NAND Boot Program
The NAND Boot Program is a DOL that is the boot content of every Broadway title (except the System Menu). It is linked with Revolution OS, though a separate copy from the game itself.
A special version can also be found in IOS15 and IOS21; this one lists "%s" as its version, and was probably added to those IOSes to cause error 001 to appear for IOS21 discs.
Similar to the System Menu, the NAND Boot Program is governed by its own BS2 with far fewer states.
A list of known functions can be found here.
Known global variables
This list contains both globals from Revolution OS and the NAND Boot Program, as it has not been determined which variables belong to which part of the DOL. r13 is the base pointer that all global variables (not constants) are stored relative to; it is initialized to 0x813735a0. They are stored at a negative offset, and the absolute value of the offset will be used for naming. For example, glob_7ec8 means -0x7ec8(r13).
- glob_7944 holds the total number of IOS IPC messages enqueued
- glob_7948 holds the number of pending IPC messages
- glob_7c40 is the lower 32 bits of the IOS heap range
- glob_7c50 is some counter that is decremented by 813394a8
- glob_7c54 and glob_7c58 are the ends of some linked list. This linked list has a function pointer, an unknown value, and then a next pointer, and finally a prev pointer.
- glob_7c60 is the pointer to the syscall table
- glob_7c90 is where all memory is allocated from (FUN_81333de4 in the Mii Channel v6 SDK); it is decreased every time memory is allocated.
- glob_7cb8 holds 0x80000000, probably as a base address to add offsets to.
- glob_7cdc is a boolean that stores whether OSInit has been called.
- glob_7d08 is the pointer to the bi2.bin buffer
- glob_7d20 is the current BS2 state
- glob_7d54 is a heap ID passed to AllocAligned
- glob_7d60-glob_7d58 form the string "/dev/es". It is not known why it is stored in the r13 area instead of as a normal global.
- glob_7ec8 seems to control whether error 001 shows; 1 means error 001 should be shown by the NAND Boot Program, anything else means don't show the error. It can be set to 1 by the function that is LAB_8134a6e8 in the Mii Channel v6 SDK.
- glob_7ee8 is 0 while the bi2.bin data is being processed by OSInit, 1 afterward
- glob_7f68 is the upper 32 bits of the IOS heap range
Versions
Several versions have been found: the %s
version in IOS15 and IOS21, the v1.1
version in some channels, and the v1.0
version in Forecast Channel dummy and News Channel dummy. v1.1 has a build string of release build: Oct 26 2006 16:22:40 (0x4199_60831)
, while %s has a build string of release build: Jul 31 2007 12:29:44 (0x4199_60831)
. The only other differences between v1.1 and %s seem to be that %s includes patches for the Internet Channel, and %s mentions RVA units.
v1.0's strings are identical to v1.1's, although the RVL_SDK - OS
that follows has a build date of Sep 15 2006 for v1.0, and Sep 21 2006 for v1.1.
ESP
Error messages for ES_InitLib
, ES_GetTitleId
, ESP_OpenContentFile
, ESP_ReadContentFile
, ESP_CloseContentFile
, and ESP_CloseLib
can be found in the bi2.bin reading function. It is not clear what "ESP" is; it may have been an older version of ES, possibly even used on the iQue Player, which did not have a concept of titles but had a title-like system where each title was a single content.
Dev units
There is a string in the %s version saying "Set Device Code : [RVA]", which probably means dev units used code RVA instead of RVL. Strings already exist in the System Menu that suggest that RVL is not used for dev units.
There also seems to be a file called /title/00000001/00000002/data/RVA.txt that is referenced.
Internet Channel patches
The %s version performs a "MEM1 patch" and a "MEM2 patch" on the Internet Channel. The details of this patch are currently not known.