23
edits
Changes
Jump to navigation
Jump to search
Line 3:
Line 3: − By design, the BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.+ + + − + − Below is the BCT structure used by the Switch, which is a minimal variation of the Tegra 210 BCT format.+ − Line 35:
Line 36: − + Line 42:
Line 43: − + − + − + Line 60:
Line 61: − + − + − + − + − + − + − + − + − + − + Line 117:
Line 118: − + − + − + − + − + − + − + − + − + Line 161:
Line 162: − + − + − + Line 175:
Line 176: − + − + − + − + − + − + − + − + Line 229:
Line 230: − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
no edit summary
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
The Mariko BCT's data is signed and encrypted after offset 0x0480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
During boot, the boot ROM parses the appropriate BCT from eMMC storage and stores a copy of it in IRAM at address 0x40000000.
= Structure =
= Format =
== Erista ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| 0x110
| 0x110
| Signature
| Signature
| BCT object signature
| BCT cryptographic signature
0x0310: CryptoHash (empty)
0x0310: CryptoHash (empty)
0x0320: RsaPssSig
0x0320: RsaPssSig
| 0x04
| 0x04
| SecProvisioningKeyNumInsecure
| SecProvisioningKeyNumInsecure
| Used for Factory Secure Provisioning. Always 0.
| Used for Factory Secure Provisioning (always 0)
|-
|-
| 0x0424
| 0x0424
| 0x20
| 0x20
| SecProvisioningKey
| SecProvisioningKey
| Used for Factory Secure Provisioning. Always empty.
| Used for Factory Secure Provisioning (always 0)
|-
|-
| 0x0444
| 0x0444
| 0xC4
| 0xC4
| [[#CustomerData|CustomerData]]
| [[#CustomerData|CustomerData]]
| Data block available for the customer. Used in key generation.
| Data block available for the customer (used in key generation)
0x0444: Reserved (0x0C bytes)
0x0444: Reserved (0x0C bytes)
0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes)
0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes)
| 0x04
| 0x04
| OdmData
| OdmData
| Legacy field. Unused.
| Legacy field (unused)
|-
|-
| 0x050C
| 0x050C
| 0x04
| 0x04
| Reserved
| Reserved
| Legacy field. Unused.
| Legacy field (unused)
|-
|-
| 0x0510
| 0x0510
| 0x10
| 0x10
| RandomAesBlock
| RandomAesBlock
| Always empty.
| Always empty
|-
|-
| 0x0520
| 0x0520
| 0x10
| 0x10
| UniqueChipId
| UniqueChipId
| Always empty.
| Always empty
|-
|-
| 0x0530
| 0x0530
| 0x04
| 0x04
| BootDataVersion
| BootDataVersion
| Set to 0x00210001 (BOOTDATA_VERSION_T210).
| Set to 0x00210001 (BOOTDATA_VERSION_T210)
|-
|-
| 0x0534
| 0x0534
| 0x04
| 0x04
| BlockSizeLog2
| BlockSizeLog2
| Always 0x0E.
| Always 0x0E
|-
|-
| 0x0538
| 0x0538
| 0x04
| 0x04
| PageSizeLog2
| PageSizeLog2
| Always 0x09.
| Always 0x09
|-
|-
| 0x053C
| 0x053C
| 0x04
| 0x04
| PartitionSize
| PartitionSize
| Always 0x01000000.
| Always 0x01000000
|-
|-
| 0x0540
| 0x0540
| 0x04
| 0x04
| NumParamSets
| NumParamSets
| Number of device parameter sets. Always 0x01.
| Number of device parameter sets (always 0x01)
|-
|-
| 0x0544
| 0x0544
| 0x04
| 0x04
| DevType
| DevType
| Device type. Set to 0x04 (Sdmmc).
| Device type (0x04 == Sdmmc)
|-
|-
| 0x0548
| 0x0548
| 0x04
| 0x04
| NumSdramSets
| NumSdramSets
| Number of SDRAM parameter sets. Always set to 0, but parameters are used despite this.
| Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
| 0x058C
| 0x058C
| 0x768
| 0x768
| SdramParams0
| SdramParams0
| Default values filled in.
| Default values filled in
|-
|-
| 0x0CF4
| 0x0CF4
| 0x768
| 0x768
| SdramParams1
| SdramParams1
| Default values filled in.
| Default values filled in
|-
|-
| 0x145C
| 0x145C
| 0x768
| 0x768
| SdramParams2
| SdramParams2
| Default values filled in.
| Default values filled in
|-
|-
| 0x1BC4
| 0x1BC4
| 0x768
| 0x768
| SdramParams3
| SdramParams3
| Default values filled in.
| Default values filled in
|-
|-
| 0x232C
| 0x232C
| 0x04
| 0x04
| BootLoadersUsed
| BootLoadersUsed
| Number of bootloaders installed. Always 0x02 (maximum is 0x04).
| Number of bootloaders installed (always 0x02, maximum is 0x04)
|-
|-
| 0x2330
| 0x2330
| 0x12C
| 0x12C
| [[#BootLoader0|BootLoader0]]
| [[#BootLoader0|BootLoader0]]
| Configuration parameters for bootloader 0 (normal).
| Configuration parameters for bootloader 0 (main)
0x2330: Version (variable)
0x2330: Version (variable)
0x2334: StartBlock (0x00000040)
0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
0x2338: StartPage (0x00000000)
0x2338: StartPage (0x00000000)
0x233C: Length (variable)
0x233C: Length (variable)
0x2340: LoadAddress (0x40010000)
0x2340: LoadAddress (0x40010000)
0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2348: Attribute (0x00000000)
0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
0x234C: CryptoHash (empty)
0x234C: CryptoHash (empty)
0x235C: RsaPssSig
0x235C: RsaPssSig
| 0x12C
| 0x12C
| BootLoader1
| BootLoader1
| Configuration parameters for bootloader 1 (safe mode).
| Configuration parameters for bootloader 1 (backup)
0x245C: Version (variable)
0x245C: Version (variable)
0x2460: StartBlock (0x00000050)
0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
0x2464: StartPage (0x00000000)
0x2464: StartPage (0x00000000)
0x2468: Length (variable)
0x2468: Length (variable)
0x246C: LoadAddress (0x40010000)
0x246C: LoadAddress (0x40010000)
0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2474: Attribute (0x00000000)
0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
0x2478: CryptoHash (empty)
0x2478: CryptoHash (empty)
0x2488: RsaPssSig
0x2488: RsaPssSig
| 0x12C
| 0x12C
| BootLoader2
| BootLoader2
| Reserved space for bootloader 2 (unused).
| Reserved space for bootloader 2 (unused)
|-
|-
| 0x26B4
| 0x26B4
| 0x12C
| 0x12C
| BootLoader3
| BootLoader3
| Reserved space for bootloader 3 (unused).
| Reserved space for bootloader 3 (unused)
|-
|-
| 0x27E0
| 0x27E0
| 0x01
| 0x01
| EnableFailBack
| EnableFailBack
| Always 0.
| Always 0
|-
|-
| 0x27E1
| 0x27E1
| 0x04
| 0x04
| SecureJtagControl
| SecureJtagControl
| Always 0.
| Always 0
|-
|-
| 0x27E5
| 0x27E5
| 0x04
| 0x04
| SecProvisioningKeyNumSecure
| SecProvisioningKeyNumSecure
| Used for Factory Secure Provisioning. Always 0.
| Used for Factory Secure Provisioning (always 0)
|-
|-
| 0x27E9
| 0x27E9
| 0x12
| 0x12
| Reserved
| Reserved
| Always starts with 0x80000000 (NVBOOT padding pattern).
| Always starts with 0x80000000 (NVBOOT padding pattern)
|-
|-
| 0x27FB
| 0x27FB
| 0x05
| 0x05
| Padding
| Padding
| Empty. Not part of BCT data.
| Empty
|}
|}
== CustomerData ==
=== CustomerData ===
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
This data block is ignored by the boot ROM, therefore is available for the programmer to use freely.
The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.
The Switch uses 0xB0 bytes of this area, at offset 0x0450, to store the active [[Flash_Filesystem#Keyblob|keyblob]]. All remaining bytes are zero.
|}
|}
== BootLoader0 ==
=== BootLoader0 ===
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
== Mariko ==
{| class="wikitable" border="1"
|-
! Offset
! Size
! Field
! Description
|-
| 0x0000
| 0x210
| Pcp
| BCT public cryptographic parameters
0x0000: KeySize
0x0004: Reserved
0x0010: PublicKeyModulus
0x0110: PublicKeyExponent
|-
| 0x0210
| 0x110
| Signature
| BCT cryptographic signature
0x0210: CryptoHash (empty)
0x0220: RsaPssSig
|-
| 0x0320
| 0x160
|
| Empty
|-
| 0x0480
| 0x10
| RandomAesBlock
| Not empty
|-
| 0x0490
| 0x10
| UniqueChipId
| Always empty
|-
| 0x04A0
| 0x04
| BootDataVersion
| Set to 0x00210001 (BOOTDATA_VERSION_T210)
|-
| 0x04A4
| 0x04
| BlockSizeLog2
| Always 0x0E
|-
| 0x04A8
| 0x04
| PageSizeLog2
| Always 0x09
|-
| 0x04AC
| 0x04
| PartitionSize
| Always 0x01000000
|-
| 0x04B0
| 0x04
| NumParamSets
| Number of device parameter sets (always 0x01)
|-
| 0x04B4
| 0x04
| DevType
| Device type (0x04 == Sdmmc)
|-
| 0x04B8
| 0x40
| DevParams
| Device parameters
|-
| 0x04F8
| 0x04
| NumSdramSets
| Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
| 0x04FC
| 0x838
| SdramParams0
| Default values filled in
|-
| 0x0D34
| 0x838
| SdramParams1
| Default values filled in
|-
| 0x156C
| 0x838
| SdramParams2
| Default values filled in
|-
| 0x1DA4
| 0x838
| SdramParams3
| Default values filled in
|-
| 0x25DC
| 0x04
| BootLoadersUsed
| Number of bootloaders installed (always 0x02, maximum is 0x04)
|-
| 0x25E0
| 0x10
| BootLoader0
| Configuration parameters for bootloader 0 (main)
0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
0x25E4: StartPage (0x00000000)
0x25E8: Version (variable)
0x25EC: Reserved
|-
| 0x25F0
| 0x10
| BootLoader1
| Configuration parameters for bootloader 1 (backup)
0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
0x25F4: StartPage (0x00000000)
0x25F8: Version (variable)
0x25FC: Reserved
|-
| 0x2600
| 0x10
| BootLoader2
| Reserved space for bootloader 2 (unused)
|-
| 0x2610
| 0x10
| BootLoader3
| Reserved space for bootloader 3 (unused)
|-
| 0x2620
| 0x5C
|
| Empty
|-
| 0x267C
| 0x184
| Reserved
| Always starts with 0x80000000 (NVBOOT padding pattern)
|}