Hardware/SEEPROM
< Hardware
Jump to navigation
Jump to search
General
The Latte package contains a 93C66 (or similar) SPI EEPROM, organized as 256 16-bit words, making it twice the size of the EEPROM found in the Wii's Hollywood package. It is accessed by twiddling some of the Starbuck GPIO lines in the exact same way as it was done on the Wii's Starlet GPIO lines.
SEEPROM Contents
Most of the data here is written once at the factory and never changed, but some fields are updated fairly frequently:
| Offset (word index * 2) | Size | Description |
|---|---|---|
| 0x000 (0x00 * 2) | 0x12 bytes | Empty. |
| 0x012 (0x09 * 2) | 0x08 bytes | SEEPROM PRNG seed.
Incremented every time IOS-CRYPTO starts. Used with the OTP's RNG key and the OTP's RNG seed to setup IOSU's PRNG. |
| 0x01A (0x0D * 2) | 0x06 bytes | Empty. |
| 0x020 (0x10 * 2) | 0x04 bytes | PPC PVR (0x70010201). |
| 0x024 (0x12 * 2) | 0x06 bytes | ASCII tag. |
| 0x02A (0x15 * 2) | 0x06 bytes | Unknown. |
| 0x030 (0x18 * 2) | 0x08 bytes | ASCII tag (same as the OTP's tag). |
| 0x038 (0x1C * 2) | 0x08 bytes | Unknown. |
| 0x040 (0x20 * 2) | 0x04 bytes | ASCII tag. |
| 0x044 (0x22 * 2) | 0x02 bytes | Unknown. |
| 0x046 (0x23 * 2) | 0x02 bytes | ASCII tag. |
| 0x048 (0x24 * 2) | 0x08 bytes | Unknown. |
| 0x050 (0x28 * 2) | 0x10 bytes | Unknown. |
| 0x060 (0x30 * 2) | 0x20 bytes | Empty. |
| 0x080 (0x40 * 2) | 0x10 bytes | Wii U drive key. |
| 0x090 (0x48 * 2) | 0x10 bytes | Wii U factory key (cleared by IOS-MCP). |
| 0x0A0 (0x50 * 2) | 0x10 bytes | Wii U devkit key (?). |
| 0x0B0 (0x58 * 2) | 0x10 bytes | Wii U 0x12-keyhandle key.
This key is crypted then used to set the /dev/crypto 0x12-keyhandle keydata. The first 4 bytes of this key must match the last 4 bytes of a 0x10 seed stored in the OTP. |
| 0x0C0 (0x60 * 2) | 0x02 bytes | Drive key's status flag.
If the flag is 0xFFFF, the drive key is set and encrypted with the Wii U SEEPROM key. If the flag is 0x0000, the drive key is set and in plain form. |
| 0x0C2 (0x61 * 2) | 0x02 bytes | 0x12-keyhandle key's status flag. |
| 0x0C4 (0x62 * 2) | 0x02 bytes | Devkit key's status flag.
If the flag is 0xFFFF, the devkit key is set and encrypted with a key from OTP. If the flag is 0x0000, the devkit key is not set. |
| 0x0C6 (0x63 * 2) | 0x6A bytes | Empty. |
| 0x130 (0x98 * 2) | 0x04 bytes | Unknown. |
| 0x134 (0x9A * 2) | 0x04 bytes | Unknown. |
| 0x138 (0x9C * 2) | 0x08 bytes | Unknown. |
| 0x140 (0xA0 * 2) | 0x04 bytes | slc:sys_prod.version |
| 0x144 (0xA2 * 2) | 0x04 bytes | slc:sys_prod.eeprom_version |
| 0x148 (0xA4 * 2) | 0x04 bytes | slc:sys_prod.product_area |
| 0x14C (0xA6 * 2) | 0x04 bytes | slc:sys_prod.game_region |
| 0x150 (0xA8 * 2) | 0x04 bytes | slc:sys_prod.ntsc_pal |
| 0x154 (0xAA * 2) | 0x02 bytes | slc:sys_prod.5ghz_country_code |
| 0x156 (0xAB * 2) | 0x02 bytes | slc:sys_prod.5ghz_country_code_revision |
| 0x158 (0xAC * 2) | 0x08 bytes | slc:sys_prod.code_id |
| 0x160 (0xB0 * 2) | 0x10 bytes | slc:sys_prod.serial_id |
| 0x170 (0xB8 * 2) | 0x10 bytes | slc:sys_prod.model_number |
| 0x180 (0xC0 * 2) | 0x04 bytes | Unknown. |
| 0x184 (0xC2 * 2) | 0x0C bytes | Unknown. |
| 0x190 (0xC8 * 2) | 0x10 bytes | Unknown. |
| 0x1A0 (0xD0 * 2) | 0x08 bytes | Unknown. |
| 0x1A8 (0xD4 * 2) | 0x08 bytes | ASCII tag. |
| 0x1B0 (0xD8 * 2) | 0x10 bytes | Unknown. |
| 0x1C0 (0xE0 * 2) | 0x10 bytes | NAND counter? (encrypted with Wii U SEEPROM key). |
| 0x1D0 (0xE8 * 2) | 0x10 bytes | NAND counter? (encrypted with Wii U SEEPROM key). |
| 0x1E0 (0xF0 * 2) | 0x10 bytes | NAND counter? (encrypted with Wii U SEEPROM key). |
| 0x1F0 (0xF8 * 2) | 0x10 bytes | Empty. |