4
edits
Changes
→NATIVE_FIRM: fix 11.16, never try to type your self...
| 0x004
| 0x004
| 4
| 4
| Reserved1
| Boot priority (highest value = max prio), this is normally zero.
|-
|-
| 0x008
| 0x008
| 0x010
| 0x010
| 0x030
| 0x030
| Reserved2
| Reserved
|-
|-
| 0x040
| 0x040
| 0x00C
| 0x00C
| 4
| 4
| Firmware Type ('0'=ARM9/'1'=ARM11) Process9 doesn't use this field at all.
| Copy-method (0 = NDMA, 1 = XDMA, 2 = CPU mem-copy), Process9 ignores this field. Boot9 doesn't immediately throw an error when this isn't 0..2. In that case it will jump over section-data-loading which then results in the hash verification with the below hash being done with the hash already stored in the SHA hardware.
|-
|-
| 0x010
| 0x010
| SHA-256 Hash of Firmware Section
| SHA-256 Hash of Firmware Section
|}
|}
The contents of individual sections ''may'' be encrypted if the FIRM is not meant to be booted from NAND, i.e. if it is meant to be booted from SPI flash or NTR cartridge. If hash checks fail for all FIRM sections if treated as plaintext, it may be worth trying to check if the sections are encrypted. The encryption is detailed on [[Bootloader#Non-NAND_FIRM_boot|the bootloader page]].
== [[New_3DS]] FIRM ==
== [[New_3DS]] FIRM ==
| Added keyX initialization for keyslot 0x16(see above), and added code for clearing keyslot 0x11 immediately after the code finishes using keyslot 0x11. The keyslot used for arm9bin decryption was changed from 0x15 to 0x16. Added code for clearing keyslot 0x16 when control-block decryption fails. Added code for using arm9bin_hdr+0x50 with a nop instruction, at the very beginning of the main arm9-loader function. Added two new 0x10-blocks to the arm9bin-hdr.
| Added keyX initialization for keyslot 0x16(see above), and added code for clearing keyslot 0x11 immediately after the code finishes using keyslot 0x11. The keyslot used for arm9bin decryption was changed from 0x15 to 0x16. Added code for clearing keyslot 0x16 when control-block decryption fails. Added code for using arm9bin_hdr+0x50 with a nop instruction, at the very beginning of the main arm9-loader function. Added two new 0x10-blocks to the arm9bin-hdr.
|-
|-
| [[9.6.0-24|9.6.0-X]] - [[10.4.0-29|10.4.0-X]]
| [[9.6.0-24|9.6.0-X]] - [[11.3.0-36|11.3.0-X]]
| See above and [[9.6.0-24|here]].
| See above and [[9.6.0-24|here]].
|}
|}
! old 3DS hex title contentID
! old 3DS hex title contentID
! Kernel/FIRM version (old 3DS/new 3DS)
! Kernel/FIRM version (old 3DS/new 3DS)
! FIRM ARM11-sysmodule Product Code
|-
|-
| [[Factory_Setup|Factory]] FIRM (titleID 00040001-00000002)
| [[Factory_Setup|Factory]] FIRM (titleID 00040001-00000002)
| 00
| 00
| 2.3-0
| 2.3-0
|-
| Pre-1.0. Referenced in the v1.0 Home Menu NCCH plain-region.
|
|
| 2.23-X
|-
|-
| [[1.0.0-0|1.0.0]]
| [[1.0.0-0|1.0.0]]
| 0B
| 0B
| 2.30-18
| 2.30-18
| 0608builder
|-
|-
| [[2.2.0-X|2.2.0]]
| [[2.2.0-X|2.2.0]]
| 0F
| 0F
| 2.31-40
| 2.31-40
| 0909builder
|-
|-
| [[3.0.0-5|3.0.0]]
| [[3.0.0-5|3.0.0]]
| 18
| 18
| 2.32-15
| 2.32-15
| 1128builder
|-
|-
| [[4.0.0-7|4.0.0]]
| [[4.0.0-7|4.0.0]]
| 1D
| 1D
| 2.33-4
| 2.33-4
| 0406builder
|-
|-
| [[4.1.0-8|4.1.0]]
| [[4.1.0-8|4.1.0]]
| 1F
| 1F
| 2.34-0
| 2.34-0
| 0508builder
|-
|-
| [[5.0.0-11|5.0.0]]
| [[5.0.0-11|5.0.0]]
| 25
| 25
| 2.35-6
| 2.35-6
| 0228builder
|-
|-
| [[5.1.0-11|5.1.0]]
| [[5.1.0-11|5.1.0]]
| 26
| 26
| 2.36-0
| 2.36-0
| 0401builder
|-
|-
| [[6.0.0-11|6.0.0]]
| [[6.0.0-11|6.0.0]]
| 29
| 29
| 2.37-0
| 2.37-0
| 0520builder
|-
|-
| [[6.1.0-11|6.1.0]]
| [[6.1.0-11|6.1.0]]
| 2A
| 2A
| 2.38-0
| 2.38-0
| 0625builder
|-
|-
| [[7.0.0-13|7.0.0]]
| [[7.0.0-13|7.0.0]]
| 2E
| 2E
| 2.39-4
| 2.39-4
| 1125builder
|-
|-
| [[7.2.0-17|7.2.0]]
| [[7.2.0-17|7.2.0]]
| 30
| 30
| 2.40-0
| 2.40-0
| 0404builder
|-
|-
| [[8.0.0-18|8.0.0]]
| [[8.0.0-18|8.0.0]]
| 37
| 37
| 2.44-6
| 2.44-6
| 0701builder
|-
|-
| [[8.1.0-0_New3DS]]
| [[8.1.0-0_New3DS]]
| 38
| 38
| 2.46-0
| 2.46-0
| 0828builder
|-
|-
| [[9.3.0-21|9.3.0]]
| [[9.3.0-21|9.3.0]]
| 3F
| 3F
| 2.48-3
| 2.48-3
| 1125builder
|-
|-
| [[9.5.0-22|9.5.0]]
| [[9.5.0-22|9.5.0]]
| 40
| 40
| 2.49-0
| 2.49-0
| 0126builder
|-
|-
| [[9.6.0-24|9.6.0]]
| [[9.6.0-24|9.6.0]]
| 49
| 49
| 2.50-1
| 2.50-1
| 0311builder
|-
|-
| [[10.0.0-27|10.0.0]]
| [[10.0.0-27|10.0.0]]
| 4B
| 4B
| 2.50-7
| 2.50-7
| 0812builder
|-
|-
| [[10.2.0-28|10.2.0]]
| [[10.2.0-28|10.2.0]]
| 4C
| 4C
| 2.50-9
| 2.50-9
| 1009builder
|-
|-
| [[10.4.0-29|10.4.0]]
| [[10.4.0-29|10.4.0]]
| 50
| 50
| 2.50-11
| 2.50-11
| 1224builder
|-
| [[11.0.0-33|11.0.0]]
| v24368
| 52
| 2.51-0
| 0406builder
|-
| [[11.1.0-34|11.1.0]]
| v25396
| 56
| 2.51-2
| 0805builder
|-
| [[11.2.0-35|11.2.0]]
| v26432
| 58
| 2.52-0
| 1015builder
|-
| [[11.3.0-36|11.3.0]]
| v27476
| 5C
| 2.53-0
| 0126builder
|-
| [[11.4.0-37|11.4.0]]
| v28512
| 5E
| 2.54-0
| 0314builder
|-
| [[11.8.0-41|11.8.0]]
| v29557
| 64
| 2.55-0
| 0710pseg-ciuser
|-
| [[11.12.0-44|11.12.0]]
| v30593
| 66
| 2.56-0
| 1021pseg-ciuser
|-
| [[11.14.0-46|11.14.0]]
| v31633
| 69
| 2.57-0
| 0929pseg-ciuser
|-
| [[11.16.0-48|11.16.0]]
| v32673
| 6C
| 2.58-0
| 0701pseg-ciuser
|}
|}
=== SAFE_MODE_FIRM ===
=== SAFE_MODE_FIRM ===
SAFE_MODE is used for running the [[System_Settings#System_Updater|System Updater]]. SAFE_MODE_FIRM and NATIVE_FIRM for the initial versions are exactly the same, except for the system core version fields.
SAFE_MODE is used for running the [[System_Settings#System_Updater|System Updater]]. SAFE_MODE_FIRM and NATIVE_FIRM for the initial versions are exactly the same, except for the system core version fields. Kernel/FIRM versions for SAFE_MODE_FIRM are: (old3ds) v432 = 3.27-0, v5632 = 3.32-0, (new3ds) v16081 = 3.45-3.
=== TWL_FIRM ===
=== TWL_FIRM ===
== FIRM Launch Parameters ==
== FIRM Launch Parameters ==
The FIRM-launch parameters structure is located at FCRAM+0, size 0x1000-bytes. The ARM11-kernel copies this structure elsewhere, then clears the 0x1000-bytes at FCRAM+0. It will not handle an existing structure at FCRAM+0 if [[CONFIG Registers#CFG_BOOTENV|CFG_BOOTENV]] is zero. The ARM9 kernel [[Configuration_Memory#0x1FF80016|writes some values]] about the boot environment to AXI WRAM during init to enable this.
The FIRM-launch parameters structure is located at FCRAM+0, size 0x1000-bytes. The ARM11-kernel copies this structure elsewhere, then clears the 0x1000-bytes at FCRAM+0. It will not handle an existing structure at FCRAM+0 if [[CONFIG Registers#CFG_BOOTENV|CFG_BOOTENV]] is zero. The ARM9 kernel [[Configuration_Memory#0x1FF80016|writes some values]] about the boot environment to AXI WRAM during init to enable this.
Note: it seems NATIVE_FIRM ARM11-kernel didn't parse this during boot until [[3.0.0-5|3.0.0-X]]?
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! SIZE
! SIZE
! DESCRIPTION
! DESCRIPTION
|-
| 0x000
| 0x300
| TWL auto-load parameters, passed as-is onto the new title. NS will only read the oldTitleId field from it and add it to the TWL title list if it's a CTR titleId
|-
|-
| 0x300
| 0x300
| 0x40
| 0x40
| This is used by [[APT:LoadSysMenuArg]] and [[APT:StoreSysMenuArg]].
| This is used by [[APT:LoadSysMenuArg]] and [[APT:StoreSysMenuArg]].
|-
| 0xD50
| 0x20
| Atheros WiFi configuration struct
|-
|-
| 0xD70
| 0xD70
| 0x3
| 0x3
| Setting bit0 here enables overriding the FIRM_* fields in [[Configuration_Memory]].
| Setting bit0 here enables overriding the FIRM_* fields in [[Configuration_Memory]].
|}
Atheros WiFi configuration struct for booting TWL_FIRM, from offset 0xD50. This struct is copied directly to 0x20005E0 in DSi memory. Since DSi cartridge ROMs include SDIO drivers for the wireless card and can't be updated, this structure allows interoperability between the original DSi wireless cards (AR6002/DWM-W015 and AR6013/DWM-W024) as well as the 3DS's AR6014/DWM-W028.
{| class="wikitable" border="1"
|-
! OFFSET
! SIZE
! DESCRIPTION
|-
| 0x0
| 0x1
| WiFi Board Type (1=DWM-W015, 2=DWM-W024, 3=DWM-W028; 0x03 on 3DS)
|-
| 0x1
| 0x1
| Unknown (0x00)
|-
| 0x2
| 0x2
| CRC16 from 0x4 to 0x20 (0x1C bytes)
|-
| 0x4
| 0x4
| Atheros RAM Vars/Host Interest address (0x520000 on 3DS)
|-
| 0x8
| 0x4
| Atheros RAM base (0x520000 on 3DS)
|-
| 0xC
| 0x4
| Atheros RAM size (0x20000 on 3DS)
|-
| 0x10
| 0x10
| Unknown (Zeroed)
|}
|}
| 0x0
| 0x0
| 0x1
| 0x1
| Config block 0x30000.
| RTC compensation value (config block 0x30000).
|-
|-
| 0x1
| 0x1
| 0x1
| 0x1
| Config block 0x70001.
| Sound output mode (config block 0x70001).
|-
|-
| 0x2
| 0x2
| 0x1
| 0x1
| System language (Config block 0xA0002).
| System language (config block 0xA0002).
|-
|-
| 0x3
| 0x3
| 0x13
| 0x13
| 0x1
| 0x1
| Config block 0x100002.
| TWL country code (config block 0x100002).
|-
|-
| 0x14
| 0x14
| 0x10
| 0x10
| Config block 0x100003.
| TWL "movable" UID, used for DSiWare exports (config block 0x100003).
|-
|-
| 0x24
| 0x24
| 0x2
| 0x2
| Config block 0x100000.
| TWL EULA info (config block 0x100000).
|-
|-
| 0x26
| 0x26
| 0x28
| 0x28
| 0x94
| 0x94
| Config block 0x100001.
| TWL parental control data (config block 0x100001).
|-
|-
| 0xBC
| 0xBC
| 0x2
| 0x2
| Config block 0x50000.
| LCD flicker calibration data (config block 0x50000).
|-
|-
| 0xBE
| 0xBE
| 0x2
| 0x2
| Config block 0x50001.
| Backlight data (config block 0x50001).
|-
|-
| 0xC0
| 0xC0
| 0x38
| 0x38
| Config block 0x50002.
| Backlight PWM table (config block 0x50002).
|-
|-
| 0xF8
| 0xF8
| 0x20
| 0x20
| Config block 0x50004.
| Power saving mode (ABL) calibration (config block 0x50004).
|-
|-
| 0x118
| 0x118
| 0x134
| 0x134
| Config block 0x20000.
| CODEC calibration data (config block 0x20000).
|-
|-
| 0x24C
| 0x24C
| 0x10
| 0x10
| Config block 0x40000.
| Touch screen calibration data (config block 0x40000).
|-
|-
| 0x25C
| 0x25C
| 0x1C
| 0x1C
| Config block 0x40001.
| Analog stick calibration data (config block 0x40001).
|-
|-
| 0x278
| 0x278
| 0x280
| 0x280
| 0x8
| 0x8
| Config block 0x30001.
| User time offset (config block 0x30001).
|-
|-
| 0x288
| 0x288
| 0x28A
| 0x28A
| 0x2
| 0x2
| If non-zero, the size (below) is hardcoded (currently) to value 0x288, otherwise the size field below is used.
| Version, maybe? If non-zero, the size (below) is hardcoded (currently) to value 0x288, otherwise the size field below is used.
|-
|-
| 0x28C
| 0x28C