Line 3: |
Line 3: |
| The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup. | | The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup. |
| | | |
− | By design, the BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
| + | The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example. |
| + | |
| + | The Mariko BCT's data is signed and encrypted after offset 0x0480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used. |
| | | |
| During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000. | | During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000. |
| | | |
− | = Structure = | + | = Format = |
− | Below is the BCT structure used by the Switch, which is a minimal variation of the Tegra 210 BCT format.
| + | == Erista == |
− | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
Line 35: |
Line 36: |
| | 0x110 | | | 0x110 |
| | Signature | | | Signature |
− | | BCT object signature | + | | BCT cryptographic signature |
| 0x0310: CryptoHash (empty) | | 0x0310: CryptoHash (empty) |
| 0x0320: RsaPssSig | | 0x0320: RsaPssSig |
Line 42: |
Line 43: |
| | 0x04 | | | 0x04 |
| | SecProvisioningKeyNumInsecure | | | SecProvisioningKeyNumInsecure |
− | | Used for Factory Secure Provisioning. Always 0. | + | | Used for Factory Secure Provisioning (always 0) |
| |- | | |- |
| | 0x0424 | | | 0x0424 |
| | 0x20 | | | 0x20 |
| | SecProvisioningKey | | | SecProvisioningKey |
− | | Used for Factory Secure Provisioning. Always empty. | + | | Used for Factory Secure Provisioning (always 0) |
| |- | | |- |
| | 0x0444 | | | 0x0444 |
| | 0xC4 | | | 0xC4 |
| | [[#CustomerData|CustomerData]] | | | [[#CustomerData|CustomerData]] |
− | | Data block available for the customer. Used in key generation. | + | | Data block available for the customer (used in key generation) |
| 0x0444: Reserved (0x0C bytes) | | 0x0444: Reserved (0x0C bytes) |
| 0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes) | | 0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes) |
Line 60: |
Line 61: |
| | 0x04 | | | 0x04 |
| | OdmData | | | OdmData |
− | | Legacy field. Unused. | + | | Legacy field (unused) |
| |- | | |- |
| | 0x050C | | | 0x050C |
| | 0x04 | | | 0x04 |
| | Reserved | | | Reserved |
− | | Legacy field. Unused. | + | | Legacy field (unused) |
| |- | | |- |
| | 0x0510 | | | 0x0510 |
| | 0x10 | | | 0x10 |
| | RandomAesBlock | | | RandomAesBlock |
− | | Always empty. | + | | Always empty |
| |- | | |- |
| | 0x0520 | | | 0x0520 |
| | 0x10 | | | 0x10 |
| | UniqueChipId | | | UniqueChipId |
− | | Always empty. | + | | Always empty |
| |- | | |- |
| | 0x0530 | | | 0x0530 |
| | 0x04 | | | 0x04 |
| | BootDataVersion | | | BootDataVersion |
− | | Set to 0x00210001 (BOOTDATA_VERSION_T210). | + | | Set to 0x00210001 (BOOTDATA_VERSION_T210) |
| |- | | |- |
| | 0x0534 | | | 0x0534 |
| | 0x04 | | | 0x04 |
| | BlockSizeLog2 | | | BlockSizeLog2 |
− | | Always 0x0E. | + | | Always 0x0E |
| |- | | |- |
| | 0x0538 | | | 0x0538 |
| | 0x04 | | | 0x04 |
| | PageSizeLog2 | | | PageSizeLog2 |
− | | Always 0x09. | + | | Always 0x09 |
| |- | | |- |
| | 0x053C | | | 0x053C |
| | 0x04 | | | 0x04 |
| | PartitionSize | | | PartitionSize |
− | | Always 0x01000000. | + | | Always 0x01000000 |
| |- | | |- |
| | 0x0540 | | | 0x0540 |
| | 0x04 | | | 0x04 |
| | NumParamSets | | | NumParamSets |
− | | Number of device parameter sets. Always 0x01. | + | | Number of device parameter sets (always 0x01) |
| |- | | |- |
| | 0x0544 | | | 0x0544 |
| | 0x04 | | | 0x04 |
| | DevType | | | DevType |
− | | Device type. Set to 0x04 (Sdmmc). | + | | Device type (0x04 == Sdmmc) |
| |- | | |- |
| | 0x0548 | | | 0x0548 |
Line 117: |
Line 118: |
| | 0x04 | | | 0x04 |
| | NumSdramSets | | | NumSdramSets |
− | | Number of SDRAM parameter sets. Always set to 0, but parameters are used despite this. | + | | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) |
| |- | | |- |
| | 0x058C | | | 0x058C |
| | 0x768 | | | 0x768 |
| | SdramParams0 | | | SdramParams0 |
− | | Default values filled in. | + | | Default values filled in |
| |- | | |- |
| | 0x0CF4 | | | 0x0CF4 |
| | 0x768 | | | 0x768 |
| | SdramParams1 | | | SdramParams1 |
− | | Default values filled in. | + | | Default values filled in |
| |- | | |- |
| | 0x145C | | | 0x145C |
| | 0x768 | | | 0x768 |
| | SdramParams2 | | | SdramParams2 |
− | | Default values filled in. | + | | Default values filled in |
| |- | | |- |
| | 0x1BC4 | | | 0x1BC4 |
| | 0x768 | | | 0x768 |
| | SdramParams3 | | | SdramParams3 |
− | | Default values filled in. | + | | Default values filled in |
| |- | | |- |
| | 0x232C | | | 0x232C |
| | 0x04 | | | 0x04 |
| | BootLoadersUsed | | | BootLoadersUsed |
− | | Number of bootloaders installed. Always 0x02 (maximum is 0x04). | + | | Number of bootloaders installed (always 0x02, maximum is 0x04) |
| |- | | |- |
| | 0x2330 | | | 0x2330 |
| | 0x12C | | | 0x12C |
| | [[#BootLoader0|BootLoader0]] | | | [[#BootLoader0|BootLoader0]] |
− | | Configuration parameters for bootloader 0 (normal). | + | | Configuration parameters for bootloader 0 (main) |
| 0x2330: Version (variable) | | 0x2330: Version (variable) |
− | 0x2334: StartBlock (0x00000040) | + | 0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe)) |
| 0x2338: StartPage (0x00000000) | | 0x2338: StartPage (0x00000000) |
| 0x233C: Length (variable) | | 0x233C: Length (variable) |
| 0x2340: LoadAddress (0x40010000) | | 0x2340: LoadAddress (0x40010000) |
| 0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) | | 0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) |
− | 0x2348: Attribute (0x00000000) | + | 0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe)) |
| 0x234C: CryptoHash (empty) | | 0x234C: CryptoHash (empty) |
| 0x235C: RsaPssSig | | 0x235C: RsaPssSig |
Line 161: |
Line 162: |
| | 0x12C | | | 0x12C |
| | BootLoader1 | | | BootLoader1 |
− | | Configuration parameters for bootloader 1 (safe mode). | + | | Configuration parameters for bootloader 1 (backup) |
| 0x245C: Version (variable) | | 0x245C: Version (variable) |
− | 0x2460: StartBlock (0x00000050) | + | 0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe)) |
| 0x2464: StartPage (0x00000000) | | 0x2464: StartPage (0x00000000) |
| 0x2468: Length (variable) | | 0x2468: Length (variable) |
| 0x246C: LoadAddress (0x40010000) | | 0x246C: LoadAddress (0x40010000) |
| 0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) | | 0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) |
− | 0x2474: Attribute (0x00000000) | + | 0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe)) |
| 0x2478: CryptoHash (empty) | | 0x2478: CryptoHash (empty) |
| 0x2488: RsaPssSig | | 0x2488: RsaPssSig |
Line 175: |
Line 176: |
| | 0x12C | | | 0x12C |
| | BootLoader2 | | | BootLoader2 |
− | | Reserved space for bootloader 2 (unused). | + | | Reserved space for bootloader 2 (unused) |
| |- | | |- |
| | 0x26B4 | | | 0x26B4 |
| | 0x12C | | | 0x12C |
| | BootLoader3 | | | BootLoader3 |
− | | Reserved space for bootloader 3 (unused). | + | | Reserved space for bootloader 3 (unused) |
| |- | | |- |
| | 0x27E0 | | | 0x27E0 |
| | 0x01 | | | 0x01 |
| | EnableFailBack | | | EnableFailBack |
− | | Always 0. | + | | Always 0 |
| |- | | |- |
| | 0x27E1 | | | 0x27E1 |
| | 0x04 | | | 0x04 |
| | SecureJtagControl | | | SecureJtagControl |
− | | Always 0. | + | | Always 0 |
| |- | | |- |
| | 0x27E5 | | | 0x27E5 |
| | 0x04 | | | 0x04 |
| | SecProvisioningKeyNumSecure | | | SecProvisioningKeyNumSecure |
− | | Used for Factory Secure Provisioning. Always 0. | + | | Used for Factory Secure Provisioning (always 0) |
| |- | | |- |
| | 0x27E9 | | | 0x27E9 |
| | 0x12 | | | 0x12 |
| | Reserved | | | Reserved |
− | | Always starts with 0x80000000 (NVBOOT padding pattern). | + | | Always starts with 0x80000000 (NVBOOT padding pattern) |
| |- | | |- |
| | 0x27FB | | | 0x27FB |
| | 0x05 | | | 0x05 |
| | Padding | | | Padding |
− | | Empty. Not part of BCT data. | + | | Empty |
| |} | | |} |
| | | |
− | == CustomerData == | + | === CustomerData === |
| This data block is ignored by the boot ROM, therefore is available for the programmer to use freely. | | This data block is ignored by the boot ROM, therefore is available for the programmer to use freely. |
| The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero. | | The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero. |
Line 229: |
Line 230: |
| |} | | |} |
| | | |
− | == BootLoader0 == | + | === BootLoader0 === |
| The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version. | | The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version. |
| + | |
| + | == Mariko == |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Offset |
| + | ! Size |
| + | ! Field |
| + | ! Description |
| + | |- |
| + | | 0x0000 |
| + | | 0x210 |
| + | | Pcp |
| + | | BCT public cryptographic parameters |
| + | 0x0000: KeySize |
| + | 0x0004: Reserved |
| + | 0x0010: PublicKeyModulus |
| + | 0x0110: PublicKeyExponent |
| + | |- |
| + | | 0x0210 |
| + | | 0x110 |
| + | | Signature |
| + | | BCT cryptographic signature |
| + | 0x0210: CryptoHash (empty) |
| + | 0x0220: RsaPssSig |
| + | |- |
| + | | 0x0320 |
| + | | 0x160 |
| + | | |
| + | | Empty |
| + | |- |
| + | | 0x0480 |
| + | | 0x10 |
| + | | RandomAesBlock |
| + | | Not empty |
| + | |- |
| + | | 0x0490 |
| + | | 0x10 |
| + | | UniqueChipId |
| + | | Always empty |
| + | |- |
| + | | 0x04A0 |
| + | | 0x04 |
| + | | BootDataVersion |
| + | | Set to 0x00210001 (BOOTDATA_VERSION_T210) |
| + | |- |
| + | | 0x04A4 |
| + | | 0x04 |
| + | | BlockSizeLog2 |
| + | | Always 0x0E |
| + | |- |
| + | | 0x04A8 |
| + | | 0x04 |
| + | | PageSizeLog2 |
| + | | Always 0x09 |
| + | |- |
| + | | 0x04AC |
| + | | 0x04 |
| + | | PartitionSize |
| + | | Always 0x01000000 |
| + | |- |
| + | | 0x04B0 |
| + | | 0x04 |
| + | | NumParamSets |
| + | | Number of device parameter sets (always 0x01) |
| + | |- |
| + | | 0x04B4 |
| + | | 0x04 |
| + | | DevType |
| + | | Device type (0x04 == Sdmmc) |
| + | |- |
| + | | 0x04B8 |
| + | | 0x40 |
| + | | DevParams |
| + | | Device parameters |
| + | |- |
| + | | 0x04F8 |
| + | | 0x04 |
| + | | NumSdramSets |
| + | | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) |
| + | |- |
| + | | 0x04FC |
| + | | 0x838 |
| + | | SdramParams0 |
| + | | Default values filled in |
| + | |- |
| + | | 0x0D34 |
| + | | 0x838 |
| + | | SdramParams1 |
| + | | Default values filled in |
| + | |- |
| + | | 0x156C |
| + | | 0x838 |
| + | | SdramParams2 |
| + | | Default values filled in |
| + | |- |
| + | | 0x1DA4 |
| + | | 0x838 |
| + | | SdramParams3 |
| + | | Default values filled in |
| + | |- |
| + | | 0x25DC |
| + | | 0x04 |
| + | | BootLoadersUsed |
| + | | Number of bootloaders installed (always 0x02, maximum is 0x04) |
| + | |- |
| + | | 0x25E0 |
| + | | 0x10 |
| + | | BootLoader0 |
| + | | Configuration parameters for bootloader 0 (main) |
| + | 0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe)) |
| + | 0x25E4: StartPage (0x00000000) |
| + | 0x25E8: Version (variable) |
| + | 0x25EC: Reserved |
| + | |- |
| + | | 0x25F0 |
| + | | 0x10 |
| + | | BootLoader1 |
| + | | Configuration parameters for bootloader 1 (backup) |
| + | 0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe)) |
| + | 0x25F4: StartPage (0x00000000) |
| + | 0x25F8: Version (variable) |
| + | 0x25FC: Reserved |
| + | |- |
| + | | 0x2600 |
| + | | 0x10 |
| + | | BootLoader2 |
| + | | Reserved space for bootloader 2 (unused) |
| + | |- |
| + | | 0x2610 |
| + | | 0x10 |
| + | | BootLoader3 |
| + | | Reserved space for bootloader 3 (unused) |
| + | |- |
| + | | 0x2620 |
| + | | 0x5C |
| + | | |
| + | | Empty |
| + | |- |
| + | | 0x267C |
| + | | 0x184 |
| + | | Reserved |
| + | | Always starts with 0x80000000 (NVBOOT padding pattern) |
| + | |} |