Legacy FIRM PXI
This page describes the PXI commands for TWL_FIRM/AGB_FIRM.
Command Header | Available since system version | Description |
---|---|---|
0x0001.... | 1.0.0-0 | ? |
0x00020080 | 1.0.0-0 | (u64 application_titleID) This launches the specified TWL title. |
0x00030080 | 1.0.0-0 | (u64 application_titleID) This launches the specified GBA VC title. |
0x00040080 | 1.0.0-0 | Process9 will eventually wait for the ARM11 to send this command, see here. The command input parameters are not used. |
0x0005.... | 1.0.0-0 | ? |
0x0006.... | 1.0.0-0 | ? |
0x0007.... | 1.0.0-0 | ? |
0x0008.... | 1.0.0-0 | Stubbed, returns 0xE0C0EC03... |
0x0009.... | 1.0.0-0 | Stubbed, returns 0xE0C0EC03... |
0x000A.... | 1.0.0-0 | ? |
0x000B0040 | 1.0.0-0 | This is used for TWL initialization, prior to using command 0x00020080. |
0x000C0800 | 1.0.0-0 | This writes the input 0x80-byte ASCII data to nand:/rw/sys/lgy.log. |
This PXI service seems to be based on Development Services PXI. Commands 0x8 and 0x9 in both are stubbed with the same function (returns 0xE0C0EC03), commands that seem useless under NATIVE_FIRM have a purpose on legacy FIRMs (command 0xC does some "unnecessary copying to stack" on NATIVE_FIRM, but this same copy (0x80-bytes) is used to write to lgy.log on legacy FIRMs), and commands that are essential (and only useful) on legacy FIRMs (0x2 and 0x3) are stubbed completely on NATIVE_FIRM.
Command 0x2
This does the following:
- Waits for an u8 state field to become non-zero.
- Clears DSi memory, etc.
- Loads the DS(i) application specified by the command request titleID. If this fails, it immediately returns the error for this.
- Initializes the DSi memory at 0x02fe7000 and 0x02fffc00.
- Loads the TWL launcher located at physical address 0x27C00000, which was written there by the TwlBg ARM11 process.
- Loads the TWL bootloader, see here.
- Initializes DSi memory/keys, 0x10018000 registers, etc.
- Writes value 0x3 to REG_BOOTENV, and value 0x1 to an u8 state field.
- Uses svcSignalEvent, then returns.