|
|
| (22 intermediate revisions by 7 users not shown) |
| Line 1: |
Line 1: |
| For the Gamecard partitions that can be [[Filesystem_services|mounted]], see [[Gamecard_Partition|here]].
| | This page documents the Nintendo Switch Gamecard. |
|
| |
|
| For the format of the Gamecard image, see [[Gamecard_Format|here]].
| |
|
| |
| = Firmware =
| |
| [[Filesystem_services|FS]] is responsible for setting up the communication with the Gamecard. During this process, firmware blobs (with a fixed size of 0x7800 bytes) are loaded into some sort of programmable logic on the Gamecard.
| |
|
| |
| The Gamecard firmware is encrypted, signed and follows the format below.
| |
|
| |
| {| class="wikitable" border="1"
| |
| |-
| |
| ! Offset
| |
| ! Size
| |
| ! Description
| |
| |-
| |
| | 0x0
| |
| | 0x100
| |
| | RSA-PKCS#1 signature
| |
| |-
| |
| | 0x100
| |
| | 0x4
| |
| | Magic ("LAFW")
| |
| |-
| |
| | 0x104
| |
| | 0x4
| |
| | Unknown (0xFF000000, 0xFFFF0000 or 0xFFFFFF00)
| |
| |-
| |
| | 0x108
| |
| | 0x4
| |
| |
| |
| |-
| |
| | 0x10C
| |
| | 0x4
| |
| |
| |
| |-
| |
| | 0x110
| |
| | 0x4
| |
| | Version (0, 1 or 3)
| |
| |-
| |
| | 0x114
| |
| | 0x4
| |
| | Unknown (0x80000000)
| |
| |-
| |
| | 0x118
| |
| | 0x4
| |
| | Data size
| |
| |-
| |
| | 0x11C
| |
| | 0x4
| |
| |
| |
| |-
| |
| | 0x120
| |
| | 0x10
| |
| | Data hash
| |
| |-
| |
| | 0x130
| |
| | 0x10
| |
| | Unknown string ("IDIDIDIDIDIDIDID")
| |
| |-
| |
| | 0x140
| |
| | 0x40
| |
| | Empty
| |
| |-
| |
| | 0x180
| |
| | 0x7680
| |
| | Encrypted data
| |
| |}
| |
|
| |
| = Hardware =
| |
| {| style="float:right; margin-left: 0px;" | | {| style="float:right; margin-left: 0px;" |
| |- | | |- |
| Line 77: |
Line 10: |
| |- | | |- |
| |[[File:CartridgeFrontBare.jpeg|200px|thumb|right|Close-up of stripped frontside PCB]] | | |[[File:CartridgeFrontBare.jpeg|200px|thumb|right|Close-up of stripped frontside PCB]] |
| |
| |
| |-
| |
| |} | | |} |
|
| |
|
| == Pinout ==
| | For the Gamecard image format, see [[XCI|here]]. |
| | |
| | For the Gamecard ASIC, see [[Lotus3|here]]. |
| | |
| | = Pinout = |
| | Note: Pins 1 and 2 act as one when receiving data from the ASIC chip. |
| | |
| [[File:Gamecard-pinout.png|400px]] | | [[File:Gamecard-pinout.png|400px]] |
|
| |
|
| Line 90: |
Line 27: |
| ! Description | | ! Description |
| |- | | |- |
| | 0 | | | 1 |
| | IRQ? | | | GND |
| | | Input |
| | | Ground |
| | |- |
| | | 2 |
| | | CD# |
| | Output | | | Output |
| | Always wired to GND inside game cartridge; Possibly used for interrupt signaling | | | Card Detect; Single pin on cartridge side (hardwired to GND). Bridges pin 1 (GND) and 2 (CD#) on slot side as cartridge is inserted |
| |- | | |- |
| | 1 | | | 3 |
| | | CLK |
| | | Input |
| | | Clock, 25MHz |
| | |- |
| | | 4 |
| | RCLK | | | RCLK |
| | Output | | | Output |
| | Return clock; Game cartridge sends back CLK signal delayed by a few ns | | | Return clock; Game cartridge sends back CLK signal delayed by a few ns |
| |- | | |- |
| | 2 | | | 5 |
| | CLK | | | CS# |
| | Input | | | Input |
| | Clock, 25MHz | | | Chip Select |
| |- | | |- |
| | 3 | | | 6 |
| | CS | | | DAT1 |
| | Input | | | Inout |
| | Chip select; Switch pulls this LOW during a transfer | | | Data bus pin 1 |
| |- | | |- |
| | 4 | | | 7 |
| | DAT0 | | | DAT0 |
| | Inout | | | Inout |
| | Data bus pin 0 | | | Data bus pin 0 |
| |- | | |- |
| | 5 | | | 8 |
| | DAT1 | | | VCC 3.1v |
| | | Input |
| | | Power (3.1V) for Internal Core |
| | |- |
| | | 9 |
| | | DAT3 |
| | Inout | | | Inout |
| | Data bus pin 1 | | | Data bus pin 3 |
| |-
| | |- |
| | 6
| | | 10 |
| | VCC 3.3v
| | | DAT2 |
| | Input
| |
| |
| |
| |- | |
| | 7 | |
| | DAT2 | |
| | Inout | | | Inout |
| | Data bus pin 2 | | | Data bus pin 2 |
| |- | | |- |
| | 8 | | | 11 |
| | DAT3
| | | VCC 1.8v |
| | Inout
| |
| | Data bus pin 3
| |
| |-
| |
| | 9
| |
| | VCC 1.8v | |
| | Input | | | Input |
| | | | | Power (1.8V) for I/O |
| |- | | |- |
| | 10 | | | 12 |
| | DAT4
| |
| | Inout
| |
| | Data bus pin 4
| |
| |-
| |
| | 11
| |
| | DAT5 | | | DAT5 |
| | Inout | | | Inout |
| | Data bus pin 5 | | | Data bus pin 5 |
| | |- |
| | | 13 |
| | | DAT4 |
| | | Inout |
| | | Data bus pin 4 |
| |- | | |- |
| | 12 | | | 14 |
| | DAT6 | | | DAT6 |
| | Inout | | | Inout |
| | Data bus pin 6 | | | Data bus pin 6 |
| |- | | |- |
| | 13 | | | 15 |
| | DAT7 | | | DAT7 |
| | Inout | | | Inout |
| | Data bus pin 7 | | | Data bus pin 7 |
| |- | | |- |
| | 14 | | | 16 |
| | GND | | | GND |
| |
| |
| |
| |
| |-
| |
| | 15
| |
| | RST
| |
| | Input | | | Input |
| | Reset, active LOW. | | | Ground |
| |- | | |- |
| | | 17 |
| | | RST# |
| | | Input |
| | | Reset |
| | |- |
| |} | | |} |
|
| |
|
| All IO use 1.8V for logic HIGH and 0V for logic LOW. | | All IO use 1.8V for logic HIGH and 0V for logic LOW. |
|
| |
|
| == Protocol == | | Data pins are approximately 0.75mm in width and are in order of length: 9mm (pin 16), 8mm (pins 17, 5), 6mm (pins 1&2) 3mm (pins 3, 4, 6, 7, 9, 10, 12, 13, 14, 15). |
| | |
| | = Slot Pinout = |
| | [[File:Card_slot.jpg|500px|thumb|right|Annotated slot pinout]] |
| | |
| | This just maps the [[#Pinout|cartridge pinout]] onto the slot on the console. |
| | |
| | {| class="wikitable" |
| | ! Pin |
| | ! Name |
| | |- |
| | | 1 |
| | | GND |
| | |- |
| | | 2 |
| | | CD# |
| | |- |
| | | 3 |
| | | CLK |
| | |- |
| | | 4 |
| | | RCLK |
| | |- |
| | | 5 |
| | | CS# |
| | |- |
| | | 6 |
| | | DAT1 |
| | |- |
| | | 7 |
| | | DAT0 |
| | |- |
| | | 8 |
| | | VCC 3.1v |
| | |- |
| | | 9 |
| | | DAT3 |
| | |- |
| | | 10 |
| | | DAT2 |
| | |- |
| | | 11 |
| | | VCC 1.8v |
| | |- |
| | | 12 |
| | | DAT5 |
| | |- |
| | | 13 |
| | | DAT4 |
| | |- |
| | | 14 |
| | | DAT6 |
| | |- |
| | | 15 |
| | | DAT7 |
| | |- |
| | | 16 |
| | | GND |
| | |- |
| | | 17 |
| | | RST# |
| | |- |
| | |} |
| | |
| | = Protocol = |
| Switch game cartridges use a simple (but Nintendo proprietery) SPI-like bus with 8-bit width (DAT7..0). It is very similar to the bus interface of 3DS game cartridges, except with very different commands. | | Switch game cartridges use a simple (but Nintendo proprietery) SPI-like bus with 8-bit width (DAT7..0). It is very similar to the bus interface of 3DS game cartridges, except with very different commands. |
|
| |
|
| Line 187: |
Line 193: |
| The actual response bytes are also followed immediately by a 4-byte CRC-32 over the actual data response bytes. | | The actual response bytes are also followed immediately by a 4-byte CRC-32 over the actual data response bytes. |
|
| |
|
| == Commands == | | = Manufacturers = |
| A typical boot up sequence of a game cartridge (in this case, the game "1,2 Switch") looks like this:
| | ;MegaChips (outsourced to Macronix) |
| | : Uses package: LGA, TSOP-48 |
| | : Uses card id: 0xC2 |
|
| |
|
| {| class="wikitable"
| | ;Lapis |
| ! Command
| | : Uses package: LGA, TSOP-48 |
| ! Size
| | : Uses card id: 0xAE |
| ! Description
| |
| |-
| |
| | <code>5B000000000000010000000000000000</code>
| |
| | 0x200
| |
| | Read sector 0, contains "HEAD" blob
| |
| |-
| |
| | <code>5B000000000000010000000000000000</code>
| |
| | 0x200
| |
| | Read sector 0, contains "HEAD" blob
| |
| |-
| |
| | <code>56000000000000000000000000000000</code>
| |
| | 0x4
| |
| | Read card id "AE F8 01 21"
| |
| |-
| |
| | <code>28000000000000000000000000000000</code>
| |
| | 0x4
| |
| | Read ??? "02 00 00 00"
| |
| |-
| |
| | <code>A5000000000000000000000000000000</code>
| |
| | 0x4
| |
| | Read ??? "00 00 00 00"
| |
| |-
| |
| | <code>56000000000000000000000000000000</code>
| |
| | 0x4
| |
| | Read card id "AE F8 01 21"
| |
| |-
| |
| | <code>28000000000000000000000000000000</code>
| |
| | 0x4
| |
| | Read ??? "02 00 00 00"
| |
| |-
| |
| | <code>5B000000380000010000000000000000</code>
| |
| | 0x200
| |
| | Read sector 0x38, contains "CERT" blob
| |
| |-
| |
| | <code>E2000000000000000000000000000000</code>
| |
| | 0x4
| |
| | Read ??? "01 00 00 00"
| |
| |-
| |
| | <code>E0000000000000000000000000000000</code>
| |
| | 0x200
| |
| | Read crypto-challenge header
| |
| |-
| |
| | <code>200838A25A344F818ABB6456694D4E8D</code>
| |
| | 0
| |
| | Enter crypto mode1 with HOST-RANDOM "0838A25A344F818ABB6456694D4E8D"
| |
| |-
| |
| | <code>7EE41FDF12C01C157CC899910673A0CF</code>
| |
| | 0x40
| |
| | Encrypted crypto mode1 command, reads CART-RANDOM
| |
| |-
| |
| | <code>263C8230EC15FAE3CE79365BD850F4BD</code>
| |
| | 0x0
| |
| | Encrypted mode1 command, enters crypto mode2 with (HOST-RANDOM, CART-RANDOM)
| |
| |-
| |
| | <code>B6FDA6F37FFA29E18831D0B217DFBDBE</code>
| |
| | 0x4
| |
| | Encrypted mode2 command, possibly read card id?
| |
| |-
| |
| | <code>7B97F7DF07240AA9870E1C974336FA8A</code>
| |
| | 0x4
| |
| | Encrypted mode2 command
| |
| |-
| |
| |}
| |
|
| |
|
| The meaning of some these commands are currently unknown.
| | ;LSI Logic (?) |
| | |
| == Observations ==
| |
| * The "update" and "normal" partitions can be dumped using the plaintext 5B commands
| |
| * The "secure" partition can only be read from encrypted mode.
| |
| | |
| == Encryption ==
| |
| After a few initial plaintext commands, the Switch instructs the game cartridge to enter into encrypted mode. From that point on, commands and responses are sent encrypted over the bus. The encryption algorithm used is currently unknown.
| |
| | |
| There appear to be 2 kinds of crypto mode.
| |
| | |
| Crypto mode1 is initiated solely by the HOST-RANDOM as random session seed. In that mode, the Switch host requests for the game cartridge random seed, and then sends a command to enter crypto mode2.
| |
| | |
| Crypto mode2 takes into account the CART-RANDOM seed generated by the cartridge, and possibly the previous HOST-RANDOM.
| |
| The game cartridge will always send a different CART-RANDOM even if the exact same command sequence is replayed and thus with this scheme replay attacks are not possible.
| |
| | |
| == Manufacturers ==
| |
| ;Macronix (MX) | |
| : Uses package: LGA | | : Uses package: LGA |
| : Uses card id: 0xC2 | | : Uses card id: 0x36 |
| ;OKI Semiconductor
| |
| : Uses package: TSOP-48
| |
| : Uses card id: 0xAE
| |
| ;SanDisk?
| |
| : Uses package: ??
| |
| : Uses card id: 0x45 ?
| |