Difference between revisions of "Boot"

From Nintendo Switch Brew
Jump to navigation Jump to search
Line 1: Line 1:
 
boot is a built-in sysmodule.
 
boot is a built-in sysmodule.
 
[2.0.0+] all panic strings were removed/censored.
 
 
[2.1.0+] code was updated with changes to the ncm interface.
 
  
 
= Boot =
 
= Boot =
First up it initializes gpios and sets the gpio voltage to 1.8v.
+
First, it initializes gpios and sets the gpio voltage to 1.8v.
 
 
[2.0.0+] Code to initialize gpio differently for Copper/Icosa (based on spl HardwareType flag) was removed.
 
 
 
[2.0.0+] the "WecDriver" now uses svcReadWriteRegister instead of svcQueryIoMapping to write to 0x7000E400 io (PMC).
 
  
 
Then it checks battery charge and SoC temperature using i2c. If either is bad, it shows one of two different bitmaps from .data in the framebuffer.
 
Then it checks battery charge and SoC temperature using i2c. If either is bad, it shows one of two different bitmaps from .data in the framebuffer.
Line 16: Line 8:
 
Because most sysmodules have not yet booted, this all uses raw IO pokes when it comes to gpio and i2c interfacing.
 
Because most sysmodules have not yet booted, this all uses raw IO pokes when it comes to gpio and i2c interfacing.
  
Otherwise, it continues by reading the first two bytes of the BCT at +0xC000 of NAND partition 0.
+
Otherwise, it continues by reading the bad_block_table.num_entries field from the [[BCT|BCT]] located at offset 0x00C000 in the NAND [[Flash_Filesystem#Boot_Partitions|boot partition 0]] (safe mode backup).
  
If byte0 is non-zero, it does a repair with type=4. If byte1 is non-zero, it does a repair with type=5.
+
If bad_block_table.num_entries byte0 is non-zero, it does a repair with type=4. If byte1 is non-zero, it does a repair with type=5.
 +
The number of entires in the bad block table should always be 0x200 by default (represents partition_size). Values from 0x200 to 0x20F represent bad blocks in the NAND [[Flash_Filesystem#Boot_Partitions|boot partition 0]] while values from 0x210 to 0x21F represent bad blocks in NAND [[Flash_Filesystem#Boot_Partitions|boot partition 1]].
  
 
== Repair ==
 
== Repair ==
It uses ncm IContentMetaDatabase Iterate with supplied type value. The purpose of this ncm usage is to look up the "bip" title-id (0100000000000819 or 010000000000081A) for said type.
+
It uses the NCM [[NCM_services#IContentMetaDatabase|IContentMetaDatabase]] Iterate command with the supplied type value in order to look up the firmware package ("bip") title-id (0100000000000819 or 010000000000081A).
 
 
It mounts the found bip title-id at "bip", reads the "bip:/nx/bct" file in that filesystem. Then it reads the console-unique keyblobs from NAND, and injects the keyblob based on the u32-index at BCT+0x2330 into the BCT buffer+0x450.
 
  
It calculates a sha256 of this "constructed" bct buffer.
+
It then mounts the firmware package at "bip" and reads the [[BCT|BCT]] from the "bip:/nx/bct" file in that filesystem.
 +
Afterwards, the console's [[Flash_Filesystem#Keyblob|keyblob]] is read from the NAND keyblob array using [[BCT#bootloader0_info|bootloader0_info.version]] as index and the selected keyblob is then injected into the BCT's [[BCT#customer_data|customer_data]] region.
  
Then it hashes two bcts from actual in partition 0 (type4: NAND+0x0000 and NAND+0x8000, type5: NAND+0x4000 and NAND+0xC000). If either hash doesn't match the calculated one, it returns error 0xC9E.
+
A SHA-256 hash is then calculated over this new BCT and compared against calculated hashes of the actual BCTs stored in NAND.
 +
For a type4 repair process, the comparison is performed with "normal" and "normal backup" BCTs (offsets 0x0000 and 0x8000 in NAND).
 +
For a type5 repair process, the comparison is performed with "safe mode" and "safe mode backup" BCTs (offsets 0x4000 and 0xC000 in NAND).
 +
If either hash doesn't match the calculated one, it returns error 0xC9E.
  
Then it reads and hashes entire "bip:/nx/package1" using sha256. It checks if this matches a hash of the two real pkg1 stored in (type4: partition0 NAND+0x100000 and NAND+0x140000, type5: partition1 NAND+0 and NAND+0x40000). Same error is returned on hash mismatch.
+
The same process is repeated for the [[Package1|package1]] file in "bip:/nx/package1". This file's SHA-256 hash is compared against calculated hashes over the package1 copy stored in NAND.
 +
For a type4 repair process, the comparison is performed with "normal" and "normal backup" package1 (offsets 0x100000 and 0x140000 in NAND boot partition 0).
 +
For a type5 repair process, the comparison is performed with "safe mode" and "safe mode backup" package1 (offsets 0x00000 and 0x40000 in NAND boot partition 1).
 +
If either hash doesn't match the calculated one, it returns error 0xC9E.
  
After that it also checks the hash of "nx/package2" against two pkg2s stored in NAND, also error 0xC9E if hash doesn't match.
+
Finally, the process is repeated once more for the "bip:/nx/package2". Error 0xC9E is returned in case of mismatch.
  
 
If this function returns 0xC9E, it calls a function to repair the NAND.
 
If this function returns 0xC9E, it calls a function to repair the NAND.
  
 
== Done ==
 
== Done ==
 +
When done it calls the [[Process_Manager_services|pm:shell]] NotifyBootCompleted (which launches [[boot2]]), and exits itself.
 +
 +
= Changelog =
 +
== 2.0.0 ==
 +
* All panic strings were removed/censored.
 +
* Code to initialize gpio differently for Copper/Icosa (based on spl HardwareType flag) was removed.
 +
* The "WecDriver" now uses svcReadWriteRegister instead of svcQueryIoMapping to write to 0x7000E400 MMIO (PMC).
  
When done it calls the [[Process_Manager_services|pm:shell]] NotifyBootCompleted (which launches [[boot2]]), and exits itself.
+
== 2.1.0 ==
 +
* Code was updated with changes to the NCM interface.

Revision as of 18:13, 24 August 2017

boot is a built-in sysmodule.

Boot

First, it initializes gpios and sets the gpio voltage to 1.8v.

Then it checks battery charge and SoC temperature using i2c. If either is bad, it shows one of two different bitmaps from .data in the framebuffer.

Because most sysmodules have not yet booted, this all uses raw IO pokes when it comes to gpio and i2c interfacing.

Otherwise, it continues by reading the bad_block_table.num_entries field from the BCT located at offset 0x00C000 in the NAND boot partition 0 (safe mode backup).

If bad_block_table.num_entries byte0 is non-zero, it does a repair with type=4. If byte1 is non-zero, it does a repair with type=5. The number of entires in the bad block table should always be 0x200 by default (represents partition_size). Values from 0x200 to 0x20F represent bad blocks in the NAND boot partition 0 while values from 0x210 to 0x21F represent bad blocks in NAND boot partition 1.

Repair

It uses the NCM IContentMetaDatabase Iterate command with the supplied type value in order to look up the firmware package ("bip") title-id (0100000000000819 or 010000000000081A).

It then mounts the firmware package at "bip" and reads the BCT from the "bip:/nx/bct" file in that filesystem. Afterwards, the console's keyblob is read from the NAND keyblob array using bootloader0_info.version as index and the selected keyblob is then injected into the BCT's customer_data region.

A SHA-256 hash is then calculated over this new BCT and compared against calculated hashes of the actual BCTs stored in NAND. For a type4 repair process, the comparison is performed with "normal" and "normal backup" BCTs (offsets 0x0000 and 0x8000 in NAND). For a type5 repair process, the comparison is performed with "safe mode" and "safe mode backup" BCTs (offsets 0x4000 and 0xC000 in NAND). If either hash doesn't match the calculated one, it returns error 0xC9E.

The same process is repeated for the package1 file in "bip:/nx/package1". This file's SHA-256 hash is compared against calculated hashes over the package1 copy stored in NAND. For a type4 repair process, the comparison is performed with "normal" and "normal backup" package1 (offsets 0x100000 and 0x140000 in NAND boot partition 0). For a type5 repair process, the comparison is performed with "safe mode" and "safe mode backup" package1 (offsets 0x00000 and 0x40000 in NAND boot partition 1). If either hash doesn't match the calculated one, it returns error 0xC9E.

Finally, the process is repeated once more for the "bip:/nx/package2". Error 0xC9E is returned in case of mismatch.

If this function returns 0xC9E, it calls a function to repair the NAND.

Done

When done it calls the pm:shell NotifyBootCompleted (which launches boot2), and exits itself.

Changelog

2.0.0

  • All panic strings were removed/censored.
  • Code to initialize gpio differently for Copper/Icosa (based on spl HardwareType flag) was removed.
  • The "WecDriver" now uses svcReadWriteRegister instead of svcQueryIoMapping to write to 0x7000E400 MMIO (PMC).

2.1.0

  • Code was updated with changes to the NCM interface.