Cafe OS: Difference between revisions

Processes: Add PFID list
Spletz (talk | contribs)
m "uac_rpl.rpl" -> "uac.rpl"
 
(64 intermediate revisions by 13 users not shown)
Line 1: Line 1:
Cafe OS is the operating system running on the PowerPC in Wii U mode. It consists of the Cafe OS kernel, the executable loader, and system libraries. Unlike on the Wii, where games ran with full hardware access, Wii U applications run under the supervision of the kernel, isolating them from each other. All applications are [[RPL|modified ELFs]], as are the libraries themselves, and applications dynamically link with them to gain access to OS services. Cafe OS also contains a few system processes, like the home menu and error handler.
Cafe OS is the operating system running on the PowerPC in Wii U mode. It consists of the Cafe OS kernel, the executable loader, and system libraries. Unlike on the Wii, where each game provided its own copy of [https://wiibrew.org/wiki/Revolution_OS Revolution OS] with no isolation between libraries, Wii U applications run under the supervision of a common PowerPC kernel, isolating them from each other. All applications are [[RPL|modified ELFs]], as are the libraries themselves, and applications dynamically link with them to gain access to OS services. Cafe OS also contains a few system processes, like the home menu and error handler.


==Architecture==
= Kernel =
===Kernel===
The kernel runs in supervisor mode on the PowerPC, and performs the basic tasks of a microkernel. It is responsible for process isolation, memory management, and interrupt dispatching, as well as communication with [[IOSU]]. Cafe OS applications run as user mode processes, with separate address spaces and W^X memory protection.
{{Main|Cafe_OS_Kernel}}


The kernel runs in supervisor mode on the PowerPC, and performs the basic tasks of a microkernel. It is responsible for process isolation, memory management, and interrupt dispatching, as well as communication with [[IOSU]]. Cafe OS applications run as user mode processes, with separate address spaces and W^X memory protection. The kernel provides basic [[Cafe_OS_Syscalls|syscalls]] for running processes.
== Syscalls ==
Cafe OS syscalls are issued by doing the following:
li r0, 0x0100 # load syscall value->r0
sc            # syscall instruction
blr          # return control to program


===Processes===
When you send a call to the kernel, it goes to 0xFFF00C00, which then jumps to 0xFFF021A0 + (fastcall << 5).
 
Normal syscalls are divisible by 0x100, so all of them will jump to 0xFFF0021A0 itself, which is a jump to the table dispatcher.
 
The dispatcher uses a RAMPID and the syscall dispatch tables at 0xFFEAAA40 (user table in 5.5.1) and 0xFFE84850 (loader table in 5.5.1) to get the secondary table each RAMPID is able to access.
 
RAMPIDs 0 (Kernel), 2, and 3 all use an empty table, while RAMPID 1 (root.rpx) has its own table with a few unique calls. RAMPIDs 4 (background app), 5 (home menu), and 6 (error display) share the same table and RAMPID 7 (foreground app) has it's own.
 
=== ProcessSysCallTable ===
{| class="wikitable sortable"
|-
! scope="col" | #
! scope="col" | Name
! scope="col" style="width: 24px;" | Root
! scope="col" style="width: 24px;" | SystemService
! scope="col" style="width: 24px;" | Browser
! scope="col" style="width: 24px;" | Game
|-
| 0x0 || KeConsoleWrite || X || X || X || X
|-
| 0x100 || KeAppPanic || X || X || X || X
|-
| 0x200 || KeEffectiveToPhysical || X || X || X || X
|-
| 0x300 || KePhysicalToEffectiveCached || X || X || X || X
|-
| 0x400 || KePhysicalToEffectiveUncached || X || X || X || X
|-
| 0x500 || KeValidateAddressSpaceRange || X || X || X || X
|-
| 0x600 || KeUpdateCoretime || X || X || X || X
|-
| 0x700 || - || - || - || - || -
|-
| 0x800 || KeSetUserModeExHandler || X || X || X || X
|-
| 0x900-0xA00 || - || - || - || - || -
|-
| 0xB00 || KeAllocateTimer || X || X || X || X
|-
| 0xC00 || KeFreeTimer || X || X || X || X
|-
| 0xD00 || KePrimeTimer || X || X || X || X
|-
| 0xE00 || KeStopTimer || X || X || X || X
|-
| 0xF00 || KeDumpModuleList || X || X || X || X
|-
| 0x1000 || KeSetInterruptHandler || X || X || X || X
|-
| 0x1100 || KeGetInterruptHandler || X || X || X || X
|-
| 0x1200 || KeDisableInterrupt || X || X || X || X
|-
| 0x1300 || KeEnableInterrupt || X || X || X || X
|-
| 0x1400 || KeClearAndEnableInterrupt || X || X || X || X
|-
| 0x1500 || KeGetInterruptStatus || X || X || X || X
|-
| 0x1600 || KeClearInterruptStatus || X || X || X || X
|-
| 0x1700 || KeFindClosestRPLandSymbol || X || X || X || X
|-
| 0x1800 || KeTestAssist ||  ||  ||  ||
|-
| 0x1900 || KeAppExit || X || X || X || X
|-
| 0x1A00 || KeGetInfo || X || X || X || X
|-
| 0x1B00 || KeSetInfo || X || X || X || X
|-
| 0x1C00 || KeReleaseCore || X || X || X || X
|-
| 0x1D00 || KeSendICI || X || X || X || X
|-
| 0x1E00 || KeIPCKDriver_UserOpen || X || X || X || X
|-
| 0x1F00 || KeIPCKDriver_UserClose || X || X || X || X
|-
| 0x2000 || KeIPCKDriver_SubmitUserRequest || X || X || X || X
|-
| 0x2100 || KeFindRPLExport || X || X || X || X
|-
| 0x2200 || KiGetEnvironmentVariable || X || X || X || X
|-
| 0x2300-0x2600 || - || - || - || - || -
|-
| 0x2700 || KeGetProcNotifyTarget || X || X || X || X
|-
| 0x2800 || KeProcReleaseForeground || X || X || X || X
|-
| 0x2900 || KeProcGetForeground || X || X || X || X
|-
| 0x2A00 || KeProcRequestSwitch || X || X || X || X
|-
| 0x2B00 || KeLaunchTitle || X || X || X || X
|-
| 0x2C00 || KeProcYieldCore || X || X || X || X
|-
| 0x2D00 || - || - || - || - || -
|-
| 0x2E00 || KeProcGetSysMessage || X || X || X || X
|-
| 0x2F00 || KeProcGetCallArgs || X || X || X || X
|-
| 0x3000 || KeGetAbsoluteSystemTime || X || X || X || X
|-
| 0x3100 || KeSetAbsoluteSystemTime || X || X || X || X
|-
| 0x3200 || KeProcDriverGetInstance || X || X || X || X
|-
| 0x3300 || KeProcDriverPurgeMaster || X || X || X || X
|-
| 0x3400-0x3700 || - || - || - || - || -
|-
| 0x3800 || KeAllocVirtAddr || X || X || X || X
|-
| 0x3900 || KeFreeVirtAddr || X || X || X || X
|-
| 0x3A00 || KeGetMapVirtAddrRange || X || X || X || X
|-
| 0x3B00 || KeGetDataPhysAddrRange || X || X || X || X
|-
| 0x3C00 || KeGetAvailPhysAddrRange || X || X || X || X
|-
| 0x3D00 || KeMapMemory || X || X || X || X
|-
| 0x3E00 || KeUnmapMemory || X || X || X || X
|-
| 0x3F00 || KeLogBuffer || X || X || X || X
|-
| 0x4000 || KeLogArgs || X || X || X || X
|-
| 0x4100 || KeLogFunc || X || X || X || X
|-
| 0x4200 || KeLogReport || X || X || X || X
|-
| 0x4300 || KeLogRetrieve || X || X || X || X
|-
| 0x4400 || KeDeferLoadContext || X || X || X || X
|-
| 0x4500 || KeDeferYieldCore || X || X || X || X
|-
| 0x4600 || KeFlushFPUContext || X || X || X || X
|-
| 0x4700 || KeProcDriverCopyFromSave || X || X || X || X
|-
| 0x4800 || KeProcDriverCopyToSave || X || X || X || X
|-
| 0x4900 || KeProcReadyToRelease || X || X || X || X
|-
| 0x4A00 || KeDeliverInterrupts || X || X || X || X
|-
| 0x4B00 || KeSetDABR || X || X || X || X
|-
| 0x4C00 || KeSetIABR || X || X || X || X
|-
| 0x4D00 || KeGetProcessInfo || X || X || X || X
|-
| 0x4E00 || KeGetCodegenVirtAddrRange || X || X || X || X
|-
| 0x4F00 || KeRPLLoaderEntry || X || X || X || X
|-
| 0x5000-0x5800 || - || - || - || - || -
|-
| 0x5900 || KeGetSharedArea || X || X || X || X
|-
| 0x5A00 || KeProcSendPolicy || X || X || X || X
|-
| 0x5B00-0x5C00 || - || - || - || - || -
|-
| 0x5D00 || KeBlockLogSaveHiLo || X || X || X || X
|-
| 0x5E00-0x6000 || - || - || - || - || -
|-
| 0x6100 || KeProcQuerySwitchReady || X || X || X || X
|-
| 0x6200 || KeLaunchTitleByPath || X || X || X || X
|-
| 0x6300 || KeQueryLaunchReady || X || X || X || X
|-
| 0x6400 || KeSetTime ||  || X ||  ||
|-
| 0x6500 || KeGetProfileLog || X || X || X || X
|-
| 0x6600 || - || - || - || - || -
|-
| 0x6700 || KeProcRequestExit || X || X || X || X
|-
| 0x6800 || KeProcCoreInitDone || X || X || X || X
|-
| 0x6900 || KeProcGetSwitchTarget || X || X || X || X
|-
| 0x6A00 || KeProcAcquireDone || X || X || X || X
|-
| 0x6B00 || KeProcGetBuiltSDKVersion || X || X || X || X
|-
| 0x6C00 || KeProcSystemFatal || X || X || X || X
|-
| 0x6D00 || - || - || - || - || -
|-
| 0x6E00 || KeSwitchSecCodeGenMode || X || X || X || X
|-
| 0x6F00 || KeIopShell_RegisterCallback || X || X || X || X
|-
| 0x7000 || Proc_GetTitleVersion || X || X || X || X
|-
| 0x7100 || Proc_IsTestKernel || X || X || X || X
|-
| 0x7200 || ForceFullRelaunch || X || X || X || X
|-
| 0x7300 || Proc_Recycle || X ||  ||  ||
|-
| 0x7400 || GetFlags || X || X || X || X
|-
| 0x7500 || QueryVirtAddr || X || X || X || X
|-
| 0x7600 || GetCodegenInfo || X || X || X || X
|-
| 0x7700 || GetSecCodeGenMode || X || X || X || X
|-
| 0x7800 || CodegenCopy || X || X || X || X
|-
| 0x7900 || Proc_LoadShared || X ||  ||  ||
|-
| 0x7A00 || SetExceptionCallback || X || X || X || X
|-
| 0x7B00 || IopShell_InjectCommand || X || X || X || X
|-
| 0x7C00 || Proc_Kill || X || X || X || X
|-
| 0x7D00 || EnableOverlayArena || X || X || X || X
|-
| 0x7E00 || DisableOverlayArena || X || X || X || X
|-
| 0x7F00 || GetSystemMode || X || X || X || X
|-
| 0x8000 || SystemMode_RegisterCallback || X || X || X || X
|-
| 0x8100 || ZeroProcessMemory || X ||  ||  ||
|-
| 0x8200 || - || - || - || - || -
|-
| 0x8300 || ConsoleTimestamp || X || X || X || X
|-
| 0x8400-0xFF00 || - || - || - || - || -
|}
 
=== LoaderSysCallTable ===
{| class="wikitable sortable"
|-
! scope="col" | #
! scope="col" | Name
|-
| 0x0 || KeConsoleWrite
|-
| 0x100 || KeAppPanic
|-
| 0x200-0x400 || -
|-
| 0x500 || KeValidateAddressSpaceRange
|-
| 0x600-0xE00 || -
|-
| 0xF00 || KeDumpModuleList
|-
| 0x1000-0x1600 || -
|-
| 0x1700 || KeLoaderGetSymbolName
|-
| 0x1800-0x1D00 || -
|-
| 0x1E00 || KeIPCKDriver_LoaderReset
|-
| 0x1F00 || KeIPCKDriver_LoaderReset
|-
| 0x2000 || KeIPCKDriver_SubmitLoaderRequest
|-
| 0x2100-0x3E00 || -
|-
| 0x3F00 || KeLogBuffer
|-
| 0x4000 || KeLogArgs
|-
| 0x4100 || KeLogFunc
|-
| 0x4200 || KeLogReport
|-
| 0x4300 || KeLogRetrieve
|-
| 0x4400-0x4F00 || -
|-
| 0x5000 || KeRPLLoader_ResumeUserContext
|-
| 0x5100 || -
|-
| 0x5200 || KiWaitIopComplete
|-
| 0x5300 || KeLoaderFlushCode
|-
| 0x5400 || KeLoaderFlushData
|-
| 0x5500 || KiUpdateAllHeartBeats
|-
| 0x5600 || KiLogPrintf
|-
| 0x5700 || KiMemclr
|-
| 0x5800 || KeLoaderBusClockSpeed
|-
| 0x5900-0x5A00 || -
|-
| 0x5B00 || GetProcessIndex
|-
| 0x5C00 || KeIPCKDriver_PollLoaderCompletion
|-
| 0x5D00 || -
|-
| 0x5E00 || KeProcess_FinishInitAndPreload
|-
| 0x5F00 || KeContinueStartCore1
|-
| 0x6000 || KeOpenMCP
|-
| 0x6100-0x6500 || -
|-
| 0x6600 || KeLoaderProfile
|-
| 0x6700-0x6C00 || -
|-
| 0x6D00 || KeProcess_FinishChainLoad
|-
| 0x6E00-0x7300 || -
|-
| 0x7400 || GetFlags
|-
| 0x7500-0x8100 || -
|-
| 0x8200 || HandlePowerEvents
|-
| 0x8300 || ConsoleTimestamp
|-
| 0x8400 || ValidateOverlayRange
|-
| 0x8500-0xFF00 || -
|}
 
== Fastcalls ==
Fastcalls, on the other hand, are system calls that aren't routed through the dispatcher and can be accessed by any RAMPID.
Attempting to access an unimplemented fastcall will redirect the code flow to syscall 0x0100 (AppPanic).
 
Below is a list of all the currently supported fastcalls.
 
{| class="wikitable sortable"
|-
! scope="col" | #
! scope="col" | Name
|-
| 0x0 || KsDispatchToKernel
|-
| 0x1 || KsMemoryBarrier
|-
| 0x2 || KsEnableInterrupts (reserved)
|-
| 0x3 || KsDisableInterrupts (reserved)
|-
| 0x4 || KsGetInterruptsEnabled (reserved)
|-
| 0x5 || KsRestoreInterrupts (reserved)
|-
| 0x6 || KsLoadContext
|-
| 0x7 || KsGetMSR
|-
| 0x8 || KsSetCurrentContext
|-
| 0x9 || KsGetCurrentFPUContext
|-
| 0xA || KsSetCurrentFPUContext
|-
| 0xB || KsCompareAndSwapCurrentFPUContext
|-
| 0xC || KsWGReset
|-
| 0xD || KsSetPerformanceMonitor
|-
| 0xE || KsWriteDMAUL
|-
| 0xF || KsUpdateCoretime
|-
| 0x10 || KsFlushFPUContext
|-
| 0x11 || [[#KsReadRegister32Ex|KsReadRegister32Ex]]
|-
| 0x12 || [[#KsWriteRegister32Ex|KsWriteRegister32Ex]]
|-
| 0x13 || KsWGInit
|-
| 0x14 || KsWGInitBaseAndTop
|-
| 0x15 || KsWGInitWritePtr
|-
| 0x16 || KsWGInitThreshold
|-
| 0x17 || KsWGReadWritePtr
|-
| 0x18 || KsEnableFPU
|-
| 0x19 || KsGetSecurityLevel_u32
|-
| 0x1A || KsFastCall26 (reserved)
|-
| 0x1B || KsFastCall27 (reserved)
|-
| 0x1C || KsFastCall28 (reserved)
|-
| 0x1D || KsFastCall29 (reserved)
|-
| 0x1E || KsFastCall30 (reserved)
|-
| 0x1F || KsFastCall31 (reserved)
|}
 
=== KsReadRegister32Ex ===
Takes two u32s '''WhitelistIndex''' and '''RegisterIndex'''. Returns an u32 '''RegisterValue'''.
 
Reads a hardware register from the following whitelist:
0                // Invalid
0xFD020068      // 2 registers at 0x0D000068 (HW_I2CIOPINTEN to HW_I2CIOPINTSTS)
0xFD0100C0      // 1 registers at 0x0D0000C0 (HW_GPIOPPCOUT)
0xFD04021C      // 4 registers at 0x0D00021C (HW_VIIOPDATA to HW_VIIOPCTRL)
0xFD040250      // 4 registers at 0x0D000250 (HW_I2CMCTRL to HW_I2CMDATARD)
0xFD060520      // 6 registers at 0x0D000520 (LT_GPIOPPCOUT to LT_GPIOPPCINTEN)
0xFD106400      // 16 registers at 0x0D006400 (SI0_OUTBUF to SIEXI_LOCK)
0xFD046C00      // 4 registers at 0x0D006C00 (AI_CR to AI_IT)
0xFD046E00      // 4 registers at 0x0D006E00
0xFD0F6800      // 15 registers at 0x0D006800 (EXI0_CSR to EXI2_DATA)
0                // Invalid
0                // Invalid
0                // Invalid
0                // Invalid
0                // Invalid
0                // Invalid
 
=== KsWriteRegister32Ex ===
Takes three u32s '''WhitelistIndex''', '''RegisterIndex''' and '''RegisterValue'''. No output.
 
Same as [[#KsReadRegister32Ex|KsReadRegister32Ex]], but for writing to a whitelisted hardware register instead.
 
== OSPlatformInfo ==
This is a structure mapped to address 0x1FFF000 in MEM1 for communicating with the [[IOSU|MCP]] process.
 
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x4 || Version (0x5726)
|-
| 0x4 || 0x4 || Size (0x40C)
|-
| 0x8 || 0x4 || [[#Flags|Flags]]
|-
| 0xC || 0x4 || ConsoleType
|-
| 0x10 || 0x4 || Iop2x
|-
| 0x14 || 0x4 || Bperf
|-
| 0x18 || 0x4 || PpcSystemClockFrequency
|-
| 0x1C || 0x4 || PpcCore0L2Size
|-
| 0x20 || 0x4 || PpcCore0L2LineSize
|-
| 0x24 || 0x4 || PpcCore0L2SectorSize
|-
| 0x28 || 0x4 || PpcCore0L2FetchSize
|-
| 0x2C || 0x4 || PpcCore0L2SetAssociativity
|-
| 0x30 || 0x4 || PpcCore1L2Size
|-
| 0x34 || 0x4 || PpcCore1L2LineSize
|-
| 0x38 || 0x4 || PpcCore1L2SectorSize
|-
| 0x3C || 0x4 || PpcCore1L2FetchSize
|-
| 0x40 || 0x4 || PpcCore1L2SetAssociativity
|-
| 0x44 || 0x4 || PpcCore2L2Size
|-
| 0x48 || 0x4 || PpcCore2L2LineSize
|-
| 0x4C || 0x4 || PpcCore2L2SectorSize
|-
| 0x50 || 0x4 || PpcCore2L2FetchSize
|-
| 0x54 || 0x4 || PpcCore2L2SetAssociativity
|-
| 0x58 || 0x64 || Reserved
|-
| 0xBC || 0x4 || PpcCorePropertiesCount
|-
| 0xC0 || 0x4 || PpcCorePropertiesFlags
|-
| 0xC4 || 0x4 || PpcMem0Id
|-
| 0xC8 || 0x4 || PpcMem0BaseAddress
|-
| 0xCC || 0x4 || PpcMem0Size
|-
| 0xD0 || 0x4 || PpcMem1Id
|-
| 0xD4 || 0x4 || PpcMem1BaseAddress
|-
| 0xD8 || 0x4 || PpcMem1Size
|-
| 0xDC || 0x4 || PpcMem2Id
|-
| 0xE0 || 0x4 || PpcMem2BaseAddress
|-
| 0xE4 || 0x4 || PpcMem2Size
|-
| 0xE8 || 0x3C || Reserved
|-
| 0x124 || 0x4 || PpcMemRegionCount
|-
| 0x128 || 0x4 || PpcMemRegionFlags
|-
| 0x12C || 0x244 || Reserved
|-
| 0x370 || 0x4 || HardwareVersion
|-
| 0x374 || 0x40 || Reserved
|-
| 0x3B4 || 0x4 || SmdBaseAddress
|-
| 0x3B8 || 0x44 || Reserved
|-
| 0x3FC || 0x4 || [[#OSPackage|OSPackageAddress]]
|-
| 0x400 || 0x4 || LastPMState
|-
| 0x404 || 0x4 || CurrentPMState
|-
| 0x408 || 0x4 || [[Boot1#PowerFlags|BootPMFlags]]
|}
 
=== Flags ===
{| class="wikitable" border="1"
|-
! Bits
! Description
|-
| 0-25
|
|-
| 26
| IsEnterBgNormalMode
|-
| 27
| IsDevMode
|-
| 28
| IsFastRelaunch
|-
| 29
| IsColdBoot
|-
| 30
| IsSynchronousPrintingEnabled
|-
| 31
|
|}
 
== OSPackage ==
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x8 || [[#OSPackageHeader|OSPackageHeader]]
|-
| 0x8 || Variable || Array of [[#OSPackageInfo|OSPackageInfo]]
|-
| Variable || 0x4 || OSArgc
|-
| Variable || Variable || OSArgv
|}
 
=== OSPackageHeader ===
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x4 || Flags
|-
| 0x4 || 0x4 || NumPackages
|}
 
=== OSPackageInfo ===
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x4 || Address
|-
| 0x4 || 0x4 || Size
|-
| 0x8 || 0x4 ||
|-
| 0xC || 0x4 ||
|-
| 0x10 || 0x4 ||
|-
| 0x14 || 0x4 ||
|-
| 0x18 || 0x4 ||
|-
| 0x1C || 0x4 ||
|}
 
== OSContext ==
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x8 || Tag
|-
| 0x8 || 0x80 || Gpr
|-
| 0x88 || 0x4 || Cr
|-
| 0x8C || 0x4 || Lr
|-
| 0x90 || 0x4 || Ctr
|-
| 0x94 || 0x4 || Xer
|-
| 0x98 || 0x4 || Srr0
|-
| 0x9C || 0x4 || Srr1
|-
| 0xA0 || 0x4 || Dsisr
|-
| 0xA4 || 0x4 || Dar
|-
| 0xA8 || 0x4 || CrashType
|-
| 0xAC || 0x4 || Reserved
|-
| 0xB0 || 0x4 || FpscrHigh
|-
| 0xB4 || 0x4 || FpscrLow
|-
| 0xB8 || 0x100 || Fpr
|-
| 0x1B8 || 0x2 || SpinLockCount
|-
| 0x1BA || 0x2 || ContextState
|-
| 0x1BC || 0x20 || Ugqr
|-
| 0x1DC || 0x4 || Pir
|-
| 0x1E0 || 0x100 || Psf
|-
| 0x2E0 || 0x18 || Coretime
|-
| 0x2F8 || 0x8 || Starttime
|-
| 0x300 || 0x4 || Error
|-
| 0x304 || 0x4 || Attributes
|-
| 0x308 || 0x4 || Pmc1
|-
| 0x30C || 0x4 || Pmc2
|-
| 0x310 || 0x4 || Pmc3
|-
| 0x314 || 0x4 || Pmc4
|-
| 0x318 || 0x4 || Mmcr0
|-
| 0x31C || 0x4 || Mmcr1
|}
 
== CoreControl ==
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x40 ||
|-
| 0x40 || 0x4 || BootStage
|-
| 0x44 || 0x4 || CoreInitFunc
|-
| 0x48 || 0x4 || CoreState
|-
| 0x4C || 0x4 ||
|-
| 0x50 || 0x4 ||
|-
| 0x54 || 0x4 || IsKernelPanic
|-
| 0x58 || 0x4 || InterruptedContext
|-
| 0x5C || 0x4 || CurrentFpuContext
|-
| 0x60 || 0x4 || CurrentCoreControl
|-
| 0x64 || 0x4 || SysCallTableAddress
|-
| 0x68 || 0x4 || FastCallBaseAddress
|-
| 0x6C || 0x4 || NonRecoverableExceptionHandlerTableAddress
|-
| 0x70 || 0x4 || RecoverableExceptionHandlerTableAddress
|-
| 0x74 || 0x2 ||
|-
| 0x76 || 0x2 ||
|-
| 0x78 || 0x4 || LoadPerfMonContext
|-
| 0x7C || 0x4 || CurrentSysCallAddress
|-
| 0x80 || 0x4 || CurrentSysCallCallback
|-
| 0x84 || 0x4 || NonRecoverableExceptionContextAddress
|-
| 0x88 || 0x4 || RecoverableExceptionContextAddress
|-
| 0x8C || 0x4 || NormalSysCalls
|-
| 0x90 || 0x4 || FpuExceptions
|-
| 0x94 || 0x4 || DsiExceptions
|-
| 0x98 || 0x4 || IciExceptions
|-
| 0x9C || 0x4 ||
|-
| 0xA0 || 0x4 || Ps0
|-
| 0xA4 || 0x4 || Ps1
|-
| 0xA8 || 0x8 || ProcessWork
|-
| 0xB0 || 0x4 ||
|-
| 0xB4 || 0x4 || RamPid
|-
| 0xB8 || 0x4 || Upid
|-
| 0xBC || 0x4 || Mem1Address
|-
| 0xC0 || 0x4 || InterceptedLoadContext
|-
| 0xC4 || 0x4 || SintEnableAfterKernelExit
|-
| 0xC8 || 0x4 || AddrConfig
|-
| 0xCC || 0x20 || SysCallCallbackGpr
|-
| 0xEC || 0x4 || EaDataBegin
|-
| 0xF0 || 0x4 || EaDataEnd
|-
| 0xF4 || 0x18 ||
|-
| 0x10C || 0x4 || WriteGatherDataOffset
|-
| 0x110 || 0x30 || [[#ExceptionInfo|ExceptionInfo]]
|-
| 0x140 || 0x4 || OverwriteGprOnExceptionExit
|-
| 0x144 || 0x28 || ExceptionExitGpr
|-
| 0x16C || 0x28 || [[#PostException|PostException]]
|-
| 0x194 || 0x4 ||
|-
| 0x198 || 0x128 || [[#ExceptionContext|RecoverableExceptionContext]]
|-
| 0x2C0 || 0x14 ||
|-
| 0x2D8 || 0x128 || [[#ExceptionContext|NonRecoverableExceptionContext]]
|}
 
== ExceptionContext ==
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x8 || Tbr64
|-
| 0x8 || 0x80 || Gpr
|-
| 0x88 || 0x4 || Cr
|-
| 0x8C || 0x4 || Lr
|-
| 0x90 || 0x4 || Ctr
|-
| 0x94 || 0x4 || Xer
|-
| 0x98 || 0x4 || Srr0
|-
| 0x9C || 0x4 || Srr1
|-
| 0xA0 || 0x88 ||
|}
 
== ExceptionInfo ==
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x4 ||
|-
| 0x4 || 0x4 ||
|-
| 0x8 || 0x4 || UserStackPtr
|-
| 0xC || 0x4 || ExHandler
|-
| 0x10 || 0x4 || Msr
|-
| 0x14 || 0x4 || Sprg0
|-
| 0x18 || 0x4 || Dsisr
|-
| 0x1C || 0x4 || Dar
|-
| 0x20 || 0x4 ||
|-
| 0x24 || 0x4 ||
|-
| 0x28 || 0x4 ||
|-
| 0x2C || 0x4 || CallbackContext
|}
 
== PostException ==
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x4 || OldUpid
|-
| 0x4 || 0x4 || TargetUpid
|-
| 0x8 || 0x4 || Exit
|-
| 0xC || 0x4 || Callback
|-
| 0x10 || 0x4 || CurrentExceptionContext
|-
| 0x14 || 0x4 || InterruptedContext
|-
| 0x18 || 0x4 ||
|-
| 0x1C || 0x4 ||
|-
| 0x20 || 0x4 ||
|-
| 0x24 || 0x4 ||
|}
 
== NewExecCtx ==
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x4 || InterruptedContext
|-
| 0x4 || 0x4 || CurrentFpuContext
|-
| 0x8 || 0x4 ||
|-
| 0xC || 0x4 || FastCallBaseAddress
|-
| 0x10 || 0x4 || SintEnableAfterKernelExit
|-
| 0x14 || 0x4 ||
|-
| 0x18 || 0x4 ||
|-
| 0x1C || 0x4 || Dabr
|-
| 0x20 || 0x4 || Iabr
|-
| 0x24 || 0x4 || EaDataBegin
|-
| 0x24 || 0x4 || EaDataEnd
|-
| 0x28 || 0x1C ||
|-
| 0x48 || 0x4 || AddrConfig
|-
| 0x4C || 0x3C || [[#PerCore|PerCore]]
|}
 
== PerCore ==
This is a structure mapped to address 0xFFFFFFC0.
 
{| class="wikitable" border="1"
|-
! Offset || Size || Description
|-
| 0x0 || 0x18 ||
|-
| 0x18 || 0x4 || UserHeartBeat
|-
| 0x1C || 0x4 ||
|-
| 0x20 || 0x4 || CurrentThread
|-
| 0x24 || 0x4 || SoftIntEnabled
|-
| 0x28 || 0x4 || SoftIntPending
|-
| 0x2C || 0x4 || CurrentContext
|-
| 0x30 || 0x4 ||
|-
| 0x34 || 0x4 ||
|-
| 0x38 || 0x4 || ThreadQueue
|}
 
= Processes =
A process in Cafe OS represents a single running application, with its own code, memory, and permissions. Cafe OS only executes the code of a single process at a time, but it can hold the data of multiple processes in memory simultaneously, and switch between them. Rather than allowing arbitrary process creation, there is RAM reserved for a single foreground app, a single background app, and various other special processes. Each running process is assigned a unique identifier called a RAMPID:
A process in Cafe OS represents a single running application, with its own code, memory, and permissions. Cafe OS only executes the code of a single process at a time, but it can hold the data of multiple processes in memory simultaneously, and switch between them. Rather than allowing arbitrary process creation, there is RAM reserved for a single foreground app, a single background app, and various other special processes. Each running process is assigned a unique identifier called a RAMPID:
{| class="wikitable"
{| class="wikitable"
Line 13: Line 952:
! RAMPID
! RAMPID
! Description
! Description
! IOS Name
|-
|-
| 0
| 0
| Cafe OS
| Cafe OS
| COS-KERNEL
|-
|-
| 1
| 1
| root.rpx
| root.rpx
| COS-ROOT
|-
|-
| 2
| 2
| ???
| ???
| COS-02
|-
|-
| 3
| 3
| ???
| ???
| COS-03
|-
|-
| 4
| 4
| Background app
| Background app
| COS-OVERLAY
|-
|-
| 5
| 5
| Home Menu
| Home Menu
| COS-HBM
|-
|-
| 6
| 6
| Error display
| Error display
| COS-ERROR
|-
|-
| 7
| 7
| Foreground app
| Foreground app
| COS-MASTER
|}
|}


Line 47: Line 995:
|-
|-
| 0
| 0
| Cafe OS
| Cafe OS kernel
| 0
| 0
|-
|-
Line 59: Line 1,007:
|-
|-
| 3
| 3
| COS-RSVD-03
| TVii
| ???
| ???
|-
|-
| 4
| 4
| E-manual
| E-Manual
| ???
| ???
|-
|-
Line 71: Line 1,019:
|-
|-
| 6
| 6
| Error display
| Error Display
| 6
| 6
|-
|-
| 7
| 7
| COS-SYS-APP
| Miiverse Post App
| ???
| ???
|-
|-
Line 83: Line 1,031:
|-
|-
| 9
| 9
| COS-RSVD-09
| Miiverse
| ???
| ???
|-
|-
| 10
| 10
| COS-RSVD-10
| eShop
| ???
| ???
|-
|-
Line 95: Line 1,043:
|-
|-
| 12
| 12
| Download manager
| Download Manager
| ???
| ???
|-
|-
Line 109: Line 1,057:
| Game
| Game
| 7
| 7
|-
| 16
| AOC Overlay App
| ???
|-
| 17
| amiibo Settings
| ???
|-
| 31
| Test Overlay
| ???
|-
|}
|}


===Loader===
= Loader =
{{Main|Loader}}
{{Main|Loader}}


The loader is responsible for loading RPL formatted libraries and executables into memory. It is a standard ELF executable named loader.elf. It includes a statically linked copy of zlib, probably for decompressing sections of RPL files.
The loader is responsible for loading RPL formatted libraries and executables into memory. It is a standard ELF executable named loader.elf. It includes a statically linked copy of zlib, probably for decompressing sections of RPL files.


===Libraries===
= Libraries =
Cafe OS applications dynamically link with system libraries to get access to OS services. These OS services include memory management, graphics, audio, and controller input. All libraries are [[RPL|RPL files]], a modification of the standard ELF format with compressed sections and more Windows-like dynamic linking. The main system libraries are listed below, with some having their own pages of documentation:
Cafe OS applications dynamically link with system libraries to get access to OS services. These OS services include memory management, graphics, audio, and controller input. All libraries are [[RPL|RPL files]], a modification of the standard ELF format with compressed sections and more Windows-like dynamic linking. The main system libraries are listed below, with some having their own pages of documentation:
*[[avm.rpl]] - Audio/Video Manager
*[[avm.rpl]] - Audio/Video Manager
Line 138: Line 1,099:
*[[nn_act.rpl]] - Nintendo Network Accounts
*[[nn_act.rpl]] - Nintendo Network Accounts
*[[nn_aoc.rpl]] - Nintendo Network Add-On Content
*[[nn_aoc.rpl]] - Nintendo Network Add-On Content
*[[nn_boss.rpl]] - Nintendo Network BOSS (Streetpass)
*[[nn_boss.rpl]] - Nintendo Network Background Online Services (SpotPass)
*[[nn_ccr.rpl]]
*[[nn_ccr.rpl]]
*[[nn_cmpt.rpl]] - Nintendo Network Compatibility ???
*[[nn_cmpt.rpl]] - Handles transition into vWii
*[[nn_dlp.rpl]] - 3DS Download Play hosting library
*[[nn_ec.rpl]] - Nintendo Network E-Commerce
*[[nn_ec.rpl]] - Nintendo Network E-Commerce
*[[nn_fp.rpl]] - Nintendo Network Friend Presence
*[[nn_fp.rpl]] - Nintendo Network Friend Presence
*[[nn_hai.rpl]]
*[[nn_hai.rpl]] - Helper library for interfacing [[nn_cmpt.rpl]] with Wii VC titles.
*[[nn_hpad.rpl]] - Something related to controllers
*[[nn_hpad.rpl]] - Something related to controllers. Probably for the Gamecube controller adapter?
*[[nn_idbe.rpl]] - Downloads and decrypts game icons from an online icon database
*[[nn_idbe.rpl]] - Icon Database Entries (Downloads and decrypts game icons from an online icon database)
*[[nn_ndm.rpl]] - Daemons???
*[[nn_ndm.rpl]] - Daemons
*[[nn_nets2.rpl]] - More network functions
*[[nn_nets2.rpl]] - More network functions
*[[nn_nfp.rpl]] - Nintendo Network Nintendo Figurine Platform (Amiibo)
*[[nn_nfp.rpl]] - Nintendo Network Nintendo Figurine Platform (Amiibo)
*[[nn_nim.rpl]]
*[[nn_nim.rpl]] - Title installation
*[[nn_olv.rpl]] - Olive/OLV - Miiverse
*[[nn_olv.rpl]] - Olive/OLV - Miiverse
*[[nn_pdm.rpl]] - System Play related data (play times etc.)
*[[nn_pdm.rpl]] - System Play related data (play times etc.)
*[[nn_save.rpl]] - Savefile access
*[[nn_save.rpl]] - Save file access
*[[nn_sl.rpl]]
*[[nn_sl.rpl]] - GamePad Quick Start menu communication
*[[nn_spm.rpl]] - Storage related functions (USB?)
*[[nn_spm.rpl]] - Storage related functions (USB?)
*[[nn_temp.rpl]] - TEMP library (for temporary files)
*[[nn_temp.rpl]] - TEMP library (for temporary files)
*[[nn_uds.rpl]] - UDS/Local Connection library
*[[nn_uds.rpl]] - Library for hosting 3DS Local-WLAN networks
*[[nn_vctl.rpl]]
*[[nn_vctl.rpl]]
*[[nsysccr.rpl]] - DRH communication (input and RPC)
*[[nsysccr.rpl]] - DRH communication (input and RPC)
Line 167: Line 1,129:
*[[padscore.rpl]] - Wii Remote and Balance Board
*[[padscore.rpl]] - Wii Remote and Balance Board
*[[proc_ui.rpl]]
*[[proc_ui.rpl]]
*[[snd_core.rpl]]
*[[snd_core.rpl]] - Sound-1 Core
*[[snd_user.rpl]]
*[[snd_user.rpl]] - Sound-1 User
*[[sndcore2.rpl]]
*[[sndcore2.rpl]] - Sound-2 Core
*[[snduser2.rpl]]
*[[snduser2.rpl]] - Sound-2 User
*[[swkbd.rpl]] - Onscreen keyboard
*[[swkbd.rpl]] - Onscreen keyboard
*[[sysapp.rpl]]
*[[sysapp.rpl]] - Application jump/transition handling
*[[tcl.rpl]] - Texture Core library
*[[tcl.rpl]] - Texture Core library
*[[tve.rpl]] - TV Engine
*[[tve.rpl]] - TV Engine
*[[uac.rpl]] - DRH communication (Gamepad microphone)
*[[uac.rpl]] - DRH communication (Gamepad microphone)
*[[uac_rpl.rpl]]
*[[uac.rpl]]
*[[usb_mic.rpl]]
*[[usb_mic.rpl]]
*[[uvc.rpl]] - DRH communication (Gamepad camera)
*[[uvc.rpl]] - DRH communication (Gamepad camera)
*[[uvd.rpl]] - [http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2012/10/OpenVideo_Decode_API.PDF AMD's OpenVideo Decode library], with some different function names  
*[[uvd.rpl]] - [https://web.archive.org/web/20221108161252/https://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2012/10/OpenVideo_Decode_API.PDF AMD's OpenVideo Decode library], with some different function names  
*[[vpad.rpl]] - Gamepad input
*[[vpad.rpl]] - Gamepad input
*[[vpadbase.rpl]] - Gamepad base library
*[[vpadbase.rpl]] - Gamepad base library
*[https://github.com/madler/zlib/tree/9712272c78b9d9c93746d9c8e156a3728c65ca72 zlib125.rpl] - ZLIB 1.2.5, functions match official library
*[https://github.com/madler/zlib/tree/9712272c78b9d9c93746d9c8e156a3728c65ca72 zlib125.rpl] - ZLIB 1.2.5, functions match official library


==Virtual Memory Map==
= Virtual Memory Map =
*0x01000000 - 0x01800000 '''Loader and system libraries'''
{| class="wikitable"
*0x0??????? - 0x10000000 '''App executable and libraries''' (start varies, but end is always 0x10000000)
|-
*0x10000000 - 0x50000000 '''Application/library data area''' (may be smaller)
! Virtual address start
*0xa0000000 - 0xe0000000 '''Overlay of application memory''' (used by loader?)
! Virtual address size
*0xe0000000 - 0xe4000000 '''Some sort of hardware communication area'''
! Physical address start
*0xefe00000 - 0xefe80000 '''Loader data area''' (only mapped when running loader)
! Flags
*0xf4000000 - 0xf6000000 '''MEM1'''
! Description
*0xf6000000 - 0xf6800000 '''Unknown'''
|-
*0xf8000000 - 0xfb000000 '''Read-only shared data (system fonts mostly)'''
| 0x1000000
*0xfc000000 - 0xfc0c0000 '''{{hw|Processor Interface}}'''
| 0x800000
*0xfc200000 - 0xfc280000 '''GX2 TCL registers'''
| 0x32000000
*0xfc280000 - 0xfc2a0000 '''DSP registers'''
| 0x2CE08002
*0xfc2a0000 - 0xfc2c0000 '''GX2 FIFO space? (Radeon PKT3 sent here)'''
| Loader and system libraries
*0xfc320000 - 0xfd000000 '''Espresso OTP (and other stuff?)'''
|-
*0xfd000000 - 0xfd?????? '''{{hw|Latte registers}}'''
| 0x1800000
*0xfd040250 - 0xfd046c00 '''I2C registers'''
| 0x20000
*0xfd046e00 - 0xfd060520 '''AI registers?'''
| 0
*0xff200000 - 0xff280000 '''Kernel heap'''
| 0x28101200
*0xffe00000 - 0xfff20000 '''Kernel ancast image'''
| This is the [[Coreinit.rpl|codegen]]/JIT memory area, only available under processes which have it enabled under cos.xml (the size comes from cos.xml too)
*0xffffffe0(?) - 0xfffffffc(?) '''Per-thread data (e.g. pointer to thread descriptor and thread queue)'''
|-
| 0x2000000 (variable)
| 0xE000000 (variable)
| 0x72000000 or 0xB2000000 (variable)
| 0x2CF09400
| App executable and libraries (start varies, but end is always 0x10000000)
|-
| 0x10000000
| 0x52000000 or 0x92000000 (variable)
| 0x20000000 (variable)
| 0x28305800
| Application/library data area (may be smaller)
|-
| 0xA0000000
| 0x40000000
| 0
| 0x2000
| Overlay of application memory (used by loader?)
|-
| 0xE0000000
| 0x4000000
| 0x14000000
| 0x28204004
| Some sort of hardware communication area
|-
| 0xE8000000
| 0x2000000
| 0xD0000000
| 0x78200004
|
|-
| 0xEFE00000
| 0x80000
| 0x1B900000
| 0x28109010
| Loader data area (only mapped when running loader)
|-
| 0xF4000000
| 0x2000000
| 0
| 0x28204004
| MEM1
|-
| 0xF6000000
| 0x800000
| 0x1B000000
| 0x3CA08002
| [[Loader]] chunk buffer
|-
| 0xF8000000
| 0x3000000
| 0x18000000
| 0x2CA08002
| Read-only shared data (system fonts mostly)
|-
| 0xFB000000
| 0x800000
| 0x1C800000
| 0x28200002
|
|-
| 0xFC000000
| 0xC0000
| 0xC000000
| 0x70100022
| {{hw|Processor Interface}}
|-
| 0xFC0C0000
| 0x120000
| 0xC0C0000
| 0x70100022
|
|-
| 0xFC1E0000
| 0x20000
| 0xC1E0000
| 0x78100024
| VI
|-
| 0xFC200000
| 0x80000
| 0xC200000
| 0x78100024
| GFXSP
|-
| 0xFC280000
| 0x20000
| 0xC280000
| 0x78100024
| DSP
|-
| 0xFC2A0000
| 0x20000
| 0xC2A0000
| 0x78100023
| Write Gather Pipe
|-
| 0xFC300000
| 0x20000
| 0xC300000
| 0x78100024
|
|-
| 0xFC320000
| 0xE0000
| 0xC320000
| 0x70100022
| Espresso eFuses
|-
| 0xFD000000
| 0x400000
| 0xD000000
| 0x70100022
| {{hw|Latte Registers}}
|-
| 0xFE000000
| 0x800000
| 0x1C000000
| 0x20200002
|
|-
| 0xFF200000
| 0x80000
| 0x1B800000
| 0x20100040
| Kernel heap
|-
| 0xFF280000
| 0x80000
| 0x1B880000
| 0x20100040
|
|-
| 0xFFC00000
| 0x20000
| 0xFFC00000
| 0x8100004
| Codegen area used with OSCodegenCopy
|-
| 0xFFC40000
| 0x20000
| 0xFFC40000
| 0x8100004
| Codegen area used with OSCodegenCopy
|-
| 0xFFC80000
| 0x20000
| 0xFFC80000
| 0x810000C
| Codegen area used with OSCodegenCopy
|-
| 0xFFCE0000
| 0x20000
| 0
| 0x50100004
|
|-
| 0xFFE00000
| 0x20000
| 0xFFE00000
| 0x20100040
| Kernel ancast image
|-
| 0xFFE40000
| 0x20000
| 0xFFE40000
| 0x20100040
|
|-
| 0xFFE80000
| 0x60000
| 0xFFE80000
| 0x20100040
|
|-
| 0xFFEE0000
| 0x20000
| 0xFFEE0000
| 0x20100040
|
|-
| 0xFFF00000
| 0x20000
| 0xFFF00000
| 0x20100040
|
|-
| 0xFFF60000
| 0x20000
| 0xFFE20000
| 0x20100080
|
|-
| 0xFFF80000
| 0x20000
| 0xFFE60000
| 0x2C100040
|
|-
| 0xFFFA0000
| 0x20000
| 0xFFE60000
| 0x20100080
|
|-
| 0xFFFC0000
| 0x20000
| 0x1BFE0000
| 0x24100002
|
|-
| 0xFFFE0000
| 0x20000
| 0x1BF80000
| 0x28100102
| Per-thread data (e.g. pointer to thread descriptor and thread queue) at 0xFFFFFFE0 - 0xFFFFFFFC.
|}