Changes

664 bytes added ,  18:11, 7 January 2023
WRAMCNT setting in stage2 header
Line 10: Line 10:  
  00000230  00 6e 02 00 88 75 02 00  00 80 7b 03 00 76 02 00  |.n...u....{..v..|
 
  00000230  00 6e 02 00 88 75 02 00  00 80 7b 03 00 76 02 00  |.n...u....{..v..|
 
  00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 
  00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 +
 +
There's two header sectors [[NAND|following]] this, however stage1 ignores these.
    
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.
 
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.
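Review bot: the sentence inserted after the 0x240 hexdump row has a number-agreement slip ("There's two header sectors" should be "There are two header sectors"), and the piped link text "following" hides that the target is the [[NAND]] page; consider "[[NAND|two header sectors following this on NAND]]" or similar so the reader can tell where the sectors live. It would also help to say what stage1 does instead of reading them, since "stage1 ignores these" on its own leaves the purpose of the two sectors open.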
Line 80: Line 82:  
|-
 
|-
 
| 0x1AC
 
| 0x1AC
| 0x4
+
| 0x3
 
| Global MBK9 Slot Master Setting
 
| Global MBK9 Slot Master Setting
 +
|-
 +
| 0x1AF
 +
| 0x1
 +
| Global WRAMCNT Setting
 
|-
 
|-
 
| 0x1B0
 
| 0x1B0
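Review bot: the offsets in the split rows stay consistent: shrinking the 0x1AC "Global MBK9 Slot Master Setting" entry from 0x4 to 0x3 bytes and adding a 0x1-byte "Global WRAMCNT Setting" at 0x1AF leaves the following row at 0x1B0 unchanged. The new row does not say what the byte contains; the neighbouring row names the MBK9 register it feeds, so consider stating that this value is written to the WRAMCNT register and, if known, which bits stage1 honours, in line with the edit summary "WRAMCNT setting in stage2 header".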
Line 122: Line 128:  
| 6
 
| 6
 
| 0x40
 
| 0x40
| When booting from NWRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.
+
| When booting from NVRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.
 
|-
 
|-
 
| 7
 
| 7
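Review bot: the "NWRAM" to "NVRAM" correction in the bit 6 row is right; the row's own closing sentence ("Not used for non-NVRAM boots") already refers to NVRAM, so the description is now internally consistent. Minor wording: since this is a flag-bit row, "If 0, use a 4 MHz SPI clock" would read more clearly as "When clear, a 4 MHz SPI clock is used".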
Line 129: Line 135:  
|}
 
|}
   −
The RSA public keys (the one for 3DS and the other one for DSi) for the below signature can be obtained from 3DS TWL_FIRM Process9 (this is required for getting the binaries' keyY). It is also found in the DSi's ARM9 boot ROM, but this is never copied to some place outside the boot ROM. (The bootroms copy _some_ keys to WRAM/ITCM, but not this one.)
+
The RSA public keys (the one for 3DS and the other one for DSi) for the below signature _for NAND boots_ can be obtained from 3DS TWL_FIRM Process9 (this is required for getting the binaries' keyY). It is also found in the DSi's ARM9 boot ROM, but this is never copied to some place outside the boot ROM. (The bootroms copy _some_ keys to WRAM/ITCM, but not this one.) Public keys for NVRAM and game cartridge boots are only available from the DSi ARM9 boot ROM, and all differ from the NAND RSA public key.
    
Structure of the 0x74-byte "hash-data" stored in the RSA message:
 
Structure of the 0x74-byte "hash-data" stored in the RSA message:
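Review bot: the expanded RSA-key paragraph mixes plural and singular: it opens with "The RSA public keys (the one for 3DS and the other one for DSi)" and then continues "It is also found in the DSi's ARM9 boot ROM", so it is unclear whether both keys or only the DSi one sit in the boot ROM; say which. The emphasis markers "_for NAND boots_" and "_some_" are plain underscores, which MediaWiki renders literally; use ''for NAND boots'' and ''some'' instead. The added last sentence is a useful clarification, but "all differ from the NAND RSA public key" should also state whether the NVRAM and game-cartridge keys differ from each other.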
Line 143: Line 149:  
| 0x10
 
| 0x10
 
| 0x14
 
| 0x14
| SHA1 hash, calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). This works with both the bootloader contained in TWL_FIRM, and the real DSi ARM9 boot ROM.
+
| SHA1 hash, calculated over the first 0x28-bytes of [[NVRAM]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). The bootloader contained in TWL_FIRM uses the first 0x28-bytes from NAND. For non-NAND boot mediums, this hash is calculated the same except there's no 0x28-byte block.
 
|-
 
|-
 
| 0x24
 
| 0x24
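Review bot: the rewritten SHA1 row is ambiguous: it first says the hash covers the first 0x28 bytes of [[NVRAM]], then that TWL_FIRM uses the first 0x28 bytes from NAND, and finally that non-NAND boot mediums have no 0x28-byte block; since NVRAM is itself a non-NAND medium, the reader cannot tell whether the NVRAM bytes are hashed on a NAND boot on real hardware or on an NVRAM boot. Suggest splitting by case, e.g. "NAND boot on DSi: first 0x28 bytes of NVRAM, then the first 0x100 bytes of the header, then the last 0x80 bytes; NAND boot under TWL_FIRM: first 0x28 bytes of NAND instead; NVRAM or cartridge boot: header bytes only." Dropping the old sentence "This works with both the bootloader contained in TWL_FIRM, and the real DSi ARM9 boot ROM" is correct, as it no longer holds given the NAND/NVRAM difference the new text introduces.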
Line 155: Line 161:  
| 0x4C
 
| 0x4C
 
| 0x14
 
| 0x14
| Unknown, not used by 3DS TWL_FIRM nor DSi bootrom. Normally all-zero.
+
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero. Copied to 0x01FFC880 by ARM9 [[Stage1]].
 
|-
 
|-
 
| 0x60
 
| 0x60
 
| 0x14
 
| 0x14
| SHA1 of all previous fields in the RSA messasge, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).
+
| SHA1 of all previous fields in the RSA message, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).
 
|}
 
|}
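Review bot: in the 0x4C row, dropping "nor DSi bootrom" while adding "Copied to 0x01FFC880 by ARM9 [[Stage1]]" is consistent, but the field is still labelled "Unknown"; if stage1 copies it, say whether anything later reads the copy (or that nothing is known to), so the reader can tell whether these signature-covered 0x14 bytes influence the boot. The "messasge" to "message" fix in the 0x60 row is fine; the trailing "(?)" on "Not used by 3DS TWL_FIRM" is still an open question and could be worded explicitly as unverified.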
   Line 182: Line 188:  
After Stage 2 is loaded:
 
After Stage 2 is loaded:
 
# Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized.
 
# Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized.
 +
# The status registers of the BPTWL are read to check whether this is a warmboot. The powerbutton action of the BPTWL is reset as well.
 
# The NAND flash is partially re-initialized
 
# The NAND flash is partially re-initialized
 +
# Various hardware components, such as the touchscreen/sound controller, Wifi chip, etc. are initialized. (Cameras aren't initialized, though.)
 
# Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR.
 
# Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR.
 
# The MBR signature and the type of the first partition are verified.
 
# The MBR signature and the type of the first partition are verified.
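Review bot: the two steps inserted into the "After Stage 2 is loaded" list read well, with small wording fixes: "powerbutton" to "power button", "Wifi" to "Wi-Fi", and "etc. are initialized" needs a comma after "etc." or a rephrase. The warmboot step says the BPTWL status registers "are read to check whether this is a warmboot" but not what changes in the later steps when it is one; if the NAND re-initialization or the MBR read is skipped on a warmboot, say so, otherwise note that the result is only recorded for later use.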