Line 5:
Line 5:
During the boot process, boot0 loads boot1 from NAND and decrypts it using an AES key stored in the console's [[Hardware/OTP | OTP]]. Immediately after, boot0 permanently disables access to this key by clearing the appropriate value in the [[Hardware/Latte_Registers#LT_OTPPROT | LT_OTPPROT]] register.
During the boot process, boot0 loads boot1 from NAND and decrypts it using an AES key stored in the console's [[Hardware/OTP | OTP]]. Immediately after, boot0 permanently disables access to this key by clearing the appropriate value in the [[Hardware/Latte_Registers#LT_OTPPROT | LT_OTPPROT]] register.
−
Thanks to this mechanism, the contents of boot1 and it's key still remain unknown. However, it's possible to predict boot1's role in the boot process to some extent.
+
Thanks to this mechanism, the contents of boot1 and it's key still remain unknown to the public; derrekr6 managed to decrypt the boot1 and see its contents. It's possible to predict boot1's role in the boot process to some extent.
boot1 is responsible for loading the [[IOSU]] from NAND, therefore it must read it, verify it's signature and decrypt it. It's also speculated that boot1 must configure external DDR3 memory.
boot1 is responsible for loading the [[IOSU]] from NAND, therefore it must read it, verify it's signature and decrypt it. It's also speculated that boot1 must configure external DDR3 memory.
+
boot1 also reads a file called "system.xml" (/vol/storage_slc/config/system.xml), xml parsing code is pretty safe
Attempting to read the LT_OTPPROT register immediately after the IOSU begins executing will return the value 0xCF7FFFFF.
Attempting to read the LT_OTPPROT register immediately after the IOSU begins executing will return the value 0xCF7FFFFF.
boot0 only sets LT_OTPPROT once to 0xDFFFFFFF, which means that boot1 also locks 2 additional OTP blocks for unknown reasons.
boot0 only sets LT_OTPPROT once to 0xDFFFFFFF, which means that boot1 also locks 2 additional OTP blocks for unknown reasons.
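Review bot: The added system.xml line ends with "xml parsing code is pretty safe", an assessment with no stated basis that is joined to the preceding clause by a comma splice; state what was actually examined in the parser or drop the clause. The rewritten sentence in the first changed paragraph attributes the decryption of boot1 to derrekr6 without a reference, while the text that follows still says boot1's role can only be predicted "to some extent" and that the DDR3 configuration is "speculated"; add a source for the claim and reconcile the surrounding wording with it. The changed sentence also keeps "it's key" where the possessive "its key" is meant, so this edit is a good place to correct that.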