Nintendo Switch Brew

BCT: Difference between revisions

← Older edit
No edit summary
No edit summary
 
(8 intermediate revisions by 3 users not shown)
Line 3: Line 3:
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.


The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
The Erista BCT's data is only signed after offset 0x510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.


The Mariko BCT's data is signed and encrypted, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.


During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in [[Memory_layout|IRAM]].


= Format =
= Format =
Below are the BCT structure formats used by the Switch.
== Erista ==
== Erista ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 20: Line 18:
!  Description
!  Description
|-
|-
0x0000
0x0
|  0x210
|  0x210
|  BadBlockTable
|  BadBlockTable
|  Table containing information on bad blocks
|  Table containing information on bad blocks
  0x0000: EntriesUsed (0x200)
  0x0:   EntriesUsed (0x200)
  0x0004: VirtualBlockSizeLog2 (0x0F)
  0x4:   VirtualBlockSizeLog2 (0xF)
  0x0005: BlockSizeLog2 (0x0E)
  0x5:   BlockSizeLog2 (0xE)
  0x0006: BadBlocks
  0x6:   BadBlocks
  0x0206: Reserved
  0x206: Reserved
|-
|-
0x0210
0x210
|  0x100
|  0x100
|  Key
|  Key
|  BCT RSA public key's modulus
|  BCT RSA public key's modulus
|-
|-
0x0310
0x310
|  0x110
|  0x110
|  Signature
|  Signature
|  BCT cryptographic signature
|  BCT cryptographic signature
  0x0310: CryptoHash (empty)
  0x310: CryptoHash (empty)
  0x0320: RsaPssSig
  0x320: RsaPssSig
|-
|-
0x0420
0x420
0x04
0x4
|  SecProvisioningKeyNumInsecure
|  SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning (always 0)
|  Used for Factory Secure Provisioning (always 0)
|-
|-
0x0424
0x424
|  0x20
|  0x20
|  SecProvisioningKey
|  SecProvisioningKey
Line 56: Line 54:
|  [[#CustomerData|CustomerData]]
|  [[#CustomerData|CustomerData]]
|  Data block available for the customer (used in key generation)
|  Data block available for the customer (used in key generation)
  0x0444: Reserved (0x0C bytes)
  0x444: Reserved
  0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes)
  0x450: [[Flash_Filesystem#Keyblob|Keyblob]]
  0x0500: Reserved (0x08 bytes)
  0x500: Reserved
|-
|-
0x0508
0x508
0x04
0x4
|  OdmData
|  OdmData
Legacy field (unused)
Empty
|-
|-
0x050C
0x50C
0x04
0x4
|  Reserved
|  Reserved
Legacy field (unused)
Empty
|-
|-
0x0510
0x510
|  0x10
|  0x10
|  RandomAesBlock
|  RandomAesBlock
Always empty
Empty
|-
|-
0x0520
0x520
|  0x10
|  0x10
|  UniqueChipId
|  UniqueChipId
Always empty
Empty
|-
|-
0x0530
0x530
0x04
0x4
|  BootDataVersion
|  BootDataVersion
|  Set to 0x00210001 (BOOTDATA_VERSION_T210)
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|-
0x0534
0x534
0x04
0x4
|  BlockSizeLog2
|  BlockSizeLog2
|  Always 0x0E
|  Always 0xE
|-
|-
0x0538
0x538
0x04
0x4
|  PageSizeLog2
|  PageSizeLog2
|  Always 0x09
|  Always 0x9
|-
|-
0x053C
0x53C
0x04
0x4
|  PartitionSize
|  PartitionSize
|  Always 0x01000000
|  Always 0x1000000
|-
|-
0x0540
0x540
0x04
0x4
|  NumParamSets
|  NumParamSets
|  Number of device parameter sets (always 0x01)
|  Number of device parameter sets (always 0x1)
|-
|-
0x0544
0x544
0x04
0x4
|  DevType
|  DevType
|  Device type (0x04 == Sdmmc)
|  Device type (0x4 == Sdmmc)
|-
|-
0x0548
0x548
|  0x40
|  0x40
|  DevParams
|  DevParams
|  Device parameters
|  Device parameters
   0x0548: ClockDivider (0x09 == 24MHz)
   0x548: ClockDivider (0x9 == 24MHz)
   0x054C: DataWidth (0x02 == 8Bit)
   0x54C: DataWidth (0x2 == 8Bit)
|-
|-
0x0588
0x588
0x04
0x4
|  NumSdramSets
|  NumSdramSets
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
0x058C
0x58C
|  0x768
|  0x768
|  SdramParams0
|  SdramParams0
|  Default values filled in
|  Default values filled in
|-
|-
0x0CF4
0xCF4
|  0x768
|  0x768
|  SdramParams1
|  SdramParams1
Line 143: Line 141:
|-
|-
|  0x232C
|  0x232C
0x04
0x4
|  BootLoadersUsed
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|-
|  0x2330
|  0x2330
|  0x12C
|  0x12C
|  [[#BootLoader0|BootLoader0]]
|  [[#BootLoader0|BootLoader0]]
|  Configuration parameters for bootloader 0 (normal)
|  Configuration parameters for bootloader 0 (main)
  0x2330: Version (variable)
  0x2330: Version (variable)
  0x2334: StartBlock (0x00000040)
  0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
  0x2338: StartPage (0x00000000)
  0x2338: StartPage (0)
  0x233C: Length (variable)
  0x233C: Length (variable)
  0x2340: LoadAddress (0x40010000)
  0x2340: LoadAddress (0x40010000)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2348: Attribute (0x00000000)
  0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
  0x234C: CryptoHash (empty)
  0x234C: CryptoHash (empty)
  0x235C: RsaPssSig
  0x235C: RsaPssSig
Line 164: Line 162:
|  0x12C
|  0x12C
|  BootLoader1
|  BootLoader1
|  Configuration parameters for bootloader 1 (safe mode)
|  Configuration parameters for bootloader 1 (backup)
  0x245C: Version (variable)
  0x245C: Version (variable)
  0x2460: StartBlock (0x00000050)
  0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
  0x2464: StartPage (0x00000000)
  0x2464: StartPage (0)
  0x2468: Length (variable)
  0x2468: Length (variable)
  0x246C: LoadAddress (0x40010000)
  0x246C: LoadAddress (0x40010000)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2474: Attribute (0x00000000)
  0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
  0x2478: CryptoHash (empty)
  0x2478: CryptoHash (empty)
  0x2488: RsaPssSig
  0x2488: RsaPssSig
Line 186: Line 184:
|-
|-
|  0x27E0
|  0x27E0
0x01
0x1
|  EnableFailBack
|  EnableFailBack
|  Always 0
|  Always 0
|-
|-
|  0x27E1
|  0x27E1
0x04
0x4
|  SecureJtagControl
|  SecureJtagControl
|  Always 0
|  Always 0
|-
|-
|  0x27E5
|  0x27E5
0x04
0x4
|  SecProvisioningKeyNumSecure
|  SecProvisioningKeyNumSecure
|  Used for Factory Secure Provisioning (always 0)
|  Used for Factory Secure Provisioning (always 0)
Line 206: Line 204:
|-
|-
|  0x27FB
|  0x27FB
0x05
0x5
|  Padding
|  Padding
|  Empty
|  Empty
Line 233: Line 231:


=== BootLoader0 ===
=== BootLoader0 ===
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
The version field controls which keyblob is used, where 0x1 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.


== Mariko ==
== Mariko ==
Line 243: Line 241:
!  Description
!  Description
|-
|-
0x0000
0x0
0x0210
0x210
|  Pcp
|  Pcp
|  BCT public cryptographic parameters
|  BCT public cryptographic parameters
  0x0000: KeySize
  0x0:   KeySize
  0x0004: Reserved
  0x4:   Reserved
  0x0010: PublicKeyModulus
  0x10: PublicKeyModulus
  0x0110: PublicKeyExponent
  0x110: PublicKeyExponent
|-
|-
0x0210
0x210
0x0110
0x110
|  Signature
|  Signature
|  BCT cryptographic signature
|  BCT cryptographic signature
  0x0210: CryptoHash (empty)
  0x210: CryptoHash (empty)
  0x0220: RsaPssSig
  0x220: RsaPssSig
|-
|  0x320
|  0x20
|  SecProvisioningKey
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x340
|  0x4
|  SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x344
|  0xC
|  Padding
|  Empty
|-
|  0x350
|  0xD0
|  CustomerData
|  Data block available for the customer
|-
|  0x420
|  0x10
|  RandomAesBlock
|-
|-
0x0320
0x430
0x0160
0x10
|  Empty
|-
|  0x440
|  0x40
|   
|   
|  Empty
|  Empty
|-
|-
0x0480
0x480
0x2380
0x10
|  RandomAesBlock2
|   
|   
Encrypted BCT data
|-
0x490
|  0x10
|  UniqueChipId
|  Empty
|-
|  0x4A0
|  0x4
|  BootDataVersion
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|  0x4A4
|  0x4
|  BlockSizeLog2
|  Always 0xE
|-
|  0x4A8
|  0x4
|  PageSizeLog2
|  Always 0x9
|-
|  0x4AC
|  0x4
|  PartitionSize
|  Always 0x1000000
|-
|  0x4B0
|  0x4
|  NumParamSets
|  Number of device parameter sets (always 0x1)
|-
|  0x4B4
|  0x4
|  DevType
|  Device type (0x4 == Sdmmc)
|-
|  0x4B8
|  0x40
|  DevParams
|  Device parameters
|-
|  0x4F8
|  0x4
|  NumSdramSets
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|  0x4FC
|  0x838
|  SdramParams0
|  Default values filled in
|-
|  0xD34
|  0x838
|  SdramParams1
|  Default values filled in
|-
|  0x156C
|  0x838
|  SdramParams2
|  Default values filled in
|-
|  0x1DA4
|  0x838
|  SdramParams3
|  Default values filled in
|-
|  0x25DC
|  0x04
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|  0x25E0
|  0x10
|  BootLoader0
|  Configuration parameters for bootloader 0 (main)
0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
0x25E4: StartPage (0)
0x25E8: Version (variable)
0x25EC: Reserved
|-
|  0x25F0
|  0x10
|  BootLoader1
|  Configuration parameters for bootloader 1 (backup)
0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
0x25F4: StartPage (0)
0x25F8: Version (variable)
0x25FC: Reserved
|-
|  0x2600
|  0x10
|  BootLoader2
|  Reserved space for bootloader 2 (unused)
|-
|  0x2610
|  0x10
|  BootLoader3
|  Reserved space for bootloader 3 (unused)
|-
|  0x2620
|  0x4
|  SecureDebugControlNoneEcid
|  Empty
|-
|  0x2624
|  0x4
|  SecureDebugControlEcid
|  Empty
|-
|  0x2628
|  0x10
|  Empty
|-
|  0x2638
|  0x40
|  Empty
|-
|  0x2678
|  0x4
|  SecProvisioningKeyNumSecure
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x267C
|  0x184
|  Reserved
|  Always starts with 0x80000000 (NVBOOT padding pattern)
|}
|}
Retrieved from "https://switchbrew.org/wiki/BCT"