Difference between revisions of "Stage2"

From DSiBrew
Jump to navigation Jump to search
(More about the stage2 bootloader errors.)
Line 48: Line 48:
 
After Stage 2 is loaded:
 
After Stage 2 is loaded:
 
# The NAND flash is partially re-initialized
 
# The NAND flash is partially re-initialized
# Sector 0 is read from the NAND. This may be an (encrypted) partition table.
+
# Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.
 +
# The MBR signature and the type of the first partition are verified.
 
# Filesystem metadata is read from sectors starting around 0x100000. The metadata appears to be in FAT32 format with long filenames.
 
# Filesystem metadata is read from sectors starting around 0x100000. The metadata appears to be in FAT32 format with long filenames.
 
# A file is loaded from 0x790000 (just below 8MB). This may be the DSi Menu. If the "stage 2" loader ''is'' the DSi Menu, this may be data for the photo application that runs on the top screen.
 
# A file is loaded from 0x790000 (just below 8MB). This may be the DSi Menu. If the "stage 2" loader ''is'' the DSi Menu, this may be data for the photo application that runs on the top screen.
Line 57: Line 58:
 
! Text  !!  Description
 
! Text  !!  Description
 
|-
 
|-
| "Error: 1-2435-8325" || Modified byte 0x1c2 of sector 0.
+
| "Error: 1-2435-8325" || Invalid signature or partition type in MBR, invalid starting LBA.
 
|-
 
|-
 
| "Error: 3-2435-8325" || Modified the file at 0x790000 (likely the DSi Menu)
 
| "Error: 3-2435-8325" || Modified the file at 0x790000 (likely the DSi Menu)
 
|-
 
|-
 
|}
 
|}

Revision as of 05:59, 18 August 2009

Stage 1

When the Stage 1 bootloader (in ROM) fails, it displays a 32-bit hexadecimal number on the top screen.

The first stage of the DSi's bootloader lives in ROM, presumably on the CPU die. It loads further encrypted (and probably signed) stages from NAND flash, starting with a (partially unencrypted) offset table in the sector at 0x200.

Not much is known about this bootloader yet, but it presumably knows how to:

  1. Initialize the encryption hardware
  2. Read blocks (but not files) from the NAND flash
  3. Perform some variety of integrity check on all data it reads (signature, CRC, ?)
  4. Display basic hexadecimal error codes
  5. Possibly factory-programming the NAND flash?
  6. Might also do basic power-on self test of peripherals

Known error codes:

Error Code Description
0000FE00 Error communicating with NAND chip. (It's missing, CLK is shorted, etc.)
0000FEFC Integrity error in first block of Stage 2 (address at 0x220)
0000FEFD Integrity error in second block of Stage 2 (address at 0x230)
0000FEFE Boot sector integrity error (Sector 0x200 not valid)


Stage 2

This may have been a Stage 2 bootloader error.

Not much concrete information is known about the second-stage bootloader. This may be an actual bootloader, or it's possible that this stage is the DSi Menu itself. The Stage 2 loader was not modified by the System Menu 1.4 update. This is still earlier in the boot process than the "Health and Safety" warning.

The first stage bootloader reads sector 0x200 in order to find a table of offsets to the Stage 2 bootloader:

00000220  00 08 00 00 10 64 02 00  00 80 7b 03 00 66 02 00  |.....d....{..f..|
00000230  00 6e 02 00 88 75 02 00  00 80 7b 03 00 76 02 00  |.n...u....{..v..|
00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

This appears to be describing two chunks of the stage2 loader, one 0x26410 bytes in length at address 0x800, and one 0x27588 bytes at address 0x26e00.

Note that this sector (and two similar ones at 0x400 and 0x600) appear to be the only unencrypted blocks on the NAND flash.

It is unclear why there are two pieces which are nearly but not quite the same size. Passive traces of the boot sequence confirm that the 0x26e00 chunk is slightly larger, and it's loaded first. The 0x800 chunk is read immediately after the 0x26e00 chunk.

After Stage 2 is loaded:

  1. The NAND flash is partially re-initialized
  2. Sector 0 is read from the NAND. This appears to be an (encrypted) DOS-style MBR.
  3. The MBR signature and the type of the first partition are verified.
  4. Filesystem metadata is read from sectors starting around 0x100000. The metadata appears to be in FAT32 format with long filenames.
  5. A file is loaded from 0x790000 (just below 8MB). This may be the DSi Menu. If the "stage 2" loader is the DSi Menu, this may be data for the photo application that runs on the top screen.

All errors show before the health and safety screen. It appears that stage2 errors from a cold power-on always cause the DSi to hang at a black screen, whereas stage2 errors after reset (pressing but not holding the power button) will give an error message screen. Known errors:

Text Description
"Error: 1-2435-8325" Invalid signature or partition type in MBR, invalid starting LBA.
"Error: 3-2435-8325" Modified the file at 0x790000 (likely the DSi Menu)