Difference between revisions of "NCCH/Extended Header"
Line 433: | Line 433: | ||
|} | |} | ||
− | There are different descriptor types, | + | There are different descriptor types, determined by the number of leading "1"s in the binary value representation of bits 20-31. The different types are laid out as follows: |
{| class="wikitable" border="1" | {| class="wikitable" border="1" |
Revision as of 15:06, 4 November 2015
Overview
This page documents the format of the NCCH Extended Header (exheader for short).
The exheader, has two sections:
- The actual exheader data, containing System Control Info and Access Control Info,
- And a signed copy of NCCH HDR public key, and exheader Access Control Info. (This version of the Access Control Info is used as limitation to the actual Access Control Info)
Main Structure
All values are little endian unless otherwise specified.
Offset | Size | Description |
---|---|---|
0x0 | 0x200 | System Control Info |
0x200 | 0x200 | Access Control Info |
0x400 | 0x100 | AccessDesc Signature (RSA-2048-SHA256) |
0x500 | 0x100 | NCCH Hdr RSA-2048 Public Key |
0x600 | 0x200 | Access Control Info (For limitation of first Access Control Info) |
The AccessDesc Signature covers the NCCH Hdr Public Key and second Access Control Info. The AccessDesc public key is initialised by the bootrom.
When loading the exheader, Process9 compares the exheader data with the data in the accessdesc(note that not everything is compared here). When these don't match, an error is returned. The Process9 code handling this validation was updated with v6.0(the only change in this function seems to be the check for the "Ideal Processor" field).
System Control Info
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | Application Title |
0x8 | 0x5 | Reserved |
0xD | 0x1 | Flag (Bit0: CompressExefsCode, Bit1: SDApplication) |
0xE | 0x2 | Remaster Version |
0x10 | 0xC | Text Code Set Info |
0x1C | 0x4 | Stack Size |
0x20 | 0xC | ReadOnly Code Set Info |
0x2C | 0x4 | Reserved |
0x30 | 0xC | Data Code Set Info |
0x3C | 0x4 | BSS Size |
0x40 | 0x180 (48*8) | Dependency Module (Program ID) List |
0x1C0 | 0x40 | SystemInfo |
Code Set Info
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Address |
0x4 | 0x4 | Physical region size (in page-multiples) |
0x8 | 0x4 | Size (in bytes) |
System Info
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | SaveData Size |
0x8 | 0x8 | Jump ID |
0x10 | 0x30 | Reserved |
Access Control Info
Offset | Size | Description |
---|---|---|
0x0 | 0x170 | ARM11 Local System Capabilities |
0x170 | 0x80 | ARM11 Kernel Capabilities |
0x1F0 | 0x10 | ARM9 Access Control |
ARM11 Local System Capabilities
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | Program ID |
0x8 | 0x4 | Core Version (The Title ID low of the required FIRM) |
0xC | 0x2 | Flag1 and Flag2 |
0xE | 0x1 | Flag0 |
0xF | 0x1 | Priority |
0x10 | 0x20 (16*2) | Resource Limit Descriptors |
0x30 | 0x20 | Storage Info |
0x50 | 0x100 (32*8) | Service Access Control |
0x150 | 0x10 (2*8) | Extended Service Access Control, support for this was implemented with 9.3.0-X. |
0x160 | 0xF | Reserved |
0x16F | 0x1 | Resource Limit Category. (0 = APPLICATION, 1 = SYS_APPLET, 2 = LIB_APPLET, 3 = OTHER(sysmodules running under the BASE memregion)) |
ARM11 Kernel Flags
Bit | Description |
---|---|
0 | Allow debug |
1 | Force debug |
2 | Allow non-alphanum |
3 | Shared page writing |
4 | Privilege priority |
5 | Allow main() args |
6 | Shared device mem |
7 | Runnable on sleep |
8-11 | Memory type (1: application, 2: system, 3: base) |
12 | Special memory |
13 | Process has access to CPU core 2 (New3DS only) |
Flag0
This stores the System Mode, Affinity Mask and Ideal Processor values in one byte. They are stored as follows:
u8 Flag0 = (SystemMode << 4 | AffinityMask << 2 | IdealProcessor);
And can be retrieved as follows:
u8 SystemMode = (Flag0>>4)&0xF; u8 AffinityMask = (Flag0>>2)&0x3; u8 IdealProcessor = (Flag0>>0)&0x3;
In the exheader data, the IdealProcessor field is a bit-index, while in the accessdesc the IdealProcessor field is a bitmask. When the bit specified by the exheader field is not set in the accessdesc field, an error is returned. "if((1<<exheaderval) & accessdescval == 0)return error"
During a FIRM-launch when a titleinfo structure was specified, the field at offset 0x400 in the FIRM-launch parameters is set to the SystemMode of the specified title(however in some cases other values are written there). With 8.0.0-18 NS will now check the output of PTMSYSM command 0x040A0000, when the output is non-zero and a certain NS state field is value-zero, the following is executed otherwise this is skipped. With that check passed on 8.0.0-18, NS will then check (Flag2 & 0xf). When that's value2, the output value(used for the FIRM-launcher parameter field mentioned above) is set to value7. Otherwise, when that value is non-zero, the output value is set to 6.
Flag1 and Flag2
Support for these two u8 fields were implemented with 8.0.0-18.
Flag1
Bit | Description |
---|---|
0 | "EnableL2Cache" (Unknown what this actually does, New3DS-only presumably) |
1 | "cpuspeed_804MHz" (Default "cpuspeed" when not set) |
2-7 | Unused |
In order for the exheader to have any of the above new bits set, the accessdesc must have the corresponding bit set, otherwise the invalid-exheader error is returned.
Homebrew which runs under a title which has the above cpuspeed flag set, runs much faster on New3DS. It's unknown how exactly the system handles these flags.
When launching titles / perhaps other things with APT, NS uses PTMSYSM:ConfigureNew3DSCPU with data which originally came from these flags(NS does this regardless of what the running 3DS system is). However, due to a bug(?) in NS the value sent to that command is always either 0x0 or 0x3. When calculating that value, the code only ever uses the cpuspeed field, not the cache field: code to actually load and check the value of the cache field appears to be missing.
Flag2
Bit | Description |
---|---|
0-3 | ? |
4-7 | Unused |
The exheader value for the above 4-bit value must be <= to the accessdesc value, otherwise the invalid-exheader error is returned.
Storage Info
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | Extdata ID |
0x8 | 0x8 | System Save Data Ids |
0x10 | 0x8 | Storage Accessable Unique Ids |
0x18 | 0x7 | File System Access Info |
0x1F | 0x1 | Other Attributes |
File System Access Info:
Bit and bitmask | Description |
---|---|
0, 0x1 | Category System Application |
1, 0x2 | Category Hardware Check |
2, 0x4 | Category File System Tool |
3, 0x8 | Debug |
4, 0x10 | TWL Card Backup |
5, 0x20 | TWL Nand Data |
6, 0x40 | BOSS |
7, 0x80 | sdmc:/ |
8, 0x100 | Core |
9, 0x200 | nand:/ro/ (Read Only) |
10, 0x400 | nand:/rw/ |
11, 0x800 | nand:/ro/ (Write Access) |
12, 0x1000 | Category System Settings |
13, 0x2000 | Card Board |
14, 0x4000 | Export Import IVS |
15, 0x8000 | sdmc:/ (Write-only) |
16, 0x10000 | Switch Cleanup (Introduced in 3.0.0?) |
17, 0x20000 | Save Data Move (Introduced in 5.0.0) |
18, 0x40000 | Shop (Introduced in 5.0.0) |
19, 0x80000 | Shell (Introduced in 5.0.0) |
20, 0x100000 | Category HomeMenu (Introduced in 6.0.0) |
21, 0x200000 | Unknown. Introduced in 9.6.0-X FIRM. Home Menu has this bit set starting with 9.6.0-X. |
Other Attributes:
Bit | Description |
---|---|
0 | Not use RomFS |
1 | Use Extended Save Data Access. When this is set, the Extdata ID and Storage Accessable Unique Ids regions are used to store a total of 6 Accessible Save Ids. Introduced in 6.0.0. |
Service Access Control
This is the list of services which the process is allowed to access, this is registered with the services manager. Each service listed in the exheader must be listed in the accessdesc, otherwise the invalid exheader error is returned. The order of the services for exheader/accessdesc doesn't matter. The accessdesc can list services which are not in the exheader, but normally the service-access-control data for exheader/accessdesc are exactly the same.
ARM11 Kernel Capabilities
Offset | Size | Description |
---|---|---|
0x0 | 0x70 (28*4) | Descriptors |
0x70 | 0x10 | Reserved |
There are different descriptor types, determined by the number of leading "1"s in the binary value representation of bits 20-31. The different types are laid out as follows:
Pattern of bits 20-31 | Type | Fields |
---|---|---|
0b1110xxxxxxxx | Interrupt info | |
0b11110xxxxxxx | System call mask | Bits 24-26: System call mask table index; Bits 0-23: mask |
0b1111110xxxxx | Kernel release version | Bits 8-15: Major version; Bits 0-7: Minor version |
0b11111110xxxx | Handle table size | Bits 0-18: size |
0b111111110xxx | Kernel flags | See above |
0b11111111100x | Mapping static address | |
0b111111111110 | Mapping IO address |
ARM9 Access Control
Offset | Size | Description |
---|---|---|
0x0 | 0xF | Descriptors |
0xF | 0x1 | ARM9 Descriptor Version. Originally this value had to be >=2. Starting with 9.3.0-X this value has to be either value 2 or value 3. |
Descriptors:
Bit | Description |
---|---|
0 | Mount nand:/ |
1 | Mount nand:/ro/ (Write Access) |
2 | Mount twln:/ |
3 | Mount wnand:/ |
4 | Mount Card SPI |
5 | Use SDIF3 |
6 | Create Seed |
7 | Use Card SPI |
8 | SD Application (Not checked) |
9 | Mount sdmc:/ (Write Access) |