BCT: Difference between revisions

From Nintendo Switch Brew
Jump to navigation Jump to search
← Older edit
No edit summary
No edit summary
 
(One intermediate revision by one other user not shown)
Line 3: Line 3:
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.


The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
The Erista BCT's data is only signed after offset 0x510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.


The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.


During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in [[Memory_layout|IRAM]].


= Format =
= Format =
Line 18: Line 18:
!  Description
!  Description
|-
|-
0x0000
0x0
|  0x210
|  0x210
|  BadBlockTable
|  BadBlockTable
|  Table containing information on bad blocks
|  Table containing information on bad blocks
  0x0000: EntriesUsed (0x200)
  0x0:   EntriesUsed (0x200)
  0x0004: VirtualBlockSizeLog2 (0x0F)
  0x4:   VirtualBlockSizeLog2 (0xF)
  0x0005: BlockSizeLog2 (0x0E)
  0x5:   BlockSizeLog2 (0xE)
  0x0006: BadBlocks
  0x6:   BadBlocks
  0x0206: Reserved
  0x206: Reserved
|-
|-
0x0210
0x210
|  0x100
|  0x100
|  Key
|  Key
|  BCT RSA public key's modulus
|  BCT RSA public key's modulus
|-
|-
0x0310
0x310
|  0x110
|  0x110
|  Signature
|  Signature
|  BCT cryptographic signature
|  BCT cryptographic signature
  0x0310: CryptoHash (empty)
  0x310: CryptoHash (empty)
  0x0320: RsaPssSig
  0x320: RsaPssSig
|-
|-
0x0420
0x420
0x04
0x4
|  SecProvisioningKeyNumInsecure
|  SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning (always 0)
|  Used for Factory Secure Provisioning (always 0)
|-
|-
0x0424
0x424
|  0x20
|  0x20
|  SecProvisioningKey
|  SecProvisioningKey
Line 54: Line 54:
|  [[#CustomerData|CustomerData]]
|  [[#CustomerData|CustomerData]]
|  Data block available for the customer (used in key generation)
|  Data block available for the customer (used in key generation)
  0x0444: Reserved (0x0C bytes)
  0x444: Reserved
  0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes)
  0x450: [[Flash_Filesystem#Keyblob|Keyblob]]
  0x0500: Reserved (0x08 bytes)
  0x500: Reserved
|-
|-
0x0508
0x508
0x04
0x4
|  OdmData
|  OdmData
Legacy field (unused)
Empty
|-
|-
0x050C
0x50C
0x04
0x4
|  Reserved
|  Reserved
Legacy field (unused)
Empty
|-
|-
0x0510
0x510
|  0x10
|  0x10
|  RandomAesBlock
|  RandomAesBlock
Always empty
Empty
|-
|-
0x0520
0x520
|  0x10
|  0x10
|  UniqueChipId
|  UniqueChipId
Always empty
Empty
|-
|-
0x0530
0x530
0x04
0x4
|  BootDataVersion
|  BootDataVersion
|  Set to 0x00210001 (BOOTDATA_VERSION_T210)
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|-
0x0534
0x534
0x04
0x4
|  BlockSizeLog2
|  BlockSizeLog2
|  Always 0x0E
|  Always 0xE
|-
|-
0x0538
0x538
0x04
0x4
|  PageSizeLog2
|  PageSizeLog2
|  Always 0x09
|  Always 0x9
|-
|-
0x053C
0x53C
0x04
0x4
|  PartitionSize
|  PartitionSize
|  Always 0x01000000
|  Always 0x1000000
|-
|-
0x0540
0x540
0x04
0x4
|  NumParamSets
|  NumParamSets
|  Number of device parameter sets (always 0x01)
|  Number of device parameter sets (always 0x1)
|-
|-
0x0544
0x544
0x04
0x4
|  DevType
|  DevType
|  Device type (0x04 == Sdmmc)
|  Device type (0x4 == Sdmmc)
|-
|-
0x0548
0x548
|  0x40
|  0x40
|  DevParams
|  DevParams
|  Device parameters
|  Device parameters
   0x0548: ClockDivider (0x09 == 24MHz)
   0x548: ClockDivider (0x9 == 24MHz)
   0x054C: DataWidth (0x02 == 8Bit)
   0x54C: DataWidth (0x2 == 8Bit)
|-
|-
0x0588
0x588
0x04
0x4
|  NumSdramSets
|  NumSdramSets
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
0x058C
0x58C
|  0x768
|  0x768
|  SdramParams0
|  SdramParams0
|  Default values filled in
|  Default values filled in
|-
|-
0x0CF4
0xCF4
|  0x768
|  0x768
|  SdramParams1
|  SdramParams1
Line 141: Line 141:
|-
|-
|  0x232C
|  0x232C
0x04
0x4
|  BootLoadersUsed
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|-
|  0x2330
|  0x2330
Line 150: Line 150:
|  Configuration parameters for bootloader 0 (main)
|  Configuration parameters for bootloader 0 (main)
  0x2330: Version (variable)
  0x2330: Version (variable)
  0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
  0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
  0x2338: StartPage (0x00000000)
  0x2338: StartPage (0)
  0x233C: Length (variable)
  0x233C: Length (variable)
  0x2340: LoadAddress (0x40010000)
  0x2340: LoadAddress (0x40010000)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
  0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
  0x234C: CryptoHash (empty)
  0x234C: CryptoHash (empty)
  0x235C: RsaPssSig
  0x235C: RsaPssSig
Line 164: Line 164:
|  Configuration parameters for bootloader 1 (backup)
|  Configuration parameters for bootloader 1 (backup)
  0x245C: Version (variable)
  0x245C: Version (variable)
  0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
  0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
  0x2464: StartPage (0x00000000)
  0x2464: StartPage (0)
  0x2468: Length (variable)
  0x2468: Length (variable)
  0x246C: LoadAddress (0x40010000)
  0x246C: LoadAddress (0x40010000)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
  0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
  0x2478: CryptoHash (empty)
  0x2478: CryptoHash (empty)
  0x2488: RsaPssSig
  0x2488: RsaPssSig
Line 184: Line 184:
|-
|-
|  0x27E0
|  0x27E0
0x01
0x1
|  EnableFailBack
|  EnableFailBack
|  Always 0
|  Always 0
|-
|-
|  0x27E1
|  0x27E1
0x04
0x4
|  SecureJtagControl
|  SecureJtagControl
|  Always 0
|  Always 0
|-
|-
|  0x27E5
|  0x27E5
0x04
0x4
|  SecProvisioningKeyNumSecure
|  SecProvisioningKeyNumSecure
|  Used for Factory Secure Provisioning (always 0)
|  Used for Factory Secure Provisioning (always 0)
Line 204: Line 204:
|-
|-
|  0x27FB
|  0x27FB
0x05
0x5
|  Padding
|  Padding
|  Empty
|  Empty
Line 231: Line 231:


=== BootLoader0 ===
=== BootLoader0 ===
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
The version field controls which keyblob is used, where 0x1 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.


== Mariko ==
== Mariko ==
Line 241: Line 241:
!  Description
!  Description
|-
|-
0x0000
0x0
|  0x210
|  0x210
|  Pcp
|  Pcp
|  BCT public cryptographic parameters
|  BCT public cryptographic parameters
  0x0000: KeySize
  0x0:   KeySize
  0x0004: Reserved
  0x4:   Reserved
  0x0010: PublicKeyModulus
  0x10: PublicKeyModulus
  0x0110: PublicKeyExponent
  0x110: PublicKeyExponent
|-
|-
0x0210
0x210
|  0x110
|  0x110
|  Signature
|  Signature
|  BCT cryptographic signature
|  BCT cryptographic signature
  0x0210: CryptoHash (empty)
  0x210: CryptoHash (empty)
  0x0220: RsaPssSig
  0x220: RsaPssSig
|-
|  0x320
|  0x20
|  SecProvisioningKey
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x340
|  0x4
|  SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x344
|  0xC
|  Padding
|  Empty
|-
|  0x350
|  0xD0
|  CustomerData
|  Data block available for the customer
|-
|  0x420
|  0x10
|  RandomAesBlock
|-
|-
0x0320
0x430
0x160
0x10
|   
|   
|  Empty
|  Empty
|-
|-
0x0480
0x440
|  0x40
|  Empty
|-
|  0x480
|  0x10
|  0x10
RandomAesBlock
RandomAesBlock2
Not empty
|   
|-
|-
0x0490
0x490
|  0x10
|  0x10
|  UniqueChipId
|  UniqueChipId
Always empty
Empty
|-
|-
0x04A0
0x4A0
0x04
0x4
|  BootDataVersion
|  BootDataVersion
|  Set to 0x00210001 (BOOTDATA_VERSION_T210)
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|-
0x04A4
0x4A4
0x04
0x4
|  BlockSizeLog2
|  BlockSizeLog2
|  Always 0x0E
|  Always 0xE
|-
|-
0x04A8
0x4A8
0x04
0x4
|  PageSizeLog2
|  PageSizeLog2
|  Always 0x09
|  Always 0x9
|-
|-
0x04AC
0x4AC
0x04
0x4
|  PartitionSize
|  PartitionSize
|  Always 0x01000000
|  Always 0x1000000
|-
|-
0x04B0
0x4B0
0x04
0x4
|  NumParamSets
|  NumParamSets
|  Number of device parameter sets (always 0x01)
|  Number of device parameter sets (always 0x1)
|-
|-
0x04B4
0x4B4
0x04
0x4
|  DevType
|  DevType
|  Device type (0x04 == Sdmmc)
|  Device type (0x4 == Sdmmc)
|-
|-
0x04B8
0x4B8
|  0x40
|  0x40
|  DevParams
|  DevParams
|  Device parameters
|  Device parameters
|-
|-
0x04F8
0x4F8
0x04
0x4
|  NumSdramSets
|  NumSdramSets
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
0x04FC
0x4FC
|  0x838
|  0x838
|  SdramParams0
|  SdramParams0
|  Default values filled in
|  Default values filled in
|-
|-
0x0D34
0xD34
|  0x838
|  0x838
|  SdramParams1
|  SdramParams1
Line 335: Line 365:
|  0x04
|  0x04
|  BootLoadersUsed
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|-
|  0x25E0
|  0x25E0
Line 341: Line 371:
|  BootLoader0
|  BootLoader0
|  Configuration parameters for bootloader 0 (main)
|  Configuration parameters for bootloader 0 (main)
  0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
  0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
  0x25E4: StartPage (0x00000000)
  0x25E4: StartPage (0)
  0x25E8: Version (variable)
  0x25E8: Version (variable)
  0x25EC: Reserved
  0x25EC: Reserved
Line 350: Line 380:
|  BootLoader1
|  BootLoader1
|  Configuration parameters for bootloader 1 (backup)
|  Configuration parameters for bootloader 1 (backup)
  0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
  0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
  0x25F4: StartPage (0x00000000)
  0x25F4: StartPage (0)
  0x25F8: Version (variable)
  0x25F8: Version (variable)
  0x25FC: Reserved
  0x25FC: Reserved
Line 366: Line 396:
|-
|-
|  0x2620
|  0x2620
0x5C
0x4
|  SecureDebugControlNoneEcid
|  Empty
|-
|  0x2624
|  0x4
|  SecureDebugControlEcid
|  Empty
|-
|  0x2628
|  0x10
|   
|   
|  Empty
|  Empty
|-
|  0x2638
|  0x40
|  Empty
|-
|  0x2678
|  0x4
|  SecProvisioningKeyNumSecure
|  Used for Factory Secure Provisioning (always 0)
|-
|-
|  0x267C
|  0x267C

Latest revision as of 22:52, 23 July 2024

BCT (Boot Configuration Table) is a data structure present on Tegra based devices that supplies boot time configuration parameters.

The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's boot partition 0. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.

The Erista BCT's data is only signed after offset 0x510. Therefore, regions like CustomerData can be freely modified without resigning. This is done by NS when injecting a new keyblob during a system update, for example.

The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the keyblob system is no longer used.

During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM.

Format

Erista

Offset Size Field Description
0x0 0x210 BadBlockTable Table containing information on bad blocks 
0x0:   EntriesUsed (0x200)
0x4:   VirtualBlockSizeLog2 (0xF)
0x5:   BlockSizeLog2 (0xE)
0x6:   BadBlocks
0x206: Reserved
0x210 0x100 Key BCT RSA public key's modulus
0x310 0x110 Signature BCT cryptographic signature 
0x310: CryptoHash (empty)
0x320: RsaPssSig
0x420 0x4 SecProvisioningKeyNumInsecure Used for Factory Secure Provisioning (always 0)
0x424 0x20 SecProvisioningKey Used for Factory Secure Provisioning (always 0)
0x0444 0xC4 CustomerData Data block available for the customer (used in key generation) 
0x444: Reserved
0x450: Keyblob
0x500: Reserved
0x508 0x4 OdmData Empty
0x50C 0x4 Reserved Empty
0x510 0x10 RandomAesBlock Empty
0x520 0x10 UniqueChipId Empty
0x530 0x4 BootDataVersion Set to 0x210001 (BOOTDATA_VERSION_T210)
0x534 0x4 BlockSizeLog2 Always 0xE
0x538 0x4 PageSizeLog2 Always 0x9
0x53C 0x4 PartitionSize Always 0x1000000
0x540 0x4 NumParamSets Number of device parameter sets (always 0x1)
0x544 0x4 DevType Device type (0x4 == Sdmmc)
0x548 0x40 DevParams Device parameters 
 0x548: ClockDivider (0x9 == 24MHz)
 0x54C: DataWidth (0x2 == 8Bit)
0x588 0x4 NumSdramSets Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
0x58C 0x768 SdramParams0 Default values filled in
0xCF4 0x768 SdramParams1 Default values filled in
0x145C 0x768 SdramParams2 Default values filled in
0x1BC4 0x768 SdramParams3 Default values filled in
0x232C 0x4 BootLoadersUsed Number of bootloaders installed (always 0x2, maximum is 0x4)
0x2330 0x12C BootLoader0 Configuration parameters for bootloader 0 (main) 
0x2330: Version (variable)
0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
0x2338: StartPage (0)
0x233C: Length (variable)
0x2340: LoadAddress (0x40010000)
0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
0x234C: CryptoHash (empty)
0x235C: RsaPssSig
0x245C 0x12C BootLoader1 Configuration parameters for bootloader 1 (backup) 
0x245C: Version (variable)
0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
0x2464: StartPage (0)
0x2468: Length (variable)
0x246C: LoadAddress (0x40010000)
0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
0x2478: CryptoHash (empty)
0x2488: RsaPssSig
0x2588 0x12C BootLoader2 Reserved space for bootloader 2 (unused)
0x26B4 0x12C BootLoader3 Reserved space for bootloader 3 (unused)
0x27E0 0x1 EnableFailBack Always 0
0x27E1 0x4 SecureJtagControl Always 0
0x27E5 0x4 SecProvisioningKeyNumSecure Used for Factory Secure Provisioning (always 0)
0x27E9 0x12 Reserved Always starts with 0x80000000 (NVBOOT padding pattern)
0x27FB 0x5 Padding Empty

CustomerData

This data block is ignored by the boot ROM, therefore is available for the programmer to use freely. The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active keyblob. All remaining bytes are zero.

The first bootloader validates and decrypts this block for further key generation. The decrypted keyblob payload is as follows.

Offset Size Description
0x0 0x80 Array of master static key encryption keys
0x80 0x10 PK11 key

BootLoader0

The version field controls which keyblob is used, where 0x1 is the first one. See Cryptosystem for the keyblobs used by each system-version.

Mariko

Offset Size Field Description
0x0 0x210 Pcp BCT public cryptographic parameters 
0x0:   KeySize
0x4:   Reserved
0x10:  PublicKeyModulus
0x110: PublicKeyExponent
0x210 0x110 Signature BCT cryptographic signature 
0x210: CryptoHash (empty)
0x220: RsaPssSig
0x320 0x20 SecProvisioningKey Used for Factory Secure Provisioning (always 0)
0x340 0x4 SecProvisioningKeyNumInsecure Used for Factory Secure Provisioning (always 0)
0x344 0xC Padding Empty
0x350 0xD0 CustomerData Data block available for the customer
0x420 0x10 RandomAesBlock
0x430 0x10 Empty
0x440 0x40 Empty
0x480 0x10 RandomAesBlock2
0x490 0x10 UniqueChipId Empty
0x4A0 0x4 BootDataVersion Set to 0x210001 (BOOTDATA_VERSION_T210)
0x4A4 0x4 BlockSizeLog2 Always 0xE
0x4A8 0x4 PageSizeLog2 Always 0x9
0x4AC 0x4 PartitionSize Always 0x1000000
0x4B0 0x4 NumParamSets Number of device parameter sets (always 0x1)
0x4B4 0x4 DevType Device type (0x4 == Sdmmc)
0x4B8 0x40 DevParams Device parameters
0x4F8 0x4 NumSdramSets Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
0x4FC 0x838 SdramParams0 Default values filled in
0xD34 0x838 SdramParams1 Default values filled in
0x156C 0x838 SdramParams2 Default values filled in
0x1DA4 0x838 SdramParams3 Default values filled in
0x25DC 0x04 BootLoadersUsed Number of bootloaders installed (always 0x2, maximum is 0x4)
0x25E0 0x10 BootLoader0 Configuration parameters for bootloader 0 (main) 
0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
0x25E4: StartPage (0)
0x25E8: Version (variable)
0x25EC: Reserved
0x25F0 0x10 BootLoader1 Configuration parameters for bootloader 1 (backup) 
0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
0x25F4: StartPage (0)
0x25F8: Version (variable)
0x25FC: Reserved
0x2600 0x10 BootLoader2 Reserved space for bootloader 2 (unused)
0x2610 0x10 BootLoader3 Reserved space for bootloader 3 (unused)
0x2620 0x4 SecureDebugControlNoneEcid Empty
0x2624 0x4 SecureDebugControlEcid Empty
0x2628 0x10 Empty
0x2638 0x40 Empty
0x2678 0x4 SecProvisioningKeyNumSecure Used for Factory Secure Provisioning (always 0)
0x267C 0x184 Reserved Always starts with 0x80000000 (NVBOOT padding pattern)
Retrieved from "https://switchbrew.org/w/index.php?title=BCT&oldid=12863"