Talk:SC EEPROM
Memory test diagnosis NVS flag
There is a NVS flag which enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows memtest diagnose.
Pseudo-code:
def check_bootrom_diag_mode(mode, param)
diag_mode = get_eeprom_bootrom_diag()
if diag_mode & 0x1:
if diag_mode & 0x100:
return 0
mode = (diag_mode >> 3) & 0x1
param = (diag_mode >> 3) & 0x1
else:
mode = (diag_mode >> 1) & 0x1
param = -1
return 1
EEPROM Dumps
EEPROM Strings (CP memory dump, DECR)
http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK
Bus Pirate stuff
http://i.imgur.com/48rbR51.png
(needs more wikifying)
On standby
- Note: during this time the plaintext EEPROM is never read even once!
- Additionally, the areas 0x26B0, 0x26D0 are not read
- Checks status
- Unlocks Write Command
- Reads PATCH top half region
- Reads PATCH bottom half region
- Reads 0x2790?(0x20)
- Reads 0x27B0?(0x10)
- Reads 0x26D0 (0x10)
- Reads some configs? (around >0x31XX area)
- Reads 0x0 (0x10)
- Reads some configs?
- Reads 0x10(0x280) (EID1)?
- Reads 0x3A00 (0x1)
- Reads 0x290 (0x10) (EID1 CMAC?)
- Reads 0x2A0 (0x20)
- Reads 0x2C0 (0x20)
- Reads 0x2E0 (0x20)
- Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
- ReReads EID1 and CMAC
- Reads 0x360
- Reads 0x370
- Writes (again) mostly ff's to 0x360 and 0x370
- ReReads EID1 and CMAC
- Does same process with 0x460 and 0x470
- Reads 0x2710 and 0x2730 (0x20,0x10) ???
- Reads 0x2700 (0x10)
- fini!
MemoryMap Syscon BB Chip
0x1000-0x1FFF:PTCH Region (patch written here)
Nice read about Syscon EEPROM
http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/
BE Count region
The format of this region is weird, in mullions have a size of 0x200 but it was reduced to 0x100 for sherwoods
In sherwoods it seems to start with 2 bytes (bringup counter), 2 bytes (shutdown counter), 4 bytes (total runtime in seconds), 4 bytes (unknown, but the last 2 bytes are always 0000), then value 0x3CEF0000 (unknown, seems to be static). The rest of the region is filled with FF, some consoles have 2 bytes used at relative offset 0x20 (as example, with value 0x55AA)
Example (CokR40, REX-001emmc, SW3-304)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000800 05 B6 05 23 00 3D AD FA F4 80 00 00 3C EF 00 00 .¶.#.=úô€..<ï.. 00000810 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000820 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000830 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000840 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000850 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000860 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000870 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000880 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000890 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008B0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Example (CokG11, DYN-001, SW2-301)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000800 07 C8 07 94 00 9E 23 A6 F4 80 00 00 3C EF 00 00 .È.”.ž#¦ô€..<ï.. 00000810 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000820 55 AA FF FF FF FF FF FF FF FF FF FF FF FF FF FF Uªÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000830 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000840 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000850 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000860 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000870 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000880 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00000890 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008B0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000008F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
- Note the bytes at relative offset 0x20 with value 0x55AA, this bytes are a rarity, only found in 1 syscon dump from 10 checked
Experimental table
The goal is to join together all the "memory map" info in a single table
Area | SPI / UART | Syscall 863 | Data Name | Wikitable builder Notes (temporal) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Name | Size | csum | Mullion | Sherwood | whitelist | Block ID NVS Region |
whitelist | Offset | Size | |||||
32KB | 20KB | SW/2/3(emu) | EEP | lv1/DM | UM | SCM | ||||||||
Authenticated Data | 0x2560 | No | 0x0000 | 0x0000 | ? | Exploit | No | Patch | Patch | Patch | ? | Data table (0x160+(0x9*0x400)) ? | ||
? | 0x150 | No | 0x2560 | 0x2560 | ? | Exploit | No | Patch | Patch | Patch | ? | Filled with FF's ? | ||
System Info | 0x150 | No | 0x26B0 | 0x26B0 | 0x0000~ ? | Exploit | No | Patch | Patch | Patch | ? | This wikitable row needs to be splitted up to 5+ rows | ||
Patch 1 | 0x400 | No | 0x2800 | 0x2800 | 0x2000(flash) | Exploit | No | Patch | Patch | Patch | ? | 0x400 | Syscon Firmware Patch (top half) | |
- | 0x300 | No | 0x2C00 | 0x2C00 | 0x0B00 | Yes/UART | No | Patch | Patch | Patch | ? | 0x300 | not used | Filled with FF's |
Industry Area | 0x100 | No | 0x2F00 | 0x2F00 | 0x0E00 | Yes/UART | 0x10 | Patch | Yes | Yes | 0x02F00 | This wikitable row needs to be splitted up to 20+ rows | ||
Customer Service Area | 0x100 | No | 0x3000 | 0x3000 | 0x0F00 | Yes/UART | 0x20 | Patch | Yes | Yes | 0x03000 | 0x100 | Filled with FF's ? | |
Platform Config | 0x100 | Yes | 0x3100 | 0x3100 | 0x0040~ | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | This wikitable row needs to be splitted up to 5+ rows | |
Hardware Config | 0x100 | Yes | 0x3200 | 0x3200 | 0x0140~ | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | This wikitable row needs to be splitted up to 40+ rows | |
Thermal Config | 0x200 | Yes | 0x3300 | 0x3300 | 0x0250 (size 0x1B0) | Yes/UART | No | Patch | Patch | Patch | ? | 0x200 | Data table. See: Syscon Thermal Configs | |
BE Count | 0x200 | No | 0x3500 | 0x3500 | 0x0800 (size 0x100) | Yes/UART | No | Patch | Patch | Patch | ? | 0x200 | Data table | |
Error Log | 0x100 | No | 0x3700 | 0x3700 | 0x0900 | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | Data table. See: Syscon Error Codes | |
- | 0x100 | No | 0x3800 | 0x3800 | N/A ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | not used | Filled with FF's |
Board Config/Debug | 0x100 | Yes | 0x3900 | 0x3900 | 0x0000~ ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | This wikitable row needs to be splitted up to 15+ rows | |
HDMI/DVE Config | 0x100 | No | 0x3A00 | 0x3A00 | 0x0A00 | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | This wikitable row needs to be splitted up to 5+ rows | |
- | 0x100 | No | 0x3B00 | 0x3B00 | N/A ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | not used | Filled with FF's |
Config Ring | 0x200 | Yes | 0x3C00 | 0x3C00 | 0x0400 ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x200 | not used | Filled with FF's |
Debug 2 | 0x200 | Yes | 0x3E00 | 0x3E00 | 0x0600 ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x200 | not used | Filled with FF's |
- | 0x3000 | No | 0x4000 | N/A | N/A | Yes/UART | No | Patch | Patch | Patch | ? | 0x3000 | reserved | Filled with FF's |
System Config ? | 0x100 | No | 0x7000 | 0x4000 | 0x1000 | Yes/UART | 0x0 | Patch | Patch | Yes | 0x48000 | 0x100 | Filled with FF's ? | |
System Event Log ? | 0x100 | No | 0x7100 | 0x4100 | 0x1100 | Yes/UART | 0x1 | Patch | Patch | Yes | 0x48800 | Data table (0x10+(0x6*0x28)) | Header + Data table ? | |
Flags and Tokens | 0x100 | No | 0x7200 | 0x4200 | 0x1200 | Yes/UART | 0x2 | Patch | Yes or Patch* |
Yes | 0x48C00 | This wikitable row needs to be splitted up to 50+ rows | ||
System Data ? | 0x100 | No | 0x7300 | 0x4300 | 0x1300 | Yes/UART | 0x3 | Patch | Patch | Yes | 0x48D00 | 0x100 | Filled with FF's ? | |
Patch 2 | 0xC00 | No | 0x7400 | 0x4400 | 0x2000(flash) | Exploit | No | Patch | Patch | Patch | ? | 0xC00 | Syscon Firmware Patch (bottom half) |