Line 3: |
Line 3: |
| The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup. | | The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup. |
| | | |
− | By design, the BCT's data is only signed after offset 0x0510. Therefore, regions like [[#customer_data|customer_data]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
| + | The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example. |
| + | |
| + | The Mariko BCT's data is signed and encrypted after offset 0x0480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used. |
| | | |
| During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000. | | During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000. |
| | | |
− | = Structure = | + | = Format = |
− | Below is the BCT structure used by the Switch, which is a minimal variation of the Tegra 210 BCT format.
| + | == Erista == |
− | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
Line 19: |
Line 20: |
| | 0x0000 | | | 0x0000 |
| | 0x210 | | | 0x210 |
− | | bad_block_table | + | | BadBlockTable |
| | Table containing information on bad blocks | | | Table containing information on bad blocks |
− | 0x0000: num_entries (0x200) | + | 0x0000: EntriesUsed (0x200) |
− | 0x0004: virtual_block_size (0x0F) | + | 0x0004: VirtualBlockSizeLog2 (0x0F) |
− | 0x0005: block_size (0x0E) | + | 0x0005: BlockSizeLog2 (0x0E) |
− | 0x0006: bad_blocks | + | 0x0006: BadBlocks |
− | 0x0206: reserved | + | 0x0206: Reserved |
| |- | | |- |
| | 0x0210 | | | 0x0210 |
| | 0x100 | | | 0x100 |
− | | bct_key | + | | Key |
− | | BCT RSA key modulus | + | | BCT RSA public key's modulus |
| |- | | |- |
| | 0x0310 | | | 0x0310 |
| | 0x110 | | | 0x110 |
− | | bct_signature | + | | Signature |
− | | BCT object signature | + | | BCT cryptographic signature |
− | 0x0310: hash (empty) | + | 0x0310: CryptoHash (empty) |
− | 0x0320: rsa_pss_signature | + | 0x0320: RsaPssSig |
| |- | | |- |
| | 0x0420 | | | 0x0420 |
| | 0x04 | | | 0x04 |
− | | sec_provisioning_key_num_insecure | + | | SecProvisioningKeyNumInsecure |
− | | Used for Factory Secure Provisioning. Always 0. | + | | Used for Factory Secure Provisioning (always 0) |
| |- | | |- |
| | 0x0424 | | | 0x0424 |
| | 0x20 | | | 0x20 |
− | | sec_provisioning_key | + | | SecProvisioningKey |
− | | Used for Factory Secure Provisioning. Always empty. | + | | Used for Factory Secure Provisioning (always 0) |
| |- | | |- |
| | 0x0444 | | | 0x0444 |
| | 0xC4 | | | 0xC4 |
− | | [[#customer_data|customer_data]] | + | | [[#CustomerData|CustomerData]] |
− | | Data block available for the customer. Used in key generation. | + | | Data block available for the customer (used in key generation) |
− | 0x0444: padding_0x0C | + | 0x0444: Reserved (0x0C bytes) |
− | 0x0450: keyblob_0xB0 | + | 0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes) |
− | 0x0500: padding_0x08 | + | 0x0500: Reserved (0x08 bytes) |
| |- | | |- |
| | 0x0508 | | | 0x0508 |
| | 0x04 | | | 0x04 |
− | | odm_data | + | | OdmData |
− | | Legacy field. Unused. | + | | Legacy field (unused) |
| |- | | |- |
| | 0x050C | | | 0x050C |
| | 0x04 | | | 0x04 |
− | | reserved0 | + | | Reserved |
− | | Legacy field. Unused. | + | | Legacy field (unused) |
| |- | | |- |
| | 0x0510 | | | 0x0510 |
| | 0x10 | | | 0x10 |
− | | random_aes_block | + | | RandomAesBlock |
− | | Always empty. | + | | Always empty |
| |- | | |- |
| | 0x0520 | | | 0x0520 |
| | 0x10 | | | 0x10 |
− | | unique_chip_id | + | | UniqueChipId |
− | | Always empty. | + | | Always empty |
| |- | | |- |
| | 0x0530 | | | 0x0530 |
| | 0x04 | | | 0x04 |
− | | boot_data_version | + | | BootDataVersion |
− | | Set to 0x00210001 (BOOTDATA_VERSION_T210). | + | | Set to 0x00210001 (BOOTDATA_VERSION_T210) |
| |- | | |- |
| | 0x0534 | | | 0x0534 |
| | 0x04 | | | 0x04 |
− | | block_size_log2 | + | | BlockSizeLog2 |
− | | Always 0x0E. | + | | Always 0x0E |
| |- | | |- |
| | 0x0538 | | | 0x0538 |
| | 0x04 | | | 0x04 |
− | | page_size_log2 | + | | PageSizeLog2 |
− | | Always 0x09. | + | | Always 0x09 |
| |- | | |- |
| | 0x053C | | | 0x053C |
| | 0x04 | | | 0x04 |
− | | partition_size | + | | PartitionSize |
− | | Always 0x01000000. | + | | Always 0x01000000 |
| |- | | |- |
| | 0x0540 | | | 0x0540 |
| | 0x04 | | | 0x04 |
− | | num_param_sets | + | | NumParamSets |
− | | Number of device parameter sets. Always 0x01. | + | | Number of device parameter sets (always 0x01) |
| |- | | |- |
| | 0x0544 | | | 0x0544 |
| | 0x04 | | | 0x04 |
− | | dev_type | + | | DevType |
− | | Device type. Set to 0x04 (dev_type_sdmmc). | + | | Device type (0x04 == Sdmmc) |
| |- | | |- |
| | 0x0548 | | | 0x0548 |
| | 0x40 | | | 0x40 |
− | | dev_params | + | | DevParams |
− | | Device parameters | + | | Device parameters |
− | 0x0548: sdmmc_clock_divider (0x09 == 24MHz) | + | 0x0548: ClockDivider (0x09 == 24MHz) |
− | 0x054C: sdmmc_data_width (0x02 == sdmmc_data_width_8bit) | + | 0x054C: DataWidth (0x02 == 8Bit) |
| |- | | |- |
| | 0x0588 | | | 0x0588 |
| | 0x04 | | | 0x04 |
− | | num_sdram_sets | + | | NumSdramSets |
− | | Number of SDRAM parameter sets. Always set to 0, but parameters are used despite this. | + | | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) |
| |- | | |- |
| | 0x058C | | | 0x058C |
| | 0x768 | | | 0x768 |
− | | sdram_params0 | + | | SdramParams0 |
− | | Default values filled in. | + | | Default values filled in |
| |- | | |- |
| | 0x0CF4 | | | 0x0CF4 |
| | 0x768 | | | 0x768 |
− | | sdram_params1 | + | | SdramParams1 |
− | | Default values filled in. | + | | Default values filled in |
| |- | | |- |
| | 0x145C | | | 0x145C |
| | 0x768 | | | 0x768 |
− | | sdram_params2 | + | | SdramParams2 |
− | | Default values filled in. | + | | Default values filled in |
| |- | | |- |
| | 0x1BC4 | | | 0x1BC4 |
| | 0x768 | | | 0x768 |
− | | sdram_params3 | + | | SdramParams3 |
− | | Default values filled in. | + | | Default values filled in |
| |- | | |- |
| | 0x232C | | | 0x232C |
| | 0x04 | | | 0x04 |
− | | num_bootloaders | + | | BootLoadersUsed |
− | | Number of bootloaders installed. Always 0x02 (maximum is 0x04). | + | | Number of bootloaders installed (always 0x02, maximum is 0x04) |
| |- | | |- |
| | 0x2330 | | | 0x2330 |
| | 0x12C | | | 0x12C |
− | | [[#bootloader0_info|bootloader0_info]] | + | | [[#BootLoader0|BootLoader0]] |
− | | Configuration parameters for bootloader 0 (normal). | + | | Configuration parameters for bootloader 0 (main) |
− | 0x2330: version (variable) | + | 0x2330: Version (variable) |
− | 0x2334: start_block (0x00000040) | + | 0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe)) |
− | 0x2338: start_page (0x00000000) | + | 0x2338: StartPage (0x00000000) |
− | 0x233C: length (variable) | + | 0x233C: Length (variable) |
− | 0x2340: load_addr (0x40010000) | + | 0x2340: LoadAddress (0x40010000) |
− | 0x2344: entry_point (0x40010020) | + | 0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) |
− | 0x2348: attribute (0x00000000) | + | 0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe)) |
− | 0x234C: bootloader0_hash (empty) | + | 0x234C: CryptoHash (empty) |
− | 0x235C: bootloader0_rsa_pss_signature | + | 0x235C: RsaPssSig |
| |- | | |- |
| | 0x245C | | | 0x245C |
| | 0x12C | | | 0x12C |
− | | bootloader1_info | + | | BootLoader1 |
− | | Configuration parameters for bootloader 1 (safe mode). | + | | Configuration parameters for bootloader 1 (backup) |
− | 0x245C: version (variable) | + | 0x245C: Version (variable) |
− | 0x2460: start_block (0x00000050) | + | 0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe)) |
− | 0x2464: start_page (0x00000000) | + | 0x2464: StartPage (0x00000000) |
− | 0x2468: length (variable) | + | 0x2468: Length (variable) |
− | 0x246C: load_addr (0x40010000) | + | 0x246C: LoadAddress (0x40010000) |
− | 0x2470: entry_point (0x40010020) | + | 0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) |
− | 0x2474: attribute (0x00000000) | + | 0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe)) |
− | 0x2478: bootloader1_hash (empty) | + | 0x2478: CryptoHash (empty) |
− | 0x2488: bootloader1_rsa_pss_signature | + | 0x2488: RsaPssSig |
| |- | | |- |
| | 0x2588 | | | 0x2588 |
− | | 0x258 | + | | 0x12C |
− | | reserved1 | + | | BootLoader2 |
− | | Reserved space for bootloaders 2 and 3 (currently unused). | + | | Reserved space for bootloader 2 (unused) |
| + | |- |
| + | | 0x26B4 |
| + | | 0x12C |
| + | | BootLoader3 |
| + | | Reserved space for bootloader 3 (unused) |
| |- | | |- |
| | 0x27E0 | | | 0x27E0 |
| | 0x01 | | | 0x01 |
− | | enable_fail_back | + | | EnableFailBack |
− | | Always 0. | + | | Always 0 |
| |- | | |- |
| | 0x27E1 | | | 0x27E1 |
| | 0x04 | | | 0x04 |
− | | secure_debug_control | + | | SecureJtagControl |
− | | Always 0. | + | | Always 0 |
| |- | | |- |
| | 0x27E5 | | | 0x27E5 |
| | 0x04 | | | 0x04 |
− | | sec_provisioning_key_num_secure | + | | SecProvisioningKeyNumSecure |
− | | Used for Factory Secure Provisioning. Always 0. | + | | Used for Factory Secure Provisioning (always 0) |
| |- | | |- |
| | 0x27E9 | | | 0x27E9 |
| | 0x12 | | | 0x12 |
− | | reserved2 | + | | Reserved |
− | | Always starts with 0x80000000 (NVBOOT padding pattern). | + | | Always starts with 0x80000000 (NVBOOT padding pattern) |
| |- | | |- |
| | 0x27FB | | | 0x27FB |
| | 0x05 | | | 0x05 |
− | | padding | + | | Padding |
− | | Empty. Not part of BCT data. | + | | Empty |
− | |-
| |
| |} | | |} |
| | | |
− | == customer_data == | + | === CustomerData === |
| This data block is ignored by the boot ROM, therefore is available for the programmer to use freely. | | This data block is ignored by the boot ROM, therefore is available for the programmer to use freely. |
| The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero. | | The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero. |
Line 225: |
Line 230: |
| |} | | |} |
| | | |
− | == bootloader0_info == | + | === BootLoader0 === |
− | === 1.0.0 - 2.3.0 ===
| + | The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version. |
− | The version field is set to 0x01, meaning that the first keyblob is to be used. | |
| | | |
− | === 3.0.0 === | + | == Mariko == |
− | The version field was changed to 0x02, meaning that the second keyblob is now used.
| + | {| class="wikitable" border="1" |
− | | + | |- |
− | === 3.0.1 - 3.0.2 === | + | ! Offset |
− | The version field was changed to 0x03, meaning that the third keyblob is now used.
| + | ! Size |
− | | + | ! Field |
− | === 4.0.0 - 4.1.0 ===
| + | ! Description |
− | The version field was changed to 0x04, meaning that the fourth keyblob is now used.
| + | |- |
− | | + | | 0x0000 |
− | === 5.0.0 ===
| + | | 0x210 |
− | The version field was changed to 0x05, meaning that the fifth keyblob is now used.
| + | | Pcp |
− | | + | | BCT public cryptographic parameters |
− | === 6.0.0 ===
| + | 0x0000: KeySize |
− | The version field was changed to 0x06, meaning that the sixth keyblob is now used.
| + | 0x0004: Reserved |
| + | 0x0010: PublicKeyModulus |
| + | 0x0110: PublicKeyExponent |
| + | |- |
| + | | 0x0210 |
| + | | 0x110 |
| + | | Signature |
| + | | BCT cryptographic signature |
| + | 0x0210: CryptoHash (empty) |
| + | 0x0220: RsaPssSig |
| + | |- |
| + | | 0x0320 |
| + | | 0x160 |
| + | | |
| + | | Empty |
| + | |- |
| + | | 0x0480 |
| + | | 0x10 |
| + | | RandomAesBlock |
| + | | Not empty |
| + | |- |
| + | | 0x0490 |
| + | | 0x10 |
| + | | UniqueChipId |
| + | | Always empty |
| + | |- |
| + | | 0x04A0 |
| + | | 0x04 |
| + | | BootDataVersion |
| + | | Set to 0x00210001 (BOOTDATA_VERSION_T210) |
| + | |- |
| + | | 0x04A4 |
| + | | 0x04 |
| + | | BlockSizeLog2 |
| + | | Always 0x0E |
| + | |- |
| + | | 0x04A8 |
| + | | 0x04 |
| + | | PageSizeLog2 |
| + | | Always 0x09 |
| + | |- |
| + | | 0x04AC |
| + | | 0x04 |
| + | | PartitionSize |
| + | | Always 0x01000000 |
| + | |- |
| + | | 0x04B0 |
| + | | 0x04 |
| + | | NumParamSets |
| + | | Number of device parameter sets (always 0x01) |
| + | |- |
| + | | 0x04B4 |
| + | | 0x04 |
| + | | DevType |
| + | | Device type (0x04 == Sdmmc) |
| + | |- |
| + | | 0x04B8 |
| + | | 0x40 |
| + | | DevParams |
| + | | Device parameters |
| + | |- |
| + | | 0x04F8 |
| + | | 0x04 |
| + | | NumSdramSets |
| + | | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) |
| + | |- |
| + | | 0x04FC |
| + | | 0x838 |
| + | | SdramParams0 |
| + | | Default values filled in |
| + | |- |
| + | | 0x0D34 |
| + | | 0x838 |
| + | | SdramParams1 |
| + | | Default values filled in |
| + | |- |
| + | | 0x156C |
| + | | 0x838 |
| + | | SdramParams2 |
| + | | Default values filled in |
| + | |- |
| + | | 0x1DA4 |
| + | | 0x838 |
| + | | SdramParams3 |
| + | | Default values filled in |
| + | |- |
| + | | 0x25DC |
| + | | 0x04 |
| + | | BootLoadersUsed |
| + | | Number of bootloaders installed (always 0x02, maximum is 0x04) |
| + | |- |
| + | | 0x25E0 |
| + | | 0x10 |
| + | | BootLoader0 |
| + | | Configuration parameters for bootloader 0 (main) |
| + | 0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe)) |
| + | 0x25E4: StartPage (0x00000000) |
| + | 0x25E8: Version (variable) |
| + | 0x25EC: Reserved |
| + | |- |
| + | | 0x25F0 |
| + | | 0x10 |
| + | | BootLoader1 |
| + | | Configuration parameters for bootloader 1 (backup) |
| + | 0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe)) |
| + | 0x25F4: StartPage (0x00000000) |
| + | 0x25F8: Version (variable) |
| + | 0x25FC: Reserved |
| + | |- |
| + | | 0x2600 |
| + | | 0x10 |
| + | | BootLoader2 |
| + | | Reserved space for bootloader 2 (unused) |
| + | |- |
| + | | 0x2610 |
| + | | 0x10 |
| + | | BootLoader3 |
| + | | Reserved space for bootloader 3 (unused) |
| + | |- |
| + | | 0x2620 |
| + | | 0x5C |
| + | | |
| + | | Empty |
| + | |- |
| + | | 0x267C |
| + | | 0x184 |
| + | | Reserved |
| + | | Always starts with 0x80000000 (NVBOOT padding pattern) |
| + | |} |