Internet Browser: Difference between revisions

(25 intermediate revisions by 3 users not shown)

Line 1:

Nintendo Switch does not have a normal Internet Browser for user usage. However, there is multiple browser applets. It is the [https://web.archive.org/web/20170304075230/https://gl.access-company.com/news_event/archives/2017/170303/ NetFront NX] browser, which is based on Webkit.

When linking the Nintendo Account with Facebook, the Facebook Auth website will open, offering a search box that can be used to browse the Internet ("LoginApplet"). Alternatively, it can be accessed with ~~[https://gbatemp.net/threads/web-browser-kind-of-on-the-switch.463094/~~ custom DNS settings] which simulate a Wi-Fi login page ("WifiWebAuthApplet" for captive-portal).

When linking the Nintendo Account with Facebook, the Facebook Auth website will open, offering a search box that can be used to browse the Internet ("LoginApplet"). Alternatively, it can be accessed with custom DNS settings which simulate a Wi-Fi login page ([[#WifiWebAuthApplet|WifiWebAuthApplet]] for captive-portal).

At some point WebApplet started sending header "Upgrade-Insecure-Requests: 1" with all plain-HTTP requests (unknown whether other applets affected). This is only for server-use: plain-HTTP content and redirects to plain-HTTP URLs are still allowed (at least on S1).

== Known User Agent Strings ==

Line 34:

Line 36:

| [[6.1.0]]

| Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/601.6 (KHTML, like Gecko) NF/4.0.0.10.14 NintendoBrowser/5.1.0.17806

|-

| [[10.0.0]]

| Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/606.4 (KHTML, like Gecko) NF/6.0.1.15.4 NintendoBrowser/5.1.0.20389

|-

| [[20.1.0]]-[[20.1.1]]

| Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/613.0 (KHTML, like Gecko) NF/6.0.3.27.11 NintendoBrowser/5.1.0.35219

[S2] Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/613.0 (KHTML, like Gecko) NF/7.0.3.8.11 NintendoBrowser/5.2.0.35483

|}

The UA is generated with: "Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/<webkitver> (KHTML, like Gecko) NF/<nfver0>.<nfver1>.<nfver2> NintendoBrowser/5.<ninver0>.<ninver1>.<ninver2>"

The full UA for Switch and Switch 2 are similar, on matching system-versions. The NF and NintendoBrowser versions are newer for S2 however.

== Browser Applets ==

Line 44:

Line 55:

! Invalid TLS cert handling

! Uses whitelist

! ~~Title ID~~

! [[Applet_Manager_services#AppletId|AppletId]]

! Notes

|-

Line 51:

Line 62:

| Displays an error dialog without an option to ignore it.

| Yes

| ~~010000000000100A~~

| 0x13

|

|-

Line 58:

Line 69:

| Just displays an error-code.

| Yes

| ~~010000000000100B~~

| 0x14

|

|-

Line 65:

Line 76:

|

| ~~010000000000100F~~

| 0x17

|

|-

Line 72:

Line 83:

| Just displays an error-code.

| Yes

| ~~0100000000001010~~

| 0x18

|

|-

Line 79:

Line 90:

| Just displays an error-code.

| Yes

| ~~0100000000001010~~

| 0x18

|

|-

Line 86:

Line 97:

| Just displays an error-code.

| Yes

| ~~0100000000001010~~

| 0x18

|

|-

| NsoApplet

| Nintendo Switch Online menu

|

| 0x18

|

|-

Line 93:

Line 111:

| Displays an error dialog with an option to ignore it.

| No

| ~~0100000000001011~~

| 0x19

|

|}

Line 101:

Line 119:

No known applets can directly access the SD card via mounting it. This includes ShareApplet (which posts screenshots from SD to social media).

== ~~OSS~~ ==

== BrowserDll ==

The NROs for the OSS are stored under ~~a separate~~ [[Title_list|~~title~~]]. All of the web-applets use the same OSS NROs via this ~~title~~.

The NROs for the OSS are stored under the BrowserDll [[Title_list|SystemData]]. All of the web-applets use the same OSS NROs via this SystemData.

String from v2.0 in oss_wkc.nro: "libcurl/7.50.1".

Almost all RomFs data for the web-applets is stored here.

S2 has the following changes for BrowserDll, compared to S1:

* Various data under "/browser/" was updated.

** Also, the following was added under "/browser/": "icudt62l.dat.lz4", "UserCssNxCompatibleLineHeight.dat".

* "/buildinfo/buildinfo.dat" differ.

* Added "/font/nintendo_private_ext.bfttf".

* Updated "/gfxShader/BrowserOffscreenDrawer.bnsh", added "/gfxShader/MediaPlayerCcDrawer.bnsh", updated "/gfxShader/MediaPlayerDrawer.bnsh".

* The contents of UrlBlackList were moved here to "/". These are the following:

** "listCommon.txt", "listEcChina.txt", "listEcGlobal.txt", "listIframe.txt", "listLnsChina.txt", "listLnsGlobal.txt", "listWebYouTubePlayerCommon.txt"

** These are identical except for "listLnsGlobal.txt", which adds a newline at end-of-file.

* Removed "/lyt/".

* The various localization data under "/message/" was updated, etc.

* "/nro/netfront/core_0/default":

** "cfi_disabled/" is now "cfi_enabled/".

* "/nro/netfront/core_3/":

** "default/" is now "mse/".

* Removed "/shader/".

* Moved "/sound/" from SystemData into the applet RomFs, with filename/content being updated.

* Added "/ui/".

== Video Playback ==

Line 120:

Line 159:

Prior to version [[3.0.0]], this applet was launched when attempting a system update from recovery mode if needed. This was changed to display a "This feature is not available." popup instead.

The conntest URL from [[#WebWifiPageArg]] is used to poll whether the connection is usable, with the SDK [[libcurl]].

In later versions the above domain was replaced with [[Network|ctest.{...}]].

==Whitelisted Applets==

Line 155:

Line 198:

You can invite friends to the room via

the Nintendo Switch Online Lounge app.

=== NsoApplet ===

[11.0.0+] This applet handles the new Nintendo Switch Online menu, which is launched from qlaunch.

The initial page loaded by this applet is: <nowiki>"https://%.nso.nintendo.net/</nowiki>{string from [[#TLVs|TLV]] 0x2}"

== ShopN ==

Line 191:

Line 239:

Minus TIDs, the [[NPDM]] is the same as 010000000000100A except 010000000000100A has access to more/other services.

== ~~Service/FS Access~~ ==

== [[NPDM]] ==

All ~~browser~~ applets have access to the following services: acc:u1, appletAE, audin:u, ~~audren~~:u, ~~audout~~:u, bsd:u, fatal:u, fsp-srv, hid, hid:sys, irs, ldn:m, ldr:ro, lm, ~~erpt~~:c, nifm:s, ns:am, nsd:u, nvdrv:a~~, mm:u~~, pl:u, prepo:s, set, set:sys, sfdnsres, ssl, time:u, vi:s

All web-applets have access to the following services: acc:u1, appletAE, audin:u, audout:u, audren:u, [7.0.0+] banana, bsd:u, bsdcfg, [12.1.0+] csrng, erpt:c, fatal:u, fsp-srv, hid, hid:sys, htc, htc:tenv, htcs, hwopus, irs, ldn:m, ldr:ro, lm, [9.1.0+] lp2p:m, mm:u, nifm:s, [3.0.0+] ns:vm, ns:am, nsd:u, nvdrv:a, pl:u, prepo:s, set, set:sys, sfdnsres, ssl, time:u, [1.0.0] tspm, vi:s

[3.0.0+] ns:am was replaced with ns:web.

[17.0.0+] htcs:sys access was added. [18.1.0+] htcs access was removed.

[19.0.0+] bsd:u was replaced with bsd:a.

WebApplet also has access to ntc. [3.0.0+] Added ntc access for Shop and LibAppletLns.

~~LoginApplet/ShareApplet/LobbyApplet have~~ access to the above + caps:a.

LibAppletLns has access to the above + caps:a. Also [13.1.0+] caps:ss, [13.1.0+] mnpp:web, [3.0.0+] pctl. [20.0.0+] ns:sweb is accessible instead of ns:web.

~~ShopN~~ has access to ~~the above~~ + nim:shp.

Shop also has access to [2.0.0+] nim:shp, [?+] <nowiki>news:c</nowiki>. Shop has access to ns:ec instead of ns:web.

Unlike the applets listed above, WebApplet ~~TID 010000000000100A has~~ access to ~~the~~ [[~~Filesystem_services~~|FS]] ~~MountContent* commands~~. This is so ~~that~~ it can ~~load~~ the whitelist from "/accessible-urls/accessible-urls.txt" in the mounted ~~FS, from [[NCA]]-type4 where titleID={application which launched this applet}~~.

Offline has access to nifm:u instead of nifm:s. Unlike the other applets, Offline doesn't have access to the following: ldn:m, lp2p:m, ssl.

Unlike the other applets, LibAppletAuth doesn't have access to following: [3.0.0+] mm:u, [3.0.0+] ns:web.

All web-applets have fs-permission [[NPDM|SystemSaveData]].

Unlike the applets listed above, WebApplet/Offline also have access to fs-permission [[NPDM|ApplicationInfo]]. This is so it can open the specified Manual content. With WebApplet this is used for loading the whitelist from "/accessible-urls/accessible-urls.txt" in the mounted content.

== Heap ==

The size used for [[SVC|svcSetHeapSize]] by the web-applets is 0x15600000. Under ShopN, the largest size that can be passed to this without an error being returned, is 0x1B400000.

The size used by title 010000000000100A (on 10.0.0 at least) is 0x14200000.

The ~~size used~~ for [~~[SVC|svcSetHeapSize]~~] by the ~~web~~-~~applets~~ is ~~0x15600000~~. ~~Under ShopN~~, the ~~largest~~ size ~~that can be~~ passed ~~to this~~ without ~~an error being returned~~, is ~~0x1B400000~~.

The heap for the main-codebin (<code>malloc</code>/<code>operator new</code>) uses nn::lmem::*ExpHeap. [8.0.0+] <code>malloc</code>/<code>operator new</code> now checks the return-addr (addr located in a relevant NRO), with wkc_malloc_crashonfailure being called for the allocation if the check passes, otherwise a normal allocation is done (the code which runs for this will Abort if allocation fails).

<code>malloc</code> passes the input size directly to the called func. <code>operator new</code> when handling normal non-wkc allocations passes the following to the called func: <code>sxtw x1, {inw0}</code> (for wkc allocations the size is passed directly). [12.1.0+] The size is now passed directly (64bit) without using sxtw.

[11.0.0+] There's now optional code for using [[SVC|svcMapPhysicalMemoryUnsafe]] etc, however it's unknown what sets the flag for this. An Abort string used this is: "{path}/TransferredMemoryManager.cpp"

== Applet Launching ==

The web-applets are launched using a storage containing the input arg data, on exit the output storage contains the "*ReturnValue" reply data ~~struct~~. ~~The~~ output ~~struct~~ is ~~specific to each applet~~.

The web-applets are launched using a storage containing the input arg data, on exit the output storage contains the "*ReturnValue" reply data.

Input/output storage size for TLV data is 0x2000-bytes.

=== Library Applet Versions ===

Line 219:

Line 290:

|-

| [6.0.0+] || 0x60000

|-

| [8.0.0+] || 0x80000

|}

Line 253:

Line 326:

| 7

| Lobby

|-

| 8

| [[#NsoApplet|Lhub]]

|}

Line 260:

Line 336:

This is for sending/receiving [[#SessionMessage]]s via applet Interactive storage.

During state init, max_messages is set to 0xA ~~and max_size is set to 0x5000~~, with message_count=0 and cur_size=0.

During state init, max_messages is set to 0xA ([7.0.0+] 0x10), with message_count=0 and cur_size=0. [5.0.0-5.1.0] max_size is set to 0x5000. [7.0.0+] Two queues are used for message_count/cur_size: first one is for BrowserEngineContent (max_size 0x8000 is used), the second one is for non-BrowserEngineContent (max_size 0x1000 is used).

When sending messages, there has to be an available message slot available (<code>max_messages!=message_count</code>), and there has to be enough space ~~avilable~~ (<code>msghdr_contentsize+0x10 + cur_size <= max_size</code>). After pushing the storage, message_count is incremented and cur_size is increased by <code>msghdr_contentsize+0x10</code>.

When sending messages, there has to be an available message slot available (<code>max_messages!=message_count</code>), and there has to be enough space available (<code>msghdr_contentsize+0x10 + cur_size <= max_size</code>). After pushing the storage, message_count is incremented and cur_size is increased by <code>msghdr_contentsize+0x10</code>.

When receiving messages, it will repeatedly pop Interactive output storage until no more are available. ~~If the ID is not 0x1000/0x0, the message is ignored~~. ~~Otherwise:~~

When receiving messages, it will repeatedly pop Interactive output storage until no more are available. Non-Ack messages are Acked.

* Ack: Verifies that message_count is not already 0, then decrements it. Then cur_size is decreased by the u32 loaded from msgcontent+0.

* 0x0: Does some validation~~. Copies the first 8-bytes from the header to the user [[#SessionMessage]]~~. Reads the message content into the user ~~[[#SessionMessage]]~~, when contentsize is non-zero. ~~Then~~ sends an Ack ~~with~~ the ~~storage size~~.

* 0x0: Does some validation. Reads the message content into the user buffer, when contentsize is non-zero. The original contentsize is written to an user output param. The last byte in the user buffer (contentsize clamped to the user max-buf-size, -1) is set to 0 for NUL-termination.

Next info was tested in 9.0.0

In the js side (which is only available when enabled via the JsExtensionEnabled TLV), there is a method called <code>window.nx.sendMessage(arg)</code> that sends data to the native side, this method returns a boolean indicating if sending was successful and accepts a string as an argument. The string is encoded like a C null terminated string in the message content. For receive messages from native part, there is a dom event called <code>message</code> which is dispatched when a message arrives. The event can be listened using <code>window.nx.addEventListener("message", callback)</code> being callback a function which first parameter is like a dom event arg and contains a member called <code>data</code> which contains the string decoded from the arrived message.

If messages aren't acked by the native part, js side will not longer receive messages. Ack to web applet '''must''' have 4 bytes after the message content or the applet will Abort.

==== SessionMessage ====

Line 282:

Line 364:

| Size from header

| Message content

|-

| After message content

| 0x4 if message is ack, 0x0 otherwise

| Padding

|}

Line 293:

Line 379:

| 0x0

| 0x4

| Message ID

| Message Kind ([[#WebSessionSendMessageKind]] / [[#WebSessionReceiveMessageKind]])

|-

| 0x4

| ~~Content~~ size following the header.

| Data size following the header.

|-

| 0x8

Line 304:

Line 390:

|}

==== ~~IDs~~ ====

==== WebSessionSendMessageKind ====

This is "nn::web::detail::WebSessionSendMessageKind".

{| class="wikitable" border="1"

|-

! ID

! Content size

! Description

|-

| 0x0

| Arbitrary

| BrowserEngine Content, NUL-terminated string. Used to communicate with the applet via JsExtensions used by the Js being run by the applet on the current page.

|-

| 0x100

| 0x0

| SystemMessage Appear. Requests the applet to Appear, this is only needed with [[#WebSessionBootMode]] AllForegroundInitiallyHidden.

|-

| 0x1000

| 0xC

| Ack. Content: first u32 is the entire storage size of the message being acked, the rest is not used.

|}

==== WebSessionReceiveMessageKind ====

This is "nn::web::detail::WebSessionReceiveMessageKind".

{| class="wikitable" border="1"

|-

Line 313:

Line 423:

| 0x0

| Arbitrary

| ~~Arbitrary content~~.

| BrowserEngine Content, see [[#WebSessionSendMessageKind]].

|-

| 0x1000

| ~~0x8~~

| 0xC

| Ack~~. Content: first u32 is the entire storage size of the message being acked, while the second u32 is 0.~~

| Ack BrowserEngine

|-

| 0x1001

| 0xC

| Ack SystemMessage

|}

Line 372:

Line 486:

|}

This is the 0x1010-byte output storage used by all non-WebWifi applets - except for Share which returns a TLV storage on [3.0.0+].

This is the 0x1010-byte output storage used by all non-WebWifi applets - except for Share which returns a TLV storage on [3.0.0+], and Web on [8.0.0+].

=== WebArgHeader ===

Line 847:

Line 961:

| u8 bool

| Enables using [[#WebSession]] when set.

|-

| [8.0.0+]

| Offline

| 0x43

| 0x1

| u8 bool

| MediaPlayerUiEnabled

|-

| [11.0.0+]

|

| 0x44

| 0x1

| bool

| TransferMemoryEnabled

|}

Line 859:

Line 987:

[6.0.0+] <code>AddAlbumEntryAndMediaData</code> was added:

* Looks for AlbumEntry{N} TLVs, when a TLV is not found it is written, then the associated AdditionalMediaData{N} TLV is written the same way as AdditionalMediaData0. If all AlbumEntry{N} TLVs already exist, this returns without writing anything.

TransferMemoryEnabled: sdknso only exposes this for the Web applet. The sdknso func uses <code>nn::os::QueryMemoryInfo</code> at the start of the func, however the output is unused. The applet doesn't seem to parse this TLV.

==== Output TLVs ====

Line 864:

Line 994:

|-

! System Version

! Applets

! Type

! Size

Line 870:

Line 1,001:

|-

| [3.0.0+]

| Share, Web

| 0x1

| 0x4

Line 876:

Line 1,008:

|-

| [3.0.0+]

| Share, Web

| 0x2

|

Line 882:

Line 1,015:

|-

| [3.0.0+]

| Share, Web

| 0x3

| 0x8

Line 888:

Line 1,022:

|-

| [3.0.0+]

| Share

| 0x4

Line 894:

Line 1,029:

|-

| [3.0.0+]

| Share

| 0x5

|

Line 900:

Line 1,036:

|-

| [3.0.0+]

| Share

| 0x6

| 0x8

Line 906:

Line 1,043:

|-

| [3.0.0+]

| Share

| 0x7

|

Line 912:

Line 1,050:

|-

| [3.0.0+]

| Share

| 0x8

| u64

| PostIdSize

|-

| [8.0.0+]

| Web

| 0x9

| 0x1

| u8 bool

| MediaPlayerAutoClosedByCompletion

|}

These are used for Share-applet. Official user-processes doesn't check the TLV size for any of these.

These are used for Share-applet on [3.0.0+], and with Web on [8.0.0+]. Official user-processes doesn't check the TLV size for any of these.

==== DocumentKind ====

Line 1,079:

Line 1,225:

==== WebSessionBootMode ====

This is "nn::web::WebSessionBootMode".

{| class="wikitable" border="1"

|-

Line 1,087:

Line 1,235:

| 0

|

| Normal (AllForeground)

| Normal/default (AllForeground)

|-

| 1

@@ Line 1: / Line 1: @@
 Nintendo Switch does not have a normal Internet Browser for user usage. However, there is multiple browser applets. It is the [https://web.archive.org/web/20170304075230/https://gl.access-company.com/news_event/archives/2017/170303/ NetFront NX] browser, which is based on Webkit.
-When linking the Nintendo Account with Facebook, the Facebook Auth website will open, offering a search box that can be used to browse the Internet ("LoginApplet"). Alternatively, it can be accessed with [https://gbatemp.net/threads/web-browser-kind-of-on-the-switch.463094/ custom DNS settings] which simulate a Wi-Fi login page ("WifiWebAuthApplet" for captive-portal).
+When linking the Nintendo Account with Facebook, the Facebook Auth website will open, offering a search box that can be used to browse the Internet ("LoginApplet"). Alternatively, it can be accessed with custom DNS settings which simulate a Wi-Fi login page ([[#WifiWebAuthApplet|WifiWebAuthApplet]] for captive-portal).
+At some point WebApplet started sending header "Upgrade-Insecure-Requests: 1" with all plain-HTTP requests (unknown whether other applets affected). This is only for server-use: plain-HTTP content and redirects to plain-HTTP URLs are still allowed (at least on S1).
 == Known User Agent Strings ==
@@ Line 34: / Line 36: @@
 | [[6.1.0]]
 | Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/601.6 (KHTML, like Gecko) NF/4.0.0.10.14 NintendoBrowser/5.1.0.17806
+|-
+| [[10.0.0]]
+| Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/606.4 (KHTML, like Gecko) NF/6.0.1.15.4 NintendoBrowser/5.1.0.20389
+|-
+| [[20.1.0]]-[[20.1.1]]
+| Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/613.0 (KHTML, like Gecko) NF/6.0.3.27.11 NintendoBrowser/5.1.0.35219
+[S2] Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/613.0 (KHTML, like Gecko) NF/7.0.3.8.11 NintendoBrowser/5.2.0.35483
 |}
 The UA is generated with: "Mozilla/5.0 (Nintendo Switch; <appletname>) AppleWebKit/<webkitver> (KHTML, like Gecko) NF/<nfver0>.<nfver1>.<nfver2> NintendoBrowser/5.<ninver0>.<ninver1>.<ninver2>"
+The full UA for Switch and Switch 2 are similar, on matching system-versions. The NF and NintendoBrowser versions are newer for S2 however.
 == Browser Applets ==
@@ Line 44: / Line 55: @@
 ! Invalid TLS cert handling
 ! Uses whitelist
-! Title ID
+! [[Applet_Manager_services#AppletId|AppletId]]
 ! Notes
 |-
@@ Line 51: / Line 62: @@
 | Displays an error dialog without an option to ignore it.
 | Yes
-| 010000000000100A
+| 0x13
 |
 |-
@@ Line 58: / Line 69: @@
 | Just displays an error-code.
 | Yes
-| 010000000000100B
+| 0x14
 |
 |-
@@ Line 65: / Line 76: @@
 |
 |
-| 010000000000100F
+| 0x17
 |
 |-
@@ Line 72: / Line 83: @@
 | Just displays an error-code.
 | Yes
-| 0100000000001010
+| 0x18
 |
 |-
@@ Line 79: / Line 90: @@
 | Just displays an error-code.
 | Yes
-| 0100000000001010
+| 0x18
 |
 |-
@@ Line 86: / Line 97: @@
 | Just displays an error-code.
 | Yes
-| 0100000000001010
+| 0x18
+|
+|-
+| NsoApplet
+| Nintendo Switch Online menu
+|
+|
+| 0x18
 |
 |-
@@ Line 93: / Line 111: @@
 | Displays an error dialog with an option to ignore it.
 | No
-| 0100000000001011
+| 0x19
 |
 |}
@@ Line 101: / Line 119: @@
 No known applets can directly access the SD card via mounting it. This includes ShareApplet (which posts screenshots from SD to social media).
-== OSS ==
+== BrowserDll ==
-The NROs for the OSS are stored under a separate [[Title_list|title]]. All of the web-applets use the same OSS NROs via this title.
+The NROs for the OSS are stored under the BrowserDll [[Title_list|SystemData]]. All of the web-applets use the same OSS NROs via this SystemData.
 String from v2.0 in oss_wkc.nro: "libcurl/7.50.1".
+Almost all RomFs data for the web-applets is stored here.
+S2 has the following changes for BrowserDll, compared to S1:
+* Various data under "/browser/" was updated.
+** Also, the following was added under "/browser/": "icudt62l.dat.lz4", "UserCssNxCompatibleLineHeight.dat".
+* "/buildinfo/buildinfo.dat" differ.
+* Added "/font/nintendo_private_ext.bfttf".
+* Updated "/gfxShader/BrowserOffscreenDrawer.bnsh", added "/gfxShader/MediaPlayerCcDrawer.bnsh", updated "/gfxShader/MediaPlayerDrawer.bnsh".
+* The contents of UrlBlackList were moved here to "/". These are the following:
+** "listCommon.txt", "listEcChina.txt", "listEcGlobal.txt", "listIframe.txt", "listLnsChina.txt", "listLnsGlobal.txt", "listWebYouTubePlayerCommon.txt"
+** These are identical except for "listLnsGlobal.txt", which adds a newline at end-of-file.
+* Removed "/lyt/".
+* The various localization data under "/message/" was updated, etc.
+* "/nro/netfront/core_0/default":
+** "cfi_disabled/" is now "cfi_enabled/".
+* "/nro/netfront/core_3/":
+** "default/" is now "mse/".
+* Removed "/shader/".
+* Moved "/sound/" from SystemData into the applet RomFs, with filename/content being updated.
+* Added "/ui/".
 == Video Playback ==
@@ Line 120: / Line 159: @@
 Prior to version [[3.0.0]], this applet was launched when attempting a system update from recovery mode if needed. This was changed to display a "This feature is not available." popup instead.
+The conntest URL from [[#WebWifiPageArg]] is used to poll whether the connection is usable, with the SDK [[libcurl]].
+In later versions the above domain was replaced with [[Network|ctest.{...}]].
 ==Whitelisted Applets==
@@ Line 155: / Line 198: @@
    You can invite friends to the room via
    the Nintendo Switch Online Lounge app.
+=== NsoApplet ===
+[11.0.0+] This applet handles the new Nintendo Switch Online menu, which is launched from qlaunch.
+The initial page loaded by this applet is: <nowiki>"https://%.nso.nintendo.net/</nowiki>{string from [[#TLVs|TLV]] 0x2}"
 == ShopN ==
@@ Line 191: / Line 239: @@
 Minus TIDs, the [[NPDM]] is the same as 010000000000100A except 010000000000100A has access to more/other services.
-== Service/FS Access ==
+== [[NPDM]] ==
-All browser applets have access to the following services: acc:u1, appletAE, audin:u, audren:u, audout:u, bsd:u, fatal:u, fsp-srv, hid, hid:sys, irs, ldn:m, ldr:ro, lm, erpt:c, nifm:s, ns:am, nsd:u, nvdrv:a, mm:u, pl:u, prepo:s, set, set:sys, sfdnsres, ssl, time:u, vi:s
+All web-applets have access to the following services: acc:u1, appletAE, audin:u, audout:u, audren:u, [7.0.0+] banana, bsd:u, bsdcfg, [12.1.0+] csrng, erpt:c, fatal:u, fsp-srv, hid, hid:sys, htc, htc:tenv, htcs, hwopus, irs, ldn:m, ldr:ro, lm, [9.1.0+] lp2p:m, mm:u, nifm:s, [3.0.0+] ns:vm, ns:am, nsd:u, nvdrv:a, pl:u, prepo:s, set, set:sys, sfdnsres, ssl, time:u, [1.0.0] tspm, vi:s
+[3.0.0+] ns:am was replaced with ns:web.
+[17.0.0+] htcs:sys access was added. [18.1.0+] htcs access was removed.
+[19.0.0+] bsd:u was replaced with bsd:a.
+WebApplet also has access to ntc. [3.0.0+] Added ntc access for Shop and LibAppletLns.
-LoginApplet/ShareApplet/LobbyApplet have access to the above + caps:a.
+LibAppletLns has access to the above + caps:a. Also [13.1.0+] caps:ss, [13.1.0+] mnpp:web, [3.0.0+] pctl. [20.0.0+] ns:sweb is accessible instead of ns:web.
-ShopN has access to the above + nim:shp.
+Shop also has access to [2.0.0+] nim:shp, [?+] <nowiki>news:c</nowiki>. Shop has access to ns:ec instead of ns:web.
-Unlike the applets listed above, WebApplet TID 010000000000100A has access to the [[Filesystem_services|FS]] MountContent* commands. This is so that it can load the whitelist from "/accessible-urls/accessible-urls.txt" in the mounted FS, from [[NCA]]-type4 where titleID={application which launched this applet}.
+Offline has access to nifm:u instead of nifm:s. Unlike the other applets, Offline doesn't have access to the following: ldn:m, lp2p:m, ssl.
+Unlike the other applets, LibAppletAuth doesn't have access to following: [3.0.0+] mm:u, [3.0.0+] ns:web.
+All web-applets have fs-permission [[NPDM|SystemSaveData]].
+Unlike the applets listed above, WebApplet/Offline also have access to fs-permission [[NPDM|ApplicationInfo]]. This is so it can open the specified Manual content. With WebApplet this is used for loading the whitelist from "/accessible-urls/accessible-urls.txt" in the mounted content.
 == Heap ==
+The size used for [[SVC|svcSetHeapSize]] by the web-applets is 0x15600000. Under ShopN, the largest size that can be passed to this without an error being returned, is 0x1B400000.
+The size used by title 010000000000100A (on 10.0.0 at least) is 0x14200000.
-The size used for [[SVC|svcSetHeapSize]] by the web-applets is 0x15600000. Under ShopN, the largest size that can be passed to this without an error being returned, is 0x1B400000.
+The heap for the main-codebin (<code>malloc</code>/<code>operator new</code>) uses nn::lmem::*ExpHeap. [8.0.0+] <code>malloc</code>/<code>operator new</code> now checks the return-addr (addr located in a relevant NRO), with wkc_malloc_crashonfailure being called for the allocation if the check passes, otherwise a normal allocation is done (the code which runs for this will Abort if allocation fails).
+<code>malloc</code> passes the input size directly to the called func. <code>operator new</code> when handling normal non-wkc allocations passes the following to the called func: <code>sxtw x1, {inw0}</code> (for wkc allocations the size is passed directly). [12.1.0+] The size is now passed directly (64bit) without using sxtw.
+[11.0.0+] There's now optional code for using [[SVC|svcMapPhysicalMemoryUnsafe]] etc, however it's unknown what sets the flag for this. An Abort string used this is: "{path}/TransferredMemoryManager.cpp"
 == Applet Launching ==
-The web-applets are launched using a storage containing the input arg data, on exit the output storage contains the "*ReturnValue" reply data struct. The output struct is specific to each applet.
+The web-applets are launched using a storage containing the input arg data, on exit the output storage contains the "*ReturnValue" reply data.
+Input/output storage size for TLV data is 0x2000-bytes.
 === Library Applet Versions ===
@@ Line 219: / Line 290: @@
 |-
 | [6.0.0+] || 0x60000
+|-
+| [8.0.0+] || 0x80000
 |}
@@ Line 253: / Line 326: @@
 | 7
 | Lobby
+|-
+| 8
+| [[#NsoApplet|Lhub]]
 |}
@@ Line 260: / Line 336: @@
 This is for sending/receiving [[#SessionMessage]]s via applet Interactive storage.
-During state init, max_messages is set to 0xA and max_size is set to 0x5000, with message_count=0 and cur_size=0.
+During state init, max_messages is set to 0xA ([7.0.0+] 0x10), with message_count=0 and cur_size=0. [5.0.0-5.1.0] max_size is set to 0x5000. [7.0.0+] Two queues are used for message_count/cur_size: first one is for BrowserEngineContent (max_size 0x8000 is used), the second one is for non-BrowserEngineContent (max_size 0x1000 is used).
-When sending messages, there has to be an available message slot available (<code>max_messages!=message_count</code>), and there has to be enough space avilable (<code>msghdr_contentsize+0x10 + cur_size <= max_size</code>). After pushing the storage, message_count is incremented and cur_size is increased by <code>msghdr_contentsize+0x10</code>.
+When sending messages, there has to be an available message slot available (<code>max_messages!=message_count</code>), and there has to be enough space available (<code>msghdr_contentsize+0x10 + cur_size <= max_size</code>). After pushing the storage, message_count is incremented and cur_size is increased by <code>msghdr_contentsize+0x10</code>.
-When receiving messages, it will repeatedly pop Interactive output storage until no more are available. If the ID is not 0x1000/0x0, the message is ignored. Otherwise:
+When receiving messages, it will repeatedly pop Interactive output storage until no more are available. Non-Ack messages are Acked.
 * Ack: Verifies that message_count is not already 0, then decrements it. Then cur_size is decreased by the u32 loaded from msgcontent+0.
-* 0x0: Does some validation. Copies the first 8-bytes from the header to the user [[#SessionMessage]]. Reads the message content into the user [[#SessionMessage]], when contentsize is non-zero. Then sends an Ack with the storage size.
+* 0x0: Does some validation. Reads the message content into the user buffer, when contentsize is non-zero. The original contentsize is written to an user output param. The last byte in the user buffer (contentsize clamped to the user max-buf-size, -1) is set to 0 for NUL-termination.
+Next info was tested in 9.0.0
+In the js side (which is only available when enabled via the JsExtensionEnabled TLV), there is a method called <code>window.nx.sendMessage(arg)</code> that sends data to the native side, this method returns a boolean indicating if sending was successful and accepts a string as an argument. The string is encoded like a C null terminated string in the message content. For receive messages from native part, there is a dom event called <code>message</code> which is dispatched when a message arrives. The event can be listened using <code>window.nx.addEventListener("message", callback)</code> being callback a function which first parameter is like a dom event arg and contains a member called <code>data</code> which contains the string decoded from the arrived message.
+If messages aren't acked by the native part, js side will not longer receive messages. Ack to web applet '''must''' have 4 bytes after the message content or the applet will Abort.
 ==== SessionMessage ====
@@ Line 282: / Line 364: @@
 | Size from header
 | Message content
+|-
+| After message content
+| 0x4 if message is ack, 0x0 otherwise
+| Padding
 |}
@@ Line 293: / Line 379: @@
 | 0x0
 | 0x4
-| Message ID
+| Message Kind ([[#WebSessionSendMessageKind]] / [[#WebSessionReceiveMessageKind]])
 |-
 | 0x4
 | 0x4
-| Content size following the header.
+| Data size following the header.
 |-
 | 0x8
@@ Line 304: / Line 390: @@
 |}
-==== IDs ====
+==== WebSessionSendMessageKind ====
+This is "nn::web::detail::WebSessionSendMessageKind".
+{| class="wikitable" border="1"
+|-
+!  ID
+!  Content size
+!  Description
+|-
+| 0x0
+| Arbitrary
+| BrowserEngine Content, NUL-terminated string. Used to communicate with the applet via JsExtensions used by the Js being run by the applet on the current page.
+|-
+| 0x100
+| 0x0
+| SystemMessage Appear. Requests the applet to Appear, this is only needed with [[#WebSessionBootMode]] AllForegroundInitiallyHidden.
+|-
+| 0x1000
+| 0xC
+| Ack. Content: first u32 is the entire storage size of the message being acked, the rest is not used.
+|}
+==== WebSessionReceiveMessageKind ====
+This is "nn::web::detail::WebSessionReceiveMessageKind".
 {| class="wikitable" border="1"
 |-
@@ Line 313: / Line 423: @@
 | 0x0
 | Arbitrary
-| Arbitrary content.
+| BrowserEngine Content, see [[#WebSessionSendMessageKind]].
 |-
 | 0x1000
-| 0x8
+| 0xC
-| Ack. Content: first u32 is the entire storage size of the message being acked, while the second u32 is 0.
+| Ack BrowserEngine
+|-
+| 0x1001
+| 0xC
+| Ack SystemMessage
 |}
@@ Line 372: / Line 486: @@
 |}
-This is the 0x1010-byte output storage used by all non-WebWifi applets - except for Share which returns a TLV storage on [3.0.0+].
+This is the 0x1010-byte output storage used by all non-WebWifi applets - except for Share which returns a TLV storage on [3.0.0+], and Web on [8.0.0+].
 === WebArgHeader ===
@@ Line 847: / Line 961: @@
 | u8 bool
 | Enables using [[#WebSession]] when set.
+|-
+| [8.0.0+]
+| Offline
+| 0x43
+| 0x1
+| u8 bool
+| MediaPlayerUiEnabled
+|-
+| [11.0.0+]
+|
+| 0x44
+| 0x1
+| bool
+| TransferMemoryEnabled
 |}
@@ Line 859: / Line 987: @@
 [6.0.0+] <code>AddAlbumEntryAndMediaData</code> was added:
 * Looks for AlbumEntry{N} TLVs, when a TLV is not found it is written, then the associated AdditionalMediaData{N} TLV is written the same way as AdditionalMediaData0. If all AlbumEntry{N} TLVs already exist, this returns without writing anything.
+TransferMemoryEnabled: sdknso only exposes this for the Web applet. The sdknso func uses <code>nn::os::QueryMemoryInfo</code> at the start of the func, however the output is unused. The applet doesn't seem to parse this TLV.
 ==== Output TLVs ====
@@ Line 864: / Line 994: @@
 |-
 !  System Version
+!  Applets
 !  Type
 !  Size
@@ Line 870: / Line 1,001: @@
 |-
 | [3.0.0+]
+| Share, Web
 | 0x1
 | 0x4
@@ Line 876: / Line 1,008: @@
 |-
 | [3.0.0+]
+| Share, Web
 | 0x2
 |
@@ Line 882: / Line 1,015: @@
 |-
 | [3.0.0+]
+| Share, Web
 | 0x3
 | 0x8
@@ Line 888: / Line 1,022: @@
 |-
 | [3.0.0+]
+| Share
 | 0x4
 | 0x4
@@ Line 894: / Line 1,029: @@
 |-
 | [3.0.0+]
+| Share
 | 0x5
 |
@@ Line 900: / Line 1,036: @@
 |-
 | [3.0.0+]
+| Share
 | 0x6
 | 0x8
@@ Line 906: / Line 1,043: @@
 |-
 | [3.0.0+]
+| Share
 | 0x7
 |
@@ Line 912: / Line 1,050: @@
 |-
 | [3.0.0+]
+| Share
 | 0x8
 | 0x8
 | u64
 | PostIdSize
+|-
+| [8.0.0+]
+| Web
+| 0x9
+| 0x1
+| u8 bool
+| MediaPlayerAutoClosedByCompletion
 |}
-These are used for Share-applet. Official user-processes doesn't check the TLV size for any of these.
+These are used for Share-applet on [3.0.0+], and with Web on [8.0.0+]. Official user-processes doesn't check the TLV size for any of these.
 ==== DocumentKind ====
@@ Line 1,079: / Line 1,225: @@
 ==== WebSessionBootMode ====
+This is "nn::web::WebSessionBootMode".
 {| class="wikitable" border="1"
 |-
@@ Line 1,087: / Line 1,235: @@
 | 0
 |
-| Normal (AllForeground)
+| Normal/default (AllForeground)
 |-
 | 1