2,781
edits
Changes
Jump to navigation
Jump to search
Line 35:
Line 35: − + Line 53:
Line 53: + + + + + + + + + + + + + + + + + + + + Line 62:
Line 82: + + + + + Line 82:
Line 107: + + + + + + + + + + + + Line 96:
Line 133: + + + + + + + + + − + − + − + + + + + + + + + + − + − + − + − + − + − + + + + + + + + + + + + + + + + + + + + + + Line 154:
Line 230: − + − + − + + + + − + + + + − + Line 186:
Line 268: + + + Line 193:
Line 278: − + Line 220:
Line 305: − + + + + + + + Line 226:
Line 317: − + + + + + + + − + − + − + − + − + − + + + + + + + − + − + + + + + + + + + + + + + + + + + + + − + + + + + + + − + − + − + − + + + + − + + + + + + + + + + + + + + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + + + + + + + + + + + + + + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 304:
Line 551: − + − + − + Line 393:
Line 640: − |- + + + + + − + − + − + Line 417:
Line 668: − + − + − + Line 438:
Line 689: − + Line 447:
Line 698: − + − + − + Line 464:
Line 715: − + − Must be non-zero on retail units, otherwise the first bootloader panics.+ − On debug units it can be zero, which tells the bootloader to choose from two debug master key seeds. If set to non-zero on a debug unit, it tells the bootloader to choose from two retail master key seeds (only the last one matches the retail master key seed).+ + + + + − − ==== FUSE_PUBLIC_KEY ==== − This stores the SHA256 hash of the 2048-bit RSA key expected at BCT+0x210. Line 500:
Line 752: + + + + + + + + + + + + + + + + + Line 562:
Line 831: + + + + + + + + − |- Line 574:
Line 850: − + Line 582:
Line 858: − + + + + + + + + + + + + + + + Line 891:
Line 1,181: − + + + Line 946:
Line 1,238: − + − + − + Line 1,019:
Line 1,311: − + Line 1,055:
Line 1,347: − + − + + + + + + + + + + + + +
→Anti-downgrade
| 0x7000F81C
| 0x7000F81C
|-
|-
| FUSE_PRIV2INTFC
| [[#FUSE_PRIV2INTFC|FUSE_PRIV2INTFC]]
| 0x7000F820
| 0x7000F820
|-
|-
| 0x7000F834
| 0x7000F834
|-
|-
| FUSE_PRIV2RESHIFT
| 0x7000F83C
|-
| FUSE_TIME_RD3
| 0x7000F84C
|-
| FUSE_PRIVATE_KEY0_NONZERO
| 0x7000F880
|-
| FUSE_PRIVATE_KEY1_NONZERO
| 0x7000F884
|-
| FUSE_PRIVATE_KEY2_NONZERO
| 0x7000F888
|-
| FUSE_PRIVATE_KEY3_NONZERO
| 0x7000F88C
|-
| FUSE_PRIVATE_KEY4_NONZERO
| 0x7000F890
|}
|}
| 0-1
| 0-1
| Fuse command (1 = FUSE_READ; 2 = FUSE_WRITE; 3 = FUSE_SENSE)
| Fuse command (1 = FUSE_READ; 2 = FUSE_WRITE; 3 = FUSE_SENSE)
|-
| 16-20
| Fuse state (4 = STATE_IDLE)
|-
|-
| 26
| 26
| Fuse power down mode flag (FUSE_CTRL_PD)
| Fuse power down mode flag (FUSE_CTRL_PD)
|-
|-
| 30
| Fuse sense status (FUSE_CTRL_SENSE_DONE)
|}
|}
==== FUSE_TIME_PGM2 ====
==== FUSE_TIME_PGM2 ====
This register takes the fuse programming pulse (0xC0 == 19200 kHz).
This register takes the fuse programming pulse (0xC0 == 19200 kHz).
==== FUSE_PRIV2INTFC ====
{| class="wikitable" border="1"
! Bits
! Description
|-
| 0
| FUSE_PRIV2INTFC_SDATA
|-
| 1
| FUSE_PRIV2INTFC_SKIP_RECORDS
|}
==== FUSE_DIS_PGM ====
==== FUSE_DIS_PGM ====
| FUSE_PRODUCTION_MODE
| FUSE_PRODUCTION_MODE
| 0x7000F900
| 0x7000F900
|-
| FUSE_JTAG_SECUREID_VALID
| 0x7000F904
|-
| FUSE_ODM_LOCK
| 0x7000F908
|-
| FUSE_OPT_OPENGL_EN
| 0x7000F90C
|-
|-
| [[#FUSE_SKU_INFO|FUSE_SKU_INFO]]
| [[#FUSE_SKU_INFO|FUSE_SKU_INFO]]
| 0x7000F910
| 0x7000F910
|-
|-
| FUSE_CPU_SPEEDO_0
| FUSE_CPU_SPEEDO_0_CALIB
| 0x7000F914
| 0x7000F914
|-
|-
| FUSE_CPU_IDDQ
| FUSE_CPU_IDDQ_CALIB
| 0x7000F918
| 0x7000F918
|-
|-
| FUSE_FT_REV
| FUSE_DAC_CRT_CALIB
| 0x7000F91C
|-
| FUSE_DAC_HDTV_CALIB
| 0x7000F920
|-
| FUSE_DAC_SDTV_CALIB
| 0x7000F924
|-
| [[#FUSE_OPT_FT_REV|FUSE_OPT_FT_REV]]
| 0x7000F928
| 0x7000F928
|-
|-
| FUSE_CPU_SPEEDO_1
| FUSE_CPU_SPEEDO_1_CALIB
| 0x7000F92C
| 0x7000F92C
|-
|-
| FUSE_CPU_SPEEDO_2
| FUSE_CPU_SPEEDO_2_CALIB
| 0x7000F930
| 0x7000F930
|-
|-
| FUSE_SOC_SPEEDO_0
| FUSE_SOC_SPEEDO_0_CALIB
| 0x7000F934
| 0x7000F934
|-
|-
| [[#FUSE_SOC_SPEEDO_1|FUSE_SOC_SPEEDO_1]]
| [[#FUSE_SOC_SPEEDO_1_CALIB|FUSE_SOC_SPEEDO_1_CALIB]]
| 0x7000F938
| 0x7000F938
|-
|-
| FUSE_SOC_SPEEDO_2
| FUSE_SOC_SPEEDO_2_CALIB
| 0x7000F93C
| 0x7000F93C
|-
|-
| FUSE_SOC_IDDQ
| FUSE_SOC_IDDQ_CALIB
| 0x7000F940
| 0x7000F940
|-
| FUSE_RESERVED_PRODUCTION_WP
| 0x7000F944
|-
|-
| [[#FUSE_FA|FUSE_FA]]
| [[#FUSE_FA|FUSE_FA]]
| 0x7000F948
| 0x7000F948
|-
| FUSE_RESERVED_PRODUCTION
| 0x7000F94C
|-
| FUSE_HDMI_LANE0_CALIB
| 0x7000F950
|-
| FUSE_HDMI_LANE1_CALIB
| 0x7000F954
|-
| FUSE_HDMI_LANE2_CALIB
| 0x7000F958
|-
| FUSE_HDMI_LANE3_CALIB
| 0x7000F95C
|-
| FUSE_ENCRYPTION_RATE
| 0x7000F960
|-
|-
| [[#FUSE_PUBLIC_KEY|FUSE_PUBLIC_KEY0]]
| [[#FUSE_PUBLIC_KEY|FUSE_PUBLIC_KEY0]]
| 0x7000F980
| 0x7000F980
|-
|-
| FUSE_TSENSOR_1
| FUSE_TSENSOR1_CALIB
| 0x7000F984
| 0x7000F984
|-
|-
| FUSE_TSENSOR_2
| FUSE_TSENSOR2_CALIB
| 0x7000F988
| 0x7000F988
|-
|-
| FUSE_CP_REV
| FUSE_VSENSOR_CALIB
| 0x7000F98C
|-
| [[#FUSE_OPT_CP_REV|FUSE_OPT_CP_REV]]
| 0x7000F990
| 0x7000F990
|-
|-
| FUSE_TSENSOR_0
| FUSE_OPT_PFG
| 0x7000F994
|-
| FUSE_TSENSOR0_CALIB
| 0x7000F998
| 0x7000F998
|-
|-
| FUSE_FIRST_BOOTROM_PATCH_SIZE_REG
| FUSE_FIRST_BOOTROM_PATCH_SIZE
| 0x7000F99C
| 0x7000F99C
|-
|-
| [[#FUSE_PRIVATE_KEY|FUSE_PRIVATE_KEY4]]
| [[#FUSE_PRIVATE_KEY|FUSE_PRIVATE_KEY4]]
| 0x7000F9B4
| 0x7000F9B4
|-
| FUSE_ARM_JTAG_DIS
| 0x7000F9B8
|-
|-
| FUSE_BOOT_DEVICE_INFO
| FUSE_BOOT_DEVICE_INFO
| 0x7000F9C0
| 0x7000F9C0
|-
|-
| FUSE_VP8_ENABLE
| FUSE_OPT_VP9_DISABLE
| 0x7000F9C4
| 0x7000F9C4
|-
|-
| 0x7000F9E4
| 0x7000F9E4
|-
|-
| FUSE_SKU_USB_CALIB
| FUSE_OBS_DIS
| 0x7000F9E8
|-
| FUSE_NOR_INFO
| 0x7000F9EC
|-
| FUSE_USB_CALIB
| 0x7000F9F0
| 0x7000F9F0
|-
|-
| 0x7000F9F4
| 0x7000F9F4
|-
|-
| FUSE_VENDOR_CODE
| FUSE_KFUSE_PRIVKEY_CTRL
| 0x7000F9F8
|-
| FUSE_PACKAGE_INFO
| 0x7000F9FC
|-
| FUSE_OPT_VENDOR_CODE
| 0x7000FA00
| 0x7000FA00
|-
|-
| FUSE_FAB_CODE
| FUSE_OPT_FAB_CODE
| 0x7000FA04
| 0x7000FA04
|-
|-
| FUSE_LOT_CODE_0
| FUSE_OPT_LOT_CODE_0
| 0x7000FA08
| 0x7000FA08
|-
|-
| FUSE_LOT_CODE_1
| FUSE_OPT_LOT_CODE_1
| 0x7000FA0C
| 0x7000FA0C
|-
|-
| FUSE_WAFER_ID
| FUSE_OPT_WAFER_ID
| 0x7000FA10
| 0x7000FA10
|-
|-
| FUSE_X_COORDINATE
| FUSE_OPT_X_COORDINATE
| 0x7000FA14
| 0x7000FA14
|-
|-
| FUSE_Y_COORDINATE
| FUSE_OPT_Y_COORDINATE
| 0x7000FA18
| 0x7000FA18
|-
| FUSE_OPT_SEC_DEBUG_EN
| 0x7000FA1C
|-
| FUSE_OPT_OPS_RESERVED
| 0x7000FA20
|-
|-
| FUSE_SATA_CALIB
| FUSE_SATA_CALIB
| 0x7000FA24
| 0x7000FA24
|-
|-
| FUSE_GPU_IDDQ
| FUSE_GPU_IDDQ_CALIB
| 0x7000FA28
| 0x7000FA28
|-
|-
| FUSE_TSENSOR_3
| FUSE_TSENSOR3_CALIB
| 0x7000FA2C
| 0x7000FA2C
|-
| FUSE_SKU_BOND_OUT_L
| 0x7000FA30
|-
| FUSE_SKU_BOND_OUT_H
| 0x7000FA34
|-
| FUSE_SKU_BOND_OUT_U
| 0x7000FA38
|-
| FUSE_SKU_BOND_OUT_V
| 0x7000FA3C
|-
| FUSE_SKU_BOND_OUT_W
| 0x7000FA40
|-
| FUSE_OPT_SAMPLE_TYPE
| 0x7000FA44
|-
|-
| FUSE_OPT_SUBREVISION
| FUSE_OPT_SUBREVISION
| 0x7000FA48
| 0x7000FA48
|-
|-
| FUSE_TSENSOR_4
| FUSE_OPT_SW_RESERVED_0
| 0x7000FA4C
|-
| FUSE_OPT_SW_RESERVED_1
| 0x7000FA50
|-
| FUSE_TSENSOR4_CALIB
| 0x7000FA54
| 0x7000FA54
|-
|-
| FUSE_TSENSOR_5
| FUSE_TSENSOR5_CALIB
| 0x7000FA58
| 0x7000FA58
|-
|-
| FUSE_TSENSOR_6
| FUSE_TSENSOR6_CALIB
| 0x7000FA5C
| 0x7000FA5C
|-
|-
| FUSE_TSENSOR_7
| FUSE_TSENSOR7_CALIB
| 0x7000FA60
| 0x7000FA60
|-
|-
| FUSE_OPT_PRIV_SEC_DIS
| FUSE_OPT_PRIV_SEC_EN
| 0x7000FA64
| 0x7000FA64
|-
|-
| [[#FUSE_PKC_DISABLE|FUSE_PKC_DISABLE]]
| [[#FUSE_PKC_DISABLE|FUSE_PKC_DISABLE]]
| 0x7000FA68
| 0x7000FA68
|-
| FUSE_FUSE2TSEC_DEBUG_DISABLE
| 0x7000FA7C
|-
|-
| FUSE_TSENSOR_COMMON
| FUSE_TSENSOR_COMMON
| 0x7000FA80
| 0x7000FA80
|-
|-
| FUSE_DEBUG_AUTH_OVERRIDE
| FUSE_OPT_CP_BIN
| 0x7000FA84
|-
| FUSE_OPT_GPU_DISABLE
| 0x7000FA88
|-
| FUSE_OPT_FT_BIN
| 0x7000FA8C
|-
| FUSE_OPT_DONE_MAP
| 0x7000FA90
|-
| FUSE_APB2JTAG_DISABLE
| 0x7000FA98
|-
| FUSE_ODM_INFO
| 0x7000FA9C
| 0x7000FA9C
|-
|-
| FUSE_TSENSOR_8
| FUSE_ARM_CRYPT_DE_FEATURE
| 0x7000FAA8
|-
| FUSE_WOA_SKU_FLAG
| 0x7000FAC0
|-
| FUSE_ECO_RESERVE_1
| 0x7000FAC4
|-
| FUSE_GCPLEX_CONFIG_FUSE
| 0x7000FAC8
|-
| FUSE_PRODUCTION_MONTH
| 0x7000FACC
|-
| FUSE_RAM_REPAIR_INDICATOR
| 0x7000FAD0
|-
| FUSE_TSENSOR9_CALIB
| 0x7000FAD4
| 0x7000FAD4
|-
| FUSE_VMIN_CALIBRATION
| 0x7000FADC
|-
| FUSE_AGING_SENSOR_CALIBRATION
| 0x7000FAE0
|-
| FUSE_DEBUG_AUTHENTICATION
| 0x7000FAE4
|-
|-
| FUSE_SECURE_PROVISION_INDEX
| FUSE_SECURE_PROVISION_INDEX
| 0x7000FAE8
| 0x7000FAE8
|-
|-
| FUSE_RESERVED_CALIB
| FUSE_SECURE_PROVISION_INFO
| 0x7000FAEC
|-
| FUSE_OPT_GPU_DISABLE_CP1
| 0x7000FAF0
|-
| FUSE_SPARE_ENDIS
| 0x7000FAF4
|-
| FUSE_ECO_RESERVE_0
| 0x7000FAF8
|-
| FUSE_SPARE_REALIGNMENT_REG_OLD
| 0x7000FAFC
|-
| FUSE_RESERVED_CALIB0
| 0x7000FB04
| 0x7000FB04
|-
|-
| FUSE_TSENSOR_9
| FUSE_RESERVED_CALIB1
| 0x7000FB08
|-
| FUSE_OPT_GPU_TPC0_DISABLE
| 0x7000FB0C
|-
| FUSE_OPT_GPU_TPC0_DISABLE_CP1
| 0x7000FB10
|-
| FUSE_OPT_CPU_DISABLE
| 0x7000FB14
|-
| FUSE_OPT_CPU_DISABLE_CP1
| 0x7000FB18
|-
| FUSE_TSENSOR10_CALIB
| 0x7000FB1C
| 0x7000FB1C
|-
| FUSE_TSENSOR10_CALIB_AUX
| 0x7000FB20
|-
| FUSE_OPT_RAM_SVOP_DP
| 0x7000FB24
|-
| FUSE_OPT_RAM_SVOP_PDP
| 0x7000FB28
|-
| FUSE_OPT_RAM_SVOP_REG
| 0x7000FB2C
|-
| FUSE_OPT_RAM_SVOP_SP
| 0x7000FB30
|-
| FUSE_OPT_RAM_SVOP_SMPDP
| 0x7000FB34
|-
| FUSE_OPT_GPU_TPC0_DISABLE_CP2
| 0x7000FB38
|-
| FUSE_OPT_GPU_TPC1_DISABLE
| 0x7000FB3C
|-
| FUSE_OPT_GPU_TPC1_DISABLE_CP1
| 0x7000FB40
|-
| FUSE_OPT_GPU_TPC1_DISABLE_CP2
| 0x7000FB44
|-
| FUSE_OPT_CPU_DISABLE_CP2
| 0x7000FB48
|-
| FUSE_OPT_GPU_DISABLE_CP2
| 0x7000FB4C
|-
|-
| FUSE_USB_CALIB_EXT
| FUSE_USB_CALIB_EXT
| 0x7000FB50
| 0x7000FB50
|-
| FUSE_RESERVED_FIELD
| 0x7000FB54
|-
| FUSE_OPT_ECC_EN
| 0x7000FB58
|-
| FUSE_SPARE_REALIGNMENT_REG
| 0x7000FB7C
|-
|-
| FUSE_SPARE_BIT_0
| FUSE_SPARE_BIT_0
| 0x7000FB84
| 0x7000FB84
|-
|-
| FUSE_SPARE_BIT_2
| [[#FUSE_SPARE_BIT_2|FUSE_SPARE_BIT_2]]
| 0x7000FB88
| 0x7000FB88
|-
|-
| FUSE_SPARE_BIT_3
| [[#FUSE_SPARE_BIT_3|FUSE_SPARE_BIT_3]]
| 0x7000FB8C
| 0x7000FB8C
|-
|-
| FUSE_SPARE_BIT_4
| [[#FUSE_SPARE_BIT_4|FUSE_SPARE_BIT_4]]
| 0x7000FB90
| 0x7000FB90
|-
|-
| FUSE_SPARE_BIT_31
| FUSE_SPARE_BIT_31
| 0x7000FBFC
| 0x7000FBFC
|}
|}
==== FUSE_SKU_INFO ====
==== FUSE_SKU_INFO ====
Stores the SKU ID (must be 0x83).
Stores the SKU ID (must be 0x83).
==== FUSE_OPT_FT_REV ====
Stores the FT (Final Test) revision.
Original launch units have this value set to 0xA0 (revision 5.0). The first batch of patched units have this value set to 0xC0 (revision 6.0). The second batch of patched units have this value set to 0xE0 (revision 7.0)
==== FUSE_FA ====
==== FUSE_FA ====
Stores failure analysis mode.
Stores failure analysis mode.
==== FUSE_SOC_SPEEDO_1 ====
==== FUSE_SOC_SPEEDO_1_CALIB ====
Stores the bootrom patch version.
Stores the bootrom patch version.
==== FUSE_RESERVED_ODM0 ====
==== FUSE_RESERVED_ODM0 ====
This appears to store an hardware ID.
This stores an hardware ID.
==== FUSE_RESERVED_ODM1 ====
==== FUSE_RESERVED_ODM1 ====
This appears to store an hardware ID.
This stores an hardware ID.
==== FUSE_RESERVED_ODM2 ====
==== FUSE_RESERVED_ODM2 ====
|-
|-
| 0-4
| 0-4
| [5.0.0+] Used as key generation
| [5.0.0+] Used as key generation (patched units only)
|}
|}
This appears to store an hardware ID.
This stores an hardware ID in original launch units, but in patched units it stores a single value (key generation).
==== FUSE_RESERVED_ODM3 ====
==== FUSE_RESERVED_ODM3 ====
This appears to store an hardware ID.
This stores an hardware ID in original launch units, but in patched units it's empty.
==== FUSE_RESERVED_ODM4 ====
==== FUSE_RESERVED_ODM4 ====
| [1.0.0-3.0.2] 3-5
| [1.0.0-3.0.2] 3-5
[4.0.0+] 3-7
[4.0.0+] 3-7
| DRAM id
| DRAM ID
|-
|-
| 8
| 8
|-
|-
| 10
| 10
| [4.0.0+] Kiosk mode (0 = retail; 1 = kiosk)
| [3.0.0+] Kiosk mode (0 = retail; 1 = kiosk)
|-
|-
| 11
| 11
| [5.0.0+] SoC variant (0 = T210; 1 = T214)
| [5.0.0+] Unit patch flag (0 = unpatched; 1 = patched)
|-
|-
| 16-19
| 16-19
| [4.0.0+] New unit type
| [4.0.0+] New unit type (0 = Erista; 1 = Mariko)
|}
|}
This register returns the value programmed into index 0x3C of the fuse array.
This register returns the value programmed into index 0x3C of the fuse array.
==== FUSE_SPARE_BIT_5 ====
==== FUSE_PUBLIC_KEY ====
This stores the SHA256 hash of the 2048-bit RSA key expected at BCT+0x210.
==== FUSE_OPT_CP_REV ====
Stores the CP (Chip Probing) revision.
Original launch units have this value set to 0xA0 (revision 5.0). Patched units have this value set to 0x103 (revision 8.3).
==== FUSE_PRIVATE_KEY ====
==== FUSE_PRIVATE_KEY ====
This stores the 160-bit private key (128 bit SBK + 32-bit device key).
This stores the 160-bit private key (128 bit SBK + 32-bit device key).
Reads to these registers after the SBK is locked out produce all-FF output.
Reads to these registers after the SBK is locked out produce all-FF output.
==== FUSE_RESERVED_SW ====
==== FUSE_RESERVED_SW ====
This caches the value of the sw_reserved fuse from the hardware array.
This caches the value of the sw_reserved fuse from the hardware array.
Original launch units have the RCM USB controller mode set to USB 2.0, while the first batch of patched units have the RCM USB controller mode set to XUSB.
==== FUSE_PKC_DISABLE ====
==== FUSE_PKC_DISABLE ====
This caches the value of the pkc_disable fuse from the hardware array.
This caches the value of the pkc_disable fuse from the hardware array.
==== FUSE_SPARE_BIT_2 ====
Stores part of the speedo fusing revision.
==== FUSE_SPARE_BIT_3 ====
Stores part of the speedo fusing revision.
==== FUSE_SPARE_BIT_4 ====
Stores part of the speedo fusing revision.
==== FUSE_SPARE_BIT_5 ====
Must be non-zero on retail units, otherwise the first bootloader panics.
On debug units it can be zero, which tells the bootloader to choose from two debug master key seeds. If set to non-zero on a debug unit, it tells the bootloader to choose from two master key seeds (with the second one being the retail master key seed).
[4.0.0+] This value is no longer used during boot.
== eFuses ==
== eFuses ==
| 0x52
| 0x52
| 1
| 1
|-
| debug_authentication
| 0x5A
| 5
|-
| aid
| 0x67
| 32
|-
|-
| [[#bootrom_ipatch|bootrom_ipatch]]
| [[#bootrom_ipatch|bootrom_ipatch]]
| 0x72
| 0x72
| 624
| 624
|}
|}
=== bootrom_ipatch ===
=== bootrom_ipatch ===
Tegra210 based hardware such as the Switch provides support for bootrom patches. The patch data is burned to the hardware fuse array using a specific format (see [https://gist.github.com/shuffle2/f8728159da100e9df2606d43925de0af shuffle2's ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP. The revision stored in FUSE_CP_REV indicates the unique set of values stored in ipatch fuses.
Tegra210 based hardware such as the Switch provides support for bootrom patches. The patch data is burned to the hardware fuse array using a specific format (see [https://gist.github.com/shuffle2/f8728159da100e9df2606d43925de0af shuffle2's ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP.
The following represents the patch data dumped from a Switch console:
The following represents the patch data dumped from a Switch console:
RAM:00000000
RAM:00000000
RAM:00000000 irom_svc_dispatch
RAM:00000000 irom_svc_dispatch
RAM:00000000 STMFD SP!, {R0-R2} ; ipatches:
RAM:00000000 STMFD SP!, {R0-R2} ; ipatches (new):
RAM:00000000 ; 0 b57df00 16ae df00 : svc #0x00 (offset 0x48)
RAM:00000000 ; 1 1820df22 3040 df22 : svc #0x22 (offset 0x8c)
RAM:00000000 ; 2 3797df26 6f2e df26 : svc #0x26 (offset 0x94)
RAM:00000000 ; 3 3b4d2100 769a 2100 : movs r1, #0x00
RAM:00000000 ; 4 42bdf2c 856 df2c : svc #0x2c (offset 0xa0)
RAM:00000000 ; 5 37aadf42 6f54 df42 : svc #0x42 (offset 0xcc)
RAM:00000000 ; 6 972df4b 12e4 df4b : svc #0x4b (offset 0xde)
RAM:00000000 ; 7 2293df54 4526 df54 : svc #0x54 (offset 0xf0)
RAM:00000000 ; 8 21fadf5d 43f4 df5d : svc #0x5d (offset 0x102)
RAM:00000000 ; 9 bba2ac57 17744 ac57 : data
RAM:00000000 ; 10 bbac3d19 17758 3d19 : data
RAM:00000000 ; 11 1e952001 3d2a 2001 : movs r0, #0x01
RAM:00000000 ;
RAM:00000000 ; ipatches (old):
RAM:00000000 ; 0 b57df00 16ae df00 : svc #0x00 (offset 0x48)
RAM:00000000 ; 0 b57df00 16ae df00 : svc #0x00 (offset 0x48)
RAM:00000000 ; 1 1820df22 3040 df22 : svc #0x22 (offset 0x8c)
RAM:00000000 ; 1 1820df22 3040 df22 : svc #0x22 (offset 0x8c)
==== ipatch 3 ====
==== ipatch 3 ====
This patch pertains to XHCI IRQ clearing checks and forces a result code to be 0.
This patch ensures that waiting on PRC_PENDING from the XUSB_DEV register T_XUSB_DEV_XHCI_PORTSC never fails.
In the second batch of patched units ([[#FUSE_OPT_FT_REV|FUSE_OPT_FT_REV]] set to revision 7.0) this patch has been replaced with a fix for [[Switch_System_Flaws#Hardware|CVE-2018-6242]] (arbitrary copy when handling USB control requests in RCM). By setting R1 to 0 at address 0x0010769A in the bootrom, the upper 16 bits of the USB control request's wLength field are cleared out, effectively limiting the request's size to a maximum of 255 bytes.
==== ipatch 4 ====
==== ipatch 4 ====
<syntaxhighlight lang="c">
<syntaxhighlight lang="c">
u32 FUSE_DEBUG_AUTH_OVERRIDE = 0x7000FA9C;
u32 FUSE_ODM_INFO = 0x7000FA9C;
u32 debug_auth_override_val = *(u32 *)FUSE_DEBUG_AUTH_OVERRIDE;
u32 odm_info = *(u32 *)FUSE_ODM_INFO;
debug_auth_override_val = ((debug_auth_override_val >> 0x08) << 0x01);
debug_auth_override_val = ((odm_info >> 0x08) << 0x01);
// Override debug authentication value stored in IRAM
// Override debug authentication value stored in IRAM
==== ipatch 11 ====
==== ipatch 11 ====
This patch pertains to the [[Security_Engine|Security Engine]] context restore process and forces SE_OPERATION_UNK1 to be 0x01.
This patch forces the value of [[Security_Engine|SE_TZRAM_SECURITY]] to be 0x01 instead of restoring it from the saved SE context.
== Anti-downgrade ==
== Anti-downgrade ==
| 1
| 1
|-
|-
| 6.0.0
| 6.0.0-6.1.0
| 7
| 7
|
| 1
|-
| 6.2.0
| 8
| 1
|-
| 7.0.0-8.0.1
| 9
| 1
|-
| 8.1.0
| 10
| 1
|}
|}