Difference between revisions of "SVC"

From Nintendo Switch Brew
Jump to navigation Jump to search
Line 459: Line 459:
 
| 0x0 || Unmapped ||
 
| 0x0 || Unmapped ||
 
|-
 
|-
| 0x2001 || IO ||
+
| 0x2001 || IO || Mapped by kernel capability parsing in [[#svcCreateProcess]].
 
|-
 
|-
| 0x42002 || IO ||
+
| 0x42002 || IO || Mapped by kernel capability parsing in [[#svcCreateProcess]].
 
|-
 
|-
| 0xDC7E03 || Code static || .text and .rodata
+
| 0xDC7E03 || Code static || Mapped during [[#svcCreateProcess]].
 
|-
 
|-
 
| 0x4 || Code || .data
 
| 0x4 || Code || .data
Line 473: Line 473:
 
| 0x482907 || Weird mapped memory || Mapped using [[#svcMapMemory]].
 
| 0x482907 || Weird mapped memory || Mapped using [[#svcMapMemory]].
 
|-
 
|-
| 0x8 || Module code static || Mapped during [[#svcCreateProcess]].
+
| 0x8 || Module code static ||
 
|-
 
|-
 
| 0x9 || Module code || .data
 
| 0x9 || Module code || .data

Revision as of 20:03, 16 July 2017

System calls

Id Name In Out
0x1 #svcSetHeapSize W1=size W0=result, X1=outaddr
0x2 #svcSetMemoryPermission X0=addr, X1=size, W2=prot W0=result
0x3 #svcSetMemoryAttribute X0=addr, X1=size, W2=state0, W3=state1 W0=result
0x4 #svcMapMemory X0=dstaddr, X1=srcaddr, X2=size W0=result
0x5 svcUnmapMemory X0=dstaddr, X1=srcaddr, X2=size W0=result
0x6 svcQueryMemory X0=meminfo_ptr, X2=addr W0=result, W1=pageinfo
0x7 svcExitProcess None
0x8 #svcCreateThread X1=entry, X2=arg, X3=stacktop, W4=prio, W5=processor_id W0=result, W1=handle
0x9 svcStartThread W0=thread_handle
0xA svcExitThread None
0xB #svcSleepThread X0=nano
0xC svcGetThreadPriority W1=thread_handle W0=result, W1=prio
0xD svcSetThreadPriority W0=thread_handle, W1=prio W0=result
0xE svcGetThreadCoreMask W2=thread_handle W0=result, W1=out, X2=out
0xF svcSetThreadCoreMask W0=thread_handle, W1=in, X2=in2 W0=result
0x10 svcGetCurrentProcessorNumber None W0/X0=cpuid
0x11 svcSignalEvent W0=handle ?
0x12 svcClearEvent W0=handle ?
0x13 #svcMapSharedMemory W0=memblk_handle, X1=addr, X2=size, W3=perm W0=result
0x14 svcUnmapSharedMemory W0=memblk_handle, X1=addr, X2=size W0=result
0x15 #svcCreateTransferMemory X1=addr, X2=size, W3=perm W0=result, W1=handle
0x16 svcCloseHandle W0=handle W0=result
0x17 svcResetSignal W0=handle W0=result
0x18 #svcWaitSynchronization X1=handles_ptr, W2=num_handles. X3=timeout W0=result, W1=handle_idx
0x19 svcCancelSynchronization W0=handle W0=result
0x1A svcArbitrateLock W0=cur_thread_handle, X1=ptr, W2=req_thread_handle
0x1B svcArbitrateUnlock X0=ptr
0x1C svcWaitProcessWideKeyAtomic X0=ptr0, X1=ptr, W2=thread_handle, X3=timeout W0=result
0x1D svcSignalProcessWideKey X0=ptr, W1=value W0=result
0x1E svcGetSystemTick
0x1F svcConnectToNamedPort X1=port_name_str W0=result, W1=handle
0x20 svcSendSyncRequestLight
0x21 svcSendSyncRequest X0=handle W0=result
0x22 #svcSendSyncRequestWithUserBuffer X0=cmdbufptr, X1=size, X2=handle W0=result
0x23 svcSendAsyncRequestWithUserBuffer
0x24 svcGetProcessId
0x25 svcGetThreadId W0=thread_handle W0=result, X1=out
0x26 svcBreak X0,X1,X2=info ?
0x27 svcOutputDebugString X0=str, X1=size
0x28 svcReturnFromException X0=result
0x29 #svcGetInfo X1=info_id, X2=handle, X3=info_sub_id W0=result, X1=out
0x2A svcFlushEntireDataCache
0x2B svcFlushDataCache
0x2C [ 3.0.0+ ] svcMapPhysicalMemory
0x2D [ 3.0.0+ ] svcUnmapPhysicalMemory
.... ? ? ?
0x2F svcGetLastThreadInfo
0x30 svcGetResourceLimitLimitValue
0x31 svcGetResourceLimitCurrentValue
0x32 svcSetThreadActivity
0x33 svcGetThreadContext3
.... ? ? ?
0x3C svcDumpInfo
.... ? ? ?
0x40 svcCreateSession W2=?, X3=? W0=result, W1=client_handle, W2=server_handle
0x41 svcAcceptSession W1=port_handle W0=result, W1=session_handle
0x42 svcReplyAndReceiveLight
0x43 svcReplyAndReceive X1=ptr_handles, W2=num_handles, X3=?, X4=timeout W0=result, W1=handle_idx
0x44 svcReplyAndReceiveWithUserBuffer X1=buf, X2=sz, X3=ptr_handles, W4=num_handles, X5=?, X6=timeout W0=result, W1=handle_idx
0x45 svcCreateEvent None W0=result, W1=client_handle ?, W2=server_handle ?
.... ? ? ?
0x4D svcSleepSystem
0x4E #svcReadWriteRegister X1=reg_addr, W2=rw_mask, W3=in_val W0=result, W1=out_val
0x4F svcSetProcessActivity
0x50 #svcCreateSharedMemory W1=size?, W2=myperm, W3=otherperm W0=result, W1=handle
0x51 #svcMapTransferMemory X0=mirror_handle, X1=addr, X2=size, W3=perm W0=result
0x52 #svcUnmapTransferMemory W0=mirror_handle, X1=addr, X2=size W0=result
0x53 svcCreateInterruptEvent X1=irq_id W0=result, W1=handle
0x54 #svcQueryPhysicalAddress
0x55 #svcQueryIoMapping X0=physaddr, X1=size X0=virtaddr
0x56 svcCreateDeviceAddressSpace X1=dev_addr, X2=dev_size W0=result, W1=handle
0x57 #svcAttachDeviceAddressSpace W0=device, X1=handle W0=result
0x58 #svcDetachDeviceAddressSpace W0=device, X1=handle W0=result
0x59 svcMapDeviceAddressSpaceByForce W0=handle, W1=proc_handle, X2=dev_addr, X3=dev_size, X4=map_addr, W5=perm W0=result
0x5A svcMapDeviceAddressSpaceAligned
0x5B svcMapDeviceAddressSpace
0x5C svcUnmapDeviceAddressSpace W0=handle, W1=proc_handle, X2=map_addr, X3=map_size, W4=perm W0=result
0x5D svcInvalidateProcessDataCache
0x5E svcStoreProcessDataCache
0x5F svcFlushProcessDataCache
0x60 svcDebugActiveProcess
0x61 svcBreakDebugProcess
0x62 svcTerminateDebugProcess
0x63 svcGetDebugEvent
0x64 svcContinueDebugEvent
0x65 svcGetProcessList
0x66 svcGetThreadList
0x67 svcGetDebugThreadContext
0x68 svcSetDebugThreadContext
0x69 svcQueryDebugProcessMemory
0x6A svcReadDebugProcessMemory
0x6B svcWriteDebugProcessMemory
0x6C svcSetHardwareBreakPoint
0x6D svcGetDebugThreadParam
.... ? ? ?
0x70 svcCreatePort
0x71 svcManageNamedPort
0x72 svcConnectToPort
0x73 svcSetProcessMemoryPermission
0x74 svcMapProcessMemory X0=srcaddr, W1=process_handle, X2=dstaddr, X3=size W0=result
0x75 svcUnmapProcessMemory W0=process_handle, X1=dstaddr, X2=srcaddr, X3=size W0=result
0x76 svcQueryProcessMemory
0x77 svcMapProcessCodeMemory W0=process_handle, X21dstaddr, X2=srcaddr, X3=size W0=result
0x78 svcUnmapProcessCodeMemory W0=process_handle, X1=dstaddr, X2=srcaddr, X3=size W0=result
0x79 #svcCreateProcess X1=procinfo_ptr, X2=caps_ptr, W3=cap_num W0=result, W1=process_handle
0x7A svcStartProcess
0x7B svcTerminateProcess
0x7C svcGetProcessInfo
0x7D svcCreateResourceLimit
0x7E svcSetResourceLimitLimitValue
0x7F svcCallSecureMonitor

svcSetHeapSize

Size must be a multiple of 0x2000000. The heap base-address is written to out.

It allows both extending and shrinking the heap.

svcSetMemoryPermission

Bit2 of permission (exec) is not allowed.

Setting write-only is not allowed either (bit1).

svcSetMemoryAttribute

State0 State1 Action
0 0 Clear bit35 in #MemoryAttribute.
8 0 Clear bit35 in #MemoryAttribute.
8 8 Set bit35 in #MemoryAttribute.

This might used for switching between cached and non-cached mappings.

svcMapMemory

Memory is only allowed to be mapped into a special region.

Code can get the range of this region from #svcGetInfo.

The source region gets reprotected to ---, and sets bit32 is set in #MemoryAttribute.

svcCreateThread

Processor_id must be 0,1,2,3 or -2.

svcSleepThread

Setting nano=0 means "yield thread".

svcMapSharedMemory

Maps the block supplied by the handle. The required permissions are different for the process that created the handle and all other processes.

svcCreateTransferMemory

This one reprotects the src block with perms you give it. It also sets bit32 into #MemoryAttribute.

Executable bit perm not allowed.

Closing all handles automatically causes the bit32 in #MemoryAttribute to clear, and the permission to reset.

svcWaitSynchronization

Works with num_handles <= 0x40, error on num_handles == 0.

Does not accept 0xFFFF8001 or 0xFFFF8000 as handles.

svcSendSyncRequestWithUserBuffer

Size must be 0x1000-aligned.

svcBreak

When used on retail where inx0 bit31 is clear, the system will throw a fatal-error. Otherwise when bit31 is set, it will return 0.

svcGetInfo

Handle type Id0 Id1 Description
Process 0 0 Core available mask. Always 0xF meaning all 4 cores available.
Process 1 0 Always 0xfffffffff0000000.
Process 2 0 Randomized unknown base-address.
Process 3 0 Always 0x1000000000.
Process 4 0 Heap base. Randomized.
Process 5 0 Heap region size. Always 0x180000000.
Process 6 0 Total memory usage?
Process 7 0 Process heap size.
Zero 8 0 Always 0. Used during exception handling.
Zero 9 0 This creates and returns an unknown handle.
Zero 10 -1, {current coreid} Unknown. Output data changes each time this SVC is used. Global and core-specific tick-count?
Zero 11 0-3 Returns random from TRNG. Used to seed usermode PRNGs. Unknown what exactly causes this output to change, however it does change when exiting+launching a process.
Process 12 0 Address space start. Always 0x8000000.
Process 13 0 Address space size. Always 0x7ff8000000.
Process 14 0 Map region base. Randomized.
Process 15 0 Map region size.
Process 18 0 Title-id, introduced with 3.0.0
? 0xF0000002 0 Unknown. Uses the input handle. Returns a tick-count?

svcReadWriteRegister

Read/write Tegra hardware registers, input address is physical-address.

rw_mask is 0 for reading and -1 for writing.

Registers

Address Register Name Description
0x700192E8 MC_LATENCY_ALLOWANCE_DC_0_0 Latency allowance settings for DC clients
0x700192EC MC_LATENCY_ALLOWANCE_DC_1_0 Latency allowance settings for DC clients
0x700192F0 MC_LATENCY_ALLOWANCE_DC_2_0 Latency allowance settings for DC clients
0x700192F4 MC_LATENCY_ALLOWANCE_DCB_0_0 Latency allowance settings for DCB clients
0x700192F8 MC_LATENCY_ALLOWANCE_DCB_1_0 Latency allowance settings for DCB clients
0x7001941C MC_DIS_PTSA_RATE_0 DDA rate for dis PTSA
0x70019420 MC_DIS_PTSA_MIN_0 DDA minimum value for direct client dis PTSA.
0x70019424 MC_DIS_PTSA_MAX_0 DDA maximum value for direct client dis PTSA.
0x70019428 MC_DISB_PTSA_RATE_0 DDA rate for disb PTSA
0x7001942C MC_DISB_PTSA_MIN_0 DDA minimum value for direct client disb PTSA
0x70019430 MC_DISB_PTSA_MAX_0 DDA maximum value for direct client disb PTSA
0x7001944C MC_MLL_MPCORER_PTSA_RATE_0 DDA rate for mll_mpcorer PTSA
0x7001947C MC_RING1_PTSA_RATE_0 DDA rate for ring1 PTSA
0x70019480 MC_RING1_PTSA_MIN_0 DDA minimum value for direct client ring1 PTSA
0x70019484 MC_RING1_PTSA_MAX_0 DDA maximum value for direct client ring1 PTSA
0x7001950C MC_FTOP_PTSA_RATE_0 DDA rate for ftop PTSA
0x70019670 MC_SEC_CARVEOUT_BOM_0 Baseaddress for the SEC carveout address space.
0x70019674 MC_SEC_CARVEOUT_SIZE_MB_0 Size in MB for the SEC carveout region
0x70019690 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0A_0 Scaled Latency Allowance settings for DISPLAY0A
0x70019694 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0AB_0 Scaled Latency Allowance settings for DISPLAY0AB
0x70019698 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0B_0 Scaled Latency Allowance settings for DISPLAY0B
0x7001969C MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0BB_0 Scaled Latency Allowance settings for DISPLAY0BB
0x700196A0 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0C_0 Scaled Latency Allowance settings for DISPLAY0C
0x700196A4 MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0CB_0 Scaled Latency Allowance settings for DISPLAY0CB
0x70019C5C

svcCreateSharedMemory

Other perm can be used to enforce permission 1, 3, or 0x10000000 if don't care.

svcMapTransferMemory

The newly mapped pages will have #MemoryAttribute type 0xE.

You must pass same size and permissions as given in svcCreateMemoryMirror, otherwise error.

svcUnmapTransferMemory

Size must match size given in map syscall, otherwise there's an invalid-size error.

svcQueryPhysicalAddress

The inverse operation of #svcQueryIoMapping.

svcQueryIoMapping

svcCreateProcess

Takes a #CreateProcessInfo as input.

svcAttachDeviceAddressSpace / svcDetachDeviceAddressSpace

These take a device id and a device address space handle.

Device Name Description
0x0A APBDMA Tegra's APB DMA controller.

Structures

CreateProcessInfo

Offset Length Description
0 8
8 2
0xA 2
0x18 8 Code base
0x20 4 Number of code pages
0x24 4 MemoryManagement flags. Bit0: is_64bit (maybe?), bit3-1: MMU table size? (0=32-bit, 1=64-bit 0x800000000, 2=64-bit 0x400000000), bit5, bit6
0x28 4 ResourceLimit handle
0x2C 4

MemoryAttribute

Bits Description
7-0 Type
8 Can be used with #svcSetMemoryPermission
14 Can be used with #svcSetProcessMemoryPermission
15 Can be used with #svcMapMemory
17 Can be used with #svcCreateTransferMemory
21 Can be used with #svcSendSyncRequestWithUserBuffer
24 Can be used with #svcSetMemoryAttribute
Value Type Meaning
0x0 Unmapped
0x2001 IO Mapped by kernel capability parsing in #svcCreateProcess.
0x42002 IO Mapped by kernel capability parsing in #svcCreateProcess.
0xDC7E03 Code static Mapped during #svcCreateProcess.
0x4 Code .data
0x17EBD05 Heap Mapped using #svcSetHeapSize.
0x402006 Shared memory block Mapped using #svcMapSharedMemory.
0x482907 Weird mapped memory Mapped using #svcMapMemory.
0x8 Module code static
0x9 Module code .data
0x5C3C0B Mapped memory Mapped using #svcMapMemory.
0xC Thread local storage Mapped during #svcCreateThread.
0x15C3C0D Weird transfer memory Mapped using #svcMapTransferMemory.
0x5C380E Transfer memory Mapped using #svcMapTransferMemory.
0x40380F Process memory Mapped using #svcMapProcessMemory.
0x10 Reserved

Bit32: is_mirrored Bit34: is_device_mapped Bit35: is_uncached?

Exception Handling

There appears to be userland code for handling exceptions, however this doesn't seem to be executed on retail.

On usermode exception, it jumps to main code binary entrypoint (main_binary_address+0) with X0=exception_info_ptr and X1=exception_info2_ptr. On boot, X0 is set to 0 triggering normal crt0 setup.