Changes

no edit summary
Line 3: Line 3:  
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
 
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
   −
The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
+
The Erista BCT's data is only signed after offset 0x510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
    
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
 
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
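Review bot: in the changed Erista sentence, "only signed after offset 0x510" is ambiguous about whether the byte at 0x510 is itself covered, while the Mariko sentence below it says "signed starting at offset 0x420". Since the line is being touched anyway, use the same "starting at offset" wording in both sentences if 0x510 is the first signed byte, so a reader can tell that CustomerData, which the sentence says can be modified without resigning, ends before the signed region begins.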
Line 18: Line 18:  
!  Description
 
!  Description
 
|-
 
|-
0x0000
+
0x0
 
|  0x210
 
|  0x210
 
|  BadBlockTable
 
|  BadBlockTable
 
|  Table containing information on bad blocks
 
|  Table containing information on bad blocks
  0x0000: EntriesUsed (0x200)
+
  0x0:   EntriesUsed (0x200)
  0x0004: VirtualBlockSizeLog2 (0x0F)
+
  0x4:   VirtualBlockSizeLog2 (0xF)
  0x0005: BlockSizeLog2 (0x0E)
+
  0x5:   BlockSizeLog2 (0xE)
  0x0006: BadBlocks
+
  0x6:   BadBlocks
  0x0206: Reserved
+
  0x206: Reserved
 
|-
 
|-
0x0210
+
0x210
 
|  0x100
 
|  0x100
 
|  Key
 
|  Key
 
|  BCT RSA public key's modulus
 
|  BCT RSA public key's modulus
 
|-
 
|-
0x0310
+
0x310
 
|  0x110
 
|  0x110
 
|  Signature
 
|  Signature
 
|  BCT cryptographic signature
 
|  BCT cryptographic signature
  0x0310: CryptoHash (empty)
+
  0x310: CryptoHash (empty)
  0x0320: RsaPssSig
+
  0x320: RsaPssSig
 
|-
 
|-
0x0420
+
0x420
0x04
+
0x4
 
|  SecProvisioningKeyNumInsecure
 
|  SecProvisioningKeyNumInsecure
 
|  Used for Factory Secure Provisioning (always 0)
 
|  Used for Factory Secure Provisioning (always 0)
 
|-
 
|-
0x0424
+
0x424
 
|  0x20
 
|  0x20
 
|  SecProvisioningKey
 
|  SecProvisioningKey
Line 54: Line 54:  
|  [[#CustomerData|CustomerData]]
 
|  [[#CustomerData|CustomerData]]
 
|  Data block available for the customer (used in key generation)
 
|  Data block available for the customer (used in key generation)
  0x0444: Reserved (0x0C bytes)
+
  0x444: Reserved
  0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes)
+
  0x450: [[Flash_Filesystem#Keyblob|Keyblob]]
  0x0500: Reserved (0x08 bytes)
+
  0x500: Reserved
 
|-
 
|-
0x0508
+
0x508
0x04
+
0x4
 
|  OdmData
 
|  OdmData
Legacy field (unused)
+
Empty
 
|-
 
|-
0x050C
+
0x50C
0x04
+
0x4
 
|  Reserved
 
|  Reserved
Legacy field (unused)
+
Empty
 
|-
 
|-
0x0510
+
0x510
 
|  0x10
 
|  0x10
 
|  RandomAesBlock
 
|  RandomAesBlock
Always empty
+
Empty
 
|-
 
|-
0x0520
+
0x520
 
|  0x10
 
|  0x10
 
|  UniqueChipId
 
|  UniqueChipId
Always empty
+
Empty
 
|-
 
|-
0x0530
+
0x530
0x04
+
0x4
 
|  BootDataVersion
 
|  BootDataVersion
|  Set to 0x00210001 (BOOTDATA_VERSION_T210)
+
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
 
|-
 
|-
0x0534
+
0x534
0x04
+
0x4
 
|  BlockSizeLog2
 
|  BlockSizeLog2
|  Always 0x0E
+
|  Always 0xE
 
|-
 
|-
0x0538
+
0x538
0x04
+
0x4
 
|  PageSizeLog2
 
|  PageSizeLog2
|  Always 0x09
+
|  Always 0x9
 
|-
 
|-
0x053C
+
0x53C
0x04
+
0x4
 
|  PartitionSize
 
|  PartitionSize
|  Always 0x01000000
+
|  Always 0x1000000
 
|-
 
|-
0x0540
+
0x540
0x04
+
0x4
 
|  NumParamSets
 
|  NumParamSets
|  Number of device parameter sets (always 0x01)
+
|  Number of device parameter sets (always 0x1)
 
|-
 
|-
0x0544
+
0x544
0x04
+
0x4
 
|  DevType
 
|  DevType
|  Device type (0x04 == Sdmmc)
+
|  Device type (0x4 == Sdmmc)
 
|-
 
|-
0x0548
+
0x548
 
|  0x40
 
|  0x40
 
|  DevParams
 
|  DevParams
 
|  Device parameters
 
|  Device parameters
   0x0548: ClockDivider (0x09 == 24MHz)
+
   0x548: ClockDivider (0x9 == 24MHz)
   0x054C: DataWidth (0x02 == 8Bit)
+
   0x54C: DataWidth (0x2 == 8Bit)
 
|-
 
|-
0x0588
+
0x588
0x04
+
0x4
 
|  NumSdramSets
 
|  NumSdramSets
 
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
 
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
 
|-
 
|-
0x058C
+
0x58C
 
|  0x768
 
|  0x768
 
|  SdramParams0
 
|  SdramParams0
 
|  Default values filled in
 
|  Default values filled in
 
|-
 
|-
0x0CF4
+
0xCF4
 
|  0x768
 
|  0x768
 
|  SdramParams1
 
|  SdramParams1
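Review bot: the CustomerData sub-field lines drop their explicit sizes ("Reserved (0x0C bytes)", "Keyblob (0xB0 bytes)", "Reserved (0x08 bytes)") instead of only stripping leading zeros, which is a content change inside what is otherwise a notation cleanup. The sizes can be recomputed from the offsets 0x444, 0x450, 0x500 and 0x508, but the keyblob length is the figure a reader most needs for this region, which the introduction says can be rewritten without resigning. Keep the sizes in the new notation, for example "0x450: Keyblob (0xB0 bytes)". The same hunk also replaces "Legacy field (unused)" and "Always empty" with "Empty", which loses the statement that the value is fixed; consider keeping "Always empty".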
Line 141: Line 141:  
|-
 
|-
 
|  0x232C
 
|  0x232C
0x04
+
0x4
 
|  BootLoadersUsed
 
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
+
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
 
|-
 
|-
 
|  0x2330
 
|  0x2330
Line 150: Line 150:  
|  Configuration parameters for bootloader 0 (main)
 
|  Configuration parameters for bootloader 0 (main)
 
  0x2330: Version (variable)
 
  0x2330: Version (variable)
  0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
+
  0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
  0x2338: StartPage (0x00000000)
+
  0x2338: StartPage (0)
 
  0x233C: Length (variable)
 
  0x233C: Length (variable)
 
  0x2340: LoadAddress (0x40010000)
 
  0x2340: LoadAddress (0x40010000)
 
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
 
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
+
  0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
 
  0x234C: CryptoHash (empty)
 
  0x234C: CryptoHash (empty)
 
  0x235C: RsaPssSig
 
  0x235C: RsaPssSig
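Review bot: in the BootLoader0 sub-fields, StartPage and Attribute lose the 0x prefix ("StartPage (0)", "0 for BootImagePackage, 1 for BootImagePackageSafe") while StartBlock, LoadAddress and EntryPoint on the neighbouring lines stay hexadecimal, so the list now mixes two notations. Writing "0x0" and "0x1", as the offset column of this edit does, would keep the values unambiguous; the same applies to the BootLoader1 lines at 0x2464 and 0x2474.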
Line 164: Line 164:  
|  Configuration parameters for bootloader 1 (backup)
 
|  Configuration parameters for bootloader 1 (backup)
 
  0x245C: Version (variable)
 
  0x245C: Version (variable)
  0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
+
  0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
  0x2464: StartPage (0x00000000)
+
  0x2464: StartPage (0)
 
  0x2468: Length (variable)
 
  0x2468: Length (variable)
 
  0x246C: LoadAddress (0x40010000)
 
  0x246C: LoadAddress (0x40010000)
 
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
 
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
+
  0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
 
  0x2478: CryptoHash (empty)
 
  0x2478: CryptoHash (empty)
 
  0x2488: RsaPssSig
 
  0x2488: RsaPssSig
Line 184: Line 184:  
|-
 
|-
 
|  0x27E0
 
|  0x27E0
0x01
+
0x1
 
|  EnableFailBack
 
|  EnableFailBack
 
|  Always 0
 
|  Always 0
 
|-
 
|-
 
|  0x27E1
 
|  0x27E1
0x04
+
0x4
 
|  SecureJtagControl
 
|  SecureJtagControl
 
|  Always 0
 
|  Always 0
 
|-
 
|-
 
|  0x27E5
 
|  0x27E5
0x04
+
0x4
 
|  SecProvisioningKeyNumSecure
 
|  SecProvisioningKeyNumSecure
 
|  Used for Factory Secure Provisioning (always 0)
 
|  Used for Factory Secure Provisioning (always 0)
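Review bot: with the sizes at 0x27E0, 0x27E1 and 0x27E5 reading 0x1, 0x4 and 0x4, the two 4-byte fields SecureJtagControl and SecProvisioningKeyNumSecure start on odd offsets, and nothing in these rows says the structure is packed. A short remark that there is no alignment padding after EnableFailBack would stop anyone writing a parser from this table from treating 0x27E1 as a typo.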
Line 204: Line 204:  
|-
 
|-
 
|  0x27FB
 
|  0x27FB
0x05
+
0x5
 
|  Padding
 
|  Padding
 
|  Empty
 
|  Empty
Line 231: Line 231:     
=== BootLoader0 ===
 
=== BootLoader0 ===
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
+
The version field controls which keyblob is used, where 0x1 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
    
== Mariko ==
 
== Mariko ==
Line 241: Line 241:  
!  Description
 
!  Description
 
|-
 
|-
0x0000
+
0x0
 
|  0x210
 
|  0x210
 
|  Pcp
 
|  Pcp
 
|  BCT public cryptographic parameters
 
|  BCT public cryptographic parameters
  0x0000: KeySize
+
  0x0:   KeySize
  0x0004: Reserved
+
  0x4:   Reserved
  0x0010: PublicKeyModulus
+
  0x10: PublicKeyModulus
  0x0110: PublicKeyExponent
+
  0x110: PublicKeyExponent
 
|-
 
|-
0x0210
+
0x210
 
|  0x110
 
|  0x110
 
|  Signature
 
|  Signature
 
|  BCT cryptographic signature
 
|  BCT cryptographic signature
  0x0210: CryptoHash (empty)
+
  0x210: CryptoHash (empty)
  0x0220: RsaPssSig
+
  0x220: RsaPssSig
 +
|-
 +
|  0x320
 +
|  0x20
 +
|  SecProvisioningKey
 +
|  Used for Factory Secure Provisioning (always 0)
 +
|-
 +
|  0x340
 +
|  0x4
 +
|  SecProvisioningKeyNumInsecure
 +
|  Used for Factory Secure Provisioning (always 0)
 +
|-
 +
|  0x344
 +
|  0xC
 +
|  Padding
 +
|  Empty
 +
|-
 +
|  0x350
 +
|  0xD0
 +
|  CustomerData
 +
|  Data block available for the customer
 +
|-
 +
|  0x420
 +
|  0x10
 +
|  RandomAesBlock
 +
 
|-
 
|-
0x0320
+
0x430
0x160
+
0x10
 
|   
 
|   
 
|  Empty
 
|  Empty
 
|-
 
|-
0x0480
+
0x440
 +
|  0x40
 +
 +
|  Empty
 +
|-
 +
|  0x480
 
|  0x10
 
|  0x10
RandomAesBlock
+
RandomAesBlock2
Not empty
+
|   
 
|-
 
|-
0x0490
+
0x490
 
|  0x10
 
|  0x10
 
|  UniqueChipId
 
|  UniqueChipId
Always empty
+
Empty
 
|-
 
|-
0x04A0
+
0x4A0
0x04
+
0x4
 
|  BootDataVersion
 
|  BootDataVersion
|  Set to 0x00210001 (BOOTDATA_VERSION_T210)
+
|  Set to 0x210001 (BOOTDATA_VERSION_T210)
 
|-
 
|-
0x04A4
+
0x4A4
0x04
+
0x4
 
|  BlockSizeLog2
 
|  BlockSizeLog2
|  Always 0x0E
+
|  Always 0xE
 
|-
 
|-
0x04A8
+
0x4A8
0x04
+
0x4
 
|  PageSizeLog2
 
|  PageSizeLog2
|  Always 0x09
+
|  Always 0x9
 
|-
 
|-
0x04AC
+
0x4AC
0x04
+
0x4
 
|  PartitionSize
 
|  PartitionSize
|  Always 0x01000000
+
|  Always 0x1000000
 
|-
 
|-
0x04B0
+
0x4B0
0x04
+
0x4
 
|  NumParamSets
 
|  NumParamSets
|  Number of device parameter sets (always 0x01)
+
|  Number of device parameter sets (always 0x1)
 
|-
 
|-
0x04B4
+
0x4B4
0x04
+
0x4
 
|  DevType
 
|  DevType
|  Device type (0x04 == Sdmmc)
+
|  Device type (0x4 == Sdmmc)
 
|-
 
|-
0x04B8
+
0x4B8
 
|  0x40
 
|  0x40
 
|  DevParams
 
|  DevParams
 
|  Device parameters
 
|  Device parameters
 
|-
 
|-
0x04F8
+
0x4F8
0x04
+
0x4
 
|  NumSdramSets
 
|  NumSdramSets
 
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
 
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
 
|-
 
|-
0x04FC
+
0x4FC
 
|  0x838
 
|  0x838
 
|  SdramParams0
 
|  SdramParams0
 
|  Default values filled in
 
|  Default values filled in
 
|-
 
|-
0x0D34
+
0xD34
 
|  0x838
 
|  0x838
 
|  SdramParams1
 
|  SdramParams1
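Review bot: the new rows at 0x420 (RandomAesBlock) and 0x480 (RandomAesBlock2) appear with blank descriptions, and the old "Not empty" remark on the 0x480 row is dropped. These two offsets are where the introduction says the Mariko signed region (0x420) and encrypted region (0x480) begin, so the descriptions should say so and state whether each block is populated. The two unnamed "Empty" rows at 0x430 (0x10) and 0x440 (0x40) are adjacent and could be a single 0x50 row unless they are distinct fields, in which case name them. The new offsets are otherwise consistent: 0x320 + 0x20 + 0x4 + 0xC + 0xD0 reaches 0x420, and 0x10 + 0x10 + 0x40 from there reaches 0x480.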
Line 335: Line 365:  
|  0x04
 
|  0x04
 
|  BootLoadersUsed
 
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
+
|  Number of bootloaders installed (always 0x2, maximum is 0x4)
 
|-
 
|-
 
|  0x25E0
 
|  0x25E0
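Review bot: the size cell of the Mariko BootLoadersUsed row is left as "0x04" (it appears as unchanged context) while the description on the next line is rewritten to "always 0x2, maximum is 0x4" and every other 4-byte size cell in this edit becomes "0x4". Change this cell as well so the row matches the Erista BootLoadersUsed row.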
Line 341: Line 371:  
|  BootLoader0
 
|  BootLoader0
 
|  Configuration parameters for bootloader 0 (main)
 
|  Configuration parameters for bootloader 0 (main)
  0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
+
  0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
  0x25E4: StartPage (0x00000000)
+
  0x25E4: StartPage (0)
 
  0x25E8: Version (variable)
 
  0x25E8: Version (variable)
 
  0x25EC: Reserved
 
  0x25EC: Reserved
Line 350: Line 380:  
|  BootLoader1
 
|  BootLoader1
 
|  Configuration parameters for bootloader 1 (backup)
 
|  Configuration parameters for bootloader 1 (backup)
  0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
+
  0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
  0x25F4: StartPage (0x00000000)
+
  0x25F4: StartPage (0)
 
  0x25F8: Version (variable)
 
  0x25F8: Version (variable)
 
  0x25FC: Reserved
 
  0x25FC: Reserved
Line 366: Line 396:  
|-
 
|-
 
|  0x2620
 
|  0x2620
0x5C
+
0x4
 +
|  SecureDebugControlNoneEcid
 +
|  Empty
 +
|-
 +
|  0x2624
 +
|  0x4
 +
|  SecureDebugControlEcid
 +
|  Empty
 +
|-
 +
|  0x2628
 +
|  0x10
 
|   
 
|   
 
|  Empty
 
|  Empty
 +
|-
 +
|  0x2638
 +
|  0x40
 +
 +
|  Empty
 +
|-
 +
|  0x2678
 +
|  0x4
 +
|  SecProvisioningKeyNumSecure
 +
|  Used for Factory Secure Provisioning (always 0)
 
|-
 
|-
 
|  0x267C
 
|  0x267C
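Review bot: the two new SecureDebugControl rows at 0x2620 and 0x2624 are described as "Empty", the same word used for the unnamed filler rows at 0x2628 and 0x2638, which does not tell a reader whether these control words are fixed at zero. The Erista table describes SecureJtagControl as "Always 0"; use that wording here if it holds. The split itself adds up: 0x4 + 0x4 + 0x10 + 0x40 + 0x4 equals the old 0x5C and ends at 0x267C.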