Changes

816 bytes added, 00:32, 8 March 2016
Better explanation of CFG_SYSPROT9
Line 105: Line 105:     
==CFG_SYSPROT9 ==  
 
==CFG_SYSPROT9 ==  
Writing values to SYSPROT sets the specified bitmask. The ARM9 [[Memory_layout|bootrom]](+0x8000) is disabled by writing bit0. bit1 is used by NATIVE_FIRM to make sure console-unique TWL AES-keys are only set at hard-boot. It is not possible to set any other bits.
+
CFG_SYSPROT9 is used to permanently disable certain security-sensitive ARM9 memory areas until the next hard reset.
   −
From disassembly of the New3DS process9, it appears that setting bit1 disables the 0x10012000+ region.
+
{| class="wikitable" border="1"
 +
!  Bit
 +
!  Description
 +
|-
 +
| 0
 +
| Disables ARM9 [[Memory_layout|bootrom]](+0x8000) when set to 1.  Cannot be cleared to 0 once set to 1.
 +
|-
 +
| 1
 +
| Disables [[OTP_Registers|OTP area]] when set to 1.  Cannot be cleared to 0 once set to 1.
 +
|}
 +
 
 +
On Old 3DS, NATIVE_FIRM reads CFG_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data.  After setting the TWL console-unique keys, NATIVE_FIRM sets CFG_SYSPROT9 bit 1 to disable the OTP area.  In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step.
 +
 
 +
On New 3DS, the above is instead done by the [[FIRM#New_3DS_FIRM|Kernel9 loader]].  In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM.  The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible.
 +
 
 +
It is not possible to set any other bits.
    
== CFG_SYSPROT11 ==  
 
== CFG_SYSPROT11 ==  
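Review bot: the removed sentence about the 0x10012000+ region was the only place the bit 1 behaviour was tied to a concrete address and to its evidence (the New3DS process9 disassembly), and the replacement table row only says "Disables [[OTP_Registers|OTP area]] when set to 1."; suggest keeping the address in that row, e.g. "| Disables [[OTP_Registers|OTP area]] (0x10012000+) when set to 1.", and stating that this was observed in the New3DS process9 disassembly so the earlier "it appears" hedge is not silently upgraded to a flat statement of fact.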