Editing SC EEPROM

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
Most of the information we have about the Syscon EEPROM comes from graf_chokolo reverse engineering of the HV. See [[Hypervisor Reverse Engineering]]  
Most of the information we have about the sc eeprom comes from graf_chokolo reverse engineering of the HV see [[Hypervisor Reverse Engineering]]  


Syscon EEPROM is where system flags, tokens and hashes are stored.
Here is where system flags, tokens and hashes are stored.


Right now, most of the communication we have with the Syscon EEPROM is through Linux using graf_chokolo ps3dm-utils and/or using his payloads.
Right now most of the communication we have with the sc eeprom is through Linux using graf_chokolo ps3dm-utils and/or using his payloads.


See also {{talk}} page and [[User_talk:Zer0Tolerance|Zer0Tolerance]]
See also {{talk}} page and [[User_talk:Zer0Tolerance|Zer0Tolerance]]


= Information =
= SC EEPROM Info =
*On [[Mullion]] syscons '''the EEPROM "pins" are exposed externally''' so we can capture the EEPROM traffic by attaching devices like Logic Analyzers, Protocol Analyzers, etc...
SC EEPROM from fat consoles is a custom/proprietary EEPROM chip that uses a special non standard commands to read/write from EEPROM.
**On [[Syscon CXR713 Series]] the EEPROM consists of '''0x4000''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x8000''' bytes ('''32KB''').
We are so lucky that Sony had exposed EEROM chip legs out of Syscon, so we have a physical access to it and we could attach devices like "'''Logic Analyzer'''", "'''Protocol Analyzer'''", "'''Custom made MCU boards'''" to capture traffic between console and Syscon EEPROM.
**On [[Syscon CXR714 Series]] the EEPROM consists of '''0x2800''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x5000''' bytes ('''20KB''').
*On [[Sherwood]] syscons '''the EEPROM is virtualized inside FLASH menory''', so there is not physical access to the EEPROM.
**On [[Syscon SW Series]], [[Syscon SW2 Series]] and [[Syscon SW3 Series]] the virtual EEPROM consists of '''0x4000''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x8000''' bytes ('''32KB''').


For FAT console Syscon EEPROM consists of: 0x4000 blocks, and every block is consists of 2 bytes of data.
So the total EEPROM size is: 0x8000 byte length.


Dont confuse the SPI block access (using blocks of 2 bytes leght) with the '''"Block ID"''' used by the '''SERV_NVS''' [[SC_Communication#Syscon_Services|Syscon Service]]
And since the pin-out of Syscon chip for Slim & Super Slim consoles is not known till now, we can not be sure if the Syscon EEPROM pins are exposed outside or not so we can access it like in FAT console without handling Syscon it self.


== SPI Commands ==
== SC EEPROM Commands ==
Syscon EEPROM uses a standard SPI protocol with proprietary commands as following:
 
FAT console's SC EEPROM used a standard SPI protocol with a proprietary commands as flow:


{| class="wikitable"
{| class="wikitable"
Line 26: Line 26:
| Unlock Command || 0xA3 0x00 0x00 || This command must be send first before write command.
| Unlock Command || 0xA3 0x00 0x00 || This command must be send first before write command.
|-
|-
| Write Command || 0xA4 0xXX 0xXX || XX XX is a block to be written (in the range 0x0000 up to 0x3FFF for [[Syscon CXR713 Series]], or 0x0000 up to 0x27FF for [[Syscon CXR714 Series]])<br>The maximum data to be written in one command cycle is 32 byte length (16 blocks).
| Write Command || 0xA4 0xXX 0xXX || XX XX is a block id to be written (value 0x0000 to 0x3FFF), the maximum data to be written in one command cycle is 32 byte length (16 blocks).
|-
|-
| Read Command || 0xA8 0xXX 0xXX || XX XX is a block to be read (in the range 0x0000 up to 0x3FFF for [[Syscon CXR713 Series]], or range 0x0000 up to 0x27FF for [[Syscon CXR714 Series]])<br>There is no maximum limit for read command so we can send it once with block 0x00 0x00 then read the full SC EEPROM at once without sending read command again.
| Read Command || 0xA8 0xXX 0xXX || XX XX is a block id to be read (value 0x0000 to 0x3FFF), there is no maximum limit for read command so we can send it once with block id 0x00 0x00 then read the full EEPROM at once without sending read command again.
|-
|-
| Check Status Command || 0xA9 0x00 0x00 0x00 || The response of this command is 0xFFFFFFFF if there is no error, or any other value if there is error happened or SC EEPROM still busy doing something.
| Check Status Command || 0xA9 0x00 0x00 0x00 || The response of this command is 0xFFFFFFFF if there is no error, or any other value if there is error happened or EEPROM still busy doing something.
|}
|}


= Dumps =
= SC EEPROM dumps =
 
* https://mega.co.nz/#!Bt8klAhQ!-t5YVetoL9gz6iZucpqQB9Vl9chCkbhFiMfqjbmotoc {{MD5|B0E0551116B718A4921757B2B074693F}}
* https://mega.co.nz/#!Bt8klAhQ!-t5YVetoL9gz6iZucpqQB9Vl9chCkbhFiMfqjbmotoc {{MD5|B0E0551116B718A4921757B2B074693F}}
* https://mega.co.nz/#!B51wWJYA!zg8O-vCvRBOgK5mpzTQ1H2hgBZmykglmbksB5w1Mlfg {{MD5|3E0E73DACF7E10F2369624EA439C661B}} (partial: {{MD5|7E2BAD4DFDEE485494C8749B1C3E5676}} / {{MD5|05D9ED4B545C709C9C4564F047028DE8}})
* https://mega.co.nz/#!B51wWJYA!zg8O-vCvRBOgK5mpzTQ1H2hgBZmykglmbksB5w1Mlfg {{MD5|3E0E73DACF7E10F2369624EA439C661B}} (partial: {{MD5|7E2BAD4DFDEE485494C8749B1C3E5676}} / {{MD5|05D9ED4B545C709C9C4564F047028DE8}})
Line 42: Line 41:
* https://mega.nz/#!iV0nGY4I!94ByAd-sourgK8_l_4s-6BX_V7iVOrysQd55bI0N6ws {{MD5|1DB1CAA8E3D54256A59D08B6AF2B9BC5}} (Dumped by Syscon EEPROM Flasher done by me "'''Abkarino'''" using Arduino Mega).
* https://mega.nz/#!iV0nGY4I!94ByAd-sourgK8_l_4s-6BX_V7iVOrysQd55bI0N6ws {{MD5|1DB1CAA8E3D54256A59D08B6AF2B9BC5}} (Dumped by Syscon EEPROM Flasher done by me "'''Abkarino'''" using Arduino Mega).


* https://mega.nz/#!AwF1jIaB!5qei9JOCzisgUHARcjARCw0zvQENkkvtAdd_O0dRUfI DECR Syscon EEPROM dump from lv2 um_manager, needs documentation.
* https://mega.nz/#!AwF1jIaB!5qei9JOCzisgUHARcjARCw0zvQENkkvtAdd_O0dRUfI DECR eeprom dump from lv2 um_manager, needs documentation.


Note: different consoles have same initial 16 bytes -> maybe key/iv?
different consoles, same initial 16 bytes. maybe key/iv?


= Important offsets =
=Important Offsets=


== SC EEPROM Offset Table - Flags and Tokens ==
== EEPROM Offset Table - Flags and Tokens ==


Here is the table of SC EEPROM offsets that can be accessed through Update Manager (3.15):  
Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):  


{| class="wikitable FCK__ShowTableBorders"
{| class="wikitable FCK__ShowTableBorders"
Line 56: Line 55:
! Offset !! Size !! Description
! Offset !! Size !! Description
|-
|-
| 0x02F00 || 8 || Manufacturing Update Release Version String
| 0x02F00 || 8 || Downgrade Minimum Version String
|-
|-
| 0x02F08 || 0x18 || Manufacturing Update Build Version + Build Date String
| 0x02F08 || 0x10 || Downgrade Minimum Version Build + Date Build String
|-
|-
| 0x02F20 || 8 || Manufacturing Update Build Target ID (Can be 0x83(CEX-ww), 0x82(DEX-ww), 0x81(DevelopmentTool) or 0xDEAD. Written during the <br>manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt)
| 0x02F20 || 8 || [[Target ID]]? (HV bible lists the Target ID as 85 Europe, not 83 Japan)
|-
|-
| 0x02F28 || 0xD0 || Padding/undocumented (the sample below is from motherboard REX-001(eMMC), syscon SW3-304)
| 0x02F28 || 0xD0 || Padding/undocumented
<pre>
<pre>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF xx xx
FF FF FF FF FF FF FF FF FF FF FF FF FF FF D4 63
xx xx xx FF FF xx xx xx xx xx xx xx xx xx xx xx
4F 4C 95 5E 01 31 04 BA 7C 93 41 23 52 48 B0 E0
xx xx 00 00 00 00 FF xx 00 xx xx FF FF FF FF FF  
3E 02 10 00 00 00 FF 04 00 01 02 FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF xx xx xx 00 00  
FF FF FF FF FF FF FF FF FF FF FF 32 49 31 34 00
xx xx xx xx xx FF FF FF xx xx xx FF FF FF xx 00 </pre>
32 32 1D 26 26 FF FF FF 1D 26 26 FF FF FF 80 00
</pre>
|-
|-
| 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails))
| 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails))
|-
|-
| 0x02FF9 || 0x7 || Padding/undocumented
| 0x02FF9 || 0x7 || Padding/undocumented
<pre>00 00 00 01 01 01 00 </pre>
<pre>00 00 00 00 xx xx xx </pre>
|-
|-
|}
|}
Line 91: Line 88:
|-
|-
! colspan="2" | Offset !! Size !! Description
! colspan="2" | Offset !! Size !! Description
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48000 || 0x13 || (lv0 NVS region 0 start)  
| colspan="2" | 0x48000 || 0x13 || (lv0 NVS region 0 start)  
|-
|-
| <abbr title="lv0 NVS region 0: 0x48000-0x48012"><small>0</small></abbr> || 0x48000 || 0x13 || (lv0 NVS region 0)
| <abbr title="lv0 NVS region 0: 0x48000-0x48012"><small>0</small></abbr> || 0x48000 || 0x13 || (lv0 NVS region 0)
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48012 || - || (lv0 NVS region 0 end)
| colspan="2" | 0x48012 || - || (lv0 NVS region 0 end)
|-
|-
Line 101: Line 98:


| colspan="2" | 0x48013 || 0x2A || QA Token ECDSA Signature (=&gt; 3.60 firmwares)
| colspan="2" | 0x48013 || 0x2A || QA Token ECDSA Signature (=&gt; 3.60 firmwares)
|-{{cellcolors|lightgrey}}
|-




| colspan="2" | 0x48800 || 0x0F || (lv0 NVS region 1 start)  
| colspan="2" | 0x48800 || 0x0C || (lv0 NVS region 1 start)  
|-
| rowspan="6" | <abbr title="lv0 NVS region 1: 0x48800-0x4880F"><small>1</small></abbr> || 0x48800 || 1 || ?
|-
|-
| 0x48801 || 1 || - hv log settings/infos? -
| rowspan="4" | <abbr title="lv0 NVS region 1: 0x48800-0x4880B"><small>1</small></abbr> || 0x48801 || 0xFF || - hv log settings/infos? -
|-
|-
| 0x48802 || 2 || ? (lv0/lv1 CodeVerifier::spu_interrupt_handler_class2 related)
| 0x48802 || 1 ||  
|-
|-
| 0x48804 || 4 || bootrom failure code  
| 0x48804 || 4 || bootrom failure code  
Line 116: Line 111:
| 0x48808 || 4 || bootrom failure timestamp  
| 0x48808 || 4 || bootrom failure timestamp  
|-
|-
| 0x4880C || 4 || ?
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x4880B || - || (lv0 NVS region 1 end)
| colspan="2" | 0x4880B || - || (lv0 NVS region 1 end)
|-{{cellcolors|lightgrey}}
|-




| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start)  
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start)  
|-
|-
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag)
| rowspan="19" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || load_image_in_rom flag (os_boot_order_flag)  
0 = network 1st
1 = flash 1st
|-
|-
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related)  
| 0x48C01 || 1 || (force standalone mode related)  
|-
|-
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device)
| 0x48C02 || 1 || debug interface (select_net_device)  
-1: Ethernet 2
  0: IFB
  1: CP
  2: SB UART
  3: CP ch4
  5: Disabled (default)
|-
|-
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device)  
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device)  
|-
|-
| 0x48C04 || 1 || used to reset dgbe_config (only <= 0.85)
| 0x48C05 || 1 || update_flag for CEB
|-
| 0x48C05 || 1 || force update flag (update_flag for consoles with flash_format  0)
|-
|-
| 0x48C06 || 1 || FSELF Control Flag / toggles release mode (fself_ctrl used by lv0 for failsafe mode and by lv2 to bypass protection checks)
| 0x48C06 || 1 || FSELF Control Flag / toggles release mode (fself_ctrl)
|-
|-
| 0x48C07 || 1 || Non-secure Product Mode (only <= 0.85) / force Syscon remarry (only JIG firmwares)
| 0x48C07 || 1 || Product Mode (UM allows to read this offset, it can be also written but only when already in product mode)
|-
|-
| 0x48C08 || 1 || lv0 passes this to lv1ldr (not used on >= 0.82, maybe only CEB)  
| 0x48C08 || 1 || (UNKNOWN {{unkn|debug}}))
|-
|-
| 0x48C09 || 1 || boot_fir_config (lv0ldr, bit 1/2, delays setting of BE fault-iso-regs/SB params to lv0)
| 0x48C0A || 1 || QA Flag
|-
| 0x48C0A || 1 || QA Flag exist flag
|-
|-
| 0x48C0B || 1 || mode_auth_flag / gx enable
| 0x48C0B || 1 || mode_auth_flag / gx enable
|-
|-
| 0x48C0C || 1 || Memory Diag Flag (bootrom diagnostic mode and parameter (bootrom_diag))
| 0x48C0C || 1 || bootrom diagnostic mode and parameter
|-
|-
| 0x48C0D || 1 || Memory Diag Status (lv0ldr related)
| 0x48C0D || 1 ||  
|-
|-
| 0x48C0E || 1 || XDR_Link_Init failure flag
| 0x48C0F || 2 ||  
|-
|-
| 0x48C0F || 2 || cell os flags (loader parameter)
| 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages)
|-
|-
| 0x48C11 || 1 || bootrom trace level
| 0x48C12 || 1 ||  
0x00: fatal errors
0x01: errors
0x02: information messages
0x03: debug messages
0xFF: ? (default)
|-
|-
| 0x48C12 || 1 || ?
| 0x48C13 || 1 || Device Type (flash_ext_format)
|-
|-
| 0x48C13 || 1 || flash ext flag (Device Type (flash_ext_format))
| 0x48C14 || ? || cellos_spu_configure
|-
|-
| 0x48C14 || 4 || cellos_spu_configure
| 0x48C18 || 4 || System Language [[XRegistry.sys#Settings]] ( /setting/system/language )
|-
|-
| 0x48C18 || 4 || Safe Mode System Language. Using the [[Languages|language codes]]. See also [[XRegistry.sys#Settings|XRegistry.sys/setting/system/language]]
| 0x48C1C || 4 || VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?)
|-
|-
| 0x48C1C || 4 || Safe Mode VSH Target (maybe QA,Debug,Retail,Kiosk?). See [[Promo_flags.txt]] and [[VSH_Exports#vshmain|GetReleaseTarget]] vsh export
0x00000000 = ? (default)
0x00000001 = ?
0x00000005 = dtcpipdevdex (can't update to any firmware, except dtcpipdevdex firmware)
0xFFFFFFFF = ?
0xFFFFFFFE = ?
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end)
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end)
|-{{cellcolors|lightgrey}}
|-




Line 196: Line 165:
| 0x48C23 || 1 || be ref clk (be_nclck_flag2)
| 0x48C23 || 1 || be ref clk (be_nclck_flag2)
|-
|-
| 0x48C24 || 1 || Bank #0 OS-Flag (ros0 if 0xFF else ros1, for NOR consoles only) (os_bank_indicator)
| 0x48C24 || 1 || Bank #0 OS-Flag (ros0 if 0xFF else ros1) (os_bank_indicator)
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48C24 || - || (lv0 NVS region 3 end)
| colspan="2" | 0x48C24 || - || (lv0 NVS region 3 end)
|-
|-
Line 211: Line 180:
|-
|-
| colspan="2" | 0x48C29 || 1 || Bank #1 rvkpkg-Flag
| colspan="2" | 0x48C29 || 1 || Bank #1 rvkpkg-Flag
|-{{cellcolors|lightgrey}}
|-




| colspan="2" | 0x48C30 || 0x0D || (lv0 NVS region 4 start)
| colspan="2" | 0x48C30 || 0x0D || (lv0 NVS region 4 start)
|-
|-
| rowspan="3" | <abbr title="lv0 NVS region 4: 0x48C30-0x48C3C"><small>4</small></abbr> || 0x48C30 || 1 || SPU num - Usally 0x06(default), can be set to 0x07 to enable the 8 SPE (restrict_spu) or can be set to 0xFF(unlimit)
| rowspan="3" | <abbr title="lv0 NVS region 4: 0x48C30-0x48C3C"><small>4</small></abbr> || 0x48C30 || 1 || SPE number Usally 0x06, can be set to 0x07 to enable the 8 SPE (restrict_spu)
|-
|-
| 0x48C31 || 4 || sata param
| 0x48C31 || 4 || sata_param
|-
| 0x48C35 || 8 || spr_tbuw_value (cellos_spu_configure)
|-
|-
| 0x48C35 || 8 || initial TB value (spr_tbuw_value (cellos_spu_configure))
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C3C || - || (lv0 NVS region 4 end)
| colspan="2" | 0x48C3C || - || (lv0 NVS region 4 end)
|-{{cellcolors|lightgrey}}
|-




Line 230: Line 199:
| rowspan="8" | <abbr title="lv0 NVS region 5: 0x48C40-0x48C4F"><small>5</small></abbr> || 0x48C42 || 1 || HDD Copy Mode
| rowspan="8" | <abbr title="lv0 NVS region 5: 0x48C40-0x48C4F"><small>5</small></abbr> || 0x48C42 || 1 || HDD Copy Mode
|-
|-
| 0x48C43 || 4 || Hdd Ident Information
| 0x48C43 || 4 ||  
|-
|-
| 0x48C47 || 1 || Analog Sunset Flag, will disable AACS video output without [[HDMI]] cable soon
| 0x48C47 || 1 || Analog Sunset Flag, will disable AACS video output without [[HDMI]] cable soon
Line 240: Line 209:
| 0x48C61 || 1 || Recover Mode Flag
| 0x48C61 || 1 || Recover Mode Flag
|-
|-
| 0x48C62 || 8 || boot param. Accessed by [[LV2_Functions_and_Syscalls|syscalls 404]] ?. See also [[Factory_Service_Mode#Game_OS|this]]
| 0x48C62 || 8 || boot param
|-
| 0x48C6A || 2 || factory process completion %
|-
|-
| 0x48C6A || 2 || factory process completion (bitflags ?). Accessed by [[LV2_Functions_and_Syscalls|syscalls 405, 406, 407]] ?. See also [[Factory_Service_Mode#Game_OS|this]]
Usually FFFF, but also:
00E2 - CokC12, SEM-001, CXR713120-203GB
00EA - CokD10, DIA-001, CXR714120-301GB
00E6 - CokE10, DIA-002, CXR714120-302GB
00EA - CokF10, VER-001, SW-301
00AA - CokG11, DYN-001, SW2-301
00BE - CokH11, SUR-001, SW2-302
00B2 - CokJ13, JTP-001, SW2-303 & CokK10, KTE-001, SW3-301
00B0 - CokM20, MSX-001, SW3-302 & CokM30, MPX-001, SW3-302 & CokN10, NPX-001, SW3-302 & CokP10, PQX-001, SW3-304 & CokR40, REX-001, SW3-304
00F0 - CokD10, DIA-001, CXR714120-304GB Refurb 40nm RSX
01FE - Cok14, COK-001, CXR714120-304GB Refurb 40nm RSX
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end)
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end)
|-{{cellcolors|lightgrey}}
|-




Line 265: Line 222:
|-
|-
| 0x48C88 || 8 || (rsx.rdcy.1)
| 0x48C88 || 8 || (rsx.rdcy.1)
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48C8F || - || (lv0 NVS region 6 end)
| colspan="2" | 0x48C8F || - || (lv0 NVS region 6 end)
|-{{cellcolors|lightgrey}}
|-




Line 283: Line 240:
|-
|-
| 0x48CB8 || 8 || (rsx.rdcy.7) / game_board_storage_read
| 0x48CB8 || 8 || (rsx.rdcy.7) / game_board_storage_read
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48CBF || - || (lv0 NVS region 7 end)
| colspan="2" | 0x48CBF || - || (lv0 NVS region 7 end)
|-
|-
Line 289: Line 246:
| colspan="2" | 0x48CCE || 1 || 0xFF / 0xFE / 0x00 (?)
| colspan="2" | 0x48CCE || 1 || 0xFF / 0xFE / 0x00 (?)
|-
|-
| colspan="2" | 0x48CCF || 1 || pme_user debug printf flag ( & 0x03 verbose level )
| colspan="2" | 0x48CCF || 1 || pme_user debug printf flag ( & 0x03 )
|-{{cellcolors|lightgrey}}
|-


| colspan="2" | 0x48CF0 || 0x10 || (NVS region start)
| colspan="2" | 0x48CF0 || 0x10 || (NVS region start)
Line 296: Line 253:
| rowspan="16" | <abbr title="NVS region: 0x48CF0-0x48CFF"><small></small></abbr> || 0x48CF0 || 1 || ss.common.printf.enabled
| rowspan="16" | <abbr title="NVS region: 0x48CF0-0x48CFF"><small></small></abbr> || 0x48CF0 || 1 || ss.common.printf.enabled
|-
|-
| 0x48CF1 || 1 || ss.common.debug.level+ss.update.debug.level
| 0x48CF1 || ||  
|-
|-
| 0x48CF2 || 1 || ss.updatefe.debug.level+ss.ss_init.debug.level
| 0x48CF2 || ||  
|-
|-
| 0x48CF3 || 1 || ss.ss_proxy.debug.level+ss.spm.debug.level
| 0x48CF3 || ||  
|-
|-
| 0x48CF4 || 1 || ss.spm.debug.policy+ss.ac_cntl.debug.level
| 0x48CF4 || ||  
|-
|-
| 0x48CF5 || 1 || ss.ploader.debug.level+ss.gloader.debug.level
| 0x48CF5 || ||  
|-
|-
| 0x48CF6 || 1 || ss.commlib.debug.level+ss.sc_mngr.debug.level
| 0x48CF6 || ||  
|-
|-
| 0x48CF7 || 1 || ss.sc_iso.debug.level+ss.ii_mngr.debug.level
| 0x48CF7 || ||  
|-
|-
| 0x48CF8 || 1 || ss.vtrm.debug.level+ss.sec_rtc.debug.level
| 0x48CF8 || ||  
|-
|-
| 0x48CF9 || 1 || ss.sb_mngr.debug.level+ss.sb_iso.debug.level
| 0x48CF9 || ||  
|-
|-
| 0x48CFA || 1 || ss.app_info.debug.level+ss.aim_iso.debug.level
| 0x48CFA || ||  
|-
|-
| 0x48CFB || 1 || ss.fdm.debug.level+ss.fdm_iso.debug.level
| 0x48CFB || ||  
|-
|-
| 0x48CFC || 1 || ss.fw.debug.level+ss.stricv.debug.level
| 0x48CFC || ||  
|-
|-
| 0x48CFD || 1 || ss.usbauth.debug.level+ss.dispatch.debug.level
| 0x48CFD || ||  
|-
|-
| 0x48CFE || 1 || ss.sc_test.debug.level+ss.sc_test.debug.spu
| 0x48CFE || ||
|-
| 0x48CFF ||  ||  
|-
|-
| 0x48CFF || 1 || ss.token.debug.level
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48CFF || - || (NVS region end)
| colspan="2" | 0x48CFF || - || (NVS region end)
|-{{cellcolors|lightgrey}}
|-




Line 337: Line 294:
|-
|-
| 0x48D08 || 4 || ip_gateway
| 0x48D08 || 4 || ip_gateway
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48D0B || - || (lv0 NVS region 8 end)
| colspan="2" | 0x48D0B || - || (lv0 NVS region 8 end)
|-{{cellcolors|lightgrey}}
|-




Line 346: Line 303:
|-
|-
| <abbr title="lv0 NVS region 9: 0x48D20-0x48D27"><small>9</small></abbr> || 0x48D20 || 8 || spider.gbe0.macaddr.0  (<code>0xFFFFFFFFFFFFFFFF</code> if unused/nonpresent)
| <abbr title="lv0 NVS region 9: 0x48D20-0x48D27"><small>9</small></abbr> || 0x48D20 || 8 || spider.gbe0.macaddr.0  (<code>0xFFFFFFFFFFFFFFFF</code> if unused/nonpresent)
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48D27 || - || (lv0 NVS region 9 end)
| colspan="2" | 0x48D27 || - || (lv0 NVS region 9 end)
|-{{cellcolors|lightgrey}}
|-




Line 358: Line 315:
|-
|-
| 0x48D38 || 8 || spider.gbe0.macaddr.3  (<code>FFFFFFFFFFFFFFFF</code> if unused/nonpresent)
| 0x48D38 || 8 || spider.gbe0.macaddr.3  (<code>FFFFFFFFFFFFFFFF</code> if unused/nonpresent)
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48D3F || - || (lv0 NVS region B end)
| colspan="2" | 0x48D3F || - || (lv0 NVS region B end)
|-{{cellcolors|lightgrey}}
|-




Line 367: Line 324:
|-
|-
| <abbr title="lv0 NVS region A: 0x48D3E-0x48D8D"><small>A</small></abbr> || 0x48D3E || 0x50 || QA Token - UM doesn't allow access to this offset but SC Manager can read/write it (qa_token)
| <abbr title="lv0 NVS region A: 0x48D3E-0x48D8D"><small>A</small></abbr> || 0x48D3E || 0x50 || QA Token - UM doesn't allow access to this offset but SC Manager can read/write it (qa_token)
|-{{cellcolors|lightgrey}}
|-
| colspan="2" | 0x48D8D || - || (lv0 NVS region A end)
| colspan="2" | 0x48D8D || - || (lv0 NVS region A end)
|-
|-




| colspan="2" | 0x48D8E || 0x50 || mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth, used to enter product mode on jig firmwares without a dongle)
| colspan="2" | 0x48D8E || 0x50 || mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth)
|-
|-
|}
|}
Line 386: Line 343:
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)


== Undocumented region ==
== Undocumented config ==
This is 0x48800 on SC EEPROM, or at 0x7100 (mullions with 32KB EEPROM used), or at 0x4100 (mullions with 20KB EEPROM used), or at 0x1100 (sherwoods)
 
Accessed by [[Hypervisor_Reverse_Engineering | Hypervisor Service ID 32]] '''REQUEST_SYSTEM_EVENT_LOG''' ?, and [[LV2_Functions_and_Syscalls| syscall 395]] '''sys_sm_request_system_event_log''' ?


There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0.
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0.
Sometimes the whole region is filled with FF's (empty, never used, or erased), it seems this procedure can be used to reset it
It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty (filled with FF's)
Sample (CokH11, SUR-001, SW2-302)
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001100  FF 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001110  16 0E F0 35 00 00 E1 18 00 04 53 00 0C 00 00 00  ..ð5..á...S.....
00001120  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001130  00 00 00 00 00 00 00 00 18 F1 6F 68 00 00 E1 18  .........ñoh..á.
00001140  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
00001150  00 00 00 00 55 55 55 55 00 00 00 00 00 00 00 00  ....UUUU........
00001160  18 F1 6F C7 00 00 E1 18 00 04 53 00 0C 00 00 00  .ñoÇ..á...S.....
00001170  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001180  00 00 00 00 00 00 00 00 18 FF EE 91 00 00 E1 18  .........ÿî‘..á.
00001190  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
000011A0  00 00 00 00 71 75 F4 75 00 00 00 00 00 00 00 00  ....quôu........
000011B0  1A 21 73 52 00 00 E1 18 00 04 53 00 0C 00 00 00  .!sR..á...S.....
000011C0  00 00 00 00 00 00 00 00 00 00 00 00 50 75 55 51  ............PuUQ
000011D0  00 00 00 00 00 00 00 00 16 0E EF D5 00 00 E1 18  ..........ïÕ..á.
000011E0  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
000011F0  00 00 00 00 55 55 55 55 00 00 00 00 00 00 00 00  ....UUUU........
</pre>
Sample with 2 slots used
<pre>
<pre>
0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00  ÿ.ÿþÿ.ÿÿ.ûá.....  
0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00  ÿ.ÿþÿ.ÿÿ.ûá.....  
Line 439: Line 365:
</pre>
</pre>


Sample with only 1 slot used (CokP10, PQX-001nor, SW3-304)
This is 0x48800 on EEPROM
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001100  FF 01 FF FF 0D FF FF FF 27 B5 4D 75 FF FF FF FF  ÿ.ÿÿ.ÿÿÿ'µMuÿÿÿÿ
00001110  1E 61 CF 07 00 00 E1 18 00 03 02 00 0C 03 00 00  .aÏ...á.........
00001120  A8 00 00 2D DC 40 00 00 00 20 00 00 3E AA A8 28  ¨..-Ü@... ..>ª¨(
00001130  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
00001140  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001150  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001160  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001170  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001180  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001190  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011B0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
</pre>
 
The structure of an slot seems to be: 0x4 (timestamp) + 0x2 (unknown, always 0000) + 0x1 (unknown, always 0xE1 or 0xE2) + 0x1 (Data Size ?, usually 0x18) + 0x4 (Data Type ?) + 0x1C (data, included padding)
*The timestamp follows the same format than the timestamps of the [[Syscon_Error_Codes#Error_log_format|Syscon Error Codes]], in some syscon models the lowest value posible for this timestamps seems to be 0x0B488680 (2005/12/31 00:00:00)
 
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  0B 74 08 2F 00 00 E1 18 00 03 15 00 0C 03 00 00  .t./..á.........
00001120  A8 00 00 18 32 E2 00 00 00 80 00 00 FF FF FF FF  ¨...2â...€..ÿÿÿÿ
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  1F AC E5 B0 00 00 E1 18 00 03 02 00 0C 03 00 00  .¬å°..á.........
00001120  A8 00 00 15 8A 20 00 00 00 40 00 00 AA AA AA AA  ¨...Š ...@..ªªªª
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  1D 59 29 DB 00 00 E2 18 01 51 40 25 40 01 03 00  .Y)Û..â..Q@%@...
00001120  00 00 00 01 08 E5 00 13 00 C7 00 00 00 00 00 00  .....å...Ç......
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  16 0E F0 35 00 00 E1 18 00 04 53 00 0C 00 00 00  ..ð5..á...S.....
00001120  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F


00007110  0B 48 86 7D 00 00 E1 18 53 54 52 3A 50 41 54 41  .H†}..á.STR:PATA
cech-c (NO BD Drive): http://pastie.org/private/grl0dc0dxajisa36chgm7w
00007120  43 30 3A 43 61 62 6C 65 20 4E 6F 74 20 43 6F 6E  C0:Cable Not Con
00007130  6E 65 63 74 00 00 00 00                          nect....
</pre>
 
*Notes
**See the timestamp of the last sample with value 0B48867D, very close to 0B488680 (2005/12/31 00:00:00)


== lv0 SC EEPROM usage ==
== lv0 SC EEPROM usage ==
<pre>
<pre>
[*] lv0 NVS regions:
[*] lv0 NVS regions:
Line 536: Line 401:
[*] lv0 SC EEPROM usage:
[*] lv0 SC EEPROM usage:
name                addr    size structure
name                addr    size structure
UNKNOWN              0x48804 0x04 [0x04 value]
dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
os_boot_order_flag  0x48C00 0x01 [0x01 flag]
select_net_device    0x48C02 0x01 [0x01 index]
select_dgbe_device  0x48C03 0x01 [0x01 index]
fself_ctrl          0x48C06 0x01 [0x01 flag]
UNKNOWN (debug?)    0x48C08 0x01 [0x01 flag]
qaf_enable          0x48C0A 0x01 [0x01 flag]
cellos_flags        0x48C0F 0x02 [0x02 flags]
bootrom_trace_level  0x48C11 0x01 [0x01 level]
flash_ext_format    0x48C13 0x01 [0x01 flag]
be_nclck_flag1      0x48C22 0x01 [0x01 flag]
be_nclck_flag2      0x48C23 0x01 [0x01 flag]
os_bank_indicator    0x48C24 0x01 [0x01 flag]
restrict_spu        0x48C30 0x01 [0x01 flag]
restrict_spu        0x48C30 0x01 [0x01 flag]
sata_param          0x48C31 0x04 [0x04 flag]
sata_param          0x48C31 0x04 [0x04 flag]
os_bank_indicator    0x48C24 0x01 [0x01 flag]
cellos_spu_configure 0x48C33 0x04 [0x04 config]
cellos_spu_configure 0x48C33 0x04 [0x04 config]
flash_ext_format    0x48C13 0x01 [0x01 flag]
cellos_flags        0x48C0F 0x02 [0x02 flags]
qaf_enable          0x48C0A 0x01 [0x01 flag]
UNKNOWN (debug?)    0x48C08 0x01 [0x01 flag]
fself_ctrl          0x48C06 0x01 [0x01 flag]
select_dgbe_device  0x48C03 0x01 [0x01 index]
os_boot_order_flag  0x48C00 0x01 [0x01 flag]
qa_token            0x48D3E 0x50 [0x50 token]
UNKNOWN              0x48804 0x04 [0x04 value]
UNKNOWN              0x48D20 0x08 [0x08 value]
rsx.rdcy.7          0x48CB8 0x08 [0x08 value]
rsx.rdcy.6          0x48CB0 0x08 [0x08 value]
rsx.rdcy.5          0x48CA8 0x08 [0x08 value]
rsx.rdcy.4          0x48CA0 0x08 [0x08 value]
rsx.rdcy.3          0x48C98 0x08 [0x08 value]
rsx.rdcy.2          0x48C90 0x08 [0x08 value]
rsx.rdcy.1          0x48C88 0x08 [0x08 value]
rsx.rdcy.0          0x48C80 0x08 [0x08 value]
be_nclck_flag2      0x48C23 0x01 [0x01 flag]
be_nclck_flag1      0x48C22 0x01 [0x01 flag]
select_net_device    0x48C02 0x01 [0x01 index]
spr_tbuw_value      0x48C35 0x08 [0x08 value]
spr_tbuw_value      0x48C35 0x08 [0x08 value]
rsx.rdcy.0          0x48C80 0x08 [0x08 value]
bootrom_trace_level  0x48C11 0x01 [0x01 level]
rsx.rdcy.1          0x48C88 0x08 [0x08 value]
rsx.rdcy.2          0x48C90 0x08 [0x08 value]
rsx.rdcy.3          0x48C98 0x08 [0x08 value]
rsx.rdcy.4          0x48CA0 0x08 [0x08 value]
rsx.rdcy.5          0x48CA8 0x08 [0x08 value]
rsx.rdcy.6          0x48CB0 0x08 [0x08 value]
rsx.rdcy.7          0x48CB8 0x08 [0x08 value]
dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
UNKNOWN              0x48D20 0x08 [0x08 value]
qa_token            0x48D3E 0x50 [0x50 token]
</pre>
</pre>


== System Data from SC EEPROM  ==
== System Data From EEPROM  ==


Here is the list of possible SC EEPROM offsets:  
Here is the list of possible EEPROM offsets:  


{|class="wikitable"
{|class="wikitable"
|-
|-
! Index !! SC EEPROM offset !! Data size !! Description
! Index !! SC EEPROM Offset !! Size Of Data !! Description
|-
| 4 || 0x48D00 || 4 ||?
|-
| 5 || 0x48D04 || 4 ||?
|-
| 6 || 0x48D08 || 4 ||?
|-
|-
| 0 || 0x48D20 || 6 ||?
| 0 || 0x48D20 || 6 ||?
Line 587: Line 446:
|-
|-
| 3 || 0x48D38 || 6 ||?
| 3 || 0x48D38 || 6 ||?
|-
| 4 || 0x48D00 || 4 ||?
|-
| 5 || 0x48D04 || 4 ||?
|-
| 6 || 0x48D08 || 4 ||?
|}
|}


== Dumpable SC EEPROM Offset - Block ID and Block Offset Mapping Table (NVS Service) ==
== Dumpable EEPROM Offset - Block ID and Block Offset Mapping Table (NVS Service) ==


Right now we only have read access to some portions of the SC EEPROM to have access to this regions DM needs to be patched, see section dumping SC EEPROM.
Right now we only have read access to some portions of the eeprom to have access to this regions DM needs to be patched, see section dumping eeprom


{|class="wikitable"
{|class="wikitable"
|-
|-
! SC EEPROM Offset !! Block ID !! Block Offset !! Description !! Physical Offset (CXR713) !! Physical Offset (CXR714) !! Virtual Offset (SW)
! EEPROM Offset !! Block ID !! Block Offset !! Description !! Physical Offset
|-
|-
| - || - || - || ERRLOG Errors are stored here || - || - || 0x900
| 0x48000 - 0x480FF || 0x00 || 0x48000 - 0x480FF || ? || 0x7000
|-
|-
| 0x2F00 - 0x2FFF || 0x10 || 0x2F00 - 0x2FFF || "Industry Area" aka OS Version Area || 0x2F00 || 0x2F00 || 0xE00
| 0x48800 - 0x488FF || 0x01 || 0x48800 - 0x488FF || Bluray Drive Area || 0x7100
|-
|-
| 0x3000 - 0x30FF || 0x20 || 0x3000 - 0x30FF || "Customer Service Area" || 0x3000 || 0x3000 || 0xF00
| 0x48C00 - 0x48CFF || 0x02 || 0x48C00 - 0x48CFF || Contains flags and tokens/ see above || 0x7200
|-
|-
| 0x48000 - 0x480FF || 0x00 || 0x48000 - 0x480FF || ? || 0x7000 || 0x4000 || 0x1000
| 0x48D00 - 0x48DFF || 0x03 || 0x48D00 - 0x48DFF || System Data Region || 0x7300
|-
|-
| 0x48800 - 0x488FF || 0x01 || 0x48800 - 0x488FF || HyperVisor Area || 0x7100 || 0x4100  || 0x1100
| 0x2F00 - 0x2FFF || 0x10 || 0x2F00 - 0x2FFF || "Industry Area" aka OS Version Area || 0x2F00
|-
|-
| 0x48C00 - 0x48CFF || 0x02 || 0x48C00 - 0x48CFF || Contains flags and tokens/ see above || 0x7200 || 0x4200 || 0x1200
| 0x3000 - 0x30FF || 0x20 || 0x3000 - 0x30FF || "CS Area" || 0x3000
|-
|-
| 0x48D00 - 0x48DFF || 0x03 || 0x48D00 - 0x48DFF || System Data Region || 0x7300 || 0x4300 || 0x1300
| All other offsets || Invalid || Invalid || ? ||
|-
| N/A || 0xFF || N/A || ? sys_boot_gos flag is there || No SC EEPROM activity || ? || ?
|-
| All other offsets || Invalid || Invalid || ? || - || - || -
|}
|}


== Dumpable only with HW flasher SC EEPROM Offsets - Full Mapping Table (NAND only) ==
== Dumpable only with HW flasher EEPROM Offsets - Full Mapping Table (NAND Only) ==
*Sample from a [[CECHGxx]] with [[SEM-001]] motherboard


{|class="wikitable"
{|class="wikitable"
|-
|-
! Physical Offset !! Description !! Samples
! Physical Offset !! Description  
|-
| 0x0-0xF || magic0 (static bytes) || <pre>99D9662BB3D761546B9C3F9ED140EDB0</pre>
|-
| 0x10-0x28F || eEID1 (probably encrypted) ||
|-
| 0x290-0x4FF || Unknown ||
|-
| 0x500-0x55F || magic1 (static bytes)
| <pre>E01B01CF9C7FBC7D79D670086DAF497F
9BD3A5D5178DDE1D825344AE398113DD
FF525D8BF4422CC76B13AA47FA2CC369
83A720CD45D18FB3D4112888187E3040
702B91D8E6ACEEC4B801315F357E1EE3
2DA1081408D72C41AFC1B61AE7C9882D</pre>
|-
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
|-
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
|-
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
|-
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
|-
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
|-
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
|-
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
|-
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
|-
| 0x2560-0x25FF || FF Region ||
|-
| 0x2600-0x26AF || FF Region || rowspan="6" | System Info
|-
| 0x26B0-0x26CF || Unknown, encrypted ?
|-
| 0x26D0-0x26EF || Unknown, encrypted ? (filled with FF's on TMU)
|-
| 0x26F0-0x26FF || FF Region
|-
| 0x2700-0x270F || magic2 (static bytes) (does not exist in TMU dump) <pre>857C4DE5BFAFD6A4A361CB5BFDD72D26</pre>
|-
| 0x2710-0x27FF || FF Region
|-
| 0x2800-0x2BFF || Syscon Patch Content Top-Half ||
|-
| 0x2C00-0x2EFF || FF Region ||
|-
| 0x2F00-0x2FFF || Industry Area  (nvs region 0x20) ||
|-
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) ||
|-
| 0x3100-0x31FF || Special Region #0 || Platform Config ([[Platform_ID]]<small>(hex)</small> at relative offset 0xE
|-
|-
| 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config
| 0x0-0xF || magic1? (static bytes)
|-
|-
| 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal Configs|Thermal Config]]
| 0x10-0x29F || eEID1? (probably encrypted)
|-
|-
| 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal Configs|Thermal Config]]
| 0x560-0x95F || Authenticated Data Region 0
|-
|-
| 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time
| 0x960-0xD5F || Authenticated Data Region 1
|-
|-
| 0x3600-0x36FF || Special Region #5 || On/Off Count, On-time
| 0xD60-0x115F || Authenticated Data Region 2
|-
|-
| 0x3700-0x37FF || Special Region #6 [[Syscon Error Codes|Errorlog]] (retail PS3 models) ...or... Serial Num (DECR only) || 2M010001207K / 2D@ 40@ 
| 0x1160-0x155F || Authenticated Data Region 3
|-
|-
| 0x3800-0x38FF || FF Region ...or... [[Syscon Error Codes|Errorlog]] (DECR only) ||
| 0x1560-0x195F || Authenticated Data Region 4
|-
|-
| 0x5000-0x6FFF || FF Region ||
| 0x1960-0x1D5F || Authenticated Data Region 5
|-
|-
| 0x7000-0x70FF ...or... 0x4000-0x40FF || Bluray Drive Area ?? (nvs region 0) || rowspan="4" | System Software Config
| 0x1D60-0x215F || Authenticated Data Region 6
|-
|-
| 0x7100-0x71FF ...or... 0x4100-0x41FF || HyperVisor Area (nvs region 1)
| 0x2160-0x255F || Authenticated Data Region 7
|-
|-
| 0x7200-0x72FF ...or... 0x4200-0x42FF || Token Area (nvs region 2)
| 0x2700 - 0x270F || magic2? (static bytes)
|-
|-
| 0x7300-0x73FF ...or... 0x4300-0x43FF || System Data Area (nvs region 3)
| 0x2800 - 0x2BFF || Syscon Patch Content Top-Half
|-
|-
| 0x7400-0x7FFF ...or... 0x4400-0x4FFF || Syscon Patch Content Bottom-Half ||
| 0x4400 - 0x4FFF OR 0x7400 - 0x7FFF || Syscon Patch Content Bottom-Half
|-
|-
| All other offsets || Unknown
|}
|}


Line 709: Line 516:
=== Tests ===
=== Tests ===


* [https://www.psdevwiki.com/ps3/File:A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)]
* http://i.imgur.com/A8g00bD.png <- aes 128 cbc with fixed key and incremented iv (by 1 each time)
* [https://www.psdevwiki.com/ps3/File:HZDWGSk.png results]
* http://i.imgur.com/HZDWGSk.png <- results
* [https://www.psdevwiki.com/ps3/File:2mtrtdm.png region 0 encrypted] vs [https://www.psdevwiki.com/ps3/File:7bSdQni.png decrypted]
* http://i.imgur.com/2mtrtdm.png region 0 encrypted vs http://i.imgur.com/7bSdQni.png decrypted
* [https://www.psdevwiki.com/ps3/File:FGJKkuz.png region 7 encrypted] vs [https://www.psdevwiki.com/ps3/File:7TSeHWK.png decrypted]
* http://i.imgur.com/FGJKkuz.png region 7 encrypted vs http://i.imgur.com/7TSeHWK.png decrypted


=== Conclusion ===
=== Conclusion ===


* different key for a different authenticated region.
* different key for a different authenticated region.
* Sony uses either AES 128-cbc or AES 256-cbc (most likely 128-cbc)
* sony uses either aes 128-cbc or aes 256-cbc (most likely 128-cbc)
* Sony does this weird cbc crypto in which they only decrypt portions of 0x10 bytes of the region, then increment or decrement (most likely increment) iv, and then decrypt again. I have decided to call it ctr-cbc.
* sony does this weird cbc crypto in which they only decrypt portions of 0x10 bytes of the region, then increment or decrement (most likely increment) iv, and then decrypt again. i've decided to call it ctr-cbc
* most likely the keys used are <strike>session</strike> perconsole keys.
* most likely the keys used are <strike>session</strike> perconsole keys.
* most likely the iv used starts with 00, then gets incremented by 1 for each 0x10 bytes
* most likely the iv used starts with 00, then gets incremented by 1 for each 0x10 bytes
Line 725: Line 532:


* Zer0Tolerance for the crypto findings
* Zer0Tolerance for the crypto findings
* flatz for his awesome Syscon tool
* flatz for his awesome syscon tool


= Dumping SC EEPROM =
=Dumping your SC EEPROM=


== Linux ==
==Linux==


First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts.
First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts.


Patch DM using linux_hv_scripts:
If you are ready.
 
Patch DM using linux_hv_scripts


<pre>
<pre>
Line 739: Line 548:
</pre>
</pre>


Read the data from the region you want for example (see tables above):
Read the data from the region you want for example (see tables above)


<pre>
<pre>
Line 745: Line 554:
</pre>
</pre>


You can see some coolstuff containing dumps.
You can see some coolstuff that containing dumps


= Hashes =
=Hashes=


Where exactly the hashes are stored is still a secret. It is said that those hashes are stored in SC EEPROM.
Where exactly the hashes are stored is still a secret, it is said that those hashes are stored in SC EEPROM


To retrieve the information about the packages you have installed you can also use ps3d_utils.
To retrieve the information about the packages you have installed you can also use ps3d_utils


== Linux ==
==Linux==


=== Installed Package info ===
===Installed Package info===


<pre>
<pre>
Line 769: Line 578:
0003004100000000
0003004100000000
</pre>
</pre>
 
get_pkg_info 2 - Revoke List for program
get_pkg_info 2 - Revoke List for program


Line 775: Line 584:
0003004100000000
0003004100000000
</pre>
</pre>
 
get_pkg_info 3 - Revoke list for package
get_pkg_info 3 - Revoke list for package
 
<pre>
<pre>
0002003000000000
0002003000000000
</pre>
</pre>
 
get_pkg_info 4
get_pkg_info 4
 
<pre>
<pre>
deadbeaffacebabe
deadbeaffacebabe
</pre>
</pre>
 
get_pkg_info 5
get_pkg_info 5
 
<pre>
<pre>
deadbeaffacebabe
deadbeaffacebabe
Line 795: Line 604:


get_pkg_info 6 - Firmware Package
get_pkg_info 6 - Firmware Package
 
<pre>
<pre>
0003005000000000
0003005000000000
</pre>
</pre>


You can find more information about this in [[Hypervisor Reverse Engineering]].


=== Hashes ===
You can find more information about this in [[Hypervisor Reverse Engineering]]
 
 
===Hashes===


What algorithm is used and what exactly is hashed is still unknown. It seems that the content of files is hashed by the SHA-1.
What algorithm is used and what exactly is hashed is still unknown (seems that the content of files is hashed by the SHA-1).


<pre>
<pre>
Line 816: Line 627:




region_data 0 - ROS0
region_data 0 - Core OS package


<pre>
<pre>
00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb
00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb  
 
--------
                        <---------------------------lv0---------------------------> <---------------------------lv1--------------------------->
00 03 00 15 00 00 00 00 39 8F 56 3B D3 C3 19 27 42 F5 0B 2A 06 0D 31 64 18 F3 E3 8A 0A AB D0 BE F0 D7 47 7A A7 F4 A7 5B 2D 09 78 48 E9 46 40 62
</pre>
</pre>


region_data 1 - ROS1
region_data 1


<pre>
<pre>
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
--------
                        <----------------------------lv0--------------------------> <--------------------------lv1---------------------------->
00 03 00 15 00 00 00 00 39 8F 56 3B D3 C3 19 27 42 F5 0B 2A 06 0D 31 64 18 F3 E3 8A 05 D4 15 79 F7 68 8A DF AD 9E CD 34 B4 C7 9F A8 C6 99 82 EE
</pre>
</pre>


region_data 2 - RL_FOR_PROGRAM.img 0
region_data 2


<pre>
<pre>
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
--------
                        <-------------------RL_FOR_PROGRAM.img-------------------->
00 03 00 15 00 00 00 00 04 C2 14 37 09 90 C3 3B 24 E0 8C 2C D8 93 14 A5 79 58 90 51 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
</pre>
</pre>


region_data 3 - RL_FOR_PROGRAM.img 1
region_data 3 //Revoke List for program?


<pre>
<pre>
00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
--------
                        <-------------------RL_FOR_PROGRAM.img-------------------->
00 03 00 15 00 00 00 00 04 C2 14 37 09 90 C3 3B 24 E0 8C 2C D8 93 14 A5 79 58 90 51 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
</pre>
</pre>


region_data 4 - RL_FOR_PACKAGE.img 0
region_data 4


<pre>
<pre>
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
--------
                        <-------------------RL_FOR_PACKAGE.img-------------------->
00 01 00 00 00 00 00 00 33 B2 94 A4 6B E1 49 74 CC 5F EE 48 19 AE 3C 76 CD D2 7D DB FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
</pre>
</pre>


region_data 5 - RL_FOR_PACKAGE.img 1
region_data 5 //Revoke List for package?


<pre>
<pre>
00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
--------
                        <-------------------RL_FOR_PACKAGE.img-------------------->
00 01 00 00 00 00 00 00 33 B2 94 A4 6B E1 49 74 CC 5F EE 48 19 AE 3C 76 CD D2 7D DB FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
</pre>
</pre>


Line 880: Line 667:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
DE AD BE AF FA CE BA BE 00 00 00 00 00 00 00 00 19 38 98 8F 93 C3 2F A9 C6 51 23 CF 12 CA 69 36 3E 59 7E 41 1F 56 D4 03 F4 C3 D2 6B 5D 51 E4 F4
</pre>
</pre>


Line 890: Line 673:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
00 01 00 00 06 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</pre>
</pre>


Line 899: Line 678:


<pre>
<pre>
00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
 
--------
 
00 03 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
</pre>
</pre>


Line 910: Line 685:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
DE AD BE AF FA CE BA BE 00 00 00 00 00 00 00 00 5F FB 4E 0B A7 FF 63 F4 F7 0A 22 D4 1B 3D F4 7D 24 32 71 B1 F9 84 B0 CD D7 42 7E FF 0C 77 C7 06
</pre>
</pre>


Line 920: Line 691:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
DE AD BE AF FA CE BA BE 00 00 00 00 00 00 00 00 B9 F1 DA 9F 01 A0 BA A3 3F CE EE 46 41 F6 40 F4 79 10 F6 1C C8 3E F3 55 8D 2C D0 4D 7E FA 27 81
</pre>
</pre>


Line 930: Line 697:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
DE AD BE AF FA CE BA BE 00 00 00 00 00 00 00 00 A9 5A 92 EA 64 A6 64 C5 A2 06 93 38 B0 39 45 AD F3 AD 9D FF 90 17 88 26 B1 D3 6A D6 20 A5 73 2D
</pre>
</pre>


Line 940: Line 703:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
DE AD BE AF FA CE BA BE 00 00 00 00 00 00 00 00 31 D9 71 84 3D BC 44 B0 2C 7A 64 F3 C6 C2 8C D1 4D 70 8E F0 58 8F 96 2A 82 90 EA D2 F4 1F E6 A9
</pre>
</pre>


Line 950: Line 709:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
DE AD BE AF FA CE BA BE 00 00 00 00 00 00 00 00 40 0B 6D 1D FB 4F CE D2 DA 8C B2 E2 27 21 96 27 76 51 CF C8 1E A3 AD ED 7A 8D 9E 9E A7 82 C1 B3
</pre>
</pre>


Line 960: Line 715:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
DE AD BE AF FA CE BA BE 00 00 00 00 00 00 00 00 D1 9B DB DA 69 32 00 5E 09 2F D4 8E 22 09 97 03 01 AB 1B D6 0E 19 41 3C 00 B6 2C 40 07 E4 FF 45
</pre>
</pre>


Line 970: Line 721:
<pre>
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be  
--------
DE AD BE AF FA CE BA BE 00 00 00 00 00 00 00 00 06 71 09 15 89 7E 7D FA B9 38 1A E0 99 CB 02 33 44 9B D6 40 90 AF 01 B9 89 B4 C0 1D 25 AF 4F 84
</pre>
</pre>


region_data 16 - 47?
region_data 16 - 47?


= Dumped data =
=Dumped data(SLIM)=
 
== PTCH Body ==
 
=== COK-001 ===
 
<pre>
0000000 0001 0000 0000 0004 2cc4 0003 2d88 0003
0000010 6440 0003 cccc cccc dff0 4669 1c22 dff1
0000020 dff2 e04f cccc cccc f078 0200 f0c8 0200
0000030 f10c 0200 ffff ffff 1fff e8bd 1ffe e92d
0000040 1b0b e3a0 0001 e150 0007 ba00 1b1d e3a0
0000050 2005 e080 0001 e152 0003 ca00 1ffe e8bd
0000060 2005 e1a0 1014 e59f f001 e1b0 1ffe e8bd
0000070 2005 e1a0 0001 e3a0 1004 e59f f001 e1b0
0000080 2cc6 0003 2ccc 0003 1b0b e3a0 0001 e155
0000090 0007 ba00 1b1d e3a0 0005 e084 0001 e150
00000a0 0003 ca00 1fff e8bd 0005 e1a0 1010 e59f
00000b0 f001 e1b0 1fff e8bd 0001 e3a0 1004 e59f
00000c0 f001 e1b0 2d8c 0003 2d92 0003 000c e59d
00000d0 1004 e5d0 2020 e590 0002 e151 0000 9a00
00000e0 1002 e1a0 1004 e5c0 1014 e58d 9fff e8fd
00000f0 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
0000fc0
</pre>
 
<pre>
0000000 0001 0000 0000 0005 2cc4 0003 2d88 0003
0000010 6440 0003 cccc cccc dff0 4669 1c22 dff1
0000020 dff2 e04f cccc cccc f078 0200 f0c8 0200
0000030 f10c 0200 ffff ffff 1fff e8bd 1ffe e92d
0000040 1b0b e3a0 0001 e150 0007 ba00 1b1d e3a0
0000050 2005 e080 0001 e152 0003 ca00 1ffe e8bd
0000060 2005 e1a0 1014 e59f f001 e1b0 1ffe e8bd
0000070 2005 e1a0 0001 e3a0 1004 e59f f001 e1b0
0000080 2cc6 0003 2ccc 0003 1b0b e3a0 0001 e155
0000090 0007 ba00 1b1d e3a0 0005 e084 0001 e150
00000a0 0003 ca00 1fff e8bd 0005 e1a0 1010 e59f
00000b0 f001 e1b0 1fff e8bd 0001 e3a0 1004 e59f
00000c0 f001 e1b0 2d8c 0003 2d92 0003 000c e59d
00000d0 1004 e5d0 2020 e590 0002 e151 0000 9a00
00000e0 1002 e1a0 1004 e5c0 1014 e58d 9fff e8fd
00000f0 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
00003c0 b5fe 4d3a 1c06 6829 f000 f874 2801 d055
00003d0 6869 1c30 f000 f86e 4c35 2801 d101 6ca1
00003e0 e01a 68a9 1c30 f000 f865 2801 d103 6929
00003f0 1c30 f000 f85f 69a9 1c30 f000 f85b 2800
0000400 d0ed 2801 d101 6ce1 e006 68e9 1c30 f000
0000410 f851 2800 d008 6d21 1c30 f000 f84b 0600
0000420 0e00 bcfe bc08 4718 6be1 1c30 f000 f842
0000430 0600 0e00 2820 d023 dc18 2801 d0cf 2802
0000440 d0e1 2804 d12f 2100 69ea 2010 f000 f83a
0000450 2220 9200 2201 2101 6a2f 2010 ab02 f000
0000460 f839 6969 1c30 f000 f825 e7d4 2840 d005
0000470 2101 0289 4288 d116 2007 e7d2 2000 e7d0
0000480 6a69 1c30 f000 f816 6aa9 1c30 f000 f812
0000490 2120 6aea 1c30 f000 f815 6b29 1c30 f000
00004a0 f809 2006 e7bd 200b e7bb 0000 f524 0200
00004b0 b720 0200 4708 0000 0000 0000 0000 0000
00004c0 0000 0000 4710 0000 0000 0000 0000 0000
00004d0 0000 0000 4738 0000 0000 0000 0000 0000
00004e0 0000 0000 7a4d 0002 7a89 0002 7add 0002
00004f0 7ab5 0002 7917 0002 75db 0002 7b6d 0002
0000500 0f05 0003 0fb5 0003 7cfb 0002 4053 0002
0000510 7009 0002 6497 0002 0000 0000 0000 0000
0000520 0000 0000 0000 0000 0000 0000 0000 0000
*
0000fc0
</pre>
 
<pre>
0000000 0001 0000 0000 0006 2cc4 0003 2d88 0003
0000010 6440 0003 08d0 0002 dff0 4669 1c22 dff1
0000020 dff2 e04f d00d dff3 f078 0200 f0c8 0200
0000030 f10c 0200 f140 0200 1fff e8bd 1ffe e92d
0000040 1b0b e3a0 0001 e150 0007 ba00 1b1d e3a0
0000050 2005 e080 0001 e152 0003 ca00 1ffe e8bd
0000060 2005 e1a0 1014 e59f f001 e1b0 1ffe e8bd
0000070 2005 e1a0 0001 e3a0 1004 e59f f001 e1b0
0000080 2cc6 0003 2ccc 0003 1b0b e3a0 0001 e155
0000090 0007 ba00 1b1d e3a0 0005 e084 0001 e150
00000a0 0003 ca00 1fff e8bd 0005 e1a0 1010 e59f
00000b0 f001 e1b0 1fff e8bd 0001 e3a0 1004 e59f
00000c0 f001 e1b0 2d8c 0003 2d92 0003 000c e59d
00000d0 1004 e5d0 2020 e590 0002 e151 0000 9a00
00000e0 1002 e1a0 1004 e5c0 1014 e58d 9fff e8fd
00000f0 0000 0000 0000 0000 0000 0000 0000 0000
0000100 1fff e8bd 1fbf e92d 0004 e28f 8002 e1a0
0000110 001e ea00 6007 e1a0 300c e3a0 0396 e003
0000120 60ac e59f 6000 e596 6006 e083 3004 e086
0000130 3020 e243 301f e5d3 0005 e153 0010 ba00
0000140 5000 e3a0 5000 e581 8000 e3a0 0002 e158
0000150 0008 0a00 0000 e28f 000c ea00 5000 e591
0000160 50ff e285 506e e285 5007 e085 5000 e581
0000170 8001 e288 fff4 eaff 1fbf e8bd 2054 e59f
0000180 f002 e1b0 1fbf e8bd 004c e59f f000 e1b0
0000190 0000 e358 000a 0a00 3008 e1a0 000a e353
00001a0 0001 ba00 300a e243 fffb eaff 0004 e353
00001b0 0001 ba00 3004 e243 fffb eaff 0000 e353
00001c0 0001 0a00 7000 e3a0 ff10 e12f 7001 e3a0
00001d0 ff10 e12f 0950 0002 0902 0002 08ee 0002
00001e0 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
00003c0 b5fe 4d3a 1c06 6829 f000 f874 2801 d055
00003d0 6869 1c30 f000 f86e 4c35 2801 d101 6ca1
00003e0 e01a 68a9 1c30 f000 f865 2801 d103 6929
00003f0 1c30 f000 f85f 69a9 1c30 f000 f85b 2800
0000400 d0ed 2801 d101 6ce1 e006 68e9 1c30 f000
0000410 f851 2800 d008 6d21 1c30 f000 f84b 0600
0000420 0e00 bcfe bc08 4718 6be1 1c30 f000 f842
0000430 0600 0e00 2820 d023 dc18 2801 d0cf 2802
0000440 d0e1 2804 d12f 2100 69ea 2010 f000 f83a
0000450 2220 9200 2201 2101 6a2f 2010 ab02 f000
0000460 f839 6969 1c30 f000 f825 e7d4 2840 d005
0000470 2101 0289 4288 d116 2007 e7d2 2000 e7d0
0000480 6a69 1c30 f000 f816 6aa9 1c30 f000 f812
0000490 2120 6aea 1c30 f000 f815 6b29 1c30 f000
00004a0 f809 2006 e7bd 200b e7bb 0000 f524 0200
00004b0 b720 0200 4708 0000 0000 0000 0000 0000
00004c0 0000 0000 4710 0000 0000 0000 0000 0000
00004d0 0000 0000 4738 0000 0000 0000 0000 0000
00004e0 0000 0000 7a4d 0002 7a89 0002 7add 0002
00004f0 7ab5 0002 7917 0002 75db 0002 7b6d 0002
0000500 0f05 0003 0fb5 0003 7cfb 0002 4053 0002
0000510 7009 0002 6497 0002 0000 0000 0000 0000
0000520 0000 0000 0000 0000 0000 0000 0000 0000
*
0000fc0
</pre>
 
=== COK-002 ===
 
<pre>
0000000 0001 0001 0003 0002 2fd4 0003 eeee eeee
0000010 dddd dddd cccc cccc 28ee d001 eeee eeee
0000020 dddd dddd cccc cccc ffff ffff eeee eeee
*
0000040 dddd dddd cccc cccc f3f4 f1f2 f3f4 f1f2
0000050 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
00003c0 b5fe 4d3a 1c06 6829 f000 f874 2801 d055
00003d0 6869 1c30 f000 f86e 4c35 2801 d101 6ca1
00003e0 e01a 68a9 1c30 f000 f865 2801 d103 6929
00003f0 1c30 f000 f85f 69a9 1c30 f000 f85b 2800
0000400 d0ed 2801 d101 6ce1 e006 68e9 1c30 f000
0000410 f851 2800 d008 6d21 1c30 f000 f84b 0600
0000420 0e00 bcfe bc08 4718 6be1 1c30 f000 f842
0000430 0600 0e00 2820 d023 dc18 2801 d0cf 2802
0000440 d0e1 2804 d12f 2100 69ea 2010 f000 f83a
0000450 2220 9200 2201 2101 6a2f 2010 ab02 f000
0000460 f839 6969 1c30 f000 f825 e7d4 2840 d005
0000470 2101 0289 4288 d116 2007 e7d2 2000 e7d0
0000480 6a69 1c30 f000 f816 6aa9 1c30 f000 f812
0000490 2120 6aea 1c30 f000 f815 6b29 1c30 f000
00004a0 f809 2006 e7bd 200b e7bb 0000 f524 0200
00004b0 b728 0200 4708 0000 0000 0000 0000 0000
00004c0 0000 0000 4710 0000 0000 0000 0000 0000
00004d0 0000 0000 4738 0000 0000 0000 0000 0000
00004e0 0000 0000 7bf5 0002 7c31 0002 7c85 0002
00004f0 7c5d 0002 7abf 0002 7783 0002 7d15 0002
0000500 1205 0003 12b5 0003 7ea3 0002 4203 0002
0000510 71b9 0002 6647 0002 0000 0000 0000 0000
0000520 0000 0000 0000 0000 0000 0000 0000 0000
*
0000fb0 0000 0000 f401 0200 0080 0000 0000 1dfe
0000fc0
</pre>
 
<pre>
0000000 0001 0001 0003 0003 2fd4 0003 09f8 0002
0000010 dddd dddd cccc cccc 28ee d001 d00d dff1
0000020 dddd dddd cccc cccc ffff ffff f078 0200
0000030 dddd dddd cccc cccc 1fff e8bd 1fbf e92d
0000040 0004 e28f 8002 e1a0 001e ea00 6007 e1a0
0000050 300c e3a0 0396 e003 60ac e59f 6000 e596
0000060 6006 e083 3004 e086 3020 e243 301f e5d3
0000070 0005 e153 0010 ba00 5000 e3a0 5000 e581
0000080 8000 e3a0 0002 e158 0008 0a00 0000 e28f
0000090 000c ea00 5000 e591 50ff e285 506e e285
00000a0 5007 e085 5000 e581 8001 e288 fff4 eaff
00000b0 1fbf e8bd 2054 e59f f002 e1b0 1fbf e8bd
00000c0 004c e59f f000 e1b0 0000 e358 000a 0a00
00000d0 3008 e1a0 000a e353 0001 ba00 300a e243
00000e0 fffb eaff 0004 e353 0001 ba00 3004 e243
00000f0 fffb eaff 0000 e353 0001 0a00 7000 e3a0
0000100 ff10 e12f 7001 e3a0 ff10 e12f 0a78 0002
0000110 0a2a 0002 0a16 0002 f3f4 f1f2 f3f4 f1f2
0000120 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
00003c0 b5fe 4d3a 1c06 6829 f000 f874 2801 d055
00003d0 6869 1c30 f000 f86e 4c35 2801 d101 6ca1
00003e0 e01a 68a9 1c30 f000 f865 2801 d103 6929
00003f0 1c30 f000 f85f 69a9 1c30 f000 f85b 2800
0000400 d0ed 2801 d101 6ce1 e006 68e9 1c30 f000
0000410 f851 2800 d008 6d21 1c30 f000 f84b 0600
0000420 0e00 bcfe bc08 4718 6be1 1c30 f000 f842
0000430 0600 0e00 2820 d023 dc18 2801 d0cf 2802
0000440 d0e1 2804 d12f 2100 69ea 2010 f000 f83a
0000450 2220 9200 2201 2101 6a2f 2010 ab02 f000
0000460 f839 6969 1c30 f000 f825 e7d4 2840 d005
0000470 2101 0289 4288 d116 2007 e7d2 2000 e7d0
0000480 6a69 1c30 f000 f816 6aa9 1c30 f000 f812
0000490 2120 6aea 1c30 f000 f815 6b29 1c30 f000
00004a0 f809 2006 e7bd 200b e7bb 0000 f524 0200
00004b0 b728 0200 4708 0000 0000 0000 0000 0000
00004c0 0000 0000 4710 0000 0000 0000 0000 0000
00004d0 0000 0000 4738 0000 0000 0000 0000 0000
00004e0 0000 0000 7bf5 0002 7c31 0002 7c85 0002
00004f0 7c5d 0002 7abf 0002 7783 0002 7d15 0002
0000500 1205 0003 12b5 0003 7ea3 0002 4203 0002
0000510 71b9 0002 6647 0002 0000 0000 0000 0000
0000520 0000 0000 0000 0000 0000 0000 0000 0000
*
0000fb0 0000 0000 f401 0200 0080 0000 0000 1dfe
0000fc0
</pre>
 
=== SEM-001 ===
 
<pre>
0000000 0001 0002 0003 0002 341c 0003 11b8 0002
0000010 dddd dddd cccc cccc 28ee d001 d00d dff1
0000020 dddd dddd cccc cccc ffff ffff f078 0200
0000030 dddd dddd cccc cccc 1fff e8bd 1fbf e92d
0000040 0004 e28f 8002 e1a0 001e ea00 6007 e1a0
0000050 300c e3a0 0396 e003 60ac e59f 6000 e596
0000060 6006 e083 3004 e086 3020 e243 301f e5d3
0000070 0005 e153 0010 ba00 5000 e3a0 5000 e581
0000080 8000 e3a0 0002 e158 0008 0a00 0000 e28f
0000090 000c ea00 5000 e591 50ff e285 506e e285
00000a0 5007 e085 5000 e581 8001 e288 fff4 eaff
00000b0 1fbf e8bd 2054 e59f f002 e1b0 1fbf e8bd
00000c0 004c e59f f000 e1b0 0000 e358 000a 0a00
00000d0 3008 e1a0 000a e353 0001 ba00 300a e243
00000e0 fffb eaff 0004 e353 0001 ba00 3004 e243
00000f0 fffb eaff 0000 e353 0001 0a00 7000 e3a0
0000100 ff10 e12f 7001 e3a0 ff10 e12f 123c 0002
0000110 11ea 0002 11d6 0002 f3f4 f1f2 f3f4 f1f2
0000120 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
0000fc0
</pre>
 
=== DIA-001 ===
 
<pre>
0000000 0001 0003 0003 0002 3740 0003 1074 0002
0000010 dddd dddd cccc cccc 28ee d001 d00d dff1
0000020 dddd dddd cccc cccc ffff ffff f078 0200
0000030 dddd dddd cccc cccc 1fff e8bd 1fbf e92d
0000040 0004 e28f 8002 e1a0 001e ea00 6007 e1a0
0000050 300c e3a0 0396 e003 60ac e59f 6000 e596
0000060 6006 e083 3004 e086 3020 e243 301f e5d3
0000070 0005 e153 0010 ba00 5000 e3a0 5000 e581
0000080 8000 e3a0 0002 e158 0008 0a00 0000 e28f
0000090 000c ea00 5000 e591 50ff e285 506e e285
00000a0 5007 e085 5000 e581 8001 e288 fff4 eaff
00000b0 1fbf e8bd 2054 e59f f002 e1b0 1fbf e8bd
00000c0 004c e59f f000 e1b0 0000 e358 000a 0a00
00000d0 3008 e1a0 000a e353 0001 ba00 300a e243
00000e0 fffb eaff 0004 e353 0001 ba00 3004 e243
00000f0 fffb eaff 0000 e353 0001 0a00 7000 e3a0
0000100 ff10 e12f 7001 e3a0 ff10 e12f 10f8 0002
0000110 10a6 0002 1092 0002 f3f4 f1f2 f3f4 f1f2
0000120 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
0000fc0
</pre>
 
=== DIA-002 ===
 
<pre>
0000000 0001 0004 0004 0002 3e90 0003 1204 0002
0000010 dddd dddd cccc cccc 28ee d001 d00d dff1
0000020 dddd dddd cccc cccc ffff ffff f078 0200
0000030 dddd dddd cccc cccc 1fff e8bd 1fbf e92d
0000040 0004 e28f 8002 e1a0 001e ea00 6007 e1a0
0000050 300c e3a0 0396 e003 60ac e59f 6000 e596
0000060 6006 e083 3004 e086 3020 e243 301f e5d3
0000070 0005 e153 0010 ba00 5000 e3a0 5000 e581
0000080 8000 e3a0 0002 e158 0008 0a00 0000 e28f
0000090 000c ea00 5000 e591 50ff e285 506e e285
00000a0 5007 e085 5000 e581 8001 e288 fff4 eaff
00000b0 1fbf e8bd 2054 e59f f002 e1b0 1fbf e8bd
00000c0 004c e59f f000 e1b0 0000 e358 000a 0a00
00000d0 3008 e1a0 000a e353 0001 ba00 300a e243
00000e0 fffb eaff 0004 e353 0001 ba00 3004 e243
00000f0 fffb eaff 0000 e353 0001 0a00 7000 e3a0
0000100 ff10 e12f 7001 e3a0 ff10 e12f 1288 0002
0000110 1236 0002 1222 0002 f3f4 f1f2 f3f4 f1f2
0000120 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
0000fc0
</pre>
 
=== PROTO BOARD 1 ===
 
<pre>
0000000 0001 0005 0000 0002 3ec4 0003 1204 0002
0000010 dddd dddd cccc cccc 28ee d001 d00d dff1
0000020 dddd dddd cccc cccc ffff ffff f078 0200
0000030 dddd dddd cccc cccc 1fff e8bd 1fbf e92d
0000040 0004 e28f 8002 e1a0 001e ea00 6007 e1a0
0000050 300c e3a0 0396 e003 60ac e59f 6000 e596
0000060 6006 e083 3004 e086 3020 e243 301f e5d3
0000070 0005 e153 0010 ba00 5000 e3a0 5000 e581
0000080 8000 e3a0 0002 e158 0008 0a00 0000 e28f
0000090 000c ea00 5000 e591 50ff e285 506e e285
00000a0 5007 e085 5000 e581 8001 e288 fff4 eaff
00000b0 1fbf e8bd 2054 e59f f002 e1b0 1fbf e8bd
00000c0 004c e59f f000 e1b0 0000 e358 000a 0a00
00000d0 3008 e1a0 000a e353 0001 ba00 300a e243
00000e0 fffb eaff 0004 e353 0001 ba00 3004 e243
00000f0 fffb eaff 0000 e353 0001 0a00 7000 e3a0
0000100 ff10 e12f 7001 e3a0 ff10 e12f 1288 0002
0000110 1236 0002 1222 0002 f3f4 f1f2 f3f4 f1f2
0000120 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
0000fc0
</pre>
 
=== PROTO BOARD 2 ===
 
<pre>
0000000 0001 0005 0001 0001 4000 0003 1228 0002
0000010 dddd dddd cccc cccc 28ee d001 d00d dff1
0000020 dddd dddd cccc cccc ffff ffff f078 0200
0000030 dddd dddd cccc cccc 1fff e8bd 1fbf e92d
0000040 0004 e28f 8002 e1a0 001e ea00 6007 e1a0
0000050 300c e3a0 0396 e003 60ac e59f 6000 e596
0000060 6006 e083 3004 e086 3020 e243 301f e5d3
0000070 0005 e153 0010 ba00 5000 e3a0 5000 e581
0000080 8000 e3a0 0002 e158 0008 0a00 0000 e28f
0000090 000c ea00 5000 e591 50ff e285 506e e285
00000a0 5007 e085 5000 e581 8001 e288 fff4 eaff
00000b0 1fbf e8bd 2054 e59f f002 e1b0 1fbf e8bd
00000c0 004c e59f f000 e1b0 0000 e358 000a 0a00
00000d0 3008 e1a0 000a e353 0001 ba00 300a e243
00000e0 fffb eaff 0004 e353 0001 ba00 3004 e243
00000f0 fffb eaff 0000 e353 0001 0a00 7000 e3a0
0000100 ff10 e12f 7001 e3a0 ff10 e12f 12ac 0002
0000110 125a 0002 1246 0002 f3f4 f1f2 f3f4 f1f2
0000120 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2 f3f4 f1f2
*
0000fc0
</pre>
 
=== DYN-001 ===
 
<pre>
0000000 4e5d 6b24 0001 0002 083e 0832 201a 0000
0000010 0faa 02ab 035d 009a 001a 0000 0000 0000
0000020 0000 0000 0000 0000 0000 0000 0000 0000
*
0000090 0000 0000 0000 0000 0000 3001 a0f8 1a14
00000a0 0000 0000 0000 0000 0000 0000 0000 0000
*
0000fc0
</pre>
 
*To be continued...


== Authenticated Regions ==
Here is an example of data (partition 1) from syscon which stores VTRM block key, SRK/SRH, region data, etc.
 
Here is an example of data (partition 1) from syscon EEPROM which stores VTRM block key, SRK/SRH, region data, etc.
 
RETAIL TSOP:


<pre>
<pre>
0x0000: 00 00 00 03 C0 00 00 FF 00 00 00 00 00 00 00 00  ................ <- version/mode
0x0000: 00 00 00 03 C0 00 00 FF 00 00 00 00 00 00 00 00  ................  
0x0010: 01 A2 F6 6C 26 54 1A 54 CE A3 F9 71 50 2B A8 20  ...l&T.T...qP+.  <- vtrm block key
0x0010: 01 A2 F6 6C 26 54 1A 54 CE A3 F9 71 50 2B A8 20  ...l&T.T...qP+.   
0x0020: 33 0E F4 5F 77 19 96 A6 7A 84 5D C9 AE B9 50 73  3.._w...z.]...Ps <- SRK
0x0020: 33 0E F4 5F 77 19 96 A6 7A 84 5D C9 AE B9 50 73  3.._w...z.]...Ps  
0x0030: AE 45 5D 8E 6C BB 80 4D 7E C5 BF A4 AC 8E E1 E5  .E].l..M~....... <- SRK/SRH
0x0030: AE 45 5D 8E 6C BB 80 4D 7E C5 BF A4 AC 8E E1 E5  .E].l..M~.......  
0x0040: 82 9B 0A 57 9A 40 D9 0C 00 00 00 00 00 00 00 00  ...W.@.......... <- SRH
0x0040: 82 9B 0A 57 9A 40 D9 0C 00 00 00 00 00 00 00 00  ...W.@..........  
0x0050: 7F 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  .....|.PQ..0MQw|  
0x0050: 7F 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  ....|.PQ..0MQw|  
0x0060: 7C 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  |....|.PQ..0MQw|  
0x0060: 7C 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  |....|.PQ..0MQw|  
0x0070: 7D 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  }....|.PQ..0MQw|  
0x0070: 7D 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  }....|.PQ..0MQw|  
0x0080: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 0
0x0080: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................  
0x0090: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 0
0x0090: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................  
0x00A0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 0
0x00A0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................  
0x00B0: 00 03 00 55 00 00 00 00 50 12 F0 AD 3A 4F 9F 1B  ...U....P...:O.. <- region data 1
0x00B0: 00 03 00 55 00 00 00 00 50 12 F0 AD 3A 4F 9F 1B  ...U....P...:O..  
0x00C0: F9 F1 E1 D3 64 85 D4 01 19 9D 76 9E 5C 33 8D FE  ....d.....v.\3.. <- region data 1
0x00C0: F9 F1 E1 D3 64 85 D4 01 19 9D 76 9E 5C 33 8D FE  ....d.....v.\3..  
0x00D0: 39 75 10 9B 73 43 69 89 2B F6 EE 53 15 4A 3B 06  9u..sCi.+..S.J;. <- region data 1
0x00D0: 39 75 10 9B 73 43 69 89 2B F6 EE 53 15 4A 3B 06  9u..sCi.+..S.J;.  
0x00E0: 00 03 00 55 00 00 00 00 7B C9 65 97 CF 0D 20 4B  ...U....{.e... K <- region data 2
0x00E0: 00 03 00 55 00 00 00 00 7B C9 65 97 CF 0D 20 4B  ...U....{.e... K  
0x00F0: BB 6A B1 B9 B0 71 83 27 79 6F 16 08 FF FF FF FF  .j...q.'yo...... <- region data 2
0x00F0: BB 6A B1 B9 B0 71 83 27 79 6F 16 08 FF FF FF FF  .j...q.'yo......
0x0100: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 2
-------------------------------------------------------------------------
0x0110: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 3
0x0100: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................  
0x0120: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ <- region data 3
0x0110: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................  
0x0130: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 3
0x0120: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
0x0140: 00 01 00 00 00 00 00 00 B0 64 53 92 7F 5E 29 47 .........dS.^)G  <- region data 4
0x0130: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................  
0x0150: 9C BC 84 58 4A F2 ED 0B 50 E1 BE F3 FF FF FF FF  ...XJ...P....... <- region data 4
0x0140: 00 01 00 00 00 00 00 00 B0 64 53 92 7F 5E 29 47 .........dS.^)G
0x0160: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 4
0x0150: 9C BC 84 58 4A F2 ED 0B 50 E1 BE F3 FF FF FF FF  ...XJ...P.......  
0x0170: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ <- region data 5
0x0160: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................  
0x0180: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 5
0x0170: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................  
0x0190: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................ <- region data 5
0x0180: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................  
0x01A0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ <- region data 6
0x0190: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................  
0x01B0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ <- region data 6
0x01A0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x01C0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 6
0x01B0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x01D0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 7
0x01C0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x01E0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 7
0x01D0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x01F0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 7
0x01E0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................
0x0200: 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 ...P............ <- region data 8
0x01F0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................
0x0210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ <- region data 8
-------------------------------------------------------------------------  
0x0220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................ <- region data 8
0x0200: 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 ...P............  
0x0230: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 9
0x0210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................  
0x0240: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 9
0x0220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................  
0x0250: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ <- region data 9
0x0230: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0260: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ <- region data 10
0x0240: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0270: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE ................ <- region data 10
0x0250: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0280: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 10
0x0260: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0290: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 11
0x0270: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x02A0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 11
0x0280: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................
0x02B0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 11
0x0290: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................
0x02C0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 12
0x02A0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................
0x02D0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 12
0x02B0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................
0x02E0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 12
0x02C0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................
0x02F0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 13
0x02D0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................
0x0300: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 13
0x02E0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................
0x0310: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 13
0x02F0: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................
0x0320: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 14
-------------------------------------------------------------------------  
0x0330: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 14
0x0300: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0340: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 14
0x0310: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0350: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 15
0x0320: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0360: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 15
0x0330: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0370: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................ <- region data 15
0x0340: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0350: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0360: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0370: DE AD BE AF FA CE BA BE DE AD BE AF FA CE BA BE  ................  
0x0380: 42 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  B....|.PQ..0MQw|  
0x0380: 42 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  B....|.PQ..0MQw|  
0x0390: 43 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  C....|.PQ..0MQw|  
0x0390: 43 03 00 94 B4 7C B6 50 51 E5 84 30 4D 51 77 7C  C....|.PQ..0MQw|  
Line 1,415: Line 799:
</pre>
</pre>


PROTO BGA (DECR):
<br>


= Dumped data (DECR) =´
<pre>
<pre>
00000000: 00 00 00 02 c0 00 00 ff - 00 00 00 00 00 00 00 00  ........ ........
0000000 0000 0200 00c0 ff00 0000 0000 0000 0000
00000010: eb 49 35 4a c3 26 51 7a - 1e 88 c9 5d 52 03 f1 54  .I5J..Qz ....R..T
0000010 49eb 4a35 26c3 7a51 881e 5dc9 0352 54f1
00000020: 7c d0 77 88 d1 1b 13 a2 - 43 dd c7 24 a4 79 5c d1  ..w..... C....y..
0000020 d07c 8877 1bd1 a213 dd43 24c7 79a4 d15c
00000030: 3f b9 f3 c1 e9 0a 28 43 - 30 d8 e0 82 20 6e 06 29  .......C 0....n..
0000030 b93f c1f3 0ae9 4328 d830 82e0 6e20 2906
00000040: ee aa 4c d0 ac 44 dd 7e - 00 00 00 00 00 00 00 00  ..L..D.. ........
0000040 aaee d04c 44ac 7edd 0000 0000 0000 0000
00000050: 9d 57 cf 03 e0 eb 89 7a - 8f 82 3b d6 83 f5 fb 1d  .W.....z ........
0000050 579d 03cf ebe0 7a89 828f d63b f583 1dfb
00000060: f5 b6 36 d3 48 d5 56 20 - 87 b9 3a fd 3b 49 ab 71  ..6.H.V. .....I.q
0000060 b6f5 d336 d548 2056 b987 fd3a 493b 71ab
00000070: 08 40 33 b5 40 07 84 b8 - 73 3f d1 91 04 3e 1b e8  ..3..... s.......
0000070 4008 b533 0740 b884 3f73 91d1 3e04 e81b
00000080: 00 03 00 15 00 00 00 00 - 39 8f 56 3b d3 c3 19 27  ........ 9.V..... <- this was refurbished
0000080 0300 1500 0000 0000 8f39 3b56 c3d3 2719
00000090: 42 f5 0b 2a 06 0d 31 64 - 18 f3 e3 8a 0a ab d0 be  B.....1d ........ <- this was refurbished
0000090 f542 2a0b 0d06 6431 f318 8ae3 ab0a bed0
000000a0: f0 d7 47 7a a7 f4 a7 5b - 2d 09 78 48 e9 46 40 62  ..Gz.... ..xH.F.b <- this was refurbished
00000a0 d7f0 7a47 f4a7 5ba7 092d 4878 46e9 6240
000000b0: 00 04 00 78 00 00 00 00 - 9f 00 c1 b7 ba 85 9b f0  ...x.... ........
00000b0 0400 7800 0000 0000 009f b7c1 85ba f09b
000000c0: 54 2f b8 07 3a 2e b7 c4 - 48 d0 4b 6d c8 10 4b 99  T....... H.Km..K.
00000c0 2f54 07b8 2e3a c4b7 d048 6d4b 10c8 994b
000000d0: ec 1e b0 9d e9 a3 b4 04 - ef 9d 7d b0 83 24 69 73  ........ ......is
00000d0 1eec 9db0 a3e9 04b4 9def b07d 2483 7369
000000e0: 00 03 00 55 00 00 00 00 - e9 02 a0 49 ca 20 5d 49  ...U.... ...I...I
00000e0 0300 5500 0000 0000 02e9 49a0 20ca 495d
000000f0: 46 65 fe 86 cf b4 3b 1e - 45 00 6e 04 ff ff ff ff  Fe...... E.n.....
00000f0 6546 86fe b4cf 1e3b 0045 046e ffff ffff
00000100: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000100 ffff ffff ffff ffff ffff ffff ffff ffff
00000110: 00 03 00 15 00 00 00 00 - 04 c2 14 37 09 90 c3 3b  ........ ...7.... <- this was refurbished
0000110 0300 1500 0000 0000 c204 3714 9009 3bc3
00000120: 24 e0 8c 2c d8 93 14 a5 - 79 58 90 51 ff ff ff ff  ........ yX.Q.... <- this was refurbished
0000120 e024 2c8c 93d8 a514 5879 5190 ffff ffff
00000130: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........ <- this was refurbished
0000130 ffff ffff ffff ffff ffff ffff ffff ffff
00000140: 00 01 00 00 00 00 00 00 - 0f 02 32 f0 4c 09 59 bc  ........ ..2.L.Y.
0000140 0100 0000 0000 0000 020f f032 094c bc59
00000150: 01 c1 1c 76 77 2e e0 a4 - 80 c1 eb 2f ff ff ff ff  ...vw... ........
0000150 c101 761c 2e77 a4e0 c180 2feb ffff ffff
00000160: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000160 ffff ffff ffff ffff ffff ffff ffff ffff
00000170: 00 01 00 00 00 00 00 00 - 33 b2 94 a4 6b e1 49 74  ........ 3...k.It <- this was refurbished
0000170 0100 0000 0000 0000 b233 a494 e16b 7449
00000180: cc 5f ee 48 19 ae 3c 76 - cd d2 7d db ff ff ff ff  ...H...v ........ <- this was refurbished
0000180 5fcc 48ee ae19 763c d2cd db7d ffff ffff
00000190: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........ <- this was refurbished
0000190 ffff ffff ffff ffff ffff ffff ffff ffff
000001a0: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
00001a0 adde afbe cefa beba 0000 0000 0000 0000
000001b0: 1f b0 c8 f2 55 e5 1a 44 - 3a eb 77 51 15 f4 2f 25  ....U..D ..wQ....
00001b0 b01f f2c8 e555 441a eb3a 5177 f415 252f
000001c0: 91 b0 3a 2b 43 79 c8 ca - 59 5e 3c 8c b9 f5 95 54  ....Cy.. Y......T
00001c0 b091 2b3a 7943 cac8 5e59 8c3c f5b9 5495
000001d0: 00 01 00 00 06 01 00 00 - 00 00 00 00 00 00 00 00  ........ ........
00001d0 0100 0000 0106 0000 0000 0000 0000 0000
000001e0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
00001e0 0000 0000 0000 0000 0000 0000 0000 0000
000001f0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
*
00000200: 00 03 00 10 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
0000200 0300 1000 0000 0000 0000 0000 0000 0000
00000210: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
0000210 0000 0000 0000 0000 0000 0000 0000 0000
00000220: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
*
00000230: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
0000230 adde afbe cefa beba 0000 0000 0000 0000
00000240: d5 5b f0 81 49 fa 71 0b - 99 58 d3 ed d5 3e 30 96  ....I.q. .X....0.
0000240 5bd5 81f0 fa49 0b71 5899 edd3 3ed5 9630
00000250: 59 97 b2 bf 29 62 e7 86 - de 6f 67 1c 8e 19 e1 87  Y....b.. .og.....
0000250 9759 bfb2 6229 86e7 6fde 1c67 198e 87e1
00000260: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
0000260 adde afbe cefa beba 0000 0000 0000 0000
00000270: c7 2b 3f 31 5d 3b 60 b7 - a0 c6 f5 38 40 d7 a0 04  ...1.... ...8....
0000270 2bc7 313f 3b5d b760 c6a0 38f5 d740 04a0
00000280: 2c 56 df 01 6f ad 35 26 - ac 9e b1 52 97 4e 4d e8  .V..o.5. ...R.NM.
0000280 562c 01df ad6f 2635 9eac 52b1 4e97 e84d
00000290: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
0000290 adde afbe cefa beba 0000 0000 0000 0000
000002a0: f0 84 7f e0 42 de 21 af - 58 b9 a4 11 03 d0 ff a8  ....B... X.......
00002a0 84f0 e07f de42 af21 b958 11a4 d003 a8ff
000002b0: e3 9d 54 25 28 dd 7d 46 - 20 24 43 ef 3a a3 9e aa  ..T....F ..C.....
00002b0 9de3 2554 dd28 467d 2420 ef43 a33a aa9e
000002c0: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
00002c0 adde afbe cefa beba 0000 0000 0000 0000
000002d0: ff 6e f8 37 55 2f 7a e0 - 62 53 d4 be d1 d0 e1 38  .n.7U.z. bS.....8
00002d0 6eff 37f8 2f55 e07a 5362 bed4 d0d1 38e1
000002e0: 35 82 2d de a6 d7 ed d4 - a7 f6 7d 95 4f b8 41 a6  5....... ....O.A.
00002e0 8235 de2d d7a6 d4ed f6a7 957d b84f a641
000002f0: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
00002f0 adde afbe cefa beba 0000 0000 0000 0000
00000300: 7f 01 3c 78 0b 9a 98 df - 7d 13 ce ef ef c4 34 e9  ...x.... ......4.
0000300 017f 783c 9a0b df98 137d efce c4ef e934
00000310: 7c 13 d5 e3 ff 85 0b a9 - 1d b8 b3 0e f4 63 d9 48  ........ .....c.H
0000310 137c e3d5 85ff a90b b81d 0eb3 63f4 48d9
00000320: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
0000320 adde afbe cefa beba 0000 0000 0000 0000
00000330: 8e 4f c0 e7 c9 a9 da 14 - 2b 2d ad 2d 4e 48 f5 5b  .O...... ....NH..
0000330 4f8e e7c0 a9c9 14da 2d2b 2dad 484e 5bf5
00000340: 06 ca 5a e6 7b 45 e1 45 - a5 c6 b1 a6 a5 8e d5 49  ..Z..E.E .......I
0000340 ca06 e65a 457b 45e1 c6a5 a6b1 8ea5 49d5
00000350: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
0000350 adde afbe cefa beba 0000 0000 0000 0000
00000360: c4 e9 a3 9a ec 7c 36 97 - 25 4f e4 3d ea 73 98 63  ......6. .O...s.c
0000360 e9c4 9aa3 7cec 9736 4f25 3de4 73ea 6398
00000370: 7c 17 0a 57 ed 44 70 08 - 6a b0 9e 3a c4 f2 cc b5  ...W.Dp. j.......
0000370 177c 570a 44ed 0870 b06a 3a9e f2c4 b5cc
00000380: 49 7c 5c 74 45 75 66 c5 - 07 74 4b 66 58 84 42 d8  I..tEuf. .tKfX.B.
0000380 7c49 745c 7545 c566 7407 664b 8458 d842
00000390: cb 71 a4 a8 7e 55 e7 64 - b3 24 4f 47 aa 61 31 32  .q...U.d ..OG.a12
0000390 71cb a8a4 557e 64e7 24b3 474f 61aa 3231
000003a0: 50 f8 c1 ed 64 7a 3b 0a - 40 f6 90 a1 8e 53 65 71  P...dz.. .....Seq
00003a0 f850 edc1 7a64 0a3b f640 a190 538e 7165
000003b0: 14 87 74 95 ef 14 48 40 - e7 28 51 74 42 d2 37 82  ..t...H. ..QtB.7.
00003b0 8714 9574 14ef 4048 28e7 7451 d242 8237
000003c0: 78 f2 d8 9e 06 64 71 49 - 20 65 68 f9 e0 79 f7 38  x....dqI .eh..y.8
00003c0 f278 9ed8 6406 4971 6520 f968 79e0 38f7
000003d0: 6f 1b 9e 6d bc 58 eb ae - 3f 43 83 49 b0 0b 13 f4  o..m.X.. .C.I....
00003d0 1b6f 6d9e 58bc aeeb 433f 4983 0bb0 f413
000003e0: 1d 7b 48 9a f1 a3 fb 22 - 6e 00 7a 75 d8 e3 c7 47  ..H..... n.zu...G
00003e0 7b1d 9a48 a3f1 22fb 006e 757a e3d8 47c7
000003f0: 0e 0e 8a ec 43 53 4a 65 - 19 8b 85 49 e0 9b 15 fe  ....CSJe ...I....
00003f0 0e0e ec8a 5343 654a 8b19 4985 9be0 fe15
</pre>
 
<pre>
00000000: 00 00 00 02 c0 00 00 ff - 00 00 00 00 00 00 00 00  ........ ........
00000010: b4 68 3b 7f ad 57 3f 0f - 23 a2 a1 e8 11 49 f4 f5  .h...W.. .....I..
00000020: 28 c9 3e 9f 14 f8 2e f9 - c1 49 cd 46 6c a0 0e af  ........ .I.Fl...
00000030: 74 19 b8 b2 11 92 d0 f6 - 69 0c a6 5a e0 36 15 18  t....... i..Z.6..
00000040: 27 52 89 5f cf 59 42 28 - 00 00 00 00 00 00 00 00  .R...YB. ........
00000050: 14 9d 2f 1e c8 07 f8 77 - 92 e9 e4 ce 00 12 a0 9a  .......w ........
00000060: ad cf 41 99 f9 d3 ec 83 - 2c 8f 26 80 d4 c0 fb 0e  ..A..... ........
00000070: b3 a3 61 ea 9a 41 17 cf - e8 50 15 d2 59 a3 51 dc  ..a..A.. .P..Y.Q.
00000080: 00 03 00 15 00 00 00 00 - 39 8f 56 3b d3 c3 19 27  ........ 9.V.....
00000090: 42 f5 0b 2a 06 0d 31 64 - 18 f3 e3 8a 0a ab d0 be  B.....1d ........
000000a0: f0 d7 47 7a a7 f4 a7 5b - 2d 09 78 48 e9 46 40 62  ..Gz.... ..xH.F.b
000000b0: 00 03 00 15 00 00 00 00 - 39 8f 56 3b d3 c3 19 27  ........ 9.V.....
000000c0: 42 f5 0b 2a 06 0d 31 64 - 18 f3 e3 8a 05 d4 15 79  B.....1d .......y
000000d0: f7 68 8a df ad 9e cd 34 - b4 c7 9f a8 c6 99 82 ee  .h.....4 ........
000000e0: 00 03 00 15 00 00 00 00 - 04 c2 14 37 09 90 c3 3b  ........ ...7....
000000f0: 24 e0 8c 2c d8 93 14 a5 - 79 58 90 51 ff ff ff ff  ........ yX.Q....
00000100: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
00000110: 00 03 00 15 00 00 00 00 - 04 c2 14 37 09 90 c3 3b  ........ ...7....
00000120: 24 e0 8c 2c d8 93 14 a5 - 79 58 90 51 ff ff ff ff  ........ yX.Q....
00000130: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
00000140: 00 01 00 00 00 00 00 00 - 33 b2 94 a4 6b e1 49 74  ........ 3...k.It
00000150: cc 5f ee 48 19 ae 3c 76 - cd d2 7d db ff ff ff ff  ...H...v ........
00000160: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
00000170: 00 01 00 00 00 00 00 00 - 33 b2 94 a4 6b e1 49 74  ........ 3...k.It
00000180: cc 5f ee 48 19 ae 3c 76 - cd d2 7d db ff ff ff ff  ...H...v ........
00000190: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
000001a0: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
000001b0: 19 38 98 8f 93 c3 2f a9 - c6 51 23 cf 12 ca 69 36  .8...... .Q....i6
000001c0: 3e 59 7e 41 1f 56 d4 03 - f4 c3 d2 6b 5d 51 e4 f4  .Y.A.V.. ...k.Q..
000001d0: 00 01 00 00 06 01 00 00 - 00 00 00 00 00 00 00 00  ........ ........
000001e0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
000001f0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
00000200: 00 03 00 10 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
00000210: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
00000220: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
00000230: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
00000240: 5f fb 4e 0b a7 ff 63 f4 - f7 0a 22 d4 1b 3d f4 7d  ..N...c. ........
00000250: 24 32 71 b1 f9 84 b0 cd - d7 42 7e ff 0c 77 c7 06  .2q..... .B...w..
00000260: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
00000270: b9 f1 da 9f 01 a0 ba a3 - 3f ce ee 46 41 f6 40 f4  ........ ...FA...
00000280: 79 10 f6 1c c8 3e f3 55 - 8d 2c d0 4d 7e fa 27 81  y......U ...M....
00000290: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
000002a0: a9 5a 92 ea 64 a6 64 c5 - a2 06 93 38 b0 39 45 ad  .Z..d.d. ...8.9E.
000002b0: f3 ad 9d ff 90 17 88 26 - b1 d3 6a d6 20 a5 73 2d  ........ ..j...s.
000002c0: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
000002d0: 31 d9 71 84 3d bc 44 b0 - 2c 7a 64 f3 c6 c2 8c d1  1.q...D. .zd.....
000002e0: 4d 70 8e f0 58 8f 96 2a - 82 90 ea d2 f4 1f e6 a9  Mp..X... ........
000002f0: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
00000300: 40 0b 6d 1d fb 4f ce d2 - da 8c b2 e2 27 21 96 27  ..m..O.. ........
00000310: 76 51 cf c8 1e a3 ad ed - 7a 8d 9e 9e a7 82 c1 b3  vQ...... z.......
00000320: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
00000330: d1 9b db da 69 32 00 5e - 09 2f d4 8e 22 09 97 03  ....i2.. ........
00000340: 01 ab 1b d6 0e 19 41 3c - 00 b6 2c 40 07 e4 ff 45  ......A. .......E
00000350: de ad be af fa ce ba be - 00 00 00 00 00 00 00 00  ........ ........
00000360: 06 71 09 15 89 7e 7d fa - b9 38 1a e0 99 cb 02 33  .q...... .8.....3
00000370: 44 9b d6 40 90 af 01 b9 - 89 b4 c0 1d 25 af 4f 84  D....... ......O.
00000380: 81 91 1f e2 fc 59 b4 fb - 43 dd 31 0f 00 96 b6 4e  .....Y.. C.1....N
00000390: 41 5e 91 78 d2 4f 5c 04 - 13 71 5d 09 2f 95 4f af  A..x.O.. .q....O.
000003a0: 43 fe b6 1c 0b 6c 4d 1c - 13 0b a0 42 a9 47 2d bc  C....lM. ...B.G..
000003b0: 54 f4 f5 80 b2 57 5b a2 - 34 3e 76 0b a0 3f a8 41  T....W.. 4.v....A
000003c0: c9 9f 96 8f 9b b1 f8 bc - 3b 5d 44 a0 6a 00 38 23  ........ ..D.j.8.
000003d0: a0 b8 53 24 f8 fd 34 5e - b9 64 f0 af 6e 28 4e 23  ..S...4. .d..n.N.
000003e0: 6b eb 86 db b2 72 80 ad - bc cd 9d d5 bc 42 9d d2  k....r.. .....B..
000003f0: af 77 6c ab 06 08 d8 c9 - 91 2f f3 8d 45 fd df 39  .wl..... ....E..9
</pre>
</pre>


RETAIL BGA:
<br>


<pre>
<pre>
00000000: 00 00 00 02 c0 00 00 ff - 00 00 00 00 00 00 00 00  ........ ........
0000000 0000 0200 00c0 ff00 0000 0000 0000 0000
00000010: 37 24 90 70 31 f5 64 48 - 12 7c a5 bc 37 6f 26 8d  7..p1.dH ....7o..
0000010 68b4 7f3b 57ad 0f3f a223 e8a1 4911 f5f4
00000020: 31 80 62 8d 16 56 ba 7c - b0 6a c8 65 ad 36 c1 e1  1.b..V.. .j.e.6..
0000020 c928 9f3e f814 f92e 49c1 46cd a06c af0e
00000030: 54 61 e2 08 cd 58 a7 d9 - 3d 22 bd 1b d7 c8 f6 97  Ta...X.. ........
0000030 1974 b2b8 9211 f6d0 0c69 5aa6 36e0 1815
00000040: 5d be bc 55 4e ae 0c dc - 00 00 00 00 00 00 00 00  ...UN... ........
0000040 5227 5f89 59cf 2842 0000 0000 0000 0000
00000050: f3 1f f5 81 d2 58 e6 b4 - ac f0 7a b4 e7 be 75 61  .....X.. ..z...ua
0000050 9d14 1e2f 07c8 77f8 e992 cee4 1200 9aa0
00000060: de 13 f1 17 35 29 5a 09 - 11 a8 ae 25 c3 f4 2f 6a  ....5.Z. .......j
0000060 cfad 9941 d3f9 83ec 8f2c 8026 c0d4 0efb
00000070: 74 1d ed 93 a0 17 06 63 - 61 ef dd fb 98 9e 07 3e  t......c a.......
0000070 a3b3 ea61 419a cf17 50e8 d215 a359 dc51
00000080: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000080 0300 1500 0000 0000 8f39 3b56 c3d3 2719
00000090: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000090 f542 2a0b 0d06 6431 f318 8ae3 ab0a bed0
000000a0: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
00000a0 d7f0 7a47 f4a7 5ba7 092d 4878 46e9 6240
000000b0: 00 03 00 55 00 00 00 00 - 66 1c 5d 52 ad 85 c0 22  ...U.... f..R....
00000b0 0300 1500 0000 0000 8f39 3b56 c3d3 2719
000000c0: 12 3f 8c 38 1f f8 e0 34 - c8 76 f0 42 dd d9 ca 89  ...8...4 .v.B....
00000c0 f542 2a0b 0d06 6431 f318 8ae3 d405 7915
000000d0: 88 c9 db 93 8c 1a 4d 77 - 1f 98 23 a1 1e f7 d0 bd  ......Mw ........
00000d0 68f7 df8a 9ead 34cd c7b4 a89f 99c6 ee82
000000e0: 00 03 00 55 00 00 00 00 - 7b c9 65 97 cf 0d 20 4b  ...U.... ..e....K
00000e0 0300 1500 0000 0000 c204 3714 9009 3bc3
000000f0: bb 6a b1 b9 b0 71 83 27 - 79 6f 16 08 ff ff ff ff  .j...q.. yo......
00000f0 e024 2c8c 93d8 a514 5879 5190 ffff ffff
00000100: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000100 ffff ffff ffff ffff ffff ffff ffff ffff
00000110: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000110 0300 1500 0000 0000 c204 3714 9009 3bc3
00000120: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000120 e024 2c8c 93d8 a514 5879 5190 ffff ffff
00000130: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000130 ffff ffff ffff ffff ffff ffff ffff ffff
00000140: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000140 0100 0000 0000 0000 b233 a494 e16b 7449
00000150: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000150 5fcc 48ee ae19 763c d2cd db7d ffff ffff
00000160: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000160 ffff ffff ffff ffff ffff ffff ffff ffff
00000170: 00 01 00 00 00 00 00 00 - b0 64 53 92 7f 5e 29 47  ........ .dS....G
0000170 0100 0000 0000 0000 b233 a494 e16b 7449
00000180: 9c bc 84 58 4a f2 ed 0b - 50 e1 be f3 ff ff ff ff  ...XJ... P.......
0000180 5fcc 48ee ae19 763c d2cd db7d ffff ffff
00000190: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff  ........ ........
0000190 ffff ffff ffff ffff ffff ffff ffff ffff
000001a0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00001a0 adde afbe cefa beba 0000 0000 0000 0000
000001b0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00001b0 3819 8f98 c393 a92f 51c6 cf23 ca12 3669
000001c0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00001c0 593e 417e 561f 03d4 c3f4 6bd2 515d f4e4
000001d0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00001d0 0100 0000 0106 0000 0000 0000 0000 0000
000001e0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00001e0 0000 0000 0000 0000 0000 0000 0000 0000
000001f0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
*
00000200: 00 03 00 10 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
0000200 0300 1000 0000 0000 0000 0000 0000 0000
00000210: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
0000210 0000 0000 0000 0000 0000 0000 0000 0000
00000220: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ........ ........
*
00000230: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000230 adde afbe cefa beba 0000 0000 0000 0000
00000240: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000240 fb5f 0b4e ffa7 f463 0af7 d422 3d1b 7df4
00000250: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000250 3224 b171 84f9 cdb0 42d7 ff7e 770c 06c7
00000260: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000260 adde afbe cefa beba 0000 0000 0000 0000
00000270: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000270 f1b9 9fda a001 a3ba ce3f 46ee f641 f440
00000280: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000280 1079 1cf6 3ec8 55f3 2c8d 4dd0 fa7e 8127
00000290: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000290 adde afbe cefa beba 0000 0000 0000 0000
000002a0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00002a0 5aa9 ea92 a664 c564 06a2 3893 39b0 ad45
000002b0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00002b0 adf3 ff9d 1790 2688 d3b1 d66a a520 2d73
000002c0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00002c0 adde afbe cefa beba 0000 0000 0000 0000
000002d0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00002d0 d931 8471 bc3d b044 7a2c f364 c2c6 d18c
000002e0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00002e0 704d f08e 8f58 2a96 9082 d2ea 1ff4 a9e6
000002f0: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
00002f0 adde afbe cefa beba 0000 0000 0000 0000
00000300: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000300 0b40 1d6d 4ffb d2ce 8cda e2b2 2127 2796
00000310: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000310 5176 c8cf a31e edad 8d7a 9e9e 82a7 b3c1
00000320: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000320 adde afbe cefa beba 0000 0000 0000 0000
00000330: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000330 9bd1 dadb 3269 5e00 2f09 8ed4 0922 0397
00000340: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000340 ab01 d61b 190e 3c41 b600 402c e407 45ff
00000350: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000350 adde afbe cefa beba 0000 0000 0000 0000
00000360: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000360 7106 1509 7e89 fa7d 38b9 e01a cb99 3302
00000370: de ad be af fa ce ba be - de ad be af fa ce ba be  ........ ........
0000370 9b44 40d6 af90 b901 b489 1dc0 af25 844f
00000380: 23 78 00 8b 80 be 94 c3 - aa 63 7e 87 c8 dc 32 5b  .x...... .c....2.
0000380 9181 e21f 59fc fbb4 dd43 0f31 9600 4eb6
00000390: 65 30 16 c7 31 b5 54 d7 - 8c 42 88 08 1c 52 6a 90  e0..1.T. .B...Rj.
0000390 5e41 7891 4fd2 045c 7113 095d 952f af4f
000003a0: f1 f3 41 44 66 11 4f 8a - 7f 63 81 16 e0 f6 fa 94  ..ADf.O. .c......
00003a0 fe43 1cb6 6c0b 1c4d 0b13 42a0 47a9 bc2d
000003b0: 0a 2f 92 e5 c3 43 49 90 - 90 4d b8 c1 81 e4 dc 31  .....CI. .M.....1
00003b0 f454 80f5 57b2 a25b 3e34 0b76 3fa0 41a8
000003c0: 1a 37 3a c8 a0 f8 7f 5d - 90 f1 74 6f 3d f9 c5 e4  .7...... ..to....
00003c0 9fc9 8f96 b19b bcf8 5d3b a044 006a 2338
000003d0: 5f 44 e7 67 81 22 2a 7d - 72 97 c5 ed 99 76 92 ee  .D.g.... r....v..
00003d0 b8a0 2453 fdf8 5e34 64b9 aff0 286e 234e
000003e0: 52 24 8e 52 05 cb 4c 72 - 8c 5d 3d 4c f0 a2 38 00  R..R..Lr ...L..8.
00003e0 eb6b db86 72b2 ad80 cdbc d59d 42bc d29d
000003f0: 17 40 27 9f 99 f0 3c ea - 26 7c f0 df d0 da 72 23  ........ ......r.
00003f0 77af ab6c 0806 c9d8 2f91 8df3 fd45 39df
</pre>
</pre>
== More samples ==
== More samples ==


* [https://dl.dropboxusercontent.com/u/35197530/bin/eeprom.bin dead link]
* https://dl.dropboxusercontent.com/u/35197530/bin/eeprom.bin


= Tokens =
=Tokens=


Here are documented the different types of tokens used in PS3.
Here we will document the different types off tokens known in the PS3
 
All tokens are tied? encrypted? using EID0.
All tokens are tied to EID0, more specifically to [[IDPS]].
They enable additional repository nodes.
 
Tokens enable additional repository nodes.
 
== List ==


==List==
{| class="wikitable FCK__ShowTableBorders"
{| class="wikitable FCK__ShowTableBorders"
|-
|-
Line 1,640: Line 954:
| qa_token || sc_eeprom - 0x48D3E || 0x50 || spu_token_processor.self ||  
| qa_token || sc_eeprom - 0x48D3E || 0x50 || spu_token_processor.self ||  
|-
|-
| user_token || ?copied from HDD or USB storage to VTRM? || ?variable? || spu_utoken_processor.self  || Encrypted/Signed
| user_token || ? || ? || spu_utoken_processor.self  || Encrypted/Signed
|-
|-
| token_seed || memory (temporary data) || ? || ? || Used to create a QA Token with EID0.
| token_seed || ? || ? || ? || This is used to create the token with EID0
|}
|}


=== QA Token ===
==Token Seed==


Used internally by Sony developpers to test the console and OS.
?
 
=== User Token ===


Used to test a usermode application.
==Structure==


=== Token Seed ===
This section has to be corrected, is only based on debug strings, we need to decrypt the tokens


Unencrypted form of QA Token.
===Token Seed===
 
== Structure ==
 
This section has to be corrected because it is almost only based on debug strings. We need to decrypt the tokens.
 
=== Token Seed ===


?
?


=== QA Token ===
===QA Token===


Size is about 0x50 bytes.


=== User Token ===


<syntaxhighlight lang="C">
===User Token===
struct user_token_attr {
    uint32_t type; // usually 1, 0 for last attribute
    uint32_t size;    // Size of this structure
    uint8_t data[0]; // size of data can be 0 */
}
 
struct user_token {
    uint32_t magic; // 0x73757400 = "sut\0"
    uint32_t format_version; // usually 1
    uint64_t size;
    uint8_t idps[16];
    uint64_t expire_date;
    uint64_t capability;
    union {
        struct user_token_attr attribute[0];
        uint8_t dummy[0xC00];
    } attributes;
    /* 0xC30 */
    uint8_t digest[0x14]; // certainly SHA-1
}
</syntaxhighlight>


{| class="wikitable FCK__ShowTableBorders"
{| class="wikitable FCK__ShowTableBorders"
|-
|-
! Offset !! Size !! Description
! Address !! Size !! Description
|-
|-
| ? || ? || m_magic
| ? || ? || m_magic
Line 1,704: Line 987:
| ? || ? || m_size
| ? || ? || m_size
|-
|-
| ? || ? || m_idps
| ? || ? || m_capability
|-
|-
| ? || ? || m_expire_date
| ? || ? || m_expire_date
|-
|-
| ? || ? || m_capability
| ? || ? || m_idps?
|-
|-
| ? || ? || m_attribute
| ? || ? || m_attribute
Line 1,715: Line 998:
|}
|}


For every attribute in the token:
For every atribute in the token


{| class="wikitable FCK__ShowTableBorders"
{| class="wikitable FCK__ShowTableBorders"
|-
|-
! Offset !! Size !! Description
! Address !! Size !! Description
|-
|-
| ? || ? || attr:m_type
| ? || ? || attr:m_type
Line 1,732: Line 1,015:
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
|-
|-
! style="background-color:red!important;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
! style="background-color:red;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
|-
|-
| <span style="white; color:red!important; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures.  
| style="background-color:white;" | <span style="white; color:red; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures.  
|}
|}
== Bus Pirate 3 Solderless method ==
== Bus Pirate 3 Solderless method ==


=== Requirements ===
=== You need ===
 
1) PS3 motherboard with BGA syscon chip (COK001, COK002, SEM001, DIA001, etc)
1) PS3 motherboard with BGA syscon chip (COK001, COK002, SEM001, DIA001, etc)


Line 1,755: Line 1,036:
=== Hardware Part ===
=== Hardware Part ===


Find the Syscon on your PS3 motherboard.
Find the syscon on your PS3 motherboard.
[[File:CXR713120 on SEM-001.JPG|thumbnail|none]]
[[File:CXR713120 on SEM-001.JPG|thumbnail|none]]


Look at the SC EEPROM Pins location and Draw serifs on the upper surface of the chip, strictly on these pins using pencil.
Look at the EEPROM Pins location and Draw serifs on the upper surface of the chip, strictly on these pins using pencil.
[[File:CXR713120_EEPROM_PINS.JPG||thumbnail|none]]
[[File:CXR713120_EEPROM_PINS.JPG||thumbnail|none]]


Line 1,767: Line 1,048:
[[File:Bus-Pirate-3 with Wires.jpg|thumbnail|none]]
[[File:Bus-Pirate-3 with Wires.jpg|thumbnail|none]]


Connect Bus-Pirate to the SC EEPROM pins using the folowing table:
Connect Bus-Pirate to the EEPROM Pins using the folowing table:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Bus Pirate pin !! SC EEPROM pin
! Bus Pirate pin !! EEPROM pin
|-
|-
| CLK || SKB
| CLK || SKB
Line 1,784: Line 1,065:
| GND || Any Ground Point
| GND || Any Ground Point
|}
|}
 
Use 1 finger to hold the wires. The wires should be well connected with the eeprom pins.
Use one finger to hold the wires. The wires should be well connected with the SC EEPROM pins.
[[File:CXR713120 EEPROM FingerTrick.JPG|thumbnail|none]]
[[File:CXR713120 EEPROM FingerTrick.JPG|thumbnail|none]]
 
Connect Bus-Pirate to you PC with Windows7 by USB.
Connect Bus-Pirate to your PC with Windows 7 by USB.


=== Software Part ===
=== Software Part ===
Line 1,803: Line 1,082:
Download and Run Syscon Flasher.exe
Download and Run Syscon Flasher.exe


Download link: https://www.sendspace.com/file/es86dh
Download link: https://mega.co.nz/#!clljxQgQ!vE93p35DJ9-FMKuxpev3zZvPBnxP_IQscPSXK9ocmH8


MD5=D59A8AA9E7BB1AEB753D7C6391CE17B1
MD5=D59A8AA9E7BB1AEB753D7C6391CE17B1
Line 1,817: Line 1,096:
3) Press "Power on" button. If done correctly, then "VREG" Led on the Bus Pirate will be Red.
3) Press "Power on" button. If done correctly, then "VREG" Led on the Bus Pirate will be Red.


4) Press "Browse" button and specify location and file name for your SC EEPROM dump.
4) Press "Browse" button and specify location and file name for your syscon eeprom dump.


5) Specify Offset and Length. Offset=0 Length=0x8000 for full dump of the SC EEPROM.
5) Specify Offset and Length. Offset=0 Length=0x8000 for full dump the eeprom.


6) Press "Fast Read" button and wait about 15sec.
6) Press "Fast Read" button and wait about 15sec.


7) Enjoy
Enjoy:


My dump, for example: [https://mega.co.nz/#!E1kHgSZJ!4e7TdNLdkQQzinwlnRO2KmaBd0GeBliHuHFe2tkmBgQ download link]
My dump, for example:
 
https://mega.co.nz/#!E1kHgSZJ!4e7TdNLdkQQzinwlnRO2KmaBd0GeBliHuHFe2tkmBgQ


== Bus Pirate 3 method by: ([[User_talk:Zer0Tolerance|Zer0Tolerance]]) ==
== Bus Pirate 3 method by: ([[User_talk:Zer0Tolerance|Zer0Tolerance]]) ==


=== Requirements ===
=== You need ===
 
1) PS3 motherboard. I am using '''DIA-001'''. may be we can dump it from another boards, but it is unknown yet.
1) PS3 motherboard. I am using '''DIA-001'''. Maybe we can dump it from another motherboard, but it is unknown yet.


2) Device that can work with SPI interface and send any commands. I am using a Bus Pirate v3.6 with connectors.
2) Device that can work with SPI interface and send any commands. I am using a Bus Pirate v3.6 with connectors.
Line 1,845: Line 1,125:
=== Preparation ===
=== Preparation ===


Find the test points on the motherboard using the picture corresponding to your motherboard.
Find the test points on the motherboard using this picture.
 
for DIA-001:
[[File:DIA-001 SysCon EPROM Interface.png|thumbnail|none]]
[[File:DIA-001 SysCon EPROM Interface.png|thumbnail|none]]
for DECR-1400:
[[File:DEB-001 SC EEPROM.png|thumbnail|none]]


All points are covered with varnish. You need to carefully remove the varnish to the copper and solder the wires to it.
All points are covered with varnish. You need to carefully remove the varnish to the copper and solder the wires to it.
Line 1,869: Line 1,144:
| MISO || DO
| MISO || DO
|-
|-
| 3V3 || RBB
| 3V3 || WCB, RBB
|-
|-
| GND || WCB, Any Ground Point
| GND || Any Ground Point
|}
|}


Make sure that the battery is attached to the motherboard.
Make sure that the battery is attached to the motherboard.


Plug your Bus Pirate to the USB port on your PC using mini_USB_to_USB cable. (I am using the cable from the ps3 gamepad)
Plug your Bus pirate to the USB port on your PC using mini_USB_to_USB cable. (I am using the cable from the ps3 gamepad)
 
It should be done like this, see the following picture:


It should be done like on the following picture:
[[File:Dumping SC EEPROM using Bus Pirate v3.6.JPG|thumbnail|none]]
[[File:Dumping SC EEPROM using Bus Pirate v3.6.JPG|thumbnail|none]]


=== Setup software ===
=== Setup software ===


1) Install the driver for the Bus Pirate and setup your virtual COM port for it using the following table:
1) Install the driver for the Bus Pirate and setup your virtual COM port for it using following table:
 
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 1,917: Line 1,192:


Now click Open button and setup mode for bus pirate using following commands:
Now click Open button and setup mode for bus pirate using following commands:
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 1,951: Line 1,225:
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format.
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format.


<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes length (0x8000),  [r:] are syntax command of the Bus Pirate for start, read byte and end</small>
<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full EEPROM is 32768 bytes lenght (0x8000),  [r:] are syntax command of the Bus Pirate for start, read byte and end</small>


== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) ==  
== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) ==  


   I had build my own Syscon EEPROM flasher based on open source hardware "'''Arduino Mega'''" and some resistors.
   I had build my own Syscon EEPROM flasher based on open source hardware "'''Arduino Mega'''" and some resistors.
This flasher will allow you fully read/write to your Syscon EEPROM (FAT consoles only till now).


This flasher will allow you to fully read/write to your Syscon EEPROM (FAT consoles only till now).
=== You need ===
 
1) PS3 motherboard. I had used '''SEM-0001''' board by desoldering Syscon chip form it but you can use, '''DIA-001''' for example without desoldering Syscon chip since all eeprom pins had a test points in the board it self.
=== Requirements ===
 
1) PS3 motherboard. I had used '''SEM-0001''' board by desoldering Syscon chip form it but you can use, '''DIA-001''' for example without desoldering Syscon chip since all SC EEPROM pins had a test points in the board it self.


2) Arduino Mega or any Arduino board.
2) Arduino Mega or any Arduino board.
Line 1,969: Line 1,241:
4) Soldering station.
4) Soldering station.


5) Wires & Bread board  (optional).
5) Wires & Bread board  (Optional).


6) Any PC that have terminal software like Putty, RealTerm and so on to access serial port, and any Hex Editor like HxD.
6) Any PC that have terminal software like Putty, RealTerm and so on to access serial port, and any Hex Editor like HxD.
Line 1,977: Line 1,249:
Find the test points on the motherboard using this picture.
Find the test points on the motherboard using this picture.
[[File:DIA-001 SysCon EPROM Interface.png|thumbnail|none]]
[[File:DIA-001 SysCon EPROM Interface.png|thumbnail|none]]
 
Or if you have a very good soldering skills and tools to desolder your SysCon then you can desolder your SysCon and solder your wires to it directly.  
Or if you have very good soldering skills and tools to desolder your SysCon then you can desolder your SysCon and solder your wires to it directly.  


All points are covered with varnish. You need to carefully remove the varnish to the copper and solder the wires to it.
All points are covered with varnish. You need to carefully remove the varnish to the copper and solder the wires to it.
Line 2,005: Line 1,276:
|}
|}


*Make sure that the battery is attached to the motherboard if you will dump/flash SysCon EEPROM in board.
Make sure that the battery is attached to the motherboard if you will dump/flash SysCon EEPROM in board.
 
*Make sure the pins are compatible or edited if using other arduino Board.
 
**Arduino Mega: MISO is 50, MOSI is 51, SCK is 52 and SS is usually 53
**Arduino Leonardo: the SPI pins are on the ICSP header pins.
**Arduino Duemilanove/Uno:  SS is digital 10, MOSI is 11, MISO is 12, SCK is (usually) 13


=== Wiring Diagram & Photos ===
=== Wiring Diagram & Photos ===
Line 2,020: Line 1,285:


=== Arduino Sketch Source Code ===
=== Arduino Sketch Source Code ===
Here is my Arduino Mega sketch source code to allow you to read/write/erase PS3 Syscon EEPROM.
http://pastie.org/10004682#8,19


Here is my Arduino Mega sketch source code to allow you to read/write/erase PS3 Syscon EEPROM. [http://pastie.org/10004682#8,19 dead link]




{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps3/SC_EEPROM"