13 files changed, 683 insertions, 41 deletions
diff --git a/src/core/hle/function_wrappers.h b/src/core/hle/function_wrappers.h
index 18b6e7017..5e6002f4e 100644
--- a/src/core/hle/function_wrappers.h
+++ b/src/core/hle/function_wrappers.h
@@ -16,9 +16,6 @@ namespace HLE {
 
 #define PARAM(n) Core::CPU().GetReg(n)
 
-/// An invalid result code that is meant to be overwritten when a thread resumes from waiting
-static const ResultCode RESULT_INVALID(0xDEADC0DE);
-
 /**
  * HLE a function return from the current ARM11 userland process
  * @param res Result to return
@@ -68,10 +65,18 @@ void Wrap() {
                       (PARAM(3) != 0), (((s64)PARAM(4) << 32) | PARAM(0)))
                      .raw;
 
-    if (retval != RESULT_INVALID.raw) {
-        Core::CPU().SetReg(1, (u32)param_1);
-        FuncReturn(retval);
-    }
+    Core::CPU().SetReg(1, (u32)param_1);
+    FuncReturn(retval);
+}
+
+template <ResultCode func(s32*, u32*, s32, u32)>
+void Wrap() {
+    s32 param_1 = 0;
+    u32 retval =
+        func(&param_1, (Kernel::Handle*)Memory::GetPointer(PARAM(1)), (s32)PARAM(2), PARAM(3)).raw;
+
+    Core::CPU().SetReg(1, (u32)param_1);
+    FuncReturn(retval);
 }
 
 template <ResultCode func(u32, u32, u32, u32, s64)>
@@ -92,9 +97,7 @@ template <ResultCode func(u32, s64)>
 void Wrap() {
     s32 retval = func(PARAM(0), (((s64)PARAM(3) << 32) | PARAM(2))).raw;
 
-    if (retval != RESULT_INVALID.raw) {
-        FuncReturn(retval);
-    }
+    FuncReturn(retval);
 }
 
 template <ResultCode func(MemoryInfo*, PageInfo*, u32)>
@@ -226,9 +229,18 @@ void Wrap() {
     u32 retval = func(&param_1, &param_2,
                       reinterpret_cast<const char*>(Memory::GetPointer(PARAM(2))), PARAM(3))
                      .raw;
-    // The first out parameter is moved into R2 and the second is moved into R1.
-    Core::CPU().SetReg(1, param_2);
-    Core::CPU().SetReg(2, param_1);
+    Core::CPU().SetReg(1, param_1);
+    Core::CPU().SetReg(2, param_2);
+    FuncReturn(retval);
+}
+
+template <ResultCode func(Kernel::Handle*, Kernel::Handle*)>
+void Wrap() {
+    Kernel::Handle param_1 = 0;
+    Kernel::Handle param_2 = 0;
+    u32 retval = func(&param_1, &param_2).raw;
+    Core::CPU().SetReg(1, param_1);
+    Core::CPU().SetReg(2, param_2);
     FuncReturn(retval);
 }
 
diff --git a/src/core/hle/kernel/client_session.cpp b/src/core/hle/kernel/client_session.cpp
index fef97af1f..646a5cc64 100644
--- a/src/core/hle/kernel/client_session.cpp
+++ b/src/core/hle/kernel/client_session.cpp
@@ -9,6 +9,7 @@
 #include "core/hle/kernel/hle_ipc.h"
 #include "core/hle/kernel/server_session.h"
 #include "core/hle/kernel/session.h"
+#include "core/hle/kernel/thread.h"
 
 namespace Kernel {
 
@@ -27,19 +28,24 @@ ClientSession::~ClientSession() {
 
         // TODO(Subv): Force a wake up of all the ServerSession's waiting threads and set
         // their WaitSynchronization result to 0xC920181A.
+
+        // Clean up the list of client threads with pending requests, they are unneeded now that the
+        // client endpoint is closed.
+        server->pending_requesting_threads.clear();
+        server->currently_handling = nullptr;
     }
 
     parent->client = nullptr;
 }
 
-ResultCode ClientSession::SendSyncRequest() {
+ResultCode ClientSession::SendSyncRequest(SharedPtr<Thread> thread) {
     // Keep ServerSession alive until we're done working with it.
     SharedPtr<ServerSession> server = parent->server;
     if (server == nullptr)
         return ERR_SESSION_CLOSED_BY_REMOTE;
 
     // Signal the server session that new data is available
-    return server->HandleSyncRequest();
+    return server->HandleSyncRequest(std::move(thread));
 }
 
 } // namespace
diff --git a/src/core/hle/kernel/client_session.h b/src/core/hle/kernel/client_session.h
index 2de379c09..daf521529 100644
--- a/src/core/hle/kernel/client_session.h
+++ b/src/core/hle/kernel/client_session.h
@@ -14,6 +14,7 @@ namespace Kernel {
 
 class ServerSession;
 class Session;
+class Thread;
 
 class ClientSession final : public Object {
 public:
@@ -34,9 +35,10 @@ public:
 
     /**
      * Sends an SyncRequest from the current emulated thread.
+     * @param thread Thread that initiated the request.
      * @return ResultCode of the operation.
      */
-    ResultCode SendSyncRequest();
+    ResultCode SendSyncRequest(SharedPtr<Thread> thread);
 
     std::string name; ///< Name of client port (optional)
 
diff --git a/src/core/hle/kernel/errors.h b/src/core/hle/kernel/errors.h
index b3b60e7df..64aa61460 100644
--- a/src/core/hle/kernel/errors.h
+++ b/src/core/hle/kernel/errors.h
@@ -13,6 +13,7 @@ enum {
     OutOfHandles = 19,
     SessionClosedByRemote = 26,
     PortNameTooLong = 30,
+    NoPendingSessions = 35,
     WrongPermission = 46,
     InvalidBufferDescriptor = 48,
     MaxConnectionsReached = 52,
@@ -94,5 +95,9 @@ constexpr ResultCode ERR_OUT_OF_RANGE_KERNEL(ErrorDescription::OutOfRange, Error
                                              ErrorLevel::Permanent); // 0xD8E007FD
 constexpr ResultCode RESULT_TIMEOUT(ErrorDescription::Timeout, ErrorModule::OS,
                                     ErrorSummary::StatusChanged, ErrorLevel::Info);
+/// Returned when Accept() is called on a port with no sessions to be accepted.
+constexpr ResultCode ERR_NO_PENDING_SESSIONS(ErrCodes::NoPendingSessions, ErrorModule::OS,
+                                             ErrorSummary::WouldBlock,
+                                             ErrorLevel::Permanent); // 0xD8401823
 
 } // namespace Kernel
diff --git a/src/core/hle/kernel/hle_ipc.cpp b/src/core/hle/kernel/hle_ipc.cpp
index 1cac1d0c9..5ebe2eca4 100644
--- a/src/core/hle/kernel/hle_ipc.cpp
+++ b/src/core/hle/kernel/hle_ipc.cpp
@@ -67,10 +67,13 @@ ResultCode HLERequestContext::PopulateFromIncomingCommandBuffer(const u32_le* sr
             ASSERT(i + num_handles <= command_size); // TODO(yuriks): Return error
             for (u32 j = 0; j < num_handles; ++j) {
                 Handle handle = src_cmdbuf[i];
-                SharedPtr<Object> object = src_table.GetGeneric(handle);
-                ASSERT(object != nullptr); // TODO(yuriks): Return error
-                if (descriptor == IPC::DescriptorType::MoveHandle) {
-                    src_table.Close(handle);
+                SharedPtr<Object> object = nullptr;
+                if (handle != 0) {
+                    object = src_table.GetGeneric(handle);
+                    ASSERT(object != nullptr); // TODO(yuriks): Return error
+                    if (descriptor == IPC::DescriptorType::MoveHandle) {
+                        src_table.Close(handle);
+                    }
                 }
 
                 cmd_buf[i++] = AddOutgoingHandle(std::move(object));
@@ -112,9 +115,11 @@ ResultCode HLERequestContext::WriteToOutgoingCommandBuffer(u32_le* dst_cmdbuf, P
             ASSERT(i + num_handles <= command_size);
             for (u32 j = 0; j < num_handles; ++j) {
                 SharedPtr<Object> object = GetIncomingHandle(cmd_buf[i]);
-
-                // TODO(yuriks): Figure out the proper error handling for if this fails
-                Handle handle = dst_table.Create(object).Unwrap();
+                Handle handle = 0;
+                if (object != nullptr) {
+                    // TODO(yuriks): Figure out the proper error handling for if this fails
+                    handle = dst_table.Create(object).Unwrap();
+                }
                 dst_cmdbuf[i++] = handle;
             }
             break;
diff --git a/src/core/hle/kernel/server_port.cpp b/src/core/hle/kernel/server_port.cpp
index 4d20c39a1..49a9cdfa3 100644
--- a/src/core/hle/kernel/server_port.cpp
+++ b/src/core/hle/kernel/server_port.cpp
@@ -5,8 +5,10 @@
 #include <tuple>
 #include "common/assert.h"
 #include "core/hle/kernel/client_port.h"
+#include "core/hle/kernel/errors.h"
 #include "core/hle/kernel/kernel.h"
 #include "core/hle/kernel/server_port.h"
+#include "core/hle/kernel/server_session.h"
 #include "core/hle/kernel/thread.h"
 
 namespace Kernel {
@@ -14,6 +16,16 @@ namespace Kernel {
 ServerPort::ServerPort() {}
 ServerPort::~ServerPort() {}
 
+ResultVal<SharedPtr<ServerSession>> ServerPort::Accept() {
+    if (pending_sessions.empty()) {
+        return ERR_NO_PENDING_SESSIONS;
+    }
+
+    auto session = std::move(pending_sessions.back());
+    pending_sessions.pop_back();
+    return MakeResult(std::move(session));
+}
+
 bool ServerPort::ShouldWait(Thread* thread) const {
     // If there are no pending sessions, we wait until a new one is added.
     return pending_sessions.size() == 0;
diff --git a/src/core/hle/kernel/server_port.h b/src/core/hle/kernel/server_port.h
index f1419cd46..6fe7c7f2f 100644
--- a/src/core/hle/kernel/server_port.h
+++ b/src/core/hle/kernel/server_port.h
@@ -14,6 +14,7 @@
 namespace Kernel {
 
 class ClientPort;
+class ServerSession;
 class SessionRequestHandler;
 
 class ServerPort final : public WaitObject {
@@ -41,6 +42,12 @@ public:
     }
 
     /**
+     * Accepts a pending incoming connection on this port. If there are no pending sessions, will
+     * return ERR_NO_PENDING_SESSIONS.
+     */
+    ResultVal<SharedPtr<ServerSession>> Accept();
+
+    /**
      * Sets the HLE handler template for the port. ServerSessions crated by connecting to this port
      * will inherit a reference to this handler.
      */
@@ -50,8 +57,8 @@ public:
 
     std::string name; ///< Name of port (optional)
 
-    std::vector<SharedPtr<WaitObject>>
-        pending_sessions; ///< ServerSessions waiting to be accepted by the port
+    /// ServerSessions waiting to be accepted by the port
+    std::vector<SharedPtr<ServerSession>> pending_sessions;
 
     /// This session's HLE request handler template (optional)
     /// ServerSessions created from this port inherit a reference to this handler.
diff --git a/src/core/hle/kernel/server_session.cpp b/src/core/hle/kernel/server_session.cpp
index d197137c3..337896abf 100644
--- a/src/core/hle/kernel/server_session.cpp
+++ b/src/core/hle/kernel/server_session.cpp
@@ -32,22 +32,29 @@ ResultVal<SharedPtr<ServerSession>> ServerSession::Create(std::string name) {
     SharedPtr<ServerSession> server_session(new ServerSession);
 
     server_session->name = std::move(name);
-    server_session->signaled = false;
     server_session->parent = nullptr;
 
     return MakeResult(std::move(server_session));
 }
 
 bool ServerSession::ShouldWait(Thread* thread) const {
-    return !signaled;
+    // Closed sessions should never wait, an error will be returned from svcReplyAndReceive.
+    if (parent->client == nullptr)
+        return false;
+    // Wait if we have no pending requests, or if we're currently handling a request.
+    return pending_requesting_threads.empty() || currently_handling != nullptr;
 }
 
 void ServerSession::Acquire(Thread* thread) {
     ASSERT_MSG(!ShouldWait(thread), "object unavailable!");
-    signaled = false;
+    // We are now handling a request, pop it from the stack.
+    // TODO(Subv): What happens if the client endpoint is closed before any requests are made?
+    ASSERT(!pending_requesting_threads.empty());
+    currently_handling = pending_requesting_threads.back();
+    pending_requesting_threads.pop_back();
 }
 
-ResultCode ServerSession::HandleSyncRequest() {
+ResultCode ServerSession::HandleSyncRequest(SharedPtr<Thread> thread) {
     // The ServerSession received a sync request, this means that there's new data available
     // from its ClientSession, so wake up any threads that may be waiting on a svcReplyAndReceive or
     // similar.
@@ -60,11 +67,14 @@ ResultCode ServerSession::HandleSyncRequest() {
             return result;
         hle_handler->HandleSyncRequest(SharedPtr<ServerSession>(this));
         // TODO(Subv): Translate the response command buffer.
+    } else {
+        // Add the thread to the list of threads that have issued a sync request with this
+        // server.
+        pending_requesting_threads.push_back(std::move(thread));
     }
 
     // If this ServerSession does not have an HLE implementation, just wake up the threads waiting
     // on it.
-    signaled = true;
     WakeupAllWaitingThreads();
     return RESULT_SUCCESS;
 }
@@ -90,4 +100,4 @@ ResultCode TranslateHLERequest(ServerSession* server_session) {
     // TODO(Subv): Implement this function once multiple concurrent processes are supported.
     return RESULT_SUCCESS;
 }
-}
+} // namespace Kernel
diff --git a/src/core/hle/kernel/server_session.h b/src/core/hle/kernel/server_session.h
index 5365605da..f4360ddf3 100644
--- a/src/core/hle/kernel/server_session.h
+++ b/src/core/hle/kernel/server_session.h
@@ -67,20 +67,30 @@ public:
 
     /**
      * Handle a sync request from the emulated application.
+     * @param thread Thread that initiated the request.
      * @returns ResultCode from the operation.
      */
-    ResultCode HandleSyncRequest();
+    ResultCode HandleSyncRequest(SharedPtr<Thread> thread);
 
     bool ShouldWait(Thread* thread) const override;
 
     void Acquire(Thread* thread) override;
 
     std::string name;                ///< The name of this session (optional)
-    bool signaled;                   ///< Whether there's new data available to this ServerSession
     std::shared_ptr<Session> parent; ///< The parent session, which links to the client endpoint.
     std::shared_ptr<SessionRequestHandler>
         hle_handler; ///< This session's HLE request handler (optional)
 
+    /// List of threads that are pending a response after a sync request. This list is processed in
+    /// a LIFO manner, thus, the last request will be dispatched first.
+    /// TODO(Subv): Verify if this is indeed processed in LIFO using a hardware test.
+    std::vector<SharedPtr<Thread>> pending_requesting_threads;
+
+    /// Thread whose request is currently being handled. A request is considered "handled" when a
+    /// response is sent via svcReplyAndReceive.
+    /// TODO(Subv): Find a better name for this.
+    SharedPtr<Thread> currently_handling;
+
 private:
     ServerSession();
     ~ServerSession() override;
diff --git a/src/core/hle/service/nwm/nwm_uds.cpp b/src/core/hle/service/nwm/nwm_uds.cpp
index a7149c9e8..6dbdff044 100644
--- a/src/core/hle/service/nwm/nwm_uds.cpp
+++ b/src/core/hle/service/nwm/nwm_uds.cpp
@@ -15,6 +15,7 @@
 #include "core/hle/result.h"
 #include "core/hle/service/nwm/nwm_uds.h"
 #include "core/hle/service/nwm/uds_beacon.h"
+#include "core/hle/service/nwm/uds_data.h"
 #include "core/memory.h"
 
 namespace Service {
@@ -373,6 +374,80 @@ static void DestroyNetwork(Interface* self) {
 }
 
 /**
+ * NWM_UDS::SendTo service function.
+ * Sends a data frame to the UDS network we're connected to.
+ *  Inputs:
+ *      0 : Command header.
+ *      1 : Unknown.
+ *      2 : u16 Destination network node id.
+ *      3 : u8 Data channel.
+ *      4 : Buffer size >> 2
+ *      5 : Data size
+ *      6 : Flags
+ *      7 : Input buffer descriptor
+ *      8 : Input buffer address
+ *  Outputs:
+ *      0 : Return header
+ *      1 : Result of function, 0 on success, otherwise error code
+ */
+static void SendTo(Interface* self) {
+    IPC::RequestParser rp(Kernel::GetCommandBuffer(), 0x17, 6, 2);
+
+    rp.Skip(1, false);
+    u16 dest_node_id = rp.Pop<u16>();
+    u8 data_channel = rp.Pop<u8>();
+    rp.Skip(1, false);
+    u32 data_size = rp.Pop<u32>();
+    u32 flags = rp.Pop<u32>();
+
+    size_t desc_size;
+    const VAddr input_address = rp.PopStaticBuffer(&desc_size, false);
+    ASSERT(desc_size == data_size);
+
+    IPC::RequestBuilder rb = rp.MakeBuilder(1, 0);
+
+    if (connection_status.status != static_cast<u32>(NetworkStatus::ConnectedAsClient) &&
+        connection_status.status != static_cast<u32>(NetworkStatus::ConnectedAsHost)) {
+        rb.Push(ResultCode(ErrorDescription::NotAuthorized, ErrorModule::UDS,
+                           ErrorSummary::InvalidState, ErrorLevel::Status));
+        return;
+    }
+
+    if (dest_node_id == connection_status.network_node_id) {
+        rb.Push(ResultCode(ErrorDescription::NotFound, ErrorModule::UDS,
+                           ErrorSummary::WrongArgument, ErrorLevel::Status));
+        return;
+    }
+
+    // TODO(Subv): Do something with the flags.
+
+    constexpr size_t MaxSize = 0x5C6;
+    if (data_size > MaxSize) {
+        rb.Push(ResultCode(ErrorDescription::TooLarge, ErrorModule::UDS,
+                           ErrorSummary::WrongArgument, ErrorLevel::Usage));
+        return;
+    }
+
+    std::vector<u8> data(data_size);
+    Memory::ReadBlock(input_address, data.data(), data.size());
+
+    // TODO(Subv): Increment the sequence number after each sent packet.
+    u16 sequence_number = 0;
+    std::vector<u8> data_payload = GenerateDataPayload(
+        data, data_channel, dest_node_id, connection_status.network_node_id, sequence_number);
+
+    // TODO(Subv): Retrieve the MAC address of the dest_node_id and our own to encrypt
+    // and encapsulate the payload.
+
+    // TODO(Subv): Send the frame.
+
+    rb.Push(RESULT_SUCCESS);
+
+    LOG_WARNING(Service_NWM, "(STUB) called dest_node_id=%u size=%u flags=%u channel=%u",
+                static_cast<u32>(dest_node_id), data_size, flags, static_cast<u32>(data_channel));
+}
+
+/**
  * NWM_UDS::GetChannel service function.
  * Returns the WiFi channel in which the network we're connected to is transmitting.
  *  Inputs:
@@ -600,7 +675,7 @@ const Interface::FunctionInfo FunctionTable[] = {
     {0x00130040, nullptr, "Unbind"},
     {0x001400C0, nullptr, "PullPacket"},
     {0x00150080, nullptr, "SetMaxSendDelay"},
-    {0x00170182, nullptr, "SendTo"},
+    {0x00170182, SendTo, "SendTo"},
     {0x001A0000, GetChannel, "GetChannel"},
     {0x001B0302, InitializeWithVersion, "InitializeWithVersion"},
     {0x001D0044, BeginHostingNetwork, "BeginHostingNetwork"},
diff --git a/src/core/hle/service/nwm/uds_data.cpp b/src/core/hle/service/nwm/uds_data.cpp
new file mode 100644
index 000000000..8c6742dba
--- /dev/null
+++ b/src/core/hle/service/nwm/uds_data.cpp
@@ -0,0 +1,278 @@
+// Copyright 2017 Citra Emulator Project
+// Licensed under GPLv2 or any later version
+// Refer to the license.txt file included.
+
+#include <cstring>
+#include <cryptopp/aes.h>
+#include <cryptopp/ccm.h>
+#include <cryptopp/filters.h>
+#include <cryptopp/md5.h>
+#include <cryptopp/modes.h>
+#include "core/hle/service/nwm/nwm_uds.h"
+#include "core/hle/service/nwm/uds_data.h"
+#include "core/hw/aes/key.h"
+
+namespace Service {
+namespace NWM {
+
+using MacAddress = std::array<u8, 6>;
+
+/*
+ * Generates a SNAP-enabled 802.2 LLC header for the specified protocol.
+ * @returns a buffer with the bytes of the generated header.
+ */
+static std::vector<u8> GenerateLLCHeader(EtherType protocol) {
+    LLCHeader header{};
+    header.protocol = static_cast<u16>(protocol);
+
+    std::vector<u8> buffer(sizeof(header));
+    memcpy(buffer.data(), &header, sizeof(header));
+
+    return buffer;
+}
+
+/*
+ * Generates a Nintendo UDS SecureData header with the specified parameters.
+ * @returns a buffer with the bytes of the generated header.
+ */
+static std::vector<u8> GenerateSecureDataHeader(u16 data_size, u8 channel, u16 dest_node_id,
+                                                u16 src_node_id, u16 sequence_number) {
+    SecureDataHeader header{};
+    header.protocol_size = data_size + sizeof(SecureDataHeader);
+    // Note: This size includes everything except the first 4 bytes of the structure,
+    // reinforcing the hypotheses that the first 4 bytes are actually the header of
+    // another container protocol.
+    header.securedata_size = data_size + sizeof(SecureDataHeader) - 4;
+    // Frames sent by the emulated application are never UDS management frames
+    header.is_management = 0;
+    header.data_channel = channel;
+    header.sequence_number = sequence_number;
+    header.dest_node_id = dest_node_id;
+    header.src_node_id = src_node_id;
+
+    std::vector<u8> buffer(sizeof(header));
+    memcpy(buffer.data(), &header, sizeof(header));
+
+    return buffer;
+}
+
+/*
+ * Calculates the CTR used for the AES-CTR process that calculates
+ * the CCMP crypto key for data frames.
+ * @returns The CTR used for data frames crypto key generation.
+ */
+static std::array<u8, CryptoPP::MD5::DIGESTSIZE> GetDataCryptoCTR(const NetworkInfo& network_info) {
+    DataFrameCryptoCTR data{};
+
+    data.host_mac = network_info.host_mac_address;
+    data.wlan_comm_id = network_info.wlan_comm_id;
+    data.id = network_info.id;
+    data.network_id = network_info.network_id;
+
+    std::array<u8, CryptoPP::MD5::DIGESTSIZE> hash;
+    CryptoPP::MD5().CalculateDigest(hash.data(), reinterpret_cast<u8*>(&data), sizeof(data));
+
+    return hash;
+}
+
+/*
+ * Generates the key used for encrypting the 802.11 data frames generated by UDS.
+ * @returns The key used for data frames crypto.
+ */
+static std::array<u8, CryptoPP::AES::BLOCKSIZE> GenerateDataCCMPKey(
+    const std::vector<u8>& passphrase, const NetworkInfo& network_info) {
+    // Calculate the MD5 hash of the input passphrase.
+    std::array<u8, CryptoPP::MD5::DIGESTSIZE> passphrase_hash;
+    CryptoPP::MD5().CalculateDigest(passphrase_hash.data(), passphrase.data(), passphrase.size());
+
+    std::array<u8, CryptoPP::AES::BLOCKSIZE> ccmp_key;
+
+    // The CCMP key is the result of encrypting the MD5 hash of the passphrase with AES-CTR using
+    // keyslot 0x2D.
+    using CryptoPP::AES;
+    std::array<u8, CryptoPP::MD5::DIGESTSIZE> counter = GetDataCryptoCTR(network_info);
+    std::array<u8, AES::BLOCKSIZE> key = HW::AES::GetNormalKey(HW::AES::KeySlotID::UDSDataKey);
+    CryptoPP::CTR_Mode<AES>::Encryption aes;
+    aes.SetKeyWithIV(key.data(), AES::BLOCKSIZE, counter.data());
+    aes.ProcessData(ccmp_key.data(), passphrase_hash.data(), passphrase_hash.size());
+
+    return ccmp_key;
+}
+
+/*
+ * Generates the Additional Authenticated Data (AAD) for an UDS 802.11 encrypted data frame.
+ * @returns a buffer with the bytes of the AAD.
+ */
+static std::vector<u8> GenerateCCMPAAD(const MacAddress& sender, const MacAddress& receiver,
+                                       const MacAddress& bssid, u16 frame_control) {
+    // Reference: IEEE 802.11-2007
+
+    // 8.3.3.3.2 Construct AAD (22-30 bytes)
+    // The AAD is constructed from the MPDU header. The AAD does not include the header Duration
+    // field, because the Duration field value can change due to normal IEEE 802.11 operation (e.g.,
+    // a rate change during retransmission). For similar reasons, several subfields in the Frame
+    // Control field are masked to 0.
+    struct {
+        u16_be FC; // MPDU Frame Control field
+        MacAddress A1;
+        MacAddress A2;
+        MacAddress A3;
+        u16_be SC; // MPDU Sequence Control field
+    } aad_struct{};
+
+    constexpr u16 AADFrameControlMask = 0x8FC7;
+    aad_struct.FC = frame_control & AADFrameControlMask;
+    aad_struct.SC = 0;
+
+    bool to_ds = (frame_control & (1 << 0)) != 0;
+    bool from_ds = (frame_control & (1 << 1)) != 0;
+    // In the 802.11 standard, ToDS = 1 and FromDS = 1 is a valid configuration,
+    // however, the 3DS doesn't seem to transmit frames with such combination.
+    ASSERT_MSG(to_ds != from_ds, "Invalid combination");
+
+    // The meaning of the address fields depends on the ToDS and FromDS fields.
+    if (from_ds) {
+        aad_struct.A1 = receiver;
+        aad_struct.A2 = bssid;
+        aad_struct.A3 = sender;
+    }
+
+    if (to_ds) {
+        aad_struct.A1 = bssid;
+        aad_struct.A2 = sender;
+        aad_struct.A3 = receiver;
+    }
+
+    std::vector<u8> aad(sizeof(aad_struct));
+    std::memcpy(aad.data(), &aad_struct, sizeof(aad_struct));
+
+    return aad;
+}
+
+/*
+ * Decrypts the payload of an encrypted 802.11 data frame using the specified key.
+ * @returns The decrypted payload.
+ */
+static std::vector<u8> DecryptDataFrame(const std::vector<u8>& encrypted_payload,
+                                        const std::array<u8, CryptoPP::AES::BLOCKSIZE>& ccmp_key,
+                                        const MacAddress& sender, const MacAddress& receiver,
+                                        const MacAddress& bssid, u16 sequence_number,
+                                        u16 frame_control) {
+
+    // Reference: IEEE 802.11-2007
+
+    std::vector<u8> aad = GenerateCCMPAAD(sender, receiver, bssid, frame_control);
+
+    std::vector<u8> packet_number{0,
+                                  0,
+                                  0,
+                                  0,
+                                  static_cast<u8>((sequence_number >> 8) & 0xFF),
+                                  static_cast<u8>(sequence_number & 0xFF)};
+
+    // 8.3.3.3.3 Construct CCM nonce (13 bytes)
+    std::vector<u8> nonce;
+    nonce.push_back(0);                                                    // priority
+    nonce.insert(nonce.end(), sender.begin(), sender.end());               // Address 2
+    nonce.insert(nonce.end(), packet_number.begin(), packet_number.end()); // PN
+
+    try {
+        CryptoPP::CCM<CryptoPP::AES, 8>::Decryption d;
+        d.SetKeyWithIV(ccmp_key.data(), ccmp_key.size(), nonce.data(), nonce.size());
+        d.SpecifyDataLengths(aad.size(), encrypted_payload.size() - 8, 0);
+
+        CryptoPP::AuthenticatedDecryptionFilter df(
+            d, nullptr, CryptoPP::AuthenticatedDecryptionFilter::MAC_AT_END |
+                            CryptoPP::AuthenticatedDecryptionFilter::THROW_EXCEPTION);
+        // put aad
+        df.ChannelPut(CryptoPP::AAD_CHANNEL, aad.data(), aad.size());
+
+        // put cipher with mac
+        df.ChannelPut(CryptoPP::DEFAULT_CHANNEL, encrypted_payload.data(),
+                      encrypted_payload.size() - 8);
+        df.ChannelPut(CryptoPP::DEFAULT_CHANNEL,
+                      encrypted_payload.data() + encrypted_payload.size() - 8, 8);
+
+        df.ChannelMessageEnd(CryptoPP::AAD_CHANNEL);
+        df.ChannelMessageEnd(CryptoPP::DEFAULT_CHANNEL);
+        df.SetRetrievalChannel(CryptoPP::DEFAULT_CHANNEL);
+
+        int size = df.MaxRetrievable();
+
+        std::vector<u8> pdata(size);
+        df.Get(pdata.data(), size);
+        return pdata;
+    } catch (CryptoPP::Exception&) {
+        LOG_ERROR(Service_NWM, "failed to decrypt");
+    }
+
+    return {};
+}
+
+/*
+ * Encrypts the payload of an 802.11 data frame using the specified key.
+ * @returns The encrypted payload.
+ */
+static std::vector<u8> EncryptDataFrame(const std::vector<u8>& payload,
+                                        const std::array<u8, CryptoPP::AES::BLOCKSIZE>& ccmp_key,
+                                        const MacAddress& sender, const MacAddress& receiver,
+                                        const MacAddress& bssid, u16 sequence_number,
+                                        u16 frame_control) {
+    // Reference: IEEE 802.11-2007
+
+    std::vector<u8> aad = GenerateCCMPAAD(sender, receiver, bssid, frame_control);
+
+    std::vector<u8> packet_number{0,
+                                  0,
+                                  0,
+                                  0,
+                                  static_cast<u8>((sequence_number >> 8) & 0xFF),
+                                  static_cast<u8>(sequence_number & 0xFF)};
+
+    // 8.3.3.3.3 Construct CCM nonce (13 bytes)
+    std::vector<u8> nonce;
+    nonce.push_back(0);                                                    // priority
+    nonce.insert(nonce.end(), sender.begin(), sender.end());               // Address 2
+    nonce.insert(nonce.end(), packet_number.begin(), packet_number.end()); // PN
+
+    try {
+        CryptoPP::CCM<CryptoPP::AES, 8>::Encryption d;
+        d.SetKeyWithIV(ccmp_key.data(), ccmp_key.size(), nonce.data(), nonce.size());
+        d.SpecifyDataLengths(aad.size(), payload.size(), 0);
+
+        CryptoPP::AuthenticatedEncryptionFilter df(d);
+        // put aad
+        df.ChannelPut(CryptoPP::AAD_CHANNEL, aad.data(), aad.size());
+        df.ChannelMessageEnd(CryptoPP::AAD_CHANNEL);
+
+        // put plaintext
+        df.ChannelPut(CryptoPP::DEFAULT_CHANNEL, payload.data(), payload.size());
+        df.ChannelMessageEnd(CryptoPP::DEFAULT_CHANNEL);
+
+        df.SetRetrievalChannel(CryptoPP::DEFAULT_CHANNEL);
+
+        int size = df.MaxRetrievable();
+
+        std::vector<u8> cipher(size);
+        df.Get(cipher.data(), size);
+        return cipher;
+    } catch (CryptoPP::Exception&) {
+        LOG_ERROR(Service_NWM, "failed to encrypt");
+    }
+
+    return {};
+}
+
+std::vector<u8> GenerateDataPayload(const std::vector<u8>& data, u8 channel, u16 dest_node,
+                                    u16 src_node, u16 sequence_number) {
+    std::vector<u8> buffer = GenerateLLCHeader(EtherType::SecureData);
+    std::vector<u8> securedata_header =
+        GenerateSecureDataHeader(data.size(), channel, dest_node, src_node, sequence_number);
+
+    buffer.insert(buffer.end(), securedata_header.begin(), securedata_header.end());
+    buffer.insert(buffer.end(), data.begin(), data.end());
+    return buffer;
+}
+
+} // namespace NWM
+} // namespace Service
diff --git a/src/core/hle/service/nwm/uds_data.h b/src/core/hle/service/nwm/uds_data.h
new file mode 100644
index 000000000..a23520a41
--- /dev/null
+++ b/src/core/hle/service/nwm/uds_data.h
@@ -0,0 +1,78 @@
+// Copyright 2017 Citra Emulator Project
+// Licensed under GPLv2 or any later version
+// Refer to the license.txt file included.
+
+#pragma once
+
+#include <array>
+#include <vector>
+#include "common/common_types.h"
+#include "common/swap.h"
+#include "core/hle/service/service.h"
+
+namespace Service {
+namespace NWM {
+
+enum class SAP : u8 { SNAPExtensionUsed = 0xAA };
+
+enum class PDUControl : u8 { UnnumberedInformation = 3 };
+
+enum class EtherType : u16 { SecureData = 0x876D, EAPoL = 0x888E };
+
+/*
+ * 802.2 header, UDS packets always use SNAP for these headers,
+ * which means the dsap and ssap are always SNAPExtensionUsed (0xAA)
+ * and the OUI is always 0.
+ */
+struct LLCHeader {
+    u8 dsap = static_cast<u8>(SAP::SNAPExtensionUsed);
+    u8 ssap = static_cast<u8>(SAP::SNAPExtensionUsed);
+    u8 control = static_cast<u8>(PDUControl::UnnumberedInformation);
+    std::array<u8, 3> OUI = {};
+    u16_be protocol;
+};
+
+static_assert(sizeof(LLCHeader) == 8, "LLCHeader has the wrong size");
+
+/*
+ * Nintendo SecureData header, every UDS packet contains one,
+ * it is used to store metadata about the transmission such as
+ * the source and destination network node ids.
+ */
+struct SecureDataHeader {
+    // TODO(Subv): It is likely that the first 4 bytes of this header are
+    // actually part of another container protocol.
+    u16_be protocol_size;
+    INSERT_PADDING_BYTES(2);
+    u16_be securedata_size;
+    u8 is_management;
+    u8 data_channel;
+    u16_be sequence_number;
+    u16_be dest_node_id;
+    u16_be src_node_id;
+};
+
+static_assert(sizeof(SecureDataHeader) == 14, "SecureDataHeader has the wrong size");
+
+/*
+ * The raw bytes of this structure are the CTR used in the encryption (AES-CTR)
+ * process used to generate the CCMP key for data frame encryption.
+ */
+struct DataFrameCryptoCTR {
+    u32_le wlan_comm_id;
+    u32_le network_id;
+    std::array<u8, 6> host_mac;
+    u16_le id;
+};
+
+static_assert(sizeof(DataFrameCryptoCTR) == 16, "DataFrameCryptoCTR has the wrong size");
+
+/**
+ * Generates an unencrypted 802.11 data payload.
+ * @returns The generated frame payload.
+ */
+std::vector<u8> GenerateDataPayload(const std::vector<u8>& data, u8 channel, u16 dest_node,
+                                    u16 src_node, u16 sequence_number);
+
+} // namespace NWM
+} // namespace Service
diff --git a/src/core/hle/svc.cpp b/src/core/hle/svc.cpp
index e68b9f16a..e4b803046 100644
--- a/src/core/hle/svc.cpp
+++ b/src/core/hle/svc.cpp
@@ -25,6 +25,7 @@
 #include "core/hle/kernel/semaphore.h"
 #include "core/hle/kernel/server_port.h"
 #include "core/hle/kernel/server_session.h"
+#include "core/hle/kernel/session.h"
 #include "core/hle/kernel/shared_memory.h"
 #include "core/hle/kernel/thread.h"
 #include "core/hle/kernel/timer.h"
@@ -36,8 +37,9 @@
 ////////////////////////////////////////////////////////////////////////////////////////////////////
 // Namespace SVC
 
-using Kernel::SharedPtr;
 using Kernel::ERR_INVALID_HANDLE;
+using Kernel::Handle;
+using Kernel::SharedPtr;
 
 namespace SVC {
 
@@ -236,7 +238,7 @@ static ResultCode SendSyncRequest(Kernel::Handle handle) {
 
     // TODO(Subv): svcSendSyncRequest should put the caller thread to sleep while the server
     // responds and cause a reschedule.
-    return session->SendSyncRequest();
+    return session->SendSyncRequest(Kernel::GetCurrentThread());
 }
 
 /// Close a handle
@@ -397,6 +399,112 @@ static ResultCode WaitSynchronizationN(s32* out, Kernel::Handle* handles, s32 ha
     }
 }
 
+/// In a single operation, sends a IPC reply and waits for a new request.
+static ResultCode ReplyAndReceive(s32* index, Kernel::Handle* handles, s32 handle_count,
+                                  Kernel::Handle reply_target) {
+    // 'handles' has to be a valid pointer even if 'handle_count' is 0.
+    if (handles == nullptr)
+        return Kernel::ERR_INVALID_POINTER;
+
+    // Check if 'handle_count' is invalid
+    if (handle_count < 0)
+        return Kernel::ERR_OUT_OF_RANGE;
+
+    using ObjectPtr = SharedPtr<Kernel::WaitObject>;
+    std::vector<ObjectPtr> objects(handle_count);
+
+    for (int i = 0; i < handle_count; ++i) {
+        auto object = Kernel::g_handle_table.Get<Kernel::WaitObject>(handles[i]);
+        if (object == nullptr)
+            return ERR_INVALID_HANDLE;
+        objects[i] = object;
+    }
+
+    // We are also sending a command reply.
+    // Do not send a reply if the command id in the command buffer is 0xFFFF.
+    u32* cmd_buff = Kernel::GetCommandBuffer();
+    IPC::Header header{cmd_buff[0]};
+    if (reply_target != 0 && header.command_id != 0xFFFF) {
+        auto session = Kernel::g_handle_table.Get<Kernel::ServerSession>(reply_target);
+        if (session == nullptr)
+            return ERR_INVALID_HANDLE;
+
+        auto request_thread = std::move(session->currently_handling);
+
+        // Mark the request as "handled".
+        session->currently_handling = nullptr;
+
+        // Error out if there's no request thread or the session was closed.
+        // TODO(Subv): Is the same error code (ClosedByRemote) returned for both of these cases?
+        if (request_thread == nullptr || session->parent->client == nullptr) {
+            *index = -1;
+            return Kernel::ERR_SESSION_CLOSED_BY_REMOTE;
+        }
+
+        // TODO(Subv): Perform IPC translation from the current thread to request_thread.
+
+        // Note: The scheduler is not invoked here.
+        request_thread->ResumeFromWait();
+    }
+
+    if (handle_count == 0) {
+        *index = 0;
+        // The kernel uses this value as a placeholder for the real error, and returns it when we
+        // pass no handles and do not perform any reply.
+        if (reply_target == 0 || header.command_id == 0xFFFF)
+            return ResultCode(0xE7E3FFFF);
+
+        return RESULT_SUCCESS;
+    }
+
+    auto thread = Kernel::GetCurrentThread();
+
+    // Find the first object that is acquirable in the provided list of objects
+    auto itr = std::find_if(objects.begin(), objects.end(), [thread](const ObjectPtr& object) {
+        return !object->ShouldWait(thread);
+    });
+
+    if (itr != objects.end()) {
+        // We found a ready object, acquire it and set the result value
+        Kernel::WaitObject* object = itr->get();
+        object->Acquire(thread);
+        *index = std::distance(objects.begin(), itr);
+
+        if (object->GetHandleType() == Kernel::HandleType::ServerSession) {
+            auto server_session = static_cast<Kernel::ServerSession*>(object);
+            if (server_session->parent->client == nullptr)
+                return Kernel::ERR_SESSION_CLOSED_BY_REMOTE;
+
+            // TODO(Subv): Perform IPC translation from the ServerSession to the current thread.
+        }
+        return RESULT_SUCCESS;
+    }
+
+    // No objects were ready to be acquired, prepare to suspend the thread.
+
+    // TODO(Subv): Perform IPC translation upon wakeup.
+
+    // Put the thread to sleep
+    thread->status = THREADSTATUS_WAIT_SYNCH_ANY;
+
+    // Add the thread to each of the objects' waiting threads.
+    for (size_t i = 0; i < objects.size(); ++i) {
+        Kernel::WaitObject* object = objects[i].get();
+        object->AddWaitingThread(thread);
+    }
+
+    thread->wait_objects = std::move(objects);
+
+    Core::System::GetInstance().PrepareReschedule();
+
+    // Note: The output of this SVC will be set to RESULT_SUCCESS if the thread resumes due to a
+    // signal in one of its wait objects, or to 0xC8A01836 if there was a translation error.
+    // By default the index is set to -1.
+    thread->wait_set_output = true;
+    *index = -1;
+    return RESULT_SUCCESS;
+}
+
 /// Create an address arbiter (to allocate access to shared resources)
 static ResultCode CreateAddressArbiter(Kernel::Handle* out_handle) {
     using Kernel::AddressArbiter;
@@ -933,7 +1041,6 @@ static ResultCode CreatePort(Kernel::Handle* server_port, Kernel::Handle* client
 
     using Kernel::ServerPort;
     using Kernel::ClientPort;
-    using Kernel::SharedPtr;
 
     auto ports = ServerPort::CreatePortPair(max_sessions);
     CASCADE_RESULT(*client_port, Kernel::g_handle_table.Create(
@@ -947,6 +1054,41 @@ static ResultCode CreatePort(Kernel::Handle* server_port, Kernel::Handle* client
     return RESULT_SUCCESS;
 }
 
+static ResultCode CreateSessionToPort(Handle* out_client_session, Handle client_port_handle) {
+    using Kernel::ClientPort;
+    SharedPtr<ClientPort> client_port = Kernel::g_handle_table.Get<ClientPort>(client_port_handle);
+    if (client_port == nullptr)
+        return ERR_INVALID_HANDLE;
+
+    CASCADE_RESULT(auto session, client_port->Connect());
+    CASCADE_RESULT(*out_client_session, Kernel::g_handle_table.Create(std::move(session)));
+    return RESULT_SUCCESS;
+}
+
+static ResultCode CreateSession(Handle* server_session, Handle* client_session) {
+    auto sessions = Kernel::ServerSession::CreateSessionPair();
+
+    auto& server = std::get<SharedPtr<Kernel::ServerSession>>(sessions);
+    CASCADE_RESULT(*server_session, Kernel::g_handle_table.Create(std::move(server)));
+
+    auto& client = std::get<SharedPtr<Kernel::ClientSession>>(sessions);
+    CASCADE_RESULT(*client_session, Kernel::g_handle_table.Create(std::move(client)));
+
+    LOG_TRACE(Kernel_SVC, "called");
+    return RESULT_SUCCESS;
+}
+
+static ResultCode AcceptSession(Handle* out_server_session, Handle server_port_handle) {
+    using Kernel::ServerPort;
+    SharedPtr<ServerPort> server_port = Kernel::g_handle_table.Get<ServerPort>(server_port_handle);
+    if (server_port == nullptr)
+        return ERR_INVALID_HANDLE;
+
+    CASCADE_RESULT(auto session, server_port->Accept());
+    CASCADE_RESULT(*out_server_session, Kernel::g_handle_table.Create(std::move(session)));
+    return RESULT_SUCCESS;
+}
+
 static ResultCode GetSystemInfo(s64* out, u32 type, s32 param) {
     using Kernel::MemoryRegion;
 
@@ -1121,14 +1263,14 @@ static const FunctionDef SVC_Table[] = {
     {0x45, nullptr, "Unknown"},
     {0x46, nullptr, "Unknown"},
     {0x47, HLE::Wrap<CreatePort>, "CreatePort"},
-    {0x48, nullptr, "CreateSessionToPort"},
-    {0x49, nullptr, "CreateSession"},
-    {0x4A, nullptr, "AcceptSession"},
+    {0x48, HLE::Wrap<CreateSessionToPort>, "CreateSessionToPort"},
+    {0x49, HLE::Wrap<CreateSession>, "CreateSession"},
+    {0x4A, HLE::Wrap<AcceptSession>, "AcceptSession"},
     {0x4B, nullptr, "ReplyAndReceive1"},
     {0x4C, nullptr, "ReplyAndReceive2"},
     {0x4D, nullptr, "ReplyAndReceive3"},
     {0x4E, nullptr, "ReplyAndReceive4"},
-    {0x4F, nullptr, "ReplyAndReceive"},
+    {0x4F, HLE::Wrap<ReplyAndReceive>, "ReplyAndReceive"},
     {0x50, nullptr, "BindInterrupt"},
     {0x51, nullptr, "UnbindInterrupt"},
     {0x52, nullptr, "InvalidateProcessDataCache"},