Difference between revisions of "BootConfig"

From Nintendo Switch Brew
Jump to navigation Jump to search
Line 44: Line 44:
| 0x10
| 0x10
| 0x1
| 0x1
| IsDebugMode (bit 1) and TakeExtabtSerrorToEl3 (bit 2)
| [[SMC#IsDebugMode|IsDebugMode]] (bit 1) and TakeExtabtSerrorToEl3 (bit 2)
| 0x11
| 0x11

Revision as of 19:35, 16 February 2020

Installed into the first 0x4000 sector of the eMMC storage's BCPKG2 partitions, "BootConfig" contains data used to configure TrustZone/OS behaviors.

BootConfig is normally all-zero for retail units, however TrustZone additionally sets the loaded configuration to all-zero when running on a retail unit anyway.


Despite having 0x4000 for storage, the actual loaded BootConfig is only 0x640 bytes, with the following format:

Offset Size Description
0x0 0x200 #Unsigned Configuration
0x200 0x100 RSA-PSS Signature
0x300 0x100 #Signed Configuration
0x400 0x240 Reserved

Unsigned Configuration

This is "nn::bconfig::BootConfig".

Offset Size Description
0x0 0x10
0x10 0x1 IsDebugMode (bit 1) and TakeExtabtSerrorToEl3 (bit 2)
0x11 0x1 KernelConfiguration (first byte)
0x12 0xF
0x21 0x1 KernelConfiguration (second byte)
0x22 0x1
0x23 0x1 MemoryMode
0x24 0x1 HasInitialTscValue
0x25 0xB
0x30 0x8 InitialTscValue
0x38 0x1C8

Signed Configuration

Offset Size Description
0x0 0x8
0x8 0x1 Package2 Configuration. Bit 0 set means Package2 is stored unencrypted. Bit 1 set means Package2 is unsigned.
0x9 0x7
0x10 0x10 Hardware Info. Must match the Hardware Info read from fuses, or else the loaded Signed Config will be memset to 0 even if signed. This allows Nintendo to set signed configuration on a per-unit basis.
0x20 0x1 DisableProgramVerification. Controls the default value for how to check NCA signatures.
0x21 0xDF