KBOOTI

From PSP Developer wiki

KBOOTI, also known as Kernel Boot Internal, is an encrypted file used by the DEM-1000 and DTP-T1000 to start the kernel. It is divided into two parts:

KBOOTI can also appear under other names, such as BOOTDISPI, INITI, FORMATI, DFORMATI, WRITEI and WRITEI_SYS.

Type        Offset   Size
iplloader   0x0      0x1000
IPL         0x1000   N/A

Both parts are encrypted and hashed. The iplloader part is encrypted and hashed using the following layout:

Offset   Size                                                Description
0x0      0x10                                                HMAC-MD5 or CMAC-MD5
0x10     0x2                                                 Data Size (in Little Endian)
0x12     Data Size value rounded up to a multiple of 0x10    Data, AES CBC encrypted

Because the boot code appears to be able to decrypt only in increments of 0x10, the decryption and hash checks are always performed on multiples of 0x10 bytes regardless of the data size value. Decryption appears to use a static key and IV (the IV is most likely 0) and supposedly happens directly on Tachyon at address 0xBFD00000. The boot code then resets Tachyon, which maps address 0xBFD00000 to 0xBFC00000 (0xBFD00000 becomes an invalid address); this presumably also unmaps the boot code. It is likely that the boot code is executed by having the CP binaries set either specific registers or exception vectors to the boot code address before starting Tachyon.
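The following Go program is an added example, not code from the wiki or from any PSP tool: it parses the iplloader layout in the table above (0x10-byte MAC, 2-byte little-endian size, ciphertext rounded up to a multiple of 0x10), verifies the MAC and AES-CBC decrypts the padded region with a zero IV. The real key is not known, so the keys here are constructed placeholders; the MAC is assumed to be HMAC-MD5 over exactly the rounded-up ciphertext, which the page does not specify; and BuildIplloader exists only to produce a constructed blob so the parser can be run offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
)

// Offsets of the iplloader part as documented on the page.
const (
	macOff   = 0x00 // 0x10-byte MAC (page: HMAC-MD5 or CMAC-MD5; HMAC-MD5 assumed here)
	sizeOff  = 0x10 // 2-byte little-endian data size
	dataOff  = 0x12 // AES-CBC ciphertext, length rounded up to a multiple of 0x10
	aesBlock = 0x10
	macLen   = 0x10
)

// Constructed keys for this example only; the real static key is not known.
// The page says the IV is most likely 0, so a zero IV is used.
var (
	exampleMacKey = bytes.Repeat([]byte{0xA5}, 16)
	exampleAesKey = bytes.Repeat([]byte{0x5A}, 16)
	zeroIV        = make([]byte, aesBlock)
)

// roundUp16 rounds n up to the next multiple of 0x10, mirroring the boot code,
// which hashes and decrypts whole 0x10-byte blocks regardless of the size field.
func roundUp16(n int) int { return (n + aesBlock - 1) &^ (aesBlock - 1) }

// Iplloader is a parsed view of the header and the rounded-up ciphertext region.
type Iplloader struct {
	MAC        []byte
	DataSize   int    // raw value of the size field
	PaddedSize int    // DataSize rounded up to a multiple of 0x10
	Ciphertext []byte // PaddedSize bytes starting at offset 0x12
}

// ParseIplloader validates the header and slices out the ciphertext region.
func ParseIplloader(buf []byte) (*Iplloader, error) {
	if len(buf) < dataOff {
		return nil, errors.New("iplloader: buffer shorter than the 0x12-byte header")
	}
	size := int(binary.LittleEndian.Uint16(buf[sizeOff:dataOff]))
	padded := roundUp16(size)
	if len(buf) < dataOff+padded {
		return nil, fmt.Errorf("iplloader: need %#x data bytes, have %#x", padded, len(buf)-dataOff)
	}
	return &Iplloader{
		MAC:        buf[macOff : macOff+macLen],
		DataSize:   size,
		PaddedSize: padded,
		Ciphertext: buf[dataOff : dataOff+padded],
	}, nil
}

// VerifyAndDecrypt checks the MAC (assumed: HMAC-MD5 over the padded ciphertext)
// and then AES-CBC decrypts the padded region with a zero IV. All PaddedSize
// plaintext bytes are returned; the caller trims to DataSize.
func VerifyAndDecrypt(l *Iplloader, macKey, aesKey []byte) ([]byte, error) {
	h := hmac.New(md5.New, macKey)
	h.Write(l.Ciphertext)
	if !hmac.Equal(h.Sum(nil), l.MAC) { // constant-time comparison
		return nil, errors.New("iplloader: MAC mismatch")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, l.PaddedSize)
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(plain, l.Ciphertext)
	return plain, nil
}

// BuildIplloader produces a blob in the documented layout from plaintext so the
// parser can be exercised on constructed input. Data is zero-padded to 0x10.
func BuildIplloader(plain, macKey, aesKey []byte) ([]byte, error) {
	if len(plain) > 0xFFFF {
		return nil, errors.New("iplloader: data too large for the 16-bit size field")
	}
	padded := make([]byte, roundUp16(len(plain)))
	copy(padded, plain)
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, padded)
	h := hmac.New(md5.New, macKey)
	h.Write(ct)
	sizeField := make([]byte, 2)
	binary.LittleEndian.PutUint16(sizeField, uint16(len(plain)))
	out := append(h.Sum(nil), sizeField...)
	return append(out, ct...), nil
}

func main() {
	msg := []byte("constructed iplloader payload") // 29 bytes, padded to 0x20
	blob, _ := BuildIplloader(msg, exampleMacKey, exampleAesKey)
	l, _ := ParseIplloader(blob)
	plain, err := VerifyAndDecrypt(l, exampleMacKey, exampleAesKey)
	fmt.Printf("size=%#x padded=%#x err=%v data=%q\n", l.DataSize, l.PaddedSize, err, plain[:l.DataSize])
}
```

Note that the size field is only read after the MAC region is known to be present, and the padded length is checked against the buffer before any slicing, so a truncated or oversized size value is rejected rather than causing an out-of-range read.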

The IPL part is composed either of multiple 0x1000-byte kirk1 blocks (each decrypted using KIRK command 1) or of a single large kirk block (in the case of 0.6 and older kbooti). 3.50+ DTP-T1000 IPLs use an additional obfuscation step, XORing the header of each IPL block with an unknown 0x40-byte value.