75
edits
Changes
Jump to navigation
Jump to search
Line 10:
Line 10: + + Line 80:
Line 82: − + + + + + Line 122:
Line 128: − + Line 143:
Line 149: − + Line 155:
Line 161: − + − + Line 182:
Line 188: + +
WRAMCNT setting in stage2 header
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
There's two header sectors [[NAND|following]] this, however stage1 ignores these.
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.
This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.
|-
|-
| 0x1AC
| 0x1AC
| 0x4
| 0x3
| Global MBK9 Slot Master Setting
| Global MBK9 Slot Master Setting
|-
| 0x1AF
| 0x1
| Global WRAMCNT Setting
|-
|-
| 0x1B0
| 0x1B0
| 6
| 6
| 0x40
| 0x40
| When booting from NWRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.
| When booting from NVRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.
|-
|-
| 7
| 7
| 0x10
| 0x10
| 0x14
| 0x14
| SHA1 hash, calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). This works with both the bootloader contained in TWL_FIRM, and the real DSi ARM9 boot ROM.
| SHA1 hash, calculated over the first 0x28-bytes of [[NVRAM]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). The bootloader contained in TWL_FIRM uses the first 0x28-bytes from NAND. For non-NAND boot mediums, this hash is calculated the same except there's no 0x28-byte block.
|-
|-
| 0x24
| 0x24
| 0x4C
| 0x4C
| 0x14
| 0x14
| Unknown, not used by 3DS TWL_FIRM nor DSi bootrom. Normally all-zero.
| Unknown, not used by 3DS TWL_FIRM. Normally all-zero. Copied to 0x01FFC880 by ARM9 [[Stage1]].
|-
|-
| 0x60
| 0x60
| 0x14
| 0x14
| SHA1 of all previous fields in the RSA messasge, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).
| SHA1 of all previous fields in the RSA message, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).
|}
|}
After Stage 2 is loaded:
After Stage 2 is loaded:
# Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized.
# Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized.
# The status registers of the BPTWL are read to check whether this is a warmboot. The powerbutton action of the BPTWL is reset as well.
# The NAND flash is partially re-initialized
# The NAND flash is partially re-initialized
# Various hardware components, such as the touchscreen/sound controller, Wifi chip, etc. are initialized. (Cameras aren't initialized, though.)
# Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR.
# Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR.
# The MBR signature and the type of the first partition are verified.
# The MBR signature and the type of the first partition are verified.