BCT: Difference between revisions - Nintendo Switch Brew

Line 3:

The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.

~~By design, the~~ BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.

The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.

The Mariko BCT's data is signed and encrypted, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.

During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.

= Structure =

Below is the BCT ~~structure~~ used by the Switch~~, which is a minimal variation of the Tegra 210 BCT format~~.

Below are the BCT structures used by the Switch.

== Erista ==

{| class="wikitable" border="1"

|-

Line 35:

Line 38:

| 0x110

| Signature

| BCT ~~object~~ signature

| BCT cryptographic signature

0x0310: CryptoHash (empty)

0x0320: RsaPssSig

Line 208:

Line 211:

|}

== CustomerData ==

=== CustomerData ===

This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.

The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.

Line 229:

Line 232:

|}

== BootLoader0 ==

=== BootLoader0 ===

The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.

== Mariko ==

{| class="wikitable" border="1"

|-

! Offset

! Size

! Field

! Description

|-

| 0x0000

| 0x0210

| Pcp

| BCT public cryptographic parameters

0x0000: KeySize

0x0004: Reserved

0x0010: PublicKeyModulus

0x0110: PublicKeyExponent

|-

| 0x0210

| 0x0110

| Signature

| BCT cryptographic signature

0x0210: CryptoHash (empty)

0x0220: RsaPssSig

|-

| 0x0320

| 0x0160

|

| Empty.

|-

| 0x0480

| 0x2380

|

| Encrypted BCT data.

|}

@@ Line 3: / Line 3: @@
 The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
-By design, the BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
+The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
+The Mariko BCT's data is signed and encrypted, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
 During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
 = Structure =
-Below is the BCT structure used by the Switch, which is a minimal variation of the Tegra 210 BCT format.
+Below are the BCT structures used by the Switch.
+== Erista ==
 {| class="wikitable" border="1"
 |-
@@ Line 35: / Line 38: @@
 |  0x110
 |  Signature
-|  BCT object signature
+|  BCT cryptographic signature
 x0310: CryptoHash (empty)
 x0320: RsaPssSig
@@ Line 208: / Line 211: @@
 |}
-== CustomerData ==
+=== CustomerData ===
 This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
 The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.
@@ Line 229: / Line 232: @@
 |}
-== BootLoader0 ==
+=== BootLoader0 ===
 The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
+== Mariko ==
+{| class="wikitable" border="1"
+|-
+!  Offset
+!  Size
+!  Field
+!  Description
+|-
+|  0x0000
+|  0x0210
+|  Pcp
+|  BCT public cryptographic parameters
+x0000: KeySize
+x0004: Reserved
+x0010: PublicKeyModulus
+x0110: PublicKeyExponent
+|-
+|  0x0210
+|  0x0110
+|  Signature
+|  BCT cryptographic signature
+x0210: CryptoHash (empty)
+x0220: RsaPssSig
+|-
+|  0x0320
+|  0x0160
+|
+|  Empty.
+|-
+|  0x0480
+|  0x2380
+|
+|  Encrypted BCT data.
+|}