NSO is the main executable format.
It starts with the "NSO" header and mainly describes .text, .rodata, and .data segments (like a short-form of ELF program headers):
Offset
|
Size
|
Description
|
0x0
|
4
|
file offset of data
|
0x4
|
4
|
memory offset loaded to
|
0x8
|
4
|
size of data copied to memory offset (i.e. size after decompression)
|
0xC
|
4
|
alignment used on memory size / size of .bss in the case of .data segment
|
.rodata-relative extent
Offset
|
Size
|
Description
|
0x0
|
4
|
offset (relative to .rodata)
|
0x4
|
4
|
size of region
|
Offset
|
Size
|
Description
|
0x0
|
4
|
Magic "NSO0"
|
0x4
|
4
|
|
0x8
|
4
|
|
0xC
|
4
|
Always 0x3f?
|
0x10
|
0x10 * 3
|
SegmentHeader for each segment
|
0x40
|
0x20
|
Value of "build id" from ELF's GNU .note section. Contains variable sized digest, up to 32bytes.
|
0x60
|
0x4 * 3
|
file size of each segment (i.e. LZ4-compressed size)
|
0x6c
|
0x24
|
Padding
|
0x90
|
8
|
.rodata-relative extents of .dynstr
|
0x98
|
8
|
.rodata-relative extents of .dynsym
|
0xA0
|
0x20 * 3
|
SHA256 hashes over the decompressed sections using the above byte-sizes: .text, .rodata, and .data.
|
0x100
|
|
Compressed sections
|
Most data in Switch binaries are standard ELF structures, however some are custom.
For example, the MOD header is essentially a replacement for a PT_DYNAMIC program header.
MOD
All offsets are signed 32bit values relative to the magic field.
The 32bits at image base + 4 must point to the magic field.
The MOD structure is designed such that it can be placed at image base and point to itself.
The 2 fields preceding the magic field get copied around with the structure, even if it is relocated to somewhere besides the image base.
Offset
|
Size
|
Description
|
0x00
|
4
|
zero padding
|
0x04
|
4
|
offset to magic. Always 8 (so it works when MOD is at image_base + 0).
|
0x08
|
4
|
magic "MOD0"
|
0x0C
|
4
|
.dynamic offset
|
0x10
|
4
|
.bss start offset
|
0x14
|
4
|
.bss end offset
|
0x18
|
4
|
.eh_frame start offset
|
0x1C
|
4
|
.eh_frame end offset
|
0x20
|
4
|
offset to runtime-generated module object. typically equal to .bss base.
|