Editing SC EEPROM

Most of the information we have about the sc eeprom comes from graf_chokolo reverse engineering of the HV see [[Hypervisor Reverse Engineering]] 

Here is where system flags, tokens and hashes are stored.

Right now most of the comunication we have with the sc eeprom is through linux using graf_chokolo ps3dm-utils and/or using his payloads.

=Important Offsets=

== EEPROM Offset Table - Flags and Tokens ==

Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15): 

{| class="wikitable FCK__ShowTableBorders"
|-
! Offset ! Size ! Description
|-
| 0x48C06 | 1 | FSELF Control Flag
|-
| 0x48C07 | 1 | Product Mode (UM allows to read this offset, it can be also written but only when already in product mode)
|-
| 0x48C0A | 1 | QA Flag
|-
| 0x48C13 | 1 | Device Type
|-
| 0x48C42 | 1 | HDD Copy Mode
|-
| 0x48C50 | 0x10 | Debug Support Flag
|-
| 0x48C60 | 1 | Update Status
|-
| 0x48C61 | 1 | Recover Mode Flag
|-
| 0x48D3E | 0x50 | QA Token (UM doesn't allow access to this offset but SC Manager can read/write it)
|}

In a standard mostly untouched ps3 the common value for this flags is 0xFF wich means not active
To change this to an active status you have to write 0x00 to turn on the flag

Debug support flag is tied to EID which is supposed to be hashed and saves in SC EEPROM

QA flag is tied to QA token that is also saved in this part of the SC EEPROM

== System Data From EEPROM  ==

Here is the list of possible EEPROM offsets: 

{| class="wikitable FCK__ShowTableBorders"
|-
! Index ! SC EEPROM Offset ! Size Of Data ! Description
|-
| 0 | 0x48D20 | 6 |?
|-
| 1 | 0x48D28 | 6 |?
|-
| 2 | 0x48D30 | 6 |?
|-
| 3 | 0x48D38 | 6 |?
|-
| 4 | 0x48D00 | 4 |?
|-
| 5 | 0x48D04 | 4 |?
|-
| 6 | 0x48D08 | 4 |?
|}

== Dumpable EPROM Offset - Block ID and Block Offset Mapping Table (NVS Service) ==

Right now we only have read access to some portions of the eeprom to have access to this regions DM needs to be patched, see section dumping eeprom

{| class="wikitable FCK__ShowTableBorders"
|-
! EPROM Offset ! Block ID ! Block Offset ! Description
|-
| 0x48000 - 0x480FF | 0x00 | 0x48000 - 0x480FF | ?
|-
| 0x48800 - 0x488FF | 0x01 | 0x48800 - 0x488FF | ?
|-
| 0x48C00 - 0x48CFF | 0x02 | 0x48C00 - 0x48CFF | Contains flags and tokens/ see above
|-
| 0x48D00 - 0x48DFF | 0x03 | 0x48D00 - 0x48DFF | System Data Region
|-
| 0x2F00 - 0x2FFF | 0x10 | 0x2F00 - 0x2FFF | ?
|-
| 0x3000 - 0x30FF | 0x20 | 0x3000 - 0x30FF | ?
|-
| All other offsets | Invalid | Invalid | ?
|}

=Dumping your SC EEPROM=

==Linux==

First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts.

If you are ready.

Patch DM using linux_hv_scripts

<pre>
dmpatch.sh
</pre>

Read the data from the region you want for example (see tables above)

<pre>
ps3dm_scm /dev/ps3dmproxy 0x48000 0xFF
</pre>

You can see some coolstuff that containing dumps

=Hashes=

Where exactly the hashes are stored is still a secret, it is said that those hashes are stored in SC EEPROM

To retrive the information about the packages you have installed you can also use ps3d_utils

==Linux==

===Installed Package info===

<pre>
ps3dm_um /dev/ps3dmproxy get_pkg_info TYPE
</pre>

get_pkg_info 1 - Core OS package

<pre>	
		0003004100000000
</pre>	
	
get_pkg_info 2 - Revoke List for program

<pre>	
		0003004100000000
</pre>
		
get_pkg_info 3 - Revoke list for package
	
<pre>
		0002003000000000
</pre>
		
get_pkg_info 4
	
<pre>
		deadbeaffacebabe
</pre>
		
get_pkg_info 5
	
<pre>
		deadbeaffacebabe
</pre>

get_pkg_info 6 - Firmware Package
	
<pre>
		0003005000000000
</pre>	


You can find more information about this in [[Hypervisor Reverse Engineering]] 


===Hashes===

<pre>
ps3dm_scm /dev/ps3dmproxy get_region_data ID
</pre>

This hashes are checked by lv1 to make sure that the data has not been altered throgh '''scm_get_region_data: get_result: ret[X]: 0x%x
'''
region_data 0 - Core OS package

<pre>
00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb 
</pre>

region_data 1

<pre>	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
</pre>

region_data 2

<pre>	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
</pre>

region_data 3 //Revoke List for program?

<pre>	
00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
</pre>

region_data 4

<pre>	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
</pre>

region_data 5 //Revoke List for package?

<pre>		
00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
</pre>

region_data 6

<pre>	
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 7
	
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
</pre>

region_data 8 //BD Firmware Package?

<pre>	
00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
</pre>

region_data 9
	
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
</pre>

region_data 10

<pre>	
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
</pre>

region_data 11
	
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
</pre>

region_data 12
	
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
</pre>

region_data 13
	
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
</pre>

region_data 14
	
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
</pre>

region_data 15
	
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
</pre>