From Nintendo Switch Brew
(Redirected from 2.1)
Jump to navigation Jump to search

The 2.1.0 system update was released on March 27, 2017. This update was released for all regions.

Security flaws fixed: yes.


This is the official changelog from Nintendo regarding this update:

Improvements Included in Version 2.1.0

  • General system stability improvements to enhance the user's experience

System Titles

Exactly the following titles were updated:

  • The following sysmodules were updated:
    • nifm
    • ptm
    • hid
    • wlan
    • nvservices
    • nvnflinger
    • ns
    • am
    • nim
    • erpt
    • pctl
    • eupld
    • fatal
    • creport (See here for changes)
  • The only updated 01000000000008XX titles are: shareddata, 0100000000000816, FIRM-packages(see below), and System_Version_Title.
  • The only updated 01000000000010XX titles are: "System applet"(qlaunch), 0100000000001008, 010000000000100A, ShopN, 010000000000100F, Whitelisted-applet, and WifiWebAuthApplet.


A browser vuln was fixed, see also here for v2.1 browser details.

FIRM Packages

The only changes in titles 0100000000000819 and 010000000000081A was that "/nx/package2" in the FS were updated. 010000000000081B firm was also updated.


Kernel was not changed.


  • All 3 codebin sections in the following sysmodules were updated: boot, FS, Loader, and NCM. Offset of the RW section for FS increased by 0x1000.
  • For ProcessMana and sm, only the RO section changed. The only change was the builid hash at the very end of the section, following the "GNU" string.
  • spl wasn't updated.
    • Loader: Only changes in .text was a rebuild with latest SDK, now has the same additional IPC cmd code as NS(see below).
    • boot: .text now has latest SDK changes + various other changes.


There were two changes with IDeviceOperator commands:

  • Code eventually executed for cmd216 was updated. Instead of directly writing to the output struct which is then copied to final output later, a tmpbuf is used which is then copied to the output struct. The 0x10-byte output struct is cleared at the start, and the only u16s copied to output struct from tmpbuf when successful are: +0, +4, +8, +14, and +12.
  • New command 217 was added.
  • See also below SDK section.

Rest of the changes:

  • HFS0 error handling was updated.
  • The error returned in one case for a certain func was changed.
  • Code was moved into a separate func, which is now called by the func which was using that code. Similar-ish code in a different func was removed.
  • A certain func no longer writes an error to stack.
  • Various memwrite/memclear changes.
  • Various u16 counters are now incremented in some cases.
  • In a certain func an u32 field is now incremented at _this+16 in some cases.
  • Minor other change(s).


Every system-title with this system-version which uses FS now has IPC code for using the new IDeviceOperator cmd, including FS-module itself.




  • "/message/{dirname}/option.msbt.szs": Updated
  • "/message/{dirname}/setting.msbt.szs": Updated
 diff --git a/{...}/0100000000001000/v65796/message_USen_option.msbt.szs.decom_wstrs b/{...}/0100000000001000/v131162/message_USen_option.msbt.szs.decom_wstrs
 index 53fe4b3..3a97770 100644
 --- a/{...}/0100000000001000/v65796/message_USen_option.msbt.szs.decom_wstrs
 +++ b/{...}/0100000000001000/v131162/message_USen_option.msbt.szs.decom_wstrs
 @@ -20,7 +20,7 @@ Archive Software
  Data for this software will be deleted to free storage space. After this, only save data and the icon on the HOME Menu will remain.
  Data for this software will be deleted to free storage space. After this, only save data and the icon on the HOME Menu will remain. You can redownload the data to use the software again.
  Delete Software
 -The software and icon on the HOME Menu will be deleted. You can redownload the software from Nintendo eShop. Remaining user data can be deleted from Manage Save Data/Screenshots in Data Management.
 +Save data will not be deleted.
  This software will now be deleted.
  Deleted software and downloadable content can be redownloaded from Nintendo eShop.
  The software icon will be removed from
 diff --git a/{...}/0100000000001000/v65796/message_USen_setting.msbt.szs.decom_wstrs b/{...}/0100000000001000/v131162/message_USen_setting.msbt.szs.decom_wstrs
 index e0a50f7..d419d95 100644
 --- a/{...}/0100000000001000/v65796/message_USen_setting.msbt.szs.decom_wstrs
 +++ b/{...}/0100000000001000/v131162/message_USen_setting.msbt.szs.decom_wstrs
 @@ -123,7 +123,8 @@ Check for Corrupt Data
  Archive Software
  The software will be deleted to free storage space. You can redownload the software by selecting the icon on the HOME Menu. Remaining user data can be deleted from Manage Save Data/Screenshots in Data Management.
  Delete Software
 -The software and icon on the HOME Menu will be deleted. You can redownload the software from Nintendo eShop. Remaining user data can be deleted from Manage Save Data/Screenshots in Data Management.
 +The software and icon on the HOME Menu will be deleted to manage storage space. Digital software can be redownloaded from the Nintendo eShop. Other user data for the game, such as save data or screenshots, will not be deleted and can be managed in System Settings 
 + Data Management.
  Archive this software?
  Only the software icon on the HOME Menu will remain. You can use the software again by redownloading the data.

Application crashes

As documented here, a fatal-error is no longer thrown when applications crash. Instead, qlaunch displays an error message, without requiring a reboot. It appears 2.0.0 qlaunch already had the message string for this, which is: "The software was closed because an error occurred."



The following strings were added to the codebin: "GameCardInsertionCount", "GameCardRemovalCount", and "GameCardAsicInitializeCount".


Only 1 func was changed: L_30f20, which is at L_30f20 in prev ver.

Strings containing paths were changed. For example, "D:/Home/teamcity/work/hr/3rdparty/hos-ddk-minimal/ddk/Programs/Chris/Include\nn/spl/spl_Api.h" is now "C:/dvs/git/dirty/git-master_hos/3rdparty/hos-ddk-minimal/ddk/Programs/Chris/Include\nn/spl/spl_Api.h".

Also, "D:/Home/teamcity/work/hr/hos/services/src/libs/nnmem/mem_StandardAllocator.cpp" is now "C:/dvs/git/dirty/git-master_hos/hos/services/src/libs/nnmem/mem_StandardAllocator.cpp", etc.


The NS-sysmodule was updated. 4 new funcs were added and 29 funcs were updated.

The ASLR'd codebin base(rtld+0) for the below addrs is 0x6f0c00000. For "prev ver" it's 0x5381800000.

 new func.
 called via vtable funcptr.
 return L_6f0c2814c(inx0+8, inx1, w2=0xd9) & 0xffffffff;
 inx0=_this inx1=0x40-byte outbuf copied from cmdreply inw2=cmdid
 new func.
 Sends an ipc cmd, service unknown.
 only called by L_6f0c26f84.
 updated, prev ver @ L_5381837284.
 For the func call executed from the first branch(L_6f0c377e8()), x1 and x2 are now set: x1 = *(0x6f0d9d000+0xfc0)+0x90, x2 = 0x6f0d44000+0xb36("ncm")
 updated, prev ver @ L_5381837640.
 Basically, instead of hard-coded inputs for various stuff, code now loads those using the additional input params.
 updated, prev ver @ L_538183771c.
 ipc related func.
 After the first func call, instead of "if(inx0==0 || ret^1)return;" this now just does "if(ret==0)return;" and "objptr = *(inx0+32);" afterwards.
 The code at the end was replaced with code for calling a vtable funcptr from the objptr.
 updated, prev ver @ L_5381837874.
 Instead of writing 0 to sp8, this now writes *(inx0+32) there.
 updated, prev ver @ L_5381837904.
 Same change as L_6f0c379fc.
 updated, prev ver @ L_5381837a60.
 Loads stuff from input instead of hard-coding basically.
 {3 funcs with same changes as elsewhere}
 updated, prev ver @ L_538183a480.
 Calls a different func and calls another func.
 updated, prev ver @ L_538183b494.
 Error-related(?) code changed.
 updated, prev ver @ L_538183ff24.
 A bunch of func calls were added after the bne.
 updated, prev ver @ L_5381847394.
 An additional check was added at 6f0c47748.
 Some code at the end of the func was adjusted.
 updated, prev ver @ L_5381849650.
 Some sort of error(?) parsing func.
 updated, prev ver @ L_5381851d2c.
 w7 passed to L_6f0c3a83c() with both calls is now value 7 instead of 0.
 This also now calls L_6f0c3af70() when the retval from the previous func-call is zero.
 {3 error(?) parsing funcs which were updated}
 updated, prev ver @ L_5381859114.
 Code was added inbetween the last func-call and the memwrite after that.
 updated, prev ver @ L_538185a254
 Code was added at 0x6f0c5a6d4(prev 0x538185a400): L_6f0c67938(inx0+0xf0, 0, 0); u8 *(inx0+0x110) = 0;
 updated, prev ver @ L_5381860a78.
 Updated for the additional argument passed to creport.
 Code was updated starting at 0x6f0c61190(prev 0x5381860ea8). An additional param is passed to the snprintf call as well.
 Some code was added at the end before the last branch.
 updated, prev ver @ L_5381861b5c.
 Code was added at 0x6f0c61f24(prev 0x5381861bc4).
 new func.
 called via vtable funcptr.
 new func.
 called via vtable funcptr.
 updated, prev ver @ L_53818f7940.
 Code was added at 0x6f0cf7ec4(prev 0x53818f7b00). "L_6f0c6798c(x21); w28 = u8 *(x19+0xf0); L_6f0c67a78(x21); <branch if w28!=0> if(u16 *(x26+16) <= x22)<branch to assert>"
 The code at 0x6f0cf7fac(prev 0x53818f7bc8) now sets w8 to 0x15 instead of 0x13(likewise for the same instruction after the branch).
 updated, prev ver @ L_53818f7d2c.
 Some flag is determined differently now.
 updated, prev ver @ L_53818f8e7c.
 Added a call to L_6f0c67984 after the memwrite.
 {3 funcs with the same changes as L_6f0cf92d8}
Nintendo Switch System Versions