Cafe OS

Cafe OS is the operating system running on the PowerPC in Wii U mode. It consists of the Cafe OS kernel, the executable loader, and system libraries. Unlike on the Wii, where each game provided its own copy of Revolution OS with no isolation between libraries, Wii U applications run under the supervision of a common PowerPC kernel, isolating them from each other. All applications are modified ELFs, as are the libraries themselves, and applications dynamically link with them to gain access to OS services. Cafe OS also contains a few system processes, like the home menu and error handler.

Architecture

Kernel

The kernel runs in supervisor mode on the PowerPC, and performs the basic tasks of a microkernel. It is responsible for process isolation, memory management, and interrupt dispatching, as well as communication with IOSU. Cafe OS applications run as user mode processes, with separate address spaces and W^X memory protection. The kernel provides basic syscalls for running processes.

Processes

A process in Cafe OS represents a single running application, with its own code, memory, and permissions. Cafe OS only executes the code of a single process at a time, but it can hold the data of multiple processes in memory simultaneously, and switch between them. Rather than allowing arbitrary process creation, there is RAM reserved for a single foreground app, a single background app, and various other special processes. Each running process is assigned a unique identifier called a RAMPID:

RAMPID	Description	IOS Name
0	Cafe OS	COS-KERNEL
1	root.rpx	COS-ROOT
2	???	COS-02
3	???	COS-03
4	Background app	COS-OVERLAY
5	Home Menu	COS-HBM
6	Error display	COS-ERROR
7	Foreground app	COS-MASTER

In addition to RAMPID, Cafe OS processes have another type of process ID called a fixed process ID (PFID). Rather than representing which part of memory a process occupies, PFID actually specifies which specific app/task is running (browser, game, eShop, etc.). Cafe OS maps PFIDs to the RAMPID that they occupy when running (for example, a game is RAMPID 7 due to running in the foreground):

PFID	Description	RAMPID
0	Cafe OS kernel	0
1	root.rpx	1
2	Wii U Menu	7
3	TVii	???
4	E-Manual	???
5	Home Menu	5
6	Error Display	6
7	"MiniMiiverse"	???
8	Internet Browser	4
9	Miiverse	???
10	eShop	???
11	COS-FLV	???
12	Download Manager	???
13	COS-RSVD-13	???
14	COS-RSVD-14	???
15	Game	7

Loader

Main article: Loader

The loader is responsible for loading RPL formatted libraries and executables into memory. It is a standard ELF executable named loader.elf. It includes a statically linked copy of zlib, probably for decompressing sections of RPL files.

Libraries

Cafe OS applications dynamically link with system libraries to get access to OS services. These OS services include memory management, graphics, audio, and controller input. All libraries are RPL files, a modification of the standard ELF format with compressed sections and more Windows-like dynamic linking. The main system libraries are listed below, with some having their own pages of documentation:

avm.rpl - Audio/Video Manager
camera.rpl - Gamepad camera
coreinit.rpl - Kernel, memory, and FS
dc.rpl - Display Controller
dmae.rpl - DMA (Direct Memory Access)
drmapp.rpl - Digital Rights Management
erreula.rpl - Error Viewer
gx2.rpl - Graphics
h264.rpl - Support for H.264
lzma920.rpl - LZMA compression
mic.rpl - Gamepad microphone
nfc.rpl - Low-level NFC library
nio_prof.rpl - IO Profiler
nlibcurl.rpl - libcurl 7.21.7, functions match official library, has extra options for curl_easy_setopt
nlibnss.rpl - libnss
nlibnss2.rpl
nn_ac.rpl - Nintendo Network Auto Connection
nn_acp.rpl - Nintendo Network Account/Access Protection
nn_act.rpl - Nintendo Network Accounts
nn_aoc.rpl - Nintendo Network Add-On Content
nn_boss.rpl - Nintendo Network BOSS (SpotPass)
nn_ccr.rpl
nn_cmpt.rpl - Handles transition into vWii
nn_dlp.rpl - 3DS Download Play hosting library
nn_ec.rpl - Nintendo Network E-Commerce
nn_fp.rpl - Nintendo Network Friend Presence
nn_hai.rpl - Helper library for interfacing nn_cmpt.rpl with Wii VC titles.
nn_hpad.rpl - Something related to controllers. Probably for the Gamecube controller adapter?
nn_idbe.rpl - Downloads and decrypts game icons from an online icon database
nn_ndm.rpl - Daemons???
nn_nets2.rpl - More network functions
nn_nfp.rpl - Nintendo Network Nintendo Figurine Platform (Amiibo)
nn_nim.rpl
nn_olv.rpl - Olive/OLV - Miiverse
nn_pdm.rpl - System Play related data (play times etc.)
nn_save.rpl - Savefile access
nn_sl.rpl
nn_spm.rpl - Storage related functions (USB?)
nn_temp.rpl - TEMP library (for temporary files)
nn_uds.rpl - Library for hosting 3DS Local-WLAN networks
nn_vctl.rpl
nsysccr.rpl - DRH communication (input and RPC)
nsyshid.rpl - Human Interface Device library
nsyskbd.rpl - USB keyboard library
nsysnet.rpl - BSD sockets, network configuration, and SSL
nsysuhs.rpl - Low-level USB access
nsysuvd.rpl
ntag.rpl - NTAG high level NFC library
padscore.rpl - Wii Remote and Balance Board
proc_ui.rpl
snd_core.rpl - Sound-1 Core
snd_user.rpl - Sound-1 User
sndcore2.rpl - Sound-2 Core
snduser2.rpl - Sound-2 User
swkbd.rpl - Onscreen keyboard
sysapp.rpl
tcl.rpl - Texture Core library
tve.rpl - TV Engine
uac.rpl - DRH communication (Gamepad microphone)
uac_rpl.rpl
usb_mic.rpl
uvc.rpl - DRH communication (Gamepad camera)
uvd.rpl - AMD's OpenVideo Decode library, with some different function names
vpad.rpl - Gamepad input
vpadbase.rpl - Gamepad base library
zlib125.rpl - ZLIB 1.2.5, functions match official library

Virtual Memory Map

Virtual address range/start	Physical address range/start	Size	Description
0x01000000 - 0x01800000	0x32000000 - 0x32800000	0x800000	Loader and system libraries
0x01800000	?		This is the codegen/JIT memory area, only available under processes which have it enabled under cos.xml(the size comes from cos.xml too).
0x0??????? - 0x10000000	End of app MEM2 region (see here)		App executable and libraries (start varies, but end is always 0x10000000)
0x10000000 - 0x50000000	App MEM2 region (see here)	0x40000000	Application/library data area (may be smaller)
0xa0000000 - 0xe0000000		0x40000000	Overlay of application memory (used by loader?)
0xe0000000 - 0xe4000000	0x14000000 - 0x18000000	0x04000000	Some sort of hardware communication area
0xefe00000 - 0xefe80000			Loader data area (only mapped when running loader)
0xf4000000 - 0xf6000000	0x00000000 - 0x02000000	0x02000000	MEM1
0xf6000000 - 0xf6800000	0x1b000000 - 0x1b800000	0x00800000	Loader chunk buffer
0xf8000000 - 0xfb000000	0x18000000 - 0x1b000000	0x03000000	Read-only shared data (system fonts mostly)
0xfc000000 - 0xfc400000	0x0c000000 - 0x0c400000	0x00400000	Espresso IO registers.
0xfc000000 - 0xfc0c0000	0x0c000000 - 0x0c0c0000	0x000c0000	Processor Interface
0xfc200000 - 0xfc280000	0x0c200000 - 0x0c280000	0x00080000	GX2 Registers
0xfc280000 - 0xfc2a0000	0x0c280000 - 0x0c2a0000	0x00020000	DSP registers
0xfc2a0000 - 0xfc2c0000	0x0c2a0000 - 0x0c2c0000	0x00020000	GX2 FIFO space? (Radeon PKT3 sent here)
0xfc320000 - 0xfc400000	0x0c320000 - 0x0c400000	0x000e0000	Espresso OTP (and other stuff?)
0xfd000000 - 0xfd??????	0x0d000000		Latte Registers
0xfd040250 - 0xfd046c00	0x0d040250 - 0x0d046c00	0x000069b0	I2C registers
0xfd046e00 - 0xfd060520	0x0d046e00 - 0x0d060520	0x00019720	AI registers?
0xff200000 - 0xff280000	0x1b800000 - 0x1b880000	0x00080000	Kernel heap
0xffc00000 - 0xffc20000	?	0x00020000	Codegen area used with OSCodegenCopy. It's unknown when this contains actual proper data.
0xffc40000 - 0xffc60000	?	0x00020000	Codegen area used with OSCodegenCopy. It's unknown when this contains actual proper data.
0xffc80000 - 0xffca0000	?	0x00020000	Codegen area used with OSCodegenCopy. It's unknown when this contains actual proper data.
0xffe00000 - 0xfff20000	0xffe00000 - 0xfff20000	0x00120000	Kernel ancast image
0xffffffe0(?) - 0xfffffffc(?)			Per-thread data (e.g. pointer to thread descriptor and thread queue)