Editing SC EEPROM
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
Most of the information we have about the | Most of the information we have about the sc eeprom comes from graf_chokolo reverse engineering of the HV see [[Hypervisor Reverse Engineering]] | ||
Here is where system flags, tokens and hashes are stored. | |||
Right now | Right now most of the comunication we have with the sc eeprom is through linux using graf_chokolo ps3dm-utils and/or using his payloads. | ||
=Important Offsets= | |||
= | == EEPROM Offset Table - Flags and Tokens == | ||
Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15): | |||
Here is the table of | |||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 56: | Line 15: | ||
! Offset !! Size !! Description | ! Offset !! Size !! Description | ||
|- | |- | ||
| 0x02F00 || 8 || | | 0x02F00 || 8 || Downgrade Minimum Version String | ||
|- | |- | ||
| 0x02F08 || | | 0x02F08 || 0x10 || Downgrade Minimum Version Build + Date Build String | ||
|- | |- | ||
| 0x02F20 || 8 || | | 0x02F20 || 8 || [[Target ID]]? (HV bible lists the Target ID as 85 Europe, not 83 Japan) | ||
|- | |- | ||
| 0x02F28 || 0xD0 || Padding/undocumented | | 0x02F28 || 0xD0 || Padding/undocumented | ||
<pre> | <pre>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF xx xx | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF | xx xx xx FF FF xx xx xx xx xx xx xx xx xx xx xx | ||
xx xx 00 00 00 00 FF xx 00 xx xx FF FF FF FF FF | |||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | |||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF xx xx xx 00 00 | ||
FF FF FF FF FF FF FF FF FF FF FF | xx xx xx xx xx FF FF FF xx xx xx FF FF FF xx 00 </pre> | ||
</pre> | |||
|- | |- | ||
| 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails)) | | 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails)) | ||
|- | |- | ||
| 0x02FF9 || 0x7 || Padding/undocumented | | 0x02FF9 || 0x7 || Padding/undocumented | ||
<pre>00 00 00 | <pre>00 00 00 00 xx xx xx </pre> | ||
|- | |- | ||
|} | |} | ||
Line 91: | Line 48: | ||
|- | |- | ||
! colspan="2" | Offset !! Size !! Description | ! colspan="2" | Offset !! Size !! Description | ||
|- | |- | ||
| colspan="2" | 0x48000 || 0x13 || (lv0 NVS region 0 start) | | colspan="2" | 0x48000 || 0x13 || (lv0 NVS region 0 start) | ||
|- | |- | ||
| <abbr title="lv0 NVS region 0: 0x48000-0x48012"><small>0</small></abbr> || 0x48000 || 0x13 || (lv0 NVS region 0) | | <abbr title="lv0 NVS region 0: 0x48000-0x48012"><small>0</small></abbr> || 0x48000 || 0x13 || (lv0 NVS region 0) | ||
|- | |- | ||
| colspan="2" | 0x48012 || - || (lv0 NVS region 0 end) | | colspan="2" | 0x48012 || - || (lv0 NVS region 0 end) | ||
|- | |- | ||
Line 101: | Line 58: | ||
| colspan="2" | 0x48013 || 0x2A || QA Token ECDSA Signature (=> 3.60 firmwares) | | colspan="2" | 0x48013 || 0x2A || QA Token ECDSA Signature (=> 3.60 firmwares) | ||
|- | |- | ||
| colspan="2" | 0x48800 || | | colspan="2" | 0x48800 || 0x0C || (lv0 NVS region 1 start) | ||
|- | |- | ||
| rowspan=" | | rowspan="3" | <abbr title="lv0 NVS region 1: 0x48800-0x4880B"><small>1</small></abbr> || 0x48802 || 1 || | ||
|- | |- | ||
| | | 0x48804 || 4 || bootrom failure code | ||
|- | |- | ||
| | | 0x48808 || 4 || bootrom failure timestamp | ||
|- | |- | ||
| | | colspan="2" | 0x4880B || - || (lv0 NVS region 1 end) | ||
|- | |||
|- | |- | ||
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | | colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | ||
|- | |- | ||
| rowspan=" | | rowspan="19" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || load_image_in_rom flag (os_boot_order_flag) | ||
|- | |- | ||
| 0x48C01 || 1 || | | 0x48C01 || 1 || (force standalone mode related) | ||
|- | |- | ||
| 0x48C02 || 1 || | | 0x48C02 || 1 || debug interface (select_net_device) | ||
|- | |- | ||
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | | 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | ||
|- | |- | ||
| | | 0x48C05 || 1 || update_flag for CEB | ||
|- | |- | ||
| | | 0x48C06 || 1 || FSELF Control Flag / toggles release mode (fself_ctrl) | ||
|- | |- | ||
| | | 0x48C07 || 1 || Product Mode (UM allows to read this offset, it can be also written but only when already in product mode) | ||
|- | |- | ||
| | | 0x48C08 || 1 || (UNKNOWN {{unkn|debug}})) | ||
|- | |- | ||
| 0x48C0A || 1 || QA Flag | |||
| 0x48C0A || 1 || QA Flag | |||
|- | |- | ||
| 0x48C0B || 1 || mode_auth_flag / gx enable | | 0x48C0B || 1 || mode_auth_flag / gx enable | ||
|- | |- | ||
| 0x48C0C || 1 || | | 0x48C0C || 1 || bootrom diagnostic mode and parameter | ||
|- | |- | ||
| 0x48C0D || 1 || | | 0x48C0D || 1 || | ||
|- | |- | ||
| | | 0x48C0F || 2 || | ||
|- | |- | ||
| | | 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages) | ||
|- | |- | ||
| | | 0x48C12 || 1 || | ||
|- | |- | ||
| | | 0x48C13 || 1 || Device Type (flash_ext_format) | ||
|- | |- | ||
| | | 0x48C14 || ? || cellos_spu_configure | ||
|- | |- | ||
| | | 0x48C18 || 4 || System Language [[XRegistry.sys#Settings]] ( /setting/system/language ) | ||
|- | |- | ||
| | | 0x48C1C || 4 || VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?) | ||
|- | |- | ||
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | | colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | ||
|- | |- | ||
Line 196: | Line 123: | ||
| 0x48C23 || 1 || be ref clk (be_nclck_flag2) | | 0x48C23 || 1 || be ref clk (be_nclck_flag2) | ||
|- | |- | ||
| 0x48C24 || 1 || Bank #0 OS-Flag (ros0 if 0xFF else ros1 | | 0x48C24 || 1 || Bank #0 OS-Flag (ros0 if 0xFF else ros1) (os_bank_indicator) | ||
|- | |- | ||
| colspan="2" | 0x48C24 || - || (lv0 NVS region 3 end) | | colspan="2" | 0x48C24 || - || (lv0 NVS region 3 end) | ||
|- | |- | ||
Line 211: | Line 138: | ||
|- | |- | ||
| colspan="2" | 0x48C29 || 1 || Bank #1 rvkpkg-Flag | | colspan="2" | 0x48C29 || 1 || Bank #1 rvkpkg-Flag | ||
|- | |- | ||
| colspan="2" | 0x48C30 || 0x0D || (lv0 NVS region 4 start) | | colspan="2" | 0x48C30 || 0x0D || (lv0 NVS region 4 start) | ||
|- | |- | ||
| rowspan="3" | <abbr title="lv0 NVS region 4: 0x48C30-0x48C3C"><small>4</small></abbr> || 0x48C30 || 1 || | | rowspan="3" | <abbr title="lv0 NVS region 4: 0x48C30-0x48C3C"><small>4</small></abbr> || 0x48C30 || 1 || SPE number Usally 0x06, can be set to 0x07 to enable the 8 SPE (restrict_spu) | ||
|- | |||
| 0x48C31 || 4 || sata_param | |||
|- | |- | ||
| | | 0x48C35 || 8 || spr_tbuw_value (cellos_spu_configure) | ||
|- | |- | ||
| colspan="2" | 0x48C3C || - || (lv0 NVS region 4 end) | | colspan="2" | 0x48C3C || - || (lv0 NVS region 4 end) | ||
|- | |- | ||
| colspan="2" | 0x48C40 || 0x10 || (lv0 NVS region 5 start) | | colspan="2" | 0x48C40 || 0x10 || (lv0 NVS region 5 start) | ||
|- | |- | ||
| rowspan=" | | rowspan="6" | <abbr title="lv0 NVS region 5: 0x48C40-0x48C4F"><small>5</small></abbr> || 0x48C42 || 1 || HDD Copy Mode | ||
|- | |- | ||
| 0x48C43 || 4 || | | 0x48C43 || 4 || | ||
|- | |- | ||
| 0x48C47 || 1 || Analog Sunset Flag, will disable AACS video output without [[HDMI]] cable soon | | 0x48C47 || 1 || Analog Sunset Flag, will disable AACS video output without [[HDMI]] cable soon | ||
Line 240: | Line 167: | ||
| 0x48C61 || 1 || Recover Mode Flag | | 0x48C61 || 1 || Recover Mode Flag | ||
|- | |- | ||
| | | colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | ||
|- | |- | ||
Line 265: | Line 176: | ||
|- | |- | ||
| 0x48C88 || 8 || (rsx.rdcy.1) | | 0x48C88 || 8 || (rsx.rdcy.1) | ||
|- | |- | ||
| colspan="2" | 0x48C8F || - || (lv0 NVS region 6 end) | | colspan="2" | 0x48C8F || - || (lv0 NVS region 6 end) | ||
|- | |- | ||
Line 280: | Line 191: | ||
| 0x48CA8 || 8 || (rsx.rdcy.5) | | 0x48CA8 || 8 || (rsx.rdcy.5) | ||
|- | |- | ||
| 0x48CB0 || 8 || (rsx.rdcy.6) | | 0x48CB0 || 8 || (rsx.rdcy.6) | ||
|- | |||
| 0x48CB8 || 8 || (rsx.rdcy.7) | |||
|- | |- | ||
| colspan="2" | 0x48CBF || - || (lv0 NVS region 7 end) | | colspan="2" | 0x48CBF || - || (lv0 NVS region 7 end) | ||
|- | |- | ||
Line 337: | Line 206: | ||
|- | |- | ||
| 0x48D08 || 4 || ip_gateway | | 0x48D08 || 4 || ip_gateway | ||
|- | |- | ||
| colspan="2" | 0x48D0B || - || (lv0 NVS region 8 end) | | colspan="2" | 0x48D0B || - || (lv0 NVS region 8 end) | ||
|- | |- | ||
Line 346: | Line 215: | ||
|- | |- | ||
| <abbr title="lv0 NVS region 9: 0x48D20-0x48D27"><small>9</small></abbr> || 0x48D20 || 8 || spider.gbe0.macaddr.0 (<code>0xFFFFFFFFFFFFFFFF</code> if unused/nonpresent) | | <abbr title="lv0 NVS region 9: 0x48D20-0x48D27"><small>9</small></abbr> || 0x48D20 || 8 || spider.gbe0.macaddr.0 (<code>0xFFFFFFFFFFFFFFFF</code> if unused/nonpresent) | ||
|- | |- | ||
| colspan="2" | 0x48D27 || - || (lv0 NVS region 9 end) | | colspan="2" | 0x48D27 || - || (lv0 NVS region 9 end) | ||
|- | |- | ||
Line 358: | Line 227: | ||
|- | |- | ||
| 0x48D38 || 8 || spider.gbe0.macaddr.3 (<code>FFFFFFFFFFFFFFFF</code> if unused/nonpresent) | | 0x48D38 || 8 || spider.gbe0.macaddr.3 (<code>FFFFFFFFFFFFFFFF</code> if unused/nonpresent) | ||
|- | |- | ||
| colspan="2" | 0x48D3F || - || (lv0 NVS region B end) | | colspan="2" | 0x48D3F || - || (lv0 NVS region B end) | ||
|- | |- | ||
Line 367: | Line 236: | ||
|- | |- | ||
| <abbr title="lv0 NVS region A: 0x48D3E-0x48D8D"><small>A</small></abbr> || 0x48D3E || 0x50 || QA Token - UM doesn't allow access to this offset but SC Manager can read/write it (qa_token) | | <abbr title="lv0 NVS region A: 0x48D3E-0x48D8D"><small>A</small></abbr> || 0x48D3E || 0x50 || QA Token - UM doesn't allow access to this offset but SC Manager can read/write it (qa_token) | ||
|- | |- | ||
| colspan="2" | 0x48D8D || - || (lv0 NVS region A end) | | colspan="2" | 0x48D8D || - || (lv0 NVS region A end) | ||
|- | |- | ||
| colspan="2" | 0x48D8E || 0x50 || mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth | | colspan="2" | 0x48D8E || 0x50 || mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth) | ||
|- | |- | ||
|} | |} | ||
Line 386: | Line 255: | ||
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | ||
== Undocumented | == Undocumented config == | ||
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | ||
<pre> | <pre> | ||
0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00 ÿ.ÿþÿ.ÿÿ.ûá..... | 0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00 ÿ.ÿþÿ.ÿÿ.ûá..... | ||
Line 439: | Line 277: | ||
</pre> | </pre> | ||
This is 0x48800 on EEPROM | |||
cech-c (NO BD Drive): http://pastie.org/private/grl0dc0dxajisa36chgm7w | |||
== lv0 SC EEPROM usage == | == lv0 SC EEPROM usage == | ||
<pre> | <pre> | ||
[*] lv0 NVS regions: | [*] lv0 NVS regions: | ||
Line 536: | Line 313: | ||
[*] lv0 SC EEPROM usage: | [*] lv0 SC EEPROM usage: | ||
name addr size structure | name addr size structure | ||
dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | |||
restrict_spu 0x48C30 0x01 [0x01 flag] | restrict_spu 0x48C30 0x01 [0x01 flag] | ||
sata_param 0x48C31 0x04 [0x04 flag] | sata_param 0x48C31 0x04 [0x04 flag] | ||
os_bank_indicator 0x48C24 0x01 [0x01 flag] | |||
cellos_spu_configure 0x48C33 0x04 [0x04 config] | cellos_spu_configure 0x48C33 0x04 [0x04 config] | ||
flash_ext_format 0x48C13 0x01 [0x01 flag] | |||
cellos_flags 0x48C0F 0x02 [0x02 flags] | |||
qaf_enable 0x48C0A 0x01 [0x01 flag] | |||
UNKNOWN (debug?) 0x48C08 0x01 [0x01 flag] | |||
fself_ctrl 0x48C06 0x01 [0x01 flag] | |||
select_dgbe_device 0x48C03 0x01 [0x01 index] | |||
os_boot_order_flag 0x48C00 0x01 [0x01 flag] | |||
qa_token 0x48D3E 0x50 [0x50 token] | |||
UNKNOWN 0x48804 0x04 [0x04 value] | |||
UNKNOWN 0x48D20 0x08 [0x08 value] | |||
rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | |||
rsx.rdcy.6 0x48CB0 0x08 [0x08 value] | |||
rsx.rdcy.5 0x48CA8 0x08 [0x08 value] | |||
rsx.rdcy.4 0x48CA0 0x08 [0x08 value] | |||
rsx.rdcy.3 0x48C98 0x08 [0x08 value] | |||
rsx.rdcy.2 0x48C90 0x08 [0x08 value] | |||
rsx.rdcy.1 0x48C88 0x08 [0x08 value] | |||
rsx.rdcy.0 0x48C80 0x08 [0x08 value] | |||
be_nclck_flag2 0x48C23 0x01 [0x01 flag] | |||
be_nclck_flag1 0x48C22 0x01 [0x01 flag] | |||
select_net_device 0x48C02 0x01 [0x01 index] | |||
spr_tbuw_value 0x48C35 0x08 [0x08 value] | spr_tbuw_value 0x48C35 0x08 [0x08 value] | ||
bootrom_trace_level 0x48C11 0x01 [0x01 level] | |||
</pre> | </pre> | ||
== System Data | == System Data From EEPROM == | ||
Here is the list of possible | Here is the list of possible EEPROM offsets: | ||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! Index !! SC EEPROM | ! Index !! SC EEPROM Offset !! Size Of Data !! Description | ||
|- | |- | ||
| 0 || 0x48D20 || 6 ||? | | 0 || 0x48D20 || 6 ||? | ||
Line 587: | Line 358: | ||
|- | |- | ||
| 3 || 0x48D38 || 6 ||? | | 3 || 0x48D38 || 6 ||? | ||
|- | |- | ||
| 4 || 0x48D00 || 4 ||? | |||
|- | |- | ||
| | | 5 || 0x48D04 || 4 ||? | ||
|- | |- | ||
| | | 6 || 0x48D08 || 4 ||? | ||
|} | |} | ||
== Dumpable | == Dumpable EEPROM Offset - Block ID and Block Offset Mapping Table (NVS Service) == | ||
Right now we only have read access to some portions of the eeprom to have access to this regions DM needs to be patched, see section dumping eeprom | |||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! | ! EEPROM Offset !! Block ID !! Block Offset !! Description !! Phisical Offset | ||
|- | |- | ||
| | | 0x48000 - 0x480FF || 0x00 || 0x48000 - 0x480FF || ? || 0x7000 | ||
|- | |- | ||
| | | 0x48800 - 0x488FF || 0x01 || 0x48800 - 0x488FF || ? || 0x7100 | ||
|- | |- | ||
| | | 0x48C00 - 0x48CFF || 0x02 || 0x48C00 - 0x48CFF || Contains flags and tokens/ see above || 0x7200 | ||
|- | |- | ||
| | | 0x48D00 - 0x48DFF || 0x03 || 0x48D00 - 0x48DFF || System Data Region || 0x7300 | ||
|- | |- | ||
| | | 0x2F00 - 0x2FFF || 0x10 || 0x2F00 - 0x2FFF || "Industry Area" aka OS Version Area || 0x2F00 | ||
|- | |- | ||
| | | 0x3000 - 0x30FF || 0x20 || 0x3000 - 0x30FF || "CS Area" || 0x3000 | ||
| | |||
| | |||
| | |||
| 0x3000-0x30FF || | |||
|- | |- | ||
| All other offsets || Invalid || Invalid || ? || | |||
|} | |} | ||
= | =Dumping your SC EEPROM= | ||
== | ==Linux== | ||
First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts. | |||
If you are ready. | |||
Patch DM using linux_hv_scripts | Patch DM using linux_hv_scripts | ||
<pre> | <pre> | ||
Line 739: | Line 403: | ||
</pre> | </pre> | ||
Read the data from the region you want for example (see tables above) | Read the data from the region you want for example (see tables above) | ||
<pre> | <pre> | ||
Line 745: | Line 409: | ||
</pre> | </pre> | ||
You can see some coolstuff containing dumps | You can see some coolstuff that containing dumps | ||
= Hashes = | =Hashes= | ||
Where exactly the hashes are stored is still a secret | Where exactly the hashes are stored is still a secret, it is said that those hashes are stored in SC EEPROM | ||
To retrieve the information about the packages you have installed you can also use ps3d_utils | To retrieve the information about the packages you have installed you can also use ps3d_utils | ||
== Linux == | ==Linux== | ||
=== Installed Package info === | ===Installed Package info=== | ||
<pre> | <pre> | ||
Line 769: | Line 433: | ||
0003004100000000 | 0003004100000000 | ||
</pre> | </pre> | ||
get_pkg_info 2 - Revoke List for program | get_pkg_info 2 - Revoke List for program | ||
Line 775: | Line 439: | ||
0003004100000000 | 0003004100000000 | ||
</pre> | </pre> | ||
get_pkg_info 3 - Revoke list for package | get_pkg_info 3 - Revoke list for package | ||
<pre> | <pre> | ||
0002003000000000 | 0002003000000000 | ||
</pre> | </pre> | ||
get_pkg_info 4 | get_pkg_info 4 | ||
<pre> | <pre> | ||
deadbeaffacebabe | deadbeaffacebabe | ||
</pre> | </pre> | ||
get_pkg_info 5 | get_pkg_info 5 | ||
<pre> | <pre> | ||
deadbeaffacebabe | deadbeaffacebabe | ||
Line 795: | Line 459: | ||
get_pkg_info 6 - Firmware Package | get_pkg_info 6 - Firmware Package | ||
<pre> | <pre> | ||
0003005000000000 | 0003005000000000 | ||
</pre> | </pre> | ||
=== Hashes === | You can find more information about this in [[Hypervisor Reverse Engineering]] | ||
===Hashes=== | |||
What algorithm is used and what exactly is hashed is still unknown | What algorithm is used and what exactly is hashed is still unknown (seems that the content of files is hashed by the SHA-1). | ||
<pre> | <pre> | ||
Line 816: | Line 482: | ||
region_data 0 - | region_data 0 - Core OS package | ||
<pre> | <pre> | ||
00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb | 00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb | ||
</pre> | </pre> | ||
region_data 1 | region_data 1 | ||
<pre> | <pre> | ||
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff | ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff | ||
</pre> | </pre> | ||
region_data 2 | region_data 2 | ||
<pre> | <pre> | ||
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff | ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff | ||
</pre> | </pre> | ||
region_data 3 | region_data 3 //Revoke List for program? | ||
<pre> | <pre> | ||
00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff | 00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff | ||
</pre> | </pre> | ||
region_data 4 | region_data 4 | ||
<pre> | <pre> | ||
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff | ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff | ||
</pre> | </pre> | ||
region_data 5 | region_data 5 //Revoke List for package? | ||
<pre> | <pre> | ||
00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
</pre> | </pre> | ||
Line 880: | Line 522: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
Line 890: | Line 528: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
Line 899: | Line 533: | ||
<pre> | <pre> | ||
00 03 00 50 | 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
</pre> | </pre> | ||
Line 910: | Line 540: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
Line 920: | Line 546: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
Line 930: | Line 552: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
Line 940: | Line 558: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
Line 950: | Line 564: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
Line 960: | Line 570: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
Line 970: | Line 576: | ||
<pre> | <pre> | ||
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be | ||
</pre> | </pre> | ||
region_data 16 - 47? | region_data 16 - 47? | ||
= Dumped data = | =Dumped data= | ||
Here is an example of data from syscon which stores VTRM block key, SRK/SRH, region data, etc. | |||
<pre> | <pre> | ||
0x0000: 00 00 00 03 C0 00 00 FF 00 00 00 00 00 00 00 00 ................ | |||
0x0010: 01 A2 F6 6C 26 54 1A 54 CE A3 F9 71 50 2B A8 20 ...l&T.T...qP+. | |||
0x0020: 33 0E F4 5F 77 19 96 A6 7A 84 5D C9 AE B9 50 73 3.._w...z.]...Ps | |||
0x0030: AE 45 5D 8E 6C BB 80 4D 7E C5 BF A4 AC 8E E1 E5 .E].l..M~....... | |||
0x0040: 82 9B 0A 57 9A 40 D9 0C 00 00 00 00 00 00 00 00 ...W.@.......... | |||
0x0050: 7F 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C ....|.PQ..0MQw| | |||
0x0000: 00 00 00 03 C0 00 00 FF 00 00 00 00 00 00 00 00 ................ | |||
0x0010: 01 A2 F6 6C 26 54 1A 54 CE A3 F9 71 50 2B A8 20 ...l&T.T...qP+. | |||
0x0020: 33 0E F4 5F 77 19 96 A6 7A 84 5D C9 AE B9 50 73 3.._w...z.]...Ps | |||
0x0030: AE 45 5D 8E 6C BB 80 4D 7E C5 BF A4 AC 8E E1 E5 .E].l..M~....... | |||
0x0040: 82 9B 0A 57 9A 40 D9 0C 00 00 00 00 00 00 00 00 ...W.@.......... | |||
0x0050: 7F 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C | |||
0x0060: 7C 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C |....|.PQ..0MQw| | 0x0060: 7C 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C |....|.PQ..0MQw| | ||
0x0070: 7D 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C }....|.PQ..0MQw| | 0x0070: 7D 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C }....|.PQ..0MQw| | ||
0x0080: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | 0x0080: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | ||
0x0090: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | 0x0090: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | ||
0x00A0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | 0x00A0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | ||
0x00B0: 00 03 00 55 00 00 00 00 50 12 F0 AD 3A 4F 9F 1B ...U....P...:O.. | 0x00B0: 00 03 00 55 00 00 00 00 50 12 F0 AD 3A 4F 9F 1B ...U....P...:O.. | ||
0x00C0: F9 F1 E1 D3 64 85 D4 01 19 9D 76 9E 5C 33 8D FE ....d.....v.\3.. | 0x00C0: F9 F1 E1 D3 64 85 D4 01 19 9D 76 9E 5C 33 8D FE ....d.....v.\3.. | ||
0x00D0: 39 75 10 9B 73 43 69 89 2B F6 EE 53 15 4A 3B 06 9u..sCi.+..S.J;. | 0x00D0: 39 75 10 9B 73 43 69 89 2B F6 EE 53 15 4A 3B 06 9u..sCi.+..S.J;. | ||
0x00E0: 00 03 00 55 00 00 00 00 7B C9 65 97 CF 0D 20 4B ...U....{.e... K | 0x00E0: 00 03 00 55 00 00 00 00 7B C9 65 97 CF 0D 20 4B ...U....{.e... K | ||
0x00F0: BB 6A B1 B9 B0 71 83 27 79 6F 16 08 FF FF FF FF .j...q.'yo...... | 0x00F0: BB 6A B1 B9 B0 71 83 27 79 6F 16 08 FF FF FF FF .j...q.'yo...... | ||
------------------------------------------------------------------------- | |||
0x0100: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | |||
0x0110: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | |||
0x0120: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | |||
0x0130: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | |||
0x0140: 00 01 00 00 00 00 00 00 B0 64 53 92 7F 5E 29 47 .........dS.^)G | |||
0x0150: 9C BC 84 58 4A F2 ED 0B 50 E1 BE F3 FF FF FF FF ...XJ...P....... | |||
0x0160: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | |||
0x0170: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | |||
0x0180: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | |||
0x0190: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ | |||
0x01A0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x01B0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x01C0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x01D0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x01E0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x01F0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
------------------------------------------------------------------------- | |||
0x0200: 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 ...P............ | |||
0x0210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |||
0x0220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |||
0x0230: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0240: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0250: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0260: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0270: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0280: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0290: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x02A0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x02B0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x02C0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x02D0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0300: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | 0x02E0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | ||
0x0310: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | 0x02F0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | ||
0x0320: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | ------------------------------------------------------------------------- | ||
0x0330: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | 0x0300: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | ||
0x0340: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | 0x0310: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | ||
0x0350: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | 0x0320: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | ||
0x0360: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | 0x0330: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | ||
0x0370: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | 0x0340: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | ||
0x0350: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0360: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0370: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ | |||
0x0380: 42 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C B....|.PQ..0MQw| | 0x0380: 42 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C B....|.PQ..0MQw| | ||
0x0390: 43 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C C....|.PQ..0MQw| | 0x0390: 43 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C C....|.PQ..0MQw| | ||
Line 1,413: | Line 652: | ||
0x03E0: 44 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C D....|.PQ..0MQw| | 0x03E0: 44 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C D....|.PQ..0MQw| | ||
0x03F0: 45 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C E....|.PQ..0MQw| | 0x03F0: 45 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C E....|.PQ..0MQw| | ||
</pre> | </pre> | ||
== More samples == | == More samples == | ||
* | * https://dl.dropboxusercontent.com/u/35197530/bin/eeprom.bin | ||
Tokens | =Tokens= | ||
Here we will document the different types off tokens known in the PS3 | |||
All tokens are tied? encrypted? using EID0. | |||
They enable additional repository nodes. | |||
==List== | |||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
|- | |- | ||
Line 1,640: | Line 671: | ||
| qa_token || sc_eeprom - 0x48D3E || 0x50 || spu_token_processor.self || | | qa_token || sc_eeprom - 0x48D3E || 0x50 || spu_token_processor.self || | ||
|- | |- | ||
| user_token || | | user_token || ? || ? || spu_utoken_processor.self || Encrypted/Signed | ||
|- | |- | ||
| token_seed || | | token_seed || ? || ? || ? || This is used to create the token with EID0 | ||
|} | |} | ||
== | ==Token Seed== | ||
? | |||
== Structure == | ==Structure== | ||
This section has to be corrected | This section has to be corrected, is only based on debug strings, we need to decrypt the tokens | ||
=== Token Seed === | ===Token Seed=== | ||
? | ? | ||
=== QA Token === | ===QA Token=== | ||
===User Token=== | |||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
|- | |- | ||
! | ! Address !! Size !! Description | ||
|- | |- | ||
| ? || ? || m_magic | | ? || ? || m_magic | ||
Line 1,704: | Line 704: | ||
| ? || ? || m_size | | ? || ? || m_size | ||
|- | |- | ||
| ? || ? || | | ? || ? || m_capability | ||
|- | |- | ||
| ? || ? || m_expire_date | | ? || ? || m_expire_date | ||
|- | |- | ||
| ? || ? || | | ? || ? || m_idps? | ||
|- | |- | ||
| ? || ? || m_attribute | | ? || ? || m_attribute | ||
Line 1,715: | Line 715: | ||
|} | |} | ||
For every | For every atribute in the token | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
|- | |- | ||
! | ! Address !! Size !! Description | ||
|- | |- | ||
| ? || ? || attr:m_type | | ? || ? || attr:m_type | ||
Line 1,727: | Line 727: | ||
| ? || ? || attr:m_data | | ? || ? || attr:m_data | ||
|} | |} | ||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | {{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> |