Difference between revisions of "Package2"
(Created page with "Present in the firmware package titles (0100000000000819, 010000000000081A, 010000000000081B and 010000000000081C) and installed into eMMC storage's Flash_Filesystem#User_Pa...") |
(No difference)
|
Revision as of 16:36, 31 December 2017
Present in the firmware package titles (0100000000000819, 010000000000081A, 010000000000081B and 010000000000081C) and installed into eMMC storage's BCPKG2 partitions, "package2" contains the Switch kernel and the built-in system modules.
Format
Package2 is distributed in an already encrypted format. Therefore, it's not additionally encrypted when installed into the flash filesystem.
Offset | Size | Description |
---|---|---|
0x0 | 0x100 | RSA-2048 signature |
0x100 | 0x100 | Encrypted header |
0x200 | Variable | Encrypted body |
Encryption
Package2's contents are AES-CTR encrypted with a key known only by TrustZone.
The encrypted header's CTR is stored as it's first 0x10 bytes (offset 0x100). The encrypted body is divided in up to 4 sections, each one with a CTR stored inside the decrypted header.
Header
When decrypted, package2's header is as follows.
Offset | Size | Description |
---|---|---|
0x0 | 0x10 | Decrypted header's CTR |
0x10 | 0x10 | Section 0 CTR |
0x20 | 0x10 | Section 1 CTR |
0x30 | 0x10 | Section 2 CTR |
0x40 | 0x10 | Section 3 CTR |
0x50 | 0x4 | Magic "PK21" |
0x54 | 0x4 | Unknown |
0x58 | 0x4 | Unknown |
0x5C | 0x4 | Unknown |
0x60 | 0x4 | Section 0 size |
0x64 | 0x4 | Section 1 size |
0x68 | 0x4 | Section 2 size |
0x6C | 0x4 | Section 3 size |
0x70 | 0x4 | Unknown |
0x74 | 0x4 | Unknown |
0x78 | 0x4 | Unknown |
0x7C | 0x4 | Unknown |
0x80 | 0x20 | SHA-256 hash over encrypted section 0 |
0xA0 | 0x20 | SHA-256 hash over encrypted section 1 |
0xC0 | 0x20 | SHA-256 hash over encrypted section 2 |
0xE0 | 0x20 | SHA-256 hash over encrypted section 3 |
Each section follows each other immediately and is encrypted with the same key used for encrypting the header.
Section 0
When decrypted, this section contains the plaintext Switch kernel binary.
Section 1
When decrypted, this section contains the built-in system modules encapsulated in a custom format.
INI1
Offset | Type | Description |
---|---|---|
0x0 | u32 | Magic "INI1" |
0x4 | u32 | Size |
0x8 | u32 | NumberProcesses |
0xC | u32 | Zero |
KIP1
Kernel internal process?
Offset | Type | Description |
---|---|---|
0x0 | u32 | Magic "KIP1" |
0x4 | char[12] | Name |
0x10 | u64 | TitleId |
0x18 | u32 | |
0x1C | u32 | Flags / etc. Byte3 bit0-2: compression-enable for each section, when set. |
0x20 | #SectionHeader[3] | Sections |
0x50 | char[0x20] | Padding |
0x70 | u64[0x20] | KernelCaps |
SectionHeader
Offset | Type | Description |
---|---|---|
0x0 | u32 | OutOffset |
0x4 | u32 | DecompressedSize |
0x8 | u32 | CompressedSize |
0xC | u32 |
Compression
The compression used here is BLZ, with a modified footer since 3ds. The footer is now 0xC bytes instead of 0x8, and has the form u32 compressed_data_len; u32 initial_index; u32 additional_len_when_uncompressed;
Section 2
This section has a valid CTR and SHA-256 hash (over NULL) stored in the package2's header, but it's size is always 0. Likely reserved for future expansion.
Section 3
This section is not present (CTR and SHA-256 hash in package2's header are NULL). Likely reserved for future expansion.