Changes

'''IOS''' (unofficially known as '''IOSU''' for distinguishing between the Wii and Wii U variants) is the operating system running on the [[Hardware/Starbuck|Starbuck]] coprocessor in Wii U mode. It is the Wii U equivalent of [http://wiibrew.org/wiki/IOS IOS] on the Wii, and similar in some regards, but it is a complete rewrite with many changes. IOSU implements the Wii U's security policy, which includes titles and hardware access. One of its primary responsibilities is enforcing code signing, verifying all titles before installation and launch. Another one of its jobs is managing access to most hardware, such as storage, network, USB, and the Gamepad. The PowerPC can talk to IOSU through an IPC interface, and make security and hardware requests.

'''IOS''' (unofficially known as '''IOSU''' for distinguishing between the Wii and Wii U variants) is the operating system running on the [[Hardware/Starbuck|Starbuck]] coprocessor in Wii U mode. It is the Wii U equivalent of the [http://wiibrew.org/wiki/IOS IOS] on the Wii and, while similar in some aspects, is a complete rewrite with many changes.  

The IOSU is an embedded operating system written by Nintendo, with a microkernel architecture. It contains a simple kernel that implements memory management and process and thread management. Device drivers and security handlers run as processes in the ARM user mode. These processes, called resource managers (RMs), can register as request handlers for resources, which are represented as nodes under /dev in a virtual filesystem. They communicate with each other through the kernel, using standard Unix file operations (open/close/read/write/seek/ioctl/ioctlv).

While the kernel implements memory, process and thread management, device drivers and security handlers run as processes in the ARM user mode. These processes, called resource managers (RMs), can register as request handlers for resources, which are represented as nodes under "/dev" in a virtual filesystem. They communicate with each other through the kernel, using standard Unix file operations (open/close/read/write/seek/ioctl/ioctlv).

 

 

 

= Loader =

= Loader =

Each time the IOSU starts, the ELF loader is the first portion of code that runs in order to make preparations for the actual IOSU binary.

Each time the IOSU starts, the ELF loader is the first portion of code that runs in order to make preparations for the actual IOSU binary.

During the console's initial boot, [[boot1]] is responsible for fetching the IOSU's image and launch it (cold boot). However, IOS-MCP also has to do this when handling a system restart (warm boot).

During the console's initial boot, [[boot1]] is responsible for fetching the "fw.img" file from NAND, verifying, decrypting and launching it (cold boot). However, IOS-MCP also has to do this when handling a system restart (warm boot) for which it follows a similar path but, ultimately, uses the [[#LaunchOS|LaunchOS]] system call in order to disable memory protections and jump to the IOSU's ELF loader code.

The IOS-MCP module begins by clearing up MEM1 then fetches the fw.img file from NAND. It verifies the [[Ancast_Image|Ancast header]], decrypts it using the [[Encryption_Keys|Starbuck Ancast Key]] and finally makes use of the execute_privileged system call in order to disable memory protections and jump to the IOSU's ELF loader code.

This loader then does the following:

The loader does the following:

- Clear it's own small stack;

* Clears it's own stack;

- Set 0x20 in HW_SRNPROT register (if not set already);

* Sets 0x20 in HW_SRNPROT register, if not set already;

- Fetch e_phnum from the IOSU's ELF header;

* Fetches e_phnum from the IOSU's ELF header;

- Loop through the ELF's program header structs;

* Loops through the IOSU's ELF program header structs;

- For each program marked with PT_LOAD, copy it's code into the target physical memory;

* For each program marked with PT_LOAD, copies it's code into the target physical memory;

- Wipe the IOSU's ELF binary from MEM1;

* Wipes the IOSU's ELF binary from MEM1;

- Wipe itself from MEM1 (excluding the then running subroutine);

* Wipes itself from MEM1 (excluding the then running subroutine);

- Branch to 0xFFFF0000 (IOSU kernel boot).

* Jumps to 0xFFFF0000 (IOSU kernel boot).

= Kernel =

= Kernel =

| 0x5C || 0x52 || void || IOS_FlushDCache || void *ptr, u32 len

| 0x5C || 0x52 || void || IOS_FlushDCache || void *ptr, u32 len

|-

|-

| 0x5D || 0x53 || IOSError || [[#Launch|Launch]] || void *address

| 0x5D || 0x53 || IOSError || [[#LaunchOS|LaunchOS]] || [[#OSImageHeader|OSImageHeader]] *os_image

|-

|-

| 0x5E || 0x54 || void || GetOSVersion || u32 *major, u16 *minor

| 0x5E || 0x54 || void || GetOSVersion || u32 *major, u16 *minor

Associates a resource manager to the specified group ID. This ID appears to correspond to the cos.xml permissions groupid? This syscall isn't used with devices that don't require any permissions(and are PowerPC-accessible) it seems. It appears when this ID isn't listed in the cos.xml groupids at all, the device is ARM-only.

Associates a resource manager to the specified group ID. This ID appears to correspond to the cos.xml permissions groupid? This syscall isn't used with devices that don't require any permissions(and are PowerPC-accessible) it seems. It appears when this ID isn't listed in the cos.xml groupids at all, the device is ARM-only.

=== Launch ===

=== LaunchOS ===

Disables memory protection, cleans up executable memory areas and branches to the specified address. This can only be called by MCP, and will infinite loop on return.

Disables memory protection, cleans up executable memory areas and jumps to the specified address. This can only be called by MCP, and will infinite loop on return.

=== ValidateIopAddressSpaceRange ===

=== ValidateIopAddressSpaceRange ===

=== InitializePpc ===

=== InitializePpc ===

Fills range 0x00000000 to 0x00002000 in MEM1 with empty PPC branches

Fills range 0x00000000 to 0x00002000 in MEM1 with empty PPC branches.

=== LoadSystemConfiguration ===

=== LoadSystemConfiguration ===