IOS

IOSU is the operating system running on the ARM in Wii U mode. It is the Wii U equivalent of IOS on the Wii, and similar in some regards, but it is a complete rewrite with many changes. IOSU implements the Wii U's security policy, which includes titles and hardware access. One of its primary responsibilities is enforcing code signing, verifying all titles before installation and launch. Another one of its jobs is managing access to most hardware, such as storage, network, USB, and the Gamepad. The PowerPC can talk to IOSU through an IPC interface, and make security and hardware requests.

See Also

• IOSU Syscalls

Architecture

IOSU is an embedded operating system written by Nintendo, with a microkernel architecture. It contains a simple kernel that implements memory management and process and thread management. Device drivers and security handlers run as processes in the ARM user mode. These processes, called resource managers (RMs), can register as request handlers for resources, which are represented as nodes under /dev in a virtual filesystem. They communicate with each other through the kernel, using standard Unix file operations (open/close/read/write/seek/ioctl/ioctlv).

IPC

PowerPC code is able to call IOSU drivers through an IPC interface. It uses the same call interface as IOSU does internally. Userspace code submits IOSU requests with the IPCKDriver_SubmitRequest() syscall in the Cafe OS kernel. The kernel includes information to identify which Cafe OS process sent the request, allowing IOSU to check permissions on a per-app basis. Requests are contained in a struct, sent through a hardware interface, and marshalled by the IOSU kernel to a target process.

IPC request struct (size = 0x48, align = 0x20)

0x00: CMD (1=open, 2=close, 3=read, 4=write, 5=seek, 6=ioctl, 7=ioctlv)
0x04: Reply to client
0x08: Client FD
0x0C: Flags (always 0)
0x10: Client CPU (0=ARM internal, 1-3=PPC cores 0-2)
0x14: Client PID (PFID in older versions, RAMPID more recently?)
0x18: Client group ID (Title ID, upper)
0x1C: Client group ID (Title ID, lower)
0x20: Server handle (written by IOSU)
0x24: Arg0
0x28: Arg1
0x2C: Arg2
0x30: Arg3
0x34: Arg4
0x38: CMD (previous)
0x3C: Client FD (previous)
0x40: Virt0 (PPC virtual addresses to be translated)
0x44: Virt1 (PPC virtual addresses to be translated)

IPC commands

0x00 -> IOS_COMMAND_INVALID
0x01 -> IOS_OPEN
0x02 -> IOS_CLOSE
0x03 -> IOS_READ
0x04 -> IOS_WRITE
0x05 -> IOS_SEEK
0x06 -> IOS_IOCTL
0x07 -> IOS_IOCTLV
0x08 -> IOS_REPLY (internal to IOSU)
0x09 -> IOS_IPC_MSG0 (internal to IOSU)
0x0A -> IOS_IPC_MSG1 (internal to IOSU)
0x0B -> IOS_IPC_MSG2 (internal to IOSU)
0x0C -> IOS_SUSPEND (internal to IOSU)
0x0D -> IOS_RESUME (internal to IOSU)
0x0E -> IOS_SVCMSG (internal to IOSU)

IPC client PIDs

On older versions of IOSU, it seems to match the PFID list (shown below). More recently, it appears to use the RAMPID.

0x00 -> COS-KERNEL
0x01 -> COS-ROOT
0x02 -> COS-CAFE-MENU
0x03 -> COS-RSVD-03
0x04 -> COS-E-MANUAL
0x05 -> COS-HBM
0x06 -> COS-ERROR
0x07 -> COS-SYS-APP
0x08 -> COS-BROWSER
0x09 -> COS-RSVD-09
0x0A -> COS-RSVD-10
0x0B -> COS-FLV
0x0C -> COS-DOWNLOAD-MGR
0x0D -> COS-RSVD-13
0x0E -> COS-RSVD-14
0x0F -> COS-APP

IPC arguments

Open CMD:   Client FD == 0
            Arg0 = name
            Arg1 = name_size
            Arg2 = mode (0 = none, 1 = read, 2 = write)

Close CMD:  Client FD != 0

Read CMD:   Client FD != 0
            Arg0 = outPtr
            Arg1 = outLen

Write CMD:  Client FD != 0
            Arg0 = inPtr
            Arg1 = inLen

Seek CMD:   Client FD != 0
            Arg0 = where
            Arg1 = whence

IOCtl CMD:  Client FD != 0
            Arg0 = cmd
            Arg1 = inPtr
            Arg2 = inLen
            Arg3 = outPtr
            Arg4 = outLen

IOCtlv CMD: Client FD != 0
            Arg0 = cmd
            Arg1 = readCount
            Arg2 = writeCount
            Arg3 = vector

Modules

Similarly to the Wii, IOS modules roughly map to processes and drivers inside the kernel.

IOS-CRYPTO

Cryptography services.

• /dev/crypto - Cryptography API

IOS-MCP

Master title operations such as title launching and cafe2wii booting.

• /dev/mcp - Master title launching (also encapsulates ES from the Wii)
• /dev/mcp_recovery - Master title launching (recovery mode)
• /dev/volflush - Volume cache flushing service
• /dev/pm - Power management
• /dev/syslog - System logging
• /dev/usb_syslog - USB system logging
• /dev/dk_syslog - DevKit system logging
• /dev/ppc_app - PPC application service
• /dev/ppc_kernel - PPC kernel service

IOS-USB

USB controllers and devices.

• /dev/usbproc1 - USB internal process
• /dev/usbproc2 - USB internal recovery process
• /dev/uhs/0 - USB host stack (external ports)
• /dev/usb_cdc - USB communications device class
• /dev/usb_hid - USB human interface device
• /dev/usb_uac - USB audio class
• /dev/usb_midi - USB musical instrument digital interface

IOS-FS

File system services.

• /dev/fsa - Virtual file system API
• /dev/dk - DevKit file system API
• /dev/odm - Optical disk manager
• /dev/ramdisk_svc - RAM disk service
• /dev/ums - USB mass storage
• /dev/df - Disk format?
• /dev/atfs - Optical disk file system
• /dev/isfs - Internal storage file system
• /dev/wfs - Wii file system
• /dev/pcfs - PC file system (only available in DEBUG or TEST mode)
• /dev/rbfs - ?????
• /dev/fat - SD card file system (file allocation table)
• /dev/fla - ?????
• /dev/ahcimgr - Advanced host controller interface manager
• /dev/shdd - SATA hard disk drive
• /dev/md - Memory device?
• /dev/scfm - NAND file manager
• /dev/mmc - MultiMediaCard?
• /dev/timetrace - File IO time tracer

IOS-PAD

Gamepad controllers and devices.

• /dev/uhs/1 - USB host stack (internal devices)
• /dev/ccr_io - Gamepad main service
• /dev/ccr_cdc - Gamepad RPC (CDC = Communications Device Class)
• /dev/ccr_hid - Gamepad input (HID = Human Interface Device)
• /dev/ccr_nfc - Gamepad NFC reader
• /dev/ccr_uac - Gamepad microphone (UAC = USB Audio Class)
• /dev/ccr_uvc - Gamepad camera (UVC = USB Video Class)
• /dev/usb/btrm - Bluetooth module (for Wii Remote and Pro Controller)
• /dev/usb/early_btrm - Secondary Bluetooth module

IOS-NET

Network services.

• /dev/network - Network main service
• /dev/socket - BSD sockets API
• /dev/ifnet - Network interface
• /dev/net/ifmgr - Network interface manager
• /dev/net/ifmgr/wd - Wireless device?
• /dev/net/ifmgr/ncl - Network configuration
• /dev/net/ifmgr/usbeth - Ethernet over USB
• /dev/ifuds - UDS interface
• /dev/udscntrl - UDS control
• /dev/wl0 - Wireless interface
• /dev/wifidata - ?????
• /dev/wifi24 - Standby mode?
• /dev/ac_main - Access point?
• /dev/ndm - ?????
• /dev/dlp - Data loss prevention

IOS-ACP

User level application management.

• /dev/acpproc - Application management internal process
• /dev/acp_main - Application management main service
• /dev/emd - ?????
• /dev/pdm - Play data manager? (stores applications' statistics)
• /dev/nnsm - Nintendo Network service manager?
• /dev/nnmisc - Nintendo Network miscellaneous?

IOS-NSEC

Network security services.

• /dev/nsec - Network security
• /dev/nsec/nss - Network security services
• /dev/nsec/nssl - Network SSL API

IOS-NIM-BOSS

Nintendo's proprietary online services such as update installations.

• /dev/nim - Nintendo installation manager? (installs updates)
• /dev/boss - BOSS service

IOS-FPD

Nintendo's proprietary friend system.

• /dev/fpd - Friend system
• /dev/act - Authentication account library

IOS-TEST

Debugging and testing services.

• /dev/testproc1 - Test process
• /dev/testproc2 - Test process
• /dev/iopsh - IOP shell?
• /dev/cbl - Cafe OS block log
• /debug/prof - Profiler (DEBUG mode only)
• /test/ppcprotviol - PPC protocol violation (TEST mode only)
• /test/sp - System profiler (TEST mode only)
• /test/test_rm - Resource manager test (TEST mode only)

IOS-AUXIL

Auxiliary services.

• /dev/auxilproc - Auxiliary service's internal process
• /dev/im - Home menu
• /dev/usr_cfg - User configuration

IOS-BSP

Hardware.

• /dev/bsp - Board support package? (hardware interface)

Others

These are not real /dev nodes. Instead, they represent internal mappings of system volumes.

• /dev/slccmpt01 - NAND SLC (vWii compatible)
• /dev/slc01 - NAND SLC
• /dev/ramdisk01 - RAM disk
• /dev/mlc01 - NAND MLC
• /dev/hfio01 - Host file IO
• /dev/odd01 - Optical disk drive
• /dev/sdcard01 - SD card

Virtual Memory Map

• 0x04000000 - 0x04030000 IOS-CRYPTO
• 0x05000000 - 0x050C0000 IOS-MCP
• 0x05100000 - 0x05120000 IOS-MCP (debug and recovery mode)
• 0x08120000 - 0x081C0000 IOS-KERNEL
• 0x10000000 - 0x10100000 Unknown
• 0x10100000 - 0x104D0000 IOS-USB
• 0x10800000 - 0x11EE0000 IOS-FS
• 0x11F00000 - 0x12160000 IOS-PAD
• 0x12300000 - 0x12890000 IOS-NET
• 0x1D000000 - 0x1FB00000 Global heap
• 0x1FB00000 - 0x1FE00000 Global IOB (input/output block)
• 0x1FE00000 - 0x1FE20000 Unknown
• 0x1FE40000 - 0x20000000 Unknown
• 0x20000000 - 0x28000000 Unknown
• 0xE0000000 - 0xE0270000 IOS-ACP
• 0xE1000000 - 0xE12F0000 IOS-NSEC
• 0xE2000000 - 0xE26D0000 IOS-NIM-BOSS
• 0xE3000000 - 0xE3300000 IOS-FPD
• 0xE4000000 - 0xE4160000 IOS-TEST
• 0xE5000000 - 0xE5070000 IOS-AUXIL
• 0xE6000000 - 0xE6050000 IOS-BSP
• 0xE7000000 - 0xE7001000 Unknown
• 0xEFF00000 - 0xEFF08000 Unknown
• 0xFFFF0000 - 0xFFFFFFFF Kernel SRAM