Changes

Hardware/eFuse (view source)

Revision as of 23:11, 12 May 2023

359 bytes removed , 23:11, 12 May 2023

no edit summary

Line 7: Line 7:

}}

−

== General ==

+

= General =

The '''O'''ne '''T'''ime '''P'''rogrammable memory is programmed sometime during the factory process and can never be changed afterwards. The Wii U's OTP is much larger than the Wii's (1KB split across 8 banks of 128 bytes each) and contains an assortment of read-only data, including the console's encryption/decryption keys.

−

== Register List ==

+

= Register List =

Line 16: Line 16:

|}

−

== General Registers ==

+

= General Registers =

{{reg32 | HW_EFUSEADDR | addr = 0x0d8001ec | hifields = 2 | lofields = 4 |

|1|15|

Line 35: Line 35:

This register contains the output data for the last issued OTP read command. The execution of a read operation via the HW_EFUSEADDR register immediately changes this register without any delay.

−

== IOSU ==

+

= IOSU =

The Wii U's IOSU interacts with the OTP by setting it's respective Latte registers. In addition to this, the IOS-CRYPTO process is also able to access the OTP indirectly through syscall 0x22, which takes the OTP word index, a buffer to store the result and the requested size as parameters. The IOS-KERNEL then converts the word index:

int read_otp_internal(int index, void* out_buf, u32 size)

Line 76: Line 76:

}

−

=~~= OTP~~ Contents ==

+

= Contents =

−

~~The following things are stored inside the OTP and requested by the IOSU kernel at some point:~~

{| style="border: 1px solid #bbb; border-collapse: collapse; background-color: #eef; padding: 0.2em 0.2em 0.2em 0.2em;" border="1" cellpadding="2"

|- style="background-color: #ddd;"

Line 89: Line 88:

| 0 (Wii bank) || 0x014 (0x05 * 4) || 0x10 bytes || Wii common key

|-

−

| 0 (Wii bank) || 0x024 (0x09 * 4) || 0x04 bytes || Wii NG ID

+

| 0 (Wii bank) || 0x024 (0x09 * 4) || 0x04 bytes || Wii device ID

|-

−

| 0 (Wii bank) || 0x028 (0x0A * 4) || 0x1C bytes || Wii NG private key

+

| 0 (Wii bank) || 0x028 (0x0A * 4) || 0x1C bytes || Wii device private key

|-

−

| 0 (Wii bank) || 0x044 (0x11 * 4) || 0x14 bytes || Wii NAND HMAC (overlaps with NG private key)

+

| 0 (Wii bank) || 0x044 (0x11 * 4) || 0x14 bytes || Wii NAND HMAC (overlaps with device private key)

|-

| 0 (Wii bank) || 0x058 (0x16 * 4) || 0x10 bytes || Wii NAND key

|-

−

| 0 (Wii bank) || 0x068 (0x1A * 4) || 0x10 bytes || Wii RNG ~~key~~

+

| 0 (Wii bank) || 0x068 (0x1A * 4) || 0x10 bytes || Wii backup key (for RNG)

|-

−

| 0 (Wii bank) || 0x078 (0x1E * 4) || 0x08 bytes || ~~Unknown (padding)~~

+

| 0 (Wii bank) || 0x078 (0x1E * 4) || 0x08 bytes || Reserved

|-

| 1 (Wii U bank) || 0x080 (0x20 * 4) || 0x04 bytes || Security level flag

Line 122: Line 121:

Production: 0x00000000 (defaults to 0xFA in boot0)

|-

−

| 1 (Wii U bank) || 0x08C (0x23 * 4) || 0x04 bytes || ~~Seems to be a signature~~ type

+

| 1 (Wii U bank) || 0x08C (0x23 * 4) || 0x04 bytes || Signature type?

Production: 0x00010000

Development: 0x00000000

|-

−

| 1 (Wii U bank) || 0x090 (0x24 * 4) || 0x10 bytes || ~~Wii U~~ Starbuck ancast key

+

| 1 (Wii U bank) || 0x090 (0x24 * 4) || 0x10 bytes || Starbuck ancast key

|-

−

| 1 (Wii U bank) || 0x0A0 (0x28 * 4) || 0x10 bytes || ~~Wii U~~ SEEPROM key

+

| 1 (Wii U bank) || 0x0A0 (0x28 * 4) || 0x10 bytes || SEEPROM key

|-

−

| 1 (Wii U bank) || 0x0B0 (0x2C * 4) || 0x10 bytes || ~~Unknown (unused)~~

+

| 1 (Wii U bank) || 0x0B0 (0x2C * 4) || 0x10 bytes || Reserved

|-

−

| 1 (Wii U bank) || 0x0C0 (0x30 * 4) || 0x10 bytes || ~~Unknown (unused)~~

+

| 1 (Wii U bank) || 0x0C0 (0x30 * 4) || 0x10 bytes || Reserved

|-

| 1 (Wii U bank) || 0x0D0 (0x34 * 4) || 0x10 bytes || vWii common key

Line 138: Line 137:

| 1 (Wii U bank) || 0x0E0 (0x38 * 4) || 0x10 bytes || Wii U common key

|-

−

| 1 (Wii U bank) || 0x0F0 (0x3C * 4) || 0x10 bytes || ~~Unknown (unused)~~

+

| 1 (Wii U bank) || 0x0F0 (0x3C * 4) || 0x10 bytes || Reserved

|-

−

| 2 (Wii U bank) || 0x100 (0x40 * 4) || 0x10 bytes || ~~Unknown (unused)~~

+

| 2 (Wii U bank) || 0x100 (0x40 * 4) || 0x10 bytes || Reserved

|-

−

| 2 (Wii U bank) || 0x110 (0x44 * 4) || 0x10 bytes || ~~Unknown (unused)~~

+

| 2 (Wii U bank) || 0x110 (0x44 * 4) || 0x10 bytes || Reserved

|-

−

| 2 (Wii U bank) || 0x120 (0x48 * 4) || 0x10 bytes || ~~Key to encrypt/decrypt~~ SSL RSA ~~key~~

+

| 2 (Wii U bank) || 0x120 (0x48 * 4) || 0x10 bytes || SSL RSA kek

|-

−

| 2 (Wii U bank) || 0x130 (0x4C * 4) || 0x10 bytes || ~~Key to encrypt/decrypt seeds for~~ USB storage ~~keys~~

+

| 2 (Wii U bank) || 0x130 (0x4C * 4) || 0x10 bytes || USB storage kek

|-

| 2 (Wii U bank) || 0x140 (0x50 * 4) || 0x10 bytes || Unknown

|-

−

| 2 (Wii U bank) || 0x150 (0x54 * 4) || 0x10 bytes || ~~Wii U~~ XOR key

+

| 2 (Wii U bank) || 0x150 (0x54 * 4) || 0x10 bytes || XOR key

|-

−

| 2 (Wii U bank) || 0x160 (0x58 * 4) || 0x10 bytes || ~~Wii U~~ RNG ~~key~~

+

| 2 (Wii U bank) || 0x160 (0x58 * 4) || 0x10 bytes || Backup key (for RNG)

|-

−

| 2 (Wii U bank) || 0x170 (0x5C * 4) || 0x10 bytes || ~~Wii U~~ SLC (NAND) key

+

| 2 (Wii U bank) || 0x170 (0x5C * 4) || 0x10 bytes || SLC (NAND) key

|-

−

| 3 (Wii U bank) || 0x180 (0x60 * 4) || 0x10 bytes || ~~Wii U~~ MLC (eMMC) key

+

| 3 (Wii U bank) || 0x180 (0x60 * 4) || 0x10 bytes || MLC (eMMC) key

|-

−

| 3 (Wii U bank) || 0x190 (0x64 * 4) || 0x10 bytes || ~~Key to encrypt/decrypt~~ SHDD ~~key~~

+

| 3 (Wii U bank) || 0x190 (0x64 * 4) || 0x10 bytes || SHDD kek

|-

−

| 3 (Wii U bank) || 0x1A0 (0x68 * 4) || 0x10 bytes || ~~Key to encrypt/decrypt~~ DRH WLAN data

+

| 3 (Wii U bank) || 0x1A0 (0x68 * 4) || 0x10 bytes || DRH WLAN data key

|-

−

| 3 (Wii U bank) || 0x1B0 (0x6C * 4) || 0x30 bytes || ~~Unknown (unused)~~

+

| 3 (Wii U bank) || 0x1B0 (0x6C * 4) || 0x30 bytes || Reserved

|-

−

| 3 (Wii U bank) || 0x1E0 (0x78 * 4) || 0x14 bytes || ~~Wii U~~ SLC (NAND) HMAC

+

| 3 (Wii U bank) || 0x1E0 (0x78 * 4) || 0x14 bytes || SLC (NAND) HMAC

|-

−

| 3 (Wii U bank) || 0x1F4 (0x7D * 4) || 0x0C bytes || ~~Unknown (padding)~~

+

| 3 (Wii U bank) || 0x1F4 (0x7D * 4) || 0x0C bytes || Reserved

|-

−

| 4 (Wii U NG bank) || 0x200 (0x80 * 4) || 0x10 bytes || ~~Unknown (unused)~~

+

| 4 (Wii U device bank) || 0x200 (0x80 * 4) || 0x10 bytes || Reserved

|-

−

| 4 (Wii U NG bank) || 0x210 (0x84 * 4) || 0x0C bytes || ~~Unknown (unused)~~

+

| 4 (Wii U device bank) || 0x210 (0x84 * 4) || 0x0C bytes || Reserved

|-

−

| 4 (Wii U NG bank) || 0x21C (0x87 * 4) || 0x04 bytes || Wii U NG ID

+

| 4 (Wii U device bank) || 0x21C (0x87 * 4) || 0x04 bytes || Wii U device ID

|-

−

| 4 (Wii U NG bank) || 0x220 (0x88 * 4) || 0x20 bytes || Wii U NG private key

+

| 4 (Wii U device bank) || 0x220 (0x88 * 4) || 0x20 bytes || Wii U device private key

Only 0x1E bytes are used.

|-

−

| 4 (Wii U NG bank) || 0x240 (0x90 * 4) || 0x20 bytes || Wii U ~~private key for~~ NSS device certificate

+

| 4 (Wii U device bank) || 0x240 (0x90 * 4) || 0x20 bytes || Wii U NSS device certificate private key

Only 0x1E bytes are used.

|-

−

| 4 (Wii U NG bank) || 0x260 (0x98 * 4) || 0x10 bytes || ~~Wii U OTP~~ RNG seed

+

| 4 (Wii U device bank) || 0x260 (0x98 * 4) || 0x10 bytes || RNG seed

Only the first 0x04 bytes are used.

|-

−

| 4 (Wii U NG bank) || 0x270 (0x9C * 4) || 0x10 bytes || ~~Unknown (unused)~~

+

| 4 (Wii U device bank) || 0x270 (0x9C * 4) || 0x10 bytes || Reserved

|-

| 5 (Wii U certificate bank) || 0x280 (0xA0 * 4) || 0x04 bytes || Wii U root certificate MS ID

Line 193: Line 192:

Development: 0x00000002

|-

−

| 5 (Wii U certificate bank) || 0x288 (0xA2 * 4) || 0x04 bytes || Wii U root certificate ~~NG key~~ ID

+

| 5 (Wii U certificate bank) || 0x288 (0xA2 * 4) || 0x04 bytes || Wii U root certificate device ID

|-

−

| 5 (Wii U certificate bank) || 0x28C (0xA3 * 4) || 0x3C bytes || Wii U root certificate NG signature

+

| 5 (Wii U certificate bank) || 0x28C (0xA3 * 4) || 0x3C bytes || Wii U root certificate device signature

|-

−

| 5 (Wii U certificate bank) || 0x2C8 (0xB2 * 4) || 0x18 bytes || ~~Unknown (unused)~~

+

| 5 (Wii U certificate bank) || 0x2C8 (0xB2 * 4) || 0x18 bytes || Reserved

|-

−

| 5 (Wii U certificate bank) || 0x2E0 (0xB8 * 4) || 0x20 bytes || ~~Unknown~~ (locked out by boot1~~, unused~~)

+

| 5 (Wii U certificate bank) || 0x2E0 (0xB8 * 4) || 0x20 bytes || Reserved (locked out by boot1)

|-

| 6 (Wii certificate bank) || 0x300 (0xC0 * 4) || 0x04 bytes || Wii root certificate MS ID

Line 209: Line 208:

Development: 0x00000002

|-

−

| 6 (Wii certificate bank) || 0x308 (0xC2 * 4) || 0x04 bytes || Wii root certificate ~~NG key~~ ID

+

| 6 (Wii certificate bank) || 0x308 (0xC2 * 4) || 0x04 bytes || Wii root certificate device ID

|-

−

| 6 (Wii certificate bank) || 0x30C (0xC3 * 4) || 0x3C bytes || Wii root certificate NG signature

+

| 6 (Wii certificate bank) || 0x30C (0xC3 * 4) || 0x3C bytes || Wii root certificate device signature

|-

−

| 6 (Wii certificate bank) || 0x348 (0xD2 * 4) || 0x10 bytes || Wii ~~Korean~~ key

+

| 6 (Wii certificate bank) || 0x348 (0xD2 * 4) || 0x10 bytes || Wii common2 key (for Korea)

|-

−

| 6 (Wii certificate bank) || 0x358 (0xD6 * 4) || 0x08 bytes || ~~Unknown (unused)~~

+

| 6 (Wii certificate bank) || 0x358 (0xD6 * 4) || 0x08 bytes || Reserved

|-

−

| 6 (Wii certificate bank) || 0x360 (0xD8 * 4) || 0x20 bytes || Wii ~~private key for~~ NSS device certificate

+

| 6 (Wii certificate bank) || 0x360 (0xD8 * 4) || 0x20 bytes || Wii NSS device certificate private key

Only 0x1E bytes are used.

|-

−

| 7 (Misc bank) || 0x380 (0xE0 * 4) || 0x20 bytes || ~~Unknown~~ (locked out by boot1~~, unused~~)

+

| 7 (Misc bank) || 0x380 (0xE0 * 4) || 0x20 bytes || Reserved (locked out by boot1)

|-

−

| 7 (Misc bank) || 0x3A0 (0xE8 * 4) || 0x10 bytes || ~~Wii U boot1~~ key (locked out by boot0)

+

| 7 (Misc bank) || 0x3A0 (0xE8 * 4) || 0x10 bytes || [[#Boot1|Boot1]] key (locked out by boot0)

|-

−

| 7 (Misc bank) || 0x3B0 (0xEC * 4) || 0x10 bytes || ~~Unknown~~ (locked out by boot0~~, unused~~)

+

| 7 (Misc bank) || 0x3B0 (0xEC * 4) || 0x10 bytes || Reserved (locked out by boot0)

|-

−

| 7 (Misc bank) || 0x3C0 (0xF0 * 4) || 0x20 bytes || ~~Empty~~

+

| 7 (Misc bank) || 0x3C0 (0xF0 * 4) || 0x20 bytes || Reserved

|-

−

| 7 (Misc bank) || 0x3E0 (0xF8 * 4) || 0x04 bytes || ~~Empty~~

+

| 7 (Misc bank) || 0x3E0 (0xF8 * 4) || 0x04 bytes ||

|-

−

| 7 (Misc bank) || 0x3E4 (0xF9 * 4) || 0x04 bytes || ~~OTP version and revision~~

+

| 7 (Misc bank) || 0x3E4 (0xF9 * 4) || 0x04 bytes ||

|-

−

| 7 (Misc bank) || 0x3E8 (0xFA * 4) || 0x08 bytes || ~~OTP date code~~

+

| 7 (Misc bank) || 0x3E8 (0xFA * 4) || 0x08 bytes ||

|-

−

| 7 (Misc bank) || 0x3F0 (0xFC * 4) || 0x08 bytes || ~~OTP version name string~~

+

| 7 (Misc bank) || 0x3F0 (0xFC * 4) || 0x08 bytes || Manufacturing code?

|-

−

| 7 (Misc bank) || 0x3F8 (0xFE * 4) || 0x04 bytes || ~~Empty~~

+

| 7 (Misc bank) || 0x3F8 (0xFE * 4) || 0x04 bytes ||

|-

| 7 (Misc bank) || 0x3FC (0xFF * 4) || 0x04 bytes || Control flag

Flag 0x00000001 is set in production mode.

Flag 0x00000080 disables JTAG.

−

|-

|}

Hexkyz

Bureaucrats, Interface administrators, Administrators

301

edits

Changes

Hardware/eFuse (view source)

Revision as of 23:11, 12 May 2023

Navigation menu

Search