Line 80: |
Line 80: |
| * Writes value <code>0xFFFF</code> to 32-bit register <code>0x17E10000</code>+<code>0x77C</code>. | | * Writes value <code>0xFFFF</code> to 32-bit register <code>0x17E10000</code>+<code>0x77C</code>. |
| * Waits for bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x730</code> to become clear. | | * Waits for bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x730</code> to become clear. |
− | * Writes value <code>0x0<code> to 32-bit register <code>0x17E10000</code>+<code>0x0</code>. | + | * Writes value <code>0x0</code> to 32-bit register <code>0x17E10000</code>+<code>0x0</code>. |
| * Clears bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x100</code>. | | * Clears bit 0 in 32-bit register <code>0x17E10000</code>+<code>0x100</code>. |
| | | |
Line 152: |
Line 152: |
| | 0xFFF00000 | | | 0xFFF00000 |
| | 0x00004000 | | | 0x00004000 |
− | | Data TCM (Mapped during bootrom) | + | | Data TCM (Mapped during bootrom). Enabled at the time Boot9 jumps to FIRM, however Kernel9+arm9loader disables it. |
| |- | | |- |
| | style="background: green" | Yes | | | style="background: green" | Yes |
Line 366: |
Line 366: |
| | RO | | | RO |
| |} | | |} |
| + | |
| + | ===[[Bootloader|Boot9]]=== |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Region |
| + | ! Address |
| + | ! Size |
| + | ! Privileged-mode data permissions |
| + | ! User-mode data permissions |
| + | ! Privileged-mode instruction permissions |
| + | ! User-mode instruction permissions |
| + | |- |
| + | | 0 |
| + | | 0x20000000 |
| + | | 0x08000000 |
| + | | None |
| + | | None |
| + | | None |
| + | | None |
| + | |- |
| + | | 1 |
| + | | 0x10000000 |
| + | | 0x10000000 |
| + | | RW |
| + | | RW |
| + | | None |
| + | | None |
| + | |- |
| + | | 2 |
| + | | 0x08000000 |
| + | | 0x00100000 |
| + | | RW |
| + | | RW |
| + | | None |
| + | | None |
| + | |- |
| + | | 3 |
| + | | 0x08000000 |
| + | | 0x00000400 |
| + | | RW |
| + | | RW |
| + | | RO |
| + | | RO |
| + | |- |
| + | | 4 |
| + | | 0xFFF00000 |
| + | | 0x00004000 |
| + | | RW |
| + | | RW |
| + | | None |
| + | | None |
| + | |- |
| + | | 5 |
| + | | 0x07FF8000 |
| + | | 0x00008000 |
| + | | RW |
| + | | RW |
| + | | RO |
| + | | RO |
| + | |- |
| + | | 6 |
| + | | 0xFFFF0000 |
| + | | 0x00010000 |
| + | | RO |
| + | | RO |
| + | | RO |
| + | | RO |
| + | |- |
| + | | 7 |
| + | | 0x1FFFE000 |
| + | | 0x00000800 |
| + | | RW |
| + | | RW |
| + | | None |
| + | | None |
| + | |} |
| + | |
| + | * Instruction cachable bits = 0x40(only enabled for region6). |
| + | * Data cachable bits = 0x44(only enabled for region2 and region6). |
| + | * Data bufferable bits = 0x44(only enabled for region2 and region6). |
| + | |
| + | These are the same for both Old3DS/New3DS. |
| | | |
| ==ARM9 ITCM== | | ==ARM9 ITCM== |
Line 391: |
Line 473: |
| | | | | |
| | 0x3800 | | | 0x3800 |
− | | 0x4 | + | | 0x100 |
− | | This is always 0xDEADB00F.
| + | | This is the first 0x90 bytes of [[OTP_Registers#Plaintext_OTP|plaintext OTP]] when OTP hash verification is successful. The remaining 0x70 bytes are cleared. |
− | |-
| |
− | | 0x01FFB804
| |
− | |
| |
− | | 0x3804
| |
− | | 0x4
| |
− | | This is the u32 DeviceId.
| |
− | |-
| |
− | | 0x01FFB808
| |
− | |
| |
− | | 0x3808
| |
− | | 0x10
| |
− | | This is the fall-back keyY used for movable.sed keyY when movable.sed doesn't exist in NAND(the last two words here are used on retail for generating console-unique TWL keydata/etc). This is also used for "LocalFriendCodeSeed", etc.
| |
− | |-
| |
− | | 0x01FFB818
| |
− | |
| |
− | | 0x3818
| |
− | | 0x1
| |
− | | ?
| |
− | |-
| |
− | | 0x01FFB819
| |
− | |
| |
− | | 0x3819
| |
− | | 0x1
| |
− | | This is the [[CTCert]] issuer type: 0 = retail "Nintendo CA - G3_NintendoCTR2prod", non-zero = dev "Nintendo CA - G3_NintendoCTR2dev". | |
− | |-
| |
− | | 0x01FFB81A
| |
− | |
| |
− | | 0x381A
| |
− | | 0x6
| |
− | | ?
| |
− | |-
| |
− | | 0x01FFB820
| |
− | |
| |
− | | 0x3820
| |
− | | 0x4
| |
− | | This is the CTCert ECDSA exponent, this is byte-swapped when *((u8*)(0x01FFB800+0x18)) is >=5.
| |
− | |-
| |
− | | 0x01FFB824
| |
− | |
| |
− | | 0x3824
| |
− | | 0x2
| |
− | | ?
| |
− | |-
| |
− | | 0x01FFB826
| |
− | |
| |
− | | 0x3826
| |
− | | 0x1E
| |
− | | This is the CTCert ECDSA privk.
| |
− | |-
| |
− | | 0x01FFB844
| |
− | |
| |
− | | 0x3844
| |
− | | 0x3C
| |
− | | This is the CTCert ECDSA signature.
| |
| |- | | |- |
| | 0x01FFB880 | | | 0x01FFB880 |
| | | | | |
− | | 0x3880 | + | | 0x3890 |
− | | 0x80 | + | | 0x70 |
− | | This is all-zero. | + | | This is all zeros; boot ROM does not reveal the console-specific keys or the OTP hash in ITCM. |
| |- | | |- |
| | 0x01FFB900 | | | 0x01FFB900 |
Line 464: |
Line 492: |
| | 0x3B00 | | | 0x3B00 |
| | 0x200 | | | 0x200 |
− | | This is the 0x200-bytes from the plaintext NAND firm partition FIRM header, read by bootrom. | + | | This is the 0x200-bytes from the plaintext FIRM header for the FIRM which was loaded by [[Bootloader|Boot9]]. This is the only location Boot9 uses for storing the loaded FIRM headers internally, it's not stored anywhere else. |
| |- | | |- |
| | 0x01FFBD00 | | | 0x01FFBD00 |
Line 553: |
Line 581: |
| | 0xB90 | | | 0xB90 |
| | Uninitialized memory. | | | Uninitialized memory. |
− | 0x01FFFC00 size 0x100-bytes starting with [[9.5.0-22|9.5.0-X]] is the FIRM header used during FIRM-launching. | + | |- |
| + | | 0x01FFFC00 |
| + | | |
| + | | 0x7C00 |
| + | | 0x100 |
| + | | Starting with [[9.5.0-22|9.5.0-X]] is the FIRM header used during FIRM-launching. |
| |} | | |} |
| | | |