Line 201: |
Line 201: |
| |- | | |- |
| | 0x208 | | | 0x208 |
− | | 0x108 | + | | 0xF8 |
− | | Reserved1 | + | | Reserved |
| + | |- |
| + | | 0x300 |
| + | | 4 |
| + | | Filled size of cartridge |
| + | |- |
| + | | 0x304 |
| + | | 0xC |
| + | | Reserved |
| |- | | |- |
| | 0x310 | | | 0x310 |
Line 212: |
Line 220: |
| | Card revision | | | Card revision |
| |- | | |- |
− | | 0x208 | + | | 0x314 |
− | | 0xCEE | + | | 0xC |
− | | Reserved2 | + | | Reserved |
| + | |- |
| + | | 0x320 |
| + | | 8 |
| + | | Title ID of [[CVer]] in included update partition |
| + | |- |
| + | | 0x328 |
| + | | 2 |
| + | | Version number of [[CVer]] in included update partition |
| + | |- |
| + | | 0x32A |
| + | | 0xCD6 |
| + | | Reserved |
| + | |} |
| + | |
| + | == Development Card Info Header Extension == |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! OFFSET |
| + | ! SIZE |
| + | ! DESCRIPTION |
| |- | | |- |
| | 0x1000 | | | 0x1000 |
| + | | 0x200 |
| + | | InitialData |
| + | |- |
| + | | 0x1200 |
| + | | 0x200 |
| + | | CardDeviceReserved1 |
| + | |- |
| + | | 0x1400 |
| + | | 0x10 |
| + | | TitleKeyData |
| + | |- |
| + | | 0x1410 |
| + | | 0x1BF0 |
| + | | CardDeviceReserved2 |
| + | |- |
| + | | 0x3000 |
| + | | 0x1000 |
| + | | TestData |
| + | |} |
| + | |
| + | TitleKeyData contains the decrypted version of the title key found in the InitialData. This field appears to be what development--and maybe production?--cards read to know what card encryption seed to use in the CTR protocol. |
| + | |
| + | The CardDeviceReserved areas have random-looking data whose purpose is unknown, other than perhaps to hide the TitleKey. |
| + | |
| + | Note that a particular flashcard vendor puts what many refer to as "private headers" here in place of actual development card information. This header is constituted by a cartridge-unique ID obtained from [[Process_Services_PXI|pxi:ps9::GetRomId]] and the title-unique cart ID (identical for all carts of the same title; can be retrieved using the NTR gamecard protocol command 0x90 or through the CTR protocol commands 0x90 or 0xA2). |
| + | |
| + | === InitialData === |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! OFFSET |
| + | ! SIZE |
| + | ! DESCRIPTION |
| + | |- |
| + | | 0x0 |
| | 0x10 | | | 0x10 |
− | | Card seed keyY (first u64 is Media ID (same as first NCCH partitionId)) | + | | Seed (keyY used to decrypt the title key - keyX is keyslot 0x3B for production cards, or a key of all zeroes for development cards) |
| |- | | |- |
− | | 0x1010
| |
| | 0x10 | | | 0x10 |
− | | Encrypted card seed (AES-CCM, keyslot 0x3B for retail cards, see [[CTRCARD_Registers|CTRCARD_SECSEED]]) | + | | 0x10 |
| + | | TitleKey (AES-CCM encrypted) |
| |- | | |- |
− | | 0x1020 | + | | 0x20 |
| | 0x10 | | | 0x10 |
− | | Card seed AES-MAC | + | | Mac |
| |- | | |- |
− | | 0x1030 | + | | 0x30 |
| | 0xC | | | 0xC |
− | | Card seed nonce | + | | Nonce |
| |- | | |- |
− | | 0x103C | + | | 0x3C |
| | 0xC4 | | | 0xC4 |
− | | Reserved3 | + | | Reserved |
| |- | | |- |
− | | 0x1100
| |
| | 0x100 | | | 0x100 |
− | | Copy of first NCCH header (excluding RSA signature) | + | | 0x100 |
| + | | NcchHeader (copy of the first NCCH header, excluding the RSA signature) |
| |} | | |} |
| | | |
− | == Development Card Info Header Extension == | + | === TestData === |
| + | The test data is the same one encountered in development DS/DSi cartridges. Its layout is as follows: |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
Line 248: |
Line 311: |
| ! DESCRIPTION | | ! DESCRIPTION |
| |- | | |- |
− | | 0x1200 | + | | 0x0 |
| + | | 0x8 |
| + | | The bytes FF 00 FF 00 AA 55 AA 55. |
| + | |- |
| + | | 0x8 |
| + | | 0x1F8 |
| + | | An ascending byte sequence equal to the offset mod 256 (08 09 0A ... FE FF 00 01 ... FF). |
| + | |- |
| + | | 0x200 |
| + | | 0x200 |
| + | | A descending byte sequence equal to 255 minus the offset mod 256 (FF FE FD ... 00 FF DE ... 00). |
| + | |- |
| + | | 0x400 |
| + | | 0x200 |
| + | | Filled with 00 (0b00000000) bytes. |
| + | |- |
| + | | 0x600 |
| + | | 0x200 |
| + | | Filled with FF (0b11111111) bytes. |
| + | |- |
| + | | 0x800 |
| + | | 0x200 |
| + | | Filled with 0F (0b00001111) bytes. |
| + | |- |
| + | | 0xA00 |
| + | | 0x200 |
| + | | Filled with F0 (0b11110000) bytes. |
| + | |- |
| + | | 0xC00 |
| | 0x200 | | | 0x200 |
− | | CardDeviceReserved1 | + | | Filled with 55 (0b01010101) bytes. |
| |- | | |- |
− | | 0x1400 | + | | 0xE00 |
− | | 0x10 | + | | 0x1FF |
− | | TitleKey | + | | Filled with AA (0b10101010) bytes. |
| |- | | |- |
− | | 0x1410 | + | | 0xFFF |
− | | 0xF0 | + | | 0x1 |
− | | CardDeviceReserved2 | + | | The final byte is 00 (0b00000000). |
| |} | | |} |
| | | |
− | Note that a particular flashcard vendor puts what many refer to as "private headers" here in place of actual development card information. This header is constituted by a cartridge-unique Id obtained from [[Process_Services_PXI|pxi:ps9::GetRomId]] and the title-unique cart ID (identical for all carts of the same title; can be retrieved using the NTR gamecard protocol command 0x90 or through the CTR protocol commands 0x90 or 0xA2).
| + | Production cards always return FF when attempting to read 0x1200-0x3FFF. They probably actually have the same data as development cards, but there's no way to read it. |
| | | |
| == Tools == | | == Tools == |