BCT: Difference between revisions

From Nintendo Switch Brew
Jump to navigation Jump to search
← Older editNewer edit →
Liam (talk | contribs)
23 edits
No edit summary
(27 intermediate revisions by 5 users not shown)
Line 1: Line 1:
BCT (Boot Configuration Table) is a data structure present on Tegra based devices that supplies boot time configuration parameters.
BCT (Boot Configuration Table) is a data structure present on Tegra based devices that supplies boot time configuration parameters.


The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[#Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
 
The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
 
The Mariko BCT's data is signed and encrypted after offset 0x0480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.


During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.


= Structure =
= Format =
== NAND ==
== Erista ==
Below is the BCT structure used by the Switch, which is a minimal variation of the Tegra 210 BCT format.
 
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 18: Line 20:
|  0x0000
|  0x0000
|  0x210
|  0x210
bad_block_table
BadBlockTable
|  Table containing information on bad blocks
|  Table containing information on bad blocks
  0x0000: num_entries (0x200)
  0x0000: EntriesUsed (0x200)
  0x0004: virtual_block_size (0x0F)
  0x0004: VirtualBlockSizeLog2 (0x0F)
  0x0005: block_size (0x0E)
  0x0005: BlockSizeLog2 (0x0E)
  0x0006: bad_blocks
  0x0006: BadBlocks
  0x0206: reserved
  0x0206: Reserved
|-
|-
|  0x0210
|  0x0210
|  0x100
|  0x100
bct_key
Key
|  BCT RSA key modulus
|  BCT RSA public key's modulus
|-
|-
|  0x0310
|  0x0310
0x30
0x110
bct_signature
Signature
|  BCT object signature
|  BCT cryptographic signature
  0x0310: hash (empty)
  0x0310: CryptoHash (empty)
  0x0320: rsa_pss_signature
  0x0320: RsaPssSig
|-
|-
|  0x0420
|  0x0420
|  0x04
|  0x04
sec_provisioning_key_num_insecure
SecProvisioningKeyNumInsecure
|  Used for Factory Secure Provisioning. Always 0.
|  Used for Factory Secure Provisioning (always 0)
|-
|-
|  0x0424
|  0x0424
|  0x20
|  0x20
sec_provisioning_key
SecProvisioningKey
|  Used for Factory Secure Provisioning. Always empty.
|  Used for Factory Secure Provisioning (always 0)
|-
|-
|  0x0444
|  0x0444
0xCC
0xC4
|  [[#customer_data|customer_data]]
|  [[#CustomerData|CustomerData]]
|  Data block available for the customer. Used in key generation.
|  Data block available for the customer (used in key generation)
  0x0444: padding_0x0C
  0x0444: Reserved (0x0C bytes)
  0x0450: keyblob_0xB0
  0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes)
  0x0500: padding_0x08
  0x0500: Reserved (0x08 bytes)
|-
|-
|  0x0508
|  0x0508
|  0x04
|  0x04
odm_data
OdmData
|  Legacy field. Unused.
|  Legacy field (unused)
|-
|-
|  0x050C
|  0x050C
|  0x04
|  0x04
reserved0
Reserved
|  Legacy field. Unused.
|  Legacy field (unused)
|-
|-
|  0x0510
|  0x0510
|  0x10
|  0x10
random_aes_block
RandomAesBlock
|  Always empty.
|  Always empty
|-
|-
|  0x0520
|  0x0520
|  0x10
|  0x10
unique_chip_id
UniqueChipId
|  Always empty.
|  Always empty
|-
|-
|  0x0530
|  0x0530
|  0x04
|  0x04
boot_data_version
BootDataVersion
|  Set to 0x00210001.
|  Set to 0x00210001 (BOOTDATA_VERSION_T210)
|-
|-
|  0x0534
|  0x0534
|  0x04
|  0x04
block_size_log2
BlockSizeLog2
|  Always 0x0E.
|  Always 0x0E
|-
|-
|  0x0538
|  0x0538
|  0x04
|  0x04
page_size_log2
PageSizeLog2
|  Always 0x09.
|  Always 0x09
|-
|-
|  0x053C
|  0x053C
|  0x04
|  0x04
partition_size
PartitionSize
|  Always 0x01000000.
|  Always 0x01000000
|-
|-
|  0x0540
|  0x0540
|  0x04
|  0x04
num_param_sets
NumParamSets
|  Number of device parameter sets. Always 0x01.
|  Number of device parameter sets (always 0x01)
|-
|-
|  0x0544
|  0x0544
|  0x04
|  0x04
dev_type
DevType
|  Device type. Set to 0x04 (dev_type_sdmmc).
|  Device type (0x04 == Sdmmc)
|-
|-
|  0x0548
|  0x0548
|  0x40
|  0x40
dev_params
DevParams
| Device parameters
| Device parameters
   0x0548: sdmmc_clock_divider (0x09 == 24MHz)
   0x0548: ClockDivider (0x09 == 24MHz)
   0x054C: sdmmc_data_width (0x02 == sdmmc_data_width_8bit)
   0x054C: DataWidth (0x02 == 8Bit)
|-
|-
|  0x0588
|  0x0588
|  0x04
|  0x04
num_sdram_sets
NumSdramSets
|  Number of SDRAM parameter sets. Set to 0?
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
|  0x058C
|  0x058C
|  0x768
|  0x768
sdram_params0
SdramParams0
|   
Default values filled in
|-
|-
|  0x0CF4
|  0x0CF4
|  0x768
|  0x768
sdram_params1
SdramParams1
|   
Default values filled in
|-
|-
|  0x145C
|  0x145C
|  0x768
|  0x768
sdram_params2
SdramParams2
|   
Default values filled in
|-
|-
|  0x1BC4
|  0x1BC4
|  0x768
|  0x768
sdram_params3
SdramParams3
|   
Default values filled in
|-
|-
|  0x232C
|  0x232C
|  0x04
|  0x04
num_bootloaders
BootLoadersUsed
|  Number of bootloaders installed. Always 0x02 (maximum is 0x04).
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
|-
|-
|  0x2330
|  0x2330
|  0x12C
|  0x12C
|  [[#bootloader0_info|bootloader0_info]]
|  [[#BootLoader0|BootLoader0]]
|  Configuration parameters for bootloader 0 (normal).
|  Configuration parameters for bootloader 0 (main)
  0x2330: version (variable)
  0x2330: Version (variable)
  0x2334: start_block (0x00000040)
  0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
  0x2338: start_page (0x00000000)
  0x2338: StartPage (0x00000000)
  0x233C: length (variable)
  0x233C: Length (variable)
  0x2340: load_addr (0x40010000)
  0x2340: LoadAddress (0x40010000)
  0x2344: entry_point (0x40010020)
  0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2348: attribute (0x00000000)
  0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
  0x234C: bootloader0_hash (empty)
  0x234C: CryptoHash (empty)
  0x235C: bootloader0_rsa_pss_signature
  0x235C: RsaPssSig
|-
|-
|  0x245C
|  0x245C
|  0x12C
|  0x12C
bootloader1_info
BootLoader1
|  Configuration parameters for bootloader 1 (safe mode).
|  Configuration parameters for bootloader 1 (backup)
  0x245C: version (variable)
  0x245C: Version (variable)
  0x2460: start_block (0x00000050)
  0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
  0x2464: start_page (0x00000000)
  0x2464: StartPage (0x00000000)
  0x2468: length (variable)
  0x2468: Length (variable)
  0x246C: load_addr (0x40010000)
  0x246C: LoadAddress (0x40010000)
  0x2470: entry_point (0x40010020)
  0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
  0x2474: attribute (0x00000000)
  0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
  0x2478: bootloader1_hash (empty)
  0x2478: CryptoHash (empty)
  0x2488: bootloader1_rsa_pss_signature
  0x2488: RsaPssSig
|-
|-
|  0x2588
|  0x2588
0x258
0x12C
reserved1
BootLoader2
|  Reserved space for bootloaders 2 and 3 (currently unused).
|  Reserved space for bootloader 2 (unused)
|-
|  0x26B4
|  0x12C
|  BootLoader3
|  Reserved space for bootloader 3 (unused)
|-
|-
|  0x27E0
|  0x27E0
0x04
0x01
enable_fail_back
EnableFailBack
|  Always 0.
|  Always 0
|-
|-
0x27E4
0x27E1
|  0x04
|  0x04
secure_debug_control
SecureJtagControl
|  Always 0.
|  Always 0
|-
|-
0x27E8
0x27E5
|  0x04
|  0x04
sec_provisioning_key_num_secure
SecProvisioningKeyNumSecure
Always 0.
Used for Factory Secure Provisioning (always 0)
|-
|-
0x27EC
0x27E9
0x04
0x12
unk0
Reserved
|  Always 0x08?
|  Always starts with 0x80000000 (NVBOOT padding pattern)
|-
|  0x27F0
|  0x10
|  reserved2
|  Empty.
|-
|-
|  0x27FB
|  0x05
|  Padding
|  Empty
|}
|}


=== customer_data ===
=== CustomerData ===
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[#Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.
The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.


The first bootloader validates and decrypts this block for further key generation.
The first bootloader validates and decrypts this block for further key generation.
Line 221: Line 227:
| 0x80
| 0x80
| 0x10  
| 0x10  
| [[Package1#Stage_1|Stage 1]] key
| [[Package1#PK11_Blob|PK11]] key
|}
|}


=== bootloader0_info ===
=== BootLoader0 ===
==== 1.0.0 - 2.3.0 ====
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
The version field is set to 0x01, meaning that the first keyblob is to be used.
 
==== 3.0.0 ====
The version field was changed to 0x02, meaning that the second keyblob is now used.
 
==== 3.0.1 ====
The version field was changed to 0x03, meaning that the third keyblob is now used.
 
== IRAM ==
When copied to IRAM, the BCT has an additional header as follows.


== Mariko ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 244: Line 241:
!  Description
!  Description
|-
|-
0x00
0x0000
0x50
0x210
bct_global_header
Pcp
Contains pointers to actual BCT data.
|  BCT public cryptographic parameters
  0x4C: bct_data_addr (address of the actual BCT)
  0x0000: KeySize
0x0004: Reserved
0x0010: PublicKeyModulus
0x0110: PublicKeyExponent
|-
|  0x0210
|  0x110
|  Signature
|  BCT cryptographic signature
0x0210: CryptoHash (empty)
0x0220: RsaPssSig
|-
|  0x0320
|  0x160
|  Empty
|-
|-
0x50
0x0480
0x18
0x10
bootloader0_header
RandomAesBlock
Unknown structure.
Not empty
0x00: is_active (if set to 0x01, bootloader0 is used)
|-
|-
0x68
0x0490
0x18
0x10
bootloader1_header
UniqueChipId
Unknown structure.
Always empty
0x00: is_active (if set to 0x01, bootloader1 is used)
|-
|-
0x80
0x04A0
0x18
0x04
bootloader2_header
BootDataVersion
Unknown structure.
Set to 0x00210001 (BOOTDATA_VERSION_T210)
0x00: is_active (if set to 0x01, bootloader2 is used)  
|-
|-
0x98
0x04A4
0x18
0x04
bootloader3_header
BlockSizeLog2
Unknown structure.
Always 0x0E
  0x00: is_active (if set to 0x01, bootloader3 is used)  
|-
|  0x04A8
|  0x04
|  PageSizeLog2
|  Always 0x09
|-
|  0x04AC
|  0x04
|  PartitionSize
|  Always 0x01000000
|-
|  0x04B0
|  0x04
|  NumParamSets
|  Number of device parameter sets (always 0x01)
|-
|  0x04B4
|  0x04
|  DevType
|  Device type (0x04 == Sdmmc)
|-
|  0x04B8
|  0x40
|  DevParams
|  Device parameters
|-
|  0x04F8
| 0x04
|  NumSdramSets
|  Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|  0x04FC
|  0x838
|  SdramParams0
|  Default values filled in
|-
|  0x0D34
|  0x838
|  SdramParams1
|  Default values filled in
|-
|  0x156C
|  0x838
|  SdramParams2
|  Default values filled in
|-
|  0x1DA4
|  0x838
|  SdramParams3
|  Default values filled in
|-
|  0x25DC
|  0x04
|  BootLoadersUsed
|  Number of bootloaders installed (always 0x02, maximum is 0x04)
|-
|  0x25E0
|  0x10
|  BootLoader0
|  Configuration parameters for bootloader 0 (main)
0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
0x25E4: StartPage (0x00000000)
0x25E8: Version (variable)
0x25EC: Reserved
|-
|  0x25F0
|  0x10
|  BootLoader1
|  Configuration parameters for bootloader 1 (backup)
0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
0x25F4: StartPage (0x00000000)
0x25F8: Version (variable)
0x25FC: Reserved
|-
|  0x2600
|  0x10
|  BootLoader2
|  Reserved space for bootloader 2 (unused)
|-
|  0x2610
|  0x10
|  BootLoader3
|  Reserved space for bootloader 3 (unused)
|-
|  0x2620
|  0x5C
|  Empty
|-
|-
|  0x267C
|  0x184
|  Reserved
|  Always starts with 0x80000000 (NVBOOT padding pattern)
|}
|}

Revision as of 02:57, 18 July 2020

BCT (Boot Configuration Table) is a data structure present on Tegra based devices that supplies boot time configuration parameters.

The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's boot partition 0. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.

The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like CustomerData can be freely modified without resigning. This is done by NS when injecting a new keyblob during a system update, for example.

The Mariko BCT's data is signed and encrypted after offset 0x0480, so the keyblob system is no longer used.

During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.

Format

Erista

Offset Size Field Description
0x0000 0x210 BadBlockTable Table containing information on bad blocks 
0x0000: EntriesUsed (0x200)
0x0004: VirtualBlockSizeLog2 (0x0F)
0x0005: BlockSizeLog2 (0x0E)
0x0006: BadBlocks
0x0206: Reserved
0x0210 0x100 Key BCT RSA public key's modulus
0x0310 0x110 Signature BCT cryptographic signature 
0x0310: CryptoHash (empty)
0x0320: RsaPssSig
0x0420 0x04 SecProvisioningKeyNumInsecure Used for Factory Secure Provisioning (always 0)
0x0424 0x20 SecProvisioningKey Used for Factory Secure Provisioning (always 0)
0x0444 0xC4 CustomerData Data block available for the customer (used in key generation) 
0x0444: Reserved (0x0C bytes)
0x0450: Keyblob (0xB0 bytes)
0x0500: Reserved (0x08 bytes)
0x0508 0x04 OdmData Legacy field (unused)
0x050C 0x04 Reserved Legacy field (unused)
0x0510 0x10 RandomAesBlock Always empty
0x0520 0x10 UniqueChipId Always empty
0x0530 0x04 BootDataVersion Set to 0x00210001 (BOOTDATA_VERSION_T210)
0x0534 0x04 BlockSizeLog2 Always 0x0E
0x0538 0x04 PageSizeLog2 Always 0x09
0x053C 0x04 PartitionSize Always 0x01000000
0x0540 0x04 NumParamSets Number of device parameter sets (always 0x01)
0x0544 0x04 DevType Device type (0x04 == Sdmmc)
0x0548 0x40 DevParams Device parameters 
 0x0548: ClockDivider (0x09 == 24MHz)
 0x054C: DataWidth (0x02 == 8Bit)
0x0588 0x04 NumSdramSets Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
0x058C 0x768 SdramParams0 Default values filled in
0x0CF4 0x768 SdramParams1 Default values filled in
0x145C 0x768 SdramParams2 Default values filled in
0x1BC4 0x768 SdramParams3 Default values filled in
0x232C 0x04 BootLoadersUsed Number of bootloaders installed (always 0x02, maximum is 0x04)
0x2330 0x12C BootLoader0 Configuration parameters for bootloader 0 (main) 
0x2330: Version (variable)
0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
0x2338: StartPage (0x00000000)
0x233C: Length (variable)
0x2340: LoadAddress (0x40010000)
0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
0x234C: CryptoHash (empty)
0x235C: RsaPssSig
0x245C 0x12C BootLoader1 Configuration parameters for bootloader 1 (backup) 
0x245C: Version (variable)
0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
0x2464: StartPage (0x00000000)
0x2468: Length (variable)
0x246C: LoadAddress (0x40010000)
0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
0x2478: CryptoHash (empty)
0x2488: RsaPssSig
0x2588 0x12C BootLoader2 Reserved space for bootloader 2 (unused)
0x26B4 0x12C BootLoader3 Reserved space for bootloader 3 (unused)
0x27E0 0x01 EnableFailBack Always 0
0x27E1 0x04 SecureJtagControl Always 0
0x27E5 0x04 SecProvisioningKeyNumSecure Used for Factory Secure Provisioning (always 0)
0x27E9 0x12 Reserved Always starts with 0x80000000 (NVBOOT padding pattern)
0x27FB 0x05 Padding Empty

CustomerData

This data block is ignored by the boot ROM, therefore is available for the programmer to use freely. The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active keyblob. All remaining bytes are zero.

The first bootloader validates and decrypts this block for further key generation. The decrypted keyblob payload is as follows.

Offset Size Description
0x0 0x80 Array of master static key encryption keys
0x80 0x10 PK11 key

BootLoader0

The version field controls which keyblob is used, where 0x01 is the first one. See Cryptosystem for the keyblobs used by each system-version.

Mariko

Offset Size Field Description
0x0000 0x210 Pcp BCT public cryptographic parameters 
0x0000: KeySize
0x0004: Reserved
0x0010: PublicKeyModulus
0x0110: PublicKeyExponent
0x0210 0x110 Signature BCT cryptographic signature 
0x0210: CryptoHash (empty)
0x0220: RsaPssSig
0x0320 0x160 Empty
0x0480 0x10 RandomAesBlock Not empty
0x0490 0x10 UniqueChipId Always empty
0x04A0 0x04 BootDataVersion Set to 0x00210001 (BOOTDATA_VERSION_T210)
0x04A4 0x04 BlockSizeLog2 Always 0x0E
0x04A8 0x04 PageSizeLog2 Always 0x09
0x04AC 0x04 PartitionSize Always 0x01000000
0x04B0 0x04 NumParamSets Number of device parameter sets (always 0x01)
0x04B4 0x04 DevType Device type (0x04 == Sdmmc)
0x04B8 0x40 DevParams Device parameters
0x04F8 0x04 NumSdramSets Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
0x04FC 0x838 SdramParams0 Default values filled in
0x0D34 0x838 SdramParams1 Default values filled in
0x156C 0x838 SdramParams2 Default values filled in
0x1DA4 0x838 SdramParams3 Default values filled in
0x25DC 0x04 BootLoadersUsed Number of bootloaders installed (always 0x02, maximum is 0x04)
0x25E0 0x10 BootLoader0 Configuration parameters for bootloader 0 (main) 
0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
0x25E4: StartPage (0x00000000)
0x25E8: Version (variable)
0x25EC: Reserved
0x25F0 0x10 BootLoader1 Configuration parameters for bootloader 1 (backup) 
0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
0x25F4: StartPage (0x00000000)
0x25F8: Version (variable)
0x25FC: Reserved
0x2600 0x10 BootLoader2 Reserved space for bootloader 2 (unused)
0x2610 0x10 BootLoader3 Reserved space for bootloader 3 (unused)
0x2620 0x5C Empty
0x267C 0x184 Reserved Always starts with 0x80000000 (NVBOOT padding pattern)
Retrieved from "https://switchbrew.org/w/index.php?title=BCT&oldid=9784"