Changes

== Physical layout ==

== Physical layout ==

The NAND flash device is divided into 4096 blocks of 8 clusters. Each cluster is 8 pages. Each page is 2048 bytes of data and 64 bytes of "spare data" (used for error-correction (ECC) data and HMAC signatures on individual clusters).

The NAND flash device is divided into 4096 blocks of 8 clusters. Each cluster is 8 pages. Each page is 2048 bytes of data and 64 bytes of "spare data" (used for error-correction (ECC) data and HMAC signatures on individual clusters).

* Block 0 (pages 0-0x3F): boot1

* Block 0 (pages 0-0x3F): boot1

** boot1 is the second-stage bootloader; it is decrypted by boot0, which resides on a read-only mask rom inside the Starlet coprocessor. Its primary function is to load and decrypt boot2.

** boot1 is the second-stage bootloader; it is decrypted by boot0, which resides on a read-only mask rom inside the Starlet coprocessor. Its primary function is to load and decrypt boot2.

** Block 0 is guaranteed by the manufacturer to be valid, so there is no bad block map necessary.

** Block 0 is guaranteed by the manufacturer to be valid, so there is no bad block map necessary.

* Blocks 1-7 (Pages 0x40 - 0x1ff) : boot2 (two copies and blockmaps)

* Blocks 1-7 (Pages 0x40 - 0x1ff) : boot2 (two copies and blockmaps)

** boot2 is the third-stage bootloader; it is stored in a modified WAD format, including a [[ticket]] that is encrypted with the common key and signed.

** boot2 is the third-stage bootloader; it is stored in a modified WAD format, including a [[ticket]] that is encrypted with the common key and signed.

* Block 8 / Cluster 0x40 / Page 0x200: beginning of per-console unique data

* Block 8 / Cluster 0x40 / Page 0x200: beginning of per-console unique data

* Clusters 0x40 - 0x7EFF: Encrypted filesystem data. Data is encrypted with a per-console AES key, and then signed with a (separate, per-console) HMAC key.

* Clusters 0x40 - 0x7EFF: Encrypted filesystem data. Data is encrypted with a per-console AES key, and then signed with a (separate, per-console) HMAC key.

* Clusters 0x7F00-0x7FFF: Filesystem metadata (SFFS, unencrypted). There are 16 superblocks contained therein -- one every 16 clusters.

* Clusters 0x7F00-0x7FFF: Filesystem metadata (SFFS, unencrypted). There are 16 superblocks contained therein -- one every 16 clusters.

== Metadata layout ==

== Metadata layout ==

The authoritative source of information about the Wii's metadata layout is [http://git.infradead.org/users/segher/wii.git?a=blob;f=zestig.c Segher's zestig.c], but here is an attempt to describe that in English.

The authoritative source of information about the Wii's metadata layout is [http://git.infradead.org/users/segher/wii.git?a=blob;f=zestig.c Segher's zestig.c], but here is an attempt to describe that in English.

Each metadata "superblock" starts with the 4 magic bytes "SFFS", followed by a 4-byte "generation number" and another 4-byte number (always 0x10?). When accessing the FS, IOS will choose the superblock with the highest generation number and use it; whenever it modifies the filesystem in any way, it will increment the generation number by 1 and write out an entirely new superblock in the next slot (in round-robin order).

Each metadata "superblock" starts with the 4 magic bytes "SFFS", followed by a 4-byte "generation number" and another 4-byte number (always 0x10?). When accessing the FS, IOS will choose the superblock with the highest generation number and use it; whenever it modifies the filesystem in any way, it will increment the generation number by 1 and write out an entirely new superblock in the next slot (in round-robin order).

The next 0x10000 bytes (bytes 0xc:0x1000c within the superblock) are 0x8000 2-byte cluster numbers, and comprise the FAT. The FAT is followed by the FST -- the tree structure containing the directory hierarchy and (plaintext!) filenames.

The next 0x10000 bytes (bytes 0xc:0x1000c within the superblock) are 0x8000 2-byte cluster numbers, and comprise the FAT. The FAT is followed by the FST -- the tree structure containing the directory hierarchy and (plaintext!) filenames.

=== FAT ===

=== FAT ===

The FAT contains cluster chain / allocation information for the entire NAND chip, including parts of it which are not technically part of the filesystem!

The FAT contains cluster chain / allocation information for the entire NAND chip, including parts of it which are not technically part of the filesystem!

The first 64 entries will always be 0xFFFC, which indicates that this cluster is "reserved".   These correspond to the first 64 clusters or 8 blocks -- which is where boot1 and boot2 are stored.

The first 64 entries will always be 0xFFFC, which indicates that this cluster is "reserved". These correspond to the first 64 clusters or 8 blocks -- which is where boot1 and boot2 are stored.

Special values include:

Special values include:

* 0xFFFE

* 0xFFFE

Otherwise, the value stored within a slot in the FAT for a given cluster points to the next cluster in the chain, similar to the FAT used in DOS. Therefore, in order to figure out what clusters belong to what file, you must use the information in the FST to find the starting cluster for each file, and then follow each cluster chain.

Otherwise, the value stored within a slot in the FAT for a given cluster points to the next cluster in the chain, similar to the FAT used in DOS. Therefore, in order to figure out what clusters belong to what file, you must use the information in the FST to find the starting cluster for each file, and then follow each cluster chain.

=== FST ===

=== FST ===

=== HMAC info ===

=== HMAC info ===

The filesystem data and metadata clusters are "signed" with an HMAC to prevent tampering. The HMAC key is a 20-byte key stored in OTP, but each cluster is also seeded with a non-standard "salt".   This 0x40-byte piece of data is generated in memory and then fed into the HMAC algorithm, and then the unencrypted contents of a cluster is fed through the HMAC algorithm. Two copies of the resulting 20-byte HMAC value is stored in the spare / OOB area of the cluster, in the 7th and 8th pages within that cluster.

The filesystem data and metadata clusters are "signed" with an HMAC to prevent tampering. The HMAC key is a 20-byte key stored in OTP, but each cluster is also seeded with a non-standard "salt". This 0x40-byte piece of data is generated in memory and then fed into the HMAC algorithm, and then the unencrypted contents of a cluster is fed through the HMAC algorithm. Two copies of the resulting 20-byte HMAC value is stored in the spare / OOB area of the cluster, in the 7th and 8th pages within that cluster.

Salt format for file data:

Salt format for file data:

It is not known why the IOS driver supports chips smaller than 512MB.

It is not known why the IOS driver supports chips smaller than 512MB.

[[Category:Hardware]]

[[Category:Hardware]]