4.0.0: Difference between revisions

From Nintendo Switch Brew
Jump to navigation Jump to search
 
(3 intermediate revisions by 2 users not shown)
Line 52: Line 52:
** New MemoryType bit for "JIT allowed".
** New MemoryType bit for "JIT allowed".
** New MemoryTypes for JitWritable and JitReadOnly.
** New MemoryTypes for JitWritable and JitReadOnly.
* New synchronization syscalls 0x34, 0x35 added.
* New synchronization syscalls 0x34, 0x35 added: These ones allow implementation of synchronization primitives without a mutex+condvar pair. This is more efficient because when a thread wakes up from a condvar, the mutex is held and needs to perform a syscall to unlock it. If you have N threads blocking on a condvar, you need N-1 syscalls to wake all the threads. With the new syscalls, you can wake up all N with a single syscall.
 
* Added new syscall svcDumpInfoNew, but it's stubbed.
* Added new syscall svcDumpInfoNew, but it's stubbed.
* The linked-list node for KAutoObjects was added to the struct itself instead of being a separate allocation.
* The linked-list node for KAutoObjects was added to the struct itself instead of being a separate allocation.
* svcGetInfo now exposes the first and last process id for built-in modules.
* svcGetInfo now exposes the first and last process id for built-in modules.
** This is used by some services to make sure we can't connect to them from outside a privileged module.
** This is used by some services to make sure we can't connect to them from outside a privileged module.
* svcReadWriteRegister was updated.
* svcReadWriteRegister was updated, now always goes through TZ for both PMC and MC. Whitelist for MC remains the same.
* Support was added for loading non-KIP processes into the Secure pool via a flag in SvcCreateProcess.
** This is used by only for es, to prevent attackers from using GPU DMA to take over the es sysmodule to pirate games.
** Correspondingly, the KHeapArrange calculation of the secure pool size now has an extra 0x13A000 factored in (to ensure there is enough space for es).


===FIRM===
===FIRM===
Line 63: Line 67:


The package1 entrypoint address specified by BCT was increased by 0x20-bytes, since there's now an additional 0x20-bytes at the start of package1. The additional data is identical to the 0x20-byte block before it.
The package1 entrypoint address specified by BCT was increased by 0x20-bytes, since there's now an additional 0x20-bytes at the start of package1. The additional data is identical to the 0x20-byte block before it.
In SafeMode Firmware the [[Bus_services|Bus]], [[PCV_services|PCV]] and [[PSC_services|psc]] sysmodules are now bundled with the kernel.


Sysmodules:
Sysmodules:
Line 71: Line 77:
** spl:es was added, supporting crypto commands used by the es sysmodule.
** spl:es was added, supporting crypto commands used by the es sysmodule.
** spl:fs was added, supporting crypto commands used by the [[Filesystem services|fs]] FIRM sysmodule.
** spl:fs was added, supporting crypto commands used by the [[Filesystem services|fs]] FIRM sysmodule.


====Package1====
====Package1====

Latest revision as of 09:47, 25 August 2020

The Switch 4.0.0 system update was released on October 18, 2017. This Switch update was released for the following regions: ALL.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

Change-log

Official ALL change-log:

Added the following system functionality

  • Capture video on select games
    • To capture video, hold down the Capture Button during gameplay
    • Up to maximum of the previous 30 seconds will be saved in the Album. You can trim the beginning and end of each clip, and post to Facebook and Twitter.
    • As of October 18th, 2017, this feature is compatible with The Legend of Zelda: Breath of the Wild, Mario Kart 8 Deluxe, ARMS, and Splatoon 2
  • Select from 12 new Super Mario Odyssey and The Legend of Zelda: Breath of the Wild icons for your user
    • To edit your user icon, head to your My Page on the top left of the Home Menu > Profile
  • Transfer user and save data to another system
    • To transfer, head to System Settings > Users > Transfer Your User and Save Data
  • Pre-purchase option on Nintendo eShop
    • A pre-purchase option will be available for certain games. This option allows pre-load of the game to your system for quicker play when the game is released.
    • This feature will be supported by future game releases
  • News channel updates
    • The news feed has been updated with a new look.
    • Unfollowing a channel will remove that channel's content from the news feed and following the channel again will make it reappear.
  • Match software version with a group of local users
    • To create a group, head to the software's Options > Software Update > Match Version with Local Users
    • Everyone's software will be updated to match the most recent version in the group
    • All users must be on system menu version 4.0.0 or later to view and join a group

General system stability improvements to enhance the user's experience, including

  • Changed the specification which hid wireless networks using TKIP security from the network search results. Wireless networks using TKIP security will now display in search results as a grayed-out selection instead of not being displayed
    • The Nintendo Switch console supports WEP, WPA-PSK(AES), and WPA2-PSK(AES). If your router is using a different security type (e.g. WPA-PSK(TKIP)), you will need to change this security type within your router's settings.

Unofficial Changes

  • Added support for Wii U GameCube Adapter and Headsets over USB

System Titles

<fill this in (manually) later>

  • Every single system title was updated, except for: 0100000000000805("Chinese and Korean dictionaries"), 0100000000000808("European, English and Japanese dictionaries"), and 010000000000080C("EULA").
  • 4 new sysmodules were added, and new FIRM-package title 010000000000081C was added.
  • Flog was stubbed: official code for launching it was removed from the home menu, and *all* code was overwritten with garbage. Thus, even attempts to launch it manually will result in loader returning error 0xA09.

Kernel

  • Kernel startup code was updated:
    • A new (unused?) function was added, this is roughly the same as the code which originally directly read a MC register (0x70019050) for getting the DRAM size, except SMC ReadWriteRegister is used for the read instead.
    • The code which originally read the above register directly was replaced with an inlined version of the above function.
  • All RTTI symbols were removed, can no longer know official name of kernel objects. :(
  • JIT syscalls were added.
    • New MemoryType bit for "JIT allowed".
    • New MemoryTypes for JitWritable and JitReadOnly.
  • New synchronization syscalls 0x34, 0x35 added: These ones allow implementation of synchronization primitives without a mutex+condvar pair. This is more efficient because when a thread wakes up from a condvar, the mutex is held and needs to perform a syscall to unlock it. If you have N threads blocking on a condvar, you need N-1 syscalls to wake all the threads. With the new syscalls, you can wake up all N with a single syscall.
  • Added new syscall svcDumpInfoNew, but it's stubbed.
  • The linked-list node for KAutoObjects was added to the struct itself instead of being a separate allocation.
  • svcGetInfo now exposes the first and last process id for built-in modules.
    • This is used by some services to make sure we can't connect to them from outside a privileged module.
  • svcReadWriteRegister was updated, now always goes through TZ for both PMC and MC. Whitelist for MC remains the same.
  • Support was added for loading non-KIP processes into the Secure pool via a flag in SvcCreateProcess.
    • This is used by only for es, to prevent attackers from using GPU DMA to take over the es sysmodule to pirate games.
    • Correspondingly, the KHeapArrange calculation of the secure pool size now has an extra 0x13A000 factored in (to ensure there is enough space for es).

FIRM

Everything under RomFS was updated.

The package1 entrypoint address specified by BCT was increased by 0x20-bytes, since there's now an additional 0x20-bytes at the start of package1. The additional data is identical to the 0x20-byte block before it.

In SafeMode Firmware the Bus, PCV and psc sysmodules are now bundled with the kernel.

Sysmodules:

  • spl was updated to split the IGeneralService ("spl:") into many usage-case specific services.
    • spl: no longer contains commands for doing AES/RSA cryptographic operations
    • spl:mig was added, supporting crypto commands used by the new migration sysmodule.
    • spl:ssl was added, supporting crypto commands used by the ssl sysmodule
    • spl:es was added, supporting crypto commands used by the es sysmodule.
    • spl:fs was added, supporting crypto commands used by the fs FIRM sysmodule.

Package1

 setKeyslotFlags (LT_4001011a)
 Instead of writing ~flags directly to securityEngine->KEYSLOT_FLAGS[keyslot], this now preserves the high bits of the existing flags.
 
 getOdmFuse4Type (LT_40010614)
 This func now includes bits 16-19 in the OR'd flag used in the switch, and now returns 4 as a default invalid result instead of the low bit of FUSE_SPARE_BIT_5.
 
 checkFuseCoherency (LT_400106e4)
 This func was updated to take into account the new invalid retval for getOdmFuse4Type.
 Checks that were only enforced on retail prior to this update (bootROM patch must be < 0x7F and EKS must be provisionned) are now enforced for dev too.
 The now redundant bootROM patch version < 0x1F check was removed.
   
 decryptAndParsePK11 (LT_40010734)
 The entrypoint calculation code no longer adds *(package11Header + 0x4) to the address.
 
 generateKeys (LT_400107a2)
 setKeyslotFlags(keyslot, 0x15) is now additionally called on keyslots 14 and 15.
 The code for switching key generation method depending on fuses (unit type) and last byte of PKC modulus has been removed, and replaced with a call to a single key generation function.
 The code block inbetween the keyslot-config code was replaced with just a call to LT_40011264(same function mentioned above).
 setKeyslotFlags(keyslot, 0xFF) is now used on keyslots 12 and 15 instead of 12 and 13.
 
 downgradeFuseCheck (LT_400111cc)
 The burnt fuse information stored in .rodata now expects 5 fuses to be burnt for retail units, instead of 4.
 
 generateKeysFromBITAddress (LT_40011264)
 Instead of calling generateKeysLegacyMethod, this now calls generateKeysFromKeyblobAndKeyseeds (the main key generation function). Legacy key generation code has been removed.
 
 generateKeysFromKeyblobAndKeyseeds (LT_400112f0)
 The function now takes in two keyseeds and sizes, previously it only took in one (keyseed, size) pair.
 Keyslot 15 (initially SSK) is now used where keyslot 10 was used previously, and keyslot 15 is no longer cleared when keyslot 14 (initially SBK) is cleared.
 The Keyblob keyseed was updated for keyblob 4.
 code block following the keyblob clear code was updated:
 After the decrypted keyblob is cleared, decryptDataIntoKeyslot(KEYSLOT_14, KEYSLOT_12, secondKeySeed, secondKeySeedSize) is now called before decryptDataIntoKeyslot(KEYSLOT_12, KEYSLOT_12, firstKeySeed, firstKeySeedSize).
 At the end of the function, "decryptDataIntoKeyslot(KEYSLOT_13, KEYSLOT_10, perConsoleKeyseed2, 0x10); clearKeyslot(KEYSLOT_10);" has been replaced with "decryptDataIntoKeyslot(KEYSLOT_13, KEYSLOT_15, perConsoleKeyseed3, 0x10); decryptDataIntoKeyslot(KEYSLOT_15, KEYSLOT_15, perConsoleKeyseed2, 0x10);"

Keys

All of these updated titles now use the new NCA crypto for non-ncatype0(all content except .cnmt content), except for all of the FIRM-packages including the new one(required for FIRM installation).

Keyblob 4 is now used, instead of 3.

OSS

The updated OSS includes WebKit changes.

See Also

System update report(s):

Nintendo Switch System Versions
1.0.0
2.0.02.1.02.2.02.3.0
3.0.03.0.13.0.2
4.0.04.0.14.1.0
5.0.05.0.15.0.25.1.0
6.0.06.0.16.1.06.2.0
7.0.07.0.1
8.0.08.0.18.1.08.1.1
9.0.09.0.19.1.09.2.0
10.0.010.0.110.0.210.0.310.0.410.1.010.1.110.2.0
11.0.011.0.1
12.0.012.0.112.0.212.0.312.1.0
13.0.013.1.013.2.013.2.1
14.0.014.1.014.1.114.1.2
15.0.015.0.1
16.0.016.0.116.0.216.0.316.1.0
17.0.017.0.1
18.0.018.0.118.1.0
19.0.019.0.1
20.0.020.0.120.1.020.1.120.1.520.2.020.3.020.4.020.5.0