Editing Flash:cvtrm
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 10: | Line 10: | ||
* [[Talk:Flash#VTRM]] | * [[Talk:Flash#VTRM]] | ||
* [[Hypervisor Reverse Engineering#VTRM]] | * [[Hypervisor Reverse Engineering#VTRM]] | ||
* [[SC Manager#0x9000 - SC Manager]] | * [[SC Manager#0x9000 - SC Manager]] | ||
* [[Talk:System Controller Firmware]] | * [[Talk:System Controller Firmware]] | ||
Line 16: | Line 15: | ||
* [[PARAM.PFD]] | * [[PARAM.PFD]] | ||
* [[Ps3vuart-tools#ps3dm]] | * [[Ps3vuart-tools#ps3dm]] | ||
* [[ | * [[Fixing DRL and CRL Hashes]] | ||
* [[RSOD Fix]] | * [[RSOD Fix]] | ||
Line 64: | Line 63: | ||
In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the '''hash_table''' (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value | In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the '''hash_table''' (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value | ||
At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the | At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the lenght of the areas that has been copypasted below (but only the sum of the first two copypastes, for some reason the third copypaste is not included in this sum, also the position where the third copypaste happens is a bit weird i dont get why that position, is because the 0x40 gap but that gap makes no sense, the point is the gap is there and is related with the reason why the third copypaste to not be included in this sum) | ||
---- | ---- | ||
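Review bot: In the right-hand text of the paragraph beginning "At this point the creation process is near completed", the description of the 0x10-byte header at 0xEC0000 runs straight into first-person guesswork about the 0x40 gap, so a reader cannot tell which parts are observed and which are speculation. Suggest ending the sentence after the statement that 0xA8 covers only the first two copypastes, moving the remarks about the gap to "Notes, speculation, brainstorming", and correcting "lenght" to "length".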
Line 75: | Line 74: | ||
==Notes, speculation, brainstorming== | ==Notes, speculation, brainstorming== | ||
*the start offset of some unknown areas can be find by searching for 0x1070. Is the start of an area of 8 bytes lenght (2+3+3) that probably are the offset or sizes of the next areas (and probably in blocks of 512 bytes). Some examples (ctrl+f in webbrower to search for them in the page) | |||
**10 70 00 00 02 00 00 01 | |||
**10 70 00 00 39 00 00 01 | |||
** 10 70 00 00 02 00 00 01 | **10 70 00 00 03 00 00 02 | ||
** | **10 70 00 05 FF 00 00 01 | ||
**04 00 00 00 02 00 00 05 (this one doesnt starts with 0x1070 as explained above, but seems to have the same purpose) | |||
** 10 70 00 | |||
** 10 70 00 | |||
** | |||
=VTRM hashes and how to generate them= | =VTRM hashes and how to generate them= | ||
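Review bot: The example list under the 0x1070 bullet gives bare byte strings and asks the reader to search the page for them, but "10 70 00 00 02 00 00 01" appears twice in the dump (rows 00EC28C0 and 00EC2920), so the list does not identify which record is meant. Suggest giving each example together with the offset where it occurs, and saying how the "(2+3+3)" split maps onto the 8 bytes, since the bullet only states that the fields are "probably" offsets or sizes in blocks of 512 bytes.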
Line 122: | Line 96: | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
00EC0000 <span style="background:#000000; color:#ffffff;">53 43 45 49</span> <span style="background:#000000; color:#ffffff;">56 54 52 4D</span> <span style="background:#000000; color:#ffffff;">00 00 00 00 00 00 00 A8</span> SCEIVTRM.......¨ | 00EC0000 <span style="background:#000000; color:#ffffff;">53 43 45 49</span> <span style="background:#000000; color:#ffffff;">56 54 52 4D</span> <span style="background:#000000; color:#ffffff;">00 00 00 00 00 00 00 A8</span> SCEIVTRM.......¨ <-- '''magic_scei''', '''magic_vtrm''', '''copypasted_total_used_len''' | ||
00EC0010 <span style="background:#33ff33;">00 00 00 00 00 E8 02 00</span> <span style="background:#33ff33;">00 00 00 00 00 00 00 28</span> .....è.........( | 00EC0010 <span style="background:#33ff33;">00 00 00 00 00 E8 02 00</span> <span style="background:#33ff33;">00 00 00 00 00 00 00 28</span> .....è.........( <-- '''copypaste_offset''', '''copypaste_len''' | ||
00EC0020 <span style="background:#000000; color:#ffffff;">00 00 00 00</span> <span style="background:#000000; color:#ffffff;">56 54 52 4D</span> <span style="background:#000000; color:#ffffff;">00 00 00 00 00 00 00 04</span> ....VTRM........ | 00EC0020 <span style="background:#000000; color:#ffffff;">00 00 00 00</span> <span style="background:#000000; color:#ffffff;">56 54 52 4D</span> <span style="background:#000000; color:#ffffff;">00 00 00 00 00 00 00 04</span> ....VTRM........ <-- '''copypasted_data''' | ||
00EC0030 <span style="background:# | 00EC0030 <span style="background:#dd00dd;">FE 6D 0B C4</span> <span style="background:#dd00dd;">FA D5 CE DB 93 86 FC A1 32 3B 71 47</span> þm.ÄúÕÎÛ“†ü¡2;qG <-- '''copypasted_data''' | ||
00EC0040 <span style="background:# | 00EC0040 <span style="background:#dd00dd;">3B A5 C6 F9 C0 00 B6 70</span> <span style="background:#33ff33;">00 00 00 00 00 E8 27 80</span> ;¥ÆùÀ.¶p.....è'€ <-- '''copypasted_data''', '''copypaste_offset''' | ||
00EC0050 <span style="background:#33ff33;">00 00 00 00 00 00 00 60</span> <span style="background:# | 00EC0050 <span style="background:#33ff33;">00 00 00 00 00 00 00 60</span> <span style="background:#cc6666;">00 00 00 00 00 00 09 20</span> .......`....... <-- '''copypaste_len''', '''copypasted_data''' | ||
00EC0060 <span style="background:# | 00EC0060 <span style="background:#ff9999;">04 00</span> <span style="background:#ffaaaa;">00 00 02</span> <span style="background:#ffaaaa;">00 00 05</span> <span style="background:#ff8888;">10 70</span> <span style="background:#ffaaaa;">00 05 FF</span> <span style="background:#ffaaaa;">00 00 01</span> .........p..ÿ... <-- '''copypasted_data''' | ||
00EC0070 <span style="background:#ff6666;">0C 1C 05 9C AA B5 97 A5 9C D6 46 2D EA 22 46 BE</span> ...œªµ—¥œÖF-ê"F¾ <-- '''copypasted_data''' | |||
00EC0080 <span style="background:#ff6666;">D1 84 A9 1E 34 5F E7 90 55 49 11 82 51 9D 4A 3F</span> Ñ„©.4_ç.UI.‚Q.J? <-- '''copypasted_data''' | |||
00EC0090 <span style="background:#ff6666;">EF 43 19 E8 4F 6A 5B FF DA 31 E9 F0 76 C8 B2 6B</span> ïC.èOj[ÿÚ1éðvȲk <-- '''copypasted_data''' | |||
00EC00A0 <span style="background:#ff6666;">0B A7 47 8E BE 42 28 9F 2B 88 73 0B A5 B6 F2 1D</span> .§GŽ¾B(Ÿ+ˆs.¥¶ò. <-- '''copypasted_data''' | |||
00EC00B0 <span style="background:#ff9999;">00 00 00 00 00 00 00 00</span> <span style="background:#bbbbbb;">FF FF FF FF FF FF FF FF</span> ........ÿÿÿÿÿÿÿÿ <-- '''copypasted_data''', '''weird_gap''' | |||
[...] <span style="background:#bbbbbb;">FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</span> ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <-- '''weird_gap''' | |||
00EC00F0 <span style="background:#bbbbbb;">FF FF FF FF FF FF FF FF</span> <span style="background:#33ff33;">00 00 00 00 00 EB E4 8C</span> ÿÿÿÿÿÿÿÿ.....ëäŒ <-- '''weird_gap''', '''copypaste_offset''' | |||
00EC0100 <span style="background:#33ff33;">00 00 00 00 00 00 00 14</span> <span style="background:# | 00EC0100 <span style="background:#33ff33;">00 00 00 00 00 00 00 14</span> <span style="background:#6666ff;">39 17 52 0B 31 70 F5 05</span> ........9.R.1põ. <-- '''copypaste_len''', '''copypasted_data''' | ||
00EC0110 <span style="background:# | 00EC0110 <span style="background:#6666ff;">02 5A C6 F8 81 F8 54 96 2F EF F3 81</span> <span style="background:#777777;">FF FF FF FF</span> .ZÆø.øT–/ïó.ÿÿÿÿ <-- '''copypasted_data''', '''erased_bytes''' | ||
[...] <span style="background:#777777;">FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</span> ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | [...] <span style="background:#777777;">FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</span> ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <-- '''erased_bytes''' <--- to fill up to 512 bytes or 0x400 (2 blocks) | ||
00EC0400 <span style="background:#000000; color:#ffffff;">00 00 00 00</span> <span style="background:#000000; color:#ffffff;">56 54 52 4D</span> <span style="background:#000000; color:#ffffff;">00 00 00 00 00 00 00 04</span> ....VTRM........ | 00EC0400 <span style="background:#000000; color:#ffffff;">00 00 00 00</span> <span style="background:#000000; color:#ffffff;">56 54 52 4D</span> <span style="background:#000000; color:#ffffff;">00 00 00 00 00 00 00 04</span> ....VTRM........ <-- '''magic_void''' + '''magic_vtrm''' + '''next_unknown_stuff_len''' ? <---- inner vtrm | ||
00EC0410 <span style="background:# | 00EC0410 <span style="background:#dd00dd;">FE 6D 0B C4</span> <span style="background:#dd00dd;">FA D5 CE DB 93 86 FC A1 32 3B 71 47</span> þm.ÄúÕÎÛ“†ü¡2;qG <-- 0x14 bytes hash, same value as 0xEC0030 | ||
00EC0420 <span style="background:# | 00EC0420 <span style="background:#dd00dd;">3B A5 C6 F9 C0 00 B6 70</span> <span style="background:#33ff33;">00 00 00 00 00 00 04 90</span> ;¥ÆùÀ.¶p........ <-- '''entry_num''' = 0x490 (1168 in decimal, 8 bytes each entry) | ||
00EC0430 <span style="background:# | 00EC0430 <span style="background:#ff3377;">00 00 00 00 00 00 09 20</span> <span style="background:#ff3377;">00 00 00 00 00 00 00 03</span> ....... ........ <-- '''entry_num_double''' = 0x920 (2336 in decimal, is also used as the default value for entries) + '''entry_used_slots''' = 0x3 | ||
00EC0440 <span style="background:# | 00EC0440 <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> ....... ....... <-- 0x8 bytes repetive pattern <--- table starts here | ||
[...] <span style="background:# | [...] <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> ....... ....... <-- 0x8 bytes repetive pattern | ||
00EC1930 <span style="background:#ffff66;">00 00 00 00 00 00 00 01</span> <span style="background:# | 00EC1930 <span style="background:#ffff66;">00 00 00 00 00 00 00 01</span> <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> ............... <-- 0x8 bytes pattern exception ! | ||
[...] <span style="background:# | [...] <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> ....... ....... <-- 0x8 bytes repetive pattern | ||
00EC21F0 <span style="background:#ffff66;">00 00 00 00 00 00 00 02</span> <span style="background:# | 00EC21F0 <span style="background:#ffff66;">00 00 00 00 00 00 00 02</span> <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> ............... <-- 0x8 bytes pattern exception ! | ||
[...] <span style="background:# | [...] <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> ....... ....... <-- 0x8 bytes repetive pattern | ||
00EC24F0 <span style="background:# | 00EC24F0 <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> <span style="background:#ffff66;">00 00 00 00 00 00 00 00</span> ....... ........ <-- 0x8 bytes pattern exception ! | ||
[...] <span style="background:# | [...] <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> <span style="background:#bbbb66;">00 00 00 00 00 00 09 20</span> ....... ....... <-- 0x8 bytes repetive pattern | ||
00EC28C0 <span style="background:# | 00EC28C0 <span style="background:#cc6666;">00 00 00 00 00 00 09 20</span> <span style="background:#ff8888;">10 70</span> <span style="background:#ffaaaa;">00 00 02</span> <span style="background:#ffaaaa;">00 00 01</span> ....... .p...... <-- encrypted data related info | ||
00EC28D0 <span style="background:#ff8888;">10 70</span> <span style="background:#ffaaaa;">00 00 39</span> <span style="background:#ffaaaa;">00 00 01</span> <span style="background:#ff6666;">22 66 39 B3 0E 7A 1C E7</span> .p..9..."f9³.z.ç <-- encrypted data | |||
00EC28E0 <span style="background:# | 00EC28E0 <span style="background:#ff6666;">68 85 F9 94 A8 30 BE C4 0B 85 D0 92 1E C0 8F 28</span> h…ù”¨0¾Ä.…Ð’.À.( | ||
00EC28F0 <span style="background:# | 00EC28F0 <span style="background:#ff6666;">7F 70 ED 15 D6 22 06 24 D9 08 64 0B C0 D7 97 29</span> .pí.Ö".$Ù.d.À×—) | ||
00EC2900 <span style="background:#ff6666;">BE A1 FE 91 D1 F2 D4 88 25 EF 24 86 E0 A3 CB 98</span> ¾¡þ‘ÑòÔˆ%ï$†à£Ë˜ | |||
00EC2910 <span style="background:# | 00EC2910 <span style="background:#ff6666;">AF 17 6F B1 64 A0 56 E5</span> <span style="background:#ff9999;">00 00 00 00 00 00 00 01</span> ¯.o±d Vå........ | ||
00EC2920 <span style="background:# | 00EC2920 <span style="background:#cc6666;">00 00 00 00 00 00 09 20</span> <span style="background:#ff8888;">10 70</span> <span style="background:#ffaaaa;">00 00 02</span> <span style="background:#ffaaaa;">00 00 01</span> ....... .p...... <-- encrypted data related info | ||
00EC2930 <span style="background:# | 00EC2930 <span style="background:#ff8888;">10 70</span> <span style="background:#ffaaaa;">00 00 03</span> <span style="background:#ffaaaa;">00 00 02</span> <span style="background:#ff6666;">F9 D9 6A 84 0C F2 D8 E7</span> .p......ùÙj„.òØç <-- encrypted data | ||
00EC2940 <span style="background:#ff6666;">D4 44 5C 3C DF D5 DF 0F B8 DC 3E 81 9A A4 71 8F</span> ÔD\<ßÕß.¸Ü>.š¤q. | |||
00EC2950 <span style="background:# | 00EC2950 <span style="background:#ff6666;">0A A8 8B 90 1B 2C A1 D1 66 84 AA EE 65 D1 46 9A</span> .¨‹..,¡Ñf„ªîeÑFš | ||
00EC2960 <span style="background:#ff6666;">D7 38 83 F2 78 47 D1 8E E5 FA EB 39 CF 26 E8 25</span> ×8ƒòxGÑŽåúë9Ï&è% | |||
00EC2970 <span style="background:# | 00EC2970 <span style="background:#ff6666;">85 DE 3B C6 0B C3 45 D5</span> <span style="background:#ff9999;">00 00 00 00 00 00 00 00</span> …Þ;Æ.ÃEÕ........ | ||
00EC2980 <span style="background:# | 00EC2980 <span style="background:#cc6666;">00 00 00 00 00 00 09 20</span> <span style="background:#ff8888;">04 00</span> <span style="background:#ffaaaa;">00 00 02</span> <span style="background:#ffaaaa;">00 00 05</span> ....... ........ <-- encrypted data related info, same 0x60 bytes at 0xEC0058 | ||
00EC2990 <span style="background:# | 00EC2990 <span style="background:#ff8888;">10 70</span> <span style="background:#ffaaaa;">00 05 FF</span> <span style="background:#ffaaaa;">00 00 01</span> <span style="background:#ff6666;">0C 1C 05 9C AA B5 97 A5</span> .p..ÿ......œªµ—¥ <-- encrypted data | ||
00EC29A0 <span style="background:#ff6666;">9C D6 46 2D EA 22 46 BE D1 84 A9 1E 34 5F E7 90</span> œÖF-ê"F¾Ñ„©.4_ç. | |||
00EC29B0 <span style="background:# | 00EC29B0 <span style="background:#ff6666;">55 49 11 82 51 9D 4A 3F EF 43 19 E8 4F 6A 5B FF</span> UI.‚Q.J?ïC.èOj[ÿ | ||
00EC29C0 <span style="background:#ff6666;">DA 31 E9 F0 76 C8 B2 6B 0B A7 47 8E BE 42 28 9F</span> Ú1éðvȲk.§GŽ¾B(Ÿ | |||
00EC29D0 <span style="background:# | 00EC29D0 <span style="background:#ff6666;">2B 88 73 0B A5 B6 F2 1D</span> <span style="background:#ff9999;">00 00 00 00 00 00 00 00</span> +ˆs.¥¶ò......... | ||
[...] <span style="background:# | [...] <span style="background:#bbbbbb;">FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</span> ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <-- not-used slots for encrypted data ? | ||
00EF94C0 <span style="background:# | 00EF94C0 <span style="background:#6666ff;">39 17 52 0B 31 70 F5 05 02 5A C6 F8 81 F8 54 96</span> 9.R.1põ..ZÆø.øT– <-- '''hashes_table_start''', 0x490 entries (1168 in decimal), 0x14 bytes entry lenght, default hash is same than 0xEC0108 | ||
00EF94D0 <span style="background:# | 00EF94D0 <span style="background:#6666ff;">2F EF F3 81</span> /ïó. | ||
[...] | [...] the same hash repeated, with some exceptions <-- exception at 0xEFE68C and then it continues after 0xEFE69F | ||
00EFEFE0 <span style="background:#6666ff;">39 17 52 0B</span> 9.R. | |||
00EFEFF0 <span style="background:# | 00EFEFF0 <span style="background:#6666ff;">31 70 F5 05 02 5A C6 F8 81 F8 54 96 2F EF F3 81</span> 1põ..ZÆø.øT–/ïó. <-- 0x14 bytes lenght hashes table end | ||
[...] <span style="background:#777777;">00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | [...] <span style="background:#777777;">00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span> ................ <-- 0x00's filled up to end of file (0x7800 blocks) | ||
00EFFFF0 <span style="background:#777777;">00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span> ................ | 00EFFFF0 <span style="background:#777777;">00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span> ................ | ||
==NOR Example== | ==NOR Example== | ||
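Review bot: The copypaste_offset annotations at rows 00EC0010, 00EC0040 and 00EC00F0 do not say what the offsets are relative to, and the stored values (0xE80200, 0xE82780, 0xEBE48C) are each 0x40200 lower than the dump addresses the page associates with that data (0xEC0400, 0xEC2980, 0xEFE68C). Suggest stating that base next to the field name. The copypasted_total_used_len label has a similar gap: 0xA8 is the span from 0xEC0010 to 0xEC00B8, so it counts the two 0x10-byte offset/length descriptors as well as the 0x28 and 0x60 bytes of data, which the annotation does not make clear. The note on the erased_bytes row, "to fill up to 512 bytes or 0x400 (2 blocks)", should settle on one figure, since 0x400 is 1024 bytes.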
Line 183: | Line 157: | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
00EC0000 53 43 45 49 FF FF FF FF FF FF FF FF FF FF FF FF SCEIÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00EC0010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
... | |||
00EC3FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00EC4000 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ | |||
00EC4010 0D 20 53 4F EE E8 06 E3 E7 AC 57 E1 E9 64 6C BF . SOîè.ãç¬Wáédl¿ | |||
00EC4020 ED BE 69 E1 00 00 00 E0 00 00 00 00 00 00 02 09 í¾iá...à........ | |||
00EC4030 00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 02 ................ | |||
00EC4040 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC4050 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC4060 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC4070 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC4080 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC4090 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC40A0 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC40B0 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC40C0 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC40D0 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ | |||
00EC40E0 00 00 00 00 00 00 04 12 00 00 | |||
{{Flash}} | {{Flash}} | ||
<noinclude>[[Category:Main]]</noinclude> | <noinclude>[[Category:Main]]</noinclude> |
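Review bot: The NOR dump rows from 00EC0000 to 00EC40E0 carry none of the field annotations the NAND dump has, and the last row stops after ten bytes. Suggest labelling at least the header fields, where 0x209 and 0x412 sit in the positions the NAND dump annotates as entry_num (0x490) and entry_num_double (0x920), and either completing the truncated row or marking it with "[...]" as the NAND dump does.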