2,939
edits
Changes
Jump to navigation
Jump to search
Line 3:
Line 3: − By design, the BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.+ + + − + + Line 35:
Line 38: − + Line 208:
Line 211: − + Line 229:
Line 232: − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Add Mariko format
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
The Mariko BCT's data is signed and encrypted, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
= Structure =
= Structure =
Below is the BCT structure used by the Switch, which is a minimal variation of the Tegra 210 BCT format.
Below are the BCT structures used by the Switch.
== Erista ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| 0x110
| 0x110
| Signature
| Signature
| BCT object signature
| BCT cryptographic signature
0x0310: CryptoHash (empty)
0x0310: CryptoHash (empty)
0x0320: RsaPssSig
0x0320: RsaPssSig
|}
|}
== CustomerData ==
=== CustomerData ===
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.
The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.
|}
|}
== BootLoader0 ==
=== BootLoader0 ===
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
== Mariko ==
{| class="wikitable" border="1"
|-
! Offset
! Size
! Field
! Description
|-
| 0x0000
| 0x0210
| Pcp
| BCT public cryptographic parameters
0x0000: KeySize
0x0004: Reserved
0x0010: PublicKeyModulus
0x0110: PublicKeyExponent
|-
| 0x0210
| 0x0110
| Signature
| BCT cryptographic signature
0x0210: CryptoHash (empty)
0x0220: RsaPssSig
|-
| 0x0320
| 0x0160
|
| Empty.
|-
| 0x0480
| 0x2380
|
| Encrypted BCT data.
|}