Nintendo Switch Brew

Fuses: Difference between revisions

← Older editNewer edit →
Line 811: Line 811:
[4.0.0+] This value is no longer used during boot.
[4.0.0+] This value is no longer used during boot.


== eFuses ==
== Bitmap ==
The actual hardware fuses can be programmed through the fuse driver after enabling fuse programming.
The actual hardware fuses are stored in a bitmap and may be programmed through the fuse driver after enabling fuse programming.


Below is a list of common fuse indexes used by Tegra devices (and applicable to the Switch).
Fuse numbers are relative to the start of the fuse bitmap where each element is a 4 byte word and has a redundant alias. A single fuse write operation must always write the same value to '''fuse_bitmap + ((fuse_number + 0) << 2)''' (PRIMARY_ALIAS) and '''fuse_bitmap + ((fuse_number + 1) << 2)''' (REDUNDANT_ALIAS). However, after offset 0x180 in the fuse bitmap, fuses no longer have a redundant alias.
Note that the indexes are relative to the start of the fuse array and each element is a 4 byte word. A single fuse write operation always writes the same word at both fuse_array + 0 (PRIMARY_ALIAS) and fuse_array + 1 (REDUNDANT_ALIAS).
 
Below is a list of common fuses used by Tegra devices (and applicable to the Switch).


{| class="wikitable" border="1"
{| class="wikitable" border="1"
!  Name
!  Name
Index
Number
!  Redundant number
!  Bits
!  Bits
|-
|-
| jtag_disable
| enable_fuse_program
| 0x00
| 0
| 1
| 0
|-
| disable_fuse_program
| 0
| 1
| 1
|-
| bypass_fuses
| 0
| 1
| 2
|-
| jtag_direct_access_disable
| 0
| 1
| 3
|-
| production_mode
| 0
| 1
| 1
| 4
|-
|-
| odm_production_mode
| jtag_secureid_valid
| 0x00
| 0
| 1
| 1
| 5
|-
|-
| odm_lock
| odm_lock
| 0x00
| 0
| 4
| 1
| 6-9
|-
| fa_mode
| 0
| 1
| 10
|-
| security_mode
| 0
| 1
| 11
|-
| arm_debug_dis
| 0
| 1
| 12
|-
| obs_dis
| 0
| 1
| 13
|-
| public_key0
| 10
| 11
| 30-31
|-
| public_key0
| 12
| 13
| 0-29
|-
| public_key1
| 12
| 13
| 30-31
|-
|-
| public_key
| public_key1
| 0x0C
| 14
| 256
| 15
| 0-29
|-
|-
| secure_boot_key
| public_key2
| 0x22
| 14
| 128
| 15
| 30-31
|-
|-
| device_key
| public_key2
| 0x2A
| 16
| 32
| 17
| 0-29
|-
|-
| sec_boot_dev_cfg
| public_key3
| 0x2C
| 16
| 16
| 17
| 30-31
|-
| public_key3
| 18
| 19
| 0-29
|-
| public_key4
| 18
| 19
| 30-31
|-
| public_key4
| 20
| 21
| 0-29
|-
| public_key5
| 20
| 21
| 30-31
|-
| public_key5
| 22
| 23
| 0-29
|-
| public_key6
| 22
| 23
| 30-31
|-
| public_key6
| 24
| 25
| 0-29
|-
| public_key7
| 24
| 25
| 30-31
|-
| public_key7
| 26
| 27
| 0-29
|-
| private_key0
| 34
| 35
| 12-31
|-
| private_key0
| 36
| 37
| 0-11
|-
| private_key1
| 36
| 37
| 12-31
|-
| private_key1
| 38
| 39
| 0-11
|-
| private_key2
| 38
| 39
| 12-31
|-
| private_key2
| 40
| 41
| 0-11
|-
| private_key3
| 40
| 41
| 12-31
|-
| private_key3
| 42
| 43
| 0-11
|-
| private_key4
| 42
| 43
| 12-31
|-
| private_key4
| 44
| 45
| 0-11
|-
| boot_device_info
| 44
| 45
| 12-27
|-
| reserved_sw
| 44
| 45
| 28-31
|-
| reserved_sw
| 46
| 47
| 0-3
|-
| reserved_odm0
| 46
| 47
| 5-31
|-
| reserved_odm0
| 48
| 49
| 0-4
|-
| reserved_odm1
| 48
| 49
| 5-31
|-
| reserved_odm1
| 50
| 51
| 0-4
|-
| reserved_odm2
| 50
| 51
| 5-31
|-
| reserved_odm2
| 52
| 53
| 0-4
|-
| reserved_odm3
| 52
| 53
| 5-31
|-
| reserved_odm3
| 54
| 55
| 0-4
|-
| reserved_odm4
| 54
| 55
| 5-31
|-
| reserved_odm4
| 56
| 57
| 0-4
|-
| reserved_odm5
| 56
| 57
| 5-31
|-
| reserved_odm5
| 58
| 59
| 0-4
|-
| [[#reserved_odm6|reserved_odm6]]
| 58
| 59
| 5-31
|-
| [[#reserved_odm6|reserved_odm6]]
| 60
| 61
| 0-4
|-
| [[#reserved_odm7|reserved_odm7]]
| 60
| 61
| 5-31
|-
| [[#reserved_odm7|reserved_odm7]]
| 62
| 63
| 0-4
|-
| kfuse_privkey_ctrl
| 64
| 65
| 13-14
|-
| package_info
| 64
| 65
| 15-18
|-
| opt_vendor_code
| 64
| 65
| 19-22
|-
| opt_fab_code
| 64
| 65
| 23-28
|-
| opt_lot_code_0
| 64
| 65
| 29-31
|-
| opt_lot_code_0
| 66
| 67
| 0-28
|-
| opt_lot_code_1
| 66
| 67
| 29-31
|-
| opt_lot_code_1
| 68
| 69
| 0-24
|-
| opt_wafer_id
| 68
| 69
| 25-30
|-
| opt_x_coordinate
| 68
| 69
| 31
|-
| opt_x_coordinate
| 70
| 71
| 0-7
|-
| opt_y_coordinate
| 70
| 71
| 8-16
|-
|-
| sec_boot_dev_sel
| opt_sec_debug_en
| 0x2C
| 70
| 3
| 71
| 17
|-
|-
| sw_reserved
| opt_ops_reserved
| 0x2E
| 70
| 12
| 71
| 18-23
|-
|-
| ignore_dev_sel_straps
| sata_calib
| 0x2E
| 70
| 1
| 71
| 24-25
|-
|-
| [[#odm_reserved|odm_reserved]]
| opt_priv_sec_en
| 0x2E
| 90
| 256
| 91
| 8
|-
|-
| pkc_disable
| pkc_disable
| 0x52
| 90
| 1
| 91
| 9
|-
| fuse2tsec_debug_disable
| 90
| 91
| 10
|-
| secure_provision_index
| 90
| 91
| 24-27
|-
|-
| debug_authentication
| secure_provision_info
| 0x5A
| 90
| 5
| 91
| 28-29
|-
|-
| aid
| aid
| 0x67
| 103
| 32
| None
| 0-31
|-
|-
| [[#bootrom_ipatch|bootrom_ipatch]]
| [[#bootrom_ipatch|bootrom_ipatch]]
| 0x72
| 114
| 624
| None
| Variable
|}
|}


=== odm_reserved ===
=== reserved_odm6 ===
The first bootloader only burns fuses in this region.
Used for anti-downgrade control.
Both fuse indexes 0x3A (odm_reserved + 0x0C) and 0x3C (odm_reserved + 0x0E) are used for anti-downgrade control. These fuses will have their values cached into [[#FUSE_RESERVED_ODM6|FUSE_RESERVED_ODM6]] and [[#FUSE_RESERVED_ODM7|FUSE_RESERVED_ODM7]].
 
=== reserved_odm7 ===
Used for anti-downgrade control.


=== bootrom_ipatch ===
=== bootrom_ipatch ===
Tegra210 based hardware such as the Switch provides support for bootrom patches. The patch data is burned to the hardware fuse array using a specific format (see [https://gist.github.com/shuffle2/f8728159da100e9df2606d43925de0af shuffle2's ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP.
Tegra210 based hardware such as the Switch provides support for bootrom patches. The patch data is burned to the hardware fuse bitmap using a specific format (see [https://gist.github.com/shuffle2/f8728159da100e9df2606d43925de0af shuffle2's ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP.


The following represents the patch data dumped from a Switch console:
The following represents the patch data dumped from a Switch console:
Line 1,141: Line 1,475:
The last 4 patches are exclusive to the Switch, while the remaining ones are often included in most Tegra210 based devices.
The last 4 patches are exclusive to the Switch, while the remaining ones are often included in most Tegra210 based devices.


==== ipatch 0 ====
==== IROM patch 0 ====
This patch configures clock enables and clock gate overrides for new hardware.
This patch configures clock enables and clock gate overrides for new hardware.


Line 1,190: Line 1,524:
</syntaxhighlight>
</syntaxhighlight>


==== ipatch 1 ====
==== IROM patch 1 ====
This patch is a bugfix.
This patch is a bugfix.


Line 1,202: Line 1,536:
</syntaxhighlight>
</syntaxhighlight>


==== ipatch 2 ====
==== IROM patch 2 ====
This patch adjusts USB configurations.
This patch adjusts USB configurations.


Line 1,218: Line 1,552:
</syntaxhighlight>
</syntaxhighlight>


==== ipatch 3 ====
==== IROM patch 3 ====
This patch ensures that waiting on PRC_PENDING from the XUSB_DEV register T_XUSB_DEV_XHCI_PORTSC never fails.
This patch ensures that waiting on PRC_PENDING from the XUSB_DEV register T_XUSB_DEV_XHCI_PORTSC never fails.


In the second batch of patched units ([[#FUSE_OPT_FT_REV|FUSE_OPT_FT_REV]] set to revision 7.0) this patch has been replaced with a fix for [[Switch_System_Flaws#Hardware|CVE-2018-6242]] (arbitrary copy when handling USB control requests in RCM). By setting R1 to 0 at address 0x0010769A in the bootrom, the upper 16 bits of the USB control request's wLength field are cleared out, effectively limiting the request's size to a maximum of 255 bytes.
In the second batch of patched units ([[#FUSE_OPT_FT_REV|FUSE_OPT_FT_REV]] set to revision 7.0) this patch has been replaced with a fix for [[Switch_System_Flaws#Hardware|CVE-2018-6242]] (arbitrary copy when handling USB control requests in RCM). By setting R1 to 0 at address 0x0010769A in the bootrom, the upper 16 bits of the USB control request's wLength field are cleared out, effectively limiting the request's size to a maximum of 255 bytes.


==== ipatch 4 ====
==== IROM patch 4 ====
This patch allows backing up and restoring strapping options for warmboot.
This patch allows backing up and restoring strapping options for warmboot.


Line 1,253: Line 1,587:
</syntaxhighlight>
</syntaxhighlight>


==== ipatch 5 ====
==== IROM patch 5 ====
This patch adjusts USB configurations.
This patch adjusts USB configurations.


Line 1,270: Line 1,604:
</syntaxhighlight>
</syntaxhighlight>


==== ipatch 6 ====
==== IROM patch 6 ====
This patch is a factory backdoor.
This patch is a factory backdoor.


Line 1,293: Line 1,627:
</syntaxhighlight>
</syntaxhighlight>


==== ipatch 7 ====
==== IROM patch 7 ====
This patch is a bugfix.
This patch is a bugfix.


Line 1,325: Line 1,659:
</syntaxhighlight>
</syntaxhighlight>


==== ipatch 8 ====
==== IROM patch 8 ====
This patch is a bugfix.
This patch is a bugfix.


Line 1,345: Line 1,679:
</syntaxhighlight>
</syntaxhighlight>


==== ipatches 9 and 10 ====
==== IROM patches 9 and 10 ====
These patches modify the 256-bit Secure Provisioning AES key with index 0x3A.
These patches modify the 256-bit Secure Provisioning AES key with index 0x3A.


==== ipatch 11 ====
==== IROM patch 11 ====
This patch forces the value of [[Security_Engine|SE_TZRAM_SECURITY]] to be 0x01 instead of restoring it from the saved SE context.
This patch forces the value of [[Security_Engine|SE_TZRAM_SECURITY]] to be 0x01 instead of restoring it from the saved SE context.


Retrieved from "https://switchbrew.org/wiki/Fuses"