Difference between revisions of "Flash Filesystem"

From Nintendo Switch Brew
Jump to navigation Jump to search
(keyblob incremented in 3.0.1)
(→‎System Savegames: add missing saves)
(43 intermediate revisions by 8 users not shown)
Line 1: Line 1:
 
= NAND structure =
 
= NAND structure =
The Switch's eMMC storage features a large user area, two smaller boot partitions, and a replay-protected memory block which is unused (no authentication key is programmed).
+
The Switch's eMMC storage features a large user area, two smaller boot partitions and a replay-protected memory block which is unused (no authentication key is programmed).
 +
 
 +
All official partition names come from [[SystemInitializer]].
  
 
== Boot Partitions ==
 
== Boot Partitions ==
  
 
'''Boot Partition 0 (0 of 1)'''
 
'''Boot Partition 0 (0 of 1)'''
 +
 +
The official name for this partition is "BootPartition1Root" and it has [[Filesystem_services|Bis]] Partition ID == 0.
 +
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
Line 13: Line 18:
 
|  0x000000
 
|  0x000000
 
|  0x4000
 
|  0x4000
|  Title 0100000000000819 BCT
+
Normal Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 0100000000000819]]
 
|-
 
|-
 
|  0x004000
 
|  0x004000
 
|  0x4000
 
|  0x4000
|  Title 010000000000081A BCT
+
SafeMode Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 010000000000081A]]
 
|-
 
|-
 
|  0x008000
 
|  0x008000
 
|  0x4000
 
|  0x4000
|  Title 0100000000000819 BCT
+
Normal Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 0100000000000819]] (backup)
 
|-
 
|-
 
|  0x00C000
 
|  0x00C000
 
|  0x4000
 
|  0x4000
|  Title 010000000000081A BCT
+
SafeMode Firmware [[BCT|BCT]] from [[Title_list#System_Data_Archives|Title 010000000000081A]] (backup)
 +
|-
 +
|  0x010000
 +
|  0xEC000
 +
|  59 additional BCTs, normally unused/empty on retail systems.
 +
|-
 +
|  0x0FC000
 +
|  0x4000
 +
|  [[#System Update Control|System Update Control area]]
 
|-
 
|-
 
|  0x100000
 
|  0x100000
 
|  0x40000
 
|  0x40000
|  Title 0100000000000819 "package1"
+
Normal Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 0100000000000819]]
 
|-
 
|-
 
|  0x140000
 
|  0x140000
 
|  0x40000
 
|  0x40000
|  Title 0100000000000819 "package1" (Backup)
+
Normal Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 0100000000000819]] (backup)
 
|-
 
|-
 
|  0x180000
 
|  0x180000
 
|  0x4000
 
|  0x4000
|  Keyblob area
+
[[#Keyblob|Keyblob area]]
 
|-
 
|-
 
|  0x184000
 
|  0x184000
0x20
+
0x200
Unknown pseudorandom data, often changes on reboot. All zero on 1.0.
+
[2.0.0+] [[#NAND Patrol|NAND Patrol area]]
|-
 
|  0x184020
 
| 0x8?
 
| Increments on every boot until hitting a certain number? Bottom 10 bits (0x3FF) are always zero. All zero on 1.0.
 
 
|}
 
|}
  
 
'''Boot Partition 1 (1 of 1)'''
 
'''Boot Partition 1 (1 of 1)'''
 +
 +
The official name for this partition is "BootPartition2Root" and it has [[Filesystem_services|Bis]] Partition ID == 10.
 +
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
Line 57: Line 69:
 
|  0x000000
 
|  0x000000
 
|  0x40000
 
|  0x40000
|  Title 010000000000081A "package1"
+
SafeMode Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 010000000000081A]]
 
|-
 
|-
 
|  0x040000
 
|  0x040000
 
|  0x40000
 
|  0x40000
|  Title 010000000000081A "package1" (Backup)
+
SafeMode Firmware [[Package1|package1]] from [[Title_list#System_Data_Archives|Title 010000000000081A]] (backup)
 
|-
 
|-
 
|  0x080000
 
|  0x080000
 
|  0x40000
 
|  0x40000
|
+
| Reserved
 
|-
 
|-
 
|  0x0C0000
 
|  0x0C0000
 
|  0x40000
 
|  0x40000
|
+
| Reserved
 +
|}
 +
 
 +
=== System Update Control ===
 +
The 0x4000 bytes at offset 0xFC000 are used by [[NS_Services|NS]] and [[Boot|boot]] for keeping track of the status of a system update. This area is used by the [[NS_Services#ns:su|ISystemUpdateControl]] commands "ApplyDownloadedUpdate", "ApplyCardUpdate" and "ApplyReceivedUpdate".
 +
 
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Offset
 +
!  Size
 +
!  Description
 +
|-
 +
| 0x0
 +
| 0x1
 +
| BootImages status. Set to 1 by [[NS_Services|NS]] during a system update and cleared by [[Boot|boot]] after restarting.
 +
|-
 +
| 0x1
 +
| 0x1
 +
| BootImagesSafe status. Set to 1 by [[NS_Services|NS]] during a system update and cleared by [[Boot|boot]] after restarting.
 
|}
 
|}
  
 
=== Keyblob ===
 
=== Keyblob ===
 +
Starting at offset 0x180000 is an array of 0x200-byte entries, for a total of 32 keyblobs. Each one is unique compared to the others and they are all console unique. This is officially known as the "EKS" (encryption key source) area.
 +
 +
From each 0x200-byte entry only the first 0xB0 bytes effectively form the keyblob as below.
 +
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
Line 81: Line 115:
 
| 0x0
 
| 0x0
 
| 0x10
 
| 0x10
| Keyblob AES-CMAC over the remaining 0xA0-bytes (Checked with a mem-diff function which is safe against timing attacks, calls the general panic() func on failure)
+
| Keyblob AES-CMAC over the next 0xA0 bytes (safe against timing attacks)
 
|-
 
|-
 
| 0x10
 
| 0x10
Line 96: Line 130:
 
|}
 
|}
  
Decrypted Keydata format:
+
The active bootloader's version (offset 0x2330 in the BCT) acts as an index to control which keyblob should be installed into the system.
 +
[[NS_Services|NS]] uses this during system updates to install the keyblob into the [[BCT#customer_data|customer data]] section in BCTs (offset 0x450).
 +
 
 +
[[Boot]] also uses this index for repairing corrupt sectors.
 +
 
 +
The currently active keyblob is officially known as "SecureInfo".
 +
 
 +
=== NAND Patrol ===
 +
The 0x200 bytes at offset 0x184000 are used by [[Filesystem_services|FS]] for keeping track of NAND patrolling.
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
! Offset
+
! Offset
! Size
+
! Size
! Description
+
! Description
 
|-
 
|-
 
| 0x0
 
| 0x0
| 0x80
+
| 0x20
| Array of master static key encryption keys
+
| HMAC-SHA-256 over the next 0x1E0 bytes
 +
|-
 +
| 0x20
 +
| 0x4
 +
| Last patrolled NAND block's offset
 +
|-
 +
| 0x24
 +
| 0x4
 +
| NAND patrol count
 
|-
 
|-
| 0x80
+
| 0x28
| 0x10
+
| 0x1D8
| [[Package1|Stage 2]] key
+
| Unused, all-zero.
 
|}
 
|}
 
Starting at 0x180000 is an array of 0x200-byte entries, for a total of 32 keyblobs. Each one is unique compared to the others. They are all console unique.
 
 
The 0xB0-byte keyblob is installed to the "customer data" section in BCTs (BCT+0x450).
 
 
BCT offset 0x2330 is the field controlling which keyblob gets used. NS uses this to inject the appropriate keyblob on system update. [[Boot]] also uses this index for repairing corrupt sectors.
 
 
With [ [[3.0.0]] ] index 2 is used instead of index 1.
 
With [ [[3.0.1]] + ] index 3 is used instead of index 2.
 
 
 
The Tegra 210 BCT format can be found in nvidia's cbootimage [https://github.com/thierryreding/tegra-avp/blob/35f467996e532357db54894c975acab93293d219/include/avp/tegra210/bct.h#L521]
 
  
 
== User Partitions ==
 
== User Partitions ==
Line 132: Line 170:
 
!  Size
 
!  Size
 
!  [[Filesystem_services|Bis]] Partition ID
 
!  [[Filesystem_services|Bis]] Partition ID
 +
!  Encrypted
 
!  Description
 
!  Description
 
|-
 
|-
Line 138: Line 177:
 
|   
 
|   
 
|  20
 
|  20
|  GPT header, Bis-storage also allows raw access to the entire NAND eMMC sectors starting at sector0.
+
|  No
 +
|  GPT header, Bis-storage also allows raw access to the entire NAND eMMC sectors starting at sector0. The official name for this partition is "UserDataRoot".
 
|-
 
|-
|  PRODINFO
+
[[Calibration|PRODINFO]]
 
|  0x00004400
 
|  0x00004400
 
|  0x003FBC00
 
|  0x003FBC00
 
|  27
 
|  27
|  "CAL0" raw partition containing set:cal data.
+
|  Yes (Bis key 0)
 +
|  "CAL0" raw partition containing set:cal data. The official name for this partition is "CalibrationBinary".
 
|-
 
|-
|  PRODINFOF
+
[[Calibration|PRODINFOF]]
 
|  0x00400000
 
|  0x00400000
 
|  0x00400000
 
|  0x00400000
 
|  28
 
|  28
|  FAT12 filesystem, additional calibration.
+
|  Yes (Bis key 0)
 +
|  FAT12 filesystem, additional calibration. The official name for this partition is "CalibrationFile".
 
|-
 
|-
 
|  BCPKG2-1-Normal-Main
 
|  BCPKG2-1-Normal-Main
Line 156: Line 198:
 
|  0x00800000
 
|  0x00800000
 
|  21
 
|  21
For all these packages, data starts at offset 0x4000 and is not console-unique. This is installed from "package2" in firmware package A (0100000000000819) by default. With the exFAT update installed, this is switched to firmware package C (010000000000081B). The data stored here matches the raw /nx/package2 file stored in the 81[9AB] data archives -- there is no additional encryption.
+
No
 +
|  Raw partition where the first 0x4000 bytes (usually empty) contain the [[BootConfig]] and the remaining space contains the [[Package2|package2]] image from [[Title_list#System_Data_Archives|Title 0100000000000819]] by default. With the exFAT update installed, the [[Package2|package2]] image is switched to the one from [[Title_list#System_Data_Archives|Title 010000000000081B]]. The official name for this partition is "BootConfigAndPackage2Part1".
 
|-
 
|-
 
|  BCPKG2-2-Normal-Sub
 
|  BCPKG2-2-Normal-Sub
Line 162: Line 205:
 
|  0x00800000
 
|  0x00800000
 
|  22
 
|  22
Identical to BCPKG2-1-Normal-Main, probably used as a backup partition.
+
No
 +
|  Backup partition for BCPKG2-1-Normal-Main. The official name for this partition is "BootConfigAndPackage2Part2".
 
|-
 
|-
 
|  BCPKG2-3-SafeMode-Main
 
|  BCPKG2-3-SafeMode-Main
Line 168: Line 212:
 
|  0x00800000
 
|  0x00800000
 
|  23
 
|  23
This is installed from "package2" in firmware package B (010000000000081A).
+
No
 +
|  Raw partition where the first 0x4000 bytes (usually empty) contain the [[BootConfig]] and the remaining space contains the [[Package2|package2]] image from [[Title_list#System_Data_Archives|Title 010000000000081A]] by default. On [4.0.0+] and with the exFAT update installed, the [[Package2|package2]] image is switched to the one from [[Title_list#System_Data_Archives|Title 010000000000081C]]. The official name for this partition is "BootConfigAndPackage2Part3".
 
|-
 
|-
 
|  BCPKG2-4-SafeMode-Sub
 
|  BCPKG2-4-SafeMode-Sub
Line 174: Line 219:
 
|  0x00800000
 
|  0x00800000
 
|  24
 
|  24
Identical to BCPKG2-3-SafeMode-Main.
+
No
 +
|  Backup partition for BCPKG2-3-SafeMode-Main. The official name for this partition is "BootConfigAndPackage2Part4".
 
|-
 
|-
 
|  BCPKG2-5-Repair-Main
 
|  BCPKG2-5-Repair-Main
Line 180: Line 226:
 
|  0x00800000
 
|  0x00800000
 
|  25
 
|  25
|  Installed at the factory.
+
|  No
 +
|  Installed at the factory, never written afterwards on retail. In one case this is identical to normal [[1.0.0]] [[Package2|package2]], except this has encrypted data at the end padded for 0x1000-byte alignment. The official name for this partition is "BootConfigAndPackage2Part5".
 
|-
 
|-
 
|  BCPKG2-6-Repair-Sub
 
|  BCPKG2-6-Repair-Sub
Line 186: Line 233:
 
|  0x00800000
 
|  0x00800000
 
|  26
 
|  26
Identical to BCPKG2-5-Repair-Main.
+
No
 +
|  Backup partition for BCPKG2-5-Repair-Main. The official name for this partition is "BootConfigAndPackage2Part6".
 
|-
 
|-
 
|  SAFE
 
|  SAFE
Line 192: Line 240:
 
|  0x04000000
 
|  0x04000000
 
|  29
 
|  29
|  FAT32 filesystem.
+
|  Yes (Bis key 1)
 +
|  FAT32 filesystem. The official name for this partition is "SafeMode".
 
|-
 
|-
 
|  SYSTEM
 
|  SYSTEM
 
|  0x07800000  
 
|  0x07800000  
 
|  0xA0000000
 
|  0xA0000000
|  31 (and 32?)
+
|  31, 32 and 33
|  FAT32 filesystem.
+
|  Yes (Bis key 2)
 +
|  FAT32 filesystem. The official names for these partitions are "System", "SystemProperEncryption" and "SystemProperPartition".
 
|-
 
|-
 
|  USER
 
|  USER
Line 204: Line 254:
 
|  0x680000000
 
|  0x680000000
 
|  30
 
|  30
 +
|  Yes (Bis key 3)
 
|  FAT32 filesystem.
 
|  FAT32 filesystem.
 
|-
 
|-
Line 210: Line 261:
 
| 0x200
 
| 0x200
 
|  
 
|  
| This is the backup GPT header specified by the main GPT header. This is also the last sector readable with Bis-storage paritionID 20.
+
| No
 +
This is the backup GPT header specified by the main GPT header. This is also the last sector readable with Bis-storage paritionID 20.
 
|}
 
|}
  
 
If the client process lacks the relevant permission for any of the above partition IDs, error 0x2EE202 is returned.
 
If the client process lacks the relevant permission for any of the above partition IDs, error 0x2EE202 is returned.
  
[[NCA]]s stored in NAND are raw, identical to the data readable with [[Content_Manager_services#ReadEntryRaw]].
+
[[NCA]]s stored in NAND are raw, identical to the data readable with [[NCM_services#ReadContentIdFile]].
  
 
The filenames for saveimages is just "<lower-case hex u64 saveID>". SYSTEM-partition saveIDs are specified by [[Filesystem_services|FS]] commands, while USER-partition saveIDs are determined by FS-module internally. The high u32 of the saveID is normally either 0x00000000 or 0x80000000.
 
The filenames for saveimages is just "<lower-case hex u64 saveID>". SYSTEM-partition saveIDs are specified by [[Filesystem_services|FS]] commands, while USER-partition saveIDs are determined by FS-module internally. The high u32 of the saveID is normally either 0x00000000 or 0x80000000.
 +
 +
Encrypted partitions use AES-XTS using the same non-standard tweak (tweak[0] = sectorIdx[MSB] .. tweak[15] = sectorIdx[LSB], if using 32bit sectorIdx that means tweak[0]..tweak[11] are 0, with tweak[12]..tweak[15] containing big-endian sectorIdx) as other Nintendo AES-XTS code, initial_sector = 0, and sector size 0x4000. All encrypted partitions use console unique keydata.
  
 
=== PRODINFOF ===
 
=== PRODINFOF ===
Line 299: Line 353:
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
! SaveID || Owner || Notes
+
! SaveID || Owner || Mount || Notes
 +
|-
 +
| 0x8000000000000000 || fs || <nowiki>saveDataIxrDb:/</nowiki>, <nowiki>saveDataIxrDbSf:/</nowiki>, <nowiki>saveDataIxrDbPr:/</nowiki>, <nowiki>saveDataIxrDbSd:/</nowiki> || Contains [[IMKV|imkvdb.arc]] and "lastPublishedId".
 +
|-
 +
| 0x8000000000000010 || account || <nowiki>account:/</nowiki> || Account database.
 +
|-
 +
| 0x8000000000000011 || account || <nowiki>idgen:/</nowiki> ||
 +
|-
 +
| 0x8000000000000020 || nfc || <nowiki>data:/</nowiki> || NFC data and backups.
 +
|-
 +
| 0x8000000000000030 || ns || <nowiki>mii:/</nowiki> || Mii database.
 +
|-
 +
| 0x8000000000000031 || ns || <nowiki>mii:/</nowiki> || Mii test mode database.
 +
|-
 +
| 0x8000000000000040 || ns || <nowiki>apprecdb:/</nowiki> ||
 +
|-
 +
| 0x8000000000000041 || ns || <nowiki>nsaccache:/</nowiki> || Home menu icondata/lru list for recently played games.
 +
|-
 +
| 0x8000000000000043 || ns || <nowiki>ns_appman:/</nowiki> ||
 +
|-
 +
| 0x8000000000000044 || ns || <nowiki>ns_sysup:/</nowiki> || Content update context.
 +
|-
 +
| 0x8000000000000045 || ns || <nowiki>vmdb:/</nowiki> || Required Version List storage. Also contained Version List storage before 7.0.0.
 +
|-
 +
| 0x8000000000000046 || ns || <nowiki>dtlman:/</nowiki> ||
 +
|-
 +
| 0x8000000000000047 || ns || <nowiki>ns_exfat:/</nowiki> ||
 +
|-
 +
| 0x8000000000000048 || ns || <nowiki>ns_systemseed:/</nowiki> ||
 +
|-
 +
| 0x8000000000000049 || ns || <nowiki>ns_ssversion:/</nowiki> || Safe System version.
 +
|-
 +
| 0x8000000000000050 || settings || <nowiki>SystemSettings:/</nowiki> ||
 +
|-
 +
| 0x8000000000000051 || settings || <nowiki>FwdbgSettingsS:/</nowiki> ||
 +
|-
 +
| 0x8000000000000052 || settings || <nowiki>PrivateSettings:/</nowiki> ||
 +
|-
 +
| 0x8000000000000053 || settings || <nowiki>DeviceSettings:/</nowiki> ||
 +
|-
 +
| 0x8000000000000054 || settings || <nowiki>ApplnSettings:/</nowiki> ||
 +
|-
 +
| 0x8000000000000060 || ssl || <nowiki>SslSave:/</nowiki> ||
 +
|-
 +
| 0x8000000000000070 || nim || <nowiki>nim_sys:/</nowiki> ||
 +
|-
 +
| 0x8000000000000071 || nim || <nowiki>nim_net:/</nowiki> ||
 +
|-
 +
| 0x8000000000000072 || nim || <nowiki>nim_tmp:/</nowiki> ||
 +
|-
 +
| 0x8000000000000073 || nim || <nowiki>nim_dac:/</nowiki> ||
 +
|-
 +
| 0x8000000000000074 || nim || <nowiki>nim_delta:/</nowiki> ||
 +
|-
 +
| 0x8000000000000075 || nim || <nowiki>nim_vac:/</nowiki> ||
 +
|-
 +
| 0x8000000000000076 || nim || <nowiki>nim_local:/</nowiki> ||
 +
|-
 +
| 0x8000000000000077 || nim || <nowiki>nim_lsys:/</nowiki> ||
 +
|-
 +
| 0x8000000000000078 || nim || <nowiki>nim_eca_dbg:/</nowiki> ||
 +
|-
 +
| 0x8000000000000080 || friends || <nowiki>friends:/</nowiki> || Per-user savedata.
 +
|-
 +
| 0x8000000000000081 || friends || <nowiki>friends-sys:/</nowiki> ||
 +
|-
 +
| 0x8000000000000082 || friends || <nowiki>friends-image:/</nowiki> ||
 +
|-
 +
| 0x8000000000000090 || bcat || <nowiki>news:/</nowiki> || Actual news msgpack archives.
 +
|-
 +
| 0x8000000000000091 || bcat || <nowiki>news-sys:/</nowiki> || News metadata, tasklist, history, database, required system version, etc.
 +
|-
 +
| 0x8000000000000092 || bcat || <nowiki>news-dl:/</nowiki> || Storage for newly(?) downloaded news list/data.
 +
|-
 +
| 0x80000000000000A0 || bcat || <nowiki>prepo-sys:/</nowiki> || Play Report system information.
 +
|-
 +
| 0x80000000000000A1 || bcat || <nowiki>prepo:/</nowiki> || Play Report msgpack archives.
 +
|-
 +
| 0x80000000000000A2 || bcat || <nowiki>prepo-ap:/</nowiki> ||
 +
|-
 +
| 0x80000000000000B0 || bsdsockets || <nowiki>nsdsave:/</nowiki> || Socket configuration saved data.
 +
|-
 +
| 0x80000000000000C1 || bcat || <nowiki>bcat-sys:/</nowiki> ||
 +
|-
 +
| 0x80000000000000C2 || bcat || <nowiki>bcat-dl:/</nowiki> ||
 +
|-
 +
| 0x80000000000000D1 || erpt || <nowiki>save:/</nowiki> || Contains "/journal" report listing + actual crash reports ("/%08x-%04x-%04x-%02x%02x-%04x%08x"), which are serialized via [http://msgpack.org/ MsgPack].
 +
|-
 +
| 0x80000000000000E0 || es || <nowiki>escertificate:/</nowiki> ||
 +
|-
 +
| 0x80000000000000E1 || es || <nowiki>escommon:/</nowiki> ||
 +
|-
 +
| 0x80000000000000E2 || es || <nowiki>espersonalized:/</nowiki> ||
 +
|-
 +
| 0x80000000000000E3 || es || <nowiki>esmetarecord:/</nowiki> ||
 +
|-
 +
| 0x80000000000000E4 || es || <nowiki>eselicense:/</nowiki> ||
 +
|-
 +
| 0x80000000000000F0 || ns || <nowiki>pdm:/</nowiki> || Play Data log. Per-user savedata.
 +
|-
 +
| 0x8000000000000100 || pctl || <nowiki>pctlss:/</nowiki> || Parental Control settings.
 +
|-
 +
| 0x8000000000000110 || npns || <nowiki>npns_save:/</nowiki> || Push notifications persistent storage.
 +
|-
 +
| 0x8000000000000120 || ncm || ? || meta/[[IMKV|imkvdb.arc]] for system partition. Cache of data extracted from the [[CNMT]] for installed firmware titles (including 816).
 +
|-
 +
| 0x8000000000000121 || ncm || ? || meta/[[IMKV|imkvdb.arc]] for user partition. Cache of data extracted from the [[CNMT]] for installed game, update, and DLC titles.
 +
|-
 +
| 0x8000000000000122 || || ||
 +
|-
 +
| 0x8000000000000130 || migration || <nowiki>state:/</nowiki> ||
 +
|-
 +
| 0x8000000000000131 || migration || <nowiki>context:/</nowiki> ||
 +
|-
 +
| 0x8000000000000140 || capsrv || <nowiki>TM:/</nowiki> ||
 +
|-
 +
| 0x8000000000000150 || olsc || ? ||
 +
|-
 +
| 0x8000000000000153 || olsc || ? ||
 +
|-
 +
| 0x8000000000000180 || sdb || ? || Version list was moved here in 7.0.0 or 7.0.1
 +
|-
 +
| 0x8000000000000190 || glue || ? ||
 +
|-
 +
| 0x8000000000001010 || qlaunch || || Contains "savedata.dat".
 +
|-
 +
| 0x8000000000001020 || swkbd || || Per-user savedata.
 +
|-
 +
| 0x8000000000001040 || miiEdit || ||
 +
|-
 +
| 0x8000000000001050 || miiEdit || || Contains "database.dat". Possibly Mii data and Mii texture data?
 +
|-
 +
| 0x8000000000001060 || shop || ||
 +
|-
 +
| 0x8000000000001061 || shop || || Per-user savedata.
 +
|-
 +
| 0x8000000000001070 || web || ||
 +
|-
 +
| 0x8000000000001071 || web || || Per-user savedata.
 +
|-
 +
| 0x8000000000001091 || loginShare || || Per-user savedata.
 +
|-
 +
| 0x80000000000010B0 || playerSelect || || Contains "savedata.dat". Per-user savedata.
 +
|-
 +
| 0x80000000000010C0 || myPage || || Per-user savedata.
 +
|-
 +
| 0x8000000000010003 || bcat || ||
 
|-
 
|-
| 0x80000000000000d1 || erpt || Contains "/journal" report listing + actual crash reports ("/%08x-%04x-%04x-%02x%02x-%04x%08x"), which are serialized via [http://msgpack.org/ MsgPack].
+
| 0x8000000000010004 || bcat || ||  
 
|}
 
|}

Revision as of 22:24, 3 October 2019

NAND structure

The Switch's eMMC storage features a large user area, two smaller boot partitions and a replay-protected memory block which is unused (no authentication key is programmed).

All official partition names come from SystemInitializer.

Boot Partitions

Boot Partition 0 (0 of 1)

The official name for this partition is "BootPartition1Root" and it has Bis Partition ID == 0.

Offset Size Description
0x000000 0x4000 Normal Firmware BCT from Title 0100000000000819
0x004000 0x4000 SafeMode Firmware BCT from Title 010000000000081A
0x008000 0x4000 Normal Firmware BCT from Title 0100000000000819 (backup)
0x00C000 0x4000 SafeMode Firmware BCT from Title 010000000000081A (backup)
0x010000 0xEC000 59 additional BCTs, normally unused/empty on retail systems.
0x0FC000 0x4000 System Update Control area
0x100000 0x40000 Normal Firmware package1 from Title 0100000000000819
0x140000 0x40000 Normal Firmware package1 from Title 0100000000000819 (backup)
0x180000 0x4000 Keyblob area
0x184000 0x200 [2.0.0+] NAND Patrol area

Boot Partition 1 (1 of 1)

The official name for this partition is "BootPartition2Root" and it has Bis Partition ID == 10.

Offset Size Description
0x000000 0x40000 SafeMode Firmware package1 from Title 010000000000081A
0x040000 0x40000 SafeMode Firmware package1 from Title 010000000000081A (backup)
0x080000 0x40000 Reserved
0x0C0000 0x40000 Reserved

System Update Control

The 0x4000 bytes at offset 0xFC000 are used by NS and boot for keeping track of the status of a system update. This area is used by the ISystemUpdateControl commands "ApplyDownloadedUpdate", "ApplyCardUpdate" and "ApplyReceivedUpdate".

Offset Size Description
0x0 0x1 BootImages status. Set to 1 by NS during a system update and cleared by boot after restarting.
0x1 0x1 BootImagesSafe status. Set to 1 by NS during a system update and cleared by boot after restarting.

Keyblob

Starting at offset 0x180000 is an array of 0x200-byte entries, for a total of 32 keyblobs. Each one is unique compared to the others and they are all console unique. This is officially known as the "EKS" (encryption key source) area.

From each 0x200-byte entry only the first 0xB0 bytes effectively form the keyblob as below.

Offset Size Description
0x0 0x10 Keyblob AES-CMAC over the next 0xA0 bytes (safe against timing attacks)
0x10 0x10 Keyblob AES CTR
0x20 0x90 Keyblob encrypted payload
0xB0 0x150 Unused, all-zero.

The active bootloader's version (offset 0x2330 in the BCT) acts as an index to control which keyblob should be installed into the system. NS uses this during system updates to install the keyblob into the customer data section in BCTs (offset 0x450).

Boot also uses this index for repairing corrupt sectors.

The currently active keyblob is officially known as "SecureInfo".

NAND Patrol

The 0x200 bytes at offset 0x184000 are used by FS for keeping track of NAND patrolling.

Offset Size Description
0x0 0x20 HMAC-SHA-256 over the next 0x1E0 bytes
0x20 0x4 Last patrolled NAND block's offset
0x24 0x4 NAND patrol count
0x28 0x1D8 Unused, all-zero.

User Partitions

Partition name Offset Size Bis Partition ID Encrypted Description
N/A 0x0 20 No GPT header, Bis-storage also allows raw access to the entire NAND eMMC sectors starting at sector0. The official name for this partition is "UserDataRoot".
PRODINFO 0x00004400 0x003FBC00 27 Yes (Bis key 0) "CAL0" raw partition containing set:cal data. The official name for this partition is "CalibrationBinary".
PRODINFOF 0x00400000 0x00400000 28 Yes (Bis key 0) FAT12 filesystem, additional calibration. The official name for this partition is "CalibrationFile".
BCPKG2-1-Normal-Main 0x00800000 0x00800000 21 No Raw partition where the first 0x4000 bytes (usually empty) contain the BootConfig and the remaining space contains the package2 image from Title 0100000000000819 by default. With the exFAT update installed, the package2 image is switched to the one from Title 010000000000081B. The official name for this partition is "BootConfigAndPackage2Part1".
BCPKG2-2-Normal-Sub 0x01000000 0x00800000 22 No Backup partition for BCPKG2-1-Normal-Main. The official name for this partition is "BootConfigAndPackage2Part2".
BCPKG2-3-SafeMode-Main 0x01800000 0x00800000 23 No Raw partition where the first 0x4000 bytes (usually empty) contain the BootConfig and the remaining space contains the package2 image from Title 010000000000081A by default. On [4.0.0+] and with the exFAT update installed, the package2 image is switched to the one from Title 010000000000081C. The official name for this partition is "BootConfigAndPackage2Part3".
BCPKG2-4-SafeMode-Sub 0x02000000 0x00800000 24 No Backup partition for BCPKG2-3-SafeMode-Main. The official name for this partition is "BootConfigAndPackage2Part4".
BCPKG2-5-Repair-Main 0x02800000 0x00800000 25 No Installed at the factory, never written afterwards on retail. In one case this is identical to normal 1.0.0 package2, except this has encrypted data at the end padded for 0x1000-byte alignment. The official name for this partition is "BootConfigAndPackage2Part5".
BCPKG2-6-Repair-Sub 0x03000000 0x00800000 26 No Backup partition for BCPKG2-5-Repair-Main. The official name for this partition is "BootConfigAndPackage2Part6".
SAFE 0x03800000 0x04000000 29 Yes (Bis key 1) FAT32 filesystem. The official name for this partition is "SafeMode".
SYSTEM 0x07800000 0xA0000000 31, 32 and 33 Yes (Bis key 2) FAT32 filesystem. The official names for these partitions are "System", "SystemProperEncryption" and "SystemProperPartition".
USER 0xA7800000 0x680000000 30 Yes (Bis key 3) FAT32 filesystem.
0x747BFFE00 0x200 No This is the backup GPT header specified by the main GPT header. This is also the last sector readable with Bis-storage paritionID 20.

If the client process lacks the relevant permission for any of the above partition IDs, error 0x2EE202 is returned.

NCAs stored in NAND are raw, identical to the data readable with NCM_services#ReadContentIdFile.

The filenames for saveimages is just "<lower-case hex u64 saveID>". SYSTEM-partition saveIDs are specified by FS commands, while USER-partition saveIDs are determined by FS-module internally. The high u32 of the saveID is normally either 0x00000000 or 0x80000000.

Encrypted partitions use AES-XTS using the same non-standard tweak (tweak[0] = sectorIdx[MSB] .. tweak[15] = sectorIdx[LSB], if using 32bit sectorIdx that means tweak[0]..tweak[11] are 0, with tweak[12]..tweak[15] containing big-endian sectorIdx) as other Nintendo AES-XTS code, initial_sector = 0, and sector size 0x4000. All encrypted partitions use console unique keydata.

PRODINFOF

PRODINFOF
├── Certifications
│   └── WirelessCertification.png
└── ptd
    ├── DeviceIdWithEmsBit.dat
    ├── Ecid.dat
    ├── prodCode.dat
    └── log
        ├── Process_asm1.log
        ├── Process_board1.log
        ├── TestFlagLine.log
        ├── TestFlagQc.log
        ├── AGING
        │   └── Sequence.log
        ├── BOARD_TEST
        │   └── Sequence.log
        ├── BOARD_WIRELESS
        │   └── Sequence.log
        ├── FINAL_CHECK
        │   └── Sequence.log
        ├── LCD_AND_KEY
        │   └── Sequence.log
        └── USB_AND_HP
            └── Sequence.log

DeviceIdWithEmsBit.dat

Contains a 0x10-byte uppercase hex string, identical to the DeviceId in the DeviceCert.

SYSTEM

SYSTEM
├── PRF2SAFE.RCV
├── Contents
│   ├── registered
│   │   └── ... NCA
│   └── placehld
│       └── ... NCA
├── save
│   └── ...
└── saveMeta
    └── ... (empty?)

The saves stored under this partition are only for system-titles / etc.

USER

USER
├── PRF2SAFE.RCV
├── Album (Same layout as SD)
├── Contents
│   ├── registered
│   │   └── ... NCA
│   └── placehld
│       └── ... NCA
├── save
│   └── ...
├── saveMeta
│   └── ... 
└── temp

The saves for all non-system applications, regardless of where the application is located(storageID), is stored here. Each user account which has savedata has a separate saveimage. Save-common for an application is presumably a separate saveimage too. Every saveimage here is only for applications.

SAFE

SAFE
├── PRF2SAFE.RCV
├── Contents
│   ├── registered
│   │   └── ... NCA (nothing installed?)
│   └── placehld
│       └── ... NCA
└── save
    ├── 8000000000000000
    └── 8000000000000120

On a v2.1 system with MountBis, the only thing under here is "PRF2SAFE.RCV".

System Savegames

This is a listing of known System Savedata and what titles they correspond to.

SaveID Owner Mount Notes
0x8000000000000000 fs saveDataIxrDb:/, saveDataIxrDbSf:/, saveDataIxrDbPr:/, saveDataIxrDbSd:/ Contains imkvdb.arc and "lastPublishedId".
0x8000000000000010 account account:/ Account database.
0x8000000000000011 account idgen:/
0x8000000000000020 nfc data:/ NFC data and backups.
0x8000000000000030 ns mii:/ Mii database.
0x8000000000000031 ns mii:/ Mii test mode database.
0x8000000000000040 ns apprecdb:/
0x8000000000000041 ns nsaccache:/ Home menu icondata/lru list for recently played games.
0x8000000000000043 ns ns_appman:/
0x8000000000000044 ns ns_sysup:/ Content update context.
0x8000000000000045 ns vmdb:/ Required Version List storage. Also contained Version List storage before 7.0.0.
0x8000000000000046 ns dtlman:/
0x8000000000000047 ns ns_exfat:/
0x8000000000000048 ns ns_systemseed:/
0x8000000000000049 ns ns_ssversion:/ Safe System version.
0x8000000000000050 settings SystemSettings:/
0x8000000000000051 settings FwdbgSettingsS:/
0x8000000000000052 settings PrivateSettings:/
0x8000000000000053 settings DeviceSettings:/
0x8000000000000054 settings ApplnSettings:/
0x8000000000000060 ssl SslSave:/
0x8000000000000070 nim nim_sys:/
0x8000000000000071 nim nim_net:/
0x8000000000000072 nim nim_tmp:/
0x8000000000000073 nim nim_dac:/
0x8000000000000074 nim nim_delta:/
0x8000000000000075 nim nim_vac:/
0x8000000000000076 nim nim_local:/
0x8000000000000077 nim nim_lsys:/
0x8000000000000078 nim nim_eca_dbg:/
0x8000000000000080 friends friends:/ Per-user savedata.
0x8000000000000081 friends friends-sys:/
0x8000000000000082 friends friends-image:/
0x8000000000000090 bcat news:/ Actual news msgpack archives.
0x8000000000000091 bcat news-sys:/ News metadata, tasklist, history, database, required system version, etc.
0x8000000000000092 bcat news-dl:/ Storage for newly(?) downloaded news list/data.
0x80000000000000A0 bcat prepo-sys:/ Play Report system information.
0x80000000000000A1 bcat prepo:/ Play Report msgpack archives.
0x80000000000000A2 bcat prepo-ap:/
0x80000000000000B0 bsdsockets nsdsave:/ Socket configuration saved data.
0x80000000000000C1 bcat bcat-sys:/
0x80000000000000C2 bcat bcat-dl:/
0x80000000000000D1 erpt save:/ Contains "/journal" report listing + actual crash reports ("/%08x-%04x-%04x-%02x%02x-%04x%08x"), which are serialized via MsgPack.
0x80000000000000E0 es escertificate:/
0x80000000000000E1 es escommon:/
0x80000000000000E2 es espersonalized:/
0x80000000000000E3 es esmetarecord:/
0x80000000000000E4 es eselicense:/
0x80000000000000F0 ns pdm:/ Play Data log. Per-user savedata.
0x8000000000000100 pctl pctlss:/ Parental Control settings.
0x8000000000000110 npns npns_save:/ Push notifications persistent storage.
0x8000000000000120 ncm ? meta/imkvdb.arc for system partition. Cache of data extracted from the CNMT for installed firmware titles (including 816).
0x8000000000000121 ncm ? meta/imkvdb.arc for user partition. Cache of data extracted from the CNMT for installed game, update, and DLC titles.
0x8000000000000122
0x8000000000000130 migration state:/
0x8000000000000131 migration context:/
0x8000000000000140 capsrv TM:/
0x8000000000000150 olsc ?
0x8000000000000153 olsc ?
0x8000000000000180 sdb ? Version list was moved here in 7.0.0 or 7.0.1
0x8000000000000190 glue ?
0x8000000000001010 qlaunch Contains "savedata.dat".
0x8000000000001020 swkbd Per-user savedata.
0x8000000000001040 miiEdit
0x8000000000001050 miiEdit Contains "database.dat". Possibly Mii data and Mii texture data?
0x8000000000001060 shop
0x8000000000001061 shop Per-user savedata.
0x8000000000001070 web
0x8000000000001071 web Per-user savedata.
0x8000000000001091 loginShare Per-user savedata.
0x80000000000010B0 playerSelect Contains "savedata.dat". Per-user savedata.
0x80000000000010C0 myPage Per-user savedata.
0x8000000000010003 bcat
0x8000000000010004 bcat
Retrieved from "https://switchbrew.org/w/index.php?title=Flash_Filesystem&oldid=8060"