108
edits
Changes
Jump to navigation
Jump to search
Line 5:
Line 5: − + Line 21:
Line 21: − + + Line 32:
Line 33: − + + + + + Line 101:
Line 106: − + − + Line 117:
Line 122: − + + Line 141:
Line 147: − + Line 149:
Line 155: − + Line 166:
Line 172: + + + + − + − + + + + + + + + + + + + + + + + + Line 181:
Line 207: − + Line 205:
Line 231: − + Line 256:
Line 282: − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 264:
Line 318: − + − + + + + + + + + + + + + + Line 277:
Line 343: − + Line 297:
Line 363: − + Line 309:
Line 375: − + − + + + + + + + + + + + + + + + + + + + + + + + +
no edit summary
! OFFSET
! OFFSET
! SIZE
! SIZE
! DESCRIPTION
! DESCRIPTION - ORIGINAL NDS ENTRIES
|-
|-
| 0x000
| 0x000
| 0x012
| 0x012
| 1
| 1
| Unitcode
| Unitcode (00h=NDS, 02h=NDS+DSi, 03h=DSi) (bit1=DSi)
|-
|-
| 0x013
| 0x013
|-
|-
| 0x015
| 0x015
| 9
| 7
| Reserved
| Reserved
|-
| 0x01C
| 2
| Unknown (used by DSi titles)
|-
|-
| 0x01E
| 0x01E
| 0x058
| 0x058
| 4
| 4
| ARM9 overlay offset
| ARM7 overlay offset
|-
|-
| 0x05C
| 0x05C
| 4
| 4
| ARM9 overlay length
| ARM7 overlay length
|-
|-
| 0x060
| 0x060
| 0x068
| 0x068
| 4
| 4
| Icon Banner offset
| Icon Banner offset (same as NDS, but with new extra entries)
|-
|-
| 0x06C
| 0x06C
| 0x080
| 0x080
| 4
| 4
| NTR region ROM size
| NTR region ROM size (excluding DSi area)
|-
|-
| 0x084
| 0x084
| 0x088
| 0x088
| 56
| 56
| Reserved
| Reserved (0x88, 0x8C, 0x90 = Unknown, used by DSi)
|-
|-
| 0x0C0
| 0x0C0
| 32
| 32
| Debugger reserved
| Debugger reserved
|-
! OFFSET
! SIZE
! DESCRIPTION - EXTENDED DSi ENTRIES
|-
|-
| 0x180
| 0x180
| 52
| 20
| Config settings
| Global MBK1..MBK5 Settings
|-
| 0x194
| 12
| Local MBK6..MBK8 Settings for ARM9
|-
| 0x1A0
| 12
| Local MBK6..MBK8 Settings for ARM7
|-
| 0x1AC
| 4
| Global MBK9 Setting
|-
| 0x1B0
| 4
| Region Flags
|-
|-
| 0x1B4
| 0x1B4
| 0x1BC
| 0x1BC
| 4
| 4
| Reserved
| Reserved/flags? When bit2 of byte 0x1bf is set, usage of banner.sav from the title data dir is enabled.(additional banner data)
|-
|-
| 0x1C0
| 0x1C0
| 0x1D4
| 0x1D4
| 4
| 4
| Reserved
| Pointer to [[base address where various structures and parameters are passed to the title]] - what is that???
|-
|-
| 0x1D8
| 0x1D8
|-
|-
| 0x208
| 0x208
| 40
| 4
| Reserved
| Icon Banner Size (usually 0x23C0)
|-
| 0x20C
| 4
| Unknown (used by DSi)
|-
| 0x210
| 4
| NTR+TWL region ROM size (total size including DSi area)
|-
| 0x214
| 12
| Unknown (used by DSi)
|-
| 0x220
| 4
| Modcrypt area 1 offset
|-
| 0x224
| 4
| Modcrypt area 1 size
|-
| 0x228
| 4
| Modcrypt area 2 offset
|-
| 0x22C
| 4
| Modcrypt area 2 size
|-
|-
| 0x230
| 0x230
|-
|-
| 0x238
| 0x238
| 200
| 4
| Reserved
| DSiWare: "public.sav" size
|-
| 0x23C
| 4
| DSiWare: "private.sav" size
|-
| 0x240
| 176
| Reserved (zero)
|-
| 0x2F0
| 16
| Unknown (used by DSi)
|-
|-
| 0x300
| 0x300
| 0x328
| 0x328
| 20
| 20
| Digest Block Hashtable SHA1 HMAC hash
| Digest master SHA1 HMAC hash
|-
|-
| 0x33C
| 0x33C
| 0x3A0
| 0x3A0
| 20
| 20
| Unknown hash
| ARM9 (without secure area) SHA1 HMAC hash
|-
|-
| 0x3B4
| 0x3B4
| 0xF80
| 0xF80
| 0x80
| 0x80
| RSA signature
| RSA signature (the first 0xE00 bytes of the header are signed with an 1024-bit RSA signature).
|}
|}
The first 0xE00 bytes of the SRL header is signed with an 1024-bit RSA signature.
= Modcrypt =
Modcrypt is a new additional way of encrypting parts of the NDS ROM executable binary modules using AES CTR. It is mostly being used to encrypt the ARM9i and ARM7i binaries. For example, DSi hybrid card based games have only the ARM9i binary encrypted, while NAND based applications have both the ARM9i and ARM7i binaries encrypted. The modcrypt areas can span over any of the ARM9/ARM7/ARM9i/ARM7i areas.
The AES counter used for modcrypt area 1 is the first 16 bytes of the ARM9 SHA1 HMAC hash (0x300), and for area 2 the first 16 bytes of the ARM7 SHA1 HMAC hash (0x314). The AES key used is a little more complicated. The header can specify to use a secure or insecure key:
if ( (header[0x1C] & 4) || (header[0x1BF] & 0x80) )
keytype = INSECURE;
else
keytype = SECURE;
The insecure key is simply the first 16 bytes of the header. The secure key is constructed from a scrambled key pair, where one part is based on an 8-byte shared secret between all DSi's and an 8-byte expanded gamecode, and the other part is based on the first 16 bytes of the ARM9i SHA1 HMAC hash (0x350). The key pair is scrambled in an unknown way to form the final secure key.
It is likely that the insecure key is only used for a debug version of an application, since most card based and NAND based applications are using the secure key.
= Digests =
The NDS format has been extended with a hash tree to verify the entire contents of an NDS ROM. The NDS ROM is divided into sectors, and each sector will be hashed and have its hash stored in the digest sector hashtable. The size of a sector is defined in the header aswell. Furthermore, the sector hashtable is partitioned and hashed again to form block hashes. This block hashtable is hashed again into a single hash called the digest master hash. These hashtables can be used to verify that the sectors of a NDS ROM have not been tampered with, since the integrity of a sector hash can be verified by a block hash, which in turn can be verified by the master hash. And this hash is part of the header, which is signed with RSA.
The sector hashtable reaches over the NTR and TWL regions, respectively.
= See Also =
* [[Card hardware]] - cartridge bus protocol
* [[Bootloader]] - boot procedure