| Line 1: |
Line 1: |
| − | For the Gamecard partitions that can be [[Filesystem_services|mounted]], see [[Gamecard_Partition|here]].
| + | This page documents the Nintendo Switch Gamecard. |
| − | | |
| − | For the format of the Gamecard image, see [[Gamecard_Format|here]].
| |
| − | | |
| − | = Gamecard controller =
| |
| − | The gamecard controller (known internally as the LOTUS3) is a separate chip on the motherboard responsible for communicating with the gamecard.
| |
| − | | |
| − | [[Filesystem_services|FS]] flashes the appropriate gamecard controller's firmware (Lotus ASIC Firmware or LAFW) which is encrypted, signed and follows the format below.
| |
| | | | |
| − | {| class="wikitable" border="1"
| |
| − | |-
| |
| − | ! Offset
| |
| − | ! Size
| |
| − | ! Description
| |
| − | |-
| |
| − | | 0x0
| |
| − | | 0x100
| |
| − | | RSA-PKCS#1 signature
| |
| − | |-
| |
| − | | 0x100
| |
| − | | 0x4
| |
| − | | Magic ("LAFW")
| |
| − | |-
| |
| − | | 0x104
| |
| − | | 0x4
| |
| − | | Unknown (0xFF000000, 0xFFFF0000 or 0xFFFFFF00)
| |
| − | |-
| |
| − | | 0x108
| |
| − | | 0x4
| |
| − | |
| |
| − | |-
| |
| − | | 0x10C
| |
| − | | 0x4
| |
| − | |
| |
| − | |-
| |
| − | | 0x110
| |
| − | | 0x4
| |
| − | | Version (0, 1 or 3)
| |
| − | |-
| |
| − | | 0x114
| |
| − | | 0x4
| |
| − | | Unknown (0x80000000)
| |
| − | |-
| |
| − | | 0x118
| |
| − | | 0x4
| |
| − | | Data size
| |
| − | |-
| |
| − | | 0x11C
| |
| − | | 0x4
| |
| − | |
| |
| − | |-
| |
| − | | 0x120
| |
| − | | 0x10
| |
| − | | Data hash
| |
| − | |-
| |
| − | | 0x130
| |
| − | | 0x10
| |
| − | | Placeholder string ("IDIDIDIDIDIDIDID")
| |
| − | |-
| |
| − | | 0x140
| |
| − | | 0x40
| |
| − | | Empty
| |
| − | |-
| |
| − | | 0x180
| |
| − | | 0x7680
| |
| − | | Encrypted data
| |
| − | |}
| |
| − |
| |
| − | = Hardware =
| |
| | {| style="float:right; margin-left: 0px;" | | {| style="float:right; margin-left: 0px;" |
| | |- | | |- |
| Line 77: |
Line 10: |
| | |- | | |- |
| | |[[File:CartridgeFrontBare.jpeg|200px|thumb|right|Close-up of stripped frontside PCB]] | | |[[File:CartridgeFrontBare.jpeg|200px|thumb|right|Close-up of stripped frontside PCB]] |
| − | |
| |
| − | |-
| |
| | |} | | |} |
| | | | |
| − | == Pinout ==
| + | For the Gamecard partitions that can be [[Filesystem_services|mounted]], see [[Gamecard_Partition|here]]. |
| | + | |
| | + | For the Gamecard image format, see [[Gamecard_Format|here]]. |
| | + | |
| | + | For the Gamecard ASIC, see [[Gamecard_ASIC|here]]. |
| | + | |
| | + | = Pinout = |
| | [[File:Gamecard-pinout.png|400px]] | | [[File:Gamecard-pinout.png|400px]] |
| | | | |
| Line 174: |
Line 111: |
| | All IO use 1.8V for logic HIGH and 0V for logic LOW. | | All IO use 1.8V for logic HIGH and 0V for logic LOW. |
| | | | |
| − | == Protocol ==
| + | = Protocol = |
| | Switch game cartridges use a simple (but Nintendo proprietery) SPI-like bus with 8-bit width (DAT7..0). It is very similar to the bus interface of 3DS game cartridges, except with very different commands. | | Switch game cartridges use a simple (but Nintendo proprietery) SPI-like bus with 8-bit width (DAT7..0). It is very similar to the bus interface of 3DS game cartridges, except with very different commands. |
| | | | |
| Line 187: |
Line 124: |
| | The actual response bytes are also followed immediately by a 4-byte CRC-32 over the actual data response bytes. | | The actual response bytes are also followed immediately by a 4-byte CRC-32 over the actual data response bytes. |
| | | | |
| − | == Commands ==
| |
| | A typical boot up sequence of a game cartridge (in this case, the game "1,2 Switch") looks like this: | | A typical boot up sequence of a game cartridge (in this case, the game "1,2 Switch") looks like this: |
| | | | |
| Line 257: |
Line 193: |
| | |} | | |} |
| | | | |
| − | The meaning of some these commands are currently unknown.
| + | = Manufacturers = |
| − | | |
| − | == Observations ==
| |
| − | * The "update" and "normal" partitions can be dumped using the plaintext 5B commands
| |
| − | * The "secure" partition can only be read from encrypted mode.
| |
| − | | |
| − | == Encryption ==
| |
| − | After a few initial plaintext commands, the Switch instructs the game cartridge to enter into encrypted mode. From that point on, commands and responses are sent encrypted over the bus. The encryption algorithm used is currently unknown.
| |
| − | | |
| − | There appear to be 2 kinds of crypto mode.
| |
| − | | |
| − | Crypto mode1 is initiated solely by the HOST-RANDOM as random session seed. In that mode, the Switch host requests for the game cartridge random seed, and then sends a command to enter crypto mode2.
| |
| − | | |
| − | Crypto mode2 takes into account the CART-RANDOM seed generated by the cartridge, and possibly the previous HOST-RANDOM.
| |
| − | The game cartridge will always send a different CART-RANDOM even if the exact same command sequence is replayed and thus with this scheme replay attacks are not possible.
| |
| − | | |
| − | == Manufacturers ==
| |
| | ;Macronix (MX) | | ;Macronix (MX) |
| | : Uses package: LGA | | : Uses package: LGA |