Installed into the first 0x4000 sector of the eMMC storage's BCPKG2 partitions, "BootConfig" contains data used to configure TrustZone/OS behaviors.
BootConfig is normally all-zero for retail units, however TrustZone additionally sets the loaded configuration to all-zero when running on a retail unit anyway.
Format
Despite having 0x4000 for storage, the actual loaded BootConfig is only 0x400 bytes, with the following format:
Unsigned Configuration
This is "nn::bconfig::BootConfig".
| Offset
|
Size
|
Description
|
| 0x0
|
0x4
|
Version (yyMMddHHmm in uint32)
|
| 0x4
|
0xC
|
Reserved
|
| 0x10
|
0x1
|
IsDebugMode (bit 1) and TakeExtabtSerrorToEl3 (bit 2)
|
| 0x11
|
0x1
|
KernelConfiguration (first byte)
|
| 0x12
|
0xF
|
Reserved
|
| 0x21
|
0x1
|
KernelConfiguration (second byte)
|
| 0x22
|
0x1
|
Reserved
|
| 0x23
|
0x1
|
MemoryMode
|
| 0x24
|
0x1
|
HasInitialTscValue
|
| 0x25
|
0xB
|
Reserved
|
| 0x30
|
0x8
|
InitialTscValue
|
| 0x38
|
0x1C8
|
Reserved
|
Signed Configuration
| Offset
|
Size
|
Description
|
| 0x0
|
0x8
|
Version
|
| 0x8
|
0x1
|
IsPackage2Plaintext (bit 0) and IsPackage2Unsigned (bit 1)
|
| 0x9
|
0x7
|
Reserved
|
| 0x10
|
0x10
|
HardwareInfo (must match the HardwareInfo read from fuses, or else the loaded Signed Config will be memset to 0 even if signed; this allows Nintendo to set signed configuration on a per-unit basis)
|
| 0x20
|
0x1
|
DisableProgramVerification (controls the default value for how to check NCA signatures)
|
| 0x21
|
0xDF
|
Reserved
|