Changes

3,452 bytes added ,  23:59, 6 March 2015
Line 141: Line 141:  
| 0x00010000
 
| 0x00010000
 
| Bootrom, the main region is at +0x8000, which is disabled during system boot.
 
| Bootrom, the main region is at +0x8000, which is disabled during system boot.
 +
|}
 +
 +
==ARM9 ITCM==
 +
{| class="wikitable" border="1"
 +
|-
 +
!  ITCM mirror address
 +
!  ITCM bootrom mirror address
 +
!  Offset
 +
!  Size
 +
!  Description
 +
|-
 +
| 0x01FF8000
 +
|
 +
| 0x0
 +
| 0x3700
 +
| Uninitialized memory.
 +
|-
 +
| 0x01FFB700
 +
| 0x07FFB700
 +
| 0x700
 +
| 0x100
 +
| The unprotected ARM9-bootrom code copies code from unprotected bootrom to 0x07FFB700(ITCM mirror) size 0x100, then calls the code at 0x07FFB700. The code located here is the code used for disabling access to the bootroms.
 +
|-
 +
| 0x01FFB800
 +
|
 +
| 0x3800
 +
| 0x4
 +
| This is always 0xDEADB00F.
 +
|-
 +
| 0x01FFB804
 +
|
 +
| 0x3804
 +
| 0x4
 +
| This is the u32 DeviceId.
 +
|-
 +
| 0x01FFB808
 +
|
 +
| 0x3808
 +
| 0x10
 +
| This is the fall-back keyY used for movable.sed keyY when movable.sed doesn't exist in NAND(the last two words here are used on retail for generating console-unique TWL keydata/etc). This is also used for "LocalFriendCodeSeed", etc.
 +
|-
 +
| 0x01FFB819
 +
|
 +
| 0x3819
 +
| 0x1
 +
| This is the [[CTCert]] issuer type: 0 = retail "Nintendo CA - G3_NintendoCTR2prod", non-zero = dev "Nintendo CA - G3_NintendoCTR2dev".
 +
|-
 +
| 0x01FFB820
 +
|
 +
| 0x3820
 +
| 0x4
 +
| This is the CTCert ECDSA exponent, this is byte-swapped when *((u8*)(0x01FFB800+0x18)) is >=5.
 +
|-
 +
| 0x01FFB826
 +
|
 +
| 0x3826
 +
| 0x1E
 +
| This is the CTCert ECDSA privk.
 +
|-
 +
| 0x01FFB844
 +
|
 +
| 0x3844
 +
| 0x3C
 +
| This is the CTCert ECDSA signature.
 +
|-
 +
| 0x01FFB880
 +
|
 +
| 0x3880
 +
| 0x80
 +
| This is all-zero.
 +
|-
 +
| 0x01FFB900
 +
|
 +
| 0x3900
 +
| 0x200
 +
| This is the 0x200-bytes from NAND sector0.
 +
|-
 +
| 0x01FFBB00
 +
|
 +
| 0x3B00
 +
| 0x200
 +
| This is the 0x200-bytes from the plaintext NAND firm partition FIRM header, read by bootrom.
 +
|-
 +
| 0x01FFBC00
 +
|
 +
| 0x3C00
 +
| 0x200
 +
| Unknown, not used by [[FIRM]].
 +
|-
 +
| 0x01FFBF00
 +
|
 +
| 0x3F00
 +
| 0x100
 +
| This is the RSA-2048 modulo for [[RSA_Registers|RSA]]-engine slot2.
 +
|-
 +
| 0x01FFC000
 +
|
 +
| 0x4000
 +
| 0x100
 +
| This is the RSA-2048 modulo for RSA-engine slot3.
 +
|-
 +
| 0x01FFC900
 +
| 0x07FFC900
 +
| 0x4900
 +
| 0x400
 +
| The unprotected ARM9-bootrom copies data to 0x07FFC900(mirror of 0x01FFC900) size 0x400. This data is copied from AXI WRAM, initialized by ARM11-bootrom(the addr used for the src is determined by [[CONFIG_Registers|REG_UNITINFO]]). These are RSA modulus: retailsrcptr = 0x1FFFD000, devsrvptr = 0x1FFFD400.
 +
* The first 0x100-bytes here is the RSA-2048 modulo for the CFA NCCH header, and for the gamecard NCSD header.
 +
* 0x01FFCA00 is the RSA-2048 modulo for the CXI accessdesc signature, written to rsaengine keyslot1 by NATIVE_FIRM.
 +
* 0x01FFCB00 size 0x200 is unknown, probably RSA related, these aren't used by [[FIRM]].
 +
|-
 +
| 0x01FFCD00
 +
|
 +
| 0x4D00
 +
| 0x10
 +
| This is checked by the v6.0/v7.0 NATIVE_FIRM keyinit function, when non-zero it clears this block and continues to do the key generation. Otherwise when this block was already all-zero, it immediately returns.
 +
|-
 +
| 0x01FFCD80
 +
|
 +
| 0x4D80
 +
| 0x64
 +
| 0x01FFCD84 size 0x10-bytes is the NAND CID, read by NATIVE_FIRM(the 0x64-byte region at 0x01FFCD80 is initialized by NATIVE_FIRM). The u32 at 0x01FFCDC4 is the total number of NAND sectors, read from a MMC command.
 +
|-
 +
| 0x01FFCDE4
 +
|
 +
| 0x4DE4
 +
| 0x21C
 +
| Uninitialized memory.
 +
|-
 +
| 0x01FFD000
 +
| 0x07FFD000
 +
| 0x5000
 +
| 0x2470
 +
| The unprotected ARM9-bootrom copies 0x1FFFA000(AXIWRAM mem initialized by ARM11-bootrom) size 0x2470 to 0x07FFD000(mirror of 0x01FFD000). This block contains DSi keys.
 +
|-
 +
| 0x01FFF470
 +
|
 +
| 0x7470
 +
| 0xB90
 +
| Uninitialized memory.
 +
0x01FFFC00 size 0x100-bytes starting with [[9.5.0-22|9.5.0-X]] is the FIRM header used during FIRM-launching.
 
|}
 
|}
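Review bot: the sizes of the two rows at 0x01FFBB00 and 0x01FFBC00 (offsets 0x3B00 and 0x3C00) overlap: 0x3B00 + 0x200 = 0x3D00 runs past the next row's start at 0x3C00, and 0x3C00 + 0x200 = 0x3E00 then leaves 0x3E00-0x3F00 undescribed before the RSA slot2 modulus row; one of the two sizes (or the second offset) looks wrong and should be checked against the sum of the neighbouring rows, since every other row in this table ends exactly where the next begins. The description of the 0x01FFB820 row refers to the byte at 0x01FFB800+0x18 (offset 0x3818), but that byte falls in the gap between the 0x3808 row (size 0x10, ending at 0x3818) and the 0x3819 row and has no entry of its own; a one-byte row for 0x3818 would make the byte-swap condition traceable. In the 0x01FFC900 row, "devsrvptr" is presumably a typo for "devsrcptr" alongside "retailsrcptr". Finally, the line "0x01FFFC00 size 0x100-bytes starting with 9.5.0-X is the FIRM header used during FIRM-launching" sits after the last cell and before |}, so it renders as part of the "Uninitialized memory" description for the 0x01FFF470/size 0xB90 row even though it contradicts it (0x7470 + 0xB90 = 0x8000 covers 0x7C00); it should become its own row (offset 0x7C00, size 0x100) with the 0xB90 row split accordingly.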