333
edits
Changes
Jump to navigation
Jump to search
Line 594:
Line 594: − + Line 978:
Line 978: − + + + + + + Line 1,006:
Line 1,011: − + + + Line 1,080:
Line 1,087: − + Line 1,093:
Line 1,100: + + + Line 1,147:
Line 1,157: + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 1,179:
Line 1,217: − + − + Line 1,190:
Line 1,228: − Same registers as in the Erista's fuse [[#Driver|driver]]. − − === Cache === − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + + + + + + + − + − + − + − + − | 0x7000F8F0+ + + + + + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + + + + + + + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + + + + + + + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − ==== FUSE_OPT_NVJTAG_PROTECTION_ENABLE ====+ − Controls the NVJTAG protection feature. If enabled, this will permanently disable access to all DFT (Design for Test) functions which include the ability put the chip in FA (Failure Analysis) mode. − − ==== FUSE_RESERVED_ODM28 ==== − {| class="wikitable" border="1" − ! Bits − ! Description − + − + − |} − − ==== FUSE_BOOT_SECURITY_INFO ==== − {| class="wikitable" border="1" − ! Bits − ! Description − + − + − + − + − + − + − + − + − + − + − Stores configuration values for the new boot security mechanism.+ − − Mariko units have authentication set to PKC_RSA, encryption enabled, fuse encryption enabled and fuse encryption select set to OEM_KEY_1 (development) or OEM_KEY_2 (retail). − − = Bitmap = − The actual hardware fuses are stored in a bitmap and may be programmed through the fuse driver after enabling fuse programming. − − Fuse numbers are relative to the start of the fuse bitmap where each element is a 4 byte word and has a redundant alias. A single fuse write operation must always write the same value to '''fuse_bitmap + ((fuse_number + 0) << 2)''' (PRIMARY_ALIAS) and '''fuse_bitmap + ((fuse_number + 1) << 2)''' (REDUNDANT_ALIAS). However, spare bits and all fuses afterwards in the fuse bitmap, no longer have a redundant alias. − − == Erista == − {| class="wikitable" border="1" − ! Name − ! Number − ! Redundant number − ! Bits − + − + − | 1 − | 0 − + − + − | 1 − | 1 − + − + − | 1 − | 2 − + − + − | 1 − | 3 − + − + − | 1 − | 4 − + − + − | 1 − | 5 − + − + − | 1 − | 6-9 − + − + − | 1 − | 10 − + − + − | 1 − | 11 − + − + − | 1 − | 12 − + − + − | 1 − | 13 − + − + − + − + + + + + + + + + + + + + + + − + − | 12+ − | 13 − − + − + − + − + + + + + + + + − + − + − + − + + + + + − + − | 14+ − | 15 − − + − | 16+ − | 17 − − + − + − | 17 − | 30-31 − + − | 18+ − | 19 − − + − + − + − + + + + + + + + + + + + + + + + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + + + + + + + + + + + + + + + + + + + + + + + + + + − + − + − + − + − + − + − + − | None − | 17 − |- − | spare_bit_18 − | 101 − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + + + + + + + + + + + − + − + − + − + − + − + − === reserved_odm6 ===+ − Used for [[#Anti-downgrade|anti-downgrade]] control.+ − + − === reserved_odm7 ===+ − Used for [[#Anti-downgrade|anti-downgrade]] control.+ − + − === irom_patch ===+ − Bootrom patches are burned to the hardware fuse bitmap using a specific format (see [https://gist.github.com/hexkyz/98c28e292597d8fc7bef7a2200e792d7 ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP.+ − + − The following represents the patch data dumped from a Switch console:+ − <syntaxhighlight>+ − RAM:00000000 ; =============== S U B R O U T I N E =======================================+ − RAM:00000000+ − RAM:00000000+ − RAM:00000000 irom_svc_dispatch+ − RAM:00000000 STMFD SP!, {R0-R2} ; ipatches (new):+ − RAM:00000000 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)+ − RAM:00000000 ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)+ − RAM:00000000 ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)+ − RAM:00000000 ; 3: 0x3b4d2100 0x0010769a 0x00002100 : movs r1, #0x00+ − RAM:00000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)+ − RAM:00000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)+ − RAM:00000000 ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)+ − RAM:00000000 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)+ − RAM:00000000 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)+ − RAM:00000000 ; 9: 0xbba2ac57 0x00117744 0x0000ac57 : data+ − RAM:00000000 ; 10: 0xbbac3d19 0x00117758 0x00003d19 : data+ − + − RAM:00000000 ; + − RAM:00000000 ; ipatches (old):+ − + − + − + − + − + − + − + − + − + − + − + − + − + − + − RAM:0000000C LDR R2, [R2]+ − + − + − RAM:00000018 LDR R0, =0x1007B0+ − + − RAM:00000020 SUB R1, R1, R0+ − + − + − RAM:0000002C ADD R2, R2, R0+ − RAM:00000030 ORR R2, R2, #1+ − + − RAM:00000038 BX R2+ − + − + − + − RAM:0000003C dword_3C DCD 0x1007B0 ; DATA XREF: irom_svc_dispatch+18↑r+ − + − + − + − + − + − + − + − + − + − + − + − + − RAM:00000050 STR R2, [R1,#0x38]+ − RAM:00000052 LDR R1, =0x600060F8+ − RAM:00000054 STR R2, [R1]+ − + − + − + − + − RAM:0000005E ADDS R1, #0x80+ − RAM:00000060 ADDS R1, #0x1C+ − RAM:00000062 STR R2, [R1]+ − + − + − + − + − + − + − + − + − + − + − + − RAM:0000007C STR R2, [R1]+ − + − + − + − + − + − + − + − + − + − RAM:0000008C ; =============== S U B R O U T I N E =======================================+ − + − RAM:0000008C+ − RAM:0000008C sub_8C+ − RAM:0000008C LDR R0, [R1,#0x18] ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)+ − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − RAM:0000009E B pop_r2_mov_pc_lr+ − RAM:0000009E ; End of function sub_94+ − + − + − + − + − + − + − + − RAM:000000A0 ; FUNCTION CHUNK AT RAM:00000148 SIZE 00000004 BYTES+ − RAM:000000A0+ − + − + − + − + − RAM:000000AA CMP R2, #0+ − + − + − + − + − + − + − + − + − + − + − + − RAM:000000BC+ − RAM:000000BC loc_BC ; CODE XREF: sub_A0+12↑j+ − + − + − + − + − + − + − + − + − RAM:000000CA+ − RAM:000000CC+ − RAM:000000CC ; =============== S U B R O U T I N E =======================================+ − + − + − RAM:000000CC sub_CC+ − + − + − + − + − + − + − + − + − + − + − + − RAM:000000DE ; =============== S U B R O U T I N E =======================================+ − + − + − + − + − + − + − + − + − + − + − + − RAM:000000EE B pop_r2_mov_pc_lr+ − + − + − + − + − + − + − + − + − RAM:000000F0 arg_0= 0+ − RAM:000000F0+ − RAM:000000F0 LDR R0, =0x400049F0 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)+ − + − + − + − RAM:000000F8 LSRS R2, R2, #17+ − + − + − + − RAM:000000FC LDR R0, =APBDEV_PMC_CNTRL_0+ − + − + − + − + − + − RAM:00000100+ − RAM:00000102+ − RAM:00000102 ; =============== S U B R O U T I N E =======================================+ − + − + − + − + − + − + − + − + − RAM:00000106 LDR R2, [R2,#0x18]+ − + − + − + − + − + − + − + − + − RAM:00000110 off_110 DCD 0x60006410 ; DATA XREF: sub_48+4↑r+ − RAM:00000114 off_114 DCD 0x600060F8 ; DATA XREF: sub_48+A↑r+ − RAM:00000118 off_118 DCD 0x60006284 ; DATA XREF: sub_48+10↑r+ − + − + − + − + − + − + − + − + − + − + − RAM:00000144 off_144 DCD 0x40010220 ; DATA XREF: sub_102↑r+ − RAM:00000148 ; ---------------------------------------------------------------------------+ − + − + − + − + − + − + − + − </syntaxhighlight>+ − + − The last 4 patches are exclusive to the Switch, while the remaining ones are often included in most Tegra210 based devices.+ − + − ==== IROM patch 0 ====+ − This patch configures clock enables and clock gate overrides for new hardware.+ − + − <syntaxhighlight lang="c">+ − u32 CLK_ENB_H_SET = 0x60006328;+ − u32 CLK_ENB_L_SET = 0x60006320;+ − u32 CLK_ENB_U_SET = 0x60006330; + − u32 CLK_ENB_V_SET = 0x60006440;+ − u32 CLK_ENB_W_SET = 0x60006448;+ − u32 CLK_ENB_X_SET = 0x60006284;+ − u32 CLK_ENB_Y_SET = 0x6000629C;+ − u32 LVL2_CLK_GATE_OVRA = 0x600060F8;+ − u32 LVL2_CLK_GATE_OVRB = 0x600060FC;+ − u32 LVL2_CLK_GATE_OVRC = 0x600063A0;+ − u32 LVL2_CLK_GATE_OVRD = 0x600063A4;+ − u32 LVL2_CLK_GATE_OVRE = 0x60006554;+ − u32 CLK_SOURCE_VI = 0x60006148;+ − u32 CLK_SOURCE_HOST1X = 0x60006180;+ − u32 CLK_SOURCE_NVENC = 0x600066A0; + − + − // Set all clock enables and overrides+ − *(u32 *)CLK_ENB_V_SET = 0xFFFFFFFF;+ − *(u32 *)CLK_ENB_W_SET = 0xFFFFFFFF;+ − *(u32 *)LVL2_CLK_GATE_OVRA = 0xFFFFFFFF;+ − *(u32 *)LVL2_CLK_GATE_OVRB = 0xFFFFFFFF;+ − *(u32 *)CLK_ENB_X_SET = 0xFFFFFFFF;+ − *(u32 *)CLK_ENB_Y_SET = 0xFFFFFFFF;+ − *(u32 *)CLK_ENB_L_SET = 0xFFFFFFFF;+ − *(u32 *)CLK_ENB_H_SET = 0xFFFFFFFF;+ − *(u32 *)CLK_ENB_U_SET = 0xFFFFFFFF;+ − *(u32 *)LVL2_CLK_GATE_OVRC = 0xFFFFFFFF;+ − *(u32 *)LVL2_CLK_GATE_OVRD = 0xFFFFFFFF;+ − *(u32 *)LVL2_CLK_GATE_OVRE = 0xFFFFFFFF;+ − + − // Set VI, HOST1X and NVENC clock sources to CLK_M+ − *(u32 *)CLK_SOURCE_VI = 0xA0000000;+ − *(u32 *)CLK_SOURCE_HOST1X = 0xA0000000;+ − *(u32 *)CLK_SOURCE_NVENC = 0xE0000000;+ − + − /*+ − Untranslated instructions:+ − + − MOVS R1, #0+ − MOVS R0, #0xE+ − */+ − + − return;+ + + + + + + + + + + + + + + + + + + + − ==== IROM patch 1 ====+ − This patch is a bugfix. − LP0 resume code expects APBDEV_PMC_SCRATCH190_0 to be set to 0x01, but the bootrom didn't set it.+ + − + − + − + − return (pmc_scratch190_val | 0x01); + − </syntaxhighlight>+ + + + + + + + + + + − + − This patch adjusts USB configurations.+ + + + + + + + + + + + − + − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 2,748:
Line 2,886: − + Line 2,798:
Line 2,936: − + − − It allows controlling the debug authentication configuration using a fuse. Line 2,821:
Line 2,957: − + − − It prevents overflowing IRAM (0x40010000) when copying the warmboot binary from DRAM. Line 2,853:
Line 2,987: − + − − It sets the correct warmboot binary entrypoint address for RSA signature verification, which would be done in DRAM instead of IRAM without this patch. Line 3,283:
Line 3,415: − + Line 3,482:
Line 3,614: − + Line 3,573:
Line 3,705: − + − The first bootloader verifies [[#FUSE_RESERVED_ODM7|FUSE_RESERVED_ODM7]] to prevent downgrading.+ − How many fuses are expected to be burnt depends the device's unit type as below.+ + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + − + Line 3,645:
Line 3,880: + + + + + + + + + + + + + + + +
no edit summary
| 0x7000F9B4
| 0x7000F9B4
|-
|-
| FUSE_ARM_JTAG_DIS
| [[#FUSE_ARM_JTAG_DIS|FUSE_ARM_JTAG_DIS]]
| 0x7000F9B8
| 0x7000F9B8
|-
|-
Stores the 160-bit private key (128 bit SBK + 32-bit device key).
Stores the 160-bit private key (128 bit SBK + 32-bit device key).
Reads to these registers after the SBK is locked out produce all-FF output.
Reads to these registers after [[#FUSE_PRIVATEKEYDISABLE|FUSE_PRIVATEKEYDISABLE]] is set produce all-FF output.
==== FUSE_ARM_JTAG_DIS ====
Controls access to the Arm JTAG interface.
Production Erista and Mariko units have this value set to 0x1, while development Erista and Mariko units do not.
==== FUSE_RESERVED_SW ====
==== FUSE_RESERVED_SW ====
Stores software reserved configuration values.
Stores software reserved configuration values.
Original Erista units have the RCM USB controller mode set to USB 2.0, while the first batch of patched Erista units have the RCM USB controller mode set to XUSB.
Production Erista and Mariko units have the forced RCM two button mode set, while development Erista and Mariko units do not.
Original Erista units have the RCM USB controller mode set to USB 2.0, while the first batch of patched Erista units have the RCM USB controller mode set to XUSB. Mariko ignores this and uses XUSB regardless for RCM.
==== FUSE_RESERVED_ODM0 ====
==== FUSE_RESERVED_ODM0 ====
| [1.0.0-3.0.2] 3-5
| [1.0.0-3.0.2] 3-5
[4.0.0+] 3-7
[4.0.0+] 3-7
| DramId
| [15.0.0+] DramId1 ([4.0.0-14.1.2] DramId)
|-
|-
| 8
| 8
| 11
| 11
| [5.0.0+] FormatVersion
| [5.0.0+] FormatVersion
|-
| 12-14
| [15.0.0+] DramId2
|-
|-
| 16-19
| 16-19
==== FUSE_PKC_DISABLE ====
==== FUSE_PKC_DISABLE ====
Returns if public key crypto is used or not.
Returns if public key crypto is used or not.
==== FUSE_ODM_INFO ====
{| class="wikitable" border="1"
! Bits
! Description
|-
| 0-7
| Reserved
|-
| 8
| Disable DBGEN
|-
| 9
| Disable NIDEN
|-
| 10
| Disable SPIDEN
|-
| 11
| Disable SPNIDEN
|-
| 12
| Disable DEVICEEN
|}
Production Erista and Mariko units have this value set to 0x1F00 (all signals disabled).
Development Erista and Mariko units have this value set to 0x0000 (all signals enabled).
==== FUSE_ECO_RESERVE_0 ====
==== FUSE_ECO_RESERVE_0 ====
==== FUSE_SPARE_BIT_5 ====
==== FUSE_SPARE_BIT_5 ====
Must be non-zero on retail units, otherwise the first bootloader panics.
Must be non-zero on production units, otherwise the first bootloader panics.
On prototype units it can be zero, which tells the bootloader to choose from two pre-production master key seeds. If set to non-zero on a prototype unit, it tells the bootloader to choose from two master key seeds (with the second one being the same as the retail master key seed).
On prototype units it can be zero, which tells the bootloader to choose from two pre-production master key seeds. If set to non-zero on a prototype unit, it tells the bootloader to choose from two master key seeds (with the second one being the same as the production master key seed).
[4.0.0+] This value is no longer used during boot.
[4.0.0+] This value is no longer used during boot.
=== Driver ===
=== Driver ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Name
! Name
! Address
! Address
|-
|-
| FUSE_RESERVED_ODM8
| [[#FUSE_FUSECTRL|FUSE_FUSECTRL]]
| 0x7000F898
| 0x7000F800
|-
|-
| FUSE_RESERVED_ODM9
| [[#FUSE_FUSEADDR|FUSE_FUSEADDR]]
| 0x7000F89C
| 0x7000F804
|-
|-
| FUSE_RESERVED_ODM10
| [[#FUSE_FUSERDATA|FUSE_FUSERDATA]]
| 0x7000F8A0
| 0x7000F808
|-
|-
| FUSE_RESERVED_ODM11
| [[#FUSE_FUSEWDATA|FUSE_FUSEWDATA]]
| 0x7000F8A4
| 0x7000F80C
|-
|-
| FUSE_RESERVED_ODM12
| [[#FUSE_FUSETIME_RD1|FUSE_FUSETIME_RD1]]
| 0x7000F8A8
| 0x7000F810
|-
|-
| FUSE_RESERVED_ODM13
| [[#FUSE_FUSETIME_RD2|FUSE_FUSETIME_RD2]]
| 0x7000F8AC
| 0x7000F814
|-
|-
| FUSE_RESERVED_ODM14
| [[#FUSE_FUSETIME_PGM1|FUSE_FUSETIME_PGM1]]
| 0x7000F8B0
| 0x7000F818
|-
|-
| FUSE_RESERVED_ODM15
| [[#FUSE_FUSETIME_PGM2|FUSE_FUSETIME_PGM2]]
| 0x7000F8B4
| 0x7000F81C
|-
|-
| FUSE_RESERVED_ODM16
| [[#FUSE_PRIV2INTFC_START|FUSE_PRIV2INTFC_START]]
| 0x7000F8B8
| 0x7000F820
|-
|-
| FUSE_RESERVED_ODM17
| [[#FUSE_FUSEBYPASS|FUSE_FUSEBYPASS]]
| 0x7000F8BC
| 0x7000F824
|-
|-
| FUSE_RESERVED_ODM18
| [[#FUSE_PRIVATEKEYDISABLE|FUSE_PRIVATEKEYDISABLE]]
| 0x7000F8C0
| 0x7000F828
|-
|-
| FUSE_RESERVED_ODM19
| [[#FUSE_DISABLEREGPROGRAM|FUSE_DISABLEREGPROGRAM]]
| 0x7000F8C4
| 0x7000F82C
|-
|-
| FUSE_RESERVED_ODM20
| [[#FUSE_WRITE_ACCESS_SW|FUSE_WRITE_ACCESS_SW]]
| 0x7000F8C8
| 0x7000F830
|-
|-
| FUSE_RESERVED_ODM21
| [[#FUSE_PRIV2RESHIFT|FUSE_PRIV2RESHIFT]]
| 0x7000F8CC
| 0x7000F83C
|-
|-
| FUSE_KEK00
| [[#FUSE_FUSETIME_RD3|FUSE_FUSETIME_RD3]]
| 0x7000F8D0
| 0x7000F84C
|-
|-
| FUSE_KEK01
| [[#FUSE_SPARE_ADDR_START|FUSE_SPARE_ADDR_START]]
| 0x7000F8D4
| 0x7000F860
|-
|-
| FUSE_KEK02
| [[#FUSE_PRIVATE_KEY0_NONZERO|FUSE_PRIVATE_KEY0_NONZERO]]
| 0x7000F8D8
| 0x7000F880
|-
|-
| FUSE_KEK03
| [[#FUSE_PRIVATE_KEY1_NONZERO|FUSE_PRIVATE_KEY1_NONZERO]]
| 0x7000F8DC
| 0x7000F884
|-
|-
| FUSE_BEK00
| [[#FUSE_PRIVATE_KEY2_NONZERO|FUSE_PRIVATE_KEY2_NONZERO]]
| 0x7000F8E0
| 0x7000F888
|-
|-
| FUSE_BEK01
| [[#FUSE_PRIVATE_KEY3_NONZERO|FUSE_PRIVATE_KEY3_NONZERO]]
| 0x7000F8E4
| 0x7000F88C
|-
|-
| FUSE_BEK02
| [[#FUSE_PRIVATE_KEY4_NONZERO|FUSE_PRIVATE_KEY4_NONZERO]]
| 0x7000F8E8
| 0x7000F890
|}
==== FUSE_SPARE_ADDR_START ====
{| class="wikitable" border="1"
! Bits
! Description
|-
|-
| FUSE_BEK03
| 0-31
| 0x7000F8EC
| FUSE_SPARE_ADDR_START_DATA
|-
|}
|
Returns the offset of the spare bit fuse registers (always 0x380).
=== Cache ===
{| class="wikitable" border="1"
! Name
! Address
|-
|-
|
| FUSE_RESERVED_ODM8
| 0x7000F8F4
| 0x7000F898
|-
|-
|
| FUSE_RESERVED_ODM9
| 0x7000F8F8
| 0x7000F89C
|-
|-
|
| FUSE_RESERVED_ODM10
| 0x7000F8FC
| 0x7000F8A0
|-
|-
| FUSE_PRODUCTION_MODE
| FUSE_RESERVED_ODM11
| 0x7000F900
| 0x7000F8A4
|-
|-
| FUSE_JTAG_SECUREID_VALID
| FUSE_RESERVED_ODM12
| 0x7000F904
| 0x7000F8A8
|-
|-
| FUSE_ODM_LOCK
| FUSE_RESERVED_ODM13
| 0x7000F908
| 0x7000F8AC
|-
|-
| FUSE_OPT_OPENGL_EN
| FUSE_RESERVED_ODM14
| 0x7000F90C
| 0x7000F8B0
|-
|-
| FUSE_SKU_INFO
| FUSE_RESERVED_ODM15
| 0x7000F910
| 0x7000F8B4
|-
|-
| FUSE_CPU_SPEEDO_0_CALIB
| FUSE_RESERVED_ODM16
| 0x7000F914
| 0x7000F8B8
|-
|-
| FUSE_CPU_IDDQ_CALIB
| FUSE_RESERVED_ODM17
| 0x7000F918
| 0x7000F8BC
|-
|-
| FUSE_RESERVED_ODM22
| FUSE_RESERVED_ODM18
| 0x7000F91C
| 0x7000F8C0
|-
|-
| FUSE_RESERVED_ODM23
| FUSE_RESERVED_ODM19
| 0x7000F920
| 0x7000F8C4
|-
|-
| FUSE_RESERVED_ODM24
| FUSE_RESERVED_ODM20
| 0x7000F924
| 0x7000F8C8
|-
|-
| FUSE_OPT_FT_REV
| FUSE_RESERVED_ODM21
| 0x7000F928
| 0x7000F8CC
|-
|-
| FUSE_CPU_SPEEDO_1_CALIB
| [[#FUSE_KEK|FUSE_KEK00]]
| 0x7000F92C
| 0x7000F8D0
|-
|-
| FUSE_CPU_SPEEDO_2_CALIB
| [[#FUSE_KEK|FUSE_KEK01]]
| 0x7000F930
| 0x7000F8D4
|-
|-
| FUSE_SOC_SPEEDO_0_CALIB
| [[#FUSE_KEK|FUSE_KEK02]]
| 0x7000F934
| 0x7000F8D8
|-
|-
| FUSE_SOC_SPEEDO_1_CALIB
| [[#FUSE_KEK|FUSE_KEK03]]
| 0x7000F938
| 0x7000F8DC
|-
|-
| FUSE_SOC_SPEEDO_2_CALIB
| [[#FUSE_BEK|FUSE_BEK00]]
| 0x7000F93C
| 0x7000F8E0
|-
|-
| FUSE_SOC_IDDQ_CALIB
| [[#FUSE_BEK|FUSE_BEK01]]
| 0x7000F940
| 0x7000F8E4
|-
|-
| FUSE_RESERVED_ODM25
| [[#FUSE_BEK|FUSE_BEK02]]
| 0x7000F944
| 0x7000F8E8
|-
|-
| FUSE_FA
| [[#FUSE_BEK|FUSE_BEK03]]
| 0x7000F948
| 0x7000F8EC
|-
|-
| FUSE_RESERVED_PRODUCTION
| FUSE_OPT_RAM_RTSEL_TSMCSP_PO4SVT
| 0x7000F94C
| 0x7000F8F0
|-
|-
| FUSE_HDMI_LANE0_CALIB
| FUSE_OPT_RAM_WTSEL_TSMCSP_PO4SVT
| 0x7000F950
| 0x7000F8F4
|-
|-
| FUSE_HDMI_LANE1_CALIB
| FUSE_OPT_RAM_RTSEL_TSMCPDP_PO4SVT
| 0x7000F954
| 0x7000F8F8
|-
|-
| FUSE_HDMI_LANE2_CALIB
| FUSE_OPT_RAM_MTSEL_TSMCPDP_PO4SVT
| 0x7000F958
| 0x7000F8FC
|-
|-
| FUSE_HDMI_LANE3_CALIB
| FUSE_PRODUCTION_MODE
| 0x7000F95C
| 0x7000F900
|-
|-
| FUSE_ENCRYPTION_RATE
| FUSE_JTAG_SECUREID_VALID
| 0x7000F960
| 0x7000F904
|-
|-
| FUSE_PUBLIC_KEY0
| FUSE_ODM_LOCK
| 0x7000F964
| 0x7000F908
|-
|-
| FUSE_PUBLIC_KEY1
| FUSE_OPT_OPENGL_EN
| 0x7000F968
| 0x7000F90C
|-
|-
| FUSE_PUBLIC_KEY2
| FUSE_SKU_INFO
| 0x7000F96C
| 0x7000F910
|-
|-
| FUSE_PUBLIC_KEY3
| FUSE_CPU_SPEEDO_0_CALIB
| 0x7000F970
| 0x7000F914
|-
|-
| FUSE_PUBLIC_KEY4
| FUSE_CPU_IDDQ_CALIB
| 0x7000F974
| 0x7000F918
|-
|-
| FUSE_PUBLIC_KEY5
| FUSE_RESERVED_ODM22
| 0x7000F978
| 0x7000F91C
|-
|-
| FUSE_PUBLIC_KEY6
| FUSE_RESERVED_ODM23
| 0x7000F97C
| 0x7000F920
|-
|-
| FUSE_PUBLIC_KEY7
| FUSE_RESERVED_ODM24
| 0x7000F980
| 0x7000F924
|-
|-
| FUSE_TSENSOR1_CALIB
| FUSE_OPT_FT_REV
| 0x7000F984
| 0x7000F928
|-
|-
| FUSE_TSENSOR2_CALIB
| FUSE_CPU_SPEEDO_1_CALIB
| 0x7000F988
| 0x7000F92C
|-
|-
| FUSE_OPT_SECURE_SCC_DIS
| FUSE_CPU_SPEEDO_2_CALIB
| 0x7000F98C
| 0x7000F930
|-
|-
| FUSE_OPT_CP_REV
| FUSE_SOC_SPEEDO_0_CALIB
| 0x7000F990
| 0x7000F934
|-
|-
| FUSE_OPT_PFG
| FUSE_SOC_SPEEDO_1_CALIB
| 0x7000F994
| 0x7000F938
|-
|-
| FUSE_TSENSOR0_CALIB
| FUSE_SOC_SPEEDO_2_CALIB
| 0x7000F998
| 0x7000F93C
|-
|-
| FUSE_FIRST_BOOTROM_PATCH_SIZE
| FUSE_SOC_IDDQ_CALIB
| 0x7000F99C
| 0x7000F940
|-
|-
| FUSE_SECURITY_MODE
| FUSE_RESERVED_ODM25
| 0x7000F9A0
| 0x7000F944
|-
|-
| FUSE_PRIVATE_KEY0
| FUSE_FA
| 0x7000F9A4
| 0x7000F948
|-
|-
| FUSE_PRIVATE_KEY1
| [[#FUSE_RESERVED_PRODUCTION|FUSE_RESERVED_PRODUCTION]]
| 0x7000F9A8
| 0x7000F94C
|-
|-
| FUSE_PRIVATE_KEY2
| FUSE_HDMI_LANE0_CALIB
| 0x7000F9AC
| 0x7000F950
|-
|-
| FUSE_PRIVATE_KEY3
| FUSE_HDMI_LANE1_CALIB
| 0x7000F9B0
| 0x7000F954
|-
|-
| FUSE_PRIVATE_KEY4
| FUSE_HDMI_LANE2_CALIB
| 0x7000F9B4
| 0x7000F958
|-
|-
| FUSE_ARM_JTAG_DIS
| FUSE_HDMI_LANE3_CALIB
| 0x7000F9B8
| 0x7000F95C
|-
|-
| FUSE_BOOT_DEVICE_INFO
| FUSE_ENCRYPTION_RATE
| 0x7000F9BC
| 0x7000F960
|-
|-
| FUSE_RESERVED_SW
| FUSE_PUBLIC_KEY0
| 0x7000F9C0
| 0x7000F964
|-
|-
| FUSE_OPT_VP9_DISABLE
| FUSE_PUBLIC_KEY1
| 0x7000F9C4
| 0x7000F968
|-
|-
| FUSE_RESERVED_ODM0
| FUSE_PUBLIC_KEY2
| 0x7000F9C8
| 0x7000F96C
|-
|-
| FUSE_RESERVED_ODM1
| FUSE_PUBLIC_KEY3
| 0x7000F9CC
| 0x7000F970
|-
|-
| FUSE_RESERVED_ODM2
| FUSE_PUBLIC_KEY4
| 0x7000F9D0
| 0x7000F974
|-
|-
| FUSE_RESERVED_ODM3
| FUSE_PUBLIC_KEY5
| 0x7000F9D4
| 0x7000F978
|-
|-
| FUSE_RESERVED_ODM4
| FUSE_PUBLIC_KEY6
| 0x7000F9D8
| 0x7000F97C
|-
|-
| FUSE_RESERVED_ODM5
| FUSE_PUBLIC_KEY7
| 0x7000F9DC
| 0x7000F980
|-
|-
| FUSE_RESERVED_ODM6
| FUSE_TSENSOR1_CALIB
| 0x7000F9E0
| 0x7000F984
|-
|-
| FUSE_RESERVED_ODM7
| FUSE_TSENSOR2_CALIB
| 0x7000F9E4
| 0x7000F988
|-
|-
| FUSE_OBS_DIS
| FUSE_OPT_SECURE_SCC_DIS
| 0x7000F9E8
| 0x7000F98C
|-
|-
| [[#FUSE_OPT_NVJTAG_PROTECTION_ENABLE|FUSE_OPT_NVJTAG_PROTECTION_ENABLE]]
| FUSE_OPT_CP_REV
| 0x7000F9EC
| 0x7000F990
|-
|-
| FUSE_USB_CALIB
| FUSE_OPT_PFG
| 0x7000F9F0
| 0x7000F994
|-
|-
| FUSE_SKU_DIRECT_CONFIG
| FUSE_TSENSOR0_CALIB
| 0x7000F9F4
| 0x7000F998
|-
|-
| FUSE_KFUSE_PRIVKEY_CTRL
| FUSE_FIRST_BOOTROM_PATCH_SIZE
| 0x7000F9F8
| 0x7000F99C
|-
|-
| FUSE_PACKAGE_INFO
| FUSE_SECURITY_MODE
| 0x7000F9FC
| 0x7000F9A0
|-
|-
| FUSE_OPT_VENDOR_CODE
| FUSE_PRIVATE_KEY0
| 0x7000FA00
| 0x7000F9A4
|-
|-
| FUSE_OPT_FAB_CODE
| FUSE_PRIVATE_KEY1
| 0x7000FA04
| 0x7000F9A8
|-
|-
| FUSE_OPT_LOT_CODE_0
| FUSE_PRIVATE_KEY2
| 0x7000FA08
| 0x7000F9AC
|-
|-
| FUSE_OPT_LOT_CODE_1
| FUSE_PRIVATE_KEY3
| 0x7000FA0C
| 0x7000F9B0
|-
|-
| FUSE_OPT_WAFER_ID
| FUSE_PRIVATE_KEY4
| 0x7000FA10
| 0x7000F9B4
|-
|-
| FUSE_OPT_X_COORDINATE
| FUSE_ARM_JTAG_DIS
| 0x7000FA14
| 0x7000F9B8
|-
|-
| FUSE_OPT_Y_COORDINATE
| FUSE_BOOT_DEVICE_INFO
| 0x7000FA18
| 0x7000F9BC
|-
|-
| FUSE_OPT_SEC_DEBUG_EN
| FUSE_RESERVED_SW
| 0x7000FA1C
| 0x7000F9C0
|-
|-
| FUSE_OPT_OPS_RESERVED
| FUSE_OPT_VP9_DISABLE
| 0x7000FA20
| 0x7000F9C4
|-
|-
|
| FUSE_RESERVED_ODM0
| 0x7000FA24
| 0x7000F9C8
|-
|-
| FUSE_GPU_IDDQ_CALIB
| FUSE_RESERVED_ODM1
| 0x7000FA28
| 0x7000F9CC
|-
|-
| FUSE_TSENSOR3_CALIB
| FUSE_RESERVED_ODM2
| 0x7000FA2C
| 0x7000F9D0
|-
|-
| FUSE_CLOCK_BONDOUT0
| FUSE_RESERVED_ODM3
| 0x7000FA30
| 0x7000F9D4
|-
|-
| FUSE_CLOCK_BONDOUT1
| FUSE_RESERVED_ODM4
| 0x7000FA34
| 0x7000F9D8
|-
|-
| FUSE_RESERVED_ODM26
| FUSE_RESERVED_ODM5
| 0x7000FA38
| 0x7000F9DC
|-
|-
| FUSE_RESERVED_ODM27
| FUSE_RESERVED_ODM6
| 0x7000FA3C
| 0x7000F9E0
|-
|-
| [[#FUSE_RESERVED_ODM28|FUSE_RESERVED_ODM28]]
| FUSE_RESERVED_ODM7
| 0x7000FA40
| 0x7000F9E4
|-
|-
| FUSE_OPT_SAMPLE_TYPE
| FUSE_OBS_DIS
| 0x7000FA44
| 0x7000F9E8
|-
|-
| FUSE_OPT_SUBREVISION
| [[#FUSE_OPT_NVJTAG_PROTECTION_ENABLE|FUSE_OPT_NVJTAG_PROTECTION_ENABLE]]
| 0x7000FA48
| 0x7000F9EC
|-
|-
| FUSE_OPT_SW_RESERVED_0
| FUSE_USB_CALIB
| 0x7000FA4C
| 0x7000F9F0
|-
|-
| FUSE_OPT_SW_RESERVED_1
| FUSE_SKU_DIRECT_CONFIG
| 0x7000FA50
| 0x7000F9F4
|-
|-
| FUSE_TSENSOR4_CALIB
| FUSE_KFUSE_PRIVKEY_CTRL
| 0x7000FA54
| 0x7000F9F8
|-
|-
| FUSE_TSENSOR5_CALIB
| FUSE_PACKAGE_INFO
| 0x7000FA58
| 0x7000F9FC
|-
|-
| FUSE_TSENSOR6_CALIB
| FUSE_OPT_VENDOR_CODE
| 0x7000FA5C
| 0x7000FA00
|-
|-
| FUSE_TSENSOR7_CALIB
| FUSE_OPT_FAB_CODE
| 0x7000FA60
| 0x7000FA04
|-
|-
| FUSE_OPT_PRIV_SEC_DIS
| FUSE_OPT_LOT_CODE_0
| 0x7000FA64
| 0x7000FA08
|-
|-
| [[#FUSE_BOOT_SECURITY_INFO|FUSE_BOOT_SECURITY_INFO]]
| FUSE_OPT_LOT_CODE_1
| 0x7000FA68
| 0x7000FA0C
|-
|-
|
| FUSE_OPT_WAFER_ID
| 0x7000FA6C
| 0x7000FA10
|-
| FUSE_OPT_X_COORDINATE
| 0x7000FA14
|-
| FUSE_OPT_Y_COORDINATE
| 0x7000FA18
|-
|-
|
| FUSE_OPT_SEC_DEBUG_EN
| 0x7000FA70
| 0x7000FA1C
|-
|-
|
| FUSE_OPT_OPS_RESERVED
| 0x7000FA74
| 0x7000FA20
|-
|-
|
|
| 0x7000FA78
| 0x7000FA24
|-
|-
| FUSE_FUSE2TSEC_DEBUG_DISABLE
| FUSE_GPU_IDDQ_CALIB
| 0x7000FA7C
| 0x7000FA28
|-
|-
| FUSE_TSENSOR_COMMON
| FUSE_TSENSOR3_CALIB
| 0x7000FA80
| 0x7000FA2C
|-
|-
| FUSE_OPT_CP_BIN
| FUSE_CLOCK_BONDOUT0
| 0x7000FA84
| 0x7000FA30
|-
|-
| FUSE_OPT_GPU_DISABLE
| FUSE_CLOCK_BONDOUT1
| 0x7000FA88
| 0x7000FA34
|-
|-
| FUSE_OPT_FT_BIN
| FUSE_RESERVED_ODM26
| 0x7000FA8C
| 0x7000FA38
|-
|-
| FUSE_OPT_DONE_MAP
| FUSE_RESERVED_ODM27
| 0x7000FA90
| 0x7000FA3C
|-
|-
| FUSE_RESERVED_ODM29
| [[#FUSE_RESERVED_ODM28|FUSE_RESERVED_ODM28]]
| 0x7000FA94
| 0x7000FA40
|-
|-
| FUSE_APB2JTAG_DISABLE
| FUSE_OPT_SAMPLE_TYPE
| 0x7000FA98
| 0x7000FA44
|-
|-
| FUSE_ODM_INFO
| FUSE_OPT_SUBREVISION
| 0x7000FA9C
| 0x7000FA48
|-
|-
| FUSE_ARM_CRYPT_DE_FEATURE
| FUSE_OPT_SW_RESERVED_0
| 0x7000FAA8
| 0x7000FA4C
|-
|-
|
| FUSE_OPT_SW_RESERVED_1
| 0x7000FAB0
| 0x7000FA50
|-
|-
|
| FUSE_TSENSOR4_CALIB
| 0x7000FAB4
| 0x7000FA54
|-
|-
|
| FUSE_TSENSOR5_CALIB
| 0x7000FAB8
| 0x7000FA58
|-
|-
|
| FUSE_TSENSOR6_CALIB
| 0x7000FABC
| 0x7000FA5C
|-
|-
| FUSE_WOA_SKU_FLAG
| FUSE_TSENSOR7_CALIB
| 0x7000FAC0
| 0x7000FA60
|-
|-
| FUSE_ECO_RESERVE_1
| FUSE_OPT_PRIV_SEC_DIS
| 0x7000FAC4
| 0x7000FA64
|-
|-
| FUSE_GCPLEX_CONFIG_FUSE
| [[#FUSE_BOOT_SECURITY_INFO|FUSE_BOOT_SECURITY_INFO]]
| 0x7000FAC8
| 0x7000FA68
|-
|-
| FUSE_PRODUCTION_MONTH
| FUSE_OPT_RAM_RTSEL_TSMCSP_PO4HVT
| 0x7000FACC
| 0x7000FA6C
|-
|-
| FUSE_RAM_REPAIR_INDICATOR
| FUSE_OPT_RAM_WTSEL_TSMCSP_PO4HVT
| 0x7000FAD0
| 0x7000FA70
|-
|-
| FUSE_TSENSOR9_CALIB
| FUSE_OPT_RAM_RTSEL_TSMCPDP_PO4HVT
| 0x7000FAD4
| 0x7000FA74
|-
|-
| FUSE_VMIN_CALIBRATION
| FUSE_OPT_RAM_MTSEL_TSMCPDP_PO4HVT
| 0x7000FADC
| 0x7000FA78
|-
|-
| FUSE_AGING_SENSOR_CALIBRATION
| FUSE_FUSE2TSEC_DEBUG_DISABLE
| 0x7000FAE0
| 0x7000FA7C
|-
|-
| FUSE_DEBUG_AUTHENTICATION
| FUSE_TSENSOR_COMMON
| 0x7000FAE4
| 0x7000FA80
|-
|-
| FUSE_SECURE_PROVISION_INDEX
| FUSE_OPT_CP_BIN
| 0x7000FAE8
| 0x7000FA84
|-
|-
| FUSE_SECURE_PROVISION_INFO
| FUSE_OPT_GPU_DISABLE
| 0x7000FAEC
| 0x7000FA88
|-
|-
| FUSE_OPT_GPU_DISABLE_CP1
| FUSE_OPT_FT_BIN
| 0x7000FAF0
| 0x7000FA8C
|-
|-
| FUSE_SPARE_ENDIS
| FUSE_OPT_DONE_MAP
| 0x7000FAF4
| 0x7000FA90
|-
|-
| FUSE_ECO_RESERVE_0
| FUSE_RESERVED_ODM29
| 0x7000FAF8
| 0x7000FA94
|-
|-
| FUSE_RESERVED_CALIB0
| FUSE_APB2JTAG_DISABLE
| 0x7000FB04
| 0x7000FA98
|-
|-
| FUSE_RESERVED_CALIB1
| FUSE_ODM_INFO
| 0x7000FB08
| 0x7000FA9C
|-
|-
| FUSE_OPT_GPU_TPC0_DISABLE
| FUSE_ARM_CRYPT_DE_FEATURE
| 0x7000FB0C
| 0x7000FAA8
|-
|-
| FUSE_OPT_GPU_TPC0_DISABLE_CP1
| FUSE_OPT_RAM_WTSEL_TSMCPDP_PO4SVT
| 0x7000FB10
| 0x7000FAB0
|-
|-
| FUSE_OPT_CPU_DISABLE
| FUSE_OPT_RAM_RCT_TSMCDP_PO4SVT
| 0x7000FB14
| 0x7000FAB4
|-
|-
| FUSE_OPT_CPU_DISABLE_CP1
| FUSE_OPT_RAM_WCT_TSMCDP_PO4SVT
| 0x7000FB18
| 0x7000FAB8
|-
|-
| FUSE_TSENSOR10_CALIB
| FUSE_OPT_RAM_KP_TSMCDP_PO4SVT
| 0x7000FB1C
| 0x7000FABC
|-
|-
| FUSE_TSENSOR10_CALIB_AUX
| FUSE_WOA_SKU_FLAG
| 0x7000FB20
| 0x7000FAC0
|-
|-
|
| FUSE_ECO_RESERVE_1
| 0x7000FB24
| 0x7000FAC4
|-
|-
|
| FUSE_GCPLEX_CONFIG_FUSE
| 0x7000FB28
| 0x7000FAC8
|-
|-
|
| FUSE_PRODUCTION_MONTH
| 0x7000FB2C
| 0x7000FACC
|-
|-
|
| FUSE_RAM_REPAIR_INDICATOR
| 0x7000FB30
| 0x7000FAD0
|-
|-
|
| FUSE_TSENSOR9_CALIB
| 0x7000FB34
| 0x7000FAD4
|-
|-
| FUSE_OPT_GPU_TPC0_DISABLE_CP2
| FUSE_VMIN_CALIBRATION
| 0x7000FB38
| 0x7000FADC
|-
|-
| FUSE_OPT_GPU_TPC1_DISABLE
| FUSE_AGING_SENSOR_CALIBRATION
| 0x7000FB3C
| 0x7000FAE0
|-
|-
| FUSE_OPT_GPU_TPC1_DISABLE_CP1
| FUSE_DEBUG_AUTHENTICATION
| 0x7000FB40
| 0x7000FAE4
|-
|-
| FUSE_OPT_GPU_TPC1_DISABLE_CP2
| FUSE_SECURE_PROVISION_INDEX
| 0x7000FB44
| 0x7000FAE8
|-
|-
| FUSE_OPT_CPU_DISABLE_CP2
| FUSE_SECURE_PROVISION_INFO
| 0x7000FB48
| 0x7000FAEC
|-
|-
| FUSE_OPT_GPU_DISABLE_CP2
| FUSE_OPT_GPU_DISABLE_CP1
| 0x7000FB4C
| 0x7000FAF0
|-
|-
| FUSE_USB_CALIB_EXT
| FUSE_SPARE_ENDIS
| 0x7000FB50
| 0x7000FAF4
|-
|-
| FUSE_RESERVED_FIELD
| FUSE_ECO_RESERVE_0
| 0x7000FB54
| 0x7000FAF8
|-
|-
| FUSE_SPARE_REALIGNMENT_REG
| FUSE_RESERVED_CALIB0
| 0x7000FB7C
| 0x7000FB04
|-
|-
| FUSE_SPARE_BIT_0
| FUSE_RESERVED_CALIB1
| 0x7000FB80
| 0x7000FB08
|-
|-
| FUSE_SPARE_BIT_1
| FUSE_OPT_GPU_TPC0_DISABLE
| 0x7000FB84
| 0x7000FB0C
|-
|-
| FUSE_SPARE_BIT_2
| FUSE_OPT_GPU_TPC0_DISABLE_CP1
| 0x7000FB88
| 0x7000FB10
|-
|-
| FUSE_SPARE_BIT_3
| FUSE_OPT_CPU_DISABLE
| 0x7000FB8C
| 0x7000FB14
|-
|-
| FUSE_SPARE_BIT_4
| FUSE_OPT_CPU_DISABLE_CP1
| 0x7000FB90
| 0x7000FB18
|-
|-
| FUSE_SPARE_BIT_5
| FUSE_TSENSOR10_CALIB
| 0x7000FB94
| 0x7000FB1C
|-
|-
| FUSE_SPARE_BIT_6
| FUSE_TSENSOR10_CALIB_AUX
| 0x7000FB98
| 0x7000FB20
|-
|-
| FUSE_SPARE_BIT_7
| FUSE_OPT_RAM_WTSEL_TSMCPDP_PO4HVT
| 0x7000FB9C
| 0x7000FB24
|-
|-
| FUSE_SPARE_BIT_8
| FUSE_OPT_RAM_RCT_TSMCDP_PO4HVT
| 0x7000FBA0
| 0x7000FB28
|-
|-
| FUSE_SPARE_BIT_9
| FUSE_OPT_RAM_WCT_TSMCDP_PO4HVT
| 0x7000FBA4
| 0x7000FB2C
|-
|-
| FUSE_SPARE_BIT_10
| FUSE_OPT_RAM_KP_TSMCDP_PO4HVT
| 0x7000FBA8
| 0x7000FB30
|-
|-
| FUSE_SPARE_BIT_11
|
| 0x7000FBAC
| 0x7000FB34
|-
|-
| FUSE_SPARE_BIT_12
| FUSE_OPT_GPU_TPC0_DISABLE_CP2
| 0x7000FBB0
| 0x7000FB38
|-
|-
| FUSE_SPARE_BIT_13
| FUSE_OPT_GPU_TPC1_DISABLE
| 0x7000FBB4
| 0x7000FB3C
|-
|-
| FUSE_SPARE_BIT_14
| FUSE_OPT_GPU_TPC1_DISABLE_CP1
| 0x7000FBB8
| 0x7000FB40
|-
|-
| FUSE_SPARE_BIT_15
| FUSE_OPT_GPU_TPC1_DISABLE_CP2
| 0x7000FBBC
| 0x7000FB44
|-
|-
| FUSE_SPARE_BIT_16
| FUSE_OPT_CPU_DISABLE_CP2
| 0x7000FBC0
| 0x7000FB48
|-
|-
| FUSE_SPARE_BIT_17
| FUSE_OPT_GPU_DISABLE_CP2
| 0x7000FBC4
| 0x7000FB4C
|-
|-
| FUSE_SPARE_BIT_18
| FUSE_USB_CALIB_EXT
| 0x7000FBC8
| 0x7000FB50
|-
|-
| FUSE_SPARE_BIT_19
| FUSE_RESERVED_FIELD
| 0x7000FBCC
| 0x7000FB54
|-
|-
| FUSE_SPARE_BIT_20
| FUSE_SPARE_REALIGNMENT_REG
| 0x7000FBD0
| 0x7000FB7C
|-
|-
| FUSE_SPARE_BIT_21
| FUSE_SPARE_BIT_0
| 0x7000FBD4
| 0x7000FB80
|-
|-
| FUSE_SPARE_BIT_22
| FUSE_SPARE_BIT_1
| 0x7000FBD8
| 0x7000FB84
|-
| FUSE_SPARE_BIT_2
| 0x7000FB88
|-
| FUSE_SPARE_BIT_3
| 0x7000FB8C
|-
|-
| FUSE_SPARE_BIT_23
| FUSE_SPARE_BIT_4
| 0x7000FBDC
| 0x7000FB90
|-
|-
| FUSE_SPARE_BIT_24
| FUSE_SPARE_BIT_5
| 0x7000FBE0
| 0x7000FB94
|-
|-
| FUSE_SPARE_BIT_25
| FUSE_SPARE_BIT_6
| 0x7000FBE4
| 0x7000FB98
|-
|-
| FUSE_SPARE_BIT_26
| FUSE_SPARE_BIT_7
| 0x7000FBE8
| 0x7000FB9C
|-
|-
| FUSE_SPARE_BIT_27
| FUSE_SPARE_BIT_8
| 0x7000FBEC
| 0x7000FBA0
|-
|-
| FUSE_SPARE_BIT_28
| FUSE_SPARE_BIT_9
| 0x7000FBF0
| 0x7000FBA4
|-
|-
| FUSE_SPARE_BIT_29
| FUSE_SPARE_BIT_10
| 0x7000FBF4
| 0x7000FBA8
|}
|-
| FUSE_SPARE_BIT_11
| 0x7000FBAC
|-
|-
| 0
| FUSE_SPARE_BIT_12
| RegulatorType
| 0x7000FBB0
|-
|-
| 0-1
| FUSE_SPARE_BIT_13
| Authentication (0 = AES_CMAC, 1 = PKC_RSA)
| 0x7000FBB4
|-
|-
| 2
| FUSE_SPARE_BIT_14
| Encryption (0 = DISABLE, 1 = ENABLE)
| 0x7000FBB8
|-
|-
| 3
| FUSE_SPARE_BIT_15
| Fuse encryption (0 = DISABLE, 1 = ENABLE)
| 0x7000FBBC
|-
|-
| 4-6
| FUSE_SPARE_BIT_16
| Fuse encryption select (0 = TEST_KEY, 1 = NVIDIA_KEY, 2 to 7 = OEM_KEY_1 to OEM_KEY_6)
| 0x7000FBC0
|}
|-
| FUSE_SPARE_BIT_17
| 0x7000FBC4
|-
|-
| enable_fuse_program
| FUSE_SPARE_BIT_18
| 0
| 0x7000FBC8
|-
|-
| disable_fuse_program
| FUSE_SPARE_BIT_19
| 0
| 0x7000FBCC
|-
|-
| bypass_fuses
| FUSE_SPARE_BIT_20
| 0
| 0x7000FBD0
|-
|-
| jtag_direct_access_disable
| FUSE_SPARE_BIT_21
| 0
| 0x7000FBD4
|-
|-
| production_mode
| FUSE_SPARE_BIT_22
| 0
| 0x7000FBD8
|-
|-
| jtag_secureid_valid
| FUSE_SPARE_BIT_23
| 0
| 0x7000FBDC
|-
|-
| odm_lock
| FUSE_SPARE_BIT_24
| 0
| 0x7000FBE0
|-
|-
| fa_mode
| FUSE_SPARE_BIT_25
| 0
| 0x7000FBE4
|-
|-
| security_mode
| FUSE_SPARE_BIT_26
| 0
| 0x7000FBE8
|-
|-
| arm_debug_dis
| FUSE_SPARE_BIT_27
| 0
| 0x7000FBEC
|-
|-
| obs_dis
| FUSE_SPARE_BIT_28
| 0
| 0x7000FBF0
|-
|-
| public_key0
| FUSE_SPARE_BIT_29
| 10
| 0x7000FBF4
| 11
|}
| 30-31
==== FUSE_KEK ====
Stores the 128-bit KEK (Key Encryption Key) encrypted with the FEK (Fuse Encryption Key) selected by [[#FUSE_RESERVED_PRODUCTION|FUSE_RESERVED_PRODUCTION]] and [[#FUSE_BOOT_SECURITY_INFO|FUSE_BOOT_SECURITY_INFO]].
Reads to these registers after [[#FUSE_PRIVATEKEYDISABLE|FUSE_PRIVATEKEYDISABLE]] is set produce all-FF output.
==== FUSE_BEK ====
Stores the 128-bit BEK (Boot Encryption Key) encrypted with the FEK (Fuse Encryption Key) selected by [[#FUSE_RESERVED_PRODUCTION|FUSE_RESERVED_PRODUCTION]] and [[#FUSE_BOOT_SECURITY_INFO|FUSE_BOOT_SECURITY_INFO]].
Reads to these registers after [[#FUSE_PRIVATEKEYDISABLE|FUSE_PRIVATEKEYDISABLE]] is set produce all-FF output.
==== FUSE_RESERVED_PRODUCTION ====
{| class="wikitable" border="1"
! Bits
! Description
|-
|-
| public_key0
| 0-1
| Reserved
| 0-29
|-
|-
| public_key1
| 2
| 12
| FEK bank select
| 13
|}
| 30-31
==== FUSE_OPT_NVJTAG_PROTECTION_ENABLE ====
Controls the NVJTAG protection feature. If enabled, this will permanently disable access to all DFT (Design for Test) functions which include the ability put the chip in FA (Failure Analysis) mode.
==== FUSE_RESERVED_ODM28 ====
{| class="wikitable" border="1"
! Bits
! Description
|-
|-
| public_key1
| 0
| 14
| RegulatorType
| 15
|}
| 0-29
==== FUSE_BOOT_SECURITY_INFO ====
{| class="wikitable" border="1"
! Bits
! Description
|-
|-
| public_key2
| 0-1
| Authentication (0 = AES_CMAC, 1 = PKC_RSA)
| 30-31
|-
|-
| public_key2
| 2
| Encryption (0 = DISABLE, 1 = ENABLE)
| 0-29
|-
|-
| public_key3
| 3
| 16
| Fuse encryption (0 = DISABLE, 1 = ENABLE)
|-
|-
| public_key3
| 4-6
| Fuse encryption select (0 = TEST_KEY, 1 = NVIDIA_KEY, 2 to 7 = OEM_KEY_0 to OEM_KEY_5)
| 0-29
|-
|-
| public_key4
| 7
| 18
| SE atomic context save (0 = DISABLE, 1 = ENABLE)
| 19
|}
| 30-31
Stores configuration values for the new boot security mechanism.
Mariko units have authentication set to PKC_RSA, encryption enabled, fuse encryption enabled and fuse encryption select set to OEM_KEY_0 (development units) or OEM_KEY_1 (production units).
= Bitmap =
The actual hardware fuses are stored in a bitmap and may be programmed through the fuse driver after enabling fuse programming.
Fuse numbers are relative to the start of the fuse bitmap where each element is a 4 byte word and has a redundant alias. A single fuse write operation must always write the same value to '''fuse_bitmap + ((fuse_number + 0) << 2)''' (PRIMARY_ALIAS) and '''fuse_bitmap + ((fuse_number + 1) << 2)''' (REDUNDANT_ALIAS). However, spare bits and all fuses afterwards in the fuse bitmap, no longer have a redundant alias.
== Erista ==
{| class="wikitable" border="1"
! Name
! Number
! Redundant number
! Bits
|-
|-
| public_key4
| enable_fuse_program
| 20
| 0
| 21
| 1
| 0-29
| 0
|-
|-
| public_key5
| disable_fuse_program
| 20
| 0
| 21
| 1
| 30-31
| 1
|-
|-
| public_key5
| bypass_fuses
| 22
| 0
| 23
| 1
| 0-29
| 2
|-
|-
| public_key6
| jtag_direct_access_disable
| 22
| 0
| 23
| 1
| 30-31
| 3
|-
|-
| public_key6
| production_mode
| 24
| 0
| 25
| 1
| 0-29
| 4
|-
|-
| public_key7
| jtag_secureid_valid
| 24
| 0
| 25
| 1
| 30-31
| 5
|-
|-
| public_key7
| odm_lock
| 26
| 0
| 27
| 1
| 0-29
| 6-9
|-
|-
| private_key0
| fa_mode
| 34
| 0
| 35
| 1
| 12-31
| 10
|-
|-
| private_key0
| security_mode
| 36
| 0
| 37
| 1
| 0-11
| 11
|-
|-
| private_key1
| arm_debug_dis
| 36
| 0
| 37
| 1
| 12-31
| 12
|-
|-
| private_key1
| obs_dis
| 38
| 0
| 39
| 1
| 0-11
| 13
|-
|-
| private_key2
| public_key0
| 38
| 10
| 39
| 11
| 12-31
| 30-31
|-
|-
| private_key2
| public_key0
| 40
| 12
| 41
| 13
| 0-11
| 0-29
|-
|-
| private_key3
| public_key1
| 40
| 12
| 41
| 13
| 12-31
| 30-31
|-
|-
| private_key3
| public_key1
| 42
| 14
| 43
| 15
| 0-11
| 0-29
|-
|-
| private_key4
| public_key2
| 42
| 14
| 43
| 15
| 12-31
| 30-31
|-
|-
| private_key4
| public_key2
| 44
| 16
| 45
| 17
| 0-11
| 0-29
|-
|-
| boot_device_info
| public_key3
| 44
| 16
| 45
| 17
| 12-27
| 30-31
|-
|-
| reserved_sw
| public_key3
| 44
| 18
| 45
| 19
| 28-31
| 0-29
|-
|-
| reserved_sw
| public_key4
| 46
| 18
| 47
| 19
| 0-3
| 30-31
|-
|-
| reserved_odm0
| public_key4
| 46
| 20
| 47
| 21
| 5-31
| 0-29
|-
|-
| reserved_odm0
| public_key5
| 48
| 20
| 49
| 21
| 0-4
| 30-31
|-
|-
| reserved_odm1
| public_key5
| 48
| 22
| 49
| 23
| 5-31
| 0-29
|-
|-
| reserved_odm1
| public_key6
| 50
| 22
| 51
| 23
| 0-4
| 30-31
|-
|-
| reserved_odm2
| public_key6
| 50
| 24
| 51
| 25
| 5-31
| 0-29
|-
|-
| reserved_odm2
| public_key7
| 52
| 24
| 53
| 25
| 0-4
| 30-31
|-
|-
| reserved_odm3
| public_key7
| 52
| 26
| 53
| 27
| 5-31
| 0-29
|-
|-
| reserved_odm3
| private_key0
| 54
| 34
| 55
| 35
| 0-4
| 12-31
|-
|-
| reserved_odm4
| private_key0
| 54
| 36
| 55
| 37
| 5-31
| 0-11
|-
|-
| reserved_odm4
| private_key1
| 56
| 36
| 57
| 37
| 0-4
| 12-31
|-
|-
| reserved_odm5
| private_key1
| 56
| 38
| 57
| 39
| 5-31
| 0-11
|-
|-
| reserved_odm5
| private_key2
| 58
| 38
| 59
| 39
| 0-4
| 12-31
|-
|-
| [[#reserved_odm6|reserved_odm6]]
| private_key2
| 58
| 40
| 59
| 41
| 5-31
| 0-11
|-
|-
| [[#reserved_odm6|reserved_odm6]]
| private_key3
| 60
| 40
| 61
| 41
| 0-4
| 12-31
|-
|-
| [[#reserved_odm7|reserved_odm7]]
| private_key3
| 60
| 42
| 61
| 43
| 5-31
| 0-11
|-
|-
| [[#reserved_odm7|reserved_odm7]]
| private_key4
| 62
| 42
| 63
| 43
| 0-4
| 12-31
|-
|-
| kfuse_privkey_ctrl
| private_key4
| 64
| 44
| 65
| 45
| 13-14
| 0-11
|-
|-
| package_info
| boot_device_info
| 64
| 44
| 65
| 45
| 15-18
| 12-27
|-
|-
| opt_vendor_code
| reserved_sw
| 64
| 44
| 65
| 45
| 19-22
| 28-31
|-
|-
| opt_fab_code
| reserved_sw
| 64
| 46
| 65
| 47
| 23-28
| 0-3
|-
|-
| opt_lot_code_0
| reserved_odm0
| 64
| 46
| 65
| 47
| 29-31
| 5-31
|-
|-
| opt_lot_code_0
| reserved_odm0
| 66
| 48
| 67
| 49
| 0-28
| 0-4
|-
|-
| opt_lot_code_1
| reserved_odm1
| 66
| 48
| 67
| 49
| 29-31
| 5-31
|-
|-
| opt_lot_code_1
| reserved_odm1
| 68
| 50
| 69
| 51
| 0-24
| 0-4
|-
|-
| opt_wafer_id
| reserved_odm2
| 68
| 50
| 69
| 51
| 25-30
| 5-31
|-
|-
| opt_x_coordinate
| reserved_odm2
| 68
| 52
| 69
| 53
| 31
| 0-4
|-
|-
| opt_x_coordinate
| reserved_odm3
| 70
| 52
| 71
| 53
| 0-7
| 5-31
|-
|-
| opt_y_coordinate
| reserved_odm3
| 70
| 54
| 71
| 55
| 8-16
| 0-4
|-
|-
| opt_sec_debug_en
| reserved_odm4
| 70
| 54
| 71
| 55
| 17
| 5-31
|-
|-
| opt_ops_reserved
| reserved_odm4
| 70
| 56
| 71
| 57
| 18-23
| 0-4
|-
|-
| sata_calib
| reserved_odm5
| 70
| 56
| 71
| 57
| 24-25
| 5-31
|-
|-
| opt_priv_sec_en
| reserved_odm5
| 90
| 58
| 91
| 59
| 8
| 0-4
|-
|-
| pkc_disable
| [[#reserved_odm6|reserved_odm6]]
| 90
| 58
| 91
| 59
| 9
| 5-31
|-
|-
| fuse2tsec_debug_disable
| [[#reserved_odm6|reserved_odm6]]
| 90
| 60
| 91
| 61
| 10
| 0-4
|-
|-
| secure_provision_index
| [[#reserved_odm7|reserved_odm7]]
| 90
| 60
| 91
| 61
| 24-27
| 5-31
|-
|-
| secure_provision_info
| [[#reserved_odm7|reserved_odm7]]
| 90
| 62
| 91
| 63
| 28-29
| 0-4
|-
|-
| spare_bit_0
| kfuse_privkey_ctrl
| 100
| 64
| None
| 65
| 16
| 13-14
|-
|-
| spare_bit_1
| package_info
| 100
| 64
| None
| 65
| 17
| 15-18
|-
|-
| spare_bit_2
| opt_vendor_code
| 100
| 64
| None
| 65
| 18
| 19-22
|-
|-
| spare_bit_3
| opt_fab_code
| 100
| 64
| None
| 65
| 19
| 23-28
|-
|-
| spare_bit_4
| opt_lot_code_0
| 100
| 64
| None
| 65
| 20
| 29-31
|-
|-
| spare_bit_5
| opt_lot_code_0
| 100
| 66
| None
| 67
| 21
| 0-28
|-
|-
| spare_bit_6
| opt_lot_code_1
| 100
| 66
| None
| 67
| 22
| 29-31
|-
|-
| spare_bit_7
| opt_lot_code_1
| 100
| 68
| None
| 69
| 23
| 0-24
|-
|-
| spare_bit_8
| opt_wafer_id
| 100
| 68
| None
| 69
| 24
| 25-30
|-
|-
| spare_bit_9
| opt_x_coordinate
| 100
| 68
| None
| 69
| 25
| 31
|-
|-
| spare_bit_10
| opt_x_coordinate
| 100
| 70
| None
| 71
| 26
| 0-7
|-
|-
| spare_bit_11
| opt_y_coordinate
| 100
| 70
| None
| 71
| 27
| 8-16
|-
|-
| spare_bit_12
| opt_sec_debug_en
| 100
| 70
| None
| 71
| 28
| 17
|-
|-
| spare_bit_13
| opt_ops_reserved
| 100
| 70
| None
| 71
| 29
| 18-23
|-
|-
| spare_bit_14
| sata_calib
| 100
| 70
| None
| 71
| 30
| 24-25
|-
| opt_priv_sec_en
| 90
| 91
| 8
|-
| pkc_disable
| 90
| 91
| 9
|-
| fuse2tsec_debug_disable
| 90
| 91
| 10
|-
| secure_provision_index
| 90
| 91
| 24-27
|-
| secure_provision_info
| 90
| 91
| 28-29
|-
|-
| spare_bit_15
| spare_bit_0
| 100
| 100
| None
| None
| 31
| 16
|-
|-
| spare_bit_16
| spare_bit_1
| 101
| 100
| None
| None
| 16
| 17
|-
|-
| spare_bit_17
| spare_bit_2
| 101
| 100
| None
| None
| 18
| 18
|-
|-
| spare_bit_19
| spare_bit_3
| 101
| 100
| None
| None
| 19
| 19
|-
|-
| spare_bit_20
| spare_bit_4
| 101
| 100
| None
| None
| 20
| 20
|-
|-
| spare_bit_21
| spare_bit_5
| 101
| 100
| None
| None
| 21
| 21
|-
|-
| spare_bit_22
| spare_bit_6
| 101
| 100
| None
| None
| 22
| 22
|-
|-
| spare_bit_23
| spare_bit_7
| 101
| 100
| None
| None
| 23
| 23
|-
|-
| spare_bit_24
| spare_bit_8
| 101
| 100
| None
| None
| 24
| 24
|-
|-
| spare_bit_25
| spare_bit_9
| 101
| 100
| None
| None
| 25
| 25
|-
|-
| spare_bit_26
| spare_bit_10
| 101
| 100
| None
| None
| 26
| 26
|-
|-
| spare_bit_27
| spare_bit_11
| 101
| 100
| None
| None
| 27
| 27
|-
|-
| spare_bit_28
| spare_bit_12
| 101
| 100
| None
| None
| 28
| 28
|-
|-
| spare_bit_29
| spare_bit_13
| 101
| 100
| None
| None
| 29
| 29
|-
|-
| spare_bit_30
| spare_bit_14
| 101
| 100
| None
| None
| 30
| 30
|-
|-
| spare_bit_31
| spare_bit_15
| 101
| 100
| None
| None
| 31
| 31
|-
|-
| aid
| spare_bit_16
| 103
| 101
| None
| None
| 2-31
| 16
|-
|-
| aid
| spare_bit_17
| 104
| 101
| None
| None
| 0-1
| 17
|-
|-
| reshift_records
| spare_bit_18
| 106
| 101
| None
| 18
|-
| spare_bit_19
| 101
| None
| 19
|-
| spare_bit_20
| 101
| None
| None
| 0-192
| 20
|-
|-
| [[#irom_patch|irom_patch]]
| spare_bit_21
| 112
| 101
| None
| None
| 0-2560
| 21
|}
|-
| spare_bit_22
| 101
| None
| 22
|-
| spare_bit_23
| 101
| None
| 23
|-
| spare_bit_24
| 101
| None
| 24
|-
| spare_bit_25
| 101
| None
| 25
|-
| spare_bit_26
| 101
| None
| 26
|-
| spare_bit_27
| 101
| None
RAM:00000000 ; 11: 0x1e952001 0x00103d2a 0x00002001 : movs r0, #0x01
| 27
|-
| spare_bit_28
RAM:00000000 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)
| 101
RAM:00000000 ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)
| None
RAM:00000000 ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)
| 28
RAM:00000000 ; 3: 0x7d9e2000 0x0010fb3c 0x00002000 : movs r0, #0x00
|-
RAM:00000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)
| spare_bit_29
RAM:00000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)
| 101
RAM:00000000 ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)
| None
RAM:00000000 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)
| 29
RAM:00000000 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)
|-
RAM:00000000 ; 9: 0xbba2ac57 0x00117744 0x0000ac57 : data
| spare_bit_30
RAM:00000000 ; 10: 0xbbac3d19 0x00117758 0x00003d19 : data
| 101
RAM:00000000 ; 11: 0x1e952001 0x00103d2a 0x00002001 : movs r0, #0x01
| None
RAM:00000004 MOV R2, LR
| 30
RAM:00000008 SUB R2, R2, #2
|-
| spare_bit_31
RAM:00000010 AND R2, R2, #0xFF
| 101
RAM:00000014 MOV R2, R2,LSL#1
| None
| 31
RAM:0000001C LDR R1, =0x1007F8
|-
| aid
RAM:00000024 LDR R0, =0x40004C30
| 103
RAM:00000028 ADD R0, R0, R1
| None
| 2-31
|-
RAM:00000034 LDMFD SP!, {R0,R1}
| aid
| 104
RAM:00000038 ; End of function irom_svc_dispatch
| None
RAM:00000038
| 0-1
RAM:00000038 ; ---------------------------------------------------------------------------
|-
| reshift_records
RAM:00000040 dword_40 DCD 0x1007F8 ; DATA XREF: irom_svc_dispatch+1C↑r
| 106
RAM:00000044 dword_44 DCD 0x40004C30 ; DATA XREF: irom_svc_dispatch+24↑r
| None
RAM:00000048 CODE16
| 0-192
RAM:00000048
|-
RAM:00000048 ; =============== S U B R O U T I N E =======================================
| [[#irom_patch|irom_patch]]
RAM:00000048
| 112
RAM:00000048
| None
RAM:00000048 sub_48
| 0-2560
RAM:00000048 MOVS R2, #0 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)
|}
RAM:0000004A MVNS R2, R2
RAM:0000004C LDR R1, =0x60006410
=== reserved_odm6 ===
RAM:0000004E STR R2, [R1,#0x30]
Used for [[#Anti-downgrade|anti-downgrade]] control.
=== reserved_odm7 ===
Used for [[#Anti-downgrade|anti-downgrade]] control.
RAM:00000056 STR R2, [R1,#4]
RAM:00000058 LDR R1, =0x60006284
=== irom_patch ===
RAM:0000005A STR R2, [R1]
Bootrom patches are burned to the hardware fuse bitmap using a specific format (see [https://gist.github.com/hexkyz/98c28e292597d8fc7bef7a2200e792d7 ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP.
RAM:0000005C STR R2, [R1,#0x18]
The following represents the patch data dumped from a Switch console:
<syntaxhighlight>
RAM:00000000 ; =============== S U B R O U T I N E =======================================
RAM:00000064 STR R2, [R1,#8]
RAM:00000000
RAM:00000066 STR R2, [R1,#0x10]
RAM:00000000
RAM:00000068 ADDS R1, #0x80
RAM:00000000 irom_svc_dispatch
RAM:0000006A STR R2, [R1]
RAM:00000000 STMFD SP!, {R0-R2} ; ipatches (new):
RAM:0000006C STR R2, [R1,#4]
RAM:00000000 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)
RAM:0000006E LDR R1, =0x60006554
RAM:00000000 ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)
RAM:00000070 STR R2, [R1]
RAM:00000000 ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)
RAM:00000072 MOVS R2, #0xA0000000
RAM:00000000 ; 3: 0x3b4d2100 0x0010769a 0x00002100 : movs r1, #0x00
RAM:00000076 LDR R1, =0x60006148
RAM:00000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)
RAM:00000078 STR R2, [R1]
RAM:00000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)
RAM:0000007A ADDS R1, #0x38 ; '8'
RAM:00000000 ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)
RAM:00000000 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)
RAM:0000007E MOVS R2, #0xE0000000
RAM:00000000 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)
RAM:00000082 LDR R1, =0x600066A0
RAM:00000000 ; 9: 0xbba2ac57 0x00117744 0x0000ac57 : data
RAM:00000084 STR R2, [R1]
RAM:00000000 ; 10: 0xbbac3d19 0x00117758 0x00003d19 : data
RAM:00000086 MOVS R1, #0
RAM:00000000 ; 11: 0x1e952001 0x00103d2a 0x00002001 : movs r0, #0x01
RAM:00000088 MOVS R0, #0xE
RAM:00000000 ;
RAM:0000008A B pop_r2_mov_pc_lr
RAM:00000000 ; ipatches (old):
RAM:0000008A ; End of function sub_48
RAM:00000000 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)
RAM:0000008A
RAM:00000000 ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)
RAM:0000008C
RAM:00000000 ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)
RAM:00000000 ; 3: 0x7d9e2000 0x0010fb3c 0x00002000 : movs r0, #0x00
RAM:0000008C
RAM:00000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)
RAM:00000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)
RAM:00000000 ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)
RAM:00000000 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)
RAM:0000008E MOVS R2, #1
RAM:00000000 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)
RAM:00000090 ORRS R0, R2
RAM:00000000 ; 9: 0xbba2ac57 0x00117744 0x0000ac57 : data
RAM:00000092 B pop_r2_mov_pc_lr
RAM:00000000 ; 10: 0xbbac3d19 0x00117758 0x00003d19 : data
RAM:00000092 ; End of function sub_8C
RAM:00000000 ; 11: 0x1e952001 0x00103d2a 0x00002001 : movs r0, #0x01
RAM:00000092
RAM:00000004 MOV R2, LR
RAM:00000094
RAM:00000008 SUB R2, R2, #2
RAM:00000094 ; =============== S U B R O U T I N E =======================================
RAM:0000000C LDR R2, [R2]
RAM:00000094
RAM:00000010 AND R2, R2, #0xFF
RAM:00000094
RAM:00000014 MOV R2, R2,LSL#1
RAM:00000094 sub_94
RAM:00000018 LDR R0, =0x1007B0
RAM:00000094 LDR R2, [R4,#0x50] ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)
RAM:0000001C LDR R1, =0x1007F8
RAM:00000096 ADDS R2, R2, #2
RAM:00000020 SUB R1, R1, R0
RAM:00000098 STR R2, [R4,#0x50]
RAM:00000024 LDR R0, =0x40004C30
RAM:0000009A SUBS R1, #0x80
RAM:00000028 ADD R0, R0, R1
RAM:0000009C STR R1, [R4,#0x34]
RAM:0000002C ADD R2, R2, R0
RAM:00000030 ORR R2, R2, #1
RAM:00000034 LDMFD SP!, {R0,R1}
RAM:0000009E
RAM:00000038 BX R2
RAM:000000A0
RAM:00000038 ; End of function irom_svc_dispatch
RAM:000000A0 ; =============== S U B R O U T I N E =======================================
RAM:00000038
RAM:000000A0
RAM:00000038 ; ---------------------------------------------------------------------------
RAM:000000A0
RAM:0000003C dword_3C DCD 0x1007B0 ; DATA XREF: irom_svc_dispatch+18↑r
RAM:000000A0 sub_A0
RAM:00000040 dword_40 DCD 0x1007F8 ; DATA XREF: irom_svc_dispatch+1C↑r
RAM:000000A0
RAM:00000044 dword_44 DCD 0x40004C30 ; DATA XREF: irom_svc_dispatch+24↑r
RAM:00000048 CODE16
RAM:00000048
RAM:000000A0 MOVS R0, #0x70000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)
RAM:00000048 ; =============== S U B R O U T I N E =======================================
RAM:000000A4 LDR R6, =dword_7000EF14
RAM:00000048
RAM:000000A6 LDR R2, =dword_7000E5B4
RAM:00000048
RAM:000000A8 LDR R2, [R2]
RAM:00000048 sub_48
RAM:00000048 MOVS R2, #0 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)
RAM:000000AC BEQ loc_B4
RAM:0000004A MVNS R2, R2
RAM:000000AE LDR R2, [R6]
RAM:0000004C LDR R1, =0x60006410
RAM:000000B0 STR R2, [R0,#8]
RAM:0000004E STR R2, [R1,#0x30]
RAM:000000B2 B loc_BC
RAM:00000050 STR R2, [R1,#0x38]
RAM:000000B4 ; ---------------------------------------------------------------------------
RAM:00000052 LDR R1, =0x600060F8
RAM:000000B4
RAM:00000054 STR R2, [R1]
RAM:000000B4 loc_B4 ; CODE XREF: sub_A0+C↑j
RAM:00000056 STR R2, [R1,#4]
RAM:000000B4 LDR R2, [R0,#8]
RAM:00000058 LDR R1, =0x60006284
RAM:000000B6 LSRS R0, R0, #0x12
RAM:0000005A STR R2, [R1]
RAM:000000B8 ORRS R2, R0
RAM:0000005C STR R2, [R1,#0x18]
RAM:000000BA STR R2, [R6]
RAM:0000005E ADDS R1, #0x80
RAM:00000060 ADDS R1, #0x1C
RAM:00000062 STR R2, [R1]
RAM:000000BC LDR R6, =dword_7000E9C0
RAM:00000064 STR R2, [R1,#8]
RAM:000000BE LDR R0, [R6]
RAM:00000066 STR R2, [R1,#0x10]
RAM:000000C0 MOVS R2, #0x4000
RAM:00000068 ADDS R1, #0x80
RAM:000000C4 ORRS R2, R0
RAM:0000006A STR R2, [R1]
RAM:000000C6 STR R2, [R6]
RAM:0000006C STR R2, [R1,#4]
RAM:000000C8 LDR R0, [R5,#0x10]
RAM:0000006E LDR R1, =0x60006554
RAM:000000CA B pop_r2_mov_pc_lr
RAM:00000070 STR R2, [R1]
RAM:000000CA ; End of function sub_A0
RAM:00000072 MOVS R2, #0xA0000000
RAM:00000076 LDR R1, =0x60006148
RAM:00000078 STR R2, [R1]
RAM:0000007A ADDS R1, #0x38 ; '8'
RAM:000000CC
RAM:0000007C STR R2, [R1]
RAM:000000CC
RAM:0000007E MOVS R2, #0xE0000000
RAM:00000082 LDR R1, =0x600066A0
RAM:000000CC MOVS R2, #0xF000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)
RAM:00000084 STR R2, [R1]
RAM:000000D0 BICS R1, R2
RAM:00000086 MOVS R1, #0
RAM:000000D2 STR R1, [R4,#0x10]
RAM:00000088 MOVS R0, #0xE
RAM:000000D4 LDR R1, [R4,#0x50]
RAM:0000008A B pop_r2_mov_pc_lr
RAM:000000D6 MOVS R2, #7
RAM:0000008A ; End of function sub_48
RAM:000000D8 BICS R1, R2
RAM:0000008A
RAM:000000DA STR R1, [R4,#0x50]
RAM:0000008C
RAM:000000DC B pop_r2_mov_pc_lr
RAM:0000008C ; =============== S U B R O U T I N E =======================================
RAM:000000DC ; End of function sub_CC
RAM:0000008C
RAM:000000DC
RAM:0000008C
RAM:000000DE
RAM:0000008C sub_8C
RAM:0000008C LDR R0, [R1,#0x18] ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)
RAM:000000DE
RAM:0000008E MOVS R2, #1
RAM:000000DE
RAM:00000090 ORRS R0, R2
RAM:000000DE sub_DE
RAM:00000092 B pop_r2_mov_pc_lr
RAM:000000DE LDR R2, =dword_7000FA9C ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)
RAM:00000092 ; End of function sub_8C
RAM:000000E0 LDR R2, [R2]
RAM:00000092
RAM:000000E2 LSRS R2, R2, #8
RAM:00000094
RAM:000000E4 LSLS R2, R2, #1
RAM:00000094 ; =============== S U B R O U T I N E =======================================
RAM:000000E6 LDR R1, [R4]
RAM:00000094
RAM:000000E8 BICS R1, R2
RAM:00000094
RAM:000000EA STR R1, [R4]
RAM:00000094 sub_94
RAM:000000EC CMP R0, #0
RAM:00000094 LDR R2, [R4,#0x50] ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)
RAM:00000096 ADDS R2, R2, #2
RAM:000000EE ; End of function sub_DE
RAM:00000098 STR R2, [R4,#0x50]
RAM:000000EE
RAM:0000009A SUBS R1, #0x80
RAM:000000F0
RAM:0000009C STR R1, [R4,#0x34]
RAM:000000F0 ; =============== S U B R O U T I N E =======================================
RAM:0000009E B pop_r2_mov_pc_lr
RAM:000000F0
RAM:0000009E ; End of function sub_94
RAM:000000F0
RAM:0000009E
RAM:000000F0 sub_F0
RAM:000000A0
RAM:000000F0
RAM:000000A0 ; =============== S U B R O U T I N E =======================================
RAM:000000A0
RAM:000000A0
RAM:000000A0 sub_A0
RAM:000000F2 LDR R2, [R0]
RAM:000000A0
RAM:000000F4 STR R2, [SP,#arg_0]
RAM:000000A0 ; FUNCTION CHUNK AT RAM:00000148 SIZE 00000004 BYTES
RAM:000000F6 LDR R0, =0x40010000
RAM:000000A0
RAM:000000A0 MOVS R0, #0x70000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)
RAM:000000FA BEQ pop_r2_mov_pc_lr ; if ([0x400049F0] >> 17) == 0) {
RAM:000000A4 LDR R6, =dword_7000EF14
RAM:000000FA ; r2 = [0x400049F0];
RAM:000000A6 LDR R2, =dword_7000E5B4
RAM:000000FA ; } else {
RAM:000000A8 LDR R2, [R2]
RAM:000000AA CMP R2, #0
RAM:000000FE STR R4, [R0] ; write APBDEV_PMC_CNTRL
RAM:000000AC BEQ loc_B4
RAM:00000100
RAM:000000AE LDR R2, [R6]
RAM:00000100 loc_100 ; CODE XREF: sub_F0:loc_100↓j
RAM:000000B0 STR R2, [R0,#8]
RAM:00000100 B loc_100 ; hang
RAM:000000B2 B loc_BC
RAM:00000100 ; End of function sub_F0 ; }
RAM:000000B4 ; ---------------------------------------------------------------------------
RAM:000000B4
RAM:000000B4 loc_B4 ; CODE XREF: sub_A0+C↑j
RAM:000000B4 LDR R2, [R0,#8]
RAM:00000102
RAM:000000B6 LSRS R0, R0, #0x12
RAM:00000102
RAM:000000B8 ORRS R2, R0
RAM:00000102 sub_102
RAM:000000BA STR R2, [R6]
RAM:00000102
RAM:000000BC
RAM:00000102 arg_0= 0
RAM:000000BC loc_BC ; CODE XREF: sub_A0+12↑j
RAM:00000102
RAM:000000BC LDR R6, =dword_7000E9C0
RAM:00000102 LDR R2, =0x40010220 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)
RAM:000000BE LDR R0, [R6]
RAM:00000104 STR R2, [SP,#arg_0] ; set r2 retval = [0x40010220]
RAM:000000C0 MOVS R2, #0x4000
RAM:000000C4 ORRS R2, R0
RAM:00000108 ADDS R0, #0xFC
RAM:000000C6 STR R2, [R6]
RAM:0000010A STR R2, [R0,#0x1C] ; [r0+0x118] = [0x40010220 + 0x18]
RAM:000000C8 LDR R0, [R5,#0x10]
RAM:0000010C B pop_r2_mov_pc_lr
RAM:000000CA B pop_r2_mov_pc_lr
RAM:0000010C ; End of function sub_102
RAM:000000CA ; End of function sub_A0
RAM:0000010C
RAM:000000CA
RAM:0000010C ; ---------------------------------------------------------------------------
RAM:000000CC
RAM:0000010E DCB 0
RAM:000000CC ; =============== S U B R O U T I N E =======================================
RAM:0000010F DCB 0
RAM:000000CC
RAM:000000CC
RAM:000000CC sub_CC
RAM:000000CC MOVS R2, #0xF000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)
RAM:0000011C off_11C DCD 0x60006554 ; DATA XREF: sub_48+26↑r
RAM:000000D0 BICS R1, R2
RAM:00000120 off_120 DCD 0x60006148 ; DATA XREF: sub_48+2E↑r
RAM:000000D2 STR R1, [R4,#0x10]
RAM:00000124 off_124 DCD 0x600066A0 ; DATA XREF: sub_48+3A↑r
RAM:000000D4 LDR R1, [R4,#0x50]
RAM:00000128 off_128 DCD dword_7000EF14 ; DATA XREF: sub_A0+4↑r
RAM:000000D6 MOVS R2, #7
RAM:0000012C off_12C DCD dword_7000E5B4 ; DATA XREF: sub_A0+6↑r
RAM:000000D8 BICS R1, R2
RAM:00000130 off_130 DCD dword_7000E9C0 ; DATA XREF: sub_A0:loc_BC↑r
RAM:000000DA STR R1, [R4,#0x50]
RAM:00000134 off_134 DCD dword_7000FA9C ; DATA XREF: sub_DE↑r
RAM:000000DC B pop_r2_mov_pc_lr
RAM:00000138 off_138 DCD 0x400049F0 ; DATA XREF: sub_F0↑r
RAM:000000DC ; End of function sub_CC
RAM:0000013C dword_13C DCD 0x40010000 ; DATA XREF: sub_F0+6↑r
RAM:000000DC
RAM:00000140 off_140 DCD APBDEV_PMC_CNTRL_0 ; DATA XREF: sub_F0+C↑r
RAM:000000DE
RAM:000000DE ; =============== S U B R O U T I N E =======================================
RAM:000000DE
RAM:00000148 ; START OF FUNCTION CHUNK FOR sub_A0
RAM:000000DE
RAM:00000148
RAM:000000DE sub_DE
RAM:00000148 pop_r2_mov_pc_lr ; CODE XREF: sub_48+42↑j
RAM:000000DE LDR R2, =dword_7000FA9C ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)
RAM:00000148 ; sub_8C+6↑j ...
RAM:000000E0 LDR R2, [R2]
RAM:00000148 POP {R2}
RAM:000000E2 LSRS R2, R2, #8
RAM:0000014A MOV PC, LR
RAM:000000E4 LSLS R2, R2, #1
RAM:0000014A ; END OF FUNCTION CHUNK FOR sub_A0
RAM:000000E6 LDR R1, [R4]
RAM:000000E8 BICS R1, R2
RAM:000000EA STR R1, [R4]
RAM:000000EC CMP R0, #0
RAM:000000EE B pop_r2_mov_pc_lr
RAM:000000EE ; End of function sub_DE
RAM:000000EE
RAM:000000F0
RAM:000000F0 ; =============== S U B R O U T I N E =======================================
RAM:000000F0
RAM:000000F0
RAM:000000F0 sub_F0
RAM:000000F0
RAM:000000F0 arg_0= 0
RAM:000000F0
RAM:000000F0 LDR R0, =0x400049F0 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)
RAM:000000F2 LDR R2, [R0]
RAM:000000F4 STR R2, [SP,#arg_0]
RAM:000000F6 LDR R0, =0x40010000
RAM:000000F8 LSRS R2, R2, #17
RAM:000000FA BEQ pop_r2_mov_pc_lr ; if ([0x400049F0] >> 17) == 0) {
RAM:000000FA ; r2 = [0x400049F0];
RAM:000000FA ; } else {
RAM:000000FC LDR R0, =APBDEV_PMC_CNTRL_0
RAM:000000FE STR R4, [R0] ; write APBDEV_PMC_CNTRL
RAM:00000100
RAM:00000100 loc_100 ; CODE XREF: sub_F0:loc_100↓j
RAM:00000100 B loc_100 ; hang
RAM:00000100 ; End of function sub_F0 ; }
RAM:00000100
RAM:00000102
RAM:00000102 ; =============== S U B R O U T I N E =======================================
RAM:00000102
RAM:00000102
RAM:00000102 sub_102
RAM:00000102
RAM:00000102 arg_0= 0
RAM:00000102
RAM:00000102 LDR R2, =0x40010220 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)
RAM:00000104 STR R2, [SP,#arg_0] ; set r2 retval = [0x40010220]
RAM:00000106 LDR R2, [R2,#0x18]
RAM:00000108 ADDS R0, #0xFC
RAM:0000010A STR R2, [R0,#0x1C] ; [r0+0x118] = [0x40010220 + 0x18]
RAM:0000010C B pop_r2_mov_pc_lr
RAM:0000010C ; End of function sub_102
RAM:0000010C
RAM:0000010C ; ---------------------------------------------------------------------------
RAM:0000010E DCB 0
RAM:0000010F DCB 0
RAM:00000110 off_110 DCD 0x60006410 ; DATA XREF: sub_48+4↑r
RAM:00000114 off_114 DCD 0x600060F8 ; DATA XREF: sub_48+A↑r
RAM:00000118 off_118 DCD 0x60006284 ; DATA XREF: sub_48+10↑r
RAM:0000011C off_11C DCD 0x60006554 ; DATA XREF: sub_48+26↑r
RAM:00000120 off_120 DCD 0x60006148 ; DATA XREF: sub_48+2E↑r
RAM:00000124 off_124 DCD 0x600066A0 ; DATA XREF: sub_48+3A↑r
RAM:00000128 off_128 DCD dword_7000EF14 ; DATA XREF: sub_A0+4↑r
RAM:0000012C off_12C DCD dword_7000E5B4 ; DATA XREF: sub_A0+6↑r
RAM:00000130 off_130 DCD dword_7000E9C0 ; DATA XREF: sub_A0:loc_BC↑r
RAM:00000134 off_134 DCD dword_7000FA9C ; DATA XREF: sub_DE↑r
RAM:00000138 off_138 DCD 0x400049F0 ; DATA XREF: sub_F0↑r
RAM:0000013C dword_13C DCD 0x40010000 ; DATA XREF: sub_F0+6↑r
RAM:00000140 off_140 DCD APBDEV_PMC_CNTRL_0 ; DATA XREF: sub_F0+C↑r
RAM:00000144 off_144 DCD 0x40010220 ; DATA XREF: sub_102↑r
RAM:00000148 ; ---------------------------------------------------------------------------
RAM:00000148 ; START OF FUNCTION CHUNK FOR sub_A0
RAM:00000148
RAM:00000148 pop_r2_mov_pc_lr ; CODE XREF: sub_48+42↑j
RAM:00000148 ; sub_8C+6↑j ...
RAM:00000148 POP {R2}
RAM:0000014A MOV PC, LR
RAM:0000014A ; END OF FUNCTION CHUNK FOR sub_A0
</syntaxhighlight>
</syntaxhighlight>
The last 4 patches are exclusive to the Switch, while the remaining ones are often included in most Tegra210 based devices.
==== IROM patch 0 ====
This patch configures clock enables and clock gate overrides for new hardware.
<syntaxhighlight lang="c">
<syntaxhighlight lang="c">
u32 APBDEV_PMC_SCRATCH190_0 = 0x7000EC18;
u32 CLK_ENB_H_SET = 0x60006328;
u32 pmc_scratch190_val = *(u32 *)APBDEV_PMC_SCRATCH190_0;
u32 CLK_ENB_L_SET = 0x60006320;
u32 CLK_ENB_U_SET = 0x60006330;
u32 CLK_ENB_V_SET = 0x60006440;
u32 CLK_ENB_W_SET = 0x60006448;
u32 CLK_ENB_X_SET = 0x60006284;
u32 CLK_ENB_Y_SET = 0x6000629C;
u32 LVL2_CLK_GATE_OVRA = 0x600060F8;
u32 LVL2_CLK_GATE_OVRB = 0x600060FC;
u32 LVL2_CLK_GATE_OVRC = 0x600063A0;
u32 LVL2_CLK_GATE_OVRD = 0x600063A4;
u32 LVL2_CLK_GATE_OVRE = 0x60006554;
u32 CLK_SOURCE_VI = 0x60006148;
u32 CLK_SOURCE_HOST1X = 0x60006180;
u32 CLK_SOURCE_NVENC = 0x600066A0;
==== IROM patch 2 ====
// Set all clock enables and overrides
*(u32 *)CLK_ENB_V_SET = 0xFFFFFFFF;
*(u32 *)CLK_ENB_W_SET = 0xFFFFFFFF;
*(u32 *)LVL2_CLK_GATE_OVRA = 0xFFFFFFFF;
*(u32 *)LVL2_CLK_GATE_OVRB = 0xFFFFFFFF;
*(u32 *)CLK_ENB_X_SET = 0xFFFFFFFF;
*(u32 *)CLK_ENB_Y_SET = 0xFFFFFFFF;
*(u32 *)CLK_ENB_L_SET = 0xFFFFFFFF;
*(u32 *)CLK_ENB_H_SET = 0xFFFFFFFF;
*(u32 *)CLK_ENB_U_SET = 0xFFFFFFFF;
*(u32 *)LVL2_CLK_GATE_OVRC = 0xFFFFFFFF;
*(u32 *)LVL2_CLK_GATE_OVRD = 0xFFFFFFFF;
*(u32 *)LVL2_CLK_GATE_OVRE = 0xFFFFFFFF;
<syntaxhighlight lang="c">
// Set VI, HOST1X and NVENC clock sources to CLK_M
u32 USB1_UTMIP_SPARE_CFG0_0 = 0x7D000834;
*(u32 *)CLK_SOURCE_VI = 0xA0000000;
u32 USB1_UTMIP_BIAS_CFG2_0 = 0x7D000850;
*(u32 *)CLK_SOURCE_HOST1X = 0xA0000000;
*(u32 *)CLK_SOURCE_NVENC = 0xE0000000;
/*
Untranslated instructions:
MOVS R1, #0
MOVS R0, #0xE
*/
return;
</syntaxhighlight>
==== IROM patch 1 ====
This patch sets APBDEV_PMC_SCRATCH190_0 to 0x01, which LP0 resume code expects.
<syntaxhighlight lang="c">
u32 APBDEV_PMC_SCRATCH190_0 = 0x7000EC18;
u32 pmc_scratch190_val = *(u32 *)APBDEV_PMC_SCRATCH190_0;
return (pmc_scratch190_val | 0x01);
</syntaxhighlight>
==== IROM patch 2 ====
This patch adjusts USB configurations.
<syntaxhighlight lang="c">
u32 USB1_UTMIP_SPARE_CFG0_0 = 0x7D000834;
u32 USB1_UTMIP_BIAS_CFG2_0 = 0x7D000850;
// Increase UTMIP_HSSQUELCH_LEVEL_NEW by 0x02
// Increase UTMIP_HSSQUELCH_LEVEL_NEW by 0x02
This patch ensures that waiting on PRC_PENDING from the XUSB_DEV register T_XUSB_DEV_XHCI_PORTSC never fails.
This patch ensures that waiting on PRC_PENDING from the XUSB_DEV register T_XUSB_DEV_XHCI_PORTSC never fails.
In the second batch of patched units ([[#FUSE_OPT_FT_REV|FUSE_OPT_FT_REV]] set to revision 7.0) this patch has been replaced with a fix for [[Switch_System_Flaws#Hardware|CVE-2018-6242]] (arbitrary copy when handling USB control requests in RCM). By setting R1 to 0 at address 0x0010769A in the bootrom, the upper 16 bits of the USB control request's wLength field are cleared out, effectively limiting the request's size to a maximum of 255 bytes.
In the second batch of patched units ([[#FUSE_OPT_FT_REV|FUSE_OPT_FT_REV]] set to revision 7.0) this patch has been replaced with a fix for [[Switch_System_Flaws#Hardware|CVE-2018-6242]] (arbitrary copy when handling USB control requests in RCM). By setting R1 to 0 at address 0x0010769A in the bootrom, the upper 8 bits of the USB control request's wLength field are cleared out, effectively limiting the request's size to a maximum of 255 bytes.
==== IROM patch 4 ====
==== IROM patch 4 ====
==== IROM patch 6 ====
==== IROM patch 6 ====
This patch is a factory backdoor.
This patch allows controlling the debug authentication configuration using a fuse.
<syntaxhighlight lang="c">
<syntaxhighlight lang="c">
==== IROM patch 7 ====
==== IROM patch 7 ====
This patch is a bugfix.
This patch prevents overflowing IRAM (0x40010000) when copying the warmboot binary from DRAM.
<syntaxhighlight lang="c">
<syntaxhighlight lang="c">
==== IROM patch 8 ====
==== IROM patch 8 ====
This patch is a bugfix.
This patch sets the correct warmboot binary entrypoint address for RSA signature verification, which would be done in DRAM instead of IRAM without this patch.
<syntaxhighlight lang="c">
<syntaxhighlight lang="c">
RAM:00000000 ; 6: 0x4103df2b 0x00108206 0x0000df2b : svc #0x2b (offset 0x9e)
RAM:00000000 ; 6: 0x4103df2b 0x00108206 0x0000df2b : svc #0x2b (offset 0x9e)
RAM:00000000 ; 7: 0x495c0060 0x001092b8 0x00000060 : lsls r0, r4, #1
RAM:00000000 ; 7: 0x495c0060 0x001092b8 0x00000060 : lsls r0, r4, #1
RAM:00000000 ; 8: 0x62e3ef5b 0x0010c5c6 0x0000ef5b
RAM:00000000 ; 8: 0x62e3ef5b 0x0010c5c6 0x0000ef5b : svc #0x5b (offset 0xfe)
RAM:00000000 ; 9: 0x10d1df6a 0x001021a2 0x0000df6a : svc #0x6a (offset 0x11c)
RAM:00000000 ; 9: 0x10d1df6a 0x001021a2 0x0000df6a : svc #0x6a (offset 0x11c)
RAM:00000004 MOV R2, LR
RAM:00000004 MOV R2, LR
RAM:000000FE
RAM:000000FE
RAM:000000FE
RAM:000000FE
RAM:000000FE sub_FE
RAM:000000FE sub_FE ; 8: 0x62e3ef5b 0x0010c5c6 0x0000ef5b : svc #0x5b (offset 0xfe)
RAM:000000FE POP {R2}
RAM:000000FE POP {R2}
RAM:00000100 MOV R4, SP
RAM:00000100 MOV R4, SP
</syntaxhighlight>
</syntaxhighlight>
= Anti-downgrade =
==== IROM patch 1 ====
This patch stubs the function responsible for disabling read access for the SE AES keyslots.
Due to a programming mistake, when loading the OEM AES keys the aforementioned function would be called with the wrong arguments. The patch prevents this by simply stubbing the function altogether, which is only acceptable because the Mariko's SE hardware already boots with keyslot reading permanently disabled.
{| class="wikitable" border="1"
==== IROM patch 2 ====
This patch forces the function responsible for checking if SE context atomic save is enabled (by checking a fuse) to always return true.
Some Mariko units have been found to not have the relevant fuse bit (bit 7 in [[#FUSE_BOOT_SECURITY_INFO|FUSE_BOOT_SECURITY_INFO]]) burned, so the patch serves as a workaround for this.
==== IROM patch 3 ====
This patch forces a jump to the same routine used by [[#IROM_patch_0_2|IROM patch 0]] if loading a bootloader failed.
By setting all IRAM memory from 0x4000FC20 to 0x40040000 to 0xEAFFFFFE, a bootloader that somehow failed validation is effectively erased from memory.
==== IROM patch 4 ====
This patch stores a stack cookie (value 0x5A55F0E1) after a RCM message is received and before it's validated.
==== IROM patch 5 ====
This patch checks the stack cookie stored by [[#IROM_patch_4_2|IROM patch 4]] right after a RCM message is validated.
If the stack cookie's value is still 0x5A55F0E1, the bootrom jumps to a panic. If it changed to anything other than 0, the same routine used by [[#IROM_patch_0_2|IROM patch 0]] is called. Presumably, this is an attempt at mitigating fault injection attacks against skipping the validation of RCM messages.
==== IROM patch 6 ====
This patch sanitizes the crypto context right before receiving a RCM message.
<syntaxhighlight lang="c">
u32 FUSE_PRIVATEKEYDISABLE = 0x7000F828;
u32 SE1_CRYPTO_KEYTABLE_ADDR = 0x7001231C;
u32 SE2_CRYPTO_KEYTABLE_ADDR = 0x7041231C;
u32 SE1_CRYPTO_KEYTABLE_DATA = 0x70012320;
u32 SE2_CRYPTO_KEYTABLE_DATA = 0x70412320;
// Hide the private key fuses
*(u32 *)FUSE_PRIVATEKEYDISABLE = 0x1;
u32 crypto_keytable_val = 0xE0;
// Clear SE1/SE2 keyslot 0xE (contains the SBK)
for (int i = 0; i < 0x7; i++) {
*(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
*(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0;
*(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
*(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0;
crypto_keytable_val++;
}
crypto_keytable_val = 0xF0;
// Clear SE1/SE2 keyslot 0xF (contains the SSK)
for (int i = 0; i < 0x07; i++) {
*(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
*(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0;
*(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
*(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0;
crypto_keytable_val++;
}
crypto_keytable_val = 0xC0;
// Clear SE1/SE2 keyslot 0xC (contains the KEK)
for (int i = 0; i < 0x7; i++) {
*(u32 *)SE1_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
*(u32 *)SE1_CRYPTO_KEYTABLE_DATA = 0;
*(u32 *)SE2_CRYPTO_KEYTABLE_ADDR = crypto_keytable_val;
*(u32 *)SE2_CRYPTO_KEYTABLE_DATA = 0;
crypto_keytable_val++;
}
u8 se_instance = 0; // SE1
u8 se_src_key_slot = 0xD;
u8 se_src_key_size = 0; // 128 bits
u8 se_dst_key_slot = 0xD;
u8 se_dst_key_size = 0; // 128 bits
u8 *se_src_key_data = 0x40004164;
// Overwrite SE1 keyslot 0xD (contains the BEK)
se_decrypt_key_into_key_slot(se_instance, se_src_key_slot, se_src_key_size, se_dst_key_slot, se_dst_key_size, se_src_key_data);
se_instance = 1; // SE2
// Overwrite SE2 keyslot 0xD (contains the BEK)
se_decrypt_key_into_key_slot(se_instance, se_src_key_slot, se_src_key_size, se_dst_key_slot, se_dst_key_size, se_src_key_data);
/*
Untranslated instructions:
LDR R0, =0x4000FC20
MOV R8, R0
*/
return;
</syntaxhighlight>
==== IROM patch 7 ====
This patch doubles the maximum value passed to the function responsible for generating random numbers with the SE. These values are then used for randomizing the duration of wait loops scattered around the bootrom.
==== IROM patch 8 ====
This patch forces memcpy to always fall outside of current stack limits.
==== IROM patch 9 ====
This patch forces TZRAM to be cleared on any boot type (instead of clearing it only on coldboot).
= Anti-downgrade =
The first bootloader verifies [[#FUSE_RESERVED_ODM7|FUSE_RESERVED_ODM7]] to prevent downgrading.
How many fuses are expected to be burnt depends the device's unit type as below.
{| class="wikitable" border="1"
|-
|-
! System version
! System version
! Expected number of burnt fuses (retail)
! Expected number of burnt fuses (production)
! Expected number of burnt fuses (non-retail)
! Expected number of burnt fuses (development)
|-
|-
| 1.0.0
| 1.0.0
| 13.2.1-14.1.2
| 13.2.1-14.1.2
| 16
| 16
| 1
|-
| 15.0.0-15.0.1
| 17
| 1
|-
| 16.0.0-16.1.0
| 18
| 1
|-
| 17.0.0-18.1.0
| 19
| 1
|-
| 19.0.0-19.0.1
| 20
| 1
| 1
|}
|}