Hardware/eFuse

From WiiUBrew
< Hardware(Redirected from Hardware/OTP)
Jump to navigation Jump to search

General

Both the Latte and the Espresso hardware use eFuses for holding an assortment of read-only data, including the console's encryption/decryption keys.

Latte

eFuse
Latte Registers
Access
EspressoNone
StarbuckFull
Registers
Base0x0d8001ec
Length0x8
Access size32 bits
Byte orderBig Endian
This box: view  talk  edit

Register List

eFuse
Address Bits Name Description
0x0d8001ec 32 HW_EFUSEADDR eFuse address
0x0d8001f0 32 HW_EFUSEDATA eFuse data
0x0d800510 32 LT_EFUSEPROT eFuse access control

Register Details

HW_EFUSEADDR (0x0d8001ec)
  31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16
Access R/W U
Field RD
  15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Access U R/W U R/W
Field BANK ADDR
Field Description
RD Set to one to execute a read command. If clear, then the data in HW_EFUSEDATA is unchanged.
BANK Bank's number (0x0 to 0x7).
ADDR Word address to read, 0x00 to 0x1F (32 4byte words).

This register contains the address sent to the eFuse driver.


HW_EFUSEDATA (0x0d8001f0)
  310
Access R

This register contains the output data for the last issued eFuse read command. The execution of a read operation via the HW_EFUSEADDR register immediately changes this register without any delay.


LT_EFUSEPROT (0x0d800510)
  31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16
Access R/W
Field
  15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Access R/W
Field

This register is a bitmask for locking out chunks of eFuses. Each bit clears out 0x20 bytes starting from the bottom (bank 7 is 0xF0000000) to the top (bank 0 is 0x0000000F).

Contents

All data here is written during manufacturing. Items listed as reserved are not known to be used and are either empty or random.

Bank Offset (word index * 4) Size Description
0 0x000 (0x00 * 4) 0x14 bytes Wii boot1 SHA-1 hash
0 0x014 (0x05 * 4) 0x10 bytes Wii common key
0 0x024 (0x09 * 4) 0x04 bytes Wii device ID
0 0x028 (0x0A * 4) 0x1C bytes Wii device private key
0 0x044 (0x11 * 4) 0x14 bytes Wii NAND HMAC key (overlaps with device private key)
0 0x058 (0x16 * 4) 0x10 bytes Wii NAND key
0 0x068 (0x1A * 4) 0x10 bytes Wii backup key
0 0x078 (0x1E * 4) 0x08 bytes Reserved
1 0x080 (0x20 * 4) 0x04 bytes FuseType 
Production: 0x90000000
Development: 0x88000000
Evaluation: 0x00000000
1 0x084 (0x21 * 4) 0x04 bytes IOStrength configuration flags 
Production: 0x00000000

Flag 0x00008000 sets register HW_IOSTRCTRL0.
Flags 0x00000008, 0x00000080, 0x00000800, 0x00002000 set register HW_IOSTRCTRL1.
1 0x088 (0x22 * 4) 0x04 bytes Pulse length for SEEPROM manual CLK 
Production: 0x00000000 (defaults to 0xFA in boot0)
1 0x08C (0x23 * 4) 0x04 bytes Signature type? 
Production: 0x00010000
Development: 0x00000000
1 0x090 (0x24 * 4) 0x10 bytes Starbuck ancast key
1 0x0A0 (0x28 * 4) 0x10 bytes SEEPROM key
1 0x0B0 (0x2C * 4) 0x10 bytes Reserved
1 0x0C0 (0x30 * 4) 0x10 bytes Reserved
1 0x0D0 (0x34 * 4) 0x10 bytes vWii common key
1 0x0E0 (0x38 * 4) 0x10 bytes Wii U common key
1 0x0F0 (0x3C * 4) 0x10 bytes Reserved
2 0x100 (0x40 * 4) 0x10 bytes Reserved
2 0x110 (0x44 * 4) 0x10 bytes Reserved
2 0x120 (0x48 * 4) 0x10 bytes SSL RSA key encryption key
2 0x130 (0x4C * 4) 0x10 bytes IVS key
2 0x140 (0x50 * 4) 0x10 bytes Wii media title key
2 0x150 (0x54 * 4) 0x10 bytes XOR key
2 0x160 (0x58 * 4) 0x10 bytes Wii U backup key
2 0x170 (0x5C * 4) 0x10 bytes SLC NAND key
3 0x180 (0x60 * 4) 0x10 bytes MLC NAND key
3 0x190 (0x64 * 4) 0x10 bytes SHDD key
3 0x1A0 (0x68 * 4) 0x10 bytes DRH WLAN data key
3 0x1B0 (0x6C * 4) 0x30 bytes Reserved
3 0x1E0 (0x78 * 4) 0x14 bytes SLC NAND HMAC key
3 0x1F4 (0x7D * 4) 0x0C bytes Reserved
4 0x200 (0x80 * 4) 0x10 bytes Reserved
4 0x210 (0x84 * 4) 0x0C bytes Reserved
4 0x21C (0x87 * 4) 0x04 bytes Wii U device ID
4 0x220 (0x88 * 4) 0x20 bytes Wii U device private key 
Only 0x1E bytes are used.
4 0x240 (0x90 * 4) 0x20 bytes Wii U device unique certificate private key 
Only 0x1E bytes are used.
4 0x260 (0x98 * 4) 0x10 bytes RNG seed 
Only the first 0x04 bytes are used.
4 0x270 (0x9C * 4) 0x10 bytes Reserved
5 0x280 (0xA0 * 4) 0x04 bytes Wii U device unique certificate manufacturing (MS) ID 
Production: 0x00000012
Development: 0x00000003
5 0x284 (0xA1 * 4) 0x04 bytes Wii U device unique certificate authority (CA) ID 
Production: 0x00000003
Development: 0x00000002
5 0x288 (0xA2 * 4) 0x04 bytes Wii U device unique certificate manufacturing date (seconds elapsed since 1950-01-01)
5 0x28C (0xA3 * 4) 0x3C bytes Wii U device unique certificate signature
5 0x2C8 (0xB2 * 4) 0x18 bytes Reserved
5 0x2E0 (0xB8 * 4) 0x20 bytes Reserved (locked out by boot1)
6 0x300 (0xC0 * 4) 0x04 bytes Wii U device authentication common certificate manufacturing (MS) ID 
Production: 0x00000002
Development: 0x00000003
6 0x304 (0xC1 * 4) 0x04 bytes Wii U device authentication common certificate authority (CA) ID 
Production: 0x00000001
Development: 0x00000002
6 0x308 (0xC2 * 4) 0x04 bytes Wii U device authentication common certificate manufacturing date (seconds elapsed since 1950-01-01)
6 0x30C (0xC3 * 4) 0x3C bytes Wii U device authentication common certificate signature
6 0x348 (0xD2 * 4) 0x10 bytes Wii common2 key (for Korea)
6 0x358 (0xD6 * 4) 0x08 bytes Reserved
6 0x360 (0xD8 * 4) 0x20 bytes Wii U device authentication common certificate private key 
Only 0x1E bytes are used.
7 0x380 (0xE0 * 4) 0x20 bytes Reserved (locked out by boot1)
7 0x3A0 (0xE8 * 4) 0x10 bytes Boot1 key (locked out by boot0)
7 0x3B0 (0xEC * 4) 0x10 bytes Reserved (locked out by boot0)
7 0x3C0 (0xF0 * 4) 0x20 bytes Reserved
7 0x3E0 (0xF8 * 4) 0x04 bytes Reserved
7 0x3E4 (0xF9 * 4) 0x04 bytes Latte package wafer X and Y positions
7 0x3E8 (0xFA * 4) 0x04 bytes
7 0x3EC (0xFB * 4) 0x04 bytes
7 0x3F0 (0xFC * 4) 0x08 bytes LattePackageId
7 0x3F8 (0xFE * 4) 0x04 bytes Reserved
7 0x3FC (0xFF * 4) 0x04 bytes Control flag? 
Flag 0x00000001 is set in production mode.
Flag 0x00000080 disables JTAG.

FuseType

Bits Description
0-26 Reserved
27 Development
28 Production
29
30 Causes an error in boot0
31 Disables evaluation mode

LattePackageId

This identifier is composed by a three digit date code, followed by two letters (possibly identifying the manufacturing site) and three characters (possibly a lot trace code). The Latte SoC includes this identifier in its shield's markings, but prefixed with the number "1".

Example: 226LP734 (SoC shield's marking is 1226LP734)

"226" translates to the 26th week of year 2012, while "LP" appears to indicate the manufacturing site and "734" appears to be a lot trace code.

Espresso

eFuse
Access
EspressoFull
StarbuckFull
Registers
Base0x0c320000
Length0x40
Access size32 bits
Byte orderBig Endian
This box: view  talk  edit

Contents

All data here is written during manufacturing. Items listed as reserved are not known to be used and are either empty or random.

Offset Size Description
0x000 0x10 bytes Espresso Wii U ancast key
0x010 0x10 bytes Espresso vWii ancast key
0x020 0x1C bytes Reserved
0x03C 0x4 bytes FuseType 
Production: 0xB4000001
Development: 0xAC000001

FuseType

Bits Description
0
1-25 Reserved
26 Disables evaluation mode
27 Development
28 Production
29
30
31
Retrieved from "https://wiiubrew.org/w/index.php?title=Hardware/eFuse&oldid=3949"