Difference between revisions of "SVC"
Jump to navigation
Jump to search
| Line 467: | Line 467: | ||
| 0x4 || Code || .data | | 0x4 || Code || .data | ||
|- | |- | ||
| − | | 0x17EBD05 || Heap || | + | | 0x17EBD05 || Heap || Mapped using [[#svcSetHeapSize]]. |
|- | |- | ||
| − | | 0x402006 || Shared memory block || | + | | 0x402006 || Shared memory block || Mapped using [[#svcMapSharedMemory]]. |
|- | |- | ||
| − | | 0x482907 || Weird mapped memory || | + | | 0x482907 || Weird mapped memory || Mapped using [[#svcMapMemory]]. |
|- | |- | ||
| − | | 0x8 || Module code static || . | + | | 0x8 || Module code static || Mapped during [[#svcCreateProcess]]. |
|- | |- | ||
| 0x9 || Module code || .data | | 0x9 || Module code || .data | ||
|- | |- | ||
| − | | 0x5C3C0B || Mapped memory || | + | | 0x5C3C0B || Mapped memory || Mapped using [[#svcMapMemory]]. |
|- | |- | ||
| − | | 0xC || Thread local storage || | + | | 0xC || Thread local storage || Mapped during [[#svcCreateThread]]. |
|- | |- | ||
| − | | 0x15C3C0D || Weird transfer memory || | + | | 0x15C3C0D || Weird transfer memory || Mapped using [[#svcMapTransferMemory]]. |
|- | |- | ||
| − | | 0x5C380E || Transfer memory || | + | | 0x5C380E || Transfer memory || Mapped using [[#svcMapTransferMemory]]. |
|- | |- | ||
| − | | 0x10|| Reserved || | + | | 0x40380F || Process memory || Mapped using [[#svcMapProcessMemory]]. |
| + | |- | ||
| + | | 0x10 || Reserved || | ||
|} | |} | ||
Revision as of 20:01, 16 July 2017
System calls
| Id | Name | In | Out |
|---|---|---|---|
| 0x1 | #svcSetHeapSize | W1=size | W0=result, X1=outaddr |
| 0x2 | #svcSetMemoryPermission | X0=addr, X1=size, W2=prot | W0=result |
| 0x3 | #svcSetMemoryAttribute | X0=addr, X1=size, W2=state0, W3=state1 | W0=result |
| 0x4 | #svcMapMemory | X0=dstaddr, X1=srcaddr, X2=size | W0=result |
| 0x5 | svcUnmapMemory | X0=dstaddr, X1=srcaddr, X2=size | W0=result |
| 0x6 | svcQueryMemory | X0=meminfo_ptr, X2=addr | W0=result, W1=pageinfo |
| 0x7 | svcExitProcess | None | |
| 0x8 | #svcCreateThread | X1=entry, X2=arg, X3=stacktop, W4=prio, W5=processor_id | W0=result, W1=handle |
| 0x9 | svcStartThread | W0=thread_handle | |
| 0xA | svcExitThread | None | |
| 0xB | #svcSleepThread | X0=nano | |
| 0xC | svcGetThreadPriority | W1=thread_handle | W0=result, W1=prio |
| 0xD | svcSetThreadPriority | W0=thread_handle, W1=prio | W0=result |
| 0xE | svcGetThreadCoreMask | W2=thread_handle | W0=result, W1=out, X2=out |
| 0xF | svcSetThreadCoreMask | W0=thread_handle, W1=in, X2=in2 | W0=result |
| 0x10 | svcGetCurrentProcessorNumber | None | W0/X0=cpuid |
| 0x11 | svcSignalEvent | W0=handle | ? |
| 0x12 | svcClearEvent | W0=handle | ? |
| 0x13 | #svcMapSharedMemory | W0=memblk_handle, X1=addr, X2=size, W3=perm | W0=result |
| 0x14 | svcUnmapSharedMemory | W0=memblk_handle, X1=addr, X2=size | W0=result |
| 0x15 | #svcCreateTransferMemory | X1=addr, X2=size, W3=perm | W0=result, W1=handle |
| 0x16 | svcCloseHandle | W0=handle | W0=result |
| 0x17 | svcResetSignal | W0=handle | W0=result |
| 0x18 | #svcWaitSynchronization | X1=handles_ptr, W2=num_handles. X3=timeout | W0=result, W1=handle_idx |
| 0x19 | svcCancelSynchronization | W0=handle | W0=result |
| 0x1A | svcArbitrateLock | W0=cur_thread_handle, X1=ptr, W2=req_thread_handle | |
| 0x1B | svcArbitrateUnlock | X0=ptr | |
| 0x1C | svcWaitProcessWideKeyAtomic | X0=ptr0, X1=ptr, W2=thread_handle, X3=timeout | W0=result |
| 0x1D | svcSignalProcessWideKey | X0=ptr, W1=value | W0=result |
| 0x1E | svcGetSystemTick | ||
| 0x1F | svcConnectToNamedPort | X1=port_name_str | W0=result, W1=handle |
| 0x20 | svcSendSyncRequestLight | ||
| 0x21 | svcSendSyncRequest | X0=handle | W0=result |
| 0x22 | #svcSendSyncRequestWithUserBuffer | X0=cmdbufptr, X1=size, X2=handle | W0=result |
| 0x23 | svcSendAsyncRequestWithUserBuffer | ||
| 0x24 | svcGetProcessId | ||
| 0x25 | svcGetThreadId | W0=thread_handle | W0=result, X1=out |
| 0x26 | svcBreak | X0,X1,X2=info | ? |
| 0x27 | svcOutputDebugString | X0=str, X1=size | |
| 0x28 | svcReturnFromException | X0=result | |
| 0x29 | #svcGetInfo | X1=info_id, X2=handle, X3=info_sub_id | W0=result, X1=out |
| 0x2A | svcFlushEntireDataCache | ||
| 0x2B | svcFlushDataCache | ||
| 0x2C | [ 3.0.0+ ] svcMapPhysicalMemory | ||
| 0x2D | [ 3.0.0+ ] svcUnmapPhysicalMemory | ||
| .... | ? | ? | ? |
| 0x2F | svcGetLastThreadInfo | ||
| 0x30 | svcGetResourceLimitLimitValue | ||
| 0x31 | svcGetResourceLimitCurrentValue | ||
| 0x32 | svcSetThreadActivity | ||
| 0x33 | svcGetThreadContext3 | ||
| .... | ? | ? | ? |
| 0x3C | svcDumpInfo | ||
| .... | ? | ? | ? |
| 0x40 | svcCreateSession | W2=?, X3=? | W0=result, W1=client_handle, W2=server_handle |
| 0x41 | svcAcceptSession | W1=port_handle | W0=result, W1=session_handle |
| 0x42 | svcReplyAndReceiveLight | ||
| 0x43 | svcReplyAndReceive | X1=ptr_handles, W2=num_handles, X3=?, X4=timeout | W0=result, W1=handle_idx |
| 0x44 | svcReplyAndReceiveWithUserBuffer | X1=buf, X2=sz, X3=ptr_handles, W4=num_handles, X5=?, X6=timeout | W0=result, W1=handle_idx |
| 0x45 | svcCreateEvent | None | W0=result, W1=client_handle ?, W2=server_handle ? |
| .... | ? | ? | ? |
| 0x4D | svcSleepSystem | ||
| 0x4E | #svcReadWriteRegister | X1=reg_addr, W2=rw_mask, W3=in_val | W0=result, W1=out_val |
| 0x4F | svcSetProcessActivity | ||
| 0x50 | #svcCreateSharedMemory | W1=size?, W2=myperm, W3=otherperm | W0=result, W1=handle |
| 0x51 | #svcMapTransferMemory | X0=mirror_handle, X1=addr, X2=size, W3=perm | W0=result |
| 0x52 | #svcUnmapTransferMemory | W0=mirror_handle, X1=addr, X2=size | W0=result |
| 0x53 | svcCreateInterruptEvent | X1=irq_id | W0=result, W1=handle |
| 0x54 | #svcQueryPhysicalAddress | ||
| 0x55 | #svcQueryIoMapping | X0=physaddr, X1=size | X0=virtaddr |
| 0x56 | svcCreateDeviceAddressSpace | X1=dev_addr, X2=dev_size | W0=result, W1=handle |
| 0x57 | #svcAttachDeviceAddressSpace | W0=device, X1=handle | W0=result |
| 0x58 | #svcDetachDeviceAddressSpace | W0=device, X1=handle | W0=result |
| 0x59 | svcMapDeviceAddressSpaceByForce | W0=handle, W1=proc_handle, X2=dev_addr, X3=dev_size, X4=map_addr, W5=perm | W0=result |
| 0x5A | svcMapDeviceAddressSpaceAligned | ||
| 0x5B | svcMapDeviceAddressSpace | ||
| 0x5C | svcUnmapDeviceAddressSpace | W0=handle, W1=proc_handle, X2=map_addr, X3=map_size, W4=perm | W0=result |
| 0x5D | svcInvalidateProcessDataCache | ||
| 0x5E | svcStoreProcessDataCache | ||
| 0x5F | svcFlushProcessDataCache | ||
| 0x60 | svcDebugActiveProcess | ||
| 0x61 | svcBreakDebugProcess | ||
| 0x62 | svcTerminateDebugProcess | ||
| 0x63 | svcGetDebugEvent | ||
| 0x64 | svcContinueDebugEvent | ||
| 0x65 | svcGetProcessList | ||
| 0x66 | svcGetThreadList | ||
| 0x67 | svcGetDebugThreadContext | ||
| 0x68 | svcSetDebugThreadContext | ||
| 0x69 | svcQueryDebugProcessMemory | ||
| 0x6A | svcReadDebugProcessMemory | ||
| 0x6B | svcWriteDebugProcessMemory | ||
| 0x6C | svcSetHardwareBreakPoint | ||
| 0x6D | svcGetDebugThreadParam | ||
| .... | ? | ? | ? |
| 0x70 | svcCreatePort | ||
| 0x71 | svcManageNamedPort | ||
| 0x72 | svcConnectToPort | ||
| 0x73 | svcSetProcessMemoryPermission | ||
| 0x74 | svcMapProcessMemory | X0=srcaddr, W1=process_handle, X2=dstaddr, X3=size | W0=result |
| 0x75 | svcUnmapProcessMemory | W0=process_handle, X1=dstaddr, X2=srcaddr, X3=size | W0=result |
| 0x76 | svcQueryProcessMemory | ||
| 0x77 | svcMapProcessCodeMemory | W0=process_handle, X21dstaddr, X2=srcaddr, X3=size | W0=result |
| 0x78 | svcUnmapProcessCodeMemory | W0=process_handle, X1=dstaddr, X2=srcaddr, X3=size | W0=result |
| 0x79 | #svcCreateProcess | X1=procinfo_ptr, X2=caps_ptr, W3=cap_num | W0=result, W1=process_handle |
| 0x7A | svcStartProcess | ||
| 0x7B | svcTerminateProcess | ||
| 0x7C | svcGetProcessInfo | ||
| 0x7D | svcCreateResourceLimit | ||
| 0x7E | svcSetResourceLimitLimitValue | ||
| 0x7F | svcCallSecureMonitor |
svcSetHeapSize
Size must be a multiple of 0x2000000. The heap base-address is written to out.
It allows both extending and shrinking the heap.
svcSetMemoryPermission
Bit2 of permission (exec) is not allowed.
Setting write-only is not allowed either (bit1).
svcSetMemoryAttribute
| State0 | State1 | Action |
|---|---|---|
| 0 | 0 | Clear bit35 in #MemoryAttribute. |
| 8 | 0 | Clear bit35 in #MemoryAttribute. |
| 8 | 8 | Set bit35 in #MemoryAttribute. |
This might used for switching between cached and non-cached mappings.
svcMapMemory
Memory is only allowed to be mapped into a special region.
Code can get the range of this region from #svcGetInfo.
The source region gets reprotected to ---, and sets bit32 is set in #MemoryAttribute.
svcCreateThread
Processor_id must be 0,1,2,3 or -2.
svcSleepThread
Setting nano=0 means "yield thread".
Maps the block supplied by the handle. The required permissions are different for the process that created the handle and all other processes.
svcCreateTransferMemory
This one reprotects the src block with perms you give it. It also sets bit32 into #MemoryAttribute.
Executable bit perm not allowed.
Closing all handles automatically causes the bit32 in #MemoryAttribute to clear, and the permission to reset.
svcWaitSynchronization
Works with num_handles <= 0x40, error on num_handles == 0.
Does not accept 0xFFFF8001 or 0xFFFF8000 as handles.
svcSendSyncRequestWithUserBuffer
Size must be 0x1000-aligned.
svcBreak
When used on retail where inx0 bit31 is clear, the system will throw a fatal-error. Otherwise when bit31 is set, it will return 0.
svcGetInfo
| Handle type | Id0 | Id1 | Description |
|---|---|---|---|
| Process | 0 | 0 | Core available mask. Always 0xF meaning all 4 cores available. |
| Process | 1 | 0 | Always 0xfffffffff0000000. |
| Process | 2 | 0 | Randomized unknown base-address. |
| Process | 3 | 0 | Always 0x1000000000. |
| Process | 4 | 0 | Heap base. Randomized. |
| Process | 5 | 0 | Heap region size. Always 0x180000000. |
| Process | 6 | 0 | Total memory usage? |
| Process | 7 | 0 | Process heap size. |
| Zero | 8 | 0 | Always 0. Used during exception handling. |
| Zero | 9 | 0 | This creates and returns an unknown handle. |
| Zero | 10 | -1, {current coreid} | Unknown. Output data changes each time this SVC is used. Global and core-specific tick-count? |
| Zero | 11 | 0-3 | Returns random from TRNG. Used to seed usermode PRNGs. Unknown what exactly causes this output to change, however it does change when exiting+launching a process. |
| Process | 12 | 0 | Address space start. Always 0x8000000. |
| Process | 13 | 0 | Address space size. Always 0x7ff8000000. |
| Process | 14 | 0 | Map region base. Randomized. |
| Process | 15 | 0 | Map region size. |
| Process | 18 | 0 | Title-id, introduced with 3.0.0 |
| ? | 0xF0000002 | 0 | Unknown. Uses the input handle. Returns a tick-count? |
svcReadWriteRegister
Read/write Tegra hardware registers, input address is physical-address.
rw_mask is 0 for reading and -1 for writing.
Registers
| Address | Register Name | Description |
|---|---|---|
| 0x700192E8 | MC_LATENCY_ALLOWANCE_DC_0_0 | Latency allowance settings for DC clients |
| 0x700192EC | MC_LATENCY_ALLOWANCE_DC_1_0 | Latency allowance settings for DC clients |
| 0x700192F0 | MC_LATENCY_ALLOWANCE_DC_2_0 | Latency allowance settings for DC clients |
| 0x700192F4 | MC_LATENCY_ALLOWANCE_DCB_0_0 | Latency allowance settings for DCB clients |
| 0x700192F8 | MC_LATENCY_ALLOWANCE_DCB_1_0 | Latency allowance settings for DCB clients |
| 0x7001941C | MC_DIS_PTSA_RATE_0 | DDA rate for dis PTSA |
| 0x70019420 | MC_DIS_PTSA_MIN_0 | DDA minimum value for direct client dis PTSA. |
| 0x70019424 | MC_DIS_PTSA_MAX_0 | DDA maximum value for direct client dis PTSA. |
| 0x70019428 | MC_DISB_PTSA_RATE_0 | DDA rate for disb PTSA |
| 0x7001942C | MC_DISB_PTSA_MIN_0 | DDA minimum value for direct client disb PTSA |
| 0x70019430 | MC_DISB_PTSA_MAX_0 | DDA maximum value for direct client disb PTSA |
| 0x7001944C | MC_MLL_MPCORER_PTSA_RATE_0 | DDA rate for mll_mpcorer PTSA |
| 0x7001947C | MC_RING1_PTSA_RATE_0 | DDA rate for ring1 PTSA |
| 0x70019480 | MC_RING1_PTSA_MIN_0 | DDA minimum value for direct client ring1 PTSA |
| 0x70019484 | MC_RING1_PTSA_MAX_0 | DDA maximum value for direct client ring1 PTSA |
| 0x7001950C | MC_FTOP_PTSA_RATE_0 | DDA rate for ftop PTSA |
| 0x70019670 | MC_SEC_CARVEOUT_BOM_0 | Baseaddress for the SEC carveout address space. |
| 0x70019674 | MC_SEC_CARVEOUT_SIZE_MB_0 | Size in MB for the SEC carveout region |
| 0x70019690 | MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0A_0 | Scaled Latency Allowance settings for DISPLAY0A |
| 0x70019694 | MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0AB_0 | Scaled Latency Allowance settings for DISPLAY0AB |
| 0x70019698 | MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0B_0 | Scaled Latency Allowance settings for DISPLAY0B |
| 0x7001969C | MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0BB_0 | Scaled Latency Allowance settings for DISPLAY0BB |
| 0x700196A0 | MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0C_0 | Scaled Latency Allowance settings for DISPLAY0C |
| 0x700196A4 | MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0CB_0 | Scaled Latency Allowance settings for DISPLAY0CB |
| 0x70019C5C |
Other perm can be used to enforce permission 1, 3, or 0x10000000 if don't care.
svcMapTransferMemory
The newly mapped pages will have #MemoryAttribute type 0xE.
You must pass same size and permissions as given in svcCreateMemoryMirror, otherwise error.
svcUnmapTransferMemory
Size must match size given in map syscall, otherwise there's an invalid-size error.
svcQueryPhysicalAddress
The inverse operation of #svcQueryIoMapping.
svcQueryIoMapping
svcCreateProcess
Takes a #CreateProcessInfo as input.
svcAttachDeviceAddressSpace / svcDetachDeviceAddressSpace
These take a device id and a device address space handle.
| Device | Name | Description |
|---|---|---|
| 0x0A | APBDMA | Tegra's APB DMA controller. |
Structures
CreateProcessInfo
| Offset | Length | Description |
|---|---|---|
| 0 | 8 | |
| 8 | 2 | |
| 0xA | 2 | |
| 0x18 | 8 | Code base |
| 0x20 | 4 | Number of code pages |
| 0x24 | 4 | MemoryManagement flags. Bit0: is_64bit (maybe?), bit3-1: MMU table size? (0=32-bit, 1=64-bit 0x800000000, 2=64-bit 0x400000000), bit5, bit6 |
| 0x28 | 4 | ResourceLimit handle |
| 0x2C | 4 |
MemoryAttribute
| Bits | Description |
|---|---|
| 7-0 | Type |
| 8 | Can be used with #svcSetMemoryPermission |
| 14 | Can be used with #svcSetProcessMemoryPermission |
| 15 | Can be used with #svcMapMemory |
| 17 | Can be used with #svcCreateTransferMemory |
| 21 | Can be used with #svcSendSyncRequestWithUserBuffer |
| 24 | Can be used with #svcSetMemoryAttribute |
| Value | Type | Meaning |
|---|---|---|
| 0x0 | Unmapped | |
| 0x2001 | IO | |
| 0x42002 | IO | |
| 0xDC7E03 | Code static | .text and .rodata |
| 0x4 | Code | .data |
| 0x17EBD05 | Heap | Mapped using #svcSetHeapSize. |
| 0x402006 | Shared memory block | Mapped using #svcMapSharedMemory. |
| 0x482907 | Weird mapped memory | Mapped using #svcMapMemory. |
| 0x8 | Module code static | Mapped during #svcCreateProcess. |
| 0x9 | Module code | .data |
| 0x5C3C0B | Mapped memory | Mapped using #svcMapMemory. |
| 0xC | Thread local storage | Mapped during #svcCreateThread. |
| 0x15C3C0D | Weird transfer memory | Mapped using #svcMapTransferMemory. |
| 0x5C380E | Transfer memory | Mapped using #svcMapTransferMemory. |
| 0x40380F | Process memory | Mapped using #svcMapProcessMemory. |
| 0x10 | Reserved |
Bit32: is_mirrored Bit34: is_device_mapped Bit35: is_uncached?
Exception Handling
There appears to be userland code for handling exceptions, however this doesn't seem to be executed on retail.
On usermode exception, it jumps to main code binary entrypoint (main_binary_address+0) with X0=exception_info_ptr and X1=exception_info2_ptr. On boot, X0 is set to 0 triggering normal crt0 setup.