Difference between revisions of "BCT"
(One intermediate revision by one other user not shown) | |||
Line 3: | Line 3: | ||
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup. | The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup. | ||
− | The Erista BCT's data is only signed after offset | + | The Erista BCT's data is only signed after offset 0x510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example. |
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used. | The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used. | ||
− | During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM | + | During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in [[Memory_layout|IRAM]]. |
= Format = | = Format = | ||
Line 18: | Line 18: | ||
! Description | ! Description | ||
|- | |- | ||
− | | | + | | 0x0 |
| 0x210 | | 0x210 | ||
| BadBlockTable | | BadBlockTable | ||
| Table containing information on bad blocks | | Table containing information on bad blocks | ||
− | + | 0x0: EntriesUsed (0x200) | |
− | + | 0x4: VirtualBlockSizeLog2 (0xF) | |
− | + | 0x5: BlockSizeLog2 (0xE) | |
− | + | 0x6: BadBlocks | |
− | + | 0x206: Reserved | |
|- | |- | ||
− | | | + | | 0x210 |
| 0x100 | | 0x100 | ||
| Key | | Key | ||
| BCT RSA public key's modulus | | BCT RSA public key's modulus | ||
|- | |- | ||
− | | | + | | 0x310 |
| 0x110 | | 0x110 | ||
| Signature | | Signature | ||
| BCT cryptographic signature | | BCT cryptographic signature | ||
− | + | 0x310: CryptoHash (empty) | |
− | + | 0x320: RsaPssSig | |
|- | |- | ||
− | | | + | | 0x420 |
− | | | + | | 0x4 |
| SecProvisioningKeyNumInsecure | | SecProvisioningKeyNumInsecure | ||
| Used for Factory Secure Provisioning (always 0) | | Used for Factory Secure Provisioning (always 0) | ||
|- | |- | ||
− | | | + | | 0x424 |
| 0x20 | | 0x20 | ||
| SecProvisioningKey | | SecProvisioningKey | ||
Line 54: | Line 54: | ||
| [[#CustomerData|CustomerData]] | | [[#CustomerData|CustomerData]] | ||
| Data block available for the customer (used in key generation) | | Data block available for the customer (used in key generation) | ||
− | + | 0x444: Reserved | |
− | + | 0x450: [[Flash_Filesystem#Keyblob|Keyblob]] | |
− | + | 0x500: Reserved | |
|- | |- | ||
− | | | + | | 0x508 |
− | | | + | | 0x4 |
| OdmData | | OdmData | ||
− | | | + | | Empty |
|- | |- | ||
− | | | + | | 0x50C |
− | | | + | | 0x4 |
| Reserved | | Reserved | ||
− | | | + | | Empty |
|- | |- | ||
− | | | + | | 0x510 |
| 0x10 | | 0x10 | ||
| RandomAesBlock | | RandomAesBlock | ||
− | | | + | | Empty |
|- | |- | ||
− | | | + | | 0x520 |
| 0x10 | | 0x10 | ||
| UniqueChipId | | UniqueChipId | ||
− | | | + | | Empty |
|- | |- | ||
− | | | + | | 0x530 |
− | | | + | | 0x4 |
| BootDataVersion | | BootDataVersion | ||
− | | Set to | + | | Set to 0x210001 (BOOTDATA_VERSION_T210) |
|- | |- | ||
− | | | + | | 0x534 |
− | | | + | | 0x4 |
| BlockSizeLog2 | | BlockSizeLog2 | ||
− | | Always | + | | Always 0xE |
|- | |- | ||
− | | | + | | 0x538 |
− | | | + | | 0x4 |
| PageSizeLog2 | | PageSizeLog2 | ||
− | | Always | + | | Always 0x9 |
|- | |- | ||
− | | | + | | 0x53C |
− | | | + | | 0x4 |
| PartitionSize | | PartitionSize | ||
− | | Always | + | | Always 0x1000000 |
|- | |- | ||
− | | | + | | 0x540 |
− | | | + | | 0x4 |
| NumParamSets | | NumParamSets | ||
− | | Number of device parameter sets (always | + | | Number of device parameter sets (always 0x1) |
|- | |- | ||
− | | | + | | 0x544 |
− | | | + | | 0x4 |
| DevType | | DevType | ||
− | | Device type ( | + | | Device type (0x4 == Sdmmc) |
|- | |- | ||
− | | | + | | 0x548 |
| 0x40 | | 0x40 | ||
| DevParams | | DevParams | ||
| Device parameters | | Device parameters | ||
− | + | 0x548: ClockDivider (0x9 == 24MHz) | |
− | + | 0x54C: DataWidth (0x2 == 8Bit) | |
|- | |- | ||
− | | | + | | 0x588 |
− | | | + | | 0x4 |
| NumSdramSets | | NumSdramSets | ||
| Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) | | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) | ||
|- | |- | ||
− | | | + | | 0x58C |
| 0x768 | | 0x768 | ||
| SdramParams0 | | SdramParams0 | ||
| Default values filled in | | Default values filled in | ||
|- | |- | ||
− | | | + | | 0xCF4 |
| 0x768 | | 0x768 | ||
| SdramParams1 | | SdramParams1 | ||
Line 141: | Line 141: | ||
|- | |- | ||
| 0x232C | | 0x232C | ||
− | | | + | | 0x4 |
| BootLoadersUsed | | BootLoadersUsed | ||
− | | Number of bootloaders installed (always | + | | Number of bootloaders installed (always 0x2, maximum is 0x4) |
|- | |- | ||
| 0x2330 | | 0x2330 | ||
Line 150: | Line 150: | ||
| Configuration parameters for bootloader 0 (main) | | Configuration parameters for bootloader 0 (main) | ||
0x2330: Version (variable) | 0x2330: Version (variable) | ||
− | 0x2334: StartBlock ( | + | 0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe) |
− | 0x2338: StartPage ( | + | 0x2338: StartPage (0) |
0x233C: Length (variable) | 0x233C: Length (variable) | ||
0x2340: LoadAddress (0x40010000) | 0x2340: LoadAddress (0x40010000) | ||
0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) | 0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) | ||
− | 0x2348: Attribute ( | + | 0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe) |
0x234C: CryptoHash (empty) | 0x234C: CryptoHash (empty) | ||
0x235C: RsaPssSig | 0x235C: RsaPssSig | ||
Line 164: | Line 164: | ||
| Configuration parameters for bootloader 1 (backup) | | Configuration parameters for bootloader 1 (backup) | ||
0x245C: Version (variable) | 0x245C: Version (variable) | ||
− | 0x2460: StartBlock ( | + | 0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe) |
− | 0x2464: StartPage ( | + | 0x2464: StartPage (0) |
0x2468: Length (variable) | 0x2468: Length (variable) | ||
0x246C: LoadAddress (0x40010000) | 0x246C: LoadAddress (0x40010000) | ||
0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) | 0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) | ||
− | 0x2474: Attribute ( | + | 0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe) |
0x2478: CryptoHash (empty) | 0x2478: CryptoHash (empty) | ||
0x2488: RsaPssSig | 0x2488: RsaPssSig | ||
Line 184: | Line 184: | ||
|- | |- | ||
| 0x27E0 | | 0x27E0 | ||
− | | | + | | 0x1 |
| EnableFailBack | | EnableFailBack | ||
| Always 0 | | Always 0 | ||
|- | |- | ||
| 0x27E1 | | 0x27E1 | ||
− | | | + | | 0x4 |
| SecureJtagControl | | SecureJtagControl | ||
| Always 0 | | Always 0 | ||
|- | |- | ||
| 0x27E5 | | 0x27E5 | ||
− | | | + | | 0x4 |
| SecProvisioningKeyNumSecure | | SecProvisioningKeyNumSecure | ||
| Used for Factory Secure Provisioning (always 0) | | Used for Factory Secure Provisioning (always 0) | ||
Line 204: | Line 204: | ||
|- | |- | ||
| 0x27FB | | 0x27FB | ||
− | | | + | | 0x5 |
| Padding | | Padding | ||
| Empty | | Empty | ||
Line 231: | Line 231: | ||
=== BootLoader0 === | === BootLoader0 === | ||
− | The version field controls which keyblob is used, where | + | The version field controls which keyblob is used, where 0x1 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version. |
== Mariko == | == Mariko == | ||
Line 241: | Line 241: | ||
! Description | ! Description | ||
|- | |- | ||
− | | | + | | 0x0 |
| 0x210 | | 0x210 | ||
| Pcp | | Pcp | ||
| BCT public cryptographic parameters | | BCT public cryptographic parameters | ||
− | + | 0x0: KeySize | |
− | + | 0x4: Reserved | |
− | + | 0x10: PublicKeyModulus | |
− | + | 0x110: PublicKeyExponent | |
|- | |- | ||
− | | | + | | 0x210 |
| 0x110 | | 0x110 | ||
| Signature | | Signature | ||
| BCT cryptographic signature | | BCT cryptographic signature | ||
− | + | 0x210: CryptoHash (empty) | |
− | + | 0x220: RsaPssSig | |
+ | |- | ||
+ | | 0x320 | ||
+ | | 0x20 | ||
+ | | SecProvisioningKey | ||
+ | | Used for Factory Secure Provisioning (always 0) | ||
+ | |- | ||
+ | | 0x340 | ||
+ | | 0x4 | ||
+ | | SecProvisioningKeyNumInsecure | ||
+ | | Used for Factory Secure Provisioning (always 0) | ||
+ | |- | ||
+ | | 0x344 | ||
+ | | 0xC | ||
+ | | Padding | ||
+ | | Empty | ||
+ | |- | ||
+ | | 0x350 | ||
+ | | 0xD0 | ||
+ | | CustomerData | ||
+ | | Data block available for the customer | ||
+ | |- | ||
+ | | 0x420 | ||
+ | | 0x10 | ||
+ | | RandomAesBlock | ||
+ | | | ||
|- | |- | ||
− | | | + | | 0x430 |
− | | | + | | 0x10 |
| | | | ||
| Empty | | Empty | ||
|- | |- | ||
− | | | + | | 0x440 |
+ | | 0x40 | ||
+ | | | ||
+ | | Empty | ||
+ | |- | ||
+ | | 0x480 | ||
| 0x10 | | 0x10 | ||
− | | | + | | RandomAesBlock2 |
− | | | + | | |
|- | |- | ||
− | | | + | | 0x490 |
| 0x10 | | 0x10 | ||
| UniqueChipId | | UniqueChipId | ||
− | | | + | | Empty |
|- | |- | ||
− | | | + | | 0x4A0 |
− | | | + | | 0x4 |
| BootDataVersion | | BootDataVersion | ||
− | | Set to | + | | Set to 0x210001 (BOOTDATA_VERSION_T210) |
|- | |- | ||
− | | | + | | 0x4A4 |
− | | | + | | 0x4 |
| BlockSizeLog2 | | BlockSizeLog2 | ||
− | | Always | + | | Always 0xE |
|- | |- | ||
− | | | + | | 0x4A8 |
− | | | + | | 0x4 |
| PageSizeLog2 | | PageSizeLog2 | ||
− | | Always | + | | Always 0x9 |
|- | |- | ||
− | | | + | | 0x4AC |
− | | | + | | 0x4 |
| PartitionSize | | PartitionSize | ||
− | | Always | + | | Always 0x1000000 |
|- | |- | ||
− | | | + | | 0x4B0 |
− | | | + | | 0x4 |
| NumParamSets | | NumParamSets | ||
− | | Number of device parameter sets (always | + | | Number of device parameter sets (always 0x1) |
|- | |- | ||
− | | | + | | 0x4B4 |
− | | | + | | 0x4 |
| DevType | | DevType | ||
− | | Device type ( | + | | Device type (0x4 == Sdmmc) |
|- | |- | ||
− | | | + | | 0x4B8 |
| 0x40 | | 0x40 | ||
| DevParams | | DevParams | ||
| Device parameters | | Device parameters | ||
|- | |- | ||
− | | | + | | 0x4F8 |
− | | | + | | 0x4 |
| NumSdramSets | | NumSdramSets | ||
| Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) | | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) | ||
|- | |- | ||
− | | | + | | 0x4FC |
| 0x838 | | 0x838 | ||
| SdramParams0 | | SdramParams0 | ||
| Default values filled in | | Default values filled in | ||
|- | |- | ||
− | | | + | | 0xD34 |
| 0x838 | | 0x838 | ||
| SdramParams1 | | SdramParams1 | ||
Line 335: | Line 365: | ||
| 0x04 | | 0x04 | ||
| BootLoadersUsed | | BootLoadersUsed | ||
− | | Number of bootloaders installed (always | + | | Number of bootloaders installed (always 0x2, maximum is 0x4) |
|- | |- | ||
| 0x25E0 | | 0x25E0 | ||
Line 341: | Line 371: | ||
| BootLoader0 | | BootLoader0 | ||
| Configuration parameters for bootloader 0 (main) | | Configuration parameters for bootloader 0 (main) | ||
− | 0x25E0: StartBlock ( | + | 0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe) |
− | 0x25E4: StartPage ( | + | 0x25E4: StartPage (0) |
0x25E8: Version (variable) | 0x25E8: Version (variable) | ||
0x25EC: Reserved | 0x25EC: Reserved | ||
Line 350: | Line 380: | ||
| BootLoader1 | | BootLoader1 | ||
| Configuration parameters for bootloader 1 (backup) | | Configuration parameters for bootloader 1 (backup) | ||
− | 0x25F0: StartBlock ( | + | 0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe) |
− | 0x25F4: StartPage ( | + | 0x25F4: StartPage (0) |
0x25F8: Version (variable) | 0x25F8: Version (variable) | ||
0x25FC: Reserved | 0x25FC: Reserved | ||
Line 366: | Line 396: | ||
|- | |- | ||
| 0x2620 | | 0x2620 | ||
− | | | + | | 0x4 |
+ | | SecureDebugControlNoneEcid | ||
+ | | Empty | ||
+ | |- | ||
+ | | 0x2624 | ||
+ | | 0x4 | ||
+ | | SecureDebugControlEcid | ||
+ | | Empty | ||
+ | |- | ||
+ | | 0x2628 | ||
+ | | 0x10 | ||
| | | | ||
| Empty | | Empty | ||
+ | |- | ||
+ | | 0x2638 | ||
+ | | 0x40 | ||
+ | | | ||
+ | | Empty | ||
+ | |- | ||
+ | | 0x2678 | ||
+ | | 0x4 | ||
+ | | SecProvisioningKeyNumSecure | ||
+ | | Used for Factory Secure Provisioning (always 0) | ||
|- | |- | ||
| 0x267C | | 0x267C |
Latest revision as of 20:52, 23 July 2024
BCT (Boot Configuration Table) is a data structure present on Tegra based devices that supplies boot time configuration parameters.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's boot partition 0. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Erista BCT's data is only signed after offset 0x510. Therefore, regions like CustomerData can be freely modified without resigning. This is done by NS when injecting a new keyblob during a system update, for example.
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the keyblob system is no longer used.
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM.
Format
Erista
Offset | Size | Field | Description |
---|---|---|---|
0x0 | 0x210 | BadBlockTable | Table containing information on bad blocks
0x0: EntriesUsed (0x200) 0x4: VirtualBlockSizeLog2 (0xF) 0x5: BlockSizeLog2 (0xE) 0x6: BadBlocks 0x206: Reserved |
0x210 | 0x100 | Key | BCT RSA public key's modulus |
0x310 | 0x110 | Signature | BCT cryptographic signature
0x310: CryptoHash (empty) 0x320: RsaPssSig |
0x420 | 0x4 | SecProvisioningKeyNumInsecure | Used for Factory Secure Provisioning (always 0) |
0x424 | 0x20 | SecProvisioningKey | Used for Factory Secure Provisioning (always 0) |
0x0444 | 0xC4 | CustomerData | Data block available for the customer (used in key generation)
0x444: Reserved 0x450: Keyblob 0x500: Reserved |
0x508 | 0x4 | OdmData | Empty |
0x50C | 0x4 | Reserved | Empty |
0x510 | 0x10 | RandomAesBlock | Empty |
0x520 | 0x10 | UniqueChipId | Empty |
0x530 | 0x4 | BootDataVersion | Set to 0x210001 (BOOTDATA_VERSION_T210) |
0x534 | 0x4 | BlockSizeLog2 | Always 0xE |
0x538 | 0x4 | PageSizeLog2 | Always 0x9 |
0x53C | 0x4 | PartitionSize | Always 0x1000000 |
0x540 | 0x4 | NumParamSets | Number of device parameter sets (always 0x1) |
0x544 | 0x4 | DevType | Device type (0x4 == Sdmmc) |
0x548 | 0x40 | DevParams | Device parameters
0x548: ClockDivider (0x9 == 24MHz) 0x54C: DataWidth (0x2 == 8Bit) |
0x588 | 0x4 | NumSdramSets | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) |
0x58C | 0x768 | SdramParams0 | Default values filled in |
0xCF4 | 0x768 | SdramParams1 | Default values filled in |
0x145C | 0x768 | SdramParams2 | Default values filled in |
0x1BC4 | 0x768 | SdramParams3 | Default values filled in |
0x232C | 0x4 | BootLoadersUsed | Number of bootloaders installed (always 0x2, maximum is 0x4) |
0x2330 | 0x12C | BootLoader0 | Configuration parameters for bootloader 0 (main)
0x2330: Version (variable) 0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe) 0x2338: StartPage (0) 0x233C: Length (variable) 0x2340: LoadAddress (0x40010000) 0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) 0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe) 0x234C: CryptoHash (empty) 0x235C: RsaPssSig |
0x245C | 0x12C | BootLoader1 | Configuration parameters for bootloader 1 (backup)
0x245C: Version (variable) 0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe) 0x2464: StartPage (0) 0x2468: Length (variable) 0x246C: LoadAddress (0x40010000) 0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) 0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe) 0x2478: CryptoHash (empty) 0x2488: RsaPssSig |
0x2588 | 0x12C | BootLoader2 | Reserved space for bootloader 2 (unused) |
0x26B4 | 0x12C | BootLoader3 | Reserved space for bootloader 3 (unused) |
0x27E0 | 0x1 | EnableFailBack | Always 0 |
0x27E1 | 0x4 | SecureJtagControl | Always 0 |
0x27E5 | 0x4 | SecProvisioningKeyNumSecure | Used for Factory Secure Provisioning (always 0) |
0x27E9 | 0x12 | Reserved | Always starts with 0x80000000 (NVBOOT padding pattern) |
0x27FB | 0x5 | Padding | Empty |
CustomerData
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely. The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active keyblob. All remaining bytes are zero.
The first bootloader validates and decrypts this block for further key generation. The decrypted keyblob payload is as follows.
Offset | Size | Description |
---|---|---|
0x0 | 0x80 | Array of master static key encryption keys |
0x80 | 0x10 | PK11 key |
BootLoader0
The version field controls which keyblob is used, where 0x1 is the first one. See Cryptosystem for the keyblobs used by each system-version.
Mariko
Offset | Size | Field | Description |
---|---|---|---|
0x0 | 0x210 | Pcp | BCT public cryptographic parameters
0x0: KeySize 0x4: Reserved 0x10: PublicKeyModulus 0x110: PublicKeyExponent |
0x210 | 0x110 | Signature | BCT cryptographic signature
0x210: CryptoHash (empty) 0x220: RsaPssSig |
0x320 | 0x20 | SecProvisioningKey | Used for Factory Secure Provisioning (always 0) |
0x340 | 0x4 | SecProvisioningKeyNumInsecure | Used for Factory Secure Provisioning (always 0) |
0x344 | 0xC | Padding | Empty |
0x350 | 0xD0 | CustomerData | Data block available for the customer |
0x420 | 0x10 | RandomAesBlock | |
0x430 | 0x10 | Empty | |
0x440 | 0x40 | Empty | |
0x480 | 0x10 | RandomAesBlock2 | |
0x490 | 0x10 | UniqueChipId | Empty |
0x4A0 | 0x4 | BootDataVersion | Set to 0x210001 (BOOTDATA_VERSION_T210) |
0x4A4 | 0x4 | BlockSizeLog2 | Always 0xE |
0x4A8 | 0x4 | PageSizeLog2 | Always 0x9 |
0x4AC | 0x4 | PartitionSize | Always 0x1000000 |
0x4B0 | 0x4 | NumParamSets | Number of device parameter sets (always 0x1) |
0x4B4 | 0x4 | DevType | Device type (0x4 == Sdmmc) |
0x4B8 | 0x40 | DevParams | Device parameters |
0x4F8 | 0x4 | NumSdramSets | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) |
0x4FC | 0x838 | SdramParams0 | Default values filled in |
0xD34 | 0x838 | SdramParams1 | Default values filled in |
0x156C | 0x838 | SdramParams2 | Default values filled in |
0x1DA4 | 0x838 | SdramParams3 | Default values filled in |
0x25DC | 0x04 | BootLoadersUsed | Number of bootloaders installed (always 0x2, maximum is 0x4) |
0x25E0 | 0x10 | BootLoader0 | Configuration parameters for bootloader 0 (main)
0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe) 0x25E4: StartPage (0) 0x25E8: Version (variable) 0x25EC: Reserved |
0x25F0 | 0x10 | BootLoader1 | Configuration parameters for bootloader 1 (backup)
0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe) 0x25F4: StartPage (0) 0x25F8: Version (variable) 0x25FC: Reserved |
0x2600 | 0x10 | BootLoader2 | Reserved space for bootloader 2 (unused) |
0x2610 | 0x10 | BootLoader3 | Reserved space for bootloader 3 (unused) |
0x2620 | 0x4 | SecureDebugControlNoneEcid | Empty |
0x2624 | 0x4 | SecureDebugControlEcid | Empty |
0x2628 | 0x10 | Empty | |
0x2638 | 0x40 | Empty | |
0x2678 | 0x4 | SecProvisioningKeyNumSecure | Used for Factory Secure Provisioning (always 0) |
0x267C | 0x184 | Reserved | Always starts with 0x80000000 (NVBOOT padding pattern) |