https://www.3dbrew.org/w/api.php?action=feedcontributions&user=Dark+samus&feedformat=atom3dbrew - User contributions [en]2024-03-28T21:08:10ZUser contributionsMediaWiki 1.35.8https://www.3dbrew.org/w/index.php?title=ARM7_Registers&diff=20998ARM7 Registers2019-06-08T06:24:27Z<p>Dark samus: </p>
<hr />
<div>The 3DS utilizes an onboard ARM7 core to handle <code>TWL_FIRM</code> and <code>AGB_FIRM</code>'s ARM7 requirements. This is due to the fact that much of the hardware used by both ARM7 and ARM9 is (evidently) not physically hooked up to ARM11. Thus, ARM11 cannot simply emulate ARM7.<br />
<br />
ARM7 has the GBA BIOS implemented in hardware. The BIOS is completely identical to the original GBA BIOS. The system is booted silently by calling <code>SWI 0x1</code> (a.k.a. <code>RegisterRamReset</code>), followed by jumping to the code that does <code>SWI 0x0</code> (a.k.a. <code>SoftReset</code>) to finish booting. The boot splash is still in BIOS, however, and can be seen by calling or replacing one of the previous interrupts with <code>SWI 0x26</code> (a.k.a. <code>HardReset</code>).<br />
<br />
==Registers==<br />
ARM9 interfaces with the ARM7 through the following registers:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Type<br />
! Address<br />
! Name<br />
! Size (bytes)<br />
|-<br />
| <code>u8</code><br />
| <code>0x10018000</code><br />
| <code>ARM7_CNT</code><br />
| 1 <br />
|-<br />
| Code<br />
| <code>0x10018080</code><br />
| <code>ARM7_CODE</code><br />
| 32<br />
|-<br />
| <code>u16</code><br />
| <code>0x10018100</code><br />
| <code>ARM7_SAVE_MODE</code><br />
| 2<br />
|-<br />
| <code>u16</code><br />
| <code>0x10018104</code><br />
| <code>ARM7_?_CNT</code><br />
| 2<br />
|-<br />
| <code>u16</code><br />
| <code>0x10018108</code><br />
| <code>ARM7_RTC_CNT?</code><br />
| 2<br />
|-<br />
| <code>u32</code><br />
| <code>0x10018110</code><br />
| <code>ARM7_RTC_VAL_LO</code><br />
| 4<br />
|-<br />
| <code>u32</code><br />
| <code>0x10018114</code><br />
| <code>ARM7_RTC_VAL_HI</code><br />
| 4<br />
|-<br />
| <code>u32</code><br />
| <code>0x10018118</code><br />
| <code>ARM7_RTC_LO?</code><br />
| 4<br />
|-<br />
| <code>u32</code><br />
| <code>0x1001811C</code><br />
| <code>ARM7_RTC_HI?</code><br />
| 4<br />
|-<br />
| <code>arm7_save_cfg_t</code><br />
| <code>0x10018120</code><br />
| <code>ARM7_SAVE_CFG</code><br />
| 16<br />
|}<br />
<br />
===ARM7_CNT===<br />
This seems to control the mode of the ARM7. 1 = TWL, 2 = GBA.<br />
<br />
===ARM7_CODE===<br />
This region is an arm7 bootrom overlay, over the vector table at address 0. Once the ARM7 is taken out of reset by <code>TwlProcess9</code>, the reset vector will be jumped to, beginning execution. <code>TwlProcess9</code> uses this to put ARM7 in a loop (TWL), and to set the <code>POSTFLG</code> and branch to more copied code (GBA). Execution is started by writing <code>0x8001</code> to [[CONFIG11_Registers#CFG11_TWLMODE_0|CFG11_TWLMODE_0]] after setting the mode via <code>ARM7_CNT</code>. Later, this overlay is disabled by the ARM7 via the "biosprot" register (0x04000308).<br />
<br />
Reading uninitialized data in this 32-byte region leads to both screens displaying solid green (exception), and the CPU locking up.<br />
<br />
===ARM7_SAVE_MODE===<br />
This tells the save storage emulation hardware which device type to emulate (64k EEPROM, a 512k Flash chip model, and SRAM are all that have been used officially; several other 512k Flash chip models, two 1 Mbit Flash chip models and 8k EEPROM are also supported). This comes directly from the [[3DS_Virtual_Console#Footer|ROM footer]].<br />
<br />
===ARM7_RTC_VAL===<br />
These registers are set to the current LgyP9 date+time before ARM7_RTC_CNT/ARM7_RTC_? registers are used.<br />
They contain the following structure, set up on the stack then both u32 registers are written one after the other:<br />
<br />
s8 year_since_2000_bcd;<br />
s8 month_bcd;<br />
s8 day_bcd;<br />
s8 day_of_week;<br />
s8 hour_bcd;<br />
s8 minute_bcd;<br />
s8 second_bcd;<br />
<br />
===ARM7_RTC ''?''===<br />
These registers may be used to control a real-time clock. To set or read the data here, first <code>ARM7_RTC_CNT</code>'s bit 15 is waited on. Next <code>ARM7_RTC_CNT</code> is set to zero. <br />
<br />
For a write: the two registers are written, a 1 is written to <code>ARM7_RTC_CNT</code>, and it is waited on the same as before. Afterwards if bit 14 is not set in <code>ARM7_RTC_CNT</code>, the value was set successfully.<br />
<br />
For a read: a 2 is written to <code>ARM7_RTC_CNT</code>, it's waited on again. Afterwards, if bit 14 is not set, the RTC can be read. Presumably the hardware can be re-enabled by writing a zero to <code>ARM7_RTC_CNT</code> at this point, but <code>AGB_FIRM</code> does not.<br />
<br />
===ARM7_SAVE_CFG===<br />
This is copied from rom footer + <code>0x10</code>. It presumably configures details about storage, such as IDs, and likely allows enabling the RTC for games which need it. Format of this data is unknown, and slightly difficult to determine without some hardware poking.<br />
<br />
==Memory map==<br />
The virtual memory mapping for the ARM7 is the same as for the [[Memory_layout#TWL_FIRM_Userland_Memory|other core]]. However, it has additional internal memory mapped to it. Interestingly enough, much of this memory seems to lie within ARM9's own internal memory.<br />
<br />
* <code>0x08060000</code> → <code>0x03800000</code>, ARM7 WRAM (64KiB)<br />
* <code>0x080B0000</code> → <code>0x03000000</code>, GBA IWRAM (32KiB)<br />
* <code>0x08080000</code> → EEPROM/SRAM/Flash 512k/Flash 1Mbit (the 2 512k banks are contiguous in memory). Appears to be mirrored at <code>0x080C0000</code>, maybe first mapping is read-only and second is writable? <code>0x10018104</code> must be set to 1 before reading memory here, and restored to its previous value afterwards<br />
* <code>0x01FFC000</code> → <code>0x01000000</code>, ARM9 ITCM under TWL (16KiB)</div>Dark samushttps://www.3dbrew.org/w/index.php?title=ARM7_Registers&diff=20997ARM7 Registers2019-06-08T06:13:10Z<p>Dark samus: </p>
<hr />
<div>The 3DS utilizes an onboard ARM7 core to handle <code>TWL_FIRM</code> and <code>AGB_FIRM</code>'s ARM7 requirements. This is due to the fact that much of the hardware used by both ARM7 and ARM9 is (evidently) not physically hooked up to ARM11. Thus, ARM11 cannot simply emulate ARM7.<br />
<br />
ARM7 has the GBA BIOS implemented in hardware. The BIOS is completely identical to the original GBA BIOS. The system is booted silently by calling <code>SWI 0x1</code> (a.k.a. <code>RegisterRamReset</code>), followed by jumping to the code that does <code>SWI 0x0</code> (a.k.a. <code>SoftReset</code>) to finish booting. The boot splash is still in BIOS, however, and can be seen by calling or replacing one of the previous interrupts with <code>SWI 0x26</code> (a.k.a. <code>HardReset</code>).<br />
<br />
==Registers==<br />
ARM9 interfaces with the ARM7 through the following registers:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Type<br />
! Address<br />
! Name<br />
! Size (bytes)<br />
|-<br />
| <code>u8</code><br />
| <code>0x10018000</code><br />
| <code>ARM7_CNT</code><br />
| 1 <br />
|-<br />
| Code<br />
| <code>0x10018080</code><br />
| <code>ARM7_CODE</code><br />
| 32<br />
|-<br />
| <code>u16</code><br />
| <code>0x10018100</code><br />
| <code>ARM7_SAVE_MODE</code><br />
| 2<br />
|-<br />
| <code>u16</code><br />
| <code>0x10018104</code><br />
| <code>ARM7_?_CNT</code><br />
| 2<br />
|-<br />
| <code>u16</code><br />
| <code>0x10018108</code><br />
| <code>ARM7_RTC_CNT?</code><br />
| 2<br />
|-<br />
| <code>u32</code><br />
| <code>0x10018110</code><br />
| <code>ARM7_RTC_VAL_LO</code><br />
| 4<br />
|-<br />
| <code>u32</code><br />
| <code>0x10018114</code><br />
| <code>ARM7_RTC_VAL_HI</code><br />
| 4<br />
|-<br />
| <code>u32</code><br />
| <code>0x10018118</code><br />
| <code>ARM7_RTC_LO?</code><br />
| 4<br />
|-<br />
| <code>u32</code><br />
| <code>0x1001811C</code><br />
| <code>ARM7_RTC_HI?</code><br />
| 4<br />
|-<br />
| <code>arm7_save_cfg_t</code><br />
| <code>0x10018120</code><br />
| <code>ARM7_SAVE_CFG</code><br />
| 16<br />
|}<br />
<br />
===ARM7_CNT===<br />
This seems to control the mode of the ARM7. 1 = TWL, 2 = GBA.<br />
<br />
===ARM7_CODE===<br />
This region is an arm7 bootrom overlay, over the vector table at address 0. Once the ARM7 is taken out of reset by <code>TwlProcess9</code>, the reset vector will be jumped to, beginning execution. <code>TwlProcess9</code> uses this to put ARM7 in a loop (TWL), and to set the <code>POSTFLG</code> and branch to more copied code (GBA). Execution is started by writing <code>0x8001</code> to [[CONFIG11_Registers#CFG11_TWLMODE_0|CFG11_TWLMODE_0]]. Later, this overlay is disabled by the ARM7 via the "biosprot" register (0x04000308).<br />
<br />
Reading uninitialized data in this 32-byte region leads to both screens displaying solid green (exception), and the CPU locking up.<br />
<br />
===ARM7_SAVE_MODE===<br />
This tells the save storage emulation hardware which device type to emulate (64k EEPROM, a 512k Flash chip model, and SRAM are all that have been used officially; several other 512k Flash chip models, two 1 Mbit Flash chip models and 8k EEPROM are also supported). This comes directly from the [[3DS_Virtual_Console#Footer|ROM footer]].<br />
<br />
===ARM7_RTC_VAL===<br />
These registers are set to the current LgyP9 date+time before ARM7_RTC_CNT/ARM7_RTC_? registers are used.<br />
They contain the following structure, set up on the stack then both u32 registers are written one after the other:<br />
<br />
s8 year_since_2000_bcd;<br />
s8 month_bcd;<br />
s8 day_bcd;<br />
s8 day_of_week;<br />
s8 hour_bcd;<br />
s8 minute_bcd;<br />
s8 second_bcd;<br />
<br />
===ARM7_RTC ''?''===<br />
These registers may be used to control a real-time clock. To set or read the data here, first <code>ARM7_RTC_CNT</code>'s bit 15 is waited on. Next <code>ARM7_RTC_CNT</code> is set to zero. <br />
<br />
For a write: the two registers are written, a 1 is written to <code>ARM7_RTC_CNT</code>, and it is waited on the same as before. Afterwards if bit 14 is not set in <code>ARM7_RTC_CNT</code>, the value was set successfully.<br />
<br />
For a read: a 2 is written to <code>ARM7_RTC_CNT</code>, it's waited on again. Afterwards, if bit 14 is not set, the RTC can be read. Presumably the hardware can be re-enabled by writing a zero to <code>ARM7_RTC_CNT</code> at this point, but <code>AGB_FIRM</code> does not.<br />
<br />
===ARM7_SAVE_CFG===<br />
This is copied from rom footer + <code>0x10</code>. It presumably configures details about storage, such as IDs, and likely allows enabling the RTC for games which need it. Format of this data is unknown, and slightly difficult to determine without some hardware poking.<br />
<br />
==Memory map==<br />
The virtual memory mapping for the ARM7 is the same as for the [[Memory_layout#TWL_FIRM_Userland_Memory|other core]]. However, it has additional internal memory mapped to it. Interestingly enough, much of this memory seems to lie within ARM9's own internal memory.<br />
<br />
* <code>0x08060000</code> → <code>0x03800000</code>, ARM7 WRAM (64KiB)<br />
* <code>0x080B0000</code> → <code>0x03000000</code>, GBA IWRAM (32KiB)<br />
* <code>0x08080000</code> → EEPROM/SRAM/Flash 512k/Flash 1Mbit (the 2 512k banks are contiguous in memory). Appears to be mirrored at <code>0x080C0000</code>, maybe first mapping is read-only and second is writable? <code>0x10018104</code> must be set to 1 before reading memory here, and restored to its previous value afterwards<br />
* <code>0x01FFC000</code> → <code>0x01000000</code>, ARM9 ITCM under TWL (16KiB)</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=20667Pinouts2018-03-27T03:25:25Z<p>Dark samus: More info on the MCU. Rotate the pinout to match the datasheet of a similar MCU, add a few more pin names</p>
<hr />
<div>== CTR CPU B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;"<br />
| style="background: #bbbbbb" | G || style="background: #cc9900" | 0? || style="background: #336600" | CS1 || style="background: #336600" | ? || style="background: #336600" | ? || style="background: #a060a0" | D5 || style="background: #a060a0" | D2 || || style="background: #a060a0" | RST || style="background: #a060a0" | CLK || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #ff0000" | X || style="background: #ff0000" | X || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || || || || || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || || style="background: #666633" | IRIRQ || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #bbbbbb" | G<br />
|-<br />
| style="background: #cc9900" | 1? || style="background: #cc9900" | 2? || style="background: #336600" | CSx || style="background: #336600" | CSy || style="background: #336600" | ? || style="background: #a060a0" | D6 || style="background: #a060a0" | D3 || style="background: #a060a0" | D0 || style="background: #a060a0" | IRQ || style="background: #a060a0" | CS1 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || || style="background: #bbbbbb" | G || || || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || || || || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc9900" | 3? || ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || || style="background: #a060a0" | D7 || style="background: #a060a0" | D4 || style="background: #a060a0" | D1 || style="background: #a060a0" | DET || style="background: #a060a0" | CS2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #666633" | IRTX || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CLK || style="background: #ffff00" | D0 ||style="background: #ffffff" | || || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | D1 || style="background: #ffff00" | D2 ||style="background: #ffffff" | || style="background: #ffff00" | D3 || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CMD || style="background: #ffff00" | IRQ ||style="background: #ffffff" | || style="background: #ffff00" | WP || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | CLK || style="background: #00aaee" | D0 ||style="background: #ffffff" | || || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | D1 || style="background: #00aaee" | D2 ||style="background: #ffffff" | || style="background: #00aaee" | D3 || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #00aaee" | CMD ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #20b2aa" | ? || style="background: #20b2aa" | ? ||style="background: #ffffff" | || style="background: #20b2aa" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #20b2aa" | ? ||style="background: #ffffff" | || style="background: #20b2aa" | ? || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SCL || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SDA || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #73e600" | ? || style="background: #476b6b" | 3? || style="background: #476b6b" | 4? || style="background: #476b6b" | 5? || || || || || style="background: #ff69b4" | B || style="background: #ff69b4" | PADR || style="background: #ff69b4" | PADD || style="background: #bbbbbb" | G || style="background: #4d4d33" | ? || style="background: #4d4d33" | ? || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #73e600" | ? || style="background: #8efab4" | SDA || style="background: #476b6b" | 1? || style="background: #476b6b" | 2? || || || || || style="background: #ff69b4" | A || style="background: #ff69b4" | STRT || style="background: #ff69b4" | PADU || style="background: #ff69b4" | L || style="background: #ff69b4" | Y || style="background: #4d4d33" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || style="background: #8efab4" | SCL || style="background: #476b6b" | 0? || || || || || || || style="background: #ff69b4" | SLCT || style="background: #ff69b4" | PADL || style="background: #ff69b4" | R || style="background: #ff69b4" | X || style="background: #4d4d33" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #bbbbbb" | G<br />
|}<br />
<br />
legend:<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;table-layout:fixed;"<br />
| style="background: #ff0000" | SoC clock crystal<br />
|-<br />
| style="background: #ffaaaa" | RTC clock crystal<br />
|-<br />
| style="background: #a060a0" | Gamecard<br />
|-<br />
| style="background: #ffff00" | SDCARD SDIO<br />
|-<br />
| style="background: #00aaee" | NAND SDIO<br />
|-<br />
| style="background: #20b2aa" | WIFI SDIO<br />
|-<br />
| style="background: #336600" | SPI<br />
|-<br />
| style="background: #73e600" | I2C-1<br />
|-<br />
| style="background: #8efab4" | I2C-2<br />
|-<br />
| style="background: #33ffff" | I2C-3<br />
|-<br />
| style="background: #ff69b4" | Pad<br />
|-<br />
| style="background: #ff2a7f" | FCRAM<br />
|-<br />
| style="background: #b19cd9" | Camera<br />
|-<br />
| style="background: #a52a2a" | WIFI<br />
|-<br />
| style="background: #666633" | GPIO<br />
|-<br />
| style="background: #ff8000" | LCD0 (small)<br />
|-<br />
| style="background: #cc6600" | LCD1 (big)<br />
|-<br />
| style="background: #cc9900" | CODEC0 (unknown)<br />
|-<br />
| style="background: #476b6b" | CODEC1 (unknown)<br />
|-<br />
| style="background: #4d4d33" | MCU (unknown)<br />
|-<br />
| style="background: #d9ffb3" | POWER<br />
|-<br />
| style="background: #bbbbbb" | Ground<br />
|}<br />
<br />
Orientation: Triangle bottom right on the PCB.<br />
<br />
== UC CTR ==<br />
<br />
This MCU seems to be a customized 64 pin FLGA version of this: https://www.renesas.com/ko-kr/doc/products/mpumcu/doc/rl78/r01ds0053ej0330-rl78g14.pdf<br />
<br />
The pin layouts are similar, but not the same<br />
<br />
Orientation: Pin 1 marker in bottom left corner<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;width:26%;"<br />
| style="background: #d9ffb3" | + || style="background: #bbbbbb" | G || || || TP75 || style="background: #ffaaaa" | X || style="background: #ffaaaa" | X || style="background: #4d4d33" | ? <br />
|-<br />
| style="background: #73e600" | SCL || || style="background: #bbbbbb" | G || || /RESET || style="background: #4d4d33" | ? || style="background: #4d4d33" | ? || style="background: #d9ffb3" | + <br />
|-<br />
| style="background: #73e600" | SDA || || style="background: #d9ffb3" | + || TP77 || TP76 || || || style="background: #d9ffb3" | + <br />
|-<br />
| style="background: #4d4d33" | ? || || TP78 || PWRLED1 || || || || CHRGLED<br />
|-<br />
| || || || || || || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G <br />
|-<br />
| || PWRBTN || || || || || BATTTHM ||<br />
|-<br />
| || || || PWRLED0 || || || HOMEBTN ||<br />
|-<br />
| style="background: #d9ffb3" | + || || || || style="background: #8efab4" | SCL || style="background: #8efab4" | SDA || || style="background: #bbbbbb" | G <br />
|}<br />
<br />
== CODEC ==<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;width:36%;"<br />
| || style="background: #476b6b" | 4? || style="background: #d9ffb3" | 3v3 || || style="background: #cc9900" | 3? || style="background: #cc9900" | 0? || style="background: #336600" | ? || style="background: #336600" | ? || || style="background: #bbbbbb" | G ||<br />
|-<br />
| || style="background: #476b6b" | 3? || style="background: #476b6b" | 5? || style="background: #bbbbbb" | G || || style="background: #cc9900" | 1? || style="background: #336600" | CSx || style="background: #336600" | ? || || style="background: #bbbbbb" | G ||<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #476b6b" | 2? || style="background: #476b6b" | 0? || style="background: #bbbbbb" | G || || style="background: #cc9900" | 2? || style="background: #336600" | CSy || || || || SPEAKER1<br />
|-<br />
| TOUCH || TOUCH || style="background: #476b6b" | 1? || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || SPEAKER1<br />
|-<br />
| TOUCH || TOUCH || || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || ||<br />
|-<br />
| CPAD || CPAD || || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || ||<br />
|-<br />
| || || || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || SPEAKER2<br />
|-<br />
| MIC || || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || SPEAKER2<br />
|-<br />
| JACK_R || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || style="background: #bbbbbb" | G || || || || || || style="background: #bbbbbb" | G<br />
|-<br />
| style="background: #d9ffb3" | 3v3 || || || || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || ||<br />
|-<br />
| || || style="background: #bbbbbb" | G || || || || JACK_L || || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G ||<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Config_Savegame&diff=20511Config Savegame2017-12-27T04:35:19Z<p>Dark samus: fixed links for moved page</p>
<hr />
<div>This page describes the format of the [[Config_Services|Cfg]] [[System_SaveData|NAND]] savegame. These blocks can be accessed with the Cfg service commands.<br />
<br />
==Structure of save-file "/config"==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x2<br />
| Total entries<br />
|-<br />
| 0x2<br />
| 0x2<br />
| Data entries offset<br />
|-<br />
| 0x4<br />
| 0x4558<br />
| Block entries<br />
|-<br />
| 0x455C<br />
| <br />
| Data for the entries<br />
|}<br />
<br />
The filesize for this /config file is 0x8000-bytes.<br />
<br />
==Configuration block entry ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x4<br />
| BlkID<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Offset to the data for this block when size is >4, otherwise this word is the data for this block<br />
|-<br />
| 0x8<br />
| 0x2<br />
| Size<br />
|-<br />
| 0xA<br />
| 0x2<br />
| Flags<br />
|}<br />
<br />
==Configuration blocks==<br />
{| class="wikitable" border="1"<br />
|-<br />
! BlkID<br />
! Size<br />
! Flags<br />
! Description<br />
|-<br />
| 0x00000000<br />
| 0x2<br />
| 0xC<br />
| Config savegame version?<br />
|-<br />
| 0x00010000<br />
| 0x1<br />
| 0xC<br />
| [[Hardware_calibration#RTC|RTC compensation value]]<br />
|-<br />
| 0x00020000<br />
| 0x134<br />
| 0xC<br />
| [[Hardware_calibration#CDC|Codec]]<br />
|-<br />
| 0x00030000<br />
| 0x1<br />
| 0xC<br />
| ??? (HWCAL block 0x28)<br />
|-<br />
| 0x00030001<br />
| 0x8<br />
| 0xE<br />
| User time offset (read by CECD)<br />
|-<br />
| 0x00030002<br />
| 0x8<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x00040000<br />
| 0x10<br />
| 0xC<br />
| [[Hardware_calibration#Touch|Touch calibration]] (read by HID)<br />
|-<br />
| 0x00040001<br />
| 0x1C<br />
| 0xC<br />
| Analog Stick Calibration Param?(read by HID)<br />
|-<br />
| 0x00040002<br />
| 0x12<br />
| 0xC<br />
| [[Hardware_calibration#Gyro|Gyroscope]] (read by HID)<br />
|-<br />
| 0x00040003<br />
| 0xC<br />
| 0xC<br />
| [[Hardware_calibration#Accel|Accelerometer]] (read by HID)<br />
|-<br />
| 0x00040004<br />
| 0x1C<br />
| 0xC<br />
| [[Hardware_calibration#CStick|CStick calibration data]]<br />
|-<br />
| 0x00050000<br />
| 0x2<br />
| 0xC<br />
| [[Hardware_calibration#Screen_flicker|Screen flicker]]<br />
|-<br />
| 0x00050001<br />
| 0x2<br />
| 0xC<br />
| Backlight controls (u8 ABL_powersave_enable, u8 brightness_level) (read by GSP)<br />
|-<br />
| 0x00050002<br />
| 0x38<br />
| 0xC<br />
| [[Hardware_calibration#BLPWM|Backlight PWM]] (read by GSP)<br />
|-<br />
| 0x00050003<br />
| 0x20<br />
| 0xC<br />
| [[Hardware_calibration#ABL|Power saving mode (ABL) calibration]] (read by GSP)<br />
|-<br />
| 0x00050004<br />
| 0x20<br />
| 0xC<br />
| [[Hardware_calibration#ABL|Power saving mode (ABL) calibration]] <br />
|-<br />
| 0x00050005<br />
| 0x20<br />
| 0xE<br />
| Stereo display settings (HWCAL block 0x470)<br />
|-<br />
| 0x00050006<br />
| 0x2<br />
| 0xC<br />
| [[Hardware_calibration#ULCD_delay|3D switching delay]]<br />
|-<br />
| 0x00050007<br />
| 0x4<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x00050008<br />
| 0x10C<br />
| 0xC<br />
| [[Hardware_calibration#ABL_extra|Power saving mode (ABL) extra config]]<br />
|-<br />
| 0x00050009<br />
| 0x8<br />
| 0xC<br />
| new3DS only(?) backlight control (5th byte: auto-brightness enable)<br />
|-<br />
| 0x00060000<br />
| 0x96<br />
| 0xC<br />
| ??? (HWCAL block 0x500)<br />
|-<br />
| 0x00070000<br />
| 0x214<br />
| 0xE<br />
| [[Hardware_calibration#3D_filters|3D filters]]<br />
|-<br />
| 0x00070001<br />
| 0x1<br />
| 0xE<br />
| Sound output mode (mono=0, stereo=1, surround=2)<br />
|-<br />
| 0x00070002<br />
| 0x8<br />
| 0xE<br />
| [[Hardware_calibration#Microphone_echo_cancel|Microphone echo cancellation params]]<br />
|-<br />
| 0x00080000<br />
| 0xC00<br />
| 0xC<br />
| WiFi configuration slot 0<br />
|-<br />
| 0x00080001<br />
| 0xC00<br />
| 0xC<br />
| WiFi configuration slot 1<br />
|-<br />
| 0x00080002<br />
| 0xC00<br />
| 0xC<br />
| WiFi configuration slot 2<br />
|-<br />
| 0x00090000<br />
| 0x8<br />
| 0xE<br />
| This contains a u64 ID, used by processes using [[NWMUDS:InitializeWithVersion]]. The first word is the same as [[CfgS:GetLocalFriendCodeSeed|LocalFriendCodeSeed]], while the latter is a separate word.<br />
|-<br />
| 0x00090001<br />
| 0x8<br />
| 0xE<br />
| Same content as 0x0009000? This console-unique u64 is used by [[Cfg:GenHashConsoleUnique|GenHashConsoleUnique]]. It is generated by <code>((0x3FFFFFFFF) & LocalFriendCodeSeed) | (random16 << 48))</code>, where random16 is generated by [[PSPXI:GenerateRandomBytes|GenerateRandomBytes]]<br />
|-<br />
| 0x00090002<br />
| 0x4<br />
| 0xE<br />
| The first two bytes are the same random16 used in 0x00090001. The second two bytes are zeros.<br />
|-<br />
| 0x000A0000<br />
| 0x1C<br />
| 0xE<br />
| Username in UTF16<br />
|-<br />
| 0x000A0001<br />
| 0x2<br />
| 0xE<br />
| Birthday (u8 month, u8 day)<br />
|-<br />
| 0x000A0002<br />
| 0x1<br />
| 0xE<br />
| Language<br />
|-<br />
| 0x000B0000<br />
| 0x4<br />
| 0xE<br />
| CountryInfo<br />
|-<br />
| 0x000B0001<br />
| 0x800<br />
| 0xE<br />
| Country name in UTF-16, every 0x80-bytes is an entry for each language, in the order of the Language table below (not all entries are set)<br />
|-<br />
| 0x000B0002<br />
| 0x800<br />
| 0xE<br />
| State name in UTF-16, every 0x80-bytes is an entry for each language<br />
|-<br />
| 0x000B0003<br />
| 0x4<br />
| 0xE<br />
| Coordinates. A pair of s16 represents latitude and longitude, respectively. One need to multiply both value by 180/32768 to get coordinates in degrees<br />
<br />
|-<br />
| 0x000C0000<br />
| 0xC0<br />
| 0xE<br />
| Restricted photo exchange data, and other info (includes a mirror of Parental Restrictions PIN/Secret Answer)<br />
|-<br />
| 0x000C0001<br />
| 0x14<br />
| 0xE<br />
| COPPACS restriction data<br />
|-<br />
| 0x000C0002<br />
| 0x200<br />
| 0xE<br />
| ? Contains the email address set during Parental Restriction setup.<br />
|-<br />
| 0x000D0000<br />
| 0x4<br />
| 0xE<br />
| u16 at offset 0x0: [[SMDH#EULA_Version|EULA Version]] which was agreed to.<br />
|-<br />
| 0x000E0000<br />
| 0x1<br />
| 0xE<br />
| ?<br />
|-<br />
| 0x000F0000<br />
| 0x10<br />
| 0xC<br />
| Debug configuration, read by [[NS]] on dev-units: on startup, NS does <code>svcKernelSetState(6, 1, (u64)debug_flags & 1); <br />
svcKernelSetState(6, 2, (u64)debug_flags & 2);</code> (see [[SVC#KernelSetState|here]]) where <code>debug_flags</code> is the u32 located at offset 0xC in this struct. Then it compares the u32 from +8 in this config-block with the [[Configuration_Memory#APPMEMTYPE|APPMEMTYPE]]. When those don't match NS starts a FIRM-launch (with the same FIRM titleID as the currently running one) to boot into a FIRM with the APPMEMTYPE value from this config-block. The byte at offset 0x0 is related to the memtype as well.<br />
|-<br />
| 0x000F0001<br />
| 0x8<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x000F0003<br />
| 0x1<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x000F0004<br />
| 0x4<br />
| 0xC<br />
| The first u8 is the System-Model [[Cfg:GetSystemModel|value]], the last 3-bytes are unknown<br />
|-<br />
| 0x000F0005<br />
| 0x4<br />
| 0xC<br />
| The first u8 indicates whether network updates are enabled (however, NIM only checks this flag with developer [[Configuration_Memory#ENVINFO|ENVINFO]]).<br />
|-<br />
| 0x000F0006<br />
| 0x28<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x00100000<br />
| 0x2<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x00100001<br />
| 0x94<br />
| 0xC<br />
| Stores Parental Restrictions PIN/Secret Answer and other info<br />
|-<br />
| 0x00100002<br />
| 0x1<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x00100003<br />
| 0x10<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x00110000<br />
| 0x4<br />
| 0xC<br />
| The low u16 indicates whether the system setup is required, such as when the system is booted for the first time or after doing a [[System Settings|System Format]]: 0 = setup required, non-zero = no setup required<br />
|-<br />
| 0x00110001<br />
| 0x8<br />
| 0xC<br />
| TitleID of the menu to launch, used by [[NS]] on dev units (this block can be edited on dev units with [[3DS Development Unit Software#Config|Config]])<br />
|-<br />
| 0x00120000<br />
| 0x8<br />
| 0xC<br />
| [[Hardware_calibration#MCU|MCU volume slider related]] (read by HID)<br />
|-<br />
| 0x00130000<br />
| 0x4<br />
| 0xE<br />
| If response is 0x100 then debug mode is enabled.<br />
|-<br />
| 0x00150000<br />
| 0x4<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x00150001<br />
| 0x8<br />
| 0xC<br />
| ?<br />
|-<br />
| 0x00150002<br />
| 0x4<br />
| 0xE<br />
| ?<br />
|-<br />
| 0x00160000<br />
| 0x4<br />
| 0xE<br />
| Unknown, first byte is used by config service-cmd [[Config_Services|0x00070040]]. (Unknown whether the last 3-bytes are used)<br />
|-<br />
| 0x00170000<br />
| 0x4<br />
| 0xE<br />
| Miiverse (OLV) access key<br />
|-<br />
| 0x00180000<br />
| 0x4<br />
| 0xC<br />
| QTM Infrared LED related, can be 0 or 1<br />
|-<br />
| 0x00180001<br />
| 0x18<br />
| 0xC<br />
| [[Hardware_calibration#QTM|QTM calibration data]]<br />
|-<br />
| 0x00190000<br />
| 0x1<br />
| 0xC<br />
| Unknown. NFC-module checks for value1/non-value1.<br />
|}<br />
<br />
The developer unit TID block only exists on developer units.<br />
<br />
===Stereo Display Settings===<br />
All values are hard-coded in cfg module.<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Value<br />
! Description<br />
|-<br />
| 0x0<br />
| 4<br />
| 62.0f<br />
|assumed pupillary distance in mm?<br />
|-<br />
| 0x4<br />
| 4<br />
| 289.0f<br />
|assumed distance in mm between player's eyes and upper screen?<br />
|-<br />
| 0x8<br />
| 4<br />
| 76.80f<br />
|width in mm of (old) 3DS upper screen (doesn't vary for different models?)<br />
|-<br />
| 0xC<br />
| 4<br />
| 46.08f<br />
|height in mm of (old) 3DS upper screen (doesn't vary for different models?)<br />
|-<br />
| 0x10<br />
| 4<br />
| 10.0f<br />
|<br />
|-<br />
| 0x14<br />
| 4<br />
| 5.0f<br />
|<br />
|-<br />
| 0x18<br />
| 4<br />
| 55.58f<br />
|<br />
|-<br />
| 0x1C<br />
| 4<br />
| 21.57f<br />
|<br />
|}<br />
<br />
===Languages===<br />
{| class="wikitable" border="1"<br />
|-<br />
! ID<br />
! Description<br />
|-<br />
| 0<br />
| JP<br />
|-<br />
| 1<br />
| EN<br />
|-<br />
| 2<br />
| FR<br />
|-<br />
| 3<br />
| DE<br />
|-<br />
| 4<br />
| IT<br />
|-<br />
| 5<br />
| ES<br />
|-<br />
| 6<br />
| ZH<br />
|-<br />
| 7<br />
| KO<br />
|-<br />
| 8<br />
| NL<br />
|-<br />
| 9<br />
| PT<br />
|-<br />
| 10<br />
| RU<br />
|-<br />
| 11<br />
| TW<br />
|}<br />
<br />
===CountryInfo===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Byte<br />
! Description<br />
|-<br />
| 0<br />
|?<br />
|-<br />
| 1<br />
|?<br />
|-<br />
| 2<br />
| State/Province code.<br />
|-<br />
| 3<br />
| Country code, same as DSi/Wii country codes. Value 0xFF is invalid.<br />
|}<br />
<br />
===0x000A0000 Block===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Byte<br />
! Description<br />
|-<br />
| 0x0-0x13<br />
| UTF-16 username, with no NULL-terminator.<br />
|-<br />
| 0x14-17<br />
| Usually zero?<br />
|-<br />
| 0x18-0x1B<br />
| u32 NGWord version the username was last checked with. If this value is less than the u32 stored in the NGWord CFA "romfs:/version.dat", the system then checks the username string with the bad-word list CFA again, then updates this field with the value from the CFA<br />
|}<br />
<br />
<br />
<br />
===WiFi Slot Structure===<br />
<br />
====Network structure====<br />
This is used twice in the actual WiFi slot structure.<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x1<br />
| Whether the network was set or not?<br />
|-<br />
| 0x1<br />
| 0x1<br />
| Whether to use this network strucutre to connect?<br />
|-<br />
| 0x2<br />
| 0x1<br />
| Whether this structure is the first (0) or the second (1) in the larger WiFi slot structure?<br />
|-<br />
| 0x3<br />
| 0x1<br />
| Padding ?<br />
|-<br />
| 0x4<br />
| 0x20<br />
| SSID of the network, without a trailing nullbyte.<br />
|-<br />
| 0x24<br />
| 0x1<br />
| Length of the SSID.<br />
|-<br />
| 0x25<br />
| 0x1<br />
| [[Nintendo_Zone#Beacon_payload_format|AP crypto key type]]<br />
|-<br />
| 0x26<br />
| 0x2<br />
| Padding ?<br />
|-<br />
| 0x28<br />
| 0x40<br />
| Plaintext of the passphrase of the network, without a trailing nullbyte.<br />
|-<br />
| 0x68<br />
| 0x20<br />
| PBKDF2 of the passphrase and SSID (http://jorisvr.nl/wpapsk.html).<br />
|-<br />
|}<br />
<br />
====Actual structure====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x2<br />
| ?<br />
|-<br />
| 0x2<br />
| 0x2<br />
| [https://github.com/lammertb/libcrc/blob/v2.0/src/crc16.c#L43-L76 CRC-16 checksum] of the next 0x410 bytes.<br />
|-<br />
| 0x4<br />
| 0x88<br />
| First network structure. Only set if the network was set "normally", or was the last to be set using WPS during the session.<br />
|-<br />
| 0x8C<br />
| 0x20<br />
| Padding.<br />
|-<br />
| 0xAC<br />
| 0x88<br />
| Second network structure. Only set if the network was set using WPS, otherwise 0-filled.<br />
|-<br />
| 0x134<br />
| 0x20C<br />
| Padding.<br />
|-<br />
| 0x340<br />
| 0x1<br />
| Whether to automatically get the IP address (use DHCP) or not, defaults to 1.<br />
|-<br />
| 0x341<br />
| 0x1<br />
| Whether to automatically get the DNS or not, defaults to 1.<br />
|-<br />
| 0x342<br />
| 0x2<br />
| Padding ?<br />
|-<br />
| 0x344<br />
| 0x4<br />
| IP address, to use if 0x340 is false.<br />
|-<br />
| 0x348<br />
| 0x4<br />
| IP address of the gateway, to use if 0x340 is false.<br />
|-<br />
| 0x34C<br />
| 0x4<br />
| Subnetwork mask, to use if 0x340 is false.<br />
|-<br />
| 0x350<br />
| 0x4<br />
| IP address of the primary DNS , to use if 0x341 is false.<br />
|-<br />
| 0x354<br />
| 0x4<br />
| IP address of the secondary DNS, to use if 0x341 is false.<br />
|-<br />
| 0x358<br />
| 0x4<br />
| Always 0x01050000 ? Only set if the network was the last to be set during the session.<br />
|-<br />
| 0x35C<br />
| 0x4<br />
| IP address to use. Only set if the network was the last to be set during the session.<br />
|-<br />
| 0x360<br />
| 0x6<br />
| MAC address of the AP. Only set if the network was the last to be set during the session.<br />
|-<br />
| 0x366<br />
| 0x1<br />
| Channel. Only set if the network was the last to be set during the session.<br />
|-<br />
| 0x367<br />
| 0x1<br />
| Padding ? Only set if the network was the last to be set during the session.<br />
|-<br />
| 0x368<br />
| 0x1<br />
| Whether to use a proxy or not, defaults to 0.<br />
|-<br />
| 0x369<br />
| 0x1<br />
| Whether to use a basic authentication for the proxy, defaults to 0.<br />
|-<br />
| 0x36A<br />
| 0x2<br />
| Port to use for the proxy, defaults to 1.<br />
|-<br />
| 0x36C<br />
| 0x30<br />
| URL/address of the proxy, including a trailing nullbyte.<br />
|-<br />
| 0x39C<br />
| 0x34<br />
| Padding.<br />
|-<br />
| 0x3D0<br />
| 0x20<br />
| Username to use for basic authentication, including a trailing nullbyte.<br />
|-<br />
| 0x3F0<br />
| 0x20<br />
| Password to use for basic authentication, including a trailing nullbyte.<br />
|-<br />
| 0x410<br />
| 0x2<br />
| Padding ?<br />
|-<br />
| 0x412<br />
| 0x2<br />
| MTU value, defaults to 1400 and ranges between 576 and 1500, inclusive.<br />
|-<br />
| 0x414<br />
| 0x7EC<br />
| Padding.<br />
|-<br />
|}<br />
<br />
===LCD display config===<br />
There seems to be some sort of LCD display configuration stored in this cfg. When using the cfg-save from an Old3DS on a New3DS without formatting the cfg first, the bottom-screen display is somewhat off(which is fixed by formatting the cfg-save).<br />
<br />
<br />
===Parental control Block 0x00100001===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Byte<br />
! Size in bytes<br />
! Description<br />
|-<br />
| 0x0<br />
| 0xD<br />
| Unknown.<br />
|-<br />
| 0xD<br />
| 0x4<br />
| PIN<br />
|-<br />
| 0x11<br />
| 0x20<br />
| Secret answer in UTF-16<br />
|}<br />
<br />
===Parental Control setting block 0xC0000===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x00<br />
| 0x04<br />
| [[#Parental Control restriction bitmask|Parental Control restriction bitmask]]<br />
|-<br />
| 0x0C<br />
| 0x04<br />
| Parental Controls PIN code<br />
|}<br />
<br />
====Parental Control restriction bitmask====<br />
{| class="wikitable" border="1"<br />
|-<br />
! Bit<br />
! Restriction name<br />
|-<br />
| 0<br />
| Global Parental Controls enable<br />
|-<br />
| 3<br />
| Sharing Images/Audio/Video/Long Text Data<br />
|-<br />
| 4<br />
| Internet Browser<br />
|-<br />
| 5<br />
| StreetPass<br />
|-<br />
| 6<br />
| Friend Registration<br />
|-<br />
| 8<br />
| eShop<br />
|-<br />
| 10<br />
| Miiverse (view)<br />
|-<br />
| 11<br />
| Miiverse (post)<br />
|-<br />
| 31<br />
| "Child Online Privacy Protection" (see [[Cfg:GetRegionCanadaUSA|CFG:IsCoppacsSupported]])<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Hardware_callibration&diff=20510Hardware callibration2017-12-27T04:34:21Z<p>Dark samus: Dark samus moved page Hardware callibration to Hardware calibration: fix typo</p>
<hr />
<div>#REDIRECT [[Hardware calibration]]</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Hardware_calibration&diff=20509Hardware calibration2017-12-27T04:34:21Z<p>Dark samus: Dark samus moved page Hardware callibration to Hardware calibration: fix typo</p>
<hr />
<div>=File format=<br />
The file consists out of a 0x200 big header (though the actual header is only 0x30 bytes, the rest is zerofilled), plus data whose size is indicated in the header.<br />
<br />
==Header==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x4<br />
| Magic "CCAL"<br />
|-<br />
| 0x4<br />
| 0x4<br />
| Version<br />
|-<br />
| 0x8<br />
| 0x4<br />
| Data size, always 0x7D0<br />
|-<br />
| 0xC<br />
| 0x1<br />
| Model version (?)<br />
|-<br />
| 0xD<br />
| 0x1<br />
| ???<br />
|-<br />
| 0xE<br />
| 0x2<br />
| [[#Aging masks|Bitmask of successful Aging tests]]<br />
|-<br />
| 0x10<br />
| 0x20<br />
| On devunits and if 0x1FF81006 is 3 or 4 or 7 or 8 or 9 then SHA256,<br />
otherwise HMACSHA256 signature of the data section<br />
|-<br />
| 0x30<br />
| 0x1D0<br />
| Zerofilled, padding for the 512byte block size<br />
|}<br />
<br />
==Aging masks==<br />
{| class="wikitable" border="1"<br />
! Bit<br />
! Description<br />
|-<br />
| 0<br />
| FCRAM<br />
|-<br />
| 1<br />
| LCD flicker (always successful)<br />
|-<br />
| 2<br />
| Camera<br />
|-<br />
| 3<br />
| Touch panel (always successful)<br />
|-<br />
| 4<br />
| Circle pad (analog stick)<br />
|-<br />
| 5<br />
| Codec<br />
|-<br />
| 6<br />
| Gyroscope<br />
|-<br />
| 7<br />
| RTC<br />
|-<br />
| 8<br />
| Accelerometer<br />
|-<br />
| 9<br />
| Surround<br />
|-<br />
| A<br />
| Power saving mode (ABL)<br />
|-<br />
| B<br />
| 3D screen (ULCD)<br />
|-<br />
| C<br />
| Backlight PWM<br />
|-<br />
| D<br />
| Analog stick A (???)<br />
|-<br />
| E<br />
| Camera extensions<br />
|-<br />
| F<br />
| Power saving mode (ABL) in legacy (DSi/GBA) mode<br />
|}<br />
<br />
==Data blocks==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Size<br />
! [[Config_Savegame#Configuration_blocks|ConfigInfoBlk]]<br />
! Description<br />
|-<br />
| 0x00<br />
| 0x10<br />
| 00040000<br />
| [[#Touch|Touch panel]]<br />
|-<br />
| 0x14<br />
| 0x08<br />
| ???<br />
| [[#Circle_pad|Circle pad]]<br />
|-<br />
| 0x20<br />
| 2*<br />
| 00050000<br />
| [[#Screen_flicker|Screen flicker]]<br />
|-<br />
| 0x24<br />
| 1*<br />
| ???<br />
| [[#RTC|RTC]]<br />
|-<br />
| 0x28<br />
| 1*<br />
| ???<br />
| DSPRAM related<br />
|-<br />
| 0x30<br />
| 0x8A<br />
| ???<br />
| [[#Camera_position|Camera position]]<br />
|-<br />
| 0xBC<br />
| 0x12<br />
| ???<br />
| [[#Gyro|Gyroscope]]<br />
|-<br />
| 0xD0<br />
| 0xC<br />
| ???<br />
| [[#Accel|Accelerometer]]<br />
|-<br />
| 0xE0<br />
| 0x134<br />
| ???<br />
| [[#CDC|Codec]]<br />
|-<br />
| 0x218<br />
| 0x06<br />
| ???<br />
| [[#PIT|Programmable Infrared Transmitter (PIT)]]<br />
|-<br />
| 0x220<br />
| 0x214<br />
| ???<br />
| [[#3D_filters|3D filters]]<br />
|-<br />
| 0x440<br />
| 0x20<br />
| ???<br />
| [[#ABL|Power saving mode]]<br />
|-<br />
| 0x470<br />
| 0x20<br />
| ???<br />
| ???<br />
|-<br />
| 0x4A0<br />
| 0x38<br />
| 0x00050002<br />
| [[#BLPWM|Backlight PWM]]<br />
|-<br />
| 0x4E0<br />
| 0x18<br />
| ???<br />
| [[#Circle_pad_extra|Circle pad extra]]<br />
|-<br />
| 0x500<br />
| 0xC<br />
| ???<br />
| ???<br />
|-<br />
| 0x510<br />
| 0x20<br />
| ???<br />
| ???<br />
|-<br />
| 0x540<br />
| 0x08<br />
| ???<br />
| [[#MCU|MCU]]<br />
|-<br />
| 0x550<br />
| 0x02<br />
| ???<br />
| [[#ULCD_delay|3D screen (ULCD) delay]]<br />
|-<br />
| 0x560<br />
| 0x08<br />
| ???<br />
| [[#Microphone_echo_cancel|Microphone echo cancellation]]<br />
|-<br />
| 0x570<br />
| 0x10C<br />
| ???<br />
| [[#ABL_extra|Power saving mode (ABL) extra]]<br />
|-<br />
| 0x680<br />
| 0x08<br />
| ???<br />
| [[#CStick|CStick (Right stick)]]<br />
|-<br />
| 0x690<br />
| 0x18<br />
| ???<br />
| [[#QTM|Quad Tracking Module (QTM)]]<br />
|}<br />
<br />
=Data block formats=<br />
<br />
==Touch==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| s16 RawX0<br />
|-<br />
| 0x02<br />
| s16 RawY0<br />
|-<br />
| 0x04<br />
| s16 PointX0<br />
|-<br />
| 0x06<br />
| s16 PointY0<br />
|-<br />
| 0x08<br />
| s16 RawX1<br />
|-<br />
| 0x0A<br />
| s16 RawY1<br />
|-<br />
| 0x0C<br />
| s16 PointX1<br />
|-<br />
| 0x0E<br />
| s16 PointY1<br />
|}<br />
<br />
==Circle pad==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| s16 CenterX<br />
|-<br />
| 0x02<br />
| s16 CenterY<br />
|}<br />
<br />
==Screen flicker==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0<br />
| u8 FlickerTop<br />
|-<br />
| 1<br />
| u8 FlickerBottom<br />
|-<br />
| 2*<br />
| Checksum low byte, NOT THIS[0]<br />
|-<br />
| 3*<br />
| Checksum high byte, THIS[1]<br />
|}<br />
<br />
==RTC==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0<br />
| u8 CompensationValue (???)<br />
|-<br />
| 1*<br />
| Checksum byte, NOT THIS[0]<br />
|}<br />
<br />
==Camera position==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| u32 flags<br />
|-<br />
| 0x04<br />
| float scale<br />
|-<br />
| 0x08<br />
| float RotationZ<br />
|-<br />
| 0x0C<br />
| float TranslationX<br />
|-<br />
| 0x10<br />
| float TranslationY<br />
|-<br />
| 0x14<br />
| float RotationX<br />
|-<br />
| 0x18<br />
| float RotationY<br />
|-<br />
| 0x1C<br />
| float ViewAngleRight<br />
|-<br />
| 0x20<br />
| float ViewAngleLeft<br />
|-<br />
| 0x24<br />
| float ChartDistance(???)<br />
|-<br />
| 0x28<br />
| float CameraDistance<br />
|-<br />
| 0x2C<br />
| s16 ImageWidth<br />
|-<br />
| 0x2E<br />
| s16 ImageHeight<br />
|-<br />
| 0x30<br />
| u8 reserved[0x10]<br />
|-<br />
| 0x40<br />
| u8 ???[0x40]<br />
|-<br />
| 0x80<br />
| s16 aeBaseTarget(???)<br />
|-<br />
| 0x82<br />
| s16 kRL<br />
|-<br />
| 0x84<br />
| s16 kGL<br />
|-<br />
| 0x86<br />
| s16 kBL<br />
|-<br />
| 0x88<br />
| s16 ccmPosition<br />
|}<br />
<br />
==Gyro==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| s16 ZeroX<br />
|-<br />
| 0x02<br />
| s16 PlusX<br />
|-<br />
| 0x04<br />
| s16 MinusX<br />
|-<br />
| 0x06<br />
| s16 ZeroY<br />
|-<br />
| 0x08<br />
| s16 PlusY<br />
|-<br />
| 0x0A<br />
| s16 MinusY<br />
|-<br />
| 0x0C<br />
| s16 ZeroZ<br />
|-<br />
| 0x0E<br />
| s16 PlusZ<br />
|-<br />
| 0x10<br />
| s16 MinusZ<br />
|}<br />
<br />
==Accel==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| s16 OffsetX<br />
|-<br />
| 0x02<br />
| s16 ScaleX<br />
|-<br />
| 0x04<br />
| s16 OffsetY<br />
|-<br />
| 0x06<br />
| s16 ScaleY<br />
|-<br />
| 0x08<br />
| s16 OffsetZ<br />
|-<br />
| 0x0A<br />
| s16 ScaleZ<br />
|}<br />
<br />
==CDC==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| u8 DriverGainHP<br />
|-<br />
| 0x01<br />
| u8 DriverGainSP<br />
|-<br />
| 0x02<br />
| u8 AnalogVolumeHP<br />
|-<br />
| 0x03<br />
| u8 AnalogVolumeSP<br />
|-<br />
| 0x04<br />
| s8 ShutterVolume[2]<br />
|-<br />
| 0x06<br />
| u8 MicrophoneBias<br />
|-<br />
| 0x07<br />
| u8 QuickCharge (???)<br />
|-<br />
| 0x08<br />
| u8 PGA_GAIN (microphone gain)<br />
|-<br />
| 0x09<br />
| u8 reserved[3]<br />
|-<br />
| 0x0C<br />
| s16 FilterHP32[3*5]<br />
|-<br />
| 0x2A<br />
| s16 FilterHP47[3*5]<br />
|-<br />
| 0x48<br />
| s16 FilterSP32[3*5]<br />
|-<br />
| 0x66<br />
| s16 FilterSP47[3*5]<br />
|-<br />
| 0x84<br />
| s16 FilterMic32[(1+2)+((1+4)*5)]<br />
|-<br />
| 0xBC<br />
| s16 FilterMic47[(1+2)+((1+4)*5)]<br />
|-<br />
| 0xF4<br />
| s16 FilterFree[(1+2)+((1+4)*5)]<br />
|-<br />
| 0x12C<br />
| u8 AnalogInterval<br />
|-<br />
| 0x12D<br />
| u8 AnalogStabilize<br />
|-<br />
| 0x12E<br />
| u8 AnalogPrecharge<br />
|-<br />
| 0x12F<br />
| u8 AnalogSense<br />
|-<br />
| 0x130<br />
| u8 AnalogDebounce<br />
|-<br />
| 0x131<br />
| u8 Analog_XP_Pullup<br />
|-<br />
| 0x132<br />
| u8 YM_Driver<br />
|-<br />
| 0x133<br />
| u8 reserved<br />
|}<br />
<br />
==PIT==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| u16 VisibleFactor<br />
|-<br />
| 0x02<br />
| u16 IRFactor<br />
|}<br />
<br />
==3D filters==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| u16 SpecialFilter[0x100]<br />
|-<br />
| 0x200<br />
| u32 IIRSurroundFilter[5]<br />
|}<br />
<br />
==ABL==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| u32 DitherPattern<br />
|-<br />
| 0x04<br />
| s16 StartX<br />
|-<br />
| 0x06<br />
| s16 StartY<br />
|-<br />
| 0x08<br />
| u16 SizeX<br />
|-<br />
| 0x0A<br />
| u16 SizeY<br />
|-<br />
| 0x0C<br />
| s16 GTH_Ratio<br />
|-<br />
| 0x0E<br />
| u8 DitherMode<br />
|-<br />
| 0x0F<br />
| u8 MinRS<br />
|-<br />
| 0x10<br />
| u8 MaxRS<br />
|-<br />
| 0x11<br />
| u8 MinGTH<br />
|-<br />
| 0x12<br />
| u8 MinMax (???)<br />
|-<br />
| 0x13<br />
| u8 ExMax (???)<br />
|-<br />
| 0x14<br />
| u8 inertia<br />
|-<br />
| 0x15<br />
| u8 LutListRS[9]<br />
|-<br />
| 0x1E<br />
| u8 reserved[2]<br />
|}<br />
<br />
==BLPWM==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| float coefficient[3][3]<br />
|-<br />
| 0x24<br />
| u8 NumLevels<br />
|-<br />
| 0x25<br />
| u8 padding<br />
|-<br />
| 0x26<br />
| u16 brightnesses[7];<br />
|-<br />
| 0x34<br />
| u16 BaseDivisor<br />
|-<br />
| 0x36<br />
| u16 MinimumBrightnessHw<br />
|}<br />
<br />
==Circle pad extra==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| float ScaleX<br />
|-<br />
| 0x04<br />
| float ScaleY<br />
|-<br />
| 0x08<br />
| s16 MaxX<br />
|-<br />
| 0x0A<br />
| s16 MinX<br />
|-<br />
| 0x0C<br />
| s16 MaxY<br />
|-<br />
| 0x0E<br />
| s16 MinY<br />
|-<br />
| 0x10<br />
| s16 type<br />
|-<br />
| 0x12<br />
| u8 unknown_padding[6]<br />
|}<br />
<br />
==MCU==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| s16 SVR2_Min (???)<br />
|-<br />
| 0x02<br />
| s16 SVR2_Max (???)<br />
|-<br />
| 0x04<br />
| s16 VolumeSliderMin<br />
|-<br />
| 0x06<br />
| s16 VolumeSliderMax<br />
|}<br />
<br />
==ULCD delay==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| u8 To2D<br />
|-<br />
| 0x01<br />
| u8 To3D<br />
|}<br />
<br />
==Microphone echo cancel==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| s8 params[8]<br />
|}<br />
<br />
==ABL extra==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| u8 MaxInertia<br />
|-<br />
| 0x01<br />
| u8 pad<br />
|-<br />
| 0x02<br />
| u16 PWM_CNT_EX<br />
|-<br />
| 0x04<br />
| u32 Histogram1<br />
|-<br />
| 0x08<br />
| u32 Histogram2<br />
|-<br />
| 0x0C<br />
| u32 adjust[0x40]<br />
|}<br />
<br />
==CStick==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| u8 ThinningCountX(???)<br />
|-<br />
| 0x01<br />
| u8 ThinningCountY(???)<br />
|-<br />
| 0x02<br />
| u16 reserved[3]<br />
|}<br />
<br />
==QTM==<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Description<br />
|-<br />
| 0x00<br />
| float DivisorAtZero (???)<br />
|-<br />
| 0x04<br />
| float TranslationX<br />
|-<br />
| 0x08<br />
| float TranslationY<br />
|-<br />
| 0x0C<br />
| float RotationZ<br />
|-<br />
| 0x10<br />
| float HorizontalAngle<br />
|-<br />
| 0x14<br />
| float OptimalDistance<br />
|}<br />
<br />
=Reading=<br />
If 0x1FF81006 is 3 or 4 or 7 or 8 or 9 then the callibration data is read from the EEPROM using the <code>i2c:EEP</code> service command 0x001000C0, using offset 0x000 for HWCAL0, and offset 0x800 for HWCAL1.<br />
Otherwise attempt is made to read <code>CTRNAND:/ro/sys/HWCAL(0|1).dat</code> instead.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Title_list&diff=20026Title list2017-05-22T05:03:56Z<p>Dark samus: removed inaccurate(?) version from title list.</p>
<hr />
<div>==== CTR Title List Notes ====<br />
Reports/title-lists [https://yls8.mtheall.com/ninupdates/reports.php here] are automatically obtained from the system update SOAP.<br />
<br />
== CTR System Titles ==<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! Category Bit Mask<br />
! Title Type<br />
! Internal Description<br />
! Bit Mask(s)<br />
|-<br />
| 0x0010<br />
| Application<br />
| SYSTEM_APPLICATION<br />
| Normal<nowiki> | </nowiki>System<br />
|-<br />
| 0x001B<br />
| System Data Archives<br />
| SYSTEM_CONTENT<br />
| Contents<nowiki> | </nowiki>CannotExecution<nowiki> | </nowiki>System<br />
|-<br />
| 0x009B<br />
| Shared Data Archives<br />
| SHARED_CONTENT<br />
| Contents<nowiki> | </nowiki>CannotExecution<nowiki> | </nowiki>System<nowiki> | </nowiki>NotRequireRightForMount<br />
|-<br />
| 0x00DB<br />
| System Data Archives<br />
| AUTO_UPDATE_CONTENT<br />
| Contents<nowiki> | </nowiki>CannotExecution<nowiki> | </nowiki>System<nowiki> | </nowiki>NotRequireUserApproval<nowiki> | </nowiki>NotRequireRightForMount<br />
|-<br />
| 0x0030<br />
| Applet<br />
| APPLET<br />
| Normal<nowiki> | </nowiki>System<nowiki> | </nowiki>RequireBatchUpdate<br />
|-<br />
| 0x0130<br />
| Module<br />
| BASE<br />
| Normal<nowiki> | </nowiki>System<nowiki> | </nowiki>RequireBatchUpdate<nowiki> | </nowiki>CanSkipConvertJumpId<br />
|-<br />
| 0x0138<br />
| Firmware <br />
| FIRMWARE<br />
| Normal<nowiki> | </nowiki>CannotExecution<nowiki> | </nowiki>System<nowiki> | </nowiki>RequireBatchUpdate<nowiki> | </nowiki>CanSkipConvertJumpId<br />
|}<br />
<br />
=== 00040010 - System Applications ===<br />
==== System Application Notes ====<br />
System Application titles have a unique title low that varies by region.<br />
Regardless of version, the ExeFS:/.code for mset is the same for USA/EUR/JPN. <br />
The [[4.0.0-7]] version of mset([[4.1.0-8]] for TWN) has the same ExeFS:/.code for all regions(JPN, USA, EUR, CHN, KOR, TWN). <br />
The [[5.0.0-11]] mset ExeFS:/.code is the same for all regions as well, except for CHN. The [[7.0.0-13]] mset ExeFS:/.code is unique for the following regions: CHN, KOR, and TWN.<br />
The ''only'' system-applications included with gamecard-sysupdates are: [[System Settings]], [[Download Play]], and SAFE_MODE [[System Settings#System Updater|System Updater]]. <br />
The only system-applications included with the New3DS gamecard-sysupdate partition are: "menu" stub and "friend" stub.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! JPN TIDLow<br />
! USA TIDLow<br />
! EUR TIDLow<br />
! CHN TIDLow<br />
! KOR TIDLow<br />
! TWN TIDLow<br />
! [[Product code]]<br />
! Description<br />
! JPN Versions<br />
! EUR Versions<br />
! USA Versions<br />
! CHN Versions<br />
! KOR Versions<br />
! TWN Versions<br />
! Status<br />
|-<br />
| 00020000<br />
| 00021000<br />
| 00022000<br />
| 00026000<br />
| 00027000<br />
| 00028000<br />
| CTR-N-HAS?<br />
| [[System Settings]] (mset)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[3.0.0-5|v2060]], [[4.0.0-7|v3074]], [[5.0.0-11|v4097]], [[6.0.0-11|v5127]], [[7.0.0-13|v6157]], [[7.2.0-17|v7173]], [[8.1.0-0_New3DS|v8198]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v9224]], [[9.6.0-24|v10245]], [[10.6.0-31|v10256]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[3.0.0-5|v2061]], [[4.0.0-7|v3075]], [[5.0.0-11|v4097]], [[6.0.0-11|v5127]], [[7.0.0-13|v6157]], [[7.2.0-17|v7174]], [[9.0.0-20|v8202]], [[9.6.0-24|v9220]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[3.0.0-5|v2062]], [[4.0.0-7|v3078]], [[5.0.0-11|v4098]], [[6.0.0-11|v5128]], [[7.0.0-13|v6157]], [[7.2.0-17|v7174]], [[9.0.0-20|v8203]], [[9.6.0-24|v9221]]<br />
| [[4.0.0-7|v8]], [[4.4.0-10|v1024]](CHN-only sysupdate for just mset), [[5.0.0-11|v2049]], [[7.0.0-13|v3075]]<br />
| [[4.0.0-7|v1026]], [[5.0.0-11|v2049]], [[7.0.0-13|v4098]]<br />
| [[4.1.0-8|v8]], [[4.2.0-9|v1024]], [[5.0.0-11|v2050]], [[7.0.0-13|v3074]]<br />
| Active<br />
|-<br />
| 00020100<br />
| 00021100<br />
| 00022100<br />
| 00026100<br />
| 00027100<br />
| 00028100<br />
| CTR-N-HDL?<br />
| [[Download Play]] (dlplay)<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]], [[4.0.0-7|v2051]], [[9.0.0-20|v3072]](Also for [[8.1.0-0_New3DS]])<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]], [[4.0.0-7|v2051]], [[9.0.0-20|v3073]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]], [[4.0.0-7|v2051]], [[9.0.0-20|v3073]]<br />
| [[4.0.0-7|v4]]<br />
| [[4.0.0-7|v1027]]<br />
| [[4.1.0-8|v4]]<br />
| Active<br />
|-<br />
| 00020200<br />
| 00021200<br />
| 00022200<br />
| 00026200<br />
| 00027200<br />
| 00028200<br />
| CTR-N-HMK?<br />
| [[Activity Log]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[3.0.0-5|v2051]], [[10.6.0-31|v2080]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[3.0.0-5|v2054]], [[7.0.0-13|v2064]]<br />
| Same as EUR<br />
| [[4.0.0-7|v3]]<br />
| [[4.0.0-7|v2]], [[7.0.0-13|v16]]<br />
| [[4.1.0-8|v2]]<br />
| Active<br />
|-<br />
| 00020300<br />
| 00021300<br />
| 00022300<br />
| 00026300<br />
| 00027300<br />
| 00028300<br />
| ?<br />
| [[Health and Safety Information]] (safe)<br />
| [[1.0.0-0|v0]], [[4.0.0-7|v1024]], [[6.0.0-11|v2050]]<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[4.0.0-7|v2050]], [[6.0.0-11|v3077]]<br />
| [[1.0.0-0|v0]], [[4.0.0-7|v1026]], [[6.1.0-12U|v2051]]<br />
| [[4.0.0-7|v5]]<br />
| [[4.0.0-7|v2]]<br />
| [[4.1.0-8|v5]]<br />
| Active<br />
|-<br />
| 20020300<br />
| 20021300<br />
| 20022300<br />
| N/A<br />
| 20027300<br />
| N/A<br />
| CTR-N-HAC?<br />
| [[New_3DS]] [[Health and Safety Information]]<br />
| [[8.1.0-0_New3DS|v2]], [[9.3.0-21|v17]]<br />
| [[8.1.0-0_New3DS|v1]]<br />
| Same as EUR.<br />
| N/A<br />
| [[9.6.0-24|v2]]<br />
| N/A<br />
| Active<br />
|-<br />
| 00020400<br />
| 00021400<br />
| 00022400<br />
| 00026400<br />
| 00027400<br />
| 00028400<br />
| CTR-N-HEP?<br />
| [[Nintendo 3DS Camera]] (CtrApp)<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v16]], [[3.0.0-5|v1038]], [[4.0.0-7|v2048]], [[6.0.0-11|v3073]], [[9.0.0-20|v4097]](Also for [[8.1.0-0_New3DS]]), [[10.6.0-31|v4112]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v16]], [[3.0.0-5|v1039]], [[4.0.0-7|v2048]], [[6.0.0-11|v3073]], [[7.0.0-13|v3088]], [[9.0.0-20|v4097]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v16]], [[3.0.0-5|v1039]], [[4.0.0-7|v2048]], [[6.1.0-12U|v3074]], [[7.0.0-13|v3088]], [[9.0.0-20|v4097]]<br />
| [[4.0.0-7|v3]]<br />
| [[4.0.0-7|v2]], [[7.0.0-13|v1040]]<br />
| [[4.1.0-8|v3]]<br />
| Active<br />
|-<br />
| 00020500<br />
| 00021500<br />
| 00022500<br />
| 00026500<br />
| 00027500<br />
| 00028500<br />
| CTR-N-HES?<br />
| [[Nintendo 3DS Sound]] (CtrApp)<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1027]], [[3.0.0-5|v2049]], [[4.0.0-7|v3072]], [[7.0.0-13|v3089]], [[11.4.0-37|v4096]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1027]], [[3.0.0-5|v2049]], [[4.0.0-7|v3072]], [[7.0.0-13|v3088]], [[11.4.0-37|v4096]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1027]], [[3.0.0-5|v2049]], [[4.0.0-7|v3072]], [[7.0.0-13|v3088]], [[11.4.0-37|v4096]]<br />
| [[4.0.0-7|v2]], [[11.4.0-37|v1024]]<br />
| [[4.0.0-7|v2]], [[7.0.0-13|v16]],[[11.4.0-37|v4096]]<br />
| [[4.1.0-8|v3]], [[11.4.0-37|v1024]]<br />
| Active<br />
|-<br />
| 00020700<br />
| 00021700<br />
| 00022700<br />
| 00026700<br />
| 00027700<br />
| 00028700<br />
| CTR-N-HED?<br />
| [[Mii Maker]] (EDIT)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[7.0.0-13|v2055]], [[10.6.0-31|v2064]]<br />
| Same as JPN<br />
| Same as JPN<br />
| [[4.0.0-7|v1]]<br />
| [[4.0.0-7|v1]], [[7.0.0-13|v16]]<br />
| [[4.1.0-8|v2]]<br />
| Active<br />
|-<br />
| 00020800<br />
| 00021800<br />
| 00022800<br />
| 00026800<br />
| 00027800<br />
| 00028800<br />
| CTR-N-HME?<br />
| [[StreetPass Mii Plaza]] (MEET)<br />
| [[1.0.0-0|v0]], v1027, [[2.1.0-4|v2048]], [[3.0.0-5|v3087]], [[3.0.0-6|v4096]], [[6.0.0-11|v5121]]<br />
| [[1.0.0-0|v0]], v1027, [[2.1.0-4|v2048]], [[3.0.0-5|v3087]], [[3.0.0-6|v4096]], [[6.0.0-11|v5122]]<br />
| [[1.0.0-0|v0]], v1027, [[2.1.0-4|v2048]], [[3.0.0-5|v3087]], [[3.0.0-6|v4096]], [[6.1.0-12U|v5124]], [[7.0.0-13|v5136]]<br />
| [[4.0.0-7|v0]], [[4.4.0-10|v4096]]<br />
| [[4.0.0-7|v1]], [[4.4.0-10|v4096]], [[7.0.0-13|v5120]]<br />
| [[4.1.0-8|v1]], [[4.4.0-10|v4096]]<br />
| Active<br />
|-<br />
| 00020900<br />
| 00021900<br />
| 00022900<br />
| N/A<br />
| 00027900<br />
| 00028900<br />
| CTR-N-HGR?<br />
| [[eShop]] (tiger)<br />
| [[2.0.0-2|v4]], [[2.1.0-3|v1026]], [[3.0.0-5|v2057]], [[4.0.0-7|v3081]], [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7169]], [[7.0.0-13|v8206]], [[7.1.0-14|v9231]], [[7.2.0-17|v10245]], [[8.0.0-18|v11265]], [[8.1.0-19|v12288]], [[9.0.0-20|v13320]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17421]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]], [[10.4.0-29|v20483]], [[10.7.0-32|v21504]], [[11.3.0-36|v23552]]<br />
| [[2.0.0-2|v4]], [[2.1.0-3|v1026]], [[3.0.0-5|v2058]], [[4.0.0-7|v3081]], [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7171]], [[7.0.0-13|v8206]], [[7.1.0-14|v9231]], [[7.2.0-17|v10245]], [[8.0.0-18|v11265]], [[8.1.0-19|v12288]], [[9.0.0-20|v13320]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17421]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]], [[10.4.0-29|v20482]], [[10.7.0-32|v21505]], [[11.2.0-35|v22528]], [[11.3.0-36|v23552]]<br />
| [[2.0.0-2|v4]], [[2.1.0-3|v1026]], [[3.0.0-5|v2058]], [[4.0.0-7|v3081]], [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7170]], [[7.0.0-13|v8206]], [[7.1.0-14|v9231]], [[7.2.0-17|v10246]], [[8.0.0-18|v11265]], [[8.1.0-19|v12288]], [[9.0.0-20|v13321]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17422]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]], [[10.4.0-29|v20482]], [[10.7.0-32|v21506]], [[11.3.0-36|v23552]]<br />
| N/A<br />
| [[4.0.0-7|v3082]], [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7169]], [[7.0.0-13|v8205]], [[7.1.0-14|v9231]], [[8.1.0-19|v12288]], [[9.0.0-20|v13320]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17420]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]], [[10.4.0-29|v20482]]<br />
| [[4.1.0-8|v4096]], [[4.2.0-9|v5123]], [[4.3.0-10|v6146]], [[5.0.0-11|v7170]], [[7.0.0-13|v8205]], [[7.1.0-14|v9231]], [[8.1.0-19|v12288]], [[9.3.0-21|v15366]], [[9.5.0-22|v16384]], [[9.6.0-24|v17421]], [[9.7.0-25|v18432]], [[10.0.0-27|v19465]]<br />
| Active<br />
|-<br />
| 00020A00<br />
| 00021A00<br />
| 00022A00<br />
| N/A<br />
| 00027A00<br />
| 00028A00<br />
| CTR-N-HCB?<br />
| [[System Transfer]] (CARDBOARD)<br />
| [[2.0.0-2|v4]], [[3.0.0-5|v1035]], [[4.0.0-7|v2050]], [[5.0.0-11|v3074]], [[7.0.0-13|v4109]], [[9.0.0-20|v5130]], [[9.6.0-24|v6154]]<br />
| [[2.0.0-2|v4]], [[3.0.0-5|v1035]], [[4.0.0-7|v2050]], [[5.0.0-11|v3073]], [[7.0.0-13|v4109]], [[9.0.0-20|v5131]], [[9.6.0-24|v6155]]<br />
| [[2.0.0-2|v4]], [[3.0.0-5|v1035]], [[4.0.0-7|v2051]], [[5.0.0-11|v3073]], [[7.0.0-13|v4109]], [[9.0.0-20|v5131]], [[9.6.0-24|v6156]]<br />
| N/A<br />
| [[4.0.0-7|v2]], [[5.0.0-11|v1025]], [[7.0.0-13|v2061]], [[9.0.0-20|v3082]]<br />
| [[4.1.0-8|v2]], [[5.0.0-11|v1025]], [[7.0.0-13|v2061]]<br />
| Active<br />
|-<br />
| 00020B00<br />
| 00021B00<br />
| 00022B00<br />
| N/A<br />
| N/A<br />
| N/A<br />
| CTR-N-HMA?<br />
| [[Nintendo Zone]] ("Nintendo")<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1034]]<br />
| Same as JPN<br />
| Same as JPN<br />
| N/A<br />
| N/A<br />
| N/A<br />
| Active<br />
|-<br />
| 00020D00<br />
| 00021D00<br />
| 00022D00<br />
| 00026D00<br />
| 00027D00<br />
| 00028D00<br />
| CTR-N-HCH?<br />
| [[Face Raiders]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1028]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1028]], [[7.0.0-13|v1040]]<br />
| Same as EUR<br />
| [[4.0.0-7|v0]]<br />
| [[4.0.0-7|v0]]<br />
| [[4.1.0-8|v2]]<br />
| Active<br />
|-<br />
| 20020D00<br />
| 20021D00<br />
| 20022D00<br />
| N/A<br />
| 20027D00<br />
| N/A<br />
| ?<br />
| [[New_3DS]] [[Face Raiders]]<br />
| [[8.1.0-0_New3DS|v2050]]<br />
| [[8.1.0-0_New3DS|v2049]]<br />
| Same as EUR.<br />
| N/A<br />
| [[9.6.0-24|v2049]]<br />
| N/A<br />
| Active<br />
|-<br />
| 00020E00<br />
| 00021E00<br />
| 00022E00<br />
| 00026E00<br />
| 00027E00<br />
| 00028E00<br />
| CTR-N-HAR?<br />
| [[AR Games]] (AR_ACT)<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1026]], [[7.0.0-13|v1040]]<br />
| [[1.0.0-0|v0]], [[2.1.0-4|v1027]], [[7.0.0-13|v1040]]<br />
| [[4.0.0-7|v0]]<br />
| [[4.0.0-7|v0]], [[7.0.0-13|v16]]<br />
| [[4.1.0-8|v1]]<br />
| Active<br />
|-<br />
| 00020F00<br />
| 00021F00<br />
| 00022F00<br />
| 00026F00<br />
| 00027F00<br />
| 00028F00<br />
| CTR-N-HSH?<br />
| SAFE_MODE [[System Settings#System Updater|System Updater]] (mset)<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[6.0.0-11|v2049]]<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[6.0.0-11|v2050]]<br />
| Same as JPN<br />
| [[4.0.0-7|v1]], [[6.0.0-11|v1026]]<br />
| [[4.0.0-7|v1]]<br />
| [[4.1.0-8|v1]]<br />
| Active<br />
|-<br />
| 00023000<br />
| 00024000<br />
| 00025000<br />
| N/A<br />
| N/A<br />
| N/A<br />
| (Variable?)<br />
| Promotional video<br />
| [[1.1.0-1|v2]], [[2.0.0-2|v2048]]<br />
| [[1.1.0-1|v<unknown>]], [[2.0.0-2|v2048]]<br />
| [[1.1.0-1|v0]], [[2.0.0-2|v2048]]<br />
| N/A<br />
| N/A<br />
| N/A<br />
| Stubbed<br />
|-<br />
| 0002BF00<br />
| 0002C000<br />
| 0002C100<br />
| N/A<br />
| N/A<br />
| N/A<br />
| CTR-N-HAF?<br />
| [[Nintendo Network ID Settings]] (act)<br />
| [[7.0.0-13|v14]], [[7.2.0-17|v1029]], [[9.0.0-20|v2051]], [[9.3.0-21|v3072]]<br />
| Same as JPN<br />
| Same as JPN<br />
| N/A<br />
| N/A<br />
| N/A<br />
| Active<br />
|-<br />
| 20023100<br />
| 20024100<br />
| 20025100<br />
| N/A<br />
| N/A<br />
| N/A<br />
| CTR-N-HAJ?<br />
| [[microSD Management]] ('mcopy') ([[New_3DS]]-only)<br />
| [[8.1.0-0_New3DS|v8]], [[9.0.0-20|v1024]]<br />
| [[8.1.0-0_New3DS|v4]]<br />
| [[8.1.0-0_New3DS|v5]]<br />
| N/A<br />
| N/A<br />
| N/A<br />
| Available<br />
|-<br />
| 2002C800<br />
| 2002CF00<br />
| 2002D000<br />
| N/A<br />
| 2002D700<br />
| N/A<br />
| CTR-P-CTAP<br />
| [[New_3DS]]-only, currently stubbed. "HOME menu/menu".<br />
| [[8.1.0-0_New3DS|v2]], [[9.0.0-20|v18]], [[9.3.0-21|v34]], [[9.6.0-24|v50]]<br />
| [[8.1.0-0_New3DS|v1]], [[9.3.0-21|v17]], [[9.6.0-24|v34]]<br />
| [[8.1.0-0_New3DS|v1]], [[9.3.0-21|v18]], [[9.6.0-24|v33]]<br />
| N/A<br />
| [[9.6.0-24|v2]]<br />
| N/A<br />
| Stubbed<br />
|-<br />
| 2002C900<br />
| 2002D100<br />
| 2002D200<br />
| N/A<br />
| 2002D800<br />
| N/A<br />
| CTR-P-CTAP<br />
| [[New_3DS]]-only, currently stubbed. "Friends list/friend".<br />
| [[8.1.0-0_New3DS|v1]]<br />
| Same as JPN.<br />
| [[8.1.0-0_New3DS|v0]], [[9.3.0-21|v16]]<br />
| N/A<br />
| [[9.6.0-24|v2]]<br />
| N/A<br />
| Stubbed<br />
|-<br />
| 2002CA00<br />
| 2002D300<br />
| 2002D400<br />
| N/A<br />
| 2002D900<br />
| N/A<br />
| CTR-P-CTAP<br />
| [[New_3DS]]-only, currently stubbed. "Notifications/newslist".<br />
| [[8.1.0-0_New3DS|v0]], v1([[Home_Menu|JPN-only]] Oct 2, 2014 "sysupdate", actually uploaded on 09-29-14. Identical to v0, same TMDs besides title-versions)<br />
| [[8.1.0-0_New3DS|v2]]<br />
| [[8.1.0-0_New3DS|v0]]<br />
| N/A<br />
| [[9.6.0-24|v2]]<br />
| N/A<br />
| Stubbed<br />
|-<br />
| 2002CB00<br />
| 2002D500<br />
| 2002D600<br />
| N/A<br />
| 2002DA00<br />
| N/A<br />
| CTR-P-CTAP<br />
| [[New_3DS]]-only, currently stubbed. "Game notes/cherry".<br />
| [[8.1.0-0_New3DS|v0]], [[9.0.0-20|v1]]<br />
| [[8.1.0-0_New3DS|v2]]<br />
| Same as EUR.<br />
| N/A<br />
| [[9.6.0-24|v1]]<br />
| N/A<br />
| Stubbed<br />
|}<br />
<br />
=== 0004001B - [[NCCH#CFA|System Data Archives]] ===<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! TitleID Low<br />
! Description<br />
! Versions<br />
|-<br />
| 00010002<br />
| [[ClCertA]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 00010702<br />
| [[NS CFA]]<br />
| [[3.0.0-5|v0]], [[6.0.0-11|v1028]], [[6.3.0-12|v2048]], [[7.0.0-13|v3073]], [[9.0.0-20|v4096]](also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00010802<br />
| This CFA only contains a 1-byte "dummy.txt" in the RomFS, which contains '0'.<br />
| [[6.3.0-12|v0]], [[9.5.0-23|v1024]], [[10.5.0-30|v2048]], [[11.0.0-33|v3072]]<br />
|-<br />
| 00018002<br />
| Same contents as 00010802. Starting with [[7.1.0-15]], the "dummy.txt" file was removed from RomFS: this CFA RomFS now contains web-browser data(similar to 00018102) for NNID / networking, etc.<br />
| [[7.0.0-13|v14]], [[7.1.0-15|v1025]], [[7.2.0-17|v2055]], [[9.0.0-20|v3078]], [[9.3.0-21|v4096]], [[9.6.0-24|v5120]]<br />
|-<br />
| 00018102<br />
| This contains local web-browser data(html/js, gfx, etc) for the Miiverse Offline-mode.<br />
| [[7.0.0-13|v11]], [[9.0.0-20|v1025]](also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00018202<br />
| This contains the webkit/OSS [[CRO0|CROs]] used with the Miiverse applet and the "act" application.<br />
| [[7.0.0-13|v7]], [[8.1.0-0_New3DS|v1026]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v2050]]<br />
|-<br />
| 00019002<br />
| [[Fangate_updater]]<br />
| [[9.3.0-21|v2]], [[9.6.0-24|v1026]]<br />
|}<br />
<br />
=== 00040030 - System Applets===<br />
==== System Applet Notes ====<br />
Most of these processes are applets, see [[NS_and_APT_Services|here]] for details.<br />
All of the below processes use the "SYSTEM" [[SVC|memory-region]].<br />
The ExeFS for Home Menu is exactly the same for USA/EUR/JPN.<br />
The Miiverse applet seems to use a web browser with webkit.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! JPN TitleIDLow<br />
! USA TitleIDLow<br />
! EUR TitleIDLow<br />
! CHN TitleIDLow<br />
! KOR TitleIDLow<br />
! TWN TitleIDLow<br />
! [[Product code]]<br />
! Description<br />
! JPN Versions<br />
! USA Versions<br />
! EUR Versions<br />
|-<br />
|colspan=6 align=center| 00008102<br />
| CTR-P-CTAP<br />
| [[NS#Alternate menu|Test Menu]] (Demo1)<br />
|colspan=3 align=center| ..., v64, ..., v27648<br />
|-<br />
| 00008202<br />
| 00008F02<br />
| 00009802<br />
| 0000A102<br />
| 0000A902<br />
| 0000B102<br />
| CTR-P-HMM?<br />
| [[Home Menu]] (menu)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[2.1.0-3|v2049]], [[2.2.0-X|v3075]], [[3.0.0-5|v4111]], [[4.0.0-7|v5131]], [[4.2.0-9|v6146]], [[5.0.0-11|v7172]], [[6.0.0-11|v8198]], [[7.0.0-13|v9230]], [[8.1.0-0_New3DS|v10250]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v13313]], [[9.1.0-20J|v14336]], [[9.2.0-20|v15360]], [[9.3.0-21|v16402]], [[9.4.0-21|v17408]], [[9.5.0-22|v18432]], [[9.6.0-24|v19476]], [[9.7.0-25|v20487]], [[9.8.0-25|v22528]], [[10.1.0-27|v23552]], [[10.2.0-28|v24576]], [[10.3.0-28|v25600]], [[10.4.0-29|v26626]], [[10.6.0-31|v27648]], [[11.1.0-34|v28672]], [[11.3.0-36|v29696]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[2.1.0-3|v2049]], [[2.2.0-X|v3075]], [[3.0.0-5|v4111]], [[4.0.0-7|v5131]], [[4.2.0-9|v6146]], [[5.0.0-11|v7172]], [[6.0.0-11|v8198]], [[7.0.0-13|v9230]], [[9.0.0-20|v11272]], [[9.2.0-20|v12288]], [[9.3.0-21|v13330]], [[9.4.0-21|v14336]], [[9.5.0-22|v15360]], [[9.6.0-24|v16404]], [[9.7.0-25|v17415]], [[9.8.0-25|v19456]], [[9.9.0-26|v20480]], [[10.1.0-27|v21504]], [[10.2.0-28|v22528]], [[10.3.0-28|v23552]], [[10.4.0-29|v24578]], [[10.6.0-31|v25600]], [[11.1.0-34|v26624]], [[11.3.0-36|v27648]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1027]], [[2.1.0-3|v2049]], [[2.2.0-X|v3075]], [[3.0.0-5|v4111]], [[4.0.0-7|v5131]], [[4.2.0-9|v6146]], [[5.0.0-11|v7172]], [[6.0.0-11|v8198]], [[7.0.0-13|v9230]], [[9.0.0-20|v11272]], [[9.2.0-20|v12288]], [[9.3.0-21|v13330]], [[9.4.0-21|v14336]], [[9.5.0-22|v15360]], [[9.6.0-24|v16404]], [[9.7.0-25|v17415]], [[9.8.0-25|v19456]], [[10.1.0-27|v20480]], [[10.2.0-28|v21504]], [[10.3.0-28|v22528]], [[10.4.0-29|v23554]], [[10.6.0-31|v24576]], [[11.1.0-34|v25600]], [[11.3.0-36|v26624]]<br />
|-<br />
| 00008402<br />
| 00009002<br />
| 00009902<br />
| 0000A202<br />
| 0000AA02<br />
| 0000B202<br />
| CTR-N-HCS?<br />
| Camera applet used by Home-menu (CtrApp)<br />
|colspan=3| v0, v1036, [[9.0.0-20|v2049]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00008502<br />
| 00009102<br />
| 00009A02<br />
| ?<br />
| ?<br />
| ?<br />
| ?<br />
| Not available on CDN<br />
| ?<br />
| ?<br />
| ?<br />
|-<br />
| 00008602<br />
| 00009202<br />
| 00009B02<br />
| 0000A402<br />
| 0000AC02<br />
| 0000B402<br />
| <br />
| Instruction Manual, applet for displaying instruction manuals<br />
|colspan=3| v0, v1026, v2048, v3072, [[5.0.0-11|v4097]], [[9.0.0-20|v5120]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00008702<br />
| 00009302<br />
| 00009C02<br />
| 0000A502<br />
| 0000AD02<br />
| 0000B502<br />
| CTR-N-HGM?<br />
| Game Notes (Cherry)<br />
|colspan=3| v0, v1026, v2049, [[5.0.0-11|v3073]], [[9.0.0-20|v4096]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00008802<br />
| 00009402<br />
| 00009D02<br />
| 0000A602<br />
| 0000AE02<br />
| 0000B602<br />
| <br />
| [[Internet Browser]] (spider)<br />
|colspan=3| [[2.0.0-2|v6]], [[2.1.0-4|v1024]], [[4.0.0-7|v2050]], [[5.0.0-11|v3074 (EUR)/v3075(USA,JAP)]], [[7.0.0-13|v3088]], [[7.1.0-16|v4096]], [[9.5.0-23|v5121]], [[9.9.0-26|v6149]], [[10.2.0-28|v7168]], [[10.6.0-31|v8192]], [[10.7.0-32|v9232]], [[11.1.0-34|v10240]]<br />
|-<br />
| 20008802<br />
| 20009402<br />
| 20009D02<br />
| ?<br />
| 2000AE02<br />
| N/A<br />
| CTR-N-HBR?<br />
| [[New 3DS]] [[Internet Browser]] (SKATER)<br />
|colspan=3| [[8.1.0-0_New3DS|v10]], [[9.3.0-21|v1027]], [[9.6.0-24|v2051]], [[9.9.0-26|v3077]], [[10.2.0-28|v4096]], [[10.4.0-29|v5121]], [[10.6.0-31|v6144]], [[10.7.0-32|v7184]], [[11.1.0-34|v8192]]<br />
|-<br />
|colspan=6| 00008A02<br />
| <br />
| Fatal error viewer ([[ErrDisp]])<br />
|colspan=3| v0, v1025, [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5121]], [[8.0.0-18|v6144]], [[9.0.0-20|v7168]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
|colspan=6| 00008A03<br />
| <br />
| SAFE_MODE [[ErrDisp]]<br />
|colspan=3| v0<br />
|-<br />
| 20008A03<br />
| 20008A03<br />
| 20008A03<br />
| ?<br />
| 20008A03<br />
| N/A<br />
| <br />
| [[New_3DS]] SAFE_MODE [[ErrDisp]]<br />
|colspan=3| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00008D02<br />
| 00009602<br />
| 00009F02<br />
| 0000A702<br />
| 0000AF02<br />
| 0000B702<br />
| CTR-N-HFR?<br />
| Friend List (friend)<br />
|colspan=3| v0, v1026, [[2.2.0-X|v2051]], v3082, v4099, [[7.0.0-13|v5120]], [[9.0.0-20|v6144]](Also for [[8.1.0-0_New3DS]]) (EUR v6, v1024, v3082, v4099, [[7.0.0-13|v5120]], [[9.0.0-20|v6144]])<br />
|-<br />
| 00008E02<br />
| 00009702<br />
| 0000A002<br />
| 0000A802<br />
| 0000B002<br />
| 0000B802<br />
| CTR-N-HCR?<br />
| Notifications (newslist)<br />
|colspan=3| v0, v1029, v2054, v3075, [[9.0.0-20|v4097]] (EUR v6, v1024, v2054, v3075, [[9.0.0-20|v4097]]) (JPN: ..., [[8.1.0-0_New3DS|v4096]], [[9.0.0-20|v5121]])<br />
|-<br />
| 0000C002<br />
| 0000C802<br />
| 0000D002<br />
| 0000D802<br />
| 0000DE02<br />
| 0000E402<br />
| CTR-N-HKY?<br />
| Software Keyboard (swkbd)<br />
|colspan=3| v0, v1026, v2053, [[7.0.0-13|v3072]], [[9.0.0-20|v4096]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 0000C003<br />
| 0000C803<br />
| 0000D003<br />
| 0000D803<br />
| 0000DE03<br />
| 0000E403<br />
| <br />
| SAFE_MODE Software Keyboard (swkbd)<br />
|colspan=3| v0<br />
|-<br />
| 2000C003<br />
| 2000C803<br />
| 2000D003<br />
| ?<br />
| 2000DE03<br />
| N/A<br />
| <br />
| [[New 3DS]] SAFE_MODE Software Keyboard (swkbd)<br />
| [[8.1.0-0_New3DS|v1024]]<br />
|colspan=2|[[9.0.0-20|v0]]<br />
|-<br />
| 0000C102<br />
| 0000C902<br />
| 0000D102<br />
| 0000D902<br />
| 0000DF02<br />
| 0000E502<br />
| <br />
| Mii picker (appletEd)<br />
|colspan=3| v0, v1026, [[9.0.0-20|v2048]](Also for [[8.1.0-0_New3DS]]), [[9.3.0-21|v3077]]<br />
|-<br />
| 0000C302<br />
| 0000CB02<br />
| 0000D302<br />
| 0000DB02<br />
| 0000E102<br />
| 0000E702<br />
| <br />
| Picture picker (PNOTE_AP)<br />
|colspan=3| v0, v1024, [[8.1.0-0_New3DS|v2049]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v3075]], [[9.3.0-21|v4096]]<br />
|-<br />
| 0000C402<br />
| 0000CC02<br />
| 0000D402<br />
| 0000DC02<br />
| 0000E202<br />
| 0000E802<br />
| <br />
| [[Nintendo 3DS Sound|Voice memo]] picker (SNOTE_AP)<br />
|colspan=3| v0, v3, [[8.0.0-18|v1026]], [[9.0.0-20|v2048]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
|colspan=3| 0000C502<br />
|colspan=3| 0000CF02<br />
| <br />
| Non-critical (online, etc) error display (error)<br />
|colspan=3| v0, v1026, v2053, v3074, [[8.1.0-0_New3DS|v4096]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v5128]], [[9.6.0-24|v6145]]<br />
|-<br />
|colspan=3| 0000C503<br />
|colspan=3| 0000CF03<br />
| <br />
| SAFE_MODE error applet<br />
|colspan=3| v0<br />
|-<br />
| 2000C503<br />
| 2000C503<br />
| 2000C503<br />
| ?<br />
| 2000CF03<br />
| N/A<br />
| <br />
| [[New 3DS]] SAFE_MODE error applet<br />
|colspan=3| [[8.1.0-0_New3DS|v1024]]<br />
|-<br />
|colspan=3| 0000CD02<br />
|colspan=3| 0000D502<br />
| <br />
| [[Circle Pad Pro]] test/calibration applet (extrapad)<br />
|colspan=3| v1, v1026, [[8.1.0-0_New3DS|v2048]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v3073]]<br />
|-<br />
| 0000C602<br />
| 0000CE02<br />
| 0000D602<br />
| N/A<br />
| 0000E302<br />
| 0000E902<br />
| CTR-N-HAA?<br />
| eShop applet, used by applications for accessing the eShop, for DLC/etc. Also used by the eShop application itself. (mint)<br />
|colspan=3| v5, v1028, [[4.2.0-9|v2050]], [[5.0.0-11|v3072]], [[7.0.0-13|v4109]], [[7.2.0-17|v5125]](v5123 for JPN), [[8.0.0-18|v6145]], [[8.1.0-0_New3DS|v7168]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v8200]], [[9.3.0-21|v9224]], [[9.6.0-24|v10247]], [[9.8.0-25|v11264]], [[10.0.0-27|v12293]], [[10.1.0-27|v13312]], [[10.3.0-28|v14337]], [[10.4.0-29|v15360]], [[10.7.0-32|v16384]], [[11.2.0-35|v17408]](EUR), [[11.3.0-36|v18432]]<br />
|-<br />
| 0000BC02<br />
| 0000BD02<br />
| 0000BE02<br />
| ?<br />
| ?<br />
| ?<br />
| CTR-N-HAE?<br />
| Miiverse (olv)<br />
|colspan=3| [[7.0.0-13|v14]], [[7.2.0-17|v1024]], [[9.0.0-20|v2048]](Also for [[8.1.0-0_New3DS]]), [[9.3.0-21|v3072]], [[9.6.0-24|v4096]]<br />
|-<br />
| 0000F602<br />
| 0000F602<br />
| 0000F602<br />
| ?<br />
| ?<br />
| ?<br />
| <br />
| Likely the "system library" for Miiverse (memolib)<br />
|colspan=3| [[7.0.0-13|v5]], [[8.1.0-0_New3DS|v1024]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v2050]], [[9.3.0-21|v3072]]<br />
|-<br />
| 00008302<br />
| 00008B02<br />
| 0000BA02<br />
| ?<br />
| ?<br />
| ?<br />
| CTR-N-HAH?<br />
| In-app Miiverse-posting applet (solv3)<br />
|colspan=3| [[9.0.0-20|v6]]<br />
|-<br />
| 00009502<br />
| 00009E02<br />
| 0000B902<br />
| ?<br />
| 00008C02<br />
| 0000BF02<br />
| CTR-N-HA3?<br />
| Cabinet ([[amiibo Settings]])<br />
|colspan=3| [[9.3.0-21|v7]], (v1024 for TWN), [[9.6.0-24|v1031]]<br />
|}<br />
<br />
=== 0004009B - [[NCCH#CFA|Shared Data Archives]] ===<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! JPN TitleIDLow<br />
! USA TitleIDLow<br />
! EUR TitleIDLow<br />
! CHN TitleIDLow<br />
! KOR TitleIDLow<br />
! TWN TitleIDLow<br />
! Description<br />
! Versions<br />
|-<br />
| 00010202<br />
| 00010202<br />
| 00010202<br />
| 00010202<br />
| 00010202<br />
| 00010202<br />
| Probably Mii-related, contains "CFL_Res.dat" in the RomFS.<br />
| v0<br />
|-<br />
| 00010402<br />
| 00010402<br />
| 00010402<br />
| 00010402<br />
| 00010402<br />
| 00010402<br />
| Region Manifest. Mounted as "area:"<br />
| v0, v1024, v2050, v3072, [[7.0.0-13|v4098]], [[9.6.0-24|v5122]]<br />
|-<br />
| 00010602<br />
| 00010602<br />
| 00010602<br />
| 00010602<br />
| 00010602<br />
| 00010602<br />
| Non-Nintendo TLS Root-CA Certificates (RomFS contains files with filename "CACERT_PUBLIC_CA_<val>.der", where <val> is 5..8)<br />
| v2, [[10.5.0-30|v1024]]<br />
|-<br />
|<br />
|<br />
|<br />
| 00011002<br />
| <br />
| <br />
| "CHN/CN" Dictionary.<br />
| v1<br />
|-<br />
| <br />
| <br />
|<br />
|<br />
|<br />
| 00011102 <br />
| "TWN/TN" dictionary.<br />
| v1<br />
|-<br />
| <br />
| <br />
| 00011202<br />
|<br />
|<br />
| <br />
| "NL/NL" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011302<br />
|<br />
|<br />
| <br />
| "EN/GB" dictionary.<br />
| v0<br />
|-<br />
| <br />
| 00011402<br />
|<br />
| <br />
| <br />
|<br />
| "EN/US" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011502<br />
|<br />
|<br />
| <br />
| "FR/FR/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| 00011602<br />
|<br />
|<br />
| <br />
| <br />
| "FR/CA/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011702<br />
|<br />
| <br />
| <br />
| "DE/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011802<br />
|<br />
| <br />
| <br />
| "IT/IT" dictionary.<br />
| v0<br />
|-<br />
| 00011902<br />
| <br />
|<br />
| <br />
|<br />
| <br />
| "JA_small/32" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
|<br />
|<br />
| 00011A02<br />
| <br />
| "KO/KO" dictionary.<br />
| v1<br />
|-<br />
| <br />
| <br />
| 00011B02<br />
|<br />
|<br />
| <br />
| "PT/PT/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| <br />
| 00011C02<br />
|<br />
|<br />
| <br />
| "RU/regular" dictionary.<br />
| v0<br />
|-<br />
| <br />
| 00011D02<br />
| 00011D02<br />
|<br />
|<br />
| <br />
| "ES/ES" dictionary.<br />
| v0<br />
|-<br />
| <br />
| 00011E02<br />
|<br />
| <br />
|<br />
| <br />
| "PT/BR/regular" dictionary.<br />
| v0<br />
|-<br />
| 00012202<br />
| 00012302<br />
| 00012102<br />
| 00012402<br />
| 00012502<br />
| 00012602<br />
| ?contains a lists with error strings<br />
| v1026, v2053, v3073, [[4.2.0-9|v4096]], [[5.0.0-11|v5120]], [[7.0.0-13|v6149]], [[7.2.0-17|v7168]], [[8.0.0-18|v8192]], [[9.0.0-20|v9218]], [[9.3.0-21|v10242]], [[9.6.0-24|v11269]], [[10.0.0-27|v12289]], [[10.4.0-29|v13312]], [[10.7.0-32|v13313]] (JPN: [[11.1.0-34|v14336]]) (KOR: [[9.6.0-24|v6148]], [[10.0.0-27|v7169]], [[10.3.0-28|v8193]], [[10.4.0-29|v9216]], [[11.1.0-34|v10240]])<br />
|-<br />
| 00013202<br />
| 00013302<br />
| 00013102<br />
| 00013502<br />
| <br />
| <br />
| Mounted as "eula:"<br />
| v0, v1024, v2049 USA: v1024, v2051, [[7.0.0-13|v3074]], [[7.2.0-17|v4100]](EUR-only), [[9.0.0-20|v4099]], [[9.9.0-26|v6144]], [[10.4.0-29|v7168]] (KOR: [[9.7.0-25|v1025]])<br />
|-<br />
| 00014002<br />
| 00014002<br />
| 00014002<br />
| 00014002<br />
| 00014002<br />
| 00014002<br />
| JPN/EUR/USA [[System Font]] ("font:")<br />
| v0<br />
|-<br />
| 00014102<br />
| 00014102<br />
| 00014102<br />
| 00014102<br />
| 00014102<br />
| 00014102<br />
| CHN [[System Font]] ("font:")<br />
| v0, v1024<br />
|-<br />
| 00014202<br />
| 00014202<br />
| 00014202<br />
| 00014202<br />
| 00014202<br />
| 00014202<br />
| KOR [[System Font]] ("font:")<br />
| v0, v1024<br />
|-<br />
| 00014302<br />
| 00014302<br />
| 00014302<br />
| 00014302<br />
| 00014302<br />
| 00014302<br />
| TWN [[System Font]] ("font:")<br />
| v0, v1024<br />
|-<br />
| 00015202<br />
| 00015302<br />
| 00015102<br />
| N/A<br />
| 00015502<br />
| 0015602<br />
| Mounted as "rate:"<br />
| v0 (EUR: v0, v1024) (KOR: v1024)<br />
|}<br />
<br />
=== 000400DB - [[NCCH#CFA|System Data Archives]] ===<br />
==== System Data Archive Notes ====<br />
These [[NVer]] titleIDs can be found @ offset 0x320 in every [[CCI]].<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! EUR TitleIDLow<br />
! JPN TitleIDLow<br />
! USA TitleIDLow<br />
! CHN TitleIDLow<br />
! KOR TitleIDLow<br />
! TWN TitleIDLow<br />
! Description<br />
! USA/EUR/JPN Versions<br />
! CHN Versions<br />
! TWN Versions<br />
! KOR Versions<br />
|-<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
| 00010302<br />
| NGWord bad word list<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1024]], [[3.0.0-5|v2052]], [[4.0.0-7|v3072]], [[4.3.0-10|v4096]], [[5.0.0-11|v5120]], [[9.0.0-20|v6144]], [[9.3.0-21|v7168]], [[9.6.0-24|v8192]], [[11.1.0-34|v9217]]<br />
| Same as USA<br />
| Same as USA<br />
| Same as USA<br />
|-<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
| 00010502<br />
| [[Nintendo Zone]] hotspot list<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1024]], [[3.0.0-5|v2048]], [[4.0.0-7|v3073]], [[4.3.0-10|v4096]], [[4.4.0-10|v5120]], [[4.5.0-10|v6144]], [[5.0.0-11|v7169]], [[6.0.0-11|v8192]], [[6.2.0-12|v9216]], [[7.0.0-13|v10242]], [[7.2.0-17|v11267]], [[8.0.0-18|v12288]], [[9.0.0-20|v14336]], [[9.3.0-21|v15360]], [[9.6.0-24|v16386]], [[10.0.0-27|v17409]], [[10.4.0-29|v18432]], [[11.1.0-34|v19457]]<br />
| Same as USA<br />
| Same as USA<br />
| Same as USA<br />
|-<br />
| 00016102<br />
| 00016202<br />
| 00016302<br />
| 00016402<br />
| 00016502<br />
| 00016602<br />
| [[NVer]]<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v16]], [[2.0.0-2|v32]], [[2.1.0-3|v48]], [[2.1.0-4|v64]], [[3.0.0-5|v80]], [[3.0.0-6|v96]], [[4.0.0-7|v112]], [[4.1.0-8|v128]], [[4.2.0-9|v144]], [[4.3.0-10|v160]], [[5.0.0-11|v176]], non-USA=[[6.0.0-11|v192]]/USA=[[6.1.0-12U|v192]], [[7.0.0-13|v208]], [[7.1.0-14|v224]], [[7.1.0-15|v240]], [[7.1.0-16|v256]], [[7.2.0-17|v272]], [[8.0.0-18|v288]], [[8.1.0-19|v304]], [[9.0.0-20|v320]], [[9.3.0-21|v336]], [[9.5.0-22|v352]], [[9.5.0-23|v368]], [[9.6.0-24|v384]], [[9.7.0-25|v400]], [[9.9.0-26|v416]], [[10.0.0-27|v432]], [[10.2.0-28|v448]], [[10.4.0-29|v464]], [[10.5.0-30|v480]], [[10.6.0-31|v496]], [[10.7.0-32|v512]], [[11.0.0-33|v528]], [[11.1.0-34|v544]], [[11.2.0-35|v560]], [[11.3.0-36|v576]]<br />
| [[4.0.0-7|v113]], [[4.2.0-9|v128]], [[5.0.0-11|v129]], [[7.1.0-16|v130]], [[7.2.0-17|v272]], [[9.5.0-23|v131]], [[9.9.0-26|v132]]<br />
| [[4.1.0-8|v114]], [[4.2.0-9|v133]], [[4.3.0-10|v134]], [[5.0.0-11|v136]], [[7.0.0-13|v144]], [[7.1.0-14|v160]] [[7.1.0-16|v192]], [[7.2.0-17|v272]], [[8.0.0-18|v208]], [[8.1.0-19|v224]], [[9.0.0-20|v240]], [[9.5.0-22|v272]], [[9.5.0-23|v288]], [[9.6.0-24|v304]], [[9.7.0-25|v320]], [[9.9.0-26|v336]], [[10.0.0-27|v352]], [[10.2.0-28|v368]], [[10.4.0-29|v384]], [[10.5.0-30|v400]], [[10.6.0-31|v416]], [[10.7.0-32|v432]], [[11.0.0-33|v448]], [[11.1.0-34|v464]], [[11.2.0-35|v480]], [[11.3.0-36|v496]]<br />
| [[4.0.0-7|v113]], [[4.1.0-8|v114]], [[4.2.0-9|v133]], [[4.3.0-10|v134]], [[5.0.0-11|v136]], [[7.0.0-13|v160]], [[7.1.0-14|v176]], [[7.1.0-16|v176]], [[7.2.0-17|v272]], [[8.0.0-18|v224]], [[8.1.0-19|v240]], [[9.0.0-20|v256]], [[9.3.0-21|v272]], [[9.5.0-22|v288]], [[9.5.0-23|v304]], [[9.6.0-24|v320]], [[9.7.0-25|v336]], [[9.9.0-26|v352]], [[10.0.0-27|v368]], [[10.2.0-28|v384]], [[10.4.0-29|v400]], [[10.5.0-30|v416]], [[10.6.0-31|v432]], [[10.7.0-32|v448]], [[11.0.0-33|v464]], [[11.1.0-34|v480]], [[11.2.0-35|v496]], [[11.3.0-36|v512]]<br />
|-<br />
| 20016102<br />
| 20016202<br />
| 20016302<br />
| N/A<br />
| 20016502<br />
| N/A<br />
| [[New_3DS]] [[NVer]]<br />
| [[8.1.0-0_New3DS|v0]], [[9.0.0-20|v320]], [[9.3.0-21|v336]], [[9.5.0-22|v352]], [[9.5.0-22|v352]], [[9.5.0-23|v368]], [[9.6.0-24|v384]], [[9.7.0-25|v400]], [[9.9.0-26|v416]], [[10.0.0-27|v432]], [[10.2.0-28|v448]], [[10.4.0-29|v464]], [[10.5.0-30|v480]], [[10.6.0-31|v496]], [[10.7.0-32|v512]], [[11.0.0-33|v528]], [[11.1.0-34|v544]], [[11.2.0-35|v560]], [[11.3.0-36|v576]]<br />
| N/A<br />
| N/A<br />
| [[9.6.0-24|v320]], [[9.7.0-25|v336]], [[9.9.0-26|v352]], [[10.0.0-27|v368]], [[10.2.0-28|v384]], [[10.4.0-29|v400]], [[10.5.0-30|v416]], [[10.6.0-31|v432]], [[10.7.0-32|v448]], [[11.0.0-33|v464]], [[11.2.0-35|v496]], [[11.3.0-36|v512]]<br />
|-<br />
| 00017102<br />
| 00017202<br />
| 00017302<br />
| 00017402<br />
| 00017502<br />
| 00017602<br />
| [[CVer]]<br />
| [[1.0.0-0|v1024]], [[1.1.0-1|v1045]], [[2.0.0-2|v2049]], [[2.1.0-3|v2069]], [[2.2.0-X|v2088]] [[3.0.0-5|v3088]], [[4.0.0-7|v4098]], [[4.1.0-8|v4113]], [[4.2.0-9|v4130]], [[4.3.0-10|v4145]], [[4.4.0-10|v4163]], [[4.5.0-10|v4176]], [[5.0.0-11|v5120]], [[5.1.0-11|v5136]], [[6.0.0-11|v6146]], [[6.1.0-11|v6160]], [[6.2.0-12|v6178]], [[6.3.0-12|v6192]], [[7.0.0-13|v7175]], [[7.1.0-14|v7187]], [[7.2.0-17|v7203]], [[8.0.0-18|v8196]], [[8.1.0-18|v8208]], [[8.1.0-0_New3DS|v8215]](8.1.0-0_New3DS), [[9.0.0-20|v9218]], [[9.1.0-20J|v9232]](JPN-only), [[9.2.0-20|v9248]], [[9.3.0-21|v9264]], [[9.4.0-21|v9280]], [[9.5.0-22|v9296]], [[9.6.0-24|v9319]], [[9.7.0-25|v9328]], [[9.8.0-25|v9344]], [[9.9.0-26|v9360]], [[10.0.0-27|v10240]], [[10.1.0-27|v10256]], [[10.2.0-28|v10272]], [[10.3.0-28|v10288]], [[10.4.0-29|v10304]], [[10.5.0-30|v10320]], [[10.6.0-31|v10336]], [[10.7.0-32|v10352]], [[11.0.0-33|v11264]], [[11.1.0-34|v11280]], [[11.2.0-35|v11296]], [[11.3.0-36|v11312]]<br />
| [[1.0.0-0|v1024]], [[1.1.0-1|v1045]], [[2.0.0-2|v2049]], [[2.1.0-3|v2069]], [[2.2.0-X|v2088]] [[3.0.0-5|v3088]], [[4.0.0-7|v4098]], [[4.1.0-8|v4113]], [[4.2.0-9|v4130]], [[4.3.0-10|v4145]], [[4.4.0-10|v4163]], [[4.5.0-10|v4176]], [[5.0.0-11|v5120]], [[5.1.0-11|v5136]], [[6.0.0-11|v6146]], [[6.1.0-11|v6160]], [[6.2.0-12|v6178]], [[6.3.0-12|v6192]], [[7.0.0-13|v7175]], [[7.1.0-14|v7187]], [[7.2.0-17|v7203]], [[8.0.0-18|v8196]], [[8.1.0-18|v8208]], [[9.0.0-20|v9217]], [[9.3.0-21|v9264]], [[9.5.0-22|v9296]], [[9.6.0-24|v9319]], [[9.7.0-25|v9328]], [[9.8.0-25|v9344]], [[9.9.0-26|v9360]], [[10.0.0-27|v10240]], [[10.2.0-28|v10272]], [[10.4.0-29|v10304]], [[10.5.0-30|v10320]], [[10.6.0-31|v10336]], [[10.7.0-32|v10352]], [[11.2.0-35|v11296]], [[11.3.0-36|v11312]]<br />
| Same as CHN<br />
| Same as CHN + [[11.1.0-34|v11280]]<br />
|}<br />
<br />
=== 00040130 - System [[Services API|Modules]] ===<br />
==== System Module Notes ====<br />
Once Home Menu finishes loading, all of the below system modules are running, except for MP, RO, and act which are automatically [[Process_Manager_Services|loaded]] when a process requires them. <br />
When [[Process_Manager_Services|PM]]-module terminates processes, it will check whether the processes listed as dependencies for this process are listed as dependencies for other processes. <br />
Any processes which are no longer listed in any processes dependencies lists are then terminated. On [[New_3DS]], the only New3DS-specific system-module which automatically gets loaded during system boot is qtm.<br />
All of the below system modules use the "BASE" [[SVC|memory-region]](specified in the exheader), except when listed otherwise for certain modules.<br />
When handling the exheader dependency list starting with [[8.0.0-18]], Old3DS FIRM [[Process_Manager_Services|PM]]-module now skips handling titles in this list which have any bits in programID-low bitmask 0xF0000000 set(with [[8.0.0-18]] this is hard-coded). <br />
The exheader dependency list handling change is for the [[New 3DS]] system-module(s), which do not exist on Old3DS. <br />
When the New3DS pm-module is launching any title except [[NS]], it first attempts to launch the title with programID-low bitmask 0x20000000 set, then with that bitmask clear if launching fails.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! TitleID Low<br />
! Description<br />
! Versions<br />
|-<br />
| 00001002<br />
| [[Services|sm]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001003<br />
| SAFE_MODE [[Services|sm]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001102<br />
| [[Filesystem services|fs]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001103<br />
| SAFE_MODE [[Filesystem services|fs]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001202<br />
| [[Process Manager Services|pm]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001203<br />
| SAFE_MODE [[Process Manager Services|pm]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001302<br />
| [[Loader Services|loader]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001303<br />
| SAFE_MODE [[Loader Services|loader]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001402<br />
| [[PXI Services|pxi]] (Stored in [[FIRM|NATIVE_FIRM]])<br />
| N/A<br />
|-<br />
| 00001403<br />
| SAFE_MODE [[PXI Services|pxi]] (Stored in SAFE_MODE NATIVE_FIRM)<br />
| N/A<br />
|-<br />
| 00001502<br />
| [[Application Manager Services|AM]] ( Application Manager )<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[3.0.0-5|v2053]], [[4.0.0-7|v3072]], [[5.0.0-11|v4098]], [[6.0.0-11|v5120]], [[8.0.0-18|v6148]], [[8.1.0-0_New3DS|v7168]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v8192]], [[10.0.0-27|v9217]]<br />
|-<br />
| 00001503<br />
| SAFE_MODE [[Application Manager Services|AM]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001503<br />
| [[New_3DS]] SAFE_MODE [[Application Manager Services|AM]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00001602<br />
| [[Camera Services|Camera]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[3.0.0-5|v2048]], [[4.0.0-7|v3074]], [[5.0.0-11|v4098]], [[6.0.0-11|v5120]], [[7.1.0-14|v6146]], [[8.0.0-18|v7172]], [[9.0.0-20|v9216]], [[9.3.0-21|v10242]], [[10.0.0-27|v11265]]<br />
|-<br />
| 20001602<br />
| [[New_3DS]] [[Camera Services|Camera]]<br />
| [[8.1.0-0_New3DS|v8200]], [[9.0.0-20|v9218]], [[9.3.0-21|v10242]], [[10.0.0-27|v11265]]<br />
|-<br />
| 00001702<br />
| [[Config Services|Config]] (cfg)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1024]], [[3.0.0-5|v2049]], v3072, [[4.0.0-7|v4096]], [[5.0.0-11|v5122]], [[6.0.0-11|v6145]], [[6.1.0-11|v7168]], [[7.0.0-13|v8196]], [[7.2.0-17|v9220]], [[8.0.0-18|v10243]], [[8.1.0-0_New3DS|v11265]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v12290]], [[9.3.0-21|v13315]], [[9.6.0-24|v14342]]<br />
|-<br />
| 00001703<br />
| SAFE_MODE [[Config Services|Config]] (cfg)<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001703<br />
| [[New_3DS]] SAFE_MODE [[Config Services|Config]] (cfg)<br />
| [[8.1.0-0_New3DS|v11265]]<br />
|-<br />
| 00001802<br />
| [[Codec Services|Codec]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[5.0.0-11|v4098]], [[7.0.0-13|v5120]], [[8.0.0-18|v6144]], [[9.0.0-20|v7168]](Also for [[8.1.0-0_New3DS]])<br />
|-<br />
| 00001803<br />
| SAFE_MODE [[Codec Services|Codec]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001803<br />
| [[New_3DS]] SAFE_MODE [[Codec Services|Codec]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00001A02<br />
| [[DSP Services|DSP]]<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[4.0.0-7|v2048]], [[5.0.0-11|v3074]], [[6.0.0-11|v4096]], [[8.0.0-18|v5120]], [[9.7.0-25|v6145]], [[11.1.0-34|v7169]]<br />
|-<br />
| 00001A03<br />
| SAFE_MODE [[DSP Services|DSP]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001A03<br />
| [[New_3DS]] SAFE_MODE [[DSP Services|DSP]]<br />
| [[8.1.0-0_New3DS|v6145]]<br />
|-<br />
| 00001B02<br />
| [[GPIO Services|GPIO]]<br />
| [[1.0.0-0|v0]], [[5.0.0-11|v1025]], [[8.0.0-18|v2048]], [[9.5.0-22|v3073]]<br />
|-<br />
| 00001B03<br />
| SAFE_MODE [[GPIO Services|GPIO]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001B03<br />
| [[New_3DS]] SAFE_MODE [[GPIO Services|GPIO]]<br />
| [[8.1.0-0_New3DS|v3073]]<br />
|-<br />
| 00001C02<br />
| [[GSP Services|GSP]]<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1040]], [[2.0.0-2|v2049]], [[3.0.0-5|v3075]], v4098, [[4.0.0-7|v5120]], [[5.0.0-11|v6145]], [[6.0.0-11|v7168]], [[8.0.0-18|v8196]], [[9.0.0-20|v10240]], [[9.3.0-21|v11264]], [[9.6.0-24|v12294]], [[11.3.0-36|v13312]]<br />
|-<br />
| 20001C02<br />
| [[New_3DS]] [[GSP Services|GSP]]<br />
| [[8.1.0-0_New3DS|v10243]], [[9.3.0-21|v11267]], [[9.6.0-24|v12294]], [[11.3.0-36|v13312]]<br />
|-<br />
| 00001C03<br />
| SAFE_MODE [[GSP Services|GSP]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001C03<br />
| [[New_3DS]] SAFE_MODE [[GSP Services|GSP]]<br />
| [[8.1.0-0_New3DS|v9217]]<br />
|-<br />
| 00001D02<br />
| [[HID Services|HID]] (Human Interface Devices) <br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5121]], [[7.2.0-17|v6148]], [[8.0.0-18|v7168]], [[8.1.0-0_New3DS|v8192]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v9216]], [[9.3.0-21|v10240]]<br />
|-<br />
| 00001D03<br />
| SAFE_MODE [[HID Services|HID]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001D03<br />
| [[New_3DS]] SAFE_MODE [[HID Services|HID]]<br />
| [[8.1.0-0_New3DS|v8193]]<br />
|-<br />
| 00001E02<br />
| [[I2C Services|i2c]]<br />
| [[1.0.0-0|v0]], [[3.0.0-5|v1024]], [[5.0.0-11|v2049]], [[8.0.0-18|v3076]], [[9.3.0-21|v5120]]<br />
|-<br />
| 20001E02<br />
| [[New_3DS]] [[I2C Services|i2c]]<br />
| [[8.1.0-0_New3DS|v4096]], [[9.3.0-21|v5121]]<br />
|- <br />
| 00001E03<br />
| SAFE_MODE [[I2C Services|i2c]]<br />
| [[1.0.0-0|v0]]<br />
|- <br />
| 20001E03<br />
| [[New_3DS]] SAFE_MODE [[I2C Services|i2c]]<br />
| [[8.1.0-0_New3DS|v4097]]<br />
|-<br />
| 00001F02<br />
| [[MCU Services|MCU]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.1.0-3|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4102]], [[5.0.0-11|v5122]], [[6.0.0-11|v6145]], [[7.0.0-13|v7168]], [[8.0.0-18|v8192]]<br />
|-<br />
| 20001F02<br />
| [[New_3DS]] [[MCU Services|MCU]]<br />
| [[8.1.0-0_New3DS|v8192]]<br />
|-<br />
| 00001F03<br />
| SAFE_MODE [[MCU Services|MCU]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20001F03<br />
| [[New_3DS]] SAFE_MODE [[MCU Services|MCU]]<br />
| [[8.1.0-0_New3DS|v9217]]<br />
|-<br />
| 00002002<br />
| [[MIC Services|MIC]] (Microphone)<br />
| [[1.0.0-0|v0]], [[5.0.0-11|v1025]], [[8.0.0-18|v2048]]<br />
|-<br />
| 00002102<br />
| [[PDN Services|PDN]]<br />
| [[1.0.0-0|v0]], [[5.0.0-11|v1025]], [[8.0.0-18|v2048]]<br />
|-<br />
| 00002103<br />
| SAFE_MODE [[PDN Services|PDN]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002103<br />
| [[New_3DS]] SAFE_MODE [[PDN Services|PDN]]<br />
| [[8.1.0-0_New3DS|v3073]]<br />
|-<br />
| 00002202<br />
| [[PTM Services|PTM]] (Play time, pedometer, and battery manager)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3075]], v4096, [[4.0.0-7|v5120]], [[5.0.0-11|v6146]], [[6.0.0-11|v7168]], [[7.0.0-13|v8192]], [[8.0.0-18|v9219]], [[9.6.0-24|v11264]]<br />
|-<br />
| 20002202<br />
| [[New_3DS]] [[PTM Services|PTM]] (Play time, pedometer, and battery manager)<br />
| [[8.1.0-0_New3DS|v10240]], [[9.6.0-24|v11264]]<br />
|-<br />
| 00002203<br />
| SAFE_MODE [[PTM Services|PTM]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002203<br />
| [[New_3DS]] SAFE_MODE [[PTM Services|PTM]]<br />
| [[8.1.0-0_New3DS|v10241]]<br />
|-<br />
| 00002302<br />
| [[SPI Services|spi]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[5.0.0-11|v2049]], [[8.0.0-18|v3072]]<br />
|-<br />
| 20002302<br />
| [[New_3DS]] [[SPI Services|spi]]<br />
| [[8.1.0-0_New3DS|v4096]]<br />
|-<br />
| 00002303<br />
| SAFE_MODE [[SPI Services|spi]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002303<br />
| [[New_3DS]] SAFE_MODE [[SPI Services|spi]]<br />
| [[8.1.0-0_New3DS|v4097]]<br />
|-<br />
| 00002402<br />
| [[AC Services|AC]] (Network manager)<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1024]], [[2.0.0-2|v2052]], [[2.1.0-3|v3072]], [[3.0.0-5|v4101]], [[5.0.0-11|v5122]], [[7.0.0-13|v6145]], [[8.0.0-18|v7172]], [[9.0.0-20|v8192]](Also for [[8.1.0-0_New3DS]]), [[9.3.0-21|v9216]]<br />
|-<br />
| 00002403<br />
| SAFE_MODE [[AC Services|AC]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002403<br />
| [[New_3DS]] SAFE_MODE [[AC Services|AC]]<br />
| [[8.1.0-0_New3DS|v8193]]<br />
|-<br />
| 00002602<br />
| [[CECD Services|Cecd]] (StreetPass)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3073]], [[4.0.0-7|v4097]], [[5.0.0-11|v5122]], [[6.0.0-11|v6144]], [[6.2.0-12|v7170]], [[7.0.0-13|v8193]], [[8.0.0-18|v9216]], [[9.0.0-20|v10240]]<br />
|-<br />
| 00002702<br />
| [[CSND Services|CSND]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[4.0.0-7|v2048]], [[5.0.0-11|v3073]], [[8.0.0-18|v4096]], [[9.0.0-20|v5120]]<br />
|-<br />
| 00002703<br />
| SAFE_MODE [[CSND Services|CSND]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002703<br />
| [[New_3DS]] SAFE_MODE [[CSND Services|CSND]]<br />
| [[8.1.0-0_New3DS|v5121]]<br />
|-<br />
| 00002802<br />
| [[DLP Services|DLP]] ([[Download Play]])<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3078]], [[5.0.0-11|v4099]], [[8.0.0-18|v5123]], [[9.0.0-20|v6145]](Also for [[8.1.0-0_New3DS]]), [[9.6.0-24|v7174]], [[10.0.0-27|v8192]]<br />
|-<br />
| 00002902<br />
| [[HTTP Services|HTTP]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.1.0-3|v2049]], [[2.2.0-X|v3072]], [[3.0.0-5|v4099]], [[4.0.0-7|v5122]], [[5.0.0-11|v6145]], [[7.0.0-13|v7171]], [[7.1.0-14|v8192]], [[8.0.0-18|v9220]], [[8.1.0-18|v10245]], [[8.1.0-0_New3DS|v11264]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v12288]], [[9.6.0-24|v13318]]<br />
|-<br />
| 00002903<br />
| SAFE_MODE [[HTTP Services|HTTP]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002903<br />
| [[New_3DS]] SAFE_MODE [[HTTP Services|HTTP]]<br />
| [[8.1.0-0_New3DS|v10241]]<br />
|-<br />
| 00002A02<br />
| [[MP Services|MP]]<br />
| [[1.0.0-0|v0]], [[5.0.0-11|v1025]], [[8.0.0-18|v2048]]<br />
|-<br />
| 00002A03<br />
| SAFE_MODE [[MP Services|MP]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 00002B02<br />
| [[NDM Services|NDM]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[3.0.0-5|v2049]], [[4.0.0-7|v3072]], [[5.0.0-11|v4098]], [[8.0.0-18|v5124]], [[8.1.0-0_New3DS|v6144]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v7169]]<br />
|-<br />
| 00002C02<br />
| [[NIM Services|NIM]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1028]], [[3.0.0-5|v2055]], [[4.0.0-7|v3074]], [[5.0.0-11|v4100]], [[6.0.0-11|v5120]], [[7.0.0-13|v6148]], [[7.2.0-17|v7174]], [[8.0.0-18|v8195]], [[8.1.0-0_New3DS|v9217]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v10249]], [[9.3.0-21|v11267]], [[9.6.0-24|v12296]], [[10.0.0-27|v13313]]<br />
|-<br />
| 00002C03<br />
| SAFE_MODE [[NIM Services|NIM]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002C03<br />
| [[New_3DS]] SAFE_MODE [[NIM Services|NIM]]<br />
| [[8.1.0-0_New3DS|v9217]]<br />
|-<br />
| 00002D02<br />
| [[NWM Services|NWM]] ( Low-level wifi manager )<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1024]], [[2.0.0-2|v2052]], [[2.2.0-X|v3072]], [[3.0.0-5|v4101]], [[4.0.0-7|v5120]], [[5.0.0-11|v6148]], [[6.0.0-11|v7169]], [[7.2.0-17|v8196]], [[8.0.0-18|v9216]], [[9.0.0-20|v10240]]<br />
|-<br />
| 00002D03<br />
| SAFE_MODE [[NWM Services|NWM]]<br />
| [[1.0.0-0|v0]], [[6.0.0-11|v5120]]<br />
|-<br />
| 20002D03<br />
| [[New_3DS]] SAFE_MODE [[NWM Services|NWM]]<br />
| [[8.1.0-0_New3DS|v10241]]<br />
|-<br />
| 00002E02<br />
| [[Socket Services|Sockets]]<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1024]], [[2.0.0-2|v2053]], [[3.0.0-5|v3075]], [[4.0.0-7|v4096]], [[5.0.0-11|v5121]], [[8.0.0-18|v6144]], [[9.0.0-20|v7168]], [[10.6.0-31|v8192]]<br />
|-<br />
| 00002E03<br />
| SAFE_MODE [[Socket Services|Sockets]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002E03<br />
| [[New_3DS]] SAFE_MODE [[Socket Services|Sockets]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00002F02<br />
| [[SSL Services|SSL]]<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1024]], [[2.1.0-3|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5122]], [[8.0.0-18|v6144]], [[9.0.0-20|v7168]], [[9.6.0-24|v8198]]<br />
|-<br />
| 00002F03<br />
| SAFE_MODE [[SSL Services|SSL]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20002F03<br />
| [[New_3DS]] SAFE_MODE [[SSL Services|SSL]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|-<br />
| 00003000<br />
| [[FIRM|Process9]] (in SAFE_MODE and normal NATIVE_FIRM)<br />
| <br />
|-<br />
| 00003102<br />
| [[Process Services|PS]] ( Process Manager )<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1025]], [[5.0.0-11|v2049]], [[6.0.0-11|v3072]], [[8.0.0-18|v4096]], [[9.0.0-20|v5120]]<br />
|-<br />
| 00003103<br />
| SAFE_MODE [[Process Services|PS]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20003103<br />
| [[New_3DS]] SAFE_MODE [[Process Services|PS]]<br />
| [[8.1.0-0_New3DS|v5121]]<br />
|-<br />
| 00003202<br />
| [[Friend Services|friends]] (Friends list)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1028]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5122]], [[7.0.0-13|v6145]], [[8.0.0-18|v7172]], [[9.0.0-20|v8192]](Also for [[8.1.0-0_New3DS]]), [[10.5.0-30|v9216]], [[10.7.0-32|v10240]], [[11.0.0-33|v11264]], [[11.1.0-34|v12288]], [[11.2.0-35|v13312]], [[11.3.0-36|v14336]]<br />
|-<br />
| 00003203<br />
| SAFE_MODE [[Friend Services|friends]] (Friends list)<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20003203<br />
| [[New_3DS]] SAFE_MODE [[Friend Services|friends]] (Friends list)<br />
| [[8.1.0-0_New3DS|v8193]]<br />
|-<br />
| 00003302<br />
| [[IR Services|IR]] (Infrared)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[5.0.0-11|v5121]], [[8.0.0-18|v6148]], [[8.1.0-0_New3DS|v7170]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v8192]], [[9.3.0-21|v9216]], [[9.6.0-24|v10246]], [[10.0.0-27|v11265]], [[10.6.0-31|v12289]]<br />
|-<br />
| 00003303<br />
| SAFE_MODE [[IR Services|IR]]<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20003303<br />
| [[New_3DS]] SAFE_MODE [[IR Services|IR]]<br />
| [[8.1.0-0_New3DS|v7169]]<br />
|- <br />
| 00003402<br />
| [[BOSS Services|BOSS]] (SpotPass)<br />
| [[1.0.0-0|v0]], [[1.1.0-1|v1024]], [[2.0.0-2|v2053]], [[2.2.0-X|v3073]], [[3.0.0-5|v4101]], [[4.0.0-7|v5122]], [[5.0.0-11|v6146]], [[6.0.0-11|v7169]], [[6.2.0-12|v8193]], [[7.0.0-13|v9222]], [[8.0.0-18|v10240]], [[9.0.0-20|v11266]], [[10.0.0-27|v12289]], [[10.4.0-29|v13314]]<br />
|-<br />
| 00003502<br />
| [[News Services|News]] (Notifications)<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1028]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[5.0.0-11|v4097]], [[8.0.0-18|v5120]], [[9.0.0-20|v6147]], [[9.7.0-25|v7168]]<br />
|-<br />
| 00003702<br />
| [[RO_Services|RO]]<br />
| [[2.0.0-2|v0]], [[4.0.0-7|v1024]], [[5.0.0-11|v2049]], [[7.2.0-17|v3074]], [[8.0.0-18|v4096]], [[9.0.0-20|v5120]](Also for [[8.1.0-0_New3DS]]), [[9.3.0-21|v6148]]<br />
|-<br />
| 00003802<br />
| [[ACT Services|act]] (handles Nintendo Network '''a'''c'''c'''oun'''t'''s)<br />
| [[7.0.0-13|v1029]], [[7.1.0-14|v2050]], [[7.2.0-17|v3077]], [[8.0.0-18|v4099]], [[8.1.0-0_New3DS|v5120]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v6144]], [[9.3.0-21|v7168]], [[9.6.0-24|v8198]]<br />
|-<br />
| 00004002<br />
| Old3DS [[NFC_Services|nfc]]<br />
| [[9.3.0-21|v2053]], [[9.6.0-24|v4106]], [[9.7.0-25|v5121]], [[10.0.0-27|v6145]], [[10.6.0-31|v7168]], [[10.7.0-32|v8192]]<br />
|-<br />
| 20004002<br />
| [[New_3DS]] [[NFC_Services|nfc]]<br />
| [[8.1.0-0_New3DS|v0]], [[9.0.0-20|v1024]], [[9.3.0-21|v2053]], [[9.5.0-22|v3073]], [[9.6.0-24|v4102]], [[10.0.0-27|v6145]], [[10.6.0-31|v7168]]<br />
|-<br />
| 20004102<br />
| [[New_3DS]] [[MVD Services|mvd]]<br />
| [[8.1.0-0_New3DS|v0]], [[9.0.0-20|v1024]]<br />
|-<br />
| 20004202<br />
| [[New_3DS]] [[QTM Services|qtm]]<br />
| [[8.1.0-0_New3DS|v8]], [[9.0.0-20|v1024]], [[9.3.0-21|v2052]]<br />
|-<br />
| 00008002<br />
| [[NS]] (Memory-region: "SYSTEM")<br />
| [[1.0.0-0|v0]], [[2.0.0-2|v1028]], [[2.2.0-X|v2048]], [[3.0.0-5|v3077]], v4096, [[4.0.0-7|v5121]], [[5.0.0-11|v6148]], [[5.1.0-11|v7168]], [[6.0.0-11|v8193]], [[6.1.0-11|v9216]], [[7.0.0-13|v10248]], [[7.2.0-17|v11268]], [[8.0.0-18|v12291]], [[8.1.0-0_New3DS|v13312]]([[8.1.0-0_New3DS]]), [[9.0.0-20|v14336]], [[9.3.0-21|v15360]], [[9.6.0-24|v16390]], [[9.8.0-25|v17408]], [[10.0.0-27|v18433]], [[10.4.0-29|v19458]], [[11.1.0-34|v20482]], [[11.3.0-36|v21504]]<br />
|-<br />
| 00008003<br />
| SAFE_MODE [[NS]] (Memory-region: "SYSTEM")<br />
| [[1.0.0-0|v0]]<br />
|-<br />
| 20008003<br />
| [[New_3DS]] SAFE_MODE [[NS]] (Memory-region: "SYSTEM")<br />
| [[8.1.0-0_New3DS|v13313]]<br />
|}<br />
<br />
=== 00040138 - [[FIRM|System Firmware]] ===<br />
==== System Firmare Notes ====<br />
NATIVE_FIRM and SAFE_MODE_FIRM for the initial versions are exactly the same, besides [[Configuration_Memory|core-version]] fields. SAFE_MODE_FIRM is used for running SAFE_MODE titles, on retail SAFE_MODE_FIRM seems to be only used for running the [[System_Settings#System_Updater|System Updater]] application. When a GBA VC title is launched, AGB_FIRM is launched to handle running this title. GBA VC savegames stored under SD card /title/<TID>/data use a custom format, this is handled by AGB_FIRM.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! TitleID Low<br />
! Description<br />
! USA/EUR/JPN Versions<br />
! CHN Versions<br />
! KOR Versions<br />
! TWN Versions<br />
|-<br />
| 00000001<br />
| Unknown, very similar to SAFE_MODE_FIRM. Exists only on dev units and seems to only be used by SystemUpdaters.<br />
| v0<br />
| <br />
| <br />
| <br />
|-<br />
| 00000002<br />
| NATIVE_FIRM (Native Firmware)<br />
| [[1.0.0-0|v432]], [[1.1.0-1|v1472]], [[2.0.0-2|v2516]], [[2.1.0-3|v3553]], [[2.2.0-X|v4595]], [[3.0.0-5|v5647]], [[4.0.0-7|v6677]], [[4.1.0-8|v7712]], [[5.0.0-11|v8758]], [[5.1.0-11|v9792]], [[6.0.0-11|v10833]], [[6.1.0-11|v11872]], [[7.0.0-13|v12916]], [[7.2.0-17|v13956]], v15043, [[8.0.0-18|v15047]], [[9.0.0-20|v17120]], [[9.3.0-21|v18182]], [[9.5.0-22|v19216]], [[9.6.0-24|v20262]], [[10.0.0-27|v21288]], [[10.2.0-28|v22313]], [[10.4.0-29|v23341]], [[11.0.0-33|v24368]], [[11.1.0-34|v25396]], [[11.2.0-35|v26432]], [[11.3.0-36|v27476]]<br />
| Same as USA/EUR/JPN starting with the USA/EUR/JPN [[4.0.0-7]] title-version<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 20000002<br />
| [[New_3DS]] NATIVE_FIRM (Native Firmware)<br />
| [[8.1.0-0_New3DS|v16085]], [[9.0.0-20|v17120]], [[9.3.0-21|v18182]], [[9.5.0-22|v19218]], [[9.6.0-24|v20262]], [[10.0.0-27|v21288]], [[10.2.0-28|v22313]], [[10.4.0-29|v23341]], [[11.0.0-33|v24368]], [[11.1.0-34|v25396]], [[11.2.0-35|v26432]], [[11.3.0-36|v27476]]<br />
| N/A<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 00000003<br />
| SAFE_MODE_FIRM <br />
| [[1.0.0-0|v432]], [[3.0.0-5|v5632]]<br />
| Same as USA/EUR/JPN starting with the USA/EUR/JPN [[3.0.0-5]] title-version<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 20000003<br />
| [[New_3DS]] SAFE_MODE_FIRM <br />
| [[8.1.0-0_New3DS|v16081]]<br />
| N/A<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 00000102 <br />
| TWL_FIRM ( DSi Firmware )<br />
| [[1.0.0-0|v432]], [[2.0.0-2|v1489]], [[3.0.0-5|v2565]], v3601, [[4.0.0-7|v4625]], [[4.4.0-10|v5681]], [[4.5.0-10|v6704]], [[6.0.0-11|v7762]], [[6.2.0-12|v8817]]<br />
| Same as USA/EUR/JPN starting with the USA/EUR/JPN [[4.0.0-7]] title-version<br />
| Same as CHN.<br />
| Same as CHN.<br />
|-<br />
| 20000102 <br />
| [[New_3DS]] TWL_FIRM ( DSi Firmware )<br />
| [[8.1.0-0_New3DS|v9936]]<br />
| N/A<br />
| Same as CHN.<br />
| Same as CHN.<br />
|- <br />
| 00000202<br />
| AGB_FIRM ( GBA Firmware )<br />
| [[3.0.0-5|v519]], v1553, [[4.0.0-7|v2576]], [[6.0.0-11|v3665]]<br />
| [[4.0.0-7|v2576]]<br />
| [[4.0.0-7|v2576]], [[6.0.0-11|v3665]]<br />
| Same as CHN.<br />
|- <br />
| 20000202<br />
| [[New_3DS]] AGB_FIRM ( GBA Firmware )<br />
| [[8.1.0-0_New3DS|v4816]]<br />
| N/A<br />
| N/A<br />
| N/A<br />
|}<br />
<br />
== Application Titles ==<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! Category Bit Mask<br />
! Content Category<br />
! Bit Mask(s)<br />
|-<br />
| 0x0000<br />
| [[Title list/eShop Titles|Application / eShop]]<br />
| Normal<br />
|-<br />
| 0x0001<br />
| Download Play Child<br />
| DlpChild<br />
|-<br />
| 0x0002<br />
| [[EShop Demos|Demo]]<br />
| Demo<br />
|-<br />
| 0x000E<br />
| [[Title list/Patches|Patch]]<br />
| CannotExecution<nowiki> | </nowiki>Patch<br />
|-<br />
| 0x008C<br />
| [[Title list/DLC|Downloadable Content]]<br />
| NotRequireRightForMount<nowiki> | </nowiki>CannotExecution<nowiki> | </nowiki>AddOnContents<br />
|}<br />
<br />
=== 00040001 - [[Download Play]] Titles ===<br />
==== Download Play Notes ====<br />
This titleID-high/programID-high is used for the titles sent over [[Download Play]]. Only one 00040001 Download Play title is installed to NAND /title at a time. There can be a maximum of 255 Download Play child titles per Unique ID, indexed by Title ID Variation. The legal index range: 0x0 - 0xff.<br />
<br />
== Factory Titles ==<br />
==== Factory Titles Notes ====<br />
This section is for hard-coded titleIDs referenced in codebins on retail. This can include [[Factory_Setup|factory]]/[[Nintendo_Service_Center_Tools|repair]] titles as well.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! TitleID<br />
! Description<br />
! Versions<br />
|-<br />
| 000400000F802A00<br />
| Unknown. Appears to be a [[9.8.0-25|gamecard]] title. See also [[11.3.0-36|here]].<br />
Used during [[Nintendo_Service_Center_Tools|repair]], first non-system title listed in [[PTM_Services|playlog]] from repair.<br />
| ?<br />
|-<br />
| 000400000F802100<br />
| Used during [[Nintendo_Service_Center_Tools|repair]], second non-system title listed in [[PTM_Services|playlog]] from repair.<br />
| ?<br />
|-<br />
| 000400000F802200<br />
| Used during [[Nintendo_Service_Center_Tools|repair]], third non-system title listed in [[PTM_Services|playlog]] from repair.<br />
| ?<br />
|-<br />
| 000400000FFFFD00<br />
| Used by retail NS for appID 0xF11, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 000400000FFFFC00<br />
| Used by retail NS for appID 0xF12, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 000400000FFFFB00<br />
| Used by retail NS for appID 0xF13, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 000400000FFFF900<br />
| Used by retail NS for appID 0xF14, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 000400000FFFF800<br />
| Used by retail NS for appID 0xF15, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 000400000FFFF700<br />
| Used by retail NS for appID 0xF16, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 000400000FFFF600<br />
| Used by retail NS for appID 0xF17, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 000400000FFFF500<br />
| Used by retail NS for appID 0xF18, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 0004003000008900<br />
| Used by retail NS for appID 0xF10, but this isn't available on retail CDN.<br />
| ?<br />
|-<br />
| 0004013000001902<br />
| dmnt, debugger sysmodule. This use devunit-only HIO for devunit<>pc comms. This only exists for development units(launched by NS during startup depending on certain [[Configuration_Memory]] fields' values). <br />
This is installed at the [[Factory_Setup|factory]], then later deleted at the factory on retail units.<br />
| ?<br />
|-<br />
| 0004013000003602<br />
| "debugger". This only exist for development units(launched by NS during startup depending on certain [[Configuration_Memory]] fields' values).<br />
| ?<br />
|}<br />
<br />
== TWL (DSi) Titles ==<br />
==== TWL Title Notes ====<br />
Bitmask 0x1 for TWL titles denotes a system title (determining whether the title will be updated during a System Update).<br />
<br />
It appears to be sufficient, but not necessary, to make the title invisible on the [[Home Menu]].<br />
<br />
Bitmask 0x2 for TWL titles may indicate no-execute.<br />
<br />
Bitmask 0x4 for TWL titles indicates internal storage.<br />
<br />
Bitmask 0x10 for TWL titles is found on developer tools.<br />
<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! Content Category<br />
! Bit Mask(s)<br />
! Category Bit Mask<br />
|-<br />
| Application (DSiWare)<br />
| TWL<nowiki> | </nowiki>0x4<br />
| 0x8004<br />
|-<br />
| System Application<br />
| TWL<nowiki> | </nowiki>0x1<nowiki> | </nowiki>0x4<br />
| 0x8005<br />
|-<br />
| System Archive<br />
| TWL<nowiki> | </nowiki>0x1<nowiki> | </nowiki>0x2<nowiki> | </nowiki>0x4<nowiki> | </nowiki>0x8<br />
| 0x800F<br />
|-<br />
| Developer Tool<br />
| TWL<nowiki> | </nowiki>0x1<nowiki> | </nowiki>0x4<nowiki> | </nowiki>0x10<br />
| 0x8015<br />
|}<br />
<br />
<br />
=== 00048005 - System Applications===<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! TitleID Low<br />
! Region<br />
! Description<br />
! Versions<br />
! Information<br />
|-<br />
| 42383841(B88A)<br />
| ALL<br />
| [[DS Internet]]<br />
| v0, [[2.1.0-4|v1025]], [[3.0.0-5|v2048]]<br />
| [[DS Internet]] is the DS-mode application, (also integrated in every online-enabled DS game) and now accessible through [[System Settings]] for configuring network settings for DS software. <br />
|-<br />
| 484E4441(HNDA)<br />
| ALL<br />
| [[Download Play]]<br />
| v1024<br />
| This [[Download Play]] application is the DS-mode Download Play client, launched by the 3DS-mode Download Play application.<br />
|-<br />
| 484E4443(HNDC)<br />
| CHN<br />
| [[Download Play]]<br />
| v1024<br />
| See Above Description.<br />
|-<br />
| 484E444B(HNDK)<br />
| KOR<br />
| [[Download Play]]<br />
| v1024<br />
| See Above Description.<br />
|}<br />
<br />
=== 0004800F - System Data Archives===<br />
==== System Data Archive Notes ====<br />
New system updates only block DS flash-cards when whitelist is updated, or when TWL_FIRM is updated. <br />
The whitelist contains the data used for detecting flash-cards, this is used by TWL_FIRM.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! TitleID Low<br />
! Description<br />
! Versions<br />
|-<br />
| 484E4841(HNHA)<br />
| [[Nintendo DS Cart Whitelist]] - <br />
| v0, [[2.0.0-2|v1026]], [[2.2.0-X|v2048]], [[3.0.0-5|v3072]], [[4.0.0-7|v4096]], [[4.2.0-9|v5120]], [[4.3.0-10|v6145]], [[4.4.0-10|v7168]], [[4.5.0-10|v8192]], [[5.0.0-11|v9216]], [[6.0.0-11|v10240]], [[7.0.0-13|v11264]]<br />
|-<br />
| 484E4C41(HNLA)<br />
| [[Version Data]]<br />
| v0<br />
|}<br />
<br />
=== 00048004 - DSiWare Ports ===<br />
==== DSiWare Port Notes ====<br />
Although these have a titleID high separate from DSi and a titleID is stored in the SRLs, the content of these SRLs are identical to DSi.<br />
See [[3DS DSiWare Titles]] for a complete list.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Bootloader&diff=20008Bootloader2017-05-12T21:46:01Z<p>Dark samus: /* SDMMC */</p>
<hr />
<div>The bootloader is the binary code stored in the ARM9 and ARM11 boot ROMs and hence is ran when the 3DS is powered on. It's purpose is initializing hardware and loading the [[FIRM|system firmware]] from the internal [[Flash_Filesystem|NAND memory]].<br />
<br />
Besides NATIVE_FIRM, the bootloader is also capable of booting other firmwares (such as TWL_FIRM and AGB_FIRM). However, this will result either in a japanese error-screen or a system shutdown, directly after FIRM-Launching.<br />
<br />
== Boot ROM ==<br />
Upon boot, parts of the ARM9 and ARM11 boot ROMs are protected by writing to [[CONFIG#CFG_SYSPROT9|CFG_SYSPROT9]] and [[CONFIG#CFG_SYSPROT11|CFG_SYSPROT11]], respectively. The ARM9 and ARM11 boot ROMs are identical for all Old 3DS, 2DS and New 3DS consoles.<br />
<br />
== NAND FIRM boot ==<br />
Boot9 is not hard-coded to only handle 2 FIRM partitions: it parses all 8 NCSD partitions for this. Boot9 will attempt to use every partition listed in the NCSD which is an actual FIRM partition, in the same order listed in the NCSD, until booting one of them succeeds. Among the not-yet-processed partitions, the FIRM which has the highest value at u32 firmhdr+4 will have a FIRM-boot attempted first. Since that value is normally 0x0, the order of FIRM-partition processing is normally identical to the order of the NCSD partitions.<br />
<br />
Boot9 is hard-coded for using [[AES_Registers|AES]] keyslot 0x6 for NAND crypto.<br />
<br />
== Non-NAND FIRM boot ==<br />
Boot9 can also boot from non-NAND. For this a different set of RSA pubks are used(separate pubks for retail/devunit like NAND). The spiflash FIRM image for this is also encrypted with AES-CBC using a normalkey stored in prot_boot9(separate for retail/devunit). This encryption is basically used instead of what is used for NAND-firm-partitions. This encryption is only used for the FIRM sections, the FIRM header is used raw. The AES keyslot for this is only overwritten afterwards when booting from non-NAND fails. AES keyslot 0x3F is used for this.<br />
<br />
CTR_word[0] = firmimageoffset;//FIRM section offset from FIRM header<br />
CTR_word[1] = outbufaddr;//FIRM section load addr<br />
CTR_word[2] = readsize;//FIRM section size<br />
CTR_word[3] = readsize;//FIRM section size<br />
<br />
When booting from NAND fails, boot9 will then attempt to boot from Wifi SPI-flash(this only triggers when the wifi module hw is properly accessible/connected, which is normally the case). The base offset for spiflash FIRM is 0x400. Note that this region(all data prior to offset 0x1F300) is write-protected by the spiflash(not writable from 3DS-mode / DS-mode).<br />
<br />
For non-NAND booting, NCSD / FIRM-backup is not used.<br />
<br />
== SDMMC ==<br />
<br />
Boot9 has code implemented for using SD(HC) cards, but the input deviceids used by boot9 for those functions are hard-coded for NAND. However, it is possible to use an SD(HC) card in place of the NAND if the NAND chip is first disconnected, and a SD card connected to the bus. Due to the CID being different, partitions will need to be re-encrypted and TWL mode will not work, due to the MBR being in the NCSD header. Using sighax, it may be possible to replace the NCSD header.<br />
<br />
== Boot9 RSA keyslots ==<br />
<br />
The following are initialized during main() startup, by initialize_rsakeyslots_pubk(). Each of these, for the ones which are actually set, have different keydata for retail/devunit.<br />
* 0: Not set.<br />
* 1: Used for the NAND FIRM signature.<br />
* 2: Used for the non-NAND-FIRM signature.<br />
* 3: Used for the NAND-NCSD FIRM signature.<br />
<br />
When FIRM loading is successful, initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk() is called, right before calling the final function in main(). Besides ITCM writing, this overwrites all 4 RSA keyslots with modulus + private-exponents loaded from boot9 data.<br />
<br />
initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk():<br />
This initializes the 4 0x100-byte/0x200-byte chunks at 0x07ffb800+0x500(0x07ffbd00)/0x07ffb800+0x900(0x07ffc100). End address of the first section is 0x07ffc100(start addr of the second section), end address of the second section is 0x07ffc900. Hence, the first section total size is 0x400-bytes, while the second section total size is 0x800-bytes.<br />
<br />
These are initialized using via the boot9 data image, with ptrs from DTCM. Seperate keydata is used for retail/devunit.<br />
<br />
When initializing the first ITCM area: rsa_setkeyslot_privk() is called for all 4 RSA keyslots. The modulo for each one is also copied to (index*0x100) + 0x07ffb800 + 0x500. The private exponent is not copied into ITCM.<br />
<br />
The second ITCM area is initialized by copying 4 0x200-byte entries in a loop. These are RSA pubks+privks, which Boot9 doesn't use itself at all besides this copy loop.<br />
<br />
== Boot9 image data memory layout ==<br />
0xffffb088 is the beginning of the boot9 image data section.<br />
<br />
* 0xffffb088 size 0x38-bytes: This is the array used during FIRM-section-loading for the memory-range blacklist for FIRM sections.<br />
* 0xffffb0c0(end-addr of the above area) size 0x20-bytes: Unknown.<br />
* 0xffffb0e0(end-addr of the above area) size 0x2f80-bytes: This is *all* of the keys stored in the image.<br />
* 0xffffe060(end addr of the above key-area) size 0x230-bytes: This is the initial DTCM image @ 0xFFF00000, see below.<br />
* 0xffffe290(DTCM_image_end) - {boot9 image end}: All-zero.<br />
<br />
Layout of the 0x2f80-byte key-area at 0xffffb0e0:<br />
* 0xffffb0e0 size 0x2600-bytes: This is the RSA key-data, see below.<br />
* 0xffffd6e0(end-addr of the above area) size 0x40-bytes: This is the keydata used for crypting the entire OTP with keyslot 0x3f, used by main(). The first 0x20-bytes is for retail, the remaining 0x20-bytes starting at 0xffffd700 is for devunit. Chunk+0(retail=0xffffd6e0 devunit=0xffffd700) is the normalkey, chunk+0x10(retail=0xffffd6f0 devunit=0xffffd710) is the AES-IV.<br />
* ...<br />
* 0xffffd760: size 0x100-bytes: First 0x80-bytes is for retail, the remaining 0x80-bytes at 0xffffd7e0 is for devunit. This 0x80-byte block is copied to 0x07ffcd00 by a Boot9 function, however that code actually does the copy in two 0x40-bytes chunks.<br />
* 0xffffd860(end-addr of the above area) size 0x400-bytes: This is the bootrom_dataptr passed to the aes-keyinit function for retail. See the below Tools section for how this is processed.<br />
* 0xffffdc60(end-addr of the above area) size 0x400-bytes: This is the devunit version of the above the 0x400-byte chunk. This is very last chunk of data in the boot9 data-section key-area: end addr for this area is 0xffffe060.<br />
<br />
Layout of the 0x2600-byte RSA key-data at 0xffffb0e0: <br />
First 0x1300-bytes is for retail, the remaining 0x1300-bytes starting at 0xffffc3e0 is for devunit.<br />
* +0x0 retail=0xffffb0e0 devunit=0xffffc3e0: RSA modulo for keyslot3, initialized by initialize_rsakeyslots_pubk().<br />
* +0x100 retail=0xffffb1e0 devunit=0xffffc4e0: RSA modulo for keyslot1, initialized by initialize_rsakeyslots_pubk().<br />
* +0x200 retail=0xffffb2e0 devunit=0xffffc5e0: RSA modulo for keyslot2, initialized by initialize_rsakeyslots_pubk().<br />
* +0x300 size 0x200, retail=0xffffb3e0 devunit=0xffffc6e0: First 0x100-bytes is the RSA modulo, then the following 0x100-bytes is the RSA privk(private-exponent). This is for RSA-engine keyslot0 with initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk(), which also copies this modulo to the array starting at 0x07ffbd00.<br />
* +0x500 size 0x200, retail=0xffffb5e0 devunit=0xffffc8e0: Used the same as the above block except for slot1.<br />
* +0x700 size 0x200, retail=0xffffb7e0 devunit=0xffffcae0: Used the same as the above block except for slot2.<br />
* +0x900 size 0x200, retail=0xffffb9e0 devunit=0xffffcce0: Used the same as the above block except for slot3.<br />
* +0xb00 size 0x200, retail=0xffffbbe0 devunit=0xffffcee0: First 0x100-bytes is the RSA modulo, then the following 0x100-bytes is the RSA privk(private-exponent). The 0x200-bytes here is copied to slot0 in the array at 0x07ffc100 by initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk().<br />
* +0xd00 size 0x200, retail=0xffffbde0 devunit=0xffffd0e0: Used the same as the above block except for slot1.<br />
* +0xf00 size 0x200, retail=0xffffbfe0 devunit=0xffffd2e0: Used the same as the above block except for slot2.<br />
* +0x1100 size 0x200, retail=0xffffc1e0 devunit=0xffffd4e0: Used the same as the above block except for slot3.<br />
<br />
== Boot9 DTCM layout ==<br />
Most of this is just ptrs / other unknown data, not actual keys. However, there is an unknown 0x10-byte block @ +0x124(there's a ptr initialized for this block elsewhere).<br />
<br />
== Boot11 image data memory layout ==<br />
0x0001817c..0x000181f4 size 0x78-bytes: This seems to be the bootrom error screen font gfx data. This begins at the exact end-address of the crt0 code, the rest of the protected boot11 code begins at this end-address(0x000181f4). <br />
<br />
0x00019400 is the beginning of the boot11 data area, the first 8-bytes here are unknown.<br />
* 0x00019408..0x0001b498 size 0x2090-bytes: This is the blowfish keydata which gets copied to arm9itcm_twlkeydata+0x3e0 later.<br />
* ...<br />
* 0x0001c498..0x0001c4f8 size 0x60-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x380.<br />
* 0x0001c4f8..0x0001c538 size 0x40-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x340.<br />
* 0x0001c538..0x0001c578 size 0x40-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x300.<br />
* 0x0001c578..0x0001c5f8 size 0x80-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x280.<br />
* 0x0001c5f8..0x0001c678 size 0x80-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x0.<br />
* 0x0001c678..0x0001c878 size 0x200-bytes: This is the data which eventually gets copied to arm9itcm_twlkeydata+0x80.<br />
* 0x0001c878..0x0001d078 size 0x800-bytes: These are the 3DS RSA-2048 modulus which are eventually copied to arm9_itcm+0x4900: on retail the first 4 are copied there by boot9, on devunit the last 4 are copied to itcm.<br />
* 0x0001d078 size 0x120-bytes is the initial data for the .data section @ 0x1ffe8000, this is the very end of the protected arm11-bootrom.<br />
<br />
== AES keys ==<br />
See the Tools section for how Boot9 initializes the keyslots.<br />
<br />
See also [[AES_Registers|here]].<br />
<br />
For an issue with console-unique key-init, see [[OTP_Registers|here]].<br />
<br />
== BootROM Errors ==<br />
Sample error-screen(where firm0+firm1 RSA signatures were corrupted):<br />
<br />
BOOTROM 8046<br />
ERRCODE: 00F800FF<br />
DEDEFFFF FFFFFFFF<br />
00000000 00000000<br />
<br />
* 1st line is: <code>print_string(..., "BOOTROM %X", 0x8046);//This last param comes from the .pool.</code><br />
* 2nd line is: <code>print_string(..., "ERRCODE: %08X", *((unsigned int*)(0x1FFFE000+0xC)));//See below memory notes.</code><br />
* 3rd line is: <code>print_string(..., "%08X %08X", *((unsigned int*)(0x1FFFE000+0x10))`, `*((unsigned int*)(0x1fffe000+0x14)));//See below memory notes.</code><br />
* 4th line is: <code>print_string(..., "%08X %08X",*((unsigned int*)(0x1FFFE000+0x18))`, `*((unsigned int*)(0x1fffe000+0x1C)));//See below memory notes.</code><br />
<br />
== 0x1FFFE000 memory ==<br />
This memory is used by boot9 mainly for sending info to the arm11 for the error-screen. The data in this region is still stored in memory by the time the ARM9+ARM11 jumps to FIRM.<br />
<br />
Among boot9/boot11, the 3 words at 0x1FFFE000 seem to be ''only'' accessed by the boot11 function initializing those words.<br />
<br />
* u32 0x1FFFE000+0: ARM11 MPCore "Cycle Counter Register (CCNT)".<br />
* u32 0x1FFFE000+4: ARM11 MPCore "Count Register 0 (PMN0)".<br />
* u32 0x1FFFE000+8: ARM11 MPCore "Count Register 1 (PMN0)".<br />
* 8bit-entry-array 0x1FFFE000+0xC: 8bit status-codes initialized by boot9 main(), for the FIRM-boot devices. +0 is NAND and +2 is wifi-spiflash.<br />
* ...<br />
* 8bit-entry-array 0x1FFFE000+0x10: Status-codes originally from nand_findfirmpartition_loadfirm(), for each of the 8 NCSD partitions.<br />
<br />
== BootROM Status Codes ==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Value<br />
! Description<br />
|-<br />
| 0x00<br />
| Success<br />
|-<br />
| 0xEE(~17)<br />
| NCSD header validation function failed: NCSD magicnum is invalid or RSA verification failed.<br />
|-<br />
| 0xDE(~33)<br />
| FIRM header validation function failed: FIRM magicnum is invalid or RSA verification failed.<br />
|-<br />
| 0xDF(~32)<br />
| Failed to read sector data from the device.<br />
|-<br />
| 0xF7(~8)<br />
| A NAND FIRM from another partition was already found with a priority(firmhdr+4) >= to the value for the current partition's FIRM priority.<br />
|-<br />
| 0xF8(~7)<br />
| The FIRM magicnum(firmhdr+0) is invalid.<br />
|-<br />
| 0xFF(~0)<br />
| Initial value for each entry in the 8-entry array of status-codes for the NAND NCSD partitions. Indicates that the partition is not a FIRM partition(partition fs type isn't 0x3 or partition fs crypt-type isn't 0x2).<br />
|}<br />
<br />
== Boot9 startup ==<br />
<br />
0xffff0000 jumps to 0xffff8000. 0xffff8000 is crt0:<br />
* Very first thing this does is clear u8 register 0x10000002 ([[CONFIG_Registers#CFG_RST11|CFG_RST11]]) bit 0 to zero.<br />
* Then sp is initialized for each cpumode, IRQs/FIQs are disabled during the first mode-switch.<br />
* Order of mode-switches + sp initialization: svc-mode = 0xfff04000, irq-mode = 0xfff03f00, system-mode = 0xfff03b00. Hence, the rest of the code following this runs in system-mode.<br />
* Then L_ffff80cc/mpu_init() is called.<br />
* Then L_ffff0038() is called, which initializes the exception-handler addresses @ 0x08000000.<br />
* Then L_ffff81b8() is called(r4 + lr are saved on the DTCM stack), which after calling a memclear function which doesn't do anything, it then clears 0x08000030 size 0x10. Here the DTCM at 0xfff00000 size 0x4000 is cleared.<br />
* Then L_ffff81b4() is called, which branches to DTCM_init(). This copies the initial DTCM data from the Boot9 data image into boot9, then it clears 0xFFF00230 - 0xFFF01AC0.<br />
* Then LT_ffff8228/main is jumped to, with LR set to the address of an infinite-branch-loop instruction.<br />
<br />
mpu_init():<br />
* Bitmask 0x000f9005 is cleared in the cp15 control register. MCR instructions which do then following are then executed: flush entire instruction cache, flush entire data cache, and drain write buffer.<br />
* Then the 8 [[Memory_layout|MPU]] memregions are initialized.<br />
* ITCM memregion reg = 0x24: baseaddr=0x0, size = 128MB(0x08000000).<br />
* DTCM memregion reg = 0xfff0000a: baseaddr=0xfff00000, size=16KB(0x00004000).<br />
* Then instruction cachable and data cachable/bufferable bits for the MPU regions are setup.<br />
* Then the instruction/data access permissions for the MPU regions are setup.<br />
* Lastly bitmask 0x0005707d is orred in the cp15 control register.<br />
<br />
== Boot9 main() ==<br />
<br />
The following functions are called: LT_ffff2024(), LT_ffff1ff8(), pxi_init(), rsa_init(), initialize_rsakeyslots_pubk(), crypto_initialize(), and aesengine_reset().<br />
Then AES keyslot 0x3F is setup: aesengine_setnormalkey(0x3f, 5, ptr) is called. ptr on retail(CFG_UNITINFO check) is 0xffffd6e0, 0xffffd700 for devunit. Then essentially, aesengine_setctr(5, ptr+0x10) is executed.<br />
Then AES keyslot 0x3f is selected.<br />
When calling the following functions, if any of them return zero, it will immediately jump to setting ptr to 0x10012000(otp), otherwise when all of them return non-zero ptr = sp+0x94. otp_decrypt(sp+4), otp_verify(sp+4), initialize_consoleunique_itcm(sp+4, 0x07ffb800).<br />
Then the following is executed: initialize_aeskeys_wrap(ptr, 0x70);<br />
Then sp+4 size 0x100 is cleared to zero.<br />
<br />
...<br />
<br />
NAND firm-boot code-block, is described below. Note that boot9 is basically hard-coded to use deviceid NAND, not SD.<br />
{<br />
timer_updatestoredstate() is called, then the AES keyslot for NAND-FIRM is selected(0x6).<br />
Then LT_ffff56c8() is called, if that returns non-zero the statuscode variable is set to ~2 then it jumps to NAND_BOOTEND.<br />
Then LT_ffff5774(0x201) is called, if that returns non-zero the statuscode variable is set to ~1 then it jumps to NAND_BOOTEND.<br />
Then fsdriver_setup_mmc() is called. Then nand_findfirmpartition_loadfirm(0) is called, with the statuscode variable set to the retval.<br />
Executes a loop which runs 8 times: write the output from get_errorcode_arrayentry_xfff005e8(loopindex) to u8 0x1fffe000+0x10+loopindex(copy the array of 32bit error-codes for all 8 NCSD partitions initialized by nand_findfirmpartition_loadfirm() to the array of 8bit entries at 0x1fffe000+0x10).<br />
<br />
NAND_BOOTEND:<br />
Then the statuscode variable is written to u8 0x1fffe000+0xc.<br />
Then LT_ffff5690(0x201, 0x1fffe018, 0x1fffe01c) is called.<br />
Then LT_ffff5644() is called.<br />
Then timer_updatestoredstate() is called.<br />
When statuscode==0 for success, it jumps to FIRMLOAD_END. Otherwise, it continues to the next code-block.<br />
}<br />
<br />
Wifi spi-flash firm-boot code-block, executed when no FIRM was loaded successfully so far.<br />
{<br />
timer_updatestoredstate() is called.<br />
<br />
Then spi_wififlash_cmdgetstatusreg(sp+0x100) is executed. When bit0 of the output u8 at sp+0x100 is clear, it will continue this code-block, otherwise it will set the statuscode variable to ~1 then jump to SPIFLASH_BOOTEND.<br />
Then fsdriver_setup_wififlash() is called.<br />
Here read_firmhdr_validate_loadfirm(0, 2) is called, with the statuscode variable set to the retval.<br />
<br />
SPIFLASH_BOOTEND:<br />
Then the statuscode variable is written to u8 0x1fffe000+0xe.<br />
Then timer_updatestoredstate() is called.<br />
When statuscode==0 for success, it jumps to FIRMLOAD_END. Otherwise, it executes writenormalkey_keyslot3f(), then jumps to FIRMLOAD_FAILURE.<br />
}<br />
<br />
FIRMLOAD_END:<br />
Here it calls firmhdr_getarm11_entrypoint() and firmhdr_getarm9_entrypoint(). Immediately after calling each function it checks if the retval is 0, if so it then jumps to FIRMLOAD_FAILURE.<br />
After calling initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk(), it jumps to FIRMLOAD_EXIT.<br />
<br />
FIRMLOAD_FAILURE:<br />
Here it clears 0x07ffb800 size 0x3c70 to zero, endaddr = 0x07fff470.<br />
Then it continues to FIRMLOAD_EXIT.<br />
<br />
FIRMLOAD_EXIT:<br />
Here firmboot() is called, which should never return. The instruction after this bl is a call for panic().<br />
<br />
== Boot11 ==<br />
<br />
* ...<br />
<br />
main():<br />
LT_1263c();<br />
...<br />
LT_13944()<br />
...<br />
pxi_init();<br />
initializefuncptr_firmboot_start(firmbootbegin_funcptr);<br />
firmboot();<br />
return;<br />
<br />
LT_12220/initializefuncptr_firmboot_start<br />
inr0=funcptr<br />
This writes inr0 to address 0x1ffe8028, then returns.<br />
This initializes the funcptr which firmboot() can call after the very first func-call.<br />
<br />
LT_13944<br />
if([[I2C_Registers|i2cmcu_readregf]](sp+0)==0)<br />
{<br />
return (*((u8*)0x10147000) >> 4) & 1;//Reads [[GPIO_Registers|GPIO]] when reading I2C fails.<br />
}<br />
Here it basically does "return <byte loaded from sp+0> ^ 0x2". Hence in this case, it will return 0x2 when the system shell is closed(sleep-mode), otherwise 0x0 is returned.<br />
<br />
LT_12454/firmboot<br />
This is the arm11 version of the boot9 firmboot() function, like boot9 this is the final function called from main(). The functionality for these two functions are identical, minus addresses.<br />
ptr = firmboot_loadentrypoint11();<br />
funcptr = *(0x1ffe8028);<br />
if(funcptr)funcptr(ptr);<br />
LT_11ffc(ptr);<br />
return;<br />
<br />
== Boot Procedure ==<br />
<br />
* 0 seconds - unit is powered on. The ARM9 and ARM11 [[Memory_layout|bootroms]] begin execution.<br />
* <= ~1 second - BootROMs fully run, load FIRM, etc. The loaded FIRM begins running.<br />
**The ARM11 sysmodules included with FIRM are launched by ARM11-kernel, etc.<br />
**The [[Process_Manager_Services|PM]] module launches [[NS]].<br />
**If [[Home_Menu#Auto-Boot_Function|auto-booting]] is needed, NS will [[NS#Auto-boot|auto-boot]] titles.<br />
**Otherwise, NS will instead launch [[ErrDisp]] and the [[Configuration Memory#ACTIVEMENUTID|current active menu]] via the PM module. For retail units, this menu is usually the [[Home Menu]]. Note that the PM module first launches the module dependencies when launching a process, prior to actually launching the process.<br />
**The further Home Menu startup process is described [[Home_Menu#Home_Menu_startup|here]]. This includes Home Menu manually launching various sysmodules.<br />
<br />
* 4 seconds - the LCD screens are initialized.<br />
<br />
* 7 seconds - [[Home Menu]] is fully initialized/loaded.<br />
<br />
== NAND Reads during Boot ==<br />
During a successful boot on 6.x, the bootloader (and firm) reads the following sectors from NAND (in this order):<br />
00000000 (NCSD Partition Table)<br />
<br />
Only verify 'FIRM' magic? (A second Header-read will be attempted even if everything except the magic is 0xFF...)<br />
0B130000 (FIRM Partition)<br />
0B530000 (Secondary FIRM Partition)<br />
<br />
Verify RSA signature and parse Header:<br />
0B130000 (FIRM: Header)<br />
0B130200 (FIRM: Section 1)<br />
0B163E00 (FIRM: Section 2)<br />
0B193E00 (FIRM: Section 3)<br />
<br />
00013000 .. Below is probably NATIVE_FIRM booting ..<br />
00014000<br />
00015000<br />
00016000<br />
00017000<br />
<br />
09011A00<br />
09011C00<br />
09012000<br />
09012400<br />
...<br />
<br />
== Error Codes ==<br />
When the 3DS does not find the NAND chip, the following error is displayed:<br />
<br />
[[Image:CTR_Bootrom_Error.jpg|240px]]<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Error<br />
! Description<br />
|-<br />
| <tt>00F800FE 00000000 00000000 00000200 00000000</tt><br />
| Error when having SD-card reader connected to NAND during boot.<br />
|-<br />
| <tt>00F800FE 00000000 00000000 00000400 00000000</tt><br />
| NAND not found error (?)<br />
|-<br />
| <tt>00F800FE FFFFFFFF FFFFFFFF 00000080 00800000</tt><br />
| NAND error when DAT1 was used as DAT0.<br />
|-<br />
| <tt>00F800FE FFFFFFFF FFFFFFFF 00000005 00800000</tt><br />
| NAND error when DAT2 was used as DAT0.<br />
|-<br />
| <tt>00F800FE FFFFFFFF FFFFFFFF 00000005 00000000</tt><br />
| NAND error when DAT3 was used as DAT0.<br />
|-<br />
| <tt>00F800FF F8F8FFFF FFFFFFFF 00000000 00000000</tt><br />
| Both the firm0 and firm1 partitions are corrupt (failed signature checks).<br />
|-<br />
| <tt>00F800EE FFFFFFFF FFFFFFFF 00000000 00000000</tt><br />
| [[NCSD]] header in sector 0 is corrupt (failed signature check).<br />
|}<br />
<br />
== Tools ==<br />
* [https://github.com/yellows8/boot9_tools boot9_tools]</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19368Pinouts2017-01-22T19:35:33Z<p>Dark samus: Yes, I know which is which</p>
<hr />
<div>== CTR CPU B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;"<br />
| style="background: #bbbbbb" | G || style="background: #cc9900" | ? || style="background: #336600" | CS1 || style="background: #336600" | ? || style="background: #336600" | ? || style="background: #a060a0" | D5 || style="background: #a060a0" | D2 || || style="background: #a060a0" | RST || style="background: #a060a0" | CLK || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #ff0000" | X || style="background: #ff0000" | X || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || || || || || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || || style="background: #666633" | IRIRQ || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #bbbbbb" | G<br />
|-<br />
| style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #336600" | CSx || style="background: #336600" | CSy || style="background: #336600" | ? || style="background: #a060a0" | D6 || style="background: #a060a0" | D3 || style="background: #a060a0" | D0 || style="background: #a060a0" | IRQ || style="background: #a060a0" | CS1 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || || style="background: #bbbbbb" | G || || || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || || || || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc9900" | ? || ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CLK || style="background: #ffff00" | D0 ||style="background: #ffffff" | || + || || style="background: #a060a0" | D7 || style="background: #a060a0" | D4 || style="background: #a060a0" | D1 || style="background: #a060a0" | DET || style="background: #a060a0" | CS2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #666633" | IRTX || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | D1 || style="background: #ffff00" | D2 ||style="background: #ffffff" | || style="background: #ffff00" | D3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CMD || style="background: #ffff00" | IRQ ||style="background: #ffffff" | || style="background: #ffff00" | WP || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | CLK || style="background: #00aaee" | D0 ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | D1 || style="background: #00aaee" | D2 ||style="background: #ffffff" | || style="background: #00aaee" | D3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #00aaee" | CMD ||style="background: #ffffff" | || || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #20b2aa" | ? || style="background: #20b2aa" | ? ||style="background: #ffffff" | || style="background: #20b2aa" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #20b2aa" | ? ||style="background: #ffffff" | || style="background: #20b2aa" | ? || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SCL || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SDA || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || || || style="background: #73e600" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || || || || style="background: #ff69b4" | B || style="background: #ff69b4" | PADR || style="background: #ff69b4" | PADD || style="background: #bbbbbb" | G || style="background: #4d4d33" | ? || style="background: #4d4d33" | ? || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #b19cd9" | ? || || || || || || || || style="background: #73e600" | ? || style="background: #8efab4" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || || || || || style="background: #ff69b4" | A || style="background: #ff69b4" | STRT || style="background: #ff69b4" | PADU || style="background: #ff69b4" | L || style="background: #ff69b4" | Y || style="background: #4d4d33" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || || || || || || || style="background: #b19cd9" | ? || style="background: #8efab4" | ? || style="background: #cc9900" | ? || || || || || || || style="background: #ff69b4" | SLCT || style="background: #ff69b4" | PADL || style="background: #ff69b4" | R || style="background: #ff69b4" | X || style="background: #4d4d33" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #bbbbbb" | G<br />
|}<br />
<br />
legend:<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;table-layout:fixed;"<br />
| style="background: #ff0000" | Main<br />
|-<br />
| style="background: #a060a0" | Gamecard<br />
|-<br />
| style="background: #ffff00" | SDCARD SDIO<br />
|-<br />
| style="background: #00aaee" | NAND SDIO<br />
|-<br />
| style="background: #20b2aa" | WIFI SDIO<br />
|-<br />
| style="background: #336600" | SPI<br />
|-<br />
| style="background: #73e600" | I2C-1<br />
|-<br />
| style="background: #8efab4" | I2C-2<br />
|-<br />
| style="background: #33ffff" | I2C-3<br />
|-<br />
| style="background: #ff69b4" | Pad<br />
|-<br />
| style="background: #ff2a7f" | FCRAM<br />
|-<br />
| style="background: #b19cd9" | Camera<br />
|-<br />
| style="background: #a52a2a" | WIFI<br />
|-<br />
| style="background: #666633" | GPIO<br />
|-<br />
| style="background: #ff8000" | LCD0 (small)<br />
|-<br />
| style="background: #cc6600" | LCD1 (big)<br />
|-<br />
| style="background: #cc9900" | CODEC (unknown)<br />
|-<br />
| style="background: #4d4d33" | MCU (unknown)<br />
|-<br />
| style="background: #d9ffb3" | POWER<br />
|-<br />
| style="background: #bbbbbb" | Ground<br />
|}<br />
<br />
Orientation: Triangle bottom right on the PCB.<br />
<br />
== UC CTR ==<br />
<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;width:26%;"<br />
| style="background: #4d4d33" | ? || style="background: #d9ffb3" | +? || style="background: #d9ffb3" | +? || CHRGLED || style="background: #bbbbbb" | G || || || style="background: #bbbbbb" | G<br />
|-<br />
| || style="background: #4d4d33" | ? || || || style="background: #bbbbbb" | G || BATTTEMP || HOMEBTN ||<br />
|-<br />
| || style="background: #4d4d33" | ? || || || || || || style="background: #8efab4" | SDA<br />
|-<br />
| || || || || || || || style="background: #8efab4" | SCL <br />
|-<br />
| || || || PWRLED1 || || || PWRLED0 ||<br />
|-<br />
| || style="background: #bbbbbb" | G || style="background: #d9ffb3" | + || || || || ||<br />
|-<br />
| style="background: #bbbbbb" | G || || || || || || ||<br />
|-<br />
| || style="background: #73e600" | ? || style="background: #73e600" | ? || style="background: #4d4d33" | ? || || || || style="background: #d9ffb3" | +<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19358Pinouts2017-01-22T14:57:39Z<p>Dark samus: /* UC CTR */</p>
<hr />
<div>== CTR CPU B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;"<br />
| style="background: #bbbbbb" | G || style="background: #cc9900" | ? || style="background: #336600" | CS1 || style="background: #336600" | ? || style="background: #336600" | ? || style="background: #a060a0" | D5 || style="background: #a060a0" | D2 || || style="background: #a060a0" | RST || style="background: #a060a0" | CLK || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #ff0000" | X || style="background: #ff0000" | X || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || || || || || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || || style="background: #666633" | IRIRQ || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #bbbbbb" | G<br />
|-<br />
| style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #336600" | CSx || style="background: #336600" | CSy || style="background: #336600" | ? || style="background: #a060a0" | D6 || style="background: #a060a0" | D3 || style="background: #a060a0" | D0 || style="background: #a060a0" | IRQ || style="background: #a060a0" | CS1 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || || style="background: #bbbbbb" | G || || || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || || || || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc9900" | ? || ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CLK || style="background: #ffff00" | D0 ||style="background: #ffffff" | || + || || style="background: #a060a0" | D7 || style="background: #a060a0" | D4 || style="background: #a060a0" | D1 || style="background: #a060a0" | DET || style="background: #a060a0" | CS2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #666633" | IRRX || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | D1 || style="background: #ffff00" | D2 ||style="background: #ffffff" | || style="background: #ffff00" | D3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CMD || style="background: #ffff00" | IRQ ||style="background: #ffffff" | || style="background: #ffff00" | WP || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | CLK || style="background: #00aaee" | D0 ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | D1 || style="background: #00aaee" | D2 ||style="background: #ffffff" | || style="background: #00aaee" | D3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #00aaee" | CMD ||style="background: #ffffff" | || || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #20b2aa" | ? || style="background: #20b2aa" | ? ||style="background: #ffffff" | || style="background: #20b2aa" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #20b2aa" | ? ||style="background: #ffffff" | || style="background: #20b2aa" | ? || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SCL || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SDA || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || || || style="background: #73e600" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || || || || style="background: #ff69b4" | B || style="background: #ff69b4" | PADR || style="background: #ff69b4" | PADD || style="background: #bbbbbb" | G || style="background: #4d4d33" | ? || style="background: #4d4d33" | ? || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #b19cd9" | ? || || || || || || || || style="background: #73e600" | ? || style="background: #8efab4" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || || || || || style="background: #ff69b4" | A || style="background: #ff69b4" | STRT || style="background: #ff69b4" | PADU || style="background: #ff69b4" | L || style="background: #ff69b4" | Y || style="background: #4d4d33" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || || || || || || || style="background: #b19cd9" | ? || style="background: #8efab4" | ? || style="background: #cc9900" | ? || || || || || || || style="background: #ff69b4" | SLCT || style="background: #ff69b4" | PADL || style="background: #ff69b4" | R || style="background: #ff69b4" | X || style="background: #4d4d33" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #bbbbbb" | G<br />
|}<br />
<br />
legend:<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;table-layout:fixed;"<br />
| style="background: #ff0000" | Main<br />
|-<br />
| style="background: #a060a0" | Gamecard<br />
|-<br />
| style="background: #ffff00" | SDCARD SDIO<br />
|-<br />
| style="background: #00aaee" | NAND SDIO<br />
|-<br />
| style="background: #20b2aa" | WIFI SDIO<br />
|-<br />
| style="background: #336600" | SPI<br />
|-<br />
| style="background: #73e600" | I2C-1<br />
|-<br />
| style="background: #8efab4" | I2C-2<br />
|-<br />
| style="background: #33ffff" | I2C-3<br />
|-<br />
| style="background: #ff69b4" | Pad<br />
|-<br />
| style="background: #ff2a7f" | FCRAM<br />
|-<br />
| style="background: #b19cd9" | Camera<br />
|-<br />
| style="background: #a52a2a" | WIFI<br />
|-<br />
| style="background: #666633" | GPIO<br />
|-<br />
| style="background: #ff8000" | LCD0 (small)<br />
|-<br />
| style="background: #cc6600" | LCD1 (big)<br />
|-<br />
| style="background: #cc9900" | CODEC (unknown)<br />
|-<br />
| style="background: #4d4d33" | MCU (unknown)<br />
|-<br />
| style="background: #d9ffb3" | POWER<br />
|-<br />
| style="background: #bbbbbb" | Ground<br />
|}<br />
<br />
Orientation: Triangle bottom right on the PCB.<br />
<br />
== UC CTR ==<br />
<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;width:26%;"<br />
| style="background: #4d4d33" | ? || || || CHRGLED || style="background: #bbbbbb" | G || || || style="background: #bbbbbb" | G<br />
|-<br />
| || style="background: #4d4d33" | ? || || || style="background: #bbbbbb" | G || || HOMEBTN ||<br />
|-<br />
| || style="background: #4d4d33" | ? || || || || || || style="background: #8efab4" | SDA<br />
|-<br />
| || || || || || || || style="background: #8efab4" | SCL <br />
|-<br />
| || || || PWRLED1 || || || PWRLED0 ||<br />
|-<br />
| || style="background: #bbbbbb" | G || || || || || ||<br />
|-<br />
| style="background: #bbbbbb" | G || || || || || || ||<br />
|-<br />
| || style="background: #73e600" | ? || style="background: #73e600" | ? || style="background: #4d4d33" | ? || || || ||<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19352Pinouts2017-01-22T03:17:40Z<p>Dark samus: </p>
<hr />
<div>== CTR CPU B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;"<br />
| style="background: #bbbbbb" | G || style="background: #cc9900" | ? || style="background: #336600" | CS1 || style="background: #336600" | ? || style="background: #336600" | ? || style="background: #a060a0" | D5 || style="background: #a060a0" | D2 || || style="background: #a060a0" | RST || style="background: #a060a0" | CLK || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #ff0000" | X || style="background: #ff0000" | X || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || || || || || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || || style="background: #666633" | IRIRQ || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #bbbbbb" | G<br />
|-<br />
| style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #336600" | CSx || style="background: #336600" | CSy || style="background: #336600" | ? || style="background: #a060a0" | D6 || style="background: #a060a0" | D3 || style="background: #a060a0" | D0 || style="background: #a060a0" | IRQ || style="background: #a060a0" | CS1 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || || style="background: #bbbbbb" | G || || || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || || || || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc9900" | ? || ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CLK || style="background: #ffff00" | D0 ||style="background: #ffffff" | || + || || style="background: #a060a0" | D7 || style="background: #a060a0" | D4 || style="background: #a060a0" | D1 || style="background: #a060a0" | DET || style="background: #a060a0" | CS2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || style="background: #d9ffb3" | 3v3 || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #a52a2a" | ? || style="background: #666633" | IRRX || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | D1 || style="background: #ffff00" | D2 ||style="background: #ffffff" | || style="background: #ffff00" | D3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CMD || style="background: #ffff00" | IRQ ||style="background: #ffffff" | || style="background: #ffff00" | WP || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | CLK || style="background: #00aaee" | D0 ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | D1 || style="background: #00aaee" | D2 ||style="background: #ffffff" | || style="background: #00aaee" | D3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #00aaee" | CMD ||style="background: #ffffff" | || || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #20b2aa" | ? || style="background: #20b2aa" | ? ||style="background: #ffffff" | || style="background: #20b2aa" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #20b2aa" | ? ||style="background: #ffffff" | || style="background: #20b2aa" | ? || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || ||style="background: #ffffff" | || || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SCL || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 3v3 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SDA || ||style="background: #ffffff" | || || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 3v3 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v8 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v2 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #d9ffb3" | 1v2 ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #d9ffb3" | 1v8 || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #d9ffb3" | 1v8 || style="background: #d9ffb3" | 1v2 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | || style="background: #cc6600" | ? || || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || || || style="background: #73e600" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || || || || style="background: #ff69b4" | B || style="background: #ff69b4" | PADR || style="background: #ff69b4" | PADD || style="background: #bbbbbb" | G || style="background: #4d4d33" | ? || style="background: #4d4d33" | ? || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | ||style="background: #ffffff" | || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #b19cd9" | ? || || || || || || || || style="background: #73e600" | ? || style="background: #8efab4" | ? || style="background: #cc9900" | ? || style="background: #cc9900" | ? || || || || || style="background: #ff69b4" | A || style="background: #ff69b4" | STRT || style="background: #ff69b4" | PADU || style="background: #ff69b4" | L || style="background: #ff69b4" | Y || style="background: #4d4d33" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #b19cd9" | ? || style="background: #b19cd9" | ? || || || || || || || || style="background: #b19cd9" | ? || style="background: #8efab4" | ? || style="background: #cc9900" | ? || || || || || || || style="background: #ff69b4" | SLCT || style="background: #ff69b4" | PADL || style="background: #ff69b4" | R || style="background: #ff69b4" | X || style="background: #4d4d33" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #bbbbbb" | G<br />
|}<br />
<br />
legend:<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;table-layout:fixed;"<br />
| style="background: #ff0000" | Main<br />
|-<br />
| style="background: #a060a0" | Gamecard<br />
|-<br />
| style="background: #ffff00" | SDCARD SDIO<br />
|-<br />
| style="background: #00aaee" | NAND SDIO<br />
|-<br />
| style="background: #20b2aa" | WIFI SDIO<br />
|-<br />
| style="background: #336600" | SPI<br />
|-<br />
| style="background: #73e600" | I2C-1<br />
|-<br />
| style="background: #8efab4" | I2C-2<br />
|-<br />
| style="background: #33ffff" | I2C-3<br />
|-<br />
| style="background: #ff69b4" | Pad<br />
|-<br />
| style="background: #ff2a7f" | FCRAM<br />
|-<br />
| style="background: #b19cd9" | Camera<br />
|-<br />
| style="background: #a52a2a" | WIFI<br />
|-<br />
| style="background: #666633" | GPIO<br />
|-<br />
| style="background: #ff8000" | LCD0 (small)<br />
|-<br />
| style="background: #cc6600" | LCD1 (big)<br />
|-<br />
| style="background: #cc9900" | CODEC (unknown)<br />
|-<br />
| style="background: #4d4d33" | MCU (unknown)<br />
|-<br />
| style="background: #d9ffb3" | POWER<br />
|-<br />
| style="background: #bbbbbb" | Ground<br />
|}<br />
<br />
Orientation: Triangle bottom right on the PCB.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19310Pinouts2017-01-19T15:20:43Z<p>Dark samus: add FCRAM pins</p>
<hr />
<div>== CTR CPU B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;"<br />
| style="background: #bbbbbb" | G || || || || || style="background: #a060a0" | D5 || style="background: #a060a0" | D2 || || style="background: #a060a0" | RST || style="background: #a060a0" | CLK || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #ff0000" | X || style="background: #ff0000" | X || style="background: #00ff00" | 3v3 || style="background: #00ff00" | 3v3 || || style="background: #00ff00" | 3v3 || || || || || || || || || || || || style="background: #bbbbbb" | G<br />
|-<br />
| || || || || || style="background: #a060a0" | D6 || style="background: #a060a0" | D3 || style="background: #a060a0" | D0 || style="background: #a060a0" | IRQ || style="background: #a060a0" | CS1 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || || style="background: #00ff00" | 3v3 || || style="background: #bbbbbb" | G || || || || || || || || || || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CLK || style="background: #ffff00" | D0 || . || + || || style="background: #a060a0" | D7 || style="background: #a060a0" | D4 || style="background: #a060a0" | D1 || || style="background: #a060a0" | CS2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #00ff00" | 3v3 || style="background: #00ff00" | 3v3 || || || || || || || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | D1 || style="background: #ffff00" | D2 || . || style="background: #ffff00" | D3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ffff00" | CMD || style="background: #ffff00" | IRQ || . || style="background: #ffff00" | WP || style="background: #00ff00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #007f00" | 1v2 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | CLK || style="background: #00aaee" | D0 || . || || style="background: #007f00" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #00aaee" | D1 || style="background: #00aaee" | D2 || . || style="background: #00aaee" | D3 || style="background: #bbbbbb" | G || . || . || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #00aaee" | CMD || . || || style="background: #00ff00" | 3v3 || . || . || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || style="background: #007f00" | 1v2 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || || . || || style="background: #007f00" | 1v2 || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || style="background: #00cf00" | 1v8 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || || . || || style="background: #00ff00" | 3v3 || . || . || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || style="background: #007f00" | 1v2 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || || . || || style="background: #007f00" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || style="background: #00cf00" | 1v8 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SCL || || . || || style="background: #00ff00" | 3v3 || . || . || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || style="background: #007f00" | 1v2 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #33ffff" | SDA || || . || || style="background: #007f00" | 1v2 || . || . || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #00cf00" | 1v8 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #00cf00" | 1v8 || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #007f00" | 1v2 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || <br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #007f00" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || style="background: #00cf00" | 1v8 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #bbbbbb" | G || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #cc6600" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #00cf00" | 1v8 || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || style="background: #007f00" | 1v2 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #007f00" | 1v2 || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #00cf00" | 1v8 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #00cf00" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #007f00" | 1v2 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #007f00" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? || . || style="background: #cc6600" | ? || || || || || || || style="background: #9400d3" | ? || || || || || || || || style="background: #ff69b4" | B || style="background: #ff69b4" | PADR || style="background: #ff69b4" | PADD || style="background: #bbbbbb" | G || || || style="background: #bbbbbb" | G || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #ff8000" | ? || style="background: #cc6600" | ? || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || || || || || || || || style="background: #9400d3" | ? || style="background: #9400d3" | ? || || || || || || || style="background: #ff69b4" | A || style="background: #ff69b4" | STRT || style="background: #ff69b4" | PADU || style="background: #ff69b4" | L || style="background: #ff69b4" | Y || || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ?<br />
|-<br />
| style="background: #bbbbbb" | G || || || || || || || || || || style="background: #9400d3" | ? || style="background: #9400d3" | ? || || || || || || || || style="background: #ff69b4" | SLCT || style="background: #ff69b4" | PADL || style="background: #ff69b4" | R || style="background: #ff69b4" | X || || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #ff2a7f" | ? || style="background: #bbbbbb" | G<br />
|}<br />
<br />
legend:<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;table-layout:fixed;"<br />
| style="background: #ff0000" | Main<br />
|-<br />
| style="background: #a060a0" | Gamecard<br />
|-<br />
| style="background: #ffff00" | SD card<br />
|-<br />
| style="background: #00aaee" | NAND<br />
|-<br />
| style="background: #33ffff" | I2C-3<br />
|-<br />
| style="background: #ff69b4" | Pad<br />
|-<br />
| style="background: #ff2a7f" | FCRAM<br />
|-<br />
| style="background: #9400d3" | Camera<br />
|-<br />
| style="background: #ff8000" | LCD0 (small)<br />
|-<br />
| style="background: #cc6600" | LCD1 (big)<br />
|-<br />
| style="background: #007f00" | 1.2v rail<br />
|-<br />
| style="background: #00cf00" | 1.8v rail<br />
|-<br />
| style="background: #00ff00" | 3.3v rail<br />
|-<br />
| style="background: #bbbbbb" | Ground<br />
|}<br />
<br />
Orientation: Triangle bottom right on the PCB.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19281Pinouts2017-01-17T01:14:36Z<p>Dark samus: make new colors more readable.</p>
<hr />
<div>== CTR B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;"<br />
| style="background: #bbbbbb" | G || || || || || style="background: #a060a0" | D5 || style="background: #a060a0" | D2 || || style="background: #a060a0" | RST || style="background: #a060a0" | CLK || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #ff0000" | X || style="background: #ff0000" | X || style="background: #00ff00" | 3v3 || style="background: #00ff00" | 3v3 || || style="background: #00ff00" | 3v3 || || || || || || || || || || || || style="background: #bbbbbb" | G<br />
|-<br />
| || || || || || style="background: #a060a0" | D6 || style="background: #a060a0" | D3 || style="background: #a060a0" | D0 || style="background: #a060a0" | IRQ || style="background: #a060a0" | CS1 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || || style="background: #00ff00" | 3v3 || || style="background: #bbbbbb" | G || || || || || || || || || || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| style="background: #ffff00" | CLK || style="background: #ffff00" | D0 || . || + || || style="background: #a060a0" | D7 || style="background: #a060a0" | D4 || style="background: #a060a0" | D1 || || style="background: #a060a0" | CS2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #00ff00" | 3v3 || style="background: #00ff00" | 3v3 || || || || || || || || . || || <br />
|-<br />
| style="background: #ffff00" | D1 || style="background: #ffff00" | D2 || . || style="background: #ffff00" | D3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| style="background: #ffff00" | CMD || style="background: #ffff00" | IRQ || . || style="background: #ffff00" | WP || style="background: #00ff00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #007f00" | 1v2 || || . || || <br />
|-<br />
| style="background: #00aaee" | CLK || style="background: #00aaee" | D0 || . || || style="background: #007f00" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || || . || || <br />
|-<br />
| style="background: #00aaee" | D1 || style="background: #00aaee" | D2 || . || style="background: #00aaee" | D3 || style="background: #bbbbbb" | G || . || . || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || style="background: #00aaee" | CMD || . || || style="background: #00ff00" | 3v3 || . || . || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || style="background: #007f00" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #007f00" | 1v2 || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || style="background: #00cf00" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00ff00" | 3v3 || . || . || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || style="background: #007f00" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #007f00" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || style="background: #00cf00" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| style="background: #33ffff" | SCL || || . || || style="background: #00ff00" | 3v3 || . || . || style="background: #bbbbbb" | G || style="background: #00ff00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || style="background: #007f00" | 1v2 || || . || || <br />
|-<br />
| style="background: #33ffff" | SDA || || . || || style="background: #007f00" | 1v2 || . || . || style="background: #00ff00" | 3v3 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #00cf00" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00cf00" | 1v8 || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #007f00" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #007f00" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || style="background: #00cf00" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00cf00" | 1v8 || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || . || . || style="background: #007f00" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #007f00" | 1v2 || . || . || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #00cf00" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #bbbbbb" | G || style="background: #007f00" | 1v2 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00cf00" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #007f00" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #007f00" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00cf00" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || style="background: #00cf00" | 1v8 || style="background: #007f00" | 1v2 || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || || || || || || || || || || || || || || || || || || style="background: #bbbbbb" | G || || || style="background: #bbbbbb" | G || || || . || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || || || || || || || || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| style="background: #bbbbbb" | G || || || || || || || || || || || || || || || || || || || || || || || || || || || || || style="background: #bbbbbb" | G<br />
|}<br />
<br />
legend:<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;table-layout:fixed;"<br />
| style="background: #ff0000" | Main<br />
|-<br />
| style="background: #a060a0" | Gamecard<br />
|-<br />
| style="background: #ffff00" | SD card<br />
|-<br />
| style="background: #00aaee" | NAND<br />
|-<br />
| style="background: #33ffff" | I2C-3<br />
|-<br />
| style="background: #007f00" | 1.2v rail<br />
|-<br />
| style="background: #00cf00" | 1.8v rail<br />
|-<br />
| style="background: #00ff00" | 3.3v rail<br />
|-<br />
| style="background: #bbbbbb" | Ground<br />
|}<br />
<br />
Orientation: Triangle bottom right on the PCB.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19275Pinouts2017-01-16T12:24:02Z<p>Dark samus: A few more ground locations</p>
<hr />
<div>== CTR B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;"<br />
| style="background: #bbbbbb" | G || || || || || style="background: #ffccbb" | D5 || style="background: #ffccbb" | D2 || || style="background: #ffccbb" | RST || style="background: #ffccbb" | CLK || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || || style="background: #ffbb00" | 3v3 || style="background: #ffbb00" | 3v3 || || style="background: #ffbb00" | 3v3 || || || || || || || || || || || || style="background: #bbbbbb" | G<br />
|-<br />
| || || || || || style="background: #ffccbb" | D6 || style="background: #ffccbb" | D3 || style="background: #ffccbb" | D0 || style="background: #ffccbb" | IRQ || style="background: #ffccbb" | CS1 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || style="background: #ffbb00" | 3v3 || || style="background: #ffbb00" | 3v3 || || style="background: #bbbbbb" | G || || || || || || || || || || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| style="background: #ccffbb" | CLK || style="background: #ccffbb" | D0 || . || + || || style="background: #ffccbb" | D7 || style="background: #ffccbb" | D4 || style="background: #ffccbb" | D1 || || style="background: #ffccbb" | CS2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #ffbb00" | 3v3 || style="background: #ffbb00" | 3v3 || || || || || || || || . || || <br />
|-<br />
| style="background: #ccffbb" | D1 || style="background: #ccffbb" | D2 || . || style="background: #ccffbb" | D3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| style="background: #ccffbb" | CMD || style="background: #ccffbb" | IRQ || . || style="background: #ccffbb" | WP || style="background: #ffbb00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| style="background: #77ff99" | CLK || style="background: #77ff99" | D0 || . || || style="background: #eeff77" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| style="background: #77ff99" | D1 || style="background: #77ff99" | D2 || . || style="background: #77ff99" | D3 || style="background: #bbbbbb" | G || . || . || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || style="background: #77ff99" | CMD || . || || style="background: #ffbb00" | 3v3 || . || . || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #ffbb00" | 3v3 || . || . || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #ffbb00" | 3v3 || . || . || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00aaee" | 1v8 || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00aaee" | 1v8 || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00aaee" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || || || || || || || || || || || || || || || || || || style="background: #bbbbbb" | G || || || style="background: #bbbbbb" | G || || || . || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || || || || || || || || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| style="background: #bbbbbb" | G || || || || || || || || || || || || || || || || || || || || || || || || || || || || || style="background: #bbbbbb" | G<br />
|}<br />
<br />
legend:<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;table-layout:fixed;"<br />
| style="background: #ffccbb" | Gamecard<br />
|-<br />
| style="background: #ccffbb" | SD card<br />
|-<br />
| style="background: #77ff99" | NAND<br />
|-<br />
| style="background: #eeff77" | 1.2v rail<br />
|-<br />
| style="background: #00aaee" | 1.8v rail<br />
|-<br />
| style="background: #ffbb00" | 3.3v rail<br />
|-<br />
| style="background: #bbbbbb" | Ground<br />
|}<br />
<br />
Orientation: Triangle bottom right on the PCB.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19273Pinouts2017-01-16T02:17:00Z<p>Dark samus: Add some color for differentiating I/O</p>
<hr />
<div>== CTR B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;width:100%;table-layout:fixed;"<br />
| style="background: #bbbbbb" | G || || || || || style="background: #ffccbb" | D5 || style="background: #ffccbb" | D2 || || style="background: #ffccbb" | RST || style="background: #ffccbb" | CLK || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || || style="background: #ffbb00" | 3v3 || style="background: #ffbb00" | 3v3 || || style="background: #ffbb00" | 3v3 || || || || || || || || || || || || style="background: #bbbbbb" | G<br />
|-<br />
| || || || || || style="background: #ffccbb" | D6 || style="background: #ffccbb" | D3 || style="background: #ffccbb" | D0 || style="background: #ffccbb" | IRQ || style="background: #ffccbb" | CS1 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || style="background: #ffbb00" | 3v3 || || style="background: #ffbb00" | 3v3 || || || || || || || || || || || || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| style="background: #ccffbb" | CLK || style="background: #ccffbb" | D0 || . || + || || style="background: #ffccbb" | D7 || style="background: #ffccbb" | D4 || style="background: #ffccbb" | D1 || || style="background: #ffccbb" | CS2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #ffbb00" | 3v3 || style="background: #ffbb00" | 3v3 || || || || || || || || . || || <br />
|-<br />
| style="background: #ccffbb" | D1 || style="background: #ccffbb" | D2 || . || style="background: #ccffbb" | D3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| style="background: #ccffbb" | CMD || style="background: #ccffbb" | IRQ || . || style="background: #ccffbb" | WP || style="background: #ffbb00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| style="background: #77ff99" | CLK || style="background: #77ff99" | D0 || . || || style="background: #eeff77" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| style="background: #77ff99" | D1 || style="background: #77ff99" | D2 || . || style="background: #77ff99" | D3 || style="background: #bbbbbb" | G || . || . || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || style="background: #77ff99" | CMD || . || || style="background: #ffbb00" | 3v3 || . || . || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #ffbb00" | 3v3 || . || . || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #ffbb00" | 3v3 || . || . || style="background: #bbbbbb" | G || style="background: #ffbb00" | 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #ffbb00" | 3v3 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00aaee" | 1v8 || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00aaee" | 1v8 || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || . || . || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #bbbbbb" | G || style="background: #eeff77" | 1v2 || . || . || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || style="background: #00aaee" | 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #eeff77" | 1v2 || || . || || <br />
|-<br />
| || || . || || style="background: #eeff77" | 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || style="background: #00aaee" | 1v8 || || . || || <br />
|-<br />
| || || . || || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || style="background: #00aaee" | 1v8 || style="background: #eeff77" | 1v2 || style="background: #bbbbbb" | G || || . || || <br />
|-<br />
| || || . || || || || || || || || || || || || || || || || || || || || || || || || || . || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| style="background: #bbbbbb" | G || style="background: #bbbbbb" | G || || || || || || || || || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| style="background: #bbbbbb" | G || || || || || || || || || || || || || || || || || || || || || || || || || || || || || style="background: #bbbbbb" | G<br />
|}<br />
<br />
legend:<br />
{| class="wikitable" style="font-family:Monospace;text-align:center;table-layout:fixed;"<br />
| style="background: #ffccbb" | Gamecard<br />
|-<br />
| style="background: #ccffbb" | SD card<br />
|-<br />
| style="background: #77ff99" | NAND<br />
|-<br />
| style="background: #eeff77" | 1.2v rail<br />
|-<br />
| style="background: #00aaee" | 1.8v rail<br />
|-<br />
| style="background: #ffbb00" | 3.3v rail<br />
|-<br />
| style="background: #bbbbbb" | Ground<br />
|}<br />
<br />
Orientation: Triangle bottom right on the PCB.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19270Pinouts2017-01-16T01:18:33Z<p>Dark samus: restore info</p>
<hr />
<div>== CTR B ==<br />
<br />
{| class="wikitable" style="font-family:Monospace;"<br />
| G || || || || || D5 || D2 || || RST || CLK || G || G || || || 3v3 || 3v3 || || 3v3 || || || || || || || || || || || || G<br />
|-<br />
| || || || || || D6 || D3 || D0 || IRQ || CS1 || G || G || G || || 3v3 || || 3v3 || || || || || || || || || || || || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| CLK || D0 || . || + || || D7 || D4 || D1 || || CS2 || G || G || G || 3v3 || || 3v3 || G || 3v3 || 3v3 || 3v3 || || || || || || || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || 1v2 || 3v3 || G || 1v2 || 3v3 || G || 1v2 || G || G || 1v2 || 3v3 || G || 1v2 || 3v3 || G || 1v2 || 3v3 || G || 1v2 || 3v3 || G || || . || || <br />
|-<br />
| CMD || IRQ || . || WP || 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || 1v2 || || . || || <br />
|-<br />
| CLK || D0 || . || || 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || . || . || 3v3 || G || 3v3 || G || 1v2 || G || 3v3 || G || 1v2 || G || 3v3 || G || 1v2 || G || 3v3 || G || . || . || G || || . || || <br />
|-<br />
| || CMD || . || || 3v3 || . || . || G || 3v3 || G || 3v3 || G || 3v3 || G || 3v3 || G || 3v3 || G || 3v3 || G || 3v3 || G || 1v2 || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || 1v2 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v2 || G || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || G || 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v8 || . || . || G || || . || || <br />
|-<br />
| || || . || || 3v3 || . || . || 3v3 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v2 || G || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || G || 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v8 || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || 1v2 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || G || . || . || G || || . || || <br />
|-<br />
| || || . || || 3v3 || . || . || G || 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v2 || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || 3v3 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || G || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || G || 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v8 || . || . || G || || . || || <br />
|-<br />
| || || . || || 1v8 || . || . || 1v2 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || G || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || G || 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v2 || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || 1v8 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || G || . || . || G || || . || || <br />
|-<br />
| || || . || || 1v8 || . || . || G || 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v8 || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || 1v2 || G || 1v8 || G || 1v8 || G || 1v8 || G || 1v2 || G || 1v8 || G || 1v8 || G || 1v8 || G || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || G || 1v8 || G || 1v2 || G || 1v8 || G || 1v2 || G || 1v8 || G || 1v2 || G || 1v8 || G || 1v2 || . || . || G || || . || || <br />
|-<br />
| || || . || || 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || || . || || <br />
|-<br />
| || || . || || || || || || || || || || || || || || || || || || || || || || || || || . || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| G || G || || || || || || || || || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| G || || || || || || || || || || || || || || || || || || || || || || || || || || || || || G<br />
|}<br />
<br />
Orientation: Triangle bottom right.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19269Pinouts2017-01-16T01:14:56Z<p>Dark samus: voltages</p>
<hr />
<div>{| class="wikitable" style="font-family:Monospace;"<br />
| G || || || || || D5 || D2 || || RST || CLK || G || G || || || 3v3 || 3v3 || || 3v3 || || || || || || || || || || || || G<br />
|-<br />
| || || || || || D6 || D3 || D0 || IRQ || CS1 || G || G || G || || 3v3 || || 3v3 || || || || || || || || || || || || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| CLK || D0 || . || + || || D7 || D4 || D1 || || CS2 || G || G || G || 3v3 || || 3v3 || G || 3v3 || 3v3 || 3v3 || || || || || || || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || 1v2 || 3v3 || G || 1v2 || 3v3 || G || 1v2 || G || G || 1v2 || 3v3 || G || 1v2 || 3v3 || G || 1v2 || 3v3 || G || 1v2 || 3v3 || G || || . || || <br />
|-<br />
| CMD || IRQ || . || WP || 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || 1v2 || || . || || <br />
|-<br />
| CLK || D0 || . || || 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || . || . || 3v3 || G || 3v3 || G || 1v2 || G || 3v3 || G || 1v2 || G || 3v3 || G || 1v2 || G || 3v3 || G || . || . || G || || . || || <br />
|-<br />
| || CMD || . || || 3v3 || . || . || G || 3v3 || G || 3v3 || G || 3v3 || G || 3v3 || G || 3v3 || G || 3v3 || G || 3v3 || G || 1v2 || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || 1v2 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v2 || G || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || G || 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v8 || . || . || G || || . || || <br />
|-<br />
| || || . || || 3v3 || . || . || 3v3 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v2 || G || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || G || 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v8 || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || 1v2 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || G || . || . || G || || . || || <br />
|-<br />
| || || . || || 3v3 || . || . || G || 3v3 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v2 || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || 3v3 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || G || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || G || 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v8 || . || . || G || || . || || <br />
|-<br />
| || || . || || 1v8 || . || . || 1v2 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || G || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || G || 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v2 || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || 1v8 || G || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || G || . || . || G || || . || || <br />
|-<br />
| || || . || || 1v8 || . || . || G || 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || G || 1v8 || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || 1v2 || G || 1v8 || G || 1v8 || G || 1v8 || G || 1v2 || G || 1v8 || G || 1v8 || G || 1v8 || G || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || . || . || G || 1v8 || G || 1v2 || G || 1v8 || G || 1v2 || G || 1v8 || G || 1v2 || G || 1v8 || G || 1v2 || . || . || G || || . || || <br />
|-<br />
| || || . || || 1v8 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || 1v2 || || . || || <br />
|-<br />
| || || . || || 1v2 || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || 1v8 || || . || || <br />
|-<br />
| || || . || || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || 1v8 || 1v2 || G || || . || || <br />
|-<br />
| || || . || || || || || || || || || || || || || || || || || || || || || || || || || . || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| G || G || || || || || || || || || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| G || || || || || || || || || || || || || || || || || || || || || || || || || || || || || G<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19267Pinouts2017-01-15T18:04:46Z<p>Dark samus: more grounds</p>
<hr />
<div>{| class="wikitable" style="font-family:Monospace;"<br />
| G || || || || || D5 || D2 || || RST || CLK || G || G || || || || || || || || || || || || || || || || || || G<br />
|-<br />
| || || || || || D6 || D3 || D0 || IRQ || CS1 || G || G || G || || || || || || || || || || || || || || || || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| CLK || D0 || . || + || || D7 || D4 || D1 || || CS2 || G || G || G || || || || G || || || || || || || || || || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || || || G || || || G || || G || G || || || G || || || G || || || G || || || G || || . || || <br />
|-<br />
| CMD || IRQ || . || WP || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| CLK || D0 || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || . || . || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || . || . || G || || . || || <br />
|-<br />
| || CMD || . || || || . || . || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| || || . || || G || || || G || || || G || || || G || || || G || || || G || || || G || || || G || || . || || <br />
|-<br />
| || || . || || || || || || || || || || || || || || || || || || || || || || || || || . || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| G || G || || || || || || || || || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| G || || || || || || || || || || || || || || || || || || || || || || || || || || || || || G<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19266Pinouts2017-01-15T18:01:11Z<p>Dark samus: off-by-one</p>
<hr />
<div>{| class="wikitable" style="font-family:Monospace;"<br />
| G || || || || || D5 || D2 || || RST || CLK || || || || || || || || || || || || || || || || || || || || G<br />
|-<br />
| || || || || || D6 || D3 || D0 || IRQ || CS1 || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| CLK || D0 || . || + || || D7 || D4 || D1 || || CS2 || || || || || || || || || || || || || || || || || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || || || G || || || G || || || G || || || G || || || G || || || G || || || G || || . || || <br />
|-<br />
| CMD || IRQ || . || WP || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| CLK || D0 || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || . || . || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || . || . || G || || . || || <br />
|-<br />
| || CMD || . || || || . || . || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| || || . || || G || || || G || || || G || || || G || || || G || || || G || || || G || || || G || || . || || <br />
|-<br />
| || || . || || || || || || || || || || || || || || || || || || || || || || || || || . || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| G || G || || || || || || || || || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| G || || || || || || || || || || || || || || || || || || || || || || || || || || || || || G<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Pinouts&diff=19265Pinouts2017-01-15T18:00:08Z<p>Dark samus: Cart pinouts</p>
<hr />
<div>{| class="wikitable" style="font-family:Monospace;"<br />
| G || || || || || D5 || D2 || || RST || CLK || || || || || || || || || || || || || || || || || || || || G<br />
|-<br />
| || || || || || D6 || D3 || D0 || IRQ || CS1 || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| CLK || D0 || . || + || D7 || D4 || D1 || || CS2 || || || || || || || || || || || || || || || || || || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || || || G || || || G || || || G || || || G || || || G || || || G || || || G || || . || || <br />
|-<br />
| CMD || IRQ || . || WP || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| CLK || D0 || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| D1 || D2 || . || D3 || G || . || . || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || . || . || G || || . || || <br />
|-<br />
| || CMD || . || || || . || . || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || + || G || . || . || . || . || . || . || . || . || . || . || . || . || + || G || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || G || + || . || . || . || . || . || . || . || . || . || . || . || . || G || + || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || . || . || || || . || || <br />
|-<br />
| || || . || || G || . || . || G || + || G || + || G || + || G || + || G || + || G || + || G || + || G || + || . || . || G || || . || || <br />
|-<br />
| || || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| || || . || || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || || . || || <br />
|-<br />
| || || . || || G || || || G || || || G || || || G || || || G || || || G || || || G || || || G || || . || || <br />
|-<br />
| || || . || || || || || || || || || || || || || || || || || || || || || || || || || . || || <br />
|-<br />
| || || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || . || || <br />
|-<br />
| G || G || || || || || || || || || || || || || || || || || || || || || || || || || || || || <br />
|-<br />
| G || || || || || || || || || || || || || || || || || || || || || || || || || || || || || G<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Hardware&diff=19159Hardware2017-01-05T16:56:31Z<p>Dark samus: I thought I fixed you</p>
<hr />
<div>This page lists and describes the hardware found inside the Nintendo 3DS. Many of these parts are custom made and are expanded upon here or in other pages.<br />
<br />
== Common hardware ==<br />
{| class="wikitable"<br />
! Type !! Description<br />
|-<br />
| ARM11 Processor Core || Old3DS: [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0360f/index.html ARM11 2x MPCore & 2x VFPv2 Co-Processor] 268MHz(~268111855.956 Hz).<br />
<br />
New3DS: 4x MPCore, 4x VFPv2, able to run up to 804MHz (see below). It also has an optional 2MB L2 cache.<br />
|-<br />
| ARM9 Processor Core || [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0201d/index.html ARM946] 134MHz(~134055927.861 Hz),<br />
|-<br />
| GPU || [http://en.wikipedia.org/wiki/PICA200 DMP PICA] 268MHz,<br />
|-<br />
| VRAM || 6 MB within SoC.<br />
|-<br />
| Top screen || 800x240, with only 400 usable pixels per eye per line.<br />
|-<br />
| Bottom screen || 320x240, with resistive touch overlay.<br />
|-<br />
| DSP || [https://twitter.com/CEVADSP/status/177172880918986752 CEVA TeakLite]. 134Mhz. 24ch 32728Hz sampling rates.<br />
|}<br />
<br />
New3DS exclusives are able to clock the CPU at 804MHz, but this appears to be limited to the currently running application/app cores. Timed by running svcGetSystemTick on either side of a long idle loop to stay in the current process context. svcGetSystemTick uses a tick counter running at 268MHz in this mode.<br />
<br />
On New3DS: when Home Menu is active, the system runs at 804MHz. For everything else, it's 268MHz, except when the app(let) has the required flag set. See [[NCCH/Extended_Header|here]] and [[PDN_Registers|here]] for details, regarding clock-rate and cache.<br />
<br />
For New3DS-only there are multiple clock-rate multiplier values available in [[PDN_Registers|hardware]], but since the relevant code is only implemented in the New3DS ARM11-kernel, the only non-normal clock-rate available with official kernel code is 3x.<br />
<br />
== Specifications ==<br />
{| class="wikitable"<br />
! Type !! 3DS !! 3DSXL !! 2DS !! N3DS !! N3DSXL<br />
|-<br />
| SoC || CPU CTR (1048 0H)<br />
CPU CTR (1214 32)<br />
|| CPU CTR A (1226 60)<br />
CPU CTR (1037 21)<br />
|| CPU CTR B (??) || CPU LGR A (1444 86) || CPU LGR A (1446 17)<br />
|-<br />
| FCRAM || [http://www.fujitsu.com/downloads/MICRO/fma/pdf/MB81EDS516545_e511463.pdf 2x64MB Fujitsu MB82M8080-07L] || Fujitsu MB82DBS16641 || Fujitsu MB82DBS1664 || ?? || Fujitsu MB82MK9A9A<br />
|-<br />
| Top Screen || 3.53 in, 3D || 4.88 in, 3D || 3.53 in(?) cropped from a single panel || 3.88 in, 3D || 4.88 in, 3D<br />
|-<br />
| Bottom Screen || 3.00 in || 4.18 in || 3.00 in(?) cropped from a single panel || 3.33 in || 4.18 in<br />
|-<br />
| Storage ||colspan="3"| Toshiba THGBM2G3P1FBAI8 1GB ||colspan="2"| Samsung KLM4G1YEQC 4GB (in 1.3GiB SLC mode)<br />
Toshiba THGBMBG4P1KBAIT 2GB (MLC, approx. 1.8GiB usable)<br />
|-<br />
| Audio Codec || TI PAIC3010B 0AA37DW || ?? || ?? || TI AIC3010B 39C4ETW || TI AIC3010D 48C01JW<br />
|-<br />
| Gyroscope || [http://dl-web.dropbox.com/u/20520664/references/PS-ITG-3200-00-01.4.pdf Invensense ITG-3270 MEMS Gyroscope] || ?? || ?? || ?? || ??<br />
|-<br />
| Accelerometer || ST Micro 2048 33DH X1MAQ Accelerometer Model LIS331DH || ?? || ?? || ?? || ??<br />
|-<br />
| Wifi || Atheros AR6014 || ?? || ?? || ?? || Atheros AR6014G-AL1C<br />
|-<br />
| Infrared IC || NXP S750 0803 TSD031C || ?? || ?? || ?? || NXP S750 1603 TSD438C<br />
|-<br />
| Custom Microcontroller || Renesas UC CTR || ?? || Renesas UC CTR 324KM47 KG10 || Renesas UC KTR || Renesas UC KTR 442KM13 TK14<br />
|-<br />
| PMIC? || TI 93045A4 OAAH86W || ?? || ?? || TI 93045A4 38A6TYW G2 || TI 93045A4 49AF3NW G2<br />
|}<br />
<br />
* [11] Official Documentation<br />
<br />
* [5],[10] According to iFixit.com ([http://www.ifixit.com/Teardown/Nintendo-3DS-Teardown/5029/1#s22696 source]):<br />
<br />
* Datasheet for memory is for a chip in the same series, it has less memory than the one inside the 3DS (128mbits vs 512mbits).<br />
<br />
* There is a trove of data on the FCC website at [https://fjallfoss.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=462292&fcc_id=%27EW4DWMW028%27].<br />
<br />
* [12] This IC is somewhat similar to [http://www.alldatasheet.net/datasheet-pdf/pdf/347838/NXP/SC16IS750IBS.html this].<br />
<br />
== FCRAM ==<br />
<br />
There is one FCRAM (Fast Cycle RAM) IC in the 3DS, produced by Fujitsu and branded as MB82M8080-07L. The Fujitsu MB82M8080-07L chip internally contains 2 dies, where each die is branded MB81EDS516545 and MB82DBS08645.<br />
<br />
The MB81EDS516545 die is a CMOS Fast Cycle Random Access Memory (FCRAM) with Low Power Double Data Rate (LPDDR) SDRAM Interface containing 512MBit storage accessible in a 64-bit format. The MB81EDS516545 is suited for consumer applications requiring high data bandwidth with low power consumption.<br />
<br />
<br />
== SoC ==<br />
<br />
The 3DS has much of it's internals housed in a SoC (System on Chip) just like it's predecessors. This is done to reduce build costs, cut down on power consumption, as well as make the PCB layout less complex and make the system harder to tamper with. The SoC, branded as the Nintendo 1048 0H, contains the CPU, GPU, DSP and VRAM.<br />
<br />
According to official documents, the CPU used is a dual-core ARM11 CPU, clocked at 268MHz. One core is dedicated to system software, while the other is used for application programming, each known as the syscore and appcore, respectively.<br />
<br />
<br />
== GPU ==<br />
<br />
Designed by Digital Media Professionals Inc. (DMP) and codenamed PICA200, 268Mhz.<br />
<br />
Block diagram of an ULTRAY2000 based architecture PICA200:<br />
<br />
[[File:Pica200BlockDiagram.png]]<br />
<br />
PICA200 is compatible with OpenGL ES 1.1. It furthermore provides unique functionality for:<br />
* Per-fragment lighting ("Lighting Maestro")<br />
* Hard- and soft-shadowing ("Shadow Maestro")<br />
* Polygon subdivision ("Figure Maestro")<br />
* Bump mapping and procedural textures ("Mapping Maestro")<br />
* Rendering of gaseous objects ("Particle Maestro")<br />
<br />
Some parts of the extended functionality are provided in hardware by an extended geometry pipeline. Most importantly, PICA200 has three programmable vertex processors. There is furthermore a unit called [[GPU/Primitive_Engine|Primitive Engine]], which is a geometry shader unit (using the same instruction set as vertex shaders) with support for variable-size primitives. The Primitive Engine functionality may be disabled, and the geometry shader unit then acts as a fourth vertex processor. See [[Shader_Instruction_Set]] for more information on the shader instruction set.<br />
<br />
[[GPU/Fragment Lighting|Fragment lighting]] is implemented as an optional pipeline step during pixel processing. It's implemented by having the vertex shader output an additional attribute describing the transformation (represented by a quaternion) to surface-local space. This per-vertex quaternion can then be interpolated across screen space to calculate dot products relevant for lighting (e.g. light vector dot normal vector). To provide support for advanced lighting models, these dot products are used as indices into programmable lookup tables. With this setup, PICA200 in particular supports the shading models Blinn-Phong, Cook-Terrance, Ward, and microfacet-based BRDF-models.<br />
<br />
PICA200 supports four texture units, the fourth of which is used exclusively for [[GPU/Procedural Texture Generation|procedural texture generation]].<br />
<br />
== SDIO controller ==<br />
<br />
Nintendo recommends SD cards up to 32 GB however the internal SDIO controller seems to support SD cards up to 2.19 Terabyte (32-bit sector number). It's unknown if it really can handle that much. 128 GB was tested and works fine however it causes a major slowdown of the system especially at boot.<br />
<br />
== Images ==<br />
<br />
=== Front ===<br />
<br />
[[Image:CTR_Front.jpg|600px]]<br />
<br />
[http://guide-images.ifixit.net/igi/ishJaSCOwLkvbLYK High Resolution]<br />
<br />
=== Back ===<br />
<br />
[[Image:CTR_Back.jpg]]<br />
<br />
[http://guide-images.ifixit.net/igi/n1CKAdbPrHyNPNuW High Resolution]<br />
<br />
=== NAND pinout ===<br />
<br />
NAND dumping has been successful, but the image is encrypted.<br />
<br />
==== Normal model ====<br />
<br />
[[Image:CTR_NAND_pinout.png]]<br />
<br />
==== XL model ====<br />
<br />
[[Image:CTR_NAND_pinout_XL.jpg|500px]]<br />
<br />
==== 2DS ====<br />
<br />
[[Image:2DSeMMC.jpg|500px]]<br />
<br />
==== New 3DS ====<br />
<br />
[[Image:N3DSeMMC.jpg]]<br />
<br />
==== New 3DS XL ====<br />
<br />
[[Image:N3DSXLeMMC.jpg]]<br />
<br />
=== WiFi dongle pinout ===<br />
[[Image:CTR_WiFiDongle_pinout.png|600px]]<br />
<br />
SDIO interface is colored red: <br />
* CLK<br />
* CMD<br />
* D0, D1, D2, D3<br />
<br />
This is the interface for the 'NEW' WiFi module (based on Atheros AR6002) first included in DSi.<br />
<br />
The proprietary DS-mode WiFi is colored yellow, pins are unknown.<br />
<br />
I²C eeprom is colored blue:<br />
* SCL<br />
* SDA<br />
<br />
SPI Flash is colored purple:<br />
* CLK<br />
* CS#<br />
* SI<br />
* SO<br />
* WP#<br />
* NC<br />
<br />
=== Auxiliary Microcontroller (MCU) ===<br />
[[Image:CTR_UC.png|600px]]<br />
<br />
Monitors HOME button, WiFi switch, 3D slider, volume control slider.<br />
Controls LEDs, various power supplies via an I²C connection to the PMIC.<br />
<br />
Two I²C buses are attached to the MCU. For one, the SoC is the master; for the other, the MCU is the master.<br />
<br />
Devices attached to MCU master I²C bus:<br />
* MCU (master)<br />
* Fuel Gauge<br />
* Accelerometer (slave address 0x18)<br />
* PMIC<br />
* maybe more?<br />
<br />
Devices attached to the SoC master I²C bus:<br />
* SoC (master)<br />
* MCU<br />
* LCD<br />
* Camera<br />
* QTM (New3DS-only)<br />
<br />
The MCU uses the [http://mcs.uwsuper.edu/sb/327/Resources/RL78.pdf RL78 ISA].<br />
<br />
The MCU uses some custom Special Function Registers, but documentation for much of the hardware protocol/general SFRs can be found [http://courses.ee.sun.ac.za/Computer_Systems_245/Dokumentasie/RL78%20hardware%20manual%20(registers).pdf here].</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Hardware&diff=19153Hardware2017-01-05T00:30:58Z<p>Dark samus: </p>
<hr />
<div>This page lists and describes the hardware found inside the Nintendo 3DS. Many of these parts are custom made and are expanded upon here or in other pages.<br />
<br />
== Common hardware ==<br />
{| class="wikitable"<br />
! Type !! Description<br />
|-<br />
| ARM11 Processor Core || Old3DS: [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0360f/index.html ARM11 2x MPCore & 2x VFPv2 Co-Processor] 268MHz(~268111855.956 Hz).<br />
<br />
New3DS: 4x MPCore, 4x VFPv2, able to run up to 804MHz (see below). It also has an optional 2MB L2 cache.<br />
|-<br />
| ARM9 Processor Core || [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0201d/index.html ARM946] 134MHz(~134055927.861 Hz),<br />
|-<br />
| GPU || [http://en.wikipedia.org/wiki/PICA200 DMP PICA] 268MHz,<br />
|-<br />
| VRAM || 6 MB within SoC.<br />
|-<br />
| Top screen || 800x240, with only 400 usable pixels per eye per line.<br />
|-<br />
| Bottom screen || 320x240, with resistive touch overlay.<br />
|-<br />
| DSP || [https://twitter.com/CEVADSP/status/177172880918986752 CEVA TeakLite]. 134Mhz. 24ch 32728Hz sampling rates.<br />
|}<br />
<br />
New3DS exclusives are able to clock the CPU at 804MHz, but this appears to be limited to the currently running application/app cores. Timed by running svcGetSystemTick on either side of a long idle loop to stay in the current process context. svcGetSystemTick uses a tick counter running at 268MHz in this mode.<br />
<br />
On New3DS: when Home Menu is active, the system runs at 804MHz. For everything else, it's 268MHz, except when the app(let) has the required flag set. See [[NCCH/Extended_Header|here]] and [[PDN_Registers|here]] for details, regarding clock-rate and cache.<br />
<br />
For New3DS-only there are multiple clock-rate multiplier values available in [[PDN_Registers|hardware]], but since the relevant code is only implemented in the New3DS ARM11-kernel, the only non-normal clock-rate available with official kernel code is 3x.<br />
<br />
== Specifications ==<br />
{| class="wikitable"<br />
! Type !! 3DS !! 3DSXL !! 2DS !! N3DS !! N3DSXL<br />
|-<br />
| SoC || CPU CTR (1048 0H)<br />
CPU CTR (1214 32)<br />
|| CPU CTR A (1226 60)<br />
CPU CTR (1037 21)<br />
|| CPU CTR B (??) || CPU LGR A (1444 86) || CPU LGR A (1446 17)<br />
|-<br />
| FCRAM || [http://www.fujitsu.com/downloads/MICRO/fma/pdf/MB81EDS516545_e511463.pdf 2x64MB Fujitsu MB82M8080-07L] || Fujitsu MB82DBS16641 || Fujitsu MB82DBS1664 || ?? || Fujitsu MB82MK9A9A<br />
|-<br />
| Top Screen || 3.53 in, 3D || 4.88 in, 3D || 3.53 in(?) cropped from a single panel || 3.88 in, 3D || 4.88 in, 3D<br />
|-<br />
| Bottom Screen || 3.00 in || 4.18 in || 3.00 in(?) cropped from a single panel || 3.33 in || 4.18 in<br />
|-<br />
| Storage ||colspan="3"| Toshiba THGBM2G3P1FBAI8 1GB ||colspan="2"| Samsung KLM4G1YEQC 4GB (in 1.3GiB SLC mode)<br />
Toshiba THGBMBG4P1KBAIT 2GB (MLC, approx. 1.8GiB usable)<br />
|-<br />
| Audio Codec || TI PAIC3010B 0AA37DW || ?? || ?? || TI AIC3010B 39C4ETW || TI AIC3010D 48C01JW<br />
|-<br />
| Gyroscope || [http://dl-web.dropbox.com/u/20520664/references/PS-ITG-3200-00-01.4.pdf Invensense ITG-3270 MEMS Gyroscope] || ?? || ?? || ?? || ??<br />
|-<br />
| Accelerometer || ST Micro 2048 33DH X1MAQ Accelerometer Model LIS331DH || ?? || ?? || ?? || ??<br />
|-<br />
| Wifi || Atheros AR6014 || ?? || ?? || ?? || Atheros AR6014G-AL1C<br />
|-<br />
| Infrared IC || NXP S750 0803 TSD031C || ?? || ?? || ?? || NXP S750 1603 TSD438C<br />
|-<br />
| Custom Microcontroller || Renesas UC CTR || ?? || Renesas UC CTR 324KM47 KG10 || Renesas UC KTR || Renesas UC KTR 442KM13 TK14<br />
|-<br />
| PMIC? || TI 93045A4 OAAH86W || ?? || ?? || TI 93045A4 38A6TYW G2 || TI 93045A4 49AF3NW G2<br />
|}<br />
<br />
* [11] Official Documentation<br />
<br />
* [5],[10] According to iFixit.com ([http://www.ifixit.com/Teardown/Nintendo-3DS-Teardown/5029/1#s22696 source]):<br />
<br />
* Datasheet for memory is for a chip in the same series, it has less memory than the one inside the 3DS (128mbits vs 512mbits).<br />
<br />
* There is a trove of data on the FCC website at [https://fjallfoss.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=462292&fcc_id=%27EW4DWMW028%27].<br />
<br />
* [12] This IC is somewhat similar to [http://www.alldatasheet.net/datasheet-pdf/pdf/347838/NXP/SC16IS750IBS.html this].<br />
<br />
== FCRAM ==<br />
<br />
There is one FCRAM (Fast Cycle RAM) IC in the 3DS, produced by Fujitsu and branded as MB82M8080-07L. The Fujitsu MB82M8080-07L chip internally contains 2 dies, where each die is branded MB81EDS516545 and MB82DBS08645.<br />
<br />
The MB81EDS516545 die is a CMOS Fast Cycle Random Access Memory (FCRAM) with Low Power Double Data Rate (LPDDR) SDRAM Interface containing 512MBit storage accessible in a 64-bit format. The MB81EDS516545 is suited for consumer applications requiring high data bandwidth with low power consumption.<br />
<br />
<br />
== SoC ==<br />
<br />
The 3DS has much of it's internals housed in a SoC (System on Chip) just like it's predecessors. This is done to reduce build costs, cut down on power consumption, as well as make the PCB layout less complex and make the system harder to tamper with. The SoC, branded as the Nintendo 1048 0H, contains the CPU, GPU, DSP and VRAM.<br />
<br />
According to official documents, the CPU used is a dual-core ARM11 CPU, clocked at 268MHz. One core is dedicated to system software, while the other is used for application programming, each known as the syscore and appcore, respectively.<br />
<br />
<br />
== GPU ==<br />
<br />
Designed by Digital Media Professionals Inc. (DMP) and codenamed PICA200, 268Mhz.<br />
<br />
Block diagram of an ULTRAY2000 based architecture PICA200:<br />
<br />
[[File:Pica200BlockDiagram.png]]<br />
<br />
PICA200 is compatible with OpenGL ES 1.1. It furthermore provides unique functionality for:<br />
* Per-fragment lighting ("Lighting Maestro")<br />
* Hard- and soft-shadowing ("Shadow Maestro")<br />
* Polygon subdivision ("Figure Maestro")<br />
* Bump mapping and procedural textures ("Mapping Maestro")<br />
* Rendering of gaseous objects ("Particle Maestro")<br />
<br />
Some parts of the extended functionality are provided in hardware by an extended geometry pipeline. Most importantly, PICA200 has three programmable vertex processors. There is furthermore a unit called [[GPU/Primitive_Engine|Primitive Engine]], which is a geometry shader unit (using the same instruction set as vertex shaders) with support for variable-size primitives. The Primitive Engine functionality may be disabled, and the geometry shader unit then acts as a fourth vertex processor. See [[Shader_Instruction_Set]] for more information on the shader instruction set.<br />
<br />
[[GPU/Fragment Lighting|Fragment lighting]] is implemented as an optional pipeline step during pixel processing. It's implemented by having the vertex shader output an additional attribute describing the transformation (represented by a quaternion) to surface-local space. This per-vertex quaternion can then be interpolated across screen space to calculate dot products relevant for lighting (e.g. light vector dot normal vector). To provide support for advanced lighting models, these dot products are used as indices into programmable lookup tables. With this setup, PICA200 in particular supports the shading models Blinn-Phong, Cook-Terrance, Ward, and microfacet-based BRDF-models.<br />
<br />
PICA200 supports four texture units, the fourth of which is used exclusively for [[GPU/Procedural Texture Generation|procedural texture generation]].<br />
<br />
== SDIO controller ==<br />
<br />
Nintendo recommends SD cards up to 32 GB however the internal SDIO controller seems to support SD cards up to 2.19 Terabyte (32-bit sector number). It's unknown if it really can handle that much. 128 GB was tested and works fine however it causes a major slowdown of the system especially at boot.<br />
<br />
== Images ==<br />
<br />
=== Front ===<br />
<br />
[[Image:CTR_Front.jpg|600px]]<br />
<br />
[http://guide-images.ifixit.net/igi/ishJaSCOwLkvbLYK High Resolution]<br />
<br />
=== Back ===<br />
<br />
[[Image:CTR_Back.jpg]]<br />
<br />
[http://guide-images.ifixit.net/igi/n1CKAdbPrHyNPNuW High Resolution]<br />
<br />
=== NAND pinout ===<br />
<br />
NAND dumping has been successful, but the image is encrypted.<br />
<br />
==== Normal model ====<br />
<br />
[[Image:CTR_NAND_pinout.png]]<br />
<br />
==== XL model ====<br />
<br />
[[Image:CTR_NAND_pinout_XL.jpg|500px]]<br />
<br />
==== 2DS ====<br />
<br />
[[Image:2DSeMMC.jpg|500px]]<br />
<br />
==== New 3DS ====<br />
<br />
[[Image:N3DSeMMC.jpg]]<br />
<br />
==== New 3DS XL ====<br />
<br />
[[Image:N3DSXLeMMC.jpg]]<br />
<br />
=== WiFi dongle pinout ===<br />
[[Image:CTR_WiFiDongle_pinout.png|600px]]<br />
<br />
SDIO interface is colored red: <br />
* CLK<br />
* CMD<br />
* D0, D1, D2, D3<br />
<br />
This is the interface for the 'NEW' WiFi module (based on Atheros AR6002) first included in DSi.<br />
<br />
The proprietary DS-mode WiFi is colored yellow, pins are unknown.<br />
<br />
I²C eeprom is colored blue:<br />
* SCL<br />
* SDA<br />
<br />
SPI Flash is colored purple:<br />
* CLK<br />
* CS#<br />
* SI<br />
* SO<br />
* WP#<br />
* NC<br />
<br />
=== Auxiliary Microcontroller (MCU) ===<br />
[[Image:CTR_UC.png|600px]]<br />
<br />
Monitors HOME button, WiFi switch, 3D slider, volume control slider.<br />
Controls LEDs, various power supplies via an I²C connection to the PMIC.<br />
<br />
Two I²C buses are attached to the MCU. For one, the SoC is the master; for the other, the MCU is the master.<br />
<br />
Devices attached to MCU master I²C bus:<br />
* MCU (master)<br />
* Fuel Gauge<br />
* Accelerometer (slave address 0x18)<br />
* PMIC<br />
* maybe more?<br />
<br />
Devices attached t0 the SoC master I²C bus:<br />
* SoC (master)<br />
* MCU<br />
* LCD<br />
* Camera<br />
* QTM (New3DS-only)<br />
<br />
The MCU uses the [http://mcs.uwsuper.edu/sb/327/Resources/RL78.pdf RL78 ISA].<br />
<br />
The MCU uses some custom Special Function Registers, but documentation for much of the hardware protocol/general SFRs can be found [http://courses.ee.sun.ac.za/Computer_Systems_245/Dokumentasie/RL78%20hardware%20manual%20(registers).pdf here].</div>Dark samushttps://www.3dbrew.org/w/index.php?title=FirmwareNews&diff=19148FirmwareNews2017-01-04T05:53:36Z<p>Dark samus: </p>
<hr />
<div>As of this writing, the latest firmware is ''' 11.2.0-35'''.<br />
<br />
See [[Homebrew Exploits|here]] regarding running homebrew.<br />
<br />
----<br />
<br />
Full system control exploits are only public for system versions up to and including '''11.2.0-X'''.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=CONFIG9_Registers&diff=19133CONFIG9 Registers2017-01-03T00:34:55Z<p>Dark samus: </p>
<hr />
<div>= Registers =<br />
{| class="wikitable" border="1"<br />
! Old3DS<br />
! Name<br />
! Address<br />
! Width<br />
! Used by<br />
|-<br />
| style="background: green" | Yes<br />
| [[#CFG_SYSPROT9|CFG_SYSPROT9]]<br />
| 0x10000000<br />
| 1<br />
| Boot9<br />
|-<br />
| style="background: green" | Yes<br />
| [[#CFG_SYSPROT11|CFG_SYSPROT11]]<br />
| 0x10000001<br />
| 1<br />
| Boot9<br />
|-<br />
| style="background: green" | Yes<br />
| [[#CFG_RST11|CFG_RST11]]<br />
| 0x10000002<br />
| 1<br />
| Boot9<br />
|-<br />
| style="background: green" | Yes<br />
| CFG_DEBUGUNIT<br />
| 0x10000004<br />
| 4<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| ?<br />
| 0x10000008<br />
| 1<br />
| TwlProcess9<br />
|-<br />
| style="background: green" | Yes<br />
| [[#CFG_CARDCONF|CFG_CARDCONF]]<br />
| 0x1000000C<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| <br />
| 0x10000010<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| ?<br />
| 0x10000011<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| ?<br />
| 0x10000012<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| ?<br />
| 0x10000014<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| ?<br />
| 0x10000020<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| ?<br />
| 0x10000100<br />
| 2<br />
|<br />
|-<br />
| style="background: red" | No<br />
| [[#CFG_EXTMEMCNT9|CFG_EXTMEMCNT9]]<br />
| 0x10000200<br />
| 1<br />
| NewKernel9<br />
|-<br />
| style="background: green" | Yes<br />
| [[#CFG_MPCORECFG|CFG_MPCORECFG]]<br />
| 0x10000FFC<br />
| 4<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[#CFG_BOOTENV|CFG_BOOTENV]]<br />
| 0x10010000<br />
| 4<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[#CFG_UNITINFO|CFG_UNITINFO]]<br />
| 0x10010010<br />
| 1<br />
| Process9<br />
|-<br />
| style="background: green" | Yes<br />
| [[#CFG_TWLUNITINFO|CFG_TWLUNITINFO]]<br />
| 0x10010014<br />
| 1<br />
| Process9<br />
|}<br />
<br />
== CFG_SYSPROT9 == <br />
CFG_SYSPROT9 is used to permanently disable certain security-sensitive ARM9 memory areas until the next hard reset.<br />
<br />
{| class="wikitable" border="1"<br />
! Bit<br />
! Description<br />
|-<br />
| 0<br />
| Disables ARM9 [[Memory_layout|bootrom]](+0x8000) when set to 1. This register is oneshot.<br />
|-<br />
| 1<br />
| Disables [[OTP_Registers|OTP area]] when set to 1. This register is oneshot.<br />
|}<br />
<br />
On Old 3DS, NATIVE_FIRM reads CFG_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data. After setting the TWL console-unique keys, NATIVE_FIRM sets CFG_SYSPROT9 bit 1 to disable the OTP area. In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step.<br />
<br />
On New 3DS, the above is instead done by the [[FIRM#New_3DS_FIRM|Kernel9 loader]]. In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM. The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible.<br />
<br />
It is not possible to set any other bits.<br />
<br />
== CFG_SYSPROT11 == <br />
ARM11 bootrom (+0x8000) is disabled by writing bit0. It is not possible to set any other bits. This register is oneshot.<br />
<br />
== CFG_RST11 == <br />
ARM9 bootrom clears bit0, this probably makes ARM11 leave reset. This register is oneshot.<br />
<br />
== CFG_CARDCONF ==<br />
{| class="wikitable" border="1"<br />
! Bit<br />
! Description<br />
|-<br />
| 1-0<br />
| Gamecard active controller select (0=NTRCARD, 1=?, 2=CTRCARD1, 3=CTRCARD2)<br />
|-<br />
| 8<br />
| ?<br />
|}<br />
<br />
Depending on the gamecard controller that has been selected, one of the following gamecard registers will become active:<br />
* Selecting NTRCARD will activate the register space at [[NTRCARD|0x10164000]].<br />
* Selecting CTRCARD1 will activate the register space at [[CTRCARD|0x10004000]].<br />
* Selecting CTRCARD2 will activate the register space at [[CTRCARD|0x10005000]].<br />
<br />
== 0x10000010 ==<br />
When a gamecard isn't inserted, this register value is 0x01.<br />
<br />
== CFG_EXTMEMCNT9 ==<br />
This register is New3DS-only. Only bit0 is writable: 0 = disable New3DS ARM9 memory at 0x08100000 size 0x80000, 1 = enable.<br />
<br />
This bit is set by New3DS ARM9-kernel crt0.<br />
<br />
The data in this extended memory doesn't change when disabling the memory, then re-enabling the memory. Reading this extended memory while disabled results in zeros.<br />
<br />
== CFG_MPCORECFG ==<br />
Identical to [[PDN#PDN_MPCORE_CFG|PDN_MPCORE_CFG]].<br />
<br />
== CFG_BOOTENV ==<br />
This register is used to determine what the previous running FIRM was. Its value is kept following an MCU reboot. Its initial value (on a cold boot) is 0. NATIVE_FIRM [[Development_Services_PXI|sets it to 1]] on shutdown/FIRM launch. [[Legacy_FIRM_PXI|LGY FIRM]] writes value 3 here when launching a TWL title, and writes value 7 when launching an AGB title.<br />
<br />
NATIVE_FIRM will only launch titles if this is not value 0, and will only save the [[Flash_Filesystem|AGB_FIRM savegame]] to SD if this is value 7.<br />
<br />
== CFG_UNITINFO ==<br />
This 8-bit register is value zero for retail, non-zero for dev/debug units.<br />
<br />
== CFG_TWLUNITINFO ==<br />
In the console-unique TWL key-init/etc function the ARM9 copies the u8 value from REG_UNITINFO to this register.<br />
<br />
This is also used by TWL_FIRM Process9.</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Hardware&diff=19118Hardware2017-01-01T07:45:50Z<p>Dark samus: </p>
<hr />
<div>This page lists and describes the hardware found inside the Nintendo 3DS. Many of these parts are custom made and are expanded upon here or in other pages.<br />
<br />
== Common hardware ==<br />
{| class="wikitable"<br />
! Type !! Description<br />
|-<br />
| ARM11 Processor Core || Old3DS: [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0360f/index.html ARM11 2x MPCore & 2x VFPv2 Co-Processor] 268MHz(~268111855.956 Hz).<br />
<br />
New3DS: 4x MPCore, 4x VFPv2, able to run up to 804MHz (see below). It also has an optional 2MB L2 cache.<br />
|-<br />
| ARM9 Processor Core || [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0201d/index.html ARM946] 134MHz(~134055927.861 Hz),<br />
|-<br />
| GPU || [http://en.wikipedia.org/wiki/PICA200 DMP PICA] 268MHz,<br />
|-<br />
| VRAM || 6 MB within SoC.<br />
|-<br />
| Top screen || 800x240, with only 400 usable pixels per eye per line.<br />
|-<br />
| Bottom screen || 320x240, with resistive touch overlay.<br />
|-<br />
| DSP || [https://twitter.com/CEVADSP/status/177172880918986752 CEVA TeakLite]. 134Mhz. 24ch 32728Hz sampling rates.<br />
|}<br />
<br />
New3DS exclusives are able to clock the CPU at 804MHz, but this appears to be limited to the currently running application/app cores. Timed by running svcGetSystemTick on either side of a long idle loop to stay in the current process context. svcGetSystemTick uses a tick counter running at 268MHz in this mode.<br />
<br />
On New3DS: when Home Menu is active, the system runs at 804MHz. For everything else, it's 268MHz, except when the app(let) has the required flag set. See [[NCCH/Extended_Header|here]] and [[PDN_Registers|here]] for details, regarding clock-rate and cache.<br />
<br />
For New3DS-only there are multiple clock-rate multiplier values available in [[PDN_Registers|hardware]], but since the relevant code is only implemented in the New3DS ARM11-kernel, the only non-normal clock-rate available with official kernel code is 3x.<br />
<br />
== Specifications ==<br />
{| class="wikitable"<br />
! Type !! 3DS !! 3DSXL !! 2DS !! N3DS !! N3DSXL<br />
|-<br />
| SoC || CPU CTR (1048 0H)<br />
CPU CTR (1214 32)<br />
|| CPU CTR A (1226 60)<br />
CPU CTR (1037 21)<br />
|| CPU CTR B (??) || CPU LGR A (1444 86) || CPU LGR A (1446 17)<br />
|-<br />
| FCRAM || [http://www.fujitsu.com/downloads/MICRO/fma/pdf/MB81EDS516545_e511463.pdf 2x64MB Fujitsu MB82M8080-07L] || Fujitsu MB82DBS16641 || Fujitsu MB82DBS1664 || ?? || Fujitsu MB82MK9A9A<br />
|-<br />
| Top Screen || 3.53 in, 3D || 4.88 in, 3D || 3.53 in(?) cropped from a single panel || 3.88 in, 3D || 4.88 in, 3D<br />
|-<br />
| Bottom Screen || 3.00 in || 4.18 in || 3.00 in(?) cropped from a single panel || 3.33 in || 4.18 in<br />
|-<br />
| Storage ||colspan="3"| Toshiba THGBM2G3P1FBAI8 1GB ||colspan="2"| Samsung KLM4G1YEQC 4GB (in 1.3GiB SLC mode)<br />
Toshiba THGBMBG4P1KBAIT 2GB (MLC, approx. 1.8GiB usable)<br />
|-<br />
| Audio Codec || TI PAIC3010B 0AA37DW || ?? || ?? || TI AIC3010B 39C4ETW || TI AIC3010D 48C01JW<br />
|-<br />
| Gyroscope || [http://dl-web.dropbox.com/u/20520664/references/PS-ITG-3200-00-01.4.pdf Invensense ITG-3270 MEMS Gyroscope] || ?? || ?? || ?? || ??<br />
|-<br />
| Accelerometer || ST Micro 2048 33DH X1MAQ Accelerometer Model LIS331DH || ?? || ?? || ?? || ??<br />
|-<br />
| Wifi || Atheros AR6014 || ?? || ?? || ?? || Atheros AR6014G-AL1C<br />
|-<br />
| Infrared IC || NXP S750 0803 TSD031C || ?? || ?? || ?? || NXP S750 1603 TSD438C<br />
|-<br />
| Custom Microcontroller || Renesas UC CTR || ?? || Renesas UC CTR 324KM47 KG10 || Renesas UC KTR || Renesas UC KTR 442KM13 TK14<br />
|-<br />
| PMIC? || TI 93045A4 OAAH86W || ?? || ?? || TI 93045A4 38A6TYW G2 || TI 93045A4 49AF3NW G2<br />
|}<br />
<br />
* [11] Official Documentation<br />
<br />
* [5],[10] According to iFixit.com ([http://www.ifixit.com/Teardown/Nintendo-3DS-Teardown/5029/1#s22696 source]):<br />
<br />
* Datasheet for memory is for a chip in the same series, it has less memory than the one inside the 3DS (128mbits vs 512mbits).<br />
<br />
* There is a trove of data on the FCC website at [https://fjallfoss.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=462292&fcc_id=%27EW4DWMW028%27].<br />
<br />
* [12] This IC is somewhat similar to [http://www.alldatasheet.net/datasheet-pdf/pdf/347838/NXP/SC16IS750IBS.html this].<br />
<br />
== FCRAM ==<br />
<br />
There is one FCRAM (Fast Cycle RAM) IC in the 3DS, produced by Fujitsu and branded as MB82M8080-07L. The Fujitsu MB82M8080-07L chip internally contains 2 dies, where each die is branded MB81EDS516545 and MB82DBS08645.<br />
<br />
The MB81EDS516545 die is a CMOS Fast Cycle Random Access Memory (FCRAM) with Low Power Double Data Rate (LPDDR) SDRAM Interface containing 512MBit storage accessible in a 64-bit format. The MB81EDS516545 is suited for consumer applications requiring high data bandwidth with low power consumption.<br />
<br />
<br />
== SoC ==<br />
<br />
The 3DS has much of it's internals housed in a SoC (System on Chip) just like it's predecessors. This is done to reduce build costs, cut down on power consumption, as well as make the PCB layout less complex and make the system harder to tamper with. The SoC, branded as the Nintendo 1048 0H, contains the CPU, GPU, DSP and VRAM.<br />
<br />
According to official documents, the CPU used is a dual-core ARM11 CPU, clocked at 268MHz. One core is dedicated to system software, while the other is used for application programming, each known as the syscore and appcore, respectively.<br />
<br />
<br />
== GPU ==<br />
<br />
Designed by Digital Media Professionals Inc. (DMP) and codenamed PICA200, 268Mhz.<br />
<br />
Block diagram of an ULTRAY2000 based architecture PICA200:<br />
<br />
[[File:Pica200BlockDiagram.png]]<br />
<br />
PICA200 is compatible with OpenGL ES 1.1. It furthermore provides unique functionality for:<br />
* Per-fragment lighting ("Lighting Maestro")<br />
* Hard- and soft-shadowing ("Shadow Maestro")<br />
* Polygon subdivision ("Figure Maestro")<br />
* Bump mapping and procedural textures ("Mapping Maestro")<br />
* Rendering of gaseous objects ("Particle Maestro")<br />
<br />
Some parts of the extended functionality are provided in hardware by an extended geometry pipeline. Most importantly, PICA200 has three programmable vertex processors. There is furthermore a unit called [[GPU/Primitive_Engine|Primitive Engine]], which is a geometry shader unit (using the same instruction set as vertex shaders) with support for variable-size primitives. The Primitive Engine functionality may be disabled, and the geometry shader unit then acts as a fourth vertex processor. See [[Shader_Instruction_Set]] for more information on the shader instruction set.<br />
<br />
[[GPU/Fragment Lighting|Fragment lighting]] is implemented as an optional pipeline step during pixel processing. It's implemented by having the vertex shader output an additional attribute describing the transformation (represented by a quaternion) to surface-local space. This per-vertex quaternion can then be interpolated across screen space to calculate dot products relevant for lighting (e.g. light vector dot normal vector). To provide support for advanced lighting models, these dot products are used as indices into programmable lookup tables. With this setup, PICA200 in particular supports the shading models Blinn-Phong, Cook-Terrance, Ward, and microfacet-based BRDF-models.<br />
<br />
PICA200 supports four texture units, the fourth of which is used exclusively for [[GPU/Procedural Texture Generation|procedural texture generation]].<br />
<br />
== SDIO controller ==<br />
<br />
Nintendo recommends SD cards up to 32 GB however the internal SDIO controller seems to support SD cards up to 2.19 Terabyte (32-bit sector number). It's unknown if it really can handle that much. 128 GB was tested and works fine however it causes a major slowdown of the system especially at boot.<br />
<br />
== Images ==<br />
<br />
=== Front ===<br />
<br />
[[Image:CTR_Front.jpg|600px]]<br />
<br />
[http://guide-images.ifixit.net/igi/ishJaSCOwLkvbLYK High Resolution]<br />
<br />
=== Back ===<br />
<br />
[[Image:CTR_Back.jpg]]<br />
<br />
[http://guide-images.ifixit.net/igi/n1CKAdbPrHyNPNuW High Resolution]<br />
<br />
=== NAND pinout ===<br />
<br />
NAND dumping has been successful, but the image is encrypted.<br />
<br />
==== Normal model ====<br />
<br />
[[Image:CTR_NAND_pinout.png]]<br />
<br />
==== XL model ====<br />
<br />
[[Image:CTR_NAND_pinout_XL.jpg|500px]]<br />
<br />
==== 2DS ====<br />
<br />
[[Image:2DSeMMC.jpg|500px]]<br />
<br />
==== New 3DS ====<br />
<br />
[[Image:N3DSeMMC.jpg]]<br />
<br />
==== New 3DS XL ====<br />
<br />
[[Image:N3DSXLeMMC.jpg]]<br />
<br />
=== WiFi dongle pinout ===<br />
[[Image:CTR_WiFiDongle_pinout.png|600px]]<br />
<br />
SDIO interface is colored red: <br />
* CLK<br />
* CMD<br />
* D0, D1, D2, D3<br />
<br />
This is the interface for the 'NEW' WiFi module (based on Atheros AR6002) first included in DSi.<br />
<br />
The proprietary DS-mode WiFi is colored yellow, pins are unknown.<br />
<br />
I²C eeprom is colored blue:<br />
* SCL<br />
* SDA<br />
<br />
SPI Flash is colored purple:<br />
* CLK<br />
* CS#<br />
* SI<br />
* SO<br />
* WP#<br />
* NC<br />
<br />
=== Auxiliary Microcontroller (MCU) ===<br />
[[Image:CTR_UC.png|600px]]<br />
<br />
Monitors HOME button, WiFi switch, 3D slider, volume control slider.<br />
Controls LEDs, various power supplies via an I²C connection to the PMIC.<br />
<br />
Two I²C buses are attached to the MCU. For one, the SoC is the master; for the other, the MCU is the master.<br />
<br />
Devices attached to MCU master I²C bus:<br />
* MCU (master)<br />
* Fuel Gauge<br />
* Accelerometer (slave address 0x18)<br />
* PMIC<br />
* maybe more?<br />
<br />
Devices attached the the SoC master I²C bus:<br />
* SoC (master)<br />
* MCU<br />
* LCD<br />
* Camera<br />
* QTM (New3DS-only)<br />
<br />
The MCU uses the [http://mcs.uwsuper.edu/sb/327/Resources/RL78.pdf RL78 ISA].<br />
<br />
The MCU uses some custom Special Function Registers, but documentation for much of the hardware protocol/general SFRs can be found [http://courses.ee.sun.ac.za/Computer_Systems_245/Dokumentasie/RL78%20hardware%20manual%20(registers).pdf here].</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Hardware&diff=19117Hardware2017-01-01T07:30:35Z<p>Dark samus: </p>
<hr />
<div>This page lists and describes the hardware found inside the Nintendo 3DS. Many of these parts are custom made and are expanded upon here or in other pages.<br />
<br />
== Common hardware ==<br />
{| class="wikitable"<br />
! Type !! Description<br />
|-<br />
| ARM11 Processor Core || Old3DS: [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0360f/index.html ARM11 2x MPCore & 2x VFPv2 Co-Processor] 268MHz(~268111855.956 Hz).<br />
<br />
New3DS: 4x MPCore, 4x VFPv2, able to run up to 804MHz (see below). It also has an optional 2MB L2 cache.<br />
|-<br />
| ARM9 Processor Core || [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0201d/index.html ARM946] 134MHz(~134055927.861 Hz),<br />
|-<br />
| GPU || [http://en.wikipedia.org/wiki/PICA200 DMP PICA] 268MHz,<br />
|-<br />
| VRAM || 6 MB within SoC.<br />
|-<br />
| Top screen || 800x240, with only 400 usable pixels per eye per line.<br />
|-<br />
| Bottom screen || 320x240, with resistive touch overlay.<br />
|-<br />
| DSP || [https://twitter.com/CEVADSP/status/177172880918986752 CEVA TeakLite]. 134Mhz. 24ch 32728Hz sampling rates.<br />
|}<br />
<br />
New3DS exclusives are able to clock the CPU at 804MHz, but this appears to be limited to the currently running application/app cores. Timed by running svcGetSystemTick on either side of a long idle loop to stay in the current process context. svcGetSystemTick uses a tick counter running at 268MHz in this mode.<br />
<br />
On New3DS: when Home Menu is active, the system runs at 804MHz. For everything else, it's 268MHz, except when the app(let) has the required flag set. See [[NCCH/Extended_Header|here]] and [[PDN_Registers|here]] for details, regarding clock-rate and cache.<br />
<br />
For New3DS-only there are multiple clock-rate multiplier values available in [[PDN_Registers|hardware]], but since the relevant code is only implemented in the New3DS ARM11-kernel, the only non-normal clock-rate available with official kernel code is 3x.<br />
<br />
== Specifications ==<br />
{| class="wikitable"<br />
! Type !! 3DS !! 3DSXL !! 2DS !! N3DS !! N3DSXL<br />
|-<br />
| SoC || CPU CTR (1048 0H)<br />
CPU CTR (1214 32)<br />
|| CPU CTR A (1226 60)<br />
CPU CTR (1037 21)<br />
|| CPU CTR B (??) || CPU LGR A (1444 86) || CPU LGR A (1446 17)<br />
|-<br />
| FCRAM || [http://www.fujitsu.com/downloads/MICRO/fma/pdf/MB81EDS516545_e511463.pdf 2x64MB Fujitsu MB82M8080-07L] || Fujitsu MB82DBS16641 || Fujitsu MB82DBS1664 || ?? || Fujitsu MB82MK9A9A<br />
|-<br />
| Top Screen || 3.53 in, 3D || 4.88 in, 3D || 3.53 in(?) cropped from a single panel || 3.88 in, 3D || 4.88 in, 3D<br />
|-<br />
| Bottom Screen || 3.00 in || 4.18 in || 3.00 in(?) cropped from a single panel || 3.33 in || 4.18 in<br />
|-<br />
| Storage ||colspan="3"| Toshiba THGBM2G3P1FBAI8 1GB ||colspan="2"| Samsung KLM4G1YEQC 4GB (in 1.3GiB SLC mode)<br />
Toshiba THGBMBG4P1KBAIT 2GB (MLC, approx. 1.8GiB usable)<br />
|-<br />
| Audio Codec || TI PAIC3010B 0AA37DW || ?? || ?? || TI AIC3010B 39C4ETW || TI AIC3010D 48C01JW<br />
|-<br />
| Gyroscope || [http://dl-web.dropbox.com/u/20520664/references/PS-ITG-3200-00-01.4.pdf Invensense ITG-3270 MEMS Gyroscope] || ?? || ?? || ?? || ??<br />
|-<br />
| Accelerometer || ST Micro 2048 33DH X1MAQ Accelerometer Model LIS331DH || ?? || ?? || ?? || ??<br />
|-<br />
| Wifi || Atheros AR6014 || ?? || ?? || ?? || Atheros AR6014G-AL1C<br />
|-<br />
| Infrared IC || NXP S750 0803 TSD031C || ?? || ?? || ?? || NXP S750 1603 TSD438C<br />
|-<br />
| Custom Microcontroller || Renesas UC CTR || ?? || Renesas UC CTR 324KM47 KG10 || Renesas UC KTR || Renesas UC KTR 442KM13 TK14<br />
|-<br />
| PMIC? || TI 93045A4 OAAH86W || ?? || ?? || TI 93045A4 38A6TYW G2 || TI 93045A4 49AF3NW G2<br />
|}<br />
<br />
* [11] Official Documentation<br />
<br />
* [5],[10] According to iFixit.com ([http://www.ifixit.com/Teardown/Nintendo-3DS-Teardown/5029/1#s22696 source]):<br />
<br />
* Datasheet for memory is for a chip in the same series, it has less memory than the one inside the 3DS (128mbits vs 512mbits).<br />
<br />
* There is a trove of data on the FCC website at [https://fjallfoss.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=462292&fcc_id=%27EW4DWMW028%27].<br />
<br />
* [12] This IC is somewhat similar to [http://www.alldatasheet.net/datasheet-pdf/pdf/347838/NXP/SC16IS750IBS.html this].<br />
<br />
== FCRAM ==<br />
<br />
There is one FCRAM (Fast Cycle RAM) IC in the 3DS, produced by Fujitsu and branded as MB82M8080-07L. The Fujitsu MB82M8080-07L chip internally contains 2 dies, where each die is branded MB81EDS516545 and MB82DBS08645.<br />
<br />
The MB81EDS516545 die is a CMOS Fast Cycle Random Access Memory (FCRAM) with Low Power Double Data Rate (LPDDR) SDRAM Interface containing 512MBit storage accessible in a 64-bit format. The MB81EDS516545 is suited for consumer applications requiring high data bandwidth with low power consumption.<br />
<br />
<br />
== SoC ==<br />
<br />
The 3DS has much of it's internals housed in a SoC (System on Chip) just like it's predecessors. This is done to reduce build costs, cut down on power consumption, as well as make the PCB layout less complex and make the system harder to tamper with. The SoC, branded as the Nintendo 1048 0H, contains the CPU, GPU, DSP and VRAM.<br />
<br />
According to official documents, the CPU used is a dual-core ARM11 CPU, clocked at 268MHz. One core is dedicated to system software, while the other is used for application programming, each known as the syscore and appcore, respectively.<br />
<br />
<br />
== GPU ==<br />
<br />
Designed by Digital Media Professionals Inc. (DMP) and codenamed PICA200, 268Mhz.<br />
<br />
Block diagram of an ULTRAY2000 based architecture PICA200:<br />
<br />
[[File:Pica200BlockDiagram.png]]<br />
<br />
PICA200 is compatible with OpenGL ES 1.1. It furthermore provides unique functionality for:<br />
* Per-fragment lighting ("Lighting Maestro")<br />
* Hard- and soft-shadowing ("Shadow Maestro")<br />
* Polygon subdivision ("Figure Maestro")<br />
* Bump mapping and procedural textures ("Mapping Maestro")<br />
* Rendering of gaseous objects ("Particle Maestro")<br />
<br />
Some parts of the extended functionality are provided in hardware by an extended geometry pipeline. Most importantly, PICA200 has three programmable vertex processors. There is furthermore a unit called [[GPU/Primitive_Engine|Primitive Engine]], which is a geometry shader unit (using the same instruction set as vertex shaders) with support for variable-size primitives. The Primitive Engine functionality may be disabled, and the geometry shader unit then acts as a fourth vertex processor. See [[Shader_Instruction_Set]] for more information on the shader instruction set.<br />
<br />
[[GPU/Fragment Lighting|Fragment lighting]] is implemented as an optional pipeline step during pixel processing. It's implemented by having the vertex shader output an additional attribute describing the transformation (represented by a quaternion) to surface-local space. This per-vertex quaternion can then be interpolated across screen space to calculate dot products relevant for lighting (e.g. light vector dot normal vector). To provide support for advanced lighting models, these dot products are used as indices into programmable lookup tables. With this setup, PICA200 in particular supports the shading models Blinn-Phong, Cook-Terrance, Ward, and microfacet-based BRDF-models.<br />
<br />
PICA200 supports four texture units, the fourth of which is used exclusively for [[GPU/Procedural Texture Generation|procedural texture generation]].<br />
<br />
== SDIO controller ==<br />
<br />
Nintendo recommends SD cards up to 32 GB however the internal SDIO controller seems to support SD cards up to 2.19 Terabyte (32-bit sector number). It's unknown if it really can handle that much. 128 GB was tested and works fine however it causes a major slowdown of the system especially at boot.<br />
<br />
== Images ==<br />
<br />
=== Front ===<br />
<br />
[[Image:CTR_Front.jpg|600px]]<br />
<br />
[http://guide-images.ifixit.net/igi/ishJaSCOwLkvbLYK High Resolution]<br />
<br />
=== Back ===<br />
<br />
[[Image:CTR_Back.jpg]]<br />
<br />
[http://guide-images.ifixit.net/igi/n1CKAdbPrHyNPNuW High Resolution]<br />
<br />
=== NAND pinout ===<br />
<br />
NAND dumping has been successful, but the image is encrypted.<br />
<br />
==== Normal model ====<br />
<br />
[[Image:CTR_NAND_pinout.png]]<br />
<br />
==== XL model ====<br />
<br />
[[Image:CTR_NAND_pinout_XL.jpg|500px]]<br />
<br />
==== 2DS ====<br />
<br />
[[Image:2DSeMMC.jpg|500px]]<br />
<br />
==== New 3DS ====<br />
<br />
[[Image:N3DSeMMC.jpg]]<br />
<br />
==== New 3DS XL ====<br />
<br />
[[Image:N3DSXLeMMC.jpg]]<br />
<br />
=== WiFi dongle pinout ===<br />
[[Image:CTR_WiFiDongle_pinout.png|600px]]<br />
<br />
SDIO interface is colored red: <br />
* CLK<br />
* CMD<br />
* D0, D1, D2, D3<br />
<br />
This is the interface for the 'NEW' WiFi module (based on Atheros AR6002) first included in DSi.<br />
<br />
The proprietary and by now ancient DS-mode WiFi is colored yellow, pins are unknown.<br />
<br />
I²C eeprom is colored blue:<br />
* SCL<br />
* SDA<br />
<br />
SPI Flash is colored purple:<br />
* CLK<br />
* CS#<br />
* SI<br />
* SO<br />
* WP#<br />
* NC<br />
<br />
=== Auxiliary Microcontroller (MCU) ===<br />
[[Image:CTR_UC.png|600px]]<br />
<br />
Monitors HOME button, WiFi switch, 3D slider, volume control slider.<br />
Controls LEDs, various power supplies via an I²C connection to the PMIC.<br />
<br />
Two I²C buses are attached to the MCU. For one, the SoC is the master; for the other, the MCU is the master.<br />
<br />
Devices attached to MCU master I²C bus:<br />
* MCU (master)<br />
* Fuel Gauge<br />
* Accelerometer (slave address 0x18)<br />
* PMIC<br />
* maybe more?<br />
<br />
Devices attached the the SoC master I²C bus:<br />
* SoC (master)<br />
* MCU<br />
* LCD<br />
* Camera<br />
* QTM (New3DS-only)<br />
<br />
The MCU uses the [http://mcs.uwsuper.edu/sb/327/Resources/RL78.pdf RL78 ISA].<br />
<br />
The MCU uses some custom Special Function Registers, but documentation for much of the hardware protocol/general SFRs can be found [http://courses.ee.sun.ac.za/Computer_Systems_245/Dokumentasie/RL78%20hardware%20manual%20(registers).pdf here].</div>Dark samushttps://www.3dbrew.org/w/index.php?title=I2C_Registers&diff=18902I2C Registers2016-12-14T23:40:51Z<p>Dark samus: /* Device 3 */</p>
<hr />
<div>= Registers =<br />
{| class="wikitable" border="1"<br />
! Old3DS<br />
! Name<br />
! Address<br />
! Width<br />
! Used by<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_DATA<br />
| 0x10161000<br />
| 1<br />
| I2C bus 1 devices<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C1_CNT]]<br />
| 0x10161001<br />
| 1<br />
| I2C bus 1 devices<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_CNTEX<br />
| 0x10161002<br />
| 2<br />
| I2C bus 1 devices<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_SCL<br />
| 0x10161004<br />
| 2<br />
| I2C bus 1 devices<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_DATA<br />
| 0x10144000<br />
| 1<br />
| I2C bus 2 devices<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C2_CNT]]<br />
| 0x10144001<br />
| 1<br />
| I2C bus 2 devices<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_CNTEX<br />
| 0x10144002<br />
| 2<br />
| I2C bus 2 devices<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_SCL<br />
| 0x10144004<br />
| 2<br />
| I2C bus 2 devices<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_DATA<br />
| 0x10148000<br />
| 1<br />
| I2C bus 3 devices<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C3_CNT]]<br />
| 0x10148001<br />
| 1<br />
| I2C bus 3 devices<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_CNTEX<br />
| 0x10148002<br />
| 2<br />
| I2C bus 3 devices<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_SCL<br />
| 0x10148004<br />
| 2<br />
| I2C bus 3 devices<br />
|}<br />
<br />
== I2C_CNT ==<br />
{| class="wikitable" border="1"<br />
! BIT<br />
! DESCRIPTION<br />
|-<br />
| 0<br />
| Stop (0=No, 1=Stop/last byte)<br />
|-<br />
| 1<br />
| Start (0=No, 1=Start/first byte)<br />
|-<br />
| 2<br />
| Pause (0=Transfer Data, 1=Pause after Error, used with/after Stop)<br />
|-<br />
| 4<br />
| Ack Flag (0=Error, 1=Okay) (For DataRead: W, for DataWrite: R)<br />
|-<br />
| 5<br />
| Data Direction (0=Write, 1=Read)<br />
|-<br />
| 6<br />
| Interrupt Enable (0=Disable, 1=Enable)<br />
|-<br />
| 7<br />
| Start/busy (0=Ready, 1=Start/busy)<br />
|}<br />
<br />
= I2C Devices =<br />
{| class="wikitable" border="1"<br />
! [[I2C_Registers|Device id]]<br />
! Device bus id<br />
! Device Write Address<br />
! Accessible via I2C [[I2C_Services|service]]<br />
! Device description<br />
|-<br />
| 0<br />
| 1<br />
| 0x4a<br />
| "i2c::MCU"<br />
| Power management?(same device addr as the DSi power-management)<br />
|-<br />
| 1<br />
| 1<br />
| 0x7a<br />
| "i2c::CAM"<br />
| Camera0?(same dev-addr as DSi cam0)<br />
|-<br />
| 2<br />
| 1<br />
| 0x78<br />
| "i2c::CAM"<br />
| Camera1?(same dev-addr as DSi cam1)<br />
|-<br />
| 3<br />
| 2<br />
| 0x4a<br />
| "i2c::MCU"<br />
| MCU<br />
|-<br />
| 4<br />
| 2<br />
| 0x78<br />
| "i2c::CAM"<br />
| ?<br />
|-<br />
| 5<br />
| 2<br />
| 0x2c<br />
| "i2c::LCD"<br />
| ?<br />
|-<br />
| 6<br />
| 2<br />
| 0x2e<br />
| "i2c::LCD"<br />
| ?<br />
|-<br />
| 7<br />
| 2<br />
| 0x40<br />
| "i2c::DEB"<br />
| ?<br />
|-<br />
| 8<br />
| 2<br />
| 0x44<br />
| "i2c::DEB"<br />
| ?<br />
|-<br />
| 9<br />
| 3<br />
| 0xa6<br />
| "i2c::HID"<br />
| Unknown. The device table in I2C-module had the device address changed from 0xA6 to 0xD6 with [[8.0.0-18]].<br />
|-<br />
| 10<br />
| 3<br />
| 0xd0<br />
| "i2c::HID"<br />
| Gyroscope<br />
|-<br />
| 11<br />
| 3<br />
| 0xd2<br />
| "i2c::HID"<br />
| ?<br />
|-<br />
| 12<br />
| 3<br />
| 0xa4<br />
| "i2c::HID"<br />
| DebugPad<br />
|-<br />
| 13<br />
| 3<br />
| 0x9a<br />
| "i2c::IR"<br />
| IR<br />
|-<br />
| 14<br />
| 3<br />
| 0xa0<br />
| "i2c::EEP"<br />
| eeprom?<br />
|-<br />
| 15<br />
| 2<br />
| 0xee<br />
| "i2c::NFC"<br />
| New3DS-only [[NFC_Services|NFC]]<br />
|-<br />
| 16<br />
| 1<br />
| 0x40<br />
| "i2c::QTM"<br />
| New3DS-only [[QTM_Services|QTM]]<br />
|-<br />
| 17<br />
| 3<br />
| 0x54<br />
| "i2c::IR"<br />
| Used by IR-module starting with [[8.0.0-18]], for New3DS-only HID via "ir:rst". This deviceid doesn't seem to be supported by i2c module on [[8.0.0-18]](actual support was later added in New3DS i2c module).<br />
|}<br />
<br />
'''Notice''': These device addresses are used for writing to the respective device, for reading bit0 must be set (see I2C protocol). Thus, the actual device address is >> 1.<br />
<br />
== Device 3 ==<br />
{| class="wikitable" border="1"<br />
! REGISTER<br />
! WIDTH<br />
! DESCRIPTION <br />
|-<br />
| 0x00<br />
| 1<br />
| Version high<br />
|-<br />
| 0x01<br />
| 1<br />
| Version low<br />
|-<br />
| 0x03<br />
| 8<br />
| ?<br />
|-<br />
| 0x04<br />
| 8<br />
| ?<br />
|-<br />
| 0x05<br />
| 0x4003?<br />
| Danger zone - [[MCU_Services#MCU_firmware_versions|MCU firmware]] is uploaded here<br />
|-<br />
| 0x08<br />
| 1<br />
| 3D slider position 0x9..0xFB<br />
|-<br />
| 0x09<br />
| 1<br />
| Sound volume: 0x0..0x3F.<br />
|-<br />
| 0xB<br />
| 1<br />
| Battery level: 0x0..0x40.<br />
|-<br />
| 0xF<br />
| 1<br />
| Flags: bit7-5 are read via [[MCU_Services|mcu::GPU]]. The rest of these are read via [[MCU_Services|mcu::RTC]]: bit4 = BatteryChargeState. bit3 = AdapterState. bit1 = ShellState.<br />
|-<br />
| 0x10<br />
| 1<br />
| Special HID status flags: bit0 = power button pressed, bit1 = power button pressed long, bit2 = home button pressed, bit3 = home button released, bit4 = wifi slider enabled, bit5 = shell got closed, bit6 = shell got opened. If nothing has changed this register is 0.<br />
|-<br />
| 0x12<br />
| 1<br />
| 0x40 if volume slider position changed<br />
|-<br />
| 0x18<br />
| 8<br />
| ?<br />
|-<br />
| 0x20<br />
| 8<br />
| System power control - bit0 = power off, bit1 = reboot (unused?). bit2 = reboot (used by mcu-module and LgyBg). bit3 = used by LgyBg to power off, causes hangs in 3DS-mode. bit4 = doesn't seem to do anything, but an mcu::RTC command uses this. Other bits are unused, and seem to do nothing.<br />
|-<br />
| 0x22<br />
| 8<br />
| Used to set LCD states. bit0 = don't push to LCDs, bit1 = push to LCDs, bit2 = bottom screen backlight off, bit3 = bottom screen backlight on, bit4 = top screen backlight off, bit5 = top screen backlight on<br />
|-<br />
| 0x23<br />
| 8<br />
| ?<br />
|-<br />
| 0x24<br />
| 8<br />
| Watchdog timer. This must be set *before* the timer is triggered, otherwise the old value is used. Value zero disables the watchdog.<br />
|-<br />
| 0x28<br />
| 8<br />
| Brightness of the WiFi/Power LED<br />
|-<br />
| 0x29<br />
| 8<br />
| ?<br />
|-<br />
| 0x2A<br />
| 8<br />
| Setting bits 0-7 enable the WiFi LED<br />
|-<br />
| 0x2B<br />
| 8<br />
| Camera LED, Setting bit 0 makes the LED blink, setting bit 1 makes the LED stay on<br />
|-<br />
| 0x2C<br />
| 8<br />
| setting bits 0-7 turn on the 3D LED on the original 3ds<br />
|-<br />
| 0x2D<br />
| 0x64<br />
| This is used for [[MCURTC:SetInfoLEDPattern|controlling]] the notification LED(see [[MCURTC:SetInfoLEDPatternHeader]] as well), when this register is written.<br />
|-<br />
| 0x2E<br />
| 1<br />
| This [[MCURTC:GetInfoLEDStatus|returns]] the notification LED status when read.<br />
|-<br />
| 0x30<br />
| 8<br />
| RTC time (system clock). 7 bytes are read from this. The upper nibble of each byte encodes 10s (BCD), so each byte is post-processed with (byte & 0xF) + (10 * (byte >> 4)). Byte 0 encodes seconds, byte 1 minutes, byte 2 hours, byte *4* days, byte 5 months and byte 6 years (byte 3 is unused?)<br />
|-<br />
| 0x31<br />
| 8<br />
| ?<br />
|-<br />
| 0x32<br />
| 8<br />
| ?<br />
|-<br />
| 0x33<br />
| 8<br />
| ?<br />
|-<br />
| 0x34<br />
| 8<br />
| ?<br />
|-<br />
| 0x35<br />
| 8<br />
| ?<br />
|-<br />
| 0x36<br />
| 8<br />
| ?<br />
|-<br />
| 0x37<br />
| 8<br />
| ?<br />
|-<br />
| 0x38<br />
| 8<br />
| ?<br />
|-<br />
| 0x39<br />
| 8<br />
| ?<br />
|-<br />
| 0x3A<br />
| 8<br />
| ?<br />
|-<br />
| 0x3B<br />
| 8<br />
| ?<br />
|-<br />
| 0x3C<br />
| 8<br />
| ?<br />
|-<br />
| 0x41<br />
| 8<br />
| ?<br />
|-<br />
| 0x43<br />
| 8<br />
| ?<br />
|-<br />
| 0x4E<br />
| 8<br />
| ?<br />
|-<br />
| 0x50<br />
| 8<br />
| ?<br />
|-<br />
| 0x51<br />
| 8<br />
| ?<br />
|-<br />
| 0x58<br />
| 8<br />
| ?<br />
|-<br />
| 0x60<br />
| 8<br />
| Offset in u8 array accessed via address 0x61 (written before any read/write below)<br />
|-<br />
| 0x61<br />
| 0x100<br />
| Reads/writes to an MCU u8 array, repeats after 0x100 bytes? The first byte is used to store flags for managing FIRM/NS state - bit0 = "WirelessDisabled", bit1 = "SoftwareClosed", bit2 = "PowerOffInitiated", bit4 = "LegacyJumpProhibited". This register survives power-off, but does not seem to be saved to non-volatile storage (does not survive battery pulls). This register doesn't seem to actually control MCU behaviour by itself, it just seems to be used for storing arbitrary data.<br />
|}<br />
<br />
== Device 5 & 6 ==<br />
LCD controllers for main/sub displays, most likely.<br />
<br />
{| class="wikitable" border="1"<br />
! Register<br />
! Width<br />
! Name<br />
! Description<br />
|-<br />
| 0x1<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x11<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x40<br />
| 8<br />
| CMD_IN/CMD_RESULT1<br />
| Write to trigger a command? Seen commands: 0xFF=Reset?, 0x62=IsFinished?. Result is stored in CMD_RESULT1:CMD_RESULT0.<br />
|-<br />
| 0x41<br />
| 8<br />
| CMD_RESULT0<br />
| Read result <br />
|-<br />
| 0x50<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x60<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0xFE<br />
| 8<br />
| ?<br />
| <br />
|}<br />
<br />
== Device 10 ==<br />
See the datasheet linked to on the [[Hardware]] page for reference.<br />
<br />
== Device 12 ==<br />
{| class="wikitable" border="1"<br />
! REGISTER<br />
! WIDTH<br />
! DESCRIPTION <br />
|-<br />
| 0x0<br />
| 21<br />
| DebugPad state.<br />
|}<br />
<br />
This is the DebugPad device, see [[HID_Shared_Memory|here]].<br />
<br />
== Device 13 ==<br />
{| class="wikitable" border="1"<br />
! Raw I2C register address<br />
! Internal register address<br />
! Width<br />
! Description <br />
|-<br />
| 0x0<br />
| 0x0<br />
| 0x40<br />
| RHR / THR (data receive/send FIFO)<br />
|-<br />
| 0x8<br />
| 0x1<br />
| 0x1<br />
| IER<br />
|-<br />
| 0x10<br />
| 0x2<br />
| 0x1<br />
| FCR/IIR<br />
|-<br />
| 0x18<br />
| 0x3<br />
| 0x1<br />
| LCR<br />
|-<br />
| 0x20<br />
| 0x4<br />
| 0x1<br />
| MCR<br />
|-<br />
| 0x28<br />
| 0x5<br />
| 0x1<br />
| LSR<br />
|-<br />
| 0x30<br />
| 0x6<br />
| 0x1<br />
| MSR/TCR<br />
|-<br />
| 0x38<br />
| 0x7<br />
| 0x1<br />
| SPR/TLR<br />
|-<br />
| 0x40<br />
| 0x8<br />
| 0x1<br />
| TXLVL<br />
|-<br />
| 0x48<br />
| 0x9<br />
| 0x1<br />
| RXLVL<br />
|-<br />
| 0x50<br />
| 0xA<br />
| 0x1<br />
| IODir<br />
|-<br />
| 0x58<br />
| 0xB<br />
| 0x1<br />
| IOState<br />
|-<br />
| 0x60<br />
| 0xC<br />
| 0x1<br />
| IoIntEna<br />
|-<br />
| 0x68<br />
| 0xD<br />
| 0x1<br />
| reserved<br />
|-<br />
| 0x70<br />
| 0xE<br />
| 0x1<br />
| IOControl<br />
|-<br />
| 0x78<br />
| 0xF<br />
| 0x1<br />
| EFCR<br />
|}<br />
<br />
See the [http://www.alldatasheet.net/datasheet-pdf/pdf/347838/NXP/SC16IS750IBS.html datasheet] linked to on the [[Hardware]] page for reference. From that datasheet, for the structure of the I2C register address u8: "Bit 0 is not used, bits 2:1 select the channel, bits 6:3 select one of the UART internal registers. Bit 7 is not used with the I2C-bus interface, but it is used by the SPI interface to indicate a read or a write operation."<br />
<br />
== Device 15 ==<br />
This the New3DS [[NFC_Services|NFC]] controller "I2C" interface. This device is accessed via the WriteDeviceRaw/ReadDeviceRaw I2C service [[I2C_Services|commands]].<br />
<br />
Since the *Raw commands are used with this, this device has no I2C registers. Instead, raw data is transfered after the I2C device is selected. Hence, WriteDeviceRaw is used for sending commands to the controller, while ReadDeviceRaw is for receiving responses from the controller. Certain commands may return multiple command responses.<br />
<br />
Command request / response structure:<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x1<br />
| Normally 0x10?<br />
|-<br />
| 0x1<br />
| 0x1<br />
| Command source / destination.<br />
|-<br />
| 0x2<br />
| 0x1<br />
| CmdID<br />
|-<br />
| 0x3<br />
| 0x1<br />
| Payload size.<br />
|}<br />
<br />
Following the above header is the payload data(when payload size is non-zero), with the size specified in the header. The command response payload is usually at least 1-byte, where that byte appears to be normally 0x0. For command requests the payload data is the command parameters.<br />
<br />
For command requests sent to the NFC tag itself, Cmd[1]=0x0 and CmdID=0x0. The command request payload data here is the actual command request data for the NFC tag, starting with the CmdID u8 at payload+0.<br />
<br />
During NFC module startup, a certain command is sent to the controller which eventually(after various cmd-reply headers etc) returns the following the payload after the first byte in the payload:<br />
000000: 44 65 63 20 32 32 20 32 30 31 32 31 34 3a 35 33 Dec 22 201214:53 <br />
000010: 3a 35 30 01 05 0d 46 05 1b 79 20 07 32 30 37 39 :50...F..y .2079<br />
000020: 31 42 35 1B5<br />
<br />
Or that is: "Dec 22 201214:53:50<binary>20791B5". Therefore, this appears to return the part-number of the NFC controller(other command request(s) / response(s) use this part-number value too).<br />
<br />
=== NFC controller commands ===<br />
{| class="wikitable" border="1"<br />
! CmdRequest[1]<br />
! CmdID<br />
! Payload data for parameters<br />
! Description<br />
|-<br />
| 0x2E<br />
| 0x2F<br />
| Firmware image for this chunk, size varies.<br />
| This is used during NFC module startup to upload the firmware image to the NFC controller. This is used repeatedly to upload multiple chunks of the image.<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=3DS_System_Flaws&diff=183103DS System Flaws2016-09-27T18:02:48Z<p>Dark samus: hopefully stop the edit wars :P</p>
<hr />
<div>Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of publicly known system flaws, for userland applications/applets flaws see [[3DS_Userland_Flaws|here]].<br />
<br />
=Stale / Rejected Efforts=<br />
* Neimod has been working on a RAM dumping setup for a little while now. He's de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS' PCB up to a custom RAM dumping setup. A while ago he published photos showing his setup to be working quite well, with the 3DS successfully booting up. However, his flickr stream is now private along with most of his work.<br />
<br />
* Someone (who will remain unnamed) has released CFW and CIA installers, all of which is copied from the work of others, or copyrighted material.<br />
<br />
==Tips and info==<br />
The 3DS uses the XN feature of the ARM11 processor. There's no official way from applications to enable executable permission for memory containing arbitrary unsigned code(there's a [[SVC]] for this, but only [[RO_Services|RO-module]] has access to it). An usable userland exploit would still be useful: you could only do return-oriented-programming with it initially. From ROP one could then exploit system flaw(s), see below.<br />
<br />
SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped(accessing SD data is far easier by running code on the target 3DS however).<br />
<br />
=System flaws=<br />
== Hardware ==<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with hardware model/revision<br />
! Newest hardware model/revision this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| ARM9/ARM11 bootrom vectors point at unitialized RAM<br />
| ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM. <br />
Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc.<br />
The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.<br />
<br />
This requires *very* *precise* timing for triggering the hardware fault: it's unknown if anyone actually exploited this successfully at the time of writing(the one who attempted+discovered it *originally* as listed in this wiki section hasn't).<br />
| None: all available 3DS models at the time of writing have the exact same ARM9/ARM11 bootrom for the unprotected areas.<br />
| New3DS<br />
| End of February 2014<br />
| [[User:Derrek|derrek]], WulfyStylez (May 2015) independently<br />
|-<br />
| Missing AES key clearing<br />
| The hardware AES engine does not clear keys when doing a hard reset/reboot.<br />
| None<br />
| New3DS<br />
| August 2014<br />
| Mathieulh/Others<br />
|-<br />
| No RAM clearing on reboots<br />
| On an MCU-triggered reboot all RAM including FCRAM/ARM9 memory/AXIWRAM/VRAM keeps its contents.<br />
| None<br />
| New3DS<br />
| March 2014<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| 32bits of actual console-unique TWLNAND keydata<br />
| On retail the 8-bytes at ARM9 address [[Memory_layout|0x01FFB808]] are XORed with hard-coded data, to generate the TWL console-unique keys, including TWLNAND. On Old3DS the high u32 is always 0x0, while on New3DS that u32 is always 0x2. On top of this, the lower u32's highest bit is always ORed. only 31 bits of the TWL console-unique keydata / TWL consoleID are actually console-unique.<br />
This allows one to easily bruteforce the TWL console-unique keydata with *just* data from TWLNAND. On DSi the actual console-unique data for key generation is 8-bytes(all bytes actually set).<br />
| None<br />
| New3DS<br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| DSi / 3DS-TWL key-generator<br />
| After using the key generator to generate the normal-key, you could overwrite parts of the normal-key with your own data and then recover the key-generator output by comparing the new crypto output with the original crypto output. From the normal-key outputs, you could deduce the TWL key-generator function.<br />
This applies to the keyX/keyY too.<br />
<br />
This attack does not work for the 3DS key-generator because keyslots 0-3 are only for TWL keys.<br />
| None<br />
| New3DS<br />
| 2011<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| 3DS key-generator<br />
| The algorithm for generating the normal-keys for keyslots is cryptographically weak. As a result, it is easily susceptible to differential cryptanalysis if the normal-key corresponding to any scrambler-generated keyslot is discovered.<br />
<br />
Several such pairs of matching normal-keys and KeyY values were found, leading to deducing the key-generator function.<br />
| None<br />
| New3DS<br />
| February 2015<br />
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]<br />
|-<br />
| FIRM partitions known-plaintext<br />
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.<br />
<br />
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).<br />
<br />
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.<br />
| None<br />
| New3DS<br />
| <br />
| Everyone<br />
|}<br />
<br />
== ARM9 software ==<br />
=== arm9loader ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Rearrangable keys in the NAND keystore<br />
| Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way. Combining this with the arm9loaderhax and uncleared hash keydata vulnerabilities, one can achieve arm9loaderhax without downgrading to a system version that exposes the OTP data, or using a hardware method. The NAND keystore must be encrypted with console-unique data; therefore, this is not achievable on Old 3DS or 2DS.<br />
| arm9loaderhax achieveable with no extra hardware and without downgrading to a system version which exposes the OTP.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Early 2016<br />
| 27 September 2016<br />
| Myria, [[User:Dark samus|dark_samus]]; mathieulh (independently); [[User:Plutooo|plutoo]] (independently) + others<br />
|-<br />
| Uncleared OTP hash keydata in console-unique 0x11 key-generation<br />
| Kernel9Loader does not clear the [[SHA_Registers#SHA_HASH|SHA_HASH register]] after use. As a result, the data stored here as K9L hands over to Kernel9 is the hash of [[OTP_Registers|OTP data]] used to seed the [[FIRM#New_3DS_FIRM|console-unique NAND keystore decryption key]] set on keyslot 0x11.<br />
<br />
Retrieving this keydata and the [[Flash_Filesystem#0x12C00|NAND keystore]] of the same device allows calculating the decrypted New3DS NAND keystore (non-unique, common to all New3DS units), which contains AES normal keys, also set on keyslot 0x11, which are then used to derive all current [[AES_Registers#Keyslots|New3DS-only AES keyXs]] including the newer batch introduced in [[9.6.0-24#arm9loader|9.6.0-X]]. From there, it is trivial to perform the same key derivation in order to initialize those keys on any system version, and even on Old3DS.<br />
<br />
This can be performed by exploiting the "arm9loaderhax" vulnerability to obtain post-K9L code execution after an MCU reboot (the bootrom section-loading fail is not relevant here, this attack was performed without OTP data by brute-forcing keys), and using this to dump the SHA_HASH register. This attack works on any FIRM version shipping a vulnerable version of K9L, whereas OTP dumping required a boot of <[[3.0.0-6|3.0.0-X]].<br />
<br />
This attack results in obtaining the entire (0x200-bytes) NAND keystore - it was confirmed at a later date that this keystore is encrypted with the same key (by comparing the decrypted data from multiple units), and therefore using another key in this store will not remedy the issue as all keys are known (i.e. later, unused keys decrypt to the same 0x200-bytes constant with the same OTP hash). Later keys could have been encrypted differently but this is not the case. As a result of this, it is not possible for Nintendo to use K9L again in its current format for its intended purpose, though this was not news from the moment people dumped a New3DS OTP.<br />
| Derivation of all New3DS keys generated via the NAND keystore (0x1B "Secure4" etc.)<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| ~April 2015, implemented in May 2015<br />
| 13 January 2016<br />
| [[User:WulfyStylez|WulfyStylez]], [[User:Dazzozo|Dazzozo]], [[User:Shinyquagsire23|shinyquagsire23]] (complimentary + implemented), [[User:Plutooo|plutoo]], Normmatt (discovered independently)<br />
|-<br />
| enhanced-arm9loaderhax<br />
| See the 32c3 3ds talk.<br />
Since this is a combination of a trick with the arm9-bootrom + arm9loaderhax, and since you have to manually write FIRM to the firm0/firm1 NAND partitions, this can't be completely fixed. Any system with existing ARM9 code execution and an OTP/OTP hash dump can exploit this. Additionally, by using the FIRM partition known-plaintext bug and bruteforcing the second entry in the keystore, this can currently be exploited on all New3DS systems without any other prerequisite hacks.<br />
| arm9loaderhax which automatically occurs at hard-boot.<br />
| See arm9loaderhax / description.<br />
| See arm9loaderhax / description.<br />
| Theorized around mid July, 2015. Later implemented+tested by [[User:Plutooo|plutoo]] and derrek.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Missing verification-block for the 9.6 keys (arm9loaderhax)<br />
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, no verification block was added to verify that the new key read from NAND is correct. This was technically an issue from [[9.5.0-22|9.5.0-X]] with the original sector+0 keydata, however the below is only possible with [[9.6.0-24|9.6.0-X]] since keyslots 0x15 and 0x16 are generated from different 0x11 keyXs.<br />
<br />
Writing an incorrect key to NAND will cause arm9loader to decrypt the ARM9 kernel as garbage and then jump to it.<br />
<br />
This allows an hardware-based attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process with various input keydata, eventually you'll find some garbage that jumps to your code.<br />
<br />
This gives very early ARM9 code execution (pre-ARM9 kernel). As such, it is possible to dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init. <br />
<br />
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.<br />
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March, 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Uncleared New3DS keyslot 0x11<br />
| Originally the New3DS [[FIRM]] arm9bin loader only cleared keyslot 0x11 when it gets executed at firmlaunch. This was fixed with [[9.5.0-22|9.5.0-X]] by completely clearing keyslot 0x11 immediately after the loader finishes using keyslot 0x11.<br />
This means that any ARM9 code that can execute before the loader clears the keyslot at firmlaunch(including firmlaunch-hax) can get access to the uncleared keyslot 0x11, which then allows one to generate all <=v9.5 New3DS keyXs which are generated by keyslot 0x11.<br />
<br />
Therefore, to completely fix this the loader would have to generate more keys using different keyslot 0x11 keydata. This was done with [[9.6.0-24|9.6.0-X]].<br />
| New3DS keyXs generation<br />
| Mostly fixed with [[9.5.0-22|9.5.0-X]], completely fixed with new keys with [[9.6.0-24|9.6.0-X]].<br />
| <br />
| February 3, 2015 (one day after [[9.5.0-22|9.5.0-X]] release)<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Process9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Leak of normal-key matching a key-scrambler key<br />
| New 3DS firmware versions [[8.1.0-0 New3DS|8.1.0]] through [[9.2.0-20|9.2.0]] set the encryption key for [[Amiibo]] data using a hardcoded normal-key in Process9. In firmware [[9.3.0-21|9.3.0]], Nintendo "fixed" this by using the key scrambler instead, by calculating the keyY value for keyslot 0x39 that results in the same normal-key, then hardcoding that keyY into Process9.<br />
<br />
Nintendo's fix is actually the problem: Nintendo revealed the normal-key matching an unknown keyX and a known keyY. Combined with the key scrambler using an insecure scrambling algorithm (see "Hardware" above), the key scrambler function could be deduced.<br />
| Deducing the keyX for keyslot 0x39 and the key scrambler algorithm<br />
| New 3DS [[9.3.0-21|9.3.0-X]], sort of<br />
| [[10.0.0-27|10.0.0-X]]<br />
| Sometime in 2015 after the hardware key-generator was broken.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Leak of normal-key matching a key-generator key<br />
| During the 3DS' development (June/July 2010) Nintendo added support installing encrypted content ([[CIA]]). Common-key index1 was intended to be a [[AES|hardware generated key]]. However while they added code to generate the key in hardware, they forgot to remove the normal-key for index1 (used elsewhere, likely old debug code). Nintendo later removed the normal key sometime before the first non-prototype firmware release.<br />
<br />
<br />
Knowing the keyY and the normal-key for common-key index1, the devkit key-generator algorithm can be deduced (see "Hardware" above). Additionally the remaining devkit common-keys can be generated once the common-key keyX is recovered.<br />
<br />
Note the devkit key-generator was discovered to be the same as the retail key-generator.<br />
| Deducing the keyX for keyslot 0x3D and hardware key-generator algorithm. Generate remaining devkit common-keys.<br />
| pre-[[1.0.0-0|1.0.0-X]]<br />
| <br />
| Shortly after the key-generator was revealed to be flawed at the 32c3 3ds talk<br />
| January 20, 2016<br />
| [[User:Jakcron|jakcron]]<br />
|-<br />
| ntrcardhax<br />
| <br />
| ARM9 code execution<br />
| 10.4.0-29<br />
| <br />
| March 2015<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Title downgrading via [[Application_Manager_Services|AM]]([[Application_Manager_Services_PXI|PXI]])<br />
| When a title is *already* installed, Process9 will compare the installed title-version with the title-version being installed. When the one being installed is older, Process9 would return an error.<br />
<br />
However, this can be bypassed by just deleting the title first via the service command(s) for that: with the title removed from the [[Title_Database]], Process9 can't compare the input title-version with anything. Hence, titles can be downgraded this way.<br />
<br />
[[11.0.0-33|11.0.0-X]] fixed this for key system titles (MSET, Home Menu, spider, ErrDisp, SKATER, NATIVE_FIRM, and every retail system module), by checking the version of the title to install against a hard-coded list of (titleID, minimumVersionRequired) pairs.<br />
| Bypassing title version check at installation, which then allows downgrading any title.<br />
| [[11.0.0-33|11.0.0-X]], for key system titles.<br />
| NATIVE_FIRM / AM-sysmodule [[11.0.0-33|11.0.0-X]]<br />
| ?<br />
| <br />
| ?<br />
|-<br />
| FAT FS code null-deref<br />
| When FSFile:Read is used with a file which is corrupted on a FAT filesystem(in particular SD), Process9 can crash. This particular crash is caused by a function returning NULL instead of an actual ptr due to an error. The caller of that function doesn't check for NULL which then triggers a read based at NULL.<br />
<br />
Sample "fsck.vfat -n -v -V <fat image backup>" output for the above crash:<br />
<br />
<pre>...<br />
Starting check/repair pass.<br />
<FilePath0> and<br />
<FilePath1><br />
share clusters.<br />
Truncating second to 3375104 bytes.<br />
<FilePath1><br />
File size is 2787392 bytes, cluster chain length is 16384 bytes.<br />
Truncating file to 16384 bytes.<br />
Checking for unused clusters.<br />
Reclaimed 1 unused cluster (16384 bytes).<br />
Checking free cluster summary.<br />
Free cluster summary wrong (1404490 vs. really 1404491)<br />
Auto-correcting.<br />
Starting verification pass.<br />
Checking for unused clusters.<br />
Leaving filesystem unchanged.</pre><br />
| Useless null-based-read<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| July 8-9, 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| RSA signature padding checks<br />
| The TWL_FIRM RSA sig padding check code used for all TWL RSA sig-checks has issues, see [[FIRM|here]].<br />
The main 3DS RSA padding check code(non-certificate, including NATIVE_FIRM) uses the function used with the above to extract more padding + the actual hash from the additional padding. This isn't really a problem here because there's proper padding check code which is executed prior to this.<br />
| <br />
| None<br />
| [[9.5.0-22|9.5.0-X]]<br />
| March 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ValidateDSiWareSectionMAC]] [[AES_Registers|AES]] keyslot reuse<br />
| When the input DSiWare section index is higher than <max number of DSiWare sections supported by this FIRM>, Process9 uses keyid 0x40 for calculating the AESMAC, which translates to keyslot 0x40. The result is that the keyslot is left at whatever was already selected before, since the AES selectkeyslot code will immediately return when keyslot is >=0x40. However, actually exploiting this is difficult: the calculated AESMAC is never returned, this command just compares the calculated AESMAC with the input AESMAC(result-code depends on whether the AESMACs match). It's unknown whether a timing attack would work with this.<br />
This is basically a different form of the pxips9 keyslot vuln, except with AESMAC etc.<br />
| See description.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March 15, 2015<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| pxips9 [[AES_Registers|AES]] keyslot reuse<br />
| This requires access to the [[Process_Services|ps:ps]]/pxi:ps9 services. One way to get access to this would be snshax on system-version <=10.1.0-X(see 32c3 3ds talk).<br />
When an invalid key-type value is passed to any of the PS commands, Process9 will try to select keyslot 0x40. That aesengine_setkeyslot() code will then immediately return due to the invalid keyslot value. Since that function doesn't return any errors, Process9 will just continue to do crypto with whatever AES keyslot was selected before the PS command was sent.<br />
| Reusing the previously used keyslot, for crypto with PS.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Roughly the same time(same day?) as firmlaunch-hax.<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| firmlaunch-hax: FIRM header ToCToU<br />
| This can't be exploited from ARM11 userland.<br />
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.<br />
With [[9.5.0-22]] the address of this FIRM header was changed from a FCRAM address, to ARM9-only address 0x01fffc00.<br />
| ARM9 code execution<br />
| [[9.5.0-22]]<br />
| <br />
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Uninitialized data output for (PXI) command replies<br />
| PXI commands for various services(including some [[Filesystem_services_PXI|here]] and many others) can write uninitialized data (like from ARM registers) to the command reply. This happens with stubbed commands, but this can also occur with certain commands when returning an error.<br />
Certain ARM11 service commands have this same issue as well.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| ?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Filesystem_services_PXI|FSPXI]] OpenArchive SD permissions<br />
| Process9 does not use the exheader ARM9 access-mount permission flag for SD at all.<br />
This would mean ARM11-kernelmode code / fs-module itself could directly use FSPXI to access SD card without ARM9 checking for SD access, but this is rather useless since a process is usually running with SD access(Home Menu for example) anyway.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ExportDSiWare]] export path<br />
| Process9 allocates memory on Process9 heap for the export path then verifies that the actual allocated size matches the input size. Then Process9 copies the input path from FCRAM to this buffer, and uses it with the Process9 FS openfile code, which use paths in the form of "<mountpoint>:/<path>".<br />
Process9 does not check the contents of this path at all before passing it to the FS code, besides writing a NUL-terminator to the end of the buffer.<br />
| Exporting of DSiWare to arbitrary Process9 file-paths, such as "nand:/<path>" etc. This isn't really useful since the data which gets written can't be controlled.<br />
| None<br />
| [[9.5.0-22]]<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DSiWare_Exports]] [[CTCert]] verification<br />
| Just like DSi originally did, 3DS verifies the APCert for DSiWare on SD with the CTCert also in the DSiWare .bin. On DSi this was fixed with with system-version 1.4.2 by verifying with the actual console-unique cert instead(stored in NAND), while on 3DS it's still not(?) fixed.<br />
On 3DS however this is rather useless, due to the entire DSiWare .bin being encrypted with the console-unique movable.sed keyY.<br />
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.<br />
| Unknown, probably none.<br />
| ?<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size<br />
| The u8 REG_CTRCARDCNT transfer-size parameter for the [[Gamecard_Services_PXI]] read/write CTRCARD commands is used as an index for an array of u16 values. Before [[5.0.0-11|5.0.0-X]] this u8 value wasn't checked, thus out-of-bounds reads could be triggered(which is rather useless in this case).<br />
| Out-of-bounds read for a value which gets written to a register.<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] cmdbuf buffer overrun<br />
| The Process9 code responsible [[PXI_Registers|PXI]] communications didn't verify the size of the incoming command before writing it to a C++ member variable. <br />
| Probably ARM9 code execution<br />
| [[5.0.0-11|5.0.0-11]]<br />
| <br />
| March 2015, original timeframe if any unknown<br />
| <br />
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)<br />
|-<br />
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])<br />
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| May 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Process_Services_PXI|PS RSA]] commands buffer overflows<br />
| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.<br />
The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] pxi_id bad check<br />
| The Process9 code responsible for [[PXI_Registers|PXI]] communications read pxi_id as a signed char. There were two flaws:<br />
* They used it as index to a lookup-table without checking the value at all.<br />
* Another function verified that pxi_id < 7, allowing negative values to pass the check. This would also cause an out-of-range table-lookup.<br />
| Maybe ARM9 code execution<br />
| [[3.0.0-5|3.0.0-5]]<br />
|<br />
| March 2015, originally 2012 for the first issue at least<br />
| <br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]], maybe others(?)<br />
|}<br />
<br />
=== Kernel9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9<br />
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.<br />
<br />
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).<br />
<br />
This flaw resurged when it gained a new practical use: retrieving the OTP data for a New3DS console in order to decrypt the key data used in arm9loader (see enhanced-arm9loaderhax / description). This was performed by downgrading to a vulnerable system version. By accounting for differences in CTR-NAND crypto (0x05 -> 0x04, see partition encryption types [[Flash_Filesystem#NAND_structure|here]]), it is possible to boot a New3DS using Old3DS firmware 1.0-2.X and an Old3DS [[NCSD#NCSD_header|NCSD Header]] to retrieve the required OTP data using this flaw.<br />
| Dumping of the [[OTP Registers|OTP]] area<br />
| [[3.0.0-5|3.0.0-X]]<br />
|<br />
| February 2015<br />
| [[User:Plutooo|plutoo]], Normmatt independently<br />
|}<br />
<br />
== ARM11 software ==<br />
=== Kernel11 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[SVC]] table too small<br />
| The table of function pointers for SVC's only contains entries up to 0x7D, but the biggest allowed SVC for the table is 0x7F. Thus, executing SVC7E or SVC7F would make the SVC-handler read after the buffer, and interpret some ARM instructions as function pointers.<br />
<br />
However, this would require patching the kernel .text or modifying SVC-access-control. Even if you could get these to execute, they would still jump to memory that isn't mapped as executable.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| 2012<br />
| Everyone<br />
|-<br />
| [[SVC|svcBackdoor (0x7B)]]<br />
| This backdoor allows executing SVC-mode code at the user-specified code-address. This is used by Process9, using this on the ARM11 (with NATIVE_FIRM) required patching the kernel .text or modifying SVC-access-control.<br />
| See description<br />
| [[11.0.0-33|11.0.0-X]] (deleted)<br />
| <br />
|<br />
| Everyone<br />
|-<br />
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory<br />
| The ARM11 kernel-mode 0xEFF00000/0xDFF00000 virtual-memory(size 0x100000) is mapped to phys-mem 0x1FF00000(entire DSP-mem + entire AXIWRAM), with permissions RW-. This is used during ARM11 kernel startup for loading the FIRM-modules from the FIRM section located in DSP-mem, this never seems to be used after that, however. This is never unmapped either.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| <br />
| <br />
|-<br />
| memchunkhax2.1<br />
| Nintendo's fix for memchunkhax2 in [[10.4.0-29|10.4.0-X]] did not fix the GPU case: one may cause the requisite ToCToU race using gspwn, bypassing the new validation.<br />
derrek's original 32c3 presentation for memchunkhax2 commented that a GPU-based attack was possible, but would be difficult. However, memchunkhax2.1 showed that it was possible to do fairly reliably.<br />
| ARM11 kernel code execution<br />
| None<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek, aliaspider<br />
|-<br />
| memchunkhax2<br />
| <br />
| ARM11 kernel code execution<br />
| [[10.4.0-29|10.4.0-X]] (partially)<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek<br />
|-<br />
| heaphax<br />
| Can change the size of free memchunk structures stored in FCRAM using DMA, which leads to the ability to allocate memory chunks over already-allocated memory. This can be used in the SYSTEM region to allocate RW memory over any part of the NS system module, which is enough to take it over.<br />
| Code execution with access to all of NS's privileges. (including downgrading) Code execution within any applet.<br />
| [[11.0.0-33|11.0.0-X]], via the new [[Memory_Management#MemoryBlockHeader|memchunkhdr]] MAC which prevents modifying memchunkhdr data with DMA.<br />
| [[11.0.0-33|11.0.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| snshax<br />
| Can force creation of Safe NS process into gspwn-able memory, allowing for takeover.<br />
| Code execution with access to all of NS's privileges. (including downgrading)<br />
| [[10.1.0-27|10.1.0-X]]<br />
| [[10.1.0-27|10.1.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| AffinityMask/processorid validation<br />
| With [[10.0.0-27|10.0.0-X]] the following functions were updated: svcGetThreadAffinityMask, svcGetProcessAffinityMask, svcSetProcessAffinityMask, and svcCreateThread. The code changes for all but svcCreateThread are identical.<br />
The original code with the first 3 did the following: <br />
* if(u32_processorcount > ~0x80000001)return 0xe0e01bfd;<br />
* if(s32_processorcount > <total_cores>)return 0xd8e007fd;<br />
The following code replaced the above:<br />
* if(u32_processorcount >= <total_cores+1>)return 0xd8e007fd;<br />
In theory the latter should catch everything that the former did, so it's unknown if this was really a security issue.<br />
<br />
The svcCreateThread changes with [[10.0.0-27|10.0.0-X]] definitely did fix a security issue.<br />
* Original code: "if(s32_processorid > <total_cores>)return 0xd8e007fd;"<br />
* New code: "if(s32_processorid >= <total_cores> || s32_processorid <= -4)return 0xd8e007fd;"<br />
This fixed an off-by-one issue: if one would use processorid=total_cores, which isn't actually a valid value, svcCreateThread would accept that value on <[[10.0.0-27|10.0.0-X]]. This results in data being written out-of-bounds(baseaddr = arrayaddr + entrysize*processorid), which has the following result:<br />
* Old3DS: Useless kernel-mode crash due to accessing unmapped memory.<br />
* New3DS: uncontrolled data write into a kernel-mode L1 MMU-table. This isn't really useful: the data can't be controlled, and the data which gets overwritten is all-zero anyway(this isn't anywhere near MMU L1 entries for actually mapped memory).<br />
The previous version also allowed large negative s32_processorid values(negative processorid values are special values not actual procids), but it appears using values like that won't actually do anything(meaning no crash) besides the thread not running / thread not running for a while(besides triggering a kernelpanic with certain s32_processorid value(s)).<br />
| Nothing useful<br />
| [[10.0.0-27|10.0.0-X]]<br />
| [[10.0.0-27|10.0.0-X]]<br />
| svcCreateThread issue: May 31, 2015. The rest: September 8, 2015, via v9.6->v10.0 ARM11-kernel code-diff.<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| memchunkhax<br />
| The kernel originally did not validate the data stored in the FCRAM kernel heap [[Memchunkhdr|memchunk-headers]] for free-memory at all. Exploiting this requires raw R/W access to these memchunk-headers, like physical-memory access with gspwn.<br />
<br />
There are ''multiple'' ways to exploit this, but the end-result for most of these is the same: overwrite code in AXIWRAM via the 0xEFF00000/0xDFF00000 kernel virtual-memory mapping.<br />
<br />
This was fixed in [[9.3.0-21|9.3.0-X]] by checking that the memchunk(including size, next, and prev ptrs) is located within the currently used heap memory. The kernel may also check that the next/prev ptrs are valid compared to other memchunk-headers basically. When any of these checks fail, kernelpanic() is called.<br />
| When combined with other flaws: ARM11-kernelmode code execution<br />
| [[9.3.0-21|9.3.0-21]]<br />
| <br />
| February 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Multiple [[KLinkedListNode|KLinkedListNode]] SlabHeap use after free bugs<br />
| The ARM11-kernel did access the 'key' field of [[KLinkedListNode|KLinkedListNode]] objects, which are located on the SlabHeap, after freeing them. Thus, triggering an allocation of a new [[KLinkedListNode|KLinkedListNode]] object at the right time could result in a type-confusion. Pseudo-code:<br />
SlabHeap_free(KLinkedListNode);<br />
KObject *obj = KLinkedListNode->key; // the object there might have changed!<br />
This bug appeared all over the place.<br />
| ARM11-kernelmode code exec maybe<br />
| [[8.0.0-18|8.0.0-18]]<br />
| <br />
| April 2015<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with [[6.0.0-11|6.0.0]] PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered.<br />
| <br />
| [[6.0.0-11|6.0.0-11]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcStartInterProcessDma]]<br />
| For svcStartInterProcessDma, the kernel code had the following flaws:<br />
<br />
* Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction.<br />
<br />
* Integer overflows for srcaddr+size and dstaddr+size are now checked(with [[6.0.0-11]]), which were not checked before.<br />
<br />
* The kernel now also checks whether the srcaddr/dstaddr (+size) is within userland memory (0x20000000), the kernel now (with [[6.0.0-11]]) returns an error when the address is beyond userland memory. Using an address >=0x20000000 would result in the kernel reading from the process L1 MMU table, beyond the memory allocated for that MMU table(for vaddr->physaddr conversion). <br />
| <br />
| [[6.0.0-11]]<br />
| <br />
| DmaConfig issue: unknown. The rest: 2014<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] independently<br />
|-<br />
| [[SVC|svcControlMemory]] Parameter checks<br />
| For svcControlMemory the parameter check had these two flaws:<br />
<br />
* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. However, the kernel doesn't actually use the input address for LINEAR memory-mapping at all besides the range-checks, so this isn't actually useful. This was fixed in the kernel by just checking for the LINEAR bit, instead of comparing the entire MemoryOperation value with 0x10003.<br />
<br />
* Integer overflows on (addr0+size) are now checked that previously weren't (this also applies to most other address checks elsewhere in the kernel).<br />
<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
|<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] request/response buffer overflow<br />
| Originally the kernel did not check the word-values from the command-header. Starting with [[5.0.0-11]], the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words (0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread. However, since the data written there would be translate parameters (such as header-words + buffer addresses), exploiting this would likely be very difficult, if possible at all.<br />
<br />
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|SVC stack allocation overflows]]<br />
| <br />
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun. <br />
* The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow.<br />
<br />
This might allow for ARM11 kernel code-execution.<br />
<br />
(Applies to svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN.)<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] complementary<br />
|-<br />
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions<br />
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.<br />
| <br />
| [[4.1.0-8]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions<br />
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== [[FIRM]] Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[Services|"srv:pm"]] process registration<br />
| Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.<br />
<br />
This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it. With [[7.0.0-13]] there can only be one session for "srv:pm" open at a time(this is used by pm module), svcBreak will be executed if more sessions are opened by the processes which can access this.<br />
<br />
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).<br />
| Access to arbitrary services<br />
| [[7.0.0-13]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| FSDIR null-deref<br />
| [[Filesystem_services|FS]]-module may crash in some cases when handling directory reading. The trigger seems to be due to using [[FSDir:Close]] without closing the dir-handle afterwards?(Perhaps this is caused by out-of-memory?) This seems to be useless since it's just a null-deref.<br />
| <br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| May 19(?)-20, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Standalone Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in system-module system-version<br />
! Last system-module system-version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Timeframe this was added to wiki<br />
! Discovered by<br />
|-<br />
| [[MVD_Services|MVD]]: Stack buffer overflow with [[MVDSTD:SetupOutputBuffers]].<br />
| The input total_entries is not validated when initially processing the input entry-list. This fixed-size input entry-list is copied to stack from the command request. The loop for processing this initializes a global table, the converted linearmem->physaddrs used there are also copied to stack(0x8-bytes of physaddrs per entry).<br />
<br />
If total_entries is too large, MVD-sysmodule will crash due to reading unmapped memory following the stack(0x10000000). Afterwards if the out-of-bounds total_entries is smaller than that, it will crash due accessing address 0x0, hence this useless.<br />
| MVD-sysmodule crash.<br />
| None<br />
| [[9.0.0-20]]<br />
| April 22, 2016 (Tested on the 25th)<br />
| April 25, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process.<br />
| See the HTTP-sysmodule section below.<br />
<br />
CTRSDK heap is used with the sharedmem from [[NWMUDS:InitializeWithVersion]]. Buffers are allocated/freed under this heap using [[NWMUDS:Bind]] and [[NWMUDS:Unbind]].<br />
<br />
Hence, overwriting sharedmem with gspwn then using [[NWMUDS:Unbind]] results in the usual controlled CTRSDK memchunk-header write, similar to HTTP-sysmodule.<br />
<br />
This could be done by creating an UDS network, without any other nodes on the network.<br />
<br />
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem.<br />
| ROP under NWM-module.<br />
| None<br />
| [[9.0.0-20|9.0.0-X]]<br />
| April 10, 2016<br />
| April 16, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation<br />
| DLP doesn't validate the frame_size when receiving spectator data-frames at all, unlike non-spectator data-frames. The actual spectator data-frame parsing code doesn't use that field either. However, the data-frame checksum calculation code called during checksum verification does use the frame_size for loading the size of the framebuf.<br />
<br />
Hence, using a large frame_size like 0xFFFF will result in the checksum calculation code reading data out-of-bounds. This isn't really useful, you could trigger a remote local-WLAN DLP-sysmodule crash while a 3DS system is scanning for DLP networks(due to accessing unmapped memory), but that's about all(trying to infoleak with this likely isn't useful either).<br />
| DLP-sysmodule crash, handled by dlplay system-application by a "connection interrupted" error eventually then a fatal-error via ErrDisp.<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8, 2016 (Tested on the 10th)<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds output data writing during spectator sysupdate titlelist [[Download_Play|data-frame]] handling<br />
| The total_entries and out_entryindex fields for the titlelist DLP spectator data-frames are not validated. This is parsed during DLP network scanning. Hence, the specified titlelist data can be written out-of-bounds using the specified out_entryindex and total_entries. A crash will occur while reading the input data-frame titlelist if total_entries is larger than 0x27A, due to accessing unmapped memory.<br />
<br />
There's not much non-zero data to overwrite following the output buffer(located in sharedmem), any ptrs are located in sharedmem. Overwriting certain ptr(s) are only known to cause a crash when attempting to use the DLP-client shutdown service-command.<br />
<br />
There's no known way to exploit the above crash, since the linked-list code involves writes zeros(with a controlled start ptr).<br />
| <br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8-9, 2016<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[IR_Services|IR]]: Stack buffer overflow with custom hardware<br />
| Originally IR sysmodule used the read value from the I2C-IR registers TXLVL and RXLVL without validating them at all. See [[10.6.0-31|here]] for the fix. This is the size used for reading the data-recv FIFO, etc. The output buffer for reading is located on the stack.<br />
<br />
This should be exploitable if one could successfully setup the custom hardware for this and if the entire intended sizes actually get read from I2C.<br />
| ROP under IR sysmodule.<br />
| [[10.6.0-31|10.6.0-31]]<br />
| <br />
| February 23, 2016 (Unknown if it was noticed before then)<br />
| February 23, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HTTP_Services|HTTP]]: Using CTRSDK heap with sharedmem from the user-process.<br />
| The data from httpcAddPostDataAscii and other commands is stored under a CTRSDK heap. That heap is the sharedmem specified by the user-process via the HTTPC Initialize command.<br />
Normally this sharedmem isn't accessible to the user-process once the sysmodule maps it, hence using it is supposed to be "safe".<br />
<br />
This isn't the case due to gspwn however. Since CTRSDK heap code is so insecure in general, one can use gspwn to locate the HTTPC sharedmem + read/write it, then trigger a mem-write under the sysmodule. This can then be used to get ROP going under HTTP-sysmodule.<br />
<br />
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].<br />
| ROP under HTTP sysmdule.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])<br />
| Late 2015<br />
| March 22, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NIM_Services|NIM]]: Downloading old title-versions from eShop<br />
| Multiple NIM service commands(such as [[NIMS:StartDownload]]) use a title-version value specified by the user-process, NIM does not validate that this input version matches the latest version available via SOAP. Therefore, when combined with AM(PXI) [[#Process9|title-downgrading]] via deleting the target eShop title with System Settings Data Management(if the title was already installed), this allows downloading+installing any title-version from eShop ''if'' it's still available from CDN.<br />
The easiest way to exploit this is to just patch the eShop system-application code using these NIM commands(ideally the code which loads the title-version).<br />
<br />
Originally this was tested with a debugging-system via modded-FIRM, eventually smea implemented it in HANS for the 32c3 release.<br />
| Downloading old title-versions from eShop<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| October 24, 2015 (Unknown when exactly the first eShop title downgrade was actually tested, maybe November)<br />
| January 7, 2016 (Same day Ironfall v1.0 was removed from CDN via the main-CXI files)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SPI_Services|SPI]] service out-of-bounds write<br />
| cmd1 has out-of-bounds write allowing overwrite of some static variables in .data.<br />
| <br />
| None<br />
| [[9.5.0-22]]<br />
| March 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[NFC_Services|NFC]] module service command buf-overflows<br />
| NFC module copies data with certain commands, from command input buffers to stack without checking the size. These commands include the following, it's unknown if there's more commands with similar issues: "nfc:dev" <0x000C....> and "nfc:s" <0x0037....>.<br />
Since both of these commands are stubbed in the Old3DS NFC module from the very first version(those just return an error), these issues only affect the New3DS NFC module.<br />
<br />
There's no known retail titles which have access to either of these services.<br />
| ROP under NFC module.<br />
| New3DS: None<br />
| New3DS: [[9.5.0-22]]<br />
| December 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[News_Services|NEWSS]] service command notificationID validation failure<br />
| This module does not validate the input notificationID for <nowiki>"news:s"</nowiki> service commands. This is an out-of-bounds array index bug. For example, [[NEWSS:SetNotificationHeader]] could be used to exploit news module: this copies the input data(size is properly checked) to: out = newsdb_savedata+0x10 + (someu32array[notificationID]*0x70).<br />
| ROP under news module.<br />
| None<br />
| [[9.7.0-25|9.7.0-X]]<br />
| December 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWMUDS:DecryptBeaconData]] heap buffer overflow<br />
| input_size = 0x1E * <value the u8 from input_[[NWM_Services|networkstruct]]+0x1D>. Then input_tag0 is copied to a heap buffer. When input_size is larger than 0xFA-bytes, it will then copy input_tag1 to <end_address_of_previous_outbuf>, with size=input_size-0xFA.<br />
<br />
This can be triggered by either using this command directly, or by boadcasting a wifi beacon which triggers it while a 3DS system running the target process is in range, when the process is scanning for hosts to connect to. Processes will only pass tag data to this command when the wlancommID and other thing(s) match the values for the process.<br />
<br />
There's no known way to actually exploit this for getting ROP under NWM-module, at the time of originally adding this to the wiki. This is because the data which gets copied out-of-bounds *and* actually causes crash(es), can't be controlled it seems(with just broadcasting a beacon at least). It's unknown whether this could be exploited from just using NWMUDS service-cmd(s) directly.<br />
| Without any actual way to exploit this: NWM-module DoS, resulting in process termination(process crash). This breaks *everything* involving wifi comms, a reboot is required to recover from this.<br />
| None<br />
| [[9.0.0-20]]<br />
| ~September 23, 2014(see the [[NWMUDS:DecryptBeaconData]] page history)<br />
| August 3, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HID_Services|HID]] module shared-mem<br />
| HID module does not validate the index values in [[HID_Shared_Memory|sharedmem]](just changes index to 0 when index == maxval when updating), therefore large values will result in HID module writing HID data to arbitrary addresses.<br />
| ROP under HID module, but this is *very* unlikely to be exploitable since the data written is HID data.<br />
| None<br />
| [[9.3.0-21]]<br />
| 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| gspwn<br />
| GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text([[Home Menu]], [[Internet Browser]], etc) is located beyond the area accessible by the GPU, except for [[RO_Services|CROs]] used by applets([[Internet Browser]] for example).<br />
<br />
FCRAM is gpu-accessible up to physaddr 0x26800000 on Old3DS, and 0x2DC00000 on New3DS. This is BASE_memregion_start(aka SYSTEM_memregion_end)-0x400000 with the default memory-layout on Old3DS/New3DS.<br />
| User-mode code execution.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Early 2014<br />
| <br />
| smea, [[User:Yellows8|Yellows8]]/others before then<br />
|-<br />
| rohax<br />
| Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. Badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D.<br />
<br />
This was fixed after [[ninjhax]] release by adding checks on [[CRO0]]-based pointers before writing to them.<br />
| Memory-mapping syscalls.<br />
| [[9.3.0-21]]<br />
| [[9.4.0-21]]<br />
| <br />
| <br />
| smea, [[User:Plutooo|plutoo]] joint effort<br />
|-<br />
| Region free<br />
| Only [[Home Menu]] itself checks gamecards' region when launching them. Therefore, any application launch that is done directly with [[NS]] without signaling Home Menu to launch the app, will result in region checks being bypassed.<br />
This essentially means launching the gamecard with the [[NS_and_APT_Services|"ns:s"]] service. The main way to exploit this is to trigger a FIRM launch with an application specified, either with a normal FIRM launch or a hardware [[NSS:RebootSystem|reboot]].<br />
| Launching gamecards from any region + bypassing Home Menu gamecard-sysupdate installation<br />
| None<br />
| Last tested with [[10.1.0-27|10.1.0-X]].<br />
| June(?) 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]] service-cmd state null-ptr deref<br />
| The NWMUDS service command code loads a ptr from .data, adds an offset to that, then passes that as the state address for the actual command-handler function. The value of the ptr loaded from .data is not checked, therefore this will cause crashes due to that being 0x0 when NWMUDS was not properly initialized.<br />
It's unknown whether any NWM services besides NWMUDS have this issue.<br />
| This is rather useless since it's only a crash caused by a state ptr based at 0x0.<br />
| None<br />
| [[9.0.0-20]]<br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== General/CTRSDK ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in version<br />
! Last version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[NWM_Services|UDS]] beacon additional-data buffer overflow<br />
| Originally CTRSDK did not validate the UDS additional-data size before using that size to copy the additional-data to a [[NWM_Services|networkstruct]]. This was eventually fixed.<br />
This was discovered while doing code RE with an old dlp-module version. It's unknown in what specific CTRSDK version this was fixed, or even what system-version updated titles with a fixed version.<br />
<br />
It's unknown if there's any titles using a vulnerable CTRSDK version which are also exploitable with this(dlp module can't be exploited with this).<br />
<br />
The maximum number of bytes that can be written beyond the end of the outbuf is 0x37-bytes, with additionaldata_size=0xFF.<br />
| Perhaps ROP, very difficult if possible with anything at all<br />
| ?<br />
| <br />
| September(?) 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=3DS_System_Flaws&diff=183063DS System Flaws2016-09-27T16:26:59Z<p>Dark samus: /* arm9loader */</p>
<hr />
<div>Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of publicly known system flaws, for userland applications/applets flaws see [[3DS_Userland_Flaws|here]].<br />
<br />
=Stale / Rejected Efforts=<br />
* Neimod has been working on a RAM dumping setup for a little while now. He's de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS' PCB up to a custom RAM dumping setup. A while ago he published photos showing his setup to be working quite well, with the 3DS successfully booting up. However, his flickr stream is now private along with most of his work.<br />
<br />
* Someone (who will remain unnamed) has released CFW and CIA installers, all of which is copied from the work of others, or copyrighted material.<br />
<br />
==Tips and info==<br />
The 3DS uses the XN feature of the ARM11 processor. There's no official way from applications to enable executable permission for memory containing arbitrary unsigned code(there's a [[SVC]] for this, but only [[RO_Services|RO-module]] has access to it). An usable userland exploit would still be useful: you could only do return-oriented-programming with it initially. From ROP one could then exploit system flaw(s), see below.<br />
<br />
SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped(accessing SD data is far easier by running code on the target 3DS however).<br />
<br />
=System flaws=<br />
== Hardware ==<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with hardware model/revision<br />
! Newest hardware model/revision this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| ARM9/ARM11 bootrom vectors point at unitialized RAM<br />
| ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM. <br />
Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc.<br />
The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.<br />
<br />
This requires *very* *precise* timing for triggering the hardware fault: it's unknown if anyone actually exploited this successfully at the time of writing(the one who attempted+discovered it *originally* as listed in this wiki section hasn't).<br />
| None: all available 3DS models at the time of writing have the exact same ARM9/ARM11 bootrom for the unprotected areas.<br />
| New3DS<br />
| End of February 2014<br />
| [[User:Derrek|derrek]], WulfyStylez (May 2015) independently<br />
|-<br />
| Missing AES key clearing<br />
| The hardware AES engine does not clear keys when doing a hard reset/reboot.<br />
| None<br />
| New3DS<br />
| August 2014<br />
| Mathieulh/Others<br />
|-<br />
| No RAM clearing on reboots<br />
| On an MCU-triggered reboot all RAM including FCRAM/ARM9 memory/AXIWRAM/VRAM keeps its contents.<br />
| None<br />
| New3DS<br />
| March 2014<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| 32bits of actual console-unique TWLNAND keydata<br />
| On retail the 8-bytes at ARM9 address [[Memory_layout|0x01FFB808]] are XORed with hard-coded data, to generate the TWL console-unique keys, including TWLNAND. On Old3DS the high u32 is always 0x0, while on New3DS that u32 is always 0x2. On top of this, the lower u32's highest bit is always ORed. only 31 bits of the TWL console-unique keydata / TWL consoleID are actually console-unique.<br />
This allows one to easily bruteforce the TWL console-unique keydata with *just* data from TWLNAND. On DSi the actual console-unique data for key generation is 8-bytes(all bytes actually set).<br />
| None<br />
| New3DS<br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| DSi / 3DS-TWL key-generator<br />
| After using the key generator to generate the normal-key, you could overwrite parts of the normal-key with your own data and then recover the key-generator output by comparing the new crypto output with the original crypto output. From the normal-key outputs, you could deduce the TWL key-generator function.<br />
This applies to the keyX/keyY too.<br />
<br />
This attack does not work for the 3DS key-generator because keyslots 0-3 are only for TWL keys.<br />
| None<br />
| New3DS<br />
| 2011<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| 3DS key-generator<br />
| The algorithm for generating the normal-keys for keyslots is cryptographically weak. As a result, it is easily susceptible to differential cryptanalysis if the normal-key corresponding to any scrambler-generated keyslot is discovered.<br />
<br />
Several such pairs of matching normal-keys and KeyY values were found, leading to deducing the key-generator function.<br />
| None<br />
| New3DS<br />
| February 2015<br />
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]<br />
|-<br />
| FIRM partitions known-plaintext<br />
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.<br />
<br />
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).<br />
<br />
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.<br />
| None<br />
| New3DS<br />
| <br />
| Everyone<br />
|}<br />
<br />
== ARM9 software ==<br />
=== arm9loader ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Rearrangable keys in the NAND keystore<br />
| Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way. Combining this with the arm9loaderhax and uncleared hash keydata vulnerabilities, one can achieve arm9loaderhax without downgrading to a system version that exposes the OTP data, or using a hardware method. The NAND keystore must be encrypted with console-unique data; therefore, this is not achievable on Old 3DS or 2DS.<br />
| arm9loaderhax achieveable with no extra hardware and without downgrading to a system version which exposes the OTP.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Early 2016<br />
| 27 September 2016<br />
| [[User:Dark samus|dark_samus]], mathieulh, [[User:Plutooo|plutoo]] (independently)<br />
|-<br />
| Uncleared OTP hash keydata in console-unique 0x11 key-generation<br />
| Kernel9Loader does not clear the [[SHA_Registers#SHA_HASH|SHA_HASH register]] after use. As a result, the data stored here as K9L hands over to Kernel9 is the hash of [[OTP_Registers|OTP data]] used to seed the [[FIRM#New_3DS_FIRM|console-unique NAND keystore decryption key]] set on keyslot 0x11.<br />
<br />
Retrieving this keydata and the [[Flash_Filesystem#0x12C00|NAND keystore]] of the same device allows calculating the decrypted New3DS NAND keystore (non-unique, common to all New3DS units), which contains AES normal keys, also set on keyslot 0x11, which are then used to derive all current [[AES_Registers#Keyslots|New3DS-only AES keyXs]] including the newer batch introduced in [[9.6.0-24#arm9loader|9.6.0-X]]. From there, it is trivial to perform the same key derivation in order to initialize those keys on any system version, and even on Old3DS.<br />
<br />
This can be performed by exploiting the "arm9loaderhax" vulnerability to obtain post-K9L code execution after an MCU reboot (the bootrom section-loading fail is not relevant here, this attack was performed without OTP data by brute-forcing keys), and using this to dump the SHA_HASH register. This attack works on any FIRM version shipping a vulnerable version of K9L, whereas OTP dumping required a boot of <[[3.0.0-6|3.0.0-X]].<br />
<br />
This attack results in obtaining the entire (0x200-bytes) NAND keystore - it was confirmed at a later date that this keystore is encrypted with the same key (by comparing the decrypted data from multiple units), and therefore using another key in this store will not remedy the issue as all keys are known (i.e. later, unused keys decrypt to the same 0x200-bytes constant with the same OTP hash). Later keys could have been encrypted differently but this is not the case. As a result of this, it is not possible for Nintendo to use K9L again in its current format for its intended purpose, though this was not news from the moment people dumped a New3DS OTP.<br />
| Derivation of all New3DS keys generated via the NAND keystore (0x1B "Secure4" etc.)<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| ~April 2015, implemented in May 2015<br />
| 13 January 2016<br />
| [[User:WulfyStylez|WulfyStylez]], [[User:Dazzozo|Dazzozo]], [[User:Shinyquagsire23|shinyquagsire23]] (complimentary + implemented), [[User:Plutooo|plutoo]], Normmatt (discovered independently)<br />
|-<br />
| enhanced-arm9loaderhax<br />
| See the 32c3 3ds talk.<br />
Since this is a combination of a trick with the arm9-bootrom + arm9loaderhax, and since you have to manually write FIRM to the firm0/firm1 NAND partitions, this can't be completely fixed. Any system with existing ARM9 code execution and an OTP/OTP hash dump can exploit this. Additionally, by using the FIRM partition known-plaintext bug and bruteforcing the second entry in the keystore, this can currently be exploited on all New3DS systems without any other prerequisite hacks.<br />
| arm9loaderhax which automatically occurs at hard-boot.<br />
| See arm9loaderhax / description.<br />
| See arm9loaderhax / description.<br />
| Theorized around mid July, 2015. Later implemented+tested by [[User:Plutooo|plutoo]] and derrek.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Missing verification-block for the 9.6 keys (arm9loaderhax)<br />
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, no verification block was added to verify that the new key read from NAND is correct. This was technically an issue from [[9.5.0-22|9.5.0-X]] with the original sector+0 keydata, however the below is only possible with [[9.6.0-24|9.6.0-X]] since keyslots 0x15 and 0x16 are generated from different 0x11 keyXs.<br />
<br />
Writing an incorrect key to NAND will cause arm9loader to decrypt the ARM9 kernel as garbage and then jump to it.<br />
<br />
This allows an hardware-based attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process with various input keydata, eventually you'll find some garbage that jumps to your code.<br />
<br />
This gives very early ARM9 code execution (pre-ARM9 kernel). As such, it is possible to dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init. <br />
<br />
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.<br />
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March, 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Uncleared New3DS keyslot 0x11<br />
| Originally the New3DS [[FIRM]] arm9bin loader only cleared keyslot 0x11 when it gets executed at firmlaunch. This was fixed with [[9.5.0-22|9.5.0-X]] by completely clearing keyslot 0x11 immediately after the loader finishes using keyslot 0x11.<br />
This means that any ARM9 code that can execute before the loader clears the keyslot at firmlaunch(including firmlaunch-hax) can get access to the uncleared keyslot 0x11, which then allows one to generate all <=v9.5 New3DS keyXs which are generated by keyslot 0x11.<br />
<br />
Therefore, to completely fix this the loader would have to generate more keys using different keyslot 0x11 keydata. This was done with [[9.6.0-24|9.6.0-X]].<br />
| New3DS keyXs generation<br />
| Mostly fixed with [[9.5.0-22|9.5.0-X]], completely fixed with new keys with [[9.6.0-24|9.6.0-X]].<br />
| <br />
| February 3, 2015 (one day after [[9.5.0-22|9.5.0-X]] release)<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Process9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Leak of normal-key matching a key-scrambler key<br />
| New 3DS firmware versions [[8.1.0-0 New3DS|8.1.0]] through [[9.2.0-20|9.2.0]] set the encryption key for [[Amiibo]] data using a hardcoded normal-key in Process9. In firmware [[9.3.0-21|9.3.0]], Nintendo "fixed" this by using the key scrambler instead, by calculating the keyY value for keyslot 0x39 that results in the same normal-key, then hardcoding that keyY into Process9.<br />
<br />
Nintendo's fix is actually the problem: Nintendo revealed the normal-key matching an unknown keyX and a known keyY. Combined with the key scrambler using an insecure scrambling algorithm (see "Hardware" above), the key scrambler function could be deduced.<br />
| Deducing the keyX for keyslot 0x39 and the key scrambler algorithm<br />
| New 3DS [[9.3.0-21|9.3.0-X]], sort of<br />
| [[10.0.0-27|10.0.0-X]]<br />
| Sometime in 2015 after the hardware key-generator was broken.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Leak of normal-key matching a key-generator key<br />
| During the 3DS' development (June/July 2010) Nintendo added support installing encrypted content ([[CIA]]). Common-key index1 was intended to be a [[AES|hardware generated key]]. However while they added code to generate the key in hardware, they forgot to remove the normal-key for index1 (used elsewhere, likely old debug code). Nintendo later removed the normal key sometime before the first non-prototype firmware release.<br />
<br />
<br />
Knowing the keyY and the normal-key for common-key index1, the devkit key-generator algorithm can be deduced (see "Hardware" above). Additionally the remaining devkit common-keys can be generated once the common-key keyX is recovered.<br />
<br />
Note the devkit key-generator was discovered to be the same as the retail key-generator.<br />
| Deducing the keyX for keyslot 0x3D and hardware key-generator algorithm. Generate remaining devkit common-keys.<br />
| pre-[[1.0.0-0|1.0.0-X]]<br />
| <br />
| Shortly after the key-generator was revealed to be flawed at the 32c3 3ds talk<br />
| January 20, 2016<br />
| [[User:Jakcron|jakcron]]<br />
|-<br />
| ntrcardhax<br />
| <br />
| ARM9 code execution<br />
| 10.4.0-29<br />
| <br />
| March 2015<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Title downgrading via [[Application_Manager_Services|AM]]([[Application_Manager_Services_PXI|PXI]])<br />
| When a title is *already* installed, Process9 will compare the installed title-version with the title-version being installed. When the one being installed is older, Process9 would return an error.<br />
<br />
However, this can be bypassed by just deleting the title first via the service command(s) for that: with the title removed from the [[Title_Database]], Process9 can't compare the input title-version with anything. Hence, titles can be downgraded this way.<br />
<br />
[[11.0.0-33|11.0.0-X]] fixed this for key system titles (MSET, Home Menu, spider, ErrDisp, SKATER, NATIVE_FIRM, and every retail system module), by checking the version of the title to install against a hard-coded list of (titleID, minimumVersionRequired) pairs.<br />
| Bypassing title version check at installation, which then allows downgrading any title.<br />
| [[11.0.0-33|11.0.0-X]], for key system titles.<br />
| NATIVE_FIRM / AM-sysmodule [[11.0.0-33|11.0.0-X]]<br />
| ?<br />
| <br />
| ?<br />
|-<br />
| FAT FS code null-deref<br />
| When FSFile:Read is used with a file which is corrupted on a FAT filesystem(in particular SD), Process9 can crash. This particular crash is caused by a function returning NULL instead of an actual ptr due to an error. The caller of that function doesn't check for NULL which then triggers a read based at NULL.<br />
<br />
Sample "fsck.vfat -n -v -V <fat image backup>" output for the above crash:<br />
<br />
<pre>...<br />
Starting check/repair pass.<br />
<FilePath0> and<br />
<FilePath1><br />
share clusters.<br />
Truncating second to 3375104 bytes.<br />
<FilePath1><br />
File size is 2787392 bytes, cluster chain length is 16384 bytes.<br />
Truncating file to 16384 bytes.<br />
Checking for unused clusters.<br />
Reclaimed 1 unused cluster (16384 bytes).<br />
Checking free cluster summary.<br />
Free cluster summary wrong (1404490 vs. really 1404491)<br />
Auto-correcting.<br />
Starting verification pass.<br />
Checking for unused clusters.<br />
Leaving filesystem unchanged.</pre><br />
| Useless null-based-read<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| July 8-9, 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| RSA signature padding checks<br />
| The TWL_FIRM RSA sig padding check code used for all TWL RSA sig-checks has issues, see [[FIRM|here]].<br />
The main 3DS RSA padding check code(non-certificate, including NATIVE_FIRM) uses the function used with the above to extract more padding + the actual hash from the additional padding. This isn't really a problem here because there's proper padding check code which is executed prior to this.<br />
| <br />
| None<br />
| [[9.5.0-22|9.5.0-X]]<br />
| March 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ValidateDSiWareSectionMAC]] [[AES_Registers|AES]] keyslot reuse<br />
| When the input DSiWare section index is higher than <max number of DSiWare sections supported by this FIRM>, Process9 uses keyid 0x40 for calculating the AESMAC, which translates to keyslot 0x40. The result is that the keyslot is left at whatever was already selected before, since the AES selectkeyslot code will immediately return when keyslot is >=0x40. However, actually exploiting this is difficult: the calculated AESMAC is never returned, this command just compares the calculated AESMAC with the input AESMAC(result-code depends on whether the AESMACs match). It's unknown whether a timing attack would work with this.<br />
This is basically a different form of the pxips9 keyslot vuln, except with AESMAC etc.<br />
| See description.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March 15, 2015<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| pxips9 [[AES_Registers|AES]] keyslot reuse<br />
| This requires access to the [[Process_Services|ps:ps]]/pxi:ps9 services. One way to get access to this would be snshax on system-version <=10.1.0-X(see 32c3 3ds talk).<br />
When an invalid key-type value is passed to any of the PS commands, Process9 will try to select keyslot 0x40. That aesengine_setkeyslot() code will then immediately return due to the invalid keyslot value. Since that function doesn't return any errors, Process9 will just continue to do crypto with whatever AES keyslot was selected before the PS command was sent.<br />
| Reusing the previously used keyslot, for crypto with PS.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Roughly the same time(same day?) as firmlaunch-hax.<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| firmlaunch-hax: FIRM header ToCToU<br />
| This can't be exploited from ARM11 userland.<br />
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.<br />
With [[9.5.0-22]] the address of this FIRM header was changed from a FCRAM address, to ARM9-only address 0x01fffc00.<br />
| ARM9 code execution<br />
| [[9.5.0-22]]<br />
| <br />
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Uninitialized data output for (PXI) command replies<br />
| PXI commands for various services(including some [[Filesystem_services_PXI|here]] and many others) can write uninitialized data (like from ARM registers) to the command reply. This happens with stubbed commands, but this can also occur with certain commands when returning an error.<br />
Certain ARM11 service commands have this same issue as well.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| ?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Filesystem_services_PXI|FSPXI]] OpenArchive SD permissions<br />
| Process9 does not use the exheader ARM9 access-mount permission flag for SD at all.<br />
This would mean ARM11-kernelmode code / fs-module itself could directly use FSPXI to access SD card without ARM9 checking for SD access, but this is rather useless since a process is usually running with SD access(Home Menu for example) anyway.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ExportDSiWare]] export path<br />
| Process9 allocates memory on Process9 heap for the export path then verifies that the actual allocated size matches the input size. Then Process9 copies the input path from FCRAM to this buffer, and uses it with the Process9 FS openfile code, which use paths in the form of "<mountpoint>:/<path>".<br />
Process9 does not check the contents of this path at all before passing it to the FS code, besides writing a NUL-terminator to the end of the buffer.<br />
| Exporting of DSiWare to arbitrary Process9 file-paths, such as "nand:/<path>" etc. This isn't really useful since the data which gets written can't be controlled.<br />
| None<br />
| [[9.5.0-22]]<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DSiWare_Exports]] [[CTCert]] verification<br />
| Just like DSi originally did, 3DS verifies the APCert for DSiWare on SD with the CTCert also in the DSiWare .bin. On DSi this was fixed with with system-version 1.4.2 by verifying with the actual console-unique cert instead(stored in NAND), while on 3DS it's still not(?) fixed.<br />
On 3DS however this is rather useless, due to the entire DSiWare .bin being encrypted with the console-unique movable.sed keyY.<br />
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.<br />
| Unknown, probably none.<br />
| ?<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size<br />
| The u8 REG_CTRCARDCNT transfer-size parameter for the [[Gamecard_Services_PXI]] read/write CTRCARD commands is used as an index for an array of u16 values. Before [[5.0.0-11|5.0.0-X]] this u8 value wasn't checked, thus out-of-bounds reads could be triggered(which is rather useless in this case).<br />
| Out-of-bounds read for a value which gets written to a register.<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] cmdbuf buffer overrun<br />
| The Process9 code responsible [[PXI_Registers|PXI]] communications didn't verify the size of the incoming command before writing it to a C++ member variable. <br />
| Probably ARM9 code execution<br />
| [[5.0.0-11|5.0.0-11]]<br />
| <br />
| March 2015, original timeframe if any unknown<br />
| <br />
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)<br />
|-<br />
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])<br />
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| May 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Process_Services_PXI|PS RSA]] commands buffer overflows<br />
| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.<br />
The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] pxi_id bad check<br />
| The Process9 code responsible for [[PXI_Registers|PXI]] communications read pxi_id as a signed char. There were two flaws:<br />
* They used it as index to a lookup-table without checking the value at all.<br />
* Another function verified that pxi_id < 7, allowing negative values to pass the check. This would also cause an out-of-range table-lookup.<br />
| Maybe ARM9 code execution<br />
| [[3.0.0-5|3.0.0-5]]<br />
|<br />
| March 2015, originally 2012 for the first issue at least<br />
| <br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]], maybe others(?)<br />
|}<br />
<br />
=== Kernel9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9<br />
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.<br />
<br />
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).<br />
<br />
This flaw resurged when it gained a new practical use: retrieving the OTP data for a New3DS console in order to decrypt the key data used in arm9loader (see enhanced-arm9loaderhax / description). This was performed by downgrading to a vulnerable system version. By accounting for differences in CTR-NAND crypto (0x05 -> 0x04, see partition encryption types [[Flash_Filesystem#NAND_structure|here]]), it is possible to boot a New3DS using Old3DS firmware 1.0-2.X and an Old3DS [[NCSD#NCSD_header|NCSD Header]] to retrieve the required OTP data using this flaw.<br />
| Dumping of the [[OTP Registers|OTP]] area<br />
| [[3.0.0-5|3.0.0-X]]<br />
|<br />
| February 2015<br />
| [[User:Plutooo|plutoo]], Normmatt independently<br />
|}<br />
<br />
== ARM11 software ==<br />
=== Kernel11 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[SVC]] table too small<br />
| The table of function pointers for SVC's only contains entries up to 0x7D, but the biggest allowed SVC for the table is 0x7F. Thus, executing SVC7E or SVC7F would make the SVC-handler read after the buffer, and interpret some ARM instructions as function pointers.<br />
<br />
However, this would require patching the kernel .text or modifying SVC-access-control. Even if you could get these to execute, they would still jump to memory that isn't mapped as executable.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| 2012<br />
| Everyone<br />
|-<br />
| [[SVC|svcBackdoor (0x7B)]]<br />
| This backdoor allows executing SVC-mode code at the user-specified code-address. This is used by Process9, using this on the ARM11 (with NATIVE_FIRM) required patching the kernel .text or modifying SVC-access-control.<br />
| See description<br />
| [[11.0.0-33|11.0.0-X]] (deleted)<br />
| <br />
|<br />
| Everyone<br />
|-<br />
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory<br />
| The ARM11 kernel-mode 0xEFF00000/0xDFF00000 virtual-memory(size 0x100000) is mapped to phys-mem 0x1FF00000(entire DSP-mem + entire AXIWRAM), with permissions RW-. This is used during ARM11 kernel startup for loading the FIRM-modules from the FIRM section located in DSP-mem, this never seems to be used after that, however. This is never unmapped either.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| <br />
| <br />
|-<br />
| memchunkhax2.1<br />
| Nintendo's fix for memchunkhax2 in [[10.4.0-29|10.4.0-X]] did not fix the GPU case: one may cause the requisite ToCToU race using gspwn, bypassing the new validation.<br />
derrek's original 32c3 presentation for memchunkhax2 commented that a GPU-based attack was possible, but would be difficult. However, memchunkhax2.1 showed that it was possible to do fairly reliably.<br />
| ARM11 kernel code execution<br />
| None<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek, aliaspider<br />
|-<br />
| memchunkhax2<br />
| <br />
| ARM11 kernel code execution<br />
| [[10.4.0-29|10.4.0-X]] (partially)<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek<br />
|-<br />
| heaphax<br />
| Can change the size of free memchunk structures stored in FCRAM using DMA, which leads to the ability to allocate memory chunks over already-allocated memory. This can be used in the SYSTEM region to allocate RW memory over any part of the NS system module, which is enough to take it over.<br />
| Code execution with access to all of NS's privileges. (including downgrading) Code execution within any applet.<br />
| [[11.0.0-33|11.0.0-X]], via the new [[Memory_Management#MemoryBlockHeader|memchunkhdr]] MAC which prevents modifying memchunkhdr data with DMA.<br />
| [[11.0.0-33|11.0.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| snshax<br />
| Can force creation of Safe NS process into gspwn-able memory, allowing for takeover.<br />
| Code execution with access to all of NS's privileges. (including downgrading)<br />
| [[10.1.0-27|10.1.0-X]]<br />
| [[10.1.0-27|10.1.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| AffinityMask/processorid validation<br />
| With [[10.0.0-27|10.0.0-X]] the following functions were updated: svcGetThreadAffinityMask, svcGetProcessAffinityMask, svcSetProcessAffinityMask, and svcCreateThread. The code changes for all but svcCreateThread are identical.<br />
The original code with the first 3 did the following: <br />
* if(u32_processorcount > ~0x80000001)return 0xe0e01bfd;<br />
* if(s32_processorcount > <total_cores>)return 0xd8e007fd;<br />
The following code replaced the above:<br />
* if(u32_processorcount >= <total_cores+1>)return 0xd8e007fd;<br />
In theory the latter should catch everything that the former did, so it's unknown if this was really a security issue.<br />
<br />
The svcCreateThread changes with [[10.0.0-27|10.0.0-X]] definitely did fix a security issue.<br />
* Original code: "if(s32_processorid > <total_cores>)return 0xd8e007fd;"<br />
* New code: "if(s32_processorid >= <total_cores> || s32_processorid <= -4)return 0xd8e007fd;"<br />
This fixed an off-by-one issue: if one would use processorid=total_cores, which isn't actually a valid value, svcCreateThread would accept that value on <[[10.0.0-27|10.0.0-X]]. This results in data being written out-of-bounds(baseaddr = arrayaddr + entrysize*processorid), which has the following result:<br />
* Old3DS: Useless kernel-mode crash due to accessing unmapped memory.<br />
* New3DS: uncontrolled data write into a kernel-mode L1 MMU-table. This isn't really useful: the data can't be controlled, and the data which gets overwritten is all-zero anyway(this isn't anywhere near MMU L1 entries for actually mapped memory).<br />
The previous version also allowed large negative s32_processorid values(negative processorid values are special values not actual procids), but it appears using values like that won't actually do anything(meaning no crash) besides the thread not running / thread not running for a while(besides triggering a kernelpanic with certain s32_processorid value(s)).<br />
| Nothing useful<br />
| [[10.0.0-27|10.0.0-X]]<br />
| [[10.0.0-27|10.0.0-X]]<br />
| svcCreateThread issue: May 31, 2015. The rest: September 8, 2015, via v9.6->v10.0 ARM11-kernel code-diff.<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| memchunkhax<br />
| The kernel originally did not validate the data stored in the FCRAM kernel heap [[Memchunkhdr|memchunk-headers]] for free-memory at all. Exploiting this requires raw R/W access to these memchunk-headers, like physical-memory access with gspwn.<br />
<br />
There are ''multiple'' ways to exploit this, but the end-result for most of these is the same: overwrite code in AXIWRAM via the 0xEFF00000/0xDFF00000 kernel virtual-memory mapping.<br />
<br />
This was fixed in [[9.3.0-21|9.3.0-X]] by checking that the memchunk(including size, next, and prev ptrs) is located within the currently used heap memory. The kernel may also check that the next/prev ptrs are valid compared to other memchunk-headers basically. When any of these checks fail, kernelpanic() is called.<br />
| When combined with other flaws: ARM11-kernelmode code execution<br />
| [[9.3.0-21|9.3.0-21]]<br />
| <br />
| February 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Multiple [[KLinkedListNode|KLinkedListNode]] SlabHeap use after free bugs<br />
| The ARM11-kernel did access the 'key' field of [[KLinkedListNode|KLinkedListNode]] objects, which are located on the SlabHeap, after freeing them. Thus, triggering an allocation of a new [[KLinkedListNode|KLinkedListNode]] object at the right time could result in a type-confusion. Pseudo-code:<br />
SlabHeap_free(KLinkedListNode);<br />
KObject *obj = KLinkedListNode->key; // the object there might have changed!<br />
This bug appeared all over the place.<br />
| ARM11-kernelmode code exec maybe<br />
| [[8.0.0-18|8.0.0-18]]<br />
| <br />
| April 2015<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with [[6.0.0-11|6.0.0]] PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered.<br />
| <br />
| [[6.0.0-11|6.0.0-11]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcStartInterProcessDma]]<br />
| For svcStartInterProcessDma, the kernel code had the following flaws:<br />
<br />
* Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction.<br />
<br />
* Integer overflows for srcaddr+size and dstaddr+size are now checked(with [[6.0.0-11]]), which were not checked before.<br />
<br />
* The kernel now also checks whether the srcaddr/dstaddr (+size) is within userland memory (0x20000000), the kernel now (with [[6.0.0-11]]) returns an error when the address is beyond userland memory. Using an address >=0x20000000 would result in the kernel reading from the process L1 MMU table, beyond the memory allocated for that MMU table(for vaddr->physaddr conversion). <br />
| <br />
| [[6.0.0-11]]<br />
| <br />
| DmaConfig issue: unknown. The rest: 2014<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] independently<br />
|-<br />
| [[SVC|svcControlMemory]] Parameter checks<br />
| For svcControlMemory the parameter check had these two flaws:<br />
<br />
* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. However, the kernel doesn't actually use the input address for LINEAR memory-mapping at all besides the range-checks, so this isn't actually useful. This was fixed in the kernel by just checking for the LINEAR bit, instead of comparing the entire MemoryOperation value with 0x10003.<br />
<br />
* Integer overflows on (addr0+size) are now checked that previously weren't (this also applies to most other address checks elsewhere in the kernel).<br />
<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
|<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] request/response buffer overflow<br />
| Originally the kernel did not check the word-values from the command-header. Starting with [[5.0.0-11]], the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words (0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread. However, since the data written there would be translate parameters (such as header-words + buffer addresses), exploiting this would likely be very difficult, if possible at all.<br />
<br />
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|SVC stack allocation overflows]]<br />
| <br />
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun. <br />
* The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow.<br />
<br />
This might allow for ARM11 kernel code-execution.<br />
<br />
(Applies to svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN.)<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] complementary<br />
|-<br />
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions<br />
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.<br />
| <br />
| [[4.1.0-8]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions<br />
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== [[FIRM]] Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[Services|"srv:pm"]] process registration<br />
| Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.<br />
<br />
This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it. With [[7.0.0-13]] there can only be one session for "srv:pm" open at a time(this is used by pm module), svcBreak will be executed if more sessions are opened by the processes which can access this.<br />
<br />
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).<br />
| Access to arbitrary services<br />
| [[7.0.0-13]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| FSDIR null-deref<br />
| [[Filesystem_services|FS]]-module may crash in some cases when handling directory reading. The trigger seems to be due to using [[FSDir:Close]] without closing the dir-handle afterwards?(Perhaps this is caused by out-of-memory?) This seems to be useless since it's just a null-deref.<br />
| <br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| May 19(?)-20, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Standalone Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in system-module system-version<br />
! Last system-module system-version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Timeframe this was added to wiki<br />
! Discovered by<br />
|-<br />
| [[MVD_Services|MVD]]: Stack buffer overflow with [[MVDSTD:SetupOutputBuffers]].<br />
| The input total_entries is not validated when initially processing the input entry-list. This fixed-size input entry-list is copied to stack from the command request. The loop for processing this initializes a global table, the converted linearmem->physaddrs used there are also copied to stack(0x8-bytes of physaddrs per entry).<br />
<br />
If total_entries is too large, MVD-sysmodule will crash due to reading unmapped memory following the stack(0x10000000). Afterwards if the out-of-bounds total_entries is smaller than that, it will crash due accessing address 0x0, hence this useless.<br />
| MVD-sysmodule crash.<br />
| None<br />
| [[9.0.0-20]]<br />
| April 22, 2016 (Tested on the 25th)<br />
| April 25, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process.<br />
| See the HTTP-sysmodule section below.<br />
<br />
CTRSDK heap is used with the sharedmem from [[NWMUDS:InitializeWithVersion]]. Buffers are allocated/freed under this heap using [[NWMUDS:Bind]] and [[NWMUDS:Unbind]].<br />
<br />
Hence, overwriting sharedmem with gspwn then using [[NWMUDS:Unbind]] results in the usual controlled CTRSDK memchunk-header write, similar to HTTP-sysmodule.<br />
<br />
This could be done by creating an UDS network, without any other nodes on the network.<br />
<br />
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem.<br />
| ROP under NWM-module.<br />
| None<br />
| [[9.0.0-20|9.0.0-X]]<br />
| April 10, 2016<br />
| April 16, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation<br />
| DLP doesn't validate the frame_size when receiving spectator data-frames at all, unlike non-spectator data-frames. The actual spectator data-frame parsing code doesn't use that field either. However, the data-frame checksum calculation code called during checksum verification does use the frame_size for loading the size of the framebuf.<br />
<br />
Hence, using a large frame_size like 0xFFFF will result in the checksum calculation code reading data out-of-bounds. This isn't really useful, you could trigger a remote local-WLAN DLP-sysmodule crash while a 3DS system is scanning for DLP networks(due to accessing unmapped memory), but that's about all(trying to infoleak with this likely isn't useful either).<br />
| DLP-sysmodule crash, handled by dlplay system-application by a "connection interrupted" error eventually then a fatal-error via ErrDisp.<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8, 2016 (Tested on the 10th)<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds output data writing during spectator sysupdate titlelist [[Download_Play|data-frame]] handling<br />
| The total_entries and out_entryindex fields for the titlelist DLP spectator data-frames are not validated. This is parsed during DLP network scanning. Hence, the specified titlelist data can be written out-of-bounds using the specified out_entryindex and total_entries. A crash will occur while reading the input data-frame titlelist if total_entries is larger than 0x27A, due to accessing unmapped memory.<br />
<br />
There's not much non-zero data to overwrite following the output buffer(located in sharedmem), any ptrs are located in sharedmem. Overwriting certain ptr(s) are only known to cause a crash when attempting to use the DLP-client shutdown service-command.<br />
<br />
There's no known way to exploit the above crash, since the linked-list code involves writes zeros(with a controlled start ptr).<br />
| <br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8-9, 2016<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[IR_Services|IR]]: Stack buffer overflow with custom hardware<br />
| Originally IR sysmodule used the read value from the I2C-IR registers TXLVL and RXLVL without validating them at all. See [[10.6.0-31|here]] for the fix. This is the size used for reading the data-recv FIFO, etc. The output buffer for reading is located on the stack.<br />
<br />
This should be exploitable if one could successfully setup the custom hardware for this and if the entire intended sizes actually get read from I2C.<br />
| ROP under IR sysmodule.<br />
| [[10.6.0-31|10.6.0-31]]<br />
| <br />
| February 23, 2016 (Unknown if it was noticed before then)<br />
| February 23, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HTTP_Services|HTTP]]: Using CTRSDK heap with sharedmem from the user-process.<br />
| The data from httpcAddPostDataAscii and other commands is stored under a CTRSDK heap. That heap is the sharedmem specified by the user-process via the HTTPC Initialize command.<br />
Normally this sharedmem isn't accessible to the user-process once the sysmodule maps it, hence using it is supposed to be "safe".<br />
<br />
This isn't the case due to gspwn however. Since CTRSDK heap code is so insecure in general, one can use gspwn to locate the HTTPC sharedmem + read/write it, then trigger a mem-write under the sysmodule. This can then be used to get ROP going under HTTP-sysmodule.<br />
<br />
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].<br />
| ROP under HTTP sysmdule.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])<br />
| Late 2015<br />
| March 22, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NIM_Services|NIM]]: Downloading old title-versions from eShop<br />
| Multiple NIM service commands(such as [[NIMS:StartDownload]]) use a title-version value specified by the user-process, NIM does not validate that this input version matches the latest version available via SOAP. Therefore, when combined with AM(PXI) [[#Process9|title-downgrading]] via deleting the target eShop title with System Settings Data Management(if the title was already installed), this allows downloading+installing any title-version from eShop ''if'' it's still available from CDN.<br />
The easiest way to exploit this is to just patch the eShop system-application code using these NIM commands(ideally the code which loads the title-version).<br />
<br />
Originally this was tested with a debugging-system via modded-FIRM, eventually smea implemented it in HANS for the 32c3 release.<br />
| Downloading old title-versions from eShop<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| October 24, 2015 (Unknown when exactly the first eShop title downgrade was actually tested, maybe November)<br />
| January 7, 2016 (Same day Ironfall v1.0 was removed from CDN via the main-CXI files)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SPI_Services|SPI]] service out-of-bounds write<br />
| cmd1 has out-of-bounds write allowing overwrite of some static variables in .data.<br />
| <br />
| None<br />
| [[9.5.0-22]]<br />
| March 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[NFC_Services|NFC]] module service command buf-overflows<br />
| NFC module copies data with certain commands, from command input buffers to stack without checking the size. These commands include the following, it's unknown if there's more commands with similar issues: "nfc:dev" <0x000C....> and "nfc:s" <0x0037....>.<br />
Since both of these commands are stubbed in the Old3DS NFC module from the very first version(those just return an error), these issues only affect the New3DS NFC module.<br />
<br />
There's no known retail titles which have access to either of these services.<br />
| ROP under NFC module.<br />
| New3DS: None<br />
| New3DS: [[9.5.0-22]]<br />
| December 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[News_Services|NEWSS]] service command notificationID validation failure<br />
| This module does not validate the input notificationID for <nowiki>"news:s"</nowiki> service commands. This is an out-of-bounds array index bug. For example, [[NEWSS:SetNotificationHeader]] could be used to exploit news module: this copies the input data(size is properly checked) to: out = newsdb_savedata+0x10 + (someu32array[notificationID]*0x70).<br />
| ROP under news module.<br />
| None<br />
| [[9.7.0-25|9.7.0-X]]<br />
| December 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWMUDS:DecryptBeaconData]] heap buffer overflow<br />
| input_size = 0x1E * <value the u8 from input_[[NWM_Services|networkstruct]]+0x1D>. Then input_tag0 is copied to a heap buffer. When input_size is larger than 0xFA-bytes, it will then copy input_tag1 to <end_address_of_previous_outbuf>, with size=input_size-0xFA.<br />
<br />
This can be triggered by either using this command directly, or by boadcasting a wifi beacon which triggers it while a 3DS system running the target process is in range, when the process is scanning for hosts to connect to. Processes will only pass tag data to this command when the wlancommID and other thing(s) match the values for the process.<br />
<br />
There's no known way to actually exploit this for getting ROP under NWM-module, at the time of originally adding this to the wiki. This is because the data which gets copied out-of-bounds *and* actually causes crash(es), can't be controlled it seems(with just broadcasting a beacon at least). It's unknown whether this could be exploited from just using NWMUDS service-cmd(s) directly.<br />
| Without any actual way to exploit this: NWM-module DoS, resulting in process termination(process crash). This breaks *everything* involving wifi comms, a reboot is required to recover from this.<br />
| None<br />
| [[9.0.0-20]]<br />
| ~September 23, 2014(see the [[NWMUDS:DecryptBeaconData]] page history)<br />
| August 3, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HID_Services|HID]] module shared-mem<br />
| HID module does not validate the index values in [[HID_Shared_Memory|sharedmem]](just changes index to 0 when index == maxval when updating), therefore large values will result in HID module writing HID data to arbitrary addresses.<br />
| ROP under HID module, but this is *very* unlikely to be exploitable since the data written is HID data.<br />
| None<br />
| [[9.3.0-21]]<br />
| 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| gspwn<br />
| GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text([[Home Menu]], [[Internet Browser]], etc) is located beyond the area accessible by the GPU, except for [[RO_Services|CROs]] used by applets([[Internet Browser]] for example).<br />
<br />
FCRAM is gpu-accessible up to physaddr 0x26800000 on Old3DS, and 0x2DC00000 on New3DS. This is BASE_memregion_start(aka SYSTEM_memregion_end)-0x400000 with the default memory-layout on Old3DS/New3DS.<br />
| User-mode code execution.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Early 2014<br />
| <br />
| smea, [[User:Yellows8|Yellows8]]/others before then<br />
|-<br />
| rohax<br />
| Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. Badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D.<br />
<br />
This was fixed after [[ninjhax]] release by adding checks on [[CRO0]]-based pointers before writing to them.<br />
| Memory-mapping syscalls.<br />
| [[9.3.0-21]]<br />
| [[9.4.0-21]]<br />
| <br />
| <br />
| smea, [[User:Plutooo|plutoo]] joint effort<br />
|-<br />
| Region free<br />
| Only [[Home Menu]] itself checks gamecards' region when launching them. Therefore, any application launch that is done directly with [[NS]] without signaling Home Menu to launch the app, will result in region checks being bypassed.<br />
This essentially means launching the gamecard with the [[NS_and_APT_Services|"ns:s"]] service. The main way to exploit this is to trigger a FIRM launch with an application specified, either with a normal FIRM launch or a hardware [[NSS:RebootSystem|reboot]].<br />
| Launching gamecards from any region + bypassing Home Menu gamecard-sysupdate installation<br />
| None<br />
| Last tested with [[10.1.0-27|10.1.0-X]].<br />
| June(?) 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]] service-cmd state null-ptr deref<br />
| The NWMUDS service command code loads a ptr from .data, adds an offset to that, then passes that as the state address for the actual command-handler function. The value of the ptr loaded from .data is not checked, therefore this will cause crashes due to that being 0x0 when NWMUDS was not properly initialized.<br />
It's unknown whether any NWM services besides NWMUDS have this issue.<br />
| This is rather useless since it's only a crash caused by a state ptr based at 0x0.<br />
| None<br />
| [[9.0.0-20]]<br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== General/CTRSDK ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in version<br />
! Last version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[NWM_Services|UDS]] beacon additional-data buffer overflow<br />
| Originally CTRSDK did not validate the UDS additional-data size before using that size to copy the additional-data to a [[NWM_Services|networkstruct]]. This was eventually fixed.<br />
This was discovered while doing code RE with an old dlp-module version. It's unknown in what specific CTRSDK version this was fixed, or even what system-version updated titles with a fixed version.<br />
<br />
It's unknown if there's any titles using a vulnerable CTRSDK version which are also exploitable with this(dlp module can't be exploited with this).<br />
<br />
The maximum number of bytes that can be written beyond the end of the outbuf is 0x37-bytes, with additionaldata_size=0xFF.<br />
| Perhaps ROP, very difficult if possible with anything at all<br />
| ?<br />
| <br />
| September(?) 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=3DS_System_Flaws&diff=183033DS System Flaws2016-09-27T05:34:21Z<p>Dark samus: /* arm9loader */</p>
<hr />
<div>Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of publicly known system flaws, for userland applications/applets flaws see [[3DS_Userland_Flaws|here]].<br />
<br />
=Stale / Rejected Efforts=<br />
* Neimod has been working on a RAM dumping setup for a little while now. He's de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS' PCB up to a custom RAM dumping setup. A while ago he published photos showing his setup to be working quite well, with the 3DS successfully booting up. However, his flickr stream is now private along with most of his work.<br />
<br />
* Someone (who will remain unnamed) has released CFW and CIA installers, all of which is copied from the work of others, or copyrighted material.<br />
<br />
==Tips and info==<br />
The 3DS uses the XN feature of the ARM11 processor. There's no official way from applications to enable executable permission for memory containing arbitrary unsigned code(there's a [[SVC]] for this, but only [[RO_Services|RO-module]] has access to it). An usable userland exploit would still be useful: you could only do return-oriented-programming with it initially. From ROP one could then exploit system flaw(s), see below.<br />
<br />
SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped(accessing SD data is far easier by running code on the target 3DS however).<br />
<br />
=System flaws=<br />
== Hardware ==<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with hardware model/revision<br />
! Newest hardware model/revision this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| ARM9/ARM11 bootrom vectors point at unitialized RAM<br />
| ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM. <br />
Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc.<br />
The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.<br />
<br />
This requires *very* *precise* timing for triggering the hardware fault: it's unknown if anyone actually exploited this successfully at the time of writing(the one who attempted+discovered it *originally* as listed in this wiki section hasn't).<br />
| None: all available 3DS models at the time of writing have the exact same ARM9/ARM11 bootrom for the unprotected areas.<br />
| New3DS<br />
| End of February 2014<br />
| [[User:Derrek|derrek]], WulfyStylez (May 2015) independently<br />
|-<br />
| Missing AES key clearing<br />
| The hardware AES engine does not clear keys when doing a hard reset/reboot.<br />
| None<br />
| New3DS<br />
| August 2014<br />
| Mathieulh/Others<br />
|-<br />
| No RAM clearing on reboots<br />
| On an MCU-triggered reboot all RAM including FCRAM/ARM9 memory/AXIWRAM/VRAM keeps its contents.<br />
| None<br />
| New3DS<br />
| March 2014<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| 32bits of actual console-unique TWLNAND keydata<br />
| On retail the 8-bytes at ARM9 address [[Memory_layout|0x01FFB808]] are XORed with hard-coded data, to generate the TWL console-unique keys, including TWLNAND. On Old3DS the high u32 is always 0x0, while on New3DS that u32 is always 0x2. On top of this, the lower u32's highest bit is always ORed. only 31 bits of the TWL console-unique keydata / TWL consoleID are actually console-unique.<br />
This allows one to easily bruteforce the TWL console-unique keydata with *just* data from TWLNAND. On DSi the actual console-unique data for key generation is 8-bytes(all bytes actually set).<br />
| None<br />
| New3DS<br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| DSi / 3DS-TWL key-generator<br />
| After using the key generator to generate the normal-key, you could overwrite parts of the normal-key with your own data and then recover the key-generator output by comparing the new crypto output with the original crypto output. From the normal-key outputs, you could deduce the TWL key-generator function.<br />
This applies to the keyX/keyY too.<br />
<br />
This attack does not work for the 3DS key-generator because keyslots 0-3 are only for TWL keys.<br />
| None<br />
| New3DS<br />
| 2011<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| 3DS key-generator<br />
| The algorithm for generating the normal-keys for keyslots is cryptographically weak. As a result, it is easily susceptible to differential cryptanalysis if the normal-key corresponding to any scrambler-generated keyslot is discovered.<br />
<br />
Several such pairs of matching normal-keys and KeyY values were found, leading to deducing the key-generator function.<br />
| None<br />
| New3DS<br />
| February 2015<br />
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]<br />
|-<br />
| FIRM partitions known-plaintext<br />
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.<br />
<br />
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).<br />
<br />
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.<br />
| None<br />
| New3DS<br />
| <br />
| Everyone<br />
|}<br />
<br />
== ARM9 software ==<br />
=== arm9loader ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Rearrangable keys in the NAND keystore<br />
| Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way. Combining this with the arm9loaderhax and uncleared hash keydata vulnerabilities, one can achieve arm9loaderhax without downgrading to a system version that exposes the OTP data, or using a hardware method. The NAND keystore must be encrypted with console-unique data; therefore, this is not achievable on Old 3DS or 2DS.<br />
| arm9loaderhax achieveable with no extra hardware and without downgrading to a system version which exposes the OTP.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Early 2016<br />
| 27 September 2016<br />
| [[User:Dark samus|dark_samus]]<br />
|-<br />
| Uncleared OTP hash keydata in console-unique 0x11 key-generation<br />
| Kernel9Loader does not clear the [[SHA_Registers#SHA_HASH|SHA_HASH register]] after use. As a result, the data stored here as K9L hands over to Kernel9 is the hash of [[OTP_Registers|OTP data]] used to seed the [[FIRM#New_3DS_FIRM|console-unique NAND keystore decryption key]] set on keyslot 0x11.<br />
<br />
Retrieving this keydata and the [[Flash_Filesystem#0x12C00|NAND keystore]] of the same device allows calculating the decrypted New3DS NAND keystore (non-unique, common to all New3DS units), which contains AES normal keys, also set on keyslot 0x11, which are then used to derive all current [[AES_Registers#Keyslots|New3DS-only AES keyXs]] including the newer batch introduced in [[9.6.0-24#arm9loader|9.6.0-X]]. From there, it is trivial to perform the same key derivation in order to initialize those keys on any system version, and even on Old3DS.<br />
<br />
This can be performed by exploiting the "arm9loaderhax" vulnerability to obtain post-K9L code execution after an MCU reboot (the bootrom section-loading fail is not relevant here, this attack was performed without OTP data by brute-forcing keys), and using this to dump the SHA_HASH register. This attack works on any FIRM version shipping a vulnerable version of K9L, whereas OTP dumping required a boot of <[[3.0.0-6|3.0.0-X]].<br />
<br />
This attack results in obtaining the entire (0x200-bytes) NAND keystore - it was confirmed at a later date that this keystore is encrypted with the same key (by comparing the decrypted data from multiple units), and therefore using another key in this store will not remedy the issue as all keys are known (i.e. later, unused keys decrypt to the same 0x200-bytes constant with the same OTP hash). Later keys could have been encrypted differently but this is not the case. As a result of this, it is not possible for Nintendo to use K9L again in its current format for its intended purpose, though this was not news from the moment people dumped a New3DS OTP.<br />
| Derivation of all New3DS keys generated via the NAND keystore (0x1B "Secure4" etc.)<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| ~April 2015, implemented in May 2015<br />
| 13 January 2016<br />
| [[User:WulfyStylez|WulfyStylez]], [[User:Dazzozo|Dazzozo]], [[User:Shinyquagsire23|shinyquagsire23]] (complimentary + implemented), [[User:Plutooo|plutoo]], Normmatt (discovered independently)<br />
|-<br />
| enhanced-arm9loaderhax<br />
| See the 32c3 3ds talk.<br />
Since this is a combination of a trick with the arm9-bootrom + arm9loaderhax, and since you have to manually write FIRM to the firm0/firm1 NAND partitions, this can't be completely fixed. Any system with existing ARM9 code execution and an OTP/OTP hash dump can exploit this. Additionally, by using the FIRM partition known-plaintext bug and bruteforcing the second entry in the keystore, this can currently be exploited on all New3DS systems without any other prerequisite hacks.<br />
| arm9loaderhax which automatically occurs at hard-boot.<br />
| See arm9loaderhax / description.<br />
| See arm9loaderhax / description.<br />
| Theorized around mid July, 2015. Later implemented+tested by [[User:Plutooo|plutoo]] and derrek.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Missing verification-block for the 9.6 keys (arm9loaderhax)<br />
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, no verification block was added to verify that the new key read from NAND is correct. This was technically an issue from [[9.5.0-22|9.5.0-X]] with the original sector+0 keydata, however the below is only possible with [[9.6.0-24|9.6.0-X]] since keyslots 0x15 and 0x16 are generated from different 0x11 keyXs.<br />
<br />
Writing an incorrect key to NAND will cause arm9loader to decrypt the ARM9 kernel as garbage and then jump to it.<br />
<br />
This allows an hardware-based attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process with various input keydata, eventually you'll find some garbage that jumps to your code.<br />
<br />
This gives very early ARM9 code execution (pre-ARM9 kernel). As such, it is possible to dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init. <br />
<br />
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.<br />
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March, 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Uncleared New3DS keyslot 0x11<br />
| Originally the New3DS [[FIRM]] arm9bin loader only cleared keyslot 0x11 when it gets executed at firmlaunch. This was fixed with [[9.5.0-22|9.5.0-X]] by completely clearing keyslot 0x11 immediately after the loader finishes using keyslot 0x11.<br />
This means that any ARM9 code that can execute before the loader clears the keyslot at firmlaunch(including firmlaunch-hax) can get access to the uncleared keyslot 0x11, which then allows one to generate all <=v9.5 New3DS keyXs which are generated by keyslot 0x11.<br />
<br />
Therefore, to completely fix this the loader would have to generate more keys using different keyslot 0x11 keydata. This was done with [[9.6.0-24|9.6.0-X]].<br />
| New3DS keyXs generation<br />
| Mostly fixed with [[9.5.0-22|9.5.0-X]], completely fixed with new keys with [[9.6.0-24|9.6.0-X]].<br />
| <br />
| February 3, 2015 (one day after [[9.5.0-22|9.5.0-X]] release)<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Process9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Leak of normal-key matching a key-scrambler key<br />
| New 3DS firmware versions [[8.1.0-0 New3DS|8.1.0]] through [[9.2.0-20|9.2.0]] set the encryption key for [[Amiibo]] data using a hardcoded normal-key in Process9. In firmware [[9.3.0-21|9.3.0]], Nintendo "fixed" this by using the key scrambler instead, by calculating the keyY value for keyslot 0x39 that results in the same normal-key, then hardcoding that keyY into Process9.<br />
<br />
Nintendo's fix is actually the problem: Nintendo revealed the normal-key matching an unknown keyX and a known keyY. Combined with the key scrambler using an insecure scrambling algorithm (see "Hardware" above), the key scrambler function could be deduced.<br />
| Deducing the keyX for keyslot 0x39 and the key scrambler algorithm<br />
| New 3DS [[9.3.0-21|9.3.0-X]], sort of<br />
| [[10.0.0-27|10.0.0-X]]<br />
| Sometime in 2015 after the hardware key-generator was broken.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Leak of normal-key matching a key-generator key<br />
| During the 3DS' development (June/July 2010) Nintendo added support installing encrypted content ([[CIA]]). Common-key index1 was intended to be a [[AES|hardware generated key]]. However while they added code to generate the key in hardware, they forgot to remove the normal-key for index1 (used elsewhere, likely old debug code). Nintendo later removed the normal key sometime before the first non-prototype firmware release.<br />
<br />
<br />
Knowing the keyY and the normal-key for common-key index1, the devkit key-generator algorithm can be deduced (see "Hardware" above). Additionally the remaining devkit common-keys can be generated once the common-key keyX is recovered.<br />
<br />
Note the devkit key-generator was discovered to be the same as the retail key-generator.<br />
| Deducing the keyX for keyslot 0x3D and hardware key-generator algorithm. Generate remaining devkit common-keys.<br />
| pre-[[1.0.0-0|1.0.0-X]]<br />
| <br />
| Shortly after the key-generator was revealed to be flawed at the 32c3 3ds talk<br />
| January 20, 2016<br />
| [[User:Jakcron|jakcron]]<br />
|-<br />
| ntrcardhax<br />
| <br />
| ARM9 code execution<br />
| 10.4.0-29<br />
| <br />
| March 2015<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Title downgrading via [[Application_Manager_Services|AM]]([[Application_Manager_Services_PXI|PXI]])<br />
| When a title is *already* installed, Process9 will compare the installed title-version with the title-version being installed. When the one being installed is older, Process9 would return an error.<br />
<br />
However, this can be bypassed by just deleting the title first via the service command(s) for that: with the title removed from the [[Title_Database]], Process9 can't compare the input title-version with anything. Hence, titles can be downgraded this way.<br />
<br />
[[11.0.0-33|11.0.0-X]] fixed this for key system titles (MSET, Home Menu, spider, ErrDisp, SKATER, NATIVE_FIRM, and every retail system module), by checking the version of the title to install against a hard-coded list of (titleID, minimumVersionRequired) pairs.<br />
| Bypassing title version check at installation, which then allows downgrading any title.<br />
| [[11.0.0-33|11.0.0-X]], for key system titles.<br />
| NATIVE_FIRM / AM-sysmodule [[11.0.0-33|11.0.0-X]]<br />
| ?<br />
| <br />
| ?<br />
|-<br />
| FAT FS code null-deref<br />
| When FSFile:Read is used with a file which is corrupted on a FAT filesystem(in particular SD), Process9 can crash. This particular crash is caused by a function returning NULL instead of an actual ptr due to an error. The caller of that function doesn't check for NULL which then triggers a read based at NULL.<br />
<br />
Sample "fsck.vfat -n -v -V <fat image backup>" output for the above crash:<br />
<br />
<pre>...<br />
Starting check/repair pass.<br />
<FilePath0> and<br />
<FilePath1><br />
share clusters.<br />
Truncating second to 3375104 bytes.<br />
<FilePath1><br />
File size is 2787392 bytes, cluster chain length is 16384 bytes.<br />
Truncating file to 16384 bytes.<br />
Checking for unused clusters.<br />
Reclaimed 1 unused cluster (16384 bytes).<br />
Checking free cluster summary.<br />
Free cluster summary wrong (1404490 vs. really 1404491)<br />
Auto-correcting.<br />
Starting verification pass.<br />
Checking for unused clusters.<br />
Leaving filesystem unchanged.</pre><br />
| Useless null-based-read<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| July 8-9, 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| RSA signature padding checks<br />
| The TWL_FIRM RSA sig padding check code used for all TWL RSA sig-checks has issues, see [[FIRM|here]].<br />
The main 3DS RSA padding check code(non-certificate, including NATIVE_FIRM) uses the function used with the above to extract more padding + the actual hash from the additional padding. This isn't really a problem here because there's proper padding check code which is executed prior to this.<br />
| <br />
| None<br />
| [[9.5.0-22|9.5.0-X]]<br />
| March 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ValidateDSiWareSectionMAC]] [[AES_Registers|AES]] keyslot reuse<br />
| When the input DSiWare section index is higher than <max number of DSiWare sections supported by this FIRM>, Process9 uses keyid 0x40 for calculating the AESMAC, which translates to keyslot 0x40. The result is that the keyslot is left at whatever was already selected before, since the AES selectkeyslot code will immediately return when keyslot is >=0x40. However, actually exploiting this is difficult: the calculated AESMAC is never returned, this command just compares the calculated AESMAC with the input AESMAC(result-code depends on whether the AESMACs match). It's unknown whether a timing attack would work with this.<br />
This is basically a different form of the pxips9 keyslot vuln, except with AESMAC etc.<br />
| See description.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March 15, 2015<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| pxips9 [[AES_Registers|AES]] keyslot reuse<br />
| This requires access to the [[Process_Services|ps:ps]]/pxi:ps9 services. One way to get access to this would be snshax on system-version <=10.1.0-X(see 32c3 3ds talk).<br />
When an invalid key-type value is passed to any of the PS commands, Process9 will try to select keyslot 0x40. That aesengine_setkeyslot() code will then immediately return due to the invalid keyslot value. Since that function doesn't return any errors, Process9 will just continue to do crypto with whatever AES keyslot was selected before the PS command was sent.<br />
| Reusing the previously used keyslot, for crypto with PS.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Roughly the same time(same day?) as firmlaunch-hax.<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| firmlaunch-hax: FIRM header ToCToU<br />
| This can't be exploited from ARM11 userland.<br />
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.<br />
With [[9.5.0-22]] the address of this FIRM header was changed from a FCRAM address, to ARM9-only address 0x01fffc00.<br />
| ARM9 code execution<br />
| [[9.5.0-22]]<br />
| <br />
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Uninitialized data output for (PXI) command replies<br />
| PXI commands for various services(including some [[Filesystem_services_PXI|here]] and many others) can write uninitialized data (like from ARM registers) to the command reply. This happens with stubbed commands, but this can also occur with certain commands when returning an error.<br />
Certain ARM11 service commands have this same issue as well.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| ?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Filesystem_services_PXI|FSPXI]] OpenArchive SD permissions<br />
| Process9 does not use the exheader ARM9 access-mount permission flag for SD at all.<br />
This would mean ARM11-kernelmode code / fs-module itself could directly use FSPXI to access SD card without ARM9 checking for SD access, but this is rather useless since a process is usually running with SD access(Home Menu for example) anyway.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ExportDSiWare]] export path<br />
| Process9 allocates memory on Process9 heap for the export path then verifies that the actual allocated size matches the input size. Then Process9 copies the input path from FCRAM to this buffer, and uses it with the Process9 FS openfile code, which use paths in the form of "<mountpoint>:/<path>".<br />
Process9 does not check the contents of this path at all before passing it to the FS code, besides writing a NUL-terminator to the end of the buffer.<br />
| Exporting of DSiWare to arbitrary Process9 file-paths, such as "nand:/<path>" etc. This isn't really useful since the data which gets written can't be controlled.<br />
| None<br />
| [[9.5.0-22]]<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DSiWare_Exports]] [[CTCert]] verification<br />
| Just like DSi originally did, 3DS verifies the APCert for DSiWare on SD with the CTCert also in the DSiWare .bin. On DSi this was fixed with with system-version 1.4.2 by verifying with the actual console-unique cert instead(stored in NAND), while on 3DS it's still not(?) fixed.<br />
On 3DS however this is rather useless, due to the entire DSiWare .bin being encrypted with the console-unique movable.sed keyY.<br />
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.<br />
| Unknown, probably none.<br />
| ?<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size<br />
| The u8 REG_CTRCARDCNT transfer-size parameter for the [[Gamecard_Services_PXI]] read/write CTRCARD commands is used as an index for an array of u16 values. Before [[5.0.0-11|5.0.0-X]] this u8 value wasn't checked, thus out-of-bounds reads could be triggered(which is rather useless in this case).<br />
| Out-of-bounds read for a value which gets written to a register.<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] cmdbuf buffer overrun<br />
| The Process9 code responsible [[PXI_Registers|PXI]] communications didn't verify the size of the incoming command before writing it to a C++ member variable. <br />
| Probably ARM9 code execution<br />
| [[5.0.0-11|5.0.0-11]]<br />
| <br />
| March 2015, original timeframe if any unknown<br />
| <br />
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)<br />
|-<br />
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])<br />
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| May 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Process_Services_PXI|PS RSA]] commands buffer overflows<br />
| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.<br />
The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] pxi_id bad check<br />
| The Process9 code responsible for [[PXI_Registers|PXI]] communications read pxi_id as a signed char. There were two flaws:<br />
* They used it as index to a lookup-table without checking the value at all.<br />
* Another function verified that pxi_id < 7, allowing negative values to pass the check. This would also cause an out-of-range table-lookup.<br />
| Maybe ARM9 code execution<br />
| [[3.0.0-5|3.0.0-5]]<br />
|<br />
| March 2015, originally 2012 for the first issue at least<br />
| <br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]], maybe others(?)<br />
|}<br />
<br />
=== Kernel9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9<br />
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.<br />
<br />
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).<br />
<br />
This flaw resurged when it gained a new practical use: retrieving the OTP data for a New3DS console in order to decrypt the key data used in arm9loader (see enhanced-arm9loaderhax / description). This was performed by downgrading to a vulnerable system version. By accounting for differences in CTR-NAND crypto (0x05 -> 0x04, see partition encryption types [[Flash_Filesystem#NAND_structure|here]]), it is possible to boot a New3DS using Old3DS firmware 1.0-2.X and an Old3DS [[NCSD#NCSD_header|NCSD Header]] to retrieve the required OTP data using this flaw.<br />
| Dumping of the [[OTP Registers|OTP]] area<br />
| [[3.0.0-5|3.0.0-X]]<br />
|<br />
| February 2015<br />
| [[User:Plutooo|plutoo]], Normmatt independently<br />
|}<br />
<br />
== ARM11 software ==<br />
=== Kernel11 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[SVC]] table too small<br />
| The table of function pointers for SVC's only contains entries up to 0x7D, but the biggest allowed SVC for the table is 0x7F. Thus, executing SVC7E or SVC7F would make the SVC-handler read after the buffer, and interpret some ARM instructions as function pointers.<br />
<br />
However, this would require patching the kernel .text or modifying SVC-access-control. Even if you could get these to execute, they would still jump to memory that isn't mapped as executable.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| 2012<br />
| Everyone<br />
|-<br />
| [[SVC|svcBackdoor (0x7B)]]<br />
| This backdoor allows executing SVC-mode code at the user-specified code-address. This is used by Process9, using this on the ARM11 (with NATIVE_FIRM) required patching the kernel .text or modifying SVC-access-control.<br />
| See description<br />
| [[11.0.0-33|11.0.0-X]] (deleted)<br />
| <br />
|<br />
| Everyone<br />
|-<br />
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory<br />
| The ARM11 kernel-mode 0xEFF00000/0xDFF00000 virtual-memory(size 0x100000) is mapped to phys-mem 0x1FF00000(entire DSP-mem + entire AXIWRAM), with permissions RW-. This is used during ARM11 kernel startup for loading the FIRM-modules from the FIRM section located in DSP-mem, this never seems to be used after that, however. This is never unmapped either.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| <br />
| <br />
|-<br />
| memchunkhax2.1<br />
| Nintendo's fix for memchunkhax2 in [[10.4.0-29|10.4.0-X]] did not fix the GPU case: one may cause the requisite ToCToU race using gspwn, bypassing the new validation.<br />
derrek's original 32c3 presentation for memchunkhax2 commented that a GPU-based attack was possible, but would be difficult. However, memchunkhax2.1 showed that it was possible to do fairly reliably.<br />
| ARM11 kernel code execution<br />
| None<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek, aliaspider<br />
|-<br />
| memchunkhax2<br />
| <br />
| ARM11 kernel code execution<br />
| [[10.4.0-29|10.4.0-X]] (partially)<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek<br />
|-<br />
| heaphax<br />
| Can change the size of free memchunk structures stored in FCRAM using DMA, which leads to the ability to allocate memory chunks over already-allocated memory. This can be used in the SYSTEM region to allocate RW memory over any part of the NS system module, which is enough to take it over.<br />
| Code execution with access to all of NS's privileges. (including downgrading) Code execution within any applet.<br />
| [[11.0.0-33|11.0.0-X]], via the new [[Memory_Management#MemoryBlockHeader|memchunkhdr]] MAC which prevents modifying memchunkhdr data with DMA.<br />
| [[11.0.0-33|11.0.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| snshax<br />
| Can force creation of Safe NS process into gspwn-able memory, allowing for takeover.<br />
| Code execution with access to all of NS's privileges. (including downgrading)<br />
| [[10.1.0-27|10.1.0-X]]<br />
| [[10.1.0-27|10.1.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| AffinityMask/processorid validation<br />
| With [[10.0.0-27|10.0.0-X]] the following functions were updated: svcGetThreadAffinityMask, svcGetProcessAffinityMask, svcSetProcessAffinityMask, and svcCreateThread. The code changes for all but svcCreateThread are identical.<br />
The original code with the first 3 did the following: <br />
* if(u32_processorcount > ~0x80000001)return 0xe0e01bfd;<br />
* if(s32_processorcount > <total_cores>)return 0xd8e007fd;<br />
The following code replaced the above:<br />
* if(u32_processorcount >= <total_cores+1>)return 0xd8e007fd;<br />
In theory the latter should catch everything that the former did, so it's unknown if this was really a security issue.<br />
<br />
The svcCreateThread changes with [[10.0.0-27|10.0.0-X]] definitely did fix a security issue.<br />
* Original code: "if(s32_processorid > <total_cores>)return 0xd8e007fd;"<br />
* New code: "if(s32_processorid >= <total_cores> || s32_processorid <= -4)return 0xd8e007fd;"<br />
This fixed an off-by-one issue: if one would use processorid=total_cores, which isn't actually a valid value, svcCreateThread would accept that value on <[[10.0.0-27|10.0.0-X]]. This results in data being written out-of-bounds(baseaddr = arrayaddr + entrysize*processorid), which has the following result:<br />
* Old3DS: Useless kernel-mode crash due to accessing unmapped memory.<br />
* New3DS: uncontrolled data write into a kernel-mode L1 MMU-table. This isn't really useful: the data can't be controlled, and the data which gets overwritten is all-zero anyway(this isn't anywhere near MMU L1 entries for actually mapped memory).<br />
The previous version also allowed large negative s32_processorid values(negative processorid values are special values not actual procids), but it appears using values like that won't actually do anything(meaning no crash) besides the thread not running / thread not running for a while(besides triggering a kernelpanic with certain s32_processorid value(s)).<br />
| Nothing useful<br />
| [[10.0.0-27|10.0.0-X]]<br />
| [[10.0.0-27|10.0.0-X]]<br />
| svcCreateThread issue: May 31, 2015. The rest: September 8, 2015, via v9.6->v10.0 ARM11-kernel code-diff.<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| memchunkhax<br />
| The kernel originally did not validate the data stored in the FCRAM kernel heap [[Memchunkhdr|memchunk-headers]] for free-memory at all. Exploiting this requires raw R/W access to these memchunk-headers, like physical-memory access with gspwn.<br />
<br />
There are ''multiple'' ways to exploit this, but the end-result for most of these is the same: overwrite code in AXIWRAM via the 0xEFF00000/0xDFF00000 kernel virtual-memory mapping.<br />
<br />
This was fixed in [[9.3.0-21|9.3.0-X]] by checking that the memchunk(including size, next, and prev ptrs) is located within the currently used heap memory. The kernel may also check that the next/prev ptrs are valid compared to other memchunk-headers basically. When any of these checks fail, kernelpanic() is called.<br />
| When combined with other flaws: ARM11-kernelmode code execution<br />
| [[9.3.0-21|9.3.0-21]]<br />
| <br />
| February 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Multiple [[KLinkedListNode|KLinkedListNode]] SlabHeap use after free bugs<br />
| The ARM11-kernel did access the 'key' field of [[KLinkedListNode|KLinkedListNode]] objects, which are located on the SlabHeap, after freeing them. Thus, triggering an allocation of a new [[KLinkedListNode|KLinkedListNode]] object at the right time could result in a type-confusion. Pseudo-code:<br />
SlabHeap_free(KLinkedListNode);<br />
KObject *obj = KLinkedListNode->key; // the object there might have changed!<br />
This bug appeared all over the place.<br />
| ARM11-kernelmode code exec maybe<br />
| [[8.0.0-18|8.0.0-18]]<br />
| <br />
| April 2015<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with [[6.0.0-11|6.0.0]] PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered.<br />
| <br />
| [[6.0.0-11|6.0.0-11]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcStartInterProcessDma]]<br />
| For svcStartInterProcessDma, the kernel code had the following flaws:<br />
<br />
* Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction.<br />
<br />
* Integer overflows for srcaddr+size and dstaddr+size are now checked(with [[6.0.0-11]]), which were not checked before.<br />
<br />
* The kernel now also checks whether the srcaddr/dstaddr (+size) is within userland memory (0x20000000), the kernel now (with [[6.0.0-11]]) returns an error when the address is beyond userland memory. Using an address >=0x20000000 would result in the kernel reading from the process L1 MMU table, beyond the memory allocated for that MMU table(for vaddr->physaddr conversion). <br />
| <br />
| [[6.0.0-11]]<br />
| <br />
| DmaConfig issue: unknown. The rest: 2014<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] independently<br />
|-<br />
| [[SVC|svcControlMemory]] Parameter checks<br />
| For svcControlMemory the parameter check had these two flaws:<br />
<br />
* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. However, the kernel doesn't actually use the input address for LINEAR memory-mapping at all besides the range-checks, so this isn't actually useful. This was fixed in the kernel by just checking for the LINEAR bit, instead of comparing the entire MemoryOperation value with 0x10003.<br />
<br />
* Integer overflows on (addr0+size) are now checked that previously weren't (this also applies to most other address checks elsewhere in the kernel).<br />
<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
|<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] request/response buffer overflow<br />
| Originally the kernel did not check the word-values from the command-header. Starting with [[5.0.0-11]], the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words (0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread. However, since the data written there would be translate parameters (such as header-words + buffer addresses), exploiting this would likely be very difficult, if possible at all.<br />
<br />
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|SVC stack allocation overflows]]<br />
| <br />
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun. <br />
* The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow.<br />
<br />
This might allow for ARM11 kernel code-execution.<br />
<br />
(Applies to svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN.)<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] complementary<br />
|-<br />
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions<br />
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.<br />
| <br />
| [[4.1.0-8]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions<br />
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== [[FIRM]] Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[Services|"srv:pm"]] process registration<br />
| Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.<br />
<br />
This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it. With [[7.0.0-13]] there can only be one session for "srv:pm" open at a time(this is used by pm module), svcBreak will be executed if more sessions are opened by the processes which can access this.<br />
<br />
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).<br />
| Access to arbitrary services<br />
| [[7.0.0-13]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| FSDIR null-deref<br />
| [[Filesystem_services|FS]]-module may crash in some cases when handling directory reading. The trigger seems to be due to using [[FSDir:Close]] without closing the dir-handle afterwards?(Perhaps this is caused by out-of-memory?) This seems to be useless since it's just a null-deref.<br />
| <br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| May 19(?)-20, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Standalone Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in system-module system-version<br />
! Last system-module system-version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Timeframe this was added to wiki<br />
! Discovered by<br />
|-<br />
| [[MVD_Services|MVD]]: Stack buffer overflow with [[MVDSTD:SetupOutputBuffers]].<br />
| The input total_entries is not validated when initially processing the input entry-list. This fixed-size input entry-list is copied to stack from the command request. The loop for processing this initializes a global table, the converted linearmem->physaddrs used there are also copied to stack(0x8-bytes of physaddrs per entry).<br />
<br />
If total_entries is too large, MVD-sysmodule will crash due to reading unmapped memory following the stack(0x10000000). Afterwards if the out-of-bounds total_entries is smaller than that, it will crash due accessing address 0x0, hence this useless.<br />
| MVD-sysmodule crash.<br />
| None<br />
| [[9.0.0-20]]<br />
| April 22, 2016 (Tested on the 25th)<br />
| April 25, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process.<br />
| See the HTTP-sysmodule section below.<br />
<br />
CTRSDK heap is used with the sharedmem from [[NWMUDS:InitializeWithVersion]]. Buffers are allocated/freed under this heap using [[NWMUDS:Bind]] and [[NWMUDS:Unbind]].<br />
<br />
Hence, overwriting sharedmem with gspwn then using [[NWMUDS:Unbind]] results in the usual controlled CTRSDK memchunk-header write, similar to HTTP-sysmodule.<br />
<br />
This could be done by creating an UDS network, without any other nodes on the network.<br />
<br />
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem.<br />
| ROP under NWM-module.<br />
| None<br />
| [[9.0.0-20|9.0.0-X]]<br />
| April 10, 2016<br />
| April 16, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation<br />
| DLP doesn't validate the frame_size when receiving spectator data-frames at all, unlike non-spectator data-frames. The actual spectator data-frame parsing code doesn't use that field either. However, the data-frame checksum calculation code called during checksum verification does use the frame_size for loading the size of the framebuf.<br />
<br />
Hence, using a large frame_size like 0xFFFF will result in the checksum calculation code reading data out-of-bounds. This isn't really useful, you could trigger a remote local-WLAN DLP-sysmodule crash while a 3DS system is scanning for DLP networks(due to accessing unmapped memory), but that's about all(trying to infoleak with this likely isn't useful either).<br />
| DLP-sysmodule crash, handled by dlplay system-application by a "connection interrupted" error eventually then a fatal-error via ErrDisp.<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8, 2016 (Tested on the 10th)<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds output data writing during spectator sysupdate titlelist [[Download_Play|data-frame]] handling<br />
| The total_entries and out_entryindex fields for the titlelist DLP spectator data-frames are not validated. This is parsed during DLP network scanning. Hence, the specified titlelist data can be written out-of-bounds using the specified out_entryindex and total_entries. A crash will occur while reading the input data-frame titlelist if total_entries is larger than 0x27A, due to accessing unmapped memory.<br />
<br />
There's not much non-zero data to overwrite following the output buffer(located in sharedmem), any ptrs are located in sharedmem. Overwriting certain ptr(s) are only known to cause a crash when attempting to use the DLP-client shutdown service-command.<br />
<br />
There's no known way to exploit the above crash, since the linked-list code involves writes zeros(with a controlled start ptr).<br />
| <br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8-9, 2016<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[IR_Services|IR]]: Stack buffer overflow with custom hardware<br />
| Originally IR sysmodule used the read value from the I2C-IR registers TXLVL and RXLVL without validating them at all. See [[10.6.0-31|here]] for the fix. This is the size used for reading the data-recv FIFO, etc. The output buffer for reading is located on the stack.<br />
<br />
This should be exploitable if one could successfully setup the custom hardware for this and if the entire intended sizes actually get read from I2C.<br />
| ROP under IR sysmodule.<br />
| [[10.6.0-31|10.6.0-31]]<br />
| <br />
| February 23, 2016 (Unknown if it was noticed before then)<br />
| February 23, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HTTP_Services|HTTP]]: Using CTRSDK heap with sharedmem from the user-process.<br />
| The data from httpcAddPostDataAscii and other commands is stored under a CTRSDK heap. That heap is the sharedmem specified by the user-process via the HTTPC Initialize command.<br />
Normally this sharedmem isn't accessible to the user-process once the sysmodule maps it, hence using it is supposed to be "safe".<br />
<br />
This isn't the case due to gspwn however. Since CTRSDK heap code is so insecure in general, one can use gspwn to locate the HTTPC sharedmem + read/write it, then trigger a mem-write under the sysmodule. This can then be used to get ROP going under HTTP-sysmodule.<br />
<br />
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].<br />
| ROP under HTTP sysmdule.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])<br />
| Late 2015<br />
| March 22, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NIM_Services|NIM]]: Downloading old title-versions from eShop<br />
| Multiple NIM service commands(such as [[NIMS:StartDownload]]) use a title-version value specified by the user-process, NIM does not validate that this input version matches the latest version available via SOAP. Therefore, when combined with AM(PXI) [[#Process9|title-downgrading]] via deleting the target eShop title with System Settings Data Management(if the title was already installed), this allows downloading+installing any title-version from eShop ''if'' it's still available from CDN.<br />
The easiest way to exploit this is to just patch the eShop system-application code using these NIM commands(ideally the code which loads the title-version).<br />
<br />
Originally this was tested with a debugging-system via modded-FIRM, eventually smea implemented it in HANS for the 32c3 release.<br />
| Downloading old title-versions from eShop<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| October 24, 2015 (Unknown when exactly the first eShop title downgrade was actually tested, maybe November)<br />
| January 7, 2016 (Same day Ironfall v1.0 was removed from CDN via the main-CXI files)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SPI_Services|SPI]] service out-of-bounds write<br />
| cmd1 has out-of-bounds write allowing overwrite of some static variables in .data.<br />
| <br />
| None<br />
| [[9.5.0-22]]<br />
| March 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[NFC_Services|NFC]] module service command buf-overflows<br />
| NFC module copies data with certain commands, from command input buffers to stack without checking the size. These commands include the following, it's unknown if there's more commands with similar issues: "nfc:dev" <0x000C....> and "nfc:s" <0x0037....>.<br />
Since both of these commands are stubbed in the Old3DS NFC module from the very first version(those just return an error), these issues only affect the New3DS NFC module.<br />
<br />
There's no known retail titles which have access to either of these services.<br />
| ROP under NFC module.<br />
| New3DS: None<br />
| New3DS: [[9.5.0-22]]<br />
| December 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[News_Services|NEWSS]] service command notificationID validation failure<br />
| This module does not validate the input notificationID for <nowiki>"news:s"</nowiki> service commands. This is an out-of-bounds array index bug. For example, [[NEWSS:SetNotificationHeader]] could be used to exploit news module: this copies the input data(size is properly checked) to: out = newsdb_savedata+0x10 + (someu32array[notificationID]*0x70).<br />
| ROP under news module.<br />
| None<br />
| [[9.7.0-25|9.7.0-X]]<br />
| December 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWMUDS:DecryptBeaconData]] heap buffer overflow<br />
| input_size = 0x1E * <value the u8 from input_[[NWM_Services|networkstruct]]+0x1D>. Then input_tag0 is copied to a heap buffer. When input_size is larger than 0xFA-bytes, it will then copy input_tag1 to <end_address_of_previous_outbuf>, with size=input_size-0xFA.<br />
<br />
This can be triggered by either using this command directly, or by boadcasting a wifi beacon which triggers it while a 3DS system running the target process is in range, when the process is scanning for hosts to connect to. Processes will only pass tag data to this command when the wlancommID and other thing(s) match the values for the process.<br />
<br />
There's no known way to actually exploit this for getting ROP under NWM-module, at the time of originally adding this to the wiki. This is because the data which gets copied out-of-bounds *and* actually causes crash(es), can't be controlled it seems(with just broadcasting a beacon at least). It's unknown whether this could be exploited from just using NWMUDS service-cmd(s) directly.<br />
| Without any actual way to exploit this: NWM-module DoS, resulting in process termination(process crash). This breaks *everything* involving wifi comms, a reboot is required to recover from this.<br />
| None<br />
| [[9.0.0-20]]<br />
| ~September 23, 2014(see the [[NWMUDS:DecryptBeaconData]] page history)<br />
| August 3, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HID_Services|HID]] module shared-mem<br />
| HID module does not validate the index values in [[HID_Shared_Memory|sharedmem]](just changes index to 0 when index == maxval when updating), therefore large values will result in HID module writing HID data to arbitrary addresses.<br />
| ROP under HID module, but this is *very* unlikely to be exploitable since the data written is HID data.<br />
| None<br />
| [[9.3.0-21]]<br />
| 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| gspwn<br />
| GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text([[Home Menu]], [[Internet Browser]], etc) is located beyond the area accessible by the GPU, except for [[RO_Services|CROs]] used by applets([[Internet Browser]] for example).<br />
<br />
FCRAM is gpu-accessible up to physaddr 0x26800000 on Old3DS, and 0x2DC00000 on New3DS. This is BASE_memregion_start(aka SYSTEM_memregion_end)-0x400000 with the default memory-layout on Old3DS/New3DS.<br />
| User-mode code execution.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Early 2014<br />
| <br />
| smea, [[User:Yellows8|Yellows8]]/others before then<br />
|-<br />
| rohax<br />
| Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. Badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D.<br />
<br />
This was fixed after [[ninjhax]] release by adding checks on [[CRO0]]-based pointers before writing to them.<br />
| Memory-mapping syscalls.<br />
| [[9.3.0-21]]<br />
| [[9.4.0-21]]<br />
| <br />
| <br />
| smea, [[User:Plutooo|plutoo]] joint effort<br />
|-<br />
| Region free<br />
| Only [[Home Menu]] itself checks gamecards' region when launching them. Therefore, any application launch that is done directly with [[NS]] without signaling Home Menu to launch the app, will result in region checks being bypassed.<br />
This essentially means launching the gamecard with the [[NS_and_APT_Services|"ns:s"]] service. The main way to exploit this is to trigger a FIRM launch with an application specified, either with a normal FIRM launch or a hardware [[NSS:RebootSystem|reboot]].<br />
| Launching gamecards from any region + bypassing Home Menu gamecard-sysupdate installation<br />
| None<br />
| Last tested with [[10.1.0-27|10.1.0-X]].<br />
| June(?) 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]] service-cmd state null-ptr deref<br />
| The NWMUDS service command code loads a ptr from .data, adds an offset to that, then passes that as the state address for the actual command-handler function. The value of the ptr loaded from .data is not checked, therefore this will cause crashes due to that being 0x0 when NWMUDS was not properly initialized.<br />
It's unknown whether any NWM services besides NWMUDS have this issue.<br />
| This is rather useless since it's only a crash caused by a state ptr based at 0x0.<br />
| None<br />
| [[9.0.0-20]]<br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== General/CTRSDK ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in version<br />
! Last version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[NWM_Services|UDS]] beacon additional-data buffer overflow<br />
| Originally CTRSDK did not validate the UDS additional-data size before using that size to copy the additional-data to a [[NWM_Services|networkstruct]]. This was eventually fixed.<br />
This was discovered while doing code RE with an old dlp-module version. It's unknown in what specific CTRSDK version this was fixed, or even what system-version updated titles with a fixed version.<br />
<br />
It's unknown if there's any titles using a vulnerable CTRSDK version which are also exploitable with this(dlp module can't be exploited with this).<br />
<br />
The maximum number of bytes that can be written beyond the end of the outbuf is 0x37-bytes, with additionaldata_size=0xFF.<br />
| Perhaps ROP, very difficult if possible with anything at all<br />
| ?<br />
| <br />
| September(?) 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=3DS_System_Flaws&diff=183023DS System Flaws2016-09-27T05:30:45Z<p>Dark samus: /* arm9loader */</p>
<hr />
<div>Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of publicly known system flaws, for userland applications/applets flaws see [[3DS_Userland_Flaws|here]].<br />
<br />
=Stale / Rejected Efforts=<br />
* Neimod has been working on a RAM dumping setup for a little while now. He's de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS' PCB up to a custom RAM dumping setup. A while ago he published photos showing his setup to be working quite well, with the 3DS successfully booting up. However, his flickr stream is now private along with most of his work.<br />
<br />
* Someone (who will remain unnamed) has released CFW and CIA installers, all of which is copied from the work of others, or copyrighted material.<br />
<br />
==Tips and info==<br />
The 3DS uses the XN feature of the ARM11 processor. There's no official way from applications to enable executable permission for memory containing arbitrary unsigned code(there's a [[SVC]] for this, but only [[RO_Services|RO-module]] has access to it). An usable userland exploit would still be useful: you could only do return-oriented-programming with it initially. From ROP one could then exploit system flaw(s), see below.<br />
<br />
SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped(accessing SD data is far easier by running code on the target 3DS however).<br />
<br />
=System flaws=<br />
== Hardware ==<br />
{| class="wikitable" border="1"<br />
! Summary<br />
! Description<br />
! Fixed with hardware model/revision<br />
! Newest hardware model/revision this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| ARM9/ARM11 bootrom vectors point at unitialized RAM<br />
| ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM. <br />
Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc.<br />
The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.<br />
<br />
This requires *very* *precise* timing for triggering the hardware fault: it's unknown if anyone actually exploited this successfully at the time of writing(the one who attempted+discovered it *originally* as listed in this wiki section hasn't).<br />
| None: all available 3DS models at the time of writing have the exact same ARM9/ARM11 bootrom for the unprotected areas.<br />
| New3DS<br />
| End of February 2014<br />
| [[User:Derrek|derrek]], WulfyStylez (May 2015) independently<br />
|-<br />
| Missing AES key clearing<br />
| The hardware AES engine does not clear keys when doing a hard reset/reboot.<br />
| None<br />
| New3DS<br />
| August 2014<br />
| Mathieulh/Others<br />
|-<br />
| No RAM clearing on reboots<br />
| On an MCU-triggered reboot all RAM including FCRAM/ARM9 memory/AXIWRAM/VRAM keeps its contents.<br />
| None<br />
| New3DS<br />
| March 2014<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| 32bits of actual console-unique TWLNAND keydata<br />
| On retail the 8-bytes at ARM9 address [[Memory_layout|0x01FFB808]] are XORed with hard-coded data, to generate the TWL console-unique keys, including TWLNAND. On Old3DS the high u32 is always 0x0, while on New3DS that u32 is always 0x2. On top of this, the lower u32's highest bit is always ORed. only 31 bits of the TWL console-unique keydata / TWL consoleID are actually console-unique.<br />
This allows one to easily bruteforce the TWL console-unique keydata with *just* data from TWLNAND. On DSi the actual console-unique data for key generation is 8-bytes(all bytes actually set).<br />
| None<br />
| New3DS<br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| DSi / 3DS-TWL key-generator<br />
| After using the key generator to generate the normal-key, you could overwrite parts of the normal-key with your own data and then recover the key-generator output by comparing the new crypto output with the original crypto output. From the normal-key outputs, you could deduce the TWL key-generator function.<br />
This applies to the keyX/keyY too.<br />
<br />
This attack does not work for the 3DS key-generator because keyslots 0-3 are only for TWL keys.<br />
| None<br />
| New3DS<br />
| 2011<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| 3DS key-generator<br />
| The algorithm for generating the normal-keys for keyslots is cryptographically weak. As a result, it is easily susceptible to differential cryptanalysis if the normal-key corresponding to any scrambler-generated keyslot is discovered.<br />
<br />
Several such pairs of matching normal-keys and KeyY values were found, leading to deducing the key-generator function.<br />
| None<br />
| New3DS<br />
| February 2015<br />
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]<br />
|-<br />
| FIRM partitions known-plaintext<br />
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.<br />
<br />
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).<br />
<br />
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.<br />
| None<br />
| New3DS<br />
| <br />
| Everyone<br />
|}<br />
<br />
== ARM9 software ==<br />
=== arm9loader ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Rearrangable keys in the NAND keystore<br />
| Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way. Combining this with the arm9loaderhax and uncleared hash keydata vulnerabilities, one can achieve arm9loaderhax without downgrading to a system version that exposes the OTP data, or using a hardware method. The NAND keystore must be encrypted with console-unique data; therefore, this is not achievable on Old 3DS or 2DS.<br />
| arm9loaderhax achieveable with no extra hardware and without downgrading to a system version which exposes the OTP.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Early 2016<br />
| 27 Sepetember 2016<br />
| [[User:Dark samus|dark_samus]]<br />
|-<br />
| Uncleared OTP hash keydata in console-unique 0x11 key-generation<br />
| Kernel9Loader does not clear the [[SHA_Registers#SHA_HASH|SHA_HASH register]] after use. As a result, the data stored here as K9L hands over to Kernel9 is the hash of [[OTP_Registers|OTP data]] used to seed the [[FIRM#New_3DS_FIRM|console-unique NAND keystore decryption key]] set on keyslot 0x11.<br />
<br />
Retrieving this keydata and the [[Flash_Filesystem#0x12C00|NAND keystore]] of the same device allows calculating the decrypted New3DS NAND keystore (non-unique, common to all New3DS units), which contains AES normal keys, also set on keyslot 0x11, which are then used to derive all current [[AES_Registers#Keyslots|New3DS-only AES keyXs]] including the newer batch introduced in [[9.6.0-24#arm9loader|9.6.0-X]]. From there, it is trivial to perform the same key derivation in order to initialize those keys on any system version, and even on Old3DS.<br />
<br />
This can be performed by exploiting the "arm9loaderhax" vulnerability to obtain post-K9L code execution after an MCU reboot (the bootrom section-loading fail is not relevant here, this attack was performed without OTP data by brute-forcing keys), and using this to dump the SHA_HASH register. This attack works on any FIRM version shipping a vulnerable version of K9L, whereas OTP dumping required a boot of <[[3.0.0-6|3.0.0-X]].<br />
<br />
This attack results in obtaining the entire (0x200-bytes) NAND keystore - it was confirmed at a later date that this keystore is encrypted with the same key (by comparing the decrypted data from multiple units), and therefore using another key in this store will not remedy the issue as all keys are known (i.e. later, unused keys decrypt to the same 0x200-bytes constant with the same OTP hash). Later keys could have been encrypted differently but this is not the case. As a result of this, it is not possible for Nintendo to use K9L again in its current format for its intended purpose, though this was not news from the moment people dumped a New3DS OTP.<br />
| Derivation of all New3DS keys generated via the NAND keystore (0x1B "Secure4" etc.)<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| ~April 2015, implemented in May 2015<br />
| 13 January 2016<br />
| [[User:WulfyStylez|WulfyStylez]], [[User:Dazzozo|Dazzozo]], [[User:Shinyquagsire23|shinyquagsire23]] (complimentary + implemented), [[User:Plutooo|plutoo]], Normmatt (discovered independently)<br />
|-<br />
| enhanced-arm9loaderhax<br />
| See the 32c3 3ds talk.<br />
Since this is a combination of a trick with the arm9-bootrom + arm9loaderhax, and since you have to manually write FIRM to the firm0/firm1 NAND partitions, this can't be completely fixed. Any system with existing ARM9 code execution and an OTP/OTP hash dump can exploit this. Additionally, by using the FIRM partition known-plaintext bug and bruteforcing the second entry in the keystore, this can currently be exploited on all New3DS systems without any other prerequisite hacks.<br />
| arm9loaderhax which automatically occurs at hard-boot.<br />
| See arm9loaderhax / description.<br />
| See arm9loaderhax / description.<br />
| Theorized around mid July, 2015. Later implemented+tested by [[User:Plutooo|plutoo]] and derrek.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Missing verification-block for the 9.6 keys (arm9loaderhax)<br />
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, no verification block was added to verify that the new key read from NAND is correct. This was technically an issue from [[9.5.0-22|9.5.0-X]] with the original sector+0 keydata, however the below is only possible with [[9.6.0-24|9.6.0-X]] since keyslots 0x15 and 0x16 are generated from different 0x11 keyXs.<br />
<br />
Writing an incorrect key to NAND will cause arm9loader to decrypt the ARM9 kernel as garbage and then jump to it.<br />
<br />
This allows an hardware-based attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process with various input keydata, eventually you'll find some garbage that jumps to your code.<br />
<br />
This gives very early ARM9 code execution (pre-ARM9 kernel). As such, it is possible to dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init. <br />
<br />
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.<br />
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March, 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Uncleared New3DS keyslot 0x11<br />
| Originally the New3DS [[FIRM]] arm9bin loader only cleared keyslot 0x11 when it gets executed at firmlaunch. This was fixed with [[9.5.0-22|9.5.0-X]] by completely clearing keyslot 0x11 immediately after the loader finishes using keyslot 0x11.<br />
This means that any ARM9 code that can execute before the loader clears the keyslot at firmlaunch(including firmlaunch-hax) can get access to the uncleared keyslot 0x11, which then allows one to generate all <=v9.5 New3DS keyXs which are generated by keyslot 0x11.<br />
<br />
Therefore, to completely fix this the loader would have to generate more keys using different keyslot 0x11 keydata. This was done with [[9.6.0-24|9.6.0-X]].<br />
| New3DS keyXs generation<br />
| Mostly fixed with [[9.5.0-22|9.5.0-X]], completely fixed with new keys with [[9.6.0-24|9.6.0-X]].<br />
| <br />
| February 3, 2015 (one day after [[9.5.0-22|9.5.0-X]] release)<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Process9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Public disclosure timeframe<br />
! Discovered by<br />
|-<br />
| Leak of normal-key matching a key-scrambler key<br />
| New 3DS firmware versions [[8.1.0-0 New3DS|8.1.0]] through [[9.2.0-20|9.2.0]] set the encryption key for [[Amiibo]] data using a hardcoded normal-key in Process9. In firmware [[9.3.0-21|9.3.0]], Nintendo "fixed" this by using the key scrambler instead, by calculating the keyY value for keyslot 0x39 that results in the same normal-key, then hardcoding that keyY into Process9.<br />
<br />
Nintendo's fix is actually the problem: Nintendo revealed the normal-key matching an unknown keyX and a known keyY. Combined with the key scrambler using an insecure scrambling algorithm (see "Hardware" above), the key scrambler function could be deduced.<br />
| Deducing the keyX for keyslot 0x39 and the key scrambler algorithm<br />
| New 3DS [[9.3.0-21|9.3.0-X]], sort of<br />
| [[10.0.0-27|10.0.0-X]]<br />
| Sometime in 2015 after the hardware key-generator was broken.<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Leak of normal-key matching a key-generator key<br />
| During the 3DS' development (June/July 2010) Nintendo added support installing encrypted content ([[CIA]]). Common-key index1 was intended to be a [[AES|hardware generated key]]. However while they added code to generate the key in hardware, they forgot to remove the normal-key for index1 (used elsewhere, likely old debug code). Nintendo later removed the normal key sometime before the first non-prototype firmware release.<br />
<br />
<br />
Knowing the keyY and the normal-key for common-key index1, the devkit key-generator algorithm can be deduced (see "Hardware" above). Additionally the remaining devkit common-keys can be generated once the common-key keyX is recovered.<br />
<br />
Note the devkit key-generator was discovered to be the same as the retail key-generator.<br />
| Deducing the keyX for keyslot 0x3D and hardware key-generator algorithm. Generate remaining devkit common-keys.<br />
| pre-[[1.0.0-0|1.0.0-X]]<br />
| <br />
| Shortly after the key-generator was revealed to be flawed at the 32c3 3ds talk<br />
| January 20, 2016<br />
| [[User:Jakcron|jakcron]]<br />
|-<br />
| ntrcardhax<br />
| <br />
| ARM9 code execution<br />
| 10.4.0-29<br />
| <br />
| March 2015<br />
| 32c3 3ds talk (December 27, 2015)<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| Title downgrading via [[Application_Manager_Services|AM]]([[Application_Manager_Services_PXI|PXI]])<br />
| When a title is *already* installed, Process9 will compare the installed title-version with the title-version being installed. When the one being installed is older, Process9 would return an error.<br />
<br />
However, this can be bypassed by just deleting the title first via the service command(s) for that: with the title removed from the [[Title_Database]], Process9 can't compare the input title-version with anything. Hence, titles can be downgraded this way.<br />
<br />
[[11.0.0-33|11.0.0-X]] fixed this for key system titles (MSET, Home Menu, spider, ErrDisp, SKATER, NATIVE_FIRM, and every retail system module), by checking the version of the title to install against a hard-coded list of (titleID, minimumVersionRequired) pairs.<br />
| Bypassing title version check at installation, which then allows downgrading any title.<br />
| [[11.0.0-33|11.0.0-X]], for key system titles.<br />
| NATIVE_FIRM / AM-sysmodule [[11.0.0-33|11.0.0-X]]<br />
| ?<br />
| <br />
| ?<br />
|-<br />
| FAT FS code null-deref<br />
| When FSFile:Read is used with a file which is corrupted on a FAT filesystem(in particular SD), Process9 can crash. This particular crash is caused by a function returning NULL instead of an actual ptr due to an error. The caller of that function doesn't check for NULL which then triggers a read based at NULL.<br />
<br />
Sample "fsck.vfat -n -v -V <fat image backup>" output for the above crash:<br />
<br />
<pre>...<br />
Starting check/repair pass.<br />
<FilePath0> and<br />
<FilePath1><br />
share clusters.<br />
Truncating second to 3375104 bytes.<br />
<FilePath1><br />
File size is 2787392 bytes, cluster chain length is 16384 bytes.<br />
Truncating file to 16384 bytes.<br />
Checking for unused clusters.<br />
Reclaimed 1 unused cluster (16384 bytes).<br />
Checking free cluster summary.<br />
Free cluster summary wrong (1404490 vs. really 1404491)<br />
Auto-correcting.<br />
Starting verification pass.<br />
Checking for unused clusters.<br />
Leaving filesystem unchanged.</pre><br />
| Useless null-based-read<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| July 8-9, 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| RSA signature padding checks<br />
| The TWL_FIRM RSA sig padding check code used for all TWL RSA sig-checks has issues, see [[FIRM|here]].<br />
The main 3DS RSA padding check code(non-certificate, including NATIVE_FIRM) uses the function used with the above to extract more padding + the actual hash from the additional padding. This isn't really a problem here because there's proper padding check code which is executed prior to this.<br />
| <br />
| None<br />
| [[9.5.0-22|9.5.0-X]]<br />
| March 2015<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ValidateDSiWareSectionMAC]] [[AES_Registers|AES]] keyslot reuse<br />
| When the input DSiWare section index is higher than <max number of DSiWare sections supported by this FIRM>, Process9 uses keyid 0x40 for calculating the AESMAC, which translates to keyslot 0x40. The result is that the keyslot is left at whatever was already selected before, since the AES selectkeyslot code will immediately return when keyslot is >=0x40. However, actually exploiting this is difficult: the calculated AESMAC is never returned, this command just compares the calculated AESMAC with the input AESMAC(result-code depends on whether the AESMACs match). It's unknown whether a timing attack would work with this.<br />
This is basically a different form of the pxips9 keyslot vuln, except with AESMAC etc.<br />
| See description.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| March 15, 2015<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| pxips9 [[AES_Registers|AES]] keyslot reuse<br />
| This requires access to the [[Process_Services|ps:ps]]/pxi:ps9 services. One way to get access to this would be snshax on system-version <=10.1.0-X(see 32c3 3ds talk).<br />
When an invalid key-type value is passed to any of the PS commands, Process9 will try to select keyslot 0x40. That aesengine_setkeyslot() code will then immediately return due to the invalid keyslot value. Since that function doesn't return any errors, Process9 will just continue to do crypto with whatever AES keyslot was selected before the PS command was sent.<br />
| Reusing the previously used keyslot, for crypto with PS.<br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| Roughly the same time(same day?) as firmlaunch-hax.<br />
| December 29, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| firmlaunch-hax: FIRM header ToCToU<br />
| This can't be exploited from ARM11 userland.<br />
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.<br />
With [[9.5.0-22]] the address of this FIRM header was changed from a FCRAM address, to ARM9-only address 0x01fffc00.<br />
| ARM9 code execution<br />
| [[9.5.0-22]]<br />
| <br />
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Uninitialized data output for (PXI) command replies<br />
| PXI commands for various services(including some [[Filesystem_services_PXI|here]] and many others) can write uninitialized data (like from ARM registers) to the command reply. This happens with stubbed commands, but this can also occur with certain commands when returning an error.<br />
Certain ARM11 service commands have this same issue as well.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| ?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Filesystem_services_PXI|FSPXI]] OpenArchive SD permissions<br />
| Process9 does not use the exheader ARM9 access-mount permission flag for SD at all.<br />
This would mean ARM11-kernelmode code / fs-module itself could directly use FSPXI to access SD card without ARM9 checking for SD access, but this is rather useless since a process is usually running with SD access(Home Menu for example) anyway.<br />
| <br />
| None<br />
| [[9.3.0-21|9.3.0-X]]<br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[AMPXI:ExportDSiWare]] export path<br />
| Process9 allocates memory on Process9 heap for the export path then verifies that the actual allocated size matches the input size. Then Process9 copies the input path from FCRAM to this buffer, and uses it with the Process9 FS openfile code, which use paths in the form of "<mountpoint>:/<path>".<br />
Process9 does not check the contents of this path at all before passing it to the FS code, besides writing a NUL-terminator to the end of the buffer.<br />
| Exporting of DSiWare to arbitrary Process9 file-paths, such as "nand:/<path>" etc. This isn't really useful since the data which gets written can't be controlled.<br />
| None<br />
| [[9.5.0-22]]<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DSiWare_Exports]] [[CTCert]] verification<br />
| Just like DSi originally did, 3DS verifies the APCert for DSiWare on SD with the CTCert also in the DSiWare .bin. On DSi this was fixed with with system-version 1.4.2 by verifying with the actual console-unique cert instead(stored in NAND), while on 3DS it's still not(?) fixed.<br />
On 3DS however this is rather useless, due to the entire DSiWare .bin being encrypted with the console-unique movable.sed keyY.<br />
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.<br />
| Unknown, probably none.<br />
| ?<br />
| April 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size<br />
| The u8 REG_CTRCARDCNT transfer-size parameter for the [[Gamecard_Services_PXI]] read/write CTRCARD commands is used as an index for an array of u16 values. Before [[5.0.0-11|5.0.0-X]] this u8 value wasn't checked, thus out-of-bounds reads could be triggered(which is rather useless in this case).<br />
| Out-of-bounds read for a value which gets written to a register.<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] cmdbuf buffer overrun<br />
| The Process9 code responsible [[PXI_Registers|PXI]] communications didn't verify the size of the incoming command before writing it to a C++ member variable. <br />
| Probably ARM9 code execution<br />
| [[5.0.0-11|5.0.0-11]]<br />
| <br />
| March 2015, original timeframe if any unknown<br />
| <br />
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)<br />
|-<br />
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])<br />
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| May 2013<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[Process_Services_PXI|PS RSA]] commands buffer overflows<br />
| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.<br />
The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].<br />
| ARM9 code execution<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| 2012<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[PXI_Registers|PXI]] pxi_id bad check<br />
| The Process9 code responsible for [[PXI_Registers|PXI]] communications read pxi_id as a signed char. There were two flaws:<br />
* They used it as index to a lookup-table without checking the value at all.<br />
* Another function verified that pxi_id < 7, allowing negative values to pass the check. This would also cause an out-of-range table-lookup.<br />
| Maybe ARM9 code execution<br />
| [[3.0.0-5|3.0.0-5]]<br />
|<br />
| March 2015, originally 2012 for the first issue at least<br />
| <br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]], maybe others(?)<br />
|}<br />
<br />
=== Kernel9 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9<br />
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.<br />
<br />
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).<br />
<br />
This flaw resurged when it gained a new practical use: retrieving the OTP data for a New3DS console in order to decrypt the key data used in arm9loader (see enhanced-arm9loaderhax / description). This was performed by downgrading to a vulnerable system version. By accounting for differences in CTR-NAND crypto (0x05 -> 0x04, see partition encryption types [[Flash_Filesystem#NAND_structure|here]]), it is possible to boot a New3DS using Old3DS firmware 1.0-2.X and an Old3DS [[NCSD#NCSD_header|NCSD Header]] to retrieve the required OTP data using this flaw.<br />
| Dumping of the [[OTP Registers|OTP]] area<br />
| [[3.0.0-5|3.0.0-X]]<br />
|<br />
| February 2015<br />
| [[User:Plutooo|plutoo]], Normmatt independently<br />
|}<br />
<br />
== ARM11 software ==<br />
=== Kernel11 ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[SVC]] table too small<br />
| The table of function pointers for SVC's only contains entries up to 0x7D, but the biggest allowed SVC for the table is 0x7F. Thus, executing SVC7E or SVC7F would make the SVC-handler read after the buffer, and interpret some ARM instructions as function pointers.<br />
<br />
However, this would require patching the kernel .text or modifying SVC-access-control. Even if you could get these to execute, they would still jump to memory that isn't mapped as executable.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| 2012<br />
| Everyone<br />
|-<br />
| [[SVC|svcBackdoor (0x7B)]]<br />
| This backdoor allows executing SVC-mode code at the user-specified code-address. This is used by Process9, using this on the ARM11 (with NATIVE_FIRM) required patching the kernel .text or modifying SVC-access-control.<br />
| See description<br />
| [[11.0.0-33|11.0.0-X]] (deleted)<br />
| <br />
|<br />
| Everyone<br />
|-<br />
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory<br />
| The ARM11 kernel-mode 0xEFF00000/0xDFF00000 virtual-memory(size 0x100000) is mapped to phys-mem 0x1FF00000(entire DSP-mem + entire AXIWRAM), with permissions RW-. This is used during ARM11 kernel startup for loading the FIRM-modules from the FIRM section located in DSP-mem, this never seems to be used after that, however. This is never unmapped either.<br />
| <br />
| None<br />
| [[11.1.0-34|11.1.0-X]]<br />
| <br />
| <br />
|-<br />
| memchunkhax2.1<br />
| Nintendo's fix for memchunkhax2 in [[10.4.0-29|10.4.0-X]] did not fix the GPU case: one may cause the requisite ToCToU race using gspwn, bypassing the new validation.<br />
derrek's original 32c3 presentation for memchunkhax2 commented that a GPU-based attack was possible, but would be difficult. However, memchunkhax2.1 showed that it was possible to do fairly reliably.<br />
| ARM11 kernel code execution<br />
| None<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek, aliaspider<br />
|-<br />
| memchunkhax2<br />
| <br />
| ARM11 kernel code execution<br />
| [[10.4.0-29|10.4.0-X]] (partially)<br />
| [[10.4.0-29|10.4.0-X]]<br />
|<br />
| derrek<br />
|-<br />
| heaphax<br />
| Can change the size of free memchunk structures stored in FCRAM using DMA, which leads to the ability to allocate memory chunks over already-allocated memory. This can be used in the SYSTEM region to allocate RW memory over any part of the NS system module, which is enough to take it over.<br />
| Code execution with access to all of NS's privileges. (including downgrading) Code execution within any applet.<br />
| [[11.0.0-33|11.0.0-X]], via the new [[Memory_Management#MemoryBlockHeader|memchunkhdr]] MAC which prevents modifying memchunkhdr data with DMA.<br />
| [[11.0.0-33|11.0.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| snshax<br />
| Can force creation of Safe NS process into gspwn-able memory, allowing for takeover.<br />
| Code execution with access to all of NS's privileges. (including downgrading)<br />
| [[10.1.0-27|10.1.0-X]]<br />
| [[10.1.0-27|10.1.0-X]]<br />
| April 2015 ?<br />
| smea<br />
|-<br />
| AffinityMask/processorid validation<br />
| With [[10.0.0-27|10.0.0-X]] the following functions were updated: svcGetThreadAffinityMask, svcGetProcessAffinityMask, svcSetProcessAffinityMask, and svcCreateThread. The code changes for all but svcCreateThread are identical.<br />
The original code with the first 3 did the following: <br />
* if(u32_processorcount > ~0x80000001)return 0xe0e01bfd;<br />
* if(s32_processorcount > <total_cores>)return 0xd8e007fd;<br />
The following code replaced the above:<br />
* if(u32_processorcount >= <total_cores+1>)return 0xd8e007fd;<br />
In theory the latter should catch everything that the former did, so it's unknown if this was really a security issue.<br />
<br />
The svcCreateThread changes with [[10.0.0-27|10.0.0-X]] definitely did fix a security issue.<br />
* Original code: "if(s32_processorid > <total_cores>)return 0xd8e007fd;"<br />
* New code: "if(s32_processorid >= <total_cores> || s32_processorid <= -4)return 0xd8e007fd;"<br />
This fixed an off-by-one issue: if one would use processorid=total_cores, which isn't actually a valid value, svcCreateThread would accept that value on <[[10.0.0-27|10.0.0-X]]. This results in data being written out-of-bounds(baseaddr = arrayaddr + entrysize*processorid), which has the following result:<br />
* Old3DS: Useless kernel-mode crash due to accessing unmapped memory.<br />
* New3DS: uncontrolled data write into a kernel-mode L1 MMU-table. This isn't really useful: the data can't be controlled, and the data which gets overwritten is all-zero anyway(this isn't anywhere near MMU L1 entries for actually mapped memory).<br />
The previous version also allowed large negative s32_processorid values(negative processorid values are special values not actual procids), but it appears using values like that won't actually do anything(meaning no crash) besides the thread not running / thread not running for a while(besides triggering a kernelpanic with certain s32_processorid value(s)).<br />
| Nothing useful<br />
| [[10.0.0-27|10.0.0-X]]<br />
| [[10.0.0-27|10.0.0-X]]<br />
| svcCreateThread issue: May 31, 2015. The rest: September 8, 2015, via v9.6->v10.0 ARM11-kernel code-diff.<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| memchunkhax<br />
| The kernel originally did not validate the data stored in the FCRAM kernel heap [[Memchunkhdr|memchunk-headers]] for free-memory at all. Exploiting this requires raw R/W access to these memchunk-headers, like physical-memory access with gspwn.<br />
<br />
There are ''multiple'' ways to exploit this, but the end-result for most of these is the same: overwrite code in AXIWRAM via the 0xEFF00000/0xDFF00000 kernel virtual-memory mapping.<br />
<br />
This was fixed in [[9.3.0-21|9.3.0-X]] by checking that the memchunk(including size, next, and prev ptrs) is located within the currently used heap memory. The kernel may also check that the next/prev ptrs are valid compared to other memchunk-headers basically. When any of these checks fail, kernelpanic() is called.<br />
| When combined with other flaws: ARM11-kernelmode code execution<br />
| [[9.3.0-21|9.3.0-21]]<br />
| <br />
| February 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Multiple [[KLinkedListNode|KLinkedListNode]] SlabHeap use after free bugs<br />
| The ARM11-kernel did access the 'key' field of [[KLinkedListNode|KLinkedListNode]] objects, which are located on the SlabHeap, after freeing them. Thus, triggering an allocation of a new [[KLinkedListNode|KLinkedListNode]] object at the right time could result in a type-confusion. Pseudo-code:<br />
SlabHeap_free(KLinkedListNode);<br />
KObject *obj = KLinkedListNode->key; // the object there might have changed!<br />
This bug appeared all over the place.<br />
| ARM11-kernelmode code exec maybe<br />
| [[8.0.0-18|8.0.0-18]]<br />
| <br />
| April 2015<br />
| [[User:Derrek|derrek]]<br />
|-<br />
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with [[6.0.0-11|6.0.0]] PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered.<br />
| <br />
| [[6.0.0-11|6.0.0-11]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcStartInterProcessDma]]<br />
| For svcStartInterProcessDma, the kernel code had the following flaws:<br />
<br />
* Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction.<br />
<br />
* Integer overflows for srcaddr+size and dstaddr+size are now checked(with [[6.0.0-11]]), which were not checked before.<br />
<br />
* The kernel now also checks whether the srcaddr/dstaddr (+size) is within userland memory (0x20000000), the kernel now (with [[6.0.0-11]]) returns an error when the address is beyond userland memory. Using an address >=0x20000000 would result in the kernel reading from the process L1 MMU table, beyond the memory allocated for that MMU table(for vaddr->physaddr conversion). <br />
| <br />
| [[6.0.0-11]]<br />
| <br />
| DmaConfig issue: unknown. The rest: 2014<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] independently<br />
|-<br />
| [[SVC|svcControlMemory]] Parameter checks<br />
| For svcControlMemory the parameter check had these two flaws:<br />
<br />
* The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. However, the kernel doesn't actually use the input address for LINEAR memory-mapping at all besides the range-checks, so this isn't actually useful. This was fixed in the kernel by just checking for the LINEAR bit, instead of comparing the entire MemoryOperation value with 0x10003.<br />
<br />
* Integer overflows on (addr0+size) are now checked that previously weren't (this also applies to most other address checks elsewhere in the kernel).<br />
<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
|<br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] request/response buffer overflow<br />
| Originally the kernel did not check the word-values from the command-header. Starting with [[5.0.0-11]], the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words (0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread. However, since the data written there would be translate parameters (such as header-words + buffer addresses), exploiting this would likely be very difficult, if possible at all.<br />
<br />
If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of <nowiki>((size<<14) | 2)</nowiki> to write arbitrary memory to any RW userland memory in the destination process.<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|SVC stack allocation overflows]]<br />
| <br />
* Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun. <br />
* The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow.<br />
<br />
This might allow for ARM11 kernel code-execution.<br />
<br />
(Applies to svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN.)<br />
| <br />
| [[5.0.0-11]]<br />
| <br />
| v4.1 FIRM -> v5.0 code diff<br />
| [[User:Plutooo|plutoo]], [[User:Yellows8|Yellows8]] complementary<br />
|-<br />
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions<br />
| svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.<br />
| <br />
| [[4.1.0-8]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[RPC_Command_Structure|Command]] input/output buffer permissions<br />
| Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with [[4.0.0-7]] the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions<br />
| Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.<br />
| <br />
| [[4.0.0-7]]<br />
| <br />
| 2012?<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== [[FIRM]] Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in [[FIRM]] system version<br />
! Last [[FIRM]] system version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[Services|"srv:pm"]] process registration<br />
| Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.<br />
<br />
This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it. With [[7.0.0-13]] there can only be one session for "srv:pm" open at a time(this is used by pm module), svcBreak will be executed if more sessions are opened by the processes which can access this.<br />
<br />
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).<br />
| Access to arbitrary services<br />
| [[7.0.0-13]]<br />
| <br />
| 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| FSDIR null-deref<br />
| [[Filesystem_services|FS]]-module may crash in some cases when handling directory reading. The trigger seems to be due to using [[FSDir:Close]] without closing the dir-handle afterwards?(Perhaps this is caused by out-of-memory?) This seems to be useless since it's just a null-deref.<br />
| <br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| May 19(?)-20, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== Standalone Sysmodules ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in system-module system-version<br />
! Last system-module system-version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Timeframe this was added to wiki<br />
! Discovered by<br />
|-<br />
| [[MVD_Services|MVD]]: Stack buffer overflow with [[MVDSTD:SetupOutputBuffers]].<br />
| The input total_entries is not validated when initially processing the input entry-list. This fixed-size input entry-list is copied to stack from the command request. The loop for processing this initializes a global table, the converted linearmem->physaddrs used there are also copied to stack(0x8-bytes of physaddrs per entry).<br />
<br />
If total_entries is too large, MVD-sysmodule will crash due to reading unmapped memory following the stack(0x10000000). Afterwards if the out-of-bounds total_entries is smaller than that, it will crash due accessing address 0x0, hence this useless.<br />
| MVD-sysmodule crash.<br />
| None<br />
| [[9.0.0-20]]<br />
| April 22, 2016 (Tested on the 25th)<br />
| April 25, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process.<br />
| See the HTTP-sysmodule section below.<br />
<br />
CTRSDK heap is used with the sharedmem from [[NWMUDS:InitializeWithVersion]]. Buffers are allocated/freed under this heap using [[NWMUDS:Bind]] and [[NWMUDS:Unbind]].<br />
<br />
Hence, overwriting sharedmem with gspwn then using [[NWMUDS:Unbind]] results in the usual controlled CTRSDK memchunk-header write, similar to HTTP-sysmodule.<br />
<br />
This could be done by creating an UDS network, without any other nodes on the network.<br />
<br />
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem.<br />
| ROP under NWM-module.<br />
| None<br />
| [[9.0.0-20|9.0.0-X]]<br />
| April 10, 2016<br />
| April 16, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation<br />
| DLP doesn't validate the frame_size when receiving spectator data-frames at all, unlike non-spectator data-frames. The actual spectator data-frame parsing code doesn't use that field either. However, the data-frame checksum calculation code called during checksum verification does use the frame_size for loading the size of the framebuf.<br />
<br />
Hence, using a large frame_size like 0xFFFF will result in the checksum calculation code reading data out-of-bounds. This isn't really useful, you could trigger a remote local-WLAN DLP-sysmodule crash while a 3DS system is scanning for DLP networks(due to accessing unmapped memory), but that's about all(trying to infoleak with this likely isn't useful either).<br />
| DLP-sysmodule crash, handled by dlplay system-application by a "connection interrupted" error eventually then a fatal-error via ErrDisp.<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8, 2016 (Tested on the 10th)<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[DLP_Services|DLP]]: Out-of-bounds output data writing during spectator sysupdate titlelist [[Download_Play|data-frame]] handling<br />
| The total_entries and out_entryindex fields for the titlelist DLP spectator data-frames are not validated. This is parsed during DLP network scanning. Hence, the specified titlelist data can be written out-of-bounds using the specified out_entryindex and total_entries. A crash will occur while reading the input data-frame titlelist if total_entries is larger than 0x27A, due to accessing unmapped memory.<br />
<br />
There's not much non-zero data to overwrite following the output buffer(located in sharedmem), any ptrs are located in sharedmem. Overwriting certain ptr(s) are only known to cause a crash when attempting to use the DLP-client shutdown service-command.<br />
<br />
There's no known way to exploit the above crash, since the linked-list code involves writes zeros(with a controlled start ptr).<br />
| <br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| April 8-9, 2016<br />
| April 10, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[IR_Services|IR]]: Stack buffer overflow with custom hardware<br />
| Originally IR sysmodule used the read value from the I2C-IR registers TXLVL and RXLVL without validating them at all. See [[10.6.0-31|here]] for the fix. This is the size used for reading the data-recv FIFO, etc. The output buffer for reading is located on the stack.<br />
<br />
This should be exploitable if one could successfully setup the custom hardware for this and if the entire intended sizes actually get read from I2C.<br />
| ROP under IR sysmodule.<br />
| [[10.6.0-31|10.6.0-31]]<br />
| <br />
| February 23, 2016 (Unknown if it was noticed before then)<br />
| February 23, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HTTP_Services|HTTP]]: Using CTRSDK heap with sharedmem from the user-process.<br />
| The data from httpcAddPostDataAscii and other commands is stored under a CTRSDK heap. That heap is the sharedmem specified by the user-process via the HTTPC Initialize command.<br />
Normally this sharedmem isn't accessible to the user-process once the sysmodule maps it, hence using it is supposed to be "safe".<br />
<br />
This isn't the case due to gspwn however. Since CTRSDK heap code is so insecure in general, one can use gspwn to locate the HTTPC sharedmem + read/write it, then trigger a mem-write under the sysmodule. This can then be used to get ROP going under HTTP-sysmodule.<br />
<br />
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].<br />
| ROP under HTTP sysmdule.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])<br />
| Late 2015<br />
| March 22, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NIM_Services|NIM]]: Downloading old title-versions from eShop<br />
| Multiple NIM service commands(such as [[NIMS:StartDownload]]) use a title-version value specified by the user-process, NIM does not validate that this input version matches the latest version available via SOAP. Therefore, when combined with AM(PXI) [[#Process9|title-downgrading]] via deleting the target eShop title with System Settings Data Management(if the title was already installed), this allows downloading+installing any title-version from eShop ''if'' it's still available from CDN.<br />
The easiest way to exploit this is to just patch the eShop system-application code using these NIM commands(ideally the code which loads the title-version).<br />
<br />
Originally this was tested with a debugging-system via modded-FIRM, eventually smea implemented it in HANS for the 32c3 release.<br />
| Downloading old title-versions from eShop<br />
| None<br />
| [[10.0.0-27|10.0.0-X]]<br />
| October 24, 2015 (Unknown when exactly the first eShop title downgrade was actually tested, maybe November)<br />
| January 7, 2016 (Same day Ironfall v1.0 was removed from CDN via the main-CXI files)<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[SPI_Services|SPI]] service out-of-bounds write<br />
| cmd1 has out-of-bounds write allowing overwrite of some static variables in .data.<br />
| <br />
| None<br />
| [[9.5.0-22]]<br />
| March 2015<br />
| <br />
| [[User:Plutooo|plutoo]]<br />
|-<br />
| [[NFC_Services|NFC]] module service command buf-overflows<br />
| NFC module copies data with certain commands, from command input buffers to stack without checking the size. These commands include the following, it's unknown if there's more commands with similar issues: "nfc:dev" <0x000C....> and "nfc:s" <0x0037....>.<br />
Since both of these commands are stubbed in the Old3DS NFC module from the very first version(those just return an error), these issues only affect the New3DS NFC module.<br />
<br />
There's no known retail titles which have access to either of these services.<br />
| ROP under NFC module.<br />
| New3DS: None<br />
| New3DS: [[9.5.0-22]]<br />
| December 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[News_Services|NEWSS]] service command notificationID validation failure<br />
| This module does not validate the input notificationID for <nowiki>"news:s"</nowiki> service commands. This is an out-of-bounds array index bug. For example, [[NEWSS:SetNotificationHeader]] could be used to exploit news module: this copies the input data(size is properly checked) to: out = newsdb_savedata+0x10 + (someu32array[notificationID]*0x70).<br />
| ROP under news module.<br />
| None<br />
| [[9.7.0-25|9.7.0-X]]<br />
| December 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWMUDS:DecryptBeaconData]] heap buffer overflow<br />
| input_size = 0x1E * <value the u8 from input_[[NWM_Services|networkstruct]]+0x1D>. Then input_tag0 is copied to a heap buffer. When input_size is larger than 0xFA-bytes, it will then copy input_tag1 to <end_address_of_previous_outbuf>, with size=input_size-0xFA.<br />
<br />
This can be triggered by either using this command directly, or by boadcasting a wifi beacon which triggers it while a 3DS system running the target process is in range, when the process is scanning for hosts to connect to. Processes will only pass tag data to this command when the wlancommID and other thing(s) match the values for the process.<br />
<br />
There's no known way to actually exploit this for getting ROP under NWM-module, at the time of originally adding this to the wiki. This is because the data which gets copied out-of-bounds *and* actually causes crash(es), can't be controlled it seems(with just broadcasting a beacon at least). It's unknown whether this could be exploited from just using NWMUDS service-cmd(s) directly.<br />
| Without any actual way to exploit this: NWM-module DoS, resulting in process termination(process crash). This breaks *everything* involving wifi comms, a reboot is required to recover from this.<br />
| None<br />
| [[9.0.0-20]]<br />
| ~September 23, 2014(see the [[NWMUDS:DecryptBeaconData]] page history)<br />
| August 3, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[HID_Services|HID]] module shared-mem<br />
| HID module does not validate the index values in [[HID_Shared_Memory|sharedmem]](just changes index to 0 when index == maxval when updating), therefore large values will result in HID module writing HID data to arbitrary addresses.<br />
| ROP under HID module, but this is *very* unlikely to be exploitable since the data written is HID data.<br />
| None<br />
| [[9.3.0-21]]<br />
| 2014?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| gspwn<br />
| GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text([[Home Menu]], [[Internet Browser]], etc) is located beyond the area accessible by the GPU, except for [[RO_Services|CROs]] used by applets([[Internet Browser]] for example).<br />
<br />
FCRAM is gpu-accessible up to physaddr 0x26800000 on Old3DS, and 0x2DC00000 on New3DS. This is BASE_memregion_start(aka SYSTEM_memregion_end)-0x400000 with the default memory-layout on Old3DS/New3DS.<br />
| User-mode code execution.<br />
| None<br />
| [[9.6.0-24|9.6.0-X]]<br />
| Early 2014<br />
| <br />
| smea, [[User:Yellows8|Yellows8]]/others before then<br />
|-<br />
| rohax<br />
| Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. Badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D.<br />
<br />
This was fixed after [[ninjhax]] release by adding checks on [[CRO0]]-based pointers before writing to them.<br />
| Memory-mapping syscalls.<br />
| [[9.3.0-21]]<br />
| [[9.4.0-21]]<br />
| <br />
| <br />
| smea, [[User:Plutooo|plutoo]] joint effort<br />
|-<br />
| Region free<br />
| Only [[Home Menu]] itself checks gamecards' region when launching them. Therefore, any application launch that is done directly with [[NS]] without signaling Home Menu to launch the app, will result in region checks being bypassed.<br />
This essentially means launching the gamecard with the [[NS_and_APT_Services|"ns:s"]] service. The main way to exploit this is to trigger a FIRM launch with an application specified, either with a normal FIRM launch or a hardware [[NSS:RebootSystem|reboot]].<br />
| Launching gamecards from any region + bypassing Home Menu gamecard-sysupdate installation<br />
| None<br />
| Last tested with [[10.1.0-27|10.1.0-X]].<br />
| June(?) 2014<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[NWM_Services|NWM]] service-cmd state null-ptr deref<br />
| The NWMUDS service command code loads a ptr from .data, adds an offset to that, then passes that as the state address for the actual command-handler function. The value of the ptr loaded from .data is not checked, therefore this will cause crashes due to that being 0x0 when NWMUDS was not properly initialized.<br />
It's unknown whether any NWM services besides NWMUDS have this issue.<br />
| This is rather useless since it's only a crash caused by a state ptr based at 0x0.<br />
| None<br />
| [[9.0.0-20]]<br />
| 2013?<br />
| <br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
=== General/CTRSDK ===<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Successful exploitation result<br />
! Fixed in version<br />
! Last version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| [[NWM_Services|UDS]] beacon additional-data buffer overflow<br />
| Originally CTRSDK did not validate the UDS additional-data size before using that size to copy the additional-data to a [[NWM_Services|networkstruct]]. This was eventually fixed.<br />
This was discovered while doing code RE with an old dlp-module version. It's unknown in what specific CTRSDK version this was fixed, or even what system-version updated titles with a fixed version.<br />
<br />
It's unknown if there's any titles using a vulnerable CTRSDK version which are also exploitable with this(dlp module can't be exploited with this).<br />
<br />
The maximum number of bytes that can be written beyond the end of the outbuf is 0x37-bytes, with additionaldata_size=0xFF.<br />
| Perhaps ROP, very difficult if possible with anything at all<br />
| ?<br />
| <br />
| September(?) 2014<br />
| [[User:Yellows8|Yellows8]]<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=17670Homebrew Exploits2016-07-11T12:46:41Z<p>Dark samus: /* Standalone Homebrew Launcher Exploits */</p>
<hr />
<div>==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: orange" | No; needs update.<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''10.7.0-32'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja". (note that this can be used on 11.0.0-33, but the savegame cannot be installed via the QR scanner, due to httpc access being revoked)<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''.<br />
| A cartridge or eShop version (USA/EUR/JAP) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.0.0-33'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| (Old 3DS) From '''9.0.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
(New 3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0''' up to and including '''11.0.0'''<br />
| SmileBASIC (USA only, JPN to be supported soon.) downloaded from the eShop. This vuln is not yet fixed as of v3.3.1.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 32.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Due to lack of free space with the size of the *hax payload, the only save-slot that can exist in the *gamecard* savedata is the oot3dhax save-slot.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| From '''9.0.0-X''' up to and including '''10.5.0-X''', for '''X''' up to and including 30.<br />
|<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1)<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| An eShop-install of Citizens of Earth, featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''2.1.0-4''' to '''3.0.0-6''', '''4.0.0-7''' to '''4.5.0-10''', '''5.0.0-11''' to '''7.0.0-13''', '''7.1.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
(New3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced(see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| Yes, that's not the intended default use however.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.0.0-X'''.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=17669Homebrew Exploits2016-07-11T12:42:10Z<p>Dark samus: Undo revision 17667 by Yario (talk)</p>
<hr />
<div>==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: salmon" | No; needs update.<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''10.7.0-32'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''.<br />
| A cartridge or eShop version (USA/EUR/JAP) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.0.0-33'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| (Old 3DS) From '''9.0.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
(New 3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0''' up to and including '''11.0.0'''<br />
| SmileBASIC (USA only, JPN to be supported soon.) downloaded from the eShop. This vuln is not yet fixed as of v3.3.1.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 32.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Due to lack of free space with the size of the *hax payload, the only save-slot that can exist in the *gamecard* savedata is the oot3dhax save-slot.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| From '''9.0.0-X''' up to and including '''10.5.0-X''', for '''X''' up to and including 30.<br />
|<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1)<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| An eShop-install of Citizens of Earth, featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''2.1.0-4''' to '''3.0.0-6''', '''4.0.0-7''' to '''4.5.0-10''', '''5.0.0-11''' to '''7.0.0-13''', '''7.1.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
(New3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced(see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| Yes, that's not the intended default use however.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.0.0-X'''.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=17666Homebrew Exploits2016-07-11T12:19:17Z<p>Dark samus: </p>
<hr />
<div>==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: salmon" | No; needs update.<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''10.7.0-32'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''.<br />
| A cartridge or eShop version (USA/EUR/JAP) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.0.0-33'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| (Old 3DS) From '''9.0.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
(New 3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0''' up to and including '''11.0.0'''<br />
| SmileBASIC (USA only, JPN to be supported soon.) downloaded from the eShop. This vuln is not yet fixed as of v3.3.1.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 32.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Due to lack of free space with the size of the *hax payload, the only save-slot that can exist in the *gamecard* savedata is the oot3dhax save-slot.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| From '''9.0.0-X''' up to and including '''10.5.0-X''', for '''X''' up to and including 30.<br />
|<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1)<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| An eShop-install of Citizens of Earth, featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''2.1.0-4''' to '''3.0.0-6''', '''4.0.0-7''' to '''4.5.0-10''', '''5.0.0-11''' to '''7.0.0-13''', '''7.1.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
(New3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced(see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| Yes, that's not the intended default use however.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.0.0-X'''.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Dark samushttps://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=17665Homebrew Exploits2016-07-11T12:18:18Z<p>Dark samus: </p>
<hr />
<div>==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: salmon" | No; needs update.<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''10.7.0-32'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''.<br />
| A cartridge or eShop version (USA/EUR/JAP) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.0.0-33'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| (Old 3DS) From '''9.0.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
(New 3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0''' up to and including '''11.0.0'''<br />
| SmileBASIC (USA only, JPN to be supported soon.) downloaded from the eShop. This vuln is not yet fixed as of v3.3.1.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes;<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 32.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Due to lack of free space with the size of the *hax payload, the only save-slot that can exist in the *gamecard* savedata is the oot3dhax save-slot.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| From '''9.0.0-X''' up to and including '''10.5.0-X''', for '''X''' up to and including 30.<br />
|<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1)<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| An eShop-install of Citizens of Earth, featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''2.1.0-4''' to '''3.0.0-6''', '''4.0.0-7''' to '''4.5.0-10''', '''5.0.0-11''' to '''7.0.0-13''', '''7.1.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
(New3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced(see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| Yes, that's not the intended default use however.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.0.0-X'''.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Dark samushttps://www.3dbrew.org/w/index.php?title=I2C_Registers&diff=15908I2C Registers2016-02-24T08:42:14Z<p>Dark samus: /* Device 3 */</p>
<hr />
<div>= Registers =<br />
{| class="wikitable" border="1"<br />
! Old3DS<br />
! Name<br />
! Address<br />
! Width<br />
! Used by<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_DATA<br />
| 0x10161000<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C1_CNT]]<br />
| 0x10161001<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_CNTEX<br />
| 0x10161002<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_SCL<br />
| 0x10161004<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_DATA<br />
| 0x10144000<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C2_CNT]]<br />
| 0x10144001<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_CNTEX<br />
| 0x10144002<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_SCL<br />
| 0x10144004<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_DATA<br />
| 0x10148000<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C3_CNT]]<br />
| 0x10148001<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_CNTEX<br />
| 0x10148002<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_SCL<br />
| 0x10148004<br />
| 2<br />
|<br />
|}<br />
<br />
== I2C_CNT ==<br />
{| class="wikitable" border="1"<br />
! BIT<br />
! DESCRIPTION<br />
|-<br />
| 0<br />
| Stop (0=No, 1=Stop/last byte)<br />
|-<br />
| 1<br />
| Start (0=No, 1=Start/first byte)<br />
|-<br />
| 2<br />
| Pause (0=Transfer Data, 1=Pause after Error, used with/after Stop)<br />
|-<br />
| 4<br />
| Ack Flag (0=Error, 1=Okay) (For DataRead: W, for DataWrite: R)<br />
|-<br />
| 5<br />
| Data Direction (0=Write, 1=Read)<br />
|-<br />
| 6<br />
| Interrupt Enable (0=Disable, 1=Enable)<br />
|-<br />
| 7<br />
| Start/busy (0=Ready, 1=Start/busy)<br />
|}<br />
<br />
= I2C Devices =<br />
{| class="wikitable" border="1"<br />
! [[I2C_Registers|Device id]]<br />
! Device bus id<br />
! Device Write Address<br />
! Accessible via I2C [[I2C_Services|service]]<br />
! Device description<br />
|-<br />
| 0<br />
| 1<br />
| 0x4a<br />
| "i2c::MCU"<br />
| Power management?(same device addr as the DSi power-management)<br />
|-<br />
| 1<br />
| 1<br />
| 0x7a<br />
| "i2c::CAM"<br />
| Camera0?(same dev-addr as DSi cam0)<br />
|-<br />
| 2<br />
| 1<br />
| 0x78<br />
| "i2c::CAM"<br />
| Camera1?(same dev-addr as DSi cam1)<br />
|-<br />
| 3<br />
| 2<br />
| 0x4a<br />
| "i2c::MCU"<br />
| MCU<br />
|-<br />
| 4<br />
| 2<br />
| 0x78<br />
| "i2c::CAM"<br />
| ?<br />
|-<br />
| 5<br />
| 2<br />
| 0x2c<br />
| "i2c::LCD"<br />
| ?<br />
|-<br />
| 6<br />
| 2<br />
| 0x2e<br />
| "i2c::LCD"<br />
| ?<br />
|-<br />
| 7<br />
| 2<br />
| 0x40<br />
| "i2c::DEB"<br />
| ?<br />
|-<br />
| 8<br />
| 2<br />
| 0x44<br />
| "i2c::DEB"<br />
| ?<br />
|-<br />
| 9<br />
| 3<br />
| 0xa6<br />
| "i2c::HID"<br />
| Unknown. The device table in I2C-module had the device address changed from 0xA6 to 0xD6 with [[8.0.0-18]].<br />
|-<br />
| 10<br />
| 3<br />
| 0xd0<br />
| "i2c::HID"<br />
| Gyroscope<br />
|-<br />
| 11<br />
| 3<br />
| 0xd2<br />
| "i2c::HID"<br />
| ?<br />
|-<br />
| 12<br />
| 3<br />
| 0xa4<br />
| "i2c::HID"<br />
| DebugPad<br />
|-<br />
| 13<br />
| 3<br />
| 0x9a<br />
| "i2c::IR"<br />
| IR<br />
|-<br />
| 14<br />
| 3<br />
| 0xa0<br />
| "i2c::EEP"<br />
| eeprom?<br />
|-<br />
| 15<br />
| 2<br />
| 0xee<br />
| "i2c::NFC"<br />
| New3DS-only [[NFC_Services|NFC]]<br />
|-<br />
| 16<br />
| 1<br />
| 0x40<br />
| "i2c::QTM"<br />
| New3DS-only [[QTM_Services|QTM]]<br />
|-<br />
| 17<br />
| 3<br />
| 0x54<br />
| "i2c::IR"<br />
| Used by IR-module starting with [[8.0.0-18]], for New3DS-only HID via "ir:rst". This deviceid doesn't seem to be supported by i2c module on [[8.0.0-18]](actual support was later added in New3DS i2c module).<br />
|}<br />
<br />
'''Notice''': These device addresses are used for writing to the respective device, for reading bit0 must be set (see I2C protocol). Thus, the actual device address is >> 1.<br />
<br />
== Device 3 ==<br />
{| class="wikitable" border="1"<br />
! REGISTER<br />
! WIDTH<br />
! DESCRIPTION <br />
|-<br />
| 0x03<br />
| 8<br />
| ?<br />
|-<br />
| 0x04<br />
| 8<br />
| ?<br />
|-<br />
| 0x08<br />
| 1<br />
| 3D slider position 0x9..0xFB<br />
|-<br />
| 0x09<br />
| 1<br />
| Sound volume: 0x0..0x3F.<br />
|-<br />
| 0xB<br />
| 1<br />
| Battery level: 0x0..0x40.<br />
|-<br />
| 0xF<br />
| 1<br />
| Flags: bit7-5 are read via [[MCU_Services|mcu::GPU]]. The rest of these are read via [[MCU_Services|mcu::RTC]]: bit4 = BatteryChargeState. bit3 = AdapterState. bit1 = ShellState.<br />
|-<br />
| 0x10<br />
| 1<br />
| Special HID status flags: bit0 = power button pressed, bit1 = power button pressed long, bit2 = home button pressed, bit3 = home button released, bit4 = wifi slider enabled, bit5 = shell got closed, bit6 = shell got opened. If nothing has changed this register is 0.<br />
|-<br />
| 0x12<br />
| 1<br />
| 0x40 if volume slider position changed<br />
|-<br />
| 0x18<br />
| 8<br />
| ?<br />
|-<br />
| 0x20<br />
| 8<br />
| Writing u8 value 4 here triggers a hardware system reboot. Writing u8 value 1 (repeatedly) triggers a shutdown via power-off?<br />
|-<br />
| 0x22<br />
| 8<br />
| Used to set LCD states. bit0 = don't push to LCDs, bit1 = push to LCDs, bit2 = bottom screen backlight off, bit3 = bottom screen backlight on, bit4 = top screen backlight off, bit5 = top screen backlight on<br />
|-<br />
| 0x23<br />
| 8<br />
| ?<br />
|-<br />
| 0x24<br />
| 8<br />
| ?<br />
|-<br />
| 0x28<br />
| 8<br />
| ?<br />
|-<br />
| 0x29<br />
| 8<br />
| ?<br />
|-<br />
| 0x2A<br />
| 8<br />
| ?<br />
|-<br />
| 0x2B<br />
| 8<br />
| ?<br />
|-<br />
| 0x2C<br />
| 8<br />
| setting bits 1, 3 and 4 turn on the 3D LED on the original 3ds<br />
|-<br />
| 0x2D<br />
| 0x64<br />
| This is used for [[MCURTC:SetInfoLEDPattern|controlling]] the notification LED(see [[MCURTC:SetInfoLEDPatternHeader]] as well), when this register is written.<br />
|-<br />
| 0x2E<br />
| 1<br />
| This [[MCURTC:GetInfoLEDStatus|returns]] the notification LED status when read.<br />
|-<br />
| 0x30<br />
| 8<br />
| RTC time (system clock)<br />
|-<br />
| 0x31<br />
| 8<br />
| ?<br />
|-<br />
| 0x32<br />
| 8<br />
| ?<br />
|-<br />
| 0x33<br />
| 8<br />
| ?<br />
|-<br />
| 0x34<br />
| 8<br />
| ?<br />
|-<br />
| 0x35<br />
| 8<br />
| ?<br />
|-<br />
| 0x36<br />
| 8<br />
| ?<br />
|-<br />
| 0x37<br />
| 8<br />
| ?<br />
|-<br />
| 0x38<br />
| 8<br />
| ?<br />
|-<br />
| 0x39<br />
| 8<br />
| ?<br />
|-<br />
| 0x3A<br />
| 8<br />
| ?<br />
|-<br />
| 0x3B<br />
| 8<br />
| ?<br />
|-<br />
| 0x3C<br />
| 8<br />
| ?<br />
|-<br />
| 0x41<br />
| 8<br />
| ?<br />
|-<br />
| 0x43<br />
| 8<br />
| ?<br />
|-<br />
| 0x4E<br />
| 8<br />
| ?<br />
|-<br />
| 0x50<br />
| 8<br />
| ?<br />
|-<br />
| 0x51<br />
| 8<br />
| ?<br />
|-<br />
| 0x58<br />
| 8<br />
| ?<br />
|-<br />
| 0x60<br />
| 8<br />
| Offset in u8 array accessed via address 0x61 (written before any read/write below)<br />
|-<br />
| 0x61<br />
| 0x100<br />
| Reads/writes to an MCU u8 array, repeats after 0x100 bytes?<br />
|}<br />
<br />
== Device 5 & 6 ==<br />
LCD controllers for main/sub displays, most likely.<br />
<br />
{| class="wikitable" border="1"<br />
! Register<br />
! Width<br />
! Name<br />
! Description<br />
|-<br />
| 0x1<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x11<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x40<br />
| 8<br />
| CMD_IN/CMD_RESULT1<br />
| Write to trigger a command? Seen commands: 0xFF=Reset?, 0x62=IsFinished?. Result is stored in CMD_RESULT1:CMD_RESULT0.<br />
|-<br />
| 0x41<br />
| 8<br />
| CMD_RESULT0<br />
| Read result <br />
|-<br />
| 0x50<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x60<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0xFE<br />
| 8<br />
| ?<br />
| <br />
|}<br />
<br />
== Device 10 ==<br />
See the datasheet linked to on the [[Hardware]] page for reference.<br />
<br />
== Device 12 ==<br />
{| class="wikitable" border="1"<br />
! REGISTER<br />
! WIDTH<br />
! DESCRIPTION <br />
|-<br />
| 0x0<br />
| 21<br />
| DebugPad state.<br />
|}<br />
<br />
This is the DebugPad device, see [[HID_Shared_Memory|here]].<br />
<br />
== Device 13 ==<br />
{| class="wikitable" border="1"<br />
! Raw I2C register address<br />
! Internal register address<br />
! Width<br />
! Description <br />
|-<br />
| 0x0<br />
| 0x0<br />
| 0x40<br />
| RHR / THR (data receive/send FIFO)<br />
|-<br />
| 0x8<br />
| 0x1<br />
| 0x1<br />
| IER<br />
|-<br />
| 0x10<br />
| 0x2<br />
| 0x1<br />
| FCR/IIR<br />
|-<br />
| 0x18<br />
| 0x3<br />
| 0x1<br />
| LCR<br />
|-<br />
| 0x20<br />
| 0x4<br />
| 0x1<br />
| MCR<br />
|-<br />
| 0x28<br />
| 0x5<br />
| 0x1<br />
| LSR<br />
|-<br />
| 0x30<br />
| 0x6<br />
| 0x1<br />
| MSR/TCR<br />
|-<br />
| 0x38<br />
| 0x7<br />
| 0x1<br />
| SPR/TLR<br />
|-<br />
| 0x40<br />
| 0x8<br />
| 0x1<br />
| TXLVL<br />
|-<br />
| 0x48<br />
| 0x9<br />
| 0x1<br />
| RXLVL<br />
|-<br />
| 0x50<br />
| 0xA<br />
| 0x1<br />
| IODir<br />
|-<br />
| 0x58<br />
| 0xB<br />
| 0x1<br />
| IOState<br />
|-<br />
| 0x60<br />
| 0xC<br />
| 0x1<br />
| IoIntEna<br />
|-<br />
| 0x68<br />
| 0xD<br />
| 0x1<br />
| reserved<br />
|-<br />
| 0x70<br />
| 0xE<br />
| 0x1<br />
| IOControl<br />
|-<br />
| 0x78<br />
| 0xF<br />
| 0x1<br />
| EFCR<br />
|}<br />
<br />
See the datasheet linked to on the [[Hardware]] page for reference. From that datasheet, for the structure of the I2C register address u8: "Bit 0 is not used, bits 2:1 select the channel, bits 6:3 select one of the UART internal registers. Bit 7 is not used with the I2C-bus interface, but it is used by the SPI interface to indicate a read or a write operation."<br />
<br />
== Device 15 ==<br />
This the New3DS [[NFC_Services|NFC]] controller "I2C" interface. This device is accessed via the WriteDeviceRaw/ReadDeviceRaw I2C service [[I2C_Services|commands]].<br />
<br />
Since the *Raw commands are used with this, this device has no I2C registers. Instead, raw data is transfered after the I2C device is selected. Hence, WriteDeviceRaw is used for sending commands to the controller, while ReadDeviceRaw is for receiving responses from the controller. Certain commands may return multiple command responses.<br />
<br />
Command request / response structure:<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x1<br />
| Normally 0x10?<br />
|-<br />
| 0x1<br />
| 0x1<br />
| Command source / destination.<br />
|-<br />
| 0x2<br />
| 0x1<br />
| CmdID<br />
|-<br />
| 0x3<br />
| 0x1<br />
| Payload size.<br />
|}<br />
<br />
Following the above header is the payload data(when payload size is non-zero), with the size specified in the header. The command response payload is usually at least 1-byte, where that byte appears to be normally 0x0. For command requests the payload data is the command parameters.<br />
<br />
For command requests sent to the NFC tag itself, Cmd[1]=0x0 and CmdID=0x0. The command request payload data here is the actual command request data for the NFC tag, starting with the CmdID u8 at payload+0.<br />
<br />
During NFC module startup, a certain command is sent to the controller which eventually(after various cmd-reply headers etc) returns the following the payload after the first byte in the payload:<br />
000000: 44 65 63 20 32 32 20 32 30 31 32 31 34 3a 35 33 Dec 22 201214:53 <br />
000010: 3a 35 30 01 05 0d 46 05 1b 79 20 07 32 30 37 39 :50...F..y .2079<br />
000020: 31 42 35 1B5<br />
<br />
Or that is: "Dec 22 201214:53:50<binary>20791B5". Therefore, this appears to return the part-number of the NFC controller(other command request(s) / response(s) use this part-number value too).<br />
<br />
=== NFC controller commands ===<br />
{| class="wikitable" border="1"<br />
! CmdRequest[1]<br />
! CmdID<br />
! Payload data for parameters<br />
! Description<br />
|-<br />
| 0x2E<br />
| 0x2F<br />
| Firmware image for this chunk, size varies.<br />
| This is used during NFC module startup to upload the firmware image to the NFC controller. This is used repeatedly to upload multiple chunks of the image.<br />
|}</div>Dark samushttps://www.3dbrew.org/w/index.php?title=I2C_Registers&diff=15900I2C Registers2016-02-23T10:41:20Z<p>Dark samus: /* Device 3 */</p>
<hr />
<div>= Registers =<br />
{| class="wikitable" border="1"<br />
! Old3DS<br />
! Name<br />
! Address<br />
! Width<br />
! Used by<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_DATA<br />
| 0x10161000<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C1_CNT]]<br />
| 0x10161001<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_CNTEX<br />
| 0x10161002<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C1_SCL<br />
| 0x10161004<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_DATA<br />
| 0x10144000<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C2_CNT]]<br />
| 0x10144001<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_CNTEX<br />
| 0x10144002<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C2_SCL<br />
| 0x10144004<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_DATA<br />
| 0x10148000<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| [[#I2C_CNT|I2C3_CNT]]<br />
| 0x10148001<br />
| 1<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_CNTEX<br />
| 0x10148002<br />
| 2<br />
|<br />
|-<br />
| style="background: green" | Yes<br />
| I2C3_SCL<br />
| 0x10148004<br />
| 2<br />
|<br />
|}<br />
<br />
== I2C_CNT ==<br />
{| class="wikitable" border="1"<br />
! BIT<br />
! DESCRIPTION<br />
|-<br />
| 0<br />
| Stop (0=No, 1=Stop/last byte)<br />
|-<br />
| 1<br />
| Start (0=No, 1=Start/first byte)<br />
|-<br />
| 2<br />
| Pause (0=Transfer Data, 1=Pause after Error, used with/after Stop)<br />
|-<br />
| 4<br />
| Ack Flag (0=Error, 1=Okay) (For DataRead: W, for DataWrite: R)<br />
|-<br />
| 5<br />
| Data Direction (0=Write, 1=Read)<br />
|-<br />
| 6<br />
| Interrupt Enable (0=Disable, 1=Enable)<br />
|-<br />
| 7<br />
| Start/busy (0=Ready, 1=Start/busy)<br />
|}<br />
<br />
= I2C Devices =<br />
{| class="wikitable" border="1"<br />
! [[I2C_Registers|Device id]]<br />
! Device bus id<br />
! Device Write Address<br />
! Accessible via I2C [[I2C_Services|service]]<br />
! Device description<br />
|-<br />
| 0<br />
| 1<br />
| 0x4a<br />
| "i2c::MCU"<br />
| Power management?(same device addr as the DSi power-management)<br />
|-<br />
| 1<br />
| 1<br />
| 0x7a<br />
| "i2c::CAM"<br />
| Camera0?(same dev-addr as DSi cam0)<br />
|-<br />
| 2<br />
| 1<br />
| 0x78<br />
| "i2c::CAM"<br />
| Camera1?(same dev-addr as DSi cam1)<br />
|-<br />
| 3<br />
| 2<br />
| 0x4a<br />
| "i2c::MCU"<br />
| MCU<br />
|-<br />
| 4<br />
| 2<br />
| 0x78<br />
| "i2c::CAM"<br />
| ?<br />
|-<br />
| 5<br />
| 2<br />
| 0x2c<br />
| "i2c::LCD"<br />
| ?<br />
|-<br />
| 6<br />
| 2<br />
| 0x2e<br />
| "i2c::LCD"<br />
| ?<br />
|-<br />
| 7<br />
| 2<br />
| 0x40<br />
| "i2c::DEB"<br />
| ?<br />
|-<br />
| 8<br />
| 2<br />
| 0x44<br />
| "i2c::DEB"<br />
| ?<br />
|-<br />
| 9<br />
| 3<br />
| 0xa6<br />
| "i2c::HID"<br />
| Unknown. The device table in I2C-module had the device address changed from 0xA6 to 0xD6 with [[8.0.0-18]].<br />
|-<br />
| 10<br />
| 3<br />
| 0xd0<br />
| "i2c::HID"<br />
| Gyroscope<br />
|-<br />
| 11<br />
| 3<br />
| 0xd2<br />
| "i2c::HID"<br />
| ?<br />
|-<br />
| 12<br />
| 3<br />
| 0xa4<br />
| "i2c::HID"<br />
| DebugPad<br />
|-<br />
| 13<br />
| 3<br />
| 0x9a<br />
| "i2c::IR"<br />
| IR<br />
|-<br />
| 14<br />
| 3<br />
| 0xa0<br />
| "i2c::EEP"<br />
| eeprom?<br />
|-<br />
| 15<br />
| 2<br />
| 0xee<br />
| "i2c::NFC"<br />
| New3DS-only [[NFC_Services|NFC]]<br />
|-<br />
| 16<br />
| 1<br />
| 0x40<br />
| "i2c::QTM"<br />
| New3DS-only [[QTM_Services|QTM]]<br />
|-<br />
| 17<br />
| 3<br />
| 0x54<br />
| "i2c::IR"<br />
| Used by IR-module starting with [[8.0.0-18]], for New3DS-only HID via "ir:rst". This deviceid doesn't seem to be supported by i2c module on [[8.0.0-18]](actual support was later added in New3DS i2c module).<br />
|}<br />
<br />
'''Notice''': These device addresses are used for writing to the respective device, for reading bit0 must be set (see I2C protocol). Thus, the actual device address is >> 1.<br />
<br />
== Device 3 ==<br />
{| class="wikitable" border="1"<br />
! REGISTER<br />
! WIDTH<br />
! DESCRIPTION <br />
|-<br />
| 0x03<br />
| 8<br />
| ?<br />
|-<br />
| 0x04<br />
| 8<br />
| ?<br />
|-<br />
| 0x08<br />
| 1<br />
| 3D slider position 0x9..0xFB<br />
|-<br />
| 0x09<br />
| 1<br />
| Sound volume: 0x0..0x3F.<br />
|-<br />
| 0xB<br />
| 1<br />
| Battery level: 0x0..0x40.<br />
|-<br />
| 0xF<br />
| 1<br />
| Flags: bit7-5 are read via [[MCU_Services|mcu::GPU]]. The rest of these are read via [[MCU_Services|mcu::RTC]]: bit4 = BatteryChargeState. bit3 = AdapterState. bit1 = ShellState.<br />
|-<br />
| 0x10<br />
| 1<br />
| Special HID status flags: bit0 = power button pressed, bit1 = power button pressed long, bit2 = home button pressed, bit3 = home button released, bit4 = wifi slider enabled, bit5 = shell got closed, bit6 = shell got opened. If nothing has changed this register is 0.<br />
|-<br />
| 0x12<br />
| 1<br />
| 0x40 if volume slider position changed<br />
|-<br />
| 0x18<br />
| 8<br />
| ?<br />
|-<br />
| 0x20<br />
| 8<br />
| Writing u8 value 4 here triggers a hardware system reboot. Writing u8 value 1 (repeatedly) triggers a shutdown via power-off?<br />
|-<br />
| 0x22<br />
| 8<br />
| ?<br />
|-<br />
| 0x23<br />
| 8<br />
| ?<br />
|-<br />
| 0x24<br />
| 8<br />
| ?<br />
|-<br />
| 0x28<br />
| 8<br />
| ?<br />
|-<br />
| 0x29<br />
| 8<br />
| ?<br />
|-<br />
| 0x2A<br />
| 8<br />
| ?<br />
|-<br />
| 0x2B<br />
| 8<br />
| ?<br />
|-<br />
| 0x2C<br />
| 8<br />
| setting bits 1, 3 and 4 turn on the 3D LED on the original 3ds<br />
|-<br />
| 0x2D<br />
| 0x64<br />
| This is used for [[MCURTC:SetInfoLEDPattern|controlling]] the notification LED(see [[MCURTC:SetInfoLEDPatternHeader]] as well), when this register is written.<br />
|-<br />
| 0x2E<br />
| 1<br />
| This [[MCURTC:GetInfoLEDStatus|returns]] the notification LED status when read.<br />
|-<br />
| 0x30<br />
| 8<br />
| RTC time (system clock)<br />
|-<br />
| 0x31<br />
| 8<br />
| ?<br />
|-<br />
| 0x32<br />
| 8<br />
| ?<br />
|-<br />
| 0x33<br />
| 8<br />
| ?<br />
|-<br />
| 0x34<br />
| 8<br />
| ?<br />
|-<br />
| 0x35<br />
| 8<br />
| ?<br />
|-<br />
| 0x36<br />
| 8<br />
| ?<br />
|-<br />
| 0x37<br />
| 8<br />
| ?<br />
|-<br />
| 0x38<br />
| 8<br />
| ?<br />
|-<br />
| 0x39<br />
| 8<br />
| ?<br />
|-<br />
| 0x3A<br />
| 8<br />
| ?<br />
|-<br />
| 0x3B<br />
| 8<br />
| ?<br />
|-<br />
| 0x3C<br />
| 8<br />
| ?<br />
|-<br />
| 0x41<br />
| 8<br />
| ?<br />
|-<br />
| 0x43<br />
| 8<br />
| ?<br />
|-<br />
| 0x4E<br />
| 8<br />
| ?<br />
|-<br />
| 0x50<br />
| 8<br />
| ?<br />
|-<br />
| 0x51<br />
| 8<br />
| ?<br />
|-<br />
| 0x58<br />
| 8<br />
| ?<br />
|-<br />
| 0x60<br />
| 8<br />
| Offset in u8 array accessed via address 0x61 (written before any read/write below)<br />
|-<br />
| 0x61<br />
| 0x100<br />
| Reads/writes to an MCU u8 array, repeats after 0x100 bytes?<br />
|}<br />
<br />
== Device 5 & 6 ==<br />
LCD controllers for main/sub displays, most likely.<br />
<br />
{| class="wikitable" border="1"<br />
! Register<br />
! Width<br />
! Name<br />
! Description<br />
|-<br />
| 0x1<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x11<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x40<br />
| 8<br />
| CMD_IN/CMD_RESULT1<br />
| Write to trigger a command? Seen commands: 0xFF=Reset?, 0x62=IsFinished?. Result is stored in CMD_RESULT1:CMD_RESULT0.<br />
|-<br />
| 0x41<br />
| 8<br />
| CMD_RESULT0<br />
| Read result <br />
|-<br />
| 0x50<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0x60<br />
| 8<br />
| ?<br />
| <br />
|-<br />
| 0xFE<br />
| 8<br />
| ?<br />
| <br />
|}<br />
<br />
== Device 10 ==<br />
See the datasheet linked to on the [[Hardware]] page for reference.<br />
<br />
== Device 12 ==<br />
{| class="wikitable" border="1"<br />
! REGISTER<br />
! WIDTH<br />
! DESCRIPTION <br />
|-<br />
| 0x0<br />
| 21<br />
| DebugPad state.<br />
|}<br />
<br />
This is the DebugPad device, see [[HID_Shared_Memory|here]].<br />
<br />
== Device 13 ==<br />
{| class="wikitable" border="1"<br />
! Raw I2C register address<br />
! Internal register address<br />
! Width<br />
! Description <br />
|-<br />
| 0x0<br />
| 0x0<br />
| 0x40<br />
| RHR / THR (data receive/send FIFO)<br />
|-<br />
| 0x8<br />
| 0x1<br />
| 0x1<br />
| IER<br />
|-<br />
| 0x10<br />
| 0x2<br />
| 0x1<br />
| FCR/IIR<br />
|-<br />
| 0x18<br />
| 0x3<br />
| 0x1<br />
| LCR<br />
|-<br />
| 0x20<br />
| 0x4<br />
| 0x1<br />
| MCR<br />
|-<br />
| 0x28<br />
| 0x5<br />
| 0x1<br />
| LSR<br />
|-<br />
| 0x30<br />
| 0x6<br />
| 0x1<br />
| MSR/TCR<br />
|-<br />
| 0x38<br />
| 0x7<br />
| 0x1<br />
| SPR/TLR<br />
|-<br />
| 0x40<br />
| 0x8<br />
| 0x1<br />
| TXLVL<br />
|-<br />
| 0x48<br />
| 0x9<br />
| 0x1<br />
| RXLVL<br />
|-<br />
| 0x50<br />
| 0xA<br />
| 0x1<br />
| IODir<br />
|-<br />
| 0x58<br />
| 0xB<br />
| 0x1<br />
| IOState<br />
|-<br />
| 0x60<br />
| 0xC<br />
| 0x1<br />
| IoIntEna<br />
|-<br />
| 0x68<br />
| 0xD<br />
| 0x1<br />
| reserved<br />
|-<br />
| 0x70<br />
| 0xE<br />
| 0x1<br />
| IOControl<br />
|-<br />
| 0x78<br />
| 0xF<br />
| 0x1<br />
| EFCR<br />
|}<br />
<br />
See the datasheet linked to on the [[Hardware]] page for reference. From that datasheet, for the structure of the I2C register address u8: "Bit 0 is not used, bits 2:1 select the channel, bits 6:3 select one of the UART internal registers. Bit 7 is not used with the I2C-bus interface, but it is used by the SPI interface to indicate a read or a write operation."<br />
<br />
== Device 15 ==<br />
This the New3DS [[NFC_Services|NFC]] controller "I2C" interface. This device is accessed via the WriteDeviceRaw/ReadDeviceRaw I2C service [[I2C_Services|commands]].<br />
<br />
Since the *Raw commands are used with this, this device has no I2C registers. Instead, raw data is transfered after the I2C device is selected. Hence, WriteDeviceRaw is used for sending commands to the controller, while ReadDeviceRaw is for receiving responses from the controller. Certain commands may return multiple command responses.<br />
<br />
Command request / response structure:<br />
{| class="wikitable" border="1"<br />
! Offset<br />
! Size<br />
! Description<br />
|-<br />
| 0x0<br />
| 0x1<br />
| Normally 0x10?<br />
|-<br />
| 0x1<br />
| 0x1<br />
| Command source / destination.<br />
|-<br />
| 0x2<br />
| 0x1<br />
| CmdID<br />
|-<br />
| 0x3<br />
| 0x1<br />
| Payload size.<br />
|}<br />
<br />
Following the above header is the payload data(when payload size is non-zero), with the size specified in the header. The command response payload is usually at least 1-byte, where that byte appears to be normally 0x0. For command requests the payload data is the command parameters.<br />
<br />
For command requests sent to the NFC tag itself, Cmd[1]=0x0 and CmdID=0x0. The command request payload data here is the actual command request data for the NFC tag, starting with the CmdID u8 at payload+0.<br />
<br />
During NFC module startup, a certain command is sent to the controller which eventually(after various cmd-reply headers etc) returns the following the payload after the first byte in the payload:<br />
000000: 44 65 63 20 32 32 20 32 30 31 32 31 34 3a 35 33 Dec 22 201214:53 <br />
000010: 3a 35 30 01 05 0d 46 05 1b 79 20 07 32 30 37 39 :50...F..y .2079<br />
000020: 31 42 35 1B5<br />
<br />
Or that is: "Dec 22 201214:53:50<binary>20791B5". Therefore, this appears to return the part-number of the NFC controller(other command request(s) / response(s) use this part-number value too).<br />
<br />
=== NFC controller commands ===<br />
{| class="wikitable" border="1"<br />
! CmdRequest[1]<br />
! CmdID<br />
! Payload data for parameters<br />
! Description<br />
|-<br />
| 0x2E<br />
| 0x2F<br />
| Firmware image for this chunk, size varies.<br />
| This is used during NFC module startup to upload the firmware image to the NFC controller. This is used repeatedly to upload multiple chunks of the image.<br />
|}</div>Dark samus