Nintendo Switch Brew

BCT: Difference between revisions

← Older edit
No edit summary
No edit summary
 
Line 3: Line 3:
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.


The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
The Erista BCT's data is only signed after offset 0x510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.


The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
Line 18: Line 18:
!  Description
!  Description
|-
|-
0x0000
0x0
|  0x210
|  0x210
|  BadBlockTable
|  BadBlockTable
|  Table containing information on bad blocks
|  Table containing information on bad blocks
  0x0000: EntriesUsed (0x200)
  0x0:   EntriesUsed (0x200)
  0x0004: VirtualBlockSizeLog2 (0x0F)
  0x4:   VirtualBlockSizeLog2 (0xF)
  0x0005: BlockSizeLog2 (0x0E)
  0x5:   BlockSizeLog2 (0xE)
  0x0006: BadBlocks
  0x6:   BadBlocks
  0x0206: Reserved
  0x206: Reserved
|-
|-
0x0210
0x210
|  0x100
|  0x100
|  Key
|  Key
|  BCT RSA public key's modulus
|  BCT RSA public key's modulus
|-
|-
0x0310
0x310
|  0x110
|  0x110
|  Signature
|  Signature
|  BCT cryptographic signature
|  BCT cryptographic signature
  0x0310: CryptoHash (empty)
  0x310: CryptoHash (empty)
  0x0320: RsaPssSig
  0x320: RsaPssSig
|-
|-
0x0420
0x420
0x04
0x4
|  SecProvisioningKeyNumInsecure
|  SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning (always 0)
|  Used for Factory Secure Provisioning (always 0)
|-
|-
0x0424
0x424
|  0x20
|  0x20
|  SecProvisioningKey
|  SecProvisioningKey
Line 54: Line 54:
|  [[#CustomerData|CustomerData]]
|  [[#CustomerData|CustomerData]]
|  Data block available for the customer (used in key generation)
|  Data block available for the customer (used in key generation)
  0x0444: Reserved (0x0C bytes)
  0x444: Reserved
  0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes)
  0x450: [[Flash_Filesystem#Keyblob|Keyblob]]
  0x0500: Reserved (0x08 bytes)
  0x500: Reserved
|-
|-
0x0508
0x508
0x04
0x4
|  OdmData
|  OdmData
Legacy field (unused)
Empty
|-
|-
0x050C
0x50C
0x04
0x4
|  Reserved
|  Reserved
Legacy field (unused)
Empty
|-
|-
0x0510
0x510
|  0x10
|  0x10
|  RandomAesBlock
|  RandomAesBlock
Always empty
Empty
|-
|-
0x0520
0x520
|  0x10
|  0x10
|  UniqueChipId
|  UniqueChipId
Always empty
Empty
|-
|-
0x0530
0x530
0x04
0x4
|  BootDataVersion
|  BootDataVersion
|  Set to 0x00210001 (BOOTDATA_VERSION_T210)
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|-
0x0534
0x534
0x04
0x4
|  BlockSizeLog2
|  BlockSizeLog2
|  Always 0x0E
|  Always 0xE
|-
|-
0x0538
0x538
0x04
0x4
|  PageSizeLog2
|  PageSizeLog2
|  Always 0x09
|  Always 0x9
|-
|-
0x053C
0x53C
0x04
0x4
|  PartitionSize
|  PartitionSize
|  Always 0x01000000
|  Always 0x1000000
|-
|-
0x0540
0x540
0x04
0x4
|  NumParamSets
|  NumParamSets
|  Number of device parameter sets (always 0x01)
|  Number of device parameter sets (always 0x1)
|-
|-
0x0544
0x544
0x04
0x4
|  DevType
|  DevType
|  Device type (0x04 == Sdmmc)
|  Device type (0x4 == Sdmmc)
|-
|-
0x0548
0x548
|  0x40
|  0x40
|  DevParams
|  DevParams
|  Device parameters
|  Device parameters
   0x0548: ClockDivider (0x09 == 24MHz)
   0x548: ClockDivider (0x9 == 24MHz)
   0x054C: DataWidth (0x02 == 8Bit)
   0x54C: DataWidth (0x2 == 8Bit)
|-
|-
0x0588
0x588
0x04
0x4
|  NumSdramSets
|  NumSdramSets
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
0x058C
0x58C
|  0x768
|  0x768
|  SdramParams0
|  SdramParams0
|  Default values filled in
|  Default values filled in
|-
|-
0x0CF4
0xCF4
|  0x768
|  0x768
|  SdramParams1
|  SdramParams1
Line 141: Line 141:
|-
|-
|  0x232C
|  0x232C
0x04
0x4
|  BootLoadersUsed
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|-
|  0x2330
|  0x2330
Line 150: Line 150:
|  Configuration parameters for bootloader 0 (main)
|  Configuration parameters for bootloader 0 (main)
  0x2330: Version (variable)
  0x2330: Version (variable)
  0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
  0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
  0x2338: StartPage (0x00000000)
  0x2338: StartPage (0)
  0x233C: Length (variable)
  0x233C: Length (variable)
  0x2340: LoadAddress (0x40010000)
  0x2340: LoadAddress (0x40010000)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
  0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
  0x234C: CryptoHash (empty)
  0x234C: CryptoHash (empty)
  0x235C: RsaPssSig
  0x235C: RsaPssSig
Line 164: Line 164:
|  Configuration parameters for bootloader 1 (backup)
|  Configuration parameters for bootloader 1 (backup)
  0x245C: Version (variable)
  0x245C: Version (variable)
  0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
  0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
  0x2464: StartPage (0x00000000)
  0x2464: StartPage (0)
  0x2468: Length (variable)
  0x2468: Length (variable)
  0x246C: LoadAddress (0x40010000)
  0x246C: LoadAddress (0x40010000)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
  0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
  0x2478: CryptoHash (empty)
  0x2478: CryptoHash (empty)
  0x2488: RsaPssSig
  0x2488: RsaPssSig
Line 184: Line 184:
|-
|-
|  0x27E0
|  0x27E0
0x01
0x1
|  EnableFailBack
|  EnableFailBack
|  Always 0
|  Always 0
|-
|-
|  0x27E1
|  0x27E1
0x04
0x4
|  SecureJtagControl
|  SecureJtagControl
|  Always 0
|  Always 0
|-
|-
|  0x27E5
|  0x27E5
0x04
0x4
|  SecProvisioningKeyNumSecure
|  SecProvisioningKeyNumSecure
|  Used for Factory Secure Provisioning (always 0)
|  Used for Factory Secure Provisioning (always 0)
Line 204: Line 204:
|-
|-
|  0x27FB
|  0x27FB
0x05
0x5
|  Padding
|  Padding
|  Empty
|  Empty
Line 231: Line 231:


=== BootLoader0 ===
=== BootLoader0 ===
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
The version field controls which keyblob is used, where 0x1 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.


== Mariko ==
== Mariko ==
Line 241: Line 241:
!  Description
!  Description
|-
|-
0x0000
0x0
|  0x210
|  0x210
|  Pcp
|  Pcp
|  BCT public cryptographic parameters
|  BCT public cryptographic parameters
  0x0000: KeySize
  0x0:   KeySize
  0x0004: Reserved
  0x4:   Reserved
  0x0010: PublicKeyModulus
  0x10: PublicKeyModulus
  0x0110: PublicKeyExponent
  0x110: PublicKeyExponent
|-
|-
0x0210
0x210
|  0x110
|  0x110
|  Signature
|  Signature
|  BCT cryptographic signature
|  BCT cryptographic signature
  0x0210: CryptoHash (empty)
  0x210: CryptoHash (empty)
  0x0220: RsaPssSig
  0x220: RsaPssSig
|-
|  0x320
|  0x20
|  SecProvisioningKey
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x340
|  0x4
|  SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning (always 0)
|-
|  0x344
|  0xC
|  Padding
|  Empty
|-
|  0x350
|  0xD0
|  CustomerData
|  Data block available for the customer
|-
|  0x420
|  0x10
|  RandomAesBlock
|-
|-
0x0320
0x430
0x160
0x10
|   
|   
|  Empty
|  Empty
|-
|-
0x0480
0x440
|  0x40
|  Empty
|-
|  0x480
|  0x10
|  0x10
RandomAesBlock
RandomAesBlock2
Not empty
|   
|-
|-
0x0490
0x490
|  0x10
|  0x10
|  UniqueChipId
|  UniqueChipId
Always empty
Empty
|-
|-
0x04A0
0x4A0
0x04
0x4
|  BootDataVersion
|  BootDataVersion
|  Set to 0x00210001 (BOOTDATA_VERSION_T210)
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|-
0x04A4
0x4A4
0x04
0x4
|  BlockSizeLog2
|  BlockSizeLog2
|  Always 0x0E
|  Always 0xE
|-
|-
0x04A8
0x4A8
0x04
0x4
|  PageSizeLog2
|  PageSizeLog2
|  Always 0x09
|  Always 0x9
|-
|-
0x04AC
0x4AC
0x04
0x4
|  PartitionSize
|  PartitionSize
|  Always 0x01000000
|  Always 0x1000000
|-
|-
0x04B0
0x4B0
0x04
0x4
|  NumParamSets
|  NumParamSets
|  Number of device parameter sets (always 0x01)
|  Number of device parameter sets (always 0x1)
|-
|-
0x04B4
0x4B4
0x04
0x4
|  DevType
|  DevType
|  Device type (0x04 == Sdmmc)
|  Device type (0x4 == Sdmmc)
|-
|-
0x04B8
0x4B8
|  0x40
|  0x40
|  DevParams
|  DevParams
|  Device parameters
|  Device parameters
|-
|-
0x04F8
0x4F8
0x04
0x4
|  NumSdramSets
|  NumSdramSets
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
0x04FC
0x4FC
|  0x838
|  0x838
|  SdramParams0
|  SdramParams0
|  Default values filled in
|  Default values filled in
|-
|-
0x0D34
0xD34
|  0x838
|  0x838
|  SdramParams1
|  SdramParams1
Line 335: Line 365:
|  0x04
|  0x04
|  BootLoadersUsed
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|-
|  0x25E0
|  0x25E0
Line 341: Line 371:
|  BootLoader0
|  BootLoader0
|  Configuration parameters for bootloader 0 (main)
|  Configuration parameters for bootloader 0 (main)
  0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
  0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
  0x25E4: StartPage (0x00000000)
  0x25E4: StartPage (0)
  0x25E8: Version (variable)
  0x25E8: Version (variable)
  0x25EC: Reserved
  0x25EC: Reserved
Line 350: Line 380:
|  BootLoader1
|  BootLoader1
|  Configuration parameters for bootloader 1 (backup)
|  Configuration parameters for bootloader 1 (backup)
  0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
  0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
  0x25F4: StartPage (0x00000000)
  0x25F4: StartPage (0)
  0x25F8: Version (variable)
  0x25F8: Version (variable)
  0x25FC: Reserved
  0x25FC: Reserved
Line 366: Line 396:
|-
|-
|  0x2620
|  0x2620
0x5C
0x4
|  SecureDebugControlNoneEcid
|  Empty
|-
|  0x2624
|  0x4
|  SecureDebugControlEcid
|  Empty
|-
|  0x2628
|  0x10
|   
|   
|  Empty
|  Empty
|-
|  0x2638
|  0x40
|  Empty
|-
|  0x2678
|  0x4
|  SecProvisioningKeyNumSecure
|  Used for Factory Secure Provisioning (always 0)
|-
|-
|  0x267C
|  0x267C
Retrieved from "https://switchbrew.org/wiki/BCT"