Line 3: |
Line 3: |
| The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup. | | The Switch's BCT is included in the firmware package titles (0100000000000819 and 010000000000081A) and is installed into eMMC storage's [[Flash_Filesystem#Boot_Partitions|boot partition 0]]. A total of four BCT copies can be installed into the system: normal, normal backup, safe mode and safe mode backup. |
| | | |
− | The Erista BCT's data is only signed after offset 0x0510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example. | + | The Erista BCT's data is only signed after offset 0x510. Therefore, regions like [[#CustomerData|CustomerData]] can be freely modified without resigning. This is done by [[NS_Services|NS]] when injecting a new [[Flash_Filesystem#Keyblob|keyblob]] during a system update, for example. |
| | | |
| The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used. | | The Mariko BCT's data is signed starting at offset 0x420 and encrypted starting at offset 0x480, so the [[Flash_Filesystem#Keyblob|keyblob]] system is no longer used. |
Line 18: |
Line 18: |
| ! Description | | ! Description |
| |- | | |- |
− | | 0x0000 | + | | 0x0 |
| | 0x210 | | | 0x210 |
| | BadBlockTable | | | BadBlockTable |
| | Table containing information on bad blocks | | | Table containing information on bad blocks |
− | 0x0000: EntriesUsed (0x200) | + | 0x0: EntriesUsed (0x200) |
− | 0x0004: VirtualBlockSizeLog2 (0x0F) | + | 0x4: VirtualBlockSizeLog2 (0xF) |
− | 0x0005: BlockSizeLog2 (0x0E) | + | 0x5: BlockSizeLog2 (0xE) |
− | 0x0006: BadBlocks | + | 0x6: BadBlocks |
− | 0x0206: Reserved | + | 0x206: Reserved |
| |- | | |- |
− | | 0x0210 | + | | 0x210 |
| | 0x100 | | | 0x100 |
| | Key | | | Key |
| | BCT RSA public key's modulus | | | BCT RSA public key's modulus |
| |- | | |- |
− | | 0x0310 | + | | 0x310 |
| | 0x110 | | | 0x110 |
| | Signature | | | Signature |
| | BCT cryptographic signature | | | BCT cryptographic signature |
− | 0x0310: CryptoHash (empty) | + | 0x310: CryptoHash (empty) |
− | 0x0320: RsaPssSig | + | 0x320: RsaPssSig |
| |- | | |- |
− | | 0x0420 | + | | 0x420 |
− | | 0x04 | + | | 0x4 |
| | SecProvisioningKeyNumInsecure | | | SecProvisioningKeyNumInsecure |
| | Used for Factory Secure Provisioning (always 0) | | | Used for Factory Secure Provisioning (always 0) |
| |- | | |- |
− | | 0x0424 | + | | 0x424 |
| | 0x20 | | | 0x20 |
| | SecProvisioningKey | | | SecProvisioningKey |
Line 54: |
Line 54: |
| | [[#CustomerData|CustomerData]] | | | [[#CustomerData|CustomerData]] |
| | Data block available for the customer (used in key generation) | | | Data block available for the customer (used in key generation) |
− | 0x0444: Reserved (0x0C bytes) | + | 0x444: Reserved |
− | 0x0450: [[Flash_Filesystem#Keyblob|Keyblob]] (0xB0 bytes) | + | 0x450: [[Flash_Filesystem#Keyblob|Keyblob]] |
− | 0x0500: Reserved (0x08 bytes) | + | 0x500: Reserved |
| |- | | |- |
− | | 0x0508 | + | | 0x508 |
− | | 0x04 | + | | 0x4 |
| | OdmData | | | OdmData |
− | | Legacy field (unused) | + | | Empty |
| |- | | |- |
− | | 0x050C | + | | 0x50C |
− | | 0x04 | + | | 0x4 |
| | Reserved | | | Reserved |
− | | Legacy field (unused) | + | | Empty |
| |- | | |- |
− | | 0x0510 | + | | 0x510 |
| | 0x10 | | | 0x10 |
| | RandomAesBlock | | | RandomAesBlock |
− | | Always empty | + | | Empty |
| |- | | |- |
− | | 0x0520 | + | | 0x520 |
| | 0x10 | | | 0x10 |
| | UniqueChipId | | | UniqueChipId |
− | | Always empty | + | | Empty |
| |- | | |- |
− | | 0x0530 | + | | 0x530 |
− | | 0x04 | + | | 0x4 |
| | BootDataVersion | | | BootDataVersion |
− | | Set to 0x00210001 (BOOTDATA_VERSION_T210) | + | | Set to 0x210001 (BOOTDATA_VERSION_T210) |
| |- | | |- |
− | | 0x0534 | + | | 0x534 |
− | | 0x04 | + | | 0x4 |
| | BlockSizeLog2 | | | BlockSizeLog2 |
− | | Always 0x0E | + | | Always 0xE |
| |- | | |- |
− | | 0x0538 | + | | 0x538 |
− | | 0x04 | + | | 0x4 |
| | PageSizeLog2 | | | PageSizeLog2 |
− | | Always 0x09 | + | | Always 0x9 |
| |- | | |- |
− | | 0x053C | + | | 0x53C |
− | | 0x04 | + | | 0x4 |
| | PartitionSize | | | PartitionSize |
− | | Always 0x01000000 | + | | Always 0x1000000 |
| |- | | |- |
− | | 0x0540 | + | | 0x540 |
− | | 0x04 | + | | 0x4 |
| | NumParamSets | | | NumParamSets |
− | | Number of device parameter sets (always 0x01) | + | | Number of device parameter sets (always 0x1) |
| |- | | |- |
− | | 0x0544 | + | | 0x544 |
− | | 0x04 | + | | 0x4 |
| | DevType | | | DevType |
− | | Device type (0x04 == Sdmmc) | + | | Device type (0x4 == Sdmmc) |
| |- | | |- |
− | | 0x0548 | + | | 0x548 |
| | 0x40 | | | 0x40 |
| | DevParams | | | DevParams |
| | Device parameters | | | Device parameters |
− | 0x0548: ClockDivider (0x09 == 24MHz) | + | 0x548: ClockDivider (0x9 == 24MHz) |
− | 0x054C: DataWidth (0x02 == 8Bit) | + | 0x54C: DataWidth (0x2 == 8Bit) |
| |- | | |- |
− | | 0x0588 | + | | 0x588 |
− | | 0x04 | + | | 0x4 |
| | NumSdramSets | | | NumSdramSets |
| | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) | | | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) |
| |- | | |- |
− | | 0x058C | + | | 0x58C |
| | 0x768 | | | 0x768 |
| | SdramParams0 | | | SdramParams0 |
| | Default values filled in | | | Default values filled in |
| |- | | |- |
− | | 0x0CF4 | + | | 0xCF4 |
| | 0x768 | | | 0x768 |
| | SdramParams1 | | | SdramParams1 |
Line 141: |
Line 141: |
| |- | | |- |
| | 0x232C | | | 0x232C |
− | | 0x04 | + | | 0x4 |
| | BootLoadersUsed | | | BootLoadersUsed |
− | | Number of bootloaders installed (always 0x02, maximum is 0x04) | + | | Number of bootloaders installed (always 0x2, maximum is 0x4) |
| |- | | |- |
| | 0x2330 | | | 0x2330 |
Line 150: |
Line 150: |
| | Configuration parameters for bootloader 0 (main) | | | Configuration parameters for bootloader 0 (main) |
| 0x2330: Version (variable) | | 0x2330: Version (variable) |
− | 0x2334: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe)) | + | 0x2334: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe) |
− | 0x2338: StartPage (0x00000000) | + | 0x2338: StartPage (0) |
| 0x233C: Length (variable) | | 0x233C: Length (variable) |
| 0x2340: LoadAddress (0x40010000) | | 0x2340: LoadAddress (0x40010000) |
| 0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) | | 0x2344: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) |
− | 0x2348: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe)) | + | 0x2348: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe) |
| 0x234C: CryptoHash (empty) | | 0x234C: CryptoHash (empty) |
| 0x235C: RsaPssSig | | 0x235C: RsaPssSig |
Line 164: |
Line 164: |
| | Configuration parameters for bootloader 1 (backup) | | | Configuration parameters for bootloader 1 (backup) |
| 0x245C: Version (variable) | | 0x245C: Version (variable) |
− | 0x2460: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe)) | + | 0x2460: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe) |
− | 0x2464: StartPage (0x00000000) | + | 0x2464: StartPage (0) |
| 0x2468: Length (variable) | | 0x2468: Length (variable) |
| 0x246C: LoadAddress (0x40010000) | | 0x246C: LoadAddress (0x40010000) |
| 0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) | | 0x2470: EntryPoint (0x40010020 for 1.0.0-3.0.2, 0x40010040 for 4.0.0+) |
− | 0x2474: Attribute (0x00000000 (BootImagePackage), 0x00000001 (BootImagePackageSafe)) | + | 0x2474: Attribute (0 for BootImagePackage, 1 for BootImagePackageSafe) |
| 0x2478: CryptoHash (empty) | | 0x2478: CryptoHash (empty) |
| 0x2488: RsaPssSig | | 0x2488: RsaPssSig |
Line 184: |
Line 184: |
| |- | | |- |
| | 0x27E0 | | | 0x27E0 |
− | | 0x01 | + | | 0x1 |
| | EnableFailBack | | | EnableFailBack |
| | Always 0 | | | Always 0 |
| |- | | |- |
| | 0x27E1 | | | 0x27E1 |
− | | 0x04 | + | | 0x4 |
| | SecureJtagControl | | | SecureJtagControl |
| | Always 0 | | | Always 0 |
| |- | | |- |
| | 0x27E5 | | | 0x27E5 |
− | | 0x04 | + | | 0x4 |
| | SecProvisioningKeyNumSecure | | | SecProvisioningKeyNumSecure |
| | Used for Factory Secure Provisioning (always 0) | | | Used for Factory Secure Provisioning (always 0) |
Line 204: |
Line 204: |
| |- | | |- |
| | 0x27FB | | | 0x27FB |
− | | 0x05 | + | | 0x5 |
| | Padding | | | Padding |
| | Empty | | | Empty |
Line 231: |
Line 231: |
| | | |
| === BootLoader0 === | | === BootLoader0 === |
− | The version field controls which keyblob is used, where 0x01 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version. | + | The version field controls which keyblob is used, where 0x1 is the first one. See [[Cryptosystem]] for the keyblobs used by each system-version. |
| | | |
| == Mariko == | | == Mariko == |
Line 241: |
Line 241: |
| ! Description | | ! Description |
| |- | | |- |
− | | 0x0000 | + | | 0x0 |
| | 0x210 | | | 0x210 |
| | Pcp | | | Pcp |
| | BCT public cryptographic parameters | | | BCT public cryptographic parameters |
− | 0x0000: KeySize | + | 0x0: KeySize |
− | 0x0004: Reserved | + | 0x4: Reserved |
− | 0x0010: PublicKeyModulus | + | 0x10: PublicKeyModulus |
− | 0x0110: PublicKeyExponent | + | 0x110: PublicKeyExponent |
| |- | | |- |
− | | 0x0210 | + | | 0x210 |
| | 0x110 | | | 0x110 |
| | Signature | | | Signature |
| | BCT cryptographic signature | | | BCT cryptographic signature |
− | 0x0210: CryptoHash (empty) | + | 0x210: CryptoHash (empty) |
− | 0x0220: RsaPssSig | + | 0x220: RsaPssSig |
| + | |- |
| + | | 0x320 |
| + | | 0x20 |
| + | | SecProvisioningKey |
| + | | Used for Factory Secure Provisioning (always 0) |
| + | |- |
| + | | 0x340 |
| + | | 0x4 |
| + | | SecProvisioningKeyNumInsecure |
| + | | Used for Factory Secure Provisioning (always 0) |
| + | |- |
| + | | 0x344 |
| + | | 0xC |
| + | | Padding |
| + | | Empty |
| + | |- |
| + | | 0x350 |
| + | | 0xD0 |
| + | | CustomerData |
| + | | Data block available for the customer |
| + | |- |
| + | | 0x420 |
| + | | 0x10 |
| + | | RandomAesBlock |
| + | | |
| |- | | |- |
− | | 0x0320 | + | | 0x430 |
− | | 0x160 | + | | 0x10 |
| | | | | |
| | Empty | | | Empty |
| |- | | |- |
− | | 0x0480 | + | | 0x440 |
| + | | 0x40 |
| + | | |
| + | | Empty |
| + | |- |
| + | | 0x480 |
| | 0x10 | | | 0x10 |
− | | RandomAesBlock | + | | RandomAesBlock2 |
− | | Not empty | + | | |
| |- | | |- |
− | | 0x0490 | + | | 0x490 |
| | 0x10 | | | 0x10 |
| | UniqueChipId | | | UniqueChipId |
− | | Always empty | + | | Empty |
| |- | | |- |
− | | 0x04A0 | + | | 0x4A0 |
− | | 0x04 | + | | 0x4 |
| | BootDataVersion | | | BootDataVersion |
− | | Set to 0x00210001 (BOOTDATA_VERSION_T210) | + | | Set to 0x210001 (BOOTDATA_VERSION_T210) |
| |- | | |- |
− | | 0x04A4 | + | | 0x4A4 |
− | | 0x04 | + | | 0x4 |
| | BlockSizeLog2 | | | BlockSizeLog2 |
− | | Always 0x0E | + | | Always 0xE |
| |- | | |- |
− | | 0x04A8 | + | | 0x4A8 |
− | | 0x04 | + | | 0x4 |
| | PageSizeLog2 | | | PageSizeLog2 |
− | | Always 0x09 | + | | Always 0x9 |
| |- | | |- |
− | | 0x04AC | + | | 0x4AC |
− | | 0x04 | + | | 0x4 |
| | PartitionSize | | | PartitionSize |
− | | Always 0x01000000 | + | | Always 0x1000000 |
| |- | | |- |
− | | 0x04B0 | + | | 0x4B0 |
− | | 0x04 | + | | 0x4 |
| | NumParamSets | | | NumParamSets |
− | | Number of device parameter sets (always 0x01) | + | | Number of device parameter sets (always 0x1) |
| |- | | |- |
− | | 0x04B4 | + | | 0x4B4 |
− | | 0x04 | + | | 0x4 |
| | DevType | | | DevType |
− | | Device type (0x04 == Sdmmc) | + | | Device type (0x4 == Sdmmc) |
| |- | | |- |
− | | 0x04B8 | + | | 0x4B8 |
| | 0x40 | | | 0x40 |
| | DevParams | | | DevParams |
| | Device parameters | | | Device parameters |
| |- | | |- |
− | | 0x04F8 | + | | 0x4F8 |
− | | 0x04 | + | | 0x4 |
| | NumSdramSets | | | NumSdramSets |
| | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) | | | Number of SDRAM parameter sets (always set to 0, but parameters are used despite this) |
| |- | | |- |
− | | 0x04FC | + | | 0x4FC |
| | 0x838 | | | 0x838 |
| | SdramParams0 | | | SdramParams0 |
| | Default values filled in | | | Default values filled in |
| |- | | |- |
− | | 0x0D34 | + | | 0xD34 |
| | 0x838 | | | 0x838 |
| | SdramParams1 | | | SdramParams1 |
Line 335: |
Line 365: |
| | 0x04 | | | 0x04 |
| | BootLoadersUsed | | | BootLoadersUsed |
− | | Number of bootloaders installed (always 0x02, maximum is 0x04) | + | | Number of bootloaders installed (always 0x2, maximum is 0x4) |
| |- | | |- |
| | 0x25E0 | | | 0x25E0 |
Line 341: |
Line 371: |
| | BootLoader0 | | | BootLoader0 |
| | Configuration parameters for bootloader 0 (main) | | | Configuration parameters for bootloader 0 (main) |
− | 0x25E0: StartBlock (0x00000040 (BootImagePackage), 0x00000100 (BootImagePackageSafe)) | + | 0x25E0: StartBlock (0x40 for BootImagePackage, 0x100 for BootImagePackageSafe) |
− | 0x25E4: StartPage (0x00000000) | + | 0x25E4: StartPage (0) |
| 0x25E8: Version (variable) | | 0x25E8: Version (variable) |
| 0x25EC: Reserved | | 0x25EC: Reserved |
Line 350: |
Line 380: |
| | BootLoader1 | | | BootLoader1 |
| | Configuration parameters for bootloader 1 (backup) | | | Configuration parameters for bootloader 1 (backup) |
− | 0x25F0: StartBlock (0x00000050 (BootImagePackage), 0x00000110 (BootImagePackageSafe)) | + | 0x25F0: StartBlock (0x50 for BootImagePackage, 0x110 for BootImagePackageSafe) |
− | 0x25F4: StartPage (0x00000000) | + | 0x25F4: StartPage (0) |
| 0x25F8: Version (variable) | | 0x25F8: Version (variable) |
| 0x25FC: Reserved | | 0x25FC: Reserved |
Line 366: |
Line 396: |
| |- | | |- |
| | 0x2620 | | | 0x2620 |
− | | 0x5C | + | | 0x4 |
| + | | SecureDebugControlNoneEcid |
| + | | Empty |
| + | |- |
| + | | 0x2624 |
| + | | 0x4 |
| + | | SecureDebugControlEcid |
| + | | Empty |
| + | |- |
| + | | 0x2628 |
| + | | 0x10 |
| | | | | |
| | Empty | | | Empty |
| + | |- |
| + | | 0x2638 |
| + | | 0x40 |
| + | | |
| + | | Empty |
| + | |- |
| + | | 0x2678 |
| + | | 0x4 |
| + | | SecProvisioningKeyNumSecure |
| + | | Used for Factory Secure Provisioning (always 0) |
| |- | | |- |
| | 0x267C | | | 0x267C |