Line 235: |
Line 235: |
| | 0xCD6 | | | 0xCD6 |
| | Reserved | | | Reserved |
| + | |- |
| + | | 0x1000 |
| + | | 0x200 |
| + | | InitialData |
| + | |} |
| + | |
| + | === InitialData === |
| + | |
| + | This data is returned by [[Gamecards|16-byte cartridge command]] 0x82. |
| + | |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! OFFSET |
| + | ! SIZE |
| + | ! DESCRIPTION |
| + | |- |
| + | | 0x00 |
| + | | 0x10 |
| + | | Seed (keyY used to decrypt the title key - keyX is keyslot 0x3B for production cards, or a key of all zeroes for development cards), consisting of the title ID (little-endian) followed by reserved data (normally all-zero) |
| + | |- |
| + | | 0x10 |
| + | | 0x10 |
| + | | TitleKey (AES-CCM encrypted) |
| + | |- |
| + | | 0x20 |
| + | | 0x10 |
| + | | AES-CCM MAC |
| + | |- |
| + | | 0x30 |
| + | | 0xC |
| + | | AES-CCM nonce |
| + | |- |
| + | | 0x3C |
| + | | 0xC4 |
| + | | Reserved (normally all-zero) |
| + | |- |
| + | | 0x100 |
| + | | 0x100 |
| + | | NcchHeader (copy of the first NCCH header, excluding the RSA signature) |
| |} | | |} |
| | | |
Line 243: |
Line 282: |
| ! SIZE | | ! SIZE |
| ! DESCRIPTION | | ! DESCRIPTION |
− | |-
| |
− | | 0x1000
| |
− | | 0x200
| |
− | | InitialData
| |
| |- | | |- |
| | 0x1200 | | | 0x1200 |
Line 269: |
Line 304: |
| The CardDeviceReserved areas have random-looking data whose purpose is unknown, other than perhaps to hide the TitleKey. | | The CardDeviceReserved areas have random-looking data whose purpose is unknown, other than perhaps to hide the TitleKey. |
| | | |
− | Note that a particular flashcard vendor puts what many refer to as "private headers" here in place of actual development card information. This header is constituted by a cartridge-unique ID obtained from [[Process_Services_PXI|pxi:ps9::GetRomId]] and the title-unique cart ID (identical for all carts of the same title; can be retrieved using the NTR gamecard protocol command 0x90 or through the CTR protocol commands 0x90 or 0xA2). | + | Note that a particular flashcard vendor, namely Gateway, puts what many refer to as "private headers" at CardDeviceReserved1 in place of actual development card information. This header consists of: |
| | | |
− | === InitialData ===
| |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
Line 279: |
Line 313: |
| |- | | |- |
| | 0x0 | | | 0x0 |
− | | 0x10 | + | | 0x40 |
− | | Seed (keyY used to decrypt the title key - keyX is keyslot 0x3B for production cards, or a key of all zeroes for development cards) | + | | Unique cartridge ID; only the first 0x10 bytes are meaningful, the rest are 0xff; obtainable using encrypted [[Gamecards|16-byte cartridge command]] 0xc6; the first 0x10 bytes can also be obtained in userland via [[Process_Services_PXI|pxi:ps9::GetRomId]] |
| |- | | |- |
− | | 0x10 | + | | 0x40 |
− | | 0x10 | + | | 0x4 |
− | | TitleKey (AES-CCM encrypted) | + | | Cartridge ID1; obtainable using 8-byte cartridge command 0x90 or 16-byte cartridge command 0xa2 |
| |- | | |- |
− | | 0x20 | + | | 0x44 |
− | | 0x10 | + | | 0x4 |
− | | Mac | + | | Cartridge ID2; obtainable using 8-byte cartridge command 0xa0 or 16-byte cartridge command 0xa4 |
| |- | | |- |
− | | 0x30 | + | | 0x48 |
− | | 0xC | + | | 0x8 |
− | | Nonce | + | | Padding (all-0xff) |
− | |-
| |
− | | 0x3C
| |
− | | 0xC4
| |
− | | Reserved
| |
− | |-
| |
− | | 0x100
| |
− | | 0x100
| |
− | | NcchHeader (copy of the first NCCH header, excluding the RSA signature)
| |
| |} | | |} |
| + | |
| + | The legitimacy of the unique cartridge ID can be validated by online services. |
| + | |
| + | Some dumping tools, notably GodMode9 as of 2024-05-26, erroneously always write 0x00000000 into the position of the Cartridge ID2. This is presumably because the cartridge ID2 is always zero for retail carts. |
| | | |
| === TestData === | | === TestData === |