Difference between revisions of "SVC"
Misson20000 (talk | contribs) m (→svcWaitSynchronization: add note about 0xec01 result) |
Misson20000 (talk | contribs) (Add svcCancelSynchronization section) |
||
Line 53: | Line 53: | ||
| 0x18 || [[#svcWaitSynchronization]] || X1=handles_ptr, W2=num_handles. X3=timeout || W0=result, W1=handle_idx | | 0x18 || [[#svcWaitSynchronization]] || X1=handles_ptr, W2=num_handles. X3=timeout || W0=result, W1=handle_idx | ||
|- | |- | ||
− | | 0x19 || svcCancelSynchronization || W0=thread_handle || W0=result | + | | 0x19 || [[#svcCancelSynchronization]] || W0=thread_handle || W0=result |
|- | |- | ||
| 0x1A || svcArbitrateLock || W0=cur_thread_handle, X1=ptr, W2=req_thread_handle || | | 0x1A || svcArbitrateLock || W0=cur_thread_handle, X1=ptr, W2=req_thread_handle || | ||
Line 665: | Line 665: | ||
'''0xec01:''' Interrupted. Returns when another thread uses [[#svcCancelSynchronization]] to cancel this thread. | '''0xec01:''' Interrupted. Returns when another thread uses [[#svcCancelSynchronization]] to cancel this thread. | ||
+ | |||
+ | == svcCancelSynchronization == | ||
+ | |||
+ | <div style="display: inline-block;"> | ||
+ | {| class="wikitable" border="1" | ||
+ | |- | ||
+ | ! Argument || Type || Name | ||
+ | |- | ||
+ | | (In) W0 || Handle<Thread> || Handle | ||
+ | |- | ||
+ | | (Out) W0 || [[#Result]] || Ret | ||
+ | |} | ||
+ | </div> | ||
+ | |||
+ | If the referenced thread is currently in an [[#svcWaitSynchronization]] call, that call will be interrupted and return 0xec01. | ||
+ | If that thread is not currently executing [[#svcWaitSynchronization]], the next call to [[#svcWaitSynchronization]] will return 0xec01. | ||
+ | |||
+ | === Result codes === | ||
+ | |||
+ | '''0x0:''' Success. The thread was either interrupted or has had its flag set. | ||
+ | |||
+ | '''0xe401:''' Invalid handle. The handle given was either invalid or not a thread handle. | ||
== svcGetSystemTick == | == svcGetSystemTick == |
Revision as of 00:29, 24 September 2018
System calls
Id | Name | In | Out |
---|---|---|---|
0x1 | #svcSetHeapSize | W1=size | W0=result, X1=outaddr |
0x2 | #svcSetMemoryPermission | X0=addr, X1=size, W2=prot | W0=result |
0x3 | #svcSetMemoryAttribute | X0=addr, X1=size, W2=state0, W3=state1 | W0=result |
0x4 | #svcMapMemory | X0=dstaddr, X1=srcaddr, X2=size | W0=result |
0x5 | #svcUnmapMemory | X0=dstaddr, X1=srcaddr, X2=size | W0=result |
0x6 | #svcQueryMemory | X0=MemoryInfo*, X2=addr | W0=result, W1=PageInfo |
0x7 | #svcExitProcess | None | |
0x8 | #svcCreateThread | X1=entry, X2=thread_context, X3=stacktop, W4=prio, W5=processor_id | W0=result, W1=handle |
0x9 | #svcStartThread | W0=thread_handle | W0=result |
0xA | #svcExitThread | None | |
0xB | #svcSleepThread | X0=nano | W0=result |
0xC | #svcGetThreadPriority | W1=thread_handle | W0=result, W1=prio |
0xD | #svcSetThreadPriority | W0=thread_handle, W1=prio | W0=result |
0xE | #svcGetThreadCoreMask | W2=thread_handle | W0=result, W1=out, X2=out |
0xF | #svcSetThreadCoreMask | W0=thread_handle, W1=in, X2=in2 | W0=result |
0x10 | #svcGetCurrentProcessorNumber | None | W0/X0=cpuid |
0x11 | svcSignalEvent | W0=wevent_handle | W0=result |
0x12 | svcClearEvent | W0=wevent_or_revent_handle | W0=result |
0x13 | #svcMapSharedMemory | W0=shmem_handle, X1=addr, X2=size, W3=perm | W0=result |
0x14 | svcUnmapSharedMemory | W0=shmem_handle, X1=addr, X2=size | W0=result |
0x15 | #svcCreateTransferMemory | X1=addr, X2=size, W3=perm | W0=result, W1=tmem_handle |
0x16 | svcCloseHandle | W0=handle | W0=result |
0x17 | svcResetSignal | W0=revent_or_process_handle | W0=result |
0x18 | #svcWaitSynchronization | X1=handles_ptr, W2=num_handles. X3=timeout | W0=result, W1=handle_idx |
0x19 | #svcCancelSynchronization | W0=thread_handle | W0=result |
0x1A | svcArbitrateLock | W0=cur_thread_handle, X1=ptr, W2=req_thread_handle | |
0x1B | svcArbitrateUnlock | X0=ptr | |
0x1C | svcWaitProcessWideKeyAtomic | X0=ptr0, X1=ptr, W2=thread_handle, X3=timeout | W0=result |
0x1D | svcSignalProcessWideKey | X0=ptr, W1=value | W0=result |
0x1E | #svcGetSystemTick | None | X0={value of cntpct_el0} |
0x1F | svcConnectToNamedPort | X1=port_name_str | W0=result, W1=handle |
0x20 | svcSendSyncRequestLight | W0=light_session_handle, X1=? | W0=result |
0x21 | svcSendSyncRequest | X0=normal_session_handle | W0=result |
0x22 | #svcSendSyncRequestWithUserBuffer | X0=cmdbufptr, X1=size, X2=handle | W0=result |
0x23 | svcSendAsyncRequestWithUserBuffer | X1=cmdbufptr, X2=size, X3=handle | W0=result, W1=revent_handle |
0x24 | svcGetProcessId | W1=thread_or_process_or_debug_handle | W0=result, X1=pid |
0x25 | svcGetThreadId | W1=thread_handle | W0=result, X1=out |
0x26 | #svcBreak | X0=break_reason,X1,X2=info | W0=result = 0 |
0x27 | svcOutputDebugString | X0=str, X1=size | W0=result |
0x28 | svcReturnFromException | X0=result | |
0x29 | #svcGetInfo | X1=info_id, X2=handle, X3=info_sub_id | W0=result, X1=out |
0x2A | svcFlushEntireDataCache | None | None |
0x2B | svcFlushDataCache | X0=addr, X1=size | W0=result |
0x2C | [3.0.0+] #svcMapPhysicalMemory | X0=addr, X1=size | W0=result |
0x2D | [3.0.0+] svcUnmapPhysicalMemory | X0=addr, X1=size | W0=result |
0x2E | [5.0.0+] svcGetFutureThreadInfo | X3=timeout | W0=result, bunch of crap |
0x2F | svcGetLastThreadInfo | None | W0=result, W1,W2,W3,W4=unk, W5=truncated_u64, W6=bool |
0x30 | svcGetResourceLimitLimitValue | W1=reslimit_handle, W2=#LimitableResource | W0=result, X1=value |
0x31 | svcGetResourceLimitCurrentValue | W1=reslimit_handle, W2=#LimitableResource | W0=result, X1=value |
0x32 | svcSetThreadActivity | W0=thread_handle, W1=bool | W0=result |
0x33 | svcGetThreadContext3 | X0=#ThreadContext*, W1=thread_handle | W0=result |
0x34 | [4.0.0+] svcWaitForAddress | X0=ptr, W1=#ArbitrationType, X2=value X3=timeout | |
0x35 | [4.0.0+] svcSignalToAddress | X0=ptr, W1=#SignalType, X2=value W3=num_to_signal | |
0x3C | #svcDumpInfo | ||
0x3D | [4.0.0+] svcDumpInfoNew | ||
0x40 | svcCreateSession | W2=is_light, X3=? | W0=result, W1=server_handle, W2=client_handle |
0x41 | #svcAcceptSession | W1=port_handle | W0=result, W1=session_handle |
0x42 | svcReplyAndReceiveLight | W0=light_session_handle | W0=result, W1,W2,W3,W4,W5,W6,W7=out |
0x43 | #svcReplyAndReceive | X1=ptr_handles, W2=num_handles, X3=replytarget_handle(0=none), X4=timeout | W0=result, W1=handle_idx |
0x44 | svcReplyAndReceiveWithUserBuffer | X1=buf, X2=sz, X3=ptr_handles, W4=num_handles, X5=replytarget_handle(0=none), X6=timeout | W0=result, W1=handle_idx |
0x45 | svcCreateEvent | None | W0=result, W1=wevent_handle, W2=revent_handle |
0x48 | [5.0.0+] #svcMapPhysicalMemoryUnsafe | X0=addr, X1=size | W0=result |
0x49 | [5.0.0+] svcUnmapPhysicalMemoryUnsafe | X0=addr, X1=size | W0=result |
0x4A | [5.0.0+] svcSetUnsafeLimit | X0=size | W0=result |
0x4B | [4.0.0+] #svcCreateCodeMemory | X1=addr, X2=size | W0=result, W1=code_memory_handle |
0x4C | [4.0.0+] #svcControlCodeMemory | W0=code_memory_handle, W1=#CodeMemoryOperation, X2=dstaddr, X3=size, W4=perm | W0=result |
0x4D | svcSleepSystem | None | None |
0x4E | #svcReadWriteRegister | X1=reg_addr, W2=rw_mask, W3=in_val | W0=result, W1=out_val |
0x4F | svcSetProcessActivity | W0=process_handle, W1=bool | W0=result |
0x50 | #svcCreateSharedMemory | W1=size, W2=myperm, W3=otherperm | W0=result, W1=shmem_handle |
0x51 | #svcMapTransferMemory | X0=tmem_handle, X1=addr, X2=size, W3=perm | W0=result |
0x52 | #svcUnmapTransferMemory | W0=tmemhandle, X1=addr, X2=size | W0=result |
0x53 | svcCreateInterruptEvent | X1=irq_num, W2=flag | W0=result, W1=handle |
0x54 | #svcQueryPhysicalAddress | X1=addr | W0=result, X1=physaddr, X2=kerneladdr, X3=size |
0x55 | #svcQueryIoMapping | X1=physaddr, X2=size | W0=result, X1=virtaddr |
0x56 | #svcCreateDeviceAddressSpace | X1=dev_as_start_addr, X2=dev_as_end_addr | W0=result, W1=dev_as_handle |
0x57 | #svcAttachDeviceAddressSpace | W0=device, X1=dev_as_handle | W0=result |
0x58 | #svcDetachDeviceAddressSpace | W0=device, X1=dev_as_handle | W0=result |
0x59 | #svcMapDeviceAddressSpaceByForce | W0=dev_as_handle, W1=proc_handle, X2=dev_map_addr, X3=dev_as_size, X4=dev_as_addr, W5=perm | W0=result |
0x5A | #svcMapDeviceAddressSpaceAligned | W0=dev_as_handle, W1=proc_handle, X2=dev_map_addr, X3=dev_as_size, X4=dev_as_addr, W5=perm | W0=result |
0x5B | svcMapDeviceAddressSpace | ||
0x5C | #svcUnmapDeviceAddressSpace | W0=dev_as_handle, W1=proc_handle, X2=dev_map_addr, X3=dev_as_size, X4=dev_as_addr | W0=result |
0x5D | svcInvalidateProcessDataCache | W0=process_handle, X1=addr, X2=size | W0=size |
0x5E | svcStoreProcessDataCache | W0=process_handle, X1=addr, X2=size | W0=size |
0x5F | svcFlushProcessDataCache | W0=process_handle, X1=addr, X2=size | W0=size |
0x60 | svcDebugActiveProcess | X1=pid | W0=result, W1=debug_handle |
0x61 | svcBreakDebugProcess | W0=debug_handle | W0=result |
0x62 | svcTerminateDebugProcess | W0=debug_handle | W0=result |
0x63 | svcGetDebugEvent | X0=#DebugEventInfo*, W1=debug_handle | W0=result |
0x64 | svcContinueDebugEvent | [1.0.0-2.3.0] W0=debug_handle, W1=#ContinueDebugFlagsOld, X2=thread_id
[3.0.0+] W0=debug_handle, W1=#ContinueDebugFlags, X2=thread_id_list(u64 *), W3=num_tids (max 64, 0 means "all threads") |
W0=result |
0x65 | svcGetProcessList | X1=pids_out_ptr, W2=max_out | W0=result, W1=num_out |
0x66 | svcGetThreadList | X1=tids_out_ptr, W2=max_out, W3=debug_handle_or_zero | W0=result, X1=num_out |
0x67 | svcGetDebugThreadContext | X0=ThreadContext*, X1=debug_handle, X2=thread_id, W3=#ThreadContextFlags | W0=result |
0x68 | svcSetDebugThreadContext | W0=debug_handle, W1=#ThreadContextFlags, X2=ThreadContext*, X3=thread_id | W0=result |
0x69 | svcQueryDebugProcessMemory | X0=#MemoryInfo*, X2=debug_handle, X3=addr | W0=result, W1=PageInfo |
0x6A | svcReadDebugProcessMemory | X0=buffer*, X1=debug_handle, X2=src_addr, X3=size | W0=result |
0x6B | svcWriteDebugProcessMemory | X0=debug_handle, X1=buffer*, X2=dst_addr, X3=size | W0=result |
0x6C | #svcSetHardwareBreakPoint | W0=HardwareBreakpointId, X1=watchpoint_flags/breakpoint_flags, X2=watchpoint_value/debug_handle | |
0x6D | svcGetDebugThreadParam | X2=debug_handle, X3=thread_id, W4=#DebugThreadParam | W0=result, X1=out0, W2=out1 |
0x6F | [5.0.0+] #svcGetSystemInfo | X1=info_id, X2=handle, X3=info_sub_id | W0=result, X1=out |
0x70 | svcCreatePort | W2=max_sessions, W3=unk_bool, X4=name_ptr | W0=result, W1=clientport_handle, W2=serverport_handle |
0x71 | svcManageNamedPort | X1=name_ptr, W2=max_sessions | W0=result, W1=serverport_handle |
0x72 | svcConnectToPort | W1=clientport_handle | W0=result, W1=session_handle |
0x73 | #svcSetProcessMemoryPermission | W0=process_handle, X1=addr, X2=size, W3=perm | W0=result |
0x74 | #svcMapProcessMemory | X0=dstaddr, W1=process_handle, X2=srcaddr, X3=size | W0=result |
0x75 | #svcUnmapProcessMemory | X0=dstaddr, W1=process_handle, X2=srcaddr, X3=size | W0=result |
0x76 | #svcQueryProcessMemory | X0=meminfo_ptr, W2=process_handle, X3=addr | W0=result, W1=pageinfo |
0x77 | #svcMapProcessCodeMemory | W0=process_handle, X1=dstaddr, X2=srcaddr, X3=size | W0=result |
0x78 | #svcUnmapProcessCodeMemory | W0=process_handle, X1=dstaddr, X2=srcaddr, X3=size | W0=result |
0x79 | #svcCreateProcess | X1=procinfo_ptr, X2=caps_ptr, W3=cap_num | W0=result, W1=process_handle |
0x7A | svcStartProcess | W0=process_handle, W1=main_thread_prio, W2=default_cpuid, W3=main_thread_stacksz | W0=result |
0x7B | svcTerminateProcess | W0=process_handle | W0=result |
0x7C | #svcGetProcessInfo | W0=process_handle, W1=#ProcessInfoType | W0=result, X1=#ProcessState |
0x7D | svcCreateResourceLimit | None | W0=result, W1=reslimit_handle |
0x7E | svcSetResourceLimitLimitValue | W0=reslimit_handle, W1=#LimitableResource, X2=value | W0=result |
0x7F | svcCallSecureMonitor | X0=smc_sub_id, X1,X2,X3,X4,X5,X6,X7=smc_args | X0,X1,X2,X3,X4,X5,X6,X7=result |
svcSetHeapSize
Argument | Type | Name |
---|---|---|
(In) W1 | u64 | Size |
(Out) W0 | #Result | Ret |
(Out) X1 | u64 | OutAddr |
Description: Set the process heap to a given Size. It can both extend and shrink the heap.
Size must be a multiple of 0x200000 (2MB).
On success, the heap base-address (which is fixed by kernel, aslr'd) is written to OutAddr.
Uses current process pool partition.
[2.0.0+] Size must be less than or equal to 4GB.
svcSetMemoryPermission
Argument | Type | Name |
---|---|---|
(In) X0 | void* | Addr |
(In) X1 | u64 | Size |
(In) W2 | #Permission | Prot |
(Out) W0 | #Result | Ret |
Description: Change permission of page-aligned memory region.
Bit2 of permission (exec) is not allowed. Setting write-only is not allowed either (bit1).
This can be used to move back and forth between ---, r-- and rw-.
svcSetMemoryAttribute
Argument | Type | Name |
---|---|---|
(In) X0 | void* | Addr |
(In) X1 | u64 | Size |
(In) W2 | u32 | State0 |
(In) W3 | u32 | State1 |
(Out) W0 | #Result | Ret |
Description: Change attribute of page-aligned memory region.
This is used to turn on/off caching for a given memory area. Useful when talking to devices such as the GPU.
What happens "under the hood" is the "Memory Attribute Indirection Register" index is changed from 2 to 3 in the MMU descriptor.
State0 | State1 | Action |
---|---|---|
0 | 0 | Clear bit3 in #MemoryAttribute. |
8 | 0 | Clear bit3 in #MemoryAttribute. |
8 | 8 | Set bit3 in #MemoryAttribute. |
svcMapMemory
Argument | Type | Name |
---|---|---|
(In) X0 | void* | DstAddr |
(In) X1 | void* | SrcAddr |
(In) X2 | u64 | Size |
(Out) W0 | #Result | Ret |
Description: Maps a memory range into a different range.
Mainly used for adding guard pages around stack.
Source range gets reprotected to --- (it can no longer be accessed), and bit0 is set in the source #MemoryAttribute.
If dstaddr >= LowerTreshold, the dst-range is enforced to be within the process' "MapRegion". Code can get the range of this region from #svcGetInfo id0=2,3.
In this case, the mapped memory will have state 0x5C3C0B.
As long as (dstaddr+size) < LowerThreshold, then you can map anywhere but the mapped memory will have state 0x482907 instead.
LowerTreshold is 0x80000000 for 36-bit address spaces, and 0x40000000 for 32-bit ones.
[2.0.0+] Support for the 0x482907 mappings outside the "MapRegion" were removed.
svcUnmapMemory
Argument | Type | Name |
---|---|---|
(In) X0 | void* | DstAddr |
(In) X1 | void* | SrcAddr |
(In) X2 | u64 | Size |
(Out) W0 | #Result | Ret |
Description: Unmaps a region that was previously mapped with #svcMapMemory.
It's possible to unmap ranges partially, you don't need to unmap the entire range "in one go".
The srcaddr/dstaddr must match what was given when the pages were originally mapped.
svcQueryMemory
Argument | Type | Name |
---|---|---|
(In) X0 | #MemoryInfo* | MemInfo |
(In) X2 | void* | Addr |
(Out) W0 | #Result | Ret |
(Out) W1 | PageInfo | PageInfo |
Description: Query information about an address. Will always fetch the lowest page-aligned mapping that contains the provided address.
Outputs a #MemoryInfo struct.
svcExitProcess
Argument | Type | Name |
---|---|---|
(In) None | ||
(Out) None |
Description: Exits the current process.
svcCreateThread
Argument | Type | Name |
---|---|---|
(In) X1 | void(*)(void*) | Entry |
(In) X2 | void* | ThreadContext |
(In) X3 | void* | StackTop |
(In) W4 | u32 | Priority |
(In) W5 | u32 | ProcessorId |
(Out) W0 | #Result | Ret |
(Out) W1 | Handle<Thread> | Handle |
Description: Create a thread in the current process.
Processor_id must be 0,1,2,3 or -2, where -2 uses the default cpuid for process.
svcStartThread
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<Thread> | Handle |
(Out) None |
Description: Starts the thread for the provided handle.
svcExitThread
Argument | Type | Name |
---|---|---|
(In) None | ||
(Out) None |
Description: Exits the current thread.
svcSleepThread
Argument | Type | Name |
---|---|---|
(In) X0 | u64 | Nano |
(Out) W0 | #Result | Ret |
Description: Sleep for a specified amount of time, or yield thread.
Setting nano=0 means "yield thread".
svcGetThreadPriority
Argument | Type | Name |
---|---|---|
(In) W1 | Handle<Thread> | Handle |
(Out) W0 | #Result | Ret |
(Out) W1 | u64 | Priority |
Description: Get priority of provided thread handle.
svcSetThreadPriority
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<Thread> | Handle |
(In) W1 | u32 | Priority |
(Out) W0 | #Result | Ret |
Description: Set priority of provided thread handle.
Priority is a number 0-0x3F. Lower value means higher priority.
svcGetThreadCoreMask
Argument | Type | Name |
---|---|---|
(In) W2 | Handle<Thread> | Handle |
(Out) W0 | #Result | Ret |
(Out) W1 | u32 | Out0 |
(Out) X2 | u64 | Out1 |
Description: Get affinity mask of provided thread handle.
svcSetThreadCoreMask
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<Thread> | Handle |
(In) W1 | u32 | In0 |
(In) X2 | u64 | In1 |
(Out) W0 | #Result | Ret |
Description: Set affinity mask of provided thread handle.
svcGetCurrentProcessorNumber
Argument | Type | Name |
---|---|---|
(In) None | ||
(Out) W0/X0 | u64 | CpuId |
Description: Get which cpu is executing the current thread.
Cpu-id is an integer in the range 0-3.
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<SharedMemory> | MemHandle |
(In) X1 | void* | Addr |
(In) X2 | u64 | Size |
(In) W3 | #Permission | Permissions |
(Out) W0 | #Result | Ret |
Maps the block supplied by the handle. The required permissions are different for the process that created the handle and all other processes.
Increases reference count for the KSharedMemory object. Thus in order to release the memory associated with the object, all handles to it must be closed and all mappings must be unmapped.
svcCreateTransferMemory
Argument | Type | Name |
---|---|---|
(In) X1 | void* | Addr |
(In) X2 | u64 | Size |
(In) W3 | #Permission | Permissions |
(Out) W0 | #Result | Ret |
(Out) W1 | Handle<TransferMemory> | Handle |
This one reprotects the src block with perms you give it. It also sets bit0 into #MemoryAttribute.
Executable bit perm not allowed.
Closing all handles automatically causes the bit0 in #MemoryAttribute to clear, and the permission to reset.
svcWaitSynchronization
Argument | Type | Name |
---|---|---|
(In) X1 | Handle* | HandlesPtr |
(In) W2 | u64 | HandlesNum |
(In) X3 | u64 | Timeout |
(Out) W0 | #Result | Ret |
(Out) W1 | u64 | HandleIndex |
Works with num_handles <= 0x40, error on num_handles == 0.
Does not accept 0xFFFF8001 or 0xFFFF8000 as handles.
Object types
Port: signals when there is an incoming connection waiting to be accepted.
Session (server-side): signals when there is an incoming message waiting to be received or the pipe is closed.
Result codes
0x0: Success. One of the objects was signalled before the timeout expired. Handle index is updated to indicate which object signalled.
0xe401: Invalid handle. Returned when one of the handles passed is invalid. Handle index is not updated.
0xea01: Timeout. Returned when no objects have been signalled within the timeout. Handle index is not updated.
0xec01: Interrupted. Returns when another thread uses #svcCancelSynchronization to cancel this thread.
svcCancelSynchronization
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<Thread> | Handle |
(Out) W0 | #Result | Ret |
If the referenced thread is currently in an #svcWaitSynchronization call, that call will be interrupted and return 0xec01. If that thread is not currently executing #svcWaitSynchronization, the next call to #svcWaitSynchronization will return 0xec01.
Result codes
0x0: Success. The thread was either interrupted or has had its flag set.
0xe401: Invalid handle. The handle given was either invalid or not a thread handle.
svcGetSystemTick
Argument | Type | Name |
---|---|---|
(Out) X0 | u64 | Ticks |
Returns the value of cntpct_el0.
The frequency is 19200000 Hz (constant from official sw).
Official sw reads cntpct_el0 directly from usermode without using this SVC. sdk-nso has this SVC, but it's not known to be called anywhere.
svcSendSyncRequestWithUserBuffer
Argument | Type | Name |
---|---|---|
(In) X0 | void* | CmdPtr |
(In) X1 | u64 | Size |
(In) W2 | Handle<Session> | Handle |
(Out) W0 | #Result | Ret |
Size must be 0x1000-aligned.
svcBreak
Argument | Type | Name |
---|---|---|
(In) X0 | u64 | Break Reason |
(In) X1 | u64 | |
(In) X2 | u64 | Info |
(Out) W0 | Result | 0 (Success) |
If the process is attached, report the Break event. Then, if svcContinueDebugEvent didn't apply IgnoreException on the thread: if TPIDR_EL0 is 0, adjust ELR_EL1 to retry to svc instruction (and set TPIDR_EL0 to 1).
Otherwise, if bit31 in reason isn't set, perform crash reporting (see Exception Handling section below), if it doesn't terminate the process adjust ELR_EL1 as well.
Otherwise just return 0.
svcGetInfo
Argument | Type | Name |
---|---|---|
(In) X1 | u64 | InfoId |
(In) W2 | Handle | Handle |
(In) X3 | u64 | InfoSubId |
(Out) W0 | #Result | Ret |
(Out) X1 | u64 | Out |
Handle type | Id0 | Id1 | Description |
---|---|---|---|
Process | 0 | 0 | AllowedCpuIdBitmask |
Process | 1 | 0 | AllowedThreadPrioBitmask |
Process | 2 | 0 | MapRegionBaseAddr |
Process | 3 | 0 | MapRegionSize |
Process | 4 | 0 | HeapRegionBaseAddr |
Process | 5 | 0 | HeapRegionSize |
Process | 6 | 0 | TotalMemoryAvailable. Total memory available(free+used). |
Process | 7 | 0 | TotalMemoryUsage. Total used size of codebin memory + main-thread stack + allocated heap. |
Zero | 8 | 0 | IsCurrentProcessBeingDebugged |
Zero | 9 | 0 | Returns ResourceLimit handle for current process. Used by PM. |
Zero | 10 | -1, {current coreid} | IdleTickCount |
Zero | 11 | 0-3 | RandomEntropy from current process. TRNG. Used to seed usermode PRNGs. |
Process | 12 | 0 | [2.0.0+] AddressSpaceBaseAddr |
Process | 13 | 0 | [2.0.0+] AddressSpaceSize |
Process | 14 | 0 | [2.0.0+] NewMapRegionBaseAddr |
Process | 15 | 0 | [2.0.0+] NewMapRegionSize |
Process | 16 | 0 | [3.0.0+] PersonalMmHeapSize |
Process | 17 | 0 | [3.0.0+] PersonalMmHeapUsage |
Process | 18 | 0 | [3.0.0+] TitleId |
Zero | 19 | 0 | [4.0.0-4.1.0] PrivilegedProcessId_LowerBound |
Zero | 19 | 1 | [4.0.0-4.1.0] PrivilegedProcessId_UpperBound |
Process | 20 | 0 | [5.0.0+] UserExceptionContextAddr |
Thread | 0xF0000002 | 0 | Performance counter related. |
svcMapPhysicalMemory
This is like svcSetHeapSize except you can allocate heap at any address you'd like.
Uses current process pool partition.
svcDumpInfo
Argument | Type | Name |
---|---|---|
(In) None | ||
(Out) None |
Does nothing, just returns with registers set to all-zero.
svcAcceptSession
Argument | Type | Name |
---|---|---|
(In) W1 | Handle<Port> | Port |
(Out) W0 | #Result | Result |
(Out) W1 | Handle<ServerSession> | Session |
Result codes
0xf201: No session waiting to be accepted
svcReplyAndReceive
Argument | Type | Name |
---|---|---|
(In) W1 | *Handle<Port or ServerSession> | Handles |
(In) W2 | u32 | NumHandles |
(In) W3 | Handle<ServerSession> | ReplyTarget |
(In) X4 | u64 (nanoseconds) | Timeout |
(Out) W0 | #Result | Result |
(Out) W1 | u32 | HandleIndex |
If ReplyTarget is not zero, a reply from the TLS will be sent to that session. Then it will wait until either of the passed sessions has an incoming message, is closed, a passed port has an incoming connection, or the timeout expires. If there is an incoming message, it is copied to the TLS.
After being validated, passed handles will be enumerated in order; even if a session has been closed, if one that appears earlier in the list has an incoming message, it will take priority and a result code of 0x0 will be returned.
Result codes
0x0: Success. Either a session has an incoming message or a port has an incoming connection. HandleIndex is set appropriately.
0xea01: Timeout. No handles were signalled before the timeout expired. HandleIndex is not updated.
0xf601: Port remote dead. One of the sessions has been closed. HandleIndex is set appropriately.
svcMapPhysicalMemoryUnsafe
Same as #svcMapPhysicalMemory except it always uses pool partition 0.
svcCreateCodeMemory
Takes an address range with backing memory to create the code memory object.
The memory is initially memset to 0xFF after being locked.
svcControlCodeMemory
Maps the backing memory for a Code memory object into the current process.
For CodeMemoryOperation_MapOwner, memory permission must be RW-.
For CodeMemoryOperation_MapSlave, memory permission must be R-- or R-X.
Operations CodeMemoryOperation_UnmapOwner/CodeMemoryOperation_UnmapSlave unmap memory that was previously mapped this way.
This allows one "secure JIT" process to map the code memory as RW-, and the other "slave" process to map it R-X.
[5.0.0+] Error 0xE401 is now returned when the process owner of the Code memory object is the same as the current process.
svcReadWriteRegister
Argument | Type | Name |
---|---|---|
(In) X1 | u64 | RegAddr |
(In) W2 | u64 | RwMask |
(In) W3 | u64 | InValue |
(Out) W0 | #Result | Ret |
(Out) W1 | u64 | OutValue |
Read/write IO registers with a hardcoded whitelist. Input address is physical-address and must be aligned to 4.
rw_mask is 0 for reading and 0xffffffff for writing. You can also write individual bits by using a mask value.
You can only write to registers inside physical pages 0x70019000 (MC), 0x7001C000 (MC0), 0x7001D000 (MC1), and they all share the same whitelist.
The whitelist is same for writing as for reading.
The whitelist is:
0x054, 0x090, 0x094, 0x098, 0x09c, 0x0a0, 0x0a4, 0x0a8, 0x0ac, 0x0b0, 0x0b4, 0x0b8, 0x0bc, 0x0c0, 0x0c4, 0x0c8, 0x0d0, 0x0d4, 0x0d8, 0x0dc, 0x0e0, 0x100, 0x108, 0x10c, 0x118, 0x11c, 0x124, 0x128, 0x12c, 0x130, 0x134, 0x138, 0x13c, 0x158, 0x15c, 0x164, 0x168, 0x16c, 0x170, 0x174, 0x178, 0x17c, 0x200, 0x204, 0x2e4, 0x2e8, 0x2ec, 0x2f4, 0x2f8, 0x310, 0x314, 0x320, 0x328, 0x344, 0x348, 0x370, 0x374, 0x37c, 0x380, 0x390, 0x394, 0x398, 0x3ac, 0x3b8, 0x3bc, 0x3c0, 0x3c4, 0x3d8, 0x3e8, 0x41c, 0x420, 0x424, 0x428, 0x42c, 0x430, 0x44c, 0x47c, 0x480, 0x484, 0x50c, 0x554, 0x558, 0x55c, 0x670, 0x674, 0x690, 0x694, 0x698, 0x69c, 0x6a0, 0x6a4, 0x6c0, 0x6c4, 0x6f0, 0x6f4, 0x960, 0x970, 0x974, 0xa20, 0xa24, 0xb88, 0xb8c, 0xbc4, 0xbc8, 0xbcc, 0xbd0, 0xbd4, 0xbd8, 0xbdc, 0xbe0, 0xbe4, 0xbe8, 0xbec, 0xc00, 0xc5c, 0xcac
[2.0.0+] Whitelist was extended with 0x4c4, 0x4c8, 0x4cc, 0x584, 0x588, 0x58c.
[2.0.0+] The IO registers in range 0x7000E400 (PMC) size 0xC00 skip the whitelist, and do a TrustZone call using SMC Id1 0xC3000008(ReadWriteRegister).
[4.0.0+] Access to the Memory Controller (0x70019000) also uses smcReadWriteRegister.
Here is the whitelist imposed by that SMC, relative to the start of the PMC registers:
0x000, 0x00c, 0x010, 0x014, 0x01c, 0x020, 0x02c, 0x030, 0x034, 0x038, 0x03c, 0x040, 0x044, 0x048, 0x0dc, 0x0e0, 0x0e4, 0x160, 0x164, 0x168, 0x170, 0x1a8, 0x1b8, 0x1bc, 0x1c0, 0x1c4, 0x1c8, 0x2b4, 0x2d4, 0x440, 0x4d8
Here is the whitelist imposed by smcReadWriteRegister (checked in addition to the whitelist in svcReadWriteRegister), relative to the start of the MC registers:
0x000, 0x004, 0x008, 0x00C, 0x010, 0x01C, 0x020, 0x030, 0x034, 0x050, 0x054, 0x090, 0x094, 0x098, 0x09C, 0x0A0, 0x0A4, 0x0A8, 0x0AC, 0x0B0, 0x0B4, 0x0B8, 0x0BC, 0x0C0, 0x0C4, 0x0C8, 0x0D0, 0x0D4, 0x0D8, 0x0DC, 0x0E0, 0x100, 0x108, 0x10C, 0x118, 0x11C, 0x124, 0x128, 0x12C, 0x130, 0x134, 0x138, 0x13C, 0x158, 0x15C, 0x164, 0x168, 0x16C, 0x170, 0x174, 0x178, 0x17C, 0x200, 0x204, 0x238, 0x240, 0x244, 0x250, 0x254, 0x258, 0x264, 0x268, 0x26C, 0x270, 0x274, 0x280, 0x284, 0x288, 0x28C, 0x294, 0x2E4, 0x2E8, 0x2EC, 0x2F4, 0x2F8, 0x310, 0x314, 0x320, 0x328, 0x344, 0x348, 0x370, 0x374, 0x37C, 0x380, 0x390, 0x394, 0x398, 0x3AC, 0x3B8, 0x3BC, 0x3C0, 0x3C4, 0x3D8, 0x3E8, 0x41C, 0x420, 0x424, 0x428, 0x42C, 0x430, 0x44C, 0x47C, 0x480, 0x484, 0x4C4, 0x4C8, 0x4CC, 0x50C, 0x554, 0x558, 0x55C, 0x584, 0x588, 0x58C, 0x670, 0x674, 0x690, 0x694, 0x698, 0x69C, 0x6A0, 0x6A4, 0x6C0, 0x6C4, 0x6F0, 0x6F4, 0x960, 0x970, 0x974, 0x9B8, 0xA20, 0xA24, 0xA88, 0xA94, 0xA98, 0xA9C, 0xAA0, 0xAA4, 0xAA8, 0xAAC, 0xAB0, 0xAB4, 0xAB8, 0xABC, 0xAC0, 0xAC4, 0xAC8, 0xACC, 0xAD0, 0xAD4, 0xAD8, 0xADC, 0xAE0, 0xB88, 0xB8C, 0xBC4, 0xBC8, 0xBCC, 0xBD0, 0xBD4, 0xBD8, 0xBDC, 0xBE0, 0xBE4, 0xBE8, 0xBEC, 0xC00, 0xC5C, 0xCAC
Argument | Type | Name |
---|---|---|
(In) W1 | u64 | Size |
(In) W2 | #Permission | LocalPerm |
(In) W3 | #Permission | RemotePerm |
(Out) W0 | #Result | Ret |
(Out) W1 | Handle<SharedMemory> | MemHandle |
Other perm can be used to enforce permission 1, 3, or 0x10000000 if don't care.
Allocates memory from the current process' pool partition.
svcMapTransferMemory
Argument | Type | Name |
---|---|---|
(In) X0 | Handle<TransferMemory> | MemHandle |
(In) X1 | void* | Addr |
(In) X2 | u64 | Size |
(In) W3 | #Permission | Permissions |
(Out) W0 | #Result | Ret |
The newly mapped pages will have #MemoryState type 0xE.
You must pass same size and permissions as given in svcCreateMemoryMirror, otherwise error.
svcUnmapTransferMemory
Argument | Type | Name |
---|---|---|
(In) X0 | Handle<TransferMemory> | MemHandle |
(In) X1 | void* | Addr |
(In) X2 | u64 | Size |
(Out) W0 | #Result | Ret |
Size must match size given in map syscall, otherwise there's an invalid-size error.
svcQueryPhysicalAddress
Argument | Type | Name |
---|---|---|
(In) X1 | u64 | Addr |
(Out) W0 | #Result | Ret |
(Out) X1 | u64 | PhysAddr |
(Out) X2 | u64 | KernelAddr |
(Out) X3 | u64 | Size |
svcQueryIoMapping
Argument | Type | Name |
---|---|---|
(In) X1 | u64 | PhysAddr |
(In) X2 | u64 | Size |
(Out) W0 | #Result | Ret |
(Out) X1 | void* | VirtAddr |
Description: Returns a virtual address mapped to a given IO range.
svcCreateDeviceAddressSpace
Argument | Type | Name |
---|---|---|
(In) X1 | u64 | StartAddr |
(In) X2 | u64 | EndAddr |
(Out) W0 | #Result | Ret |
(Out) W1 | Handle<DeviceAddressSpace> | AddressSpaceHandle |
Description: Creates a virtual address space for binding device address spaces and returns a handle.
dev_as_start_addr is normally set to 0 and dev_as_end_addr is normally set to 0xFFFFFFFF.
svcAttachDeviceAddressSpace
Argument | Type | Name |
---|---|---|
(In) W0 | #DeviceName | DeviceId |
(In) X1 | Handle<DeviceAddressSpace> | DeviceAsHandle |
(Out) W0 | #Result | Ret |
Description: Attaches a device address space to a device.
svcDetachDeviceAddressSpace
Argument | Type | Name |
---|---|---|
(In) W0 | #DeviceName | DeviceId |
(In) X1 | Handle<DeviceAddressSpace> | DeviceAsHandle |
(Out) W0 | #Result | Ret |
Description: Detaches a device address space from a device.
svcMapDeviceAddressSpaceByForce
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<DeviceAddressSpace> | DeviceAsHandle |
(In) W1 | Handle<Process> | ProcessHandle |
(In) X2 | void* | SrcAddr |
(In) X3 | u64 | DeviceAsSize |
(In) X4 | u64 | DeviceAsAddr |
(In) W5 | #Permission | Permissions |
(Out) W0 | #Result | Ret |
Description: Maps an attached device address space to an userspace address.
dev_map_addr is the userspace destination address, while dev_as_addr is the source address between dev_as_start_addr and dev_as_end_addr (passed to #svcCreateDeviceAddressSpace).
The userspace destination address must have the MapDeviceAllowed bit set. Bit IsDeviceMapped will be set after mapping.
svcMapDeviceAddressSpaceAligned
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<DeviceAddressSpace> | DeviceAsHandle |
(In) W1 | Handle<Process> | ProcessHandle |
(In) X2 | void* | SrcAddr |
(In) X3 | u64 | DeviceAsSize |
(In) X4 | u64 | DeviceAsAddr |
(In) W5 | #Permission | Permissions |
(Out) W0 | #Result | Ret |
Description: Maps an attached device address space to an userspace address.
Same as #svcMapDeviceAddressSpaceByForce, but the userspace destination address must have the MapDeviceAlignedAllowed bit set instead.
svcUnmapDeviceAddressSpace
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<DeviceAddressSpace> | DeviceAsHandle |
(In) W1 | Handle<Process> | ProcessHandle |
(In) X2 | void* | SrcAddr |
(In) X3 | u64 | DeviceAsSize |
(In) X4 | u64 | DeviceAsAddr |
(Out) W0 | #Result | Ret |
Description: Unmaps an attached device address space from an userspace address.
svcGetSystemInfo
Argument | Type | Name |
---|---|---|
(In) X1 | u64 | InfoId |
(In) W2 | Handle | Handle |
(In) X3 | u64 | InfoSubId |
(Out) W0 | #Result | Ret |
(Out) X1 | u64 | Out |
Handle type | Id0 | Id1 | Description |
---|---|---|---|
Zero | 0 | 0 | TotalMemorySize_Application |
Zero | 0 | 1 | TotalMemorySize_Applet |
Zero | 0 | 2 | TotalMemorySize_System |
Zero | 0 | 3 | TotalMemorySize_SystemUnsafe |
Zero | 1 | 0 | CurrentMemorySize_Application |
Zero | 1 | 1 | CurrentMemorySize_Applet |
Zero | 1 | 2 | CurrentMemorySize_System |
Zero | 1 | 3 | CurrentMemorySize_SystemUnsafe |
Zero | 2 | 0 | PrivilegedProcessId_LowerBound |
Zero | 2 | 1 | PrivilegedProcessId_UpperBound |
svcSetProcessMemoryPermission
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<Process> | ProcessHandle |
(In) X1 | u64 | Addr |
(In) X2 | u64 | Size |
(In) W3 | void* | Perm |
(Out) W0 | #Result | Ret |
This sets the memory permissions for the specified memory with the supplied process handle.
This throws an error(0xD801) when the input perm is >0x5, hence -WX and RWX are not allowed.
svcMapProcessMemory
Argument | Type | Name |
---|---|---|
(In) X0 | u64 | DstAddr |
(In) W1 | Handle<Process> | ProcessHandle |
(In) X2 | void* | SrcAddr |
(In) X3 | u64 | Size |
(Out) W0 | #Result | Ret |
Maps the src address from the supplied process handle into the current process.
This allows mapping code and rodata with RW- permission.
svcUnmapProcessMemory
Argument | Type | Name |
---|---|---|
(In) X0 | void* | DstAddr |
(In) W1 | Handle<Process> | ProcessHandle |
(In) X2 | u64 | SrcAddr |
(In) X3 | u64 | Size |
(Out) W0 | #Result | Ret |
Unmaps what was mapped by #svcMapProcessMemory.
svcQueryProcessMemory
Argument | Type | Name |
---|---|---|
(In) X0 | #MemoryInfo* | MemInfoPtr |
(In) W2 | Handle<Process> | ProcessHandle |
(In) X3 | u64 | Addr |
(Out) W0 | #Result | Ret |
(Out) W1 | PageInfo | PageInfo |
Equivalent to #svcQueryMemory except takes a process handle.
svcMapProcessCodeMemory
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<Process> | ProcessHandle |
(In) X1 | u64 | DstAddr |
(In) X2 | u64 | SrcAddr |
(In) X3 | u64 | Size |
(Out) W0 | #Result | Ret |
Takes a process handle, and maps normal heap in that process as executable code in that process. Used when loading NROs. This does not support using the current-process handle alias.
svcUnmapProcessCodeMemory
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<Process> | ProcessHandle |
(In) X1 | u64 | DstAddr |
(In) X2 | u64 | SrcAddr |
(In) X3 | u64 | Size |
(Out) W0 | #Result | Ret |
Unmaps what was mapped by #svcMapProcessCodeMemory.
svcCreateProcess
Argument | Type | Name |
---|---|---|
(In) X1 | #CreateProcessInfo* | InfoPtr |
(In) X2 | u64 | CapabilitiesPtr |
(In) X3 | u64 | CapabilitiesNum |
(Out) W0 | #Result | Ret |
(Out) W1 | Handle<Process> | ProcessHandle |
Takes a #CreateProcessInfo as input.
svcGetProcessInfo
Argument | Type | Name |
---|---|---|
(In) W0 | Handle<Process> | ProcessHandle |
(Out) W0 | #Result | Ret |
(Out) W1 | #ProcessState | State |
Returns an enum with value 0-7.
Debugging
[2.0.0+] Exactly 6 debug SVCs require that IsDebugMode is non-zero. Error 0x4201 is returned otherwise.
- svcBreakDebugProcess
- svcContinueDebugEvent
- svcWriteDebugProcessMemory
- svcSetDebugThreadContext
- svcTerminateDebugProcess
- svcSetHardwareBreakPoint
svcDebugActiveProcess stops execution of the target process, the normal method for resuming it requires svcContinueDebugEvent(see above). Closing the debug handle also results in execution being resumed.
svcSetHardwareBreakPoint
Argument | Type | Name |
---|---|---|
(In) W0 | u32 | hardware_breakpoint_id |
(In) W1 | u64 | flags |
(In) W2 | u64 | value |
(Out) W0 | #Result | Ret |
Sets one of the AArch64 hardware breakpoints. The nintendo switch has 6 hardware breakpoints, and 4 hardware watchpoints. The syscall has two behaviors depending on the value of hardware_breakpoint_id:
If hardware_breakpoint_id < 0x10, then it sets one of the AArch64 hardware breakpoints. Flags will go to DBGBCRn_EL1, and value to DBGBVRn_EL1. The only flags the user is allowed to set are those in the bitmask 0x7F01E1. Furthermore, the kernel will or it with 0x4004, in order to set various security flags to guarantee the watchpoints only triggers for code in EL0. If the user asks for a Breakpoint Type of ContextIDR match, the kernel shall use the given debug_handle to set DBGBVRn_EL1 to the ContextID of the debugged process.
If hardware_breakpoint_id is between 0x10 and 0x20 (exclusive), then it sets one of the AArch64 hardware watchpoints. Flags will go to DBGWCRn_EL1, and the value to DBGWVRn_EL1. The only flags the user is allowed to set are those in the bitmask 0xFF0F1FF9. Furthermore, the kernel will or it with 0x104004. This will set various security flags, and set the watchpoint type to be a Linked Watchpoint. This means that you need to link it to a Linked ContextIDR breakpoint. Check the ARM documentation for more information.
Note that hardware_breakpoint_id 0 to 4 match only to Virtual Address, while hardware_breakpoint_id 5 and 6 match against either Virtual Address, ContextID, or VMID. As such, if you are configuring a breakpoint to link for a watchpoint, make sure you use hardware_breakpoint_id 5 or 6.
For more documentation for hardware breakpoints, check out the AArch64 documentation for the DBGBCRn_EL1 register and the DBGWCRn_EL1 register
Enum/Structures
ThreadContextRequestFlags
Bitfield of one of more of these:
Bit | Bitmask | Name |
---|---|---|
0 | 1 | NormalContext |
1 | 2 | |
2 | 4 | |
3 | 8 |
DeviceName
Value | Name |
---|---|
0 | DeviceName_AFI |
1 | DeviceName_AVPC |
2 | DeviceName_DC |
3 | DeviceName_DCB |
4 | DeviceName_HC |
5 | DeviceName_HDA |
6 | DeviceName_ISP2 |
7 | DeviceName_MSENCNVENC |
8 | DeviceName_NV |
9 | DeviceName_NV2 |
10 | DeviceName_PPCS |
11 | DeviceName_SATA |
12 | DeviceName_VI |
13 | DeviceName_VIC |
14 | DeviceName_XUSB_HOST |
15 | DeviceName_XUSB_DEV |
16 | DeviceName_TSEC |
17 | DeviceName_PPCS1 |
18 | DeviceName_DC1 |
19 | DeviceName_SDMMC1A |
20 | DeviceName_SDMMC2A |
21 | DeviceName_SDMMC3A |
22 | DeviceName_SDMMC4A |
23 | DeviceName_ISP2B |
24 | DeviceName_GPU |
25 | DeviceName_GPUB |
26 | DeviceName_PPCS2 |
27 | DeviceName_NVDEC |
28 | DeviceName_APE |
29 | DeviceName_SE |
30 | DeviceName_NVJPG |
31 | DeviceName_HC1 |
32 | DeviceName_SE1 |
33 | DeviceName_AXIAP |
34 | DeviceName_ETR |
35 | DeviceName_TSECB |
36 | DeviceName_TSEC1 |
37 | DeviceName_TSECB1 |
38 | DeviceName_NVDEC1 |
CodeMemoryOperation
Value | Name |
---|---|
0 | CodeMemoryOperation_MapOwner |
1 | CodeMemoryOperation_MapSlave |
2 | CodeMemoryOperation_UnmapOwner |
3 | CodeMemoryOperation_UnmapSlave |
LimitableResource
Value | Name |
---|---|
0 | LimitableResource_Memory |
1 | LimitableResource_Threads |
2 | LimitableResource_Events |
3 | LimitableResource_TransferMemories |
4 | LimitableResource_Sessions |
ProcessInfoType
Value | Name |
---|---|
0 | ProcessInfoType_ProcessState |
ProcessState
Value | Name | Notes |
---|---|---|
0 | ProcessState_Created | |
1 | ProcessState_CreatedAttached | |
2 | ProcessState_Started | |
3 | ProcessState_Crashed | Processes will not enter this state unless they were created with EnableDebug. |
4 | ProcessState_StartedAttached | |
5 | ProcessState_Exiting | |
6 | ProcessState_Exited | |
7 | ProcessState_DebugSuspended |
DebugThreadParam
Value | Name |
---|---|
0 | DebugThreadParam_DynamicPriority |
1 | DebugThreadParam_SchedulingStatus |
2 | DebugThreadParam_PreferredCpuCore |
3 | DebugThreadParam_CurrentCpuCore |
4 | DebugThreadParam_AffinityMask |
Dynamic priority: output in out2
Scheduling status: out1 contains bit0: is debug-suspended, bit1: is user-suspended (svcSetThreadActivity 1 or svcSetProcessActivity 1). Out2 contains {suspended, idle, running, terminating} => {5, 0, 1, 4}
DebugThreadParam_PreferredCpuCore: output in out2
DebugThreadParam_CurrentCpuCore: output in out2
DebugThreadParam_AffinityMask: output in out1
CreateProcessInfo
Offset | Length | Bits | Description |
---|---|---|---|
0 | 12 | ProcessName (doesn't have to be null-terminated) | |
0 | 4 | ProcessCategory (0: regular title, 1: kernel built-in) | |
0x10 | 8 | TitleId | |
0x18 | 8 | CodeAddr | |
0x20 | 4 | CodeNumPages | |
0x24 | 4 | MmuFlags | |
Bit0 | IsAarch64 | ||
Bit3-1 | #AddressSpaceType | ||
Bit4 | [2.0.0+] EnableDebug | ||
Bit5 | EnableAslr | ||
Bit6 | UseSystemMemBlocks | ||
Bit7 | [4.0.0] ? | ||
Bit10-7 | [5.0.0+] PoolPartition (0=Application, 1=Applet, 2=Sysmodule, 3=Nvservices) | ||
0x28 | 4 | ResourceLimitHandle | |
0x2C | 4 | [3.0.0+] PersonalMmHeapNumPages |
On [1.0.0] there's only one pool.
On [2.0.0-4.0.0] PoolPartition is 1 for built-ins and 0 for rest.
On [5.0.0] PoolPartition is specified in CreateProcessArgs. There are now 4 pool partitions.
AddressSpaceType
Type | Name | Width | Description |
---|---|---|---|
0 | Normal_32Bit | 32 | |
1 | Normal_36Bit | 36 | |
2 | WithoutMap_32Bit | 32 | Appears to be missing map region [?] |
3 | [2.0.0+] Normal_39Bit | 39 |
MemoryInfo
Offset | Length | Description |
---|---|---|
0 | 8 | BaseAddress |
8 | 8 | Size |
0x10 | 4 | MemoryType: lower 8 bits of #MemoryState |
0x14 | 4 | #MemoryAttribute |
0x18 | 4 | Permission (bit0: R, bit1: W, bit2: X) |
0x1C | 4 | IpcRefCount |
0x20 | 4 | DeviceRefCount |
0x24 | 4 | Padding: always zero |
MemoryAttribute
Bits | Description |
---|---|
0 | IsBorrowed |
1 | IsIpcMapped: when IpcRefCount > 0. |
2 | IsDeviceMapped: when DeviceRefCount > 0. |
3 | IsUncached |
MemoryState
Bits | Description |
---|---|
7-0 | Type |
8 | PermissionChangeAllowed |
9 | ForceReadWritableByDebugSyscalls |
10 | IpcSendAllowed_Type0 |
11 | IpcSendAllowed_Type3 |
12 | IpcSendAllowed_Type1 |
14 | ProcessPermissionChangeAllowed |
15 | MapAllowed |
16 | UnmapProcessCodeMemoryAllowed |
17 | TransferMemoryAllowed |
18 | QueryPhysicalAddressAllowed |
19 | MapDeviceAllowed (#svcMapDeviceAddressSpace and #svcMapDeviceAddressSpaceByForce) |
20 | MapDeviceAlignedAllowed |
21 | IpcBufferAllowed |
22 | IsPoolAllocated/IsReferenceCounted |
23 | MapProcessAllowed |
24 | AttributeChangeAllowed |
25 | [4.0.0+] CodeMemoryAllowed |
Value | Type | Meaning |
---|---|---|
0x00000000 | MemoryType_Unmapped | |
0x00002001 | MemoryType_Io | Mapped by kernel capability parsing in #svcCreateProcess. |
0x00042002 | MemoryType_Normal | Mapped by kernel capability parsing in #svcCreateProcess. |
0x00DC7E03 | MemoryType_CodeStatic | Mapped during #svcCreateProcess. |
[1.0.0+]
0x01FEBD04 [4.0.0+] 0x03FEBD04 |
MemoryType_CodeMutable | Transition from 0xDC7E03 performed by #svcSetProcessMemoryPermission. |
[1.0.0+]
0x017EBD05 [4.0.0+] 0x037EBD05 |
MemoryType_Heap | Mapped using #svcSetHeapSize. |
0x00402006 | MemoryType_SharedMemory | Mapped using #svcMapSharedMemory. |
0x00482907 | [1.0.0] MemoryType_WeirdMappedMemory | Mapped using #svcMapMemory. |
0x00DD7E08 | MemoryType_ModuleCodeStatic | Mapped using #svcMapProcessCodeMemory. |
[1.0.0+]
0x01FFBD09 [4.0.0+] 0x03FFBD09 |
MemoryType_ModuleCodeMutable | Transition from 0xDD7E08 performed by #svcSetProcessMemoryPermission. |
0x005C3C0A | MemoryType_IpcBuffer0 | IPC buffers with descriptor flags=0. |
0x005C3C0B | MemoryType_MappedMemory | Mapped using #svcMapMemory. |
0x0040200C | MemoryType_ThreadLocal | Mapped during #svcCreateThread. |
0x015C3C0D | MemoryType_TransferMemoryIsolated | Mapped using #svcMapTransferMemory when the owning process has perm=0. |
0x005C380E | MemoryType_TransferMemory | Mapped using #svcMapTransferMemory when the owning process has perm!=0. |
0x0040380F | MemoryType_ProcessMemory | Mapped using #svcMapProcessMemory. |
0x00000010 | MemoryType_Reserved | |
0x005C3811 | MemoryType_IpcBuffer1 | IPC buffers with descriptor flags=1. |
0x004C2812 | MemoryType_IpcBuffer3 | IPC buffers with descriptor flags=3. |
0x00002013 | MemoryType_KernelStack | Mapped in kernel during #svcCreateThread. |
0x00402214 | [4.0.0+] MemoryType_CodeReadOnly | Mapped in kernel during #svcControlCodeMemory. |
0x00402015 | [4.0.0+] MemoryType_CodeWritable | Mapped in kernel during #svcControlCodeMemory. |
ArbitrationType
Value | Type |
---|---|
0x0 | WaitIfLessThan |
0x1 | DecrementAndWaitIfLessThan |
0x2 | WaitIfEqual |
SignalType
Value | Type |
---|---|
0x0 | Signal |
0x1 | SignalAndIncrementIfEqual |
0x2 | SignalAndModifyBasedOnWaitingThreadCountIfEqual |
ContinueDebugFlagsOld
[1.0.0-2.3.0]
Bit | Bitmask | Description |
---|---|---|
0 | 1 | IgnoreException (note: ResumeAllThreads or debug-suspended-thread-id needed) |
1 | 2 | SwallowException |
2 | 4 | ResumeAllThreads |
ContinueDebugFlags
[3.0.0+]
Bit | Bitmask | Description |
---|---|---|
0 | 1 | IgnoreException (note: doesn't need to be set in the same call than Resume) |
1 | 2 | DontCatchExceptions |
2 | 4 | Resume |
3 | 8 | IgnoreOtherThreadsExceptions |
IgnoreExceptionsOfOthers is like IgnoreException but acts on all threads that aren't in the input list. The affected threads are resumed.
Only one of of Resume and IgnoreOtherThreadsExceptions can be set at a time.
If the input number of threads is 0, this means "all threads".
DebugEventInfo
The below table is for the Aarch64 version of the system call. For A32, all u64 fields but title/process/thread id are actually u32, making the structure 0x28-byte-big (0x40 for a64).
Size: 0x40
Offset | Length | Description |
---|---|---|
0 | u32 | EventType |
4 | u32 | Flags (bit0: NeedsContinue) |
8 | u64 | ThreadId |
0x10 | PerTypeSpecifics |
AttachProcess specific:
Offset | Length | Description |
---|---|---|
0x10 | u64 | TitleId |
0x18 | u64 | ProcessId |
0x20 | char[12] | ProcessName |
0x2C | u32 | MmuFlags |
0x30 | u64 | [5.0.0+] UserExceptionContextAddr |
AttachThread specific:
Offset | Length | Description |
---|---|---|
0x10 | u64 | ThreadId |
0x18 | u64 | TlsPtr |
0x20 | u64 | Entrypoint |
Exit specific:
Offset | Length | Description |
---|---|---|
0x10 | u32 | Type (0=PausedThread, 1=RunningThread, 2=ExitedProcess, 3=TerminatedProcess) |
Exception specific:
Offset | Length | Description |
---|---|---|
0x10 | u32 | ExceptionType |
0x18 | u64 | FaultRegister |
0x20 | PerExceptionSpecifics |
DebugEventType
Value | Name |
---|---|
0 | DebugEvent_AttachProcess |
1 | DebugEvent_AttachThread |
2 | DebugEvent_ExitProcess |
3 | DebugEvent_ExitThread |
4 | DebugEvent_Exception |
DebugExceptionType
Value | Name |
---|---|
0 | Exception_Trap (*) |
1 | Exception_InstructionAbort |
2 | Exception_DataAbortMisc (**) |
3 | Exception_PcSpAlignmentFault |
4 | Exception_DebuggerAttached |
5 | Exception_BreakPoint |
6 | Exception_UserBreak |
7 | Exception_DebuggerBreak |
8 | Exception_BadSvcId |
9 | Exception_SError [not in 1.0.0] |
- Undefined instructions, software breakpoints, some other traps.
- Data aborts, FP traps, and everything else that doesn't belong to any of the above.
Trap specifics:
Offset | Length | Description |
---|---|---|
0x20 | u32 | Opcode |
BreakPoint specifics:
Offset | Length | Description |
---|---|---|
0x20 | u32 | IsWatchpoint |
UserBreak specifics:
Offset | Length | Description |
---|---|---|
0x20 | u32 | Info0 |
0x28 | u64 | Info1 |
0x30 | u64 | Info2 |
BadSvcId specifics:
Offset | Length | Description |
---|---|---|
0x20 | u32 | SvcId |
Exception handling
First of all, a function that might be called by synchronous exception handler and that is called by the SError handler fetches the exception info, adjusts PC, panics on exceptions taken from EL1, then dispatches the exception.
The dispatcher has two mutually exclusive exception reporting methods:
- by storing information at the start of the process's TLS memregion (TPIDRRO_EL0) and jumping back to the crt0
- by using KDebug
KDebug dispatching is used when at least one of the following conditions are met:
- SMC ConfigItem KernelMemConfig bit 1 is NOT set (it isn't on retail), unless: this is a software or hardware breakpoint, or a watchpoint, or [4.0.0+?] the process is attached and this is a Google PNaCl trap instruction (see LLVM source)
- PC doesn't point to a valid address in mapped-readable CodeStatic memory (i.e. this is the case for NRO and JIT memory) or this one of the following exceptions (it particular, that doesn't include FP exceptions occuring in CodeStatic memory):
- Uncategorized
- IllegalState
- SupervisorCallA32
- SupervisorCallA64
- PCAlignment
- SPAlignment
- SError
- BreakpointLowerEl
- SoftwareStepLowerEl (note: no way set single-step flag; not parsed)
- WatchpointLowerEl
- SoftwareBreakpointA32 (note: not parsed)
- SoftwareBreakpointA64 (note: not parsed)
In all other cases the userland-handled exception path is taken.
KDebug path:
If the process is attached, the exception is reported to the KDebug. If the thread was continued using flag IgnoreExceptions, it returns from the exception as if nothing happened.
If the latter is not the case, or if the process isn't attached, process to [2.0.0+] crash reporting (or in [1.0.0] just terminate the process): if EnableDebug is set, and depending on the process state (more than one crash per process isn't permitted) it may signal itself with ProcessState_Crashed so that PM asks NS to start creport so that creports attaches to it and reports the crashes. Otherwise, just terminate.
Userland reporting path and svcReturnFromException:
TLS region start (A64):
Offset | Length | Description |
---|---|---|
0x0 | 0x148 | Exception stack |
0x148 | 0x78 | Frame: x0..x30, sp, elr_el1=unadjusted PC, pstate & 0xFF0FFE20,
afsr0, afsr1, esr, pc (stored using the regs' own size) |
TLS region start (A32):
Offset | Length | Description |
---|---|---|
0x0 | 0x178 | Exception stack |
0x148 | 0x30 | Frame: r0..r14, elr_el1=unadjusted PC, tpidr_el0 = 1, cpsr & 0xFF0FFE20,
afsr0, afsr1, esr, pc (stored using the regs' own size) |
In that case, after storing the regs in the TLS, the exception handler returns to the application's crt0 (entrypoint), with X0=<error description code> (see below) and X1=SP=frame=<stack top> (see above)
Desc. code | Meaning |
---|---|
0x100 | Instruction abort |
0x102 | Misaligned PC |
0x103 | Misaligned SP |
0x106 | SError [not in 1.0.0?] |
0x301 | Bad SVC |
0x104 | Uncategorized, CP15RTTrap, CP15RRTTrap, CP14RTTrap, CP14RRTTrap, IllegalState, SystemRegisterTrap |
0x101 | None of the above, EC <= 0x34 and not a breakpoint |
(During normal app boot the process is invoked with X0=0 and X1=main_thread_handle. The crt0 of retail apps determines whether to boot normally or handle an exception if X0 is set to 0 or not)
The application is supposed to promptly update the contents of elr_el1 to a user handler (and any other regs it sees fit) and call svcReturnFromException (error code) to call that handler. The latter is then expected to promptly abort the program.
svcReturnFromException updates the contents of the kernel stack frame with what the user provided in the TLS structure, sets TPIDR_EL0 to 1, then:
- if the provided error code is 0, gracefully pivots and returns from exception
- if it is not, replays the exception and pass it to the KDebug (see above). One can pass 0x10001 to prevent process termination. If the process is attached, this also prevents crash-collection/termination (different from the exception handler behavior)
Note that if a thread that wasn't faulting calls svcReturnFromException, it signals an "invalid syscall" exception