BootROM

artart78 edited this page Mar 26, 2013 · 4 revisions

Overview

The BootROM is made up of two parts, the "bootstrap" and the "loader". It is located at physical address 0x1FC00000 and is accessed through the non-cached kseg1 alias at 0xBFC00000. The ROM is entered on a hardware reset, a software reset, or an NMI. When this happens the COP0 Status register has Boot Exception Vector (BEV) = 1 and Error Level (ERL) = 1; Software Reset (SR) is 0 for a hardware reset and 1 for a software reset or NMI. The PC is set to 0xBFC00000 and execution begins there. Because the code is still running from ROM with no RAM set up, only registers can be modified at this point.

Part1 (the bootstrap)

Because the BootROM is stored in non-volatile read-only memory it cannot hold variables, so the bootstrap copies the loader part of the BootROM (the payload) into the CPU's scratchpad RAM. The scratchpad is the only RAM usable at this point, along with a separate 4KB block of RAM and the 2MB EDRAM; the normal DDR SDRAM has not been initialised yet.

The first thing checked is the value at 0xBC100000. If it is non-zero, this typically means an NMI exception, and the bootstrap jumps to the exception vector held in COP0 Control Register $9 or, if that is not set, to the exception vector in COP0 Status Register $25. On a normal reset (hardware or software), the loader code of the ROM is copied to the scratchpad at physical address 0x10000, accessed in cached mode at 0x80010000, and the bootstrap then jumps to the real BootROM loader at 0x80010000. A stack is set up with 0x80013FF0 as its top, which lets the loader use ordinary local variables and memory in addition to registers.
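A host-side model of the bootstrap entry path described above, added here as an example; it is not the BootROM's own code. The COP0 Status bit positions are the standard MIPS32 ones (BEV bit 22, ERL bit 2, SR bit 20) and are assumed to apply to the Allegrex, the scratchpad is modelled as a 16KB host buffer (consistent with the 0x80013FF0 stack top), and the loader payload bytes are constructed.

```c
/* Added example, not the PSP BootROM's own code: a host-side model of the
 * bootstrap entry path. COP0 Status bit positions are the standard MIPS32
 * ones (assumed to hold for the Allegrex); memory is plain host buffers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_ERL    (1u << 2)
#define STATUS_SR     (1u << 20)
#define STATUS_BEV    (1u << 22)

#define LOADER_KSEG0  0x80010000u   /* cached alias of scratchpad physical 0x10000 */
#define LOADER_SP     0x80013FF0u   /* initial stack top inside the scratchpad */
#define SCRATCH_SIZE  0x4000u       /* 16 KB scratchpad (assumed from the stack top) */
#define LOADER_MAX    (LOADER_SP - LOADER_KSEG0)  /* loader must stay below the stack */

enum reset_kind { RESET_HARDWARE, RESET_SOFT_OR_NMI, RESET_NOT_A_RESET };

/* BEV=1 and ERL=1 mean we entered through the reset/NMI vector; SR then
 * separates a hardware reset (SR=0) from a software reset or NMI (SR=1). */
enum reset_kind classify_reset(uint32_t status) {
    if ((status & (STATUS_BEV | STATUS_ERL)) != (STATUS_BEV | STATUS_ERL))
        return RESET_NOT_A_RESET;
    return (status & STATUS_SR) ? RESET_SOFT_OR_NMI : RESET_HARDWARE;
}

/* The state the bootstrap inspects, plus the scratchpad it writes into. */
struct boot_state {
    uint32_t status;            /* COP0 Status at entry */
    uint32_t flag_bc100000;     /* value read from 0xBC100000 */
    uint32_t cop0_r9;           /* vector in COP0 control register $9, 0 if unset */
    uint32_t cop0_r25;          /* fallback vector in COP0 register $25 */
    const uint8_t *rom_loader;  /* the loader payload as it sits in the ROM */
    uint32_t loader_len;
    uint8_t scratchpad[SCRATCH_SIZE];
    uint32_t sp;
};

/* Returns the address the bootstrap jumps to (0 if the loader cannot fit). */
uint32_t bootstrap_dispatch(struct boot_state *m) {
    if (m->flag_bc100000 != 0) {
        /* NMI path: nothing is copied, control goes back to a kernel vector. */
        return m->cop0_r9 ? m->cop0_r9 : m->cop0_r25;
    }
    /* Normal reset: copy the loader out of ROM into the scratchpad, set up a
     * stack at its top, and jump to the cached alias of the scratchpad. */
    if (m->loader_len > LOADER_MAX) return 0;
    memcpy(m->scratchpad, m->rom_loader, m->loader_len);
    m->sp = LOADER_SP;
    return LOADER_KSEG0;
}

int main(void) {
    const uint8_t fake_loader[] = { 0x08, 0x00, 0x40, 0x00 };  /* constructed bytes */
    struct boot_state m;
    memset(&m, 0, sizeof m);
    m.status = STATUS_BEV | STATUS_ERL;       /* hardware reset: SR=0 */
    m.rom_loader = fake_loader;
    m.loader_len = sizeof fake_loader;
    uint32_t target = bootstrap_dispatch(&m);
    printf("reset kind %d, jump to 0x%08X, sp 0x%08X\n",
           classify_reset(m.status), target, m.sp);
    return 0;
}
```

The NMI branch never touches the scratchpad: whatever the kernel left there survives, which is why a warm re-entry through 0xBC100000 can hand control straight back to a vector the kernel installed.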

Part2 (the IPL Loader)

Now the CPU is executing from the scratchpad RAM (the BootROM Loader).
The BootROM loader initialises the NAND hardware and reads the IPL NAND block table (a table of the physical block numbers where the encrypted IPL is stored on the NAND). The table is located in the 4th physical block of the NAND (offset 0x10000) and is repeated in the next 7 blocks, so that it can still be read if any of these blocks goes bad. If all 8 blocks become bad blocks, the result is a non-recoverable brick, because the BootROM can no longer locate the IPL. The only ways around this are to boot from the Memory Stick instead, or to use a custom IPL that patches the BootROM to remap the table; both still require Pandora.

If the SysCon has set bit 0x10 in 0xBE240004, the IPL is loaded from the Memory Stick instead of the NAND.

The entire raw IPL is stored encrypted on the NAND.

The BootROM loader (the pre-IPL) uses a 4KB RAM as a temporary location to load and decrypt each encrypted IPL block. This RAM is mapped at physical address 0x1FD00000 (uncached access at 0xBFD00000); it is later remapped to 0x1FC00000 to serve as the ME CPU's reset exception vector. Because this RAM is only 4KB in size, the encrypted IPL is organised as 4KB blocks on the NAND. As the loader decrypts each 4KB IPL block, it writes the decrypted data to the IPL entry address, 0x040F0000 (up to FW 5.50) or 0x040EC000 (FW 6.00 and later). This address lies in the 2MB EDRAM, which is normally used as VRAM; the normal DDR RAM still has not been initialised. Once all the encrypted IPL blocks have been decrypted and loaded, the BootROM jumps to the IPL entry address.
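A host-side model of the loader's NAND stage, covering the block-table lookup with its eight redundant copies (and the all-bad brick case), the Memory Stick source bit, and the 4KB temp-RAM decrypt loop into EDRAM. This is an added example, not the BootROM's or any project's code. Assumptions beyond what the page states: a 16KB NAND block (which puts block 4 at offset 0x10000), a table of 16-bit little-endian block numbers terminated by zero, a 2MB EDRAM based at 0x04000000, and a placeholder XOR standing in for the real decryption. The NAND image is constructed inline.

```c
/* Added example, not the PSP BootROM's own code: a host-side model of the
 * loader's NAND stage. Assumed (not on the page): 16 KB NAND blocks, a table
 * of 16-bit LE block numbers ending in 0, EDRAM at 0x04000000, and a
 * placeholder XOR in place of the real decryption. NAND image is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAND_BLOCK_SIZE   0x4000u    /* assumed physical block size */
#define TABLE_FIRST_BLOCK 4u         /* block 4 == byte offset 0x10000 */
#define TABLE_COPIES      8u         /* blocks 4..11 each hold a copy */
#define IPL_CHUNK         0x1000u    /* 4 KB temp RAM at 0x1FD00000 */
#define EDRAM_BASE        0x04000000u
#define EDRAM_SIZE        0x200000u  /* 2 MB */
#define IPL_ENTRY_550     0x040F0000u
#define IPL_ENTRY_6XX     0x040EC000u
#define MAX_IPL_BLOCKS    64
#define SAMPLE_BLOCKS     14u

struct nand {
    const uint8_t *image;
    const uint8_t *bad;      /* bad[i] != 0 marks block i unreadable */
    uint32_t nblocks;
};

/* IPL source select: bit 0x10 of 0xBE240004 (set by SysCon) means Memory Stick. */
int ipl_from_memory_stick(uint32_t reg_be240004) { return (reg_be240004 & 0x10u) != 0; }

const uint8_t *nand_read_block(const struct nand *n, uint32_t blk) {
    if (blk >= n->nblocks || n->bad[blk]) return NULL;
    return n->image + (size_t)blk * NAND_BLOCK_SIZE;
}

/* Walk the 8 table copies and use the first readable one. Returns the number
 * of IPL block numbers listed, or -1 when every copy is bad: the BootROM can
 * no longer find the IPL and the unit is bricked. */
int find_ipl_table(const struct nand *n, uint16_t *out, int max) {
    for (uint32_t b = TABLE_FIRST_BLOCK; b < TABLE_FIRST_BLOCK + TABLE_COPIES; b++) {
        const uint8_t *tbl = nand_read_block(n, b);
        if (!tbl) continue;
        int count = 0;
        while (count < max) {
            uint16_t v = (uint16_t)(tbl[2 * count] | (tbl[2 * count + 1] << 8));
            if (v == 0) break;
            out[count++] = v;
        }
        return count;
    }
    return -1;
}

static void placeholder_decrypt(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5A;   /* stand-in, not the real cipher */
}

/* The load loop: each 4 KB chunk is read into the 4 KB temp RAM, decrypted
 * there, then copied to entry + offset inside EDRAM. Returns the entry address
 * to jump to, or 0 on failure; *out_len receives the decrypted size. */
uint32_t load_ipl(const struct nand *n, int fw6, uint8_t *edram, size_t *out_len) {
    uint16_t blocks[MAX_IPL_BLOCKS];
    int nb = find_ipl_table(n, blocks, MAX_IPL_BLOCKS);
    if (nb < 0) return 0;
    uint32_t entry = fw6 ? IPL_ENTRY_6XX : IPL_ENTRY_550;
    uint8_t temp[IPL_CHUNK];
    size_t off = 0;
    for (int i = 0; i < nb; i++) {
        const uint8_t *blk = nand_read_block(n, blocks[i]);
        if (!blk) return 0;                                /* bad IPL block */
        for (uint32_t c = 0; c < NAND_BLOCK_SIZE / IPL_CHUNK; c++) {
            if (entry - EDRAM_BASE + off + IPL_CHUNK > EDRAM_SIZE) return 0;
            memcpy(temp, blk + c * IPL_CHUNK, IPL_CHUNK);
            placeholder_decrypt(temp, IPL_CHUNK);
            memcpy(edram + (entry - EDRAM_BASE) + off, temp, IPL_CHUNK);
            off += IPL_CHUNK;
        }
    }
    *out_len = off;
    return entry;
}

/* Constructed sample NAND: the table (listing blocks 12 and 13) is written to
 * blocks 4..11, blocks 4 and 5 are marked bad to exercise the redundancy, and
 * blocks 12..13 hold a byte pattern "encrypted" with the placeholder XOR. */
static uint8_t g_image[SAMPLE_BLOCKS * NAND_BLOCK_SIZE];
static uint8_t g_bad[SAMPLE_BLOCKS];
static uint8_t g_edram[EDRAM_SIZE];

struct nand sample_nand(void) {
    memset(g_image, 0, sizeof g_image);
    memset(g_bad, 0, sizeof g_bad);
    for (uint32_t b = TABLE_FIRST_BLOCK; b < TABLE_FIRST_BLOCK + TABLE_COPIES; b++) {
        uint8_t *t = g_image + b * NAND_BLOCK_SIZE;
        t[0] = 12; t[1] = 0; t[2] = 13; t[3] = 0; t[4] = 0; t[5] = 0;
    }
    for (size_t i = 0; i < 2 * NAND_BLOCK_SIZE; i++)
        g_image[12 * NAND_BLOCK_SIZE + i] = (uint8_t)((i & 0xFF) ^ 0x5A);
    g_bad[4] = g_bad[5] = 1;
    struct nand n = { g_image, g_bad, SAMPLE_BLOCKS };
    return n;
}

void sample_mark_bad(uint32_t blk) { if (blk < SAMPLE_BLOCKS) g_bad[blk] = 1; }

int main(void) {
    struct nand n = sample_nand();
    size_t len = 0;
    uint32_t entry = load_ipl(&n, 0, g_edram, &len);
    printf("IPL entry 0x%08X, %zu bytes loaded\n", entry, len);
    return entry ? 0 : 1;
}
```

Marking all of blocks 4 through 11 bad with `sample_mark_bad` makes `find_ipl_table` return -1 and `load_ipl` return 0, which is the brick case the text describes: nothing in the ROM knows where else to look.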