Line 10: |
Line 10: |
| 00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..| | | 00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..| |
| 00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| | | 00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| |
| + | |
| + | There's two header sectors [[NAND|following]] this, however stage1 ignores these. |
| | | |
| This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00. | | This is describing two chunks of the stage2 loader: the ARM9-binary 0x26410 bytes in length at address 0x800, and the ARM7-binary 0x27588 bytes at address 0x26e00. |
Line 80: |
Line 82: |
| |- | | |- |
| | 0x1AC | | | 0x1AC |
− | | 0x4 | + | | 0x3 |
| | Global MBK9 Slot Master Setting | | | Global MBK9 Slot Master Setting |
| + | |- |
| + | | 0x1AF |
| + | | 0x1 |
| + | | Global WRAMCNT Setting |
| |- | | |- |
| | 0x1B0 | | | 0x1B0 |
Line 122: |
Line 128: |
| | 6 | | | 6 |
| | 0x40 | | | 0x40 |
− | | When booting from NWRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots. | + | | When booting from NVRAM, use an 8 MHz SPI clock. If 0, use a 4 MHz SPI clock. Not used for non-NVRAM boots. |
| |- | | |- |
| | 7 | | | 7 |
Line 143: |
Line 149: |
| | 0x10 | | | 0x10 |
| | 0x14 | | | 0x14 |
− | | SHA1 hash, calculated over the first 0x28-bytes of [[NAND]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). This works with both the bootloader contained in TWL_FIRM, and the real DSi ARM9 boot ROM. | + | | SHA1 hash, calculated over the first 0x28-bytes of [[NVRAM]], then the first 0x100-bytes of the header, then the last 0x80-bytes of the header (following the signature). The bootloader contained in TWL_FIRM uses the first 0x28-bytes from NAND. For non-NAND boot mediums, this hash is calculated the same except there's no 0x28-byte block. |
| |- | | |- |
| | 0x24 | | | 0x24 |
Line 155: |
Line 161: |
| | 0x4C | | | 0x4C |
| | 0x14 | | | 0x14 |
− | | Unknown, not used by 3DS TWL_FIRM nor DSi bootrom. Normally all-zero. | + | | Unknown, not used by 3DS TWL_FIRM. Normally all-zero. Copied to 0x01FFC880 by ARM9 [[Stage1]]. |
| |- | | |- |
| | 0x60 | | | 0x60 |
| | 0x14 | | | 0x14 |
− | | SHA1 of all previous fields in the RSA messasge, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?). | + | | SHA1 of all previous fields in the RSA message, used to prevent RSA signature forgery. Not used by 3DS TWL_FIRM(?). |
| |} | | |} |
| | | |
Line 182: |
Line 188: |
| After Stage 2 is loaded: | | After Stage 2 is loaded: |
| # Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized. | | # Main RAM (aka FCRAM aka DRAM) is allowed bus access (using the EXMEMCNT MMIO register) and initialized. |
| + | # The status registers of the BPTWL are read to check whether this is a warmboot. The powerbutton action of the BPTWL is reset as well. |
| # The NAND flash is partially re-initialized | | # The NAND flash is partially re-initialized |
| + | # Various hardware components, such as the touchscreen/sound controller, Wifi chip, etc. are initialized. (Cameras aren't initialized, though.) |
| # Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR. | | # Sector 0 is read from the NAND. This is an (encrypted) DOS-style MBR. |
| # The MBR signature and the type of the first partition are verified. | | # The MBR signature and the type of the first partition are verified. |