7
edits
Changes
Jump to navigation
Jump to search
Line 1,244:
Line 1,244: − + − + Line 1,255:
Line 1,255: − + − + − 0x00: unk_version0 (0x00210001) + − 0x04: unk_version1 (0x00210001) − 0x08: unk_version2 (0x00210001) − 0x0C: boot_type (1 (COLD) PK11 panics if it's not) − 0x4C: bct_data_addr (address of the actual BCT) − + − + − + − 0x00: is_active (if set to 0x01, bootloader0 is used) + − + − + − + − 0x00: is_active (if set to 0x01, bootloader1 is used) + − + − + − + − 0x00: is_active (if set to 0x01, bootloader2 is used) + + + + − + − + − + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + + + + + + + + + + + + − 0x40: bct_end_addr + + + + + + + +
→BIT, BCT
= IRAM =
= IRAM =
== [[BCT|BCT]] ==
== [[BIT|BIT]] ==
When copied to IRAM at address 0x40000000, the BCT has an additional header as follows.
When copied to IRAM at address 0x40000000, the BCT has an additional header called Boot Info Table as follows.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| 0x00
| 0x00
| 0x50
| 0x04
| bct_global_header
| unk_version0
|
|
0x00210001
|-
|-
| 0x50
| 0x04
| 0x18
| 0x04
| bootloader0_header
| unk_version1
|
|
0x00210001
|-
|-
| 0x68
| 0x08
| 0x18
| 0x04
| bootloader1_header
| unk_version2
|
|
0x00210001
|-
|-
| 0x80
| 0x0C
| 0x18
| 0x04
| bootloader2_header
| boot_type
|
|
BOOT_TYPE_COLD = 1
BOOT_TYPE_RECOVERY = 2
BOOT_TYPE_UART = 3
BOOT_TYPE_EXIT_RCM = 4
|-
|-
| 0x98
0x4C: bct_data_addr (address of the actual BCT)
| 0x18
|-
| bootloader3_header
| 0x50
| 0x18*4
| bootloader_headers[4]
|
|
0x00: is_active (if set to 0x01, bootloader3 is used)
{| class="wikitable" border="1"
|-
! Offset
! Size
! Field
|-
| 0x00
| 0x04
| is_active
|-
| 0x04
| 0x04
| start_block
|-
| 0x08
| 0x04
| start_page
|-
| 0x0C
| 0x04
| length
|-
| 0x10
| 0x04
| signed_start
|-
| 0x14
| 0x04
| signature
|-
|}
|-
|-
| 0xB0
| 0xB0
| 0x50
| 0x40
|
|
|-
| 0xF0
| 0x04
|
|
bct_end_addr
|-
| 0xF4
| 0x0C
|
|
|
|
|-
|-
|}
|}
bct_data_addr should pint to a bct that contains the keyblob.
It's used in key generation in PK1.
PK11 checks boot_type to be cold, if it's not it panics.
bootloader_headers[0] or bootloader_headers[1] should be set to active. It is also checked by PK11.
= Notes =
= Notes =