4,628
edits
Changes
mLine 1:
Line 1: − + Line 47:
Line 47: − <fill this in (manually) later>+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→System Titles
The Switch 6.0.0 system update was released on September 18, 2018. This Switch update was released for the following regions: ALL.
The Switch 6.0.0 system update was released on September 18, 2018. This Switch update was released for the following regions: ALL.
Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.
Security flaws fixed: Yes.
==Change-log==
==Change-log==
==System Titles==
==System Titles==
* All sysmodules were updated.
* Most 8XX titles were updated.
* All applets except "error" and "cabinet" were updated.
* 1 new title was added: olsc-sysmodule.
* New services were added, see [[Services_API|here]].
[[SSL_services#CertStore|CertStore]] RomFs: "/ssl_CaFingerprints.bdf" was added and "/ssl_TrustedCerts.bdf" was updated.
===[[USB_services|USB-sysmodule]]===
===[[USB_services|USB-sysmodule]]===
The only sysmodule with any changes for accessible IO in the [[NPDM]] was USB-sysmodule. The IO page for the [[Fuses|fuse registers]] is now accessible by this sysmodule.
The only sysmodule with any changes for accessible IO in the [[NPDM]] was USB-sysmodule. The IO page for the [[Fuses|fuse registers]] is now accessible by this sysmodule.
===[[NV_services|nvservices-sysmodule]]===
Among various changes, the [[Switch_System_Flaws#System_Modules|"Transfer Memory leak in nvservices system module"]] system flaw was patched in the following way:
* [[NV_services#Initialize|Initialize]] and [[NV_services#InitializeDevtools|InitializeDevtools]] now keep track of the size of the transfer memory supplied by the user.
* L_34B90 (nvdrv's destructor) now calls L_B4C30 (memset) on the entire transfer memory region (using the size saved previously) before calling [[SVC#svcUnmapTransferMemory|svcUnmapTransferMemory]].
===olsc-sysmodule===
This new sysmodule handles cloud saves.
===FIRM===
====Secure Monitor====
.rwdata was reduced in size from two pages to one page. Additionally:
Changes were made relating to security engine usage:
* Many functions which previously used an inline GetSecurityEngine() call to get the security engine register address now take in a register base as an argument. This is presumably to facilitate moved Security Engine MMIO on the Mariko SoC.
* Keyslots 0-8, 0xA, 0xC-0xE now have flags 0x1FF set, and keyslot 0xB now additionally has flags 0x17F set.
* The Test Vector used to ensure keyslot contents do not change during wake-from-sleep now uses 256-bit AES instead of 128-bit AES (thus the high parts of the keyslot contents are now verified).
Some changes were made to initial SoC setup:
* Additional magic numbers (0x83 = SKU ID, 0x2 = ?, 0x210 = Tegra 210) are now written into the GPU microcode in DRAM for runtime configuration.
* The warmboot firmware's firmware revision magic was changed from 0x6 to 0x87.
* The GPU microcode carveout setup was moved to later during initialization (after package2 has been fully loaded and verified).
* The IRAM addresses from which [[BootConfig]] warmboot firmware are loaded were changed.
In addition, there were changes to the [[SMC]] interface:
* SMCs which take in a keyslot parameter have been changed to allow use of up to 6 keyslots instead of 4.
* smcUnwrapRsaOaepWrappedTitleKey now takes in a "type" parameter, and the kek used in key generation is now selected from an array based on this parameter. (smcUnwrapAesWrappedTitlekey hardcodes type 0.)
* GetConfig(HardwareType) now returns 4 when it previously would have returned 3.
Additionally, security flaws were addressed in smcCpuSuspend (aiming to further mitigate jamais vu/deja vu):
* The number of devices checked to be held in reset at the time of smcCpuSuspend is called is now greatly increased.
* BPMP SC7 Entry Firmware is now only started ''after'' the following have been done, instead of before:
** TZRAM contents have been encrypted and MAC'd with a random AES-256 key
** The PMC scratch registers where the MAC are stored have been verified not to be read or write-locked.
** The MAC is written into the PMC scratch registers, which are then write-locked.
** The PMC scratch registers are verified to have been write-locked.
** The PMC scratch registers are verified to contain the MAC TZ has written into them.
** The PMC scratch registers are read-locked.
** The PMC scratch registers are verified to be both read and write-locked.
** The BPMP's firmware is copied from TZRAM into IRAM
** memcmp(BPMP firmware in IRAM, BPMP firmware in TZRAM, sizeof(BPMP firmware)) is verified to be zero.
====Kernel====
* Accidentially exported symbols have been renamed:
** Namespace <code>nn::kern::ARM64</code> is now <code>nn::kern::arch::ARM64</code>
** Namespace <code>nn::kern::NX</code> is now <code>nn::kern::board::NX</code> and now contains the class <code>KSystemControl</code>
** <code>ResumeEntry</code> is now a non-static method of <code>KSystemControl</code>
* Kernel now reserves 1024 pages (1MB) of memory in SYSTEM memregion/pool for use by applets (1 at a time) for personal mmheap.
* Memory regions arrange changed, APPLET has 6MB less in all memory arranges.
* Maximum number of sessions and events both increased by 100.
* Kernel mmheap size decreased to 0x10DF000 bytes (was 0x1117000), the both KMemoryBlock pools' capacity is unchanged, but less page tables can be allocated.
* Kernel now properly reports DRAM size in default reslimit.
* Two new svcGetInfoTypes: types 21 and 22. These are like type 6 and 7, but without the contiguous, in-security-carveout, personalmmheap allocation.
* KASLR was changed to invoke smcGetRandomBytes(8) each time, instead of using Mersenne Twister.
* Another layer of randomization has been added to slabheaps (before, it was just the order of slabheaps): an array of N (= 21 = number of slabheaps) random integers, in range (0, 0x200000) is now constructed, sorted via bubble sort; at each slabheap construction the heap offset is further incremented by <code>array[id+1]-array[id]</code> , then page rounded.
* With the exception of KSessionRequest which is not in any KObjectAllocator, all KAutoObject types now use an intrusive rbtree instead of an intrusive list for their KObjectAllocator membership. Comparison key is PID for processes, thread ID for threads, address for others (using a new virtual method).
* A new anonymous KAutoObject type, which sole purpose is to hold a comparison key, is now used for thread lookup by ID.
* Breaking changes in svcGetFutureThreadInfo, which has potentially been renamed. Signature and use case have radically changed, it is now: <code>Result svcGetFutureThreadInfo(ThreadInfo *outThreadInfo, u64 *outTid, Handle debugHandle, s64 timeout)</code>.
* Huge scheduler force-pause and last thread reporting refactor:
** Scheduling flags are now u16 and force-pause flags are 3-nibble-long instead of 1.
** The requirements and mechanism for force-pausing (activity svc, debug, etc.) threads have been considerably simplified:
*** It used to delay the force-pause after end-of-svc, and used some convoluted mechanism.
*** The condition is now "a thread is force-pausable iff no thread is waiting for a kernel mutex it is holding", mechanism is just ORRing scheduling status with force-pause flags now. Appropriate changes have been made to accomodate for this change.
*** Abovementionned convoluted mechanism has been refactored, too, but remains unused.
** When the scheduler selects a process's thread, it now stored the selected thread in an array in the KProcess, for information. It also stores in itself and in array in the selected KProcess the number of times it detected a core being idle before load balancing. Used by BreakDebugProcess.<br />
* All threads created and started in kernel main() are started force-paused with flags=0x100. This fixes the hypotetical case where a compromised KIP would perform gmmuhax and dump the INI1 (which is stored in APPLICATION -- KIPs are only started after all of them have been loaded). They are unpaused after all KIPs have been created.
* GetThreadContext3 (unprivileged SVC) now dumps TPIDR_EL0.
* DebugActiveProcess now returns 0xFA01 if an attempt to debug the current process is made -- instead of possibly deadlocking
* GetDebugThreadContext and SetDebugThreadContext now return 0xF001 if flags > 15. Additionally, their functionality is now restricted to threads that have been force-paused for debug, not just any kind of force-paused threads anymore.
* ContinueDebugEvent now returns 0xF001 if flags > 15 as well.
* svcSleepSystem has been refactored. Instead of the initiator thread manually starting the sleep handler threads then storing a weak reference to itself, the handler threads are started in kernel init in main() immediately after their creation, and two mutexes are used: one for the initiator/covering svcSleepSystem, another for the handler threads. This likely fixes an UaF or race condition.
* If svcReturnFromException passes the exception the KDebug, ie. if the argument errorCode is not 0, and if the latter has DontCatchExceptions set, the process is terminated (unless errorCode is 0x10001).
* Performance improvements to svcInvalidateProcessDataCache.
* Redundant calls to smcGetConfig(12) have been reduced (12 calls -> 4 calls) during memory setup
====FIRM Sysmodules====
All FIRM sysmodules were updated. Specific diffs for a few sysmodules are below:
=====[[Loader services|Loader]]=====
* A single null byte stack overflow due to strcat usage was fixed in content path parsing. See [[Switch System Flaws]] for details.
* System Resource Size ([[NPDM]] +0x14) is now allowed to be non-zero for applets in addition to applications.
=====[[Process Manager services|PM]]=====
Memory management initialization was greatly changed:
* PM no longer hardcodes five memory profiles, and no longer calls smcGetConfig to determine which profile to use.
* Instead, PM now uses [[SVC|svcGetResourceLimitLimitValue]] to determine how much space the kernel has allotted for Application + Applet regions and [[SVC|svcGetSystemInfo]] to determine the total physical memory available, and sets the System region size to (Total Memory Size - Application region size - Applet region size - 5 MiB).
==See Also==
==See Also==
System update report(s):
System update report(s):
* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-18-18_08-35-09&sys=hac]
* [https://yls8.mtheall.com/ninupdates/reports.php?date=09-18-18_08-35-09&sys=hac]
{{NavboxVersions}}
[[Category:System versions]]