7
edits
Changes
→BIT, BCT
= IRAM =
= IRAM =
== [[BCT|BCT]] ==
== [[BIT|BIT]] ==
When copied to IRAM at address 0x40000000, the BCT has an additional header as follows.
When copied to IRAM at address 0x40000000, the BCT has an additional header called Boot Info Table as follows.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| 0x00
| 0x00
| 0x50
| 0x04
| bct_global_header
| unk_version0
|
|
0x00210001
|-
|-
| 0x50
| 0x04
| 0x18
| 0x04
| bootloader0_header
| unk_version1
|
|
0x00210001
|-
|-
| 0x68
| 0x08
| 0x18
| 0x04
| bootloader1_header
| unk_version2
|
|
0x00210001
|-
|-
| 0x80
| 0x0C
| 0x18
| 0x04
| bootloader2_header
| boot_type
|
|
BOOT_TYPE_COLD = 1
BOOT_TYPE_RECOVERY = 2
BOOT_TYPE_UART = 3
BOOT_TYPE_EXIT_RCM = 4
|-
|-
| 0x98
0x4C: bct_data_addr (address of the actual BCT)
| 0x18
|-
| bootloader3_header
| 0x50
| 0x18*4
| bootloader_headers[4]
|
|
0x00: is_active (if set to 0x01, bootloader3 is used)
{| class="wikitable" border="1"
|-
! Offset
! Size
! Field
|-
| 0x00
| 0x04
| is_active
|-
| 0x04
| 0x04
| start_block
|-
| 0x08
| 0x04
| start_page
|-
| 0x0C
| 0x04
| length
|-
| 0x10
| 0x04
| signed_start
|-
| 0x14
| 0x04
| signature
|-
|}
|-
|-
| 0xB0
| 0xB0
| 0x50
| 0x40
|
|
|-
| 0xF0
| 0x04
|
|
bct_end_addr
|-
| 0xF4
| 0x0C
|
|
|
|
|-
|-
|}
|}
bct_data_addr should pint to a bct that contains the keyblob.
It's used in key generation in PK1.
PK11 checks boot_type to be cold, if it's not it panics.
bootloader_headers[0] or bootloader_headers[1] should be set to active. It is also checked by PK11.
= Notes =
= Notes =