Flash Filesystem

From 3dbrew
Revision as of 18:35, 21 October 2013 by Yellows8 (talk | contribs)
Jump to navigation Jump to search

The Nintendo 3DS has a 1GB NAND Flash chip.

Format

Reading of the flash chip is possible through pinouts on the motherboard and has been performed successfully but the data is encrypted and can't be understood without first decrypting it.

Encryption

The NAND file system is encrypted using AES-CTR. The TWL regions of NAND use the TWL NAND keyslot, while the CTR regions use the CTR NAND keyslots. The keyslot used for CTR-NAND partitions is determined by the NCSD partition FS type. The TWL/CTR NAND regions are specified by the NCSD header. The first 0x0B100000 bytes of NAND is encrypted with the TWL keyslot, however before 0x00012E00 only the MBR partition table is encrypted with the TWL keyslot. That region contains the TWL partitions listed below.

NAND structure

Partition name Offset Size NCSD partition FS type Description
0x0 0x200 NCSD header, this contains the offsets/sizes of the below CTR-NAND partitions. This block also contains the TWL-NAND MBR partition table.
twln 0x00012E00 0x08FB5200 TWL-NAND FAT16 File System. (DSi)
twlp 0x09011A00 0x020B6600 TWL-NAND PHOTO FAT12 File System. (DSi)
0x0B100000 0x00030000 0x04 By default this partition is empty(only contains 0x00/0xFF bytes since it was never written to), when AGB_FIRM was never launched. This contains the AGB_FIRM GBA savegame.
firm0 0x0B130000 0x00400000 0x03 Firmware partition.
firm1 0x0B530000 0x00400000 0x03 Firmware partition.(Backup partition, same as above)
0x0B930000 0x2F5D0000 0x01 CTR-NAND partition. (3DS)
nand 0x0B95CA00 0x2F3E3600 CTR-NAND FAT16 File System.

3DS TWL NAND FAT partitions has FAT volume name "TWL", for CTR FAT partitions this is "CTR". The offset/size for TWL partitions are stored in the MBR partition table, while the CTR partition table info is stored in the NAND NCSD header. Sector0 in the CTR-NAND partition contains a MBR partition table for the TWL-NAND partitions, and the MBR signature at +0x1fe.

NAND sectors which were never written to before only contain plaintext 0x00 or 0xFF bytes.

None of the above physical NAND partitions are normally accessible from the ARM11, except for twlp. CTR/TWL NAND FS can only be accessed when the exheader access control descriptor for those are enabled. Normally the CTR/TWL NAND descriptors are never enabled for retail ARM11 CXI processes. The ARM11 can only access "nand:/rw/" mounted as the nandrw archive, and "nand:/ro/" mounted as the nandro archive below.

0x4000

On some 3DS systems(such as 3DS XL), there's a plaintext FAT16 boot record located at NAND offset 0x4000. This block does not exist for launch-day 3DS systems. This is the only plaintext block for this "partition".

CTR partition

The structure of nand/title appears to be exactly the same as SD, except savegames are stored under the nand/data/<ID0>/sysdata directory instead. The sub-directory name under nand/data is the SHA256 hash over the movable.sed keyY. This nand/data/<ID0> directory is the NAND equivalent of the "sdmc/Nintendo 3DS/<ID0>/<ID1>" directory, however the data contained here is stored in cleartext. The movable.sed keyY is only used for AES MACs for nand/data/<ID0>. The nand/data/<ID0>/extdata directory contains the shared extdata, and is structured exactly the same way as SD extdata.

The "nandrw" archive is mounted at "nand:/rw/", while the "nandro" archive is mounted at "nand:/ro/".

nandro
├── private
├── shared
└── sys
    ├── HWCAL0.dat
    └── HWCAL1.dat
nandrw
├── shared
└── sys
    ├── lgy.log (This is written to by TWL_FIRM when errors occur)
    ├── LocalFriendCodeSeed_B
    ├── native.log (This is written to by ErrDisp)
    ├── rand_seed
    ├── SecureInfo_A
    └── updater.log
nand
├── __journal.nn_
├── data
│   └── <ID0>
│       ├── extdata          
│       └── sysdata
├── dbs
├── fixdata
│   └── sysdata
├── private
│   └── movable.sed
├── ro
├── rw
├── ticket (This directory is empty since tickets are stored in ticket.db)
├── title
└── tmp (This is usually empty, even when installation for a system update still needs finalized)

TWL partition

The structure of these TWL partitions is mostly the same as DSi, except tickets are stored in the CTR FAT FS. The twlp partition is exactly the same as DSi. The structure of twln/title is exactly the same as CTR NAND/SD, except the .cmd file is a cleartext file.(This is likely a dummy file) The data directory under system titles' /title directory does not exist, this likely only exists for DSiWare. The directory names titleID-High used under twln/title is from DSi.

twln
├── import
├── shared1
├── shared2
│   └── 0000
├── sys
│   ├── TWLFontTable.dat
│   └── log
│       ├── inspect.log
│       └── product.log
├── ticket
├── title
└── tmp
twlp
└── photo