Line 1: |
Line 1: |
| The DSi contains a 128KB block (organized into 256-byte pages) of memory referred to as "NVRAM"; it is stored in a SPI flash chip onboard the WiFi dongle. On the DS, this was the system's firmware, plus it included writeable areas for user preferences and wifi connection settings. On the DSi, this chip is maintained for backward compatibility, but it is mostly empty. | | The DSi contains a 128KB block (organized into 256-byte pages) of memory referred to as "NVRAM"; it is stored in a SPI flash chip onboard the WiFi dongle. On the DS, this was the system's firmware, plus it included writeable areas for user preferences and wifi connection settings. On the DSi, this chip is maintained for backward compatibility, but it is mostly empty. |
| | | |
− | (khmann: data actually seems to follow the format of http://www.daftcode.net/gbatek/ds#dsfirmwareheader quite closely to my eyes) | + | (khmann: data actually seems to follow the format of https://problemkaputt.de/gbatek-ds-cartridge-header.htm quite closely to my eyes) |
| | | |
− | There is some new unknown data near the beginning of NVRAM which is involved in the boot process. The NVRAM is read very early in boot, before the [[NAND]] flash is initialized. An unreadable NVRAM chip will hang the boot process in an infinite retry loop, and errors in this portion of NVRAM will cause a stage1 [[Bootloader]] error. | + | There is some new unknown data near the beginning of NVRAM (the first 0x28 bytes, and the singular byte at 0x2ff) which is involved in the boot process. The NVRAM is read very early in boot, before the [[NAND]] flash is initialized. An unreadable NVRAM chip will hang the boot process in an infinite retry loop, and errors in this portion of NVRAM will cause a [[Stage1|stage1 bootloader]] error. |
| | | |
| Most of the address space is blank, with the exception of the following data: | | Most of the address space is blank, with the exception of the following data: |
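Review bot: The replacement link in the khmann note points at gbatek-ds-cartridge-header.htm, while the URL it replaces ended in #dsfirmwareheader; the comparison being made is with the DS firmware header, so the new target should be the GBATEK firmware header section rather than the cartridge header page. In the boot-process paragraph, "new unknown data" now sits next to exact offsets (first 0x28 bytes, byte 0x2ff); say what is still unknown about it, and "singular byte" reads better as "single byte".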
Line 12: |
Line 12: |
| 00020: c03f 0000 0000 0000 ffff e861 3801 000f .?.........a8... | | 00020: c03f 0000 0000 0000 ffff e861 3801 000f .?.........a8... |
| 00030: ffff ffff ff00 0022 4cd8 968a fe3f ffff ......."L....?.. | | 00030: ffff ffff ff00 0022 4cd8 968a fe3f ffff ......."L....?.. |
− | 00040: 0394 2902 0200 1700 2600 1818 4800 4048 ..).....&...H.@H | + | 00040: 0394 2902 0200 1700 2600 1818 4800 4048 ..).....&...H..H |
| 00050: 5800 4200 4601 6480 e6e6 4324 0e00 0100 X.B.F.d...C$.... | | 00050: 5800 4200 4601 6480 e6e6 4324 0e00 0100 X.B.F.d...C$.... |
− | 00060: 0100 0204 0316 4000 1b6c 4880 3800 3507 ......@..lH.8.5. | + | 00060: 0100 0204 0316 4000 1b6c 4880 3800 3507 .........lH.8.5. |
| 00070: 0000 0000 0000 0000 b000 0000 0000 00c7 ................ | | 00070: 0000 0000 0000 0000 b000 0000 0000 00c7 ................ |
| 00080: bb01 247f 5a01 3f01 3f36 1d00 7835 5512 ..$.Z.?.?6..x5U. | | 00080: bb01 247f 5a01 3f01 3f36 1d00 7835 5512 ..$.Z.?.?6..x5U. |
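Review bot: At 00040 and 00060 the ASCII gutter now shows '.' where the hex column still has byte 40, which is printable '@' and was rendered that way before, so the gutter no longer matches the hex. The same substitution is made at 00120 and 1fe60. If '@' was dropped to work around a rendering problem, say so in the edit summary; otherwise restore it so the dump stays a faithful hexdump.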
Line 27: |
Line 27: |
| 00100: 1414 1414 1616 1626 2223 2324 2424 2526 .......&"##$$$%& | | 00100: 1414 1414 1616 1626 2223 2324 2424 2526 .......&"##$$$%& |
| 00110: 2626 2728 2818 014b 4b4b 4b4c 4c4c 4c4c &&'((..KKKKLLLLL | | 00110: 2626 2728 2818 014b 4b4b 4b4c 4c4c 4c4c &&'((..KKKKLLLLL |
− | 00120: 4c4c 4d4d 4d02 6c71 765b 4045 4a2f 3439 LLMMM.lqv[@EJ/49 | + | 00120: 4c4c 4d4d 4d02 6c71 765b 4045 4a2f 3439 LLMMM.lqv[.EJ/49 |
| 00130: 3e03 0814 ffff ffff ffff ffff ffff ffff >............... | | 00130: 3e03 0814 ffff ffff ffff ffff ffff ffff >............... |
| 00140: ffff ffff ffff ffff ffff ffff ffff ffff ................ | | 00140: ffff ffff ffff ffff ffff ffff ffff ffff ................ |
Line 42: |
Line 42: |
| 001f0: ffff ffff ffff ffff ffff ffff ff01 20ff .............. . | | 001f0: ffff ffff ffff ffff ffff ffff ff01 20ff .............. . |
| | | |
− | any changes between 0x00 and 0x27, yields bootloader error 0000FEFE | + | any changes between 0x00 and 0x27, yields bootloader error 0000FEFE, as this area is always included in the SHA1 hash of the [[stage2|stage2 header]] (part of the RSA signature) for some unknown reason. |
| | | |
− | NVRAM u8 0x1FD is used by launcher to determine which binary to load from the wififw title content, that id *must* match one of the entries in that title content otherwise launcher will display a black error screen while booting. Apparently there are two options for DSi 1.4.4: 01 and 02. Perhaps this is used to identify DWM-W015 vs DWM-W024 | + | NVRAM u8 0x1FD is used by launcher to determine which binary to load from the wifi firmware title content, that id *must* match one of the entries in that title content otherwise launcher will display a black error screen while booting. There are two options: 01 and 02.This is used to identify DWM-W015 vs DWM-W024. |
| | | |
| | | |
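Review bot: In the 0x1FD paragraph the new wording turns "Apparently ... for DSi 1.4.4" and "Perhaps" into flat statements, but it does not say which value selects DWM-W015 and which selects DWM-W024, and no source is given for the claim. The 001f0 dump line shows 01 at 0x1FD, so stating which module that dump came from would settle the mapping. Also add the missing space in "02.This". In the 0000FEFE sentence, "for some unknown reason" sits oddly beside a definite explanation; separate what is known (the range is covered by the stage2 header hash) from what is not (why it is included).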
Line 52: |
Line 52: |
| 002f0: 0000 0000 0000 0000 0000 0000 0000 0080 ................ | | 002f0: 0000 0000 0000 0000 0000 0000 0000 0080 ................ |
| | | |
− | If bit 7 of 0x2FF = 0, bootloader error 0000FE00, this particular error makes it sound like the DSi is being told to boot from some other area, or with a different encryption. | + | If bit 7 of 0x2FF = 0, [[stage1]] will attempt to boot from NVRAM instead of NAND. This will fail, as the stage2 area in NVRAM (0x200..0x2ff) is all-zeros, and RSA signature verification will fail. |
| | | |
| | | |
| | | |
| | | |
− | There are 10 pages starting at 0x1f400 (page 0xFA) that describe the WiFi settings (2 pages per slot?) | + | There are 10 pages starting at 0x1f400 (page 0xFA) that describe the WiFi settings (2 pages per slot) |
| | | |
| 1f400: 0000 0000 0000 0000 0000 0000 0000 0000 ................ | | 1f400: 0000 0000 0000 0000 0000 0000 0000 0000 ................ |
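Review bot: The rewritten 0x2FF sentence drops the observed error code 0000FE00, which is what a reader will actually see on screen; keep it alongside the new explanation. The range "0x200..0x2ff" is described as all-zeros, yet it includes the flag byte 0x2FF itself, shown as 80 in the 002f0 dump line, so narrow the range or note the exception, and "will fail" is said twice. On the WiFi settings line, 0x1f400 is page 0xFA only with 512-byte pages, while the intro says 256-byte pages (which would make it page 0x1F4); with the question mark removed from "2 pages per slot", also state the slot count.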
Line 78: |
Line 78: |
| 1fe40: 0000 0000 0000 0000 0000 0000 0000 0000 ................ | | 1fe40: 0000 0000 0000 0000 0000 0000 0000 0000 ................ |
| 1fe50: 0000 0000 0000 0000 8102 1603 2020 a30d ............ .. | | 1fe50: 0000 0000 0000 0000 8102 1603 2020 a30d ............ .. |
− | 1fe60: 970c e0a0 00fc 0900 4010 db10 0000 0000 ........@....... | + | 1fe60: 970c e0a0 00fc 0900 4010 db10 0000 0000 ................ |
| 1fe70: 0900 84dd 0100 0300 0000 0000 0000 0000 ................ | | 1fe70: 0900 84dd 0100 0300 0000 0000 0000 0000 ................ |
| 1fe80: 0000 0000 0000 0000 0000 0000 0000 0000 ................ | | 1fe80: 0000 0000 0000 0000 0000 0000 0000 0000 ................ |