Memory layout: Difference between revisions
No edit summary |
mNo edit summary |
| (3 intermediate revisions by 2 users not shown) | |||
| Line 27: | Line 27: | ||
== ASLR Implementation == | == ASLR Implementation == | ||
The kernel uses a MT19937 random number generator, seeded by [[SMC# | The kernel uses a MT19937 random number generator, seeded by [[SMC#GenerateRandomBytes|smcGenerateRandomBytes]]. | ||
=== 1.0.0 === | === 1.0.0 === | ||
| Line 1,285: | Line 1,285: | ||
= IRAM = | = IRAM = | ||
== BIT == | == BIT == | ||
During boot, the BootROM saves the BCT in IRAM at address 0x40000100. The preceding 0x100 bytes (IRAM memory range from 0x40000000 to 0x40000100) contain a structure called BIT (Boot Info Table) which encapsulates the BCT in IRAM and is initialized by the BootROM as follows: | During boot, the BootROM saves the [[BCT]] in IRAM at address 0x40000100 with Erista, and 0x40000464 with Mariko. The preceding 0x100 bytes (IRAM memory range from 0x40000000 to 0x40000100) contain a structure called BIT (Boot Info Table) which encapsulates the BCT in IRAM and is initialized by the BootROM as follows: | ||
=== Erista === | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
| Line 1,330: | Line 1,331: | ||
|- | |- | ||
| 0x18 | | 0x18 | ||
| 0x04 | | 0x04*0x04 | ||
| BootTimeLogInit | | BootTimeLog | ||
| | | | ||
{| class="wikitable" border="1" | |||
|- | |||
! Offset | |||
! Size | |||
! Field | |||
|- | |||
| 0x00 | |||
| 0x04 | |||
| BootTimeLogInit | |||
|- | |||
| 0x04 | |||
| 0x04 | |||
| BootTimeLogExit | |||
|- | |||
| 0x08 | |||
| 0x04 | |||
| BootReadBctTickCnt | |||
|- | |||
| 0x0C | |||
| 0x04 | |||
| BootReadBLTickCnt | |||
|} | |||
|- | |- | ||
| | | 0x28 | ||
| 0x04 | | 0x04 | ||
| | | OscFrequency | ||
| | | Value from CLK_RST_CONTROLLER_OSC_CTRL. | ||
|- | |- | ||
| 0x2C | |||
| 0x01 | |||
| 0x2C | |||
| 0x01 | |||
| DevInitialized | | DevInitialized | ||
| Set to 1 after the boot device is initialized. | | Set to 1 after the boot device is initialized. | ||
| Line 1,424: | Line 1,432: | ||
|- | |- | ||
| 0x50 | | 0x50 | ||
| 0x18* | | 0x18*0x04 | ||
| BlState | | BlState | ||
| Contains the state of attempts to load each bootloader. | | Contains the state of attempts to load each bootloader. | ||
| Line 1,527: | Line 1,535: | ||
| 0x10 | | 0x10 | ||
| 0x10 | | 0x10 | ||
| Cid | | Cid | ||
|- | |- | ||
| 0x20 | | 0x20 | ||
| 0x04 | | 0x04 | ||
| NumPagesRead | | NumPagesRead | ||
|- | |- | ||
| 0x24 | | 0x24 | ||
| 0x04 | | 0x04 | ||
| NumCrcErrors | | NumCrcErrors | ||
|- | |- | ||
| 0x25 | | 0x25 | ||
| 0x01 | | 0x01 | ||
| BootFromBootPartition | | BootFromBootPartition | ||
|- | |- | ||
| 0x27 | | 0x26 | ||
| 0x15 | | 0x01 | ||
| Reserved | | BootModeReadSuccessful | ||
|} | |- | ||
|- | | 0x27 | ||
| 0xEC | | 0x15 | ||
| 0x04 | | Reserved | ||
| UsbChargingStatus | |} | ||
|- | |||
| 0xEC | |||
| 0x04 | |||
| UsbChargingStatus | |||
| | |||
|- | |||
| 0xF0 | |||
| 0x04 | |||
| SafeStartAddr | |||
| Pointer to the end of the BCT in IRAM (0x40002900). | |||
|- | |||
| 0xF4 | |||
| 0x0C | |||
| Reserved | |||
| Must be empty. | |||
|} | |||
=== Mariko === | |||
{| class="wikitable" border="1" | |||
|- | |||
! Offset | |||
! Size | |||
! Field | |||
! Description | |||
|- | |||
| 0x00 | |||
| 0x04 | |||
| BootRomVersion | |||
| Set to 0x00210001 (BOOTDATA_VERSION_T210). | |||
|- | |||
| 0x04 | |||
| 0x04 | |||
| DataVersion | |||
| Set to 0x00210001 (BOOTDATA_VERSION_T210). | |||
|- | |||
| 0x08 | |||
| 0x04 | |||
| RcmVersion | |||
| Set to 0x00210001 (BOOTDATA_VERSION_T210). | |||
|- | |||
| 0x0C | |||
| 0x04 | |||
| BootType | |||
| | |||
None = 0 | |||
Cold = 1 | |||
Recovery = 2 | |||
Uart = 3 | |||
ExitRcm = 4 | |||
|- | |||
| 0x10 | |||
| 0x04 | |||
| PrimaryDevice | |||
| Set to 0x05 (IROM) on coldboot. | |||
|- | |||
| 0x14 | |||
| 0x04 | |||
| SecondaryDevice | |||
| Set to 0x04 (SDMMC) on coldboot. | |||
|- | |||
| 0x18 | |||
| 0x04 | |||
| AuthenticationScheme | |||
| | |||
|- | |||
| 0x1C | |||
| 0x01 | |||
| EncryptionEnabled | |||
| | |||
|- | |||
| 0x1D | |||
| 0x03 | |||
| Reserved | |||
| | |||
|- | |||
| 0x20 | |||
| 0x04 | |||
| BootROMtracker | |||
| | |||
|- | |||
| 0x24 | |||
| 0x05*0x04 | |||
| BootTimeLog | |||
| | |||
{| class="wikitable" border="1" | |||
|- | |||
! Offset | |||
! Size | |||
! Field | |||
|- | |||
| 0x00 | |||
| 0x04 | |||
| BootTimeLogInit | |||
|- | |||
| 0x04 | |||
| 0x04 | |||
| BootTimeLogExit | |||
|- | |||
| 0x08 | |||
| 0x04 | |||
| BootSetupTickCnt | |||
|- | |||
| 0x0C | |||
| 0x04 | |||
| BootReadBctTickCnt | |||
|- | |||
| 0x10 | |||
| 0x04 | |||
| BootReadBLTickCnt | |||
|} | |||
|- | |||
| 0x38 | |||
| 0x10*0x28 | |||
| BootFlowLog | |||
| | |||
{| class="wikitable" border="1" | |||
|- | |||
! Offset | |||
! Size | |||
! Field | |||
|- | |||
| 0x00 | |||
| 0x04 | |||
| BootFlowLogInit | |||
|- | |||
| 0x04 | |||
| 0x04 | |||
| BootFlowLogExit | |||
|- | |||
| 0x08 | |||
| 0x04 | |||
| BootFlowFuncId | |||
|- | |||
| 0x0C | |||
| 0x04 | |||
| BootFlowFuncStatus | |||
|} | |||
|- | |||
| 0x2B8 | |||
| 0x04 | |||
| OscFrequency | |||
| Value from CLK_RST_CONTROLLER_OSC_CTRL. | |||
|- | |||
| 0x2BC | |||
| 0x01 | |||
| DevInitialized | |||
| Set to 1 after the boot device is initialized. | |||
|- | |||
| 0x2BD | |||
| 0x01 | |||
| SdramInitialized | |||
| Set to 1 after the SDRAM parameters are parsed. | |||
|- | |||
| 0x2BE | |||
| 0x01 | |||
| ClearedForceRecovery | |||
| Set to 1 if bit 2 was set in APBDEV_PMC_SCRATCH0. | |||
|- | |||
| 0x2BF | |||
| 0x01 | |||
| ClearedFailBack | |||
| Set to 1 if bit 4 was set in APBDEV_PMC_SCRATCH0. | |||
|- | |||
| 0x2C0 | |||
| 0x01 | |||
| InvokedFailBack | |||
| Set to 1 if the bootloaders have different versions in the BCT. | |||
|- | |||
| 0x2C1 | |||
| 0x01 | |||
| IRomPatchStatus | |||
| | |||
|- | |||
| 0x2C2 | |||
| 0x01 | |||
| BctSizeValid | |||
| | |||
|- | |||
| 0x2C3 | |||
| 0x09 | |||
| BctSizeStatus | |||
| | |||
|- | |||
| 0x2CC | |||
| 0x04 | |||
| BctSizeLastJournalRead | |||
| | |||
|- | |||
| 0x2D0 | |||
| 0x04 | |||
| BctSizeBlock | |||
| | |||
|- | |||
| 0x2D4 | |||
| 0x04 | |||
| BctSizePage | |||
| | |||
|- | |||
| 0x2D8 | |||
| 0x01 | |||
| BctValid | |||
| Set to 1 if the BCT was parsed successfully. | |||
|- | |||
| 0x2D9 | |||
| 0x09 | |||
| BctStatus | |||
| Each bit contains the status for BCT reads in a given block. | |||
|- | |||
| 0x2E2 | |||
| 0x02 | |||
| Reserved | |||
| | |||
|- | |||
| 0x2E4 | |||
| 0x04 | |||
| BctLastJournalRead | |||
| Contains the status of the last journal block read. | |||
None = 0 | |||
Success = 1 | |||
ValidationFailure = 2 | |||
DeviceReadError = 3 | |||
|- | |||
| 0x2E8 | |||
| 0x04 | |||
| BctBlock | |||
| Block number where the BCT was found. | |||
|- | |||
| 0x2EC | |||
| 0x04 | |||
| BctPage | |||
| Page number where the BCT was found. | |||
|- | |||
| 0x2F0 | |||
| 0x04 | |||
| BctSize | |||
| Size of the BCT in IRAM. | |||
|- | |||
| 0x2F4 | |||
| 0x04 | |||
| BctPtr | |||
| Pointer to the BCT in IRAM. | |||
|- | |||
| 0x2F8 | |||
| 0x18*0x04 | |||
| BlState | |||
| Contains the state of attempts to load each bootloader. | |||
{| class="wikitable" border="1" | |||
|- | |||
! Offset | |||
! Size | |||
! Field | |||
|- | |||
| 0x00 | |||
| 0x04 | |||
| Status | |||
|- | |||
| 0x04 | |||
| 0x04 | |||
| FirstEccBlock | |||
|- | |||
| 0x08 | |||
| 0x04 | |||
| FirstEccPage | |||
|- | |||
| 0x0C | |||
| 0x04 | |||
| FirstCorrectedEccBlock | |||
|- | |||
| 0x10 | |||
| 0x04 | |||
| FirstCorrectedEccPage | |||
|- | |||
| 0x14 | |||
| 0x01 | |||
| HadEccError | |||
|- | |||
| 0x15 | |||
| 0x01 | |||
| HadCrcError | |||
|- | |||
| 0x16 | |||
| 0x01 | |||
| HadCorrectedEccError | |||
|- | |||
| 0x17 | |||
| 0x01 | |||
| UsedForEccRecovery | |||
|} | |||
|- | |||
| 0x358 | |||
| 0x100 | |||
| SecondaryDevStatus | |||
| Structure to hold secondary boot device status. | |||
|- | |||
| 0x458 | |||
| 0x03 | |||
| Reserved | |||
| | |||
|- | |||
| 0x45B | |||
| 0x04 | |||
| UsbChargingStatus | |||
| | |||
|- | |||
| 0x45F | |||
| 0x01 | |||
| PmuBootSelReadError | |||
| | | | ||
|- | |- | ||
| | | 0x460 | ||
| 0x04 | | 0x04 | ||
| SafeStartAddr | | SafeStartAddr | ||
| Pointer to the end of the BCT in IRAM | | Pointer to the end of the BCT in IRAM. | ||
|} | |} | ||