46
edits
Changes
Jump to navigation
Jump to search
mLine 16:
Line 16: − + Line 28:
Line 28: − + Line 61:
Line 61: − + Line 67:
Line 67: + + − + Line 149:
Line 151: − + Line 177:
Line 179: + Line 182:
Line 185: + + + + + Line 202:
Line 210: + Line 207:
Line 216: + Line 212:
Line 222: + Line 217:
Line 228: + Line 222:
Line 234: + Line 227:
Line 240: + Line 232:
Line 246: + Line 237:
Line 252: + Line 242:
Line 258: + Line 247:
Line 264: + Line 252:
Line 270: + Line 257:
Line 276: + Line 267:
Line 287: + Line 272:
Line 293: + Line 277:
Line 299: + Line 282:
Line 305: + Line 287:
Line 311: + Line 292:
Line 317: + Line 297:
Line 323: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 325:
Line 394: + + Line 370:
Line 441: − + − +
fix incorrect display version
| 0x004
| 0x004
| 4
| 4
| Reserved1
| Boot priority (highest value = max prio), this is normally zero.
|-
|-
| 0x008
| 0x008
| 0x010
| 0x010
| 0x030
| 0x030
| Reserved2
| Reserved
|-
|-
| 0x040
| 0x040
| 0x00C
| 0x00C
| 4
| 4
| Firmware Type ('0'=ARM9/'1'=ARM11) Process9 doesn't use this field at all.
| Copy-method (0 = NDMA, 1 = XDMA, 2 = CPU mem-copy), Process9 ignores this field. Boot9 doesn't immediately throw an error when this isn't 0..2. In that case it will jump over section-data-loading which then results in the hash verification with the below hash being done with the hash already stored in the SHA hardware.
|-
|-
| 0x010
| 0x010
| SHA-256 Hash of Firmware Section
| SHA-256 Hash of Firmware Section
|}
|}
The contents of individual sections ''may'' be encrypted if the FIRM is not meant to be booted from NAND, i.e. if it is meant to be booted from SPI flash or NTR cartridge. If hash checks fail for all FIRM sections if treated as plaintext, it may be worth trying to check if the sections are encrypted. The encryption is detailed on [[Bootloader#Non-NAND_FIRM_boot|the bootloader page]].
== [[New_3DS]] FIRM ==
== [[New_3DS]] FIRM ==
For New3DS firmwares (NATIVE_FIRM, TWL_FIRM, ..), the ARM9 FIRM binary has an additional layer of crypto. At the end of each ARM9 binary, there's a plaintext loader. The format of the FIRM header is identical to regular 3DS FIRM(the RSA modulo is the same as regular 3DS too).
For New3DS firmwares (NATIVE_FIRM, TWL_FIRM, ..), the ARM9 FIRM binary has an additional layer of crypto. At the end of each ARM9 binary, there's a plaintext loader. The format of the FIRM header is identical to regular 3DS FIRM(the RSA modulo is the same as regular 3DS too).
Before checking 0x10000000 the loader main() does the following:
Before checking [[CONFIG_Registers|CFG_SYSPROT9]] the loader main() does the following:
* On [[9.5.0-22|9.5.0-X]]: executes a nop instruction with r0=0 and r1=<address of arm9binhdr+0x50>.
* On [[9.5.0-22|9.5.0-X]]: executes a nop instruction with r0=0 and r1=<address of arm9binhdr+0x50>.
* Clears bit6 in [[AES_Registers|REG_AESKEYCNT]].
* Clears bit6 in [[AES_Registers|REG_AESKEYCNT]].
| Added keyX initialization for keyslot 0x16(see above), and added code for clearing keyslot 0x11 immediately after the code finishes using keyslot 0x11. The keyslot used for arm9bin decryption was changed from 0x15 to 0x16. Added code for clearing keyslot 0x16 when control-block decryption fails. Added code for using arm9bin_hdr+0x50 with a nop instruction, at the very beginning of the main arm9-loader function. Added two new 0x10-blocks to the arm9bin-hdr.
| Added keyX initialization for keyslot 0x16(see above), and added code for clearing keyslot 0x11 immediately after the code finishes using keyslot 0x11. The keyslot used for arm9bin decryption was changed from 0x15 to 0x16. Added code for clearing keyslot 0x16 when control-block decryption fails. Added code for using arm9bin_hdr+0x50 with a nop instruction, at the very beginning of the main arm9-loader function. Added two new 0x10-blocks to the arm9bin-hdr.
|-
|-
| [[9.6.0-24|9.6.0-X]] - [[10.4.0-29|10.4.0-X]]
| [[9.6.0-24|9.6.0-X]] - [[11.3.0-36|11.3.0-X]]
| See above and [[9.6.0-24|here]].
| See above and [[9.6.0-24|here]].
|}
|}
! old 3DS hex title contentID
! old 3DS hex title contentID
! Kernel/FIRM version (old 3DS/new 3DS)
! Kernel/FIRM version (old 3DS/new 3DS)
! FIRM ARM11-sysmodule Product Code
|-
|-
| [[Factory_Setup|Factory]] FIRM (titleID 00040001-00000002)
| [[Factory_Setup|Factory]] FIRM (titleID 00040001-00000002)
| 00
| 00
| 2.3-0
| 2.3-0
|-
| Pre-1.0. Referenced in the v1.0 Home Menu NCCH plain-region.
|
|
| 2.23-X
|-
|-
| [[1.0.0-0|1.0.0]]
| [[1.0.0-0|1.0.0]]
| 0B
| 0B
| 2.30-18
| 2.30-18
| 0608builder
|-
|-
| [[2.2.0-X|2.2.0]]
| [[2.2.0-X|2.2.0]]
| 0F
| 0F
| 2.31-40
| 2.31-40
| 0909builder
|-
|-
| [[3.0.0-5|3.0.0]]
| [[3.0.0-5|3.0.0]]
| 18
| 18
| 2.32-15
| 2.32-15
| 1128builder
|-
|-
| [[4.0.0-7|4.0.0]]
| [[4.0.0-7|4.0.0]]
| 1D
| 1D
| 2.33-4
| 2.33-4
| 0406builder
|-
|-
| [[4.1.0-8|4.1.0]]
| [[4.1.0-8|4.1.0]]
| 1F
| 1F
| 2.34-0
| 2.34-0
| 0508builder
|-
|-
| [[5.0.0-11|5.0.0]]
| [[5.0.0-11|5.0.0]]
| 25
| 25
| 2.35-6
| 2.35-6
| 0228builder
|-
|-
| [[5.1.0-11|5.1.0]]
| [[5.1.0-11|5.1.0]]
| 26
| 26
| 2.36-0
| 2.36-0
| 0401builder
|-
|-
| [[6.0.0-11|6.0.0]]
| [[6.0.0-11|6.0.0]]
| 29
| 29
| 2.37-0
| 2.37-0
| 0520builder
|-
|-
| [[6.1.0-11|6.1.0]]
| [[6.1.0-11|6.1.0]]
| 2A
| 2A
| 2.38-0
| 2.38-0
| 0625builder
|-
|-
| [[7.0.0-13|7.0.0]]
| [[7.0.0-13|7.0.0]]
| 2E
| 2E
| 2.39-4
| 2.39-4
| 1125builder
|-
|-
| [[7.2.0-17|7.2.0]]
| [[7.2.0-17|7.2.0]]
| 30
| 30
| 2.40-0
| 2.40-0
| 0404builder
|-
|-
| [[8.0.0-18|8.0.0]]
| [[8.0.0-18|8.0.0]]
| 37
| 37
| 2.44-6
| 2.44-6
| 0701builder
|-
|-
| [[8.1.0-0_New3DS]]
| [[8.1.0-0_New3DS]]
| 38
| 38
| 2.46-0
| 2.46-0
| 0828builder
|-
|-
| [[9.3.0-21|9.3.0]]
| [[9.3.0-21|9.3.0]]
| 3F
| 3F
| 2.48-3
| 2.48-3
| 1125builder
|-
|-
| [[9.5.0-22|9.5.0]]
| [[9.5.0-22|9.5.0]]
| 40
| 40
| 2.49-0
| 2.49-0
| 0126builder
|-
|-
| [[9.6.0-24|9.6.0]]
| [[9.6.0-24|9.6.0]]
| 49
| 49
| 2.50-1
| 2.50-1
| 0311builder
|-
|-
| [[10.0.0-27|10.0.0]]
| [[10.0.0-27|10.0.0]]
| 4B
| 4B
| 2.50-7
| 2.50-7
| 0812builder
|-
|-
| [[10.2.0-28|10.2.0]]
| [[10.2.0-28|10.2.0]]
| 4C
| 4C
| 2.50-9
| 2.50-9
| 1009builder
|-
|-
| [[10.4.0-29|10.4.0]]
| [[10.4.0-29|10.4.0]]
| 50
| 50
| 2.50-11
| 2.50-11
| 1224builder
|-
| [[11.0.0-33|11.0.0]]
| v24368
| 52
| 2.51-0
| 0406builder
|-
| [[11.1.0-34|11.1.0]]
| v25396
| 56
| 2.51-2
| 0805builder
|-
| [[11.2.0-35|11.2.0]]
| v26432
| 58
| 2.52-0
| 1015builder
|-
| [[11.3.0-36|11.3.0]]
| v27476
| 5C
| 2.53-0
| 0126builder
|-
| [[11.4.0-37|11.4.0]]
| v28512
| 5E
| 2.54-0
| 0314builder
|-
| [[11.8.0-41|11.8.0]]
| v29557
| 64
| 2.55-0
| 0710pseg-ciuser
|-
| [[11.12.0-44|11.12.0]]
| v30593
| 66
| 2.56-0
| 1021pseg-ciuser
|}
|}
== FIRM Launch Parameters ==
== FIRM Launch Parameters ==
The FIRM-launch parameters structure is located at FCRAM+0, size 0x1000-bytes. The ARM11-kernel copies this structure elsewhere, then clears the 0x1000-bytes at FCRAM+0. It will not handle an existing structure at FCRAM+0 if [[CONFIG Registers#CFG_BOOTENV|CFG_BOOTENV]] is zero. The ARM9 kernel [[Configuration_Memory#0x1FF80016|writes some values]] about the boot environment to AXI WRAM during init to enable this.
The FIRM-launch parameters structure is located at FCRAM+0, size 0x1000-bytes. The ARM11-kernel copies this structure elsewhere, then clears the 0x1000-bytes at FCRAM+0. It will not handle an existing structure at FCRAM+0 if [[CONFIG Registers#CFG_BOOTENV|CFG_BOOTENV]] is zero. The ARM9 kernel [[Configuration_Memory#0x1FF80016|writes some values]] about the boot environment to AXI WRAM during init to enable this.
Note: it seems NATIVE_FIRM ARM11-kernel didn't parse this during boot until [[3.0.0-5|3.0.0-X]]?
{| class="wikitable" border="1"
{| class="wikitable" border="1"
| 0x4A0
| 0x4A0
| 0x10
| 0x10
| This can be set by [[NSS:SetFIRMParams4A0]].
| This can be set by [[NSS:SetWirelessRebootInfo]].
|-
|-
| 0x4B0
| 0x4B0
| 0x14
| 0x14
| SHA1-HMAC of the banner for TWL/NTR titles. This can be set by [[NSS:SetFIRMParams4B0]].
| SHA1-HMAC of the banner for TWL/NTR titles. This can be set by [[NSS:SetTWLBannerHMAC]].
|-
|-
| 0x500
| 0x500