Nintendo Switch Brew

Memory layout: Difference between revisions

← Older edit
Mako (talk | contribs)
2 edits
mNo edit summary
 
(4 intermediate revisions by 2 users not shown)
Line 27: Line 27:


== ASLR Implementation ==
== ASLR Implementation ==
The kernel uses a MT19937 random number generator, seeded by [[SMC#GetRandomBytes|smcGetRandomBytes]].
The kernel uses a MT19937 random number generator, seeded by [[SMC#GenerateRandomBytes|smcGenerateRandomBytes]].


=== 1.0.0 ===
=== 1.0.0 ===
Line 1,047: Line 1,047:
| 0x40000000000300
| 0x40000000000300
| TZRAM (L3 Page Table)
| TZRAM (L3 Page Table)
|-
|}
|}


Line 1,282: Line 1,281:
| 0x40000000000300
| 0x40000000000300
| TZRAM (L3 Page Table)
| TZRAM (L3 Page Table)
|-
|}
|}


= IRAM =
= IRAM =
== BIT ==
== BIT ==
During boot, the BootROM saves the BCT in IRAM at address 0x40000100. The preceding 0x100 bytes (IRAM memory range from 0x40000000 to 0x40000100) contain a structure called BIT (Boot Info Table) which encapsulates the BCT in IRAM and is initialized by the BootROM as follows:
During boot, the BootROM saves the [[BCT]] in IRAM at address 0x40000100 with Erista, and 0x40000464 with Mariko. The preceding 0x100 bytes (IRAM memory range from 0x40000000 to 0x40000100) contain a structure called BIT (Boot Info Table) which encapsulates the BCT in IRAM and is initialized by the BootROM as follows:


=== Erista ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 1,332: Line 1,331:
|-
|-
|  0x18
|  0x18
|  0x04
0x04*0x04
|  BootTimeLogInit
|  BootTimeLog
Value from TIMERUS_CNTR_1US when the BootROM enters its main function.
{| class="wikitable" border="1"
|-
!  Offset
!  Size
!  Field
|-
|  0x00
|  0x04
|  BootTimeLogInit
|-
|  0x04
|  0x04
|  BootTimeLogExit
|-
|  0x08
0x04
|  BootReadBctTickCnt
|-
|  0x0C
|  0x04
|  BootReadBLTickCnt
|}
|-
|-
0x1C
0x28
|  0x04
|  0x04
BootTimeLogExit
OscFrequency
This is the value that gets written into SB_CSR before nvboot. (0x10)
Value from CLK_RST_CONTROLLER_OSC_CTRL.  
|-
|-
|  0x20
|  0x2C
|  0x04
|  0x01
|  BootReadBctTickCnt
|  Time spent reading the BCT.
|-
|  0x24
|  0x04
|  BootReadBLTickCnt
|  Time spent parsing the bootloader info from the BCT.
|-
|  0x28
|  0x04
|  OscFrequency
|  Value from CLK_RST_CONTROLLER_OSC_CTRL.
|-
|  0x2C
|  0x01
|  DevInitialized
|  DevInitialized
|  Set to 1 after the boot device is initialized.
|  Set to 1 after the boot device is initialized.
Line 1,426: Line 1,432:
|-
|-
|  0x50
|  0x50
|  0x18*4
|  0x18*0x04
|  BlState
|  BlState
|  Contains the state of attempts to load each bootloader.
|  Contains the state of attempts to load each bootloader.
Line 1,542: Line 1,548:
  |  0x01
  |  0x01
  |  BootFromBootPartition
  |  BootFromBootPartition
|-
|  0x26
|  0x01
|  BootModeReadSuccessful
  |-
  |-
  |  0x27
  |  0x27
Line 1,560: Line 1,570:
|  0xF4
|  0xF4
|  0x0C
|  0x0C
Padding
Reserved
|  Must be empty.
|  Must be empty.
|}
|}


= Carveouts =
=== Mariko ===
The MC (Memory Controller) provides multiple configurable memory carveouts which allow to protect and limit access to sensitive DRAM regions. Carveouts work on the physical access level, thus acting as the last protection barrier from unauthorized memory accesses.
{| class="wikitable" border="1"
 
|-
A total of 9 programmable carveouts are available from which 4 have a fixed function (TZDRAM, VPR, SEC and MTS) and 5 are generalized carevouts (GSCs 1 to 5).
!  Offset
 
!  Size
== TZDRAM Carveout ==
!  Field
Defines a DRAM region that can only be accessed by TrustZone-secure clients. Currently unused by the Switch.
!  Description
 
|-
This carveout is controlled by the following MC registers:
|  0x00
<pre>
|  0x04
MC_SECURITY_CFG0
|  BootRomVersion
MC_SECURITY_CFG1
|  Set to 0x00210001 (BOOTDATA_VERSION_T210).
MC_SECURITY_CFG3
|-
</pre>
|  0x04
 
|  0x04
== VPR Carveout ==
|  DataVersion
Defines a DRAM region that can only be accessed by clients that are part of the video decode and display process (Display, GPU, TSEC, VIC, NVENC, NVDEC and HDA). Currently unused by the Switch.
|  Set to 0x00210001 (BOOTDATA_VERSION_T210).
 
|-
This carveout is controlled by the following MC registers:
|  0x08
<pre>
|  0x04
MC_VIDEO_PROTECT_GPU_OVERRIDE_0
|  RcmVersion
MC_VIDEO_PROTECT_GPU_OVERRIDE_1
|  Set to 0x00210001 (BOOTDATA_VERSION_T210).
MC_VIDEO_PROTECT_BOM
|-
MC_VIDEO_PROTECT_SIZE_MB
|  0x0C
MC_VIDEO_PROTECT_REG_CTRL
|  0x04
</pre>
|  BootType
 
|
== SEC Carveout ==
None = 0
Defines a DRAM region that can only be accessed by the [[#TSEC|TSEC]]. Deprecated and unused by the Switch.
Cold = 1
 
Recovery = 2
This carveout is controlled by the following MC registers:
Uart = 3
<pre>
ExitRcm = 4
MC_SEC_CARVEOUT_BOM
|-
MC_SEC_CARVEOUT_SIZE_MB
|  0x10
MC_SEC_CARVEOUT_REG_CTRL
|  0x04
</pre>
|  PrimaryDevice
 
|  Set to 0x05 (IROM) on coldboot.
== MTS Carveout ==
|-
Defines a DRAM region for Falcon microcode. Deprecated and unused by the Switch.
|  0x14
 
|  0x04
This carveout is controlled by the following MC registers:
|  SecondaryDevice
<pre>
|  Set to 0x04 (SDMMC) on coldboot.
MC_MTS_CARVEOUT_BOM
|-
MC_MTS_CARVEOUT_SIZE_MB
|  0x18
MC_MTS_CARVEOUT_ADR_HI
|  0x04
MC_MTS_CARVEOUT_REG_CTRL
|  AuthenticationScheme
</pre>
 
|-
== Generalized Carveouts ==
|  0x1C
These carveouts can be freely configured for any client that supports them.
|  0x01
 
|  EncryptionEnabled
These carveouts are controlled by the following MC registers:
<pre>
|-
MC_SECURITY_CARVEOUT1/2/3/4/5_BOM
|  0x1D
MC_SECURITY_CARVEOUT1/2/3/4/5_BOM_HI
|  0x03
MC_SECURITY_CARVEOUT1/2/3/4/5_SIZE_128KB
|  Reserved
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS0
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS1
|-
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS2
|  0x20
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS3
|  0x04
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS4
|  BootROMtracker
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS0
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS1
|-
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS2
|  0x24
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS3
|  0x05*0x04
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS4
|  BootTimeLog
MC_SECURITY_CARVEOUT1/2/3/4/5_CFG0
</pre>
{| class="wikitable" border="1"
 
|-
=== GSC1 ===
!  Offset
This carveout is, by default, for NVDEC. In the Switch's case, this carveout is not used.
!  Size
 
!  Field
It is configured as follows:
|-
<pre>
|  0x00
*(u32 *)MC_SECURITY_CARVEOUT1_BOM = 0;
|  0x04
*(u32 *)MC_SECURITY_CARVEOUT1_BOM_HI = 0;
|  BootTimeLogInit
*(u32 *)MC_SECURITY_CARVEOUT1_SIZE_128KB = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS0 = 0;
|  0x04
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS1 = 0;
|  0x04
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS2 = 0;
|  BootTimeLogExit
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS3 = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS4 = 0;
|  0x08
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
|  0x04
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
|  BootSetupTickCnt
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
|  0x0C
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
|  0x04
*(u32 *)MC_SECURITY_CARVEOUT1_CFG0 = 0x4000006;
|  BootReadBctTickCnt
</pre>
|-
 
|  0x10
=== GSC2 ===
|  0x04
This carveout is, by default and in the Switch's case, for the GPU (WPR1).
|  BootReadBLTickCnt
 
|}
It is configured as follows:
|-
<pre>
|  0x38
*(u32 *)MC_SECURITY_CARVEOUT2_BOM = 0x80020000;
|  0x10*0x28
*(u32 *)MC_SECURITY_CARVEOUT2_BOM_HI = 0;
|  BootFlowLog
*(u32 *)MC_SECURITY_CARVEOUT2_SIZE_128KB = 2;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS0 = 0;
{| class="wikitable" border="1"
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS1 = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2 = 0x3000000;
!  Offset
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS3 = 0;
!  Size
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4 = 0x300;
!  Field
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
|  0x00
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
|  0x04
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
|  BootFlowLogInit
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT2_CFG0 = 0x440167E;
|  0x04
</pre>
|  0x04
 
|  BootFlowLogExit
=== GSC3 ===
|-
This carveout is, by default, for the GPU (WPR2). In the Switch's case, this carveout is not used.
|  0x08
 
|  0x04
It is configured as follows:
|  BootFlowFuncId
<pre>
|-
*(u32 *)MC_SECURITY_CARVEOUT3_BOM = 0;
|  0x0C
*(u32 *)MC_SECURITY_CARVEOUT3_BOM_HI = 0;
|  0x04
*(u32 *)MC_SECURITY_CARVEOUT3_SIZE_128KB = 0;
|  BootFlowFuncStatus
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS0 = 0;
|}
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS1 = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS2 = 0x3000000;
|  0x2B8
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS3 = 0;
|  0x04
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS4 = 0x300;
|  OscFrequency
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
|  Value from CLK_RST_CONTROLLER_OSC_CTRL.
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
|  0x2BC
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
|  0x01
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
|  DevInitialized
*(u32 *)MC_SECURITY_CARVEOUT3_CFG0 = 0x4401E7E;
|  Set to 1 after the boot device is initialized.
</pre>
|-
 
|  0x2BD
=== GSC4 ===
|  0x01
This carveout is, by default, for TSECA. In the Switch's case, this carveout is used by the Kernel.
|  SdramInitialized
 
|  Set to 1 after the SDRAM parameters are parsed.
It is initially configured as follows:
|-
<pre>
|  0x2BE
*(u32 *)MC_SECURITY_CARVEOUT4_BOM = 0;
|  0x01
*(u32 *)MC_SECURITY_CARVEOUT4_BOM_HI = 0;
|  ClearedForceRecovery
*(u32 *)MC_SECURITY_CARVEOUT4_SIZE_128KB = 0;
|  Set to 1 if bit 2 was set in APBDEV_PMC_SCRATCH0.
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS0 = 0;
|-
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS1 = 0;
|  0x2BF
|  0x01
|  ClearedFailBack
|  Set to 1 if bit 4 was set in APBDEV_PMC_SCRATCH0.
|-
|  0x2C0
|  0x01
|  InvokedFailBack
|  Set to 1 if the bootloaders have different versions in the BCT.
|-
|  0x2C1
|  0x01
|  IRomPatchStatus
|-
|  0x2C2
|  0x01
|  BctSizeValid
|-
|  0x2C3
|  0x09
|  BctSizeStatus
|-
|  0x2CC
|  0x04
|  BctSizeLastJournalRead
|-
|  0x2D0
|  0x04
|  BctSizeBlock
|-
|  0x2D4
|  0x04
|  BctSizePage
|-
|  0x2D8
|  0x01
|  BctValid
|  Set to 1 if the BCT was parsed successfully.
|-
|  0x2D9
|  0x09
|  BctStatus
|  Each bit contains the status for BCT reads in a given block.
|-
|  0x2E2
|  0x02
|  Reserved
|-
|  0x2E4
|  0x04
|  BctLastJournalRead
|  Contains the status of the last journal block read.
None = 0
Success = 1
ValidationFailure = 2
DeviceReadError = 3
|-
|  0x2E8
|  0x04
|  BctBlock
|  Block number where the BCT was found.
|-
|  0x2EC
|  0x04
|  BctPage
|  Page number where the BCT was found.
|-
|  0x2F0
|  0x04
|  BctSize
|  Size of the BCT in IRAM.
|-
|  0x2F4
|  0x04
|  BctPtr
|  Pointer to the BCT in IRAM.
|-
|  0x2F8
|  0x18*0x04
|  BlState
|  Contains the state of attempts to load each bootloader.
{| class="wikitable" border="1"
|-
!  Offset
!  Size
!  Field
|-
|  0x00
|  0x04
|  Status
|-
|  0x04
|  0x04
|  FirstEccBlock
|-
|  0x08
|  0x04
|  FirstEccPage
|-
|  0x0C
|  0x04
|  FirstCorrectedEccBlock
|-
|  0x10
|  0x04
|  FirstCorrectedEccPage
|-
|  0x14
|  0x01
|  HadEccError
|-
|  0x15
|  0x01
|  HadCrcError
|-
|  0x16
|  0x01
|  HadCorrectedEccError
|-
|  0x17
|  0x01
|  UsedForEccRecovery
|}
|-
|  0x358
|  0x100
|  SecondaryDevStatus
|  Structure to hold secondary boot device status.
|-
|  0x458
|  0x03
|  Reserved
|-
|  0x45B
|  0x04
|  UsbChargingStatus
|-
|  0x45F
|  0x01
|  PmuBootSelReadError
|-
|  0x460
|  0x04
|  SafeStartAddr
|  Pointer to the end of the BCT in IRAM.
|}
 
= Carveouts =
The MC (Memory Controller) provides multiple configurable memory carveouts which allow to protect and limit access to sensitive DRAM regions. Carveouts work on the physical access level, thus acting as the last protection barrier from unauthorized memory accesses.
 
A total of 9 programmable carveouts are available from which 4 have a fixed function (TZDRAM, VPR, SEC and MTS) and 5 are generalized carevouts (GSCs 1 to 5).
 
== TZDRAM Carveout ==
Defines a DRAM region that can only be accessed by TrustZone-secure clients. Currently unused by the Switch.
 
This carveout is controlled by the following MC registers:
<pre>
MC_SECURITY_CFG0
MC_SECURITY_CFG1
MC_SECURITY_CFG3
</pre>
 
== VPR Carveout ==
Defines a DRAM region that can only be accessed by clients that are part of the video decode and display process (Display, GPU, TSEC, VIC, NVENC, NVDEC and HDA). Currently unused by the Switch.
 
This carveout is controlled by the following MC registers:
<pre>
MC_VIDEO_PROTECT_GPU_OVERRIDE_0
MC_VIDEO_PROTECT_GPU_OVERRIDE_1
MC_VIDEO_PROTECT_BOM
MC_VIDEO_PROTECT_SIZE_MB
MC_VIDEO_PROTECT_REG_CTRL
</pre>
 
== SEC Carveout ==
Defines a DRAM region that can only be accessed by the [[#TSEC|TSEC]]. Deprecated and unused by the Switch.
 
This carveout is controlled by the following MC registers:
<pre>
MC_SEC_CARVEOUT_BOM
MC_SEC_CARVEOUT_SIZE_MB
MC_SEC_CARVEOUT_REG_CTRL
</pre>
 
== MTS Carveout ==
Defines a DRAM region for Falcon microcode. Deprecated and unused by the Switch.
 
This carveout is controlled by the following MC registers:
<pre>
MC_MTS_CARVEOUT_BOM
MC_MTS_CARVEOUT_SIZE_MB
MC_MTS_CARVEOUT_ADR_HI
MC_MTS_CARVEOUT_REG_CTRL
</pre>
 
== Generalized Carveouts ==
These carveouts can be freely configured for any client that supports them.
 
These carveouts are controlled by the following MC registers:
<pre>
MC_SECURITY_CARVEOUT1/2/3/4/5_BOM
MC_SECURITY_CARVEOUT1/2/3/4/5_BOM_HI
MC_SECURITY_CARVEOUT1/2/3/4/5_SIZE_128KB
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS0
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS1
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS2
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS3
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_ACCESS4
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS0
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS1
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS2
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS3
MC_SECURITY_CARVEOUT1/2/3/4/5_CLIENT_FORCE_INTERNAL_ACCESS4
MC_SECURITY_CARVEOUT1/2/3/4/5_CFG0
</pre>
 
The client access registers (CLIENT_ACCESS0/1/2/3/4) are used to whitelist accesses from MC clients as follows:
{| class="wikitable" border="1"
!  Bits
!  ClientAccess0
!  ClientAccess1
!  ClientAccess2
!  ClientAccess3
!  ClientAccess4
|-
| 0
| CSR_PTCR
| Reserved
| CSW_VDEMBEW
| CSR_SDMMCRA
| CSR_SESRD
|-
| 1
| CSR_DISPLAY0A
| Reserved
| CSW_VDETPMW
| CSR_SDMMCRAA
| CSW_SESWR
|-
| 2
| CSR_DISPLAY0AB
| CSR_VDEBSEVR
| Reserved
| CSR_SDMMCR
| CSR_AXIAPR
|-
| 3
| CSR_DISPLAY0B
| CSR_VDEMBER
| Reserved
| CSR_SDMMCRAB
| CSW_AXIAPW
|-
| 4
| CSR_DISPLAY0BB
| CSR_VDEMCER
| CSR_ISPRA
| CSW_SDMMCWA
| CSR_ETRR
|-
| 5
| CSR_DISPLAY0C
| CSR_VDETPER
| Reserved
| CSW_SDMMCWAA
| CSW_ETRW
|-
| 6
| CSR_DISPLAY0CB
| CSR_MPCORELPR
| CSW_ISPWA
| CSW_SDMMCW
| CSR_TSECSRDB
|-
| 7
| Reserved
| CSR_MPCORER
| CSW_ISPWB
| CSW_SDMMCWAB
| CSW_TSECSWRB
|-
| 8
| Reserved
| Reserved
| Reserved
| Reserved
| CSR_GPUSRD2
|-
| 9
| Reserved
| Reserved
| Reserved
| Reserved
| CSW_GPUSWR2
|-
| 10
| Reserved
| Reserved
| CSR_XUSB_HOSTR
| Reserved
| Reserved
|-
| 11
| Reserved
| CSW_NVENCSWR
| CSW_XUSB_HOSTW
| Reserved
| Reserved
|-
| 12
| Reserved
| Reserved
| CSR_XUSB_DEVR
| CSR_VICSRD
| Reserved
|-
| 13
| Reserved
| Reserved
| CSW_XUSB_DEVW
| CSW_VICSWR
| Reserved
|-
| 14
| CSR_AFIR
| Reserved
| CSR_ISPRAB (Erista) or CSR_SE2SRD (Mariko)
| Reserved
| Reserved
|-
| 15
| CSR_AVPCARM7R
| Reserved
| Reserved
| Reserved
| Reserved
|-
| 16
| CSR_DISPLAYHC
| Reserved
| CSW_ISPWAB (Erista) or CSW_SE2SWR (Mariko)
| Reserved
| Reserved
|-
| 17
| CSR_DISPLAYHCB
| CSW_AFIW
| CSW_ISPWBB (Erista) or Reserved (Mariko)
| Reserved
| Reserved
|-
| 18
| Reserved
| CSW_AVPCARM7W
| Reserved
| CSW_VIW
| Reserved
|-
| 19
| Reserved
| Reserved
| Reserved
| CSR_DISPLAYD
| Reserved
|-
| 20
| Reserved
| Reserved
| CSR_TSECSRD
| Reserved
| Reserved
|-
| 21
| CSR_HDAR
| CSW_HDAW
| CSW_TSECSWR
| Reserved
| Reserved
|-
| 22
| CSR_HOST1XDMAR
| CSW_HOST1XW
| CSR_A9AVPSCR
| Reserved
| Reserved
|-
| 23
| CSR_HOST1XR
| Reserved
| CSW_A9AVPSCW
| Reserved
| Reserved
|-
| 24
| Reserved
| CSW_MPCORELPW
| CSR_GPUSRD
| CSR_NVDECSRD
| Reserved
|-
| 25
| Reserved
| CSW_MPCOREW
| CSW_GPUSWR
| CSW_NVDECSWR
| Reserved
|-
| 26
| Reserved
| Reserved
| CSR_DISPLAYT
| CSR_APER
| Reserved
|-
| 27
| Reserved
| CSW_PPCSAHBDMAW
| Reserved
| CSW_APEW
| Reserved
|-
| 28
| CSR_NVENCSRD
| CSW_PPCSAHBSLVW
| Reserved
| Reserved
| Reserved
|-
| 29
| CSR_PPCSAHBDMAR
| CSW_SATAW
| Reserved
| Reserved
| Reserved
|-
| 30
| CSR_PPCSAHBSLVR
| CSW_VDEBSEVW
| Reserved
| CSR_NVJPGSRD
| Reserved
|-
| 31
| CSR_SATAR
| CSW_VDEDBGW
| Reserved
| CSW_NVJPGSWR
| Reserved
|}
 
The configuration register (CFG0) is used to control the carveout's properties as follows:
{| class="wikitable" border="1"
!  Bits
!  Description
|-
| 0
| PROTECT_MODE
0: LOCKBIT_SECURE (registers cannot be modified after lock down)
1: TZ_SECURE (registers can be modified by TZ after lock down)
|-
| 1
| LOCK_MODE
0: UNLOCKED (registers can be modified at any time)
1: LOCKED (registers cannot be modified until reset)
|-
| 2
| ADDRESS_TYPE
0: ANY_ADDRESS
1: UNTRANSLATED_ONLY
|-
| 3-6
| READ_ACCESS_LEVEL
Bit 0: Access level 0 (default for all clients)
Bit 1: Access level 1 (unknown)
Bit 2: Access level 2 (Falcon clients in LS mode)
Bit 3: Access level 3 (Falcon clients in HS mode)
|-
| 7-10
| WRITE_ACCESS_LEVEL
Bit 0: Access level 0 (default for all clients)
Bit 1: Access level 1 (unknown)
Bit 2: Access level 2 (Falcon clients in LS mode)
Bit 3: Access level 3 (Falcon clients in HS mode)
|-
| 11-13
| APERTURE_ID
|-
| 14-17
| DISABLE_READ_CHECK_ACCESS_LEVEL
Bit 0: Disable read access level 0 check
Bit 1: Disable read access level 1 check
Bit 2: Disable read access level 2 check
Bit 3: Disable read access level 3 check
|-
| 18-21
| DISABLE_WRITE_CHECK_ACCESS_LEVEL
Bit 0: Disable write access level 0 check
Bit 1: Disable write access level 1 check
Bit 2: Disable write access level 2 check
Bit 3: Disable write access level 3 check
|-
| 22
| SEND_CFG_TO_GPU
0: DISABLED
1: ENABLED
|-
| 23
| TZ_GLOBAL_WR_EN
0: DISABLED
1: BYPASS_CHECK
|-
| 24
| TZ_GLOBAL_RD_EN
0: DISABLED
1: BYPASS_CHECK
|-
| 25
| ALLOW_APERTURE_ID_MISMATCH
0: DISABLED
1: ENABLED
|-
| 26
| FORCE_APERTURE_ID_MATCH
0: DISABLED
1: ENABLED
|-
| 27
| IS_WPR
0: DISABLED
1: ENABLED
|}
 
=== GSC1 ===
This carveout is, by default, for NVDEC. In the Switch's case, this carveout is not used.
 
It is configured as follows:
<pre>
*(u32 *)MC_SECURITY_CARVEOUT1_BOM = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_BOM_HI = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_SIZE_128KB = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT1_CFG0 = 0x4000006;
</pre>
 
=== GSC2 ===
This carveout is, by default and in the Switch's case, for the GPU (WPR1).
 
It is configured as follows:
<pre>
*(u32 *)MC_SECURITY_CARVEOUT2_BOM = 0x80020000;
*(u32 *)MC_SECURITY_CARVEOUT2_BOM_HI = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_SIZE_128KB = 2;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2 = 0x3000000;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4 = 0x300;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT2_CFG0 = 0x440167E;
</pre>
 
=== GSC3 ===
This carveout is, by default, for the GPU (WPR2). In the Switch's case, this carveout is not used.
 
It is configured as follows:
<pre>
*(u32 *)MC_SECURITY_CARVEOUT3_BOM = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_BOM_HI = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_SIZE_128KB = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS2 = 0x3000000;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_ACCESS4 = 0x300;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT3_CFG0 = 0x4401E7E;
</pre>
 
=== GSC4 ===
This carveout is, by default, for TSECA. In the Switch's case, this carveout is used by the Kernel.
 
It is initially configured as follows:
<pre>
*(u32 *)MC_SECURITY_CARVEOUT4_BOM = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_BOM_HI = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_SIZE_128KB = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT4_CFG0 = 0x8F;
*(u32 *)MC_SECURITY_CARVEOUT4_CFG0 = 0x8F;
</pre>
 
Then further configured using [[SMC#ConfigureCarveout|smcConfigureCarveout]].
 
=== GSC5 ===
This carveout is, by default, for TSECB. In the Switch's case, this carveout is used by the Kernel.
 
It is initially configured as follows:
<pre>
*(u32 *)MC_SECURITY_CARVEOUT5_BOM = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_BOM_HI = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_SIZE_128KB = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CFG0 = 0x8F;
</pre>
</pre>


Then further configured using [[SMC#ConfigureCarveout|smcConfigureCarveout]].
Then further configured using [[SMC#ConfigureCarveout|smcConfigureCarveout]].
=== GSC5 ===
This carveout is, by default, for TSECB. In the Switch's case, this carveout is reserved for the Kernel.
It is initially configured as follows:
<pre>
*(u32 *)MC_SECURITY_CARVEOUT5_BOM = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_BOM_HI = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_SIZE_128KB = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS0 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS1 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS2 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS3 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS4 = 0;
*(u32 *)MC_SECURITY_CARVEOUT5_CFG0 = 0x8F;
</pre>
It can be further configured using [[SMC#ConfigureCarveout|smcConfigureCarveout]].
Retrieved from "https://switchbrew.org/wiki/Memory_layout"