Changes

Fuses (view source)

Revision as of 02:33, 18 June 2019

12,320 bytes added , 02:33, 18 June 2019

→‎Anti-downgrade

Line 35: Line 35:

| 0x7000F81C

|-

−

| FUSE_PRIV2INTFC

+

| [[#FUSE_PRIV2INTFC|FUSE_PRIV2INTFC]]

| 0x7000F820

|-

Line 53: Line 53:

| 0x7000F834

|-

+

| FUSE_PRIV2RESHIFT

+

| 0x7000F83C

+

|-

+

| FUSE_TIME_RD3

+

| 0x7000F84C

+

|-

+

| FUSE_PRIVATE_KEY0_NONZERO

+

| 0x7000F880

+

|-

+

| FUSE_PRIVATE_KEY1_NONZERO

+

| 0x7000F884

+

|-

+

| FUSE_PRIVATE_KEY2_NONZERO

+

| 0x7000F888

+

|-

+

| FUSE_PRIVATE_KEY3_NONZERO

+

| 0x7000F88C

+

|-

+

| FUSE_PRIVATE_KEY4_NONZERO

+

| 0x7000F890

|}

Line 62: Line 82:

| 0-1

| Fuse command (1 = FUSE_READ; 2 = FUSE_WRITE; 3 = FUSE_SENSE)

+

|-

+

| 16-20

+

| Fuse state (4 = STATE_IDLE)

|-

| 26

| Fuse power down mode flag (FUSE_CTRL_PD)

|-

+

| 30

+

| Fuse sense status (FUSE_CTRL_SENSE_DONE)

|}

Line 82: Line 107:

==== FUSE_TIME_PGM2 ====

This register takes the fuse programming pulse (0xC0 == 19200 kHz).

+

==== FUSE_PRIV2INTFC ====

+

{| class="wikitable" border="1"

+

! Bits

+

! Description

+

|-

+

| 0

+

| FUSE_PRIV2INTFC_SDATA

+

|-

+

| 1

+

| FUSE_PRIV2INTFC_SKIP_RECORDS

+

|}

==== FUSE_DIS_PGM ====

Line 88: Line 125:

==== FUSE_WRITE_ACCESS ====

If set to 0x01, this register disables software writes to the fuse driver registers.

−

=== Cache registers ===

Line 97: Line 133:

| FUSE_PRODUCTION_MODE

| 0x7000F900

+

|-

+

| FUSE_JTAG_SECUREID_VALID

+

| 0x7000F904

+

|-

+

| FUSE_ODM_LOCK

+

| 0x7000F908

+

|-

+

| FUSE_OPT_OPENGL_EN

+

| 0x7000F90C

|-

| [[#FUSE_SKU_INFO|FUSE_SKU_INFO]]

| 0x7000F910

|-

−

| ~~FUSE_CPU_SPEEDO_0~~

+

| FUSE_CPU_SPEEDO_0_CALIB

| 0x7000F914

|-

−

| ~~FUSE_CPU_IDDQ~~

+

| FUSE_CPU_IDDQ_CALIB

| 0x7000F918

|-

−

| ~~FUSE_FT_REV~~

+

| FUSE_DAC_CRT_CALIB

+

| 0x7000F91C

+

|-

+

| FUSE_DAC_HDTV_CALIB

+

| 0x7000F920

+

|-

+

| FUSE_DAC_SDTV_CALIB

+

| 0x7000F924

+

|-

+

| [[#FUSE_OPT_FT_REV|FUSE_OPT_FT_REV]]

| 0x7000F928

|-

−

| ~~FUSE_CPU_SPEEDO_1~~

+

| FUSE_CPU_SPEEDO_1_CALIB

| 0x7000F92C

|-

−

| ~~FUSE_CPU_SPEEDO_2~~

+

| FUSE_CPU_SPEEDO_2_CALIB

| 0x7000F930

|-

−

| ~~FUSE_SOC_SPEEDO_0~~

+

| FUSE_SOC_SPEEDO_0_CALIB

| 0x7000F934

|-

−

| [[#~~FUSE_SOC_SPEEDO_1~~|~~FUSE_SOC_SPEEDO_1~~]]

+

| [[#FUSE_SOC_SPEEDO_1_CALIB|FUSE_SOC_SPEEDO_1_CALIB]]

| 0x7000F938

|-

−

| ~~FUSE_SOC_SPEEDO_2~~

+

| FUSE_SOC_SPEEDO_2_CALIB

| 0x7000F93C

|-

−

| ~~FUSE_SOC_IDDQ~~

+

| FUSE_SOC_IDDQ_CALIB

| 0x7000F940

+

|-

+

| FUSE_RESERVED_PRODUCTION_WP

+

| 0x7000F944

|-

| [[#FUSE_FA|FUSE_FA]]

| 0x7000F948

+

|-

+

| FUSE_RESERVED_PRODUCTION

+

| 0x7000F94C

+

|-

+

| FUSE_HDMI_LANE0_CALIB

+

| 0x7000F950

+

|-

+

| FUSE_HDMI_LANE1_CALIB

+

| 0x7000F954

+

|-

+

| FUSE_HDMI_LANE2_CALIB

+

| 0x7000F958

+

|-

+

| FUSE_HDMI_LANE3_CALIB

+

| 0x7000F95C

+

|-

+

| FUSE_ENCRYPTION_RATE

+

| 0x7000F960

|-

| [[#FUSE_PUBLIC_KEY|FUSE_PUBLIC_KEY0]]

Line 155: Line 230:

| 0x7000F980

|-

−

| ~~FUSE_TSENSOR_1~~

+

| FUSE_TSENSOR1_CALIB

| 0x7000F984

|-

−

| ~~FUSE_TSENSOR_2~~

+

| FUSE_TSENSOR2_CALIB

| 0x7000F988

|-

−

| ~~FUSE_CP_REV~~

+

| FUSE_VSENSOR_CALIB

+

| 0x7000F98C

+

|-

+

| [[#FUSE_OPT_CP_REV|FUSE_OPT_CP_REV]]

| 0x7000F990

|-

−

| ~~FUSE_TSENSOR_0~~

+

| FUSE_OPT_PFG

+

| 0x7000F994

+

|-

+

| FUSE_TSENSOR0_CALIB

| 0x7000F998

|-

−

| ~~FUSE_FIRST_BOOTROM_PATCH_SIZE_REG~~

+

| FUSE_FIRST_BOOTROM_PATCH_SIZE

| 0x7000F99C

|-

Line 187: Line 268:

| [[#FUSE_PRIVATE_KEY|FUSE_PRIVATE_KEY4]]

| 0x7000F9B4

+

|-

+

| FUSE_ARM_JTAG_DIS

+

| 0x7000F9B8

|-

| FUSE_BOOT_DEVICE_INFO

Line 194: Line 278:

| 0x7000F9C0

|-

−

| ~~FUSE_VP8_ENABLE~~

+

| FUSE_OPT_VP9_DISABLE

| 0x7000F9C4

|-

Line 221: Line 305:

| 0x7000F9E4

|-

−

| ~~FUSE_SKU_USB_CALIB~~

+

| FUSE_OBS_DIS

+

| 0x7000F9E8

+

|-

+

| FUSE_NOR_INFO

+

| 0x7000F9EC

+

|-

+

| FUSE_USB_CALIB

| 0x7000F9F0

|-

Line 227: Line 317:

| 0x7000F9F4

|-

−

| ~~FUSE_VENDOR_CODE~~

+

| FUSE_KFUSE_PRIVKEY_CTRL

+

| 0x7000F9F8

+

|-

+

| FUSE_PACKAGE_INFO

+

| 0x7000F9FC

+

|-

+

| FUSE_OPT_VENDOR_CODE

| 0x7000FA00

|-

−

| ~~FUSE_FAB_CODE~~

+

| FUSE_OPT_FAB_CODE

| 0x7000FA04

|-

−

| ~~FUSE_LOT_CODE_0~~

+

| FUSE_OPT_LOT_CODE_0

| 0x7000FA08

|-

−

| ~~FUSE_LOT_CODE_1~~

+

| FUSE_OPT_LOT_CODE_1

| 0x7000FA0C

|-

−

| ~~FUSE_WAFER_ID~~

+

| FUSE_OPT_WAFER_ID

| 0x7000FA10

|-

−

| ~~FUSE_X_COORDINATE~~

+

| FUSE_OPT_X_COORDINATE

| 0x7000FA14

|-

−

| ~~FUSE_Y_COORDINATE~~

+

| FUSE_OPT_Y_COORDINATE

| 0x7000FA18

+

|-

+

| FUSE_OPT_SEC_DEBUG_EN

+

| 0x7000FA1C

+

|-

+

| FUSE_OPT_OPS_RESERVED

+

| 0x7000FA20

|-

| FUSE_SATA_CALIB

| 0x7000FA24

|-

−

| ~~FUSE_GPU_IDDQ~~

+

| FUSE_GPU_IDDQ_CALIB

| 0x7000FA28

|-

−

| ~~FUSE_TSENSOR_3~~

+

| FUSE_TSENSOR3_CALIB

| 0x7000FA2C

+

|-

+

| FUSE_SKU_BOND_OUT_L

+

| 0x7000FA30

+

|-

+

| FUSE_SKU_BOND_OUT_H

+

| 0x7000FA34

+

|-

+

| FUSE_SKU_BOND_OUT_U

+

| 0x7000FA38

+

|-

+

| FUSE_SKU_BOND_OUT_V

+

| 0x7000FA3C

+

|-

+

| FUSE_SKU_BOND_OUT_W

+

| 0x7000FA40

+

|-

+

| FUSE_OPT_SAMPLE_TYPE

+

| 0x7000FA44

|-

| FUSE_OPT_SUBREVISION

| 0x7000FA48

|-

−

| ~~FUSE_TSENSOR_4~~

+

| FUSE_OPT_SW_RESERVED_0

+

| 0x7000FA4C

+

|-

+

| FUSE_OPT_SW_RESERVED_1

+

| 0x7000FA50

+

|-

+

| FUSE_TSENSOR4_CALIB

| 0x7000FA54

|-

−

| ~~FUSE_TSENSOR_5~~

+

| FUSE_TSENSOR5_CALIB

| 0x7000FA58

|-

−

| ~~FUSE_TSENSOR_6~~

+

| FUSE_TSENSOR6_CALIB

| 0x7000FA5C

|-

−

| ~~FUSE_TSENSOR_7~~

+

| FUSE_TSENSOR7_CALIB

| 0x7000FA60

|-

−

| ~~FUSE_OPT_PRIV_SEC_DIS~~

+

| FUSE_OPT_PRIV_SEC_EN

| 0x7000FA64

|-

| [[#FUSE_PKC_DISABLE|FUSE_PKC_DISABLE]]

| 0x7000FA68

+

|-

+

| FUSE_FUSE2TSEC_DEBUG_DISABLE

+

| 0x7000FA7C

|-

| FUSE_TSENSOR_COMMON

| 0x7000FA80

|-

−

| ~~FUSE_DEBUG_AUTH_OVERRIDE~~

+

| FUSE_OPT_CP_BIN

+

| 0x7000FA84

+

|-

+

| FUSE_OPT_GPU_DISABLE

+

| 0x7000FA88

+

|-

+

| FUSE_OPT_FT_BIN

+

| 0x7000FA8C

+

|-

+

| FUSE_OPT_DONE_MAP

+

| 0x7000FA90

+

|-

+

| FUSE_APB2JTAG_DISABLE

+

| 0x7000FA98

+

|-

+

| FUSE_ODM_INFO

| 0x7000FA9C

|-

−

| ~~FUSE_TSENSOR_8~~

+

| FUSE_ARM_CRYPT_DE_FEATURE

+

| 0x7000FAA8

+

|-

+

| FUSE_WOA_SKU_FLAG

+

| 0x7000FAC0

+

|-

+

| FUSE_ECO_RESERVE_1

+

| 0x7000FAC4

+

|-

+

| FUSE_GCPLEX_CONFIG_FUSE

+

| 0x7000FAC8

+

|-

+

| FUSE_PRODUCTION_MONTH

+

| 0x7000FACC

+

|-

+

| FUSE_RAM_REPAIR_INDICATOR

+

| 0x7000FAD0

+

|-

+

| FUSE_TSENSOR9_CALIB

| 0x7000FAD4

+

|-

+

| FUSE_VMIN_CALIBRATION

+

| 0x7000FADC

+

|-

+

| FUSE_AGING_SENSOR_CALIBRATION

+

| 0x7000FAE0

+

|-

+

| FUSE_DEBUG_AUTHENTICATION

+

| 0x7000FAE4

|-

| FUSE_SECURE_PROVISION_INDEX

| 0x7000FAE8

|-

−

| ~~FUSE_RESERVED_CALIB~~

+

| FUSE_SECURE_PROVISION_INFO

+

| 0x7000FAEC

+

|-

+

| FUSE_OPT_GPU_DISABLE_CP1

+

| 0x7000FAF0

+

|-

+

| FUSE_SPARE_ENDIS

+

| 0x7000FAF4

+

|-

+

| FUSE_ECO_RESERVE_0

+

| 0x7000FAF8

+

|-

+

| FUSE_SPARE_REALIGNMENT_REG_OLD

+

| 0x7000FAFC

+

|-

+

| FUSE_RESERVED_CALIB0

| 0x7000FB04

|-

−

| ~~FUSE_TSENSOR_9~~

+

| FUSE_RESERVED_CALIB1

+

| 0x7000FB08

+

|-

+

| FUSE_OPT_GPU_TPC0_DISABLE

+

| 0x7000FB0C

+

|-

+

| FUSE_OPT_GPU_TPC0_DISABLE_CP1

+

| 0x7000FB10

+

|-

+

| FUSE_OPT_CPU_DISABLE

+

| 0x7000FB14

+

|-

+

| FUSE_OPT_CPU_DISABLE_CP1

+

| 0x7000FB18

+

|-

+

| FUSE_TSENSOR10_CALIB

| 0x7000FB1C

+

|-

+

| FUSE_TSENSOR10_CALIB_AUX

+

| 0x7000FB20

+

|-

+

| FUSE_OPT_RAM_SVOP_DP

+

| 0x7000FB24

+

|-

+

| FUSE_OPT_RAM_SVOP_PDP

+

| 0x7000FB28

+

|-

+

| FUSE_OPT_RAM_SVOP_REG

+

| 0x7000FB2C

+

|-

+

| FUSE_OPT_RAM_SVOP_SP

+

| 0x7000FB30

+

|-

+

| FUSE_OPT_RAM_SVOP_SMPDP

+

| 0x7000FB34

+

|-

+

| FUSE_OPT_GPU_TPC0_DISABLE_CP2

+

| 0x7000FB38

+

|-

+

| FUSE_OPT_GPU_TPC1_DISABLE

+

| 0x7000FB3C

+

|-

+

| FUSE_OPT_GPU_TPC1_DISABLE_CP1

+

| 0x7000FB40

+

|-

+

| FUSE_OPT_GPU_TPC1_DISABLE_CP2

+

| 0x7000FB44

+

|-

+

| FUSE_OPT_CPU_DISABLE_CP2

+

| 0x7000FB48

+

|-

+

| FUSE_OPT_GPU_DISABLE_CP2

+

| 0x7000FB4C

|-

| FUSE_USB_CALIB_EXT

| 0x7000FB50

+

|-

+

| FUSE_RESERVED_FIELD

+

| 0x7000FB54

+

|-

+

| FUSE_OPT_ECC_EN

+

| 0x7000FB58

+

|-

+

| FUSE_SPARE_REALIGNMENT_REG

+

| 0x7000FB7C

|-

| FUSE_SPARE_BIT_0

Line 305: Line 551:

| 0x7000FB84

|-

−

| FUSE_SPARE_BIT_2

+

| [[#FUSE_SPARE_BIT_2|FUSE_SPARE_BIT_2]]

| 0x7000FB88

|-

−

| FUSE_SPARE_BIT_3

+

| [[#FUSE_SPARE_BIT_3|FUSE_SPARE_BIT_3]]

| 0x7000FB8C

|-

−

| FUSE_SPARE_BIT_4

+

| [[#FUSE_SPARE_BIT_4|FUSE_SPARE_BIT_4]]

| 0x7000FB90

|-

Line 394: Line 640:

| FUSE_SPARE_BIT_31

| 0x7000FBFC

−

|-

|}

==== FUSE_SKU_INFO ====

Stores the SKU ID (must be 0x83).

+

==== FUSE_OPT_FT_REV ====

+

Stores the FT (Final Test) revision.

+

Original launch units have this value set to 0xA0 (revision 5.0). The first batch of patched units have this value set to 0xC0 (revision 6.0). The second batch of patched units have this value set to 0xE0 (revision 7.0)

==== FUSE_FA ====

Stores failure analysis mode.

−

==== ~~FUSE_SOC_SPEEDO_1~~ ====

+

==== FUSE_SOC_SPEEDO_1_CALIB ====

Stores the bootrom patch version.

==== FUSE_RESERVED_ODM0 ====

−

This ~~appears to store~~ an hardware ID.

+

This stores an hardware ID.

==== FUSE_RESERVED_ODM1 ====

−

This ~~appears to store~~ an hardware ID.

+

This stores an hardware ID.

==== FUSE_RESERVED_ODM2 ====

Line 418: Line 668:

|-

| 0-4

−

| [5.0.0+] Used as key generation

+

| [5.0.0+] Used as key generation (patched units only)

|}

−

This ~~appears to store~~ an hardware ID.

+

This stores an hardware ID in original launch units, but in patched units it stores a single value (key generation).

==== FUSE_RESERVED_ODM3 ====

−

This ~~appears to store~~ an hardware ID.

+

This stores an hardware ID in original launch units, but in patched units it's empty.

==== FUSE_RESERVED_ODM4 ====

Line 439: Line 689:

| [1.0.0-3.0.2] 3-5

[4.0.0+] 3-7

−

| DRAM id

+

| DRAM ID

|-

| 8

Line 448: Line 698:

|-

| 10

−

| [4.0.0+] Kiosk mode (0 = retail; 1 = kiosk)

+

| [3.0.0+] Kiosk mode (0 = retail; 1 = kiosk)

|-

| 11

−

| [5.0.0+] ~~SoC variant~~ (0 = ~~T210~~; 1 = ~~T214~~)

+

| [5.0.0+] Unit patch flag (0 = unpatched; 1 = patched)

|-

| 16-19

−

| [4.0.0+] New unit type

+

| [4.0.0+] New unit type (0 = Erista; 1 = Mariko)

|}

Line 465: Line 715:

This register returns the value programmed into index 0x3C of the fuse array.

−

==== ~~FUSE_SPARE_BIT_5~~ ====

+

==== FUSE_PUBLIC_KEY ====

−

~~Must be non~~-~~zero on retail units, otherwise~~ the ~~first bootloader panics~~.

+

This stores the SHA256 hash of the 2048-bit RSA key expected at BCT+0x210.

−

~~On debug~~ units ~~it can be zero, which tells the bootloader~~ to ~~choose from two debug master key seeds~~. If set to ~~non-zero on a debug unit, it tells the bootloader to choose from two retail master key seeds~~ (~~only the last one matches the retail master key seed~~).

+

==== FUSE_OPT_CP_REV ====

+

Stores the CP (Chip Probing) revision.

+

Original launch units have this value set to 0xA0 (revision 5.0). Patched units have this value set to 0x103 (revision 8.3).

==== FUSE_PRIVATE_KEY ====

This stores the 160-bit private key (128 bit SBK + 32-bit device key).

Reads to these registers after the SBK is locked out produce all-FF output.

−

~~==== FUSE_PUBLIC_KEY ====~~

−

~~This stores the SHA256 hash of the 2048-bit RSA key expected at BCT+0x210.~~

==== FUSE_RESERVED_SW ====

Line 501: Line 752:

This caches the value of the sw_reserved fuse from the hardware array.

+

Original launch units have the RCM USB controller mode set to USB 2.0, while the first batch of patched units have the RCM USB controller mode set to XUSB.

==== FUSE_PKC_DISABLE ====

This caches the value of the pkc_disable fuse from the hardware array.

+

==== FUSE_SPARE_BIT_2 ====

+

Stores part of the speedo fusing revision.

+

==== FUSE_SPARE_BIT_3 ====

+

Stores part of the speedo fusing revision.

+

==== FUSE_SPARE_BIT_4 ====

+

Stores part of the speedo fusing revision.

+

==== FUSE_SPARE_BIT_5 ====

+

Must be non-zero on retail units, otherwise the first bootloader panics.

+

On debug units it can be zero, which tells the bootloader to choose from two debug master key seeds. If set to non-zero on a debug unit, it tells the bootloader to choose from two master key seeds (with the second one being the retail master key seed).

+

[4.0.0+] This value is no longer used during boot.

== eFuses ==

Line 563: Line 831:

| 0x52

| 1

+

|-

+

| debug_authentication

+

| 0x5A

+

| 5

+

|-

+

| aid

+

| 0x67

+

| 32

|-

| [[#bootrom_ipatch|bootrom_ipatch]]

| 0x72

| 624

−

|-

|}

Line 576: Line 851:

=== bootrom_ipatch ===

Tegra210 based hardware such as the Switch provides support for bootrom patches. The patch data is burned to the hardware fuse array using a specific format (see [https://gist.github.com/shuffle2/f8728159da100e9df2606d43925de0af shuffle2's ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP.

−

~~The revision stored in FUSE_CP_REV indicates the unique set of values stored in ipatch fuses.~~

The following represents the patch data dumped from a Switch console:

Line 585: Line 858:

RAM:00000000

RAM:00000000 irom_svc_dispatch

−

RAM:00000000 STMFD SP!, {R0-R2} ; ipatches:

+

RAM:00000000 STMFD SP!, {R0-R2} ; ipatches (new):

+

RAM:00000000 ; 0 b57df00 16ae df00 : svc #0x00 (offset 0x48)

+

RAM:00000000 ; 1 1820df22 3040 df22 : svc #0x22 (offset 0x8c)

+

RAM:00000000 ; 2 3797df26 6f2e df26 : svc #0x26 (offset 0x94)

+

RAM:00000000 ; 3 3b4d2100 769a 2100 : movs r1, #0x00

+

RAM:00000000 ; 4 42bdf2c 856 df2c : svc #0x2c (offset 0xa0)

+

RAM:00000000 ; 5 37aadf42 6f54 df42 : svc #0x42 (offset 0xcc)

+

RAM:00000000 ; 6 972df4b 12e4 df4b : svc #0x4b (offset 0xde)

+

RAM:00000000 ; 7 2293df54 4526 df54 : svc #0x54 (offset 0xf0)

+

RAM:00000000 ; 8 21fadf5d 43f4 df5d : svc #0x5d (offset 0x102)

+

RAM:00000000 ; 9 bba2ac57 17744 ac57 : data

+

RAM:00000000 ; 10 bbac3d19 17758 3d19 : data

+

RAM:00000000 ; 11 1e952001 3d2a 2001 : movs r0, #0x01

+

RAM:00000000 ;

+

RAM:00000000 ; ipatches (old):

RAM:00000000 ; 0 b57df00 16ae df00 : svc #0x00 (offset 0x48)

RAM:00000000 ; 1 1820df22 3040 df22 : svc #0x22 (offset 0x8c)

Line 815: Line 1,102:

The last 4 patches are exclusive to the Switch, while the remaining ones are often included in most Tegra210 based devices.

+

==== ipatch 0 ====

+

This patch configures clock enables and clock gate overrides for new hardware.

+

+

u32 CLK_ENB_H_SET = 0x60006328;

+

u32 CLK_ENB_L_SET = 0x60006320;

+

u32 CLK_ENB_U_SET = 0x60006330;

+

u32 CLK_ENB_V_SET = 0x60006440;

+

u32 CLK_ENB_W_SET = 0x60006448;

+

u32 CLK_ENB_X_SET = 0x60006284;

+

u32 CLK_ENB_Y_SET = 0x6000629C;

+

u32 LVL2_CLK_GATE_OVRA = 0x600060F8;

+

u32 LVL2_CLK_GATE_OVRB = 0x600060FC;

+

u32 LVL2_CLK_GATE_OVRC = 0x600063A0;

+

u32 LVL2_CLK_GATE_OVRD = 0x600063A4;

+

u32 LVL2_CLK_GATE_OVRE = 0x60006554;

+

u32 CLK_SOURCE_VI = 0x60006148;

+

u32 CLK_SOURCE_HOST1X = 0x60006180;

+

u32 CLK_SOURCE_NVENC = 0x600066A0;

+

// Set all clock enables and overrides

+

*(u32 *)CLK_ENB_V_SET = 0xFFFFFFFF;

+

*(u32 *)CLK_ENB_W_SET = 0xFFFFFFFF;

+

*(u32 *)LVL2_CLK_GATE_OVRA = 0xFFFFFFFF;

+

*(u32 *)LVL2_CLK_GATE_OVRB = 0xFFFFFFFF;

+

*(u32 *)CLK_ENB_X_SET = 0xFFFFFFFF;

+

*(u32 *)CLK_ENB_Y_SET = 0xFFFFFFFF;

+

*(u32 *)CLK_ENB_L_SET = 0xFFFFFFFF;

+

*(u32 *)CLK_ENB_H_SET = 0xFFFFFFFF;

+

*(u32 *)CLK_ENB_U_SET = 0xFFFFFFFF;

+

*(u32 *)LVL2_CLK_GATE_OVRC = 0xFFFFFFFF;

+

*(u32 *)LVL2_CLK_GATE_OVRD = 0xFFFFFFFF;

+

*(u32 *)LVL2_CLK_GATE_OVRE = 0xFFFFFFFF;

+

// Set VI, HOST1X and NVENC clock sources to CLK_M

+

*(u32 *)CLK_SOURCE_VI = 0xA0000000;

+

*(u32 *)CLK_SOURCE_HOST1X = 0xA0000000;

+

*(u32 *)CLK_SOURCE_NVENC = 0xE0000000;

+

/*

+

Untranslated instructions:

+

MOVS R1, #0

+

MOVS R0, #0xE

+

*/

+

return;

+

</syntaxhighlight>

+

==== ipatch 1 ====

+

This patch is a bugfix.

+

LP0 resume code expects APBDEV_PMC_SCRATCH190_0 to be set to 0x01, but the bootrom didn't set it.

+

+

u32 APBDEV_PMC_SCRATCH190_0 = 0x7000EC18;

+

u32 pmc_scratch190_val = *(u32 *)APBDEV_PMC_SCRATCH190_0;

+

return (pmc_scratch190_val | 0x01);

+

</syntaxhighlight>

+

==== ipatch 2 ====

+

This patch adjusts USB configurations.

+

+

u32 USB1_UTMIP_SPARE_CFG0_0 = 0x7D000834;

+

u32 USB1_UTMIP_BIAS_CFG2_0 = 0x7D000850;

+

// Increase UTMIP_HSSQUELCH_LEVEL_NEW by 0x02

+

*(u32 *)USB1_UTMIP_BIAS_CFG2_0 += 0x02;

+

// Clear FUSE_HS_IREF_CAP_CFG

+

*(u32 *)USB1_UTMIP_SPARE_CFG0_0 = ((*(u32 *)USB1_UTMIP_SPARE_CFG0_0 & ~(0x118)) - 0x80);

+

return;

+

</syntaxhighlight>

+

==== ipatch 3 ====

+

This patch ensures that waiting on PRC_PENDING from the XUSB_DEV register T_XUSB_DEV_XHCI_PORTSC never fails.

+

In the second batch of patched units ([[#FUSE_OPT_FT_REV|FUSE_OPT_FT_REV]] set to revision 7.0) this patch has been replaced with a fix for [[Switch_System_Flaws#Hardware|CVE-2018-6242]] (arbitrary copy when handling USB control requests in RCM). By setting R1 to 0 at address 0x0010769A in the bootrom, the upper 16 bits of the USB control request's wLength field are cleared out, effectively limiting the request's size to a maximum of 255 bytes.

+

==== ipatch 4 ====

+

This patch allows backing up and restoring strapping options for warmboot.

+

+

u32 APBDEV_PMC_SCRATCH0_0 = 0x7000E450;

+

u32 APBDEV_PMC_RST_STATUS_0 = 0x7000E5B4;

+

u32 APBDEV_PMC_SEC_DISABLE8_0 = 0x7000E9C0;

+

u32 APBDEV_PMC_SECURE_SCRATCH111_0 = 0x7000EF14;

+

u32 APB_MISC_PP_STRAPPING_OPT_A_0 = 0x70000008;

+

u32 reset_status = *(u32 *)APBDEV_PMC_RST_STATUS_0;

+

// Check for regular power on

+

if (reset_status == 0)

+

{

+

// Set all buttons in RCM_STRAPS and backup to PMC scratch

+

*(u32 *)APBDEV_PMC_SECURE_SCRATCH111_0 = (*(u32 *)APB_MISC_PP_STRAPPING_OPT_A_0 | 0x1C00);

+

}

+

else

+

{

+

// Restore strapping options from PMC scratch

+

*(u32 *)APB_MISC_PP_STRAPPING_OPT_A_0 = *(u32 *)APBDEV_PMC_SECURE_SCRATCH111_0;

+

}

+

// Disable write access to APBDEV_PMC_SECURE_SCRATCH111_0

+

*(u32 *)APBDEV_PMC_SEC_DISABLE8_0 |= 0x4000;

+

return *(u32 *)APBDEV_PMC_SCRATCH0_0;

+

</syntaxhighlight>

+

==== ipatch 5 ====

+

This patch adjusts USB configurations.

+

+

u32 USB1_UTMIP_HSRX_CFG0_0 = 0x7D000810;

+

u32 USB1_UTMIP_BIAS_CFG2_0 = 0x7D000850;

+

// Clear UTMIP_IDLE_WAIT, UTMIP_ELASTIC_LIMIT and UTMIP_PCOUNT_UPDN_DIV,

+

// and set UTMIP_IDLE_WAIT to 0x11 and UTMIP_ELASTIC_LIMIT to 0x10

+

*(u32 *)USB1_UTMIP_HSRX_CFG0_0 = ((*(u32 *)USB1_UTMIP_HSRX_CFG0_0 & ~(0xF8000) + 0x88000 & ~(0x7C00) + 0x4000) & ~(0xF000000));

+

// Clear UTMIP_HSSQUELCH_LEVEL_NEW

+

*(u32 *)USB1_UTMIP_BIAS_CFG2_0 &= ~(0x07);

+

return;

+

</syntaxhighlight>

+

==== ipatch 6 ====

+

This patch is a factory backdoor.

+

It allows controlling the debug authentication configuration using a fuse.

+

+

u32 FUSE_ODM_INFO = 0x7000FA9C;

+

u32 odm_info = *(u32 *)FUSE_ODM_INFO;

+

debug_auth_override_val = ((odm_info >> 0x08) << 0x01);

+

// Override debug authentication value stored in IRAM

+

*(u32 *)0x400028E4 &= ~(debug_auth_override_val);

+

/*

+

Untranslated instructions:

+

CMP R0, #0

+

*/

+

return;

+

</syntaxhighlight>

+

==== ipatch 7 ====

+

This patch is a bugfix.

+

It prevents overflowing IRAM (0x40010000) when copying the warmboot binary from DRAM.

+

+

u32 APBDEV_PMC_CNTRL_0 = 0x7000E400;

+

u32 warmboot_header_addr = 0x400049F0;

+

u32 warmboot_bin_size = *(u32 *)warmboot_bin_header_addr;

+

// Invalid warmboot binary size

+

if (warmboot_size >> 0x11)

+

{

+

// Assert MAIN_RST

+

// 0x40004BF0 comes from R4 and the bootrom doesn't bother to change it

+

*(u32 *)APBDEV_PMC_CNTRL_0 = 0x40004BF0;

+

// Deadlock

+

while(1);

+

}

+

/*

+

Untranslated instructions:

+

LDR R0, =0x40010000

+

LDR R2, [warmboot_bin_header_addr]

+

*/

+

return;

+

</syntaxhighlight>

+

==== ipatch 8 ====

+

This patch is a bugfix.

+

It sets the correct warmboot binary entrypoint address for RSA signature verification, which would be done in DRAM instead of IRAM without this patch.

+

+

u32 warmboot_addr_ptr = 0x40010238;

+

u32 warmboot_entry_addr_ptr = 0x40004C28;

+

*(u32 *)warmboot_entry_addr_ptr = *(u32 *)warmboot_addr_ptr;

+

/*

+

Untranslated instructions:

+

LDR R2, [warmboot_addr_ptr]

+

*/

+

return;

+

</syntaxhighlight>

+

==== ipatches 9 and 10 ====

+

These patches modify the 256-bit Secure Provisioning AES key with index 0x3A.

+

==== ipatch 11 ====

+

This patch forces the value of [[Security_Engine|SE_TZRAM_SECURITY]] to be 0x01 instead of restoring it from the saved SE context.

== Anti-downgrade ==

Line 846: Line 1,343:

| 1

|-

−

| 5.0.0

+

| 5.0.0-5.1.0

| 6

+

| 1

+

|-

+

| 6.0.0-6.1.0

+

| 7

+

| 1

+

|-

+

| 6.2.0

+

| 8

+

| 1

+

|-

+

| 7.0.0-8.0.1

+

| 9

+

| 1

+

|-

+

| 8.1.0

+

| 10

| 1

|}

Hexkyz

Bureaucrats, Administrators

2,783

edits

Changes

Fuses (view source)

Revision as of 02:33, 18 June 2019

Navigation menu

Search