Changes

9,946 bytes removed ,  30 November
no edit summary
Line 4: Line 4:     
= Protocol =
 
= Protocol =
All communication is done using the following MMC_SEND_MANUFACTURER commands.
+
All communication is done using custom MMC_SEND_MANUFACTURER commands.
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
! Command
+
! Value
! Name
+
! Description
 
|-
 
|-
 
| 60
 
| 60
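Review bot: The first column is renamed from "Command" to "Value", but the cell shown under it is still a bare "60" with no base prefix, while the operation table further down writes its values as "0x01". Now that the header promises a numeric value, write the command number with an explicit base (or state that it is decimal) so it cannot be read as 0x60.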
Line 25: Line 25:     
== WriteOperation ==
 
== WriteOperation ==
Submits a Gamecard ASIC [[#ASIC commands|operation]] using a 0x40 byte sized [[#OperationBuffer|OperationBuffer]].
+
Sends a Gamecard ASIC [[#AsicOperation|operation]].
 +
 
 +
== FinishOperation ==
 +
Returns the status of a completed Gamecard ASIC operation.
   −
=== OperationBuffer ===
+
== Sleep ==
 +
Puts the Gamecard ASIC in sleep mode.
 +
 
 +
== UpdateKey ==
 +
Tells the Gamecard ASIC to generate new random key data.
 +
 
 +
= AsicOperation =
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
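Review bot: The rewritten WriteOperation sentence drops the only explicit statement that the operation buffer is 0x40 bytes. After this change the total can only be worked out by adding up the rows of the AsicOperation table. Suggest stating the size once in the new AsicOperation section, directly above the table, so that anyone sizing or bounds-checking the buffer does not have to derive it.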
Line 36: Line 45:  
| 0x0
 
| 0x0
 
| 0x1
 
| 0x1
| Gamecard ASIC [[#ASIC commands|operation command]]
+
| [[#OperationId|OperationId]]
 
|-
 
|-
 
| 0x1
 
| 0x1
 
| 0x1F
 
| 0x1F
| Operation specific data
+
| OperationData
 
|-
 
|-
 
| 0x20
 
| 0x20
 
| 0x20
 
| 0x20
| Command verification value (secure mode only)
+
| CvValue (secure mode only)
 
|}
 
|}
   −
== FinishOperation ==
+
== OperationId ==
Returns the status of a completed operation.
  −
 
  −
== Sleep ==
  −
Puts the Gamecard ASIC in sleep mode.
  −
 
  −
== UpdateKey ==
  −
Tells the Gamecard ASIC to generate new random key data.
  −
 
  −
= ASIC commands =
   
The Gamecard ASIC supports a total of 20 operation commands. These commands are passed to the ASIC using the [[#WriteOperation]] MMC command.
 
The Gamecard ASIC supports a total of 20 operation commands. These commands are passed to the ASIC using the [[#WriteOperation]] MMC command.
   −
Additional data buffers are then read/written using standard MMC read/write commands.
+
Additional data buffers are then read/written as pages of 0x200 bytes each, using standard MMC read/write commands.
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
! Command
+
! Value
! Name
+
! Description
 
|-
 
|-
 
| 0x01
 
| 0x01
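Review bot: At offset 0x20 the row "Command verification value (secure mode only)" becomes "CvValue (secure mode only)", and the abbreviation is not expanded anywhere in this hunk. Keep the full name on first use, for example "CvValue (command verification value, secure mode only)", since this is the field that distinguishes secure-mode operations from plain ones.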
Line 127: Line 127:  
|}
 
|}
   −
== SendFirmware ==
+
=== SendFirmware ===
Signals the Gamecard ASIC to receive a 0x7800 byte sized buffer containing the [[#User firmware|ASIC's user firmware]].
+
Signals the Gamecard ASIC to receive the [[#AsicFirmware|firmware]].  
   −
== ReceiveCertificate ==
+
This is the only operation handled by the Gamecard ASIC's bootrom.
Signals the Gamecard ASIC to send a 0x400 byte sized buffer containing the ASIC's certificate.
     −
== SendSocCertificate ==
+
=== ReceiveCertificate ===
Signals the Gamecard ASIC to receive a 0x400 byte sized buffer containing the certificate from [[Settings_services#GetGameCardCertificate|GetGameCardCertificate]].
+
Signals the Gamecard ASIC to send the ASIC's certificate.
   −
== ReceiveRandomValue ==
+
=== SendSocCertificate ===
Signals the Gamecard ASIC to send a 0x100 byte sized buffer containing a RSA-OAEP encrypted message to be decrypted by the host library. The decrypted message will be used to generate a common AES-128 (CBC and CTR) key and IV/CTR shared between the ASIC and the host library.
+
Signals the Gamecard ASIC to receive the certificate from [[Settings_services#GetGameCardCertificate|GetGameCardCertificate]].
   −
== SendRandomValue ==
+
=== ReceiveRandomValue ===
Signals the Gamecard ASIC to receive a 0x100 byte sized buffer containing a RSA-OAEP encrypted message to be decrypted by the ASIC. The decrypted message will be used to generate a common AES-128 (CBC and CTR) key and IV/CTR shared between the ASIC and the host library.
+
Signals the Gamecard ASIC to send a RSA-OAEP encrypted message to be decrypted by the host library.
 +
 
 +
The decrypted message will be used to generate a common AES-128 (CBC and CTR) key and IV/CTR shared between the ASIC and the host library.
 +
 
 +
=== SendRandomValue ===
 +
Signals the Gamecard ASIC to receive a RSA-OAEP encrypted message to be decrypted by the ASIC.
 +
 
 +
The decrypted message will be used to generate a common AES-128 (CBC and CTR) key and IV/CTR shared between the ASIC and the host library.
 +
 
 +
=== ReceiveDeviceChallenge ===
 +
Signals the Gamecard ASIC to send AES-128-CBC encrypted authentication data to be decrypted and hashed by the host library.
 +
 
 +
=== RespondDeviceChallenge ===
 +
Signals the Gamecard ASIC to receive the AES-128-CBC encrypted hash of the ASIC authentication data.
 +
 
 +
=== SendHostChallenge ===
 +
Signals the Gamecard ASIC to receive AES-128-CBC encrypted authentication data to be decrypted and hashed by the ASIC.
 +
 
 +
=== ReceiveChallengeResponse ===
 +
Signals the Gamecard ASIC to send the AES-128-CBC encrypted hash of the library authentication data.
 +
 
 +
=== ChangeModeToSecure ===
 +
Signals the Gamecard ASIC to enter secure mode.
 +
 
 +
In secure mode, all communication with the Gamecard ASIC must be AES-128-CTR encrypted.
 +
 
 +
=== WriteRegister ===
 +
Signals the Gamecard ASIC to write an internal register.
 +
 
 +
[[#AsicOperation|OperationData]] becomes:
 +
{| class="wikitable" border="1"
 +
|-
 +
! Offset
 +
! Size
 +
! Description
 +
|-
 +
| 0x0
 +
| 0x3
 +
| Reserved
 +
|-
 +
| 0x3
 +
| 0x4
 +
| RegisterAddress
 +
|-
 +
| 0x7
 +
| 0x18
 +
| Reserved
 +
|}
   −
== ReceiveDeviceChallenge ==
+
RegisterValue is passed in a data page.
Signals the Gamecard ASIC to send a 0x20 byte sized buffer containing AES-128-CBC encrypted authentication data to be decrypted and hashed by the host library.
     −
== RespondDeviceChallenge ==
+
=== ReadRegister ===
Signals the Gamecard ASIC to receive a 0x20 byte sized buffer containing the AES-128-CBC encrypted hash of the ASIC authentication data.
+
Signals the Gamecard ASIC to send the contents of its [[#AsicRegisters|registers]].
   −
== SendHostChallenge ==
+
=== ChangeGcModeToDebug ===
Signals the Gamecard ASIC to receive a 0x20 byte sized buffer containing AES-128-CBC encrypted authentication data to be decrypted and hashed by the ASIC.
+
Signals the Gamecard ASIC to change into debug mode and send information on the current Gamecard.
   −
== ReceiveChallengeResponse ==
+
=== GetCardHeader ===
Signals the Gamecard ASIC to send a 0x20 byte sized buffer containing the AES-128-CBC encrypted hash of the library authentication data.
+
Signals the Gamecard ASIC to send the current Gamecard's [[#CardHeader|header]].
   −
== ChangeModeToSecure ==
+
=== ChangeGcModeToSecure ===
Signals the Gamecard ASIC to enter secure mode. In secure mode, all communication with the Gamecard ASIC must be AES-128-CTR encrypted.
+
Signals the Gamecard ASIC to enable secure communication with the Gamecard and return its [[#CardKeyArea|key area]].
   −
== WriteRegister ==
+
=== SendCardCommand ===
Signals the Gamecard ASIC to write an internal register. The register value is passed in the first word of a 0x200 byte sized buffer while the register index is passed in the actual [[#OperationBuffer]] as follows:
+
Signals the Gamecard ASIC to relay commands to the Gamecard.
    +
[[#AsicOperation|OperationData]] becomes:
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
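Review bot: Every rewritten operation description in this hunk loses its payload length: 0x7800 for SendFirmware, 0x400 for the two certificate operations, 0x100 for the RSA-OAEP messages, 0x20 for the four challenge and response buffers and 0x30 for ReadRegister. The new text only says elsewhere that data moves in pages of 0x200 bytes, which gives the transfer granularity but not how many bytes of each page are meaningful. Suggest keeping the length in each description or adding a size column to the operation table. The WriteRegister rewrite also replaces "the first word of a 0x200 byte sized buffer" with "passed in a data page", which no longer says where in the page RegisterValue sits.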
Line 168: Line 214:  
| 0x0
 
| 0x0
 
| 0x1
 
| 0x1
| Gamecard ASIC operation command (0x0B)
+
| PageSize
 +
|-
 +
| 0x1
 +
| 0x1
 +
| Direction (0 = Read, 1 = Write)
 
|-
 
|-
 +
| 0x2
 
| 0x1
 
| 0x1
 +
| Reserved
 +
|-
 
| 0x3
 
| 0x3
| Padding
+
| 0x4
 +
| PageNumber
 
|-
 
|-
| 0x4
+
| 0x7
| 0x4
+
| 0x10
| Gamecard ASIC register index
+
| [[#CardCommand|CardCommand]]
 
|-
 
|-
 +
| 0x17
 
| 0x8
 
| 0x8
| 0x18
+
| Reserved
| Empty
+
|}
 +
 
 +
=== EnableCardBus ===
 +
Signals the Gamecard ASIC to enable the Gamecard's bus line.
 +
 
 +
=== ExchangeRandomValuesInSecureMode ===
 +
Signals the Gamecard ASIC to exchange random authentication values with the current Gamecard.
 +
 
 +
[[#AsicOperation|OperationData]] becomes:
 +
{| class="wikitable" border="1"
 +
|-
 +
! Offset
 +
! Size
 +
! Description
 +
|-
 +
| 0x0
 +
| 0x1F
 +
| RandomValues
 +
|}
 +
 
 +
The Gamecard's response is returned in a data page.
 +
 
 +
=== ReadRmaInformation ===
 +
Signals the Gamecard ASIC to send information on the Gamecard ASIC. This is called by [[Filesystem_services#IDeviceOperator|GetGameCardAsicInfo]].
 +
 
 +
=== ChallengeCardExistence ===
 +
Signals the Gamecard ASIC to exchange random values with the current Gamecard.
 +
 
 +
[[#AsicOperation|OperationData]] becomes:
 +
{| class="wikitable" border="1"
 +
|-
 +
! Offset
 +
! Size
 +
! Description
 
|-
 
|-
| 0x20
+
| 0x0
| 0x20
+
| 0x1F
| Command verification value
+
| RandomValues
 
|}
 
|}
   −
== ReadRegister ==
+
The Gamecard's response is returned in a data page.
Signals the Gamecard ASIC to send a 0x30 byte sized buffer containing the values of all ASIC registers as follows:
      +
= AsicRegisters =
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
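Review bot: The new SendCardCommand table numbers its offsets from the start of OperationData (PageSize at 0x0, CardCommand at 0x7, Reserved ending at 0x1F), whereas the rows it replaces were numbered from the start of the whole buffer with the operation command at 0x0. "OperationData becomes:" does not say which base applies, so a reader comparing against the AsicOperation table can be off by one byte on every field. Suggest adding a short line such as "offsets are relative to OperationData" to this table and to the ExchangeRandomValuesInSecureMode and ChallengeCardExistence tables.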
Line 245: Line 333:  
|}
 
|}
   −
== ChangeGcModeToDebug ==
+
= CardHeader =
Signals the Gamecard ASIC to change into debug mode and send a 0x200 byte sized buffer containing information on the current Gamecard.
  −
 
  −
== GetCardHeader ==
  −
Signals the Gamecard ASIC to send a 0x200 byte sized buffer containing the current Gamecard's header data as follows:
  −
 
   
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
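Review bot: The new top-level "= CardHeader =" heading is followed directly by the table, with no sentence saying what returns this structure or how large it is. The removed GetCardHeader line stated both (a 0x200 byte buffer containing the current Gamecard's header data). Suggest one introductory sentence under the heading that names GetCardHeader and the size.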
Line 278: Line 361:  
|}
 
|}
   −
== ChangeGcModeToSecure ==
+
= CardKeyArea =
Signals the Gamecard ASIC to send a 0x800 byte sized buffer containing the current Gamecard's key area sectors as follows:
  −
 
   
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
Line 324: Line 405:  
|}
 
|}
   −
[11.0.0+] This now signals the Gamecard ASIC to send a 0x600 byte sized buffer containing the current Gamecard's key area sectors as follows:
+
[11.0.0+] This is now:
 
   
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
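Review bot: "[11.0.0+] This is now:" has no antecedent after the rewrite, because the sentence it referred to was removed along with the ChangeGcModeToSecure heading. The replaced line also carried the 0x600 size, which is the visible difference from the 0x800 layout above it. Suggest wording such as "[11.0.0+] The key area is 0x600 bytes and is laid out as follows:".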
Line 365: Line 445:  
|}
 
|}
   −
== SendCardCommand ==
+
= CardCommand =
Signals the Gamecard ASIC to relay a specific [[#Gamecard commands|command]] to the Gamecard. The command is sent to the Gamecard using the [[#OperationBuffer]] as follows:
  −
 
   
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
Line 376: Line 454:  
| 0x0
 
| 0x0
 
| 0x1
 
| 0x1
| Gamecard ASIC operation command (0x10)
+
| [[#CommandId|CommandId]]
 
|-
 
|-
 
| 0x1
 
| 0x1
| 0x1
+
| 0xF
| Page size
+
| CommandData
|-
  −
| 0x2
  −
| 0x1
  −
| Direction (0 = read, 1 = write)
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Page count
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command
  −
|-
  −
| 0x9
  −
| 0x17
  −
| Command specific data
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
   
|}
 
|}
   −
== EnableCardBus ==
+
== CommandId ==
Signals the Gamecard ASIC to enable the current Gamecard's bus line.
+
These commands are issued by the Gamecard ASIC to the actual Gamecard using the [[#AsicOperation|OperationData]] passed to [[#SendCardCommand]].
   −
== ExchangeRandomValuesInSecureMode ==
+
Additional data buffers are then read/written as pages of 0x200 bytes each, using standard MMC read/write commands.
Signals the Gamecard ASIC to exchange random authentication values with the current Gamecard. The Gamecard response values are returned in a 0x20 sized buffer while the host values are passed in the actual [[#OperationBuffer]] as follows:
      
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
! Offset
+
! Value
! Size
   
! Description
 
! Description
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x12)
  −
|-
  −
| 0x1
  −
| 0x1F
  −
| Random value from host
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
  −
== ReadRmaInformation ==
  −
Signals the Gamecard ASIC to send a 0x200 byte sized buffer containing information on the Gamecard ASIC. This is called by [[Filesystem_services#IDeviceOperator|GetGameCardAsicInfo]].
  −
  −
== ChallengeCardExistence ==
  −
Signals the Gamecard ASIC to exchange random values with the current Gamecard. The Gamecard response values are returned in a 0x58 sized buffer while the host values are passed in the actual [[#OperationBuffer]] as follows:
  −
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x14)
  −
|-
  −
| 0x1
  −
| 0x1F
  −
| Random value from host
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
  −
= Gamecard commands =
  −
These commands are issued by the Gamecard ASIC to the actual Gamecard using the [[#OperationBuffer]] passed to [[#SendCardCommand]].
  −
  −
Additional data buffers are then read/written using standard MMC read/write commands.
  −
  −
{| class="wikitable" border="1"
  −
|-
  −
! Command
  −
! Name
   
|-
 
|-
 
| 0x6
 
| 0x6
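Review bot: The removed ExchangeRandomValuesInSecureMode and ChallengeCardExistence text gave different response lengths (0x20 and 0x58 bytes). The sections that replace them describe both responses only as "returned in a data page" and carry identical RandomValues tables, so nothing on the page distinguishes the two operations' outputs any more. Suggest restoring the two response sizes next to the "returned in a data page" sentences.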
Line 474: Line 478:  
|-
 
|-
 
| 0x10
 
| 0x10
| [[#ReadId1|ReadId1Write]]
+
| ReadId1Write
 
|-
 
|-
 
| 0x11
 
| 0x11
| [[#ReadId2|ReadId2Write]]
+
| ReadId2Write
 
|-
 
|-
 
| 0x12
 
| 0x12
| [[#ReadId3|ReadId3Write]]
+
| ReadId3Write
 
|-
 
|-
 
| 0x13
 
| 0x13
Line 486: Line 490:  
|-
 
|-
 
| 0x15
 
| 0x15
| [[#ReadCrc|ReadCrc]]
+
| ReadCrc
 
|-
 
|-
 
| 0x16
 
| 0x16
| [[#WritePage|WritePage]]
+
| WritePage
 
|-
 
|-
 
| 0x17
 
| 0x17
Line 495: Line 499:  
|-
 
|-
 
| 0x18
 
| 0x18
| [[#Erase|Erase]]
+
| Erase
 
|-
 
|-
 
| 0x19
 
| 0x19
| [[#ReadParameter|ReadParameter]]
+
| ReadParameter
 
|-
 
|-
 
| 0x20
 
| 0x20
| [[#WriteParameter|WriteParameter]]
+
| WriteParameter
 
|-
 
|-
 
| 0x21
 
| 0x21
| [[#ReadPage|ReadPageSecure]]
+
| ReadPageSecure
 
|-
 
|-
 
| 0x28
 
| 0x28
| [[#ReadId2|ReadId2]]
+
| ReadId2
 
|-
 
|-
 
| 0x2E
 
| 0x2E
| [[#ChangeDebugDirect|ChangeDebugDirect]]
+
| ChangeDebugDirect
 
|-
 
|-
 
| 0x30
 
| 0x30
| [[#ReadId3|ReadId3Secure]]
+
| ReadId3Secure
 
|-
 
|-
 
| 0x39
 
| 0x39
| [[#SetKey|SetKey]]
+
| SetKey
 
|-
 
|-
 
| 0x56
 
| 0x56
| [[#ReadId1|ReadId1]]
+
| ReadId1
 
|-
 
|-
 
| 0x59
 
| 0x59
Line 525: Line 529:  
|-
 
|-
 
| 0x67
 
| 0x67
| [[#ReadId1|ReadId1Secure]]
+
| ReadId1Secure
 
|-
 
|-
 
| 0x5B
 
| 0x5B
| [[#ReadPage|ReadPage]]
+
| ReadPage
 
|-
 
|-
 
| 0x83
 
| 0x83
| [[#WritePage|WritePageSecure]]
+
| WritePageSecure
 
|-
 
|-
 
| 0x8A
 
| 0x8A
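Review bot: In the rows touched here, 0x67 (ReadId1Secure) sits between 0x59 and 0x5B (ReadPage), while the rest of the CommandId table is in ascending order of value. Since these rows are being edited anyway, move 0x5B above 0x67 so a lookup by value does not miss it.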
Line 537: Line 541:  
|-
 
|-
 
| 0xA5
 
| 0xA5
| [[#ReadId3|ReadId3]]
+
| ReadId3
 
|-
 
|-
 
| 0xB8
 
| 0xB8
| [[#Refresh|Refresh]]
+
| Refresh
 
|-
 
|-
 
| 0xC4
 
| 0xC4
| [[#ReadId2|ReadId2Secure]]
+
| ReadId2Secure
 
|-
 
|-
 
| 0xE0
 
| 0xE0
Line 597: Line 601:  
|}
 
|}
   −
== ReadId1 ==
+
= AsicFirmware =
Returns the Gamecard ID1 under one of the valid [[#Gamecard modes|Gamecard modes]].
+
This is the Gamecard ASIC's user firmware (Lotus ASIC Firmware or LAFW) uploaded through the [[#SendFirmware]] operation.
 
  −
The [[#OperationBuffer]] is as follows:
      
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 609: Line 611:  
|-
 
|-
 
| 0x0
 
| 0x0
| 0x1
+
| 0x100
| Gamecard ASIC operation command (0x10)
+
| RSA-2048 PKCS #1 signature over the firmware (data from 0x100 to 0x7800)
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 1
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
   
|-
 
|-
 +
| 0x100
 
| 0x4
 
| 0x4
| 0x4
+
| Magic ("LAFW")
| Set to 0
   
|-
 
|-
| 0x8
+
| 0x104
| 0x1
  −
| Gamecard command (0x10, 0x56 or 0x67)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0xD
  −
| 0x2
  −
| Set to 0
  −
|-
  −
| 0xF
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== ReadId2 ==
  −
Returns the Gamecard ID2 under one of the valid [[#Gamecard modes|Gamecard modes]].
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
   
| 0x1
 
| 0x1
| Gamecard ASIC operation command (0x10)
+
| ProductionFirmwareFlag
 
|-
 
|-
 +
| 0x105
 
| 0x1
 
| 0x1
| 0x1
+
| DevelopmentFirmwareFlag
| Set to 1
   
|-
 
|-
| 0x2
+
| 0x106
 
| 0x1
 
| 0x1
| Set to 0
+
| WriterFirmwareFlag
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x11, 0x28 or 0xC4)
   
|-
 
|-
 +
| 0x107
 
| 0x9
 
| 0x9
| 0x4
+
| Reserved
| Set to 0
  −
|-
  −
| 0xD
  −
| 0x2
  −
| Set to 0
  −
|-
  −
| 0xF
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== ReadId3 ==
  −
Returns the Gamecard ID3 under one of the valid [[#Gamecard modes|Gamecard modes]].
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 1
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Set to 0
   
|-
 
|-
 +
| 0x110
 
| 0x8
 
| 0x8
| 0x1
+
| [[#FirmwareVersion|FirmwareVersion]]
| Gamecard command (0x12, 0x30 or 0xA5)
   
|-
 
|-
| 0x9
+
| 0x118
 
| 0x4
 
| 0x4
| Set to 0
+
| FirmwareSize
|-
  −
| 0xD
  −
| 0x2
  −
| Set to 0
  −
|-
  −
| 0xF
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== ReadCrc ==
  −
Reads pages from the Gamecard, calculates their CRC and returns it. This command is only available in [[#Gamecard modes|Write]] mode.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 1
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
   
|-
 
|-
 +
| 0x11C
 
| 0x4
 
| 0x4
| 0x4
+
| Reserved
| Set to 0
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x15)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Gamecard page offset
  −
|-
  −
| 0xD
  −
| 0x3
  −
| Gamecard page count
   
|-
 
|-
 +
| 0x120
 
| 0x10
 
| 0x10
| 0x10
+
| Iv
| Empty
   
|-
 
|-
| 0x20
+
| 0x130
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== WritePage ==
  −
Writes Gamecard pages. This command is only available in [[#Gamecard modes|Write]] and [[#Gamecard modes|Secure]] modes.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 3
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 1
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Gamecard page count (duplicate)
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x16 or 0x83)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Gamecard page offset
  −
|-
  −
| 0xD
  −
| 0x3
  −
| Gamecard page count
  −
|-
  −
| 0x10
   
| 0x10
 
| 0x10
| Empty
+
| Lotus3DeviceId
 
|-
 
|-
| 0x20
+
| 0x140
| 0x20
+
| 0x40
| Command verification value
+
| Reserved
|}
  −
 
  −
== ReadPage ==
  −
Reads Gamecard pages. This command is only available in [[#Gamecard modes|Normal]] and [[#Gamecard modes|Secure]] modes.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
   
|-
 
|-
! Offset
+
| 0x180
! Size
+
| 0x7680
! Description
+
| FirmwareData
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 3
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Gamecard page count (duplicate)
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x21 or 0x5B)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Gamecard page offset
  −
|-
  −
| 0xD
  −
| 0x3
  −
| Gamecard page count
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== Erase ==
  −
Fully erases a Gamecard's contents. This command is only available in [[#Gamecard modes|Write]] mode.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 1
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x18)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0xD
  −
| 0x2
  −
| Set to 0
  −
|-
  −
| 0xF
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== ReadParameter ==
  −
Reads a development Gamecard's parameters. This command is only available in [[#Gamecard modes|Write]] mode.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 3
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Set to 1
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x19)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0xD
  −
| 0x2
  −
| Set to 0
  −
|-
  −
| 0xF
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== WriteParameter ==
  −
Writes a development Gamecard's parameters. This command is only available in [[#Gamecard modes|Write]] mode.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 3
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 1
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Set to 1
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x20)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0xD
  −
| 0x2
  −
| Set to 0
  −
|-
  −
| 0xF
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== SetKey ==
  −
Sets the Gamecard's internal key data. This command is only available in [[#Gamecard modes|Secure]] mode.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x39)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0xD
  −
| 0x2
  −
| Set to 0
  −
|-
  −
| 0xF
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
== Refresh ==
  −
Resets the Gamecard's internal status. This command is only available in [[#Gamecard modes|Secure]] mode.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 2
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0xB8)
  −
|-
  −
| 0x9
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0xD
  −
| 0x2
  −
| Set to 0
  −
|-
  −
| 0xF
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x10
  −
| 0x10
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
   
|}
 
|}
   −
== ChangeDebugDirect ==
+
== FirmwareVersion ==
Used by [[Filesystem_services#OpenGameCardStorage|OpenGameCardStorage]]. This command is only available in [[#Gamecard modes|Normal]] mode.
  −
 
  −
The [[#OperationBuffer]] is as follows:
  −
 
   
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
! Offset
+
! Bits
! Size
   
! Description
 
! Description
 
|-
 
|-
| 0x0
+
| 0-61
| 0x1
  −
| Gamecard ASIC operation command (0x10)
  −
|-
  −
| 0x1
  −
| 0x1
  −
| Set to 1
  −
|-
  −
| 0x2
  −
| 0x1
  −
| Set to 0
  −
|-
  −
| 0x3
  −
| 0x1
  −
| Padding
  −
|-
  −
| 0x4
  −
| 0x4
  −
| Set to 0
  −
|-
  −
| 0x8
  −
| 0x1
  −
| Gamecard command (0x2E)
  −
|-
  −
| 0x9
  −
| 0xF
  −
| Unlock password
  −
|-
  −
| 0x18
  −
| 0x8
  −
| Empty
  −
|-
  −
| 0x20
  −
| 0x20
  −
| Command verification value
  −
|}
  −
 
  −
= Modes =
  −
Both the Gamecard ASIC and the actual Gamecard can operate in different modes.
  −
 
  −
== ASIC modes ==
  −
{| class="wikitable" border="1"
  −
|-
  −
! Mode
  −
! Name
  −
|-
  −
| 0x00
  −
| Initial
  −
|-
  −
| 0x01
  −
| Secure
  −
|}
  −
 
  −
== Gamecard modes ==
  −
{| class="wikitable" border="1"
  −
|-
  −
! Mode
  −
! Name
  −
|-
  −
| 0x00
  −
| Initial
  −
|-
  −
| 0x01
  −
| Normal
  −
|-
  −
| 0x02
  −
| Secure
  −
|-
  −
| 0x03
  −
| Write
  −
|}
  −
 
  −
= User firmware =
  −
[[Filesystem_services|FS]] provides the appropriate Gamecard ASIC's user firmware (Lotus ASIC Firmware or LAFW) which is encrypted, signed and follows the format below:
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
! Offset
  −
! Size
  −
! Description
  −
|-
  −
| 0x0
  −
| 0x100
  −
| RSA-2048 PKCS #1 signature over the firmware (data from 0x100 to 0x7800)
  −
|-
  −
| 0x100
  −
| 0x4
  −
| Magic ("LAFW")
  −
|-
  −
| 0x104
  −
| 0x4
  −
| Unknown (0xFF000000, 0xFFFF0000 or 0xFFFFFF00)
  −
|-
  −
| 0x108
  −
| 0x4
  −
| Empty
  −
|-
  −
| 0x10C
  −
| 0x4
  −
| Empty
  −
|-
  −
| 0x110
  −
| 0x4
   
| Version (0, 0x1, [4.0.0+] 0x3, [9.0.0+] 0x7, [11.0.0+] 0xF, [12.0.0+] 0x1F)
 
| Version (0, 0x1, [4.0.0+] 0x3, [9.0.0+] 0x7, [11.0.0+] 0xF, [12.0.0+] 0x1F)
 
|-
 
|-
| 0x114
+
| 62
| 0x4
+
| IsDevelopment
| Unknown (0x80000000)
   
|-
 
|-
| 0x118
+
| 63
| 0x4
+
| IsProduction
| Data size
  −
|-
  −
| 0x11C
  −
| 0x4
  −
| Empty
  −
|-
  −
| 0x120
  −
| 0x10
  −
| Encrypted data IV/CTR
  −
|-
  −
| 0x130
  −
| 0x10
  −
| Placeholder string ("IDIDIDIDIDIDIDID")
  −
|-
  −
| 0x140
  −
| 0x40
  −
| Empty
  −
|-
  −
| 0x180
  −
| 0x7680
  −
| Encrypted data
   
|}
 
|}
  −
== Types ==
  −
Depending on it's purpose, multiple user firmware blobs exist.
  −
  −
=== ReadFw ===
  −
Code for reading retail Gamecards. Only the normal and secure [[#Gamecard modes|Gamecard modes]] are supported.
  −
  −
Found inside [[Filesystem_services|FS]].
  −
  −
[4.0.0+] This firmware blob was updated to provide support for new Gamecards.
  −
  −
[9.0.0+] This firmware blob was updated.
  −
  −
[11.0.0+] This firmware blob was updated.
  −
  −
[12.0.0+] This firmware blob was updated.
  −
  −
[14.0.0+] This firmware blob was updated.
  −
  −
=== WriterFw ===
  −
Code for writing development Gamecards. Only the normal and write [[#Gamecard modes|Gamecard modes]] are supported.
  −
  −
Found inside [[Filesystem_services|FS]].
  −
  −
=== ReadDevFw ===
  −
Code for reading development Gamecards. Development Gamecards use common [[Gamecard_Format#Initial_Data|initial data]] which justifies the need for a specialized read firmware.
  −
  −
Found inside [[Filesystem_services|FS]].
  −
  −
[9.0.0+] This firmware blob was updated.
  −
  −
[11.0.0+] This firmware blob was updated.
  −
  −
[14.0.0+] This firmware blob was updated.
  −
  −
=== RmaFw ===
  −
Code for calling [[#ReadRmaInformation]]. Must be passed as an argument for [[Filesystem_services#IDeviceOperator|GetGameCardAsicInfo]].
  −
  −
Never observed (possibly factory only).
      
== Anti-downgrade ==
 
== Anti-downgrade ==
Loading an user firmware blob with a certain version field will lock the Gamecard ASIC to only allow running firmware blobs with the same or higher version number. Therefore, it is speculated that the Gamecard ASIC contains some sort of non-volatile memory bank which could be used for this purpose (among others).
+
Loading a firmware blob will burn as many OTP fuses as those specified by the [[#FirmwareVersion|Version]] field. This will lock the Gamecard ASIC to only allow running firmware blobs with the same or higher version number.
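Review bot: The new Anti-downgrade sentence says a load burns "as many OTP fuses as those specified by the Version field", but the documented Version values are 0, 0x1, 0x3, 0x7, 0xF and 0x1F, so it is unclear whether the fuse count is the numeric value or the number of set bits. State which. The replaced text presented non-volatile storage as speculation, and the new wording asserts OTP fuses as fact without a source or the firmware version it was observed on. This hunk also deletes the Modes section and every "only available in ... mode" restriction on the card commands with no replacement. If those restrictions are still correct they should move into the CommandId table rather than disappear.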
