In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

IOS

From WiiUBrew
Revision as of 05:43, 25 October 2015 by Marionumber1 (talk | contribs) (→‎IPC: Clarify how IPC requests are sent, and the kernel's role)
Jump to navigation Jump to search

IOSU is the operating system running on the ARM in Wii U mode. It is the Wii U equivalent of IOS on the Wii, and similar in some regards, but it is a complete rewrite with many changes. IOSU implements the Wii U's security policy, which includes titles and hardware access. One of its primary responsibilities is enforcing code signing, verifying all titles before installation and launch. Another one of its jobs is managing access to most hardware, such as storage, network, USB, and the Gamepad. The PowerPC can talk to IOSU through an IPC interface, and make security and hardware requests.

See Also

Architecture

IOSU is an embedded operating system written by Nintendo, with a microkernel architecture. It contains a simple kernel that implements memory management and process and thread management. Device drivers and security handlers run as processes in the ARM user mode. These processes, called resource managers (RMs), can register as request handlers for resources, which are represented as nodes under /dev in a virtual filesystem. They communicate with each other through the kernel, using standard Unix file operations (open/close/read/write/seek/ioctl/ioctlv).

IPC

PowerPC code is able to call IOSU drivers through an IPC interface. It uses the same call interface as IOSU does internally. Userspace code submits IOSU requests with the IPCKDriver_SubmitRequest() syscall in the Cafe OS kernel. The kernel includes information to identify which Cafe OS process sent the request, allowing IOSU to check permissions on a per-app basis. Requests are contained in a struct, sent through a hardware interface, and marshalled by the IOSU kernel to a target process. 

IPC request struct (size = 0x48, align = 0x20)

0x00: CMD (1=open, 2=close, 3=read, 4=write, 5=seek, 6=ioctl, 7=ioctlv)
0x04: Reply to client
0x08: Client FD
0x0C: Flags (always 0)
0x10: Client CPU (0=ARM internal, 1-3=PPC cores 0-2)
0x14: Client PID (PFID in older versions, RAMPID more recently?)
0x18: Client group ID (Title ID, upper)
0x1C: Client group ID (Title ID, lower)
0x20: Server handle (written by IOSU)
0x24: Arg0
0x28: Arg1
0x2C: Arg2
0x30: Arg3
0x34: Arg4
0x38: CMD (previous)
0x3C: Client FD (previous)
0x40: Virt0 (PPC virtual addresses to be translated)
0x44: Virt1 (PPC virtual addresses to be translated)

IPC commands

0x00 -> IOS_COMMAND_INVALID
0x01 -> IOS_OPEN
0x02 -> IOS_CLOSE
0x03 -> IOS_READ
0x04 -> IOS_WRITE
0x05 -> IOS_SEEK
0x06 -> IOS_IOCTL
0x07 -> IOS_IOCTLV
0x08 -> IOS_REPLY (internal to IOSU)
0x09 -> IOS_IPC_MSG0 (internal to IOSU)
0x0A -> IOS_IPC_MSG1 (internal to IOSU)
0x0B -> IOS_IPC_MSG2 (internal to IOSU)
0x0C -> IOS_SUSPEND (internal to IOSU)
0x0D -> IOS_RESUME (internal to IOSU)
0x0E -> IOS_SVCMSG (internal to IOSU)

IPC client PIDs

On older versions of IOSU, it seems to match the PFID list (shown below). More recently, it appears to use the RAMPID.

0x00 -> COS-KERNEL
0x01 -> COS-ROOT
0x02 -> COS-CAFE-MENU
0x03 -> COS-RSVD-03
0x04 -> COS-E-MANUAL
0x05 -> COS-HBM
0x06 -> COS-ERROR
0x07 -> COS-SYS-APP
0x08 -> COS-BROWSER
0x09 -> COS-RSVD-09
0x0A -> COS-RSVD-10
0x0B -> COS-FLV
0x0C -> COS-DOWNLOAD-MGR
0x0D -> COS-RSVD-13
0x0E -> COS-RSVD-14
0x0F -> COS-APP

IPC arguments

Open CMD:   Client FD == 0
            Arg0 = name
            Arg1 = name_size
            Arg2 = mode (0 = none, 1 = read, 2 = write)

Close CMD:  Client FD != 0

Read CMD:   Client FD != 0
            Arg0 = outPtr
            Arg1 = outLen

Write CMD:  Client FD != 0
            Arg0 = inPtr
            Arg1 = inLen

Seek CMD:   Client FD != 0
            Arg0 = where
            Arg1 = whence

IOCtl CMD:  Client FD != 0
            Arg0 = cmd
            Arg1 = inPtr
            Arg2 = inLen
            Arg3 = outPtr
            Arg4 = outLen

IOCtlv CMD: Client FD != 0
            Arg0 = cmd
            Arg1 = readCount
            Arg2 = writeCount
            Arg3 = vector

Modules

Similarly to the Wii, IOS modules roughly map to processes and drivers inside the kernel.

IOS-CRYPTO

Cryptography services.

IOS-MCP

Master title operations such as title launching and cafe2wii booting.

IOS-USB

USB controllers and devices.

IOS-FS

File system services.

IOS-PAD

Gamepad controllers and devices.

IOS-NET

Network services.

IOS-ACP

User level application management.

IOS-NSEC

Network security services.

IOS-NIM-BOSS

Nintendo's proprietary online services such as update installations.

  • /dev/nim - Nintendo installation manager? (installs updates)
  • /dev/boss - BOSS service

IOS-FPD

Nintendo's proprietary friend system.

IOS-TEST

Debugging and testing services.

IOS-AUXIL

Auxiliary services.

IOS-BSP

Hardware.

  • /dev/bsp - Board support package? (hardware interface)

Others

These are not real /dev nodes. Instead, they represent internal mappings of system volumes.

Virtual Memory Map

  • 0x04000000 - 0x04030000 IOS-CRYPTO
  • 0x05000000 - 0x050C0000 IOS-MCP
  • 0x05100000 - 0x05120000 Unknown
  • 0x08120000 - 0x081C0000 IOS-KERNEL
  • 0x10000000 - 0x10100000 Unknown
  • 0x10100000 - 0x104D0000 IOS-USB
  • 0x10800000 - 0x11EE0000 IOS-FS
  • 0x11F00000 - 0x12160000 IOS-PAD
  • 0x12300000 - 0x12890000 IOS-NET
  • 0x1D000000 - 0x1FB00000 Global heap
  • 0x1FB00000 - 0x1FE00000 Global IOB (input/output block)
  • 0x1FE00000 - 0x1FE20000 Unknown
  • 0x1FE40000 - 0x20000000 Unknown
  • 0x20000000 - 0x28000000 Unknown
  • 0xE0000000 - 0xE0270000 IOS-ACP
  • 0xE1000000 - 0xE12F0000 IOS-NSEC
  • 0xE2000000 - 0xE26D0000 IOS-NIM-BOSS
  • 0xE3000000 - 0xE3300000 IOS-FPD
  • 0xE4000000 - 0xE4160000 IOS-TEST
  • 0xE5000000 - 0xE5070000 IOS-AUXIL
  • 0xE6000000 - 0xE6050000 IOS-BSP
  • 0xE7000000 - 0xE7001000 Unknown
  • 0xEFF00000 - 0xEFF08000 Unknown
  • 0xFFFF0000 - 0xFFFFFFFF Kernel SRAM
Retrieved from "https://wiiubrew.org/w/index.php?title=IOS&oldid=1432"