Cmep Key Ring Base: Difference between revisions
Jump to navigation
Jump to search
| Line 27: | Line 27: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Slot !! Mode !! Protection !! Per-console !! Description | ! Slot !! Mode !! Initial Protection !! Booted Protection !! Per-console !! Description | ||
|- | |- | ||
| 0 || 3 || 0x0442 || ? || ? | | 0 || 3 || 0x0442 || 0x0442 || ? || ? | ||
|- | |- | ||
| 1 || 1 || 0x0442 || ? || ? | | 1 || 1 || 0x0442 || 0x0442 || ? || ? | ||
|- | |- | ||
| 2-7 || 1 || 0x0040 || ? || ? | | 2-7 || 1 || 0x0442 || 0x0040 || ? || ? | ||
|- | |- | ||
| 8 || 3 || 0x0081 || Yes. || enp per-console key | | 8 || 3 || 0x049F || 0x0081 || Yes. || enp per-console key | ||
|- | |- | ||
| 9 || 1 || 0x0080 || ? || ? | | 9 || 1 || 0x049F || 0x0080 || ? || ? | ||
|- | |- | ||
| 0xA-0xF || 3 || 0x0080 || ? || ? | | 0xA-0xF || 3 || 0x049F || 0x0080 || ? || ? | ||
|- | |- | ||
| 0x10 || 1 || 0x0502 || ? || supports decryption only | | 0x10 || 1 || 0x0502 || 0x0502 || ? || supports decryption only | ||
|- | |- | ||
| 0x11-0x1F || 1 || 0x0100 || ? || ? | | 0x11-0x1F || 1 || 0x0502 || 0x0100 || ? || ? | ||
|- | |- | ||
| 0x20 || 3 || 0x0200 || ? || Derived from 0x344, used for hmac-sha256 over enc files | | 0x20 || 3 || 0x061F || 0x0200 || ? || Derived from 0x344, used for hmac-sha256 over enc files | ||
|- | |- | ||
| 0x21-0x24 || 1 || 0x061F || ? || supports encryption and decryption | | 0x21-0x24 || 1 || 0x061F || 0x061F || ? || supports encryption and decryption | ||
|- | |- | ||
| 0x25-0x2F || 1 || 0x0200 || ? || ? | | 0x25-0x2F || 1 || 0x061F || 0x0200 || ? || ? | ||
|- | |- | ||
| 0x30-0x34 || 1 || 0x041F || ? || ? | | 0x30-0x34 || 1 || 0x041F || 0x041F || ? || ? | ||
|- | |- | ||
| 0x35-0x7F || 1 || 0x0000 || ? || ? | | 0x35-0x7F || 1 || 0x041F || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x80-0xFF || 0 || 0x0000 || ? || | | 0x80-0xFF || 0 || 0x0000 || 0x0000 || ? || Not used | ||
|- | |- | ||
| 0x100 || 1 || 0x041F || ? || ? | | 0x100 || 1 || 0x041F || 0x041F || ? || ? | ||
|- | |- | ||
| 0x101-0x17F || 1 || 0x0000 || ? || ? | | 0x101-0x17F || 1 || 0x041F || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x180-0x1FF || 0 || 0x0000 || ? || | | 0x180-0x1FF || 0 || 0x0000 || 0x0000 || ? || Not used | ||
|- | |- | ||
| 0x200-0x203 || 3 || 0x0000 || ? || ? | | 0x200-0x203 || 3 || 0x0002 || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x204-0x205 || 3 || 0x006F || ? || ? | | 0x204-0x205 || 3 || 0x006F || 0x006F || ? || ? | ||
|- | |- | ||
| 0x206 || 3 || 0x00A0 || ? || Used to derive key used to decrypt personalized layer over enc. Should be per-console. | | 0x206 || 3 || 0x00AF || 0x00A0 || ? || Used to derive key used to decrypt personalized layer over enc. Should be per-console. | ||
|- | |- | ||
| 0x207 || 3 || 0x00A0 || ? || Used instead of the above key when secret debug mode is set. (Possibly non-per-console?) | | 0x207 || 3 || 0x00AF || 0x00A0 || ? || Used instead of the above key when secret debug mode is set. (Possibly non-per-console?) | ||
|- | |- | ||
| 0x208-0x20D || 3 || 0x00A0 || ? || 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header | | 0x208-0x20D || 3 || 0x00AF || 0x00A0 || ? || 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header | ||
|- | |- | ||
| 0x20E-0x20F || 3 || 0x0010 || ? || Maybe per-console emmc crypto keys? Protected by second_loader. | | 0x20E-0x20F || 3 || 0x0010 || 0x0010 || ? || Maybe per-console emmc crypto keys? Protected by second_loader. | ||
|- | |- | ||
| 0x210-0x211 || 3 || 0x0000 || ? || ? | | 0x210-0x211 || 3 || 0x001F || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x212 || 3|| 0x001F || ? || ? | | 0x212 || 3|| 0x001F || 0x001F || ? || ? | ||
|- | |- | ||
| 0x213 || 3|| 0x001F || ? || Used to derive SMI keys, which are used for factory fw decryption. Per-console. | | 0x213 || 3|| 0x001F || 0x001F || ? || Used to derive SMI keys, which are used for factory fw decryption. Per-console. | ||
|- | |- | ||
| 0x214 || 3|| 0x0000 || ? || Used to derive keyslots 0x514, 0x515 in second_loader | | 0x214 || 3|| 0x001F || 0x0000 || ? || Used to derive keyslots 0x514, 0x515 in second_loader | ||
|- | |- | ||
| 0x215 || 3|| 0x0000 || ? || ? | | 0x215 || 3|| 0x001F || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x216 || 3|| 0x001F || ? || Derive 0x502-0x504 by encrypting data in second_loader. | | 0x216 || 3|| 0x001F || 0x001F || ? || Derive 0x502-0x504 by encrypting data in second_loader. | ||
|- | |- | ||
| 0x217 || 3 || 0x0000 || ? || ? | | 0x217 || 3 || 0x001F || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x218-0x2FF || 0 || 0x0000 || ? || | | 0x218-0x2FF || 0 || 0x0000 || 0x0000 || ? || Not used | ||
|- | |- | ||
| 0x300-0x33F || 3 || 0x0000 || ? || ? | | 0x300-0x33F || 3 || 0x0002 || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x340 || 3 || 0x012F || ? || Used to decrypt keys into the 0x10 key slot | | 0x340 || 3 || 0x012F || 0x012F || ? || Used to decrypt keys into the 0x10 key slot | ||
|- | |- | ||
| 0x341-0x343 || 3 || 0x0120 || ? || ? | | 0x341-0x343 || 3 || 0x012F || 0x0120 || ? || ? | ||
|- | |- | ||
| 0x344 || 3 || 0x0220 || ? || Used to derive key 0x20 in brom. | | 0x344 || 3 || 0x022F || 0x0220 || ? || Used to derive key 0x20 in brom. | ||
|- | |- | ||
| 0x345-0x348 || 3 || 0x022F || ? || Used to decrypt keys into one of the 0x21-0x24 key slot | | 0x345-0x348 || 3 || 0x022F || 0x022F || ? || Used to decrypt keys into one of the 0x21-0x24 key slot | ||
|- | |- | ||
| 0x349-0x353 || 3 || 0x0220 || ? || ? | | 0x349-0x353 || 3 || 0x022F ||0x0220 || ? || ? | ||
|- | |- | ||
| 0x354-0x3FF || 3 || 0x0000 || ? || ? | | 0x354-0x3FF || 3 || 0x001F || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x400-0x47F || 1 || 0x0000 || ? || ? | | 0x400-0x47F || 1 || 0x1800 || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x480-0x4FF || 0 || 0x0000 || ? || | | 0x480-0x4FF || 0 || 0x0000 || 0x0000 || ? || Not used | ||
|- | |- | ||
| 0x500 || 1 || 0x1800 || ? || ? | | 0x500 || 1 || 0x1800 || 0x1800 || ? || ? | ||
|- | |- | ||
| 0x501 || 7 || 0x1000 || No || Used by bootrom first_loader to figure out whether to load from eMMC or ARM comms after reset | | 0x501 || 7 || 0x1800 || 0x1000 || No || Used by bootrom first_loader to figure out whether to load from eMMC or ARM comms after reset | ||
|- | |- | ||
| 0x502-0x504 || 3 || 0x1800 || Yes || Related to Ernie SNVS | | 0x502-0x504 || 3 || 0x1800 || 0x1800 || Yes || Related to Ernie SNVS | ||
|- | |- | ||
| 0x505 || 1 || 0x0000 || ? || ? | | 0x505 || 1 || 0x1800 || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x506 || 3 || 0x1800 || ? || ? | | 0x506 || 3 || 0x1800 || 0x1800 || ? || ? | ||
|- | |- | ||
| 0x507 || 3 || 0x1800 || No || ? | | 0x507 || 3 || 0x1800 || 0x1800 || No || ? | ||
|- | |- | ||
| 0x508 || 3 || 0x1800 || No || Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50 | | 0x508 || 3 || 0x1800 || 0x1800 || No || Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50 | ||
|- | |- | ||
| 0x509 || 3 || 0x1800 || Yes || IDPS of unit (console id) | | 0x509 || 3 || 0x1800 || 0x1800 || Yes || IDPS of unit (console id) | ||
|- | |- | ||
| 0x50A || 3 || 0x1800 || ? || Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints. | | 0x50A || 3 || 0x1800 || 0x1800 || ? || Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints. | ||
|- | |- | ||
| 0x50B || 3 || 0x1800 || ? || From 0xD2 SNVS block 0, 8 bytes | | 0x50B || 3 || 0x1800 || 0x1800 || ? || From 0xD2 SNVS block 0, 8 bytes | ||
|- | |- | ||
| 0x50C || 3 || 0x1800 || No || Flags. Set to 1 on 1.692 and newer, 0 on older | | 0x50C || 3 || 0x1800 || 0x1800 || No || Flags. Set to 1 on 1.692 and newer, 0 on older | ||
|- | |- | ||
| 0x50D || 3 || 0x1800 || Yes || OpenPSID | | 0x50D || 3 || 0x1800 || 0x1800 || Yes || OpenPSID | ||
|- | |- | ||
| 0x50E || 3 || 0x1800 || Yes || Current firmware version. Comes from SNVS. | | 0x50E || 3 || 0x1800 || 0x1800 || Yes || Current firmware version. Comes from SNVS. | ||
|- | |- | ||
| 0x50F || 3 || 0x1800 || Yes || Factory firmware version. Comes from idstorage. | | 0x50F || 3 || 0x1800 || 0x1800 || Yes || Factory firmware version. Comes from idstorage. | ||
|- | |- | ||
| 0x510 || 3 || 0x1800 || Yes || Some bit flags, comes from syscon cmd 0x90 offset 0xE0 | | 0x510 || 3 || 0x1800 || 0x1800 || Yes || Some bit flags, comes from syscon cmd 0x90 offset 0xE0 | ||
|- | |- | ||
| 0x511 || 3 || 0x1800 || Yes || Unique per boot session id, Syscon shared 0xD0 session key | | 0x511 || 3 || 0x1800 || 0x1800 || Yes || Unique per boot session id, Syscon shared 0xD0 session key | ||
|- | |- | ||
| 0x512 || 7 || 0x1800 || Yes || Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set. | | 0x512 || 7 || 0x1800 || 0x1800 || Yes || Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set. | ||
|- | |- | ||
| 0x513 || 3 || 0x1800 || No || DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit. | | 0x513 || 3 || 0x1800 || 0x1800 || No || DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit. | ||
|- | |- | ||
| 0x514 || 3 || 0x1800 || No? || F00d-cmd F01 AES-256-CMAC key. Protected on 1.05. | | 0x514 || 3 || 0x1800 || 0x1800 || No? || F00d-cmd F01 AES-256-CMAC key. Protected on 1.05. | ||
|- | |- | ||
| 0x515 || 3 || 0x1800 || No? || F00d-cmd F01 AES-256-CBC key. Protected on 1.05. | | 0x515 || 3 || 0x1800 || 0x1800 || No? || F00d-cmd F01 AES-256-CBC key. Protected on 1.05. | ||
|- | |- | ||
| 0x516 || 3 || 0x1800 || ? || F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared. | | 0x516 || 3 || 0x1800 || 0x1800 || ? || F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared. | ||
|- | |- | ||
| 0x517 || 3 || 0x1800 || || When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692). | | 0x517 || 3 || 0x1800 || 0x1800 || || When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692). | ||
|- | |- | ||
| 0x518 || 3 || 0x1800 || No || Another current FW version (3.60+?) Comes from SNVS. | | 0x518 || 3 || 0x1800 || 0x1800 || No || Another current FW version (3.60+?) Comes from SNVS. | ||
|- | |- | ||
| 0x519 || 3 || 0x1800 || No || 00s | | 0x519 || 3 || 0x1800 || 0x1800 || No || 00s | ||
|- | |- | ||
| 0x51A || 3 || 0x1800 || Yes || Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption | | 0x51A || 3 || 0x1800 || 0x1800 || Yes || Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption | ||
|- | |- | ||
| 0x51B || 3 || 0x1800 || No || Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5 | | 0x51B || 3 || 0x1800 || 0x1800 || No || Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5 | ||
|- | |- | ||
| 0x51C-0x57F || 1 || 0x0000 || ? || ? | | 0x51C-0x57F || 1 || 0x1800 || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x580-0x5FF || 0 || 0x0000 || ? || | | 0x580-0x5FF || 0 || 0x0000 || 0x0000 || ? || Not used | ||
|- | |- | ||
| 0x600 || 3 || 0x1000 || Yes || <code>aimgr_sm.self</code> cmd 0x3 return, VisibleId/FuseId | | 0x600 || 3 || 0x1000 || 0x1000 || Yes || <code>aimgr_sm.self</code> cmd 0x3 return, VisibleId/FuseId | ||
|- | |- | ||
| 0x601 || 3 || 0x1000 || Yes || ? | | 0x601 || 3 || 0x1000 || 0x1000 || Yes || ? | ||
|- | |- | ||
| 0x602 || 3 || 0x1000 || Yes || ? | | 0x602 || 3 || 0x1000 || 0x1000 || Yes || ? | ||
|- | |- | ||
| 0x603 || 3 || 0x1000 || No || ? | | 0x603 || 3 || 0x1000 || 0x1000 || No || ? | ||
|- | |- | ||
| 0x604 || 3 || 0x1000 || No || ? | | 0x604 || 3 || 0x1000 || 0x1000 || No || ? | ||
|- | |- | ||
| 0x605-0x607 || 3 || 0x0000 || ? || ? | | 0x605-0x607 || 3 || 0x1000 || 0x0000 || ? || ? | ||
|- | |- | ||
| 0x608-0x6FF || 0 || 0x0000 || ? || | | 0x608-0x6FF || 0 || 0x0000 || 0x0000 || ? || Not used | ||
|- | |- | ||
| 0x700-0x7FF || 3 || 0x0000 || ? || 16 public RSA keys for enc, which one is used depends on public key revision from enc header. | | 0x700-0x7FF || 3 || 0x1000 || 0x0000 || ? || 16 public RSA keys for enc, which one is used depends on public key revision from enc header. | ||
|} | |} | ||
Revision as of 22:37, 4 October 2018
Address = 0xE0058000 + 32 * Slot
Permission bits
| Bit | Function |
|---|---|
| 0x01 | accessible for bigmac encrypt |
| 0x02 | accessible for bigmac decrypt |
| 0x10 | ? |
| 0x20 | crypto operation supports a keyslot dst |
| 0x80 | related to bootrom functionality. If set then permissions for this slot can be reset |
| 0x400 | dst can be memory |
| 0x800 | can be written directly by f00d (?) |
| 0x1000 | can be read directly by f00d |
Key Ring Slots 0xE0058000
| Slot | Mode | Initial Protection | Booted Protection | Per-console | Description |
|---|---|---|---|---|---|
| 0 | 3 | 0x0442 | 0x0442 | ? | ? |
| 1 | 1 | 0x0442 | 0x0442 | ? | ? |
| 2-7 | 1 | 0x0442 | 0x0040 | ? | ? |
| 8 | 3 | 0x049F | 0x0081 | Yes. | enp per-console key |
| 9 | 1 | 0x049F | 0x0080 | ? | ? |
| 0xA-0xF | 3 | 0x049F | 0x0080 | ? | ? |
| 0x10 | 1 | 0x0502 | 0x0502 | ? | supports decryption only |
| 0x11-0x1F | 1 | 0x0502 | 0x0100 | ? | ? |
| 0x20 | 3 | 0x061F | 0x0200 | ? | Derived from 0x344, used for hmac-sha256 over enc files |
| 0x21-0x24 | 1 | 0x061F | 0x061F | ? | supports encryption and decryption |
| 0x25-0x2F | 1 | 0x061F | 0x0200 | ? | ? |
| 0x30-0x34 | 1 | 0x041F | 0x041F | ? | ? |
| 0x35-0x7F | 1 | 0x041F | 0x0000 | ? | ? |
| 0x80-0xFF | 0 | 0x0000 | 0x0000 | ? | Not used |
| 0x100 | 1 | 0x041F | 0x041F | ? | ? |
| 0x101-0x17F | 1 | 0x041F | 0x0000 | ? | ? |
| 0x180-0x1FF | 0 | 0x0000 | 0x0000 | ? | Not used |
| 0x200-0x203 | 3 | 0x0002 | 0x0000 | ? | ? |
| 0x204-0x205 | 3 | 0x006F | 0x006F | ? | ? |
| 0x206 | 3 | 0x00AF | 0x00A0 | ? | Used to derive key used to decrypt personalized layer over enc. Should be per-console. |
| 0x207 | 3 | 0x00AF | 0x00A0 | ? | Used instead of the above key when secret debug mode is set. (Possibly non-per-console?) |
| 0x208-0x20D | 3 | 0x00AF | 0x00A0 | ? | 6 keys used to decrypt enc metadata, which one is used depends on key revision in enc header |
| 0x20E-0x20F | 3 | 0x0010 | 0x0010 | ? | Maybe per-console emmc crypto keys? Protected by second_loader. |
| 0x210-0x211 | 3 | 0x001F | 0x0000 | ? | ? |
| 0x212 | 3 | 0x001F | 0x001F | ? | ? |
| 0x213 | 3 | 0x001F | 0x001F | ? | Used to derive SMI keys, which are used for factory fw decryption. Per-console. |
| 0x214 | 3 | 0x001F | 0x0000 | ? | Used to derive keyslots 0x514, 0x515 in second_loader |
| 0x215 | 3 | 0x001F | 0x0000 | ? | ? |
| 0x216 | 3 | 0x001F | 0x001F | ? | Derive 0x502-0x504 by encrypting data in second_loader. |
| 0x217 | 3 | 0x001F | 0x0000 | ? | ? |
| 0x218-0x2FF | 0 | 0x0000 | 0x0000 | ? | Not used |
| 0x300-0x33F | 3 | 0x0002 | 0x0000 | ? | ? |
| 0x340 | 3 | 0x012F | 0x012F | ? | Used to decrypt keys into the 0x10 key slot |
| 0x341-0x343 | 3 | 0x012F | 0x0120 | ? | ? |
| 0x344 | 3 | 0x022F | 0x0220 | ? | Used to derive key 0x20 in brom. |
| 0x345-0x348 | 3 | 0x022F | 0x022F | ? | Used to decrypt keys into one of the 0x21-0x24 key slot |
| 0x349-0x353 | 3 | 0x022F | 0x0220 | ? | ? |
| 0x354-0x3FF | 3 | 0x001F | 0x0000 | ? | ? |
| 0x400-0x47F | 1 | 0x1800 | 0x0000 | ? | ? |
| 0x480-0x4FF | 0 | 0x0000 | 0x0000 | ? | Not used |
| 0x500 | 1 | 0x1800 | 0x1800 | ? | ? |
| 0x501 | 7 | 0x1800 | 0x1000 | No | Used by bootrom first_loader to figure out whether to load from eMMC or ARM comms after reset |
| 0x502-0x504 | 3 | 0x1800 | 0x1800 | Yes | Related to Ernie SNVS |
| 0x505 | 1 | 0x1800 | 0x0000 | ? | ? |
| 0x506 | 3 | 0x1800 | 0x1800 | ? | ? |
| 0x507 | 3 | 0x1800 | 0x1800 | No | ? |
| 0x508 | 3 | 0x1800 | 0x1800 | No | Ernie HW version (from syscon cmd 0x1). Set to 0x100060D on 1.692, 0x100010A on 1.05, 0x0100010B on 1.50 |
| 0x509 | 3 | 0x1800 | 0x1800 | Yes | IDPS of unit (console id) |
| 0x50A | 3 | 0x1800 | 0x1800 | ? | Byte15bit0,byte14bit0,byte14bit1,byte11bit4: Revocation related. Byte13bit0: Enable F00D debug prints. |
| 0x50B | 3 | 0x1800 | 0x1800 | ? | From 0xD2 SNVS block 0, 8 bytes |
| 0x50C | 3 | 0x1800 | 0x1800 | No | Flags. Set to 1 on 1.692 and newer, 0 on older |
| 0x50D | 3 | 0x1800 | 0x1800 | Yes | OpenPSID |
| 0x50E | 3 | 0x1800 | 0x1800 | Yes | Current firmware version. Comes from SNVS. |
| 0x50F | 3 | 0x1800 | 0x1800 | Yes | Factory firmware version. Comes from idstorage. |
| 0x510 | 3 | 0x1800 | 0x1800 | Yes | Some bit flags, comes from syscon cmd 0x90 offset 0xE0 |
| 0x511 | 3 | 0x1800 | 0x1800 | Yes | Unique per boot session id, Syscon shared 0xD0 session key |
| 0x512 | 7 | 0x1800 | 0x1800 | Yes | Tick count? Used in Syscon encrypted communication. Set to a random value when session key is set. |
| 0x513 | 3 | 0x1800 | 0x1800 | No | DRAM size. Set to 0x20000000 on retail, 0x40000000 on devkit. |
| 0x514 | 3 | 0x1800 | 0x1800 | No? | F00d-cmd F01 AES-256-CMAC key. Protected on 1.05. |
| 0x515 | 3 | 0x1800 | 0x1800 | No? | F00d-cmd F01 AES-256-CBC key. Protected on 1.05. |
| 0x516 | 3 | 0x1800 | 0x1800 | ? | F00d-cmd F01 writes (u32)1 here when exporting the infoblk. Next time main() executes this flag is cleared. |
| 0x517 | 3 | 0x1800 | 0x1800 | When initializing the EEPROM, this is zeroed if 0x50D has bit8 clear (on 1.692). | |
| 0x518 | 3 | 0x1800 | 0x1800 | No | Another current FW version (3.60+?) Comes from SNVS. |
| 0x519 | 3 | 0x1800 | 0x1800 | No | 00s |
| 0x51A | 3 | 0x1800 | 0x1800 | Yes | Randomized 0x20 byte key unique every boot/reboot/resume used for kernel coredump encryption |
| 0x51B | 3 | 0x1800 | 0x1800 | No | Some kind of model info 0x406000 on retail and 0x416000 on devkit, obtained from syscon command 5 |
| 0x51C-0x57F | 1 | 0x1800 | 0x0000 | ? | ? |
| 0x580-0x5FF | 0 | 0x0000 | 0x0000 | ? | Not used |
| 0x600 | 3 | 0x1000 | 0x1000 | Yes | aimgr_sm.self cmd 0x3 return, VisibleId/FuseId
|
| 0x601 | 3 | 0x1000 | 0x1000 | Yes | ? |
| 0x602 | 3 | 0x1000 | 0x1000 | Yes | ? |
| 0x603 | 3 | 0x1000 | 0x1000 | No | ? |
| 0x604 | 3 | 0x1000 | 0x1000 | No | ? |
| 0x605-0x607 | 3 | 0x1000 | 0x0000 | ? | ? |
| 0x608-0x6FF | 0 | 0x0000 | 0x0000 | ? | Not used |
| 0x700-0x7FF | 3 | 0x1000 | 0x0000 | ? | 16 public RSA keys for enc, which one is used depends on public key revision from enc header. |