Stage2: Difference between revisions

(2 intermediate revisions by 2 users not shown)

Line 10:

00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|

00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

There's two header sectors [[NAND|following]] this, however stage1 ignores these.

This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.

Line 80:

Line 82:

|-

| 0x1AC

| ~~0x4~~

| 0x3

| Global MBK9 Slot Master Setting

|-

| 0x1AF

| 0x1

| Global WRAMCNT Setting

|-

| 0x1B0

Line 122:

Line 128:

| 6

| 0x40

| When booting from ~~NWRAM~~, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.

| When booting from NVRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.

|-

| 7

Line 143:

Line 149:

| 0x10

| 0x14

| SHA1 hash, calculated over the first 0x28-bytes of [[~~NAND~~]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). ~~This works with both the~~ bootloader contained in TWL_FIRM, ~~and~~ the ~~real DSi ARM9 boot ROM~~.

| SHA1 hash, calculated over the first 0x28-bytes of [[NVRAM]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). The bootloader contained in TWL_FIRM uses the first 0x28-bytes from NAND. For non-NAND boot mediums, this hash is calculated the same except there's no 0x28-byte block.

|-

| 0x24

Line 155:

Line 161:

| 0x4C

| 0x14

| Unknown, not used by 3DS TWL_FIRM ~~nor DSi bootrom~~. Normally all-zero.

| Unknown, not used by 3DS TWL_FIRM. Normally all-zero. Copied to 0x01FFC880 by ARM9 [[Stage1]].

|-

| 0x60

| 0x14

| SHA1 of all previous fields in the RSA ~~messasge~~, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).

| SHA1 of all previous fields in the RSA message, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).

|}

Line 182:

Line 188:

After Stage 2 is loaded:

# Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized.

# The status registers of the BPTWL are read to check whether this is a warmboot. The powerbutton action of the BPTWL is reset as well.

# The NAND flash is partially re-initialized

# Various hardware components, such as the touchscreen/sound controller, Wifi chip, etc. are initialized. (Cameras aren't initialized, though.)

# Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR.

# The MBR signature and the type of the first partition are verified.

@@ Line 10: / Line 10: @@
   00000230  00 6e 02 00 88 75 02 00  00 80 7b 03 00 76 02 00  |.n...u....{..v..|
   00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+There's two header sectors [[NAND|following]] this, however stage1 ignores these.
 This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00.
@@ Line 80: / Line 82: @@
 |-
 | 0x1AC
-| 0x4
+| 0x3
 | Global MBK9 Slot Master Setting
+|-
+| 0x1AF
+| 0x1
+| Global WRAMCNT Setting
 |-
 | 0x1B0
@@ Line 122: / Line 128: @@
 | 6
 | 0x40
-| When booting from NWRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.
+| When booting from NVRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots.
 |-
 | 7
@@ Line 143: / Line 149: @@
 | 0x10
 | 0x14
-| SHA1 hash, calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). This works with both the bootloader contained in TWL_FIRM, and the real DSi ARM9 boot ROM.
+| SHA1 hash, calculated over the first 0x28-bytes of [[NVRAM]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). The bootloader contained in TWL_FIRM uses the first 0x28-bytes from NAND. For non-NAND boot mediums, this hash is calculated the same except there's no 0x28-byte block.
 |-
 | 0x24
@@ Line 155: / Line 161: @@
 | 0x4C
 | 0x14
-| Unknown, not used by 3DS TWL_FIRM nor DSi bootrom. Normally all-zero.
+| Unknown, not used by 3DS TWL_FIRM. Normally all-zero. Copied to 0x01FFC880 by ARM9 [[Stage1]].
 |-
 | 0x60
 | 0x14
-| SHA1 of all previous fields in the RSA messasge, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).
+| SHA1 of all previous fields in the RSA message, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?).
 |}
@@ Line 182: / Line 188: @@
 After Stage 2 is loaded:
 # Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized.
+# The status registers of the BPTWL are read to check whether this is a warmboot. The powerbutton action of the BPTWL is reset as well.
 # The NAND flash is partially re-initialized
+# Various hardware components, such as the touchscreen/sound controller, Wifi chip, etc. are initialized. (Cameras aren't initialized, though.)
 # Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR.
 # The MBR signature and the type of the first partition are verified.