Difference between revisions of "Calibration"

From Nintendo Switch Brew
Jump to navigation Jump to search
Line 297: Line 297:
 
|  0x3D70
 
|  0x3D70
 
|  0x240
 
|  0x240
|  [5.0.0+] unk_key0
+
|  [5.0.0+] device_cert_rsa
|   
+
Device certificate (RSA-2048 version).
 
|-
 
|-
 
|  0x3FC0
 
|  0x3FC0
 
|  0x240
 
|  0x240
|  [5.0.0+] unk_key1
+
|  [5.0.0+] device_ext_key_rsa
|   
+
Extended device key (RSA-2048 version).
 
|-
 
|-
 
|  0x4210
 
|  0x4210
 
|  0x04
 
|  0x04
|  [5.0.0+] unk_id
+
|  [5.0.0+] usb_type_c_power_source_circuit_version
 
|   
 
|   
 
|-
 
|-
 
|  0x4310
 
|  0x4310
 
|  0x04
 
|  0x04
|  [6.0.0+] unk_id2
+
|  [6.0.0+] unk_id
 
|   
 
|   
 
|-
 
|-

Revision as of 17:00, 25 September 2018

During factory setup, the Switch goes through calibration and the generated data from this process is written to two NAND user partitions (PRODINFO and PRODINFOF).

PRODINFOF is a FAT12 compliant filesystem and it's structure can be found here. It's mainly used to keep calibration logs and other assorted files.

PRODINFO is a raw binary blob containing the main calibration data, which ranges from hardware IDs to system keys.

CAL0

This is the raw data stored under the PRODINFO partition.

Offset Size Field Description
0x0000 0x04 magic "CAL0" header magic.
0x0004 0x04 unk Always 0x07.
0x0008 0x04 calib_data_size Total size of calibration data minus 0x40 bytes (header + calib_data_sha256).
0x000C 0x02 version Always 0x01.
0x000E 0x02 revision Increases each time calibration data is installed.
0x0020 0x20 calib_data_sha256 SHA256 hash calculated over calibration data.
0x0040 0x1D config_id1 Configuration ID string.
0x0060 0x20 reserved Empty.
0x0080 0x04 wlan_country_codes_num Number of elements in the wlan_country_codes array.
0x0084 0x04 wlan_country_codes_last_idx Index of the last element in the wlan_country_codes array.
0x0088 0x180 wlan_country_codes Array of WLAN country code strings. Each element is 3 bytes (code + NULL terminator).
0x0210 0x06 wlan_mac_addr
0x0220 0x06 bd_addr
0x0230 0x06 accelerometer_offset
0x0238 0x06 accelerometer_scale
0x0240 0x06 gyroscope_offset
0x0248 0x06 gyroscope_scale
0x0250 0x18 serial_number
0x0270 0x30 device_key_ecc_p256 Device key (ECC-P256 version; empty and unused).
0x02B0 0x180 device_cert_ecc_p256 Device certificate (ECC-P256 version; empty and unused).
0x0440 0x30 device_key_ecc_b233 Device key (ECC-B233 version; empty and unused).
0x0480 0x180 device_cert_ecc_b233 Device certificate (ECC-B233 version; active).
0x0610 0x30 eticket_key_ecc_p256 ETicket key (ECC-P256 version; empty and unused).
0x0650 0x180 eticket_cert_ecc_p256 ETicket certificate (ECC-P256 version; empty and unused).
0x07E0 0x30 eticket_key_ecc_b233 ETicket key (ECC-B233 version; empty and unused).
0x0820 0x180 eticket_cert_ecc_b233 ETicket certificate (ECC-B233 version; empty and unused).
0x09B0 0x110 ssl_key SSL key (empty and unused).
0x0AD0 0x04 ssl_cert_size Total size of the SSL certificate.
0x0AE0 0x800 ssl_cert SSL certificate. Only ssl_cert_size bytes are used.
0x12E0 0x20 ssl_cert_sha256 SHA256 over the SSL certificate.
0x1300 0x1000 random_number Random generated data.
0x2300 0x20 random_number_sha256 SHA256 over the random data block.
0x2320 0x110 gamecard_key GameCard key (empty and unused).
0x2440 0x400 gamecard_cert GameCard certificate.
0x2840 0x20 gamecard_cert_sha256 SHA256 over the GameCard certificate.
0x2860 0x220 eticket_key_rsa ETicket key (RSA-2048 version; empty and unused).
0x2A90 0x240 eticket_cert_rsa ETicket certificate (RSA-2048 version; active).
0x2CE0 0x18 battery_lot Battery lot string ID.
0x2D00 0x800 speaker_calib_value Speaker calibration values. Only 0x5A bytes are used.
0x3510 0x04 region_code
0x3520 0x50 amiibo_key Amiibo key (ECQV and ECDSA versions).
0x3580 0x14 amiibo_cert_ecqv Amiibo certificate (ECQV version).
0x35A0 0x70 amiibo_cert_ecdsa Amiibo certificate (ECDSA version).
0x3620 0x40 amiibo_key_ecqv_bls Amiibo key (ECQV-BLS version).
0x3670 0x20 amiibo_cert_ecqv_bls Amiibo certificate (ECQV-BLS version).
0x36A0 0x90 amiibo_root_cert_ecqv_bls Amiibo root certificate (ECQV-BLS version).
0x3740 0x04 product_model
0x3750 0x06 color_variation
0x3760 0x0C lcd_backlight_brightness_mapping
0x3770 0x50 device_ext_key_ecc_b233 Extended device key (ECC-B233 version; active).
0x37D0 0x50 eticket_ext_key_ecc_p256 Extended ETicket key (ECC-P256 version; empty and unused).
0x3830 0x50 eticket_ext_key_ecc_b233 Extended ETicket key (ECC-B233 version; empty and unused).
0x3890 0x240 eticket_ext_key_rsa Extended ETicket key (RSA-2048 version; active).
0x3AE0 0x130 ssl_ext_key Extended SSL key (active).
0x3C20 0x130 gamecard_ext_key Extended GameCard key (active).
0x3D60 0x04 lcd_vendor_id
0x3D70 0x240 [5.0.0+] device_cert_rsa Device certificate (RSA-2048 version).
0x3FC0 0x240 [5.0.0+] device_ext_key_rsa Extended device key (RSA-2048 version).
0x4210 0x04 [5.0.0+] usb_type_c_power_source_circuit_version
0x4310 0x04 [6.0.0+] unk_id

Error detection

Each block of raw calibration data (with the exception of blocks with SHA256 hashes) is padded to 16 bytes, being the last 2 bytes a CRC-16 over said block.

XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
00 00 00 00 00 00 00 00 00 00 00 00 00 00 YY YY

XX == data
00 == padding
YY == crc

The CRC-16 is generated as follows:

unsigned int crc_16_table[16] = {
 0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401,
 0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400 };

unsigned short int get_crc_16 (char *p, int n) {
 unsigned short int crc = 0x55AA;
 int r;

 while (n-- > 0) {
   r = crc_16_table[crc & 0xF];
   crc = (crc >> 4) & 0x0FFF;
   crc = crc ^ r ^ crc_16_table[*p & 0xF];

   r = crc_16_table[crc & 0xF];
   crc = (crc >> 4) & 0x0FFF;
   crc = crc ^ r ^ crc_16_table[(*p >> 4) & 0xF];

   p++;
 }

 return(crc);
}