Difference between revisions of "Factory Setup"

From 3dbrew
 
(14 intermediate revisions by 4 users not shown)
Line 1: Line 1:
With certain 3DS nandimages, the following NCCH can be recovered from NAND(in some cases these are somewhat corrupted). In some cases, only 000400000F980000 is left, in other cases the NCCH headers for all of these are overwritten. All of these use the retail NCCH secure-crypto mode, the NCCH accessdesc uses the retail pubk too.
+
== Setup Process ==
  
Note that [[Nandrw/sys/updater.log]] gets written during Factory Setup.
+
[[Nandrw/sys/updater.log]], [[Twln/sys/log/inspect.log]] and [[Twln/sys/log/product.log]] get written during Factory Setup. CTRAging appears to do the product.log writing.
 +
 
 +
It is currently unknown how CTRAging is launched (Although they may use the ntrboot on the bootrom).
 +
 
 +
== Titles ==
 +
 
 +
=== Overview ===
 +
 
 +
Factory firmware is effectively a firmware that consists of NATIVE_FIRM, TWL_FIRM and AGB_FIRM, all system modules, TestMenu and CTRAging.
 +
 
 +
On O3DS, all system titles have TID high 00040001. This may just be convention of a very old firmware since [[FIRM#NATIVE_FIRM|NATIVE_FIRM in the factory]] is extremely old, being over 20 versions behind 1.0. TestMenu also has this TID high.
 +
 
 +
For N3DS, the title IDs match the [[Title_list|normal]] TID-highs. The entire N3DS factory firmware appears to be based on some firmware around 8.1. The TestMenu TID high was adjusted to match the TestMenu in the Nintendo CTR SDK as well.
 +
 
 +
Most, but apparently not all, units ship with tickets for all factory titles in ticket.db, signed with retail keys. All factory titles for retail units use the retail [[NCCH]] secure crypto; the [[NCCH/Extended_Header#Access_Control_Info|NCCH access desc]] uses the retail keys for signatures, too. This suggests that at the point the factory firmware is booted for the first time, the [[OTP_Registers|one-time programmable (OTP) region]] has already been programmed or that the bootroms set the keys for retail by default.
 +
 
 +
=== Title List ===
 +
 
 +
It is currently unknown whether these are all factory titles known or if there may be more.
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
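Review bot: In the added Setup Process text, "(Although they may use the ntrboot on the bootrom)" capitalizes mid-sentence and leaves "they" without an antecedent; suggest something like "(although the factory may use ntrboot in the bootrom)". In the added Title List sentence, "whether these are all factory titles known" reads more clearly as "whether these are all of the factory titles". The Overview claim that the factory NATIVE_FIRM is "over 20 versions behind 1.0" would also benefit from stating the version it is measured from, since the linked FIRM section is the only support given.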
Line 24: Line 42:
 
| 00000202
 
| 00000202
 
| AGB_FIRM
 
| AGB_FIRM
 +
|-
 +
| 00040001
 +
| 00001802
 +
| codec sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00001902
 
| 00001902
|  
+
| dmnt sysmodule (Debugger sysmodule, see [[Title_list|here]])
 +
|-
 +
| 00040001
 +
| 00001A02
 +
| dsp sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00001B02
 
| 00001B02
|  
+
| gpio sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00001D02
 
| 00001D02
|  
+
| hid sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00001E02
 
| 00001E02
|  
+
| i2c sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00001F02
 
| 00001F02
|  
+
| mcu sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00002102
 
| 00002102
|  
+
| pdn sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00002302
 
| 00002302
|  
+
| spi sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00002702
 
| 00002702
|  
+
| csnd sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00002802
 
| 00002802
|  
+
| dlp sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00002A02
 
| 00002A02
|  
+
| mp sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00002B02
 
| 00002B02
|  
+
| ndm sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00002C02
 
| 00002C02
|  
+
| nim sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00002D02
 
| 00002D02
|  
+
| nwm sysmodule
 +
|-
 +
| 00040001
 +
| 00002E02
 +
| socket sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00003102
 
| 00003102
|  
+
| ps module
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00003202
 
| 00003202
|  
+
| friends sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00003302
 
| 00003302
|  
+
| ir sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00003402
 
| 00003402
|  
+
| boss sysmodule
 
|-
 
|-
 
| 00040001
 
| 00040001
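Review bot: The new description for 00003102 is "ps module", while every other description filled in by this hunk uses "sysmodule"; suggest "ps sysmodule" unless the difference is intentional. In the dmnt row, the link text "here" in "see [[Title_list|here]]" is not descriptive; naming the target, for example "see [[Title_list]]", keeps the meaning if the link is lost.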
Line 99: Line 129:
 
| 00040001
 
| 00040001
 
| 00008102
 
| 00008102
| TestMenu
+
| TestMenu (O3DS)
 
|-
 
|-
 
| 00040001
 
| 00040001
 
| 00008A02
 
| 00008A02
 
| [[ErrDisp|DevErrDi]]
 
| [[ErrDisp|DevErrDi]]
 +
|-
 +
| 00040030
 +
| 00008102
 +
| TestMenu (some O3DS (?), all N3DS)
 
|-
 
|-
 
|}
 
|}
 +
 +
== TestMenu ==
 +
 +
TestMenu is similar to its [[3DS_Development_Unit_GUI#Test_Menu|Nintendo CTR SDK equivalent]].
 +
 +
On O3DS factory TestMenu, there are two strings that do not appear to be part of the standard Nintendo CTR SDK TestMenu: "run TWL test app" and "run AGB test app."
 +
 +
On N3DS, TestMenu appears to be identical to the Nintendo CTR SDK TestMenu revision.
 +
 +
No TestMenu version is capable of launching CTRAging directly: O3DS factory TestMenu can only launch [[3DS_Development_Unit_Software#Dev_Menu|DevMenu]] installed on [[Flash_Filesystem|NAND]], the inserted cartridge and the TWL/AGB test apps; N3DS factory TestMenu can only launch [[3DS_Development_Unit_Software#Dev_Menu|DevMenu]] installed on [[Flash_Filesystem|NAND]], the inserted cartridge and [[System_Settings|System Settings]].
 +
 +
== CTRAging ==
 +
 +
CTRAging appears to be a title used for hardware testing at the factory. This app also displays images, Chinese/Asian-language and text, both of which appear to be for system assembly/testing. CTRAging includes images for each 3DS model (which ones are included depends on the CTRAging version): original Old3DS, Old3DS XL, 2DS, regular New3DS, and New3DS XL. Some of the New3DS JPEG images have an EXIF last-modified timestamp of 2013, July-September.
 +
 +
Full dumps of CTRAging have only been possible on the N3DS. A menu can be pulled up by holding START. A video of the main testing routine is available at: https://www.youtube.com/watch?v=0nLiYZdn5Wg
 +
 +
On O3DS, [[ExeFS]]:/.code is consistently corrupted. It is unknown whether this is coincidential or whether CTRAging is destroyed intentionally during any part of the factory setup.
 +
 +
The O3DS version has ''vastly'' more services access compared to the N3DS version.
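Review bot: In the added CTRAging section, "displays images, Chinese/Asian-language and text, both of which" is garbled: "both" implies two items, so this probably should read "images and Chinese/Asian-language text". In the ExeFS paragraph, "coincidential" should be "coincidental". The closing statement that the O3DS version has ''vastly'' more services access gives nothing to check it against; naming a few of the additional services or linking the access descriptor comparison would make it verifiable. The new 00040030 TestMenu row is also placed after DevErrDi rather than next to the 00040001 TestMenu row, which makes the two variants harder to compare.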

Latest revision as of 17:57, 28 May 2024

Setup Process

Nandrw/sys/updater.log, Twln/sys/log/inspect.log and Twln/sys/log/product.log get written during Factory Setup. CTRAging appears to do the product.log writing.

It is currently unknown how CTRAging is launched (although it may be launched using ntrboot in the bootrom).

Titles

Overview

Factory firmware is effectively a firmware that consists of NATIVE_FIRM, TWL_FIRM and AGB_FIRM, all system modules, TestMenu and CTRAging.

On O3DS, all system titles have TID high 00040001. This may just be a convention of very old firmware, since the factory NATIVE_FIRM is extremely old, being over 20 versions behind 1.0. TestMenu also has this TID high.

For N3DS, the title IDs match the normal TID-highs. The entire N3DS factory firmware appears to be based on some firmware around 8.1. The TestMenu TID high was adjusted to match the TestMenu in the Nintendo CTR SDK as well.

Most, but apparently not all, units ship with tickets for all factory titles in ticket.db, signed with retail keys. All factory titles for retail units use the retail NCCH secure crypto; the NCCH access desc uses the retail keys for signatures, too. This suggests that at the point the factory firmware is booted for the first time, the one-time programmable (OTP) region has already been programmed or that the bootroms set the keys for retail by default.

Title List

It is currently unknown whether these are all of the factory titles or whether there may be more.

TID-high TID-low Description
00040000 0F980000 CTRAging ("Test Program")
00040001 00000002 NATIVE_FIRM
00040001 00000102 TWL_FIRM
00040001 00000202 AGB_FIRM
00040001 00001802 codec sysmodule
00040001 00001902 dmnt sysmodule (Debugger sysmodule, see the Title list)
00040001 00001A02 dsp sysmodule
00040001 00001B02 gpio sysmodule
00040001 00001D02 hid sysmodule
00040001 00001E02 i2c sysmodule
00040001 00001F02 mcu sysmodule
00040001 00002102 pdn sysmodule
00040001 00002302 spi sysmodule
00040001 00002702 csnd sysmodule
00040001 00002802 dlp sysmodule
00040001 00002A02 mp sysmodule
00040001 00002B02 ndm sysmodule
00040001 00002C02 nim sysmodule
00040001 00002D02 nwm sysmodule
00040001 00002E02 socket sysmodule
00040001 00003102 ps module
00040001 00003202 friends sysmodule
00040001 00003302 ir sysmodule
00040001 00003402 boss sysmodule
00040001 00008002 NS
00040001 00008102 TestMenu (O3DS)
00040001 00008A02 DevErrDi
00040030 00008102 TestMenu (some O3DS (?), all N3DS)

TestMenu

TestMenu is similar to its Nintendo CTR SDK equivalent.

On O3DS factory TestMenu, there are two strings that do not appear to be part of the standard Nintendo CTR SDK TestMenu: "run TWL test app" and "run AGB test app."

On N3DS, TestMenu appears to be identical to the Nintendo CTR SDK TestMenu revision.

No TestMenu version is capable of launching CTRAging directly: O3DS factory TestMenu can only launch DevMenu installed on NAND, the inserted cartridge and the TWL/AGB test apps; N3DS factory TestMenu can only launch DevMenu installed on NAND, the inserted cartridge and System Settings.

CTRAging

CTRAging appears to be a title used for hardware testing at the factory. The app also displays images and Chinese/Asian-language text, both of which appear to be for system assembly/testing. CTRAging includes images for each 3DS model (which ones are included depends on the CTRAging version): original Old3DS, Old3DS XL, 2DS, regular New3DS, and New3DS XL. Some of the New3DS JPEG images have EXIF last-modified timestamps from July-September 2013.

Full dumps of CTRAging have only been possible on the N3DS. A menu can be pulled up by holding START. A video of the main testing routine is available at: https://www.youtube.com/watch?v=0nLiYZdn5Wg

On O3DS, ExeFS:/.code is consistently corrupted. It is unknown whether this is coincidental or whether CTRAging is destroyed intentionally during some part of the factory setup.

The O3DS version has access to vastly more services than the N3DS version.