In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

Difference between revisions of "Hardware/eFuse"

From WiiUBrew
Line 178: Line 178:
 
| 4 (Wii U device bank) || 0x270 (0x9C * 4) || 0x10 bytes || Reserved
 
| 4 (Wii U device bank) || 0x270 (0x9C * 4) || 0x10 bytes || Reserved
 
|-
 
|-
| 5 (Wii U certificate bank) || 0x280 (0xA0 * 4) || 0x04 bytes || Wii U root certificate MS ID
+
| 5 (Wii U certificate bank) || 0x280 (0xA0 * 4) || 0x04 bytes || Wii U device certificate manufacturing (MS) ID
 
  Production: 0x00000012
 
  Production: 0x00000012
 
  Development: 0x00000003
 
  Development: 0x00000003
 
|-
 
|-
| 5 (Wii U certificate bank) || 0x284 (0xA1 * 4) || 0x04 bytes || Wii U root certificate CA ID
+
| 5 (Wii U certificate bank) || 0x284 (0xA1 * 4) || 0x04 bytes || Wii U device certificate authority (CA) ID
 
  Production: 0x00000003
 
  Production: 0x00000003
 
  Development: 0x00000002
 
  Development: 0x00000002
 
|-
 
|-
| 5 (Wii U certificate bank) || 0x288 (0xA2 * 4) || 0x04 bytes || Wii U root certificate device ID
+
| 5 (Wii U certificate bank) || 0x288 (0xA2 * 4) || 0x04 bytes || Wii U device certificate manufacturing date (seconds elapsed since 1950-01-01)
 
|-
 
|-
| 5 (Wii U certificate bank) || 0x28C (0xA3 * 4) || 0x3C bytes || Wii U root certificate device signature
+
| 5 (Wii U certificate bank) || 0x28C (0xA3 * 4) || 0x3C bytes || Wii U device certificate signature
 
|-
 
|-
 
| 5 (Wii U certificate bank) || 0x2C8 (0xB2 * 4) || 0x18 bytes || Reserved
 
| 5 (Wii U certificate bank) || 0x2C8 (0xB2 * 4) || 0x18 bytes || Reserved
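Review bot: the 0x288 row changes meaning rather than wording, from "device ID" to "manufacturing date (seconds elapsed since 1950-01-01)", and nothing in the row says how the 4-byte value is read or where the 1950 epoch comes from. Suggest stating that it is an unsigned big-endian word and adding one decoded sample value or a reference, so the interpretation can be checked. The 0x280 and 0x284 rows keep their Production and Development values unchanged, which is consistent with a pure rename there.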
Line 194: Line 194:
 
| 5 (Wii U certificate bank) || 0x2E0 (0xB8 * 4) || 0x20 bytes || Reserved (locked out by boot1)
 
| 5 (Wii U certificate bank) || 0x2E0 (0xB8 * 4) || 0x20 bytes || Reserved (locked out by boot1)
 
|-
 
|-
| 6 (Wii certificate bank) || 0x300 (0xC0 * 4) || 0x04 bytes || Wii root certificate MS ID
+
| 6 (Wii certificate bank) || 0x300 (0xC0 * 4) || 0x04 bytes || Wii device certificate manufacturing (MS) ID
 
  Production: 0x00000002
 
  Production: 0x00000002
 
  Development: 0x00000003
 
  Development: 0x00000003
 
|-
 
|-
| 6 (Wii certificate bank) || 0x304 (0xC1 * 4) || 0x04 bytes || Wii root certificate CA ID
+
| 6 (Wii certificate bank) || 0x304 (0xC1 * 4) || 0x04 bytes || Wii device certificate authority (CA) ID
 
  Production: 0x00000001
 
  Production: 0x00000001
 
  Development: 0x00000002
 
  Development: 0x00000002
 
|-
 
|-
| 6 (Wii certificate bank) || 0x308 (0xC2 * 4) || 0x04 bytes || Wii root certificate device ID
+
| 6 (Wii certificate bank) || 0x308 (0xC2 * 4) || 0x04 bytes || Wii device certificate manufacturing date (seconds elapsed since 1950-01-01)
 
|-
 
|-
| 6 (Wii certificate bank) || 0x30C (0xC3 * 4) || 0x3C bytes || Wii root certificate device signature
+
| 6 (Wii certificate bank) || 0x30C (0xC3 * 4) || 0x3C bytes || Wii device certificate signature
 
|-
 
|-
 
| 6 (Wii certificate bank) || 0x348 (0xD2 * 4) || 0x10 bytes || Wii common2 key (for Korea)
 
| 6 (Wii certificate bank) || 0x348 (0xD2 * 4) || 0x10 bytes || Wii common2 key (for Korea)
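Review bot: in the 0x300 and 0x304 rows the new wording "device certificate manufacturing (MS) ID" and "device certificate authority (CA) ID" puts the abbreviation mid-phrase, so "device certificate authority" can be read as a single term and "MS" is never expanded. Suggest something like "device certificate MS ID (manufacturing)" and "device certificate CA ID (certificate authority)". The 0x308 row has the same open point as the Wii U bank's 0x288 row: the 1950-01-01 epoch is stated without a sample value or source.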

Revision as of 23:58, 25 November 2023

eFuse (Latte Registers)
Access
  Espresso: None
  Starbuck: Full
Registers
  Base: 0x0d8001ec
  Length: 0x8
  Access size: 32 bits
  Byte order: Big Endian

General

The One Time Programmable memory is programmed sometime during the factory process and can never be changed afterwards. The Wii U's OTP is much larger than the Wii's (1KB split across 8 banks of 128 bytes each) and contains an assortment of read-only data, including the console's encryption/decryption keys.

Register List

OTP
| Address || Bits || Name || Description
| 0x0d8001ec || 32 || HW_EFUSEADDR || OTP command
| 0x0d8001f0 || 32 || HW_EFUSEDATA || OTP data

General Registers

HW_EFUSEADDR (0x0d8001ec)
| Bits || Field || Access
| 31 || RD || R/W
| 30-11 || || U
| 10-8 || BANK || R/W
| 7-5 || || U
| 4-0 || ADDR || R/W

| Field || Description
| RD || Set to one to execute a read command. If clear, the data in HW_EFUSEDATA is unchanged.
| BANK || Bank number (0x0 to 0x7).
| ADDR || Word address to read, 0x00 to 0x1F (32 4-byte words).

This register contains the command sent to the OTP. It is unknown whether this register is also used during the factory process to program the OTP.


HW_EFUSEDATA (0x0d8001f0)
| Bits || Access
| 31-0 || R

This register contains the output data for the last issued OTP read command. The execution of a read operation via the HW_EFUSEADDR register immediately changes this register without any delay.

IOSU

The Wii U's IOSU interacts with the OTP by setting its respective Latte registers. In addition, the IOS-CRYPTO process can access the OTP indirectly through syscall 0x22, which takes the OTP word index, a buffer to store the result and the requested size as parameters. The IOS-KERNEL then converts the word index into a HW_EFUSEADDR command:

int read_otp_internal(int index, void* out_buf, u32 size)
{
  int i_res = disable_interrupts();

  if (size != 0)
  {
    u32 step = 0;

    while (step < size)
    {
      int word_addr = index + (step >> 2);
      int word_offset = word_addr & 0x1F;      // Each OTP bank has 0x20 * 4 = 0x80 bytes. Valid word indexes go from 0x00 to 0x1F.
      word_addr = word_addr << 3;              // Move the bank number (index bits 5-7) up to bits 8-10.
      word_offset = word_offset | 0x80000000;  // Set OTP read flag.
      word_addr = word_addr & 0x700;           // OTP bank goes from 0x000 to 0x700.
      word_addr = word_addr | word_offset;

      *(volatile u32*)0x0D8001EC = word_addr;                        // Write to HW_EFUSEADDR
      u32 temp = *(volatile u32*)0x0D8001EC;                         // Read back from HW_EFUSEADDR (value is discarded)
      (void)temp;

      *(u32*)((char*)out_buf + step) = *(volatile u32*)0x0D8001F0;   // Copy from HW_EFUSEDATA

      step += 4;
    }
  }

  enable_interrupts(i_res);
  return 0;
}

syscall_0x22(index, out_buf, size)
{
  // Do some permission checks.
  ...

  // Internal IOS-KERNEL function.
  read_otp_internal(index, out_buf, size);
}
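
The index-to-command conversion and the RD/BANK/ADDR behaviour described above, as an added example (not IOSU code and not from the original page): a software model of the two registers over a 1 KB image. `efuse_model`, `efuse_cmd`, `efuse_write_addr` and `otp_read` are hypothetical names, and the range check in `otp_read` is this example's own.

```c
#include <assert.h>
#include <stdint.h>

#define EFUSE_RD        0x80000000u  /* RD flag, bit 31 */
#define EFUSE_BANK_MASK 0x00000700u  /* BANK field, bits 8-10 */
#define EFUSE_ADDR_MASK 0x0000001Fu  /* ADDR field, bits 0-4 */

/* Command word for an OTP word index, same shift/mask steps as the page. */
uint32_t efuse_cmd(uint32_t word_index)
{
    return EFUSE_RD | ((word_index << 3) & EFUSE_BANK_MASK)
                    | (word_index & EFUSE_ADDR_MASK);
}

/* Hypothetical software model of the register pair over a 1 KB OTP image. */
typedef struct { uint8_t otp[0x400]; uint32_t data; } efuse_model;

/* Model of a write to HW_EFUSEADDR: a set RD bit latches one word. */
void efuse_write_addr(efuse_model *m, uint32_t cmd)
{
    if (!(cmd & EFUSE_RD))
        return;                      /* RD clear: HW_EFUSEDATA unchanged */
    uint32_t bank = (cmd & EFUSE_BANK_MASK) >> 8;
    const uint8_t *p = &m->otp[bank * 0x80 + (cmd & EFUSE_ADDR_MASK) * 4];
    m->data = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
              (uint32_t)p[2] << 8 | p[3];         /* big-endian word */
}

/* Read `size` bytes from a word index; range check added by this example. */
int otp_read(efuse_model *m, uint32_t word_index, uint8_t *out, uint32_t size)
{
    if ((size & 3) || word_index > 0xFF || size / 4 > 0x100 - word_index)
        return -1;
    for (uint32_t step = 0; step < size; step += 4) {
        efuse_write_addr(m, efuse_cmd(word_index + (step >> 2)));
        for (int b = 0; b < 4; b++)               /* store big-endian */
            out[step + b] = (uint8_t)(m->data >> (24 - 8 * b));
    }
    return 0;
}

int main(void)
{
    efuse_model m = {0};             /* constructed, all-zero OTP image */
    uint8_t id[4];
    m.otp[0x21F] = 0x2A;             /* constructed sample byte */
    assert(efuse_cmd(0x87) == 0x80000407u);  /* offset 0x21C: bank 4, word 7 */
    assert(otp_read(&m, 0x87, id, 4) == 0 && id[3] == 0x2A);
}
```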

Contents

All data here is written during manufacturing. Items listed as reserved are not known to be used and are either empty or random.

| Bank || Offset (word index * 4) || Size || Description
| 0 (Wii bank) || 0x000 (0x00 * 4) || 0x14 bytes || Wii boot1 SHA-1 hash
| 0 (Wii bank) || 0x014 (0x05 * 4) || 0x10 bytes || Wii common key
| 0 (Wii bank) || 0x024 (0x09 * 4) || 0x04 bytes || Wii device ID
| 0 (Wii bank) || 0x028 (0x0A * 4) || 0x1C bytes || Wii device private key
| 0 (Wii bank) || 0x044 (0x11 * 4) || 0x14 bytes || Wii NAND HMAC (overlaps with device private key)
| 0 (Wii bank) || 0x058 (0x16 * 4) || 0x10 bytes || Wii NAND key
| 0 (Wii bank) || 0x068 (0x1A * 4) || 0x10 bytes || Wii backup key (for RNG)
| 0 (Wii bank) || 0x078 (0x1E * 4) || 0x08 bytes || Reserved
| 1 (Wii U bank) || 0x080 (0x20 * 4) || 0x04 bytes || FuseType
  Production: 0x90000000
  Development: 0x88000000
  Evaluation: 0x00000000
| 1 (Wii U bank) || 0x084 (0x21 * 4) || 0x04 bytes || IOStrength configuration flags
  Production: 0x00000000
  Flag 0x00008000 sets register HW_IOSTRCTRL0.
  Flags 0x00000008, 0x00000080, 0x00000800, 0x00002000 set register HW_IOSTRCTRL1.
| 1 (Wii U bank) || 0x088 (0x22 * 4) || 0x04 bytes || Pulse length for SEEPROM manual CLK
  Production: 0x00000000 (defaults to 0xFA in boot0)
| 1 (Wii U bank) || 0x08C (0x23 * 4) || 0x04 bytes || Signature type?
  Production: 0x00010000
  Development: 0x00000000
| 1 (Wii U bank) || 0x090 (0x24 * 4) || 0x10 bytes || Starbuck ancast key
| 1 (Wii U bank) || 0x0A0 (0x28 * 4) || 0x10 bytes || SEEPROM key
| 1 (Wii U bank) || 0x0B0 (0x2C * 4) || 0x10 bytes || Reserved
| 1 (Wii U bank) || 0x0C0 (0x30 * 4) || 0x10 bytes || Reserved
| 1 (Wii U bank) || 0x0D0 (0x34 * 4) || 0x10 bytes || vWii common key
| 1 (Wii U bank) || 0x0E0 (0x38 * 4) || 0x10 bytes || Wii U common key
| 1 (Wii U bank) || 0x0F0 (0x3C * 4) || 0x10 bytes || Reserved
| 2 (Wii U bank) || 0x100 (0x40 * 4) || 0x10 bytes || Reserved
| 2 (Wii U bank) || 0x110 (0x44 * 4) || 0x10 bytes || Reserved
| 2 (Wii U bank) || 0x120 (0x48 * 4) || 0x10 bytes || SSL RSA kek
| 2 (Wii U bank) || 0x130 (0x4C * 4) || 0x10 bytes || IVS key
| 2 (Wii U bank) || 0x140 (0x50 * 4) || 0x10 bytes || Unknown
| 2 (Wii U bank) || 0x150 (0x54 * 4) || 0x10 bytes || XOR key
| 2 (Wii U bank) || 0x160 (0x58 * 4) || 0x10 bytes || Wii U backup key (for RNG)
| 2 (Wii U bank) || 0x170 (0x5C * 4) || 0x10 bytes || SLC key
| 3 (Wii U bank) || 0x180 (0x60 * 4) || 0x10 bytes || MLC key
| 3 (Wii U bank) || 0x190 (0x64 * 4) || 0x10 bytes || SHDD key
| 3 (Wii U bank) || 0x1A0 (0x68 * 4) || 0x10 bytes || DRH WLAN data key
| 3 (Wii U bank) || 0x1B0 (0x6C * 4) || 0x30 bytes || Reserved
| 3 (Wii U bank) || 0x1E0 (0x78 * 4) || 0x14 bytes || SLC HMAC
| 3 (Wii U bank) || 0x1F4 (0x7D * 4) || 0x0C bytes || Reserved
| 4 (Wii U device bank) || 0x200 (0x80 * 4) || 0x10 bytes || Reserved
| 4 (Wii U device bank) || 0x210 (0x84 * 4) || 0x0C bytes || Reserved
| 4 (Wii U device bank) || 0x21C (0x87 * 4) || 0x04 bytes || Wii U device ID
| 4 (Wii U device bank) || 0x220 (0x88 * 4) || 0x20 bytes || Wii U device private key
  Only 0x1E bytes are used.
| 4 (Wii U device bank) || 0x240 (0x90 * 4) || 0x20 bytes || Wii U NSS device certificate private key
  Only 0x1E bytes are used.
| 4 (Wii U device bank) || 0x260 (0x98 * 4) || 0x10 bytes || RNG seed
  Only the first 0x04 bytes are used.
| 4 (Wii U device bank) || 0x270 (0x9C * 4) || 0x10 bytes || Reserved
| 5 (Wii U certificate bank) || 0x280 (0xA0 * 4) || 0x04 bytes || Wii U device certificate manufacturing (MS) ID
  Production: 0x00000012
  Development: 0x00000003
| 5 (Wii U certificate bank) || 0x284 (0xA1 * 4) || 0x04 bytes || Wii U device certificate authority (CA) ID
  Production: 0x00000003
  Development: 0x00000002
| 5 (Wii U certificate bank) || 0x288 (0xA2 * 4) || 0x04 bytes || Wii U device certificate manufacturing date (seconds elapsed since 1950-01-01)
| 5 (Wii U certificate bank) || 0x28C (0xA3 * 4) || 0x3C bytes || Wii U device certificate signature
| 5 (Wii U certificate bank) || 0x2C8 (0xB2 * 4) || 0x18 bytes || Reserved
| 5 (Wii U certificate bank) || 0x2E0 (0xB8 * 4) || 0x20 bytes || Reserved (locked out by boot1)
| 6 (Wii certificate bank) || 0x300 (0xC0 * 4) || 0x04 bytes || Wii device certificate manufacturing (MS) ID
  Production: 0x00000002
  Development: 0x00000003
| 6 (Wii certificate bank) || 0x304 (0xC1 * 4) || 0x04 bytes || Wii device certificate authority (CA) ID
  Production: 0x00000001
  Development: 0x00000002
| 6 (Wii certificate bank) || 0x308 (0xC2 * 4) || 0x04 bytes || Wii device certificate manufacturing date (seconds elapsed since 1950-01-01)
| 6 (Wii certificate bank) || 0x30C (0xC3 * 4) || 0x3C bytes || Wii device certificate signature
| 6 (Wii certificate bank) || 0x348 (0xD2 * 4) || 0x10 bytes || Wii common2 key (for Korea)
| 6 (Wii certificate bank) || 0x358 (0xD6 * 4) || 0x08 bytes || Reserved
| 6 (Wii certificate bank) || 0x360 (0xD8 * 4) || 0x20 bytes || Wii NSS device certificate private key
  Only 0x1E bytes are used.
| 7 (Misc bank) || 0x380 (0xE0 * 4) || 0x20 bytes || Reserved (locked out by boot1)
| 7 (Misc bank) || 0x3A0 (0xE8 * 4) || 0x10 bytes || Boot1 key (locked out by boot0)
| 7 (Misc bank) || 0x3B0 (0xEC * 4) || 0x10 bytes || Reserved (locked out by boot0)
| 7 (Misc bank) || 0x3C0 (0xF0 * 4) || 0x20 bytes || Reserved
| 7 (Misc bank) || 0x3E0 (0xF8 * 4) || 0x04 bytes || Reserved
| 7 (Misc bank) || 0x3E4 (0xF9 * 4) || 0x04 bytes || Latte package wafer X and Y positions
| 7 (Misc bank) || 0x3E8 (0xFA * 4) || 0x04 bytes ||
| 7 (Misc bank) || 0x3EC (0xFB * 4) || 0x04 bytes ||
| 7 (Misc bank) || 0x3F0 (0xFC * 4) || 0x08 bytes || LattePackageId
| 7 (Misc bank) || 0x3F8 (0xFE * 4) || 0x04 bytes || Reserved
| 7 (Misc bank) || 0x3FC (0xFF * 4) || 0x04 bytes || Control flag?
  Flag 0x00000001 is set in production mode.
  Flag 0x00000080 disables JTAG.

FuseType

| Bits || Description
| 0-26 || Reserved
| 27 || Development
| 28 || Production
| 29 ||
| 30 || Causes an error in boot0
| 31 || Disables evaluation mode
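
An added example, not part of the original page: reading the non-secret identification fields out of a 0x400-byte OTP image using the offsets and bit assignments in the tables above. It assumes the image stores each word big-endian; `otp_summary`, `otp_summarize` and `be32` are hypothetical names and the sample bytes in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* 1950-01-01 to 1970-01-01: 7305 days (20 years, 5 leap days) in seconds. */
#define SECS_1950_TO_1970 631152000LL

typedef struct {
    const char *fuse_type;    /* decoded from FuseType, offset 0x080 */
    uint32_t ms_id, ca_id;    /* Wii U device certificate IDs, 0x280 / 0x284 */
    int64_t mfg_unix;         /* manufacturing date (0x288) as Unix time */
    int jtag_disabled;        /* control flag 0x00000080 at offset 0x3FC */
} otp_summary;

/* Big-endian 32-bit load from a byte offset in the OTP image. */
static uint32_t be32(const uint8_t *otp, uint32_t off)
{
    return (uint32_t)otp[off] << 24 | (uint32_t)otp[off + 1] << 16 |
           (uint32_t)otp[off + 2] << 8 | otp[off + 3];
}

/* Summarize identification fields of a 0x400-byte OTP image (no key data). */
otp_summary otp_summarize(const uint8_t *otp)
{
    otp_summary s;
    uint32_t ft = be32(otp, 0x080);
    if (ft & (1u << 28))      s.fuse_type = "production";
    else if (ft & (1u << 27)) s.fuse_type = "development";
    else if (ft == 0)         s.fuse_type = "evaluation";
    else                      s.fuse_type = "unknown";
    s.ms_id = be32(otp, 0x280);
    s.ca_id = be32(otp, 0x284);
    s.mfg_unix = (int64_t)be32(otp, 0x288) - SECS_1950_TO_1970;
    s.jtag_disabled = (be32(otp, 0x3FC) & 0x80u) != 0;
    return s;
}

int main(void)
{
    uint8_t otp[0x400] = {0};                   /* constructed sample image */
    otp[0x080] = 0x90;                          /* FuseType 0x90000000 */
    otp[0x283] = 0x12; otp[0x287] = 0x03;       /* production MS / CA IDs */
    otp[0x288] = 0x75; otp[0x289] = 0x86;       /* constructed date word: */
    otp[0x28A] = 0x47; otp[0x28B] = 0x80;       /* 2012-06-25 00:00:00 UTC */
    otp[0x3FF] = 0x81;                          /* production flag + JTAG off */
    otp_summary s = otp_summarize(otp);
    printf("%s MS=%08X CA=%08X mfg_unix=%lld jtag_disabled=%d\n", s.fuse_type,
           (unsigned)s.ms_id, (unsigned)s.ca_id, (long long)s.mfg_unix,
           s.jtag_disabled);
    return 0;
}
```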

LattePackageId

This identifier is composed of a three-digit date code, followed by two letters (possibly identifying the manufacturing site) and three characters (possibly a lot trace code). The Latte SoC includes this identifier in its shield's markings, but prefixed with the number "1".

Example: 226LP734 (SoC shield's marking is 1226LP734)

"226" translates to the 26th week of year 2012, while "LP" appears to indicate the manufacturing site and "734" appears to be a lot trace code.