Difference between revisions of "eFuse"
| Line 1: | Line 1: | ||
{{DISPLAYTITLE:eFuse}} | {{DISPLAYTITLE:eFuse}} | ||
| + | |||
<span style="background: #F1EBEB; border: 2px #CACACA solid; padding: 2px 1px 2px 4px;"> | <span style="background: #F1EBEB; border: 2px #CACACA solid; padding: 2px 1px 2px 4px;"> | ||
| − | [[File:Wii.png | + | [[File:Wii.png |30px]] This topic has a Wiibrew article. For more information, check [https://wiibrew.org/wiki/Hardware/OTP here].</span> |
| − | The ''' | + | The '''eFuses''' (also known as 'OTP' unofficially) are a region of non-volatile memory on various Nintendo systems which can only be written once. Depending on the system, this area may only be writable at the time of chip manufacturing, or it might be writable at any time but with bits only ever being flippable once (referred to as 'cutting fuses'). This is used to store various secure information such as hashes, encryption keys, and downgrade protection (on the Switch). |
| − | == | + | ==Wii== |
| − | The | + | The Wii stores a small amount of data here; some of it is Wii-specific (such as NAND keys), but the hash of the version of boot1 used in that Wii is also stored (making boot1 impossible to update) and the common key used in the Wii. |
| − | === | + | ===eFuse Contents=== |
| − | The following things are stored inside the | + | The following things are stored inside the eFuses: |
{| style="border: 1px solid #bbb; border-collapse: collapse; background-color: #eef; padding: 0.2em 0.2em 0.2em 0.2em;" border="1" cellpadding="2" | {| style="border: 1px solid #bbb; border-collapse: collapse; background-color: #eef; padding: 0.2em 0.2em 0.2em 0.2em;" border="1" cellpadding="2" | ||
|- style="background-color: #ddd;" | |- style="background-color: #ddd;" | ||
| − | ! Address | + | !Address |
| − | ! Description | + | !Description |
|- | |- | ||
| − | | 0-4 || | + | |0-4||[[boot1]] hash |
|- | |- | ||
| − | | 5-8 || common key | + | |5-8||common key |
|- | |- | ||
| − | | 9 || NG id | + | |9||NG ([[NNGC]]) id |
|- | |- | ||
| − | | a-11 || NG private key | + | |a-11||NG private key |
|- | |- | ||
| − | | 11-15 || NAND HMAC (overlaps with NG private key) | + | |11-15||NAND HMAC (overlaps with NG private key) |
|- | |- | ||
| − | | 16-19 || NAND key | + | |16-19||NAND key |
|- | |- | ||
| − | | 1a-1d || RNG key | + | |1a-1d||RNG key |
|- | |- | ||
| − | | 1e-1f || | + | |1e-1f||Feature enable flags (JTAG, debug boot, etc) |
|- | |- | ||
|} | |} | ||
| − | {{Template:WiiNavbox}} | + | === eFuse Programming === |
| + | The Wii's eFuses are programmed via JTAG at chip manufacture time with a special power pin. Since the JTAG has a disabling flag in the eFuse region itself which is normally set on most [[Hollywood]] chips, the eFuses can never be programmed again once this flag is set and this is the case for almost all Wii units in existence (including final devkits). | ||
| + | |||
| + | There are known to be 3 types of Hollywood chips marked based on their eFuse configuration; 'fully programmed' (used for retail systems), 'partially programmed' (boot1 hash and possibly other things absent, used for devkits), and 'blank' (used for prototypes and possibly other internal/bringup chips). Blank chips are extremely rare and there are not known to be any in the wild; if there was such a chip, it could be used for unrestricted access to the Wii's hardware and software. | ||
| + | |||
| + | One of the features toggled in the Wii's eFuse is "debug boot", which allows for the [[Broadway]] to be booted directly from [[EXI]] (as with the GameCube) using a [[Barnacle]]. This is disabled in all known non-blank configurations.{{Template:WiiNavbox}} | ||
[[Category:Wii]] | [[Category:Wii]] | ||
[[Category:Hardware]] | [[Category:Hardware]] | ||
Revision as of 06:13, 11 September 2020
This topic has a Wiibrew article. For more information, check here.
The eFuses (also known as 'OTP' unofficially) are a region of non-volatile memory on various Nintendo systems which can only be written once. Depending on the system, this area may only be writable at the time of chip manufacturing, or it might be writable at any time but with bits only ever being flippable once (referred to as 'cutting fuses'). This is used to store various secure information such as hashes, encryption keys, and downgrade protection (on the Switch).
Wii
The Wii stores a small amount of data here; some of it is Wii-specific (such as NAND keys), but the hash of the version of boot1 used in that Wii is also stored (making boot1 impossible to update) and the common key used in the Wii.
eFuse Contents
The following things are stored inside the eFuses:
| Address | Description |
|---|---|
| 0-4 | boot1 hash |
| 5-8 | common key |
| 9 | NG (NNGC) id |
| a-11 | NG private key |
| 11-15 | NAND HMAC (overlaps with NG private key) |
| 16-19 | NAND key |
| 1a-1d | RNG key |
| 1e-1f | Feature enable flags (JTAG, debug boot, etc) |
eFuse Programming
The Wii's eFuses are programmed via JTAG at chip manufacture time with a special power pin. Since the JTAG has a disabling flag in the eFuse region itself which is normally set on most Hollywood chips, the eFuses can never be programmed again once this flag is set and this is the case for almost all Wii units in existence (including final devkits).
There are known to be 3 types of Hollywood chips marked based on their eFuse configuration; 'fully programmed' (used for retail systems), 'partially programmed' (boot1 hash and possibly other things absent, used for devkits), and 'blank' (used for prototypes and possibly other internal/bringup chips). Blank chips are extremely rare and there are not known to be any in the wild; if there was such a chip, it could be used for unrestricted access to the Wii's hardware and software.
One of the features toggled in the Wii's eFuse is "debug boot", which allows for the Broadway to be booted directly from EXI (as with the GameCube) using a Barnacle. This is disabled in all known non-blank configurations.
