flash_layout

Differences

This shows you the differences between two versions of the page.

flash_layout [2024/11/19 12:42] – created arisotura
flash_layout [2025/01/19 20:42] (current) garyodernichts
Line 6: Line 6:
 ===== Memory map ===== ===== Memory map =====
  
-^ Address   ^ Description ^ +^ Address   ^ Internal name ^ Description ^ 
-| 0x0000000 | Second-stage bootloader | +| 0x0000000 | SPL           | Second-stage bootloader | 
-| 0x000E000 | Subsector used to write error data | +| 0x000E000 | ErrorLog      | Subsector used to write error data | 
-| 0x000F000 | Active firmware partition | +| 0x000F000 | Bank          | Active firmware partition | 
-| 0x0100000 | Firmware partition 0 | +| 0x0100000 | Product1      | Firmware partition 0 | 
-| 0x0500000 | Firmware partition 1 | +| 0x0500000 | Product2      | Firmware partition 1 | 
-| 0x0900000 | Language bank 0 | +| 0x0900000 | Lang1         | Language bank partition 0 | 
-| 0x1100000 | Language bank 1 | +| 0x1100000 | Lang2         | Language bank partition 1 | 
-| 0x1900000 | Unknown (maybe related to IR remote functionality) | +| 0x1900000 | TVcode        | Remote control data | 
-0x1C00000 Diagnostics firmware partition |+| 0x1B00000 | Screen1       | ?? | 
 +| 0x1B80000 | Screen2       | ?? | 
 +| 0x1C00000 | Service       | Diagnostics firmware partition | 
 +| 0x1FDE000 | InspData      | Diagnostics use | 
 +| 0x1FDF000 | Seq&Conf      | Diagnostics use | 
 +| 0x1FE0000 | InspLog1      | Diagnostics use | 
 +| 0x1FF0000 | InspLog2      | Diagnostics use | 
 + 
 +The internal names come from the diagnostics firmware's FLASH viewer utility. 
 + 
 + 
 +===== Second-stage bootloader ===== 
 + 
 +The second-stage bootloader is responsible for setting up the hardware and loading and booting the actual firmware. 
 + 
 +The bootloader layout is simple: 
 + 
 +^ Offset ^ Length ^ Description ^ 
 +| 0x00   | 4      | Length of bootloader code | 
 +| 0x04   | 64     | Exception vectors | 
 +| 0x44   | N      | Bootloader code | 
 + 
 +The exception vectors are loaded at 0x0 in main RAM, and the bootloader code is loaded at 0x3F0000. 
 + 
 +The boot process is as follows: 
 + 
 +  - If the UIC state is 7, the diagnostics firmware is loaded 
 +  - Otherwise, the byte at 0xF000 indicates which firmware partition to load from: 0 = 0x100000, 1 = 0x500000 
 + 
 + 
 +===== Firmware partitions ===== 
 + 
 +Each firmware partition starts with a small partition table. 
 + 
 +The table is made of 16-byte entries: 
 + 
 +^ Offset ^ Length ^ Description ^ 
 +| 0x00   | 4      | Data offset (relative to partition start) | 
 +0x04   4      | Data length | 
 +| 0x08   | 4      | Entry identifier | 
 +| 0x0C   | 4      | Version | 
 + 
 +The following entries are found (in the following order) in stock firmwares: 
 + 
 +^ Identifier ^ Description ^ 
 +| INDX       | Describes the partition table itself | 
 +| VER_       | Firmware version | 
 +| LVC_       | ARM9 binary | 
 +| WIFI       | BCM4319 firmware 
 +| ERR_       | Error screen bitmap | 
 +| UMI_       | UIC firmware | 
 +| IMG_       | Resource table | 
 + 
 +The partition table in a stock firmware is thus 0x70 bytes long. One can use the INDX entry to determine how many entries are in the table. 
 + 
 +When loading the firmware, the second stage bootloader assumes the third entry to be the ARM9 binary, and loads it at 0x0 in main RAM. 
 + 
 +Similarly, the stock firmware assumes the table to be laid out in the order above. 
 + 
 +The firmware is responsible for loading the BCM4319 and UIC firmwares. The BCM4319 firmware needs to be loaded on each boot. The UIC firmware is only loaded when an update is needed. 
 + 
 + 
 +===== Resource tables ===== 
 + 
 +Resource tables are used to store graphics and sound effects. The IMG_ blobs in firmware partitions and the language bank partitions use the same format.  
 + 
 +The resource table is laid out as follows: 
 + 
 +^ Offset ^ Length ^ Description ^ 
 +0x00   | 4      | Number of entries | 
 +| 0x04   | 24*N   | Resource entries | 
 +| 4+(24*N) | x    | Resource data | 
 + 
 +Each entry is 24 bytes long and laid out as follows: 
 + 
 +^ Offset ^ Length ^ Description ^ 
 +| 0x00   | 2      | Resource type 
 +  Bitmap = 0 
 +  Sound = 1 
 +  Unknown = 2 
 +
 +| 0x02   | 2      | Resource ID | 
 +| 0x04   | 4      | Data offset (relative to the start of resource data) | 
 +| 0x08   | 4      | Data length | 
 +| 0x0C   | 12     | Parameters | 
 + 
 +For bitmap data, the following parameters are used: 
 + 
 +^ Offset ^ Length ^ Description ^ 
 +| 0x00   | 4      | ??? (Format / BPP)? Always 8. | 
 +| 0x04   | 4      | Width | 
 +| 0x08   | 4      | Height | 
 + 
 +The data starts with 256 32-bit ARGB palette entries, followed by 8-bit paletted bitmap data. 
 + 
 +For sound data, the following parameters are used: 
 + 
 +^ Offset ^ Length ^ Description ^ 
 +| 0x00   | 2      | ??? (Format)? | 
 +| 0x02   | 2      | Bits per sample? Always 16. | 
 +| 0x04   | 4      | Channels? Always 1. | 
 +| 0x08   | 4      | Frequency | 
 + 
 +The data itself are PCM samples. 
 + 
 +===== Language bank ===== 
 + 
 +The current language bank partition is selected by UIC configuration data. (TODO: precise which) 
 + 
 +The FLASH might only contain a valid resource table in one of the two partitions. If this doesn't match the UIC configuration data, the firmware will fail to load localized assets, with error 165-8418. 
 + 
 + 
 +===== Remote control data ===== 
 + 
 +It is not yet known how the remote control data works.
  
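Review bot: The boot process list in the new "Second-stage bootloader" section only covers the byte at 0xF000 being 0 or 1 and does not say what the bootloader does for any other value, and the "Firmware partitions" section says the bootloader "assumes the third entry to be the ARM9 binary" without stating whether the entry identifier (LVC_) or the data length is checked before the image is loaded at 0x0. Suggest adding a line for the fallback case and for any checks performed, or marking both as unknown the way Screen1 and Screen2 are marked "??". Two smaller documentation points: none of the field tables state the byte order of the 4-byte fields, and the memory map pairs 1-based internal names (Product1, Lang1) with 0-based descriptions (Firmware partition 0, Language bank partition 0), which deserves a short note because the selector byte at 0xF000 uses 0 and 1.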
flash_layout.1732020137.txt.gz · Last modified: 2024/11/19 12:42 by arisotura
