therefore funcptr calls now have to start at the actual funcptr start. However, this doesn't apply to calls done during functions' exit: these directly br to the funcptr_addr without extra validation. The br instructions in the .plt were also replaced with branches to the function described above.
The above applies to all NSOs in ExeFs, except for LibraryAppletOfflineWeb which doesn't have it enabled. The NROs in the BrowserDll SystemData have it enabled for "/nro/netfront/dll_1/", however "dll_0" doesn't have it enabled (which is used by LibraryAppletOfflineWeb).
This is referred to in the build-path strings as "NX-NXFP2-a64-cfi" (nnSdkEmpty), and "NX64-cfi" (OSS).
=== LibraryAppletPhotoViewer ===
For details on the new sharing functionality in the Album applet, see [[Album_Applet|here]].
== OSS ==
[https://www.nintendo.co.jp/support/oss/index.html OSS] was updated.
Besides WebKit, [[SSL_services|NSS/NSPR]] was updated:
* NSPR was updated from 4.12 to 4.24.
* <code>#define NSSUTIL_VERSION "3.26"</code> was changed to <code>#define NSSUTIL_VERSION "3.49.1"</code>
Both src_{versions} directories were updated, with the same changes:
* "rocrt_nro.cpp" updated
* "NX-NXFP2-a64-cfi/rocrt.AssemblyOffset.h" Addded, identical to "NX-NXFP2-a64/rocrt.AssemblyOffset.h".
==See Also==
==See Also==