Changes

Flash Filesystem (view source)

Revision as of 16:40, 21 October 2018

9,095 bytes added , 16:40, 21 October 2018

Line 1: Line 1:

= NAND structure =

+

The Switch's eMMC storage features a large user area, two smaller boot partitions and a replay-protected memory block which is unused (no authentication key is programmed).

+

All official partition names come from [[SystemInitializer]].

== Boot Partitions ==

'''Boot Partition 0 (0 of 1)'''

+

The official name for this partition is "BootPartition1Root" and it has [[Filesystem_services|Bis]] Partition ID == 0.

+

{| class="wikitable" border="1"

|-

Line 12: Line 18:

| 0x000000

| 0x4000

−

| Title 0100000000000819 ~~BCT~~

+

| Normal Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 0100000000000819]]

|-

| 0x004000

| 0x4000

−

| Title 010000000000081A ~~BCT~~

+

| SafeMode Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 010000000000081A]]

|-

| 0x008000

| 0x4000

−

| Title 0100000000000819 ~~BCT~~

+

| Normal Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 0100000000000819]] (backup)

|-

| 0x00C000

| 0x4000

−

| Title 010000000000081A ~~BCT~~

+

| SafeMode Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 010000000000081A]] (backup)

+

|-

+

| 0x010000

+

| 0xEC000

+

| 59 additional BCTs, normally unused/empty on retail systems.

+

|-

+

| 0x0FC000

+

| 0x4000

+

| [[#System Update Control|System Update Control area]]

|-

| 0x100000

| 0x40000

−

| Title 0100000000000819 ~~"package1"~~

+

| Normal Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 0100000000000819]]

|-

| 0x140000

| 0x40000

−

| Title 0100000000000819 ~~"package1"~~ (~~Backup~~)

+

| Normal Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 0100000000000819]] (backup)

|-

| 0x180000

| 0x4000

−

| Keyblob area

+

| [[#Keyblob|Keyblob area]]

|-

| 0x184000

−

| ~~0x20~~

+

| 0x200

−

| ~~Unknown pseudorandom data, often changes on reboot~~. ~~All zero on 1~~.0.

+

| [2.0.0+] [[#NAND Patrol|NAND Patrol area]]

−

|-

−

~~| 0x184020~~

−

| ~~0x8?~~

−

~~| Increments on every boot until hitting a certain number? Bottom 10 bits (0x3FF) are always zero. All zero on 1.0.~~

|}

'''Boot Partition 1 (1 of 1)'''

+

The official name for this partition is "BootPartition2Root" and it has [[Filesystem_services|Bis]] Partition ID == 10.

+

{| class="wikitable" border="1"

|-

Line 56: Line 69:

| 0x000000

| 0x40000

−

| Title 010000000000081A ~~"package1"~~

+

| SafeMode Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 010000000000081A]]

|-

| 0x040000

| 0x40000

−

| Title 010000000000081A ~~"package1"~~ (~~Backup~~)

+

| SafeMode Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 010000000000081A]] (backup)

|-

| 0x080000

| 0x40000

−

|

+

| Reserved

|-

| 0x0C0000

| 0x40000

−

|

+

| Reserved

+

|}

+

=== System Update Control ===

+

The 0x4000 bytes at offset 0xFC000 are used by [[NS_Services|NS]] and [[Boot|boot]] for keeping track of the status of a system update. This area is used by the [[NS_Services#ns:su|ISystemUpdateControl]] commands "ApplyDownloadedUpdate", "ApplyCardUpdate" and "ApplyReceivedUpdate".

+

{| class="wikitable" border="1"

+

|-

+

! Offset

+

! Size

+

! Description

+

|-

+

| 0x0

+

| 0x1

+

| BootImages status. Set to 1 by [[NS_Services|NS]] during a system update and cleared by [[Boot|boot]] after restarting.

+

|-

+

| 0x1

+

| 0x1

+

| BootImagesSafe status. Set to 1 by [[NS_Services|NS]] during a system update and cleared by [[Boot|boot]] after restarting.

|}

=== Keyblob ===

+

Starting at offset 0x180000 is an array of 0x200-byte entries, for a total of 32 keyblobs. Each one is unique compared to the others and they are all console unique. This is officially known as the "EKS" (encryption key source) area.

+

From each 0x200-byte entry only the first 0xB0 bytes effectively form the keyblob as below.

+

{| class="wikitable" border="1"

|-

Line 80: Line 115:

| 0x0

| 0x10

−

| Keyblob AES-CMAC over the ~~remaining~~ 0xA0-bytes (~~Checked with a mem-diff function which is~~ safe against timing attacks~~, calls the general panic() func on failure~~)

+

| Keyblob AES-CMAC over the next 0xA0 bytes (safe against timing attacks)

|-

| 0x10

Line 95: Line 130:

|}

−

~~Starting at 0x180000 is~~ an ~~array of 0x200-byte entries, for a total of 32 keyblobs~~. ~~Each one is unique compared~~ to the ~~others. They are all console unique~~.

+

The active bootloader's version (offset 0x2330 in the BCT) acts as an index to control which keyblob should be installed into the system.

+

[[NS_Services|NS]] uses this during system updates to install the keyblob into the [[BCT#customer_data|customer data]] section in BCTs (offset 0x450).

−

~~The 0xB0-byte keyblob is installed to the "customer data" section in BCTs (BCT+0x450)~~.

+

[[Boot]] also uses this index for repairing corrupt sectors.

−

~~BCT offset 0x2330~~ is ~~the field controlling which keyblob gets used. NS uses this to inject the appropriate keyblob on system update. [[Boot]] also uses this index for repairing corrupt sectors~~.

+

The currently active keyblob is officially known as "SecureInfo".

−

~~With [~~ [[~~3.0.0]~~] + ] ~~index 2 is used instead~~ of ~~index 1~~.

+

=== NAND Patrol ===

+

The 0x200 bytes at offset 0x184000 are used by [[Filesystem_services|FS]] for keeping track of NAND patrolling.

−

~~The Tegra 210 BCT format can be found in nvidia~~'s ~~cbootimage [https://github.com/thierryreding/tegra~~-~~avp/blob/35f467996e532357db54894c975acab93293d219/include/avp/tegra210/bct~~.~~h#L521]~~

+

{| class="wikitable" border="1"

+

|-

+

! Offset

+

! Size

+

! Description

+

|-

+

| 0x0

+

| 0x20

+

| HMAC-SHA-256 over the next 0x1E0 bytes

+

|-

+

| 0x20

+

| 0x4

+

| Last patrolled NAND block's offset

+

|-

+

| 0x24

+

| 0x4

+

| NAND patrol count

+

|-

+

| 0x28

+

| 0x1D8

+

| Unused, all-zero.

+

|}

== User Partitions ==

Line 112: Line 170:

! Size

! [[Filesystem_services|Bis]] Partition ID

+

! Encrypted

! Description

|-

Line 118: Line 177:

|

| 20

−

| GPT header, Bis-storage also allows raw access to the entire NAND eMMC sectors starting at sector0.

+

| No

+

| GPT header, Bis-storage also allows raw access to the entire NAND eMMC sectors starting at sector0. The official name for this partition is "UserDataRoot".

|-

−

| PRODINFO

+

| [[Calibration|PRODINFO]]

| 0x00004400

| 0x003FBC00

| 27

−

| "CAL0" raw partition containing set:cal data.

+

| Yes (Bis key 0)

+

| "CAL0" raw partition containing set:cal data. The official name for this partition is "CalibrationBinary".

|-

−

| PRODINFOF

+

| [[Calibration|PRODINFOF]]

| 0x00400000

| 28

−

| FAT12 filesystem, additional calibration.

+

| Yes (Bis key 0)

+

| FAT12 filesystem, additional calibration. The official name for this partition is "CalibrationFile".

|-

| BCPKG2-1-Normal-Main

Line 136: Line 198:

| 0x00800000

| 21

−

| ~~For all these packages, data starts at offset~~ 0x4000 and ~~is not console-unique. This is installed~~ from ~~"package2" in firmware package A (~~0100000000000819) by default. With the exFAT update installed, ~~this~~ is switched to ~~firmware package C (~~010000000000081B). The ~~data stored here matches the raw /nx/package2 file stored in the 81[9AB] data archives -- there~~ is ~~no additional encryption~~.

+

| No

+

| Raw partition where the first 0x4000 bytes (usually empty) contain the [[BootConfig]] and the remaining space contains the [[Package2|package2]] image from [[Title_list#System_Data_Archives|Title 0100000000000819]] by default. With the exFAT update installed, the [[Package2|package2]] image is switched to the one from [[Title_list#System_Data_Archives|Title 010000000000081B]]. The official name for this partition is "BootConfigAndPackage2Part1".

|-

| BCPKG2-2-Normal-Sub

Line 142: Line 205:

| 0x00800000

| 22

−

| ~~Identical to~~ BCPKG2-1-Normal-Main~~, probably used as a backup~~ partition.

+

| No

+

| Backup partition for BCPKG2-1-Normal-Main. The official name for this partition is "BootConfigAndPackage2Part2".

|-

| BCPKG2-3-SafeMode-Main

Line 148: Line 212:

| 0x00800000

| 23

−

| ~~This~~ is ~~installed~~ from "~~package2~~" ~~in firmware package B (010000000000081A)~~.

+

| No

+

| Raw partition where the first 0x4000 bytes (usually empty) contain the [[BootConfig]] and the remaining space contains the [[Package2|package2]] image from [[Title_list#System_Data_Archives|Title 010000000000081A]] by default. On [4.0.0+] and with the exFAT update installed, the [[Package2|package2]] image is switched to the one from [[Title_list#System_Data_Archives|Title 010000000000081C]]. The official name for this partition is "BootConfigAndPackage2Part3".

|-

| BCPKG2-4-SafeMode-Sub

Line 154: Line 219:

| 0x00800000

| 24

−

| ~~Identical to~~ BCPKG2-3-SafeMode-Main.

+

| No

+

| Backup partition for BCPKG2-3-SafeMode-Main. The official name for this partition is "BootConfigAndPackage2Part4".

|-

| BCPKG2-5-Repair-Main

Line 160: Line 226:

| 0x00800000

| 25

−

| Installed at the factory.

+

| No

+

| Installed at the factory, never written afterwards on retail. In one case this is identical to normal [[1.0.0]] [[Package2|package2]], except this has encrypted data at the end padded for 0x1000-byte alignment. The official name for this partition is "BootConfigAndPackage2Part5".

|-

| BCPKG2-6-Repair-Sub

Line 166: Line 233:

| 0x00800000

| 26

−

| ~~Identical to~~ BCPKG2-5-Repair-Main.

+

| No

+

| Backup partition for BCPKG2-5-Repair-Main. The official name for this partition is "BootConfigAndPackage2Part6".

|-

| SAFE

Line 172: Line 240:

| 0x04000000

| 29

−

| FAT32 filesystem.

+

| Yes (Bis key 1)

+

| FAT32 filesystem. The official name for this partition is "SafeMode".

|-

| SYSTEM

| 0x07800000

| 0xA0000000

−

| 31 (~~and 32?~~)

+

| 31, 32 and 33

−

| FAT32 filesystem.

+

| Yes (Bis key 2)

+

| FAT32 filesystem. The official names for these partitions are "System", "SystemProperEncryption" and "SystemProperPartition".

|-

| USER

Line 184: Line 254:

| 0x680000000

| 30

+

| Yes (Bis key 3)

| FAT32 filesystem.

|-

Line 190: Line 261:

| 0x200

|

−

| This is the backup GPT header specified by the main GPT header. This is also the last sector readable with Bis-storage paritionID 20.

+

| No

+

| This is the backup GPT header specified by the main GPT header. This is also the last sector readable with Bis-storage paritionID 20.

|}

If the client process lacks the relevant permission for any of the above partition IDs, error 0x2EE202 is returned.

−

[[NCA]]s stored in NAND are raw, identical to the data readable with [[~~Content_Manager_services~~#~~ReadEntryRaw~~]].

+

[[NCA]]s stored in NAND are raw, identical to the data readable with [[NCM_services#ReadContentIdFile]].

The filenames for saveimages is just "<lower-case hex u64 saveID>". SYSTEM-partition saveIDs are specified by [[Filesystem_services|FS]] commands, while USER-partition saveIDs are determined by FS-module internally. The high u32 of the saveID is normally either 0x00000000 or 0x80000000.

+

Encrypted partitions use AES-XTS using the same non-standard tweak (tweak[0] = sectorIdx[MSB] .. tweak[15] = sectorIdx[LSB], if using 32bit sectorIdx that means tweak[0]..tweak[11] are 0, with tweak[12]..tweak[15] containing big-endian sectorIdx) as other Nintendo AES-XTS code, initial_sector = 0, and sector size 0x4000. All encrypted partitions use console unique keydata.

=== PRODINFOF ===

Line 279: Line 353:

{| class="wikitable" border="1"

−

! SaveID || Owner || Notes

+

! SaveID || Owner || Mount || Notes

+

|-

+

| 0x8000000000000000 || fs || <nowiki>saveDataIxrDb:/</nowiki>, <nowiki>saveDataIxrDbSf:/</nowiki>, <nowiki>saveDataIxrDbPr:/</nowiki>, <nowiki>saveDataIxrDbSd:/</nowiki> || Contains [[IMKV|imkvdb.arc]] and "lastPublishedId".

+

|-

+

| 0x8000000000000010 || account || <nowiki>account:/</nowiki> || Account database.

+

|-

+

| 0x8000000000000011 || account || <nowiki>idgen:/</nowiki> ||

+

|-

+

| 0x8000000000000020 || nfc || <nowiki>data:/</nowiki> || NFC data and backups.

+

|-

+

| 0x8000000000000030 || ns || <nowiki>mii:/</nowiki> || Mii database.

+

|-

+

| 0x8000000000000031 || ns || <nowiki>mii:/</nowiki> || Mii test mode database.

+

|-

+

| 0x8000000000000040 || ns || <nowiki>apprecdb:/</nowiki> ||

+

|-

+

| 0x8000000000000041 || ns || <nowiki>nsaccache:/</nowiki> || Home menu icondata/lru list for recently played games.

+

|-

+

| 0x8000000000000043 || ns || <nowiki>ns_appman:/</nowiki> ||

+

|-

+

| 0x8000000000000044 || ns || <nowiki>ns_sysup:/</nowiki> || Content update context.

+

|-

+

| 0x8000000000000045 || ns || <nowiki>vmdb:/</nowiki> || Version List/Required Version List storage.

+

|-

+

| 0x8000000000000046 || ns || <nowiki>dtlman:/</nowiki> ||

+

|-

+

| 0x8000000000000047 || ns || <nowiki>ns_exfat:/</nowiki> ||

+

|-

+

| 0x8000000000000048 || ns || <nowiki>ns_systemseed:/</nowiki> ||

+

|-

+

| 0x8000000000000049 || ns || <nowiki>ns_ssversion:/</nowiki> || Safe System version.

+

|-

+

| 0x8000000000000050 || settings || <nowiki>SystemSettings:/</nowiki> ||

+

|-

+

| 0x8000000000000051 || settings || <nowiki>FwdbgSettingsS:/</nowiki> ||

+

|-

+

| 0x8000000000000052 || settings || <nowiki>PrivateSettings:/</nowiki> ||

+

|-

+

| 0x8000000000000053 || settings || <nowiki>DeviceSettings:/</nowiki> ||

+

|-

+

| 0x8000000000000054 || settings || <nowiki>ApplnSettings:/</nowiki> ||

+

|-

+

| 0x8000000000000060 || ssl || <nowiki>SslSave:/</nowiki> ||

+

|-

+

| 0x8000000000000070 || nim || <nowiki>nim_sys:/</nowiki> ||

+

|-

+

| 0x8000000000000071 || nim || <nowiki>nim_net:/</nowiki> ||

+

|-

+

| 0x8000000000000072 || nim || <nowiki>nim_tmp:/</nowiki> ||

+

|-

+

| 0x8000000000000073 || nim || <nowiki>nim_dac:/</nowiki> ||

+

|-

+

| 0x8000000000000074 || nim || <nowiki>nim_delta:/</nowiki> ||

+

|-

+

| 0x8000000000000075 || nim || <nowiki>nim_vac:/</nowiki> ||

+

|-

+

| 0x8000000000000076 || nim || <nowiki>nim_local:/</nowiki> ||

+

|-

+

| 0x8000000000000077 || nim || <nowiki>nim_lsys:/</nowiki> ||

+

|-

+

| 0x8000000000000078 || nim || <nowiki>nim_eca_dbg:/</nowiki> ||

+

|-

+

| 0x8000000000000080 || friends || <nowiki>friends:/</nowiki> ||

+

|-

+

| 0x8000000000000081 || friends || <nowiki>friends-sys:/</nowiki> ||

+

|-

+

| 0x8000000000000082 || friends || <nowiki>friends-image:/</nowiki> ||

+

|-

+

| 0x8000000000000090 || bcat || <nowiki>news:/</nowiki> || Actual news msgpack archives.

+

|-

+

| 0x8000000000000091 || bcat || <nowiki>news-sys:/</nowiki> || News metadata, tasklist, history, database, required system version, etc.

+

|-

+

| 0x8000000000000092 || bcat || <nowiki>news-dl:/</nowiki> || Storage for newly(?) downloaded news list/data.

+

|-

+

| 0x80000000000000A0 || bcat || <nowiki>prepo-sys:/</nowiki> || Play Report system information.

+

|-

+

| 0x80000000000000A1 || bcat || <nowiki>prepo:/</nowiki> || Play Report msgpack archives.

+

|-

+

| 0x80000000000000A2 || bcat || <nowiki>prepo-ap:/</nowiki> ||

+

|-

+

| 0x80000000000000B0 || bsdsockets || <nowiki>nsdsave:/</nowiki> || Socket configuration saved data.

+

|-

+

| 0x80000000000000C1 || bcat || <nowiki>bcat-sys:/</nowiki> ||

+

|-

+

| 0x80000000000000C2 || bcat || <nowiki>bcat-dl:/</nowiki> ||

+

|-

+

| 0x80000000000000D1 || erpt || <nowiki>save:/</nowiki> || Contains "/journal" report listing + actual crash reports ("/%08x-%04x-%04x-%02x%02x-%04x%08x"), which are serialized via [http://msgpack.org/ MsgPack].

+

|-

+

| 0x80000000000000E0 || es || <nowiki>escertificate:/</nowiki> ||

+

|-

+

| 0x80000000000000E1 || es || <nowiki>escommon:/</nowiki> ||

+

|-

+

| 0x80000000000000E2 || es || <nowiki>espersonalized:/</nowiki> ||

+

|-

+

| 0x80000000000000E3 || es || <nowiki>esmetarecord:/</nowiki> ||

+

|-

+

| 0x80000000000000E4 || es || <nowiki>eselicense:/</nowiki> ||

+

|-

+

| 0x80000000000000F0 || ns || <nowiki>pdm:/</nowiki> || Play Data log.

+

|-

+

| 0x8000000000000100 || pctl || <nowiki>pctlss:/</nowiki> || Parental Control settings.

+

|-

+

| 0x8000000000000110 || npns || <nowiki>npns_save:/</nowiki> || Push notifications persistent storage.

+

|-

+

| 0x8000000000000120 || ncm || ? || meta/[[IMKV|imkvdb.arc]] for system partition. Cache of data extracted from the [[NCA|.cnmt]] for installed titles?(Including 816)

+

|-

+

| 0x8000000000000121 || ncm || ? || meta/[[IMKV|imkvdb.arc]] for sd partition. In some cases this save only contains a "meta/" directory without any file.

+

|-

+

| 0x8000000000000122 || || ||

+

|-

+

| 0x8000000000001010 || || || Contains "savedata.dat".

+

|-

+

| 0x8000000000001040 || || ||

+

|-

+

| 0x8000000000001050 || || || Contains "database.dat". Possibly Mii data and Mii texture data?

+

|-

+

| 0x8000000000001060 || || ||

+

|-

+

| 0x8000000000001070 || || ||

+

|-

+

| 0x80000000000010B0 || || || Contains "savedata.dat".

+

|-

+

| 0x0000000000000001 || || ||

+

|-

+

| 0x0000000000000003 || || ||

+

|-

+

| 0x0000000000000004 || || ||

+

|-

+

| 0x0000000000000005 || || ||

+

|-

+

| 0x0000000000000006 || || ||

+

|-

+

| 0x0000000000000007 || || ||

+

|-

+

| 0x0000000000000008 || || ||

+

|-

+

| 0x0000000000000009 || || ||

+

|-

+

| 0x000000000000000A || || ||

+

|-

+

| 0x000000000000000C || || ||

+

|-

+

| 0x000000000000000D || || ||

+

|-

+

| 0x000000000000000F || || ||

|-

−

| ~~0x80000000000000d1~~ || ~~erpt~~ || ~~Contains "/journal" report listing + actual crash reports ("/%08x-%04x-%04x-%02x%02x-%04x%08x"), which are serialized via [http://msgpack.org/ MsgPack].~~

+

| 0x0000000000000010 || || ||

|}

Hexkyz

Bureaucrats, Administrators

2,781

edits

Changes

Flash Filesystem (view source)

Revision as of 16:40, 21 October 2018

Navigation menu

Search