Difference between revisions of "6.0.0"

From Nintendo Switch Brew
Jump to navigation Jump to search
 
(9 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
The Switch 6.0.0 system update was released on September 18, 2018. This Switch update was released for the following regions: ALL.
 
The Switch 6.0.0 system update was released on September 18, 2018. This Switch update was released for the following regions: ALL.
  
Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.
+
Security flaws fixed: Yes.
  
 
==Change-log==
 
==Change-log==
Line 52: Line 52:
 
* 1 new title was added: olsc-sysmodule.
 
* 1 new title was added: olsc-sysmodule.
 
* New services were added, see [[Services_API|here]].
 
* New services were added, see [[Services_API|here]].
 +
 +
[[SSL_services#CertStore|CertStore]] RomFs: "/ssl_CaFingerprints.bdf" was added and "/ssl_TrustedCerts.bdf" was updated.
  
 
===[[USB_services|USB-sysmodule]]===
 
===[[USB_services|USB-sysmodule]]===
 
The only sysmodule with any changes for accessible IO in the [[NPDM]] was USB-sysmodule. The IO page for the [[Fuses|fuse registers]] is now accessible by this sysmodule.
 
The only sysmodule with any changes for accessible IO in the [[NPDM]] was USB-sysmodule. The IO page for the [[Fuses|fuse registers]] is now accessible by this sysmodule.
 +
 +
===[[NV_services|nvservices-sysmodule]]===
 +
Among various changes, the [[Switch_System_Flaws#System_Modules|"Transfer Memory leak in nvservices system module"]] system flaw was patched in the following way:
 +
* [[NV_services#Initialize|Initialize]] and [[NV_services#InitializeDevtools|InitializeDevtools]] now keep track of the size of the transfer memory supplied by the user.
 +
* L_34B90 (nvdrv's destructor) now calls L_B4C30 (memset) on the entire transfer memory region (using the size saved previously) before calling [[SVC#svcUnmapTransferMemory|svcUnmapTransferMemory]].
  
 
===olsc-sysmodule===
 
===olsc-sysmodule===
 
This new sysmodule handles cloud saves.
 
This new sysmodule handles cloud saves.
 +
 +
===FIRM===
 +
 +
====Secure Monitor====
 +
 +
.rwdata was reduced in size from two pages to one page. Additionally:
 +
 +
Changes were made relating to security engine usage:
 +
* Many functions which previously used an inline GetSecurityEngine() call to get the security engine register address now take in a register base as an argument. This is presumably to facilitate moved Security Engine MMIO on the Mariko SoC.
 +
* Keyslots 0-8, 0xA, 0xC-0xE now have flags 0x1FF set, and keyslot 0xB now additionally has flags 0x17F set.
 +
* The Test Vector used to ensure keyslot contents do not change during wake-from-sleep now uses 256-bit AES instead of 128-bit AES (thus the high parts of the keyslot contents are now verified).
 +
 +
Some changes were made to initial SoC setup:
 +
* Additional magic numbers (0x83 = SKU ID, 0x2 = ?, 0x210 = Tegra 210) are now written into the GPU microcode in DRAM for runtime configuration.
 +
* The warmboot firmware's firmware revision magic was changed from 0x6 to 0x87.
 +
* The GPU microcode carveout setup was moved to later during initialization (after package2 has been fully loaded and verified).
 +
* The IRAM addresses from which [[BootConfig]] warmboot firmware are loaded were changed.
 +
 +
In addition, there were changes to the [[SMC]] interface:
 +
 +
* SMCs which take in a keyslot parameter have been changed to allow use of up to 6 keyslots instead of 4.
 +
* smcUnwrapRsaOaepWrappedTitleKey now takes in a "type" parameter, and the kek used in key generation is now selected from an array based on this parameter. (smcUnwrapAesWrappedTitlekey hardcodes type 0.)
 +
* GetConfig(HardwareType) now returns 4 when it previously would have returned 3.
 +
 +
Additionally, security flaws were addressed in smcCpuSuspend (aiming to further mitigate jamais vu/deja vu):
 +
 +
* The number of devices checked to be held in reset at the time of smcCpuSuspend is called is now greatly increased.
 +
* BPMP SC7 Entry Firmware is now only started ''after'' the following have been done, instead of before:
 +
** TZRAM contents have been encrypted and MAC'd with a random AES-256 key
 +
** The PMC scratch registers where the MAC are stored have been verified not to be read or write-locked.
 +
** The MAC is written into the PMC scratch registers, which are then write-locked.
 +
** The PMC scratch registers are verified to have been write-locked.
 +
** The PMC scratch registers are verified to contain the MAC TZ has written into them.
 +
** The PMC scratch registers are read-locked.
 +
** The PMC scratch registers are verified to be both read and write-locked.
 +
** The BPMP's firmware is copied from TZRAM into IRAM
 +
** memcmp(BPMP firmware in IRAM, BPMP firmware in TZRAM, sizeof(BPMP firmware)) is verified to be zero.
 +
 +
 +
====Kernel====
 +
* Accidentially exported symbols have been renamed:
 +
** Namespace <code>nn::kern::ARM64</code> is now <code>nn::kern::arch::ARM64</code>
 +
** Namespace <code>nn::kern::NX</code> is now <code>nn::kern::board::NX</code> and now contains the class <code>KSystemControl</code>
 +
** <code>ResumeEntry</code> is now a non-static method of <code>KSystemControl</code>
 +
* Kernel now reserves 1024 pages (1MB) of memory in SYSTEM memregion/pool for use by applets (1 at a time) for personal mmheap.
 +
* Memory regions arrange changed, APPLET has 6MB less in all memory arranges.
 +
* Maximum number of sessions and events both increased by 100.
 +
* Kernel mmheap size decreased to 0x10DF000 bytes (was 0x1117000), the both KMemoryBlock pools' capacity is unchanged, but less page tables can be allocated.
 +
* Kernel now properly reports DRAM size in default reslimit.
 +
* Two new svcGetInfoTypes: types 21 and 22. These are like type 6 and 7, but without the contiguous, in-security-carveout, personalmmheap allocation.
 +
* KASLR was changed to invoke smcGetRandomBytes(8) each time, instead of using Mersenne Twister.
 +
* Another layer of randomization has been added to slabheaps (before, it was just the order of slabheaps): an array of N (= 21 = number of slabheaps) random integers, in range (0, 0x200000) is now constructed, sorted via bubble sort; at each slabheap construction the heap offset is further incremented by <code>array[id+1]-array[id]</code> , then page rounded.
 +
* With the exception of KSessionRequest which is not in any KObjectAllocator, all KAutoObject types now use an intrusive rbtree instead of an intrusive list for their KObjectAllocator membership. Comparison key is PID for processes, thread ID for threads, address for others (using a new virtual method).
 +
* A new anonymous KAutoObject type, which sole purpose is to hold a comparison key, is now used for thread lookup by ID.
 +
* Breaking changes in svcGetFutureThreadInfo, which has potentially been renamed. Signature and use case have radically changed, it is now: <code>Result svcGetFutureThreadInfo(ThreadInfo *outThreadInfo, u64 *outTid, Handle debugHandle, s64 timeout)</code>.
 +
* Huge scheduler force-pause and last thread reporting refactor:
 +
** Scheduling flags are now u16 and force-pause flags are 3-nibble-long instead of 1.
 +
** The requirements and mechanism for force-pausing (activity svc, debug, etc.) threads have been considerably simplified:
 +
*** It used to delay the force-pause after end-of-svc, and used some convoluted mechanism.
 +
*** The condition is now &quot;a thread is force-pausable iff no thread is waiting for a kernel mutex it is holding&quot;, mechanism is just ORRing scheduling status with force-pause flags now. Appropriate changes have been made to accomodate for this change.
 +
*** Abovementionned convoluted mechanism has been refactored, too, but remains unused.
 +
** When the scheduler selects a process's thread, it now stored the selected thread in an array in the KProcess, for information. It also stores in itself and in array in the selected KProcess the number of times it detected a core being idle before load balancing. Used by BreakDebugProcess.<br />
 +
 +
* All threads created and started in kernel main() are started force-paused with flags=0x100. This fixes the hypotetical case where a compromised KIP would perform gmmuhax and dump the INI1 (which is stored in APPLICATION -- KIPs are only started after all of them have been loaded). They are unpaused after all KIPs have been created.
 +
* GetThreadContext3 (unprivileged SVC) now dumps TPIDR_EL0.
 +
* DebugActiveProcess now returns 0xFA01 if an attempt to debug the current process is made -- instead of possibly deadlocking
 +
* GetDebugThreadContext and SetDebugThreadContext now return 0xF001 if flags &gt; 15. Additionally, their functionality is now restricted to threads that have been force-paused for debug, not just any kind of force-paused threads anymore.
 +
* ContinueDebugEvent now returns 0xF001 if flags &gt; 15 as well.
 +
* svcSleepSystem has been refactored. Instead of the initiator thread manually starting the sleep handler threads then storing a weak reference to itself, the handler threads are started in kernel init in main() immediately after their creation, and two mutexes are used: one for the initiator/covering svcSleepSystem, another for the handler threads. This likely fixes an UaF or race condition.
 +
* If svcReturnFromException passes the exception the KDebug, ie. if the argument errorCode is not 0, and if the latter has DontCatchExceptions set, the process is terminated (unless errorCode is 0x10001).
 +
* Performance improvements to svcInvalidateProcessDataCache.
 +
* Redundant calls to smcGetConfig(12) have been reduced (12 calls -> 4 calls) during memory setup
 +
 +
====FIRM Sysmodules====
 +
All FIRM sysmodules were updated. Specific diffs for a few sysmodules are below:
 +
 +
=====[[Loader services|Loader]]=====
 +
* A single null byte stack overflow due to strcat usage was fixed in content path parsing. See [[Switch System Flaws]] for details.
 +
* System Resource Size ([[NPDM]] +0x14) is now allowed to be non-zero for applets in addition to applications.
 +
 +
=====[[Process Manager services|PM]]=====
 +
Memory management initialization was greatly changed:
 +
* PM no longer hardcodes five memory profiles, and no longer calls smcGetConfig to determine which profile to use.
 +
* Instead, PM now uses [[SVC|svcGetResourceLimitLimitValue]] to determine how much space the kernel has allotted for Application + Applet regions and [[SVC|svcGetSystemInfo]] to determine the total physical memory available, and sets the System region size to (Total Memory Size - Application region size - Applet region size - 5 MiB).
  
 
==See Also==
 
==See Also==
 
System update report(s):
 
System update report(s):
 
* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-18-18_08-35-09&sys=hac]
 
* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-18-18_08-35-09&sys=hac]
 +
 +
{{NavboxVersions}}
 +
 +
[[Category:System versions]]

Latest revision as of 21:02, 21 April 2020

The Switch 6.0.0 system update was released on September 18, 2018. This Switch update was released for the following regions: ALL.

Security flaws fixed: Yes.

Change-log

Official ALL change-log:

  • Nintendo Switch Online* features and functionality have been added, including:
  • Save Data Cloud Backup
  • User your internet connection to back up game save data for compatible games
  • Some games are not compatible with Save Data Cloud
  • To back up save data or download a previous backup, head to System Settings > Data Management > Save Data Cloud Backup
  • *Nintendo Switch Online membership (sold separately) and Nintendo Account required for online play. Not available in all countries. Internet access required for online features. Save Data Cloud backup available in compatible games. Terms apply. To learn more, click here.
  • Added the following system functionality
  • Upload up to four Album screenshots at once on supported social network services
  • Only one captured video can be uploaded at once
  • Select from six new Captain Toad icons for your user
  • To edit your user icon, head to your My Page on the top left of the Home Menu > Profile
  • Play your digital software and content on non-primary consoles by linking your Nintendo Account
  • The term "active console" has been renamed "primary console" in Nintendo eShops
  • Playing software in multiple consoles has certain restrictions
  • Display of Nintendo Switch News articles will be limited to match the restricted software parental controls setting selections
  • Please note that the restriction will only apply to News articles distributed after the release of version 6.0.0.
  • Change the layout of the USB keyboard to the desired language
  • To change the language, head to the System Settings > System > USB Keyboard
  • Removed the following system functionality
  • After installing the system update, it will no longer be possible to unlink your Nintendo Account from your Nintendo Switch user
  • General system stability improvements to enhance the user's experience, including:
  • Compatibility improvements have been made for a controller licensed by Nintendo

System Titles

  • All sysmodules were updated.
  • Most 8XX titles were updated.
  • All applets except "error" and "cabinet" were updated.
  • 1 new title was added: olsc-sysmodule.
  • New services were added, see here.

CertStore RomFs: "/ssl_CaFingerprints.bdf" was added and "/ssl_TrustedCerts.bdf" was updated.

USB-sysmodule

The only sysmodule with any changes for accessible IO in the NPDM was USB-sysmodule. The IO page for the fuse registers is now accessible by this sysmodule.

nvservices-sysmodule

Among various changes, the "Transfer Memory leak in nvservices system module" system flaw was patched in the following way:

  • Initialize and InitializeDevtools now keep track of the size of the transfer memory supplied by the user.
  • L_34B90 (nvdrv's destructor) now calls L_B4C30 (memset) on the entire transfer memory region (using the size saved previously) before calling svcUnmapTransferMemory.

olsc-sysmodule

This new sysmodule handles cloud saves.

FIRM

Secure Monitor

.rwdata was reduced in size from two pages to one page. Additionally:

Changes were made relating to security engine usage:

  • Many functions which previously used an inline GetSecurityEngine() call to get the security engine register address now take in a register base as an argument. This is presumably to facilitate moved Security Engine MMIO on the Mariko SoC.
  • Keyslots 0-8, 0xA, 0xC-0xE now have flags 0x1FF set, and keyslot 0xB now additionally has flags 0x17F set.
  • The Test Vector used to ensure keyslot contents do not change during wake-from-sleep now uses 256-bit AES instead of 128-bit AES (thus the high parts of the keyslot contents are now verified).

Some changes were made to initial SoC setup:

  • Additional magic numbers (0x83 = SKU ID, 0x2 = ?, 0x210 = Tegra 210) are now written into the GPU microcode in DRAM for runtime configuration.
  • The warmboot firmware's firmware revision magic was changed from 0x6 to 0x87.
  • The GPU microcode carveout setup was moved to later during initialization (after package2 has been fully loaded and verified).
  • The IRAM addresses from which BootConfig warmboot firmware are loaded were changed.

In addition, there were changes to the SMC interface:

  • SMCs which take in a keyslot parameter have been changed to allow use of up to 6 keyslots instead of 4.
  • smcUnwrapRsaOaepWrappedTitleKey now takes in a "type" parameter, and the kek used in key generation is now selected from an array based on this parameter. (smcUnwrapAesWrappedTitlekey hardcodes type 0.)
  • GetConfig(HardwareType) now returns 4 when it previously would have returned 3.

Additionally, security flaws were addressed in smcCpuSuspend (aiming to further mitigate jamais vu/deja vu):

  • The number of devices checked to be held in reset at the time of smcCpuSuspend is called is now greatly increased.
  • BPMP SC7 Entry Firmware is now only started after the following have been done, instead of before:
    • TZRAM contents have been encrypted and MAC'd with a random AES-256 key
    • The PMC scratch registers where the MAC are stored have been verified not to be read or write-locked.
    • The MAC is written into the PMC scratch registers, which are then write-locked.
    • The PMC scratch registers are verified to have been write-locked.
    • The PMC scratch registers are verified to contain the MAC TZ has written into them.
    • The PMC scratch registers are read-locked.
    • The PMC scratch registers are verified to be both read and write-locked.
    • The BPMP's firmware is copied from TZRAM into IRAM
    • memcmp(BPMP firmware in IRAM, BPMP firmware in TZRAM, sizeof(BPMP firmware)) is verified to be zero.


Kernel

  • Accidentially exported symbols have been renamed:
    • Namespace nn::kern::ARM64 is now nn::kern::arch::ARM64
    • Namespace nn::kern::NX is now nn::kern::board::NX and now contains the class KSystemControl
    • ResumeEntry is now a non-static method of KSystemControl
  • Kernel now reserves 1024 pages (1MB) of memory in SYSTEM memregion/pool for use by applets (1 at a time) for personal mmheap.
  • Memory regions arrange changed, APPLET has 6MB less in all memory arranges.
  • Maximum number of sessions and events both increased by 100.
  • Kernel mmheap size decreased to 0x10DF000 bytes (was 0x1117000), the both KMemoryBlock pools' capacity is unchanged, but less page tables can be allocated.
  • Kernel now properly reports DRAM size in default reslimit.
  • Two new svcGetInfoTypes: types 21 and 22. These are like type 6 and 7, but without the contiguous, in-security-carveout, personalmmheap allocation.
  • KASLR was changed to invoke smcGetRandomBytes(8) each time, instead of using Mersenne Twister.
  • Another layer of randomization has been added to slabheaps (before, it was just the order of slabheaps): an array of N (= 21 = number of slabheaps) random integers, in range (0, 0x200000) is now constructed, sorted via bubble sort; at each slabheap construction the heap offset is further incremented by array[id+1]-array[id] , then page rounded.
  • With the exception of KSessionRequest which is not in any KObjectAllocator, all KAutoObject types now use an intrusive rbtree instead of an intrusive list for their KObjectAllocator membership. Comparison key is PID for processes, thread ID for threads, address for others (using a new virtual method).
  • A new anonymous KAutoObject type, which sole purpose is to hold a comparison key, is now used for thread lookup by ID.
  • Breaking changes in svcGetFutureThreadInfo, which has potentially been renamed. Signature and use case have radically changed, it is now: Result svcGetFutureThreadInfo(ThreadInfo *outThreadInfo, u64 *outTid, Handle debugHandle, s64 timeout).
  • Huge scheduler force-pause and last thread reporting refactor:
    • Scheduling flags are now u16 and force-pause flags are 3-nibble-long instead of 1.
    • The requirements and mechanism for force-pausing (activity svc, debug, etc.) threads have been considerably simplified:
      • It used to delay the force-pause after end-of-svc, and used some convoluted mechanism.
      • The condition is now "a thread is force-pausable iff no thread is waiting for a kernel mutex it is holding", mechanism is just ORRing scheduling status with force-pause flags now. Appropriate changes have been made to accomodate for this change.
      • Abovementionned convoluted mechanism has been refactored, too, but remains unused.
    • When the scheduler selects a process's thread, it now stored the selected thread in an array in the KProcess, for information. It also stores in itself and in array in the selected KProcess the number of times it detected a core being idle before load balancing. Used by BreakDebugProcess.
  • All threads created and started in kernel main() are started force-paused with flags=0x100. This fixes the hypotetical case where a compromised KIP would perform gmmuhax and dump the INI1 (which is stored in APPLICATION -- KIPs are only started after all of them have been loaded). They are unpaused after all KIPs have been created.
  • GetThreadContext3 (unprivileged SVC) now dumps TPIDR_EL0.
  • DebugActiveProcess now returns 0xFA01 if an attempt to debug the current process is made -- instead of possibly deadlocking
  • GetDebugThreadContext and SetDebugThreadContext now return 0xF001 if flags > 15. Additionally, their functionality is now restricted to threads that have been force-paused for debug, not just any kind of force-paused threads anymore.
  • ContinueDebugEvent now returns 0xF001 if flags > 15 as well.
  • svcSleepSystem has been refactored. Instead of the initiator thread manually starting the sleep handler threads then storing a weak reference to itself, the handler threads are started in kernel init in main() immediately after their creation, and two mutexes are used: one for the initiator/covering svcSleepSystem, another for the handler threads. This likely fixes an UaF or race condition.
  • If svcReturnFromException passes the exception the KDebug, ie. if the argument errorCode is not 0, and if the latter has DontCatchExceptions set, the process is terminated (unless errorCode is 0x10001).
  • Performance improvements to svcInvalidateProcessDataCache.
  • Redundant calls to smcGetConfig(12) have been reduced (12 calls -> 4 calls) during memory setup

FIRM Sysmodules

All FIRM sysmodules were updated. Specific diffs for a few sysmodules are below:

Loader
  • A single null byte stack overflow due to strcat usage was fixed in content path parsing. See Switch System Flaws for details.
  • System Resource Size (NPDM +0x14) is now allowed to be non-zero for applets in addition to applications.
PM

Memory management initialization was greatly changed:

  • PM no longer hardcodes five memory profiles, and no longer calls smcGetConfig to determine which profile to use.
  • Instead, PM now uses svcGetResourceLimitLimitValue to determine how much space the kernel has allotted for Application + Applet regions and svcGetSystemInfo to determine the total physical memory available, and sets the System region size to (Total Memory Size - Application region size - Applet region size - 5 MiB).

See Also

System update report(s):

Nintendo Switch System Versions
1.0.0
2.0.02.1.02.2.02.3.0
3.0.03.0.13.0.2
4.0.04.0.14.1.0
5.0.05.0.15.0.25.1.0
6.0.06.0.16.1.06.2.0
7.0.07.0.1
8.0.08.0.18.1.08.1.1
9.0.09.0.19.1.09.2.0
10.0.010.0.110.0.210.0.310.0.410.1.010.1.110.2.0
11.0.011.0.1
12.0.012.0.112.0.212.0.312.1.0
13.0.013.1.013.2.013.2.1
14.0.014.1.014.1.114.1.2
15.0.015.0.1
16.0.016.0.116.0.216.0.316.1.0
17.0.017.0.1
18.0.018.0.118.1.0
19.0.019.0.1