16
edits
Changes
added all known NAND flash sizes
The Nintendo 3DS has a 1GB NAND Flash chip. Due to the NCSD header, the actual used size of the Old3DS NAND is 0x3AF00000-bytes(943MiB). On New3DS, the actual NAND size and the total size used by the partitions, is 0x4D800000-bytes(1240MiB).
The Nintendo 3DS has several differently sized NAND flash chips. Due to the NCSD header, the actual used size of the Old3DS NAND is 0x3AF00000-bytes(943MiB). On New3DS, the actual NAND size and the total size used by the partitions, is 0x4D800000-bytes(1240MiB).
===Physical Size===
{| class="wikitable" border="1"
! Device
! Manufacturer
! Size
|-
| 2DS
| Toshiba
| 0x3AF00000
|-
| 2DS
| Toshiba
| 0x76000000
|-
| 2DS
| Samsung
| 0x3BA00000
|-
| 2DS
| Samsung
| 0x4D800000
|-
| Old3DS
| Toshiba
| 0x3AF00000
|-
| Old3DS
| Samsung
| 0x3BA00000
|-
| New3DS
| Toshiba
| 0x76000000
|-
| New3DS
| Samsung
| 0x4D800000
|-
| New3DS
| Samsung
| 0x74800000
|}
===Format===
===Format===
Reading of the flash chip is possible through pinouts on the motherboard and has been performed successfully but the data is encrypted and can't be understood without first decrypting it.
Reading of the flash chip is possible through pinouts on the motherboard and has been performed successfully but the data is encrypted and can't be understood without first decrypting it.
===Region Changing===
See [https://gist.github.com/yellows8/f15be7a51c38cea14f2c here].
===Redirection to SD card===
See [[NAND_Redirection]].
===Encryption===
===Encryption===
! NCSD partition encryption type
! NCSD partition encryption type
! NCSD partition index
! NCSD partition index
! [[AES_Registers|AES]] engine keyslot
! Description
! Description
|-
|-
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
|
|
| 0x0
| 0x0
|
|
|
|
| NCSD header, this contains the offsets/sizes of the below CTR-NAND partitions. This block also contains the TWL-NAND MBR partition table.
|
| [[NCSD]] header, this contains the offsets/sizes of the below CTR-NAND partitions. This block also contains the TWL-NAND MBR partition table.
|-
|-
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
|
|
| 0x00000000
| 0x00000000
| 0x01
| 0x01
| 0x00
| 0x00
| 0x03
| TWL NAND region
| TWL NAND region
|-
|-
| style="background: green" | Yes
| style="background: #ffccbb" | No
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
|
| 0x00012C00
| 0x200
|
|
|
| See below.
| Console-unique encrypted New3DS key-storage, see below.
|-
| style="background: #ccffbb" | Yes
| style="background: #ccffbb" | Yes
| twln
| twln
| 0x00012E00
| 0x00012E00
|
|
|
|
| 0x03
| TWL-NAND FAT16 File System. (DSi)
| TWL-NAND FAT16 File System. (DSi)
|-
|-
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| twlp
| twlp
| 0x09011A00
| 0x09011A00
|
|
|
|
| 0x03
| TWL-NAND PHOTO FAT12 File System. (DSi)
| TWL-NAND PHOTO FAT12 File System. (DSi)
|-
|-
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
|
|
| 0x0B100000
| 0x0B100000
| 0x02
| 0x02
| 0x01
| 0x01
| 0x07
| By default this partition is empty(only contains 0x00/0xFF bytes since it was never written to), when AGB_FIRM was never launched. This contains the AGB_FIRM GBA savegame.
| By default this partition is empty(only contains 0x00/0xFF bytes since it was never written to), when AGB_FIRM was never launched. This contains the AGB_FIRM GBA savegame.
|-
|-
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| firm0
| firm0
| 0x0B130000
| 0x0B130000
| 0x02
| 0x02
| 0x02
| 0x02
| 0x06
| [[FIRM|Firmware]] partition.
| [[FIRM|Firmware]] partition.
|-
|-
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| firm1
| firm1
| 0x0B530000
| 0x0B530000
| 0x02
| 0x02
| 0x03
| 0x03
| 0x06
| [[FIRM|Firmware]] partition.(Backup partition, same as above)
| [[FIRM|Firmware]] partition.(Backup partition, same as above)
|-
|-
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| style="background: red" | No
| style="background: #ffccbb" | No
|
|
| 0x0B930000
| 0x0B930000
| 0x01
| 0x01
| 0x02
| 0x02
| 0x04
| 0x04
| 0x04
| CTR-NAND partition. (3DS)
| CTR-NAND partition. (3DS)
|-
|-
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| style="background: red" | No
| style="background: #ffccbb" | No
| nand
| nand
| 0x0B95CA00
| 0x0B95CA00
|
|
|
|
| 0x04
| CTR-NAND FAT16 File System.
| CTR-NAND FAT16 File System.
|-
|-
| style="background: red" | No
| style="background: #ffccbb" | No
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
|
|
| 0x0B930000
| 0x0B930000
| 0x03
| 0x03
| 0x04
| 0x04
| 0x05
| CTR-NAND partition. (New3DS)
| CTR-NAND partition. (New3DS)
|-
|-
| style="background: red" | No
| style="background: #ffccbb" | No
| style="background: green" | Yes
| style="background: #ccffbb" | Yes
| nand
| nand
| 0x0B95AE00
| 0x0B95AE00
|
|
|
|
| 0x05
| CTR-NAND FAT16 File System.
| CTR-NAND FAT16 File System.
|}
|}
3DS TWL NAND FAT partitions has FAT volume name "TWL", for CTR FAT partitions this is "CTR". The offset/size for TWL partitions are stored in the MBR partition table, while the CTR partition table info is stored in the NAND NCSD header. Sector0 in the CTR-NAND partition contains a MBR partition table for the TWL-NAND partitions, and the MBR signature at +0x1fe.
3DS TWL NAND FAT partitions has FAT volume name "TWL", for CTR FAT partitions this is "CTR". The offset/size for TWL partitions are stored in the MBR partition table, while the CTR partition table info is stored in the NAND NCSD header. Sector0 in the CTR-NAND partition contains a MBR partition table for the nand FAT16 filesystem, and the MBR signature at +0x1fe.
NAND sectors which were never written to before only contain plaintext 0x00 or 0xFF bytes.
NAND sectors which were never written to before only contain plaintext 0x00 or 0xFF bytes.
==== 0x4000 ====
==== 0x4000 ====
On some 3DS systems(such as 3DS XL), there's a plaintext FAT16 boot record located at NAND offset 0x4000. This block does not exist for launch-day 3DS systems. This is the only plaintext block for this "partition".
On some 3DS systems(such as 3DS XL), there's a plaintext FAT16 boot record located at NAND offset 0x4000. This block does not exist for launch-day 3DS systems. This is the only plaintext block for this "partition".
==== 0x12C00 ====
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x10
| Normal-key for keyslot 0x11, used for generating the rest of the New3DS keyslots' keyX by decrypting various data with AES-ECB. With [[9.6.0-24|9.6.0-X]] this is only used for generating the keyX for keyslots 0x15 and 0x18.
|-
| 0x10
| 0x10
| [[9.6.0-24|9.6.0-X]]: Additional normal-key for keyslot 0x11, used for generating the keyX for keyslots 0x16 and 0x19..0x1F.
|-
| 0x20
| 0x1E0
| Not yet used as of New3DS FIRM [[9.6.0-24|9.6.0-X]].
|}
This 0x200-byte sector contains New3DS keys, this entire sector is encrypted with a console-unique keyX+keyY. The keyX+keyY for this is generated by the New3DS [[FIRM|arm9bin-loader]]. Once the arm9bin-loader finishes decrypting this data, the keyX+keyY in the keyslot are then cleared, then the memory used for generating the keydata is disabled(after it finishes using it for TWL key init).
This entire sector is encrypted with AES-ECB, the entire plaintext sector is identical for all retail and dev New3DS systems (differing between the two).
=CTR partition=
=CTR partition=
The structure of [[nand/title]] appears to be exactly the same as [[SD Filesystem|SD]], except savegames are stored under the [[System SaveData|nand/data/<ID0>/sysdata]] directory instead.
The structure of [[nand/title]] appears to be exactly the same as [[SD Filesystem|SD]], except savegames are stored under the [[System SaveData|nand/data/<ID0>/sysdata]] directory instead.
The sub-directory name under [[nand/data]] is the SHA256 hash over the [[nand/private/movable.sed|movable.sed]] keyY. This nand/data/<ID0> directory is the NAND equivalent of the "sdmc/Nintendo 3DS/<ID0>/<ID1>" directory, however the data contained here is stored in cleartext. The movable.sed keyY is only used for AES MACs for nand/data/<ID0>. The nand/data/<ID0>/extdata directory contains the shared [[extdata]], and is structured exactly the same way as SD extdata.
The sub-directory name under [[nand/data]] is the SHA256 hash over the [[nand/private/movable.sed|movable.sed]] keyY. This nand/data/<ID0> directory is the NAND equivalent of the "sdmc/Nintendo 3DS/<ID0>/<ID1>" directory, however the data contained here is stored in cleartext. The movable.sed keyY is only used for AES MACs for nand/data/<ID0>. The nand/data/<ID0>/extdata directory contains the shared [[extdata]], and is structured exactly the same way as SD extdata.
nand
nand
├── [[Title Data Structure|title]]
├── [[Title Data Structure|title]]
└── [[nand/tmp|tmp]] (This is usually empty, even when installation for a system update still needs [[AMNet:FinishInstallToMedia|finalized]])
└── [[nand/tmp|tmp]] (This is usually empty, even when installation for a system update still needs [[AMNet:FinishInstallToMedia|finalized]])
The "ro" and "rw" directories are accessible through the "nandrw" and "nandro" [[FS:OpenArchive|archives]], respectively. Their contents are as follows:
ro
├── [[nandro/private|private]]
├── [[nandro/shared|shared]]
└── [[nandro/sys|sys]]
├── [[nandro/sys/HWCAL0.dat|HWCAL0.dat]]
└── [[nandro/sys/HWCAL1.dat|HWCAL1.dat]]
rw
├── [[nandrw/shared|shared]]
└── [[nandrw/sys|sys]]
├── [[nandrw/sys/lgy.log|lgy.log]] (This is written to by [[FIRM|TWL_FIRM]] when errors occur, this is equivalent to native.log)
├── [[nandrw/sys/LocalFriendCodeSeed_B|LocalFriendCodeSeed_B]]
├── [[nandrw/sys/native.log|native.log]] (This is written to by [[ErrDisp]])
├── [[nandrw/sys/rand_seed|rand_seed]]
├── [[nandrw/sys/SecureInfo_A|SecureInfo_A]]
└── [[nandrw/sys/updater.log|updater.log]]
=TWL partition=
=TWL partition=