Difference between revisions of "NPDM"

From Nintendo Switch Brew
Jump to navigation Jump to search
Line 30: Line 30:
 
| 0x4
 
| 0x4
 
| Magic "META".
 
| Magic "META".
 +
|-
 +
| 0x4
 +
|
 +
|
 
|-
 
|-
 
| 0xE
 
| 0xE
 
| 1
 
| 1
|  
+
| MainThreadPrio
 
|-
 
|-
 
| 0xF
 
| 0xF
 
| 1
 
| 1
|  
+
| DefaultCpuId
 +
|-
 +
| 0x10
 +
|
 +
|
 
|-
 
|-
 
| 0x1C
 
| 0x1C
 
| 4
 
| 4
|  
+
| MainStackSize
 
|-
 
|-
 
| 0x20
 
| 0x20

Revision as of 15:20, 14 September 2017

This is the Switch equivalent of 3DS exheader. This is the file with extension ".npdm" in {Switch ExeFS}. The size of this file varies.

Offset Size Description
0x0 0x80 META
0x80 <Varies> ACID
<See META> <See META> ACI0

META

Offset Size Description
0x0 0x4 Magic "META".
0x4
0xE 1 MainThreadPrio
0xF 1 DefaultCpuId
0x10
0x1C 4 MainStackSize
0x20 ? Title name
0x70 0x4 #ACI0 offset
0x74 0x4 #ACI0 size
0x78 0x4 #ACID offset
0x7C 0x4 #ACID size

ACID

Offset Size Description
0 0x100 RSA-2048 signature, seems to verify the data starting at 0x100 with the size field from 0x204.
0x100 0x100 RSA-2048 public key, seems to be used for the second NCA signature.
0x200 0x4 Magic "ACID".
0x204 0x4 s32 Size field used with the above signature(?).
0x208 0x4 Zeroes
0x20C 0x4 Retail flag. Must be 1 on retail, on devunit 0 is also allowed.
0x210 0x8 Title id
0x218 0x8 Title id again
0x220 0x4 #FS Access Control offset
0x224 0x4 #FS Access Control size
0x228 0x4 #Service Access Control offset
0x22C 0x4 #Service Access Control size
0x230 4 #Kernel Access Control offset
0x234 4 #Kernel Access Control size
0x238 0x8 Padding

ACI0

Looks like an old crappy version of ACID. It has the guessed version field 0 instead of 1.

FS Access Control

Offset Size Description
0x0 0x1 Version? Always 1. Must be non-zero.
0x1 0x3 Padding
0x4 0x8 Permissions bitmask
... ... ...

Permissions bitmask:

Bit Description
0 MountContent* is accessible when set.
34 Enables access to Bis partitionID 27 and 28?
63 Enables access to everything: all permission-types which check a bitmask have this bit set.

For bit62 in permissions, see here.

Web-applets permissions:

  • "LibAppletWeb" and "LibAppletOff" have same access control: bit0 and bit3 set, and bit62 set.
  • Rest of the web-applets: Same as above except bit0 isn't set.

Service Access Control

This is a list of service-name strings which the title has access to, with the following structure:

 +0: control_byte
 +1: {service-name without nul-terminator}

Bitmask 0x0F in control_byte is the {length of the service-name without nul-terminator} - 1.

Bitmask 0x80 in control_byte means service is allowed to be registered.

The service string can contain a wildcard * character.

Kernel Access Control

On Switch, descriptors are identified by pattern 01..11 in low bits.

Pattern of lower bits Lowest clear bitmask/bit Type Fields
0bxxxxxxxxxxxx0111 Bit3 KernelFlags Bit31-24: Highest allowed cpu id, bit23-16: Lowest allowed cpu id, bit15-10: Highest allowed thread prio, bit9-4: Lowest allowed thread prio
0bxxxxxxxxxxx01111 Bit4 SyscallMask Bits 29-31: Syscall mask table index; Bits 5-28: Mask
0bxxxxxxxxx0111111 Bit6 MapIoOrNormalRange Bits 7-30: Alternating start page and number of pages, bit31: Alternating read-only flag then MemoryAttribute 0x2001/0x42002 selector flag
0bxxxxxxxx01111111 Bit7 MapNormalPage (RW) Bits 7-31: Page
0bxxxx011111111111 Bit11 InterruptPair Bits 12-21: Irq0, bits 20-31: Irq1, 0x3FF means empty.
0bxx01111111111111 Bit13 ? Bit15-14: ?
0bx011111111111111 Bit14 KernelReleaseVersion Bits 15-X: Version. The raw descriptor is compared with 0x80000, when less than an error is returned. This is equivalent to comparing the bits starting at bit15 with 0x10. This enforces a minimum required version, not a maximum.
0b0111111111111111 Bit15 HandleTableSize Bit25-16: Number of handles the table shall fit.
0b1111111111111111 Bit16 DebugFlags Bit17: can be debugged, bit18: can debug others
All ones Ignored

Only certain memory ranges are allowed to be mapped via these descriptors.