Difference between revisions of "NVRAM"

From DSiBrew
m (link nvram)
(update info (bootrom stuff, some other things have also been confirmed by now))
 
(3 intermediate revisions by one other user not shown)
Line 1: Line 1:
 
The DSi contains a 128KB block (organized into 256-byte pages) of memory referred to as "NVRAM"; it is stored in a SPI flash chip onboard the WiFi dongle.  On the DS, this was the system's firmware, plus it included writeable areas for user preferences and wifi connection settings. On the DSi, this chip is maintained for backward compatibility, but it is mostly empty.
 
The DSi contains a 128KB block (organized into 256-byte pages) of memory referred to as "NVRAM"; it is stored in a SPI flash chip onboard the WiFi dongle.  On the DS, this was the system's firmware, plus it included writeable areas for user preferences and wifi connection settings. On the DSi, this chip is maintained for backward compatibility, but it is mostly empty.
There is some new unknown data near the beginning of NVRAM which is involved in the boot process. The NVRAM is read very early in boot, before the NAND flash is initialized. An unreadable NVRAM chip will hang the boot process in an infinite retry loop, and errors in this portion of NVRAM will cause a stage1 [[Bootloader]] error.
+
 
 +
(khmann: data actually seems to follow the format of https://problemkaputt.de/gbatek-ds-cartridge-header.htm quite closely to my eyes)
 +
 
 +
There is some new unknown data near the beginning of NVRAM (the first 0x28 bytes, and the singular byte at 0x2ff) which is involved in the boot process. The NVRAM is read very early in boot, before the [[NAND]] flash is initialized. An unreadable NVRAM chip will hang the boot process in an infinite retry loop, and errors in this portion of NVRAM will cause a [[Stage1|stage1 bootloader]] error.
  
 
Most of the address space is blank, with the exception of the following data:
 
Most of the address space is blank, with the exception of the following data:
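Review bot: the added "(khmann: ...)" line puts a signed, first-person remark in the article body. It would read better either on the talk page or rephrased as a plain statement that the data appears to follow the NDS cartridge header format, with the GBATEK link kept as the reference.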
Line 9: Line 12:
 
  00020: c03f 0000 0000 0000 ffff e861 3801 000f  .?.........a8...
 
  00020: c03f 0000 0000 0000 ffff e861 3801 000f  .?.........a8...
 
  00030: ffff ffff ff00 0022 4cd8 968a fe3f ffff  ......."L....?..
 
  00030: ffff ffff ff00 0022 4cd8 968a fe3f ffff  ......."L....?..
  00040: 0394 2902 0200 1700 2600 1818 4800 4048  ..).....&...H.@H
+
  00040: 0394 2902 0200 1700 2600 1818 4800 4048  ..).....&...H..H
 
  00050: 5800 4200 4601 6480 e6e6 4324 0e00 0100  X.B.F.d...C$....
 
  00050: 5800 4200 4601 6480 e6e6 4324 0e00 0100  X.B.F.d...C$....
  00060: 0100 0204 0316 4000 1b6c 4880 3800 3507  ......@..lH.8.5.
+
  00060: 0100 0204 0316 4000 1b6c 4880 3800 3507  .........lH.8.5.
 
  00070: 0000 0000 0000 0000 b000 0000 0000 00c7  ................
 
  00070: 0000 0000 0000 0000 b000 0000 0000 00c7  ................
 
  00080: bb01 247f 5a01 3f01 3f36 1d00 7835 5512  ..$.Z.?.?6..x5U.
 
  00080: bb01 247f 5a01 3f01 3f36 1d00 7835 5512  ..$.Z.?.?6..x5U.
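Review bot: on rows 00040 and 00060 the ASCII column changes "@" to "." while the hex is untouched (the byte is still 40 in "4048" and "4000"). 0x40 is printable, so the new ASCII column no longer matches the hex beside it; either keep "@" or state which dump tool's rendering the column follows.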
Line 24: Line 27:
 
  00100: 1414 1414 1616 1626 2223 2324 2424 2526  .......&"##$$$%&
 
  00100: 1414 1414 1616 1626 2223 2324 2424 2526  .......&"##$$$%&
 
  00110: 2626 2728 2818 014b 4b4b 4b4c 4c4c 4c4c  &&'((..KKKKLLLLL
 
  00110: 2626 2728 2818 014b 4b4b 4b4c 4c4c 4c4c  &&'((..KKKKLLLLL
  00120: 4c4c 4d4d 4d02 6c71 765b 4045 4a2f 3439  LLMMM.lqv[@EJ/49
+
  00120: 4c4c 4d4d 4d02 6c71 765b 4045 4a2f 3439  LLMMM.lqv[.EJ/49
 
  00130: 3e03 0814 ffff ffff ffff ffff ffff ffff  >...............
 
  00130: 3e03 0814 ffff ffff ffff ffff ffff ffff  >...............
 
  00140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
 
  00140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
Line 39: Line 42:
 
  001f0: ffff ffff ffff ffff ffff ffff ff01 20ff  .............. .
 
  001f0: ffff ffff ffff ffff ffff ffff ff01 20ff  .............. .
 
   
 
   
 +
any changes between 0x00 and 0x27, yields bootloader error 0000FEFE, as this area is always included in the SHA1 hash of the [[stage2|stage2 header]] (part of the RSA signature) for some unknown reason.
 +
 +
NVRAM u8 0x1FD is used by launcher to determine which binary to load from the wifi firmware title content, that id *must* match one of the entries in that title content otherwise launcher will display a black error screen while booting. There are two options: 01 and 02.This is used to identify DWM-W015 vs DWM-W024.
 +
 +
 
  00200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 
  00200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 
  **
 
  **
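Review bot: the new 0x1FD paragraph lists the values 01 and 02 and the modules DWM-W015 and DWM-W024 but never says which value identifies which module; please state the mapping explicitly. Also "02.This" is missing a space, the first added sentence starts in lower case with a stray comma ("any changes between 0x00 and 0x27, yields"), and both paragraphs are inserted between dump rows 001f0 and 00200, which splits the dump.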
Line 44: Line 52:
 
  002f0: 0000 0000 0000 0000 0000 0000 0000 0080  ................
 
  002f0: 0000 0000 0000 0000 0000 0000 0000 0080  ................
  
There are 10 pages starting at 0x1f400 (page 0xFA) that describe the WiFi settings (2 pages per slot?)
+
If bit 7 of 0x2FF = 0, [[stage1]] will attempt to boot from NVRAM instead of NAND. This will fail, as the stage2 area in NVRAM (0x200..0x2ff) is all-zeros, and RSA signature verification will fail.
 +
 
 +
 
 +
 
 +
 
 +
There are 10 pages starting at 0x1f400 (page 0xFA) that describe the WiFi settings (2 pages per slot)
  
 
  1f400: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 
  1f400: 0000 0000 0000 0000 0000 0000 0000 0000  ................
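Review bot: the added sentence calls the stage2 area (0x200..0x2ff) all-zeros, but row 002f0 directly above ends in 0080, so 0x2FF itself holds 0x80 (the flag byte the same sentence describes). Suggest wording such as "all zeros apart from the flag byte at 0x2FF". The run of empty added lines after the sentence can be dropped.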
Line 65: Line 78:
 
  1fe40: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 
  1fe40: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 
  1fe50: 0000 0000 0000 0000 8102 1603 2020 a30d  ............  ..
 
  1fe50: 0000 0000 0000 0000 8102 1603 2020 a30d  ............  ..
  1fe60: 970c e0a0 00fc 0900 4010 db10 0000 0000  ........@.......
+
  1fe60: 970c e0a0 00fc 0900 4010 db10 0000 0000  ................
 
  1fe70: 0900 84dd 0100 0300 0000 0000 0000 0000  ................
 
  1fe70: 0900 84dd 0100 0300 0000 0000 0000 0000  ................
 
  1fe80: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 
  1fe80: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Latest revision as of 18:17, 18 December 2022

The DSi contains a 128KB block (organized into 256-byte pages) of memory referred to as "NVRAM"; it is stored in a SPI flash chip onboard the WiFi dongle. On the DS, this was the system's firmware, plus it included writeable areas for user preferences and wifi connection settings. On the DSi, this chip is maintained for backward compatibility, but it is mostly empty.

(khmann: data actually seems to follow the format of https://problemkaputt.de/gbatek-ds-cartridge-header.htm quite closely to my eyes)

There is some new unknown data near the beginning of NVRAM (the first 0x28 bytes, and the singular byte at 0x2ff) which is involved in the boot process. The NVRAM is read very early in boot, before the NAND flash is initialized. An unreadable NVRAM chip will hang the boot process in an infinite retry loop, and errors in this portion of NVRAM will cause a stage1 bootloader error.

Most of the address space is blank, with the exception of the following data:

Pages 0-2: Old partial NDS firmware header (for compatibility)

00000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00010: 0000 0000 0000 0000 0000 0000 0057 ffff  .............W..
00020: c03f 0000 0000 0000 ffff e861 3801 000f  .?.........a8...
00030: ffff ffff ff00 0022 4cd8 968a fe3f ffff  ......."L....?..
00040: 0394 2902 0200 1700 2600 1818 4800 4048  ..).....&...H..H
00050: 5800 4200 4601 6480 e6e6 4324 0e00 0100  X.B.F.d...C$....
00060: 0100 0204 0316 4000 1b6c 4880 3800 3507  .........lH.8.5.
00070: 0000 0000 0000 0000 b000 0000 0000 00c7  ................
00080: bb01 247f 5a01 3f01 3f36 1d00 7835 5512  ..$.Z.?.?6..x5U.
00090: 341c 0001 0e38 0370 c52a 0a08 0401 0000  4....8.p.*......
000a0: 00ff fffe fefe fefc fcfa fafa fafa f8f8  ................
000b0: f600 1214 1241 2303 0470 350e 2c2c 0000  .....A#..p5.,,..
000c0: 0000 0000 0000 000e 0000 1228 1c00 314c  ...........(..1L
000d0: 4f21 0010 b008 fa15 26e7 fe3e 0e51 0500  O!......&..>.Q..
000e0: 6d12 0300 01ff 0e00 0200 0000 0205 0500  m...............
000f0: 0000 1800 0200 0002 1e12 1212 1414 1414  ................

00100: 1414 1414 1616 1626 2223 2324 2424 2526  .......&"##$$$%&
00110: 2626 2728 2818 014b 4b4b 4b4c 4c4c 4c4c  &&'((..KKKKLLLLL
00120: 4c4c 4d4d 4d02 6c71 765b 4045 4a2f 3439  LLMMM.lqv[.EJ/49
00130: 3e03 0814 ffff ffff ffff ffff ffff ffff  >...............
00140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00150: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00160: ffff 1cff ffff ffff ffff ffff ffff ffff  ................
00170: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00180: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00190: ffff ffff ffff ffff ffff ffff ffff ffff  ................
001a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
001b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
001c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
001d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
001e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
001f0: ffff ffff ffff ffff ffff ffff ff01 20ff  .............. .

Any change between 0x00 and 0x27 yields bootloader error 0000FEFE, as this area is always included in the SHA1 hash of the stage2 header (part of the RSA signature) for some unknown reason.

The u8 at NVRAM offset 0x1FD is used by the launcher to determine which binary to load from the wifi firmware title content. That ID *must* match one of the entries in that title content; otherwise the launcher will display a black error screen while booting. There are two options: 01 and 02. This is used to identify DWM-W015 vs DWM-W024.


00200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
**
002e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
002f0: 0000 0000 0000 0000 0000 0000 0000 0080  ................

If bit 7 of 0x2FF is 0, stage1 will attempt to boot from NVRAM instead of NAND. This will fail: the stage2 area in NVRAM (0x200..0x2ff) is all zeros, so RSA signature verification will fail.
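The boot-critical fields described above (the hashed 0x00..0x27 region, the u8 at 0x1FD and bit 7 of 0x2FF), gathered into a sanity check to run on a full dump before it is written back to the chip. This is an added example, not DSiBrew's or any tool's own code; the names `check_nvram` and `sample_dump`, and the 0xFF fill used for the rest of the constructed sample, are assumptions.

```python
NVRAM_SIZE = 128 * 1024   # 128KB chip, 256-byte pages
HASHED_END = 0x28         # 0x00..0x27 is covered by the stage2 header SHA1
WIFI_ID_OFF = 0x1FD       # u8 the launcher matches against the wifi firmware title
BOOT_FLAG_OFF = 0x2FF     # bit 7 = 0 makes stage1 try to boot from NVRAM
STAGE2_AREA = slice(0x200, 0x2FF)  # expected all-zero (flag byte excluded)

def check_nvram(dump, reference=None):
    """Return a list of findings; an empty list means no boot-critical problem seen."""
    if len(dump) != NVRAM_SIZE:
        return [f"size {len(dump):#x}, expected {NVRAM_SIZE:#x}"]
    findings = []
    if dump[WIFI_ID_OFF] not in (0x01, 0x02):
        findings.append(f"0x1FD = {dump[WIFI_ID_OFF]:#04x}: launcher expects 01 or 02")
    if not dump[BOOT_FLAG_OFF] & 0x80:
        findings.append("0x2FF bit 7 clear: stage1 would try to boot from NVRAM")
    if any(dump[STAGE2_AREA]):
        findings.append("0x200..0x2FE is not all-zero")
    if reference is not None:
        # Any difference here invalidates the hash and gives error 0000FEFE.
        changed = [off for off in range(HASHED_END) if dump[off] != reference[off]]
        if changed:
            where = ", ".join(f"{off:#04x}" for off in changed)
            findings.append(f"hashed region differs from reference at {where}")
    return findings

def sample_dump():
    """Constructed sample: page bytes for 0x00..0x27, 0x1FD and 0x200..0x2FF; rest 0xFF."""
    dump = bytearray(b"\xff" * NVRAM_SIZE)
    dump[:HASHED_END] = bytes(0x1D) + bytes.fromhex("57ffff" "c03f000000000000")
    dump[WIFI_ID_OFF] = 0x01
    dump[0x200:0x300] = bytes(0xFF) + b"\x80"
    return bytes(dump)

if __name__ == "__main__":
    good = sample_dump()
    bad = bytearray(good)
    bad[0x1D] ^= 0x01          # one flipped bit inside the hashed region
    bad[BOOT_FLAG_OFF] = 0x00  # boot-source flag cleared
    for finding in check_nvram(bytes(bad), reference=good) or ["ok"]:
        print(finding)
```

Pass a known-good dump of the same console as `reference`; without one, only the 0x1FD, 0x2FF and stage2-area checks run.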



There are 10 pages starting at 0x1f400 (page 0xFA) that describe the WiFi settings (2 pages per slot)

1f400: 0000 0000 0000 0000 0000 0000 0000 0000  ................
**
1f440: 3c65 7373 6964 3e0a 0000 0000 0000 0000  <essid>.......
1f450: 0000 0000 0000 0000 0000 0000 0000 0000  ................
**
1f4d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1f4e0: 0000 0000 0000 0000 0900 7805 0000 0001  ..........x.....
1f4f0: 0000 0000 0000 0000 0000 0000 0000 f80f  ................
1f500: 0000 0000 0000 0000 0000 0000 0000 0000  ................
**
1f5f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

The last 2 pages store 2 identical copies of user settings.

1fe00: 0500 0b01 0100 6200 7500 7300 6800 6900  ......b.u.s.h.i.
1fe10: 6e00 6700 0000 0000 0000 0700 0000 0000  n.g.............
1fe20: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fe30: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fe40: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fe50: 0000 0000 0000 0000 8102 1603 2020 a30d  ............  ..
1fe60: 970c e0a0 00fc 0900 4010 db10 0000 0000  ................
1fe70: 0900 84dd 0100 0300 0000 0000 0000 0000  ................
1fe80: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fe90: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fea0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1feb0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fec0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fed0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fee0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fef0: 0000 0000 0000 0000 0000 0000 0000 1fcf  ................

1ff00: 0500 0b01 0100 6200 7500 7300 6800 6900  ......b.u.s.h.i.
1ff10: 6e00 6700 0000 0000 0000 0700 0000 0000  n.g.............
1ff20: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ff30: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ff40: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ff50: 0000 0000 0000 0000 8102 1603 2020 a30d  ............  ..
1ff60: 970c e0a0 00fc 0000 0000 0000 0000 0000  ................
1ff70: 0a00 922b 0100 0300 0000 0000 0000 0000  ...+............
1ff80: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ff90: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ffa0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ffb0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ffc0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ffd0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1ffe0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1fff0: 0000 0000 0000 0000 0000 0000 0000 1fcf  ................