11.0.0: Difference between revisions

From Nintendo Switch Brew
Latest revision as of 04:08, 15 December 2020

The Switch 11.0.0 system update was released on December 1, 2020 (UTC). This Switch update was released for the following regions: ALL, and CHN.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

Change-log

Official ALL change-log:

  • Nintendo Switch Online was added to the HOME Menu.
  • Access all Nintendo Switch Online services, from getting the latest information to checking your membership status.
  • *This feature is not available in some countries/regions.
  • A new feature that automatically downloads backed up save data was added to the Save Data Cloud.
  • When using software with the same Nintendo Account linked to multiple systems, save data backed up from one console will automatically be downloaded to your other system(s).
  • *To use this feature, it must be enabled under System Settings > Data Management > Save Data Cloud.
  • *Save data will not be downloaded automatically unless save data for that software exists on the console. The first time only, users must download the save data manually.
  • *A Nintendo Switch Online membership is required to use the Save Data Cloud service.
  • A new Trending feature was added to the User Page.
  • Users can check what software their friends are playing or have started playing recently.
  • Information will not be displayed for friends who have their online status set to display to no one.
  • Users can now transfer screenshots and videos from Album to their smart devices.
  • Users can wirelessly connect their smart devices to Nintendo Switch to transfer the screenshots and videos saved within their Album.
  • For screenshots, users can transfer a maximum of 10 screenshots and 1 video capture at once.
  • *To connect, users must use their smart device to scan the QR Code displayed on the Nintendo Switch screen.
  • For more information, please refer to the Nintendo Support website.
  • *“QR Code” is a registered trademark of DENSO WAVE INCORPORATED.
  • A new Copy to a Computer via USB Connection feature was added under System Settings > Data Management > Manage Screenshots and Videos.
  • Users can use a USB cable to connect Nintendo Switch to their computers to copy the screenshots and videos saved under Album.
  • * A USB charging cable [model HAC-010] or a USB-IF certified USB cable that supports data transfer is required to connect to a computer.
  • For more information, please refer to the Nintendo Support website.
  • * Connection via the Nintendo Switch dock is not supported. Please connect the Nintendo Switch system directly to the computer.
  • Users can now select what download to prioritize when there are multiple downloads in progress.
  • When there are multiple software, update data, or downloadable content downloads in progress, users can now select which they want to download first.
  • You can set this under Download Options by selecting the icon for the software you want to download first on the HOME Menu.
  • User icons were added.
  • 12 user icons that commemorate the 35th anniversary of the Super Mario Bros. series were added.
  • Users can now name preset button mappings with the Change Button Mapping feature.
  • Brazilian Portuguese was added as a supported language.
  • When users set their region to the Americas and their language to Português, the language used on the HOME Menu and in certain software will be displayed in Brazilian Portuguese.
  • Several issues were fixed, and usability and stability were improved.

BootImagePackage

All files in RomFS were updated.

Secure Monitor

Secure Monitor was updated.

  • The firmware revision magic was changed from 0x1AD to 0x1CE.
  • Support was added for an additional DRAM model.

Warmboot

  • The firmware revision magic was changed from 0x1AD to 0x1CE.

Kernel

  • Kernel is now built with -Os instead of -O3
    • Many functions are no longer inlined.
  • crt0 deprivileging code now sets hypervisor EL2 registers.
  • Logic for flushing entire data cache and invalidating entire TLB during init is now a function called by JumpFromEL2ToEL1 and DisableMmuICacheAndDCache instead of being duplicated.
  • Initialize0 has had several things re-ordered/shuffled:
    • InsertDevicePhysicalMemoryBlocks is now called immediately after the KernelCode region is inserted.
    • "Needed device virtual space" is now calculated as 3 * (0x18000 + { sum of KernelAutoMap physical device regions } + GetUnknownDebugDeviceRegionSize()
    • KernelMisc region size is now util::AlignUp(std::max(needed_device_virtual_space, 32_MB), 2_MB).
    • Code for mapping the unknown debug address as UnknownDebug is no longer present.
    • Slab region is now memset to zero after the linear region is mapped instead of before.
    • Ranges are now more uniform; a value in [range address / 2_MB, last_address / 2_MB] is generated and multiplied by 2 MB instead of aligning down the result.
  • KMemoryRegion now has a "last_address" member replacing its "size" member.
    • GetSize() now calculated as (last_address - address + 1)
  • KMemoryRegionTree::Insert now takes in last address instead of size.
    • Several callsites now verify that last_address != 0xFFFF...
  • KMemoryRegionAllocator now uses a slabheap of count 200 instead of 1000.
  • KLinkedListNode now has slab size = #KThreads instead of #KThreads * 17.
  • "Virtual" cores now supported, KThread now stores core ID/affinity for both virtual and physical.
  • New SVC 0x37 "GetResourceLimitPeakValue"
    • Returns the highest value that a resource limit's current has ever achieved.
    • KResourceLimit now stores an array of peak values to enable this
  • Two new kernel objects, KAlpha and KBeta (placeholder names, true object names are unknown and cannot be guessed without observing purpose).
    • KAlpha has size 0x50, KBeta has size 0x88
    • KObjectAllocators for KAlpha/KBeta receive counts 1, 6.
    • KProcess has a list of KBeta, intrusive list node is at KBeta + 0x68.
  • Four new SVCs, ID 0x39, 0x3A, 0x46, 0x47
    • These are likely for interacting with KAlpha and KBeta, but on NX they are (presumably) if-def'd to be "return svc::ResultNotImplemented()"
  • KThread had all of its members reordered and its unused members deleted
  • Most KThread waits now use KThreadWaiterListIntrusiveNode instead of KThreadQueue
  • KConditionVariable no longer uses global threads for the call to .nfind()
  • KConditionVariable now sets the cv_key u32 value in userspace to 1 when a condvar has waiters, and to 0 when it does not.
    • New nnSdk code relies on this behavior.
  • SetupStackForUserModeThreadStarter (KThreadContext::Initialize) now sets X18 to (<cryptographically random u64> | 1), this value is unique for each thread.
    • This is used for Pointer Authentication changes in web browser.
  • KCoreLocalRegion deleted, replaced with pointer-to-current-thread
    • TPIDR_EL1 != X18 now, and TPIDR_EL1 now always points to the exception thread stack.
  • KSynchronization was deleted, replaced with namespaced or static-on-ksynchronization-object functions
  • KSynchronizationObject now contains a pointer to thread queue, instead of an inline list
  • KInterruptEvent no longer has an InterruptEventTask member
  • KInterruptEventTask::Reset no longer calls KInterruptManager::ClearInterrupt, instead it calls a new function which returns a result
  • KInterruptEventTask now has a KLightLock member
  • KHardwareTimer is now an interrupt task again
  • KHardwareTimer now has a new member "maximum_time", set to std::numeric_limits<s64>::value().
    • Tasks will only be added to the task list if their time is <= maximum_time, this is in addition to the >= 1 checks previously.
  • KIntrusiveRedBlackTreeNode now has common member functions instead of templated, size is now packed to 0x1C instead of 0x20.
    • All Insert/Remove/etc operations are common regardless of the type the node is intrusive in.
  • KDebugLogImpl::Initialize() now assumes uart has been configured for logging by the secure monitor, and does not perform tegra uart init sequence
  • vsprintf, KDebugString::PutString are now fully inlined inside KVPrintf.
  • KObjectContainer::Insert now returns void instead of Result
    • Code which previously wrapped it in R_TRY() now just calls it.
  • KPageHeapBitmapRng now has TinyMt as a data member, instead of directly implementing KPageHeap.
    • This affects how constructor is invoked.
  • New InfoType 24 ("FreeThreadCount") was added, gets the number of threads a process can allocate before exhausting its resource limit.
  • KMemoryBlock/KMemoryInfo now has extra members tracking u8 non_contig_bitflags, u16 ipc_non_contig_lock_count, u16 device_non_contig_lock_count
  • KMemoryBlockManager Update now takes non-contig flags to determine where to coalesce (all coalescing must now happen forwards instead of either direction)
  • KMemoryBlockManagerUpdateAllocator no longer has a result member, instead it has ->Initialize() which takes in a number of blocks to allocate
  • KMemoryManager::Allocate, KMemoryManager::AllocatePageGroup, KMemoryManager::AllocatePageGroupForProcess, now call KPageGroup::Open on the returned page group.
    • All callsites for these functions no longer call open after allocating.
  • KMemoryManager::Open is now KMemoryManager::OpenAdditionalReference, now checks that refcount is >= 1 instead of >= 0
  • KPageTableBase now has an additional data member "disable_device_address_space_merge"
    • KProcessPageTable::Initialize now takes in (process flags & 0x1000) as a bool argument to set this.
  • Page table Query operations now return a number of blocks required to support the above when relevant
  • KPageTable now uses 4 sw-reserved bits instead of 1
    • Former bit 0x01.... ("Is Mapped") is now bit 0x40..... (PTE bit 58)
    • PTE bit 55 "contiguous not allowed" was reworked for significantly more fine-grained control
      • PTE bit 55 is now "start of block non-contiguous", coalescing cannot occur if the first block in a coalesce has this block set.
      • PTE bit 56 is now "not-end-of-block non-contiguous", coalescing cannot occur if a block other than the last in a coalesce has this bit set
      • PTE bit 57 is now "end of block non-contiguous", coalescing cannot occur if the last block in a coalesce has this bit set
      • The old non-contiguous semantics are equivalent to 56 + 57 together.
    • These bits are now returned by KPageTableImpl::Traverse
    • Upper byte of KPageProperties is now bitflags to control management of these bits.
    • Bit 0x1 = "Set/Clear PTE Bit55"
    • Bit 0x2 = "Set PTE Bit56"
    • Bit 0x4 = "Clear PTE Bit56"
    • Bit 0x8 = "Set PTE Bit57"
    • Bit 0x10 = "Clear PTE Bit57"
    • Bit 0x20 = Force-Clear 56+57 + attempt to merge
  • KMemoryBlockManager/KPageTable now prevent coalescing of blocks which are reprotected --- (for transfer memory, ipc, ...)
  • They also do not coalesce adjacent GPU mappings that were mapped separately.
  • They removed the 0x80 "AnyLocked" bit from KMemoryAttribute
  • KMemoryBlock/KMemoryInfo now have additional u16 "device_non_coalesce_right_count".
    • Like device_non_coalesce_left_count from previous 11.x, this now prevents merging with block to the right if set.
  • KMemoryBlock::Add now takes in the memory block to the right instead of the size of the block to the right.
    • This facilitates combining flags for the newly coalesced blocks.
  • KPageTableBase::SetProcessMemoryPermission no longer sets non-coalesce bit 24.
  • KDeviceAddressSpace::Map/KDeviceAddressSpace::Unmap now call new KPageTableBase function to update non-coalesce state according to partial map state.
  • KDevicePageTable::UnmapImpl now invalidates TlbGroup in the failure case of adding to the page group.
  • KPageTableBase::MakeAndOpenContiguousPageGroup is now KPageTableBase::MakePageGroupForDeviceAddressSpace, and now prevents coalescing until call completion.
    • non_coalesce_mask 0x10 is used for this.
  • KPageTableBase::UnmapCodeMemory no longer requires the whole range have the same state.
    • It now invalidates instruction cache if any pages are code.
  • KPageTable::UnknownVirtualFunction10 now takes in more arguments: _QWORD (address probably), _QWORD (size probably), two bools, _QWORD (address2 probably), _QWORD (size2 probably), void * (probably KAlpha * or KBeta *)
    • Returns whether a comparison between address_probably and address_2_probably holds depending on flags at pointer + 0x10.
  • KMemoryState_Io now goes to the alias code region in GetRegionAddress/Size (weird, seems like incorrect behavior)
    • Also very weird: KPageTableBase::MapIo maps IO into the kernel map region, but KPageTableBase::QueryMapping panics if it is not in the alias code region.
    • This "probably" causes kernel panic if mapping IO into process with 32-bit-no-alias address space type?

FIRM Sysmodules

FIRM sysmodules were updated. Specific diffs available below: <check back for more diffs later>

System Titles

  • All titles were updated, except for the following (minus stubbed titles): SharedFont, Dictionary, UrlBlackList, LibraryAppletMiiEdit.
  • The previously stubbed 010000000000001B sysmodule was replaced with capmtp.

The following sysmodules had IPC changes: usb, settings, bcat, ptm, bsdsockets, hid, audio, wlan, account, ns, psc, am, nim, vi, pctl, glue, es, sdb, olsc, pgl, fs, loader, sm, capsrv.

NPDM changes (see Services_API for service-hosting changes):

  • All updated NPDMs now have Flags bit5 set.
  • ptm: Access to hshl:set and ins:r were added.
  • ptm/hid: Various services were re-ordered in the Service Access Control.
  • wlan now has access to csrng.
  • ldn now has access to pl:u.
  • pcv now has access to hshl:set.
  • account now has access to ectx:w.
  • ns now has access to pl:u.
  • am: Access to the following was added: arp:r, aud:a, aud:d. Access to the following was removed: audin:a, audin:d, audout:a, audout:d, audren:a, audren:d. Access to hshl:set/hshl:sys was added.
  • erpt: Access to svcGetResourceLimitLimitValue and svc 0x37 were added. Access to ectx:r was added.
  • vi: The Handle Table Size was changed from 160 to 192. Access to the following services were added: erpt:c, gpio, i2c, lm, psc:m, pwm.
  • glue now has access to hshl:sys, and access to psm was removed.
  • creport now has access to fsp-srv.
  • sdb now has access to bcat:s and pm:info.
  • migration now has access to prepo:u.
  • qlaunch now has access to capmtp.
  • LibraryAppletController now has access to ngct:u.
  • LibraryAppletPlayerSelect now has access to olsc:s.
  • LibraryAppletPhotoViewer: Access to bsd:u was replaced with bsd:s. Access to lp2p:sys was added. Access to ns:am2 was replaced with ns:ro. FS permission bit0 is now clear, MountContent* is no longer accessible.
  • LibraryAppletLoginShare now has access to ns:web.

RomFs changes:

  • CertStore was updated.
  • ErrorMessage: New errors were added / localization changes.
  • BrowserDll: The following was updated: "/browser/ErrorPageFilteringTemplate.html", "/browser/MediaControls.css", "/browser/MediaControls.js", "/browser/RootCaEtc.pem", "/browser/RootCaSdkAdditional.pem", "/buildinfo/buildinfo.dat". The following was added: "/browser/MediaControlsInline.css", "/browser/MediaControlsInline.js".
    • "/dll_0" and "/dll_1" were moved into "/nro/netfront/dll_{0/1}".
    • "/lyt/Lhub.arc" was added.
    • "/message/USpt/" was added.
  • Help:
    • "/legallines.htdocs/index.html" updated
    • "/safe.htdocs/html/USpt/" added
    • "/safe.htdocs/img/recyclenintendo.jpg" updated
    • "/safe.htdocs/js/tapaction.js" updated
  • NgWord: updated
  • AvatarImage: More icons added.
  • LocalNews: Added "/message/revision.txt" and "/message/USpt/".
  • Eula:
    • "/revision.txt" updated
    • Updated "/EUru/Eula.msbt.szs", "/JPja/Eula.msbt.szs".
    • Added "/USpt/".
  • TimeZoneBinary: TZ info updated.
  • FontNintendoExtension: "/nintendo_ext_003.bfttf" and "/nintendo_ext2_003.bfttf" were updated.
  • FirmwareDebugSettings: updated
  • FatalMessage: "/pt-BR/GeneralMessage" and "/pt-BR/QuestMessage" were updated.
  • ControllerIcon: "/lyt/ColorTable" updated
  • PlatformConfigIcosa/PlatformConfigCopper/PlatformConfigHoag/PlatformConfigIcosaMariko: updated
  • ControllerFirmware: "/TouchScreenFirmwareInfo.csv" updated
  • NgWord2: updated
  • FunctionBlackList:
    • "/blacklist.dat" was replaced with "/blacklist.json".
  • NgWordT: updated
  • Applets: Various UI/graphics/sound/localization changes.
  • Web-applets: "/buildinfo/buildinfo.dat" was updated, and "/.nrr/netfront.nrr" was renamed to "/.nrr/dll.nrr".
  • LibraryAppletPhotoViewer: In addition to the above, "/http/" was added, which contains the following:
    • "index.html"
    • "js/index.js"
    • "styles/index.css"

The new Nintendo Switch Online menu (which can be launched via qlaunch) is handled by LibraryAppletLoginShare.

hid-sysmodule

Besides IPC changes, the ButtonConfig cmds updated the input s32 validation: when the input s32 is invalid (which now uses an unsigned compare), it now returns 0 or an error immediately, instead of Aborting.

ldn-sysmodule

lp2p now supports using standard WPA2-PSK, which is used by #LibraryAppletPhotoViewer.

ssl-sysmodule

TLS 1.3 is now supported if the user-process enables it.

See also #OSS.

pgl-sysmodule

  • pgl now has a new ipc command, which just returns "ResultNotImplemented()"
  • pgl now detects when SnapShotDumper crashes, and launches creport in that case.
  • pgl now passes an additional argument to creport ("%d", formatted with the value of jit_debug!enable_jit_debug).

creport-sysmodule

  • creport now takes in an additional argument "jit_debug_enabled", when this is "1" the target process is not terminated on report completion.
  • creport now has access to fsp-srv, this is used to retrieve debugging information that is now attached to error reports. The following functions are called (with output/info attached to erpts):
    • GetSdCardSpeedMode
    • GetSdCardCid
    • GetSdCardUserAreaSize
    • GetSdCardProtectedAreaSize
    • GetAndClearSdCardErrorInfo
    • IsGameCardInserted
    • GetGameCardCid
    • GetGameCardErrorReportInfo
    • GetGameCardDeviceId
    • GetMmcSpeedMode
    • GetMmcCid
    • GetMmcPatrolCount
    • GetAndClearMmcErrorInfo
    • GetMmcExtendedCsd
    • GetAndClearMemoryReportInfo
    • GetAndClearFileSystemProxyErrorInfo

Web-applets

These are now compiled with compiler Pointer Authentication / CFI mitigations enabled. This does not apply to non-web-applets.

Pointer Authentication uses the crc32x instruction, and x18 as a cryptographically-random u64 provided by the kernel. The only userland code using x18 is the mul instruction for this, nothing else (applies to all NSOs/NROs).

This is used to add/subtract x30 starting with bit40, during function entry/exit. The code for entry/exit is identical, except that entry does an add, and exit uses a subtract:

  • The low 40-bits of x30 are extracted, then multiplied with x18.
  • crc32x w17, wzr, x17 (which uses the above value)
  • Then the previously mentioned add/subtraction operation is done, with the output from the above shifted to bit40.

The x18 is OR'd by the kernel with 1, to make sure it is odd. This means that the multiply is a bijection; in other words, no entropy is lost when doing the multiply. If this had not been done, a random value that is divisible by a large power of two (the attacker can just keep spawning threads until it gets such a one) would have weak cookies that allow the scheme to be trivially broken.

CFI is implemented as follows: blr instructions no longer exist. When funcptrs are called, new functions are now called instead which handle the call. If the u32 at funcptr_addr-4 does not match 0xe7ffdefe, it will branch to the undefined instruction 0x0000dead; otherwise, it will jump to funcptr_addr.

Almost all functions now have the above u32 at -4, therefore funcptr calls now have to start at the actual funcptr start. However, this doesn't apply to calls done during functions' exit: these directly br to the funcptr_addr without extra validation. The br instructions in the .plt were also replaced with branches to the function described above.
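The return-address cookie and the indirect-call marker check described in the paragraphs above, as an added C model (this is not Nintendo's code and was not taken from any Switch binary). Two assumptions are made: crc32x w17, wzr, x17 is modelled as the bit-reflected CRC-32 (polynomial 0xEDB88320) with accumulator 0, no initial or final inversion, consuming the 8 bytes of x17 least-significant byte first; and "shifted to bit40" is taken to mean the 32-bit CRC placed at bit 40 of a u64, with anything above bit 63 lost. The x18 value, return address and code image are constructed. distinct_cookies goes beyond the page's prose by measuring the entropy argument directly: it counts distinct cookies over a sweep of return addresses for an odd x18 and for an x18 that is a large power of two.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added model of the return-address cookie and indirect-call check, not
 * Nintendo's code. Assumptions: crc32x == reflected CRC-32, polynomial
 * 0xEDB88320, accumulator 0, no inversion, little-endian byte order; the
 * CRC is placed at bit 40 of a u64 (bits above 63 are lost). */

#define LOW40_MASK   ((1ULL << 40) - 1)
#define CFI_MARKER   0xe7ffdefeu

/* One byte of the reflected CRC-32 (what crc32b does). */
uint32_t crc32_byte(uint32_t acc, uint8_t b) {
    acc ^= b;
    for (int i = 0; i < 8; i++)
        acc = (acc >> 1) ^ ((acc & 1u) ? 0xEDB88320u : 0u);
    return acc;
}

/* Model of crc32x: eight data bytes, least significant first. */
uint32_t crc32x(uint32_t acc, uint64_t val) {
    for (int i = 0; i < 8; i++)
        acc = crc32_byte(acc, (uint8_t)(val >> (8 * i)));
    return acc;
}

/* Kernel side: the per-thread secret is forced odd before it lands in x18. */
uint64_t kernel_x18(uint64_t random_u64) { return random_u64 | 1; }

/* The value function entry adds to x30 and function exit subtracts. The add
 * only touches bits 40 and up, so exit recomputes the same cookie from the
 * untouched low 40 bits and restores the original x30. */
uint64_t cookie(uint64_t x30, uint64_t x18) {
    uint64_t x17 = (x30 & LOW40_MASK) * x18;   /* bijection on the low 40 bits iff x18 is odd */
    return (uint64_t)crc32x(0, x17) << 40;
}
uint64_t sign_lr(uint64_t x30, uint64_t x18)   { return x30 + cookie(x30, x18); }
uint64_t unsign_lr(uint64_t x30, uint64_t x18) { return x30 - cookie(x30, x18); }

/* Number of distinct cookies over `samples` consecutive 4-byte-aligned return
 * addresses for a given x18. An odd x18 keeps the sweep spread out; an x18
 * divisible by a large power of two collapses it (the reason for the OR 1). */
unsigned distinct_cookies(uint64_t x18, unsigned samples) {
    const uint64_t base = 0x0000008000010000ULL;      /* constructed user-space address */
    uint64_t *seen = malloc(sizeof *seen * samples);
    unsigned n = 0;
    for (unsigned i = 0; i < samples && seen; i++) {
        uint64_t c = cookie(base + 4ULL * i, x18);
        bool dup = false;
        for (unsigned j = 0; j < n && !dup; j++)
            dup = (seen[j] == c);
        if (!dup)
            seen[n++] = c;
    }
    free(seen);
    return n;
}

/* Indirect-call trampoline check: the u32 just before the target must be the
 * marker. The real trampoline branches to an undefined instruction on a
 * mismatch; this model only reports the verdict. Bytes are assembled in
 * little-endian order explicitly so the result does not depend on the host. */
bool cfi_target_ok(const uint8_t *code, size_t code_len, size_t target_off) {
    if (target_off < 4 || target_off > code_len)
        return false;
    const uint8_t *p = code + target_off - 4;
    uint32_t marker = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                      (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return marker == CFI_MARKER;
}

/* Constructed code image: the marker, then a two-instruction function (nop; ret). */
static const uint8_t sample_code[] = {
    0xfe, 0xde, 0xff, 0xe7,   /* 0xe7ffdefe marker at offset 0 */
    0x1f, 0x20, 0x03, 0xd5,   /* nop  (function entry at offset 4) */
    0xc0, 0x03, 0x5f, 0xd6,   /* ret  (offset 8, inside the function body) */
};

int main(void) {
    uint64_t x18 = kernel_x18(0x9e3779b97f4a7c15ULL);  /* constructed "random" value */
    uint64_t lr  = 0x0000008000012340ULL;             /* constructed return address */
    uint64_t signed_lr = sign_lr(lr, x18);
    printf("x30 %016llx -> entry %016llx -> exit %016llx\n",
           (unsigned long long)lr, (unsigned long long)signed_lr,
           (unsigned long long)unsign_lr(signed_lr, x18));
    printf("distinct cookies, odd x18: %u; x18 = 1<<60: %u\n",
           distinct_cookies(x18, 4096), distinct_cookies(1ULL << 60, 4096));
    printf("call to function start ok: %d, into its body: %d\n",
           cfi_target_ok(sample_code, sizeof sample_code, 4),
           cfi_target_ok(sample_code, sizeof sample_code, 8));
    return 0;
}
```

With x18 = 1<<60 the product keeps only the low four bits of the return address, so the sweep yields a handful of cookies; with an odd x18 essentially every address gets its own cookie. The marker check accepts a call to offset 4 (the word before it is the marker) and rejects a call to offset 8, which is the "funcptr calls now have to start at the actual funcptr start" property.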

The above applies to all NSOs in ExeFs, except for LibraryAppletOfflineWeb which doesn't have it enabled. The NROs in the BrowserDll SystemData have it enabled for "/nro/netfront/dll_1/", however "dll_0" doesn't have it enabled (which is used by LibraryAppletOfflineWeb).

This is referred to in the build-path strings as "NX-NXFP2-a64-cfi" (nnSdkEmpty), and "NX64-cfi" (OSS).

LibraryAppletPhotoViewer

For details on the new sharing functionality in the Album applet, see here.

OSS

OSS was updated.

Besides WebKit, NSS/NSPR was updated:

  • NSPR was updated from 4.12 to 4.24.
  • #define NSSUTIL_VERSION "3.26" was changed to #define NSSUTIL_VERSION "3.49.1"

Both src_{versions} directories were updated, with the same changes:

  • "rocrt_nro.cpp" updated
  • "NX-NXFP2-a64-cfi/rocrt.AssemblyOffset.h" Addded, identical to "NX-NXFP2-a64/rocrt.AssemblyOffset.h".

See Also

System update report(s):
