2,939
edits
Changes
Jump to navigation
Jump to search
Line 3:
Line 3: − + Line 18:
Line 18: − + − 0x0000: EntriesUsed (0x200) + − 0x0004: VirtualBlockSizeLog2 (0x0F) + − 0x0005: BlockSizeLog2 (0x0E) + − 0x0006: BadBlocks + − 0x0206: Reserved + − + − + − 0x0310: CryptoHash (empty) + − 0x0320: RsaPssSig + − + − + − + Line 54:
Line 54: − 0x0444: Reserved (0x0C bytes) + − 0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes) + − 0x0500: Reserved (0x08 bytes) + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − 0x0548: ClockDivider (0x09 == 24MHz) + − 0x054C: DataWidth (0x02 == 8Bit) + − + − + − + − + Line 141:
Line 141: − + − + Line 150:
Line 150: − + − + − + Line 164:
Line 164: − + − + − + Line 184:
Line 184: − + − + − + Line 204:
Line 204: − + Line 231:
Line 231: − + Line 241:
Line 241: − + − 0x0000: KeySize + − 0x0004: Reserved + − 0x0010: PublicKeyModulus + − 0x0110: PublicKeyExponent + − + − 0x0210: CryptoHash (empty) + − 0x0220: RsaPssSig + + + + + + + + + + + + + + + + + + + + + + + + + + − + − + − + + + + + + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + Line 335:
Line 365: − + Line 341:
Line 371: − + − + Line 350:
Line 380: − + − + Line 366:
Line 396: − + + + + + + + + + + + + + + + + + + + + +
no edit summary
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup.
The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
The Erista BCT's data is only signed after offset 0x510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example.
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used.
! Description
! Description
|-
|-
| 0x0000
| 0x0
| 0x210
| 0x210
| BadBlockTable
| BadBlockTable
| Table containing information on bad blocks
| Table containing information on bad blocks
0x0: EntriesUsed (0x200)
0x4: VirtualBlockSizeLog2 (0xF)
0x5: BlockSizeLog2 (0xE)
0x6: BadBlocks
0x206: Reserved
|-
|-
| 0x0210
| 0x210
| 0x100
| 0x100
| Key
| Key
| BCT RSA public key's modulus
| BCT RSA public key's modulus
|-
|-
| 0x0310
| 0x310
| 0x110
| 0x110
| Signature
| Signature
| BCT cryptographic signature
| BCT cryptographic signature
0x310: CryptoHash (empty)
0x320: RsaPssSig
|-
|-
| 0x0420
| 0x420
| 0x04
| 0x4
| SecProvisioningKeyNumInsecure
| SecProvisioningKeyNumInsecure
| Used for Factory Secure Provisioning (always 0)
| Used for Factory Secure Provisioning (always 0)
|-
|-
| 0x0424
| 0x424
| 0x20
| 0x20
| SecProvisioningKey
| SecProvisioningKey
| [[#CustomerData|CustomerData]]
| [[#CustomerData|CustomerData]]
| Data block available for the customer (used in key generation)
| Data block available for the customer (used in key generation)
0x444: Reserved
0x450: [[Flash_Filesystem#Keyblob|Keyblob]]
0x500: Reserved
|-
|-
| 0x0508
| 0x508
| 0x04
| 0x4
| OdmData
| OdmData
| Legacy field (unused)
| Empty
|-
|-
| 0x050C
| 0x50C
| 0x04
| 0x4
| Reserved
| Reserved
| Legacy field (unused)
| Empty
|-
|-
| 0x0510
| 0x510
| 0x10
| 0x10
| RandomAesBlock
| RandomAesBlock
| Always empty
| Empty
|-
|-
| 0x0520
| 0x520
| 0x10
| 0x10
| UniqueChipId
| UniqueChipId
| Always empty
| Empty
|-
|-
| 0x0530
| 0x530
| 0x04
| 0x4
| BootDataVersion
| BootDataVersion
| Set to 0x00210001 (BOOTDATA_VERSION_T210)
| Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|-
| 0x0534
| 0x534
| 0x04
| 0x4
| BlockSizeLog2
| BlockSizeLog2
| Always 0x0E
| Always 0xE
|-
|-
| 0x0538
| 0x538
| 0x04
| 0x4
| PageSizeLog2
| PageSizeLog2
| Always 0x09
| Always 0x9
|-
|-
| 0x053C
| 0x53C
| 0x04
| 0x4
| PartitionSize
| PartitionSize
| Always 0x01000000
| Always 0x1000000
|-
|-
| 0x0540
| 0x540
| 0x04
| 0x4
| NumParamSets
| NumParamSets
| Number of device parameter sets (always 0x01)
| Number of device parameter sets (always 0x1)
|-
|-
| 0x0544
| 0x544
| 0x04
| 0x4
| DevType
| DevType
| Device type (0x04 == Sdmmc)
| Device type (0x4 == Sdmmc)
|-
|-
| 0x0548
| 0x548
| 0x40
| 0x40
| DevParams
| DevParams
| Device parameters
| Device parameters
0x548: ClockDivider (0x9 == 24MHz)
0x54C: DataWidth (0x2 == 8Bit)
|-
|-
| 0x0588
| 0x588
| 0x04
| 0x4
| NumSdramSets
| NumSdramSets
| Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
| Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
| 0x058C
| 0x58C
| 0x768
| 0x768
| SdramParams0
| SdramParams0
| Default values filled in
| Default values filled in
|-
|-
| 0x0CF4
| 0xCF4
| 0x768
| 0x768
| SdramParams1
| SdramParams1
|-
|-
| 0x232C
| 0x232C
| 0x04
| 0x4
| BootLoadersUsed
| BootLoadersUsed
| Number of bootloaders installed (always 0x02, maximum is 0x04)
| Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|-
| 0x2330
| 0x2330
| Configuration parameters for bootloader 0 (main)
| Configuration parameters for bootloader 0 (main)
0x2330: Version (variable)
0x2330: Version (variable)
0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
0x2338: StartPage (0x00000000)
0x2338: StartPage (0)
0x233C: Length (variable)
0x233C: Length (variable)
0x2340: LoadAddress (0x40010000)
0x2340: LoadAddress (0x40010000)
0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
0x234C: CryptoHash (empty)
0x234C: CryptoHash (empty)
0x235C: RsaPssSig
0x235C: RsaPssSig
| Configuration parameters for bootloader 1 (backup)
| Configuration parameters for bootloader 1 (backup)
0x245C: Version (variable)
0x245C: Version (variable)
0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
0x2464: StartPage (0x00000000)
0x2464: StartPage (0)
0x2468: Length (variable)
0x2468: Length (variable)
0x246C: LoadAddress (0x40010000)
0x246C: LoadAddress (0x40010000)
0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+)
0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe))
0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe)
0x2478: CryptoHash (empty)
0x2478: CryptoHash (empty)
0x2488: RsaPssSig
0x2488: RsaPssSig
|-
|-
| 0x27E0
| 0x27E0
| 0x01
| 0x1
| EnableFailBack
| EnableFailBack
| Always 0
| Always 0
|-
|-
| 0x27E1
| 0x27E1
| 0x04
| 0x4
| SecureJtagControl
| SecureJtagControl
| Always 0
| Always 0
|-
|-
| 0x27E5
| 0x27E5
| 0x04
| 0x4
| SecProvisioningKeyNumSecure
| SecProvisioningKeyNumSecure
| Used for Factory Secure Provisioning (always 0)
| Used for Factory Secure Provisioning (always 0)
|-
|-
| 0x27FB
| 0x27FB
| 0x05
| 0x5
| Padding
| Padding
| Empty
| Empty
=== BootLoader0 ===
=== BootLoader0 ===
The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
The version field controls which keyblob is used, where 0x1 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version.
== Mariko ==
== Mariko ==
! Description
! Description
|-
|-
| 0x0000
| 0x0
| 0x210
| 0x210
| Pcp
| Pcp
| BCT public cryptographic parameters
| BCT public cryptographic parameters
0x0: KeySize
0x4: Reserved
0x10: PublicKeyModulus
0x110: PublicKeyExponent
|-
|-
| 0x0210
| 0x210
| 0x110
| 0x110
| Signature
| Signature
| BCT cryptographic signature
| BCT cryptographic signature
0x210: CryptoHash (empty)
0x220: RsaPssSig
|-
| 0x320
| 0x20
| SecProvisioningKey
| Used for Factory Secure Provisioning (always 0)
|-
| 0x340
| 0x4
| SecProvisioningKeyNumInsecure
| Used for Factory Secure Provisioning (always 0)
|-
| 0x344
| 0xC
| Padding
| Empty
|-
| 0x350
| 0xD0
| CustomerData
| Data block available for the customer
|-
| 0x420
| 0x10
| RandomAesBlock
|
|-
|-
| 0x0320
| 0x430
| 0x160
| 0x10
|
|
| Empty
| Empty
|-
|-
| 0x0480
| 0x440
| 0x40
|
| Empty
|-
| 0x480
| 0x10
| 0x10
| RandomAesBlock
| RandomAesBlock2
| Not empty
|
|-
|-
| 0x0490
| 0x490
| 0x10
| 0x10
| UniqueChipId
| UniqueChipId
| Always empty
| Empty
|-
|-
| 0x04A0
| 0x4A0
| 0x04
| 0x4
| BootDataVersion
| BootDataVersion
| Set to 0x00210001 (BOOTDATA_VERSION_T210)
| Set to 0x210001 (BOOTDATA_VERSION_T210)
|-
|-
| 0x04A4
| 0x4A4
| 0x04
| 0x4
| BlockSizeLog2
| BlockSizeLog2
| Always 0x0E
| Always 0xE
|-
|-
| 0x04A8
| 0x4A8
| 0x04
| 0x4
| PageSizeLog2
| PageSizeLog2
| Always 0x09
| Always 0x9
|-
|-
| 0x04AC
| 0x4AC
| 0x04
| 0x4
| PartitionSize
| PartitionSize
| Always 0x01000000
| Always 0x1000000
|-
|-
| 0x04B0
| 0x4B0
| 0x04
| 0x4
| NumParamSets
| NumParamSets
| Number of device parameter sets (always 0x01)
| Number of device parameter sets (always 0x1)
|-
|-
| 0x04B4
| 0x4B4
| 0x04
| 0x4
| DevType
| DevType
| Device type (0x04 == Sdmmc)
| Device type (0x4 == Sdmmc)
|-
|-
| 0x04B8
| 0x4B8
| 0x40
| 0x40
| DevParams
| DevParams
| Device parameters
| Device parameters
|-
|-
| 0x04F8
| 0x4F8
| 0x04
| 0x4
| NumSdramSets
| NumSdramSets
| Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
| Number of SDRAM parameter sets (always set to 0, but parameters are used despite this)
|-
|-
| 0x04FC
| 0x4FC
| 0x838
| 0x838
| SdramParams0
| SdramParams0
| Default values filled in
| Default values filled in
|-
|-
| 0x0D34
| 0xD34
| 0x838
| 0x838
| SdramParams1
| SdramParams1
| 0x04
| 0x04
| BootLoadersUsed
| BootLoadersUsed
| Number of bootloaders installed (always 0x02, maximum is 0x04)
| Number of bootloaders installed (always 0x2, maximum is 0x4)
|-
|-
| 0x25E0
| 0x25E0
| BootLoader0
| BootLoader0
| Configuration parameters for bootloader 0 (main)
| Configuration parameters for bootloader 0 (main)
0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe))
0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe)
0x25E4: StartPage (0x00000000)
0x25E4: StartPage (0)
0x25E8: Version (variable)
0x25E8: Version (variable)
0x25EC: Reserved
0x25EC: Reserved
| BootLoader1
| BootLoader1
| Configuration parameters for bootloader 1 (backup)
| Configuration parameters for bootloader 1 (backup)
0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe))
0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe)
0x25F4: StartPage (0x00000000)
0x25F4: StartPage (0)
0x25F8: Version (variable)
0x25F8: Version (variable)
0x25FC: Reserved
0x25FC: Reserved
|-
|-
| 0x2620
| 0x2620
| 0x5C
| 0x4
| SecureDebugControlNoneEcid
| Empty
|-
| 0x2624
| 0x4
| SecureDebugControlEcid
| Empty
|-
| 0x2628
| 0x10
|
|
| Empty
| Empty
|-
| 0x2638
| 0x40
|
| Empty
|-
| 0x2678
| 0x4
| SecProvisioningKeyNumSecure
| Used for Factory Secure Provisioning (always 0)
|-
|-
| 0x267C
| 0x267C