Editing Flash

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 55: Line 55:
| {{perfirmware}} || 7 || colspan="2" | [[Flash:Revoke_Package#trvk_pkg1|trvk_pkg1]] || 0x0A0000 || 0x0BFFFF || 0x20000 || (131,072 bytes) || 500h ||
| {{perfirmware}} || 7 || colspan="2" | [[Flash:Revoke_Package#trvk_pkg1|trvk_pkg1]] || 0x0A0000 || 0x0BFFFF || 0x20000 || (131,072 bytes) || 500h ||
|-
|-
| {{perfirmware}} || 8 || colspan="2" | [[Flash:ROS#ros0|ros0]] || 0x0C0000 || 0x7BFFFF || 0x700000 || (7,340,032&nbsp;bytes) || 600h || <small>Contains CoreOS files, [[Boot_Order|filecontent depends on firmware version]]</small>
| {{perfirmware}} || 8 || colspan="2" | [[Flash:ROS#ros0|ros0]] || 0x0C0000 || 0x7BFFFF || 0x700000 || (7,340,032&nbsp;bytes) || 600h || <small>Contains CoreOS files, [http://www.ps3devwiki.com/index.php?title=Boot_Order#CoreOS_PKG_Filelisting filecontent depends on firmware version]</small>
|-
|-
| {{perfirmware}} || 9 || colspan="2" | [[Flash:ROS#ros1|ros1]] || 0x7C0000 || 0xEBFFFF || 0x700000 || (7,340,032&nbsp;bytes) || 3E00h || <small>Contains CoreOS files, [[Boot_Order|filecontent depends on firmware version]]</small>
| {{perfirmware}} || 9 || colspan="2" | [[Flash:ROS#ros1|ros1]] || 0x7C0000 || 0xEBFFFF || 0x700000 || (7,340,032&nbsp;bytes) || 3E00h || <small>Contains CoreOS files, [http://www.ps3devwiki.com/index.php?title=Boot_Order#CoreOS_PKG_Filelisting filecontent depends on firmware version]</small>
|-
|-
| {{perconsole}} || A || colspan="2" | [[Flash:cvtrm|cvtrm]] || 0xEC0000 || 0xEFFFFF || 0x40000 || (262,144&nbsp;bytes) || 7600h ||
| {{perconsole}} || A || colspan="2" | [[Flash:cvtrm|cvtrm]] || 0xEC0000 || 0xEFFFFF || 0x40000 || (262,144&nbsp;bytes) || 7600h ||
Line 129: Line 129:
| {{generic}} || 6 || colspan="2" | [[Flash:creserved_0|creserved_0]] || 0x0095800 || 0x00BFFFF || <abbr title="length is notated @ offset 0x004033D-0x004033F">0x2A800</abbr> || (174,080&nbsp;bytes) || 4ACh ||  
| {{generic}} || 6 || colspan="2" | [[Flash:creserved_0|creserved_0]] || 0x0095800 || 0x00BFFFF || <abbr title="length is notated @ offset 0x004033D-0x004033F">0x2A800</abbr> || (174,080&nbsp;bytes) || 4ACh ||  
|-
|-
| {{perfirmware}} || 7 || colspan="2" | [[Flash:ROS|ros]] || 0x00C0000 || 0x0EBFFFF || <abbr title="length of both ROS0+ROS1 combined is notated @ offset 0x004036D-0x004036F">0xE00000</abbr> || (14,680,064&nbsp;bytes) || 600h
| {{perfirmware}} || 7 || colspan="2" | [[Flash:ROS|ROS]] || 0x00C0000 || 0x0EBFFFF || <abbr title="length of both ROS0+ROS1 combined is notated @ offset 0x004036D-0x004036F">0xE00000</abbr> || (14,680,064&nbsp;bytes) || 600h
|-
|-
| {{perfirmware}} ||  || 0 || [[Flash:ROS##ros0|ros0]] || 0x00C0020 || 0x07C000F || 0x6FFFF0 || (7,340,016&nbsp;bytes) || || <small>Contains CoreOS files, [[Boot_Order|filecontent depends on firmware version]]</small>
| {{perfirmware}} ||  || 0 || [[Flash:ROS##ros0|ros0]] || 0x00C0020 || 0x07BFFFF || 0x700000 || (7,340,032&nbsp;bytes) || || <small>Contains CoreOS files, [http://www.ps3devwiki.com/index.php?title=Boot_Order#CoreOS_PKG_Filelisting filecontent depends on firmware version]</small>
|-
|-
| {{perfirmware}} ||  || 1 || [[Flash:ROS##ros1|ros1]] || 0x07C0010 || 0x0EBFFFF || 0x6FFFF0 || (7,340,016&nbsp;bytes) || || <small>Contains CoreOS files, [[Boot_Order|filecontent depends on firmware version]]</small>
| {{perfirmware}} ||  || 1 || [[Flash:ROS##ros1|ros1]] || 0x07C0010 || 0x0EBFFFF || 0x700000 || (7,340,032&nbsp;bytes) || || <small>Contains CoreOS files, [http://www.ps3devwiki.com/index.php?title=Boot_Order#CoreOS_PKG_Filelisting filecontent depends on firmware version]</small>
|-
|-
| {{perconsole}} || 8 || colspan="2" | [[Flash:cvtrm|cvtrm]] || 0x0EC0000 || 0x0EFFFFF || <abbr title="length is notated @ offset 0x004039D-0x004039F">0x40000</abbr> || (262,144&nbsp;bytes) || ||  
| {{perconsole}} || 8 || colspan="2" | [[Flash:cvtrm|cvtrm]] || 0x0EC0000 || 0x0EFFFFF || <abbr title="length is notated @ offset 0x004039D-0x004039F">0x40000</abbr> || (262,144&nbsp;bytes) || ||  
Line 143: Line 143:
| {{perconsole}} || || 1 || VTRM1 || ~varies || ~varies || ~varies || ~varies || || <small>magic header : 0x0D80400  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........</small>
| {{perconsole}} || || 1 || VTRM1 || ~varies || ~varies || ~varies || ~varies || || <small>magic header : 0x0D80400  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........</small>
|-
|-
| {{perconsole}} || colspan="3" | eFlash area || 0x0F00000 || 0xEFFFFFF || 0xE100000 || (235,929,600 bytes) || 7800h || <small>Note: eFlash region table & all dev_flash regions are encrypted with a per console keys by ENCDEC device.  
| {{perconsole}} || colspan="3" | VFlash area || 0x0F00000 || 0xEFFFFFF || 0xE100000 || (235,929,600 bytes) || 7800h || <small>Note: VFlash region table & all dev_flash regions are encrypted with a per console keys by ENCDEC device.  
magic header :0x0F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬ая....Ю.ъО</small>
magic header :0x0F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬ая....Ю.ъО</small>
|-
|-
| {{perconsole}} || 0 || colspan="2" |  eFlash region table || 0x0F000C0 ||  ||  ||  || || <small>There are 5 regions: /dev_flash, /dev_flash2, /dev_flash3, OtherOS & Unknown/FF-region.  Note: first 0x40000 bytes not counted because of masking bootldr by HV.</small>
| {{perconsole}} || 0 || colspan="2" |  VFlash region table || 0x0F000C0 ||  ||  ||  || || <small>There are 5 regions: /dev_flash, /dev_flash2, /dev_flash3, OtherOS & Unknown/FF-region.  Note: first 0x40000 bytes not counted because of masking bootldr by HV.</small>
|-
|-
| {{perconsole}} || 1 || {{perfirmware}} || /dev_flash (FAT16) [[Hypervisor_Reverse_Engineering#GameOS.27s_dev_flash|GameOS devflash]] || 0x0F40000 || 0xD6FFFFF || 0xC7C0000 || (209,453,056 bytes) || || <small>offset taken from region table (0x7800*0x200+0x40000=0x0F40000)</small>
| {{perconsole}} || 1 || {{perfirmware}} || /dev_flash (FAT16) [[Hypervisor_Reverse_Engineering#GameOS.27s_dev_flash|GameOS devflash]] || 0x0F40000 || 0xD6FFFFF || 0xC7C0000 || (209,453,056 bytes) || || <small>offset taken from region table (0x7800*0x200+0x40000=0x0F40000)</small>
Line 161: Line 161:
|-
|-
| {{perconsole}} || colspan="3" | [[Flash:bootldr|bootldr]] || 0xF000000 || 0xF03FFFF || 0x40000 || (262,144&nbsp;bytes) || 78000h || <small><abbr title="length of bootldr data seems notated @ offset 0x2-0x3">datasize</abbr> depends on bootldr revision</small>
| {{perconsole}} || colspan="3" | [[Flash:bootldr|bootldr]] || 0xF000000 || 0xF03FFFF || 0x40000 || (262,144&nbsp;bytes) || 78000h || <small><abbr title="length of bootldr data seems notated @ offset 0x2-0x3">datasize</abbr> depends on bootldr revision</small>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
|-
|-
| {{perconsole}} ||  || F || [[Flash:unreferenced_area|unreferenced area]] || 0xF040000 || 0xFFFFFFF || 0xFC0000 || (16,515,072&nbsp;bytes) || 78200h ||  
| {{perconsole}} ||  || F || [[Flash:unreferenced_area|unreferenced area]] || 0xF040000 || 0xFFFFFFF || 0xFC0000 || (16,515,072&nbsp;bytes) || 78200h ||  
Line 168: Line 169:
== Notes ==
== Notes ==
*All offsets on the index page are absolute. Offsets on subpages are relative within each section (unless otherwise mentioned)
*All offsets on the index page are absolute. Offsets on subpages are relative within each section (unless otherwise mentioned)
*eMMC is mapped in the same way as NAND. It uses 256Mb, the GameOS deviceID is identical & all the NAND offsets from the table above can be safely used.
 
*NOR and NAND are [http://en.wikipedia.org/wiki/Block_%28data_storage%29 blockdevices] and thus:
*NOR and NAND are [http://en.wikipedia.org/wiki/Block_%28data_storage%29 blockdevices] and thus:
**The minimal chunk of data that can be read/written is a block (with flashdevices also named page). A block that has never been written (only erased/formatted) is filled with 0xFF's. When bytes are written to a block, the entire block must be written. The write process fills the nonused bytes (slack space) at the remainder of the block with 0x00's
**The minimal chunk of data that can be read/written is a block (with flashdevices also named page). A block that has never been written (only erased/formatted) is filled with 0xFF's. When bytes are written to a block, the entire block must be written. The write process fills the nonused bytes (slack space) at the remainder of the block with 0x00's
Line 176: Line 177:


An access to the common flash interface can be enabled by writing to the physical address space of flash memory device, for example, you can use ps3sbmmio driver on Linux.
An access to the common flash interface can be enabled by writing to the physical address space of flash memory device, for example, you can use ps3sbmmio driver on Linux.
{{Keyboard|content=<syntaxhighlight lang="bash">


Enter CFI
# Enter CFI
{{Keyboard|content=<syntaxhighlight lang="bash">
printf '\x98\x98' | dd of=/dev/ps3sbmmio bs=1 count=2 seek=$((0x1f0000aa))
printf '\x98\x98' | dd of=/dev/ps3sbmmio bs=1 count=2 seek=$((0x1f0000aa))
</syntaxhighlight>}}


Dump CFI tables
# Dump CFI tables
{{Keyboard|content=<syntaxhighlight lang="bash">
for i in {0..127}; do dd if=/dev/ps3sbmmio bs=1 count=1 skip=$((0x1f000001+$i*2)) >> cfi_tables.bin 2>/dev/null; done;
for i in {0..127}; do dd if=/dev/ps3sbmmio bs=1 count=1 skip=$((0x1f000001+$i*2)) >> cfi_tables.bin 2>/dev/null; done;
xxd cfi_tables.bin
xxd cfi_tables.bin
</syntaxhighlight>}}


Exit from CFI
# Exit from CFI
{{Keyboard|content=<syntaxhighlight lang="bash">
printf '\xf0\xf0' | dd of=/dev/ps3sbmmio bs=1 count=2 seek=$((0x1f000000))
printf '\xf0\xf0' | dd of=/dev/ps3sbmmio bs=1 count=2 seek=$((0x1f000000))
</syntaxhighlight>}}
</syntaxhighlight>}}


Here is an output from Slim console (JTP-001):
Here is an output from Slim console (JTP-001):
'''Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F'''
<pre>
0000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000010   <abbr title="'QRY' magic - CFI Query Identification String table">51 52 59</abbr> <abbr title="Manufacturer ID - Lower Byte">02</abbr> <abbr title="Manufacturer ID - Upper Byte">00</abbr> <abbr title="Starting Address for “Primary Vendor-Specific Extended Query” table - Lower Byte">40</abbr> <abbr title="Starting Address for “Primary Vendor-Specific Extended Query” table - Upper Byte">00</abbr> <abbr title="Alternate Manufacturer ID - Lower Byte">00</abbr> <abbr title="Alternate Manufacturer ID - Upper Byte">00</abbr> <abbr title="Starting Address for 'Alternate Vendor-Specific Extended Query' table - Upper Byte">00</abbr> <abbr title="Starting Address for 'Alternate Vendor-Specific Extended Query' table - Lower Byte">00</abbr> <abbr title="VCC lower limit">27</abbr> <abbr title="VCC upper limit">36</abbr> <abbr title="VPP lower limit (00 on single supply devices)">00</abbr> <abbr title="VCC upper limit (00 on single supply devices)">00</abbr> <abbr title="typical word programming time from Erase and Programming Performance table in datasheet (2powerN μs)">06</abbr> QRY..@.....'6...
0000010: 5152 5902 0040 0000 0000 0027 3600 0006 QRY..@.....'6...
0000020   <abbr title="typical buffer programming time (2powerN μs)">06</abbr> <abbr title="typical sector erase time (2powerN ms)">09</abbr> <abbr title="typical chip erase time (2powerN ms)">10</abbr> <abbr title="maximum word programming time (2powerN * typical word programming time)">03</abbr> <abbr title="maximum buffer programming time (2powerN * typical buffer programming time)">05</abbr> <abbr title="maximum sector erase time (2powerN * typical sector erase time)">03</abbr> <abbr title="maximum chip erase time (2powerN * typical chip erase time)">02</abbr> <abbr title="device density in 2powerN bytes">18</abbr> <abbr title="x8/x16 interface - Lower Byte">02</abbr> <abbr title="x8/x16 interface - Upper Byte">00</abbr> <abbr title="Buffer length - Lower Byte (2powerN)">06</abbr> <abbr title="Buffer length - Upper Byte (2powerN)">00</abbr> <abbr title="Number of Erase Block Regions">01</abbr> <abbr title="Region1: Number of sectors - Lower Byte">7f</abbr> <abbr title="Region1: Number of sectors - Upper Byte">00</abbr> <abbr title="Region1: Density - Lower Byte">00</abbr> ................
0000020: 0609 1003 0503 0218 0200 0600 017f 0000 ................
0000030   <abbr title="Region1: Density - Upper Byte">02</abbr> <abbr title="Region2: Number of sectors - Lower Byte">00</abbr> <abbr title="Region2: Number of sectors - Upper Byte">00</abbr> <abbr title="Region2: Density - Lower Byte">00</abbr> <abbr title="Region2: Density - Upper Byte">00</abbr> <abbr title="Region3: Number of sectors - Lower Byte">00</abbr> <abbr title="Region3: Number of sectors - Upper Byte">00</abbr> <abbr title="Region3: Density - Lower Byte">00</abbr> <abbr title="Region3: Density - Upper Byte">00</abbr> <abbr title="Region4: Number of sectors - Lower Byte">00</abbr> <abbr title="Region4: Number of sectors - Upper Byte">00</abbr> <abbr title="Region4: Density - Lower Byte">00</abbr> <abbr title="Region4: Density - Upper Byte">00</abbr> ff ff ff ................
0000030: 0200 0000 0000 0000 0000 0000 00ff ffff ................
0000040   <abbr title="'PRI' magic - Primary Vendor-Specific Extended Query table">50 52 49</abbr> <abbr title="CFI major version number in ASCII">31</abbr> <abbr title="CFI minor version number in ASCII">33</abbr> <abbr title="Address Sensitive Lock / Process technology">14</abbr> <abbr title="Erase Suspend support">02</abbr> <abbr title="Sector Group">01</abbr> <abbr title="Temporary Sector Unprotect support">00</abbr> <abbr title="Sector Protection Scheme">08</abbr> <abbr title="Number of Sectors Outside Bank 1">00</abbr> <abbr title="Burst Mode support">00</abbr> <abbr title="Page Mode support">02</abbr> <abbr title="Acceleration Power Supply Voltage lower limit">b5</abbr> <abbr title="Acceleration Power Supply Voltage upper limit">c5</abbr> <abbr title="Sector and WP# Pin Protection Scheme">04</abbr> PRI13...........
0000040: 5052 4931 3314 0201 0008 0000 02b5 c504 PRI13...........
0000050   <abbr title="Program Suspend support">01</abbr> ff ff ff ff ff ff <abbr title="Number of Banks (ff when nonbanked)">ff</abbr> <abbr title="Number of sectors in Bank A (ff when nonbanked)">ff</abbr> <abbr title="Number of sectors in Bank B (ff when nonbanked)">ff</abbr> <abbr title="Number of sectors in Bank C (ff when nonbanked)">ff</abbr> <abbr title="Number of sectors in Bank D (ff when nonbanked)">ff</abbr> ff ff ff ff ................
0000050: 01ff ffff ffff ffff ffff ffff ffff ffff ................
0000060   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
0000060: ffff ffff ffff ffff ffff ffff ffff ffff ................
0000070   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
0000070: ffff ffff ffff ffff ffff ffff ffff ffff ................
Mouseover for byte usage description as explained in the below linked Spansion Application Note for CFI
</pre>
 
=== Reference ===
* [http://www.spansion.com/Support/Application%20Notes/Quick_Guide_to_CFI_AN.pdf Quick Guide to Common Flash Interface]


{{Flash}}<noinclude>[[Category:Main]]</noinclude>
{{Flash}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)