Hardware/eFuse
| eFuse | |
| Latte Registers | |
| Access | |
|---|---|
| Espresso | None |
| Starbuck | Full |
| Registers | |
| Base | 0x0d8001ec |
| Length | 0x8 |
| Access size | 32 bits |
| Byte order | Big Endian |
General
The One Time Programmable memory is programmed sometime during the factory process and can never be changed afterwards. The Wii U's OTP is much larger than the Wii's (1KB split across 8 banks of 128 bytes each) and contains an assortment of read-only data, including the console's encryption/decryption keys.
Register List
| Latte GPIOs | |||
|---|---|---|---|
| Address | Bits | Name | Description |
| 0x0d8001ec | 32 | HW_OTP_COMMAND | OTP command |
| 0x0d8001f0 | 32 | HW_OTP_DATA | OTP data |
General Registers
| HW_OTP_COMMAND (0x0d8001ec) | ||||||||||||||||
| 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | |
| Access | R/W | U | ||||||||||||||
| Field | RD | |||||||||||||||
| 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | |
| Access | U | R/W | ||||||||||||||
| Field | ADDR | |||||||||||||||
| Field | Description |
| RD | Set to one to execute a read command. If clear, then the data in HW_OTP_DATA is unchanged. |
| ADDR | Word address to read. 0x00 to 0x1F (32 4byte words) ORed with the bank's number (0x000 to 0x700). |
This register contains the command sent to the OTP. It is unknown whether is register is also used during the factory process to program the OTP.
| HW_OTP_DATA (0x0d8001f0) | |
| 310 | |
| Access | R |
This register contains the output data for the last issued OTP read command. The execution of a read operation via the HW_OTP_COMMAND register immediately changes this register without any delay.
IOSU
The Wii U's IOSU interacts with the OTP by setting it's respective Latte registers. In addition to this, the IOS-CRYPTO process is also able to access the OTP indirectly through syscall 0x22, which takes the OTP word index, a buffer to store the result and the requested size as parameters. The IOS-KERNEL then converts the word index:
int read_otp_internal(int index, void* out_buf, u32 size)
{
generate_control_bits();
if (size != 0)
{
int step = 0;
while (step < size)
{
int word_addr = index + (step >> 2);
int word_offset = word_addr & 0x1F; // Each OTP bank has 0x20 * 4 = 0x80 bytes. Valid word indexes go from 0x00 to 0x1F.
word_addr = word_addr << 3;
word_offset = word_offset | 0x80000000; // Set OTP read flag.
word_addr = word_addr & 0x700; // OTP bank goes from 0x000 to 0x700.
word_addr = word_addr | word_offset;
*(u32*)0x0D8001EC = word_addr; // HW_OTPCMD
// Keep checking the read flag.
if (!((*(u32*)0x0D8001EC) & 0x80000000))
break;
*(u32*)(out_buf + step) = *(u32*)0x0D8001F0; // HW_OTPDATA
step += 4;
}
}
generate_control_bits();
return 0;
}
syscall_0x22(index, out_buf, size)
{
// Do some permission checks.
...
// Internal IOS-KERNEL function.
read_otp_internal(index, out_buf, size);
}
OTP Contents
The following things are stored inside the OTP and requested by the IOSU kernel at some point:
| Bank | Address | Size | Description |
|---|---|---|---|
| 0 (vWii bank) | 0x005 to 0x009 | 0x10 bytes | Possibly old Wii key. |
| 0 (vWii bank) | 0x011 to 0x016 | 0x14 bytes | Possibly old Wii hash. |
| 0 (vWii bank) | 0x016 to 0x01A | 0x10 bytes | Possibly old Wii key. |
| 1 (unknown) | 0x100 to 0x101 | 0x04 bytes | Unknown. Syscall 0x20 checks this value. |
| 1 (unknown) | 0x104 to 0x108 | 0x10 bytes | Unknown. |
| 1 (unknown) | 0x108 to 0x10C | 0x10 bytes | Unknown. |
| 1 (unknown) | 0x114 to 0x118 | 0x10 bytes | Unknown. |
| 1 (unknown) | 0x118 to 0x11C | 0x10 bytes | Unknown. |
| 2 (unknown) | 0x208 to 0x20C | 0x10 bytes | Unknown. |
| 2 (unknown) | 0x20C to 0x210 | 0x10 bytes | Unknown. |
| 2 (unknown) | 0x210 to 0x214 | 0x10 bytes | Unknown. |
| 2 (unknown) | 0x214 to 0x218 | 0x10 bytes | Unknown. |
| 2 (unknown) | 0x218 to 0x21C | 0x10 bytes | Unknown. |
| 2 (unknown) | 0x21C to 0x300 | 0x10 bytes | Unknown. |
| 3 (unknown) | 0x300 to 0x304 | 0x04 bytes | Unknown. |
| 3 (unknown) | 0x304 to 0x308 | 0x10 bytes | Unknown. |
| 3 (unknown) | 0x308 to 0x30C | 0x10 bytes | Unknown. |
| 3 (unknown) | 0x318 to 0x31D | 0x14 bytes | Unknown. |
| 4 (unknown) | 0x407 to 0x408 | 0x04 bytes | Unknown. |
| 4 (unknown) | 0x408 to 0x410 | 0x20 bytes | Unknown. |
| 4 (unknown) | 0x410 to 0x418 | 0x20 bytes | Unknown. |
| 4 (unknown) | 0x418 to 0x41C | 0x10 bytes | Unknown. |
| 5 (unknown) | 0x500 to 0x501 | 0x04 bytes | Unknown. |
| 5 (unknown) | 0x501 to 0x502 | 0x04 bytes | Unknown. |
| 5 (unknown) | 0x502 to 0x503 | 0x04 bytes | Unknown. |
| 5 (unknown) | 0x503 to 0x513 | 0x40 bytes | Unknown. |
| 6 (SEEPROM bank) | 0x600 to 0x618 | 0x60 bytes | Possibly the old SEEPROM certificate data. |
| 6 (SEEPROM bank) | 0x618 to 0x700 | 0x20 bytes | Unknown. |
| 7 (unknown) | 0x700 to 0x800 | 0x80 bytes | Unknown. Doesn't seem to be used. |