Changes

511 bytes added ,  16:20, 15 December 2015
no edit summary
Line 1: Line 1: −
Keys seem to be stored here? Access to this region is disabled once the ARM9 writes 0x2 to [[CONFIG|REG_SYSPROT9]].
+
Console-unique keys seem to be derived from here, though it is unknown how. This is very likely the console-unique data store, including [[CTCert]] and other unit info values, that ends up in ITCM at 0x01FFB800. Bootrom would decrypt it, check for magic (0xDEADB00F), and then set CFG_UNITINFO, etc to match the specific console at hand. This is a guess based on the matching size of both sets of data (ITCM's is padded to 0x100, specifically) and the lack of another known source for this data on the system (it is not sourced from eMMC). Access to this region is disabled once the ARM9 writes 0x2 to [[CONFIG|REG_SYSPROT9]].
    
Originally the console-unique TWL keyinit + region disable was done by Kernel9. However, with the [[New_3DS]] FIRM ARM9 binary this is now done in the [[FIRM]] ARM9 binary loader, which also uses the 0x10012000 region for key generation.
 
Originally the console-unique TWL keyinit + region disable was done by Kernel9. However, with the [[New_3DS]] FIRM ARM9 binary this is now done in the [[FIRM]] ARM9 binary loader, which also uses the 0x10012000 region for key generation.
96

edits