Table of Contents
FLASH layout
The gamepad's firmware data is stored in a 32MB FLASH memory. This page describes the layout of the data in that memory.
Memory map
| Address | Internal name | Description |
|---|---|---|
| 0x0000000 | SPL | Second-stage bootloader |
| 0x000E000 | ErrorLog | Subsector used to write error data |
| 0x000F000 | Bank | Active firmware partition |
| 0x0100000 | Product1 | Firmware partition 0 |
| 0x0500000 | Product2 | Firmware partition 1 |
| 0x0900000 | Lang1 | Language bank partition 0 |
| 0x1100000 | Lang2 | Language bank partition 1 |
| 0x1900000 | TVcode | Remote control data |
| 0x1B00000 | Screen1 | ?? |
| 0x1B80000 | Screen2 | ?? |
| 0x1C00000 | Service | Diagnostics firmware partition |
| 0x1FDE000 | InspData | Diagnostics use |
| 0x1FDF000 | Seq&Conf | Diagnostics use |
| 0x1FE0000 | InspLog1 | Diagnostics use |
| 0x1FF0000 | InspLog2 | Diagnostics use |
The internal names come from the diagnostics firmware's FLASH viewer utility.
Second-stage bootloader
The second-stage bootloader is responsible for setting up the hardware and loading and booting the actual firmware.
The bootloader layout is simple:
| Offset | Length | Description |
|---|---|---|
| 0x00 | 4 | Length of bootloader code |
| 0x04 | 64 | Exception vectors |
| 0x44 | N | Bootloader code |
The exception vectors are loaded at 0x0 in main RAM, and the bootloader code is loaded at 0x3F0000.
The boot process is as follows:
- If the UIC state is 7, the diagnostics firmware is loaded
- Otherwise, the byte at 0xF000 indicates which firmware partition to load from: 0 = 0x100000, 1 = 0x500000
Firmware partitions
Each firmware partition starts with a small partition table.
The table is made of 16-byte entries:
| Offset | Length | Description |
|---|---|---|
| 0x00 | 4 | Data offset (relative to partition start) |
| 0x04 | 4 | Data length |
| 0x08 | 4 | Entry identifier |
| 0x0C | 4 | Version |
The following entries are found (in the following order) in stock firmwares:
| Identifier | Description |
|---|---|
| INDX | Describes the partition table itself |
| VER_ | Firmware version |
| LVC_ | ARM9 binary |
| WIFI | BCM4319 firmware |
| ERR_ | Error screen bitmap |
| UMI_ | UIC firmware |
| IMG_ | Resource table |
The partition table in a stock firmware is thus 0x70 bytes long. One can use the INDX entry to determine how many entries are in the table.
When loading the firmware, the second stage bootloader assumes the third entry to be the ARM9 binary, and loads it at 0x0 in main RAM.
Similarly, the stock firmware assumes the table to be laid out in the order above.
The firmware is responsible for loading the BCM4319 and UIC firmwares. The BCM4319 firmware needs to be loaded on each boot. The UIC firmware is only loaded when an update is needed.
Resource tables
Resource tables are used to store graphics and sound effects. The IMG_ blobs in firmware partitions and the language bank partitions use the same format.
The resource table is laid out as follows:
| Offset | Length | Description |
|---|---|---|
| 0x00 | 4 | Number of entries |
| 0x04 | 24*N | Resource entries |
| 4+(24*N) | x | Resource data |
Each entry is 24 bytes long and laid out as follows:
| Offset | Length | Description |
|---|---|---|
| 0x00 | 4 | Resource ID |
| 0x04 | 4 | Data offset (relative to the start of resource data) |
| 0x08 | 4 | Data length |
| 0x0C | 4 | Resource type |
| 0x10 | 4 | Parameter 1 |
| 0x14 | 4 | Parameter 2 |
There are two possible resource types: 0x00000008 for bitmap data and 0x00100000 for sound data.
For bitmap data, parameters 1 and 2 are respectively the width and height of the bitmap. The data starts with 256 32-bit ARGB palette entries, followed by 8-bit paletted bitmap data.
For sound data, it isn't clear what parameters 1 and 2 mean. Parameter 2 is related to the data length. The data itself seems to be PCM16 samples.
Language bank
The current language bank partition is selected by UIC configuration data. (TODO: precise which)
The FLASH might only contain a valid resource table in one of the two partitions. If this doesn't match the UIC configuration data, the firmware will fail to load localized assets, with error 165-8418.
Remote control data
It is not yet known how the remote control data works.