Difference between revisions of "CONFIG9 Registers"
WulfyStylez (talk | contribs) (actual usage, clean up some repetition that belongs on the LGY PXI page anyways) |
(Better explanation of CFG_SYSPROT9) |
||
| Line 105: | Line 105: | ||
==CFG_SYSPROT9 == | ==CFG_SYSPROT9 == | ||
| − | + | CFG_SYSPROT9 is used to permanently disable certain security-sensitive ARM9 memory areas until the next hard reset. | |
| − | + | {| class="wikitable" border="1" | |
| + | ! Bit | ||
| + | ! Description | ||
| + | |- | ||
| + | | 0 | ||
| + | | Disables ARM9 [[Memory_layout|bootrom]](+0x8000) when set to 1. Cannot be cleared to 0 once set to 1. | ||
| + | |- | ||
| + | | 1 | ||
| + | | Disables [[OTP_Registers|OTP area]] when set to 1. Cannot be cleared to 0 once set to 1. | ||
| + | |} | ||
| + | |||
| + | On Old 3DS, NATIVE_FIRM reads CFG_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data. After setting the TWL console-unique keys, NATIVE_FIRM sets CFG_SYSPROT9 bit 1 to disable the OTP area. In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step. | ||
| + | |||
| + | On New 3DS, the above is instead done by the [[FIRM#New_3DS_FIRM|Kernel9 loader]]. In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM. The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible. | ||
| + | |||
| + | It is not possible to set any other bits. | ||
== CFG_SYSPROT11 == | == CFG_SYSPROT11 == | ||
Revision as of 01:32, 8 March 2016
Registers
| Old3DS | Name | Address | Width | Used by |
|---|---|---|---|---|
| Yes | CFG_SYSPROT9 | 0x10000000 | 1 | Boot9 |
| Yes | CFG_SYSPROT11 | 0x10000001 | 1 | Boot9 |
| Yes | CFG_DEBUGUNIT | 0x10000004 | 4 | |
| Yes | ? | 0x10000008 | 1 | TwlProcess9 |
| Yes | CFG_CARDCONF | 0x1000000C | 2 | |
| Yes | 0x10000010 | 1 | ||
| Yes | ? | 0x10000011 | 1 | |
| Yes | ? | 0x10000012 | 2 | |
| Yes | ? | 0x10000014 | 2 | |
| Yes | ? | 0x10000020 | 2 | |
| Yes | ? | 0x10000100 | 2 | |
| No | CFG_EXTMEMCNT9 | 0x10000200 | 1 | NewKernel9 |
| Yes | CFG_MPCORECFG | 0x10000FFC | 4 | |
| Yes | CFG_BOOTENV | 0x10010000 | 4 | |
| Yes | CFG_UNITINFO | 0x10010010 | 1 | Process9 |
| Yes | CFG_TWLUNITINFO | 0x10010014 | 1 | Process9 |
CFG_SYSPROT9
CFG_SYSPROT9 is used to permanently disable certain security-sensitive ARM9 memory areas until the next hard reset.
| Bit | Description |
|---|---|
| 0 | Disables ARM9 bootrom(+0x8000) when set to 1. Cannot be cleared to 0 once set to 1. |
| 1 | Disables OTP area when set to 1. Cannot be cleared to 0 once set to 1. |
On Old 3DS, NATIVE_FIRM reads CFG_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data. After setting the TWL console-unique keys, NATIVE_FIRM sets CFG_SYSPROT9 bit 1 to disable the OTP area. In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step.
On New 3DS, the above is instead done by the Kernel9 loader. In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM. The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible.
It is not possible to set any other bits.
CFG_SYSPROT11
ARM11 bootrom (+0x8000) is disabled by writing bit0. It is not possible to set any other bits.
CFG_CARDCONF
| Bit | Description |
|---|---|
| 1-0 | Gamecard active controller select (0=NTRCARD, 1=?, 2=CTRCARD1, 3=CTRCARD2) |
| 8 | ? |
Depending on the gamecard controller that has been selected, one of the following gamecard registers will become active:
- Selecting NTRCARD will activate the register space at 0x10164000.
- Selecting CTRCARD1 will activate the register space at 0x10004000.
- Selecting CTRCARD2 will activate the register space at 0x10005000.
0x10000010
When a gamecard isn't inserted, this register value is 0x01, otherwise when a gamecard is inserted it's value 0x08.
CFG_EXTMEMCNT9
This register is presumably New3DS-only. Only bit0 is writable: 0 = disable New3DS ARM9 memory at 0x08100000 size 0x80000, 1 = enable.
This bit is set by New3DS ARM9-kernel crt0.
The data in this extended memory doesn't change when disabling the memory, then re-enabling the memory. Reading this extended memory while disabled results in zeros.
CFG_MPCORECFG
Identical to PDN_MPCORE_CFG.
CFG_BOOTENV
This register is used to determine what the previous running FIRM was. Its value is kept following an MCU reboot. Its initial value (on a cold boot) is 0. NATIVE_FIRM sets it to 1 on shutdown/FIRM launch. LGY FIRM writes value 3 here when launching a TWL title, and writes value 7 when launching an AGB title.
NATIVE_FIRM will only launch titles if this is not value 0, and will only save the AGB_FIRM savegame to SD if this is value 7.
CFG_UNITINFO
This 8-bit register is value zero for retail, non-zero for dev/debug units.
CFG_TWLUNITINFO
In the console-unique TWL key-init/etc function the ARM9 copies the u8 value from REG_UNITINFO to this register.
This is also used by TWL_FIRM Process9.