Cafe OS
Cafe OS is the operating system running on the PowerPC in Wii U mode. It consists of the Cafe OS kernel, the executable loader, and system libraries. Unlike on the Wii, where each game provided its own copy of Revolution OS with no isolation between libraries, Wii U applications run under the supervision of a common PowerPC kernel, isolating them from each other. All applications are modified ELFs, as are the libraries themselves, and applications dynamically link with them to gain access to OS services. Cafe OS also contains a few system processes, like the home menu and error handler.
Kernel
The kernel runs in supervisor mode on the PowerPC, and performs the basic tasks of a microkernel. It is responsible for process isolation, memory management, and interrupt dispatching, as well as communication with IOSU. Cafe OS applications run as user mode processes, with separate address spaces and W^X memory protection.
SysCalls
Cafe OS syscalls are issued by doing the following:
li r0, 0x0100 # load syscall value->r0 sc # syscall instruction blr # return control to program
When you send a call to the kernel, it goes to 0xFFF00C00, which then jumps to 0xFFF021A0 + (fastcall << 5).
Normal syscalls are divisible by 0x100, so all of them will jump to 0xFFF0021A0 itself, which is a jump to the table dispatcher.
The dispatcher uses a RAMPID and the syscall dispatch tables at 0xFFEAAA40 (user table in 5.5.1) and 0xFFE84850 (loader table in 5.5.1) to get the secondary table each RAMPID is able to access.
RAMPIDs 0 (Kernel), 2, and 3 all use an empty table, while RAMPID 1 (root.rpx) has its own table with a few unique calls. RAMPIDs 4 (background app), 5 (home menu), and 6 (error display) share the same table and RAMPID 7 (foreground app) has it's own.
Below is a list of what all of them, as well as the loader which has its own bare-bones table, have access to call. (sp) indicates that the loader uses a separate function for that syscall. Additionally, the loader uses the same function for IPCKDriver_Open/Close.
| # | Name | root | Sys | App | Ldr |
|---|---|---|---|---|---|
| 0x0 | ConsoleWrite | X | X | X | X (sp) |
| 0x100 | AppPanic | X | X | X | X |
| 0x200 | EffectiveToPhysical | X | X | X | |
| 0x300 | PhysicalToEffectiveCached | X | X | X | |
| 0x400 | PhysicalToEffectiveUncached | X | X | X | |
| 0x500 | ValidateAddressSpaceRange | X | X | X | X |
| 0x600 | UpdateCoretime | X | X | X | |
| 0x700 | - | - | - | - | - |
| 0x800 | SetUserModeExHandler | X | X | X | |
| 0x900 | - | - | - | - | - |
| 0xA00 | - | - | - | - | - |
| 0xB00 | AllocateTimer | X | X | X | |
| 0xC00 | FreeTimer | X | X | X | |
| 0xD00 | PrimeTimer | X | X | X | |
| 0xE00 | StopTimer | X | X | X | |
| 0xF00 | DynLoad_DumpModuleList | X | X | X | |
| 0x1000 | SetInterruptHandler | X | X | X | |
| 0x1100 | GetInterruptHandler | X | X | X | |
| 0x1200 | DisableInterrupt | X | X | X | |
| 0x1300 | EnableInterrupt | X | X | X | |
| 0x1400 | ClearAndEnableInterrupt | X | X | X | |
| 0x1500 | GetInterruptStatus | X | X | X | |
| 0x1600 | ClearInterruptStatus | X | X | X | |
| 0x1700 | FindClosestSymbol | X | X | X | X (sp) |
| 0x1800 | Test_Assist | ||||
| 0x1900 | Exit | X | X | X | |
| 0x1A00 | GetInfo | X | X | X | |
| 0x1B00 | SetInfo | X | X | X | |
| 0x1C00 | ReleaseCore | X | X | X | |
| 0x1D00 | SendICI | X | X | X | |
| 0x1E00 | IPCKDriver_{Loader|User}Open | X | X | X | X (sp) |
| 0x1F00 | IPCKDriver_{Loader|User}Close | X | X | X | X (sp) |
| 0x2000 | IPCKDriver_SubmitRequest | X | X | X | X (sp) |
| 0x2100 | - | - | - | - | - |
| 0x2200 | GetEnvironmentVariable | X | X | X | |
| 0x2300 | - | - | - | - | - |
| 0x2400 | - | - | - | - | - |
| 0x2500 | - | - | - | - | - |
| 0x2600 | - | - | - | - | - |
| 0x2700 | Proc_GetNotifyTarget | X | X | X | |
| 0x2800 | Proc_ReleaseForeground | X | X | X | |
| 0x2900 | Proc_GetForegroundBucket | X | X | X | |
| 0x2A00 | Proc_RequestSwitch | X | X | X | |
| 0x2B00 | LaunchTitleArgvStr | X | X | X | |
| 0x2C00 | Proc_YieldCore | X | X | X | |
| 0x2D00 | - | - | - | - | - |
| 0x2E00 | Proc_GetSystemMessage | X | X | X | |
| 0x2F00 | Proc_GetCallArgs | X | X | X | |
| 0x3000 | GetAbsoluteSystemTimeInternal | X | X | X | |
| 0x3100 | SetAbsoluteSystemTimeInternal | X | X | X | |
| 0x3200 | Drivers_GetInstance | X | X | X | |
| 0x3300 | Drivers_PurgeMaster | X | X | X | |
| 0x3400 | - | - | - | - | - |
| 0x3500 | - | - | - | - | - |
| 0x3600 | - | - | - | - | - |
| 0x3700 | - | - | - | - | - |
| 0x3800 | AllocVirtAddr | X | X | X | |
| 0x3900 | FreeVirtAddr | X | X | X | |
| 0x3A00 | GetMapVirtAddrRange | X | X | X | |
| 0x3B00 | GetDataPhysAddrRange | X | X | X | |
| 0x3C00 | GetAvailPhysAddrRange | X | X | X | |
| 0x3D00 | MapMemory | X | X | X | |
| 0x3E00 | UnmapMemory | X | X | X | |
| 0x3F00 | LogBuffer | X | X | X | X |
| 0x4000 | LogArgs | X | X | X | X |
| 0x4100 | LogFunc | X | X | X | X |
| 0x4200 | LogReportKernel | X | X | X | X |
| 0x4300 | LogRetrieve | X | X | X | X |
| 0x4400 | LoadUserContext | X | X | X | |
| 0x4500 | FlushUserContext | X | X | X | |
| 0x4600 | FlushUserFPUContext | X | X | X | |
| 0x4700 | Drivers_CopyFromSaveArea | X | X | X | |
| 0x4800 | Drivers_CopyToSaveArea | X | X | X | |
| 0x4900 | Proc_ReadyToRelease | X | X | X | |
| 0x4A00 | FlushInterrupts | X | X | X | |
| 0x4B00 | SetDABR | X | X | X | |
| 0x4C00 | SetIABR | X | X | X | |
| 0x4D00 | Proc_GetProcessInfo | X | X | X | |
| 0x4E00 | GetCodegenVirtAddrRange | X | X | X | |
| 0x4F00 | DynLoad_RPLLoaderEntry | X | X | X | |
| 0x5000 | RPLLoaderResumeContext | X | |||
| 0x5100 | - | - | - | - | - |
| 0x5200 | WaitIopComplete | X | |||
| 0x5300 | FlushCode | X | |||
| 0x5400 | FlushData | X | |||
| 0x5500 | UpdateHeartbeat | X | |||
| 0x5600 | LogEntry | X | |||
| 0x5700 | FastClearMemory | X | |||
| 0x5800 | GetBusClockSpeed | X | |||
| 0x5900 | Shared_GetArea | X | X | X | |
| 0x5A00 | Proc_SendPolicy | X | X | X | |
| 0x5B00 | GetProcessIndex | X | |||
| 0x5C00 | IPCKDriver_PollLoaderCompletion | X | |||
| 0x5D00 | BlockLogSaveHiLo | X | X | X | |
| 0x5E00 | FinishInitAndPreload | X | |||
| 0x5F00 | ContinueStartProcess | X | |||
| 0x6000 | OpenMCP | X | |||
| 0x6100 | Proc_QuerySwitchReady | X | X | X | |
| 0x6200 | Launch | X | X | X | |
| 0x6300 | Call | X | X | X | |
| 0x6400 | SetTimeInternal | X | |||
| 0x6500 | X | X | X | ||
| 0x6600 | ProfileEntry | X | |||
| 0x6700 | Proc_RequestExit | X | X | X | |
| 0x6800 | Proc_CoreInitDone | X | X | X | |
| 0x6900 | Proc_GetSwitchTarget | X | X | X | |
| 0x6A00 | Proc_AcquireDone | X | X | X | |
| 0x6B00 | Proc_GetBuiltSDKVersion | X | X | X | |
| 0x6C00 | Proc_SystemFatal | X | X | X | |
| 0x6D00 | - | - | - | - | - |
| 0x6E00 | SwitchSecCodeGenMode | X | X | X | |
| 0x6F00 | IopShell_RegisterCallback | X | X | X | |
| 0x7000 | Proc_GetTitleVersion | X | X | X | |
| 0x7100 | Proc_IsTestKernel | X | X | X | |
| 0x7200 | ForceFullRelaunch | X | X | X | |
| 0x7300 | Proc_Recycle | X | |||
| 0x7400 | GetFlags | X | X | X | X |
| 0x7500 | QueryVirtAddr | X | X | X | |
| 0x7600 | GetCodegenInfo | X | X | X | |
| 0x7700 | GetSecCodeGenMode | X | X | X | |
| 0x7800 | CodegenCopy | X | X | X | |
| 0x7900 | Proc_LoadShared | X | |||
| 0x7A00 | SetExceptionCallback | X | X | X | |
| 0x7B00 | IopShell_InjectCommand | X | X | X | |
| 0x7C00 | Proc_Kill | X | X | X | |
| 0x7D00 | EnableOverlayArena | X | X | X | |
| 0x7E00 | DisableOverlayArena | X | X | X | |
| 0x7F00 | GetSystemMode | X | X | X | |
| 0x8000 | SystemMode_RegisterCallback | X | X | X | |
| 0x8100 | ZeroProcessMemory | X | |||
| 0x8200 | HandlePowerEvents | X | |||
| 0x8300 | ConsoleTimestamp | X | X | X | X |
| 0x8400 | ValidateOverlayRange | X | |||
| 0x8500-0xFF00 | BadSysCall (jump to null on purpose) | X | X | X | X |
FastCalls
Fastcalls, on the other hand, are system calls that aren't routed through the dispatcher and can be accessed by any RAMPID. Attempting to access an unimplemented fastcall will redirect the code flow to syscall 0x0100 (AppPanic).
Below is a list of all the currently supported fastcalls.
| # | Name |
|---|---|
| 0x0 | SysCall (default branch to syscall dispatcher) |
| 0x1 | MemoryBarrier |
| 0x2 | EnableInterrupts (deprecated, jumps to error) |
| 0x3 | DisableInterrupts (deprecated, jumps to error) |
| 0x4 | IsInterruptEnabled (deprecated, jumps to error) |
| 0x5 | RestoreInterrupts (deprecated, jumps to error) |
| 0x6 | LoadContext |
| 0x7 | GetMSR |
| 0x8 | SetCurrentContext |
| 0x9 | GetCurrentFPUContext |
| 0xA | SetCurrentFPUContext |
| 0xB | CompareAndSwapCurrentFPUContext |
| 0xC | WriteGatherInit |
| 0xD | SetPerformanceMonitor |
| 0xE | SetUserDMA |
| 0xF | ReturnFromInterrupt |
| 0x10 | FlushFPUContext |
| 0x11 | ReadRegister32Ex |
| 0x12 | WriteRegister32Ex |
| 0x13 | |
| 0x14 | |
| 0x15 | WriteGatherInitWritePtr |
| 0x16 | |
| 0x17 | WriteGatherReadWritePtr |
| 0x18 | EnableFPU |
| 0x19 | GetSecurityLevel |
| 0x1A-0x1F | BadFastCall (jump to error on purpose) |
ReadRegister32Ex
Takes two u32s WhitelistIndex and RegisterIndex. Returns an u32 RegisterValue.
Reads a hardware register from the following whitelist:
0 // Invalid 0xFD020068 // 2 registers at 0x0D000068 (HW_I2CIOPINTEN to HW_I2CIOPINTSTS) 0xFD0100C0 // 1 registers at 0x0D0000C0 (HW_GPIOPPCOUT) 0xFD04021C // 4 registers at 0x0D00021C 0xFD040250 // 4 registers at 0x0D000250 (HW_I2CMCTRL to HW_I2CMDATARD) 0xFD060520 // 6 registers at 0x0D000520 (LT_GPIOPPCOUT to LT_GPIOPPCINTEN) 0xFD106400 // 16 registers at 0x0D006400 0xFD046C00 // 4 registers at 0x0D006C00 0xFD046E00 // 4 registers at 0x0D006E00 0xFD0F6800 // 15 registers at 0x0D006800 (EXI0_CSR to EXI2_DATA) 0 // Invalid 0 // Invalid 0 // Invalid 0 // Invalid 0 // Invalid 0 // Invalid
WriteRegister32Ex
Takes three u32s WhitelistIndex, RegisterIndex and RegisterValue. No output.
Same as ReadRegister32Ex, but for writing to a whitelisted hardware register instead.
OSPlatformInfo
This is a structure mapped to address 0x1FFF000 in MEM1 for communicating with the MCP process.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Magic (0x5726) |
| 0x4 | 0x4 | Size (0x40C) |
| 0x8 | 0x4 | Flags |
| 0xC | 0x4 | ConsoleType |
| 0x10 | 0x4 | Iop2x |
| 0x14 | 0x4 | Bperf |
| 0x18 | 0x4 | PpcSystemClockFrequency |
| 0x1C | 0x4 | PpcCore0L2Size |
| 0x20 | 0x4 | PpcCore0L2LineSize |
| 0x24 | 0x4 | PpcCore0L2SectorSize |
| 0x28 | 0x4 | PpcCore0L2FetchSize |
| 0x2C | 0x4 | PpcCore0L2SetAssociativity |
| 0x30 | 0x4 | PpcCore1L2Size |
| 0x34 | 0x4 | PpcCore1L2LineSize |
| 0x38 | 0x4 | PpcCore1L2SectorSize |
| 0x3C | 0x4 | PpcCore1L2FetchSize |
| 0x40 | 0x4 | PpcCore1L2SetAssociativity |
| 0x44 | 0x4 | PpcCore2L2Size |
| 0x48 | 0x4 | PpcCore2L2LineSize |
| 0x4C | 0x4 | PpcCore2L2SectorSize |
| 0x50 | 0x4 | PpcCore2L2FetchSize |
| 0x54 | 0x4 | PpcCore2L2SetAssociativity |
| 0x58 | 0x64 | Reserved |
| 0xBC | 0x4 | PpcCorePropertiesCount |
| 0xC0 | 0x4 | PpcCorePropertiesFlags |
| 0xC4 | 0x4 | PpcMem0Id |
| 0xC8 | 0x4 | PpcMem0BaseAddress |
| 0xCC | 0x4 | PpcMem0Size |
| 0xD0 | 0x4 | PpcMem1Id |
| 0xD4 | 0x4 | PpcMem1BaseAddress |
| 0xD8 | 0x4 | PpcMem1Size |
| 0xDC | 0x4 | PpcMem2Id |
| 0xE0 | 0x4 | PpcMem2BaseAddress |
| 0xE4 | 0x4 | PpcMem2Size |
| 0xE8 | 0x3C | Reserved |
| 0x124 | 0x4 | PpcMemRegionCount |
| 0x128 | 0x4 | PpcMemRegionFlags |
| 0x12C | 0x244 | Reserved |
| 0x370 | 0x4 | HardwareVersion |
| 0x374 | 0x40 | Reserved |
| 0x3B4 | 0x4 | SmdBaseAddress |
| 0x3B8 | 0x48 | Reserved |
| 0x400 | 0x4 | LastPMState |
| 0x404 | 0x4 | CurrentPMState |
| 0x408 | 0x4 | BootPMFlags |
Flags
| Bits | Description |
|---|---|
| 0-25 | |
| 26 | IsEnterBgNormalMode |
| 27 | IsDevMode |
| 28 | IsFastRelaunch |
| 29 | IsColdBoot |
| 30 | IsSynchronousPrintingEnabled |
| 31 |
OSContext
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x8 | Tag |
| 0x8 | 0x80 | Gpr |
| 0x88 | 0x4 | Cr |
| 0x8C | 0x4 | Lr |
| 0x90 | 0x4 | Ctr |
| 0x94 | 0x4 | Xer |
| 0x98 | 0x4 | Srr0 |
| 0x9C | 0x4 | Srr1 |
| 0xA0 | 0x4 | Dsisr |
| 0xA4 | 0x4 | Dar |
| 0xA8 | 0x4 | CrashType |
| 0xAC | 0x4 | Reserved |
| 0xB0 | 0x4 | FpscrHigh |
| 0xB4 | 0x4 | FpscrLow |
| 0xB8 | 0x100 | Fpr |
| 0x1B8 | 0x2 | SpinLockCount |
| 0x1BA | 0x2 | ContextState |
| 0x1BC | 0x20 | Ugqr |
| 0x1DC | 0x4 | Pir |
| 0x1E0 | 0x100 | Psf |
| 0x2E0 | 0x18 | Coretime |
| 0x2F8 | 0x8 | Starttime |
| 0x300 | 0x4 | Error |
| 0x304 | 0x4 | Attributes |
| 0x308 | 0x4 | Pmc1 |
| 0x30C | 0x4 | Pmc2 |
| 0x310 | 0x4 | Pmc3 |
| 0x314 | 0x4 | Pmc4 |
| 0x318 | 0x4 | Mmcr0 |
| 0x31C | 0x4 | Mmcr1 |
CoreControl
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x40 | |
| 0x40 | 0x4 | BootStage |
| 0x44 | 0x4 | CoreInitFunc |
| 0x48 | 0x4 | CoreState |
| 0x4C | 0x4 | |
| 0x50 | 0x4 | |
| 0x54 | 0x4 | IsKernelPanic |
| 0x58 | 0x4 | InterruptedContext |
| 0x5C | 0x4 | CurrentFpuContext |
| 0x60 | 0x4 | CurrentCoreControl |
| 0x64 | 0x4 | SysCallTableAddress |
| 0x68 | 0x4 | FastCallBaseAddress |
| 0x6C | 0x4 | NonRecoverableExceptionHandlerTableAddress |
| 0x70 | 0x4 | RecoverableExceptionHandlerTableAddress |
| 0x74 | 0x2 | |
| 0x76 | 0x2 | |
| 0x78 | 0x4 | LoadPerfMonContext |
| 0x7C | 0x4 | CurrentSysCallAddress |
| 0x80 | 0x4 | CurrentSysCallCallback |
| 0x84 | 0x4 | NonRecoverableExceptionContextAddress |
| 0x88 | 0x4 | RecoverableExceptionContextAddress |
| 0x8C | 0x4 | NormalSysCalls |
| 0x90 | 0x4 | FpuExceptions |
| 0x94 | 0x4 | DsiExceptions |
| 0x98 | 0x4 | IciExceptions |
| 0x9C | 0x4 | |
| 0xA0 | 0x4 | Ps0 |
| 0xA4 | 0x4 | Ps1 |
| 0xA8 | 0x8 | ProcessWork |
| 0xB0 | 0x4 | |
| 0xB4 | 0x4 | RamPid |
| 0xB8 | 0x4 | Upid |
| 0xBC | 0x4 | Mem1Address |
| 0xC0 | 0x4 | InterceptedLoadContext |
| 0xC4 | 0x4 | SintEnableAfterKernelExit |
| 0xC8 | 0x4 | AddrConfig |
| 0xCC | 0x20 | SysCallCallbackGpr |
| 0xEC | 0x4 | EaDataBegin |
| 0xF0 | 0x4 | EaDataEnd |
| 0xF4 | 0x18 | |
| 0x10C | 0x4 | WriteGatherDataOffset |
| 0x110 | 0x30 | ExceptionInfo |
| 0x140 | 0x4 | OverwriteGprOnExceptionExit |
| 0x144 | 0x28 | ExceptionExitGpr |
| 0x16C | 0x28 | PostException |
| 0x194 | 0x4 | |
| 0x198 | 0x128 | RecoverableExceptionContext |
| 0x2C0 | 0x14 | |
| 0x2D8 | 0x128 | NonRecoverableExceptionContext |
ExceptionContext
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x8 | Tbr64 |
| 0x8 | 0x80 | Gpr |
| 0x88 | 0x4 | Cr |
| 0x8C | 0x4 | Lr |
| 0x90 | 0x4 | Ctr |
| 0x94 | 0x4 | Xer |
| 0x98 | 0x4 | Srr0 |
| 0x9C | 0x4 | Srr1 |
| 0xA0 | 0x88 |
ExceptionInfo
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | |
| 0x4 | 0x4 | |
| 0x8 | 0x4 | UserStackPtr |
| 0xC | 0x4 | ExHandler |
| 0x10 | 0x4 | Msr |
| 0x14 | 0x4 | Sprg0 |
| 0x18 | 0x4 | Dsisr |
| 0x1C | 0x4 | Dar |
| 0x20 | 0x4 | |
| 0x24 | 0x4 | |
| 0x28 | 0x4 | |
| 0x2C | 0x4 | CallbackContext |
PostException
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | OldUpid |
| 0x4 | 0x4 | TargetUpid |
| 0x8 | 0x4 | Exit |
| 0xC | 0x4 | Callback |
| 0x10 | 0x4 | CurrentExceptionContext |
| 0x14 | 0x4 | InterruptedContext |
| 0x18 | 0x4 | |
| 0x1C | 0x4 | |
| 0x20 | 0x4 | |
| 0x24 | 0x4 |
NewExecCtx
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | InterruptedContext |
| 0x4 | 0x4 | CurrentFpuContext |
| 0x8 | 0x4 | |
| 0xC | 0x4 | FastCallBaseAddress |
| 0x10 | 0x4 | SintEnableAfterKernelExit |
| 0x14 | 0x4 | |
| 0x18 | 0x4 | |
| 0x1C | 0x4 | Dabr |
| 0x20 | 0x4 | Iabr |
| 0x24 | 0x4 | EaDataBegin |
| 0x24 | 0x4 | EaDataEnd |
| 0x28 | 0x1C | |
| 0x48 | 0x4 | AddrConfig |
| 0x4C | 0x3C | PerCore |
PerCore
This is a structure mapped to address 0xFFFFFFC0.
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x18 | |
| 0x18 | 0x4 | UserHeartBeat |
| 0x1C | 0x4 | |
| 0x20 | 0x4 | CurrentThread |
| 0x24 | 0x4 | SoftIntEnabled |
| 0x28 | 0x4 | SoftIntPending |
| 0x2C | 0x4 | CurrentContext |
| 0x30 | 0x4 | |
| 0x34 | 0x4 | |
| 0x38 | 0x4 | ThreadQueue |
Processes
A process in Cafe OS represents a single running application, with its own code, memory, and permissions. Cafe OS only executes the code of a single process at a time, but it can hold the data of multiple processes in memory simultaneously, and switch between them. Rather than allowing arbitrary process creation, there is RAM reserved for a single foreground app, a single background app, and various other special processes. Each running process is assigned a unique identifier called a RAMPID:
| RAMPID | Description | IOS Name |
|---|---|---|
| 0 | Cafe OS | COS-KERNEL |
| 1 | root.rpx | COS-ROOT |
| 2 | ??? | COS-02 |
| 3 | ??? | COS-03 |
| 4 | Background app | COS-OVERLAY |
| 5 | Home Menu | COS-HBM |
| 6 | Error display | COS-ERROR |
| 7 | Foreground app | COS-MASTER |
In addition to RAMPID, Cafe OS processes have another type of process ID called a fixed process ID (PFID). Rather than representing which part of memory a process occupies, PFID actually specifies which specific app/task is running (browser, game, eShop, etc.). Cafe OS maps PFIDs to the RAMPID that they occupy when running (for example, a game is RAMPID 7 due to running in the foreground):
| PFID | Description | RAMPID |
|---|---|---|
| 0 | Cafe OS kernel | 0 |
| 1 | root.rpx | 1 |
| 2 | Wii U Menu | 7 |
| 3 | TVii | ??? |
| 4 | E-Manual | ??? |
| 5 | Home Menu | 5 |
| 6 | Error Display | 6 |
| 7 | "MiniMiiverse" | ??? |
| 8 | Internet Browser | 4 |
| 9 | Miiverse | ??? |
| 10 | eShop | ??? |
| 11 | COS-FLV | ??? |
| 12 | Download Manager | ??? |
| 13 | COS-RSVD-13 | ??? |
| 14 | COS-RSVD-14 | ??? |
| 15 | Game | 7 |
Loader
The loader is responsible for loading RPL formatted libraries and executables into memory. It is a standard ELF executable named loader.elf. It includes a statically linked copy of zlib, probably for decompressing sections of RPL files.
Libraries
Cafe OS applications dynamically link with system libraries to get access to OS services. These OS services include memory management, graphics, audio, and controller input. All libraries are RPL files, a modification of the standard ELF format with compressed sections and more Windows-like dynamic linking. The main system libraries are listed below, with some having their own pages of documentation:
- avm.rpl - Audio/Video Manager
- camera.rpl - Gamepad camera
- coreinit.rpl - Kernel, memory, and FS
- dc.rpl - Display Controller
- dmae.rpl - DMA (Direct Memory Access)
- drmapp.rpl - Digital Rights Management
- erreula.rpl - Error Viewer
- gx2.rpl - Graphics
- h264.rpl - Support for H.264
- lzma920.rpl - LZMA compression
- mic.rpl - Gamepad microphone
- nfc.rpl - Low-level NFC library
- nio_prof.rpl - IO Profiler
- nlibcurl.rpl - libcurl 7.21.7, functions match official library, has extra options for curl_easy_setopt
- nlibnss.rpl - libnss
- nlibnss2.rpl
- nn_ac.rpl - Nintendo Network Auto Connection
- nn_acp.rpl - Nintendo Network Account/Access Protection
- nn_act.rpl - Nintendo Network Accounts
- nn_aoc.rpl - Nintendo Network Add-On Content
- nn_boss.rpl - Nintendo Network BOSS (SpotPass)
- nn_ccr.rpl
- nn_cmpt.rpl - Handles transition into vWii
- nn_dlp.rpl - 3DS Download Play hosting library
- nn_ec.rpl - Nintendo Network E-Commerce
- nn_fp.rpl - Nintendo Network Friend Presence
- nn_hai.rpl - Helper library for interfacing nn_cmpt.rpl with Wii VC titles.
- nn_hpad.rpl - Something related to controllers. Probably for the Gamecube controller adapter?
- nn_idbe.rpl - Downloads and decrypts game icons from an online icon database
- nn_ndm.rpl - Daemons???
- nn_nets2.rpl - More network functions
- nn_nfp.rpl - Nintendo Network Nintendo Figurine Platform (Amiibo)
- nn_nim.rpl
- nn_olv.rpl - Olive/OLV - Miiverse
- nn_pdm.rpl - System Play related data (play times etc.)
- nn_save.rpl - Savefile access
- nn_sl.rpl
- nn_spm.rpl - Storage related functions (USB?)
- nn_temp.rpl - TEMP library (for temporary files)
- nn_uds.rpl - Library for hosting 3DS Local-WLAN networks
- nn_vctl.rpl
- nsysccr.rpl - DRH communication (input and RPC)
- nsyshid.rpl - Human Interface Device library
- nsyskbd.rpl - USB keyboard library
- nsysnet.rpl - BSD sockets, network configuration, and SSL
- nsysuhs.rpl - Low-level USB access
- nsysuvd.rpl
- ntag.rpl - NTAG high level NFC library
- padscore.rpl - Wii Remote and Balance Board
- proc_ui.rpl
- snd_core.rpl - Sound-1 Core
- snd_user.rpl - Sound-1 User
- sndcore2.rpl - Sound-2 Core
- snduser2.rpl - Sound-2 User
- swkbd.rpl - Onscreen keyboard
- sysapp.rpl
- tcl.rpl - Texture Core library
- tve.rpl - TV Engine
- uac.rpl - DRH communication (Gamepad microphone)
- uac_rpl.rpl
- usb_mic.rpl
- uvc.rpl - DRH communication (Gamepad camera)
- uvd.rpl - AMD's OpenVideo Decode library, with some different function names
- vpad.rpl - Gamepad input
- vpadbase.rpl - Gamepad base library
- zlib125.rpl - ZLIB 1.2.5, functions match official library
Virtual Memory Map
| Virtual address start | Virtual address size | Physical address start | Flags | Description |
|---|---|---|---|---|
| 0x1000000 | 0x800000 | 0x32000000 | 0x2CE08002 | Loader and system libraries |
| 0x1800000 | 0x20000 | 0 | 0x28101200 | This is the codegen/JIT memory area, only available under processes which have it enabled under cos.xml (the size comes from cos.xml too) |
| 0x2000000 (variable) | 0xE000000 (variable) | 0x72000000 or 0xB2000000 (variable) | 0x2CF09400 | App executable and libraries (start varies, but end is always 0x10000000) |
| 0x10000000 | 0x52000000 or 0x92000000 (variable) | 0x20000000 (variable) | 0x28305800 | Application/library data area (may be smaller) |
| 0xA0000000 | 0x40000000 | 0 | 0x2000 | Overlay of application memory (used by loader?) |
| 0xE0000000 | 0x4000000 | 0x14000000 | 0x28204004 | Some sort of hardware communication area |
| 0xE8000000 | 0x2000000 | 0xD0000000 | 0x78200004 | |
| 0xEFE00000 | 0x80000 | 0x1B900000 | 0x28109010 | Loader data area (only mapped when running loader) |
| 0xF4000000 | 0x2000000 | 0 | 0x28204004 | MEM1 |
| 0xF6000000 | 0x800000 | 0x1B000000 | 0x3CA08002 | Loader chunk buffer |
| 0xF8000000 | 0x3000000 | 0x18000000 | 0x2CA08002 | Read-only shared data (system fonts mostly) |
| 0xFB000000 | 0x800000 | 0x1C800000 | 0x28200002 | |
| 0xFC000000 | 0xC0000 | 0xC000000 | 0x70100022 | Processor Interface |
| 0xFC0C0000 | 0x120000 | 0xC0C0000 | 0x70100022 | |
| 0xFC1E0000 | 0x20000 | 0xC1E0000 | 0x78100024 | VI |
| 0xFC200000 | 0x80000 | 0xC200000 | 0x78100024 | GFXSP |
| 0xFC280000 | 0x20000 | 0xC280000 | 0x78100024 | DSP |
| 0xFC2A0000 | 0x20000 | 0xC2A0000 | 0x78100023 | Write Gather Pipe |
| 0xFC300000 | 0x20000 | 0xC300000 | 0x78100024 | |
| 0xFC320000 | 0xE0000 | 0xC320000 | 0x70100022 | Espresso eFuses |
| 0xFD000000 | 0x400000 | 0xD000000 | 0x70100022 | Latte Registers |
| 0xFE000000 | 0x800000 | 0x1C000000 | 0x20200002 | |
| 0xFF200000 | 0x80000 | 0x1B800000 | 0x20100040 | Kernel heap |
| 0xFF280000 | 0x80000 | 0x1B880000 | 0x20100040 | |
| 0xFFC00000 | 0x20000 | 0xFFC00000 | 0x8100004 | Codegen area used with OSCodegenCopy |
| 0xFFC40000 | 0x20000 | 0xFFC40000 | 0x8100004 | Codegen area used with OSCodegenCopy |
| 0xFFC80000 | 0x20000 | 0xFFC80000 | 0x810000C | Codegen area used with OSCodegenCopy |
| 0xFFCE0000 | 0x20000 | 0 | 0x50100004 | |
| 0xFFE00000 | 0x20000 | 0xFFE00000 | 0x20100040 | Kernel ancast image |
| 0xFFE40000 | 0x20000 | 0xFFE40000 | 0x20100040 | |
| 0xFFE80000 | 0x60000 | 0xFFE80000 | 0x20100040 | |
| 0xFFEE0000 | 0x20000 | 0xFFEE0000 | 0x20100040 | |
| 0xFFF00000 | 0x20000 | 0xFFF00000 | 0x20100040 | |
| 0xFFF60000 | 0x20000 | 0xFFE20000 | 0x20100080 | |
| 0xFFF80000 | 0x20000 | 0xFFE60000 | 0x2C100040 | |
| 0xFFFA0000 | 0x20000 | 0xFFE60000 | 0x20100080 | |
| 0xFFFC0000 | 0x20000 | 0x1BFE0000 | 0x24100002 | |
| 0xFFFE0000 | 0x20000 | 0x1BF80000 | 0x28100102 | Per-thread data (e.g. pointer to thread descriptor and thread queue) at 0xFFFFFFE0 - 0xFFFFFFFC. |