https://www.3dbrew.org/w/api.php?action=feedcontributions&user=Neobrain&feedformat=atom3dbrew - User contributions [en]2024-03-19T09:33:41ZUser contributionsMediaWiki 1.35.8https://www.3dbrew.org/w/index.php?title=KSession&diff=18440KSession2016-10-20T21:22:54Z<p>Neobrain: </p>
<hr />
<div>[[Category:Kernel objects]]<br />
class [[KSession]] extends [[KAutoObject]];<br />
<br />
Size : 0x4C bytes<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Type<br />
! Description<br />
|-<br />
| 0x0<br />
| [[KAutoObject]]<br />
| Base object<br />
|-<br />
| 0x20<br />
| [[KThread]]*<br />
| X ?<br />
|-<br />
| 0x24<br />
| [[KThread]]*<br />
| Y ?<br />
|-<br />
| 0x2C<br />
| [[KThread]]*<br />
| Z ?<br />
|}<br />
It seems X=Y=Z. X, Y and Z can be NULL.<br />
<br />
<br />
Structure for [[7.0.0-13]] NATIVE_FIRM upward:<br />
<br />
Size : 0x4C bytes<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Type<br />
! Description<br />
|-<br />
| 0x0<br />
| [[KAutoObject]]<br />
| Base object<br />
|-<br />
| 0x8<br />
| [[KServerSession]]<br />
| Server side object for the session<br />
|-<br />
| 0x2C<br />
| [[KClientSession]]<br />
| Client side object for the session<br />
|-</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Titles_With_Code_Symbols&diff=18439Titles With Code Symbols2016-10-20T18:55:47Z<p>Neobrain: </p>
<hr />
<div>This page lists titles containing any kind of useful symbol information.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Title name<br />
! Notes<br />
|-<br />
| Brunswick Pro Bowling<br />
| Contains an ELF binary with full symbol information in its RomFS root<br />
|-<br />
| Fire Emblem: If/Fates<br />
| All released versions of the game contain "name.StackTrace" and "addr.StackTrace" files in the "debug" folder in the RomFS, which provide full function names/signatures for the game's code.bin<br />
|-<br />
| Inazuma Eleven 3 Lightning Bolt / Team Ogre Attacks / Bomb Blast<br />
| CRO/CRS contains symbols<br />
|-<br />
| Mario Kart 7<br />
| Only the DLP-child has symbols, not the main app/update-title<br />
|-<br />
| Megaman Legacy Collection<br />
| CRO/CRS contains symbols<br />
|-<br />
| Pokémon Sun and Moon (demo)<br />
| CROs and ExeFS code binary contain symbols<br />
|-<br />
| Puzzle & Dragons Z + Puzzle & Dragons Super Mario Bros. Edition<br />
| CRO/CRS contains symbols<br />
|-<br />
| Rhythm Thief & the Emperor's Treasure<br />
| Code binary contains debug strings (the calls to functions referring to them are replaced by nops, though)<br />
|-<br />
| Steel Diver: Sub Wars<br />
| Newer versions of the update-title don't have the "map" file any more<br />
|-<br />
| Super Smash Bros.<br />
| CRO/CRS contains symbols<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Titles_With_Code_Symbols&diff=18438Titles With Code Symbols2016-10-20T18:48:47Z<p>Neobrain: Typography</p>
<hr />
<div>This page lists titles containing symbols in the RomFS for the ExeFS codebin.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Title name<br />
! Notes<br />
|-<br />
| Brunswick Pro Bowling<br />
| Contains an ELF binary with full symbol information in its RomFS root<br />
|-<br />
| Fire Emblem: If/Fates<br />
| All released versions of the game contain "name.StackTrace" and "addr.StackTrace" files in the "debug" folder in the RomFS, which provide full function names/signatures for the game's code.bin<br />
|-<br />
| Inazuma Eleven 3 Lightning Bolt / Team Ogre Attacks / Bomb Blast<br />
| CRO/CRS contains symbols<br />
|-<br />
| Mario Kart 7<br />
| Only the DLP-child has symbols, not the main app/update-title<br />
|-<br />
| Megaman Legacy Collection<br />
| CRO/CRS contains symbols<br />
|-<br />
| Pokémon Sun and Moon (demo)<br />
| CROs and ExeFS code binary contain symbols<br />
|-<br />
| Puzzle & Dragons Z + Puzzle & Dragons Super Mario Bros. Edition<br />
| CRO/CRS contains symbols<br />
|-<br />
| Steel Diver: Sub Wars<br />
| Newer versions of the update-title don't have the "map" file any more<br />
|-<br />
| Super Smash Bros.<br />
| CRO/CRS contains symbols<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Titles_With_Code_Symbols&diff=18437Titles With Code Symbols2016-10-20T18:48:13Z<p>Neobrain: </p>
<hr />
<div>This page lists titles containing symbols in the RomFS for the ExeFS codebin.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Title name<br />
! Notes<br />
|-<br />
| Brunswick Pro Bowling<br />
| Contains an ELF binary with full symbol information in its RomFS root.<br />
|-<br />
| Fire Emblem: If/Fates<br />
| All released versions of the game contain "name.StackTrace" and "addr.StackTrace" files in the "debug" folder in the RomFS, which provide full function names/signatures for the game's code.bin.<br />
|-<br />
| Inazuma Eleven 3 Lightning Bolt / Team Ogre Attacks / Bomb Blast<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Mario Kart 7<br />
| Only the DLP-child has symbols, not the main app/update-title.<br />
|-<br />
| Megaman Legacy Collection<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Pokémon Sun and Moon (demo)<br />
| CROs and ExeFS code binary contain symbols<br />
|-<br />
| Puzzle & Dragons Z + Puzzle & Dragons Super Mario Bros. Edition<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Steel Diver: Sub Wars<br />
| Newer versions of the update-title don't have the "map" file any more.<br />
|-<br />
| Super Smash Bros.<br />
| CRO/CRS contains symbols.<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Titles_With_Code_Symbols&diff=18429Titles With Code Symbols2016-10-18T08:58:46Z<p>Neobrain: \o/</p>
<hr />
<div>This page lists titles containing symbols in the RomFS for the ExeFS codebin.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Title name<br />
! Notes<br />
|-<br />
| Brunswick Pro Bowling<br />
| Contains an ELF binary with full symbol information in its RomFS root.<br />
|-<br />
| Fire Emblem: If/Fates<br />
| All released versions of the game contain "name.StackTrace" and "addr.StackTrace" files in the "debug" folder in the RomFS, which provide full function names/signatures for the game's code.bin.<br />
|-<br />
| Inazuma Eleven 3 Lightning Bolt / Team Ogre Attacks / Bomb Blast<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Mario Kart 7<br />
| Only the DLP-child has symbols, not the main app/update-title.<br />
|-<br />
| Megaman Legacy Collection<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Pokémon Sun and Moon (demo)<br />
|<br />
|-<br />
| Puzzle & Dragons Z + Puzzle & Dragons Super Mario Bros. Edition<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Steel Diver: Sub Wars<br />
| Newer versions of the update-title don't have the "map" file any more.<br />
|-<br />
| Super Smash Bros.<br />
| CRO/CRS contains symbols.<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Titles_With_Code_Symbols&diff=18428Titles With Code Symbols2016-10-18T08:57:16Z<p>Neobrain: </p>
<hr />
<div>This page lists titles containing symbols in the RomFS for the ExeFS codebin.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Title name<br />
! Notes<br />
|-<br />
| Brunswick Pro Bowling<br />
| Contains an ELF binary with full symbol information in its RomFS root.<br />
|-<br />
| Fire Emblem: If/Fates<br />
| All released versions of the game contain "name.StackTrace" and "addr.StackTrace" files in the "debug" folder in the RomFS, which provide full function names/signatures for the game's code.bin.<br />
|-<br />
| Inazuma Eleven 3 Lightning Bolt / Team Ogre Attacks / Bomb Blast<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Mario Kart 7<br />
| Only the DLP-child has symbols, not the main app/update-title.<br />
|-<br />
| Megaman Legacy Collection<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Puzzle & Dragons Z + Puzzle & Dragons Super Mario Bros. Edition<br />
| CRO/CRS contains symbols.<br />
|-<br />
| Steel Diver: Sub Wars<br />
| Newer versions of the update-title don't have the "map" file any more.<br />
|-<br />
| Super Smash Bros.<br />
| CRO/CRS contains symbols.<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Filesystem_services&diff=18425Filesystem services2016-10-17T08:39:16Z<p>Neobrain: (conclusion drawn from https://www.3dbrew.org/w/index.php?title=AM:ImportTwlBackup&curid=793&diff=18423&oldid=16892 )</p>
<hr />
<div>[[Category:Services]]<br />
<br />
= Services =<br />
== Filesystem service "fs:USER" ==<br />
You can at most have 32 FS archive handles.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Available since system version <br />
! Description<br />
! scope="col" width="400" | Required [[NCCH/Extended_Header|exheader]] access info bitmask<br />
|-<br />
| 0x000100C6<br />
|?<br />
| [[FS:Dummy1|Dummy1]]<br />
| None<br />
|-<br />
| 0x040100C4<br />
|?<br />
| [[FS:Control|Control]]<br />
| None<br />
|-<br />
| 0x08010002<br />
|?<br />
| [[FS:Initialize|Initialize]]<br />
| None<br />
|-<br />
| 0x080201C2<br />
|?<br />
| [[FS:OpenFile|OpenFile]]<br />
| None<br />
|-<br />
| 0x08030204<br />
|?<br />
| [[FS:OpenFileDirectly|OpenFileDirectly]]<br />
| None<br />
|-<br />
| 0x08040142<br />
|?<br />
| [[FS:DeleteFile|DeleteFile]]<br />
| None<br />
|-<br />
| 0x08050244<br />
|?<br />
| [[FS:RenameFile|RenameFile]]<br />
| None<br />
|-<br />
| 0x08060142<br />
|?<br />
| [[FS:DeleteDirectory|DeleteDirectory]]<br />
| None<br />
|-<br />
| 0x08070142<br />
|?<br />
| [[FS:DeleteDirectoryRecursively|DeleteDirectoryRecursively]]<br />
| None<br />
|-<br />
| 0x08080202<br />
|?<br />
| [[FS:CreateFile|CreateFile]]<br />
| None<br />
|-<br />
| 0x08090182<br />
|?<br />
| [[FS:CreateDirectory|CreateDirectory]]<br />
| None<br />
|-<br />
| 0x080A0244<br />
|?<br />
| [[FS:RenameDirectory|RenameDirectory]]<br />
| None<br />
|-<br />
| 0x080B0102<br />
|?<br />
| [[FS:OpenDirectory|OpenDirectory]]<br />
| None<br />
|-<br />
| 0x080C00C2<br />
|?<br />
| [[FS:OpenArchive|OpenArchive]]<br />
| Each archive ID code has separate access info bitmasks, if it has any<br />
|-<br />
| 0x080D0144<br />
|?<br />
| [[FS:ControlArchive|ControlArchive]]<br />
| None<br />
|-<br />
| 0x080E0080<br />
|?<br />
| [[FS:CloseArchive|CloseArchive]]<br />
| None<br />
|-<br />
| 0x080F0180<br />
|?<br />
| [[FS:Obsoleted_2_0_FormatThisUserSaveData|Obsoleted_2_0_FormatThisUserSaveData]]<br />
| None<br />
|-<br />
| 0x08100200<br />
|?<br />
| [[FS:Obsoleted_3_0_CreateSystemSaveData|Obsoleted_3_0_CreateSystemSaveData]]<br />
| 0x4, for when the input saveID doesn't match the exheader saveID<br />
|-<br />
| 0x08110040<br />
|?<br />
| [[FS:Obsoleted_3_0_DeleteSystemSaveData|Obsoleted_3_0_DeleteSystemSaveData]]<br />
| 0x1004, for when the input saveID doesn't match the exheader saveID<br />
|-<br />
| 0x08120080<br />
|?<br />
| [[FS:GetFreeBytes|GetFreeBytes]]<br />
| None<br />
|-<br />
| 0x08130000<br />
|?<br />
| [[FS:GetCardType|GetCardType]]<br />
| 0x1017<br />
|-<br />
| 0x08140000<br />
|?<br />
| [[FS:GetSdmcArchiveResource|GetSdmcArchiveResource]]<br />
| None<br />
|-<br />
| 0x08150000<br />
|?<br />
| [[FS:GetNandArchiveResource|GetNandArchiveResource]]<br />
| 0x1007<br />
|-<br />
| 0x08160000<br />
|?<br />
| [[FS:GetSdmcFatfsError|GetSdmcFatfsError]]<br />
| 0x2<br />
|-<br />
| 0x08170000<br />
|?<br />
| [[FS:IsSdmcDetected|IsSdmcDetected]]<br />
| None<br />
|-<br />
| 0x08180000<br />
|?<br />
| [[FS:IsSdmcWritable|IsSdmcWritable]]<br />
| None<br />
|-<br />
| 0x08190042<br />
|?<br />
| [[FS:GetSdmcCid|GetSdmcCid]]<br />
| 0x2<br />
|-<br />
| 0x081A0042<br />
|?<br />
| [[FS:GetNandCid|GetNandCid]]<br />
| 0x2<br />
|-<br />
| 0x081B0000<br />
|?<br />
| [[FS:GetSdmcSpeedInfo|GetSdmcSpeedInfo]]<br />
| 0x2<br />
|-<br />
| 0x081C0000<br />
|?<br />
| [[FS:GetNandSpeedInfo|GetNandSpeedInfo]]<br />
| 0x2<br />
|-<br />
| 0x081D0042<br />
|?<br />
| [[FS:GetSdmcLog|GetSdmcLog]]<br />
| 0x2<br />
|-<br />
| 0x081E0042<br />
|?<br />
| [[FS:GetNandLog|GetNandLog]]<br />
| 0x2<br />
|-<br />
| 0x081F0000<br />
|?<br />
| [[FS:ClearSdmcLog|ClearSdmcLog]]<br />
| 0x2<br />
|-<br />
| 0x08200000<br />
|?<br />
| [[FS:ClearNandLog|ClearNandLog]]<br />
| 0x2<br />
|-<br />
| 0x08210000<br />
|?<br />
| [[FS:CardSlotIsInserted|CardSlotIsInserted]]<br />
| 0x1017<br />
|-<br />
| 0x08220000<br />
|?<br />
| [[FS:CardSlotPowerOn|CardSlotPowerOn]]<br />
| 0x2<br />
|-<br />
| 0x08230000<br />
|?<br />
| [[FS:CardSlotPowerOff|CardSlotPowerOff]]<br />
| 0x2<br />
|-<br />
| 0x08240000<br />
|?<br />
| [[FS:CardSlotGetCardIFPowerStatus|CardSlotGetCardIFPowerStatus]]<br />
| 0x2<br />
|-<br />
| 0x08250040<br />
|?<br />
| [[FS:CardNorDirectCommand|CardNorDirectCommand]]<br />
| 0x2<br />
|-<br />
| 0x08260080<br />
|?<br />
| [[FS:CardNorDirectCommandWithAddress|CardNorDirectCommandWithAddress]]<br />
| 0x2<br />
|-<br />
| 0x08270082<br />
|?<br />
| [[FS:CardNorDirectRead|CardNorDirectRead]]<br />
| 0x2<br />
|-<br />
| 0x082800C2<br />
|?<br />
| [[FS:CardNorDirectReadWithAddress|CardNorDirectReadWithAddress]]<br />
| 0x2<br />
|-<br />
| 0x08290082<br />
|?<br />
| [[FS:CardNorDirectWrite|CardNorDirectWrite]]<br />
| 0x2<br />
|-<br />
| 0x082A00C2<br />
|?<br />
| [[FS:CardNorDirectWriteWithAddress|CardNorDirectWriteWithAddress]]<br />
| 0x2<br />
|-<br />
| 0x082B00C2<br />
|?<br />
| [[FS:CardNorDirectRead_4xIO|CardNorDirectRead_4xIO]]<br />
| 0x2<br />
|-<br />
| 0x082C0082<br />
|?<br />
| [[FS:CardNorDirectCpuWriteWithoutVerify|CardNorDirectCpuWriteWithoutVerify]]<br />
| 0x2<br />
|-<br />
| 0x082D0040<br />
|?<br />
| [[FS:CardNorDirectSectorEraseWithoutVerify|CardNorDirectSectorEraseWithoutVerify]]<br />
| 0x2<br />
|-<br />
| 0x082E0040<br />
|?<br />
| [[FS:GetProductInfo|GetProductInfo]]<br />
| 0x1005<br />
|-<br />
| 0x082F0040<br />
|?<br />
| [[FS:GetProgramLaunchInfo|GetProgramLaunchInfo]]<br />
| 0x1005<br />
|-<br />
| 0x08300182<br />
|?<br />
| [[FS:Obsoleted_3_0_CreateExtSaveData|Obsoleted_3_0_CreateExtSaveData]]<br />
| 0xC, for when the input extdataID doesn't match the exheader extdataID<br />
|-<br />
| 0x08310180<br />
|?<br />
| [[FS:Obsoleted_3_0_CreateSharedExtSaveData|Obsoleted_3_0_CreateSharedExtSaveData]]<br />
| 0x1005<br />
|-<br />
| 0x08320102<br />
|?<br />
| [[FS:Obsoleted_3_0_ReadExtSaveDataIcon|Obsoleted_3_0_ReadExtSaveDataIcon]]<br />
| 0x100D, for when the input extdataID doesn't match the exheader extdataID<br />
|-<br />
| 0x08330082<br />
|?<br />
| [[FS:Obsoleted_3_0_EnumerateExtSaveData|Obsoleted_3_0_EnumerateExtSaveData]]<br />
| 0x1005<br />
|-<br />
| 0x08340082<br />
|?<br />
| [[FS:Obsoleted_3_0_EnumerateSharedExtSaveData|Obsoleted_3_0_EnumerateSharedExtSaveData]]<br />
| 0x1005<br />
|-<br />
| 0x08350080<br />
|?<br />
| [[FS:Obsoleted_3_0_DeleteExtSaveData|Obsoleted_3_0_DeleteExtSaveData]]<br />
| 0x100D, for when the input extdataID doesn't match the exheader extdataID<br />
|-<br />
| 0x08360080<br />
|?<br />
| [[FS:Obsoleted_3_0_DeleteSharedExtSaveData|Obsoleted_3_0_DeleteSharedExtSaveData]]<br />
| 0x1005<br />
|-<br />
| 0x08370040<br />
|?<br />
| [[FS:SetCardSpiBaudRate|SetCardSpiBaudRate]]<br />
| 0x2<br />
|-<br />
| 0x08380040<br />
|?<br />
| [[FS:SetCardSpiBusMode|SetCardSpiBusMode]]<br />
| 0x2<br />
|-<br />
| 0x08390000<br />
|?<br />
| [[FS:SendInitializeInfoTo9|SendInitializeInfoTo9]]<br />
| None<br />
|-<br />
| 0x083A0100<br />
|?<br />
| [[FS:GetSpecialContentIndex|GetSpecialContentIndex]]<br />
| 0x1005<br />
|-<br />
| 0x083B00C2<br />
|?<br />
| [[FS:GetLegacyRomHeader|GetLegacyRomHeader]]<br />
| 0x1015<br />
|-<br />
| 0x083C00C2<br />
|?<br />
| [[FS:GetLegacyBannerData|GetLegacyBannerData]]<br />
| 0x1015<br />
|-<br />
| 0x083D0100<br />
|?<br />
| [[FS:CheckAuthorityToAccessExtSaveData|CheckAuthorityToAccessExtSaveData]]<br />
| 0x44<br />
|-<br />
| 0x083E00C2<br />
|?<br />
| [[FS:QueryTotalQuotaSize|QueryTotalQuotaSize]]<br />
| None<br />
|-<br />
| 0x083F00C0<br />
|?<br />
| [[FS:Obsoleted_3_0_GetExtDataBlockSize|Obsoleted_3_0_GetExtDataBlockSize]]<br />
| None<br />
|-<br />
| 0x08400040<br />
|?<br />
| [[FS:AbnegateAccessRight|AbnegateAccessRight]]<br />
|?<br />
|-<br />
| 0x08410000<br />
|?<br />
| [[FS:DeleteSdmcRoot|DeleteSdmcRoot]]<br />
| 0x1005<br />
|-<br />
| 0x08420040<br />
|?<br />
| [[FS:DeleteAllExtSaveDataOnNand|DeleteAllExtSaveDataOnNand]]<br />
| 0x1005<br />
|-<br />
| 0x08430000<br />
|?<br />
| [[FS:InitializeCtrFileSystem|InitializeCtrFileSystem]]<br />
| None<br />
|-<br />
| 0x08440000<br />
|?<br />
| [[FS:CreateSeed|CreateSeed]]<br />
| 0x2<br />
|-<br />
| 0x084500C2<br />
|?<br />
| [[FS:GetFormatInfo|GetFormatInfo]]<br />
|?<br />
|-<br />
| 0x08460102<br />
|?<br />
| [[FS:GetLegacyRomHeader2|GetLegacyRomHeader2]]<br />
| 0x1015<br />
|-<br />
| 0x08470180<br />
|?<br />
| [[FS:Obsoleted_2_0_FormatCtrCardUserSaveData|Obsoleted_2_0_FormatCtrCardUserSaveData]]<br />
| 0x6<br />
|-<br />
| 0x08480042<br />
|?<br />
| [[FS:GetSdmcCtrRootPath|GetSdmcCtrRootPath]]<br />
| 0x100D<br />
|-<br />
| 0x08490040<br />
|?<br />
| [[FS:GetArchiveResource|GetArchiveResource]]<br />
|?<br />
|-<br />
| 0x084A0002<br />
|?<br />
| [[FS:ExportIntegrityVerificationSeed|ExportIntegrityVerificationSeed]]<br />
| 0x4000<br />
|-<br />
| 0x084B0002<br />
|?<br />
| [[FS:ImportIntegrityVerificationSeed|ImportIntegrityVerificationSeed]]<br />
| 0x4000<br />
|-<br />
| 0x084C0242<br />
|?<br />
| [[FS:FormatSaveData|FormatSaveData]]<br />
| 0x6, in some cases this write isn't needed however<br />
|-<br />
| 0x084D0102<br />
|?<br />
| [[FS:GetLegacySubBannerData|GetLegacySubBannerData]]<br />
| 0x1015<br />
|-<br />
| 0x084E0342<br />
|?<br />
| [[FS:UpdateSha256Context|UpdateSha256Context]]<br />
| 0x5<br />
|-<br />
| 0x084F0102<br />
|?<br />
| [[FS:ReadSpecialFile|ReadSpecialFile]]<br />
| None<br />
|-<br />
| 0x08500040<br />
|?<br />
| [[FS:GetSpecialFileSize|GetSpecialFileSize]]<br />
| None<br />
|-<br />
| 0x08510242<br />
| [[3.0.0-5]]<br />
| [[FS:CreateExtSaveData|CreateExtSaveData]]<br />
| Shared extdata: 0x101005. Regular extdata in certain cases: 0xC<br />
|-<br />
| 0x08520100<br />
| [[3.0.0-5]]<br />
| [[FS:DeleteExtSaveData|DeleteExtSaveData]]<br />
| Shared extdata: 0x101005. Regular extdata in certain cases: 0x10100D<br />
|-<br />
| 0x08530142<br />
| [[3.0.0-5]]<br />
| [[FS:ReadExtSaveDataIcon|ReadExtSaveDataIcon]]<br />
| 0x10100D (this doesn't apply in certain cases, however)<br />
|-<br />
| 0x085400C0<br />
| [[3.0.0-5]]<br />
| [[FS:GetExtDataBlockSize|GetExtDataBlockSize]]<br />
| 0x10100D (this doesn't apply in certain cases, however)<br />
|-<br />
| 0x08550102<br />
| [[3.0.0-5]]<br />
| [[FS:EnumerateExtSaveData|EnumerateExtSaveData]]<br />
| 0x101005<br />
|-<br />
| 0x08560240<br />
| [[3.0.0-5]]<br />
| [[FS:CreateSystemSaveData|CreateSystemSaveData]]<br />
| 0x4 (this doesn't apply in certain cases, however)<br />
|-<br />
| 0x08570080<br />
| [[3.0.0-5]]<br />
| [[FS:DeleteSystemSaveData|DeleteSystemSaveData]]<br />
| 0x1004 (this doesn't apply in certain cases, however)<br />
|-<br />
| 0x08580000<br />
| [[3.0.0-5]]<br />
| [[FS:StartDeviceMoveAsSource|StartDeviceMoveAsSource]]<br />
| 0x2004<br />
|-<br />
| 0x08590200<br />
| [[3.0.0-5]]<br />
| [[FS:StartDeviceMoveAsDestination|StartDeviceMoveAsDestination]]<br />
| 0x2004<br />
|-<br />
| 0x085A00C0<br />
| [[3.0.0-5]]<br />
| [[FS:SetArchivePriority|SetArchivePriority]]<br />
| None<br />
|-<br />
| 0x085B0080<br />
| [[3.0.0-5]]<br />
| [[FS:GetArchivePriority|GetArchivePriority]]<br />
| None<br />
|-<br />
| 0x085C00C0<br />
| [[3.0.0-5]]<br />
| [[FS:SetCtrCardLatencyParameter|SetCtrCardLatencyParameter]]<br />
| 0xE<br />
|-<br />
| 0x085D01C0<br />
| [[3.0.0-5]]<br />
| [[FS:SetFsCompatibilityInfo|SetFsCompatibilityInfo]]<br />
| 0x100001<br />
|-<br />
| 0x085E0040<br />
| [[3.0.0-5]]<br />
| [[FS:ResetCardCompatibilityParameter|ResetCardCompatibilityParameter]]<br />
| 0xE<br />
|-<br />
| 0x085F0040<br />
| [[3.0.0-5]]<br />
| [[FS:SwitchCleanupInvalidSaveData|SwitchCleanupInvalidSaveData]]<br />
| 0x12004<br />
|-<br />
| 0x08600042<br />
| [[3.0.0-5]]<br />
| [[FS:EnumerateSystemSaveData|EnumerateSystemSaveData]]<br />
| 0x2004<br />
|-<br />
| 0x08610042<br />
| [[3.0.0-5]]<br />
| [[FS:InitializeWithSdkVersion|InitializeWithSdkVersion]]<br />
| None<br />
|-<br />
| 0x08620040<br />
| [[3.0.0-5]]<br />
| [[FS:SetPriority|SetPriority]]<br />
| None<br />
|-<br />
| 0x08630000<br />
| [[3.0.0-5]]<br />
| [[FS:GetPriority|GetPriority]]<br />
| None<br />
|-<br />
| 0x08640000<br />
| [[3.0.0-5]]<br />
| [[FS:Obsoleted_4_0_GetNandInfo|Obsoleted_4_0_GetNandInfo]]<br />
| Stubbed, this returns an error<br />
|-<br />
| 0x08650140<br />
| [[4.0.0-7]]<br />
| [[FS:SetSaveDataSecureValue|SetSaveDataSecureValue]]<br />
| 0x121004 (in certain cases this doesn't apply, however)<br />
|-<br />
| 0x086600C0<br />
| [[4.0.0-7]]<br />
| [[FS:GetSaveDataSecureValue|GetSaveDataSecureValue]]<br />
| 0x121004 (in certain cases this doesn't apply, however)<br />
|-<br />
| 0x086700C4<br />
| [[4.0.0-7]]<br />
| [[FS:ControlSecureSave|ControlSecureSave]]<br />
| 0x121004<br />
|-<br />
| 0x08680000<br />
| [[4.0.0-7]]<br />
| [[FS:GetMediaType|GetMediaType]]<br />
| None<br />
|-<br />
| 0x08690000<br />
| [[4.0.0-7]]<br />
| [[FS:Obsoleted_4_0_GetNandEraseCount|Obsoleted_4_0_GetNandEraseCount]]<br />
| Stubbed, this returns an error.<br />
|-<br />
| 0x086A0082<br />
| [[4.0.0-7]]<br />
| [[FS:ReadNandReport|ReadNandReport]]<br />
| None<br />
|-<br />
| 0x086B00C2<br />
|?<br />
|?<br />
| 00121004<br />
|-<br />
| 0x086C00C2<br />
|?<br />
|?<br />
| 00121004<br />
|-<br />
| 0x086D0040<br />
|?<br />
|?<br />
| 00020004<br />
|-<br />
| 0x086E00C0<br />
|?<br />
|?<br />
|None?<br />
|-<br />
| 0x086F0040<br />
|?<br />
|?<br />
| 0xE<br />
|-<br />
| 0x087000C2<br />
|?<br />
|?<br />
|None?<br />
|-<br />
| 0x08710100<br />
|?<br />
|?<br />
| 0xC<br />
|-<br />
| 0x087201C0<br />
|?<br />
|?<br />
| 00080004<br />
|-<br />
| 0x087300C0<br />
|?<br />
|?<br />
| 00080004<br />
|-<br />
| 0x08740000<br />
|?<br />
|?<br />
| 00080004<br />
|-<br />
| 0x08750140<br />
|?<br />
|?<br />
|None?<br />
|-<br />
| 0x087600C0<br />
|?<br />
|?<br />
|None?<br />
|-<br />
| 0x08770100<br />
|?<br />
|?<br />
|?<br />
|-<br />
| 0x087800C0<br />
|?<br />
|?<br />
|?<br />
|-<br />
| 0x087900C2<br />
| ?<br />
| Same as GetLegacyBannerData, except for the last parameter this passes u8 value 0x1 instead of 0x0, for the FSPXI command.<br />
| 0x00101015<br />
|-<br />
| 0x087A0180<br />
| [[9.6.0-24|9.6.0-X]]<br />
| [[FS:AddSeed|AddSeed]]<br />
| 0x00200000<br />
|-<br />
| 0x087B....<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Wrapper for the code internally used for command <0x087A....>.<br />
| 0x00200000<br />
|-<br />
| 0x087C....<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Eventually calls same code as command <0x087A....>.<br />
| 0x00200000<br />
|-<br />
| 0x087D0000<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Writes an u32 from state to cmdreply[2]. Probably the total number of titles in the SEEDDB?<br />
| 0x00200000<br />
|-<br />
| 0x087E0042<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Eventually calls same code as command <0x087A....>. Writes a list of titleIDs to the outbuf, this is for titles with content-lock-seed(s) stored in SEEDDB. (u32 total_titleids_probably, ((Size<<4) <nowiki>|</nowiki> 12), outbufptr)<br />
| 0x00200000<br />
|-<br />
| 0x087F....<br />
| [[9.6.0-24|9.6.0-X]]<br />
| ?<br />
| 0x00200000<br />
|-<br />
| 0x0880....<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Eventually calls same code as command <0x087A....>.<br />
| 0x00200000<br />
|-<br />
| 0x0881....<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Eventually calls same code as command <0x087A....>.<br />
| 0x00200000<br />
|-<br />
| 0x0882....<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Eventually calls same code as command <0x087A....>.<br />
| 0x00200000<br />
|-<br />
| 0x08830000<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Writes an output value to cmdreply[2].<br />
| 0x00200000<br />
|-<br />
| 0x08840042<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Eventually calls same code as command <0x087A....>.<br />
| 0x00200000<br />
|-<br />
| 0x0885....<br />
| [[9.6.0-24|9.6.0-X]]<br />
| ?<br />
| 0x00200000<br />
|-<br />
| 0x088600C0<br />
| [[11.1.0-34|11.1.0-X]]<br />
| [[FS:CheckUpdatedDat|CheckUpdatedDat]]<br />
| 0x00080000<br />
|}<br />
<br />
Note: The question marks from Dummy1 to GetSpecialFileSize on the "available since system version" field are mainly there because I think that most of these are necessary for the main system to function, so theoretically that would mean that since the creation of the 3DS these were available, or since launch if that makes more sense. But because of the peculiar nature of some of the functions, they will remain question marks until they can be confirmed 100%.<br />
<br />
When access rights are required for a command, at least one of the bits in the process access info specified in the above table for the command must be set. Error 0xD9004676 is returned when a process attempts to use a command which it doesn't have access rights for the command. The exheader access info field is all zero's for most applications. Note that the permissions listed in the above table is for system-version v2.x, therefore permission bit(s) added with newer FIRM may be missing from this.<br />
<br />
Each session for fs:USER has separate permissions, initially these are set to all zero's for new fs:USER sessions. The permissions/etc for fs:USER sessions are initialized via [[FS:Initialize]](loaded from the user process exheader).<br />
<br />
== Filesystem service "fs:LDR" ==<br />
This service is identical to fs:USER, except [[FS:OpenArchive]] archive 0x2345678E can only be accessed with fs:LDR.<br />
<br />
== ProgramRegistry service "fs:REG" ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x000100C6<br />
| [[FSReg:Dummy1|Dummy1]]<br />
|-<br />
| 0x040103C0<br />
| [[FSReg:Register|Register]]<br />
|-<br />
| 0x04020040<br />
| [[FSReg:Unregister|Unregister]]<br />
|-<br />
| 0x040300C0<br />
| [[FSReg:GetProgramInfo|GetProgramInfo]]<br />
|-<br />
| 0x04040100<br />
| [[FSReg:LoadProgram|LoadProgram]]<br />
|-<br />
| 0x04050080<br />
| [[FSReg:UnloadProgram|UnloadProgram]]<br />
|-<br />
| 0x04060080<br />
| [[FSReg:CheckHostLoadId|CheckHostLoadId]]<br />
|}<br />
<br />
Only two sessions can be opened for this service at a time, hence no other processes can use this due to [[Process_Manager_Services|pm-module]] and [[Loader_Services|loader]] using this.<br />
<br />
=File and directory access=<br />
<br />
Files and directories are represented through handles returned by e.g. [[FS:OpenFile]] and [[FS:OpenDirectory]]. Contrary to kernel object handles, these are global and hence can easily be shared between any two processes.<br />
<br />
==Files==<br />
File session handles obtained via [[FS:OpenFile]] et al can be used to access files through a service-like interface, despite not being an actual service registered using [[SRV:RegisterService]].<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x000100C6<br />
| [[FSFile:Dummy1|Dummy1]]<br />
|-<br />
| 0x040100C4<br />
| [[FSFile:Control|Control]]<br />
|-<br />
| 0x08010100<br />
| [[FSFile:OpenSubFile|OpenSubFile]]<br />
|-<br />
| 0x080200C2<br />
| [[FSFile:Read|Read]]<br />
|-<br />
| 0x08030102<br />
| [[FSFile:Write|Write]]<br />
|-<br />
| 0x08040000<br />
| [[FSFile:GetSize|GetSize]]<br />
|-<br />
| 0x08050080<br />
| [[FSFile:SetSize|SetSize]]<br />
|-<br />
| 0x08060000<br />
| [[FSFile:GetAttributes|GetAttributes]]<br />
|-<br />
| 0x08070040<br />
| [[FSFile:SetAttributes|SetAttributes]]<br />
|-<br />
| 0x08080000<br />
| [[FSFile:Close|Close]]<br />
|-<br />
| 0x08090000<br />
| [[FSFile:Flush|Flush]]<br />
|-<br />
| 0x080A0040<br />
| [[FSFile:SetPriority|SetPriority]]<br />
|-<br />
| 0x080B0000<br />
| [[FSFile:GetPriority|GetPriority]]<br />
|-<br />
| 0x080C0000<br />
| [[FSFile:OpenLinkFile|OpenLinkFile]]<br />
|-<br />
| 0x0C010100<br />
| [[FSFile:GetAvailable|GetAvailable]]<br />
|}<br />
<br />
==Directories==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Available since system version<br />
! Description<br />
|-<br />
| 0x000100C6<br />
| [[1.0.0-0]]<br />
| [[FSDir:Dummy1|Dummy1]]<br />
|-<br />
| 0x040100C4<br />
| [[1.0.0-0]]<br />
| [[FSDir:Control|Control]]<br />
|-<br />
| 0x08010042<br />
| [[1.0.0-0]]<br />
| [[FSDir:Read|Read]]<br />
|-<br />
| 0x08020000<br />
| [[1.0.0-0]]<br />
| [[FSDir:Close|Close]]<br />
|-<br />
| 0x08030040<br />
| ?<br />
| [[FSDir:SetPriority|SetPriority]]<br />
|-<br />
| 0x08040000<br />
| ?<br />
| [[FSDir:GetPriority|GetPriority]]<br />
|}<br />
<br />
= Archives =<br />
{| class="wikitable" border="1"<br />
|-<br />
! ArchiveId<br />
! Description<br />
! Accessible via [[Filesystem_services|FS]]<br />
! Accessible via [[Filesystem_services_PXI|FSPXI]]<br />
! Only accessible by Process9 internally<br />
! Requires binary [[FS:OpenFile|Lowpath]]<br />
! Required exheader FS access info bitmask<br />
|-<br />
| 0x00000003<br />
| Application [[#RomFS|RomFS]]<br />
| Yes<br />
| No<br />
| No<br />
| No<br />
| None<br />
|-<br />
| 0x00000004<br />
| SaveData (the saveID/mediatype for this is loaded from data originally from the user process' exheader)<br />
| Yes<br />
| No<br />
| No<br />
| No<br />
| None<br />
|-<br />
| 0x00000006<br />
| ExtSaveData<br />
| Yes<br />
| No<br />
| No<br />
| Yes<br />
| 0x100D, when the input extdataID isn't listed in the exheader.<br />
|-<br />
| 0x00000007<br />
| Shared ExtSaveData<br />
| Yes<br />
| No<br />
| No<br />
| Yes<br />
| None<br />
|-<br />
| 0x00000008<br />
| SystemSaveData<br />
| Yes<br />
| No<br />
| No<br />
| Yes<br />
| 0x4, when the input saveID doesn't match the exheader system-saveID.<br />
|-<br />
| 0x00000009<br />
| SDMC<br />
| Yes<br />
| Yes<br />
| No<br />
| No<br />
| 0x8E<br />
|-<br />
| 0x0000000A<br />
| SDMC Write-Only<br />
| Yes<br />
| No<br />
| No<br />
| No<br />
| 0x808E<br />
|-<br />
| 0x12345678<br />
| ExtSaveData for BOSS<br />
| Yes<br />
| No<br />
| No<br />
| Yes<br />
| 0x44<br />
|-<br />
| 0x12345679<br />
| CARD SPI FS<br />
| Yes<br />
| Yes<br />
| No<br />
| No<br />
| 0x16<br />
|-<br />
| 0x1234567B<br />
| ExtSaveData, and ExtSaveData for BOSS<br />
| No<br />
| Yes<br />
| No<br />
| Yes<br />
| <br />
|-<br />
| 0x1234567C<br />
| SystemSaveData<br />
| No<br />
| Yes<br />
| No<br />
| Yes<br />
| <br />
|-<br />
| 0x1234567D<br />
| NAND RW<br />
| Yes<br />
| Yes<br />
| No<br />
| No<br />
| 0x800<br />
|-<br />
| 0x1234567E<br />
| NAND RO<br />
| Yes<br />
| Yes<br />
| No<br />
| No<br />
| 0x200<br />
|-<br />
| 0x1234567F<br />
| NAND RO Write FS<br />
| No<br />
| Yes<br />
| No<br />
| No<br />
| ?<br />
|-<br />
| 0x12345680<br />
| Unknown. There's code for this in spider v9.9, but that code isn't actually used.<br />
| Yes<br />
| ?<br />
| No<br />
| Yes<br />
| ?<br />
|-<br />
| 0x12345681<br />
| Unknown. Accessed by FS service.<br />
| ?<br />
| ?<br />
| No<br />
| ?<br />
| ?<br />
|-<br />
| 0x12345682<br />
| Unknown. There's code for this in spider v9.9, but that code isn't actually used.<br />
| Yes<br />
| ?<br />
| No<br />
| Yes<br />
| ?<br />
|-<br />
| 0x2345678A<br />
| Used for accessing general NCCH data. With FSPXI this also allows savedata access.<br />
| Yes<br />
| Yes<br />
| No<br />
| Yes<br />
| 0x1005<br />
|-<br />
| 0x2345678B<br />
| ?<br />
| No<br />
| No<br />
| Yes<br />
| Yes<br />
| <br />
|-<br />
| 0x2345678C<br />
| Used internally to access [[Title_Database|/dbs]] files?<br />
| No<br />
| No<br />
| Yes<br />
| Yes<br />
| <br />
|-<br />
| 0x2345678D<br />
| ?<br />
| No<br />
| No<br />
| Yes<br />
| No<br />
| <br />
|-<br />
| 0x2345678E<br />
| FSPXI: Similar to archive 0x2345678A. For fs:LDR(used by the "loader" FIRM ARM11-process), only ExeFS. Not accessible with fs:USER.<br />
| Yes<br />
| Yes<br />
| No<br />
| Yes<br />
| None, see description.<br />
|-<br />
| 0x567890AB<br />
| NAND CTR FS<br />
| No<br />
| Yes<br />
| No<br />
| No<br />
| ?<br />
|-<br />
| 0x567890AC<br />
| TWL PHOTO<br />
| Yes<br />
| Yes<br />
| No<br />
| No<br />
| ?<br />
|-<br />
| 0x567890AD<br />
| TWLS (DSi Sound stores recordings here). This is mapped to the FAT12 image stored in the file at [[Twln/shared2/0000]].<br />
| No<br />
| Yes<br />
| No<br />
| No<br />
| ?<br />
|-<br />
| 0x567890AE<br />
| NAND TWL FS<br />
| Yes<br />
| Yes<br />
| No<br />
| No<br />
| 0x100<br />
|-<br />
| 0x567890AF<br />
| NAND W FS<br />
| Yes<br />
| Yes<br />
| No<br />
| No<br />
| 0x100<br />
|-<br />
| 0x567890B0<br />
| ?<br />
| No<br />
| Yes<br />
| No<br />
| No<br />
| <br />
|-<br />
| 0x567890B1<br />
| Gamecard SaveData (for check). This is a wrapper for UserSaveDataForCheck: the OpenArchive code for that is called with archive-lowpath TID=0/mediatype=2(gamecard).<br />
| Yes<br />
| No<br />
| No<br />
| No<br />
| 0x6<br />
|-<br />
| 0x567890B2<br />
| UserSaveData (for check). This is the same as the regular SaveData archive, except with this the savedata ID and mediatype is loaded from the input archive lowpath.<br />
| Yes<br />
| No<br />
| No<br />
| Yes<br />
| 0x6<br />
|-<br />
| 0x567890B4<br />
| ? SaveData from Demo Version of Retail Game<br />
| Yes<br />
| No<br />
| No<br />
| No<br />
| ?<br />
|}<br />
<br />
Archives listed as not requiring a binary lowpath, use lowpath type [[FS:OpenFile|empty]].<br />
<br />
The above permission bitmasks are from v2.x, see the above Services section for how these are handled.<br />
<br />
Archives CTR NAND, NAND RO Write FS, TWL NAND, NAND W FS, and CARD SPI FS require the corresponding process exheader access control mount flag to be set, in the exheader for any of the currently running ARM11 processes, for [[Filesystem_services_PXI|FSPXI]]. The access rights checked by [[Filesystem services|FS]] module for archive mounting with fs:USER, are stored in the process' exheader accessinfo.<br />
<br />
The CARDSPI archive allows access to the gamecard CARD1 raw savedata flash(aka "cardspi:/" in [[FIRM|Process9]]), the file lowpath must be WCHAR "/". The "NAND W FS" archive allows access to the raw NAND image(aka "wnand:/" in Process9), the file lowpath must be WCHAR "/".<br />
<br />
= Filenames and Paths =<br />
PathType:<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| -1<br />
| Returned internally by Process9, when errors occur it seems(in particular when no nul-terminator was found in the input path). The data ptr is set to NULL.<br />
|-<br />
| 0x0<br />
| INVALID - Specifies an invalid path<br />
|-<br />
| 0x1<br />
| EMPTY - Specifies an empty path<br />
|-<br />
| 0x2<br />
| BINARY - Non-text based path. Meaning is per-archive<br />
|-<br />
| 0x3<br />
| ASCII - Text-based path with 7-bit ASCII characters padded to 8-bits each (signed char)<br />
|-<br />
| 0x4<br />
| UTF16 - Text-based path with UTF-16 characters<br />
|}<br />
<br />
In IPC requests, sizes of ASCII and UTF16 paths must include space for the null-terminator. <br />
<br />
== Binary LowPath ==<br />
The format of the data that a binary LowPath points to is custom per archive.<br />
<br />
=== SystemSaveData Archive Path Data Format ===<br />
==== FS ====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index word<br />
! Description<br />
|-<br />
| 0 <br />
| [[Mediatypes|Mediatype]] (must be zero for NAND)<br />
|-<br />
| 1<br />
| saveid<br />
|}<br />
The file/directory lowpath is a text lowpath in the [[Savegames|savegame]] filesystem.<br />
<br />
==== FSPXI ====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index word<br />
! Description<br />
|-<br />
| 0 <br />
| u8 [[Mediatypes|Mediatype]] (must be zero for NAND)<br />
|}<br />
The file lowpath is a binary lowpath containing the u64 saveid, however the high word of the saveid is always zero. The mounted file is the cleartext savegame image. Up to 32 SystemSaveData image files can be opened under a single mounted FSPXI archive.<br />
<br />
=== UserSaveDataForCheck Archive Path Data Format ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index word<br />
! Description<br />
|-<br />
| 0 <br />
| [[Mediatypes|Mediatype]] (must be non-zero)<br />
|-<br />
| 1<br />
| Lower word saveid<br />
|-<br />
| 2<br />
| Upper word saveid<br />
|}<br />
The file/directory lowpath for this FS archive is a text path in the [[Savegames|savegame]] filesystem.<br />
<br />
=== ExtSaveData Archive Path Data Format ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index word<br />
! Description<br />
|-<br />
| 0 <br />
| [[Mediatypes|Mediatype]]<br />
|-<br />
| 1<br />
| Lower word saveid<br />
|-<br />
| 2<br />
| Upper word saveid<br />
|}<br />
For FS, the file/directory lowpath is a text path in the [[extdata]] filesystem. For FSPXI, the file lowpath is a text path relative to the "/extdata/<ExtdataIDHigh>/<ExtdataIDLow>" directory on SD/NAND, for the cleartext extdata image to mount.<br />
<br />
=== 0x2345678A Archive Path Data Format ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index word<br />
! Description<br />
|-<br />
| 0<br />
| Lower word programID<br />
|-<br />
| 1<br />
| Upper word programID<br />
|-<br />
| 2 <br />
| [[Mediatypes|Mediatype]]<br />
|-<br />
| 3<br />
| Reserved<br />
|}<br />
<br />
File lowpath:<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index word<br />
! Description<br />
|-<br />
| 0<br />
| 0 for NCCH data, 1 for savedata. The latter is only valid for FSPXI. Value 2 is allowed via archive 0x3, it's unknown what this is.<br />
|-<br />
| 1<br />
| TMD content index / NCSD partition index.<br />
|-<br />
| 2<br />
| Type: 0=romfs(0 for non-NCCH as well), 1=exefs ".code"(?), 2=exefs "icon"/"banner"/"logo", 3=unknown, 4=unknown, 5=unknown.<br />
|-<br />
| 3-4<br />
| Filename for ExeFS.<br />
|}<br />
<br />
The 0x14-byte lowpath is all-zero for accessing the title's main RomFS.<br />
<br />
=== [[RomFS]] ===<br />
<br />
Archives 0x3 and 0x2345678E both allow for accessing the [[RomFS#Level_3_Format|level-3 IVFC images]] for RomFS access. The main CXI RomFS is accessible via an all-zero 0xc-byte binary file-lowpath. The update RomFS can be accessed with the first u32 in the binary file-lowpath being set to 0x5. The user must handle parsing the filesystem used in the exposed image itself.<br />
<br />
The 0x3 archive is an interface for the 0x2345678E archive with the current process programID+mediatype. The file lowpath is 3-words. These words are written to 0x2345678E-archive file_lowpath+0, with the rest of that lowpath set to all-zero(lowpath is different from archive 0x2345678A). File lowpath:<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index word<br />
! Description<br />
|-<br />
| 0<br />
| See above. The only values which FS-module doesn't allow to be used here are:<br />
* 0x1: Error 0xE0E046BE.<br />
* 0x3: Error 0xE0E046BE.<br />
* 0x4: FS-module executes svcBreak when using this.<br />
|-<br />
| 1-2<br />
| See above. Not validated by FS-module.<br />
|}<br />
<br />
=SEEDDB=<br />
With [[9.6.0-24|9.6.0-X]] new [[System_SaveData]] with saveID 0001000F was added, this seems to be handled by FS-module itself, probably via the new service-cmds added to fsuser. [[Home Menu]] and [[NIM_Services|NIM]] module have access to those commands.<br />
<br />
The SEEDDB savedata contains the title-unique seed-data used for the new [[NCCH]] keyY generation added with FIRM [[9.6.0-24|9.6.0-X]].<br />
<br />
= Common Types =<br />
== MediaType ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| 0<br />
| NAND<br />
|-<br />
| 1<br />
| SD<br />
|-<br />
| 2<br />
| Game Card<br />
|}<br />
<br />
== SystemMediaType ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| 0<br />
| CTR NAND<br />
|-<br />
| 1<br />
| TWL NAND<br />
|-<br />
| 2<br />
| SD<br />
|-<br />
| 2<br />
| TWL Photo<br />
|}<br />
<br />
== OpenFlags ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bit<br />
! Description<br />
|-<br />
| 0<br />
| Read<br />
|-<br />
| 1<br />
| Write<br />
|-<br />
| 2<br />
| Create<br />
|}<br />
<br />
== Attributes ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x1<br />
| Is Directory<br />
|-<br />
| 0x1<br />
| 0x1<br />
| Is Hidden<br />
|-<br />
| 0x2<br />
| 0x1<br />
| Is Archive<br />
|-<br />
| 0x3<br />
| 0x1<br />
| Is Read-Only<br />
|}<br />
<br />
== WriteOption ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x1<br />
| Flush<br />
|-<br />
| 0x1<br />
| 0x1<br />
| Update Time Stamp<br />
|-<br />
| 0x2<br />
| 0x1<br />
| Reserved<br />
|-<br />
| 0x3<br />
| 0x1<br />
| Reserved<br />
|}<br />
<br />
== DirectoryEntry ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x20C<br />
| UTF-16 Entry Name<br />
|-<br />
| 0x20C<br />
| 0xA<br />
| 8.3 short filename name<br />
|-<br />
| 0x216<br />
| 0x4<br />
| 8.3 short filename extension<br />
|-<br />
| 0x21A<br />
| 0x1<br />
| Always 1<br />
|-<br />
| 0x21B<br />
| 0x1<br />
| Reserved<br />
|-<br />
| 0x21C<br />
| 0x4<br />
| [[Filesystem_services#Attributes|Attributes]]<br />
|-<br />
| 0x220<br />
| 0x8<br />
| Entry Size<br />
|}<br />
<br />
== ArchiveResource ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x4<br />
| Sector byte-size<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Cluster byte-size<br />
|-<br />
| 0x8<br />
| 0x4<br />
| Partition capacity in clusters<br />
|-<br />
| 0xC<br />
| 0x4<br />
| Available free space in clusters<br />
|}<br />
<br />
== ProgramInfo ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x8<br />
| Program ID<br />
|-<br />
| 0x8<br />
| 0x1<br />
| [[Filesystem_services#MediaType|Media Type]]<br />
|-<br />
| 0x9<br />
| 0x7<br />
| Padding<br />
|}<br />
<br />
== ProductInfo ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| Product Code<br />
|-<br />
| 0x10<br />
| 0x2<br />
| Company Code<br />
|-<br />
| 0x12<br />
| 0x2<br />
| Remaster Version<br />
|}<br />
<br />
== IntegrityVerificationSeed ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| AES-CBC MAC over a SHA256 hash, which hashes the first 0x110-bytes of the cleartext SEED.<br />
|-<br />
| 0x10<br />
| 0x120<br />
| The [[nand/private/movable.sed]], encrypted with AES-CTR using the above MAC for the counter.<br />
|}<br />
<br />
== ExtSaveDataInfo ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x1<br />
| [[Filesystem_services#MediaType|Media Type]]<br />
|-<br />
| 0x1<br />
| 0x1<br />
| Unknown<br />
|-<br />
| 0x2<br />
| 0x2<br />
| Reserved<br />
|-<br />
| 0x4<br />
| 0x8<br />
| Save ID<br />
|-<br />
| 0xC<br />
| 0x4<br />
| Reserved<br />
|}<br />
<br />
== SystemSaveDataInfo ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x1<br />
| [[Filesystem_services#MediaType|Media Type]]<br />
|-<br />
| 0x1<br />
| 0x1<br />
| Unknown<br />
|-<br />
| 0x2<br />
| 0x2<br />
| Reserved<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Save ID<br />
|}<br />
<br />
== SecureValueSlot ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| 0x1000<br />
| SD Application<br />
|}<br />
<br />
== CardSpiBaudRate ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| 0x0<br />
| 512KHz<br />
|-<br />
| 0x1<br />
| 1MHz<br />
|-<br />
| 0x2<br />
| 2MHz<br />
|-<br />
| 0x3<br />
| 4MHz<br />
|-<br />
| 0x4<br />
| 8MHz<br />
|-<br />
| 0x5<br />
| 16MHz<br />
|}<br />
<br />
== CardSpiBusMode ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| 0x0<br />
| 1-bit<br />
|-<br />
| 0x1<br />
| 4-bit<br />
|}<br />
<br />
== SpecialContentType ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| 0x1<br />
| Update<br />
|-<br />
| 0x2<br />
| Manual<br />
|-<br />
| 0x3<br />
| DLP Child<br />
|}<br />
<br />
== DeviceMoveContext ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| IVs<br />
|-<br />
| 0x10<br />
| 0x10<br />
| Encrypt Parameter<br />
|}<br />
<br />
=Errors=<br />
See [[Filesystem_services_PXI]].</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Multi-threading&diff=18416Multi-threading2016-10-12T20:48:59Z<p>Neobrain: /* Threads */</p>
<hr />
<div>This page documents all kernel functionality for managing multiple processes and threads as well as handling synchronization between them.<br />
<br />
= Processes =<br />
<br />
Each process is given an array of [[NCCH/Extended_Header#ARM11_Kernel_Capabilities|kernel capability descriptors]] upon creation (see CreateProcess). Official software forwards the descriptors specified in the [[NCCH#Extended_Header|NCCH exheader]].<br />
<br />
Any process can only use SVCs which are enabled in its kernel capability descriptors. This is enforced by the ARM11 kernel SVC handler by checking the syscall access control mask stored on the SVC-mode stack. If the SVC isn't enabled, a kernelpanic() is triggered. Each process has a separate SVC-mode stack; this stack and the syscall access mask stored here are initialized when the process is started. Applications normally only have access to SVCs <=0x3D, however not all SVCs <=0x3D are accessible to the application. The majority of the SVCs accessible to applications are unused by the application.<br />
<br />
Each process has a separate handle-table, the size of which is stored in the kernel capability descriptor. The handles in a handle-table can't be used in the context of other processes, since those handles don't exist in other handle-tables.<br />
<br />
0xFFFF8001 is a handle alias for the current process.<br />
<br />
Calling svcBreak on retail will only terminate the process which called this SVC.<br />
<br />
== Usage ==<br />
<br />
=== CreateCodeSet ===<br />
(behavior unconfirmed)<br />
<br />
Allocates memory for a process according to the given CodeSetInfo contents and copies the segment data from the given memory locations to the allocated memory.<br />
<br />
=== CreateProcess ===<br />
(behavior unconfirmed)<br />
<br />
Sets up a process using the segments managed by the given CodeSet handle.<br />
<br />
This system call furthermore processes the [[NCCH/Extended_Header#ARM11_Kernel_Capabilities|kernel capabilities]] from the [[NCCH/Extended_Header|ExHeader]], hence setting up virtual address mappings, CPU clock frequency/L2 cache configuration, and other things.<br />
<br />
=== Run ===<br />
(behavior unconfirmed)<br />
<br />
Sets up the main process thread and appends it to the scheduler queue.<br />
<br />
The argc, argv, and envp fields from the given StartupInfo structure are ignored.<br />
<br />
== struct CodeSetInfo ==<br />
All addresses are given virtual for the process to be created.<br />
All sizes are given in 0x1000-pages.<br />
<br />
{| class="wikitable" border="1"<br />
! Type<br />
! Field<br />
|-<br />
| u8[8]<br />
| Codeset Name<br />
|-<br />
| u16<br />
| Unknown, this is written to field 0x5A of KCodeSet<br />
|-<br />
| u16<br />
| Unknown/padding<br />
|-<br />
| u32<br />
| Unknown/padding<br />
|-<br />
| u32<br />
| .text addr<br />
|-<br />
| u32<br />
| .text size<br />
|-<br />
| u32<br />
| .rodata start<br />
|-<br />
| u32<br />
| .rodata size<br />
|-<br />
| u32<br />
| RW addr (.data + .bss)<br />
|-<br />
| u32<br />
| RW size (.data + .bss)<br />
|-<br />
| u32<br />
| Total .text pages<br />
|-<br />
| u32<br />
| Total .rodata pages<br />
|-<br />
| u32<br />
| Total RW pages (.data + .bss)<br />
|-<br />
| u32<br />
| Unknown/padding<br />
|-<br />
| u8[8]<br />
| Program ID<br />
|}<br />
<br />
= Threads =<br />
<br />
For Kernel implementation details, see [[KThread]].<br />
<br />
Though it is possible to run multi-threaded programs, running those on different cores is not possible "as-is". One core is always dedicated to the OS, hence you will never get 100% of both cores.<br />
<br />
Using CloseHandle() with a KThread handle will terminate the specified thread only if the reference count reaches 0.<br />
<br />
Lower priority values give the thread higher priority. For userland apps, priorities between 0x18 and 0x3F are allowed. The priority of the app's main thread seems to be 0x30.<br />
<br />
The [[Glossary#appcore|appcore]] thread scheduler primarily uses a cooperative design, therefore if a thread takes up all the CPU time (for example if it enters an endless loop), all the other threads that run on the same CPU core won't get a chance to run. The main way of yielding another thread is using an address arbiter. In certain cases, execution of the current task may be preempted regardless, for instance when a thread was waiting on svcSendSyncRequest to return.<br />
<br />
0xFFFF8000 is a handle alias for the currently active thread.<br />
<br />
== Usage ==<br />
<br />
=== CreateThread ===<br />
'''svc''' : 0x08<br />
<br />
'''Signature'''<br />
Result CreateThread(Handle* thread, func entrypoint, u32 arg, u32 stacktop, s32 threadpriority, s32 processorid);<br />
<br />
'''Configuration'''<br />
R0=s32 threadpriority<br />
R1=func entrypoint<br />
R2=u32 arg<br />
R3=u32 stacktop<br />
R4=s32 processorid<br />
<br />
Result result=R0<br />
Handle* thread=R1<br />
<br />
'''Details'''<br />
<br />
Creates a new thread in the current process which will begin execution at the given entrypoint. The SP CPU register will be initialized to stacktop, while r0 will be initialized to the given arg.<br />
<br />
The input address used for Entrypoint_Param and StackTop are normally the same, but they may be chosen arbitrarily. For the main thread (created in svcRun), the Entrypoint_Param is value 0.<br />
<br />
The stacktop must be aligned to 0x8-bytes, otherwise when not aligned to 0x8-bytes the ARM11 kernel clears the low 3-bits of the stacktop address.<br />
<br />
The processorid parameter specifies which processor the thread can run on. Non-negative values correspond to a specific CPU. (e.g. 0 for the Appcore and 1 for the Syscore on Old3DS) Special value -1 means all CPUs, and -2 means the default CPU for the process (Read from the [[NCCH/Extended Header|Exheader]], usually 0 for applications, 1 for system services). Games usually create threads using -2.<br />
<br />
The thread priority value must be in the range 0x0..0x3F. Otherwise, error 0xE0E01BFD is returned.<br />
<br />
With the Old3DS kernel, the s32 processorid must be <=2 (for the processorid validation check in the kernel). With the New3DS kernel, the processorid validation check requires processorid to be less than or equal to <total cores(MPCore "SCU Configuration Register" CPU number value + 1)>, and a number of additional constraints apply: When processorid==0x2 and the process is not a BASE mem-region process, exheader kernel-flags bitmask 0x2000 must be set (otherwise error 0xD9001BEA is returned). When processorid==0x3 and the process is not a BASE mem-region process, error 0xD9001BEA is returned. These are the only restriction checks done by the kernel for processorid.<br />
<br />
=== ExitThread ===<br />
'''svc''' : 0x09<br />
<br />
'''Signature'''<br />
void ExitThread(void);<br />
<br />
=== SleepThread ===<br />
'''svc''' : 0x0A<br />
<br />
'''Signature'''<br />
void SleepThread(s64 nanoseconds);<br />
<br />
=== GetThreadPriority ===<br />
'''svc''' : 0x0B<br />
<br />
'''Signature'''<br />
Result GetThreadPriority(s32* priority, Handle thread);<br />
<br />
'''asm'''<br />
.global svcGetThreadPriority<br />
.type svcGetThreadPriority, %function<br />
svcGetThreadPriority:<br />
str r0, [sp, #-0x4]!<br />
svc 0x0B<br />
ldr r3, [sp], #4<br />
str r1, [r3]<br />
bx lr<br />
<br />
=== SetThreadPriority ===<br />
'''svc''' : 0x0C<br />
<br />
'''Signature'''<br />
Result SetThreadPriority(Handle thread, s32 priority);<br />
<br />
=== OpenThread ===<br />
'''svc''' : 0x34<br />
<br />
'''Signature'''<br />
Result OpenThread(Handle* thread, Handle process, u32 threadId);<br />
<br />
=== GetProcessIdOfThread ===<br />
'''svc''' : 0x36<br />
<br />
'''Signature'''<br />
Result GetProcessIdOfThread(u32* processId, Handle thread);<br />
<br />
=== GetThreadId ===<br />
'''svc''' : 0x37<br />
<br />
'''Signature'''<br />
Result GetThreadId(u32* threadId, Handle thread);<br />
<br />
'''Details'''<br />
It seems that only the thread itself or one of its parent can get the ID. Calling this on the handle of a sibling or parent seems to always yield the ID 0.<br />
<br />
=== GetThreadInfo ===<br />
'''svc''' : 0x2C<br />
<br />
'''Signature'''<br />
Result GetThreadInfo(s64* out, Handle thread, ThreadInfoType type);<br />
<br />
''' Details '''<br />
This requests always return an error when called, it only checks if the handle is a thread or not. <br />
Hence, it will return 0xD8E007ED (BAD_ENUM) if the Handle is a Thread Handle, 0xD8E007F7 (BAD_HANDLE) if it isn't.<br />
<br />
=== GetThreadContext ===<br />
'''svc''' : 0x3B<br />
<br />
'''Signature'''<br />
Result GetThreadContext(ThreadContext* context, Handle thread);<br />
<br />
'''Details'''<br />
Stubbed?<br />
<br />
== Core affinity == <br />
<br />
The cores are numbered from 0 to 1 for Old 3DS and 0 to 3 for the new 3DS.<br />
<br />
=== GetThreadAffinityMask ===<br />
'''svc''' : 0x0D<br />
<br />
'''Signature'''<br />
Result GetThreadAffinityMask(u8* affinitymask, Handle thread, s32 processorcount);<br />
<br />
=== SetThreadAffinityMask ===<br />
'''svc''' : 0x0E<br />
<br />
'''Signature'''<br />
Result SetThreadAffinityMask(Handle thread, u8* affinitymask, s32 processorcount);<br />
<br />
=== GetThreadIdealProcessor ===<br />
'''svc''' : 0x0F<br />
<br />
'''Signature'''<br />
Result GetThreadIdealProcessor(s32* processorid, Handle thread);<br />
<br />
=== SetThreadIdealProcessor ===<br />
'''svc''' : 0x10<br />
<br />
=== APT:SetApplicationCpuTimeLimit ===<br />
<br />
See [[APT:SetApplicationCpuTimeLimit]].<br />
<br />
You are not able to use the system core (core1) by default. You have to first assign the amount of time dedicated to the system.<br />
The value is in percent, the higher it is, the more the system will be available for your application. <br />
<br />
For example if you set this value to 25%, it means that your application will be able to use 25% of the system core at most, even if you never issue system calls.<br />
<br />
If you set the value to a non-zero value, you will not be able to set it back to 0%.<br />
Keep in mind that if your application is heavily dependant on the system, setting a high value for your application might yield poorer performance than if you had set a low value.<br />
<br />
=== APT:GetApplicationCpuTimeLimit ===<br />
<br />
See [[APT:GetApplicationCpuTimeLimit]].<br />
<br />
== Debug == <br />
<br />
=== GetThreadList ===<br />
<br />
=== GetDebugThreadContext ===<br />
<br />
=== SetDebugThreadContext ===<br />
<br />
=== GetDebugThreadParam ===<br />
<br />
= Synchronization =<br />
<br />
Synchronization can be performed via WaitSynchronization on any handles deriving from [[KSynchronizationObject]]. The semantic meaning of the call depends on the particular object type referred to by the given handle:<br />
<br />
* KClientPort: Wakes if max sessions not reached (free session available)<br />
* KClientSession: Always false?<br />
* KDebug: ???<br />
* KDmaObject: ???<br />
* KEvent: Waits until the event is signaled<br />
* KInterruptEvent: ???<br />
* KMutex: Acquires a lock on the mutex (blocks until this succeeds)<br />
* KProcess: Waits until the process exits<br />
* KSemaphore: This consumes a value from the semaphore count, if possible, otherwise continues to wait<br />
* KServerPort: Waits for a new client connection, upon which svcAcceptSession is ready to be called<br />
* KServerSession: Waits for an IPC command to be submitted to the server process<br />
* KThread: Waits until the thread terminates<br />
* KTimer: Wakes when timer activates (this also clears the timer if it is oneshot)<br />
<br />
Most synchronization systems seem to have both a "normal" and "light-weight" version<br />
<br />
== Mutex ==<br />
<br />
For Kernel implementation details, see [[KMutex]]<br />
<br />
=== CreateMutex ===<br />
<br />
/!\ It seems that the mutex will not be available once the thread that created it is destroyed <br />
<br />
=== ReleaseMutex ===<br />
<br />
== Semaphore ==<br />
<br />
== Event ==<br />
<br />
== Address Arbiters ==<br />
<br />
Address arbiters are a low-level primitive to implement synchronization based on a counter stored at some user-specified virtual memory address. Address arbiters are used to put the current thread to sleep until the counter is signaled. Both of these tasks are implemented in ArbitrateAddress.<br />
<br />
Address arbiters are implemented by [[KAddressArbiter]].<br />
<br />
===CreateAddressArbiter===<br />
Result CreateAddressArbiter(Handle* arbiter)<br />
<br />
Creates an address arbiter handle for use with ArbitrateAddress.<br />
<br />
=== ArbitrateAddress ===<br />
Result ArbitrateAddress(Handle arbiter, u32 addr, ArbitrationType type, s32 value, s64 nanoseconds)<br />
<br />
if <code>type</code> is SIGNAL, the ArbitrateAddress call will resume up to <code>value</code> of the threads waiting on <code>addr</code> using an arbiter, starting with the highest-priority threads. If <code>value</code> is negative, all of these threads are released. <code>nanoseconds</code> remains unused in this mode.<br />
<br />
The other modes are used to (conditionally) put the current thread to sleep based on the memory word at virtual address <code>addr</code> until another thread signals that address using ArbitrateAddress with the <code>type</code> SIGNAL. WAIT_IF_LESS_THAN will put the current thread to sleep if that word is smaller than <code>value</code>. DECREMENT_AND_WAIT_IF_LESS_THAN will furthermore decrement the memory value before the comparison. WAIT_IF_LESS_THAN_TIMEOUT and DECREMENT_AND_WAIT_IF_LESS_THAN_TIMEOUT will do the same as their counterparts, but will have thread execution resume if <code>nanoseconds</code> nanoseconds pass without <code>addr</code> being signaled.<br />
<br />
=== enum ArbitrationType ===<br />
{| class="wikitable" border="1"<br />
! Address arbitration type<br />
! Value<br />
|-<br />
| SIGNAL<br />
| 0<br />
|-<br />
| WAIT_IF_LESS_THAN<br />
| 1<br />
|-<br />
| DECREMENT_AND_WAIT_IF_LESS_THAN<br />
| 2<br />
|-<br />
| WAIT_IF_LESS_THAN_TIMEOUT<br />
| 3<br />
|-<br />
| DECREMENT_AND_WAIT_IF_LESS_THAN_TIMEOUT<br />
| 4<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/RequestEntryRange&diff=18364Template:IPC/RequestEntryRange2016-10-07T16:47:56Z<p>Neobrain: This should hopefully work</p>
<hr />
<div>|-<br />
| {{#var:ipc_offset}}-{{#expr: {{#var:ipc_offset}} + {{{1}}} - 1}}{{#vardefine:ipc_offset|{{#expr: {{#var:ipc_offset}} + {{{1}}}}}}}<br />
| {{{2}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/RequestEntryRange&diff=18363Template:IPC/RequestEntryRange2016-10-07T16:46:05Z<p>Neobrain: testing.</p>
<hr />
<div>|-<br />
| {{#var:ipc_offset}}-{{#expr: {{#var:ipc_offset}} + 1}}{{#vardefine:ipc_offset|{{#expr: {{#var:ipc_offset}} + {{1}}}}}}<br />
| {{{2}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/RequestEntryRange&diff=18362Template:IPC/RequestEntryRange2016-10-07T16:43:20Z<p>Neobrain: Created page with "|- | {{#var:ipc_offset}}-{{#expr: {{#var:ipc_offset}} + {{1}} - 1}}{{#vardefine:ipc_offset|{{#expr: {{#var:ipc_offset}} + {{1}}}}}} | {{{2}}}"</p>
<hr />
<div>|-<br />
| {{#var:ipc_offset}}-{{#expr: {{#var:ipc_offset}} + {{1}} - 1}}{{#vardefine:ipc_offset|{{#expr: {{#var:ipc_offset}} + {{1}}}}}}<br />
| {{{2}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=3DS_System_Flaws&diff=183083DS System Flaws2016-09-27T16:43:31Z<p>Neobrain: </p>
<hr />
<div>Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of publicly known system flaws, for userland applications/applets flaws see [[3DS_Userland_Flaws|here]].<br />
<br />
=Stale / Rejected Efforts=<br />
* Neimod has been working on a RAM dumping setup for a little while now. He's de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS' PCB up to a custom RAM dumping setup. A while ago he published photos showing his setup to be working quite well, with the 3DS successfully booting up. However, his flickr stream is now private along with most of his work.<br />
<br />
* Someone (who will remain unnamed) has released CFW and CIA installers, all of which is copied from the work of others, or copyrighted material.<br />
<br />
==Tips and info==<br />
The 3DS uses the XN feature of the ARM11 processor. There's no official way from applications to enable executable permission for memory containing arbitrary unsigned code(there's a [[SVC]] for this, but only [[RO_Services|RO-module]] has access to it). An usable userland exploit would still be useful: you could only do return-oriented-programming with it initially. From ROP one could then exploit system flaw(s), see below.<br />
<br />
SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped(accessing SD data is far easier by running code on the target 3DS however).<br />
<br />
=System flaws=<br />
== Hardware ==<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with hardware model/revision<br />
! Newest hardware model/revision this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| ARM9/ARM11 bootrom vectors point at unitialized RAM<br />
| ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM. <br />
Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc.<br />
The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.<br />
<br />
This requires *very* *precise* timing for triggering the hardware fault: it's unknown if anyone actually exploited this successfully at the time of writing(the one who attempted+discovered it *originally* as listed in this wiki section hasn't).<br />
| None: all available 3DS models at the time of writing have the exact same ARM9/ARM11 bootrom for the unprotected areas.<br />
| New3DS<br />
| End of February 2014<br />
| [[User:Derrek|derrek]], WulfyStylez (May 2015) independently<br />
|-<br />
| Missing AES key clearing<br />
| The hardware AES engine does not clear keys when doing a hard reset/reboot.<br />
| None<br />
| New3DS<br />
| August 2014<br />
| Mathieulh/Others<br />
|-<br />
| No RAM clearing on reboots<br />
| On an MCU-triggered reboot all RAM including FCRAM/ARM9 memory/AXIWRAM/VRAM keeps its contents.<br />
| None<br />
| New3DS<br />
| March 2014<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| 32bits of actual console-unique TWLNAND keydata<br />
| On retail the 8-bytes at ARM9 address [[Memory_layout|0x01FFB808]] are XORed with hard-coded data, to generate the TWL console-unique keys, including TWLNAND. On Old3DS the high u32 is always 0x0, while on New3DS that u32 is always 0x2. On top of this, the lower u32's highest bit is always ORed. only 31 bits of the TWL console-unique keydata / TWL consoleID are actually console-unique.<br />
This allows one to easily bruteforce the TWL console-unique keydata with *just* data from TWLNAND. On DSi the actual console-unique data for key generation is 8-bytes(all bytes actually set).<br />
| None<br />
| New3DS<br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| DSi / 3DS-TWL key-generator<br />
| After using the key generator to generate the normal-key, you could overwrite parts of the normal-key with your own data and then recover the key-generator output by comparing the new crypto output with the original crypto output. From the normal-key outputs, you could deduce the TWL key-generator function.<br />
This applies to the keyX/keyY too.<br />
<br />
This attack does not work for the 3DS key-generator because keyslots 0-3 are only for TWL keys.<br />
| None<br />
| New3DS<br />
| 2011<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| 3DS key-generator<br />
| The algorithm for generating the normal-keys for keyslots is cryptographically weak. As a result, it is easily susceptible to differential cryptanalysis if the normal-key corresponding to any scrambler-generated keyslot is discovered.<br />
<br />
Several such pairs of matching normal-keys and KeyY values were found, leading to deducing the key-generator function.<br />
| None<br />
| New3DS<br />
| February 2015<br />
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]<br />
|-<br />
| FIRM partitions known-plaintext<br />
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.<br />
<br />
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).<br />
<br />
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.<br />
| None<br />
| New3DS<br />
| <br />
| Everyone<br />
|}<br />
<br />
== ARM9 software ==<br />
=== arm9loader ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Rearrangable keys in the NAND keystore<br />
| Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way. Combining this with the arm9loaderhax and uncleared hash keydata vulnerabilities, one can achieve arm9loaderhax without downgrading to a system version that exposes the OTP data, or using a hardware method. The NAND keystore must be encrypted with console-unique data; therefore, this is not achievable on Old 3DS or 2DS.<br />
| arm9loaderhax achieveable with no extra hardware and without downgrading to a system version which exposes the OTP.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Early 2016<br />
| 27 September 2016<br />
| Everyone (not neobrain though, nor a bunch of other people), #Cakey on Freenode, Myria, [[User:Dark samus|dark_samus]]; mathieulh (independently); [[User:Plutooo|plutoo]] (independently)<br />
|-<br />
| Uncleared OTP hash keydata in console-unique 0x11 key-generation<br />
| Kernel9Loader does not clear the [[SHA_Registers#SHA_HASH|SHA_HASH register]] after use. As a result, the data stored here as K9L hands over to Kernel9 is the hash of [[OTP_Registers|OTP data]] used to seed the [[FIRM#New_3DS_FIRM|console-unique NAND keystore decryption key]] set on keyslot 0x11.<br />
<br />
Retrieving this keydata and the [[Flash_Filesystem#0x12C00|NAND keystore]] of the same device allows calculating the decrypted New3DS NAND keystore (non-unique, common to all New3DS units), which contains AES normal keys, also set on keyslot 0x11, which are then used to derive all current [[AES_Registers#Keyslots|New3DS-only AES keyXs]] including the newer batch introduced in [[9.6.0-24#arm9loader|9.6.0-X]]. From there, it is trivial to perform the same key derivation in order to initialize those keys on any system version, and even on Old3DS.<br />
<br />
This can be performed by exploiting the "arm9loaderhax" vulnerability to obtain post-K9L code execution after an MCU reboot (the bootrom section-loading fail is not relevant here, this attack was performed without OTP data by brute-forcing keys), and using this to dump the SHA_HASH register. This attack works on any FIRM version shipping a vulnerable version of K9L, whereas OTP dumping required a boot of <[[3.0.0-6|3.0.0-X]].<br />
<br />
This attack results in obtaining the entire (0x200-bytes) NAND keystore - it was confirmed at a later date that this keystore is encrypted with the same key (by comparing the decrypted data from multiple units), and therefore using another key in this store will not remedy the issue as all keys are known (i.e. later, unused keys decrypt to the same 0x200-bytes constant with the same OTP hash). Later keys could have been encrypted differently but this is not the case. As a result of this, it is not possible for Nintendo to use K9L again in its current format for its intended purpose, though this was not news from the moment people dumped a New3DS OTP.<br />
| Derivation of all New3DS keys generated via the NAND keystore (0x1B "Secure4" etc.)<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| ~April 2015, implemented in May 2015<br />
| 13 January 2016<br />
| [[User:WulfyStylez|WulfyStylez]], [[User:Dazzozo|Dazzozo]], [[User:Shinyquagsire23|shinyquagsire23]] (complimentary + implemented), [[User:Plutooo|plutoo]], Normmatt (discovered independently)<br />
|-<br />
| enhanced-arm9loaderhax<br />
| See the 32c3 3ds talk.<br />
Since this is a combination of a trick with the arm9-bootrom + arm9loaderhax, and since you have to manually write FIRM to the firm0/firm1 NAND partitions, this can't be completely fixed. Any system with existing ARM9 code execution and an OTP/OTP hash dump can exploit this. Additionally, by using the FIRM partition known-plaintext bug and bruteforcing the second entry in the keystore, this can currently be exploited on all New3DS systems without any other prerequisite hacks.<br />
| arm9loaderhax which automatically occurs at hard-boot.<br />
| See arm9loaderhax / description.<br />
| See arm9loaderhax / description.<br />
| Theorized around mid July, 2015. Later implemented+tested by [[User:Plutooo|plutoo]] and derrek.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Missing verification-block for the 9.6 keys (arm9loaderhax)<br />
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, no verification block was added to verify that the new key read from NAND is correct. This was technically an issue from [[9.5.0-22|9.5.0-X]] with the original sector+0 keydata, however the below is only possible with [[9.6.0-24|9.6.0-X]] since keyslots 0x15 and 0x16 are generated from different 0x11 keyXs.<br />
<br />
Writing an incorrect key to NAND will cause arm9loader to decrypt the ARM9 kernel as garbage and then jump to it.<br />
<br />
This allows an hardware-based attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process with various input keydata, eventually you'll find some garbage that jumps to your code.<br />
<br />
This gives very early ARM9 code execution (pre-ARM9 kernel). As such, it is possible to dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init. <br />
<br />
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.<br />
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March, 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Uncleared New3DS keyslot 0x11<br />
| Originally the New3DS [[FIRM]] arm9bin loader only cleared keyslot 0x11 when it gets executed at firmlaunch. This was fixed with [[9.5.0-22|9.5.0-X]] by completely clearing keyslot 0x11 immediately after the loader finishes using keyslot 0x11.<br />
This means that any ARM9 code that can execute before the loader clears the keyslot at firmlaunch(including firmlaunch-hax) can get access to the uncleared keyslot 0x11, which then allows one to generate all <=v9.5 New3DS keyXs which are generated by keyslot 0x11.<br />
<br />
Therefore, to completely fix this the loader would have to generate more keys using different keyslot 0x11 keydata. This was done with [[9.6.0-24|9.6.0-X]].<br />
| New3DS keyXs generation<br />
| Mostly fixed with [[9.5.0-22|9.5.0-X]], completely fixed with new keys with [[9.6.0-24|9.6.0-X]].<br />
| <br />
| February 3, 2015 (one day after [[9.5.0-22|9.5.0-X]] release)<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Process9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Leak of normal-key matching a key-scrambler key<br />
| New 3DS firmware versions [[8.1.0-0 New3DS|8.1.0]] through [[9.2.0-20|9.2.0]] set the encryption key for [[Amiibo]] data using a hardcoded normal-key in Process9. In firmware [[9.3.0-21|9.3.0]], Nintendo "fixed" this by using the key scrambler instead, by calculating the keyY value for keyslot 0x39 that results in the same normal-key, then hardcoding that keyY into Process9.<br />
<br />
Nintendo's fix is actually the problem: Nintendo revealed the normal-key matching an unknown keyX and a known keyY. Combined with the key scrambler using an insecure scrambling algorithm (see "Hardware" above), the key scrambler function could be deduced.<br />
| Deducing the keyX for keyslot 0x39 and the key scrambler algorithm<br />
| New 3DS [[9.3.0-21|9.3.0-X]], sort of<br />
| [[10.0.0-27|10.0.0-X]]<br />
| Sometime in 2015 after the hardware key-generator was broken.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Leak of normal-key matching a key-generator key<br />
| During the 3DS' development (June/July 2010) Nintendo added support installing encrypted content ([[CIA]]). Common-key index1 was intended to be a [[AES|hardware generated key]]. However while they added code to generate the key in hardware, they forgot to remove the normal-key for index1 (used elsewhere, likely old debug code). Nintendo later removed the normal key sometime before the first non-prototype firmware release.<br />
<br />
<br />
Knowing the keyY and the normal-key for common-key index1, the devkit key-generator algorithm can be deduced (see "Hardware" above). Additionally the remaining devkit common-keys can be generated once the common-key keyX is recovered.<br />
<br />
Note the devkit key-generator was discovered to be the same as the retail key-generator.<br />
| Deducing the keyX for keyslot 0x3D and hardware key-generator algorithm. Generate remaining devkit common-keys.<br />
| pre-[[1.0.0-0|1.0.0-X]]<br />
| <br />
| Shortly after the key-generator was revealed to be flawed at the 32c3 3ds talk<br />
| January 20, 2016<br />
| [[User:Jakcron|jakcron]]<br />
|-<br />
| ntrcardhax<br />
| <br />
| ARM9 code execution<br />
| 10.4.0-29<br />
| <br />
| March 2015<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Title downgrading via [[Application_Manager_Services|AM]]([[Application_Manager_Services_PXI|PXI]])<br />
| When a title is *already* installed, Process9 will compare the installed title-version with the title-version being installed. When the one being installed is older, Process9 would return an error.<br />
<br />
However, this can be bypassed by just deleting the title first via the service command(s) for that: with the title removed from the [[Title_Database]], Process9 can't compare the input title-version with anything. Hence, titles can be downgraded this way.<br />
<br />
[[11.0.0-33|11.0.0-X]] fixed this for key system titles (MSET, Home Menu, spider, ErrDisp, SKATER, NATIVE_FIRM, and every retail system module), by checking the version of the title to install against a hard-coded list of (titleID, minimumVersionRequired) pairs.<br />
| Bypassing title version check at installation, which then allows downgrading any title.<br />
| [[11.0.0-33|11.0.0-X]], for key system titles.<br />
| NATIVE_FIRM / AM-sysmodule [[11.0.0-33|11.0.0-X]]<br />
| ?<br />
| <br />
| ?<br />
|-<br />
| FAT FS code null-deref<br />
| When FSFile:Read is used with a file which is corrupted on a FAT filesystem(in particular SD), Process9 can crash. This particular crash is caused by a function returning NULL instead of an actual ptr due to an error. The caller of that function doesn't check for NULL which then triggers a read based at NULL.<br />
<br />
Sample "fsck.vfat -n -v -V <fat image backup>" output for the above crash:<br />
<br />
<pre>...<br />
Starting check/repair pass.<br />
<FilePath0> and<br />
<FilePath1><br />
share clusters.<br />
Truncating second to 3375104 bytes.<br />
<FilePath1><br />
File size is 2787392 bytes, cluster chain length is 16384 bytes.<br />
Truncating file to 16384 bytes.<br />
Checking for unused clusters.<br />
Reclaimed 1 unused cluster (16384 bytes).<br />
Checking free cluster summary.<br />
Free cluster summary wrong (1404490 vs. really 1404491)<br />
Auto-correcting.<br />
Starting verification pass.<br />
Checking for unused clusters.<br />
Leaving filesystem unchanged.</pre><br />
| Useless null-based-read<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| July 8-9, 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| RSA signature padding checks<br />
| The TWL_FIRM RSA sig padding check code used for all TWL RSA sig-checks has issues, see [[FIRM|here]].<br />
The main 3DS RSA padding check code(non-certificate, including NATIVE_FIRM) uses the function used with the above to extract more padding + the actual hash from the additional padding. This isn't really a problem here because there's proper padding check code which is executed prior to this.<br />
| <br />
| None<br />
| [[9.5.0-22|9.5.0-X]]<br />
| March 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ValidateDSiWareSectionMAC]] [[AES_Registers|AES]] keyslot reuse<br />
| When the input DSiWare section index is higher than <max number of DSiWare sections supported by this FIRM>, Process9 uses keyid 0x40 for calculating the AESMAC, which translates to keyslot 0x40. The result is that the keyslot is left at whatever was already selected before, since the AES selectkeyslot code will immediately return when keyslot is >=0x40. However, actually exploiting this is difficult: the calculated AESMAC is never returned, this command just compares the calculated AESMAC with the input AESMAC(result-code depends on whether the AESMACs match). It's unknown whether a timing attack would work with this.<br />
This is basically a different form of the pxips9 keyslot vuln, except with AESMAC etc.<br />
| See description.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March 15, 2015<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| pxips9 [[AES_Registers|AES]] keyslot reuse<br />
| This requires access to the [[Process_Services|ps:ps]]/pxi:ps9 services. One way to get access to this would be snshax on system-version <=10.1.0-X(see 32c3 3ds talk).<br />
When an invalid key-type value is passed to any of the PS commands, Process9 will try to select keyslot 0x40. That aesengine_setkeyslot() code will then immediately return due to the invalid keyslot value. Since that function doesn't return any errors, Process9 will just continue to do crypto with whatever AES keyslot was selected before the PS command was sent.<br />
| Reusing the previously used keyslot, for crypto with PS.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Roughly the same time(same day?) as firmlaunch-hax.<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| firmlaunch-hax: FIRM header ToCToU<br />
| This can't be exploited from ARM11 userland.<br />
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.<br />
With [[9.5.0-22]] the address of this FIRM header was changed from a FCRAM address, to ARM9-only address 0x01fffc00.<br />
| ARM9 code execution<br />
| [[9.5.0-22]]<br />
| <br />
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Uninitialized data output for (PXI) command replies<br />
| PXI commands for various services(including some [[Filesystem_services_PXI|here]] and many others) can write uninitialized data (like from ARM registers) to the command reply. This happens with stubbed commands, but this can also occur with certain commands when returning an error.<br />
Certain ARM11 service commands have this same issue as well.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| ?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Filesystem_services_PXI|FSPXI]] OpenArchive SD permissions<br />
| Process9 does not use the exheader ARM9 access-mount permission flag for SD at all.<br />
This would mean ARM11-kernelmode code / fs-module itself could directly use FSPXI to access SD card without ARM9 checking for SD access, but this is rather useless since a process is usually running with SD access(Home Menu for example) anyway.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ExportDSiWare]] export path<br />
| Process9 allocates memory on Process9 heap for the export path then verifies that the actual allocated size matches the input size. Then Process9 copies the input path from FCRAM to this buffer, and uses it with the Process9 FS openfile code, which use paths in the form of "<mountpoint>:/<path>".<br />
Process9 does not check the contents of this path at all before passing it to the FS code, besides writing a NUL-terminator to the end of the buffer.<br />
| Exporting of DSiWare to arbitrary Process9 file-paths, such as "nand:/<path>" etc. This isn't really useful since the data which gets written can't be controlled.<br />
| None<br />
| [[9.5.0-22]]<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DSiWare_Exports]] [[CTCert]] verification<br />
| Just like DSi originally did, 3DS verifies the APCert for DSiWare on SD with the CTCert also in the DSiWare .bin. On DSi this was fixed with with system-version 1.4.2 by verifying with the actual console-unique cert instead(stored in NAND), while on 3DS it's still not(?) fixed.<br />
On 3DS however this is rather useless, due to the entire DSiWare .bin being encrypted with the console-unique movable.sed keyY.<br />
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.<br />
| Unknown, probably none.<br />
| ?<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size<br />
| The u8 REG_CTRCARDCNT transfer-size parameter for the [[Gamecard_Services_PXI]] read/write CTRCARD commands is used as an index for an array of u16 values. Before [[5.0.0-11|5.0.0-X]] this u8 value wasn't checked, thus out-of-bounds reads could be triggered(which is rather useless in this case).<br />
| Out-of-bounds read for a value which gets written to a register.<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] cmdbuf buffer overrun<br />
| The Process9 code responsible [[PXI_Registers|PXI]] communications didn't verify the size of the incoming command before writing it to a C++ member variable. <br />
| Probably ARM9 code execution<br />
| [[5.0.0-11|5.0.0-11]]<br />
| <br />
| March 2015, original timeframe if any unknown<br />
| <br />
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)<br />
|-<br />
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])<br />
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| May 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Process_Services_PXI|PS RSA]] commands buffer overflows<br />
| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.<br />
The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] pxi_id bad check<br />
| The Process9 code responsible for [[PXI_Registers|PXI]] communications read pxi_id as a signed char. There were two flaws:<br />
* They used it as index to a lookup-table without checking the value at all.<br />
* Another function verified that pxi_id < 7, allowing negative values to pass the check. This would also cause an out-of-range table-lookup.<br />
| Maybe ARM9 code execution<br />
| [[3.0.0-5|3.0.0-5]]<br />
|<br />
| March 2015, originally 2012 for the first issue at least<br />
| <br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]], maybe others(?)<br />
|}<br />
<br />
=== Kernel9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9<br />
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.<br />
<br />
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).<br />
<br />
This flaw resurged when it gained a new practical use: retrieving the OTP data for a New3DS console in order to decrypt the key data used in arm9loader (see enhanced-arm9loaderhax / description). This was performed by downgrading to a vulnerable system version. By accounting for differences in CTR-NAND crypto (0x05 -> 0x04, see partition encryption types [[Flash_Filesystem#NAND_structure|here]]), it is possible to boot a New3DS using Old3DS firmware 1.0-2.X and an Old3DS [[NCSD#NCSD_header|NCSD Header]] to retrieve the required OTP data using this flaw.<br />
| Dumping of the [[OTP Registers|OTP]] area<br />
| [[3.0.0-5|3.0.0-X]]<br />
|<br />
| February 2015<br />
| [[User:Plutooo|plutoo]], Normmatt independently<br />
|}<br />
<br />
== ARM11 software ==<br />
=== Kernel11 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[SVC]] table too small<br />
| The table of function pointers for SVC's only contains entries up to 0x7D, but the biggest allowed SVC for the table is 0x7F. Thus, executing SVC7E or SVC7F would make the SVC-handler read after the buffer, and interpret some ARM instructions as function pointers.<br />
<br />
However, this would require patching the kernel .text or modifying SVC-access-control. Even if you could get these to execute, they would still jump to memory that isn't mapped as executable.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| 2012<br />
| Everyone<br />
|-<br />
| [[SVC|svcBackdoor (0x7B)]]<br />
| This backdoor allows executing SVC-mode code at the user-specified code-address. This is used by Process9, using this on the ARM11 (with NATIVE_FIRM) required patching the kernel .text or modifying SVC-access-control.<br />
| See description<br />
| [[11.0.0-33|11.0.0-X]] (deleted)<br />
| <br />
|<br />
| Everyone<br />
|-<br />
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory<br />
| The ARM11 kernel-mode 0xEFF00000/0xDFF00000 virtual-memory(size 0x100000) is mapped to phys-mem 0x1FF00000(entire DSP-mem + entire AXIWRAM), with permissions RW-. This is used during ARM11 kernel startup for loading the FIRM-modules from the FIRM section located in DSP-mem, this never seems to be used after that, however. This is never unmapped either.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| <br />
| <br />
|-<br />
| memchunkhax2.1<br />
| Nintendo's fix for memchunkhax2 in [[10.4.0-29|10.4.0-X]] did not fix the GPU case: one may cause the requisite ToCToU race using gspwn, bypassing the new validation.<br />
derrek's original 32c3 presentation for memchunkhax2 commented that a GPU-based attack was possible, but would be difficult. However, memchunkhax2.1 showed that it was possible to do fairly reliably.<br />
| ARM11 kernel code execution<br />
| None<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek, aliaspider<br />
|-<br />
| memchunkhax2<br />
| <br />
| ARM11 kernel code execution<br />
| [[10.4.0-29|10.4.0-X]] (partially)<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek<br />
|-<br />
| heaphax<br />
| Can change the size of free memchunk structures stored in FCRAM using DMA, which leads to the ability to allocate memory chunks over already-allocated memory. This can be used in the SYSTEM region to allocate RW memory over any part of the NS system module, which is enough to take it over.<br />
| Code execution with access to all of NS's privileges. (including downgrading) Code execution within any applet.<br />
| [[11.0.0-33|11.0.0-X]], via the new [[Memory_Management#MemoryBlockHeader|memchunkhdr]] MAC which prevents modifying memchunkhdr data with DMA.<br />
| [[11.0.0-33|11.0.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| snshax<br />
| Can force creation of Safe NS process into gspwn-able memory, allowing for takeover.<br />
| Code execution with access to all of NS's privileges. (including downgrading)<br />
| [[10.1.0-27|10.1.0-X]]<br />
| [[10.1.0-27|10.1.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| AffinityMask/processorid validation<br />
| With [[10.0.0-27|10.0.0-X]] the following functions were updated: svcGetThreadAffinityMask, svcGetProcessAffinityMask, svcSetProcessAffinityMask, and svcCreateThread. The code changes for all but svcCreateThread are identical.<br />
The original code with the first 3 did the following: <br />
* if(u32_processorcount > ~0x80000001)return 0xe0e01bfd;<br />
* if(s32_processorcount > <total_cores>)return 0xd8e007fd;<br />
The following code replaced the above:<br />
* if(u32_processorcount >= <total_cores+1>)return 0xd8e007fd;<br />
In theory the latter should catch everything that the former did, so it's unknown if this was really a security issue.<br />
<br />
The svcCreateThread changes with [[10.0.0-27|10.0.0-X]] definitely did fix a security issue.<br />
* Original code: "if(s32_processorid > <total_cores>)return 0xd8e007fd;"<br />
* New code: "if(s32_processorid >= <total_cores> || s32_processorid <= -4)return 0xd8e007fd;"<br />
This fixed an off-by-one issue: if one would use processorid=total_cores, which isn't actually a valid value, svcCreateThread would accept that value on <[[10.0.0-27|10.0.0-X]]. This results in data being written out-of-bounds(baseaddr = arrayaddr + entrysize*processorid), which has the following result:<br />
* Old3DS: Useless kernel-mode crash due to accessing unmapped memory.<br />
* New3DS: uncontrolled data write into a kernel-mode L1 MMU-table. This isn't really useful: the data can't be controlled, and the data which gets overwritten is all-zero anyway(this isn't anywhere near MMU L1 entries for actually mapped memory).<br />
The previous version also allowed large negative s32_processorid values(negative processorid values are special values not actual procids), but it appears using values like that won't actually do anything(meaning no crash) besides the thread not running / thread not running for a while(besides triggering a kernelpanic with certain s32_processorid value(s)).<br />
| Nothing useful<br />
| [[10.0.0-27|10.0.0-X]]<br />
| [[10.0.0-27|10.0.0-X]]<br />
| svcCreateThread issue: May 31, 2015. The rest: September 8, 2015, via v9.6->v10.0 ARM11-kernel code-diff.<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| memchunkhax<br />
| The kernel originally did not validate the data stored in the FCRAM kernel heap [[Memchunkhdr|memchunk-headers]] for free-memory at all. Exploiting this requires raw R/W access to these memchunk-headers, like physical-memory access with gspwn.<br />
<br />
There are ''multiple'' ways to exploit this, but the end-result for most of these is the same: overwrite code in AXIWRAM via the 0xEFF00000/0xDFF00000 kernel virtual-memory mapping.<br />
<br />
This was fixed in [[9.3.0-21|9.3.0-X]] by checking that the memchunk(including size, next, and prev ptrs) is located within the currently used heap memory. The kernel may also check that the next/prev ptrs are valid compared to other memchunk-headers basically. When any of these checks fail, kernelpanic() is called.<br />
| When combined with other flaws: ARM11-kernelmode code execution<br />
| [[9.3.0-21|9.3.0-21]]<br />
| <br />
| February 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Multiple [[KLinkedListNode|KLinkedListNode]] SlabHeap use after free bugs<br />
| The ARM11-kernel did access the 'key' field of [[KLinkedListNode|KLinkedListNode]] objects, which are located on the SlabHeap, after freeing them. Thus, triggering an allocation of a new [[KLinkedListNode|KLinkedListNode]] object at the right time could result in a type-confusion. Pseudo-code:<br />
SlabHeap_free(KLinkedListNode);<br />
KObject *obj = KLinkedListNode->key; // the object there might have changed!<br />
This bug appeared all over the place.<br />
| ARM11-kernelmode code exec maybe<br />
| [[8.0.0-18|8.0.0-18]]<br />
| <br />
| April 2015<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with [[6.0.0-11|6.0.0]] PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered.<br />
| <br />
| [[6.0.0-11|6.0.0-11]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcStartInterProcessDma]]<br />
| For svcStartInterProcessDma, the kernel code had the following flaws:<br />
<br />
* Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction.<br />
<br />
* Integer overflows for srcaddr+size and dstaddr+size are now checked(with [[6.0.0-11]]), which were not checked before.<br />
<br />
* The kernel now also checks whether the srcaddr/dstaddr (+size) is within userland memory (0x20000000), the kernel now (with [[6.0.0-11]]) returns an error when the address is beyond userland memory. Using an address >=0x20000000 would result in the kernel reading from the process L1 MMU table, beyond the memory allocated for that MMU table(for vaddr->physaddr conversion). <br />
| <br />
| [[6.0.0-11]]<br />
| <br />
| DmaConfig issue: unknown. The rest: 2014<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] independently<br />
|-<br />
| [[SVC|svcControlMemory]] Parameter checks<br />
| For svcControlMemory the parameter check had these two flaws:<br />
<br />
* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. However, the kernel doesn't actually use the input address for LINEAR memory-mapping at all besides the range-checks, so this isn't actually useful. This was fixed in the kernel by just checking for the LINEAR bit, instead of comparing the entire MemoryOperation value with 0x10003.<br />
<br />
* Integer overflows on (addr0+size) are now checked that previously weren't (this also applies to most other address checks elsewhere in the kernel).<br />
<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
|<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] request/response buffer overflow<br />
| Originally the kernel did not check the word-values from the command-header. Starting with [[5.0.0-11]], the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words (0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread. However, since the data written there would be translate parameters (such as header-words + buffer addresses), exploiting this would likely be very difficult, if possible at all.<br />
<br />
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|SVC stack allocation overflows]]<br />
| <br />
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun. <br />
* The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow.<br />
<br />
This might allow for ARM11 kernel code-execution.<br />
<br />
(Applies to svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN.)<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] complementary<br />
|-<br />
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions<br />
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.<br />
| <br />
| [[4.1.0-8]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions<br />
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== [[FIRM]] Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[Services|"srv:pm"]] process registration<br />
| Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.<br />
<br />
This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it. With [[7.0.0-13]] there can only be one session for "srv:pm" open at a time(this is used by pm module), svcBreak will be executed if more sessions are opened by the processes which can access this.<br />
<br />
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).<br />
| Access to arbitrary services<br />
| [[7.0.0-13]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| FSDIR null-deref<br />
| [[Filesystem_services|FS]]-module may crash in some cases when handling directory reading. The trigger seems to be due to using [[FSDir:Close]] without closing the dir-handle afterwards?(Perhaps this is caused by out-of-memory?) This seems to be useless since it's just a null-deref.<br />
| <br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| May 19(?)-20, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Standalone Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in system-module system-version<br />
! Last system-module system-version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Timeframe this was added to wiki<br />
! Discovered by<br />
|-<br />
| [[MVD_Services|MVD]]: Stack buffer overflow with [[MVDSTD:SetupOutputBuffers]].<br />
| The input total_entries is not validated when initially processing the input entry-list. This fixed-size input entry-list is copied to stack from the command request. The loop for processing this initializes a global table, the converted linearmem->physaddrs used there are also copied to stack(0x8-bytes of physaddrs per entry).<br />
<br />
If total_entries is too large, MVD-sysmodule will crash due to reading unmapped memory following the stack(0x10000000). Afterwards if the out-of-bounds total_entries is smaller than that, it will crash due accessing address 0x0, hence this useless.<br />
| MVD-sysmodule crash.<br />
| None<br />
| [[9.0.0-20]]<br />
| April 22, 2016 (Tested on the 25th)<br />
| April 25, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process.<br />
| See the HTTP-sysmodule section below.<br />
<br />
CTRSDK heap is used with the sharedmem from [[NWMUDS:InitializeWithVersion]]. Buffers are allocated/freed under this heap using [[NWMUDS:Bind]] and [[NWMUDS:Unbind]].<br />
<br />
Hence, overwriting sharedmem with gspwn then using [[NWMUDS:Unbind]] results in the usual controlled CTRSDK memchunk-header write, similar to HTTP-sysmodule.<br />
<br />
This could be done by creating an UDS network, without any other nodes on the network.<br />
<br />
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem.<br />
| ROP under NWM-module.<br />
| None<br />
| [[9.0.0-20|9.0.0-X]]<br />
| April 10, 2016<br />
| April 16, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation<br />
| DLP doesn't validate the frame_size when receiving spectator data-frames at all, unlike non-spectator data-frames. The actual spectator data-frame parsing code doesn't use that field either. However, the data-frame checksum calculation code called during checksum verification does use the frame_size for loading the size of the framebuf.<br />
<br />
Hence, using a large frame_size like 0xFFFF will result in the checksum calculation code reading data out-of-bounds. This isn't really useful, you could trigger a remote local-WLAN DLP-sysmodule crash while a 3DS system is scanning for DLP networks(due to accessing unmapped memory), but that's about all(trying to infoleak with this likely isn't useful either).<br />
| DLP-sysmodule crash, handled by dlplay system-application by a "connection interrupted" error eventually then a fatal-error via ErrDisp.<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8, 2016 (Tested on the 10th)<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds output data writing during spectator sysupdate titlelist [[Download_Play|data-frame]] handling<br />
| The total_entries and out_entryindex fields for the titlelist DLP spectator data-frames are not validated. This is parsed during DLP network scanning. Hence, the specified titlelist data can be written out-of-bounds using the specified out_entryindex and total_entries. A crash will occur while reading the input data-frame titlelist if total_entries is larger than 0x27A, due to accessing unmapped memory.<br />
<br />
There's not much non-zero data to overwrite following the output buffer(located in sharedmem), any ptrs are located in sharedmem. Overwriting certain ptr(s) are only known to cause a crash when attempting to use the DLP-client shutdown service-command.<br />
<br />
There's no known way to exploit the above crash, since the linked-list code involves writes zeros(with a controlled start ptr).<br />
| <br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8-9, 2016<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[IR_Services|IR]]: Stack buffer overflow with custom hardware<br />
| Originally IR sysmodule used the read value from the I2C-IR registers TXLVL and RXLVL without validating them at all. See [[10.6.0-31|here]] for the fix. This is the size used for reading the data-recv FIFO, etc. The output buffer for reading is located on the stack.<br />
<br />
This should be exploitable if one could successfully setup the custom hardware for this and if the entire intended sizes actually get read from I2C.<br />
| ROP under IR sysmodule.<br />
| [[10.6.0-31|10.6.0-31]]<br />
| <br />
| February 23, 2016 (Unknown if it was noticed before then)<br />
| February 23, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HTTP_Services|HTTP]]: Using CTRSDK heap with sharedmem from the user-process.<br />
| The data from httpcAddPostDataAscii and other commands is stored under a CTRSDK heap. That heap is the sharedmem specified by the user-process via the HTTPC Initialize command.<br />
Normally this sharedmem isn't accessible to the user-process once the sysmodule maps it, hence using it is supposed to be "safe".<br />
<br />
This isn't the case due to gspwn however. Since CTRSDK heap code is so insecure in general, one can use gspwn to locate the HTTPC sharedmem + read/write it, then trigger a mem-write under the sysmodule. This can then be used to get ROP going under HTTP-sysmodule.<br />
<br />
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].<br />
| ROP under HTTP sysmdule.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])<br />
| Late 2015<br />
| March 22, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NIM_Services|NIM]]: Downloading old title-versions from eShop<br />
| Multiple NIM service commands(such as [[NIMS:StartDownload]]) use a title-version value specified by the user-process, NIM does not validate that this input version matches the latest version available via SOAP. Therefore, when combined with AM(PXI) [[#Process9|title-downgrading]] via deleting the target eShop title with System Settings Data Management(if the title was already installed), this allows downloading+installing any title-version from eShop ''if'' it's still available from CDN.<br />
The easiest way to exploit this is to just patch the eShop system-application code using these NIM commands(ideally the code which loads the title-version).<br />
<br />
Originally this was tested with a debugging-system via modded-FIRM, eventually smea implemented it in HANS for the 32c3 release.<br />
| Downloading old title-versions from eShop<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| October 24, 2015 (Unknown when exactly the first eShop title downgrade was actually tested, maybe November)<br />
| January 7, 2016 (Same day Ironfall v1.0 was removed from CDN via the main-CXI files)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SPI_Services|SPI]] service out-of-bounds write<br />
| cmd1 has out-of-bounds write allowing overwrite of some static variables in .data.<br />
| <br />
| None<br />
| [[9.5.0-22]]<br />
| March 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[NFC_Services|NFC]] module service command buf-overflows<br />
| NFC module copies data with certain commands, from command input buffers to stack without checking the size. These commands include the following, it's unknown if there's more commands with similar issues: "nfc:dev" <0x000C....> and "nfc:s" <0x0037....>.<br />
Since both of these commands are stubbed in the Old3DS NFC module from the very first version(those just return an error), these issues only affect the New3DS NFC module.<br />
<br />
There's no known retail titles which have access to either of these services.<br />
| ROP under NFC module.<br />
| New3DS: None<br />
| New3DS: [[9.5.0-22]]<br />
| December 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[News_Services|NEWSS]] service command notificationID validation failure<br />
| This module does not validate the input notificationID for <nowiki>"news:s"</nowiki> service commands. This is an out-of-bounds array index bug. For example, [[NEWSS:SetNotificationHeader]] could be used to exploit news module: this copies the input data(size is properly checked) to: out = newsdb_savedata+0x10 + (someu32array[notificationID]*0x70).<br />
| ROP under news module.<br />
| None<br />
| [[9.7.0-25|9.7.0-X]]<br />
| December 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWMUDS:DecryptBeaconData]] heap buffer overflow<br />
| input_size = 0x1E * <value the u8 from input_[[NWM_Services|networkstruct]]+0x1D>. Then input_tag0 is copied to a heap buffer. When input_size is larger than 0xFA-bytes, it will then copy input_tag1 to <end_address_of_previous_outbuf>, with size=input_size-0xFA.<br />
<br />
This can be triggered by either using this command directly, or by boadcasting a wifi beacon which triggers it while a 3DS system running the target process is in range, when the process is scanning for hosts to connect to. Processes will only pass tag data to this command when the wlancommID and other thing(s) match the values for the process.<br />
<br />
There's no known way to actually exploit this for getting ROP under NWM-module, at the time of originally adding this to the wiki. This is because the data which gets copied out-of-bounds *and* actually causes crash(es), can't be controlled it seems(with just broadcasting a beacon at least). It's unknown whether this could be exploited from just using NWMUDS service-cmd(s) directly.<br />
| Without any actual way to exploit this: NWM-module DoS, resulting in process termination(process crash). This breaks *everything* involving wifi comms, a reboot is required to recover from this.<br />
| None<br />
| [[9.0.0-20]]<br />
| ~September 23, 2014(see the [[NWMUDS:DecryptBeaconData]] page history)<br />
| August 3, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HID_Services|HID]] module shared-mem<br />
| HID module does not validate the index values in [[HID_Shared_Memory|sharedmem]](just changes index to 0 when index == maxval when updating), therefore large values will result in HID module writing HID data to arbitrary addresses.<br />
| ROP under HID module, but this is *very* unlikely to be exploitable since the data written is HID data.<br />
| None<br />
| [[9.3.0-21]]<br />
| 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| gspwn<br />
| GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text([[Home Menu]], [[Internet Browser]], etc) is located beyond the area accessible by the GPU, except for [[RO_Services|CROs]] used by applets([[Internet Browser]] for example).<br />
<br />
FCRAM is gpu-accessible up to physaddr 0x26800000 on Old3DS, and 0x2DC00000 on New3DS. This is BASE_memregion_start(aka SYSTEM_memregion_end)-0x400000 with the default memory-layout on Old3DS/New3DS.<br />
| User-mode code execution.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Early 2014<br />
| <br />
| smea, [[User:Yellows8|Yellows8]]/others before then<br />
|-<br />
| rohax<br />
| Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. Badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D.<br />
<br />
This was fixed after [[ninjhax]] release by adding checks on [[CRO0]]-based pointers before writing to them.<br />
| Memory-mapping syscalls.<br />
| [[9.3.0-21]]<br />
| [[9.4.0-21]]<br />
| <br />
| <br />
| smea, [[User:Plutooo|plutoo]] joint effort<br />
|-<br />
| Region free<br />
| Only [[Home Menu]] itself checks gamecards' region when launching them. Therefore, any application launch that is done directly with [[NS]] without signaling Home Menu to launch the app, will result in region checks being bypassed.<br />
This essentially means launching the gamecard with the [[NS_and_APT_Services|"ns:s"]] service. The main way to exploit this is to trigger a FIRM launch with an application specified, either with a normal FIRM launch or a hardware [[NSS:RebootSystem|reboot]].<br />
| Launching gamecards from any region + bypassing Home Menu gamecard-sysupdate installation<br />
| None<br />
| Last tested with [[10.1.0-27|10.1.0-X]].<br />
| June(?) 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]] service-cmd state null-ptr deref<br />
| The NWMUDS service command code loads a ptr from .data, adds an offset to that, then passes that as the state address for the actual command-handler function. The value of the ptr loaded from .data is not checked, therefore this will cause crashes due to that being 0x0 when NWMUDS was not properly initialized.<br />
It's unknown whether any NWM services besides NWMUDS have this issue.<br />
| This is rather useless since it's only a crash caused by a state ptr based at 0x0.<br />
| None<br />
| [[9.0.0-20]]<br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== General/CTRSDK ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in version<br />
! Last version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[NWM_Services|UDS]] beacon additional-data buffer overflow<br />
| Originally CTRSDK did not validate the UDS additional-data size before using that size to copy the additional-data to a [[NWM_Services|networkstruct]]. This was eventually fixed.<br />
This was discovered while doing code RE with an old dlp-module version. It's unknown in what specific CTRSDK version this was fixed, or even what system-version updated titles with a fixed version.<br />
<br />
It's unknown if there's any titles using a vulnerable CTRSDK version which are also exploitable with this(dlp module can't be exploited with this).<br />
<br />
The maximum number of bytes that can be written beyond the end of the outbuf is 0x37-bytes, with additionaldata_size=0xFF.<br />
| Perhaps ROP, very difficult if possible with anything at all<br />
| ?<br />
| <br />
| September(?) 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=NCCH/Extended_Header&diff=18301NCCH/Extended Header2016-09-26T09:44:15Z<p>Neobrain: /* ARM11 Kernel Capabilities */</p>
<hr />
<div>This page documents the format of the '''NCCH Extended Header''', or '''exheader''' for short.<br />
<br />
The exheader has two sections:<br />
<br />
* The actual exheader data, containing System Control Info (SCI) and Access Control Info (ACI);<br />
* A signed copy of NCCH HDR public key, and exheader ACI. This version of the ACI is used as limitation to the actual ACI.<br />
<br />
== Main Structure ==<br />
All values are little endian unless otherwise specified.<br />
<br />
See also: [https://github.com/profi200/Project_CTR/blob/master/ctrtool/exheader.h]<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>0x200</code><br />
| SCI<br />
|-<br />
| <code>0x200</code><br />
| <code>0x200</code><br />
| ACI<br />
|-<br />
| <code>0x400</code><br />
| <code>0x100</code><br />
| <code>AccessDesc</code> signature (RSA-2048-SHA256)<br />
|-<br />
| <code>0x500</code><br />
| <code>0x100</code><br />
| NCCH HDR RSA-2048 public key<br />
|-<br />
| <code>0x600</code><br />
| <code>0x200</code><br />
| ACI (for limitation of first ACI)<br />
|}<br />
<br />
The <code>AccessDesc</code> signature covers the NCCH HDR public key and second ACI. The <code>AccessDesc</code> public key is initialised by the boot ROM.<br />
<br />
When loading the exheader, [[FIRM|Process9]] compares the exheader data with the data in the <code>AccessDesc</code> (note that not everything is compared here). When these don't match, an error is returned. The Process9 code handling this validation was updated with [[6.0.0-11|v6.0]]; the only change in this function seems to be the check for the "Ideal processor" field.<br />
<br />
== System Control Info ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>0x8</code><br />
| Application title<br />
|-<br />
| <code>0x8</code><br />
| <code>0x5</code><br />
| Reserved<br />
|-<br />
| <code>0xD</code><br />
| <code>0x1</code><br />
| Flag (bit 0: <code>CompressExefsCode</code>, bit 1: <code>SDApplication</code>)<br />
|-<br />
| <code>0xE</code><br />
| <code>0x2</code><br />
| Remaster version<br />
|-<br />
| <code>0x10</code><br />
| <code>0xC</code><br />
| Text code set info<br />
|-<br />
| <code>0x1C</code><br />
| <code>0x4</code><br />
| Stack size<br />
|-<br />
| <code>0x20</code><br />
| <code>0xC</code><br />
| Read-only code set info<br />
|-<br />
| <code>0x2C</code><br />
| <code>0x4</code><br />
| Reserved<br />
|-<br />
| <code>0x30</code><br />
| <code>0xC</code><br />
| Data code set info<br />
|-<br />
| <code>0x3C</code><br />
| <code>0x4</code><br />
| BSS size<br />
|-<br />
| <code>0x40</code><br />
| <code>0x180</code> (<code>48*8</code>)<br />
| Dependency [[Title list#00040130 - System Modules|module]] (program ID) list<br />
|-<br />
| <code>0x1C0</code><br />
| <code>0x40</code><br />
| <code>SystemInfo</code><br />
|}<br />
<br />
Most of these fields are used in [[LOADER:LoadProcess]].<br />
<br />
=== Code Set Info ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>4</code><br />
| Address<br />
|-<br />
| <code>0x4</code><br />
| <code>4</code><br />
| Physical region size (in page-multiples)<br />
|-<br />
| <code>0x8</code><br />
| <code>4</code><br />
| Size (in bytes)<br />
|}<br />
<br />
=== System Info ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>0x8</code><br />
| <code>SaveData</code> Size<br />
|-<br />
| <code>0x8</code><br />
| <code>0x8</code><br />
| Jump ID<br />
|-<br />
| <code>0x10</code><br />
| <code>0x30</code><br />
| Reserved<br />
|}<br />
<br />
== Access Control Info ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>0x170</code><br />
| [[#ARM11 Local System Capabilities|ARM11 local system capabilities]]<br />
|-<br />
| <code>0x170</code><br />
| <code>0x80</code><br />
| [[#ARM11 Kernel Capabilities|ARM11 kernel capabilities]]<br />
|-<br />
| <code>0x1F0</code><br />
| <code>0x10</code><br />
| [[#ARM9 Access Control|ARM9 access control]]<br />
|}<br />
<br />
=== ARM11 Local System Capabilities ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>0x8</code><br />
| Program ID<br />
|-<br />
| <code>0x8</code><br />
| <code>0x4</code><br />
| Core version (The Title ID low of the required [[FIRM]])<br />
|-<br />
| <code>0xC</code><br />
| <code>0x2</code><br />
| [[#Flag1|Flag1]] and [[#Flag2|Flag2]] (both implemented starting from [[8.0.0-18]]).<br />
|-<br />
| <code>0xE</code><br />
| <code>0x1</code><br />
| [[#Flag0|Flag0]]<br />
|-<br />
| <code>0xF</code><br />
| <code>0x1</code><br />
| Priority<br />
|-<br />
| <code>0x10</code><br />
| <code>0x20</code> (<code>16*2</code>)<br />
| Resource limit descriptors. The first byte here controls the maximum allowed [[PMApp:SetAppResourceLimit|<code>CpuTime</code>]].<br />
|-<br />
| <code>0x30</code><br />
| <code>0x20</code><br />
| [[#Storage Info|Storage info]]<br />
|-<br />
| <code>0x50</code><br />
| <code>0x100</code> (<code>32*8</code>)<br />
| [[#Service Access Control|Service access control]]<br />
|-<br />
| <code>0x150</code><br />
| <code>0x10</code> (<code>2*8</code>)<br />
| Extended service access control, support for this was implemented with [[9.3.0-21|9.3.0-X]].<br />
|-<br />
| <code>0x160</code><br />
| <code>0xF</code><br />
| Reserved<br />
|-<br />
| <code>0x16F</code><br />
| <code>0x1</code><br />
| Resource limit category. (0 = <code>APPLICATION</code>, 1 = <code>SYS_APPLET</code>, 2 = <code>LIB_APPLET</code>, 3 = <code>OTHER</code> (sysmodules running under the BASE memregion))<br />
|}<br />
<br />
==== Flag0 ====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bits<br />
! Description<br />
|-<br />
| <code>0-1</code><br />
| Ideal processor<br />
|-<br />
| <code>2-3</code><br />
| Affinity mask<br />
|-<br />
| <code>4-7</code><br />
| Old3DS system mode<br />
|}<br />
<br />
===== Old3DS System Mode =====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| <code>0</code><br />
| <code>Prod</code> (64MB of usable application memory)<br />
|-<br />
| <code>1</code><br />
| <code>Undefined</code> (unusable)<br />
|-<br />
| <code>2</code><br />
| <code>Dev1</code> (96MB of usable application memory)<br />
|-<br />
| <code>3</code><br />
| <code>Dev2</code> (80MB of usable application memory)<br />
|-<br />
| <code>4</code><br />
| <code>Dev3</code> (72MB of usable application memory)<br />
|-<br />
| <code>5</code><br />
| <code>Dev4</code> (32MB of usable application memory)<br />
|-<br />
| <code>6-7</code><br />
| <code>Undefined</code> Same as <code>Prod</code>?<br />
|}<br />
<br />
In the exheader data, the ideal processor field is a bit-index, while in the <code>AccessDesc</code> the ideal processor field is a bitmask. When the bit specified by the exheader field is not set in the <code>AccessDesc</code> field, an error is returned.<br />
<br />
<pre>if((1 << exheaderval) & accessdescval == 0) return error</pre><br />
<br />
During a FIRM-launch when a <code>TitleInfo</code> structure was specified, the field at offset [[FIRM#FIRM_Launch_Parameters|0x400]] in the FIRM-launch parameters is set to the SystemMode of the specified title, however in some cases other values are written there. With [[8.0.0-18]] NS will now check the output of [[PTM|PTMSYSM]] command <code>0x040A0000</code>, when the output is non-zero and a certain NS state field is value-zero, the following is executed otherwise this is skipped. With that check passed on [[8.0.0-18]], NS will then check (<code>Flag2 & 0xF</code>). When that is <code>value2</code>, the output value (used for the FIRM-launcher parameter field mentioned above) is set to <code>value7</code>. Otherwise, when that value is non-zero, the output value is set to 6.<br />
<br />
==== Flag1 ====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bits<br />
! Description<br />
|-<br />
| <code>0</code><br />
| <code>EnableL2Cache</code> (Unknown what this actually does, New3DS-only presumably)<br />
|-<br />
| <code>1</code><br />
| <code>cpuspeed_804MHz</code> (Default "cpuspeed" when not set)<br />
|-<br />
| <code>2-7</code><br />
| Unused<br />
|}<br />
<br />
In order for the exheader to have any of the above new bits set, the <code>AccessDesc</code> must have the corresponding bit set, otherwise the invalid-exheader error is returned.<br />
<br />
Homebrew which runs under a title which has the above <code>cpuspeed</code> flag set, runs much faster on New3DS. It's unknown how exactly the system handles these flags.<br />
<br />
When launching titles / perhaps other things with [[APT]], [[NS]] uses [[PTMSYSM:ConfigureNew3DSCPU]] with data which originally came from these flags; NS does this regardless of what the running 3DS system is. However, due to a bug(?) in NS the value sent to that command is always either 0x0 or 0x3. When calculating that value, the code only ever uses the cpuspeed field, not the cache field: code to actually load and check the value of the cache field appears to be missing.<br />
<br />
==== Flag2 ====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bit<br />
! Description<br />
|-<br />
| <code>0-3</code><br />
| New3DS system mode<br />
|-<br />
| <code>4-7</code><br />
| Unused<br />
|}<br />
<br />
===== New3DS System Mode =====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| <code>0</code><br />
| <code>Legacy</code> (use Old3DS system mode)<br />
|-<br />
| <code>1</code><br />
| <code>Prod</code> (124MB of usable application memory)<br />
|-<br />
| <code>2</code><br />
| <code>Dev1</code> (178MB of usable application memory)<br />
|-<br />
| <code>3</code><br />
| <code>Dev2</code> (124MB of usable application memory)<br />
|-<br />
| <code>4-7</code><br />
| <code>Undefined</code> Same as <code>Prod</code>?<br />
|}<br />
<br />
When in <code>Legacy</code> mode, the actual memory layout is the same as in <code>New3DS Prod</code>, except the available application memory as reported to the application is reduced to the Old3DS size.<br />
<br />
The exheader value for the New3DS system mode value must be ≤ to the <code>AccessDesc</code> value, otherwise the invalid-exheader error is returned.<br />
<br />
==== Storage Info ====<br />
Used in [[FSReg:Register]].<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>8</code><br />
| Extdata ID<br />
|-<br />
| <code>0x8</code><br />
| <code>8</code><br />
| System savedata IDs<br />
|-<br />
| <code>0x10</code><br />
| <code>8</code><br />
| Storage accessible unique IDs<br />
|-<br />
| <code>0x18</code><br />
| <code>7</code><br />
| Filesystem access info<br />
|-<br />
| <code>0x1F</code><br />
| <code>1</code><br />
| Other attributes<br />
|}<br />
<br />
File System Access Info:<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bit and bitmask<br />
! Description<br />
|-<br />
| <code>0</code>, <code>0x1</code><br />
| Category system application<br />
|-<br />
| <code>1</code>, <code>0x2</code><br />
| Category hardware check<br />
|-<br />
| <code>2</code>, <code>0x4</code><br />
| Category filesystem tool<br />
|-<br />
| <code>3</code>, <code>0x8</code><br />
| Debug<br />
|-<br />
| <code>4</code>, <code>0x10</code><br />
| TWL card backup<br />
|-<br />
| <code>5</code>, <code>0x20</code><br />
| TWL NAND data<br />
|-<br />
| <code>6</code>, <code>0x40</code><br />
| BOSS<br />
|-<br />
| <code>7</code>, <code>0x80</code><br />
| [[FS:OpenArchive|<code>sdmc:/</code>]]<br />
|-<br />
| <code>8</code>, <code>0x100</code><br />
| Core<br />
|-<br />
| <code>9</code>, <code>0x200</code><br />
| [[Flash Filesystem|<code>nand:/ro/</code>]] (Read Only)<br />
|-<br />
| <code>10</code>, <code>0x400</code><br />
| [[Flash Filesystem|<code>nand:/rw/</code>]]<br />
|-<br />
| <code>11</code>, <code>0x800</code><br />
| [[Flash Filesystem|<code>nand:/ro/</code>]] (Write Access)<br />
|-<br />
| <code>12</code>, <code>0x1000</code><br />
| Category system settings<br />
|-<br />
| <code>13</code>, <code>0x2000</code><br />
| Cardboard<br />
|-<br />
| <code>14</code>, <code>0x4000</code><br />
| Export/Import IVS<br />
|-<br />
| <code>15</code>, <code>0x8000</code><br />
| [[FS:OpenArchive|<code>sdmc:/</code>]] (Write-only)<br />
|-<br />
| <code>16</code>, <code>0x10000</code><br />
| Switch cleanup (Introduced in [[3.0.0-5|3.0.0]]?) <br />
|-<br />
| <code>17</code>, <code>0x20000</code><br />
| Savedata move (Introduced in [[5.0.0-11|5.0.0]]) <br />
|-<br />
| <code>18</code>, <code>0x40000</code><br />
| Shop (Introduced in [[5.0.0-11|5.0.0]]) <br />
|-<br />
| <code>19</code>, <code>0x80000</code><br />
| Shell (Introduced in [[5.0.0-11|5.0.0]]) <br />
|-<br />
| <code>20</code>, <code>0x100000</code><br />
| Category home menu (Introduced in [[6.0.0-11|6.0.0]])<br />
|-<br />
| <code>21</code>, <code>0x200000</code><br />
| Seed DB. Introduced in [[9.6.0-24|9.6.0-X]] [[FIRM]]. [[Home Menu]] has this bit set starting with [[9.6.0-24|9.6.0-X]].<br />
|}<br />
<br />
====Other Attributes====<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bit<br />
! Description<br />
|-<br />
| <code>0</code><br />
| Not use ROMFS<br />
|-<br />
| <code>1</code><br />
| Use Extended savedata access.<br />
|}<br />
<br />
When Bit1 is set, the "Extdata ID" and "Storage Accessable Unique IDs" regions are used to store a total of 6 "Accessible Save IDs". Introduced in [[6.0.0-11|6.0.0]].<br />
<br />
==== Service Access Control ====<br />
This is the list of [[Services_API|services]] which the process is allowed to access, this is registered with the [[Services|services]] manager. Each service listed in the exheader must be listed in the <code>AccessDesc</code>, otherwise the invalid exheader error is returned. The order of the services for exheader/<code>AccessDesc</code> doesn't matter. The <code>AccessDesc</code> can list services which are not in the exheader, but normally the service-access-control data for exheader/<code>AccessDesc</code> are exactly the same.<br />
<br />
This list is submitted to [[SRVPM:RegisterProcess]].<br />
<br />
=== ARM11 Kernel Capabilities ===<br />
The kernel capability descriptors are passed to [[SVC|svcCreateProcess]].<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>0x70</code> (<code>28*4</code>)<br />
| Descriptors<br />
|-<br />
| <code>0x70</code><br />
| <code>0x10</code><br />
| Reserved<br />
|}<br />
<br />
There are different descriptor types, determined by the number of leading ones in the binary value representation of bits 20-31. The different types are laid out as follows:<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Pattern of bits 20-31<br />
! Type<br />
! Fields<br />
|-<br />
| <code>0b1110xxxxxxxx</code><br />
| Interrupt info<br />
|<br />
|-<br />
| <code>0b11110xxxxxxx</code><br />
| System call mask<br />
| Bits 24-26: System call mask table index; Bits 0-23: mask<br />
|-<br />
| <code>0b1111110xxxxx</code><br />
| Kernel release version<br />
| Bits 8-15: Major version; Bits 0-7: Minor version<br />
|-<br />
| <code>0b11111110xxxx</code><br />
| Handle table size<br />
| Bits 0-18: size<br />
|-<br />
| <code>0b111111110xxx</code><br />
| [[#ARM11_Kernel_Flags|Kernel flags]]<br />
| See below<br />
|-<br />
| <code>0b11111111100x</code><br />
| Map address range<br />
| Describes a memory mapping like the 0b111111111110 descriptor, but an entire range rather than a single page is mapped. Usually, another 0b11111111100x descriptor follows this one to denote the (exclusive) end of the address range to map, but it has been observed that sometimes the range is not explicitly closed, which presumably indicates a single-page mapping.<br />
|-<br />
| <code>0b111111111110</code><br />
| Map memory page<br />
| Bits 0-19: page index to map (virtual address >> 12; the physical address is determined per-page according to [[Memory layout]]); Bit 20: Map read-only (otherwise read-write)<br />
|}<br />
<br />
==== ARM11 Kernel Flags ====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bit<br />
! Description<br />
|-<br />
| <code>0</code><br />
| Allow debug<br />
|-<br />
| <code>1</code><br />
| Force debug<br />
|-<br />
| <code>2</code><br />
| Allow non-alphanum<br />
|-<br />
| <code>3</code><br />
| Shared page writing<br />
|-<br />
| <code>4</code><br />
| Privilege priority<br />
|-<br />
| <code>5</code><br />
| Allow <code>main()</code> args<br />
|-<br />
| <code>6</code><br />
| Shared device memory<br />
|-<br />
| <code>7</code><br />
| Runnable on sleep<br />
|-<br />
| <code>8-11</code><br />
| Memory type (1: application, 2: system, 3: base)<br />
|-<br />
| <code>12</code><br />
| [[Memory_layout#NATIVE_FIRM.2FSAFE_MODE_FIRM_Userland_Memory|Special memory]]<br />
|-<br />
| <code>13</code><br />
| Process has access to CPU core 2 (New3DS only)<br />
|}<br />
<br />
=== ARM9 Access Control ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| <code>0x0</code><br />
| <code>15</code><br />
| Descriptors<br />
|-<br />
| <code>0xF</code><br />
| <code>1</code><br />
| ARM9 Descriptor Version. Originally this value had to be ≥ 2. Starting with [[9.3.0-21|9.3.0-X]] this value has to be either value 2 or value 3.<br />
|}<br />
<br />
Descriptors:<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bit<br />
! Description<br />
|-<br />
| <code>0</code><br />
| Mount [[Flash Filesystem|<code>nand:/</code>]]<br />
|-<br />
| <code>1</code><br />
| Mount [[Flash Filesystem|<code>nand:/ro/</code>]] (Write Access)<br />
|-<br />
| <code>2</code><br />
| Mount [[Flash Filesystem|<code>twln:/</code>]]<br />
|-<br />
| <code>3</code><br />
| Mount [[Flash Filesystem|<code>wnand:/</code>]]<br />
|-<br />
| <code>4</code><br />
| Mount card SPI<br />
|-<br />
| <code>5</code><br />
| Use SDIF3<br />
|-<br />
| <code>6</code><br />
| Create seed<br />
|-<br />
| <code>7</code><br />
| Use card SPI<br />
|-<br />
| <code>8</code><br />
| SD application (Not checked)<br />
|-<br />
| <code>9</code><br />
| Mount [[SD Filesystem|sdmc:/]] (Write Access)<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=CTR_API&diff=18286CTR API2016-09-25T11:01:47Z<p>Neobrain: </p>
<hr />
<div>This page lists the spare knowledge people bothered to document on the official CTR API.<br />
<br />
= Synchronization Primitives =<br />
<br />
These are to be considered in extension to the system calls outlined in [[Multi-threading]].<br />
<br />
== Critical Section (light-weight mutex) ==<br />
<br />
Similar to a mutex, but faster and no priority inheritance. Therefore problems such as priority inversion may occur.<br />
<br />
=== CriticalSection::Initialize ===<br />
<br />
Creates an object<br />
<br />
=== CriticalSection::Enter ===<br />
<br />
Locks out threads from accessing a critical section.<br />
<br />
=== CriticalSection::Leave ===<br />
<br />
Unlocks and allows for access to a critical section.<br />
<br />
== Light Semaphore ==<br />
API unknown.<br />
<br />
== Light Event ==<br />
API unknown.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Multi-threading&diff=18285Multi-threading2016-09-25T10:58:21Z<p>Neobrain: Content moved to CTR API</p>
<hr />
<div>This page documents all kernel functionality for managing multiple processes and threads as well as handling synchronization between them.<br />
<br />
= Processes =<br />
<br />
Each process is given an array of [[NCCH/Extended_Header#ARM11_Kernel_Capabilities|kernel capability descriptors]] upon creation (see CreateProcess). Official software forwards the descriptors specified in the [[NCCH#Extended_Header|NCCH exheader]].<br />
<br />
Any process can only use SVCs which are enabled in its kernel capability descriptors. This is enforced by the ARM11 kernel SVC handler by checking the syscall access control mask stored on the SVC-mode stack. If the SVC isn't enabled, a kernelpanic() is triggered. Each process has a separate SVC-mode stack; this stack and the syscall access mask stored here are initialized when the process is started. Applications normally only have access to SVCs <=0x3D, however not all SVCs <=0x3D are accessible to the application. The majority of the SVCs accessible to applications are unused by the application.<br />
<br />
Each process has a separate handle-table, the size of which is stored in the kernel capability descriptor. The handles in a handle-table can't be used in the context of other processes, since those handles don't exist in other handle-tables.<br />
<br />
0xFFFF8001 is a handle alias for the current process.<br />
<br />
Calling svcBreak on retail will only terminate the process which called this SVC.<br />
<br />
== Usage ==<br />
<br />
=== CreateCodeSet ===<br />
(behavior unconfirmed)<br />
<br />
Allocates memory for a process according to the given CodeSetInfo contents and copies the segment data from the given memory locations to the allocated memory.<br />
<br />
=== CreateProcess ===<br />
(behavior unconfirmed)<br />
<br />
Sets up a process using the segments managed by the given CodeSet handle.<br />
<br />
This system call furthermore processes the [[NCCH/Extended_Header#ARM11_Kernel_Capabilities|kernel capabilities]] from the [[NCCH/Extended_Header|ExHeader]], hence setting up virtual address mappings, CPU clock frequency/L2 cache configuration, and other things.<br />
<br />
=== Run ===<br />
(behavior unconfirmed)<br />
<br />
Sets up the main process thread and appends it to the scheduler queue.<br />
<br />
The argc, argv, and envp fields from the given StartupInfo structure are ignored.<br />
<br />
== struct CodeSetInfo ==<br />
All addresses are given virtual for the process to be created.<br />
All sizes are given in 0x1000-pages.<br />
<br />
{| class="wikitable" border="1"<br />
! Type<br />
! Field<br />
|-<br />
| u8[8]<br />
| Codeset Name<br />
|-<br />
| u16<br />
| Unknown, this is written to field 0x5A of KCodeSet<br />
|-<br />
| u16<br />
| Unknown/padding<br />
|-<br />
| u32<br />
| Unknown/padding<br />
|-<br />
| u32<br />
| .text addr<br />
|-<br />
| u32<br />
| .text size<br />
|-<br />
| u32<br />
| .rodata start<br />
|-<br />
| u32<br />
| .rodata size<br />
|-<br />
| u32<br />
| RW addr (.data + .bss)<br />
|-<br />
| u32<br />
| RW size (.data + .bss)<br />
|-<br />
| u32<br />
| Total .text pages<br />
|-<br />
| u32<br />
| Total .rodata pages<br />
|-<br />
| u32<br />
| Total RW pages (.data + .bss)<br />
|-<br />
| u32<br />
| Unknown/padding<br />
|-<br />
| u8[8]<br />
| Program ID<br />
|}<br />
<br />
= Threads =<br />
<br />
For Kernel implementation details, see [[KThread]].<br />
<br />
Though it is possible to run multi-threaded programs, running those on different cores is not possible "as-is". One core is always dedicated to the OS, hence you will never get 100% of both cores.<br />
<br />
Using CloseHandle() with a KThread handle will terminate the specified thread only if the reference count reaches 0.<br />
<br />
Lower priority values give the thread higher priority. For userland apps, priorities between 0x18 and 0x3F are allowed. The priority of the app's main thread seems to be 0x30.<br />
<br />
The thread scheduler is cooperative, therefore if a thread takes up all the CPU time (for example if it enters an endless loop), all the other threads that run on the same CPU core won't get a chance to run. The main way of yielding another thread is using an address arbiter.<br />
<br />
0xFFFF8000 is a handle alias for the currently active thread.<br />
<br />
== Usage ==<br />
<br />
=== CreateThread ===<br />
'''svc''' : 0x08<br />
<br />
'''Signature'''<br />
Result CreateThread(Handle* thread, func entrypoint, u32 arg, u32 stacktop, s32 threadpriority, s32 processorid);<br />
<br />
'''Configuration'''<br />
R0=s32 threadpriority<br />
R1=func entrypoint<br />
R2=u32 arg<br />
R3=u32 stacktop<br />
R4=s32 processorid<br />
<br />
Result result=R0<br />
Handle* thread=R1<br />
<br />
'''Details'''<br />
<br />
Creates a new thread in the current process which will begin execution at the given entrypoint. The SP CPU register will be initialized to stacktop, while r0 will be initialized to the given arg.<br />
<br />
The input address used for Entrypoint_Param and StackTop are normally the same, but they may be chosen arbitrarily. For the main thread (created in svcRun), the Entrypoint_Param is value 0.<br />
<br />
The stacktop must be aligned to 0x8-bytes, otherwise when not aligned to 0x8-bytes the ARM11 kernel clears the low 3-bits of the stacktop address.<br />
<br />
The processorid parameter specifies which processor the thread can run on. Non-negative values correspond to a specific CPU. (e.g. 0 for the Appcore and 1 for the Syscore on Old3DS) Special value -1 means all CPUs, and -2 means the default CPU for the process (Read from the [[NCCH/Extended Header|Exheader]], usually 0 for applications, 1 for system services). Games usually create threads using -2.<br />
<br />
The thread priority value must be in the range 0x0..0x3F. Otherwise, error 0xE0E01BFD is returned.<br />
<br />
With the Old3DS kernel, the s32 processorid must be <=2 (for the processorid validation check in the kernel). With the New3DS kernel, the processorid validation check requires processorid to be less than or equal to <total cores(MPCore "SCU Configuration Register" CPU number value + 1)>, and a number of additional constraints apply: When processorid==0x2 and the process is not a BASE mem-region process, exheader kernel-flags bitmask 0x2000 must be set (otherwise error 0xD9001BEA is returned). When processorid==0x3 and the process is not a BASE mem-region process, error 0xD9001BEA is returned. These are the only restriction checks done by the kernel for processorid.<br />
<br />
=== ExitThread ===<br />
'''svc''' : 0x09<br />
<br />
'''Signature'''<br />
void ExitThread(void);<br />
<br />
=== SleepThread ===<br />
'''svc''' : 0x0A<br />
<br />
'''Signature'''<br />
void SleepThread(s64 nanoseconds);<br />
<br />
=== GetThreadPriority ===<br />
'''svc''' : 0x0B<br />
<br />
'''Signature'''<br />
Result GetThreadPriority(s32* priority, Handle thread);<br />
<br />
'''asm'''<br />
.global svcGetThreadPriority<br />
.type svcGetThreadPriority, %function<br />
svcGetThreadPriority:<br />
str r0, [sp, #-0x4]!<br />
svc 0x0B<br />
ldr r3, [sp], #4<br />
str r1, [r3]<br />
bx lr<br />
<br />
=== SetThreadPriority ===<br />
'''svc''' : 0x0C<br />
<br />
'''Signature'''<br />
Result SetThreadPriority(Handle thread, s32 priority);<br />
<br />
=== OpenThread ===<br />
'''svc''' : 0x34<br />
<br />
'''Signature'''<br />
Result OpenThread(Handle* thread, Handle process, u32 threadId);<br />
<br />
=== GetProcessIdOfThread ===<br />
'''svc''' : 0x36<br />
<br />
'''Signature'''<br />
Result GetProcessIdOfThread(u32* processId, Handle thread);<br />
<br />
=== GetThreadId ===<br />
'''svc''' : 0x37<br />
<br />
'''Signature'''<br />
Result GetThreadId(u32* threadId, Handle thread);<br />
<br />
'''Details'''<br />
It seems that only the thread itself or one of its parent can get the ID. Calling this on the handle of a sibling or parent seems to always yield the ID 0.<br />
<br />
=== GetThreadInfo ===<br />
'''svc''' : 0x2C<br />
<br />
'''Signature'''<br />
Result GetThreadInfo(s64* out, Handle thread, ThreadInfoType type);<br />
<br />
''' Details '''<br />
This requests always return an error when called, it only checks if the handle is a thread or not. <br />
Hence, it will return 0xD8E007ED (BAD_ENUM) if the Handle is a Thread Handle, 0xD8E007F7 (BAD_HANDLE) if it isn't.<br />
<br />
=== GetThreadContext ===<br />
'''svc''' : 0x3B<br />
<br />
'''Signature'''<br />
Result GetThreadContext(ThreadContext* context, Handle thread);<br />
<br />
'''Details'''<br />
Stubbed?<br />
<br />
== Core affinity == <br />
<br />
The cores are numbered from 0 to 1 for Old 3DS and 0 to 3 for the new 3DS.<br />
<br />
=== GetThreadAffinityMask ===<br />
'''svc''' : 0x0D<br />
<br />
'''Signature'''<br />
Result GetThreadAffinityMask(u8* affinitymask, Handle thread, s32 processorcount);<br />
<br />
=== SetThreadAffinityMask ===<br />
'''svc''' : 0x0E<br />
<br />
'''Signature'''<br />
Result SetThreadAffinityMask(Handle thread, u8* affinitymask, s32 processorcount);<br />
<br />
=== GetThreadIdealProcessor ===<br />
'''svc''' : 0x0F<br />
<br />
'''Signature'''<br />
Result GetThreadIdealProcessor(s32* processorid, Handle thread);<br />
<br />
=== SetThreadIdealProcessor ===<br />
'''svc''' : 0x10<br />
<br />
=== APT:SetApplicationCpuTimeLimit ===<br />
<br />
See [[APT:SetApplicationCpuTimeLimit]].<br />
<br />
You are not able to use the system core (core1) by default. You have to first assign the amount of time dedicated to the system.<br />
The value is in percent, the higher it is, the more the system will be available for your application. <br />
<br />
For example if you set this value to 25%, it means that your application will be able to use 25% of the system core at most, even if you never issue system calls.<br />
<br />
If you set the value to a non-zero value, you will not be able to set it back to 0%.<br />
Keep in mind that if your application is heavily dependant on the system, setting a high value for your application might yield poorer performance than if you had set a low value.<br />
<br />
=== APT:GetApplicationCpuTimeLimit ===<br />
<br />
See [[APT:GetApplicationCpuTimeLimit]].<br />
<br />
== Debug == <br />
<br />
=== GetThreadList ===<br />
<br />
=== GetDebugThreadContext ===<br />
<br />
=== SetDebugThreadContext ===<br />
<br />
=== GetDebugThreadParam ===<br />
<br />
= Synchronization =<br />
<br />
Synchronization can be performed via WaitSynchronization on any handles deriving from [[KSynchronizationObject]]. The semantic meaning of the call depends on the particular object type referred to by the given handle:<br />
<br />
* KClientPort: Wakes if max sessions not reached (free session available)<br />
* KClientSession: Always false?<br />
* KDebug: ???<br />
* KDmaObject: ???<br />
* KEvent: Waits until the event is signaled<br />
* KInterruptEvent: ???<br />
* KMutex: Acquires a lock on the mutex (blocks until this succeeds)<br />
* KProcess: Waits until the process exits<br />
* KSemaphore: This consumes a value from the semaphore count, if possible, otherwise continues to wait<br />
* KServerPort: Waits for a new client connection, upon which svcAcceptSession is ready to be called<br />
* KServerSession: Waits for an IPC command to be submitted to the server process<br />
* KThread: Waits until the thread terminates<br />
* KTimer: Wakes when timer activates (this also clears the timer if it is oneshot)<br />
<br />
Most synchronization systems seem to have both a "normal" and "light-weight" version<br />
<br />
== Mutex ==<br />
<br />
For Kernel implementation details, see [[KMutex]]<br />
<br />
=== CreateMutex ===<br />
<br />
/!\ It seems that the mutex will not be available once the thread that created it is destroyed <br />
<br />
=== ReleaseMutex ===<br />
<br />
== Semaphore ==<br />
<br />
== Event ==<br />
<br />
== Address Arbiters ==<br />
<br />
Address arbiters are a low-level primitive to implement synchronization based on a counter stored at some user-specified virtual memory address. Address arbiters are used to put the current thread to sleep until the counter is signaled. Both of these tasks are implemented in ArbitrateAddress.<br />
<br />
Address arbiters are implemented by [[KAddressArbiter]].<br />
<br />
===CreateAddressArbiter===<br />
Result CreateAddressArbiter(Handle* arbiter)<br />
<br />
Creates an address arbiter handle for use with ArbitrateAddress.<br />
<br />
=== ArbitrateAddress ===<br />
Result ArbitrateAddress(Handle arbiter, u32 addr, ArbitrationType type, s32 value, s64 nanoseconds)<br />
<br />
if <code>type</code> is SIGNAL, the ArbitrateAddress call will resume up to <code>value</code> of the threads waiting on <code>addr</code> using an arbiter, starting with the highest-priority threads. If <code>value</code> is negative, all of these threads are released. <code>nanoseconds</code> remains unused in this mode.<br />
<br />
The other modes are used to (conditionally) put the current thread to sleep based on the memory word at virtual address <code>addr</code> until another thread signals that address using ArbitrateAddress with the <code>type</code> SIGNAL. WAIT_IF_LESS_THAN will put the current thread to sleep if that word is smaller than <code>value</code>. DECREMENT_AND_WAIT_IF_LESS_THAN will furthermore decrement the memory value before the comparison. WAIT_IF_LESS_THAN_TIMEOUT and DECREMENT_AND_WAIT_IF_LESS_THAN_TIMEOUT will do the same as their counterparts, but will have thread execution resume if <code>nanoseconds</code> nanoseconds pass without <code>addr</code> being signaled.<br />
<br />
=== enum ArbitrationType ===<br />
{| class="wikitable" border="1"<br />
! Address arbitration type<br />
! Value<br />
|-<br />
| SIGNAL<br />
| 0<br />
|-<br />
| WAIT_IF_LESS_THAN<br />
| 1<br />
|-<br />
| DECREMENT_AND_WAIT_IF_LESS_THAN<br />
| 2<br />
|-<br />
| WAIT_IF_LESS_THAN_TIMEOUT<br />
| 3<br />
|-<br />
| DECREMENT_AND_WAIT_IF_LESS_THAN_TIMEOUT<br />
| 4<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=CTR_API&diff=18284CTR API2016-09-25T10:57:58Z<p>Neobrain: Moved from Multi-threading because it doesn't fit there but seems to be considered valuable information by some</p>
<hr />
<div>This page lists the spare knowledge we have on the official CTR API.<br />
<br />
= Synchronization Primitives =<br />
<br />
These are to be considered in extension to the system calls outlined in [[Multi-threading]].<br />
<br />
== Critical Section (light-weight mutex) ==<br />
<br />
Similar to a mutex, but faster and no priority inheritance. Therefore problems such as priority inversion may occur.<br />
<br />
=== CriticalSection::Initialize ===<br />
<br />
Creates an object<br />
<br />
=== CriticalSection::Enter ===<br />
<br />
Locks out threads from accessing a critical section.<br />
<br />
=== CriticalSection::Leave ===<br />
<br />
Unlocks and allows for access to a critical section.<br />
<br />
== Light Semaphore ==<br />
API unknown.<br />
<br />
== Light Event ==<br />
API unknown.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=GPIO:BindInterrupt&diff=18283GPIO:BindInterrupt2016-09-25T10:53:14Z<p>Neobrain: </p>
<hr />
<div>=Request=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index Word<br />
! Description<br />
|-<br />
| 0<br />
| Header code [0x00090082]<br />
|-<br />
| 1<br />
| u32, interrupt bitmask<br />
|-<br />
| 2<br />
| s32, priority<br />
|-<br />
| 3<br />
| Must be value [[IPC#Message_Structure|0x00000000]], otherwise error 0xD9001830<br />
|-<br />
| 4<br />
| Handle syncObject<br />
|}<br />
<br />
=Response=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index Word<br />
! Description<br />
|-<br />
| 0<br />
| Header code<br />
|-<br />
| 1<br />
| Result code<br />
|}<br />
<br />
=Description=<br />
This binds an interrupt in gpio-module's [[NCCH/Extended Header#ARM11_Kernel_Capabilities|interrupt ACL]] to the specified syncObject (using [[SVC|svcBindInterrupt]]).<br />
<br />
=Supported values=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bitmask<br />
! Interrupt<br />
|-<br />
| 0x2<br />
| 0x63<br />
|-<br />
| 0x4<br />
| 0x60<br />
|-<br />
| 0x8<br />
| 0x64<br />
|-<br />
| 0x10<br />
| 0x66<br />
|-<br />
| 0x40<br />
| 0x68<br />
|-<br />
| 0x80<br />
| 0x69<br />
|-<br />
| 0x100<br />
| 0x6A<br />
|-<br />
| 0x200<br />
| 0x6B<br />
|-<br />
| 0x400<br />
| 0x6C<br />
|-<br />
| 0x800<br />
| 0x6D<br />
|-<br />
| 0x1000<br />
| 0x6E<br />
|-<br />
| 0x2000<br />
| 0x6F<br />
|-<br />
| 0x4000<br />
| 0x70<br />
|-<br />
| 0x8000<br />
| 0x71<br />
|-<br />
| 0x10000<br />
| 0x72<br />
|-<br />
| 0x20000<br />
| 0x73<br />
|}<br />
<br />
See also [[ARM11 Interrupts]].<br />
<br />
=Interrupts bound by modules=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Module<br />
! Bound interrupts (bitmask)<br />
|-<br />
| [[CDC_Services|cdc]]<br />
| 0x8<br />
|-<br />
| [[HID_Services|hid]]<br />
| 0x100<br />
|-<br />
| [[IR_Services|ir]]<br />
| 0x40<br />
|-<br />
| [[MCU_Services|mcu]]<br />
| 0x8000<br />
|}<br />
<br />
See [[GPIO:BindInterrupt#Supported_values]] for the bitmask <-> IRQ number correspondence table.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=GPIO:BindInterrupt&diff=18282GPIO:BindInterrupt2016-09-25T10:53:00Z<p>Neobrain: </p>
<hr />
<div>=Request=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index Word<br />
! Description<br />
|-<br />
| 0<br />
| Header code [0x00090082]<br />
|-<br />
| 1<br />
| u32, interrupt bitmask<br />
|-<br />
| 2<br />
| s32, priority<br />
|-<br />
| 3<br />
| Must be value [[IPC#Message_Structure|0x00000000]], otherwise error 0xD9001830<br />
|-<br />
| 4<br />
| Handle syncObject<br />
|}<br />
<br />
=Response=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Index Word<br />
! Description<br />
|-<br />
| 0<br />
| Header code<br />
|-<br />
| 1<br />
| Result code<br />
|}<br />
<br />
=Description=<br />
This binds an interrupt in gpio-module's [[NCCH/Extended Header#ARM11_Kernel_Capabilities|interrupt ACL]] to the specified syncObject (using [[SVC|svcBindInterrupt]]).<br />
<br />
=Supported values=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bitmask<br />
! Interrupt<br />
|-<br />
| 0x2<br />
| 0x63<br />
|-<br />
| 0x4<br />
| 0x60<br />
|-<br />
| 0x8<br />
| 0x64<br />
|-<br />
| 0x10<br />
| 0x66<br />
|-<br />
| 0x40<br />
| 0x68<br />
|-<br />
| 0x80<br />
| 0x69<br />
|-<br />
| 0x100<br />
| 0x6A<br />
|-<br />
| 0x200<br />
| 0x6B<br />
|-<br />
| 0x400<br />
| 0x6C<br />
|-<br />
| 0x800<br />
| 0x6D<br />
|-<br />
| 0x1000<br />
| 0x6E<br />
|-<br />
| 0x2000<br />
| 0x6F<br />
|-<br />
| 0x4000<br />
| 0x70<br />
|-<br />
| 0x8000<br />
| 0x71<br />
|-<br />
| 0x10000<br />
| 0x72<br />
|-<br />
| 0x20000<br />
| 0x73<br />
|}<br />
<br />
See also [[ARM11 Interrupts]].<br />
<br />
=Interrupts binded by modules=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Module<br />
! Bound interrupts (bitmask)<br />
|-<br />
| [[CDC_Services|cdc]]<br />
| 0x8<br />
|-<br />
| [[HID_Services|hid]]<br />
| 0x100<br />
|-<br />
| [[IR_Services|ir]]<br />
| 0x40<br />
|-<br />
| [[MCU_Services|mcu]]<br />
| 0x8000<br />
|}<br />
<br />
See [[GPIO:BindInterrupt#Supported_values]] for the bitmask <-> IRQ number correspondence table.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=IO_Registers&diff=18281IO Registers2016-09-25T10:52:38Z<p>Neobrain: /* Overview */</p>
<hr />
<div>= Overview =<br />
<br />
{| class="wikitable" border="1"<br />
! Old3DS<br />
! A9/A11<br />
! Category<br />
! Physaddr<br />
! Used by<br />
! Comments<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[CONFIG Registers]]<br />
| 0x10000000<br />
| Boot9, Process9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[IRQ Registers]]<br />
| 0x10001000<br />
| Boot9, Process9, Kernel9<br />
| ARM9 Interrupt Masking<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[NDMA Registers]]<br />
| 0x10002000<br />
| Boot9, Process9<br />
| DMA Engine<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[TIMER Registers]]<br />
| 0x10003000<br />
| Boot9, Process9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[CTRCARD Registers]]<br />
| 0x10004000 / 0x10005000<br />
| Process9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[EMMC Registers]]<br />
| 0x10006000 / 0x10007000<br />
| Boot9, Process9<br />
| 0x10007000 is normally not enabled on retail, all-zeros when read.<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[PXI Registers]]<br />
| 0x10008000<br />
| Boot9, Process9<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[AES Registers]]<br />
| 0x10009000<br />
| Boot9, Process9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[SHA Registers]]<br />
| 0x1000A000<br />
| Boot9, Process9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[RSA Registers]]<br />
| 0x1000B000<br />
| Boot9, Process9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[Corelink DMA Engines|XDMA Registers]]<br />
| 0x1000C000<br />
| Boot9, Kernel9<br />
| [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0424d/index.html CoreLink™ DMA-330] (single-channel).<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[SPICARD Registers]]<br />
| 0x1000D800<br />
| Process9<br />
|<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A9<br />
| [[CONFIG Registers]]<br />
| 0x10010000<br />
| Process9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| PRNG Registers<br />
| 0x10011000<br />
| Process9<br />
| Used as entropy-source for seeding random number generators.<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[OTP Registers]]<br />
| 0x10012000<br />
| Kernel9, NewKernel9Loader<br />
| Top secret.<br />
|-<br />
| style="background: green" | Yes<br />
| A9<br />
| [[ARM7|ARM7 Registers]]<br />
| 0x10018000<br />
| TwlProcess9<br />
| Used to setup the ARM7 core for AGB/TWL<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| Debug WIFI SDIO Registers?<br />
| 0x10100000<br />
| <br />
| An SDIO controller is mapped here, NWM references this controller but doesn't have access to it.<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[HASH Registers]]<br />
| 0x10101000<br />
| [[Filesystem services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[Camera Registers]]<br />
| 0x10102000<br />
| [[Camera Services]]<br />
| y2r<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[CSND Registers]] / [[DSP Registers]]<br />
| 0x10103000<br />
| TwlBg, [[CDC Services]], [[CSND Services]], [[DSP Services]]<br />
| Sound hardware. For DSP regs, see the "DSi XpertTeak" section in [http://problemkaputt.de/gba.htm no$gba] help.<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| LGYFB0<br />
| 0x10110000<br />
| TwlBg<br />
| IO registers used to access legacy output framebuffer, as well as configure the upscaling filter.<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| LGYFB1<br />
| 0x10111000<br />
| TwlBg<br />
| IO registers used to access legacy output framebuffer, as well as configure the upscaling filter.<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[Camera Registers]] <br />
| 0x10120000<br />
| [[Camera Services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[Camera Registers]]<br />
| 0x10121000<br />
| [[Camera Services]]<br />
| Mirror of 0x10120000?<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[WIFI Registers]]<br />
| 0x10122000<br />
| [[NWM Services]]<br />
| WIFI SDIO bus registers<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| ?<br />
| 0x10123000<br />
| [[NWM Services]]<br />
| WIFI?<br />
|-style="border-top: double"<br />
| style="background: red" | No<br />
| A11/A9<br />
| [[MVD Registers]]<br />
| 0x10130000<br />
| [[MVD Services]]<br />
| <br />
|-<br />
| style="background: red" | No<br />
| A11/A9<br />
| [[MVD Registers]]<br />
| 0x10131000<br />
| [[MVD Services]]<br />
| <br />
|-<br />
| style="background: red" | No<br />
| A11/A9<br />
| [[MVD Registers]]<br />
| 0x10132000<br />
| [[MVD Services]]<br />
| <br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[PDN Registers]]<br />
| 0x10140000<br />
| Process9, Boot11, Kernel11, TwlBg, [[DSP Services]], [[NWM Services]], [[SPI Services]]<br />
| Power management. <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[PDN Registers]]<br />
| 0x10141000<br />
| Process9, Boot11, Kernel11, TwlBg, [[CDC Services]], [[NWM Services]], [[SPI Services]], [[PDN Services]]<br />
| Power management<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[SPI Registers]]<br />
| 0x10142000<br />
| TwlBg, [[SPI Services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[SPI Registers]]<br />
| 0x10143000<br />
| TwlBg, dmnt Module<br />
| Debugger related?<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[I2C Registers]]<br />
| 0x10144000<br />
| Boot11, Kernel11, TwlBg, [[I2C Services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[CDC Registers]]<br />
| 0x10145000<br />
| TwlBg, [[CDC Services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[HID Registers]]<br />
| 0x10146000<br />
| Boot11, Kernel11, TwlBg, [[HID Services]], dlp Services<br />
| See [[PAD]].<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[GPIO Registers]]<br />
| 0x10147000<br />
| Boot11, TwlBg, [[GPIO Services]], [[DSP Services]](v0)<br />
| <br />
|- <br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[I2C Registers]]<br />
| 0x10148000<br />
| TwlBg, [[I2C Services]]<br />
| <br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[SPI Registers]]<br />
| 0x10160000<br />
| Boot9, TwlBg, [[SPI Services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[I2C Registers]]<br />
| 0x10161000<br />
| Boot11, TwlBg, [[I2C Services]]<br />
| See [http://problemkaputt.de/gba.htm no$gba] help for some clues maybe.<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MIC Registers]]<br />
| 0x10162000<br />
| [[MIC Services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[PXI Registers]]<br />
| 0x10163000<br />
| Boot11, Kernel11, TwlBg, [[PXI Services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[NTRCARD Registers]]<br />
| 0x10164000<br />
| Boot9, Process9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MP Registers]]<br />
| 0x10165000<br />
| [[MP Services]]<br />
|<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MP Registers]]<br />
| 0x10170000<br />
| [[MP Services]]<br />
| NTR WIFI Registers, see [http://problemkaputt.de/gbatek.htm#dswirelesscommunications GBATek].<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MP Registers]]<br />
| 0x10171000<br />
| [[MP Services]]<br />
| NTR WIFI Registers (mirror)<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
|?<br />
| 0x10172000<br />
|?<br />
| NTR WIFI Unused?<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
|?<br />
| 0x10173000<br />
|?<br />
| NTR WIFI Unused?<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MP Registers]]<br />
| 0x10174000<br />
| [[MP Services]]<br />
| NTR WIFI RAM<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MP Registers]]<br />
| 0x10175000<br />
|?<br />
| NTR WIFI RAM<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MP Registers]]<br />
| 0x10176000<br />
|?<br />
| NTR WIFI Registers (mirror)<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MP Registers]]<br />
| 0x10177000<br />
|?<br />
| NTR WIFI Registers (mirror)<br />
|-<br />
| style="background: green" | Yes<br />
| A11/A9<br />
| [[MP Registers]]<br />
| 0x10178000 - 0x10180000<br />
| [[MP Services]]<br />
| NTR WIFI WS1 Region<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11<br />
| [[Corelink DMA Engines|CDMA]]<br />
| 0x10200000<br />
| Boot11, Kernel11<br />
| [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0424d/index.html CoreLink™ DMA-330]. Only used by bootrom on New3DS.<br />
|-<br />
| style="background: green" | Yes<br />
| A11<br />
| ?<br />
| 0x10201000<br />
| TwlBg<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A11<br />
| [[LCD Registers]]<br />
| 0x10202000<br />
| TwlBg, Kernel11, [[GSP Services]]<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| A11<br />
| [[DSP Registers]]<br />
| 0x10203000<br />
| [[DSP Services]]<br />
| <br />
|-<br />
| style="background: green" | Yes<br />
| A11<br />
| ?<br />
| 0x10204000<br />
| <br />
|<br />
|-style="border-top: double"<br />
| style="background: red" | No<br />
| A11<br />
| [[Corelink DMA Engines|CDMA]]<br />
| 0x10206000<br />
| NewKernel11<br />
| CDMA was moved (mirrored?) here on New 3DS. [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0424d/index.html CoreLink™ DMA-330].<br />
|-<br />
| style="background: red" | No<br />
| A11<br />
| [[MVD Registers]]<br />
| 0x10207000<br />
| [[MVD Services]]<br />
| New 3DS only?<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11<br />
| AXI<br />
| 0x1020F000<br />
| TwlBg, [[GSP Services]]<br />
| [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0422a/CHDGHIID.html CoreLink™ NIC-301 r1p0].<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11<br />
| DMA region<br />
| 0x10300000-0x10400000<br />
|<br />
| CDMA wants these addresses. Each page in this region corresponds to the same page in the 0x10100000-0x10200000 region. It is unknown if this is just a separate bus and/or if there are any differences in the registers.<br />
|-style="border-top: double"<br />
| style="background: green" | Yes<br />
| A11<br />
| [[GPU/External_Registers|GPU Registers]]<br />
| 0x10400000<br />
| Boot11, Kernel11, [[GSP Services]]<br />
||<br />
|}<br />
<br />
IO registers starting at physical address 0x10200000 are not accessible from the ARM9 (which includes all LCD/GPU registers). It seems IO registers below physical address 0x10100000 are not accessible from the ARM11 bus.<br />
<br />
ARM11 kernel virtual address mappings for these registers varies for different builds. For ARM11 user mode applications you have:<br />
physaddr = virtaddr - 0x1EC00000 + 0x10100000</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Title_list&diff=18280Title list2016-09-25T10:51:48Z<p>Neobrain: /* 00040130 - System Modules */</p>
<hr />
<div>NOTE: This Title list is a condensed version, only the System Titles lists are full lists. For a full list of titles on Nintendo's CDN, see [http://mtheall.com/~mtheall/tmdlist.php here]. The reports/title-lists from [https://yls8.mtheall.com/ninupdates/reports.php here] are automatically obtained from the system update SOAP.<br />
<br />
== CTR System Titles ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! System Category<br />
! Bit Mask(s)<br />
! Category Bit Mask<br />
|-<br />
| Application (SYSTEM_APPLICATION)<br />
| Normal<nowiki>|</nowiki>System<br />
| 0x0010<br />
|-<br />
| System Data Archives (SYSTEM_CONTENT)<br />
| Contents<nowiki>|</nowiki>CannotExecution<nowiki>|</nowiki>System<br />
| 0x001B<br />
|-<br />
| Shared Data Archives (SHARED_CONTENT)<br />
| Contents<nowiki>|</nowiki>CannotExecution<nowiki>|</nowiki>System<nowiki>|</nowiki>NotRequireRightForMount<br />
| 0x009B<br />
|-<br />
| System Data Archives (AUTO_UPDATE_CONTENT)<br />
| Contents<nowiki>|</nowiki>CannotExecution<nowiki>|</nowiki>System<nowiki>|</nowiki>NotRequireUserApproval<nowiki>|</nowiki>NotRequireRightForMount<br />
| 0x00DB<br />
|-<br />
| Applet (APPLET)<br />
| Normal<nowiki>|</nowiki>System<nowiki>|</nowiki>RequireBatchUpdate<br />
| 0x0030<br />
|-<br />
| Module (BASE)<br />
| Normal<nowiki>|</nowiki>System<nowiki>|</nowiki>RequireBatchUpdate<nowiki>|</nowiki>CanSkipConvertJumpId<br />
| 0x0130<br />
|-<br />
| Firmware (FIRMWARE)<br />
| Normal<nowiki>|</nowiki>CannotExecution<nowiki>|</nowiki>System<nowiki>|</nowiki>RequireBatchUpdate<nowiki>|</nowiki>CanSkipConvertJumpId<br />
| 0x0138<br />
|}<br />
<br />
=== 00040010 - System Applications ===<br />
The versions for CHN, KOR, and TWN are separate from the other regions.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! JPN TIDLow<br />
! USA TIDLow<br />
! EUR TIDLow<br />
! CHN TIDLow<br />
! KOR TIDLow<br />
! TWN TIDLow<br />
! [[Product code]]<br />
! Description<br />
! JPN Versions<br />
! EUR Versions<br />
! USA Versions<br />
! CHN Versions<br />
! KOR Versions<br />
! TWN Versions<br />
! Status<br />
|-<br />
| 00020000<br />
| 00021000<br />
| 00022000<br />
| 00026000<br />
| 00027000<br />
| 00028000<br />
| CTR-N-HAS?<br />
| [[System Settings]] (mset)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[3.0.0-5|v2060]], [[4.0.0-7|v3074]], [[5.0.0-11|v4097]], [[6.0.0-11|v5127]], [[7.0.0-13|v6157]], [[7.2.0-17|v7173]], [[8.1.0-0_New3DS|v8198]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v9224]], [[9.6.0-24|v10245]], [[10.6.0-31|v10256]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[3.0.0-5|v2061]], [[4.0.0-7|v3075]], [[5.0.0-11|v4097]], [[6.0.0-11|v5127]], [[7.0.0-13|v6157]], [[7.2.0-17|v7174]], [[9.0.0-20|v8202]], [[9.6.0-24|v9220]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[3.0.0-5|v2062]], [[4.0.0-7|v3078]], [[5.0.0-11|v4098]], [[6.0.0-11|v5128]], [[7.0.0-13|v6157]], [[7.2.0-17|v7174]], [[9.0.0-20|v8203]], [[9.6.0-24|v9221]]<br />
| [[4.0.0-7|v8]], [[4.4.0-10|v1024]](CHN-only sysupdate for just mset), [[5.0.0-11|v2049]], [[7.0.0-13|v3075]]<br />
| [[4.0.0-7|v1026]], [[5.0.0-11|v2049]], [[7.0.0-13|v4098]]<br />
| [[4.1.0-8|v8]], [[4.2.0-9|v1024]], [[5.0.0-11|v2050]], [[7.0.0-13|v3074]]<br />
| Active<br />
|-<br />
| 00020100<br />
| 00021100<br />
| 00022100<br />
| 00026100<br />
| 00027100<br />
| 00028100<br />
| CTR-N-HDL?<br />
| [[Download Play]] (dlplay)<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]], [[4.0.0-7|v2051]], [[9.0.0-20|v3072]](Also for [[8.1.0-0_New3DS]])<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]], [[4.0.0-7|v2051]], [[9.0.0-20|v3073]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]], [[4.0.0-7|v2051]], [[9.0.0-20|v3073]]<br />
| [[4.0.0-7|v4]]<br />
| [[4.0.0-7|v1027]]<br />
| [[4.1.0-8|v4]]<br />
| Active<br />
|-<br />
| 00020200<br />
| 00021200<br />
| 00022200<br />
| 00026200<br />
| 00027200<br />
| 00028200<br />
| CTR-N-HMK?<br />
| [[Activity Log]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[3.0.0-5|v2051]], [[10.6.0-31|v2080]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[3.0.0-5|v2054]], [[7.0.0-13|v2064]]<br />
| Same as EUR<br />
| [[4.0.0-7|v3]]<br />
| [[4.0.0-7|v2]], [[7.0.0-13|v16]]<br />
| [[4.1.0-8|v2]]<br />
| Active<br />
|-<br />
| 00020300<br />
| 00021300<br />
| 00022300<br />
| 00026300<br />
| 00027300<br />
| 00028300<br />
| ?<br />
| [[Health and Safety Information]] (safe)<br />
| [[1.0.0-0|v0]], [[4.0.0-7|v1024]], [[6.0.0-11|v2050]]<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[4.0.0-7|v2050]], [[6.0.0-11|v3077]]<br />
| [[1.0.0-0|v0]], [[4.0.0-7|v1026]], [[6.1.0-12U|v2051]]<br />
| [[4.0.0-7|v5]]<br />
| [[4.0.0-7|v2]]<br />
| [[4.1.0-8|v5]]<br />
| Active<br />
|-<br />
| 20020300<br />
| 20021300<br />
| 20022300<br />
| N/A<br />
| 20027300<br />
| N/A<br />
| CTR-N-HAC?<br />
| [[New_3DS]] [[Health and Safety Information]]<br />
| [[8.1.0-0_New3DS|v2]], [[9.3.0-21|v17]]<br />
| [[8.1.0-0_New3DS|v1]]<br />
| Same as EUR.<br />
| N/A<br />
| [[9.6.0-24|v2]]<br />
| N/A<br />
| Active<br />
|-<br />
| 00020400<br />
| 00021400<br />
| 00022400<br />
| 00026400<br />
| 00027400<br />
| 00028400<br />
| CTR-N-HEP?<br />
| [[Nintendo 3DS Camera]] (CtrApp)<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v16]], [[3.0.0-5|v1038]], [[4.0.0-7|v2048]], [[6.0.0-11|v3073]], [[9.0.0-20|v4097]](Also for [[8.1.0-0_New3DS]]), [[10.6.0-31|v4112]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v16]], [[3.0.0-5|v1039]], [[4.0.0-7|v2048]], [[6.0.0-11|v3073]], [[7.0.0-13|v3088]], [[9.0.0-20|v4097]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v16]], [[3.0.0-5|v1039]], [[4.0.0-7|v2048]], [[6.1.0-12U|v3074]], [[7.0.0-13|v3088]], [[9.0.0-20|v4097]]<br />
| [[4.0.0-7|v3]]<br />
| [[4.0.0-7|v2]], [[7.0.0-13|v1040]]<br />
| [[4.1.0-8|v3]]<br />
| Active<br />
|-<br />
| 00020500<br />
| 00021500<br />
| 00022500<br />
| 00026500<br />
| 00027500<br />
| 00028500<br />
| CTR-N-HES?<br />
| [[Nintendo 3DS Sound]] (CtrApp)<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1027]], [[3.0.0-5|v2049]], [[4.0.0-7|v3072]], [[7.0.0-13|v3089]], [[10.6.0-31|3104]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1027]], [[3.0.0-5|v2049]], [[4.0.0-7|v3072]], [[7.0.0-13|v3088]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1027]], [[3.0.0-5|v2049]], [[4.0.0-7|v3072]], [[7.0.0-13|v3088]]<br />
| [[4.0.0-7|v2]]<br />
| [[4.0.0-7|v2]], [[7.0.0-13|v16]]<br />
| [[4.1.0-8|v3]]<br />
| Active<br />
|-<br />
| 00020700<br />
| 00021700<br />
| 00022700<br />
| 00026700<br />
| 00027700<br />
| 00028700<br />
| CTR-N-HED?<br />
| [[Mii Maker]] (EDIT)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[7.0.0-13|v2055]], [[10.6.0-31|v2064]]<br />
| Same as JPN<br />
| Same as JPN<br />
| [[4.0.0-7|v1]]<br />
| [[4.0.0-7|v1]], [[7.0.0-13|v16]]<br />
| [[4.1.0-8|v2]]<br />
| Active<br />
|-<br />
| 00020800<br />
| 00021800<br />
| 00022800<br />
| 00026800<br />
| 00027800<br />
| 00028800<br />
| CTR-N-HME?<br />
| [[StreetPass Mii Plaza]] (MEET)<br />
| [[1.0.0-0|v0]], v1027, [[2.1.0-4|v2048]], [[3.0.0-5|v3087]], [[3.0.0-6|v4096]], [[6.0.0-11|v5121]]<br />
| [[1.0.0-0|v0]], v1027, [[2.1.0-4|v2048]], [[3.0.0-5|v3087]], [[3.0.0-6|v4096]], [[6.0.0-11|v5122]]<br />
| [[1.0.0-0|v0]], v1027, [[2.1.0-4|v2048]], [[3.0.0-5|v3087]], [[3.0.0-6|v4096]], [[6.1.0-12U|v5124]], [[7.0.0-13|v5136]]<br />
| [[4.0.0-7|v0]], [[4.4.0-10|v4096]]<br />
| [[4.0.0-7|v1]], [[4.4.0-10|v4096]], [[7.0.0-13|v5120]]<br />
| [[4.1.0-8|v1]], [[4.4.0-10|v4096]]<br />
| Active<br />
|-<br />
| 00020900<br />
| 00021900<br />
| 00022900<br />
| N/A<br />
| 00027900<br />
| 00028900<br />
| CTR-N-HGR?<br />
| [[eShop]] (tiger)<br />
| [[2.0.0-2|v4]], [[2.1.0-3|v1026]], [[3.0.0-5|v2057]], [[4.0.0-7|v3081]], [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7169]], [[7.0.0-13|v8206]], [[7.1.0-14|v9231]], [[7.2.0-17|v10245]], [[8.0.0-18|v11265]], [[8.1.0-19|v12288]], [[9.0.0-20|v13320]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17421]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]], [[10.4.0-29|v20483]], [[10.7.0-32|v21504]]<br />
| [[2.0.0-2|v4]], [[2.1.0-3|v1026]], [[3.0.0-5|v2058]], [[4.0.0-7|v3081]], [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7171]], [[7.0.0-13|v8206]], [[7.1.0-14|v9231]], [[7.2.0-17|v10245]], [[8.0.0-18|v11265]], [[8.1.0-19|v12288]], [[9.0.0-20|v13320]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17421]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]], [[10.4.0-29|v20482]], [[10.7.0-32|v21505]]<br />
| [[2.0.0-2|v4]], [[2.1.0-3|v1026]], [[3.0.0-5|v2058]], [[4.0.0-7|v3081]], [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7170]], [[7.0.0-13|v8206]], [[7.1.0-14|v9231]], [[7.2.0-17|v10246]], [[8.0.0-18|v11265]], [[8.1.0-19|v12288]], [[9.0.0-20|v13321]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17422]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]], [[10.4.0-29|v20482]], [[10.7.0-32|v21506]]<br />
| N/A<br />
| [[4.0.0-7|v3082]], [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7169]], [[7.0.0-13|v8205]], [[7.1.0-14|v9231]], [[8.1.0-19|v12288]], [[9.0.0-20|v13320]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17420]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]], [[10.4.0-29|v20482]]<br />
| [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7170]], [[7.0.0-13|v8205]], [[7.1.0-14|v9231]], [[8.1.0-19|v12288]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17421]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]]<br />
| Active<br />
|-<br />
| 00020A00<br />
| 00021A00<br />
| 00022A00<br />
| N/A<br />
| 00027A00<br />
| 00028A00<br />
| CTR-N-HCB?<br />
| [[System Transfer]] (CARDBOARD)<br />
| [[2.0.0-2|v4]], [[3.0.0-5|v1035]], [[4.0.0-7|v2050]], [[5.0.0-11|v3074]], [[7.0.0-13|v4109]], [[9.0.0-20|v5130]], [[9.6.0-24|v6154]]<br />
| [[2.0.0-2|v4]], [[3.0.0-5|v1035]], [[4.0.0-7|v2050]], [[5.0.0-11|v3073]], [[7.0.0-13|v4109]], [[9.0.0-20|v5131]], [[9.6.0-24|v6155]]<br />
| [[2.0.0-2|v4]], [[3.0.0-5|v1035]], [[4.0.0-7|v2051]], [[5.0.0-11|v3073]], [[7.0.0-13|v4109]], [[9.0.0-20|v5131]], [[9.6.0-24|v6156]]<br />
| N/A<br />
| [[4.0.0-7|v2]], [[5.0.0-11|v1025]], [[7.0.0-13|v2061]], [[9.0.0-20|v3082]]<br />
| [[4.1.0-8|v2]], [[5.0.0-11|v1025]], [[7.0.0-13|v2061]]<br />
| Active<br />
|-<br />
| 00020B00<br />
| 00021B00<br />
| 00022B00<br />
| N/A<br />
| N/A<br />
| N/A<br />
| CTR-N-HMA?<br />
| [[Nintendo Zone]] ("Nintendo")<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1034]]<br />
| Same as JPN<br />
| Same as JPN<br />
| N/A<br />
| N/A<br />
| N/A<br />
| Active<br />
|-<br />
| 00020D00<br />
| 00021D00<br />
| 00022D00<br />
| 00026D00<br />
| 00027D00<br />
| 00028D00<br />
| CTR-N-HCH?<br />
| [[Face Raiders]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1028]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1028]], [[7.0.0-13|v1040]]<br />
| Same as EUR<br />
| [[4.0.0-7|v0]]<br />
| [[4.0.0-7|v0]]<br />
| [[4.1.0-8|v2]]<br />
| Active<br />
|-<br />
| 20020D00<br />
| 20021D00<br />
| 20022D00<br />
| N/A<br />
| 20027D00<br />
| N/A<br />
| ?<br />
| [[New_3DS]] [[Face Raiders]]<br />
| [[8.1.0-0_New3DS|v2050]]<br />
| [[8.1.0-0_New3DS|v2049]]<br />
| Same as EUR.<br />
| N/A<br />
| [[9.6.0-24|v2049]]<br />
| N/A<br />
| Active<br />
|-<br />
| 00020E00<br />
| 00021E00<br />
| 00022E00<br />
| 00026E00<br />
| 00027E00<br />
| 00028E00<br />
| CTR-N-HAR?<br />
| [[AR Games]] (AR_ACT)<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]], [[7.0.0-13|v1040]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1027]], [[7.0.0-13|v1040]]<br />
| [[4.0.0-7|v0]]<br />
| [[4.0.0-7|v0]], [[7.0.0-13|v16]]<br />
| [[4.1.0-8|v1]]<br />
| Active<br />
|-<br />
| 00020F00<br />
| 00021F00<br />
| 00022F00<br />
| 00026F00<br />
| 00027F00<br />
| 00028F00<br />
| CTR-N-HSH?<br />
| SAFE_MODE [[System Settings#System Updater|System Updater]] (mset)<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[6.0.0-11|v2049]]<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[6.0.0-11|v2050]]<br />
| Same as JPN<br />
| [[4.0.0-7|v1]], [[6.0.0-11|v1026]]<br />
| [[4.0.0-7|v1]]<br />
| [[4.1.0-8|v1]]<br />
| Active<br />
|-<br />
| 00023000<br />
| 00024000<br />
| 00025000<br />
| N/A<br />
| N/A<br />
| N/A<br />
| (Variable?)<br />
| Promotional video<br />
| [[1.1.0-1|v2]], [[2.0.0-2|v2048]]<br />
| [[1.1.0-1|v<unknown>]], [[2.0.0-2|v2048]]<br />
| [[1.1.0-1|v0]], [[2.0.0-2|v2048]]<br />
| N/A<br />
| N/A<br />
| N/A<br />
| Stubbed<br />
|-<br />
| 0002BF00<br />
| 0002C000<br />
| 0002C100<br />
| N/A<br />
| N/A<br />
| N/A<br />
| CTR-N-HAF?<br />
| Nintendo Network ID Settings (act)<br />
| [[7.0.0-13|v14]], [[7.2.0-17|v1029]], [[9.0.0-20|v2051]], [[9.3.0-21|v3072]]<br />
| Same as JPN<br />
| Same as JPN<br />
| N/A<br />
| N/A<br />
| N/A<br />
| Active<br />
|-<br />
| 20023100<br />
| 20024100<br />
| 20025100<br />
| N/A<br />
| N/A<br />
| N/A<br />
| CTR-N-HAJ?<br />
| [[microSD Management]] ('mcopy') ([[New_3DS]]-only)<br />
| [[8.1.0-0_New3DS|v8]], [[9.0.0-20|v1024]]<br />
| [[8.1.0-0_New3DS|v4]]<br />
| [[8.1.0-0_New3DS|v5]]<br />
| N/A<br />
| N/A<br />
| N/A<br />
| Available<br />
|-<br />
| 2002C800<br />
| 2002CF00<br />
| 2002D000<br />
| N/A<br />
| 2002D700<br />
| N/A<br />
| CTR-P-CTAP<br />
| [[New_3DS]]-only, currently stubbed. "HOME menu/menu".<br />
| [[8.1.0-0_New3DS|v2]], [[9.0.0-20|v18]], [[9.3.0-21|v34]], [[9.6.0-24|v50]]<br />
| [[8.1.0-0_New3DS|v1]], [[9.3.0-21|v17]], [[9.6.0-24|v34]]<br />
| [[8.1.0-0_New3DS|v1]], [[9.3.0-21|v18]], [[9.6.0-24|v33]]<br />
| N/A<br />
| [[9.6.0-24|v2]]<br />
| N/A<br />
| Stubbed<br />
|-<br />
| 2002C900<br />
| 2002D100<br />
| 2002D200<br />
| N/A<br />
| 2002D800<br />
| N/A<br />
| CTR-P-CTAP<br />
| [[New_3DS]]-only, currently stubbed. "Friends list/friend".<br />
| [[8.1.0-0_New3DS|v1]]<br />
| Same as JPN.<br />
| [[8.1.0-0_New3DS|v0]], [[9.3.0-21|v16]]<br />
| N/A<br />
| [[9.6.0-24|v2]]<br />
| N/A<br />
| Stubbed<br />
|-<br />
| 2002CA00<br />
| 2002D300<br />
| 2002D400<br />
| N/A<br />
| 2002D900<br />
| N/A<br />
| CTR-P-CTAP<br />
| [[New_3DS]]-only, currently stubbed. "Notifications/newslist".<br />
| [[8.1.0-0_New3DS|v0]], v1([[Home_Menu|JPN-only]] Oct 2, 2014 "sysupdate", actually uploaded on 09-29-14. Identical to v0, same TMDs besides title-versions)<br />
| [[8.1.0-0_New3DS|v2]]<br />
| [[8.1.0-0_New3DS|v0]]<br />
| N/A<br />
| [[9.6.0-24|v2]]<br />
| N/A<br />
| Stubbed<br />
|-<br />
| 2002CB00<br />
| 2002D500<br />
| 2002D600<br />
| N/A<br />
| 2002DA00<br />
| N/A<br />
| CTR-P-CTAP<br />
| [[New_3DS]]-only, currently stubbed. "Game notes/cherry".<br />
| [[8.1.0-0_New3DS|v0]], [[9.0.0-20|v1]]<br />
| [[8.1.0-0_New3DS|v2]]<br />
| Same as EUR.<br />
| N/A<br />
| [[9.6.0-24|v1]]<br />
| N/A<br />
| Stubbed<br />
|}<br />
<br />
The "act" application seems to use a web browser with webkit?<br />
<br />
Regardless of version, the ExeFS:/.code for mset is the same for USA/EUR/JPN. The [[4.0.0-7]] version of mset([[4.1.0-8]] for TWN) has the same ExeFS:/.code for all regions(JPN, USA, EUR, CHN, KOR, TWN). The [[5.0.0-11]] mset ExeFS:/.code is the same for all regions as well, except for CHN. The [[7.0.0-13]] mset ExeFS:/.code is unique for the following regions: CHN, KOR, and TWN.<br />
<br />
=== 0004001B - [[NCCH#CFA|System Data Archives]] ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! TitleID Low<br />
! Description<br />
! Versions<br />
|-<br />
| 00010002<br />
| [[ClCertA]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 00010702<br />
| [[NS CFA]]<br />
| [[3.0.0-5|v0]], [[6.0.0-11|v1028]], [[6.3.0-12|v2048]], [[7.0.0-13|v3073]], [[9.0.0-20|v4096]](also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00010802<br />
| This CFA only contains a 1-byte "dummy.txt" in the RomFS, which contains '0'.<br />
| [[6.3.0-12|v0]], [[9.5.0-23|v1024]], [[10.5.0-30|v2048]], [[11.0.0-33|v3072]]<br />
|-<br />
| 00018002<br />
| Same contents as 00010802. Starting with [[7.1.0-15]], the "dummy.txt" file was removed from RomFS: this CFA RomFS now contains web-browser data(similar to 00018102) for NNID / networking, etc.<br />
| [[7.0.0-13|v14]], [[7.1.0-15|v1025]], [[7.2.0-17|v2055]], [[9.0.0-20|v3078]], [[9.3.0-21|v4096]], [[9.6.0-24|v5120]]<br />
|-<br />
| 00018102<br />
| This contains local web-browser data(html/js, gfx, etc) for the Miiverse Offline-mode.<br />
| [[7.0.0-13|v11]], [[9.0.0-20|v1025]](also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00018202<br />
| This contains the webkit/OSS [[CRO0|CROs]] used with the Miiverse applet and the "act" application.<br />
| [[7.0.0-13|v7]], [[8.1.0-0_New3DS|v1026]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v2050]]<br />
|-<br />
| 00019002<br />
| [[Fangate_updater]]<br />
| [[9.3.0-21|v2]], [[9.6.0-24|v1026]]<br />
|}<br />
<br />
=== 00040030 - Applets===<br />
{| class="wikitable" border="1"<br />
|-<br />
! JPN TitleIDLow<br />
! USA TitleIDLow<br />
! EUR TitleIDLow<br />
! CHN TitleIDLow<br />
! KOR TitleIDLow<br />
! TWN TitleIDLow<br />
! [[Product code]]<br />
! Description<br />
! JPN Versions<br />
! USA Versions<br />
! EUR Versions<br />
|-<br />
|colspan=6| 00008102<br />
| CTR-P-CTAP<br />
| [[NS#Alternate menu|Test Menu]] (Demo1)<br />
|colspan=3| ..., v64, ..., v27648<br />
|-<br />
| 00008202<br />
| 00008F02<br />
| 00009802<br />
| 0000A102<br />
| 0000A902<br />
| 0000B102<br />
| CTR-P-HMM?<br />
| [[Home Menu]] (menu)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[2.1.0-3|v2049]], [[2.2.0-X|v3075]], [[3.0.0-5|v4111]], [[4.0.0-7|v5131]], [[4.2.0-9|v6146]], [[5.0.0-11|v7172]], [[6.0.0-11|v8198]], [[7.0.0-13|v9230]], [[8.1.0-0_New3DS|v10250]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v13313]], [[9.1.0-20J|v14336]], [[9.2.0-20|v15360]], [[9.3.0-21|v16402]], [[9.4.0-21|v17408]], [[9.5.0-22|v18432]], [[9.6.0-24|v19476]], [[9.7.0-25|v20487]], [[9.8.0-25|v22528]], [[10.1.0-27|v23552]], [[10.2.0-28|v24576]], [[10.3.0-28|v25600]], [[10.4.0-29|v26626]], [[10.6.0-31|v27648]], [[11.1.0-34|v28672]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[2.1.0-3|v2049]], [[2.2.0-X|v3075]], [[3.0.0-5|v4111]], [[4.0.0-7|v5131]], [[4.2.0-9|v6146]], [[5.0.0-11|v7172]], [[6.0.0-11|v8198]], [[7.0.0-13|v9230]], [[9.0.0-20|v11272]], [[9.2.0-20|v12288]], [[9.3.0-21|v13330]], [[9.4.0-21|v14336]], [[9.5.0-22|v15360]], [[9.6.0-24|v16404]], [[9.7.0-25|v17415]], [[9.8.0-25|v19456]], [[9.9.0-26|v20480]], [[10.1.0-27|v21504]], [[10.2.0-28|v22528]], [[10.3.0-28|v23552]], [[10.4.0-29|v24578]], [[10.6.0-31|v25600]], [[11.1.0-34|v26624]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[2.1.0-3|v2049]], [[2.2.0-X|v3075]], [[3.0.0-5|v4111]], [[4.0.0-7|v5131]], [[4.2.0-9|v6146]], [[5.0.0-11|v7172]], [[6.0.0-11|v8198]], [[7.0.0-13|v9230]], [[9.0.0-20|v11272]], [[9.2.0-20|v12288]], [[9.3.0-21|v13330]], [[9.4.0-21|v14336]], [[9.5.0-22|v15360]], [[9.6.0-24|v16404]], [[9.7.0-25|v17415]], [[9.8.0-25|v19456]], [[10.1.0-27|v20480]], [[10.2.0-28|v21504]], [[10.3.0-28|v22528]], [[10.4.0-29|v23554]], [[10.6.0-31|v24576]], [[11.1.0-34|v25600]]<br />
|-<br />
| 00008402<br />
| 00009002<br />
| 00009902<br />
| 0000A202<br />
| 0000AA02<br />
| 0000B202<br />
| CTR-N-HCS?<br />
| Camera applet used by Home-menu (CtrApp)<br />
|colspan=3| v0, v1036, [[9.0.0-20|v2049]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00008502<br />
| 00009102<br />
| 00009A02<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| Not available on CDN<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| 00008602<br />
| 00009202<br />
| 00009B02<br />
| 0000A402<br />
| 0000AC02<br />
| 0000B402<br />
| <br />
| Instruction Manual, applet for displaying instruction manuals<br />
|colspan=3| v0, v1026, v2048, v3072, [[5.0.0-11|v4097]], [[9.0.0-20|v5120]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00008702<br />
| 00009302<br />
| 00009C02<br />
| 0000A502<br />
| 0000AD02<br />
| 0000B502<br />
| CTR-N-HGM?<br />
| Game Notes (Cherry)<br />
|colspan=3| v0, v1026, v2049, [[5.0.0-11|v3073]], [[9.0.0-20|v4096]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00008802<br />
| 00009402<br />
| 00009D02<br />
| 0000A602<br />
| 0000AE02<br />
| 0000B602<br />
| <br />
| [[Internet Browser]] (spider)<br />
|colspan=3| [[2.0.0-2|v6]], [[2.1.0-4|v1024]], [[4.0.0-7|v2050]], [[5.0.0-11|v3074 (EUR)/v3075(USA,JAP)]], [[7.0.0-13|v3088]], [[7.1.0-16|v4096]], [[9.5.0-23|v5121]], [[9.9.0-26|v6149]], [[10.2.0-28|v7168]], [[10.6.0-31|v8192]], [[10.7.0-32|v9232]], [[11.1.0-34|v10240]]<br />
|-<br />
| 20008802<br />
| 20009402<br />
| 20009D02<br />
| ?<br />
| 2000AE02<br />
| N/A<br />
| CTR-N-HBR?<br />
| [[New 3DS]] [[Internet Browser]] (SKATER)<br />
|colspan=3| [[8.1.0-0_New3DS|v10]], [[9.3.0-21|v1027]], [[9.6.0-24|v2051]], [[9.9.0-26|v3077]], [[10.2.0-28|v4096]], [[10.4.0-29|v5121]], [[10.6.0-31|v6144]], [[10.7.0-32|v7184]], [[11.1.0-34|v8192]]<br />
|-<br />
|colspan=6| 00008A02<br />
| <br />
| Fatal error viewer ([[ErrDisp]])<br />
|colspan=3| v0, v1025, [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5121]], [[8.0.0-18|v6144]], [[9.0.0-20|v7168]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
|colspan=6| 00008A03<br />
| <br />
| SAFE_MODE [[ErrDisp]]<br />
|colspan=3| v0<br />
|-<br />
| 20008A03<br />
| 20008A03<br />
| 20008A03<br />
| ?<br />
| 20008A03<br />
| N/A<br />
| <br />
| [[New_3DS]] SAFE_MODE [[ErrDisp]]<br />
|colspan=3| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00008D02<br />
| 00009602<br />
| 00009F02<br />
| 0000A702<br />
| 0000AF02<br />
| 0000B702<br />
| CTR-N-HFR?<br />
| Friend List (friend)<br />
|colspan=3| v0, v1026, [[2.2.0-X|v2051]], v3082, v4099, [[7.0.0-13|v5120]], [[9.0.0-20|v6144]](Also for [[8.1.0-0_New3DS]]) (EUR v6, v1024, v3082, v4099, [[7.0.0-13|v5120]], [[9.0.0-20|v6144]])<br />
|-<br />
| 00008E02<br />
| 00009702<br />
| 0000A002<br />
| 0000A802<br />
| 0000B002<br />
| 0000B802<br />
| CTR-N-HCR?<br />
| Notifications (newslist)<br />
|colspan=3| v0, v1029, v2054, v3075, [[9.0.0-20|v4097]] (EUR v6, v1024, v2054, v3075, [[9.0.0-20|v4097]]) (JPN: ..., [[8.1.0-0_New3DS|v4096]], [[9.0.0-20|v5121]])<br />
|-<br />
| 0000C002<br />
| 0000C802<br />
| 0000D002<br />
| 0000D802<br />
| 0000DE02<br />
| 0000E402<br />
| CTR-N-HKY?<br />
| Software Keyboard (swkbd)<br />
|colspan=3| v0, v1026, v2053, [[7.0.0-13|v3072]], [[9.0.0-20|v4096]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 0000C003<br />
| 0000C803<br />
| 0000D003<br />
| 0000D803<br />
| 0000DE03<br />
| 0000E403<br />
| <br />
| SAFE_MODE Software Keyboard (swkbd)<br />
|colspan=3| v0<br />
|-<br />
| 2000C003<br />
| 2000C803<br />
| 2000D003<br />
| ?<br />
| 2000DE03<br />
| N/A<br />
| <br />
| [[New 3DS]] SAFE_MODE Software Keyboard (swkbd)<br />
| [[8.1.0-0_New3DS|v1024]]<br />
|colspan=2|[[9.0.0-20|v0]]<br />
|-<br />
| 0000C102<br />
| 0000C902<br />
| 0000D102<br />
| 0000D902<br />
| 0000DF02<br />
| 0000E502<br />
| <br />
| Mii picker (appletEd)<br />
|colspan=3| v0, v1026, [[9.0.0-20|v2048]](Also for [[8.1.0-0_New3DS]]), [[9.3.0-21|v3077]]<br />
|-<br />
| 0000C302<br />
| 0000CB02<br />
| 0000D302<br />
| 0000DB02<br />
| 0000E102<br />
| 0000E702<br />
| <br />
| Picture picker (PNOTE_AP)<br />
|colspan=3| v0, v1024, [[8.1.0-0_New3DS|v2049]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v3075]], [[9.3.0-21|v4096]]<br />
|-<br />
| 0000C402<br />
| 0000CC02<br />
| 0000D402<br />
| 0000DC02<br />
| 0000E202<br />
| 0000E802<br />
| <br />
| [[Nintendo 3DS Sound|Voice memo]] picker (SNOTE_AP)<br />
|colspan=3| v0, v3, [[8.0.0-18|v1026]], [[9.0.0-20|v2048]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
|colspan=3| 0000C502<br />
|colspan=3| 0000CF02<br />
| <br />
| Non-critical (online, etc) error display (error)<br />
|colspan=3| v0, v1026, v2053, v3074, [[8.1.0-0_New3DS|v4096]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v5128]], [[9.6.0-24|v6145]]<br />
|-<br />
|colspan=3| 0000C503<br />
|colspan=3| 0000CF03<br />
| <br />
| SAFE_MODE error applet<br />
|colspan=3| v0<br />
|-<br />
| 2000C503<br />
| 2000C503<br />
| 2000C503<br />
| ?<br />
| 2000CF03<br />
| N/A<br />
| <br />
| [[New 3DS]] SAFE_MODE error applet<br />
|colspan=3| [[8.1.0-0_New3DS|v1024]]<br />
|-<br />
|colspan=3| 0000CD02<br />
|colspan=3| 0000D502<br />
| <br />
| [[Circle Pad Pro]] test/calibration applet (extrapad)<br />
|colspan=3| v1, v1026, [[8.1.0-0_New3DS|v2048]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v3073]]<br />
|-<br />
| 0000C602<br />
| 0000CE02<br />
| 0000D602<br />
| N/A<br />
| 0000E302<br />
| 0000E902<br />
| CTR-N-HAA?<br />
| eShop applet, used by applications for accessing the eShop, for DLC/etc. Also used by the eShop application itself. (mint)<br />
|colspan=3| v5, v1028, [[4.2.0-9|v2050]], [[5.0.0-11|v3072]], [[7.0.0-13|v4109]], [[7.2.0-17|v5125]](v5123 for JPN), [[8.0.0-18|v6145]], [[8.1.0-0_New3DS|v7168]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v8200]], [[9.3.0-21|v9224]], [[9.6.0-24|v10247]], [[9.8.0-25|v11264]], [[10.0.0-27|v12293]], [[10.1.0-27|v13312]], [[10.3.0-28|v14337]], [[10.4.0-29|v15360]], [[10.7.0-32|v16384]]<br />
|-<br />
| 0000BC02<br />
| 0000BD02<br />
| 0000BE02<br />
| ?<br />
| ?<br />
| ?<br />
| CTR-N-HAE?<br />
| Miiverse (olv)<br />
|colspan=3| [[7.0.0-13|v14]], [[7.2.0-17|v1024]], [[9.0.0-20|v2048]](Also for [[8.1.0-0_New3DS]]), [[9.3.0-21|v3072]], [[9.6.0-24|v4096]]<br />
|-<br />
| 0000F602<br />
| 0000F602<br />
| 0000F602<br />
| ?<br />
| ?<br />
| ?<br />
| <br />
| Likely the "system library" for Miiverse (memolib)<br />
|colspan=3| [[7.0.0-13|v5]], [[8.1.0-0_New3DS|v1024]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v2050]], [[9.3.0-21|v3072]]<br />
|-<br />
| 00008302<br />
| 00008B02<br />
| 0000BA02<br />
| ?<br />
| ?<br />
| ?<br />
| CTR-N-HAH?<br />
| In-app Miiverse-posting applet (solv3)<br />
|colspan=3| [[9.0.0-20|v6]]<br />
|-<br />
| 00009502<br />
| 00009E02<br />
| 0000B902<br />
| ?<br />
| 00008C02<br />
| ?<br />
| CTR-N-HA3?<br />
| Cabinet ([[amiibo Settings]])<br />
|colspan=3| [[9.3.0-21|v7]], [[9.6.0-24|v1031]]<br />
|}<br />
<br />
Most of these processes are applets, see [[NS_and_APT_Services|here]] for details.<br />
<br />
All of the above processes use the "SYSTEM" [[SVC|memory-region]].<br />
<br />
The ExeFS for Home Menu is exactly the same for USA/EUR/JPN.<br />
<br />
The Miiverse applet seems to use a web browser with webkit.<br />
<br />
=== 0004009B - [[NCCH#CFA|System Data Archives]] (Shared Archives) ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! JPN TitleIDLow<br />
! USA TitleIDLow<br />
! EUR TitleIDLow<br />
! KOR TitleIDLow<br />
! Description<br />
! Versions<br />
|-<br />
| 00010202<br />
| 00010202<br />
| 00010202<br />
| 00010202<br />
| Probably Mii-related, contains "CFL_Res.dat" in the RomFS.<br />
| v0<br />
|-<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
|<br />
| Only exists for dev-units.<br />
| v0, v2052<br />
|-<br />
| 00010402<br />
| 00010402<br />
| 00010402<br />
| 00010402<br />
| Mounted as "area:", contains Country and Region names<br />
| v0, v1024, v2050, v3072, [[7.0.0-13|v4098]], [[9.6.0-24|v5122]]<br />
|-<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
|<br />
| Only exists for dev-units.<br />
| v0, v1024, v2048<br />
|-<br />
| 00010602<br />
| 00010602<br />
| 00010602<br />
| 00010602<br />
| Non-Nintendo TLS Root-CA Certificates (RomFS contains files with filename "CACERT_PUBLIC_CA_<val>.der", where <val> is 5..8)<br />
| v2, [[10.5.0-30|v1024]]<br />
|-<br />
| <br />
| <br />
| 00011202<br />
|<br />
| "NL/NL" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011302<br />
|<br />
| "EN/GB" dictionary.<br />
| v0<br />
|-<br />
| <br />
| 00011402<br />
|<br />
| <br />
| "EN/US" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011502<br />
|<br />
| "FR/FR/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| 00011602<br />
|<br />
| <br />
| "FR/CA/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011702<br />
|<br />
| "DE/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011802<br />
|<br />
| "IT/IT" dictionary.<br />
| v0<br />
|-<br />
| 00011902<br />
| <br />
|<br />
| <br />
| "JA_small/32" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
|<br />
| 00011A02<br />
| ?<br />
| v1<br />
|-<br />
| <br />
| <br />
| 00011B02<br />
|<br />
| "PT/PT/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011C02<br />
|<br />
| "RU/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| 00011D02<br />
| 00011D02<br />
|<br />
| "ES/ES" dictionary.<br />
| v0<br />
|-<br />
| <br />
| 00011E02<br />
|<br />
| <br />
| "PT/BR/regular" dictionary.<br />
| v0<br />
|-<br />
| 00012202<br />
| 00012302<br />
| 00012102<br />
| 00012502<br />
| ?contains a lists with error strings<br />
| v1026, v2053, v3073, [[4.2.0-9|v4096]], [[5.0.0-11|v5120]], [[7.0.0-13|v6149]], [[7.2.0-17|v7168]], [[8.0.0-18|v8192]], [[9.0.0-20|v9218]], [[9.3.0-21|v10242]], [[9.6.0-24|v11269]], [[10.0.0-27|v12289]], [[10.4.0-29|v13312]], [[10.7.0-32|v13313]] (JPN: [[11.1.0-34|v14336]]) (KOR: [[9.6.0-24|v6148]], [[10.0.0-27|v7169]], [[10.3.0-28|v8193]], [[10.4.0-29|v9216]], [[11.1.0-34|v10240]])<br />
|-<br />
| 00013202<br />
| 00013302<br />
| 00013102<br />
| 00013502<br />
| Mounted as "eula:"<br />
| v0, v1024, v2049 USA: v1024, v2051, [[7.0.0-13|v3074]], [[7.2.0-17|v4100]](EUR-only), [[9.0.0-20|v4099]], [[9.9.0-26|v6144]], [[10.4.0-29|v7168]] (KOR: [[9.7.0-25|v1025]])<br />
|-<br />
| 00014002<br />
| 00014002<br />
| 00014002<br />
| 00014002<br />
| JPN/EUR/USA [[System Font]] ("font:")<br />
| v0<br />
|-<br />
| 00014102<br />
| 00014102<br />
| 00014102<br />
| 00014102<br />
| CHN [[System Font]] ("font:")<br />
| v0, v1024<br />
|-<br />
| 00014202<br />
| 00014202<br />
| 00014202<br />
| 00014202<br />
| KOR [[System Font]] ("font:")<br />
| v0, v1024<br />
|-<br />
| 00014302<br />
| 00014302<br />
| 00014302<br />
| 00014302<br />
| TWN [[System Font]] ("font:")<br />
| v0, v1024<br />
|-<br />
| 00015202<br />
| 00015302<br />
| 00015102<br />
| 00015502<br />
| Mounted as "rate:"<br />
| v0 (EUR: v0, v1024) (KOR: v1024)<br />
|}<br />
<br />
=== 000400DB - [[NCCH#CFA|System Data Archives]] ===<br />
These [[NVer]] titleIDs can be found @ offset 0x320 in every [[CCI]].<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! EUR TitleIDLow<br />
! JPN TitleIDLow<br />
! USA TitleIDLow<br />
! CHN TitleIDLow<br />
! KOR TitleIDLow<br />
! TWN TitleIDLow<br />
! Description<br />
! USA/EUR/JPN Versions<br />
! CHN Versions<br />
! TWN Versions<br />
! KOR Versions<br />
|-<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
| NGWord bad word list<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1024]], [[3.0.0-5|v2052]], [[4.0.0-7|v3072]], [[4.3.0-10|v4096]], [[5.0.0-11|v5120]], [[9.0.0-20|v6144]], [[9.3.0-21|v7168]], [[9.6.0-24|v8192]], [[11.1.0-34|v9217]]<br />
| Same as USA<br />
| Same as USA<br />
| Same as USA<br />
|-<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
| [[Nintendo Zone]] hotspot list<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1024]], [[3.0.0-5|v2048]], [[4.0.0-7|v3073]], [[4.3.0-10|v4096]], [[4.4.0-10|v5120]], [[4.5.0-10|v6144]], [[5.0.0-11|v7169]], [[6.0.0-11|v8192]], [[6.2.0-12|v9216]], [[7.0.0-13|v10242]], [[7.2.0-17|v11267]], [[8.0.0-18|v12288]], [[9.0.0-20|v14336]], [[9.3.0-21|v15360]], [[9.6.0-24|v16386]], [[10.0.0-27|v17409]], [[10.4.0-29|v18432]], [[11.1.0-34|v19457]]<br />
| Same as USA<br />
| Same as USA<br />
| Same as USA<br />
|-<br />
| 00016102<br />
| 00016202<br />
| 00016302<br />
| 00016402<br />
| 00016502<br />
| 00016602<br />
| [[NVer]]<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v16]], [[2.0.0-2|v32]], [[2.1.0-3|v48]], [[2.1.0-4|v64]], [[3.0.0-5|v80]], [[3.0.0-6|v96]], [[4.0.0-7|v112]], [[4.1.0-8|v128]], [[4.2.0-9|v144]], [[4.3.0-10|v160]], [[5.0.0-11|v176]], non-USA=[[6.0.0-11|v192]]/USA=[[6.1.0-12U|v192]], [[7.0.0-13|v208]], [[7.1.0-14|v224]], [[7.1.0-15|v240]], [[7.1.0-16|v256]], [[7.2.0-17|v272]], [[8.0.0-18|v288]], [[8.1.0-19|v304]], [[9.0.0-20|v320]], [[9.3.0-21|v336]], [[9.5.0-22|v352]], [[9.5.0-23|v368]], [[9.6.0-24|v384]], [[9.7.0-25|v400]], [[9.9.0-26|v416]], [[10.0.0-27|v432]], [[10.2.0-28|v448]], [[10.4.0-29|v464]], [[10.5.0-30|v480]], [[10.6.0-31|v496]], [[10.7.0-32|v512]], [[11.0.0-33|v528]], [[11.1.0-34|v544]]<br />
| [[4.0.0-7|v113]], [[4.2.0-9|v128]], [[5.0.0-11|v129]], [[7.1.0-16|v130]], [[7.2.0-17|v272]], [[9.5.0-23|v131]], [[9.9.0-26|v132]]<br />
| [[4.1.0-8|v114]], [[4.2.0-9|v133]], [[4.3.0-10|v134]], [[5.0.0-11|v136]], [[7.0.0-13|v144]], [[7.1.0-14|v160]] [[7.1.0-16|v192]], [[7.2.0-17|v272]], [[8.0.0-18|v208]], [[8.1.0-19|v224]], [[9.0.0-20|v240]], [[9.5.0-22|v272]], [[9.5.0-23|v288]], [[9.6.0-24|v304]], [[9.7.0-25|v320]], [[9.9.0-26|v336]], [[10.0.0-27|v352]], [[10.2.0-28|v368]], [[10.4.0-29|v384]], [[10.5.0-30|v400]], [[10.6.0-31|v416]], [[10.7.0-32|v432]], [[11.0.0-33|v448]], [[11.1.0-34|v464]]<br />
| [[4.0.0-7|v113]], [[4.1.0-8|v114]], [[4.2.0-9|v133]], [[4.3.0-10|v134]], [[5.0.0-11|v136]], [[7.0.0-13|v160]], [[7.1.0-14|v176]], [[7.1.0-16|v176]], [[7.2.0-17|v272]], [[8.0.0-18|v224]], [[8.1.0-19|v240]], [[9.0.0-20|v256]], [[9.3.0-21|v272]], [[9.5.0-22|v288]], [[9.5.0-23|v304]], [[9.6.0-24|v320]], [[9.7.0-25|v336]], [[9.9.0-26|v352]], [[10.0.0-27|v368]], [[10.2.0-28|v384]], [[10.4.0-29|v400]], [[10.5.0-30|v416]], [[10.6.0-31|v432]], [[10.7.0-32|v448]], [[11.0.0-33|v464]], [[11.1.0-34|v480]]<br />
|-<br />
| 20016102<br />
| 20016202<br />
| 20016302<br />
| N/A<br />
| 20016502<br />
| N/A<br />
| [[New_3DS]] [[NVer]]<br />
| [[8.1.0-0_New3DS|v0]], [[9.0.0-20|v320]], [[9.3.0-21|v336]], [[9.5.0-22|v352]], [[9.5.0-22|v352]], [[9.5.0-23|v368]], [[9.6.0-24|v384]], [[9.7.0-25|v400]], [[9.9.0-26|v416]], [[10.0.0-27|v432]], [[10.2.0-28|v448]], [[10.4.0-29|v464]], [[10.5.0-30|v480]], [[10.6.0-31|v496]], [[10.7.0-32|v512]], [[11.0.0-33|v528]], [[11.1.0-34|v544]]<br />
| N/A<br />
| N/A<br />
| [[9.6.0-24|v320]], [[9.7.0-25|v336]], [[9.9.0-26|v352]], [[10.0.0-27|v368]], [[10.2.0-28|v384]], [[10.4.0-29|v400]], [[10.5.0-30|v416]], [[10.6.0-31|v432]], [[10.7.0-32|v448]], [[11.0.0-33|v464]]<br />
|-<br />
| 00017102<br />
| 00017202<br />
| 00017302<br />
| 00017402<br />
| 00017502<br />
| 00017602<br />
| [[CVer]]<br />
| [[1.0.0-0|v1024]], [[1.1.0-1|v1045]], [[2.0.0-2|v2049]], [[2.1.0-3|v2069]], [[2.2.0-X|v2088]] [[3.0.0-5|v3088]], [[4.0.0-7|v4098]], [[4.1.0-8|v4113]], [[4.2.0-9|v4130]], [[4.3.0-10|v4145]], [[4.4.0-10|v4163]], [[4.5.0-10|v4176]], [[5.0.0-11|v5120]], [[5.1.0-11|v5136]], [[6.0.0-11|v6146]], [[6.1.0-11|v6160]], [[6.2.0-12|v6178]], [[6.3.0-12|v6192]], [[7.0.0-13|v7175]], [[7.1.0-14|v7187]], [[7.2.0-17|v7203]], [[8.0.0-18|v8196]], [[8.1.0-18|v8208]], [[8.1.0-0_New3DS|v8215]](8.1.0-0_New3DS), [[9.0.0-20|v9218]], [[9.1.0-20J|v9232]](JPN-only), [[9.2.0-20|v9248]], [[9.3.0-21|v9264]], [[9.4.0-21|v9280]], [[9.5.0-22|v9296]], [[9.6.0-24|v9319]], [[9.7.0-25|v9328]], [[9.8.0-25|v9344]], [[9.9.0-26|v9360]], [[10.0.0-27|v10240]], [[10.1.0-27|v10256]], [[10.2.0-28|v10272]], [[10.3.0-28|v10288]], [[10.4.0-29|v10304]], [[10.5.0-30|v10320]], [[10.6.0-31|v10336]], [[10.7.0-32|v10352]], [[11.0.0-33|v11264]], [[11.1.0-34|v11280]]<br />
| [[1.0.0-0|v1024]], [[1.1.0-1|v1045]], [[2.0.0-2|v2049]], [[2.1.0-3|v2069]], [[2.2.0-X|v2088]] [[3.0.0-5|v3088]], [[4.0.0-7|v4098]], [[4.1.0-8|v4113]], [[4.2.0-9|v4130]], [[4.3.0-10|v4145]], [[4.4.0-10|v4163]], [[4.5.0-10|v4176]], [[5.0.0-11|v5120]], [[5.1.0-11|v5136]], [[6.0.0-11|v6146]], [[6.1.0-11|v6160]], [[6.2.0-12|v6178]], [[6.3.0-12|v6192]], [[7.0.0-13|v7175]], [[7.1.0-14|v7187]], [[7.2.0-17|v7203]], [[8.0.0-18|v8196]], [[8.1.0-18|v8208]], [[9.0.0-20|v9217]], [[9.3.0-21|v9264]], [[9.5.0-22|v9296]], [[9.6.0-24|v9319]], [[9.7.0-25|v9328]], [[9.8.0-25|v9344]], [[9.9.0-26|v9360]], [[10.0.0-27|v10240]], [[10.2.0-28|v10272]], [[10.4.0-29|v10304]], [[10.5.0-30|v10320]], [[10.6.0-31|v10336]], [[10.7.0-32|v10352]]<br />
| Same as CHN<br />
| Same as CHN, [[11.1.0-34|v11280]]<br />
|}<br />
<br />
=== 00040130 - System [[Services API|Modules]] ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! TitleID Low<br />
! Description<br />
! Versions<br />
|-<br />
| 00001002<br />
| [[Services|sm]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001003<br />
| SAFE_MODE [[Services|sm]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001102<br />
| [[Filesystem services|fs]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001103<br />
| SAFE_MODE [[Filesystem services|fs]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001202<br />
| [[Process Manager Services|pm]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001203<br />
| SAFE_MODE [[Process Manager Services|pm]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001302<br />
| [[Loader Services|loader]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001303<br />
| SAFE_MODE [[Loader Services|loader]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001402<br />
| [[PXI Services|pxi]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001403<br />
| SAFE_MODE [[PXI Services|pxi]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001502<br />
| [[Application Manager Services|AM]] ( Application Manager )<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[3.0.0-5|v2053]], [[4.0.0-7|v3072]], [[5.0.0-11|v4098]], [[6.0.0-11|v5120]], [[8.0.0-18|v6148]], [[8.1.0-0_New3DS|v7168]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v8192]], [[10.0.0-27|v9217]]<br />
|-<br />
| 00001503<br />
| SAFE_MODE [[Application Manager Services|AM]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001503<br />
| [[New_3DS]] SAFE_MODE [[Application Manager Services|AM]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00001602<br />
| [[Camera Services|Camera]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[3.0.0-5|v2048]], [[4.0.0-7|v3074]], [[5.0.0-11|v4098]], [[6.0.0-11|v5120]], [[7.1.0-14|v6146]], [[8.0.0-18|v7172]], [[9.0.0-20|v9216]], [[9.3.0-21|v10242]], [[10.0.0-27|v11265]]<br />
|-<br />
| 20001602<br />
| [[New_3DS]] [[Camera Services|Camera]]<br />
| [[8.1.0-0_New3DS|v8200]], [[9.0.0-20|v9218]], [[9.3.0-21|v10242]], [[10.0.0-27|v11265]]<br />
|-<br />
| 00001702<br />
| [[Config Services|Config]] (cfg)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1024]], [[3.0.0-5|v2049]], v3072, [[4.0.0-7|v4096]], [[5.0.0-11|v5122]], [[6.0.0-11|v6145]], [[6.1.0-11|v7168]], [[7.0.0-13|v8196]], [[7.2.0-17|v9220]], [[8.0.0-18|v10243]], [[8.1.0-0_New3DS|v11265]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v12290]], [[9.3.0-21|v13315]], [[9.6.0-24|v14342]]<br />
|-<br />
| 00001703<br />
| SAFE_MODE [[Config Services|Config]] (cfg)<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001703<br />
| [[New_3DS]] SAFE_MODE [[Config Services|Config]] (cfg)<br />
| [[8.1.0-0_New3DS|v11265]]<br />
|-<br />
| 00001802<br />
| [[CDC Services|CDC]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[5.0.0-11|v4098]], [[7.0.0-13|v5120]], [[8.0.0-18|v6144]], [[9.0.0-20|v7168]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00001803<br />
| SAFE_MODE [[CDC Services|CDC]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001803<br />
| [[New_3DS]] SAFE_MODE [[CDC Services|CDC]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00001902<br />
| dmnt, debugger sysmodule. This use devunit-only HIO for devunit<>pc comms. This only exists for development units(launched by NS during startup depending on certain [[Configuration_Memory]] fields' values). This is installed at the [[Factory_Setup|factory]], then later deleted at the factory on retail units.<br />
| <br />
|-<br />
| 00001A02<br />
| [[DSP Services|DSP]]<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[4.0.0-7|v2048]], [[5.0.0-11|v3074]], [[6.0.0-11|v4096]], [[8.0.0-18|v5120]], [[9.7.0-25|v6145]], [[11.1.0-34|v7169]]<br />
|-<br />
| 00001A03<br />
| SAFE_MODE [[DSP Services|DSP]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001A03<br />
| [[New_3DS]] SAFE_MODE [[DSP Services|DSP]]<br />
| [[8.1.0-0_New3DS|v6145]]<br />
|-<br />
| 00001B02<br />
| [[GPIO Services|GPIO]]<br />
| [[1.0.0-0|v0]], [[5.0.0-11|v1025]], [[8.0.0-18|v2048]], [[9.5.0-22|v3073]]<br />
|-<br />
| 00001B03<br />
| SAFE_MODE [[GPIO Services|GPIO]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001B03<br />
| [[New_3DS]] SAFE_MODE [[GPIO Services|GPIO]]<br />
| [[8.1.0-0_New3DS|v3073]]<br />
|-<br />
| 00001C02<br />
| [[GSP Services|GSP]]<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1040]], [[2.0.0-2|v2049]], [[3.0.0-5|v3075]], v4098, [[4.0.0-7|v5120]], [[5.0.0-11|v6145]], [[6.0.0-11|v7168]], [[8.0.0-18|v8196]], [[9.0.0-20|v10240]], [[9.3.0-21|v11264]], [[9.6.0-24|v12294]]<br />
|-<br />
| 20001C02<br />
| [[New_3DS]] [[GSP Services|GSP]]<br />
| [[8.1.0-0_New3DS|v10243]], [[9.3.0-21|v11267]], [[9.6.0-24|v12294]]<br />
|-<br />
| 00001C03<br />
| SAFE_MODE [[GSP Services|GSP]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001C03<br />
| [[New_3DS]] SAFE_MODE [[GSP Services|GSP]]<br />
| [[8.1.0-0_New3DS|v9217]]<br />
|-<br />
| 00001D02<br />
| [[HID Services|HID]] (Human Interface Devices) <br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5121]], [[7.2.0-17|v6148]], [[8.0.0-18|v7168]], [[8.1.0-0_New3DS|v8192]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v9216]], [[9.3.0-21|v10240]]<br />
|-<br />
| 00001D03<br />
| SAFE_MODE [[HID Services|HID]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001D03<br />
| [[New_3DS]] SAFE_MODE [[HID Services|HID]]<br />
| [[8.1.0-0_New3DS|v8193]]<br />
|-<br />
| 00001E02<br />
| [[I2C Services|i2c]]<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[5.0.0-11|v2049]], [[8.0.0-18|v3076]], [[9.3.0-21|v5120]]<br />
|-<br />
| 20001E02<br />
| [[New_3DS]] [[I2C Services|i2c]]<br />
| [[8.1.0-0_New3DS|v4096]], [[9.3.0-21|v5121]]<br />
|- <br />
| 00001E03<br />
| SAFE_MODE [[I2C Services|i2c]]<br />
| [[1.0.0-0|v0]]<br />
|- <br />
| 20001E03<br />
| [[New_3DS]] SAFE_MODE [[I2C Services|i2c]]<br />
| [[8.1.0-0_New3DS|v4097]]<br />
|-<br />
| 00001F02<br />
| [[MCU Services|MCU]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.1.0-3|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4102]], [[5.0.0-11|v5122]], [[6.0.0-11|v6145]], [[7.0.0-13|v7168]], [[8.0.0-18|v8192]]<br />
|-<br />
| 20001F02<br />
| [[New_3DS]] [[MCU Services|MCU]]<br />
| [[8.1.0-0_New3DS|v8192]]<br />
|-<br />
| 00001F03<br />
| SAFE_MODE [[MCU Services|MCU]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001F03<br />
| [[New_3DS]] SAFE_MODE [[MCU Services|MCU]]<br />
| [[8.1.0-0_New3DS|v9217]]<br />
|-<br />
| 00002002<br />
| [[MIC Services|MIC]] (Microphone)<br />
| [[1.0.0-0|v0]], [[5.0.0-11|v1025]], [[8.0.0-18|v2048]]<br />
|-<br />
| 00002102<br />
| [[PDN Services|PDN]]<br />
| [[1.0.0-0|v0]], [[5.0.0-11|v1025]], [[8.0.0-18|v2048]]<br />
|-<br />
| 00002103<br />
| SAFE_MODE [[PDN Services|PDN]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002103<br />
| [[New_3DS]] SAFE_MODE [[PDN Services|PDN]]<br />
| [[8.1.0-0_New3DS|v3073]]<br />
|-<br />
| 00002202<br />
| [[PTM Services|PTM]] (Play time, pedometer, and battery manager)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3075]], v4096, [[4.0.0-7|v5120]], [[5.0.0-11|v6146]], [[6.0.0-11|v7168]], [[7.0.0-13|v8192]], [[8.0.0-18|v9219]], [[9.6.0-24|v11264]]<br />
|-<br />
| 20002202<br />
| [[New_3DS]] [[PTM Services|PTM]] (Play time, pedometer, and battery manager)<br />
| [[8.1.0-0_New3DS|v10240]], [[9.6.0-24|v11264]]<br />
|-<br />
| 00002203<br />
| SAFE_MODE [[PTM Services|PTM]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002203<br />
| [[New_3DS]] SAFE_MODE [[PTM Services|PTM]]<br />
| [[8.1.0-0_New3DS|v10241]]<br />
|-<br />
| 00002302<br />
| [[SPI Services|spi]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[5.0.0-11|v2049]], [[8.0.0-18|v3072]]<br />
|-<br />
| 20002302<br />
| [[New_3DS]] [[SPI Services|spi]]<br />
| [[8.1.0-0_New3DS|v4096]]<br />
|-<br />
| 00002303<br />
| SAFE_MODE [[SPI Services|spi]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002303<br />
| [[New_3DS]] SAFE_MODE [[SPI Services|spi]]<br />
| [[8.1.0-0_New3DS|v4097]]<br />
|-<br />
| 00002402<br />
| [[AC Services|AC]] (Network manager)<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1024]], [[2.0.0-2|v2052]], [[2.1.0-3|v3072]], [[3.0.0-5|v4101]], [[5.0.0-11|v5122]], [[7.0.0-13|v6145]], [[8.0.0-18|v7172]], [[9.0.0-20|v8192]](Also for [[8.1.0-0_New3DS]]), [[9.3.0-21|v9216]]<br />
|-<br />
| 00002403<br />
| SAFE_MODE [[AC Services|AC]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002403<br />
| [[New_3DS]] SAFE_MODE [[AC Services|AC]]<br />
| [[8.1.0-0_New3DS|v8193]]<br />
|-<br />
| 00002602<br />
| [[CECD Services|Cecd]] (StreetPass)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3073]], [[4.0.0-7|v4097]], [[5.0.0-11|v5122]], [[6.0.0-11|v6144]], [[6.2.0-12|v7170]], [[7.0.0-13|v8193]], [[8.0.0-18|v9216]], [[9.0.0-20|v10240]]<br />
|-<br />
| 00002702<br />
| [[CSND Services|CSND]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[4.0.0-7|v2048]], [[5.0.0-11|v3073]], [[8.0.0-18|v4096]], [[9.0.0-20|v5120]]<br />
|-<br />
| 00002703<br />
| SAFE_MODE [[CSND Services|CSND]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002703<br />
| [[New_3DS]] SAFE_MODE [[CSND Services|CSND]]<br />
| [[8.1.0-0_New3DS|v5121]]<br />
|-<br />
| 00002802<br />
| [[DLP Services|DLP]] ([[Download Play]])<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3078]], [[5.0.0-11|v4099]], [[8.0.0-18|v5123]], [[9.0.0-20|v6145]](Also for [[8.1.0-0_New3DS]]), [[9.6.0-24|v7174]], [[10.0.0-27|v8192]]<br />
|-<br />
| 00002902<br />
| [[HTTP Services|HTTP]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.1.0-3|v2049]], [[2.2.0-X|v3072]], [[3.0.0-5|v4099]], [[4.0.0-7|v5122]], [[5.0.0-11|v6145]], [[7.0.0-13|v7171]], [[7.1.0-14|v8192]], [[8.0.0-18|v9220]], [[8.1.0-18|v10245]], [[8.1.0-0_New3DS|v11264]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v12288]], [[9.6.0-24|v13318]]<br />
|-<br />
| 00002903<br />
| SAFE_MODE [[HTTP Services|HTTP]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002903<br />
| [[New_3DS]] SAFE_MODE [[HTTP Services|HTTP]]<br />
| [[8.1.0-0_New3DS|v10241]]<br />
|-<br />
| 00002A02<br />
| [[MP Services|MP]]<br />
| [[1.0.0-0|v0]], [[5.0.0-11|v1025]], [[8.0.0-18|v2048]]<br />
|-<br />
| 00002A03<br />
| SAFE_MODE [[MP Services|MP]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 00002B02<br />
| [[NDM Services|NDM]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[3.0.0-5|v2049]], [[4.0.0-7|v3072]], [[5.0.0-11|v4098]], [[8.0.0-18|v5124]], [[8.1.0-0_New3DS|v6144]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v7169]]<br />
|-<br />
| 00002C02<br />
| [[NIM Services|NIM]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1028]], [[3.0.0-5|v2055]], [[4.0.0-7|v3074]], [[5.0.0-11|v4100]], [[6.0.0-11|v5120]], [[7.0.0-13|v6148]], [[7.2.0-17|v7174]], [[8.0.0-18|v8195]], [[8.1.0-0_New3DS|v9217]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v10249]], [[9.3.0-21|v11267]], [[9.6.0-24|v12296]], [[10.0.0-27|v13313]]<br />
|-<br />
| 00002C03<br />
| SAFE_MODE [[NIM Services|NIM]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002C03<br />
| [[New_3DS]] SAFE_MODE [[NIM Services|NIM]]<br />
| [[8.1.0-0_New3DS|v9217]]<br />
|-<br />
| 00002D02<br />
| [[NWM Services|NWM]] ( Low-level wifi manager )<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1024]], [[2.0.0-2|v2052]], [[2.2.0-X|v3072]], [[3.0.0-5|v4101]], [[4.0.0-7|v5120]], [[5.0.0-11|v6148]], [[6.0.0-11|v7169]], [[7.2.0-17|v8196]], [[8.0.0-18|v9216]], [[9.0.0-20|v10240]]<br />
|-<br />
| 00002D03<br />
| SAFE_MODE [[NWM Services|NWM]]<br />
| [[1.0.0-0|v0]], [[6.0.0-11|v5120]]<br />
|-<br />
| 20002D03<br />
| [[New_3DS]] SAFE_MODE [[NWM Services|NWM]]<br />
| [[8.1.0-0_New3DS|v10241]]<br />
|-<br />
| 00002E02<br />
| [[Socket Services|Sockets]]<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1024]], [[2.0.0-2|v2053]], [[3.0.0-5|v3075]], [[4.0.0-7|v4096]], [[5.0.0-11|v5121]], [[8.0.0-18|v6144]], [[9.0.0-20|v7168]], [[10.6.0-31|v8192]]<br />
|-<br />
| 00002E03<br />
| SAFE_MODE [[Socket Services|Sockets]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002E03<br />
| [[New_3DS]] SAFE_MODE [[Socket Services|Sockets]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00002F02<br />
| [[SSL Services|SSL]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1024]], [[2.1.0-3|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5122]], [[8.0.0-18|v6144]], [[9.0.0-20|v7168]], [[9.6.0-24|v8198]]<br />
|-<br />
| 00002F03<br />
| SAFE_MODE [[SSL Services|SSL]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002F03<br />
| [[New_3DS]] SAFE_MODE [[SSL Services|SSL]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00003000<br />
| [[FIRM|Process9]] (in SAFE_MODE and normal NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00003102<br />
| [[Process Services|PS]] ( Process Manager )<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[5.0.0-11|v2049]], [[6.0.0-11|v3072]], [[8.0.0-18|v4096]], [[9.0.0-20|v5120]]<br />
|-<br />
| 00003103<br />
| SAFE_MODE [[Process Services|PS]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20003103<br />
| [[New_3DS]] SAFE_MODE [[Process Services|PS]]<br />
| [[8.1.0-0_New3DS|v5121]]<br />
|-<br />
| 00003202<br />
| [[Friend Services|friends]] (Friends list)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1028]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5122]], [[7.0.0-13|v6145]], [[8.0.0-18|v7172]], [[9.0.0-20|v8192]](Also for [[8.1.0-0_New3DS]]), [[10.5.0-30|v9216]], [[10.7.0-32|v10240]], [[11.0.0-33|v11264]], [[11.1.0-34|v12288]]<br />
|-<br />
| 00003203<br />
| SAFE_MODE [[Friend Services|friends]] (Friends list)<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20003203<br />
| [[New_3DS]] SAFE_MODE [[Friend Services|friends]] (Friends list)<br />
| [[8.1.0-0_New3DS|v8193]]<br />
|-<br />
| 00003302<br />
| [[IR Services|IR]] (Infrared)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5121]], [[8.0.0-18|v6148]], [[8.1.0-0_New3DS|v7170]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v8192]], [[9.3.0-21|v9216]], [[9.6.0-24|v10246]], [[10.0.0-27|v11265]], [[10.6.0-31|v12289]]<br />
|-<br />
| 00003303<br />
| SAFE_MODE [[IR Services|IR]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20003303<br />
| [[New_3DS]] SAFE_MODE [[IR Services|IR]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|- <br />
| 00003402<br />
| [[BOSS Services|BOSS]] (SpotPass)<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1024]], [[2.0.0-2|v2053]], [[2.2.0-X|v3073]], [[3.0.0-5|v4101]], [[4.0.0-7|v5122]], [[5.0.0-11|v6146]], [[6.0.0-11|v7169]], [[6.2.0-12|v8193]], [[7.0.0-13|v9222]], [[8.0.0-18|v10240]], [[9.0.0-20|v11266]], [[10.0.0-27|v12289]], [[10.4.0-29|v13314]]<br />
|-<br />
| 00003502<br />
| [[News Services|News]] (Notifications)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1028]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[5.0.0-11|v4097]], [[8.0.0-18|v5120]], [[9.0.0-20|v6147]], [[9.7.0-25|v7168]]<br />
|-<br />
| 00003602<br />
| "debugger". This only exist for development units(launched by NS during startup depending on certain [[Configuration_Memory]] fields' values).<br />
| <br />
|-<br />
| 00003702<br />
| [[RO_Services|RO]]<br />
| [[2.0.0-2|v0]], [[4.0.0-7|v1024]], [[5.0.0-11|v2049]], [[7.2.0-17|v3074]], [[8.0.0-18|v4096]], [[9.0.0-20|v5120]](Also for [[8.1.0-0_New3DS]]), [[9.3.0-21|v6148]]<br />
|-<br />
| 00003802<br />
| [[ACT Services|act]] (handles Nintendo Network '''a'''c'''c'''oun'''t'''s)<br />
| [[7.0.0-13|v1029]], [[7.1.0-14|v2050]], [[7.2.0-17|v3077]], [[8.0.0-18|v4099]], [[8.1.0-0_New3DS|v5120]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v6144]], [[9.3.0-21|v7168]], [[9.6.0-24|v8198]]<br />
|-<br />
| 00004002<br />
| Old3DS [[NFC_Services|nfc]]<br />
| [[9.3.0-21|v2053]], [[9.6.0-24|v4106]], [[9.7.0-25|v5121]], [[10.0.0-27|v6145]], [[10.6.0-31|v7168]], [[10.7.0-32|v8192]]<br />
|-<br />
| 20004002<br />
| [[New_3DS]] [[NFC_Services|nfc]]<br />
| [[8.1.0-0_New3DS|v0]], [[9.0.0-20|v1024]], [[9.3.0-21|v2053]], [[9.5.0-22|v3073]], [[9.6.0-24|v4102]], [[10.0.0-27|v6145]], [[10.6.0-31|v7168]]<br />
|-<br />
| 20004102<br />
| [[New_3DS]] [[MVD Services|mvd]]<br />
| [[8.1.0-0_New3DS|v0]], [[9.0.0-20|v1024]]<br />
|-<br />
| 20004202<br />
| [[New_3DS]] [[QTM Services|qtm]]<br />
| [[8.1.0-0_New3DS|v8]], [[9.0.0-20|v1024]], [[9.3.0-21|v2052]]<br />
|-<br />
| 00008002<br />
| [[NS]] (Memory-region: "SYSTEM")<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1028]], [[2.2.0-X|v2048]], [[3.0.0-5|v3077]], v4096, [[4.0.0-7|v5121]], [[5.0.0-11|v6148]], [[5.1.0-11|v7168]], [[6.0.0-11|v8193]], [[6.1.0-11|v9216]], [[7.0.0-13|v10248]], [[7.2.0-17|v11268]], [[8.0.0-18|v12291]], [[8.1.0-0_New3DS|v13312]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v14336]], [[9.3.0-21|v15360]], [[9.6.0-24|v16390]], [[9.8.0-25|v17408]], [[10.0.0-27|v18433]], [[10.4.0-29|v19458]], [[11.1.0-34|v20482]]<br />
|-<br />
| 00008003<br />
| SAFE_MODE [[NS]] (Memory-region: "SYSTEM")<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20008003<br />
| [[New_3DS]] SAFE_MODE [[NS]] (Memory-region: "SYSTEM")<br />
| [[8.1.0-0_New3DS|v13313]]<br />
|}<br />
<br />
Once Home Menu finishes loading, all of the above system modules are running, except for MP, RO, and act which are automatically [[Process_Manager_Services|loaded]] when a process requires them. When [[Process_Manager_Services|PM]]-module terminates processes, it will check whether the processes listed as dependencies for this process are listed as dependencies for other processes. Any processes which are no longer listed in any processes dependencies lists are then terminated. On [[New_3DS]], the only New3DS-specific system-module which automatically gets loaded during system boot is qtm.<br />
<br />
All of the above system modules use the "BASE" [[SVC|memory-region]](specified in the exheader), except when listed otherwise for certain modules.<br />
<br />
When handling the exheader dependency list starting with [[8.0.0-18]], Old3DS FIRM [[Process_Manager_Services|PM]]-module now skips handling titles in this list which have any bits in programID-low bitmask 0xF0000000 set(with [[8.0.0-18]] this is hard-coded). The exheader dependency list handling change is for the [[New 3DS]] system-module(s), which do not exist on Old3DS. When the New3DS pm-module is launching any title except [[NS]], it first attempts to launch the title with programID-low bitmask 0x20000000 set, then with that bitmask clear if launching fails.<br />
<br />
=== 00040138 - [[FIRM|System Firmware]] ===<br />
NATIVE_FIRM and SAFE_MODE_FIRM for the initial versions are exactly the same, besides [[Configuration_Memory|core-version]] fields. SAFE_MODE_FIRM is used for running SAFE_MODE titles, on retail SAFE_MODE_FIRM seems to be only used for running the [[System_Settings#System_Updater|System Updater]] application. When a GBA VC title is launched, AGB_FIRM is launched to handle running this title. GBA VC savegames stored under SD card /title/<TID>/data use a custom format, this is handled by AGB_FIRM.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! TitleID Low<br />
! Description<br />
! USA/EUR/JPN Versions<br />
! CHN Versions<br />
! KOR Versions<br />
! TWN Versions<br />
|-<br />
| 00000001<br />
| Unknown, very similar to SAFE_MODE_FIRM. Exists only on dev units and seems to only be used by SystemUpdaters.<br />
| v0<br />
| <br />
| <br />
| <br />
|-<br />
| 00000002<br />
| NATIVE_FIRM (Native Firmware)<br />
| [[1.0.0-0|v432]], [[1.1.0-1|v1472]], [[2.0.0-2|v2516]], [[2.1.0-3|v3553]], [[2.2.0-X|v4595]], [[3.0.0-5|v5647]], [[4.0.0-7|v6677]], [[4.1.0-8|v7712]], [[5.0.0-11|v8758]], [[5.1.0-11|v9792]], [[6.0.0-11|v10833]], [[6.1.0-11|v11872]], [[7.0.0-13|v12916]], [[7.2.0-17|v13956]], v15043, [[8.0.0-18|v15047]], [[9.0.0-20|v17120]], [[9.3.0-21|v18182]], [[9.5.0-22|v19216]], [[9.6.0-24|v20262]], [[10.0.0-27|v21288]], [[10.2.0-28|v22313]], [[10.4.0-29|v23341]], [[11.0.0-33|v24368]], [[11.1.0-34|v25396]]<br />
| Same as USA/EUR/JPN starting with the USA/EUR/JPN [[4.0.0-7]] title-version<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 20000002<br />
| [[New_3DS]] NATIVE_FIRM (Native Firmware)<br />
| [[8.1.0-0_New3DS|v16085]], [[9.0.0-20|v17120]], [[9.3.0-21|v18182]], [[9.5.0-22|v19218]], [[9.6.0-24|v20262]], [[10.0.0-27|v21288]], [[10.2.0-28|v22313]], [[10.4.0-29|v23341]], [[11.0.0-33|v24368]], [[11.1.0-34|v25396]]<br />
| N/A<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 00000003<br />
| SAFE_MODE_FIRM <br />
| [[1.0.0-0|v432]], [[3.0.0-5|v5632]]<br />
| Same as USA/EUR/JPN starting with the USA/EUR/JPN [[3.0.0-5]] title-version<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 20000003<br />
| [[New_3DS]] SAFE_MODE_FIRM <br />
| [[8.1.0-0_New3DS|v16081]]<br />
| N/A<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 00000102 <br />
| TWL_FIRM ( DSi Firmware )<br />
| [[1.0.0-0|v432]], [[2.0.0-2|v1489]], [[3.0.0-5|v2565]], v3601, [[4.0.0-7|v4625]], [[4.4.0-10|v5681]], [[4.5.0-10|v6704]], [[6.0.0-11|v7762]], [[6.2.0-12|v8817]]<br />
| Same as USA/EUR/JPN starting with the USA/EUR/JPN [[4.0.0-7]] title-version<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 20000102 <br />
| [[New_3DS]] TWL_FIRM ( DSi Firmware )<br />
| [[8.1.0-0_New3DS|v9936]]<br />
| N/A<br />
| Same as CHN.<br />
| Same as CHN.<br />
|- <br />
| 00000202<br />
| AGB_FIRM ( GBA Firmware )<br />
| [[3.0.0-5|v519]], v1553, [[4.0.0-7|v2576]], [[6.0.0-11|v3665]]<br />
| [[4.0.0-7|v2576]]<br />
| [[4.0.0-7|v2576]], [[6.0.0-11|v3665]]<br />
| Same as CHN.<br />
|- <br />
| 20000202<br />
| [[New_3DS]] AGB_FIRM ( GBA Firmware )<br />
| [[8.1.0-0_New3DS|v4816]]<br />
| N/A<br />
| N/A<br />
| N/A<br />
|}<br />
<br />
== Application Titles ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Content Category<br />
! Bit Mask(s)<br />
! Category Bit Mask<br />
|-<br />
| [[Title list/eShop Titles|Application]] (eShop Title)<br />
| Normal<br />
| 0x0000<br />
|-<br />
| DLP Child<br />
| DlpChild<br />
| 0x0001<br />
|-<br />
| [[EShop Demos|Demo]]<br />
| Demo<br />
| 0x0002<br />
|-<br />
| [[Title list/Patches|Patch]]<br />
| CannotExecution<nowiki>|</nowiki>Patch<br />
| 0x000E<br />
|-<br />
| [[Title list/DLC|Add-on Content]] (DLC)<br />
| NotRequireRightForMount<nowiki>|</nowiki>CannotExecution<nowiki>|</nowiki>AddOnContents<br />
| 0x008C<br />
|}<br />
<br />
=== 00040001 - [[Download Play]] Titles ===<br />
This titleID-high/programID-high is used for the titles sent over [[Download Play]]. Only one 00040001 Download Play title is installed to NAND /title at a time. There can be a maximum of 255 Download Play child titles per Unique ID, indexed by Title ID Variation. The legal index range: 0x0 - 0xff.<br />
<br />
<br />
== TWL (DSi) Titles ==<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Content Category<br />
! Bit Mask(s)<br />
! Category Bit Mask<br />
|-<br />
| Application (DSiWare)<br />
| TWL<nowiki>|</nowiki>0x4<br />
| 0x8004<br />
|-<br />
| System Application<br />
| TWL<nowiki>|</nowiki>0x1<nowiki>|</nowiki>0x4<br />
| 0x8005<br />
|-<br />
| System Archive<br />
| TWL<nowiki>|</nowiki>0x1<nowiki>|</nowiki>0x2<nowiki>|</nowiki>0x4<nowiki>|</nowiki>0x8<br />
| 0x800F<br />
|-<br />
| Developer Tool<br />
| TWL<nowiki>|</nowiki>0x1<nowiki>|</nowiki>0x4<nowiki>|</nowiki>0x10<br />
| 0x8015<br />
|}<br />
<br />
Bitmask 0x1 for TWL titles denotes a system title (determining whether the title will be updated during a System Update). It appears to be sufficient, but not necessary, to make the title invisible on the [[Home Menu]].<br />
<br />
Bitmask 0x2 for TWL titles may indicate no-execute.<br />
<br />
Bitmask 0x4 for TWL titles indicates internal storage.<br />
<br />
Bitmask 0x10 for TWL titles is found on developer tools.<br />
<br />
=== 00048005 - System Applications===<br />
{| class="wikitable" border="1"<br />
|-<br />
! TitleID Low<br />
! Region<br />
! Description<br />
! Versions<br />
! Information<br />
|-<br />
| 42383841(B88A)<br />
| ALL<br />
| [[DS Internet]]<br />
| v0, [[2.1.0-4|v1025]], [[3.0.0-5|v2048]]<br />
| [[DS Internet]] is the DS-mode application, (also integrated in every online-enabled DS game) and now accessible through [[System Settings]] for configuring network settings for DS software. <br />
|-<br />
| 484E4441(HNDA)<br />
| ALL<br />
| [[Download Play]]<br />
| v1024<br />
| This [[Download Play]] application is the DS-mode Download Play client, launched by the 3DS-mode Download Play application.<br />
|-<br />
| 484E4443(HNDC)<br />
| CHN<br />
| [[Download Play]]<br />
| v1024<br />
| See Above Description.<br />
|-<br />
| 484E444B(HNDK)<br />
| KOR<br />
| [[Download Play]]<br />
| v1024<br />
| See Above Description.<br />
|}<br />
<br />
=== 0004800F - System Data Archives===<br />
{| class="wikitable" border="1"<br />
|-<br />
! TitleID Low<br />
! Description<br />
! Versions<br />
|-<br />
| 484E4841(HNHA)<br />
| [[Nintendo DS Cart Whitelist]]<br />
| v0, [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[4.2.0-9|v5120]], [[4.3.0-10|v6145]], [[4.4.0-10|v7168]], [[4.5.0-10|v8192]], [[5.0.0-11|v9216]], [[6.0.0-11|v10240]], [[7.0.0-13|v11264]]<br />
|-<br />
| 484E4C41(HNLA)<br />
| [[Version Data]]<br />
| v0<br />
|}<br />
<br />
New system updates only block DS flash-cards when the above whitelist was updated, or when TWL_FIRM was updated. The whitelist contains the data used for detecting flash-cards, this is used by TWL_FIRM.<br />
<br />
<br />
=== 00048004 - DSiWare ===<br />
Although these have a titleID high separate from DSi and a titleID is stored in the SRLs, the content of these SRLs are identical to DSi.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! TitleID Low<br />
! Region<br />
! Description<br />
! Versions<br />
|-<br />
| 4B4B5456(KKTV)<br />
| EUR<br />
| Cut the Rope<br />
| v0, v64<br />
|-<br />
| 4B4E5256(KNRV)<br />
| EUR<br />
| A Little Bit of... Brain Training™: Maths Edition <br />
| v0<br />
|-<br />
| 4B5A4C56(KZLV)<br />
| EUR<br />
| Plants vs. Zombies™<br />
| v0<br />
|-<br />
| 4B454256(KEBV)<br />
| EUR<br />
| ELECTROPLANKTON (Hanenbow)<br />
| v0<br />
|-<br />
| 4B513956(KQ9V)<br />
| EUR<br />
| Zelda: Four Swords Anniversary Edition<br />
| v16<br />
|-<br />
| 4B574256(KWBV)<br />
| EUR<br />
| Mario Calculator <br />
| v0<br />
|-<br />
| 4B574656(KWFV)<br />
| EUR<br />
| Mario Clock <br />
| v0<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=SPI_Services&diff=18279SPI Services2016-09-25T10:51:08Z<p>Neobrain: /* SPI Service Names */</p>
<hr />
<div>[[Category:Services]]<br />
= SPI Service Names =<br />
* "SPI::NOR" (used by cfg:NOR)<br />
* "SPI::CD2" (used by [[CDC Services]])<br />
* "SPI::CS2"<br />
* "SPI::CS3"<br />
* "SPI::DEF"<br />
<br />
= SPI Service Commands =<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| SetDeviceState(u8 deviceid, u8 state)<br />
|-<br />
| 0x0002....<br />
| Stubbed, only returns zero.<br />
|-<br />
| 0x0003....<br />
| ReadWriteDevice(u8 deviceid, ...)<br />
|-<br />
| 0x0004....<br />
| ReadWriteDevice2(u8 deviceid, ...)<br />
|-<br />
| 0x0005....<br />
| WriteDevice(u8 deviceid, ...)<br />
|-<br />
| 0x00060102<br />
| ReadWriteDeviceArray(u8 deviceid, ...)<br />
|-<br />
| 0x00070102<br />
| ReadWriteDevice2Array(u8 deviceid, ...)<br />
|-<br />
| 0x000800C0<br />
| EnableSpiBus(u8 deviceid, bool onoff, u8 state)<br />
|-<br />
| 0x00090040<br />
| EnableTwlSpiBus?(bool onoff)<br />
|}<br />
<br />
<br />
0,1,2: 0x1EC60800<br />
3,4,5: 0x1EC42800<br />
6: 0x1EC43800</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Services_API&diff=18278Services API2016-09-25T10:41:07Z<p>Neobrain: </p>
<hr />
<div>Nintendo provides application developers with an API, which communicate with certain services. Services, in this sense, are [[Title_list#00040130_-_System_Modules|system processes running in the background]] which wait for incoming requests. When a process wants to communicate with a service, it first needs to get a handle to the named service, and then it can communicate with the service via interprocess communication. Each service has a name up to 8 characters, for example "nim:u".<br />
<br />
Handles for services are retrieved from the [[Services|service manager port]], "srv:". Services are an abstraction of ports, they operate the same way except regular ports can have their handles retrieved directly from a SVC.<br />
<br />
For a description of how commands and arguments are passed to services, see [[IPC Command Structure]].<br />
<br />
List of services (grouped by the process which provides them):<br />
{| class="wikitable" border="1"<br />
|-<br />
! Old3ds<br />
! Services<br />
! Service names<br />
! scope="col" width="200" | Notes<br />
|-<br />
| style="background: green" | Yes<br />
| [[Filesystem services]]<br />
| fs:USER, fs:LDR, fs:REG<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[Process Services]]<br />
| ps:ps<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[PXI Services]]<br />
| PxiFS0, PxiFS1, PxiFSB, PxiFSR, PxiPM, pxi:am9, pxi:dev, pxi:mc, pxi:ps9<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[Application Manager Services]]<br />
| am:app, am:net, am:u, am:sys, am:pipe<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[Process Manager Services]]<br />
| pm:app, pm:dbg<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[NIM Services]]<br />
| nim:aoc, nim:ndm, nim:s, nim:u<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[Config Services]]<br />
| cfg:u, cfg:s, cfg:i, cfg:nor<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[NS|NS and APT Services]]<br />
| ns:s, ns:p, ns:c, APT:A, APT:S, APT:U<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[RO Services]]<br />
| ldr:ro<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[NDM Services]]<br />
| ndm:u<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[CSND Services]]<br />
| csnd:SND<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[Camera Services]]<br />
| cam:u, y2r:u, cam:s, cam:c, cam:q (New3DS only)<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[CDC Services]]<br />
| cdc:HID, cdc:MIC, cdc:CSN, cdc:DSP, cdc:LGY, cdc:CHK<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[DLP Services]]<br />
| dlp:CLNT, dlp:FKCL, dlp:SRVR<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[DSP Services]]<br />
| dsp::DSP<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[GSP Services]]<br />
| gsp::Lcd, gsp::Gpu<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[BOSS Services]]<br />
| boss:U<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[CECD Services]]<br />
| cecd:u, cecd:s, cecd:ndm<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[IR Services]]<br />
| <br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[I2C Services]]<br />
| i2c::MCU, i2c::CAM, i2c::LCD, i2c::DEB, i2c::HID, i2c::IR, i2c::EEP, i2c::NFC, i2c::QTM<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[GPIO Services]]<br />
| gpio:CDC, gpio:MCU, gpio:HID, gpio:NWM, gpio:IR, gpio:NFC, gpio:QTM<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[HID Services]]<br />
| hid:NFC, hid:QTM, hid:SPVR, hid:USER <br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[PTM Services]]<br />
| ptm:gets, ptm:play, ptm:s, ptm:sets, ptm:sysm, ptm:u<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[NWM Services]]<br />
| nwm::UDS<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[HTTP Services]]<br />
| http:C<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[SSL Services]]<br />
| ssl:C<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[Socket Services]]<br />
| soc:P, soc:U<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[AC Services]]<br />
| ac:i, ac:u<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[Friend Services]]<br />
| frd:a, frd:u, frd:n<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[News Services]]<br />
| <br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[PDN Services]]<br />
| pdn:s, pdn:d, pdn:i, pdn:g, pdn:c<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[SPI Services]]<br />
| SPI::NOR, SPI::CD2, SPI::CS2, SPI::CS3, SPI::DEF<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[Loader Services]]<br />
| Loader<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[MCU Services]]<br />
| mcu::CAM, mcu::GPU, mcu::HID, mcu::RTC, mcu::SND, mcu::NWM, mcu::HWC, mcu::PLS, mcu::CDC<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[MIC Services]]<br />
| mic:u<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[ACT Services]]<br />
| act:a, act:u<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[NFC Services]]<br />
| <br />
|<br />
|-<br />
| style="background: red" | No<br />
| [[MVD Services]]<br />
| <br />
|<br />
|-<br />
| style="background: red" | No<br />
| [[QTM Services]]<br />
| <br />
|<br />
|}<br />
<br />
List of PXI services:<br />
* [[Filesystem services PXI]]<br />
* [[Process Services PXI]]<br />
* [[Application Manager Services PXI]]<br />
* [[Process Manager Services PXI]]<br />
* [[Development Services PXI]]<br />
* [[Gamecard Services PXI]]<br />
* [[Legacy FIRM PXI]] (TWL_FIRM/AGB_FIRM)<br />
<br />
List of ports:<br />
* [[ErrDisp]]<br />
* [[Services]]<br />
<br />
<br />
See [[Error codes]].</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Codec_Services&diff=18276Codec Services2016-09-25T10:40:41Z<p>Neobrain: Neobrain moved page Codec Services to CDC Services: This has nothing to do with "codec" stuff at all</p>
<hr />
<div>=HID Codec "cdc:HID"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| [[Cdc:HID:GetData|GetData]]<br />
|-<br />
| 0x00020000<br />
| Initialize<br />
|-<br />
| 0x00030000<br />
| Finalize<br />
|}<br />
<br />
== Touchscreen ==<br />
The touchscreen is the SPI [[SPI_Registers#SPI_NEW_CNT|device number 3]], so it uses the [[SPI_Services|0x10142XXX]] SPI registers. It is initialized by issuing the following SPI commands:<br />
spi_select_reg(3, 0x67);<br />
spi_offset_mask(3, 0x26, 0x80, 0x80);<br />
spi_select_reg(3, 0x67);<br />
spi_offset_mask(3, 0x24, 0, 0x80);<br />
spi_select_reg(3, 0x67);<br />
spi_offset_mask(3, 0x25, 0x10, 0x3C);<br />
<br />
Once the touchscreen is initialized, you can start polling touch data:<br />
u8 raw_touchdata[0x40];<br />
spi_select_reg(3, 0x67);<br />
spi_read_offset(3, 0x26); //The return value of this is checked against "& 2"<br />
spi_select_reg(3, 0xFB);<br />
spi_read_offset_array(3, 1, raw_touchdata, 0x34);<br />
<br />
This is the format of the touchdata report:<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Width<br />
! Description<br />
|-<br />
| 0x00<br />
| 2*5<br />
| Five Touchscreen X Coordinates (big-endian MSB,LSB each. 12 bits number)<br />
|-<br />
| 0x0A<br />
| 2*5<br />
| Five Touchscreen Y Coordinates (big-endian MSB,LSB each. 12 bits number)<br />
|-<br />
| 0x20<br />
| ??<br />
| ??<br />
|}<br />
<br />
When the touchscreen is not touched, all the coordinates report 0xFFFF, and since touch coordinates have only 12 bits, you can check if the touchscreen is pressed by checking the 4th bit of the MSB. For example: pendown = !(raw_touchdata[0] & BIT(4))<br />
<br />
=MIC Codec "cdc:MIC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|}<br />
<br />
=CSN Codec "cdc:CSN"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|}<br />
<br />
=DSP Codec "cdc:DSP"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|}<br />
<br />
=Legacy Codec "cdc:LGY"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|}<br />
<br />
=CHK Codec "cdc:CHK"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=MCU_Services&diff=18266MCU Services2016-09-22T13:58:46Z<p>Neobrain: /* MCU HID service "mcu::HID" */</p>
<hr />
<div>Only one session can be open per service at a time. If a session is already open for a service, MCU module will wait for the thread handling the session to terminate(triggered by the session being closed by the user process), then it accepts the new session. The commands for each service are handled by separate threads.<br />
<br />
=MCU camera service "mcu::CAM"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| ?<br />
|-<br />
| 0x0002....<br />
| ?<br />
|}<br />
<br />
=MCU GPU service "mcu::GPU"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| GetLcdPowerState. This writes the value of I2C-MCU register 0xf bit6 to u8 cmdreply[2], and the value of bit5 from that register to u8 cmdreply[3].<br />
|-<br />
| 0x00020080<br />
| SetLcdPowerState. This writes the upper LCD bits of MCU register 0x22.<br />
|-<br />
| 0x00030000<br />
| GetGpuLcdInterfaceState. This writes the value of I2C-MCU register 0xf bit7 to u8 cmdreply[2].<br />
|-<br />
| 0x00040040<br />
| SetGpuLcdInterfaceState. This writes the lower two bits of MCU register 0x22.<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x00090000<br />
| GetMcuFwVerHigh. Called by GSP module<br />
|-<br />
| 0x000A0000<br />
| GetMcuFwVerLow. Called by GSP module<br />
|-<br />
| 0x000B....<br />
| Set3dLedState<br />
|-<br />
| 0x000C....<br />
| Get3dLedState<br />
|-<br />
| 0x000D0000<br />
| GetMcuGpuEventHandle. Event handle written to TLS+0x8c. MCU notifications 24 to 29 signal this.<br />
|-<br />
| 0x000E0000<br />
| GetMcuGpuEventReason. Writes some value to TLS+0x88. Called by GSP module<br />
|}<br />
<br />
=MCU HID service "mcu::HID"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010040<br />
| ?<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x00070000<br />
| Get3dSliderState<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x00090000<br />
| ?<br />
|-<br />
| 0x000A0000<br />
| ?<br />
|-<br />
| 0x000B....<br />
| ?<br />
|-<br />
| 0x000C0000<br />
| GetMcuHidEventHandle. MCU notifications 11 and 12 signal this.<br />
|-<br />
| 0x000D0000<br />
| GetMcuHidEventReason<br />
|-<br />
| 0x000E0000<br />
| [[MCUHID:GetSoundVolume|GetSoundVolume]]<br />
|-<br />
| 0x000F0040<br />
| SetAccelerometerState(int enable). 1 = enable, 0 = disable accelerometer<br />
|}<br />
<br />
=MCU service "mcu::RTC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| SetSystemClock (RTC)<br />
|-<br />
| 0x0002....<br />
| GetSystemClock (RTC)<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x0009....<br />
| ?<br />
|-<br />
| 0x000A....<br />
| ?<br />
|-<br />
| 0x000B....<br />
| ?<br />
|-<br />
| 0x000C....<br />
| ?<br />
|-<br />
| 0x000D....<br />
| ?<br />
|-<br />
| 0x000E....<br />
| ?<br />
|-<br />
| 0x000F....<br />
| ?<br />
|-<br />
| 0x0010....<br />
| ?<br />
|-<br />
| 0x0011....<br />
| ?<br />
|-<br />
| 0x0012....<br />
| ?<br />
|-<br />
| 0x0013....<br />
| ?<br />
|-<br />
| 0x0014....<br />
| ?<br />
|-<br />
| 0x0015....<br />
| ?<br />
|-<br />
| 0x0016....<br />
| ?<br />
|-<br />
| 0x0017....<br />
| ?<br />
|-<br />
| 0x0018....<br />
| ?<br />
|-<br />
| 0x0019....<br />
| ?<br />
|-<br />
| 0x001A....<br />
| ?<br />
|-<br />
| 0x001B....<br />
| ?<br />
|-<br />
| 0x001C....<br />
| ?<br />
|-<br />
| 0x001D....<br />
| ?<br />
|-<br />
| 0x001E....<br />
| ?<br />
|-<br />
| 0x001F0040<br />
| SetPedometerRecordingMode<br />
|-<br />
| 0x00200000<br />
| GetPedometerState<br />
|-<br />
| 0x0021....<br />
| ?<br />
|-<br />
| 0x0022....<br />
| ?<br />
|-<br />
| 0x0023....<br />
| ?<br />
|-<br />
| 0x0024....<br />
| GetMcuRtcEventHandle. MCU notifications 1, 8, 9, 10, 13, 14 and 15 signal this.<br />
|-<br />
| 0x0025....<br />
| GetMcuRtcEventReason<br />
|-<br />
| 0x0026....<br />
| ?<br />
|-<br />
| 0x0027....<br />
| ?<br />
|-<br />
| 0x0028....<br />
| ?<br />
|-<br />
| 0x0029....<br />
| ?<br />
|-<br />
| 0x002A0000<br />
| GetShellState. This writes the value of I2C-MCU register 0xf bit1 to u8 cmdreply[2].<br />
|-<br />
| 0x002B0000<br />
| GetAdapterState. This writes the value of I2C-MCU register 0xf bit3 to u8 cmdreply[2].<br />
|-<br />
| 0x002C0000<br />
| GetBatteryChargeState. This writes the value of I2C-MCU register 0xf bit4 to u8 cmdreply[2].<br />
|-<br />
| 0x002D0000<br />
| [[MCURTC:GetBatteryLevel|GetBatteryLevel]]<br />
|-<br />
| 0x002E....<br />
| ?<br />
|-<br />
| 0x002F....<br />
| ?<br />
|-<br />
| 0x0030....<br />
| ?<br />
|-<br />
| 0x0031....<br />
| ?<br />
|-<br />
| 0x0032....<br />
| [[MCURTC:PowerOff|PowerOff]] (writes 0x1 to i2c MCU device, reg 0x20)<br />
|-<br />
| 0x0033....<br />
| [[MCURTC:HardwareReboot|HardwareReboot]] (writes 0x4 to i2c MCU device, reg 0x20)<br />
|-<br />
| 0x0034....<br />
| ?<br />
|-<br />
| 0x0035....<br />
| Writes 0x10 to i2c MCU device, reg 0x20<br />
|-<br />
| 0x0036....<br />
| SetWatchdogTimer<br />
|-<br />
| 0x0037....<br />
| GetWatchdogTimer<br />
|-<br />
| 0x0038....<br />
| ?<br />
|-<br />
| 0x0039....<br />
| ?<br />
|-<br />
| 0x003A....<br />
| ?<br />
|-<br />
| 0x003B0640<br />
| [[MCURTC:SetInfoLEDPattern|SetInfoLEDPattern]]<br />
|-<br />
| 0x003C0040<br />
| [[MCURTC:SetInfoLEDPatternHeader|SetInfoLEDPatternHeader]]<br />
|-<br />
| 0x003D0000<br />
| [[MCURTC:GetInfoLEDStatus|GetInfoLEDStatus]]<br />
|-<br />
| 0x003E....<br />
| ?<br />
|-<br />
| 0x003F....<br />
| ?<br />
|-<br />
| 0x0040....<br />
| ?<br />
|-<br />
| 0x0041....<br />
| ?<br />
|-<br />
| 0x00420040<br />
| [[MCURTC:SetBatteryEmptyLEDPattern|SetBatteryEmptyLEDPattern]]<br />
|-<br />
| 0x0043....<br />
| ?<br />
|-<br />
| 0x0044....<br />
| ?<br />
|-<br />
| 0x0045....<br />
| ?<br />
|-<br />
| 0x0046....<br />
| ?<br />
|-<br />
| 0x0047....<br />
| ?<br />
|-<br />
| 0x0048....<br />
| ?<br />
|-<br />
| 0x0049....<br />
| ?<br />
|-<br />
| 0x004A....<br />
| ?<br />
|-<br />
| 0x004B....<br />
| ?<br />
|-<br />
| 0x004C....<br />
| ?<br />
|-<br />
| 0x004D....<br />
| [[MCURTC:ReadHidFlagRegister|ReadHidFlagRegister]] (reads i2c MCU device, reg 0x10)<br />
|-<br />
| 0x004E0040<br />
| [[MCURTC:PublishNotifications|PublishNotifications]]<br />
|-<br />
| 0x004F....<br />
| Sets some flag (otherwise set when uploading MCU firmware)<br />
|-<br />
| 0x0050....<br />
| Returns the above flag<br />
|-<br />
| 0x00510040<br />
| [[MCURTC:SetSoftwareClosedFlag|SetSoftwareClosedFlag]]<br />
|-<br />
| 0x00520000<br />
| [[MCURTC:GetSoftwareClosedFlag|GetSoftwareClosedFlag]]<br />
|-<br />
| 0x0053....<br />
| ?<br />
|-<br />
| 0x0054....<br />
| ?<br />
|-<br />
| 0x0055....<br />
| ?<br />
|-<br />
| 0x0056....<br />
| ?<br />
|-<br />
| 0x0057....<br />
| ?<br />
|-<br />
| 0x0058....<br />
| ?<br />
|-<br />
| 0x00590040<br />
| [[MCURTC:SetLegacyJumpProhibitedFlag|SetLegacyJumpProhibitedFlag]]<br />
|-<br />
| 0x005A0000<br />
| [[MCURTC:GetLegacyJumpProhibitedFlag|GetLegacyJumpProhibitedFlag]]<br />
|}<br />
<br />
Note that using invalid input with these InfoLED/SetBatteryEmptyLEDPattern commands(especially SetInfoLEDPattern) can cause the system to be bricked(however the boot failure may not begin immediately after using the invalid parameters).<br />
<br />
=MCU sound service "mcu::SND"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| GetSoundVolume<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|}<br />
<br />
=MCU wifi service "mcu::NWM"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| SetWirelessLedState<br />
|-<br />
| 0x0002....<br />
| GetWirelessLedState<br />
|-<br />
| 0x0003....<br />
| Sets GPIO 0x20 high/low?<br />
|-<br />
| 0x0004....<br />
| Gets GPIO 0x20 high/low?<br />
|-<br />
| 0x0005....<br />
| Sets GPIO 0x40000 high/low?<br />
|-<br />
| 0x0006....<br />
| Gets GPIO 0x40000 high/low?<br />
|-<br />
| 0x0007....<br />
| [[MCUNWM:SetWirelessDisabledFlag|SetWirelessDisabledFlag]]<br />
|-<br />
| 0x0008....<br />
| [[MCUNWM:GetWirelessDisabledFlag|GetWirelessDisabledFlag]]<br />
|}<br />
<br />
=MCU service "mcu::HWC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010082<br />
| [[MCUHWC:ReadRegister|ReadRegister]]<br />
|-<br />
| 0x00020082<br />
| [[MCUHWC:WriteRegister|WriteRegister]]<br />
|-<br />
| 0x00030042<br />
| [[MCUHWC:GetInfoRegisters|GetInfoRegisters]]<br />
|-<br />
| 0x00040000<br />
| [[MCUHWC:GetBatteryVoltage|GetBatteryVoltage]]<br />
|-<br />
| 0x00050000<br />
| [[MCUHWC:GetBatteryLevel|GetBatteryLevel]]<br />
|-<br />
| 0x00060040<br />
| [[MCUHWC:SetPowerLEDPattern|SetPowerLEDPattern]]<br />
|-<br />
| 0x00070040<br />
| [[MCUHWC:SetWifiLEDState|SetWifiLEDState]]<br />
|-<br />
| 0x00080040<br />
| [[MCUHWC:SetCameraLEDPattern|SetCameraLEDPattern]]<br />
|-<br />
| 0x00090040<br />
| [[MCUHWC:Set3DLEDState|Set3DLEDState]]<br />
|-<br />
| 0x000A0640<br />
| This is the same as [[MCURTC:SetInfoLEDPattern]].<br />
|-<br />
| 0x000B0000<br />
| [[MCUHWC:GetSoundVolume|GetSoundVolume]]<br />
|-<br />
| 0x000C....<br />
| ?<br />
|-<br />
| 0x000D....<br />
| ?<br />
|-<br />
| 0x000E....<br />
| ?<br />
|-<br />
| 0x000F....<br />
| GetRtcTime<br />
|-<br />
| 0x00100000<br />
| GetMcuFwVerHigh<br />
|-<br />
| 0x00110000<br />
| GetMcuFwVerLow<br />
|}<br />
<br />
=MCU service "mcu::PLS"=<br />
<br />
RTC-related? Each of these seems to retrieve a second counter from a different RTC register.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| ?<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x0009....<br />
| ?<br />
|}<br />
<br />
=MCU codec service "mcu::CDC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| ?<br />
|}<br />
<br />
=New3DS=<br />
The Old3DS/New3DS MCU sysmodules are identical except that the MCU firmware binary written via I2C is different. The size of that binary is the same. The only different words in .text are for the version of that MCU fw binary.<br />
<br />
=MCU firmware versions=<br />
<br />
These reside in mcu-module .rodata, are uploaded to MCU register 0x05 and are usually size 0x4003 bytes. (0x4000 bytes with 3 byte magic "jhl"?)<br />
<br />
There exists an alternate code path where uploading is done using register 0x3B (decided by making some nonsense conclusions about registers 0x0F and 0x10). This may be a "hack" around early versions of MCU? Register 0x3B is RTC-related on recent versions of MCU, and the "nonsense" condition is not met even on factory MCU firmware.<br />
<br />
On dev-units, the user-facing representation of this firmware version is displayed by first subtracting 0x10 from the major field (raw register 0x00). It is these user-facing versions that are displayed in the table below. It is unknown what bit4 (0x10) actually represents, but it is seemingly always set.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Title version<br />
! Firmware<br />
|-<br />
| New3DS v8192/safe v9217 (latest)<br />
| 3.56<br />
|-<br />
| Old3DS v6145 to v8192 (latest)<br />
| 2.37<br />
|-<br />
| Old3DS v5122<br />
| 2.35<br />
|-<br />
| Old3DS v4102<br />
| 2.30<br />
|-<br />
| Old3DS v3072<br />
| 2.16<br />
|-<br />
| Old3DS v2048<br />
| 1.52<br />
|-<br />
| Old3DS v1026<br />
| 1.51<br />
|-<br />
| Old3DS v0/safe v0<br />
| 1.20<br />
|-<br />
| Old3DS factory<br />
| 1.07<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=MCU_Services&diff=18265MCU Services2016-09-22T13:55:20Z<p>Neobrain: /* MCU GPU service "mcu::GPU" */</p>
<hr />
<div>Only one session can be open per service at a time. If a session is already open for a service, MCU module will wait for the thread handling the session to terminate(triggered by the session being closed by the user process), then it accepts the new session. The commands for each service are handled by separate threads.<br />
<br />
=MCU camera service "mcu::CAM"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| ?<br />
|-<br />
| 0x0002....<br />
| ?<br />
|}<br />
<br />
=MCU GPU service "mcu::GPU"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| GetLcdPowerState. This writes the value of I2C-MCU register 0xf bit6 to u8 cmdreply[2], and the value of bit5 from that register to u8 cmdreply[3].<br />
|-<br />
| 0x00020080<br />
| SetLcdPowerState. This writes the upper LCD bits of MCU register 0x22.<br />
|-<br />
| 0x00030000<br />
| GetGpuLcdInterfaceState. This writes the value of I2C-MCU register 0xf bit7 to u8 cmdreply[2].<br />
|-<br />
| 0x00040040<br />
| SetGpuLcdInterfaceState. This writes the lower two bits of MCU register 0x22.<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x00090000<br />
| GetMcuFwVerHigh. Called by GSP module<br />
|-<br />
| 0x000A0000<br />
| GetMcuFwVerLow. Called by GSP module<br />
|-<br />
| 0x000B....<br />
| Set3dLedState<br />
|-<br />
| 0x000C....<br />
| Get3dLedState<br />
|-<br />
| 0x000D0000<br />
| GetMcuGpuEventHandle. Event handle written to TLS+0x8c. MCU notifications 24 to 29 signal this.<br />
|-<br />
| 0x000E0000<br />
| GetMcuGpuEventReason. Writes some value to TLS+0x88. Called by GSP module<br />
|}<br />
<br />
=MCU HID service "mcu::HID"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| ? (observed command header 0x00010040)<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x00070000<br />
| Get3dSliderState<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x00090000<br />
| ?<br />
|-<br />
| 0x000A0000<br />
| ?<br />
|-<br />
| 0x000B....<br />
| ?<br />
|-<br />
| 0x000C0000<br />
| GetMcuHidEventHandle. MCU notifications 11 and 12 signal this.<br />
|-<br />
| 0x000D0000<br />
| GetMcuHidEventReason<br />
|-<br />
| 0x000E0000<br />
| [[MCUHID:GetSoundVolume|GetSoundVolume]]<br />
|-<br />
| 0x000F0040<br />
| SetAccelerometerState(int enable). 1 = enable, 0 = disable accelerometer<br />
|}<br />
<br />
=MCU service "mcu::RTC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| SetSystemClock (RTC)<br />
|-<br />
| 0x0002....<br />
| GetSystemClock (RTC)<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x0009....<br />
| ?<br />
|-<br />
| 0x000A....<br />
| ?<br />
|-<br />
| 0x000B....<br />
| ?<br />
|-<br />
| 0x000C....<br />
| ?<br />
|-<br />
| 0x000D....<br />
| ?<br />
|-<br />
| 0x000E....<br />
| ?<br />
|-<br />
| 0x000F....<br />
| ?<br />
|-<br />
| 0x0010....<br />
| ?<br />
|-<br />
| 0x0011....<br />
| ?<br />
|-<br />
| 0x0012....<br />
| ?<br />
|-<br />
| 0x0013....<br />
| ?<br />
|-<br />
| 0x0014....<br />
| ?<br />
|-<br />
| 0x0015....<br />
| ?<br />
|-<br />
| 0x0016....<br />
| ?<br />
|-<br />
| 0x0017....<br />
| ?<br />
|-<br />
| 0x0018....<br />
| ?<br />
|-<br />
| 0x0019....<br />
| ?<br />
|-<br />
| 0x001A....<br />
| ?<br />
|-<br />
| 0x001B....<br />
| ?<br />
|-<br />
| 0x001C....<br />
| ?<br />
|-<br />
| 0x001D....<br />
| ?<br />
|-<br />
| 0x001E....<br />
| ?<br />
|-<br />
| 0x001F0040<br />
| SetPedometerRecordingMode<br />
|-<br />
| 0x00200000<br />
| GetPedometerState<br />
|-<br />
| 0x0021....<br />
| ?<br />
|-<br />
| 0x0022....<br />
| ?<br />
|-<br />
| 0x0023....<br />
| ?<br />
|-<br />
| 0x0024....<br />
| GetMcuRtcEventHandle. MCU notifications 1, 8, 9, 10, 13, 14 and 15 signal this.<br />
|-<br />
| 0x0025....<br />
| GetMcuRtcEventReason<br />
|-<br />
| 0x0026....<br />
| ?<br />
|-<br />
| 0x0027....<br />
| ?<br />
|-<br />
| 0x0028....<br />
| ?<br />
|-<br />
| 0x0029....<br />
| ?<br />
|-<br />
| 0x002A0000<br />
| GetShellState. This writes the value of I2C-MCU register 0xf bit1 to u8 cmdreply[2].<br />
|-<br />
| 0x002B0000<br />
| GetAdapterState. This writes the value of I2C-MCU register 0xf bit3 to u8 cmdreply[2].<br />
|-<br />
| 0x002C0000<br />
| GetBatteryChargeState. This writes the value of I2C-MCU register 0xf bit4 to u8 cmdreply[2].<br />
|-<br />
| 0x002D0000<br />
| [[MCURTC:GetBatteryLevel|GetBatteryLevel]]<br />
|-<br />
| 0x002E....<br />
| ?<br />
|-<br />
| 0x002F....<br />
| ?<br />
|-<br />
| 0x0030....<br />
| ?<br />
|-<br />
| 0x0031....<br />
| ?<br />
|-<br />
| 0x0032....<br />
| [[MCURTC:PowerOff|PowerOff]] (writes 0x1 to i2c MCU device, reg 0x20)<br />
|-<br />
| 0x0033....<br />
| [[MCURTC:HardwareReboot|HardwareReboot]] (writes 0x4 to i2c MCU device, reg 0x20)<br />
|-<br />
| 0x0034....<br />
| ?<br />
|-<br />
| 0x0035....<br />
| Writes 0x10 to i2c MCU device, reg 0x20<br />
|-<br />
| 0x0036....<br />
| SetWatchdogTimer<br />
|-<br />
| 0x0037....<br />
| GetWatchdogTimer<br />
|-<br />
| 0x0038....<br />
| ?<br />
|-<br />
| 0x0039....<br />
| ?<br />
|-<br />
| 0x003A....<br />
| ?<br />
|-<br />
| 0x003B0640<br />
| [[MCURTC:SetInfoLEDPattern|SetInfoLEDPattern]]<br />
|-<br />
| 0x003C0040<br />
| [[MCURTC:SetInfoLEDPatternHeader|SetInfoLEDPatternHeader]]<br />
|-<br />
| 0x003D0000<br />
| [[MCURTC:GetInfoLEDStatus|GetInfoLEDStatus]]<br />
|-<br />
| 0x003E....<br />
| ?<br />
|-<br />
| 0x003F....<br />
| ?<br />
|-<br />
| 0x0040....<br />
| ?<br />
|-<br />
| 0x0041....<br />
| ?<br />
|-<br />
| 0x00420040<br />
| [[MCURTC:SetBatteryEmptyLEDPattern|SetBatteryEmptyLEDPattern]]<br />
|-<br />
| 0x0043....<br />
| ?<br />
|-<br />
| 0x0044....<br />
| ?<br />
|-<br />
| 0x0045....<br />
| ?<br />
|-<br />
| 0x0046....<br />
| ?<br />
|-<br />
| 0x0047....<br />
| ?<br />
|-<br />
| 0x0048....<br />
| ?<br />
|-<br />
| 0x0049....<br />
| ?<br />
|-<br />
| 0x004A....<br />
| ?<br />
|-<br />
| 0x004B....<br />
| ?<br />
|-<br />
| 0x004C....<br />
| ?<br />
|-<br />
| 0x004D....<br />
| [[MCURTC:ReadHidFlagRegister|ReadHidFlagRegister]] (reads i2c MCU device, reg 0x10)<br />
|-<br />
| 0x004E0040<br />
| [[MCURTC:PublishNotifications|PublishNotifications]]<br />
|-<br />
| 0x004F....<br />
| Sets some flag (otherwise set when uploading MCU firmware)<br />
|-<br />
| 0x0050....<br />
| Returns the above flag<br />
|-<br />
| 0x00510040<br />
| [[MCURTC:SetSoftwareClosedFlag|SetSoftwareClosedFlag]]<br />
|-<br />
| 0x00520000<br />
| [[MCURTC:GetSoftwareClosedFlag|GetSoftwareClosedFlag]]<br />
|-<br />
| 0x0053....<br />
| ?<br />
|-<br />
| 0x0054....<br />
| ?<br />
|-<br />
| 0x0055....<br />
| ?<br />
|-<br />
| 0x0056....<br />
| ?<br />
|-<br />
| 0x0057....<br />
| ?<br />
|-<br />
| 0x0058....<br />
| ?<br />
|-<br />
| 0x00590040<br />
| [[MCURTC:SetLegacyJumpProhibitedFlag|SetLegacyJumpProhibitedFlag]]<br />
|-<br />
| 0x005A0000<br />
| [[MCURTC:GetLegacyJumpProhibitedFlag|GetLegacyJumpProhibitedFlag]]<br />
|}<br />
<br />
Note that using invalid input with these InfoLED/SetBatteryEmptyLEDPattern commands(especially SetInfoLEDPattern) can cause the system to be bricked(however the boot failure may not begin immediately after using the invalid parameters).<br />
<br />
=MCU sound service "mcu::SND"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| GetSoundVolume<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|}<br />
<br />
=MCU wifi service "mcu::NWM"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| SetWirelessLedState<br />
|-<br />
| 0x0002....<br />
| GetWirelessLedState<br />
|-<br />
| 0x0003....<br />
| Sets GPIO 0x20 high/low?<br />
|-<br />
| 0x0004....<br />
| Gets GPIO 0x20 high/low?<br />
|-<br />
| 0x0005....<br />
| Sets GPIO 0x40000 high/low?<br />
|-<br />
| 0x0006....<br />
| Gets GPIO 0x40000 high/low?<br />
|-<br />
| 0x0007....<br />
| [[MCUNWM:SetWirelessDisabledFlag|SetWirelessDisabledFlag]]<br />
|-<br />
| 0x0008....<br />
| [[MCUNWM:GetWirelessDisabledFlag|GetWirelessDisabledFlag]]<br />
|}<br />
<br />
=MCU service "mcu::HWC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010082<br />
| [[MCUHWC:ReadRegister|ReadRegister]]<br />
|-<br />
| 0x00020082<br />
| [[MCUHWC:WriteRegister|WriteRegister]]<br />
|-<br />
| 0x00030042<br />
| [[MCUHWC:GetInfoRegisters|GetInfoRegisters]]<br />
|-<br />
| 0x00040000<br />
| [[MCUHWC:GetBatteryVoltage|GetBatteryVoltage]]<br />
|-<br />
| 0x00050000<br />
| [[MCUHWC:GetBatteryLevel|GetBatteryLevel]]<br />
|-<br />
| 0x00060040<br />
| [[MCUHWC:SetPowerLEDPattern|SetPowerLEDPattern]]<br />
|-<br />
| 0x00070040<br />
| [[MCUHWC:SetWifiLEDState|SetWifiLEDState]]<br />
|-<br />
| 0x00080040<br />
| [[MCUHWC:SetCameraLEDPattern|SetCameraLEDPattern]]<br />
|-<br />
| 0x00090040<br />
| [[MCUHWC:Set3DLEDState|Set3DLEDState]]<br />
|-<br />
| 0x000A0640<br />
| This is the same as [[MCURTC:SetInfoLEDPattern]].<br />
|-<br />
| 0x000B0000<br />
| [[MCUHWC:GetSoundVolume|GetSoundVolume]]<br />
|-<br />
| 0x000C....<br />
| ?<br />
|-<br />
| 0x000D....<br />
| ?<br />
|-<br />
| 0x000E....<br />
| ?<br />
|-<br />
| 0x000F....<br />
| GetRtcTime<br />
|-<br />
| 0x00100000<br />
| GetMcuFwVerHigh<br />
|-<br />
| 0x00110000<br />
| GetMcuFwVerLow<br />
|}<br />
<br />
=MCU service "mcu::PLS"=<br />
<br />
RTC-related? Each of these seems to retrieve a second counter from a different RTC register.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| ?<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x0009....<br />
| ?<br />
|}<br />
<br />
=MCU codec service "mcu::CDC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| ?<br />
|}<br />
<br />
=New3DS=<br />
The Old3DS/New3DS MCU sysmodules are identical except that the MCU firmware binary written via I2C is different. The size of that binary is the same. The only different words in .text are for the version of that MCU fw binary.<br />
<br />
=MCU firmware versions=<br />
<br />
These reside in mcu-module .rodata, are uploaded to MCU register 0x05 and are usually size 0x4003 bytes. (0x4000 bytes with 3 byte magic "jhl"?)<br />
<br />
There exists an alternate code path where uploading is done using register 0x3B (decided by making some nonsense conclusions about registers 0x0F and 0x10). This may be a "hack" around early versions of MCU? Register 0x3B is RTC-related on recent versions of MCU, and the "nonsense" condition is not met even on factory MCU firmware.<br />
<br />
On dev-units, the user-facing representation of this firmware version is displayed by first subtracting 0x10 from the major field (raw register 0x00). It is these user-facing versions that are displayed in the table below. It is unknown what bit4 (0x10) actually represents, but it is seemingly always set.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Title version<br />
! Firmware<br />
|-<br />
| New3DS v8192/safe v9217 (latest)<br />
| 3.56<br />
|-<br />
| Old3DS v6145 to v8192 (latest)<br />
| 2.37<br />
|-<br />
| Old3DS v5122<br />
| 2.35<br />
|-<br />
| Old3DS v4102<br />
| 2.30<br />
|-<br />
| Old3DS v3072<br />
| 2.16<br />
|-<br />
| Old3DS v2048<br />
| 1.52<br />
|-<br />
| Old3DS v1026<br />
| 1.51<br />
|-<br />
| Old3DS v0/safe v0<br />
| 1.20<br />
|-<br />
| Old3DS factory<br />
| 1.07<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=MCU_Services&diff=18264MCU Services2016-09-22T13:42:17Z<p>Neobrain: /* MCU GPU service "mcu::GPU" */</p>
<hr />
<div>Only one session can be open per service at a time. If a session is already open for a service, MCU module will wait for the thread handling the session to terminate(triggered by the session being closed by the user process), then it accepts the new session. The commands for each service are handled by separate threads.<br />
<br />
=MCU camera service "mcu::CAM"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| ?<br />
|-<br />
| 0x0002....<br />
| ?<br />
|}<br />
<br />
=MCU GPU service "mcu::GPU"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| GetLcdPowerState. This writes the value of I2C-MCU register 0xf bit6 to u8 cmdreply[2], and the value of bit5 from that register to u8 cmdreply[3].<br />
|-<br />
| 0x00020080<br />
| SetLcdPowerState. This writes the upper LCD bits of MCU register 0x22.<br />
|-<br />
| 0x00030000<br />
| GetGpuLcdInterfaceState. This writes the value of I2C-MCU register 0xf bit7 to u8 cmdreply[2].<br />
|-<br />
| 0x0004....<br />
| SetGpuLcdInterfaceState. This writes the lower two bits of MCU register 0x22.<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x00090000<br />
| GetMcuFwVerHigh. Called by GSP module<br />
|-<br />
| 0x000A0000<br />
| GetMcuFwVerLow. Called by GSP module<br />
|-<br />
| 0x000B....<br />
| Set3dLedState<br />
|-<br />
| 0x000C....<br />
| Get3dLedState<br />
|-<br />
| 0x000D0000<br />
| GetMcuGpuEventHandle. Event handle written to TLS+0x8c. MCU notifications 24 to 29 signal this.<br />
|-<br />
| 0x000E0000<br />
| GetMcuGpuEventReason. Writes some value to TLS+0x88. Called by GSP module<br />
|}<br />
<br />
=MCU HID service "mcu::HID"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| ? (observed command header 0x00010040)<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x00070000<br />
| Get3dSliderState<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x00090000<br />
| ?<br />
|-<br />
| 0x000A0000<br />
| ?<br />
|-<br />
| 0x000B....<br />
| ?<br />
|-<br />
| 0x000C0000<br />
| GetMcuHidEventHandle. MCU notifications 11 and 12 signal this.<br />
|-<br />
| 0x000D0000<br />
| GetMcuHidEventReason<br />
|-<br />
| 0x000E0000<br />
| [[MCUHID:GetSoundVolume|GetSoundVolume]]<br />
|-<br />
| 0x000F0040<br />
| SetAccelerometerState(int enable). 1 = enable, 0 = disable accelerometer<br />
|}<br />
<br />
=MCU service "mcu::RTC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| SetSystemClock (RTC)<br />
|-<br />
| 0x0002....<br />
| GetSystemClock (RTC)<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x0009....<br />
| ?<br />
|-<br />
| 0x000A....<br />
| ?<br />
|-<br />
| 0x000B....<br />
| ?<br />
|-<br />
| 0x000C....<br />
| ?<br />
|-<br />
| 0x000D....<br />
| ?<br />
|-<br />
| 0x000E....<br />
| ?<br />
|-<br />
| 0x000F....<br />
| ?<br />
|-<br />
| 0x0010....<br />
| ?<br />
|-<br />
| 0x0011....<br />
| ?<br />
|-<br />
| 0x0012....<br />
| ?<br />
|-<br />
| 0x0013....<br />
| ?<br />
|-<br />
| 0x0014....<br />
| ?<br />
|-<br />
| 0x0015....<br />
| ?<br />
|-<br />
| 0x0016....<br />
| ?<br />
|-<br />
| 0x0017....<br />
| ?<br />
|-<br />
| 0x0018....<br />
| ?<br />
|-<br />
| 0x0019....<br />
| ?<br />
|-<br />
| 0x001A....<br />
| ?<br />
|-<br />
| 0x001B....<br />
| ?<br />
|-<br />
| 0x001C....<br />
| ?<br />
|-<br />
| 0x001D....<br />
| ?<br />
|-<br />
| 0x001E....<br />
| ?<br />
|-<br />
| 0x001F0040<br />
| SetPedometerRecordingMode<br />
|-<br />
| 0x00200000<br />
| GetPedometerState<br />
|-<br />
| 0x0021....<br />
| ?<br />
|-<br />
| 0x0022....<br />
| ?<br />
|-<br />
| 0x0023....<br />
| ?<br />
|-<br />
| 0x0024....<br />
| GetMcuRtcEventHandle. MCU notifications 1, 8, 9, 10, 13, 14 and 15 signal this.<br />
|-<br />
| 0x0025....<br />
| GetMcuRtcEventReason<br />
|-<br />
| 0x0026....<br />
| ?<br />
|-<br />
| 0x0027....<br />
| ?<br />
|-<br />
| 0x0028....<br />
| ?<br />
|-<br />
| 0x0029....<br />
| ?<br />
|-<br />
| 0x002A0000<br />
| GetShellState. This writes the value of I2C-MCU register 0xf bit1 to u8 cmdreply[2].<br />
|-<br />
| 0x002B0000<br />
| GetAdapterState. This writes the value of I2C-MCU register 0xf bit3 to u8 cmdreply[2].<br />
|-<br />
| 0x002C0000<br />
| GetBatteryChargeState. This writes the value of I2C-MCU register 0xf bit4 to u8 cmdreply[2].<br />
|-<br />
| 0x002D0000<br />
| [[MCURTC:GetBatteryLevel|GetBatteryLevel]]<br />
|-<br />
| 0x002E....<br />
| ?<br />
|-<br />
| 0x002F....<br />
| ?<br />
|-<br />
| 0x0030....<br />
| ?<br />
|-<br />
| 0x0031....<br />
| ?<br />
|-<br />
| 0x0032....<br />
| [[MCURTC:PowerOff|PowerOff]] (writes 0x1 to i2c MCU device, reg 0x20)<br />
|-<br />
| 0x0033....<br />
| [[MCURTC:HardwareReboot|HardwareReboot]] (writes 0x4 to i2c MCU device, reg 0x20)<br />
|-<br />
| 0x0034....<br />
| ?<br />
|-<br />
| 0x0035....<br />
| Writes 0x10 to i2c MCU device, reg 0x20<br />
|-<br />
| 0x0036....<br />
| SetWatchdogTimer<br />
|-<br />
| 0x0037....<br />
| GetWatchdogTimer<br />
|-<br />
| 0x0038....<br />
| ?<br />
|-<br />
| 0x0039....<br />
| ?<br />
|-<br />
| 0x003A....<br />
| ?<br />
|-<br />
| 0x003B0640<br />
| [[MCURTC:SetInfoLEDPattern|SetInfoLEDPattern]]<br />
|-<br />
| 0x003C0040<br />
| [[MCURTC:SetInfoLEDPatternHeader|SetInfoLEDPatternHeader]]<br />
|-<br />
| 0x003D0000<br />
| [[MCURTC:GetInfoLEDStatus|GetInfoLEDStatus]]<br />
|-<br />
| 0x003E....<br />
| ?<br />
|-<br />
| 0x003F....<br />
| ?<br />
|-<br />
| 0x0040....<br />
| ?<br />
|-<br />
| 0x0041....<br />
| ?<br />
|-<br />
| 0x00420040<br />
| [[MCURTC:SetBatteryEmptyLEDPattern|SetBatteryEmptyLEDPattern]]<br />
|-<br />
| 0x0043....<br />
| ?<br />
|-<br />
| 0x0044....<br />
| ?<br />
|-<br />
| 0x0045....<br />
| ?<br />
|-<br />
| 0x0046....<br />
| ?<br />
|-<br />
| 0x0047....<br />
| ?<br />
|-<br />
| 0x0048....<br />
| ?<br />
|-<br />
| 0x0049....<br />
| ?<br />
|-<br />
| 0x004A....<br />
| ?<br />
|-<br />
| 0x004B....<br />
| ?<br />
|-<br />
| 0x004C....<br />
| ?<br />
|-<br />
| 0x004D....<br />
| [[MCURTC:ReadHidFlagRegister|ReadHidFlagRegister]] (reads i2c MCU device, reg 0x10)<br />
|-<br />
| 0x004E0040<br />
| [[MCURTC:PublishNotifications|PublishNotifications]]<br />
|-<br />
| 0x004F....<br />
| Sets some flag (otherwise set when uploading MCU firmware)<br />
|-<br />
| 0x0050....<br />
| Returns the above flag<br />
|-<br />
| 0x00510040<br />
| [[MCURTC:SetSoftwareClosedFlag|SetSoftwareClosedFlag]]<br />
|-<br />
| 0x00520000<br />
| [[MCURTC:GetSoftwareClosedFlag|GetSoftwareClosedFlag]]<br />
|-<br />
| 0x0053....<br />
| ?<br />
|-<br />
| 0x0054....<br />
| ?<br />
|-<br />
| 0x0055....<br />
| ?<br />
|-<br />
| 0x0056....<br />
| ?<br />
|-<br />
| 0x0057....<br />
| ?<br />
|-<br />
| 0x0058....<br />
| ?<br />
|-<br />
| 0x00590040<br />
| [[MCURTC:SetLegacyJumpProhibitedFlag|SetLegacyJumpProhibitedFlag]]<br />
|-<br />
| 0x005A0000<br />
| [[MCURTC:GetLegacyJumpProhibitedFlag|GetLegacyJumpProhibitedFlag]]<br />
|}<br />
<br />
Note that using invalid input with these InfoLED/SetBatteryEmptyLEDPattern commands(especially SetInfoLEDPattern) can cause the system to be bricked(however the boot failure may not begin immediately after using the invalid parameters).<br />
<br />
=MCU sound service "mcu::SND"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| GetSoundVolume<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|}<br />
<br />
=MCU wifi service "mcu::NWM"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| SetWirelessLedState<br />
|-<br />
| 0x0002....<br />
| GetWirelessLedState<br />
|-<br />
| 0x0003....<br />
| Sets GPIO 0x20 high/low?<br />
|-<br />
| 0x0004....<br />
| Gets GPIO 0x20 high/low?<br />
|-<br />
| 0x0005....<br />
| Sets GPIO 0x40000 high/low?<br />
|-<br />
| 0x0006....<br />
| Gets GPIO 0x40000 high/low?<br />
|-<br />
| 0x0007....<br />
| [[MCUNWM:SetWirelessDisabledFlag|SetWirelessDisabledFlag]]<br />
|-<br />
| 0x0008....<br />
| [[MCUNWM:GetWirelessDisabledFlag|GetWirelessDisabledFlag]]<br />
|}<br />
<br />
=MCU service "mcu::HWC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010082<br />
| [[MCUHWC:ReadRegister|ReadRegister]]<br />
|-<br />
| 0x00020082<br />
| [[MCUHWC:WriteRegister|WriteRegister]]<br />
|-<br />
| 0x00030042<br />
| [[MCUHWC:GetInfoRegisters|GetInfoRegisters]]<br />
|-<br />
| 0x00040000<br />
| [[MCUHWC:GetBatteryVoltage|GetBatteryVoltage]]<br />
|-<br />
| 0x00050000<br />
| [[MCUHWC:GetBatteryLevel|GetBatteryLevel]]<br />
|-<br />
| 0x00060040<br />
| [[MCUHWC:SetPowerLEDPattern|SetPowerLEDPattern]]<br />
|-<br />
| 0x00070040<br />
| [[MCUHWC:SetWifiLEDState|SetWifiLEDState]]<br />
|-<br />
| 0x00080040<br />
| [[MCUHWC:SetCameraLEDPattern|SetCameraLEDPattern]]<br />
|-<br />
| 0x00090040<br />
| [[MCUHWC:Set3DLEDState|Set3DLEDState]]<br />
|-<br />
| 0x000A0640<br />
| This is the same as [[MCURTC:SetInfoLEDPattern]].<br />
|-<br />
| 0x000B0000<br />
| [[MCUHWC:GetSoundVolume|GetSoundVolume]]<br />
|-<br />
| 0x000C....<br />
| ?<br />
|-<br />
| 0x000D....<br />
| ?<br />
|-<br />
| 0x000E....<br />
| ?<br />
|-<br />
| 0x000F....<br />
| GetRtcTime<br />
|-<br />
| 0x00100000<br />
| GetMcuFwVerHigh<br />
|-<br />
| 0x00110000<br />
| GetMcuFwVerLow<br />
|}<br />
<br />
=MCU service "mcu::PLS"=<br />
<br />
RTC-related? Each of these seems to retrieve a second counter from a different RTC register.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x0001....<br />
| ?<br />
|-<br />
| 0x0002....<br />
| ?<br />
|-<br />
| 0x0003....<br />
| ?<br />
|-<br />
| 0x0004....<br />
| ?<br />
|-<br />
| 0x0005....<br />
| ?<br />
|-<br />
| 0x0006....<br />
| ?<br />
|-<br />
| 0x0007....<br />
| ?<br />
|-<br />
| 0x0008....<br />
| ?<br />
|-<br />
| 0x0009....<br />
| ?<br />
|}<br />
<br />
=MCU codec service "mcu::CDC"=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Command Header<br />
! Description<br />
|-<br />
| 0x00010000<br />
| ?<br />
|}<br />
<br />
=New3DS=<br />
The Old3DS/New3DS MCU sysmodules are identical except that the MCU firmware binary written via I2C is different. The size of that binary is the same. The only different words in .text are for the version of that MCU fw binary.<br />
<br />
=MCU firmware versions=<br />
<br />
These reside in mcu-module .rodata, are uploaded to MCU register 0x05 and are usually size 0x4003 bytes. (0x4000 bytes with 3 byte magic "jhl"?)<br />
<br />
There exists an alternate code path where uploading is done using register 0x3B (decided by making some nonsense conclusions about registers 0x0F and 0x10). This may be a "hack" around early versions of MCU? Register 0x3B is RTC-related on recent versions of MCU, and the "nonsense" condition is not met even on factory MCU firmware.<br />
<br />
On dev-units, the user-facing representation of this firmware version is displayed by first subtracting 0x10 from the major field (raw register 0x00). It is these user-facing versions that are displayed in the table below. It is unknown what bit4 (0x10) actually represents, but it is seemingly always set.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Title version<br />
! Firmware<br />
|-<br />
| New3DS v8192/safe v9217 (latest)<br />
| 3.56<br />
|-<br />
| Old3DS v6145 to v8192 (latest)<br />
| 2.37<br />
|-<br />
| Old3DS v5122<br />
| 2.35<br />
|-<br />
| Old3DS v4102<br />
| 2.30<br />
|-<br />
| Old3DS v3072<br />
| 2.16<br />
|-<br />
| Old3DS v2048<br />
| 1.52<br />
|-<br />
| Old3DS v1026<br />
| 1.51<br />
|-<br />
| Old3DS v0/safe v0<br />
| 1.20<br />
|-<br />
| Old3DS factory<br />
| 1.07<br />
|}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=18262Homebrew Exploits2016-09-21T13:23:22Z<p>Neobrain: Please stop making changes to this wiki when you have nothing to contribute.</p>
<hr />
<div>==Payload==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Description<br />
! Supported firmwares<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://smealum.github.io/3ds/ *hax payload]<br />
| Booted by all of the below non-sysmodule exploits.<br />
| From '''9.0.0-7''' up to and including '''11.1.0-34'''.<br />
|}<br />
<br />
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.<br />
<br />
==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''11.1.0-34'''.<br />
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.1.0-34'''.<br />
| A cartridge or eShop version (USA/EUR/JAP, not available anymore for purchase) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://plutooo.github.io/smilehax/ smilehax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)<br />
| plutoo<br />
| [http://plutooo.github.io/smilehax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (USA all versions)<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.1.0-34'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| From '''9.0.0-2''' to '''11.0.0-33'''<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, JPN, or KOR system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://vegaroxas.github.io/ steelhax]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A copy of Steel Diver: Sub wars<br />
| Vegaroxas<br />
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't coexist with regular saves on a physical version of the game.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.0.0-X'''.<br />
KOR: From '''9.6.0-X''' up to and including '''11.0.0-X'''.<br />
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No, exploit update required.<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1). The game is not available anymore for purchase.<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No, exploit update required.<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No, exploit update required.<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/stickerhax stickerhax]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X'''.<br />
| A gamecard or eShop-install of Paper Mario: Sticker Star.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/stickerhax Here]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)<br />
<br />
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|-<br />
| style="background: salmon" | No<br />
| Ninjhax (with specialized payloads)<br />
| Up to '''9.2.0-20'''?<br />
| <br />
| smea + independent developers<br />
| N/A<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| Yes, that's not the intended default use however.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.1.0-X'''.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Flash_Filesystem&diff=18249Flash Filesystem2016-09-19T19:21:56Z<p>Neobrain: Reorder and rephase for clarity</p>
<hr />
<div>The Nintendo 3DS has a 1GB NAND Flash chip. Due to the NCSD header, the actual used size of the Old3DS NAND is 0x3AF00000-bytes(943MiB). On New3DS, the actual NAND size and the total size used by the partitions, is 0x4D800000-bytes(1240MiB).<br />
<br />
===Format===<br />
Reading of the flash chip is possible through pinouts on the motherboard and has been performed successfully but the data is encrypted and can't be understood without first decrypting it.<br />
<br />
===Region Changing===<br />
See [https://gist.github.com/yellows8/f15be7a51c38cea14f2c here].<br />
<br />
===Redirection to SD card===<br />
See [[NAND_Redirection]].<br />
<br />
===Encryption===<br />
<br />
The NAND file system is encrypted using [[AES|AES-CTR]]. The TWL regions of NAND use the TWL NAND [[AES|keyslot]], while the CTR regions use the CTR NAND [[AES|keyslots]]. The keyslot used for each partition is determined by the NCSD partition FS type and encryption type. The TWL/CTR NAND regions are specified by the NCSD header. The first 0x0B100000 bytes of NAND is encrypted with the TWL keyslot, however before 0x00012E00 only the MBR partition table is encrypted with the TWL keyslot. That region contains the TWL partitions listed below.<br />
<br />
The New3DS CTRNAND partition uses a [[AES|keyslot]] separate from the Old3DS one.<br />
<br />
Note that re-encrypting a NAND image alone from another 3DS for use on a different 3DS is not enough to use that NAND image on a different 3DS: certain files in the "nand" partition would need modified/replaced as well.<br />
<br />
===NAND structure===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Old3DS<br />
! New3DS<br />
! Partition name<br />
! Offset<br />
! Size<br />
! NCSD partition FS type<br />
! NCSD partition encryption type<br />
! NCSD partition index<br />
! [[AES_Registers|AES]] engine keyslot<br />
! Description<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: green" | Yes<br />
| <br />
| 0x0<br />
| 0x200<br />
| <br />
| <br />
| <br />
| <br />
| [[NCSD]] header, this contains the offsets/sizes of the below CTR-NAND partitions. This block also contains the TWL-NAND MBR partition table.<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: green" | Yes<br />
| <br />
| 0x00000000<br />
| 0x0B100000<br />
| 0x01<br />
| 0x01<br />
| 0x00<br />
| 0x03<br />
| TWL NAND region<br />
|-<br />
| style="background: red" | No<br />
| style="background: green" | Yes<br />
| <br />
| 0x00012C00<br />
| 0x200<br />
| <br />
| <br />
| <br />
| See below.<br />
| Console-unique encrypted New3DS key-storage, see below.<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: green" | Yes<br />
| twln<br />
| 0x00012E00<br />
| 0x08FB5200<br />
| <br />
| <br />
| <br />
| 0x03<br />
| TWL-NAND FAT16 File System. (DSi)<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: green" | Yes<br />
| twlp<br />
| 0x09011A00<br />
| 0x020B6600<br />
| <br />
| <br />
| <br />
| 0x03<br />
| TWL-NAND PHOTO FAT12 File System. (DSi)<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: green" | Yes<br />
| <br />
| 0x0B100000<br />
| 0x00030000<br />
| 0x04<br />
| 0x02<br />
| 0x01<br />
| 0x07<br />
| By default this partition is empty(only contains 0x00/0xFF bytes since it was never written to), when AGB_FIRM was never launched. This contains the AGB_FIRM GBA savegame.<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: green" | Yes<br />
| firm0<br />
| 0x0B130000<br />
| 0x00400000<br />
| 0x03<br />
| 0x02<br />
| 0x02<br />
| 0x06<br />
| [[FIRM|Firmware]] partition.<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: green" | Yes<br />
| firm1<br />
| 0x0B530000<br />
| 0x00400000<br />
| 0x03<br />
| 0x02<br />
| 0x03<br />
| 0x06<br />
| [[FIRM|Firmware]] partition.(Backup partition, same as above)<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: red" | No<br />
| <br />
| 0x0B930000<br />
| 0x2F5D0000<br />
| 0x01<br />
| 0x02<br />
| 0x04<br />
| 0x04<br />
| CTR-NAND partition. (3DS)<br />
|-<br />
| style="background: green" | Yes<br />
| style="background: red" | No<br />
| nand<br />
| 0x0B95CA00<br />
| 0x2F3E3600<br />
| <br />
| <br />
| <br />
| 0x04<br />
| CTR-NAND FAT16 File System.<br />
|-<br />
| style="background: red" | No<br />
| style="background: green" | Yes<br />
| <br />
| 0x0B930000<br />
| 0x41ED0000<br />
| 0x01<br />
| 0x03<br />
| 0x04<br />
| 0x05<br />
| CTR-NAND partition. (New3DS)<br />
|-<br />
| style="background: red" | No<br />
| style="background: green" | Yes<br />
| nand<br />
| 0x0B95AE00<br />
| 0x41D2D200<br />
| <br />
| <br />
| <br />
| 0x05<br />
| CTR-NAND FAT16 File System. <br />
|}<br />
<br />
3DS TWL NAND FAT partitions has FAT volume name "TWL", for CTR FAT partitions this is "CTR". The offset/size for TWL partitions are stored in the MBR partition table, while the CTR partition table info is stored in the NAND NCSD header. Sector0 in the CTR-NAND partition contains a MBR partition table for the nand FAT16 filesystem, and the MBR signature at +0x1fe.<br />
<br />
NAND sectors which were never written to before only contain plaintext 0x00 or 0xFF bytes.<br />
<br />
None of the NAND partitions are normally accessible from the ARM11, except for twlp. CTR/TWL NAND FS can only be accessed when the exheader access control descriptor for those are enabled. Normally the CTR/TWL NAND descriptors are never enabled for retail ARM11 [[NCCH#CXI|CXI]] processes. The ARM11 can only access "nand:/rw/" mounted as the nandrw [[FS:OpenArchive|archive]], and "nand:/ro/" mounted as the nandro archive below.<br />
<br />
==== 0x4000 ====<br />
On some 3DS systems(such as 3DS XL), there's a plaintext FAT16 boot record located at NAND offset 0x4000. This block does not exist for launch-day 3DS systems. This is the only plaintext block for this "partition".<br />
<br />
==== 0x12C00 ====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x10<br />
| Normal-key for keyslot 0x11, used for generating the rest of the New3DS keyslots' keyX by decrypting various data with AES-ECB. With [[9.6.0-24|9.6.0-X]] this is only used for generating the keyX for keyslots 0x15 and 0x18.<br />
|-<br />
| 0x10<br />
| 0x10<br />
| [[9.6.0-24|9.6.0-X]]: Additional normal-key for keyslot 0x11, used for generating the keyX for keyslots 0x16 and 0x19..0x1F.<br />
|-<br />
| 0x20<br />
| 0x1E0<br />
| Not yet used as of New3DS FIRM [[9.6.0-24|9.6.0-X]].<br />
|}<br />
<br />
This 0x200-byte sector contains New3DS keys, this entire sector is encrypted with a console-unique keyX+keyY. The keyX+keyY for this is generated by the New3DS [[FIRM|arm9bin-loader]]. Once the arm9bin-loader finishes decrypting this data, the keyX+keyY in the keyslot are then cleared, then the memory used for generating the keydata is disabled(after it finishes using it for TWL key init).<br />
<br />
This entire sector is encrypted with AES-ECB, the entire plaintext sector is identical for all retail New3DS systems(unknown for devunits).<br />
<br />
=CTR partition=<br />
The structure of [[nand/title]] appears to be exactly the same as [[SD Filesystem|SD]], except savegames are stored under the [[System SaveData|nand/data/<ID0>/sysdata]] directory instead.<br />
The sub-directory name under [[nand/data]] is the SHA256 hash over the [[nand/private/movable.sed|movable.sed]] keyY. This nand/data/<ID0> directory is the NAND equivalent of the "sdmc/Nintendo 3DS/<ID0>/<ID1>" directory, however the data contained here is stored in cleartext. The movable.sed keyY is only used for AES MACs for nand/data/<ID0>. The nand/data/<ID0>/extdata directory contains the shared [[extdata]], and is structured exactly the same way as SD extdata.<br />
<br />
nand<br />
├── __journal.nn_<br />
├── [[nand/data|data]]<br />
│ └── <ID0><br />
│ ├── [[Extdata|extdata]] <br />
│ └── [[System SaveData|sysdata]]<br />
├── [[Title Database|dbs]]<br />
├── [[nand/fixdata|fixdata]]<br />
│ └── [[nand/fixdata/sysdata|sysdata]]<br />
├── private<br />
│ └── [[nand/private/movable.sed|movable.sed]]<br />
├── [[nand/ro|ro]]<br />
├── [[nand/rw|rw]]<br />
├── [[nand/ticket|ticket]] (This directory is empty since tickets are stored in [[Title Database|ticket.db]])<br />
├── [[Title Data Structure|title]]<br />
└── [[nand/tmp|tmp]] (This is usually empty, even when installation for a system update still needs [[AMNet:FinishInstallToMedia|finalized]])<br />
<br />
The "ro" and "rw" directories are accessible through the "nandrw" and "nandro" [[FS:OpenArchive|archives]], respectively. Their contents are as follows:<br />
<br />
ro<br />
├── [[nandro/private|private]]<br />
├── [[nandro/shared|shared]]<br />
└── [[nandro/sys|sys]]<br />
├── [[nandro/sys/HWCAL0.dat|HWCAL0.dat]]<br />
└── [[nandro/sys/HWCAL1.dat|HWCAL1.dat]]<br />
rw<br />
├── [[nandrw/shared|shared]]<br />
└── [[nandrw/sys|sys]]<br />
├── [[nandrw/sys/lgy.log|lgy.log]] (This is written to by [[FIRM|TWL_FIRM]] when errors occur, this is equivalent to native.log)<br />
├── [[nandrw/sys/LocalFriendCodeSeed_B|LocalFriendCodeSeed_B]]<br />
├── [[nandrw/sys/native.log|native.log]] (This is written to by [[ErrDisp]])<br />
├── [[nandrw/sys/rand_seed|rand_seed]]<br />
├── [[nandrw/sys/SecureInfo_A|SecureInfo_A]]<br />
└── [[nandrw/sys/updater.log|updater.log]]<br />
<br />
=TWL partition=<br />
The structure of these TWL partitions is mostly the same as DSi, except tickets are stored in the CTR FAT FS. The twlp partition is exactly the same as DSi.<br />
The structure of [[twln/title]] is exactly the same as CTR NAND/SD, except the .cmd file is a cleartext file.(This is likely a dummy file) The data directory under system titles' /title directory does not exist, this likely only exists for DSiWare.<br />
The directory names titleID-High used under [[twln/title]] is from DSi.<br />
<br />
twln<br />
├── [[twln/import/|import]]<br />
├── [[twln/shared1/|shared1]]<br />
├── [[twln/shared2/|shared2]]<br />
│ └── [[twln/shared2/0000|0000]]<br />
├── [[twln/sys|sys]]<br />
│ ├── [[twln/sys/TWLFontTable.dat|TWLFontTable.dat]]<br />
│ └── [[twln/sys/log/|log]]<br />
│ ├── [[twln/sys/log/inspect.log|inspect.log]]<br />
│ └── [[twln/sys/log/product.log|product.log]]<br />
├── [[twln/ticket/|ticket]]<br />
├── [[twln/title/|title]]<br />
└── [[twln/tmp/|tmp]]<br />
<br />
twlp<br />
└── [[twlp/photo/|photo]]</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/MapPointerRW&diff=18118Template:IPC/MapPointerRW2016-09-10T12:20:47Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|{{Tooltip|Descriptor|0x0000000e {{!}} (size <nowiki><<</nowiki> 4)}} for mapping a [[IPC#Buffer_Mapping_Translation|read/write buffer]] in the target process}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/MapPointerW&diff=18117Template:IPC/MapPointerW2016-09-10T12:20:16Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|{{Tooltip|Descriptor|0x0000000c {{!}} (size <nowiki><<</nowiki> 4)}} for mapping a [[IPC#Buffer_Mapping_Translation|write-only buffer]] in the target process}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/MapPointerR&diff=18116Template:IPC/MapPointerR2016-09-10T12:19:58Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|{{Tooltip|Descriptor|0x0000000a {{!}} (size <nowiki><<</nowiki> 4)}} for mapping a [[IPC#Buffer_Mapping_Translation|read-only buffer]] in the target process}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/TranslateStaticBuffer&diff=18115Template:IPC/TranslateStaticBuffer2016-09-10T12:17:19Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|{{Tooltip|Descriptor|0x00000002 {{!}} (size <nowiki><<</nowiki> 14) {{!}} (static_buffer_id <nowiki><<</nowiki> 10)}} for [[IPC#Static_Buffer_Translation|static buffer]]| (id {{{2}}})}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/ProcessID&diff=18114Template:IPC/ProcessID2016-09-10T12:15:14Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|{{Tooltip|Descriptor|0x20}} for [[IPC#Handle_Translation|process ID]]}}<br />
{{IPC/RequestEntry|Placeholder for process ID}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/TranslateStaticBuffer&diff=18112Template:IPC/TranslateStaticBuffer2016-09-10T12:10:20Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|{{Tooltip|Descriptor|0x00000002 {{!}} (size <nowiki><<</nowiki> 14) {{!}} (static_buffer_id 10)}} for [[IPC#Static_Buffer_Translation|static buffer]]| (id {{{2}}})}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/TranslateStaticBuffer&diff=18111Template:IPC/TranslateStaticBuffer2016-09-10T12:09:04Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|{{Tooltip|[[IPC#Static_Buffer_Translation|Static buffer descriptor]]|0x00000002 {{!}} (size <nowiki><<</nowiki> 14) {{!}} (static_buffer_id 10)}} (id {{{2}}})}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:Tooltip&diff=18109Template:Tooltip2016-09-10T12:01:57Z<p>Neobrain: Undo revision 18108 by Neobrain (talk)</p>
<hr />
<div><includeonly><span style="cursor:help;<!--<br />
ability to turn off underline dash if required (derivative use), $nodash or $3<br />
--> {{#ifeq:{{{nodash|{{{3}}}}}}|nodash||border-bottom:thin dotted cornflowerblue;}}"<!--<br />
--> title="{{#if:{{{texttip|{{{2|}}}}}}|}}">{{{target|{{{1}}}}}}</span></includeonly><noinclude><br />
{{documentation}}<br />
</noinclude></div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:Tooltip&diff=18108Template:Tooltip2016-09-10T12:00:35Z<p>Neobrain: </p>
<hr />
<div><span style="cursor:help;border-bottom:thin dotted cornflowerblue;" title="{{{texttip|{{{2|}}}}}}">{{{target|{{{1}}}}}}</span></div>Neobrainhttps://www.3dbrew.org/w/index.php?title=IPCCommandExample&diff=18106IPCCommandExample2016-09-10T11:53:15Z<p>Neobrain: Testing stuff</p>
<hr />
<div>=Request=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00040080]}}<br />
{{IPC/RequestEntry|[[GPU]] address based at 0x1EB00000, must be word-aligned}}<br />
{{IPC/RequestEntry|1 = Size, must be <=0x80 and word-aligned}}<br />
{{IPC/RequestEnd}}<br />
<br />
{{IPC/RequestStaticBuffers}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00040080]}}<br />
{{IPC/TranslateStaticBuffer|Output buffer address|0}}<br />
{{IPC/RequestEnd}}<br />
<br />
=Response=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code}}<br />
{{IPC/RequestEntry|Result code}}<br />
{{IPC/TranslateStaticBuffer|{{Tooltip|Output data pointer|bla}}|0}}<br />
{{IPC/RequestEnd}}<br />
<br />
=Description=<br />
The GPU register offset must be <0x420000.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:Tooltip&diff=18105Template:Tooltip2016-09-10T11:49:39Z<p>Neobrain: Created page with "<includeonly><span style="cursor:help;<!-- ability to turn off underline dash if required (derivative use), $nodash or $3 --> {{#ifeq:{{{nodash|{{{3}}}}}}|nodash||border-botto..."</p>
<hr />
<div><includeonly><span style="cursor:help;<!--<br />
ability to turn off underline dash if required (derivative use), $nodash or $3<br />
--> {{#ifeq:{{{nodash|{{{3}}}}}}|nodash||border-bottom:thin dotted cornflowerblue;}}"<!--<br />
--> title="{{#if:{{{texttip|{{{2|}}}}}}|{{#invoke:String|replace|{{{texttip|{{{2}}}}}}|"|&quot;}}}}">{{{target|{{{1}}}}}}</span></includeonly><noinclude><br />
{{documentation}}<br />
</noinclude></div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Memory_layout&diff=18104Memory layout2016-09-10T11:43:05Z<p>Neobrain: /* FCRAM memory-regions layout */</p>
<hr />
<div>= Physical Memory =<br />
<br />
== ARM11 ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Old 3DS<br />
! Address<br />
! Size<br />
! Description<br />
|-<br />
| style="background: green" | Yes<br />
| 0x00000000<br />
| 0x00010000<br />
| Bootrom (super secret code/data @ 0x8000)<br />
|-<br />
| style="background: green" | Yes<br />
| 0x00010000<br />
| 0x00010000<br />
| Bootrom mirror<br />
|-<br />
| style="background: green" | Yes<br />
| 0x10000000<br />
|?<br />
| [[IO]] memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x17E00000<br />
| 0x00002000<br />
| MPCore private memory region<br />
<br />
|-<br />
| style="background: red" | No<br />
| 0x17E10000<br />
| 0x00001000<br />
| L2C-310 Level 2 Cache Controller (2MB)<br />
|-<br />
| style="background: green" | Yes<br />
| 0x18000000<br />
| 0x00600000<br />
| VRAM (divided in two banks, VRAM and VRAMB)<br />
|-<br />
| style="background: red" | No<br />
| 0x1F000000<br />
| 0x00400000<br />
| [[New_3DS]] additional memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x1FF00000<br />
| 0x00080000<br />
| DSP memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x1FF80000<br />
| 0x00080000<br />
| AXI WRAM<br />
|-<br />
| style="background: green" | Yes<br />
| 0x20000000<br />
| 0x08000000<br />
| FCRAM<br />
|-<br />
| style="background: red" | No<br />
| 0x28000000<br />
| 0x08000000<br />
| [[New_3DS]] FCRAM extension<br />
|-<br />
| style="background: green" | Yes<br />
| 0xFFFF0000<br />
| 0x00010000<br />
| Bootrom mirror<br />
|}<br />
<br />
===0x17E10000===<br />
The 32-bit register at <code>0x17E10000</code>+<code>0x100</code> only has bit 0 set when, on New 3DS, [[PTMSYSM:ConfigureNew3DSCPU]] was used with bit 1 set for the input value (the L2 cache flag). All other bits in this register are normally all-zero. Therefore, bit 0 set = new cache hardware enabled, bit 0 clear = new cache hardware disabled. This bit is how the ARM11 kernel checks whether the additional cache hardware is enabled).<br />
<br />
To enable the additional cache hardware, the following is used by the ARM11 kernel:<br />
* Sets bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x100</code>.<br />
<br />
To disable the additional cache hardware, the following is used by the ARM11 kernel:<br />
* Writes value <code>0xFFFF</code> to 32-bit register <code>0x17E10000</code>+<code>0x77C</code>.<br />
* Waits for bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x730</code> to become clear.<br />
* Writes value <code>0x0<code> to 32-bit register <code>0x17E10000</code>+<code>0x0</code>.<br />
* Clears bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x100</code>.<br />
<br />
=== <code>0x1F000000</code> ([[New 3DS]] only) ===<br />
This area is used by [[QTM Services]],starting at offset <code>0x200000</code>, size <code>0x180000</code>. This area is not accessible to the GPU on the old 3DS. The old 3DS and New 3DS GSP module has <code>vaddr-&gt;physaddr</code> conversion code for this entire region. On the New 3DS, only the first <code>0x200000</code> bytes (half of this memory) are accessible to the GPU.<br />
<br />
== ARM9 ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Old 3DS<br />
! Address<br />
! Size<br />
! Description<br />
|-<br />
| style="background: green" | Yes<br />
| 0x00000000<br />
| 0x08000000<br />
| Instruction TCM, repeating each 0x8000 bytes.<br />
|-<br />
| style="background: green" | Yes<br />
| 0x01FF8000<br />
| 0x00008000<br />
| Instruction TCM (Accessed by the kernel and process by this address)<br />
|-<br />
| style="background: green" | Yes<br />
| 0x07FF8000<br />
| 0x00008000<br />
| Instruction TCM (Accessed by bootrom by this address)<br />
|-<br />
| style="background: green" | Yes<br />
| 0x08000000<br />
| 0x00100000<br />
| ARM9-only internal memory (ARM7's internal regions are mapped here as well)<br />
|-<br />
| style="background: red" | No<br />
| 0x08100000<br />
| 0x00080000<br />
| [[New_3DS]] ARM9-only extension, only enabled when a certain [[CONFIG_Registers|CONFIG]] register is set.<br />
|-<br />
| style="background: green" | Yes<br />
| 0x10000000<br />
| 0x08000000<br />
| [[IO]] memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x18000000<br />
| 0x00600000<br />
| VRAM (divided in two banks, VRAM and VRAMB) <br />
|-<br />
| style="background: green" | Yes<br />
| 0x1FF00000<br />
| 0x00080000<br />
| DSP memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x1FF80000<br />
| 0x00080000<br />
| AXI WRAM<br />
|-<br />
| style="background: green" | Yes<br />
| 0x20000000<br />
| 0x08000000<br />
| FCRAM<br />
|-<br />
| style="background: red" | No<br />
| 0x28000000<br />
| 0x08000000<br />
| [[New_3DS]] FCRAM extension<br />
|-<br />
| style="background: green" | Yes<br />
| 0xFFF00000<br />
| 0x00004000<br />
| Data TCM (Mapped during bootrom)<br />
|-<br />
| style="background: green" | Yes<br />
| 0xFFFF0000<br />
| 0x00010000<br />
| Bootrom, the main region is at +0x8000, which is disabled during system boot.<br />
|}<br />
<br />
==ARM9 MPU Regions==<br />
For the below instruction permissions: RO = memory is executable, while None = not-executable.<br />
<br />
===NATIVE_FIRM/SAFE_MODE_FIRM ARM9 kernel===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Region<br />
! Address<br />
! Size<br />
! Privileged-mode data permissions<br />
! User-mode data permissions<br />
! Privileged-mode instruction permissions<br />
! User-mode instruction permissions<br />
|-<br />
| 0<br />
| 0xFFFF0000<br />
| 32KB/0x8000<br />
| RO<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 1<br />
| 0x01FF8000<br />
| 32KB/0x8000<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|-<br />
| 2<br />
| 0x08000000<br />
| 1MB/0x100000. >=[[8.0.0-18|8.0.0-X]]: 2MB/0x200000.<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|-<br />
| 3<br />
| 0x10000000<br />
| 128KB/0x20000<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 4<br />
| 0x10100000<br />
| 512KB/0x80000<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 5<br />
| 0x20000000<br />
| 128MB/0x8000000. >=[[8.0.0-18|8.0.0-X]]: 256MB/0x10000000.<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 6<br />
| 0x08000000<br />
| 128KB/0x20000<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 7<br />
| 0x08020000<br />
| <[[3.0.0-5]]: 64KB/0x10000. >=[[3.0.0-5]]: 32KB/0x8000.<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|}<br />
<br />
The above is the MPU region settings setup by the ARM9-kernel in the crt0.<br />
<br />
The New3DS ARM9-kernel MPU region settings are the same as the Old3DS MPU region settings for >=[[8.0.0-18|8.0.0-X]].<br />
<br />
At the start of the Process9 function executed in kernel-mode via svc7b during firm-launching, it changes some MPU region settings. At the end of that function, before it uses the ARM9/ARM11 entrypoint fields, it disables MPU.<br />
<br />
===New3DS [[FIRM|ARM9-loader]]===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Region<br />
! Address<br />
! Size<br />
! Privileged-mode data permissions<br />
! User-mode data permissions<br />
! Privileged-mode instruction permissions<br />
! User-mode instruction permissions<br />
|-<br />
| 0<br />
| 0xFFFF0000<br />
| 32KB/0x8000<br />
| RO<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 1<br />
| 0x01FF8000<br />
| 32KB/0x8000<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 2<br />
| 0x08000000<br />
| 2MB/0x200000<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 3<br />
| 0x10000000<br />
| 128KB/0x20000<br />
| RW<br />
| None<br />
| None<br />
| None<br />
|}<br />
<br />
MPU regions 4-7 are disabled. Note that the entire ARM9-loader runs in SVC-mode.<br />
<br />
===TWL_FIRM/AGB_FIRM ARM9 kernel===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Region<br />
! Address<br />
! Size<br />
! Privileged-mode data permissions<br />
! User-mode data permissions<br />
! Privileged-mode instruction permissions<br />
! User-mode instruction permissions<br />
|-<br />
| 0<br />
| 0xFFFF0000<br />
| 32KB/0x8000<br />
| RO<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 1<br />
| 0x01FF8000<br />
| 32KB/0x8000<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|-<br />
| 2<br />
| 0x08000000<br />
| 1MB/0x100000. New3DS: 2MB/0x200000.<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|-<br />
| 3<br />
| 0x10000000<br />
| 2MB/0x200000.<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 4<br />
| 0x1FF00000<br />
| 512KB/0x80000<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 5<br />
| 0x20000000<br />
| 128MB/0x8000000. New3DS: 256MB/0x10000000.<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 6<br />
| 0x08000000<br />
| <[[3.0.0-5|3.0.0-X]]: 256KB/0x40000. >=[[3.0.0-5|3.0.0-X]]: 128KB/0x20000<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 7<br />
| 0x08080000<br />
| 128KB/0x20000<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|}<br />
<br />
==ARM9 ITCM==<br />
{| class="wikitable" border="1"<br />
|-<br />
! ITCM mirror address<br />
! ITCM bootrom mirror address<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x01FF8000<br />
| <br />
| 0x0<br />
| 0x3700<br />
| Uninitialized memory.<br />
|-<br />
| 0x01FFB700<br />
| 0x07FFB700<br />
| 0x3700<br />
| 0x100<br />
| The unprotected ARM9-bootrom code copies code from unprotected bootrom to 0x07FFB700(ITCM mirror) size 0x100, then calls the code at 0x07FFB700. The code located here is the code used for disabling access to the bootroms.<br />
|-<br />
| 0x01FFB800<br />
| <br />
| 0x3800<br />
| 0x4<br />
| This is always 0xDEADB00F.<br />
|-<br />
| 0x01FFB804<br />
| <br />
| 0x3804<br />
| 0x4<br />
| This is the u32 DeviceId.<br />
|-<br />
| 0x01FFB808<br />
| <br />
| 0x3808<br />
| 0x10<br />
| This is the fall-back keyY used for movable.sed keyY when movable.sed doesn't exist in NAND(the last two words here are used on retail for generating console-unique TWL keydata/etc). This is also used for "LocalFriendCodeSeed", etc.<br />
|-<br />
| 0x01FFB818<br />
| <br />
| 0x3818<br />
| 0x1<br />
| ?<br />
|-<br />
| 0x01FFB819<br />
| <br />
| 0x3819<br />
| 0x1<br />
| This is the [[CTCert]] issuer type: 0 = retail "Nintendo CA - G3_NintendoCTR2prod", non-zero = dev "Nintendo CA - G3_NintendoCTR2dev".<br />
|-<br />
| 0x01FFB81A<br />
| <br />
| 0x381A<br />
| 0x6<br />
| ?<br />
|-<br />
| 0x01FFB820<br />
| <br />
| 0x3820<br />
| 0x4<br />
| This is the CTCert ECDSA exponent, this is byte-swapped when *((u8*)(0x01FFB800+0x18)) is >=5.<br />
|-<br />
| 0x01FFB824<br />
| <br />
| 0x3824<br />
| 0x2<br />
| ?<br />
|-<br />
| 0x01FFB826<br />
| <br />
| 0x3826<br />
| 0x1E<br />
| This is the CTCert ECDSA privk.<br />
|-<br />
| 0x01FFB844<br />
| <br />
| 0x3844<br />
| 0x3C<br />
| This is the CTCert ECDSA signature.<br />
|-<br />
| 0x01FFB880<br />
| <br />
| 0x3880<br />
| 0x80<br />
| This is all-zero.<br />
|-<br />
| 0x01FFB900<br />
| <br />
| 0x3900<br />
| 0x200<br />
| This is the 0x200-bytes from NAND sector0.<br />
|-<br />
| 0x01FFBB00<br />
| <br />
| 0x3B00<br />
| 0x200<br />
| This is the 0x200-bytes from the plaintext NAND firm partition FIRM header, read by bootrom.<br />
|-<br />
| 0x01FFBD00<br />
| <br />
| 0x3D00<br />
| 0x100<br />
| This is the RSA-2048 modulus for [[RSA_Registers|RSA]]-engine slot0 set by bootrom.<br />
|-<br />
| 0x01FFBE00<br />
| <br />
| 0x3E00<br />
| 0x100<br />
| This is the RSA-2048 modulus for RSA-engine slot1 set by bootrom.<br />
|-<br />
| 0x01FFBF00<br />
| <br />
| 0x3F00<br />
| 0x100<br />
| This is the RSA-2048 modulus for RSA-engine slot2.<br />
|-<br />
| 0x01FFC000<br />
| <br />
| 0x4000<br />
| 0x100<br />
| This is the RSA-2048 modulus for RSA-engine slot3.<br />
|-<br />
| 0x01FFC100<br />
| <br />
| 0x4100<br />
| 0x800<br />
| These are RSA-2048 keys: 4 slots, each slot is 0x200-bytes. Slot+0 is the modulus, slot+0x100 is the private exponent. This can be confirmed by RSA-decrypting a message into a signature, then RSA-encrypting the signature back into a message, and comparing the original message with the output from the last operation.<br />
<br />
[[FIRM]] doesn't seem to ever use these. None of these are related to RSA-keyslot0 used for v6.0/v7.0 key generation. These moduli are separate from all other moduli used elsewhere.<br />
|-<br />
| 0x01FFC900<br />
| 0x07FFC900<br />
| 0x4900<br />
| 0x400<br />
| The unprotected ARM9-bootrom copies data to 0x07FFC900(mirror of 0x01FFC900) size 0x400. This data is copied from AXI WRAM, initialized by ARM11-bootrom(the addr used for the src is determined by [[CONFIG_Registers|REG_UNITINFO]]). These are RSA moduli: retailsrcptr = 0x1FFFD000, devsrvptr = 0x1FFFD400.<br />
* The first 0x100-bytes here is the RSA-2048 modulus for the CFA NCCH header, and for the gamecard NCSD header.<br />
* 0x01FFCA00 is the RSA-2048 modulus for the CXI accessdesc signature, written to rsaengine keyslot1 by NATIVE_FIRM.<br />
* 0x01FFCB00 size 0x200 is unknown, probably RSA related, these aren't used by [[FIRM]](these are not console-unique).<br />
|-<br />
| 0x01FFCD00<br />
| <br />
| 0x4D00<br />
| 0x80<br />
| Unknown, not used by [[FIRM]]. This isn't console-unique.<br />
The first 0x10-bytes are checked by the v6.0/v7.0 NATIVE_FIRM keyinit function, when non-zero it clears this block and continues to do the key generation. Otherwise when this block was already all-zero, it immediately returns. This memclear was probably an attempt at destroying the RSA slot0 modulus, that missed (exactly 0x1000-bytes away). Even though they "failed" here, one would still need to derive the private exponent, which would require obtaining a ciphertext and plaintext.<br />
|-<br />
| 0x01FFCD80<br />
| <br />
| 0x4D80<br />
| 0x64<br />
| 0x01FFCD84 size 0x10-bytes is the NAND CID(the 0x64-byte region at 0x01FFCD80 is initialized by Process9 + ARM9-bootrom). The u32 at 0x01FFCDC4 is the total number of NAND sectors, read from a MMC command.<br />
|-<br />
| 0x01FFCDE4<br />
| <br />
| 0x4DE4<br />
| 0x21C<br />
| Uninitialized memory.<br />
|-<br />
| 0x01FFD000<br />
| 0x07FFD000<br />
| 0x5000<br />
| 0x2470<br />
| The unprotected ARM9-bootrom copies 0x1FFFA000(AXIWRAM mem initialized by ARM11-bootrom) size 0x2470 to 0x07FFD000(mirror of 0x01FFD000). This block contains DSi keys.<br />
* 0x01FFD000 is the RSA-1024 modulus for the retail System Menu<br />
* 0x01FFD080 is the RSA-1024 modulus for DSi Wifi firmware and DSi Sound<br />
* 0x01FFD100 is the RSA-1024 modulus for base DSi apps (Settings, Shop, etc.)<br />
* 0x01FFD180 is the RSA-1024 modulus for DSiWare and RSA-signed cartridge headers<br />
* 0x01FFD210 is the keyY for per-console-encrypted ES blocks<br />
* 0x01FFD220 is the keyY for fixed-keyX ES blocks<br />
* 0x01FFD300 is the DSi common (normal)key<br />
* 0x01FFD350 is a normalkey set on keyslot 0x02, and is likely only used during boot<br />
* 0x01FFD380 is the keyslot 0x00 keyX and the first half of the retail keyX for modcrypt crypto "Nintendo"<br />
* 0x01FFD398 is the keyX used for 'Tad' crypto, usually in keyslot 0x02 "Nintendo DS", ..<br />
* 0x01FFD3A8 is set as the middle two words of keyslot 0x03's keyX, before being overwritten "NINTENDO"<br />
* 0x01FFD3BC is the keyY for keyslot 0x01, see below<br />
* 0x01FFD3C8 is the fixed keyY used for eMMC partition crypto on retail DSi, see below (keyslot 0x03)<br />
* 0x01FFD3E0 is the 0x1048-byte Blowfish data for DSi cart crypto<br />
* 0x01FFE428 is the 0x1048-byte Blowfish data for DS cart crypto<br />
On the 3DS, keyslots 0x01 and 0x03 have the last word set as 0xE1A00005 instead of the next word in ITCM. This is consistent with retail DSis.<br />
|-<br />
| 0x01FFF470<br />
| <br />
| 0x7470<br />
| 0xB90<br />
| Uninitialized memory.<br />
0x01FFFC00 size 0x100-bytes starting with [[9.5.0-22|9.5.0-X]] is the FIRM header used during FIRM-launching.<br />
|}<br />
<br />
=Memory map by firmware=<br />
* [[Virtual address mapping FW0B]]<br />
* [[Virtual address mapping FW1F]]<br />
* [[Virtual address mapping FW25]]<br />
* [[Virtual address mapping FW2E]]<br />
* [[Virtual address mapping FW37]]<br />
* [[Virtual address mapping FW38]]<br />
* [[Virtual address mapping FW3F]]<br />
* FW49([[9.6.0-24|9.6.0-X]]) and [[10.0.0-27|10.0.0-X]] ARM11-kernel vmem mapping is identical to FW40([[9.5.0-22|9.5.0-X]]).<br />
<br />
<br />
* [[Virtual address mapping TWLFIRM04]]<br />
<br />
<br />
* [[Virtual address mapping New3DS v8.1]]<br />
* [[Virtual address mapping New3DS v9.0]]<br />
* [[Virtual address mapping New3DS v9.2]]<br />
<br />
=ARM11 Detailed physical memory map=<br />
18000000 - 18600000: VRAM<br />
<br />
1FF80000 - 1FFAB000: Kernel code<br />
1FFAB000 - 1FFF0000: SlabHeap [temporarily contains boot processes]<br />
1FFF0000 - 1FFF1000: ?<br />
1FFF1000 - 1FFF2000: ?<br />
1FFF2000 - 1FFF3000: ?<br />
1FFF3000 - 1FFF4000: ?<br />
1FFF4000 - 1FFF5000: Exception vectors<br />
1FFF5000 - 1FFF5800: Unused?<br />
1FFF5800 - 1FFF5C00: 256-entry L2 MMU table for VA FF4xx000<br />
1FFF5C00 - 1FFF6000: 256-entry L2 MMU table for VA FF5xx000<br />
1FFF6000 - 1FFF6400: 256-entry L2 MMU table for VA FF6xx000<br />
1FFF6400 - 1FFF6800: 256-entry L2 MMU table for VA FF7xx000<br />
1FFF6800 - 1FFF6C00: 256-entry L2 MMU table for VA FF8xx000<br />
1FFF6C00 - 1FFF7000: 256-entry L2 MMU table for VA FF9xx000<br />
1FFF7000 - 1FFF7400: 256-entry L2 MMU table for VA FFAxx000<br />
1FFF7400 - 1FFF7800: 256-entry L2 MMU table for VA FFBxx000<br />
1FFF7800 - 1FFF7C00: MMU table but unused?<br />
1FFF7C00 - 1FFF8000: 256-entry L2 MMU table for VA FFFxx000 <br />
1FFF8000 - 1FFFC000: 4096-entry L1 MMU table for VA xxx00000 (CPU 0)<br />
1FFFC000 - 20000000: 4096-entry L1 MMU table for VA xxx00000 (CPU 1)<br />
20000000 - 28000000: Main memory<br />
<br />
The entire FCRAM is cleared during NATIVE_FIRM boot. This is done by the ARM11 kernel in order by region as it initializes after loading [[FIRM]] launch parameters from FCRAM.<br />
<br />
== FCRAM memory-regions layout ==<br />
FCRAM is partitioned into three regions of memory (APPLICATION, SYSTEM, and BASE). Most applications can only allocate memory from one of these regions (which is encoded in the [[NCCH/Extended_Header#ARM11_Kernel_Flags|process kernel flags]]). There is a fixed set of possible size of each memory region, determined by the APPMEMTYPE value in [[Configuration_Memory#APPMEMTYPE|configuration memory]] (which in turn is set up according to the [[FIRM#FIRM_Launch_Parameters|firmware launch parameters]]).<br />
<br />
Support for APPMEMTYPEs 6 and 7 was implemented in [[NS]] with [[8.0.0-18]]. These configurations are only supported in the [[New_3DS]] ARM11-kernel, and are in fact the only ones supported there at all. Applications only get access to the larger memory regions when this is specified in their [[NCCH/Extended Header#New3DS System Mode|extended header]].<br />
<br />
{| class="wikitable" border="1"<br />
! APPMEMTYPE<br />
! APPLICATION starting address (relative to FCRAM)<br />
! APPLICATION region size<br />
! SYSTEM starting address (relative to FCRAM)<br />
! SYSTEM region size<br />
! BASE starting address (relative to FCRAM)<br />
! BASE region size<br />
|-<br />
| 0 (default with regular 3DS kernel, used when the type is not 2-5)<br />
| 0x0<br />
| 0x04000000(64MB)<br />
| 0x04000000<br />
| 0x02C00000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 2<br />
| 0x0<br />
| 0x06000000(96MB)<br />
| 0x06000000<br />
| 0x00C00000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 3<br />
| 0x0<br />
| 0x05000000(80MB)<br />
| 0x05000000<br />
| 0x01C00000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 4<br />
| 0x0<br />
| 0x04800000(72MB)<br />
| 0x04800000<br />
| 0x02400000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 5<br />
| 0x0<br />
| 0x02000000(32MB)<br />
| 0x02000000<br />
| 0x04C00000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 6 (This is the default on New3DS. With [[New_3DS]] kernel this is the type used when the value is not 7)<br />
| 0x0<br />
| 0x07C00000(124MB)<br />
| 0x07C00000<br />
| 0x06400000<br />
| 0x0E000000<br />
| 0x02000000<br />
|-<br />
| 7<br />
| 0x0<br />
| 0x0B200000(178MB)<br />
| 0x0B200000<br />
| 0x02E00000<br />
| 0x0E000000<br />
| 0x02000000<br />
|}<br />
<br />
The SYSTEM mem-region size is calculated with: size = FCRAMTOTALSIZE - (APPLICATION_MEMREGIONSIZE + BASE_MEMREGIONSIZE).<br />
<br />
All memory allocated by the kernel itself for kernel use is located under BASE. Most system-modules run under the BASE memregion too.<br />
<br />
Free/used memory on [[4.5.0-10]] with Home Menu / Internet Browser, with the default APPMEMTYPE on retail:<br />
{| class="wikitable" border="1"<br />
! Region<br />
! Base address relative to FCRAM+0<br />
! Region size<br />
! Used memory once [[Home Menu]] finishes loading for system boot, on [[4.5.0-10]]<br />
! Used memory with [[Internet Browser]] running instead of [[Home Menu]], on [[4.5.0-10]]<br />
! Free memory once [[Home Menu]] finishes loading for system boot, on [[4.5.0-10]]<br />
! Free memory with [[Internet Browser]] running instead of [[Home Menu]], on [[4.5.0-10]]<br />
|-<br />
| APPLICATION<br />
| 0x0<br />
| 0x04000000<br />
| 0x0<br />
| <br />
| 0x04000000<br />
| <br />
|-<br />
| SYSTEM<br />
| 0x04000000<br />
| 0x02C00000<br />
| 0x01488000<br />
| 0x02A50000<br />
| 0x01778000<br />
| 0x001B0000<br />
|-<br />
| BASE<br />
| 0x06C00000<br />
| 0x01400000<br />
| 0x01202000<br />
| 0x01236000<br />
| 0x001FE000<br />
| 0x001CA000<br />
|}<br />
<br />
=ARM11 Detailed virtual memory map=<br />
(valid only for FW0B, see [[#Memory map by firmware|Memory map by firmware]] for subsequent versions)<br />
<br />
E8000000 - E8600000: mapped VRAM (18000000 - 18600000)<br />
<br />
EFF00000 - F0000000: mapped Internal memory (1FF00000 - 20000000)<br />
F0000000 - F8000000: mapped Main memory<br />
<br />
FF401000 - FF402000: mapped ? (27FC7000 - 27FC8000)<br />
<br />
FF403000 - FF404000: mapped ? (27FC2000 - 27FC3000)<br />
<br />
FF405000 - FF406000: mapped ? (27FBB000 - 27FBC000)<br />
<br />
FF407000 - FF408000: mapped ? (27FB3000 - 27FB4000)<br />
<br />
FF409000 - FF40A000: mapped ? (27F8E000 - 27F8F000)<br />
<br />
FFF00000 - FFF45000: mapped SlabHeap <br />
<br />
FFF60000 - FFF8B000: mapped Kernel code<br />
<br />
FFFCC000 - FFFCD000: mapped IO [[I2C|I2C]] second bus (10144000 - 10145000)<br />
<br />
FFFCE000 - FFFCF000: mapped IO PDC([[LCD]]) (10400000 - 10401000)<br />
<br />
FFFD0000 - FFFD1000: mapped IO PDN (10141000 - 10142000)<br />
<br />
FFFD2000 - FFFD3000: mapped IO PXI (10163000 - 10164000)<br />
<br />
FFFD4000 - FFFD5000: mapped IO PAD (10146000 - 10147000)<br />
<br />
FFFD6000 - FFFD7000: mapped IO LCD (10202000 - 10203000)<br />
<br />
FFFD8000 - FFFD9000: mapped IO DSP (10140000 - 10141000)<br />
<br />
FFFDA000 - FFFDB000: mapped IO XDMA (10200000 - 10201000)<br />
<br />
FFFDC000 - FFFE0000: mapped ? (1FFF8000 - 1FFFC000)<br />
<br />
FFFE1000 - FFFE2000: mapped ? (1FFF0000 - 1FFF1000)<br />
<br />
FFFE3000 - FFFE4000: mapped ? (1FFF2000 - 1FFF3000)<br />
<br />
FFFE5000 - FFFE9000: mapped L1 MMU table for VA xxx00000<br />
<br />
FFFEA000 - FFFEB000: mapped ? (1FFF1000 - 1FFF2000)<br />
<br />
FFFEC000 - FFFED000: mapped ? (1FFF3000 - 1FFF4000)<br />
<br />
FFFEE000 - FFFF0000: mapped IO IRQ (17E00000 - 17E02000)<br />
<br />
FFFF0000 - FFFF1000: mapped Exception vectors<br />
<br />
FFFF2000 - FFFF6000: mapped L1 MMU table for VA xxx00000<br />
<br />
FFFF7000 - FFFF8000: mapped ? (1FFF1000 - 1FFF2000)<br />
<br />
FFFF9000 - FFFFA000: mapped ? (1FFF3000 - 1FFF4000)<br />
<br />
FFFFB000 - FFFFE000: mapped L2 MMU tables (1FFF5000 - 1FFF8000)<br />
<br />
==0xFF4XX000==<br />
Each [[KThread|thread]] is allocated a 0x1000-byte page in this region for the [[KThreadContext|thread context]]: the first page at 0xFF401000 is for the first created thread, 0xFF403000 for the second thread. This region is used to store the SVC-mode stack for the thread, and thread context data used for context switching. When the IRQ handler, prefetch/data abort handlers, and undefined instruction handler are entered where the SPSR-mode=user, these handlers then store LR+SPSR for the current mode on the SVC-mode stack, then these handlers switch to SVC-mode.<br />
<br />
This page does not contain a dedicated block for storing R0-PC(etc). For user-mode, the user-mode regs are instead saved on the SVC-mode stack when IRQs such as timers for context switching are triggered.<br />
<br />
<br />
For NATIVE_FIRM the memory pages for this region are located in FCRAM, however for TWL_FIRM these are located in AXI WRAM. For TWL_FIRM v6704 the first thread's page for this region is located at physical address 0x1FF93000, the next one at 0x1FF92000, etc.<br />
<br />
== IO Process virtual addressing equivalence ==<br />
It seems an IO register's process virtual address can be calculated by adding 0xEB00000 to its physical address. However for kernel mappings there is no fixed address equivalence.<br />
<br />
=ARM11 User-land memory regions=<br />
==NATIVE_FIRM/SAFE_MODE_FIRM Userland Memory==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Virtual Address Base<br />
! Physical Address Base<br />
! Region Max Size<br />
! Address-range available for svcMapMemoryBlock<br />
! Description<br />
|-<br />
| 0x00100000 / 0x14000000<br />
| <br />
| 0x03F00000<br />
| No<br />
| The [[ExeFS]]:/.code is loaded here, executables must be loaded to the 0x00100000 region when the exheader "special memory" flag is clear. The 0x03F00000-byte size restriction only applies when this flag is clear. Executables are usually loaded to 0x14000000 when the exheader "special memory" flag is set, however this address can be arbitrary.<br />
|-<br />
| 0x04000000<br />
| ?<br />
| ?<br />
| No<br />
| Used for mapping buffers during IPC, see [[IPC Command Structure]].<br />
|-<br />
| 0x08000000<br />
| Main stack physaddr - <heap size for the allocated vaddr 0x08000000 memory><br />
| 0x08000000<br />
| Yes<br />
| Heap mapped by [[SVC|ControlMemory]]<br />
|-<br />
| 0x10000000-StackSize<br />
| .bss physical address - total stack pages<br />
| StackSize from process exheader<br />
| <br />
| Stack for the main-thread, initialized by the ARM11 kernel. The StackSize from the exheader is usually 0x4000, therefore the stack-bottom is usually 0x0FFFC000. The stack for the other threads is normally located in the process .data section however this can be arbitrary.<br />
|-<br />
| 0x10000000<br />
| <br />
| 0x04000000<br />
| Yes<br />
| [[SVC|Shared]] memory<br />
|-<br />
| 0x14000000<br />
| FCRAM+0<br />
| 0x08000000<br />
| No<br />
| Can be mapped by [[SVC|ControlMemory]], this is used for processes' [[SVC|LINEAR]]/GSP heap.<br />
|-<br />
| 0x1E800000<br />
| 0x1F000000<br />
| 0x00400000<br />
| No<br />
| [[New_3DS]] additional memory, access to this is specified by the exheader. Added with [[8.0.0-18]], see above section regarding this memory.<br />
|-<br />
| 0x1EC00000<br />
| 0x10100000<br />
| 0x00400000<br />
| No<br />
| [[IO]] registers, the mapped IO pages which each process can access is specified in the [[NCCH/Extended_Header|exheader]]. (Applications normally don't have access to registers in this range)<br />
|-<br />
| 0x1F000000<br />
| 0x18000000<br />
| 0x00600000<br />
| No<br />
| VRAM, access to this is specified by the exheader.<br />
|-<br />
| 0x1FF00000<br />
| 0x1FF00000<br />
| 0x00080000<br />
| No<br />
| DSP memory, access to this is specified by the exheader.<br />
|-<br />
| 0x1FF80000<br />
| FCRAM memory page allocated by the ARM11 kernel.<br />
| 0x1000<br />
| No<br />
| [[Configuration Memory]], all processes have read-only access to this.<br />
|-<br />
| 0x1FF81000<br />
| FCRAM memory page allocated by the ARM11 kernel.<br />
| 0x1000<br />
| No<br />
| [[Configuration Memory|Shared]] page, all processes have read-access to this. Write access to this is specified by the exheader "Shared page writing" kernel flag.<br />
|-<br />
| 0x1FF82000<br />
| Dynamically taken from the BASE region of FCRAM<br />
| Number of threads * 0x1000 / 8<br />
| No<br />
| [[Thread Local Storage]]<br />
|-<br />
| 0x30000000<br />
| FCRAM+0<br />
| 0x08000000(Old3DS) / 0x10000000([[New_3DS]])<br />
| No<br />
| This LINEAR memory mapping was added with [[8.0.0-18]], see [[SVC#enum_MemoryOperation|here]]. This replaces the original 0x14000000 mapping, for system(memory-region=BASE)/newer titles. The Old3DS kernel uses size 0x08000000 for LINEAR-memory address range checks, while the New3DS kernel uses size 0x10000000 for those range checks. Old3DS/New3DS system-module code doing vaddr->phys-addr conversion uses size 0x10000000.<br />
|-<br />
| 0x20000000 / 0x40000000<br />
| <br />
| <br />
| <br />
| This is the end-address of userland memory, memory under this address is process-unique. Memory starting at this address is only accessible in privileged-mode. This address was changed from 0x20000000 to 0x40000000 with [[8.0.0-18]].<br />
|}<br />
<br />
All executable pages are read-only, and data pages have the execute-never permission set. Normally .text from the loaded ExeFS:/.code is the only mapped executable memory. Executable [[RO Services|CROs]] can be loaded into memory, once loaded the CRO .text section memory page permissions are changed via [[SVC|ControlProcessMemory]] from RW- to R-X. The address and size of each ExeFS:/.code section is stored in the exheader, the permissions for each section is: .text R-X, .rodata R--, .data RW-, and .bss RW-. The loaded .code is mapped to the addresses specified in the exheader by the ARM11 kernel. The stack permissions is initialized by the ARM11 kernel: RW-. The heap permissions is normally RW-.<br />
<br />
All userland memory is mapped with RW permissions for privileged-mode. However, normally the ARM11 kernel only uses userland read/write instructions(or checks that the memory can be written from userland first) for accessing memory specified by [[SVC|SVCs]].<br />
<br />
Processes can't directly access memory for other processes. When service [[Services API|commands]] are used, the kernel maps memory in the destination process for input/output buffers, where the addresses in the command received by the process is replaced by this mapped memory. When this is an input buffer, the buffer data is copied to the mapped memory. When this is an output buffer, the data stored in the mapped memory is copied to the destination buffer specified in the command.<br />
<br />
The physical address which memory for the application memory-type is mapped to begins at FCRAM+0, the total memory allocated for this memory-type is stored in [[Configuration_Memory]]. Applications' .text + .rodata + .data under the application memory-type is mapped at FCRAM + APPMEMALLOC - (aligned page-size for .text + .rodata + .data). The application .bss is mapped at CODEADDR - .bss size aligned down to the page size.<br />
<br />
==TWL_FIRM Userland Memory==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Virtual Address Base<br />
! Physical Address Base<br />
! Size<br />
! Description<br />
|-<br />
| 0x00100000<br />
| 0x1FFAB000 (with newer TWL_FIRM such as v6704 this is located at 0x1FFAC000)<br />
| 0x00055000<br />
| Code + .(ro)data copied from the process 0x00300000 region is located here(.bss is located here as well).<br />
|-<br />
| 0x00155000<br />
| 0x18555000<br />
| 0x000AB000<br />
| <br />
|-<br />
| 0x00200000<br />
| 0x18500000<br />
| 0x00100000<br />
| <br />
|-<br />
| 0x00300000<br />
| 0x24000000<br />
| 0x04000000<br />
| The beginning of the ARM11 process .text is located here.<br />
|-<br />
| 0x08000000<br />
| 0x20000000<br />
| 0x07E00000<br />
| <br />
|-<br />
| 0x1EC00000<br />
| 0x10100000<br />
| 0x00400000<br />
| [[IO]]<br />
|-<br />
| 0x1F000000<br />
| 0x18000000<br />
| 0x00600000<br />
| VRAM<br />
|-<br />
| 0x1FF00000<br />
| 0x1FF00000<br />
| 0x00080000<br />
| This is mapped to the DSP memory.<br />
|}<br />
<br />
The above regions are mapped by the ARM11 kernel. Later when the ARM11 process uses [[SVC|svcKernelSetState]] with type4, the kernel unmaps(?) the following regions: 0x00300000..0x04300000, 0x08000000..0x0FE00000, and 0x10000000..0xF8000000.<br />
<br />
=== Detailed TWL_FIRM ARM11 Memory ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Process Virtual Address<br />
! Physical Address<br />
! Size<br />
! Description<br />
|-<br />
| 0x08000000<br />
| 0x20000000<br />
| 0x01000000*4<br />
| DS(i) 0x02000000 RAM. Vaddr = (DSRAMOffset*4) + 0x08000000, where DSRAMOffset is DSRAMAddr-0x02000000.<br />
|-<br />
| 0x0FC00000<br />
| 0x27C00000<br />
| <br />
| Loaded SRL binary, initially the dev DSi launcher SRL is located here(copied here by the ARM11 process).<br />
|-<br />
| 0x0FD00000<br />
| 0x27D00000<br />
| <br />
| The data located here is copied to here by the ARM11 process. The data located here is a TWL NAND [http://dsibrew.org/wiki/Bootloader bootloader] image, using the same format+encryption/verification methods as the DSi NAND bootloader(stage2). The keyX for this bootloader keyslot is initially set to the retail DSi key-data, however when TWL_FIRM is launched this keyX key-data is replaced with a separate keyX. TWL_FIRM can use either the retail DSi bootloader RSA-1024 modulus, or a seperate modulus: normally only the latter is used(the former is only used when loading the image from FS instead of FCRAM). When using the image from FCRAM(default code-path), TWL_FIRM will not calculate+check the hashes for the bootloader code binaries(this is done when loading from FS however).<br />
|-<br />
| 0x0FDF7000<br />
| 0x27DF7000<br />
| 0x1000<br />
| SRL header<br />
|}<br />
<br />
= System memory details =<br />
0xFFFF9000 Pointer to the current KThread instance<br />
0xFFFF9004 Pointer to the current KProcess instance<br />
0xFFFF9008 Pointer to the current KScheduler instance<br />
0xFFFF9010 Pointer to the last KThread to encounter an exception<br />
<br />
0x8000040 Pointer to the current KThread instance on the ARM9<br />
0x8000044 Pointer to the current KProcess instance on the ARM9<br />
0x8000048 Pointer to the current KScheduler instance on the ARM9<br />
<br />
= VRAM Map While Running System Applets =<br />
*0x1E6000-0x22C500 -- top screen 3D left framebuffer 0(240x400x3) (The "3D right first-framebuf" addr stored in the LCD register is set to this, when the 3D is set to "off")<br />
*0x22C800-0x272D00 -- top screen 3D right framebuffer 0(240x400x3)<br />
*0x273000-0x2B9500 -- top screen 3D left framebuffer 1(240x400x3)<br />
*0x2B9800-0x2FFD00 -- top screen 3D right framebuffer 1(240x400x3)<br />
*0x48F000-0x4C7400 -- bottom screen framebuffer 0(240x320x3)<br />
*0x4C7800-0x4FF800 -- bottom screen framebuffer 1(240x320x3)<br />
<br />
These LCD framebuffer addresses are not changed by the system when launching regular applications, the application itself handles that if needed. These VRAM framebuffers are cleared when launching regular applications.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Memory_layout&diff=18103Memory layout2016-09-10T11:41:18Z<p>Neobrain: /* FCRAM memory-regions layout */</p>
<hr />
<div>= Physical Memory =<br />
<br />
== ARM11 ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Old 3DS<br />
! Address<br />
! Size<br />
! Description<br />
|-<br />
| style="background: green" | Yes<br />
| 0x00000000<br />
| 0x00010000<br />
| Bootrom (super secret code/data @ 0x8000)<br />
|-<br />
| style="background: green" | Yes<br />
| 0x00010000<br />
| 0x00010000<br />
| Bootrom mirror<br />
|-<br />
| style="background: green" | Yes<br />
| 0x10000000<br />
|?<br />
| [[IO]] memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x17E00000<br />
| 0x00002000<br />
| MPCore private memory region<br />
<br />
|-<br />
| style="background: red" | No<br />
| 0x17E10000<br />
| 0x00001000<br />
| L2C-310 Level 2 Cache Controller (2MB)<br />
|-<br />
| style="background: green" | Yes<br />
| 0x18000000<br />
| 0x00600000<br />
| VRAM (divided in two banks, VRAM and VRAMB)<br />
|-<br />
| style="background: red" | No<br />
| 0x1F000000<br />
| 0x00400000<br />
| [[New_3DS]] additional memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x1FF00000<br />
| 0x00080000<br />
| DSP memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x1FF80000<br />
| 0x00080000<br />
| AXI WRAM<br />
|-<br />
| style="background: green" | Yes<br />
| 0x20000000<br />
| 0x08000000<br />
| FCRAM<br />
|-<br />
| style="background: red" | No<br />
| 0x28000000<br />
| 0x08000000<br />
| [[New_3DS]] FCRAM extension<br />
|-<br />
| style="background: green" | Yes<br />
| 0xFFFF0000<br />
| 0x00010000<br />
| Bootrom mirror<br />
|}<br />
<br />
===0x17E10000===<br />
The 32-bit register at <code>0x17E10000</code>+<code>0x100</code> only has bit 0 set when, on New 3DS, [[PTMSYSM:ConfigureNew3DSCPU]] was used with bit 1 set for the input value (the L2 cache flag). All other bits in this register are normally all-zero. Therefore, bit 0 set = new cache hardware enabled, bit 0 clear = new cache hardware disabled. This bit is how the ARM11 kernel checks whether the additional cache hardware is enabled).<br />
<br />
To enable the additional cache hardware, the following is used by the ARM11 kernel:<br />
* Sets bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x100</code>.<br />
<br />
To disable the additional cache hardware, the following is used by the ARM11 kernel:<br />
* Writes value <code>0xFFFF</code> to 32-bit register <code>0x17E10000</code>+<code>0x77C</code>.<br />
* Waits for bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x730</code> to become clear.<br />
* Writes value <code>0x0<code> to 32-bit register <code>0x17E10000</code>+<code>0x0</code>.<br />
* Clears bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x100</code>.<br />
<br />
=== <code>0x1F000000</code> ([[New 3DS]] only) ===<br />
This area is used by [[QTM Services]],starting at offset <code>0x200000</code>, size <code>0x180000</code>. This area is not accessible to the GPU on the old 3DS. The old 3DS and New 3DS GSP module has <code>vaddr-&gt;physaddr</code> conversion code for this entire region. On the New 3DS, only the first <code>0x200000</code> bytes (half of this memory) are accessible to the GPU.<br />
<br />
== ARM9 ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Old 3DS<br />
! Address<br />
! Size<br />
! Description<br />
|-<br />
| style="background: green" | Yes<br />
| 0x00000000<br />
| 0x08000000<br />
| Instruction TCM, repeating each 0x8000 bytes.<br />
|-<br />
| style="background: green" | Yes<br />
| 0x01FF8000<br />
| 0x00008000<br />
| Instruction TCM (Accessed by the kernel and process by this address)<br />
|-<br />
| style="background: green" | Yes<br />
| 0x07FF8000<br />
| 0x00008000<br />
| Instruction TCM (Accessed by bootrom by this address)<br />
|-<br />
| style="background: green" | Yes<br />
| 0x08000000<br />
| 0x00100000<br />
| ARM9-only internal memory (ARM7's internal regions are mapped here as well)<br />
|-<br />
| style="background: red" | No<br />
| 0x08100000<br />
| 0x00080000<br />
| [[New_3DS]] ARM9-only extension, only enabled when a certain [[CONFIG_Registers|CONFIG]] register is set.<br />
|-<br />
| style="background: green" | Yes<br />
| 0x10000000<br />
| 0x08000000<br />
| [[IO]] memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x18000000<br />
| 0x00600000<br />
| VRAM (divided in two banks, VRAM and VRAMB) <br />
|-<br />
| style="background: green" | Yes<br />
| 0x1FF00000<br />
| 0x00080000<br />
| DSP memory<br />
|-<br />
| style="background: green" | Yes<br />
| 0x1FF80000<br />
| 0x00080000<br />
| AXI WRAM<br />
|-<br />
| style="background: green" | Yes<br />
| 0x20000000<br />
| 0x08000000<br />
| FCRAM<br />
|-<br />
| style="background: red" | No<br />
| 0x28000000<br />
| 0x08000000<br />
| [[New_3DS]] FCRAM extension<br />
|-<br />
| style="background: green" | Yes<br />
| 0xFFF00000<br />
| 0x00004000<br />
| Data TCM (Mapped during bootrom)<br />
|-<br />
| style="background: green" | Yes<br />
| 0xFFFF0000<br />
| 0x00010000<br />
| Bootrom, the main region is at +0x8000, which is disabled during system boot.<br />
|}<br />
<br />
==ARM9 MPU Regions==<br />
For the below instruction permissions: RO = memory is executable, while None = not-executable.<br />
<br />
===NATIVE_FIRM/SAFE_MODE_FIRM ARM9 kernel===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Region<br />
! Address<br />
! Size<br />
! Privileged-mode data permissions<br />
! User-mode data permissions<br />
! Privileged-mode instruction permissions<br />
! User-mode instruction permissions<br />
|-<br />
| 0<br />
| 0xFFFF0000<br />
| 32KB/0x8000<br />
| RO<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 1<br />
| 0x01FF8000<br />
| 32KB/0x8000<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|-<br />
| 2<br />
| 0x08000000<br />
| 1MB/0x100000. >=[[8.0.0-18|8.0.0-X]]: 2MB/0x200000.<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|-<br />
| 3<br />
| 0x10000000<br />
| 128KB/0x20000<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 4<br />
| 0x10100000<br />
| 512KB/0x80000<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 5<br />
| 0x20000000<br />
| 128MB/0x8000000. >=[[8.0.0-18|8.0.0-X]]: 256MB/0x10000000.<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 6<br />
| 0x08000000<br />
| 128KB/0x20000<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 7<br />
| 0x08020000<br />
| <[[3.0.0-5]]: 64KB/0x10000. >=[[3.0.0-5]]: 32KB/0x8000.<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|}<br />
<br />
The above is the MPU region settings setup by the ARM9-kernel in the crt0.<br />
<br />
The New3DS ARM9-kernel MPU region settings are the same as the Old3DS MPU region settings for >=[[8.0.0-18|8.0.0-X]].<br />
<br />
At the start of the Process9 function executed in kernel-mode via svc7b during firm-launching, it changes some MPU region settings. At the end of that function, before it uses the ARM9/ARM11 entrypoint fields, it disables MPU.<br />
<br />
===New3DS [[FIRM|ARM9-loader]]===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Region<br />
! Address<br />
! Size<br />
! Privileged-mode data permissions<br />
! User-mode data permissions<br />
! Privileged-mode instruction permissions<br />
! User-mode instruction permissions<br />
|-<br />
| 0<br />
| 0xFFFF0000<br />
| 32KB/0x8000<br />
| RO<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 1<br />
| 0x01FF8000<br />
| 32KB/0x8000<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 2<br />
| 0x08000000<br />
| 2MB/0x200000<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 3<br />
| 0x10000000<br />
| 128KB/0x20000<br />
| RW<br />
| None<br />
| None<br />
| None<br />
|}<br />
<br />
MPU regions 4-7 are disabled. Note that the entire ARM9-loader runs in SVC-mode.<br />
<br />
===TWL_FIRM/AGB_FIRM ARM9 kernel===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Region<br />
! Address<br />
! Size<br />
! Privileged-mode data permissions<br />
! User-mode data permissions<br />
! Privileged-mode instruction permissions<br />
! User-mode instruction permissions<br />
|-<br />
| 0<br />
| 0xFFFF0000<br />
| 32KB/0x8000<br />
| RO<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 1<br />
| 0x01FF8000<br />
| 32KB/0x8000<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|-<br />
| 2<br />
| 0x08000000<br />
| 1MB/0x100000. New3DS: 2MB/0x200000.<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|-<br />
| 3<br />
| 0x10000000<br />
| 2MB/0x200000.<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 4<br />
| 0x1FF00000<br />
| 512KB/0x80000<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 5<br />
| 0x20000000<br />
| 128MB/0x8000000. New3DS: 256MB/0x10000000.<br />
| RW<br />
| RW<br />
| None<br />
| None<br />
|-<br />
| 6<br />
| 0x08000000<br />
| <[[3.0.0-5|3.0.0-X]]: 256KB/0x40000. >=[[3.0.0-5|3.0.0-X]]: 128KB/0x20000<br />
| RW<br />
| None<br />
| RO<br />
| None<br />
|-<br />
| 7<br />
| 0x08080000<br />
| 128KB/0x20000<br />
| RW<br />
| RW<br />
| RO<br />
| RO<br />
|}<br />
<br />
==ARM9 ITCM==<br />
{| class="wikitable" border="1"<br />
|-<br />
! ITCM mirror address<br />
! ITCM bootrom mirror address<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x01FF8000<br />
| <br />
| 0x0<br />
| 0x3700<br />
| Uninitialized memory.<br />
|-<br />
| 0x01FFB700<br />
| 0x07FFB700<br />
| 0x3700<br />
| 0x100<br />
| The unprotected ARM9-bootrom code copies code from unprotected bootrom to 0x07FFB700(ITCM mirror) size 0x100, then calls the code at 0x07FFB700. The code located here is the code used for disabling access to the bootroms.<br />
|-<br />
| 0x01FFB800<br />
| <br />
| 0x3800<br />
| 0x4<br />
| This is always 0xDEADB00F.<br />
|-<br />
| 0x01FFB804<br />
| <br />
| 0x3804<br />
| 0x4<br />
| This is the u32 DeviceId.<br />
|-<br />
| 0x01FFB808<br />
| <br />
| 0x3808<br />
| 0x10<br />
| This is the fall-back keyY used for movable.sed keyY when movable.sed doesn't exist in NAND(the last two words here are used on retail for generating console-unique TWL keydata/etc). This is also used for "LocalFriendCodeSeed", etc.<br />
|-<br />
| 0x01FFB818<br />
| <br />
| 0x3818<br />
| 0x1<br />
| ?<br />
|-<br />
| 0x01FFB819<br />
| <br />
| 0x3819<br />
| 0x1<br />
| This is the [[CTCert]] issuer type: 0 = retail "Nintendo CA - G3_NintendoCTR2prod", non-zero = dev "Nintendo CA - G3_NintendoCTR2dev".<br />
|-<br />
| 0x01FFB81A<br />
| <br />
| 0x381A<br />
| 0x6<br />
| ?<br />
|-<br />
| 0x01FFB820<br />
| <br />
| 0x3820<br />
| 0x4<br />
| This is the CTCert ECDSA exponent, this is byte-swapped when *((u8*)(0x01FFB800+0x18)) is >=5.<br />
|-<br />
| 0x01FFB824<br />
| <br />
| 0x3824<br />
| 0x2<br />
| ?<br />
|-<br />
| 0x01FFB826<br />
| <br />
| 0x3826<br />
| 0x1E<br />
| This is the CTCert ECDSA privk.<br />
|-<br />
| 0x01FFB844<br />
| <br />
| 0x3844<br />
| 0x3C<br />
| This is the CTCert ECDSA signature.<br />
|-<br />
| 0x01FFB880<br />
| <br />
| 0x3880<br />
| 0x80<br />
| This is all-zero.<br />
|-<br />
| 0x01FFB900<br />
| <br />
| 0x3900<br />
| 0x200<br />
| This is the 0x200-bytes from NAND sector0.<br />
|-<br />
| 0x01FFBB00<br />
| <br />
| 0x3B00<br />
| 0x200<br />
| This is the 0x200-bytes from the plaintext NAND firm partition FIRM header, read by bootrom.<br />
|-<br />
| 0x01FFBD00<br />
| <br />
| 0x3D00<br />
| 0x100<br />
| This is the RSA-2048 modulus for [[RSA_Registers|RSA]]-engine slot0 set by bootrom.<br />
|-<br />
| 0x01FFBE00<br />
| <br />
| 0x3E00<br />
| 0x100<br />
| This is the RSA-2048 modulus for RSA-engine slot1 set by bootrom.<br />
|-<br />
| 0x01FFBF00<br />
| <br />
| 0x3F00<br />
| 0x100<br />
| This is the RSA-2048 modulus for RSA-engine slot2.<br />
|-<br />
| 0x01FFC000<br />
| <br />
| 0x4000<br />
| 0x100<br />
| This is the RSA-2048 modulus for RSA-engine slot3.<br />
|-<br />
| 0x01FFC100<br />
| <br />
| 0x4100<br />
| 0x800<br />
| These are RSA-2048 keys: 4 slots, each slot is 0x200-bytes. Slot+0 is the modulus, slot+0x100 is the private exponent. This can be confirmed by RSA-decrypting a message into a signature, then RSA-encrypting the signature back into a message, and comparing the original message with the output from the last operation.<br />
<br />
[[FIRM]] doesn't seem to ever use these. None of these are related to RSA-keyslot0 used for v6.0/v7.0 key generation. These moduli are separate from all other moduli used elsewhere.<br />
|-<br />
| 0x01FFC900<br />
| 0x07FFC900<br />
| 0x4900<br />
| 0x400<br />
| The unprotected ARM9-bootrom copies data to 0x07FFC900(mirror of 0x01FFC900) size 0x400. This data is copied from AXI WRAM, initialized by ARM11-bootrom(the addr used for the src is determined by [[CONFIG_Registers|REG_UNITINFO]]). These are RSA moduli: retailsrcptr = 0x1FFFD000, devsrvptr = 0x1FFFD400.<br />
* The first 0x100-bytes here is the RSA-2048 modulus for the CFA NCCH header, and for the gamecard NCSD header.<br />
* 0x01FFCA00 is the RSA-2048 modulus for the CXI accessdesc signature, written to rsaengine keyslot1 by NATIVE_FIRM.<br />
* 0x01FFCB00 size 0x200 is unknown, probably RSA related, these aren't used by [[FIRM]](these are not console-unique).<br />
|-<br />
| 0x01FFCD00<br />
| <br />
| 0x4D00<br />
| 0x80<br />
| Unknown, not used by [[FIRM]]. This isn't console-unique.<br />
The first 0x10-bytes are checked by the v6.0/v7.0 NATIVE_FIRM keyinit function, when non-zero it clears this block and continues to do the key generation. Otherwise when this block was already all-zero, it immediately returns. This memclear was probably an attempt at destroying the RSA slot0 modulus, that missed (exactly 0x1000-bytes away). Even though they "failed" here, one would still need to derive the private exponent, which would require obtaining a ciphertext and plaintext.<br />
|-<br />
| 0x01FFCD80<br />
| <br />
| 0x4D80<br />
| 0x64<br />
| 0x01FFCD84 size 0x10-bytes is the NAND CID(the 0x64-byte region at 0x01FFCD80 is initialized by Process9 + ARM9-bootrom). The u32 at 0x01FFCDC4 is the total number of NAND sectors, read from a MMC command.<br />
|-<br />
| 0x01FFCDE4<br />
| <br />
| 0x4DE4<br />
| 0x21C<br />
| Uninitialized memory.<br />
|-<br />
| 0x01FFD000<br />
| 0x07FFD000<br />
| 0x5000<br />
| 0x2470<br />
| The unprotected ARM9-bootrom copies 0x1FFFA000(AXIWRAM mem initialized by ARM11-bootrom) size 0x2470 to 0x07FFD000(mirror of 0x01FFD000). This block contains DSi keys.<br />
* 0x01FFD000 is the RSA-1024 modulus for the retail System Menu<br />
* 0x01FFD080 is the RSA-1024 modulus for DSi Wifi firmware and DSi Sound<br />
* 0x01FFD100 is the RSA-1024 modulus for base DSi apps (Settings, Shop, etc.)<br />
* 0x01FFD180 is the RSA-1024 modulus for DSiWare and RSA-signed cartridge headers<br />
* 0x01FFD210 is the keyY for per-console-encrypted ES blocks<br />
* 0x01FFD220 is the keyY for fixed-keyX ES blocks<br />
* 0x01FFD300 is the DSi common (normal)key<br />
* 0x01FFD350 is a normalkey set on keyslot 0x02, and is likely only used during boot<br />
* 0x01FFD380 is the keyslot 0x00 keyX and the first half of the retail keyX for modcrypt crypto "Nintendo"<br />
* 0x01FFD398 is the keyX used for 'Tad' crypto, usually in keyslot 0x02 "Nintendo DS", ..<br />
* 0x01FFD3A8 is set as the middle two words of keyslot 0x03's keyX, before being overwritten "NINTENDO"<br />
* 0x01FFD3BC is the keyY for keyslot 0x01, see below<br />
* 0x01FFD3C8 is the fixed keyY used for eMMC partition crypto on retail DSi, see below (keyslot 0x03)<br />
* 0x01FFD3E0 is the 0x1048-byte Blowfish data for DSi cart crypto<br />
* 0x01FFE428 is the 0x1048-byte Blowfish data for DS cart crypto<br />
On the 3DS, keyslots 0x01 and 0x03 have the last word set as 0xE1A00005 instead of the next word in ITCM. This is consistent with retail DSis.<br />
|-<br />
| 0x01FFF470<br />
| <br />
| 0x7470<br />
| 0xB90<br />
| Uninitialized memory.<br />
0x01FFFC00 size 0x100-bytes starting with [[9.5.0-22|9.5.0-X]] is the FIRM header used during FIRM-launching.<br />
|}<br />
<br />
=Memory map by firmware=<br />
* [[Virtual address mapping FW0B]]<br />
* [[Virtual address mapping FW1F]]<br />
* [[Virtual address mapping FW25]]<br />
* [[Virtual address mapping FW2E]]<br />
* [[Virtual address mapping FW37]]<br />
* [[Virtual address mapping FW38]]<br />
* [[Virtual address mapping FW3F]]<br />
* FW49([[9.6.0-24|9.6.0-X]]) and [[10.0.0-27|10.0.0-X]] ARM11-kernel vmem mapping is identical to FW40([[9.5.0-22|9.5.0-X]]).<br />
<br />
<br />
* [[Virtual address mapping TWLFIRM04]]<br />
<br />
<br />
* [[Virtual address mapping New3DS v8.1]]<br />
* [[Virtual address mapping New3DS v9.0]]<br />
* [[Virtual address mapping New3DS v9.2]]<br />
<br />
=ARM11 Detailed physical memory map=<br />
18000000 - 18600000: VRAM<br />
<br />
1FF80000 - 1FFAB000: Kernel code<br />
1FFAB000 - 1FFF0000: SlabHeap [temporarily contains boot processes]<br />
1FFF0000 - 1FFF1000: ?<br />
1FFF1000 - 1FFF2000: ?<br />
1FFF2000 - 1FFF3000: ?<br />
1FFF3000 - 1FFF4000: ?<br />
1FFF4000 - 1FFF5000: Exception vectors<br />
1FFF5000 - 1FFF5800: Unused?<br />
1FFF5800 - 1FFF5C00: 256-entry L2 MMU table for VA FF4xx000<br />
1FFF5C00 - 1FFF6000: 256-entry L2 MMU table for VA FF5xx000<br />
1FFF6000 - 1FFF6400: 256-entry L2 MMU table for VA FF6xx000<br />
1FFF6400 - 1FFF6800: 256-entry L2 MMU table for VA FF7xx000<br />
1FFF6800 - 1FFF6C00: 256-entry L2 MMU table for VA FF8xx000<br />
1FFF6C00 - 1FFF7000: 256-entry L2 MMU table for VA FF9xx000<br />
1FFF7000 - 1FFF7400: 256-entry L2 MMU table for VA FFAxx000<br />
1FFF7400 - 1FFF7800: 256-entry L2 MMU table for VA FFBxx000<br />
1FFF7800 - 1FFF7C00: MMU table but unused?<br />
1FFF7C00 - 1FFF8000: 256-entry L2 MMU table for VA FFFxx000 <br />
1FFF8000 - 1FFFC000: 4096-entry L1 MMU table for VA xxx00000 (CPU 0)<br />
1FFFC000 - 20000000: 4096-entry L1 MMU table for VA xxx00000 (CPU 1)<br />
20000000 - 28000000: Main memory<br />
<br />
The entire FCRAM is cleared during NATIVE_FIRM boot. This is done by the ARM11 kernel in order by region as it initializes after loading [[FIRM]] launch parameters from FCRAM.<br />
<br />
== FCRAM memory-regions layout ==<br />
FCRAM is partitioned into three regions of memory (APPLICATION, SYSTEM, and BASE). Most applications can only allocate memory from one of these regions (which is encoded in the [[NCCH/Extended_Header#ARM11_Kernel_Flags|process kernel flags]]). There is a fixed set of possible size of each memory region, determined by the APPMEMTYPE value in [[Configuration_Memory#APPMEMTYPE|configuration memory]] (which in turn is set up according to the [[FIRM#FIRM_Launch_Parameters|firmware launch parameters]]).<br />
<br />
Support for APPMEMTYPEs 6 and 7 was implemented in [[NS]] with [[8.0.0-18]]. These configurations are only supported in the [[New_3DS]] ARM11-kernel, and are in fact the only ones supported there at all. Applications only get access to the larger memory regions when this is specified in their [[NCCH/Extended Header#New3DS System Mode|extended header]].<br />
<br />
{| class="wikitable" border="1"<br />
! APPMEMTYPE Value<br />
! Base address relative to FCRAM+0, for APPLICATION mem-region<br />
! Region size, for APPLICATION mem-region<br />
! Base address relative to FCRAM+0, for SYSTEM mem-region<br />
! Region size, for SYSTEM mem-region<br />
! Base address relative to FCRAM+0, for BASE mem-region<br />
! Region size, for BASE mem-region<br />
|-<br />
| 0 (default with regular 3DS kernel, used when the type is not 2-5)<br />
| 0x0<br />
| 0x04000000(64MB)<br />
| 0x04000000<br />
| 0x02C00000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 2<br />
| 0x0<br />
| 0x06000000(96MB)<br />
| 0x06000000<br />
| 0x00C00000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 3<br />
| 0x0<br />
| 0x05000000(80MB)<br />
| 0x05000000<br />
| 0x01C00000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 4<br />
| 0x0<br />
| 0x04800000(72MB)<br />
| 0x04800000<br />
| 0x02400000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 5<br />
| 0x0<br />
| 0x02000000(32MB)<br />
| 0x02000000<br />
| 0x04C00000<br />
| 0x06C00000<br />
| 0x01400000<br />
|-<br />
| 6 (This is the default on New3DS. With [[New_3DS]] kernel this is the type used when the value is not 7)<br />
| 0x0<br />
| 0x07C00000(124MB)<br />
| 0x07C00000<br />
| 0x06400000<br />
| 0x0E000000<br />
| 0x02000000<br />
|-<br />
| 7<br />
| 0x0<br />
| 0x0B200000(178MB)<br />
| 0x0B200000<br />
| 0x02E00000<br />
| 0x0E000000<br />
| 0x02000000<br />
|}<br />
<br />
The SYSTEM mem-region size is calculated with: size = FCRAMTOTALSIZE - (APPLICATION_MEMREGIONSIZE + BASE_MEMREGIONSIZE).<br />
<br />
All memory allocated by the kernel itself for kernel use is located under BASE. Most system-modules run under the BASE memregion too.<br />
<br />
Free/used memory on [[4.5.0-10]] with Home Menu / Internet Browser, with the default APPMEMTYPE on retail:<br />
{| class="wikitable" border="1"<br />
! Region<br />
! Base address relative to FCRAM+0<br />
! Region size<br />
! Used memory once [[Home Menu]] finishes loading for system boot, on [[4.5.0-10]]<br />
! Used memory with [[Internet Browser]] running instead of [[Home Menu]], on [[4.5.0-10]]<br />
! Free memory once [[Home Menu]] finishes loading for system boot, on [[4.5.0-10]]<br />
! Free memory with [[Internet Browser]] running instead of [[Home Menu]], on [[4.5.0-10]]<br />
|-<br />
| APPLICATION<br />
| 0x0<br />
| 0x04000000<br />
| 0x0<br />
| <br />
| 0x04000000<br />
| <br />
|-<br />
| SYSTEM<br />
| 0x04000000<br />
| 0x02C00000<br />
| 0x01488000<br />
| 0x02A50000<br />
| 0x01778000<br />
| 0x001B0000<br />
|-<br />
| BASE<br />
| 0x06C00000<br />
| 0x01400000<br />
| 0x01202000<br />
| 0x01236000<br />
| 0x001FE000<br />
| 0x001CA000<br />
|}<br />
<br />
=ARM11 Detailed virtual memory map=<br />
(valid only for FW0B, see [[#Memory map by firmware|Memory map by firmware]] for subsequent versions)<br />
<br />
E8000000 - E8600000: mapped VRAM (18000000 - 18600000)<br />
<br />
EFF00000 - F0000000: mapped Internal memory (1FF00000 - 20000000)<br />
F0000000 - F8000000: mapped Main memory<br />
<br />
FF401000 - FF402000: mapped ? (27FC7000 - 27FC8000)<br />
<br />
FF403000 - FF404000: mapped ? (27FC2000 - 27FC3000)<br />
<br />
FF405000 - FF406000: mapped ? (27FBB000 - 27FBC000)<br />
<br />
FF407000 - FF408000: mapped ? (27FB3000 - 27FB4000)<br />
<br />
FF409000 - FF40A000: mapped ? (27F8E000 - 27F8F000)<br />
<br />
FFF00000 - FFF45000: mapped SlabHeap <br />
<br />
FFF60000 - FFF8B000: mapped Kernel code<br />
<br />
FFFCC000 - FFFCD000: mapped IO [[I2C|I2C]] second bus (10144000 - 10145000)<br />
<br />
FFFCE000 - FFFCF000: mapped IO PDC([[LCD]]) (10400000 - 10401000)<br />
<br />
FFFD0000 - FFFD1000: mapped IO PDN (10141000 - 10142000)<br />
<br />
FFFD2000 - FFFD3000: mapped IO PXI (10163000 - 10164000)<br />
<br />
FFFD4000 - FFFD5000: mapped IO PAD (10146000 - 10147000)<br />
<br />
FFFD6000 - FFFD7000: mapped IO LCD (10202000 - 10203000)<br />
<br />
FFFD8000 - FFFD9000: mapped IO DSP (10140000 - 10141000)<br />
<br />
FFFDA000 - FFFDB000: mapped IO XDMA (10200000 - 10201000)<br />
<br />
FFFDC000 - FFFE0000: mapped ? (1FFF8000 - 1FFFC000)<br />
<br />
FFFE1000 - FFFE2000: mapped ? (1FFF0000 - 1FFF1000)<br />
<br />
FFFE3000 - FFFE4000: mapped ? (1FFF2000 - 1FFF3000)<br />
<br />
FFFE5000 - FFFE9000: mapped L1 MMU table for VA xxx00000<br />
<br />
FFFEA000 - FFFEB000: mapped ? (1FFF1000 - 1FFF2000)<br />
<br />
FFFEC000 - FFFED000: mapped ? (1FFF3000 - 1FFF4000)<br />
<br />
FFFEE000 - FFFF0000: mapped IO IRQ (17E00000 - 17E02000)<br />
<br />
FFFF0000 - FFFF1000: mapped Exception vectors<br />
<br />
FFFF2000 - FFFF6000: mapped L1 MMU table for VA xxx00000<br />
<br />
FFFF7000 - FFFF8000: mapped ? (1FFF1000 - 1FFF2000)<br />
<br />
FFFF9000 - FFFFA000: mapped ? (1FFF3000 - 1FFF4000)<br />
<br />
FFFFB000 - FFFFE000: mapped L2 MMU tables (1FFF5000 - 1FFF8000)<br />
<br />
==0xFF4XX000==<br />
Each [[KThread|thread]] is allocated a 0x1000-byte page in this region for the [[KThreadContext|thread context]]: the first page at 0xFF401000 is for the first created thread, 0xFF403000 for the second thread. This region is used to store the SVC-mode stack for the thread, and thread context data used for context switching. When the IRQ handler, prefetch/data abort handlers, and undefined instruction handler are entered where the SPSR-mode=user, these handlers then store LR+SPSR for the current mode on the SVC-mode stack, then these handlers switch to SVC-mode.<br />
<br />
This page does not contain a dedicated block for storing R0-PC(etc). For user-mode, the user-mode regs are instead saved on the SVC-mode stack when IRQs such as timers for context switching are triggered.<br />
<br />
<br />
For NATIVE_FIRM the memory pages for this region are located in FCRAM, however for TWL_FIRM these are located in AXI WRAM. For TWL_FIRM v6704 the first thread's page for this region is located at physical address 0x1FF93000, the next one at 0x1FF92000, etc.<br />
<br />
== IO Process virtual addressing equivalence ==<br />
It seems an IO register's process virtual address can be calculated by adding 0xEB00000 to its physical address. However for kernel mappings there is no fixed address equivalence.<br />
<br />
=ARM11 User-land memory regions=<br />
==NATIVE_FIRM/SAFE_MODE_FIRM Userland Memory==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Virtual Address Base<br />
! Physical Address Base<br />
! Region Max Size<br />
! Address-range available for svcMapMemoryBlock<br />
! Description<br />
|-<br />
| 0x00100000 / 0x14000000<br />
| <br />
| 0x03F00000<br />
| No<br />
| The [[ExeFS]]:/.code is loaded here, executables must be loaded to the 0x00100000 region when the exheader "special memory" flag is clear. The 0x03F00000-byte size restriction only applies when this flag is clear. Executables are usually loaded to 0x14000000 when the exheader "special memory" flag is set, however this address can be arbitrary.<br />
|-<br />
| 0x04000000<br />
| ?<br />
| ?<br />
| No<br />
| Used for mapping buffers during IPC, see [[IPC Command Structure]].<br />
|-<br />
| 0x08000000<br />
| Main stack physaddr - <heap size for the allocated vaddr 0x08000000 memory><br />
| 0x08000000<br />
| Yes<br />
| Heap mapped by [[SVC|ControlMemory]]<br />
|-<br />
| 0x10000000-StackSize<br />
| .bss physical address - total stack pages<br />
| StackSize from process exheader<br />
| <br />
| Stack for the main-thread, initialized by the ARM11 kernel. The StackSize from the exheader is usually 0x4000, therefore the stack-bottom is usually 0x0FFFC000. The stack for the other threads is normally located in the process .data section however this can be arbitrary.<br />
|-<br />
| 0x10000000<br />
| <br />
| 0x04000000<br />
| Yes<br />
| [[SVC|Shared]] memory<br />
|-<br />
| 0x14000000<br />
| FCRAM+0<br />
| 0x08000000<br />
| No<br />
| Can be mapped by [[SVC|ControlMemory]], this is used for processes' [[SVC|LINEAR]]/GSP heap.<br />
|-<br />
| 0x1E800000<br />
| 0x1F000000<br />
| 0x00400000<br />
| No<br />
| [[New_3DS]] additional memory, access to this is specified by the exheader. Added with [[8.0.0-18]], see above section regarding this memory.<br />
|-<br />
| 0x1EC00000<br />
| 0x10100000<br />
| 0x00400000<br />
| No<br />
| [[IO]] registers, the mapped IO pages which each process can access is specified in the [[NCCH/Extended_Header|exheader]]. (Applications normally don't have access to registers in this range)<br />
|-<br />
| 0x1F000000<br />
| 0x18000000<br />
| 0x00600000<br />
| No<br />
| VRAM, access to this is specified by the exheader.<br />
|-<br />
| 0x1FF00000<br />
| 0x1FF00000<br />
| 0x00080000<br />
| No<br />
| DSP memory, access to this is specified by the exheader.<br />
|-<br />
| 0x1FF80000<br />
| FCRAM memory page allocated by the ARM11 kernel.<br />
| 0x1000<br />
| No<br />
| [[Configuration Memory]], all processes have read-only access to this.<br />
|-<br />
| 0x1FF81000<br />
| FCRAM memory page allocated by the ARM11 kernel.<br />
| 0x1000<br />
| No<br />
| [[Configuration Memory|Shared]] page, all processes have read-access to this. Write access to this is specified by the exheader "Shared page writing" kernel flag.<br />
|-<br />
| 0x1FF82000<br />
| Dynamically taken from the BASE region of FCRAM<br />
| Number of threads * 0x1000 / 8<br />
| No<br />
| [[Thread Local Storage]]<br />
|-<br />
| 0x30000000<br />
| FCRAM+0<br />
| 0x08000000(Old3DS) / 0x10000000([[New_3DS]])<br />
| No<br />
| This LINEAR memory mapping was added with [[8.0.0-18]], see [[SVC#enum_MemoryOperation|here]]. This replaces the original 0x14000000 mapping, for system(memory-region=BASE)/newer titles. The Old3DS kernel uses size 0x08000000 for LINEAR-memory address range checks, while the New3DS kernel uses size 0x10000000 for those range checks. Old3DS/New3DS system-module code doing vaddr->phys-addr conversion uses size 0x10000000.<br />
|-<br />
| 0x20000000 / 0x40000000<br />
| <br />
| <br />
| <br />
| This is the end-address of userland memory, memory under this address is process-unique. Memory starting at this address is only accessible in privileged-mode. This address was changed from 0x20000000 to 0x40000000 with [[8.0.0-18]].<br />
|}<br />
<br />
All executable pages are read-only, and data pages have the execute-never permission set. Normally .text from the loaded ExeFS:/.code is the only mapped executable memory. Executable [[RO Services|CROs]] can be loaded into memory, once loaded the CRO .text section memory page permissions are changed via [[SVC|ControlProcessMemory]] from RW- to R-X. The address and size of each ExeFS:/.code section is stored in the exheader, the permissions for each section is: .text R-X, .rodata R--, .data RW-, and .bss RW-. The loaded .code is mapped to the addresses specified in the exheader by the ARM11 kernel. The stack permissions is initialized by the ARM11 kernel: RW-. The heap permissions is normally RW-.<br />
<br />
All userland memory is mapped with RW permissions for privileged-mode. However, normally the ARM11 kernel only uses userland read/write instructions(or checks that the memory can be written from userland first) for accessing memory specified by [[SVC|SVCs]].<br />
<br />
Processes can't directly access memory for other processes. When service [[Services API|commands]] are used, the kernel maps memory in the destination process for input/output buffers, where the addresses in the command received by the process is replaced by this mapped memory. When this is an input buffer, the buffer data is copied to the mapped memory. When this is an output buffer, the data stored in the mapped memory is copied to the destination buffer specified in the command.<br />
<br />
The physical address which memory for the application memory-type is mapped to begins at FCRAM+0, the total memory allocated for this memory-type is stored in [[Configuration_Memory]]. Applications' .text + .rodata + .data under the application memory-type is mapped at FCRAM + APPMEMALLOC - (aligned page-size for .text + .rodata + .data). The application .bss is mapped at CODEADDR - .bss size aligned down to the page size.<br />
<br />
==TWL_FIRM Userland Memory==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Virtual Address Base<br />
! Physical Address Base<br />
! Size<br />
! Description<br />
|-<br />
| 0x00100000<br />
| 0x1FFAB000 (with newer TWL_FIRM such as v6704 this is located at 0x1FFAC000)<br />
| 0x00055000<br />
| Code + .(ro)data copied from the process 0x00300000 region is located here(.bss is located here as well).<br />
|-<br />
| 0x00155000<br />
| 0x18555000<br />
| 0x000AB000<br />
| <br />
|-<br />
| 0x00200000<br />
| 0x18500000<br />
| 0x00100000<br />
| <br />
|-<br />
| 0x00300000<br />
| 0x24000000<br />
| 0x04000000<br />
| The beginning of the ARM11 process .text is located here.<br />
|-<br />
| 0x08000000<br />
| 0x20000000<br />
| 0x07E00000<br />
| <br />
|-<br />
| 0x1EC00000<br />
| 0x10100000<br />
| 0x00400000<br />
| [[IO]]<br />
|-<br />
| 0x1F000000<br />
| 0x18000000<br />
| 0x00600000<br />
| VRAM<br />
|-<br />
| 0x1FF00000<br />
| 0x1FF00000<br />
| 0x00080000<br />
| This is mapped to the DSP memory.<br />
|}<br />
<br />
The above regions are mapped by the ARM11 kernel. Later when the ARM11 process uses [[SVC|svcKernelSetState]] with type4, the kernel unmaps(?) the following regions: 0x00300000..0x04300000, 0x08000000..0x0FE00000, and 0x10000000..0xF8000000.<br />
<br />
=== Detailed TWL_FIRM ARM11 Memory ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Process Virtual Address<br />
! Physical Address<br />
! Size<br />
! Description<br />
|-<br />
| 0x08000000<br />
| 0x20000000<br />
| 0x01000000*4<br />
| DS(i) 0x02000000 RAM. Vaddr = (DSRAMOffset*4) + 0x08000000, where DSRAMOffset is DSRAMAddr-0x02000000.<br />
|-<br />
| 0x0FC00000<br />
| 0x27C00000<br />
| <br />
| Loaded SRL binary, initially the dev DSi launcher SRL is located here(copied here by the ARM11 process).<br />
|-<br />
| 0x0FD00000<br />
| 0x27D00000<br />
| <br />
| The data located here is copied to here by the ARM11 process. The data located here is a TWL NAND [http://dsibrew.org/wiki/Bootloader bootloader] image, using the same format+encryption/verification methods as the DSi NAND bootloader(stage2). The keyX for this bootloader keyslot is initially set to the retail DSi key-data, however when TWL_FIRM is launched this keyX key-data is replaced with a separate keyX. TWL_FIRM can use either the retail DSi bootloader RSA-1024 modulus, or a seperate modulus: normally only the latter is used(the former is only used when loading the image from FS instead of FCRAM). When using the image from FCRAM(default code-path), TWL_FIRM will not calculate+check the hashes for the bootloader code binaries(this is done when loading from FS however).<br />
|-<br />
| 0x0FDF7000<br />
| 0x27DF7000<br />
| 0x1000<br />
| SRL header<br />
|}<br />
<br />
= System memory details =<br />
0xFFFF9000 Pointer to the current KThread instance<br />
0xFFFF9004 Pointer to the current KProcess instance<br />
0xFFFF9008 Pointer to the current KScheduler instance<br />
0xFFFF9010 Pointer to the last KThread to encounter an exception<br />
<br />
0x8000040 Pointer to the current KThread instance on the ARM9<br />
0x8000044 Pointer to the current KProcess instance on the ARM9<br />
0x8000048 Pointer to the current KScheduler instance on the ARM9<br />
<br />
= VRAM Map While Running System Applets =<br />
*0x1E6000-0x22C500 -- top screen 3D left framebuffer 0(240x400x3) (The "3D right first-framebuf" addr stored in the LCD register is set to this, when the 3D is set to "off")<br />
*0x22C800-0x272D00 -- top screen 3D right framebuffer 0(240x400x3)<br />
*0x273000-0x2B9500 -- top screen 3D left framebuffer 1(240x400x3)<br />
*0x2B9800-0x2FFD00 -- top screen 3D right framebuffer 1(240x400x3)<br />
*0x48F000-0x4C7400 -- bottom screen framebuffer 0(240x320x3)<br />
*0x4C7800-0x4FF800 -- bottom screen framebuffer 1(240x320x3)<br />
<br />
These LCD framebuffer addresses are not changed by the system when launching regular applications, the application itself handles that if needed. These VRAM framebuffers are cleared when launching regular applications.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=CECDU:WriteMessageWithHMAC&diff=18099CECDU:WriteMessageWithHMAC2016-09-10T08:25:54Z<p>Neobrain: </p>
<hr />
<div>=Request=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00070106]}}<br />
{{IPC/RequestEntry|NCCH Program ID}}<br />
{{IPC/RequestEntry|bool is_out_box?}}<br />
{{IPC/RequestEntry|message ID size (unused, always 8)}}<br />
{{IPC/RequestEntry|buffer size (unused)}}<br />
{{IPC/MapPointerR|buffer address}}<br />
{{IPC/MapPointerR|HMAC key address}}<br />
{{IPC/MapPointerRW|message ID address}}<br />
{{IPC/RequestEnd}}<br />
<br />
=Response=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00070046]}}<br />
{{IPC/RequestEntry|Result code}}<br />
{{IPC/MapPointerR|buffer address}}<br />
{{IPC/MapPointerR|HMAC key address}}<br />
{{IPC/MapPointerRW|message ID address}}<br />
{{IPC/RequestEnd}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=CECDU:WriteMessageWithHMAC&diff=18098CECDU:WriteMessageWithHMAC2016-09-10T08:24:07Z<p>Neobrain: Fix request header (still need to figure out the response header)</p>
<hr />
<div>=Request=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00070106]}}<br />
{{IPC/RequestEntry|NCCH Program ID}}<br />
{{IPC/RequestEntry|bool is_out_box?}}<br />
{{IPC/RequestEntry|message ID size (unused, always 8)}}<br />
{{IPC/RequestEntry|buffer size (unused)}}<br />
{{IPC/MapPointerR|buffer address}}<br />
{{IPC/MapPointerR|HMAC key address}}<br />
{{IPC/MapPointerRW|message ID address}}<br />
{{IPC/RequestEnd}}<br />
<br />
=Response=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x0007????]}}<br />
{{IPC/RequestEntry|Result code}}<br />
{{IPC/MapPointerR|buffer address}}<br />
{{IPC/MapPointerR|HMAC key address}}<br />
{{IPC/MapPointerRW|message ID address}}<br />
{{IPC/RequestEnd}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=IPCCommandExample&diff=18086IPCCommandExample2016-09-09T14:46:54Z<p>Neobrain: As suggested by wwylele</p>
<hr />
<div>=Request=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00040080]}}<br />
{{IPC/RequestEntry|[[GPU]] address based at 0x1EB00000, must be word-aligned}}<br />
{{IPC/RequestEntry|1 = Size, must be <=0x80 and word-aligned}}<br />
{{IPC/RequestEnd}}<br />
<br />
{{IPC/RequestStaticBuffers}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00040080]}}<br />
{{IPC/TranslateStaticBuffer|Output buffer address|0}}<br />
{{IPC/RequestEnd}}<br />
<br />
=Response=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code}}<br />
{{IPC/RequestEntry|Result code}}<br />
{{IPC/TranslateStaticBuffer|Output data pointer|0}}<br />
{{IPC/RequestEnd}}<br />
<br />
=Description=<br />
The GPU register offset must be <0x420000.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/RequestStaticBuffers&diff=18085Template:IPC/RequestStaticBuffers2016-09-09T14:46:27Z<p>Neobrain: Created page with "The handler for this IPC command expects the following 0x100-bytes after the beginning of the above command buffer: {{IPC/Request}}"</p>
<hr />
<div>The handler for this IPC command expects the following 0x100-bytes after the beginning of the above command buffer:<br />
{{IPC/Request}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=IPCCommandExample2&diff=18084IPCCommandExample22016-09-09T14:03:21Z<p>Neobrain: Created page with "Adapted from PS:EncryptDecryptAes to illustrate the new IPC command templates. =Request= {{IPC/Request}} {{#vardefine:ipc_offset|0}} {{IPC/RequestEntry|Header code [0x000..."</p>
<hr />
<div>Adapted from [[PS:EncryptDecryptAes]] to illustrate the new IPC command templates.<br />
<br />
=Request=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00040204]}}<br />
{{IPC/RequestEntry|Size in bytes}}<br />
{{IPC/RequestEntry|Destination size in bytes (Unused)}}<br />
{{IPC/RequestEntry|IV / CTR}}<br />
{{IPC/RequestEntry|IV / CTR}}<br />
{{IPC/RequestEntry|IV / CTR}}<br />
{{IPC/RequestEntry|IV / CTR}}<br />
{{IPC/RequestEntry|u8 Algorithm [[PSPXI:EncryptDecryptAes|Type]] (0..5)}}<br />
{{IPC/RequestEntry|u8 Key [[PSPXI:EncryptDecryptAes|Type]] (0..7)}}<br />
{{IPC/MapPointerR|Source pointer}}<br />
{{IPC/MapPointerW|Destination pointer}}<br />
{{IPC/RequestEnd}}<br />
<br />
=Response=<br />
{{IPC/Request}}<br />
{{#vardefine:ipc_offset|0}}<br />
{{IPC/RequestEntry|Header code [0x00040144]}}<br />
{{IPC/RequestEntry|Result code}}<br />
|-<br />
| 2-5<br />
| See [[PSPXI:EncryptDecryptAes|here]].<br />
{{IPC/RequestEnd}}<br />
<br />
=Description=<br />
This is a wrapper for [[PSPXI:EncryptDecryptAes]]. Before using this PSPXI command, PS module will check whether the algorithm type is AES-CCM. PS module will return error-code 0xC90107E8 when the algorithm type is AES-CCM, since [[PSPXI:EncryptDecryptAes]] doesn't support AES-CCM. When the algorithm type is AES-CBC, PS module will clear the low 4-bits of the data size.</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/MapPointerRW&diff=18083Template:IPC/MapPointerRW2016-09-09T14:02:50Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|[[IPC#Buffer_Mapping_Translation|Buffer mapping descriptor]] for read/write access in the target process}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/MapPointerW&diff=18082Template:IPC/MapPointerW2016-09-09T14:02:40Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|[[IPC#Buffer_Mapping_Translation|Buffer mapping descriptor]] for write access in the target process}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/MapPointerR&diff=18081Template:IPC/MapPointerR2016-09-09T14:02:34Z<p>Neobrain: </p>
<hr />
<div>{{IPC/RequestEntry|[[IPC#Buffer_Mapping_Translation|Buffer mapping descriptor]] for read access in the target process}}<br />
{{IPC/RequestEntry|{{{1}}}}}</div>Neobrainhttps://www.3dbrew.org/w/index.php?title=Template:IPC/MapPointerRW&diff=18080Template:IPC/MapPointerRW2016-09-09T13:56:52Z<p>Neobrain: Created page with "{{IPC/RequestEntry|Buffer mapping descriptor for read/write access in the target process}} {{IPC/RequestEntry|{{{1}}} ({{{2}}} bytes)}}"</p>
<hr />
<div>{{IPC/RequestEntry|[[IPC#Buffer_Mapping_Translation|Buffer mapping descriptor]] for read/write access in the target process}}<br />
{{IPC/RequestEntry|{{{1}}} ({{{2}}} bytes)}}</div>Neobrain