Nintendo Switch Brew

BCT: Difference between revisions

← Older edit
No edit summary
No edit summary
 
(14 intermediate revisions by 3 users not shown)
Line 3: Line 3:
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.


By design, the BCT's data is only signed after offset 0x0510. Therefore, regions like [[#customer_data|customer_data]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
The Erista BCT's data is only signed after offset 0x510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.


During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.


= Structure =
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in [[Memory_layout|IRAM]].
Below is the BCT structure used by the Switch, which is a minimal variation of the Tegra 210 BCT format.


= Format =
== Erista ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 17: Line 18:
!  Description
!  Description
|-
|-
0x0000
0x0
|  0x210
|  0x210
|  BadBlockTable
|  BadBlockTable
|  Table containing information on bad blocks
|  Table containing information on bad blocks
  0x0000: EntriesUsed (0x200)
  0x0:   EntriesUsed (0x200)
  0x0004: VirtualBlockSizeLog2 (0x0F)
  0x4:   VirtualBlockSizeLog2 (0xF)
  0x0005: BlockSizeLog2 (0x0E)
  0x5:   BlockSizeLog2 (0xE)
  0x0006: BadBlocks
  0x6:   BadBlocks
  0x0206: Reserved
  0x206: Reserved
|-
|-
0x0210
0x210
|  0x100
|  0x100
|  Key
|  Key
|  BCT RSA public key's modulus
|  BCT RSA public key's modulus
|-
|-
0x0310
0x310
|  0x110
|  0x110
|  Signature
|  Signature
|  BCT object signature
|  BCT cryptographic signature
  0x0310: CryptoHash (empty)
  0x310: CryptoHash (empty)
  0x0320: RsaPssSig
  0x320: RsaPssSig
|-
|-
0x0420
0x420
0x04
0x4
|  SecProvisioningKeyNumInsecure
|  SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning. Always 0.
|  Used for Factory Secure Provisioning (always 0)
|-
|-
0x0424
0x424
|  0x20
|  0x20
|  SecProvisioningKey
|  SecProvisioningKey
|  Used for Factory Secure Provisioning. Always empty.
|  Used for Factory Secure Provisioning (always 0)
|-
|-
|  0x0444
|  0x0444
|  0xC4
|  0xC4
|  [[#CustomerData|CustomerData]]
|  [[#CustomerData|CustomerData]]
|  Data block available for the customer. Used in key generation.
|  Data block available for the customer (used in key generation)
  0x0444: Reserved (0x0C bytes)
  0x444: Reserved
  0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes)
  0x450: [[Flash_Filesystem#Keyblob|Keyblob]]
  0x0500: Reserved (0x08 bytes)
  0x500: Reserved
|-
|-
0x0508
0x508
0x04
0x4
|  OdmData
|  OdmData
Legacy field. Unused.
Empty
|-
|-
0x050C
0x50C
0x04
0x4
|  Reserved
|  Reserved
Legacy field. Unused.
Empty
|-
|-
0x0510
0x510
|  0x10
|  0x10
|  RandomAesBlock
|  RandomAesBlock
Always empty.
Empty
|-
|-
0x0520
0x520
|  0x10
|  0x10
|  UniqueChipId
|  UniqueChipId
Always empty.
Empty
|-
|-
0x0530
0x530
0x04
0x4
|  BootDataVersion
|  BootDataVersion
|  Set to 0x00210001 (BOOTDATA_VERSION_T210).
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|-
0x0534
0x534
0x04
0x4
|  BlockSizeLog2
|  BlockSizeLog2
|  Always 0x0E.
|  Always 0xE
|-
|-
0x0538
0x538
0x04
0x4
|  PageSizeLog2
|  PageSizeLog2
|  Always 0x09.
|  Always 0x9
|-
|-
0x053C
0x53C
0x04
0x4
|  PartitionSize
|  PartitionSize
|  Always 0x01000000.
|  Always 0x1000000
|-
|-
0x0540
0x540
0x04
0x4
|  NumParamSets
|  NumParamSets
|  Number of device parameter sets. Always 0x01.
|  Number of device parameter sets (always 0x1)
|-
|-
0x0544
0x544
0x04
0x4
|  DevType
|  DevType
|  Device type. Set to 0x04 (dev_type_sdmmc).
|  Device type (0x4 == Sdmmc)
|-
|-
0x0548
0x548
|  0x40
|  0x40
|  DevParams
|  DevParams
|  Device parameters
|  Device parameters
   0x0548: sdmmc_clock_divider (0x09 == 24MHz)
   0x548: ClockDivider (0x9 == 24MHz)
   0x054C: sdmmc_data_width (0x02 == sdmmc_data_width_8bit)
   0x54C: DataWidth (0x2 == 8Bit)
|-
|-
0x0588
0x588
0x04
0x4
|  NumSdramSets
|  NumSdramSets
|  Number of SDRAM parameter sets. Always set to 0, but parameters are used despite this.
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
0x058C
0x58C
|  0x768
|  0x768
|  SdramParams0
|  SdramParams0
|  Default values filled in.
|  Default values filled in
|-
|-
0x0CF4
0xCF4
|  0x768
|  0x768
|  SdramParams1
|  SdramParams1
|  Default values filled in.
|  Default values filled in
|-
|-
|  0x145C
|  0x145C
|  0x768
|  0x768
|  SdramParams2
|  SdramParams2
|  Default values filled in.
|  Default values filled in
|-
|-
|  0x1BC4
|  0x1BC4
|  0x768
|  0x768
|  SdramParams3
|  SdramParams3
|  Default values filled in.
|  Default values filled in
|-
|-
|  0x232C
|  0x232C
0x04
0x4
|  BootLoadersUsed
|  BootLoadersUsed
|  Number of bootloaders installed. Always 0x02 (maximum is 0x04).
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|-
|  0x2330
|  0x2330
|  0x12C
|  0x12C
|  [[#BootLoader0|BootLoader0]]
|  [[#BootLoader0|BootLoader0]]
|  Configuration parameters for bootloader 0 (normal).
|  Configuration parameters for bootloader 0 (main)
  0x2330: Version (variable)
  0x2330: Version (variable)
  0x2334: StartBlock (0x00000040)
  0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
  0x2338: StartPage (0x00000000)
  0x2338: StartPage (0)
  0x233C: Length (variable)
  0x233C: Length (variable)
  0x2340: LoadAddress (0x40010000)
  0x2340: LoadAddress (0x40010000)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2348: Attribute (0x00000000)
  0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
  0x234C: CryptoHash (empty)
  0x234C: CryptoHash (empty)
  0x235C: RsaPssSig
  0x235C: RsaPssSig
Line 161: Line 162:
|  0x12C
|  0x12C
|  BootLoader1
|  BootLoader1
|  Configuration parameters for bootloader 1 (safe mode).
|  Configuration parameters for bootloader 1 (backup)
  0x245C: Version (variable)
  0x245C: Version (variable)
  0x2460: StartBlock (0x00000050)
  0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
  0x2464: StartPage (0x00000000)
  0x2464: StartPage (0)
  0x2468: Length (variable)
  0x2468: Length (variable)
  0x246C: LoadAddress (0x40010000)
  0x246C: LoadAddress (0x40010000)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2474: Attribute (0x00000000)
  0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
  0x2478: CryptoHash (empty)
  0x2478: CryptoHash (empty)
  0x2488: RsaPssSig
  0x2488: RsaPssSig
Line 175: Line 176:
|  0x12C
|  0x12C
|  BootLoader2
|  BootLoader2
|  Reserved space for bootloader 2 (unused).
|  Reserved space for bootloader 2 (unused)
|-
|-
|  0x26B4
|  0x26B4
|  0x12C
|  0x12C
|  BootLoader3
|  BootLoader3
|  Reserved space for bootloader 3 (unused).
|  Reserved space for bootloader 3 (unused)
|-
|-
|  0x27E0
|  0x27E0
0x01
0x1
|  EnableFailBack
|  EnableFailBack
|  Always 0.
|  Always 0
|-
|-
|  0x27E1
|  0x27E1
0x04
0x4
|  SecureJtagControl
|  SecureJtagControl
|  Always 0.
|  Always 0
|-
|-
|  0x27E5
|  0x27E5
0x04
0x4
|  SecProvisioningKeyNumSecure
|  SecProvisioningKeyNumSecure
|  Used for Factory Secure Provisioning. Always 0.
|  Used for Factory Secure Provisioning (always 0)
|-
|-
|  0x27E9
|  0x27E9
|  0x12
|  0x12
|  Reserved
|  Reserved
|  Always starts with 0x80000000 (NVBOOT padding pattern).
|  Always starts with 0x80000000 (NVBOOT padding pattern)
|-
|-
|  0x27FB
|  0x27FB
0x05
0x5
|  Padding
|  Padding
|  Empty. Not part of BCT data.
|  Empty
|}
|}


== CustomerData ==
=== CustomerData ===
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.
The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.
Line 229: Line 230:
|}
|}


== BootLoader0 ==
=== BootLoader0 ===
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
The version field controls which keyblob is used, where 0x1 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
 
== Mariko ==
{| class="wikitable" border="1"
|-
!  Offset
!  Size
!  Field
!  Description
|-
|  0x0
|  0x210
|  Pcp
|  BCT public cryptographic parameters
0x0:  KeySize
0x4:  Reserved
0x10:  PublicKeyModulus
0x110: PublicKeyExponent
|-
|  0x210
|  0x110
|  Signature
|  BCT cryptographic signature
0x210: CryptoHash (empty)
0x220: RsaPssSig
|-
|  0x320
|  0x20
|  SecProvisioningKey
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x340
|  0x4
|  SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x344
|  0xC
|  Padding
|  Empty
|-
|  0x350
|  0xD0
|  CustomerData
|  Data block available for the customer
|-
|  0x420
|  0x10
|  RandomAesBlock
|-
|  0x430
|  0x10
|  Empty
|-
|  0x440
|  0x40
|  Empty
|-
|  0x480
|  0x10
|  RandomAesBlock2
|-
|  0x490
|  0x10
|  UniqueChipId
|  Empty
|-
|  0x4A0
|  0x4
|  BootDataVersion
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|  0x4A4
|  0x4
|  BlockSizeLog2
|  Always 0xE
|-
|  0x4A8
|  0x4
|  PageSizeLog2
|  Always 0x9
|-
|  0x4AC
|  0x4
|  PartitionSize
|  Always 0x1000000
|-
|  0x4B0
|  0x4
|  NumParamSets
|  Number of device parameter sets (always 0x1)
|-
|  0x4B4
|  0x4
|  DevType
|  Device type (0x4 == Sdmmc)
|-
|  0x4B8
|  0x40
|  DevParams
|  Device parameters
|-
|  0x4F8
|  0x4
|  NumSdramSets
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|  0x4FC
|  0x838
|  SdramParams0
|  Default values filled in
|-
|  0xD34
|  0x838
|  SdramParams1
|  Default values filled in
|-
|  0x156C
|  0x838
|  SdramParams2
|  Default values filled in
|-
|  0x1DA4
|  0x838
|  SdramParams3
|  Default values filled in
|-
|  0x25DC
|  0x04
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|  0x25E0
|  0x10
|  BootLoader0
|  Configuration parameters for bootloader 0 (main)
0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
0x25E4: StartPage (0)
0x25E8: Version (variable)
0x25EC: Reserved
|-
|  0x25F0
|  0x10
|  BootLoader1
|  Configuration parameters for bootloader 1 (backup)
0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
0x25F4: StartPage (0)
0x25F8: Version (variable)
0x25FC: Reserved
|-
|  0x2600
|  0x10
|  BootLoader2
|  Reserved space for bootloader 2 (unused)
|-
|  0x2610
|  0x10
|  BootLoader3
|  Reserved space for bootloader 3 (unused)
|-
|  0x2620
|  0x4
|  SecureDebugControlNoneEcid
|  Empty
|-
|  0x2624
|  0x4
|  SecureDebugControlEcid
|  Empty
|-
|  0x2628
|  0x10
|  Empty
|-
|  0x2638
|  0x40
|  Empty
|-
|  0x2678
|  0x4
|  SecProvisioningKeyNumSecure
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x267C
|  0x184
|  Reserved
|  Always starts with 0x80000000 (NVBOOT padding pattern)
|}
Retrieved from "https://switchbrew.org/wiki/BCT"