Nintendo Switch Brew

Flash Filesystem: Difference between revisions

← Older edit
Package2 FIRM partition is stored raw.
No edit summary
 
(80 intermediate revisions by 13 users not shown)
Line 1: Line 1:
= NAND structure =
= NAND structure =
The Switch's eMMC storage features a large user area, two smaller boot partitions and a replay-protected memory block which is unused (no authentication key is programmed).
All official partition names come from [[SystemInitializer]].


== Boot Partitions ==
== Boot Partitions ==
'''Boot Partition 0 (0 of 1)'''
The official name for this partition is "BootPartition1Root" and it has [[Filesystem_services|Bis]] Partition ID == 0.


'''Boot Partition 0 (0 of 1)'''
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 11: Line 16:
|-
|-
|  0x000000
|  0x000000
|   
0x4000
|  Title 0100000000000819 BCT
Normal Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 0100000000000819]]
|-
|-
|  0x004000
|  0x004000
|   
0x4000
|  Title 010000000000081A BCT
SafeMode Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 010000000000081A]]
|-
|-
|  0x008000
|  0x008000
|   
0x4000
|  Title 0100000000000819 BCT
Normal Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 0100000000000819]] (backup)
|-
|-
|  0x00C000
|  0x00C000
|   
0x4000
|  Title 010000000000081A BCT
SafeMode Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 010000000000081A]] (backup)
|-
|  0x010000
|  0xEC000
|  59 additional BCTs, normally unused/empty on retail systems.
|-
|  0x0FC000
|  0x4000
|  [[#System Update Control|System Update Control area]]
|-
|-
|  0x100000
|  0x100000
|   
0x40000
|  Title 0100000000000819 "package1"
Normal Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 0100000000000819]]
|-
|-
|  0x140000
|  0x140000
|   
0x40000
|  Title 0100000000000819 "package1" (Backup)
Normal Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 0100000000000819]] (backup)
|-
|-
|  0x180000
|  0x180000
|  0x4000
|  0x4000
|  Keyblob area
[[#Keyblob|Keyblob area]]
|-
|-
|  0x184000
|  0x184000
|   
0x200
Unknown, 0x20-bytes hash (updated when bcpkg-2-1 updates) + one u64? (may be incremented on bcpkg update) All zero on 1.0.
[2.0.0+] [[#NAND Patrol|NAND Patrol area]]
|}
|}


'''Boot Partition 1 (1 of 1)'''
'''Boot Partition 1 (1 of 1)'''
The official name for this partition is "BootPartition2Root" and it has [[Filesystem_services|Bis]] Partition ID == 10.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 51: Line 67:
|-
|-
|  0x000000
|  0x000000
|   
0x40000
|  Title 010000000000081A "package1"
SafeMode Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 010000000000081A]]
|-
|-
|  0x040000
|  0x040000
|   
0x40000
|  Title 010000000000081A "package1" (Backup)
SafeMode Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 010000000000081A]] (backup)
|-
|  0x080000
|  0x40000
|  Reserved
|-
|  0x0C0000
|  0x40000
|  Reserved
|}
 
=== System Update Control ===
The 0x4000 bytes at offset 0xFC000 are used by [[NS_Services|NS]] and [[Boot|boot]] for keeping track of the status of a system update. This area is used by the [[NS_Services#ISystemUpdateControl|ISystemUpdateControl]] commands [[NS_Services#ApplyDownloadedUpdate|ApplyDownloadedUpdate]], [[NS_Services#ApplyCardUpdate|ApplyCardUpdate]] and [[NS_Services#ApplyReceivedUpdate|ApplyReceivedUpdate]].
 
{| class="wikitable" border="1"
|-
!  Offset
!  Size
!  Description
|-
| 0x0
| 0x1
| BootImages status. Set to 1 by [[NS_Services|NS]] during a system update and cleared by [[Boot|boot]] after restarting.
|-
| 0x1
| 0x1
| BootImagesSafe status. Set to 1 by [[NS_Services|NS]] during a system update and cleared by [[Boot|boot]] after restarting.
|}
|}


=== Keyblob ===
=== Keyblob ===
Starting at offset 0x180000 is an array of 0x200-byte entries, for a total of 32 keyblobs. Each one is unique compared to the others and they are all console unique. This is officially known as the "EKS" (encryption key source) area.
From each 0x200-byte entry only the first 0xB0 bytes effectively form the keyblob as below.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 68: Line 114:
| 0x0
| 0x0
| 0x10
| 0x10
| Keyblob AES-CMAC over the remaining 0xA0-bytes (Checked with a safe memcmp which won't abort early, calls the general panic() func on failure)
| Keyblob AES-CMAC over the next 0xA0 bytes (safe against timing attacks)
|-
|-
| 0x10
| 0x10
Line 83: Line 129:
|}
|}


The data at 0x180000 is an array of 0x200-byte entries, with a total of 32 entries. Therefore, there's 32 different keyblobs are stored here. The raw data for each one is unique compared to the others.
The active bootloader's version (offset 0x2330 in the BCT) acts as an index (<code>version-1</code>) to control which keyblob should be installed into the system.
[[NS_Services|NS]] uses this during system updates to install the keyblob into the [[BCT#customer_data|customer data]] section in BCTs (offset 0x450).


The 0xB0-byte keyblob is installed to the console-unique "customer data" section in BCTs(BCT+0x450), which is what gets used during system boot.
[[Boot]] also uses this index for repairing corrupt sectors.


Which keyblob is loaded from here during install is presumably somewhere in BCT? <v3.0 use index0, v3.0 uses index1. Hence, the installed keyblob was changed with v3.0.
The currently active keyblob is officially known as "SecureInfo".


BCT Offset 0x2330 is probably the field controlling this?(0x245C is a copy of this field?) There's at least 3 versions of package1: v1.0, v2.0, and v3.0, BCT was updated for all of these. With v1.0 and v2.0 these two fields are the same(0x1), however with v3.0 it's 0x2.
=== NAND Patrol ===
The 0x200 bytes at offset 0x184000 are used by [[Filesystem_services|FS]] for keeping track of NAND patrolling.


==== panic ====
{| class="wikitable" border="1"
The ARM7 panic() function does the following:
|-
* Clears memory.
!  Offset
* ...
!  Size
* Writes 0x1 to FUSE_DIS_PGM. From nvdia source: "check that fuse options write access hasn't been disabled".
!  Description
* ...
|-
* Executes: while(1)*((u32*)0x60007004) = 0x5<<28;
| 0x0
| 0x20
| HMAC-SHA-256 over the next 0x1E0 bytes
|-
| 0x20
| 0x4
| Last patrolled NAND block's offset
|-
| 0x24
| 0x4
| NAND patrol count
|-
| 0x28
| 0x1D8
| Unused, all-zero.
|}


== User Partitions ==
== User Partitions ==
Line 103: Line 166:
|-
|-
!  Partition name
!  Partition name
!  Partition type GUID
!  Offset
!  Offset
!  Size
!  Size
!  [[Filesystem_services|Bis]] Partition ID
!  [[Filesystem_services|Bis]] Partition ID
!  Encrypted
!  Description
!  Description
|-
|-
|  N/A
|  N/A
|
|  0x0
|  0x0
|
|  
|  20
|  20
|  GPT header, Bis-storage also allows raw access to the entire NAND eMMC sectors starting at sector0.
|  No
|  GPT header, Bis-storage also allows raw access to the entire NAND eMMC sectors starting at sector0. The official name for this partition is "UserDataRoot".
|-
|-
|  PRODINFO
[[Calibration#CalibrationBinary|PRODINFO]]
|  {98109E25-64E2-4C95-8A77-414916F5BCEB}
|  0x00004400
|  0x00004400
|  0x003FBC00
|  0x003FBC00
|  27
|  27
|  "CAL0" raw partition containing set:cal data.
|  Yes (Bis key 0)
|  "CAL0" raw partition containing set:cal data. The official name for this partition is "CalibrationBinary".
|-
|-
|  PRODINFOF
[[Calibration#CalibrationFile|PRODINFOF]]
|  {F3056AEC-5449-494C-9F2C-5FDCB75B6E6E}
|  0x00400000
|  0x00400000
|  0x00400000
|  0x00400000
|  28
|  28
|  FAT12 filesystem, additional calibration.
|  Yes (Bis key 0)
|  FAT12 filesystem, additional calibration. The official name for this partition is "CalibrationFile".
|-
|-
|  BCPKG2-1-Normal-Main
|  BCPKG2-1-Normal-Main
|  {5365DE36-911B-4BB4-8FF9-AA1EBCD73990}
|  0x00800000
|  0x00800000
|  0x00800000
|  0x00800000
|  21
|  21
For all these packages, data starts at offset 0x4000 and is not console-unique. This is installed from "package2" in firmware package A (0100000000000819) by default. With the exFAT update installed, this is switched to firmware package C (010000000000081B). The data stored here matches the raw /package2 file stored in the 81[9AB] data archives -- there is no additional encryption.
No
|  Raw partition where the first 0x4000 bytes (usually empty) contain the [[BootConfig]] and the remaining space contains the [[Package2|package2]] image from [[Title_list#System_Data_Archives|Title 0100000000000819]] by default. With the exFAT update installed, the [[Package2|package2]] image is switched to the one from [[Title_list#System_Data_Archives|Title 010000000000081B]]. The official name for this partition is "BootConfigAndPackage2Part1".
|-
|-
|  BCPKG2-2-Normal-Sub
|  BCPKG2-2-Normal-Sub
|  {8455717B-BD2B-4162-8454-91695218FC38}
|  0x01000000
|  0x01000000
|  0x00800000
|  0x00800000
|  22
|  22
Identical to BCPKG2-1-Normal-Main, probably used as a backup partition.
No
|  Backup partition for BCPKG2-1-Normal-Main. The official name for this partition is "BootConfigAndPackage2Part2".
|-
|-
|  BCPKG2-3-SafeMode-Main
|  BCPKG2-3-SafeMode-Main
|  {8ED6C9A6-9C48-490B-BBEB-001D17A4C0F7}
|  0x01800000
|  0x01800000
|  0x00800000
|  0x00800000
|  23
|  23
This is installed from "package2" in firmware package B (010000000000081A).
No
|  Raw partition where the first 0x4000 bytes (usually empty) contain the [[BootConfig]] and the remaining space contains the [[Package2|package2]] image from [[Title_list#System_Data_Archives|Title 010000000000081A]] by default. On [4.0.0+] and with the exFAT update installed, the [[Package2|package2]] image is switched to the one from [[Title_list#System_Data_Archives|Title 010000000000081C]]. The official name for this partition is "BootConfigAndPackage2Part3".
|-
|-
|  BCPKG2-4-SafeMode-Sub
|  BCPKG2-4-SafeMode-Sub
|  {5E99751C-56C9-47CC-AA30-B65039888917}
|  0x02000000
|  0x02000000
|  0x00800000
|  0x00800000
|  24
|  24
Identical to BCPKG2-3-SafeMode-Main.
No
|  Backup partition for BCPKG2-3-SafeMode-Main. The official name for this partition is "BootConfigAndPackage2Part4".
|-
|-
|  BCPKG2-5-Repair-Main
|  BCPKG2-5-Repair-Main
|  {C447D9A2-24B7-468A-98C8-595CD077165A}
|  0x02800000
|  0x02800000
|  0x00800000
|  0x00800000
|  25
|  25
|  Installed at the factory.
|  No
|  Installed at the factory, never written afterwards on retail. In one case this is identical to normal [[1.0.0]] [[Package2|package2]], except this has encrypted data at the end padded for 0x1000-byte alignment. The official name for this partition is "BootConfigAndPackage2Part5".
|-
|-
|  BCPKG2-6-Repair-Sub
|  BCPKG2-6-Repair-Sub
|  {9586E1A1-3AA2-4C90-91B3-2F4A5195B4D2}
|  0x03000000
|  0x03000000
|  0x00800000
|  0x00800000
|  26
|  26
Identical to BCPKG2-5-Repair-Main.
No
|  Backup partition for BCPKG2-5-Repair-Main. The official name for this partition is "BootConfigAndPackage2Part6".
|-
|-
|  SAFE
|  SAFE
|  {A44F9F6B-4ED3-441F-A34A-56AAA136BC6A}
|  0x03800000
|  0x03800000
|  0x04000000
|  0x04000000
|  29
|  29
|  FAT32 filesystem.
|  Yes (Bis key 1)
|  FAT32 filesystem. The official name for this partition is "SafeMode".
|-
|-
|  SYSTEM
|  SYSTEM
|  {ACB0CDF0-4F72-432D-AA0D-5388C733B224}
|  0x07800000  
|  0x07800000  
|  0xA0000000
|  0xA0000000
|  31 (and 32?)
|  31, 32 and 33
|  FAT32 filesystem.
|  Yes (Bis key 2)
|  FAT32 filesystem. The official names for these partitions are "System", "SystemProperEncryption" and "SystemProperPartition".
|-
|-
|  USER
|  USER
|  {2B777F63-E842-47AF-94C4-25A7F18B2280}
|  0xA7800000
|  0xA7800000
|  0x680000000
|  0x680000000
|  30
|  30
|  Yes (Bis key 3)
|  FAT32 filesystem.
|  FAT32 filesystem.
|-
|-
|
|  
|  
| 0x747BFFE00
| 0x747BFFE00
| 0x200
| 0x200
|  
|  
| This is the backup GPT header specified by the main GPT header. This is also the last sector readable with Bis-storage paritionID 20.
| No
This is the backup GPT header specified by the main GPT header. This is also the last sector readable with Bis-storage paritionID 20.
|}
|}


If the client process lacks the relevant permission for any of the above partition IDs, error 0x2EE202 is returned.
If the client process lacks the relevant permission for any of the above partition IDs, error 0x2EE202 is returned.


[[NCA]]s stored in NAND are raw, identical to the data readable with [[Content_Manager_services#ReadEntryRaw]].
[[NCA]]s stored in NAND are raw, identical to the data readable with [[NCM_services#ReadContentIdFile]].


The filenames for saveimages is just "<lower-case hex u64 saveID>". SYSTEM-partition saveIDs are specified by [[Filesystem_services|FS]] commands, while USER-partition saveIDs are determined by FS-module internally. The high u32 of the saveID is normally either 0x00000000 or 0x80000000.
The filenames for saveimages is just "<lower-case hex u64 saveID>". SYSTEM-partition saveIDs are specified by [[Filesystem_services|FS]] commands, while USER-partition saveIDs are determined by FS-module internally. The high u32 of the saveID is normally either 0x00000000 or 0x80000000.


=== PRODINFOF ===
Encrypted partitions use AES-XTS using the same non-standard tweak (tweak[0] = sectorIdx[MSB] .. tweak[15] = sectorIdx[LSB], if using 32bit sectorIdx that means tweak[0]..tweak[11] are 0, with tweak[12]..tweak[15] containing big-endian sectorIdx) as other Nintendo AES-XTS code, initial_sector = 0, and sector size 0x4000. All encrypted partitions use console unique keydata.
PRODINFOF
├── Certifications
│  └── WirelessCertification.png
└── ptd
    ├── DeviceIdWithEmsBit.dat
    ├── Ecid.dat
    ├── prodCode.dat
    └── log
        ├── Process_asm1.log
        ├── Process_board1.log
        ├── TestFlagLine.log
        ├── TestFlagQc.log
        ├── AGING
        │  └── Sequence.log
        ├── BOARD_TEST
        │  └── Sequence.log
        ├── BOARD_WIRELESS
        │  └── Sequence.log
        ├── FINAL_CHECK
        │  └── Sequence.log
        ├── LCD_AND_KEY
        │  └── Sequence.log
        └── USB_AND_HP
            └── Sequence.log
 
==== DeviceIdWithEmsBit.dat ====
Contains a 0x10-byte uppercase hex string, identical to the DeviceId in the [[Settings_services|DeviceCert]].


=== SYSTEM ===
=== SYSTEM ===
Line 267: Line 331:


On a v2.1 system with MountBis, the only thing under here is "PRF2SAFE.RCV".
On a v2.1 system with MountBis, the only thing under here is "PRF2SAFE.RCV".
== SystemSaveData ==
See [[SystemSaveData]].
Retrieved from "https://switchbrew.org/wiki/Flash_Filesystem"