Editing SC EEPROM
Latest revision | Your text | ||
Line 1: | Line 1: | ||
Most of the information we have about the | Most of the information we have about the sc eeprom comes from graf_chokolo reverse engineering of the HV see [[Hypervisor Reverse Engineering]] | ||
Here is where system flags, tokens and hashes are stored. | |||
Right now | Right now most of the communication we have with the sc eeprom is through Linux using graf_chokolo ps3dm-utils and/or using his payloads. | ||
See also {{talk}} page and [[User_talk:Zer0Tolerance|Zer0Tolerance]] | See also {{talk}} page and [[User_talk:Zer0Tolerance|Zer0Tolerance]] | ||
= | = SC EEPROM Info = | ||
SC EEPROM from fat consoles is a custom/proprietary EEPROM chip that uses a special non standard commands to read/write from EEPROM. | |||
We are so lucky that Sony had exposed EEROM chip legs out of Syscon, so we have a physical access to it and we could attach devices like "'''Logic Analyzer'''", "'''Protocol Analyzer'''", "'''Custom made MCU boards'''" to capture traffic between console and Syscon EEPROM. | |||
For FAT console Syscon EEPROM consists of: 0x4000 blocks, and every block is consists of 2 bytes of data. | |||
So the total EEPROM size is: 0x8000 byte length. | |||
And since the pin-out of Syscon chip for Slim & Super Slim consoles is not known till now, we can not be sure if the Syscon EEPROM pins are exposed outside or not so we can access it like in FAT console without handling Syscon it self. | |||
== | == SC EEPROM Commands == | ||
FAT console's SC EEPROM used a standard SPI protocol with a proprietary commands as flow: | |||
{| class="wikitable" | {| class="wikitable" | ||
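Review bot: the "= SC EEPROM Info =" and "== SC EEPROM Commands ==" headings appear only in the Your text column while their body sentences (the 0x4000-block layout, the exposed EEPROM pins on FAT boards, the "standard SPI protocol with proprietary commands" framing) are single-column lines, so whichever version is published needs both heading and body, otherwise the command table that follows has no introduction. Wording to fix in that body at the same time: "uses a special non standard commands" should be "uses special non-standard commands", "every block is consists of 2 bytes" should be "every block consists of 2 bytes", and "graf_chokolo reverse engineering of the HV" should be "graf_chokolo's reverse engineering of the HV". The size arithmetic is consistent: 0x4000 blocks × 2 bytes = 0x8000 bytes, which matches the "Offset=0 Length=0x8000" full dump and the "32768 bytes" figure given in the Bus Pirate section.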
Line 26: | Line 26: | ||
| Unlock Command || 0xA3 0x00 0x00 || This command must be send first before write command. | | Unlock Command || 0xA3 0x00 0x00 || This command must be send first before write command. | ||
|- | |- | ||
| Write Command || 0xA4 0xXX 0xXX || XX XX is a block to be written ( | | Write Command || 0xA4 0xXX 0xXX || XX XX is a block id to be written (value 0x0000 to 0x3FFF), the maximum data to be written in one command cycle is 32 byte length (16 blocks). | ||
|- | |- | ||
| Read Command || 0xA8 0xXX 0xXX || XX XX is a block to be read ( | | Read Command || 0xA8 0xXX 0xXX || XX XX is a block id to be read (value 0x0000 to 0x3FFF), there is no maximum limit for read command so we can send it once with block id 0x00 0x00 then read the full EEPROM at once without sending read command again. | ||
|- | |- | ||
| Check Status Command || 0xA9 0x00 0x00 0x00 || The response of this command is 0xFFFFFFFF if there is no error, or any other value if there is error happened or | | Check Status Command || 0xA9 0x00 0x00 0x00 || The response of this command is 0xFFFFFFFF if there is no error, or any other value if there is error happened or EEPROM still busy doing something. | ||
|} | |} | ||
= | = SC EEPROM dumps = | ||
* https://mega.co.nz/#!Bt8klAhQ!-t5YVetoL9gz6iZucpqQB9Vl9chCkbhFiMfqjbmotoc {{MD5|B0E0551116B718A4921757B2B074693F}} | * https://mega.co.nz/#!Bt8klAhQ!-t5YVetoL9gz6iZucpqQB9Vl9chCkbhFiMfqjbmotoc {{MD5|B0E0551116B718A4921757B2B074693F}} | ||
* https://mega.co.nz/#!B51wWJYA!zg8O-vCvRBOgK5mpzTQ1H2hgBZmykglmbksB5w1Mlfg {{MD5|3E0E73DACF7E10F2369624EA439C661B}} (partial: {{MD5|7E2BAD4DFDEE485494C8749B1C3E5676}} / {{MD5|05D9ED4B545C709C9C4564F047028DE8}}) | * https://mega.co.nz/#!B51wWJYA!zg8O-vCvRBOgK5mpzTQ1H2hgBZmykglmbksB5w1Mlfg {{MD5|3E0E73DACF7E10F2369624EA439C661B}} (partial: {{MD5|7E2BAD4DFDEE485494C8749B1C3E5676}} / {{MD5|05D9ED4B545C709C9C4564F047028DE8}}) | ||
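Review bot: keep the Your text wording of the Write and Read rows (explicit block id range 0x0000 to 0x3FFF, 32-byte / 16-block write limit), but fix "This command must be send first" to "must be sent first" and "if there is error happened or EEPROM still busy doing something" to "if an error occurred or the EEPROM is still busy". Since the Unlock row says it must precede Write and the Check Status row defines 0xFFFFFFFF as the no-error response, the table would be clearer with one sentence giving the intended sequence: Unlock, Write, then poll Check Status until it returns 0xFFFFFFFF before the next Write. Range check on the stated limits: the last block id 0x3FFF covers bytes 0x7FFE-0x7FFF, consistent with the 0x8000-byte part.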
Line 42: | Line 41: | ||
* https://mega.nz/#!iV0nGY4I!94ByAd-sourgK8_l_4s-6BX_V7iVOrysQd55bI0N6ws {{MD5|1DB1CAA8E3D54256A59D08B6AF2B9BC5}} (Dumped by Syscon EEPROM Flasher done by me "'''Abkarino'''" using Arduino Mega). | * https://mega.nz/#!iV0nGY4I!94ByAd-sourgK8_l_4s-6BX_V7iVOrysQd55bI0N6ws {{MD5|1DB1CAA8E3D54256A59D08B6AF2B9BC5}} (Dumped by Syscon EEPROM Flasher done by me "'''Abkarino'''" using Arduino Mega). | ||
* https://mega.nz/#!AwF1jIaB!5qei9JOCzisgUHARcjARCw0zvQENkkvtAdd_O0dRUfI DECR | * https://mega.nz/#!AwF1jIaB!5qei9JOCzisgUHARcjARCw0zvQENkkvtAdd_O0dRUfI DECR eeprom dump from lv2 um_manager, needs documentation. | ||
different consoles, same initial 16 bytes. maybe key/iv? | |||
= Important | =Important Offsets= | ||
== | == EEPROM Offset Table - Flags and Tokens == | ||
Here is the table of | Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15): | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
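Review bot: the single-column line "different consoles, same initial 16 bytes. maybe key/iv?" is the only observation attached to the DECR um_manager dump, and the Conclusion section later hypothesises per-console keys with an IV that starts at 00, so this line should stay with that dump entry rather than be lost in the merge; phrase it as the open question it is, e.g. "the first 16 bytes are identical across the consoles compared so far; key or IV material?". "DECR eeprom dump from lv2 um_manager, needs documentation" could at least say which EEPROM region the dump covers, since the mapping tables below are keyed by offset.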
Line 56: | Line 55: | ||
! Offset !! Size !! Description | ! Offset !! Size !! Description | ||
|- | |- | ||
| 0x02F00 || 8 || | | 0x02F00 || 8 || <s>Downgrade Minimum Version String</s> (Beware, info not correct!) | ||
|- | |- | ||
| 0x02F08 || | | 0x02F08 || 0x10 || <s>Downgrade Minimum Version Build + Date Build String</s> (Beware, info not correct!) | ||
|- | |- | ||
| 0x02F20 || 8 || | | 0x02F20 || 8 || <s>Build_target_id (Can be 0x83(CEX-ww), 0x82(DEX-ww), 0x81(DevelopmentTool) or 0xDEAD. Written during the <br>manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt)</s> (Beware, info not correct!) | ||
|- | |- | ||
| 0x02F28 || 0xD0 || Padding/undocumented | | 0x02F28 || 0xD0 || Padding/undocumented | ||
<pre> | <pre>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF xx xx | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF | xx xx xx FF FF xx xx xx xx xx xx xx xx xx xx xx | ||
xx xx 00 00 00 00 FF xx 00 xx xx FF FF FF FF FF | |||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | |||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF xx xx xx 00 00 | ||
FF FF FF FF FF FF FF FF FF FF FF | xx xx xx xx xx FF FF FF xx xx xx FF FF FF xx 00 </pre> | ||
</pre> | |||
|- | |- | ||
| 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails)) | | 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails)) | ||
|- | |- | ||
| 0x02FF9 || 0x7 || Padding/undocumented | | 0x02FF9 || 0x7 || Padding/undocumented | ||
<pre>00 00 00 | <pre>00 00 00 00 xx xx xx </pre> | ||
|- | |- | ||
|} | |} | ||
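Review bot: the 0x02F00, 0x02F08 and 0x02F20 rows keep struck-through descriptions plus "(Beware, info not correct!)"; a table that readers copy offsets from should either drop the wrong descriptions or state what is actually known, because a struck-through "Build_target_id" with example values 0x83/0x82/0x81 still gets quoted as fact. The padding dumps do check out: the Your text block at 0x02F28 is 13 rows × 16 bytes = 0xD0, matching the declared size, and the 0x02FF9 block is 7 bytes, so 0x2FF8 + 1 + 7 = 0x3000 lands exactly on the start of the 0x3000 area in the mapping tables. "Factory Bit" takes the values 0 to 3, so it is a byte (or at least a two-bit field) rather than a bit; "Factory flag" would be accurate.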
Line 124: | Line 121: | ||
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | | colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | ||
|- | |- | ||
| rowspan=" | | rowspan="21" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || load_image_in_rom flag (os_boot_order_flag) | ||
|- | |- | ||
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related) | | 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related) | ||
|- | |- | ||
| 0x48C02 || 1 || | | 0x48C02 || 1 || sys.dbgcard.dgbe / debug interface (select_net_device) (-1: Ethernet 2, 0: IFB, 1: CP, 2: SB UART, 3: CP ch4, 5: invalid <!-- used on retail consoles -->) | ||
|- | |- | ||
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | | 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | ||
|- | |- | ||
| 0x48C05 || 1 || update_flag for CEB | |||
| 0x48C05 || 1 || | |||
|- | |- | ||
| 0x48C06 || 1 || FSELF Control Flag / toggles release mode (fself_ctrl | | 0x48C06 || 1 || FSELF Control Flag / toggles release mode (fself_ctrl) | ||
|- | |- | ||
| 0x48C07 || 1 || | | 0x48C07 || 1 || Product Mode (UM allows to read this offset, it can be also written but only when already in product mode) | ||
|- | |- | ||
| 0x48C08 || 1 || lv0 | | 0x48C08 || 1 || lv0 related | ||
|- | |- | ||
| 0x48C09 || 1 || boot_fir_config ( | | 0x48C09 || 1 || boot_fir_config (if value&1==0 ->BE fault iso regs will be set 0, value&2==0 ->SB params will be set 0) | ||
|- | |- | ||
| 0x48C0A || 1 || QA Flag exist flag | | 0x48C0A || 1 || QA Flag exist flag | ||
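Review bot: 0x48C04 is missing from region 2 (the rows jump from 0x48C03 to 0x48C05) and 0x48C05 appears twice, once with "update_flag for CEB" and once with an empty description; merge the two into one 0x48C05 row and add a 0x48C04 row marked unknown so that all 0x20 bytes of the region are accounted for (the rowspan="21" matches the number of rows actually listed, so it needs bumping if a row is added). "Product Mode (UM allows to read this offset, it can be also written but only when already in product mode)" reads better as "Product Mode (UM allows reading this offset; writing is only allowed when already in product mode)". In the boot_fir_config row, "if value&1==0 ->BE fault iso regs will be set 0, value&2==0 ->SB params will be set 0" should be "if (value & 1) == 0 the BE fault iso regs are set to 0; if (value & 2) == 0 the SB params are set to 0".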
Line 156: | Line 143: | ||
| 0x48C0B || 1 || mode_auth_flag / gx enable | | 0x48C0B || 1 || mode_auth_flag / gx enable | ||
|- | |- | ||
| 0x48C0C || 1 || | | 0x48C0C || 1 || bootrom diagnostic mode and parameter (bootrom_diag) | ||
|- | |- | ||
| 0x48C0D || 1 || | | 0x48C0D || 1 || lv0ldr related | ||
|- | |- | ||
| 0x48C0E || 1 || XDR_Link_Init failure flag | | 0x48C0E || 1 || XDR_Link_Init failure flag | ||
Line 164: | Line 151: | ||
| 0x48C0F || 2 || cell os flags (loader parameter) | | 0x48C0F || 2 || cell os flags (loader parameter) | ||
|- | |- | ||
| 0x48C11 || 1 || bootrom trace level | | 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages) | ||
|- | |- | ||
| 0x48C12 || 1 || | | 0x48C12 || 1 || | ||
|- | |- | ||
| 0x48C13 || 1 || | | 0x48C13 || 1 || Device Type (flash_ext_format) | ||
|- | |- | ||
| 0x48C14 || 4 || cellos_spu_configure | | 0x48C14 || 4 || cellos_spu_configure | ||
|- | |- | ||
| 0x48C18 || 4 || | | 0x48C18 || 4 || System Language [[XRegistry.sys#Settings]] ( /setting/system/language ) | ||
|- | |- | ||
| 0x48C1C || 4 || | | 0x48C1C || 4 || VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?) | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | | colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | ||
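Review bot: the 0x48C12 row has an empty description in both columns; mark it "unknown" explicitly so it is not read as an extraction gap. The VSH Target row lists four values (0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 and the default 0x00000000) followed by "maybe QA,Debug,Retail,Kiosk?" without saying which label goes with which value; either give the mapping or drop the guessed labels. Offsets are consistent here: 0x48C0F (2 bytes) is followed by 0x48C11, and 0x48C1C + 4 = 0x48C20, i.e. the last row ends exactly at the region 2 end marker 0x48C1F.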
Line 216: | Line 193: | ||
| colspan="2" | 0x48C30 || 0x0D || (lv0 NVS region 4 start) | | colspan="2" | 0x48C30 || 0x0D || (lv0 NVS region 4 start) | ||
|- | |- | ||
| rowspan="3" | <abbr title="lv0 NVS region 4: 0x48C30-0x48C3C"><small>4</small></abbr> || 0x48C30 || 1 || | | rowspan="3" | <abbr title="lv0 NVS region 4: 0x48C30-0x48C3C"><small>4</small></abbr> || 0x48C30 || 1 || SPE limit Usally 0x06(default), can be set to 0x07 to enable the 8 SPE (restrict_spu) or can be set to 0xFF(unlimit) | ||
|- | |- | ||
| 0x48C31 || 4 || | | 0x48C31 || 4 || sata_param | ||
|- | |- | ||
| 0x48C35 || 8 || | | 0x48C35 || 8 || spr_tbuw_value (cellos_spu_configure) | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C3C || - || (lv0 NVS region 4 end) | | colspan="2" | 0x48C3C || - || (lv0 NVS region 4 end) | ||
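Review bot: typo in the SPE row, "Usally" should be "Usually", and "Bread board" style spacing aside the row should say what 0x07 does in plain words ("makes all 8 SPEs available" if that is what "enable the 8 SPE" means). Size check passes for region 4: 0x48C30 (1) + 0x48C31 (4) + 0x48C35 (8) = 13 = 0x0D bytes, ending at 0x48C3C inclusive, which matches the declared range in the abbr title.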
Line 230: | Line 207: | ||
| rowspan="8" | <abbr title="lv0 NVS region 5: 0x48C40-0x48C4F"><small>5</small></abbr> || 0x48C42 || 1 || HDD Copy Mode | | rowspan="8" | <abbr title="lv0 NVS region 5: 0x48C40-0x48C4F"><small>5</small></abbr> || 0x48C42 || 1 || HDD Copy Mode | ||
|- | |- | ||
| 0x48C43 || 4 || | | 0x48C43 || 4 || | ||
|- | |- | ||
| 0x48C47 || 1 || Analog Sunset Flag, will disable AACS video output without [[HDMI]] cable soon | | 0x48C47 || 1 || Analog Sunset Flag, will disable AACS video output without [[HDMI]] cable soon | ||
Line 240: | Line 217: | ||
| 0x48C61 || 1 || Recover Mode Flag | | 0x48C61 || 1 || Recover Mode Flag | ||
|- | |- | ||
| 0x48C62 || 8 || boot param | | 0x48C62 || 8 || boot param | ||
|- | |- | ||
| 0x48C6A || 2 || factory process completion | | 0x48C6A || 2 || factory process completion % | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | | colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | ||
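Review bot: the rows 0x48C61 (Recover Mode Flag), 0x48C62 (boot param, 8 bytes) and 0x48C6A (factory process completion) sit inside the region 5 rowspan, but region 5 is declared as 0x48C40-0x48C4F and its end-marker row comes after them; all three offsets lie outside that range, so either the bounds in the abbr title are wrong or these rows belong to a later region. The lv0 NVS regions listing further down the page is the place to cross-check before publishing. The "%" that the Your text column appends to "factory process completion" is the unit and should be kept.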
Line 372: | Line 337: | ||
| colspan="2" | 0x48D8E || 0x50 || mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth | | colspan="2" | 0x48D8E || 0x50 || mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth) | ||
|- | |- | ||
|} | |} | ||
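Review bot: keep the Your text version of the mode_auth_data row, which closes the parenthesis the other column leaves open. A cross-check that supports the row: qa_token is listed elsewhere on the page at 0x48D3E with size 0x50, and 0x48D3E + 0x50 = 0x48D8E, exactly where mode_auth_data starts, so the two 0x50-byte fields are adjacent in region 3 and the sizes are mutually consistent.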
Line 386: | Line 351: | ||
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | ||
== Undocumented | == Undocumented config == | ||
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | ||
<pre> | <pre> | ||
0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00 ÿ.ÿþÿ.ÿÿ.ûá..... | 0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00 ÿ.ÿþÿ.ÿÿ.ûá..... | ||
Line 439: | Line 373: | ||
</pre> | </pre> | ||
This is 0x48800 on EEPROM | |||
cech-c (NO BD Drive): http://pastie.org/private/grl0dc0dxajisa36chgm7w | |||
== lv0 SC EEPROM usage == | == lv0 SC EEPROM usage == | ||
<pre> | <pre> | ||
[*] lv0 NVS regions: | [*] lv0 NVS regions: | ||
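Review bot: the single-column line "This is 0x48800 on EEPROM" is the cross-reference that ties the 0x100-byte BlockID=1 response to the mapping table (Block ID 0x01 = 0x48800-0x488FF, Hypervisor Area, physical 0x7100), so it must survive the merge, and the pastie link for the cech-c (no BD drive) sample is the only record of that variant. Given that the mapping table already names the block, the intro sentence would be more accurate as "a request with BlockID=1, Offset=0, Size=0 returns the whole 0x100-byte block; its contents are undocumented" rather than calling the response itself unknown.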
Line 562: | Line 435: | ||
rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | ||
dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | ||
qa_token 0x48D3E 0x50 [0x50 token] | |||
UNKNOWN 0x48D20 0x08 [0x08 value] | UNKNOWN 0x48D20 0x08 [0x08 value] | ||
</pre> | </pre> | ||
== System Data | == System Data From EEPROM == | ||
Here is the list of possible | Here is the list of possible EEPROM offsets: | ||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! Index !! SC EEPROM | ! Index !! SC EEPROM Offset !! Size Of Data !! Description | ||
|- | |- | ||
| 0 || 0x48D20 || 6 ||? | | 0 || 0x48D20 || 6 ||? | ||
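Review bot: the single-column "qa_token 0x48D3E 0x50 [0x50 token]" line in the lv0 listing agrees with the Tokens table (sc_eeprom - 0x48D3E, 0x50) and should be kept, but the listing is otherwise ordered by offset, so it belongs after "UNKNOWN 0x48D20", not before it. Also, "UNKNOWN 0x48D20 0x08" overlaps index 0 of the System Data table, which gives 0x48D20 a size of 6; one of the two sizes needs checking, or the table should say that the 6-byte field sits inside an 8-byte slot.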
Line 587: | Line 454: | ||
|- | |- | ||
| 3 || 0x48D38 || 6 ||? | | 3 || 0x48D38 || 6 ||? | ||
|- | |||
| 4 || 0x48D00 || 4 ||? | |||
|- | |||
| 5 || 0x48D04 || 4 ||? | |||
|- | |||
| 6 || 0x48D08 || 4 ||? | |||
|} | |} | ||
== Dumpable | == Dumpable EEPROM Offset - Block ID and Block Offset Mapping Table (NVS Service) == | ||
Right now we only have read access to some portions of the | Right now we only have read access to some portions of the eeprom to have access to this regions DM needs to be patched, see section dumping eeprom | ||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! | ! EEPROM Offset !! Block ID !! Block Offset !! Description !! Physical Offset | ||
|- | |- | ||
| - || | | 0x48000 - 0x480FF || 0x00 || 0x48000 - 0x480FF || ? || 0x7000 | ||
|- | |- | ||
| | | 0x48800 - 0x488FF || 0x01 || 0x48800 - 0x488FF || Hypervisor Area || 0x7100 | ||
|- | |- | ||
| | | 0x48C00 - 0x48CFF || 0x02 || 0x48C00 - 0x48CFF || Contains flags and tokens/ see above || 0x7200 | ||
|- | |- | ||
| | | 0x48D00 - 0x48DFF || 0x03 || 0x48D00 - 0x48DFF || System Data Region || 0x7300 | ||
|- | |- | ||
| | | 0x2F00 - 0x2FFF || 0x10 || 0x2F00 - 0x2FFF || "Industry Area" aka OS Version Area || 0x2F00 | ||
|- | |- | ||
| | | 0x3000 - 0x30FF || 0x20 || 0x3000 - 0x30FF || "Costumer Service Area" || 0x3000 | ||
|- | |- | ||
| | | N/A || 0xFF || N/A || ? sys_boot_gos flag is there || No eeprom activity | ||
|- | |- | ||
| All other offsets || Invalid || Invalid || ? || | |||
| All other offsets || Invalid || Invalid || ? || | |||
|} | |} | ||
== Dumpable only with HW flasher | == Dumpable only with HW flasher EEPROM Offsets - Full Mapping Table (NAND Only) == | ||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! Physical Offset !! Description | ! Physical Offset !! Description | ||
|- | |- | ||
| | | 0x0-0xF || magic1? (static bytes) | ||
|- | |- | ||
| | | 0x10-0x29F || eEID1? (probably encrypted) | ||
|- | |- | ||
| | | 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used | ||
|- | |- | ||
| | | 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... | ||
|- | |- | ||
| | | 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used | ||
|- | |- | ||
| | | 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used | ||
|- | |- | ||
| | | 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used | ||
|- | |- | ||
| | | 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used | ||
|- | |- | ||
| | | 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used | ||
|- | |- | ||
| | | 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used | ||
|- | |- | ||
| | | 0x2F00-0x2FFF || Industry Area (nvs region 0x20) | ||
|- | |- | ||
| | | 0x3000-0x30FF || Costumer Service Area (nvs region 0x30) | ||
|- | |- | ||
| | | 0x7000-0x70FF || Bluray Drive Area ?? (nvs region 0) | ||
|- | |- | ||
| | | 0x7100-0x71FF || HyperVisor Area (nvs region 1) | ||
|- | |- | ||
| | | 0x7200-0x72FF || Token Area (nvs region 2) | ||
|- | |- | ||
| | | 0x7300-0x73FF || System Data Area (nvs region 3) | ||
|- | |- | ||
| | | 0x2700 - 0x270F || magic2? (static bytes) | ||
|- | |- | ||
| | | 0x2800 - 0x2BFF || Syscon Patch Content Top-Half | ||
|- | |- | ||
| 0x7400-0x7FFF | | 0x4400 - 0x4FFF OR 0x7400 - 0x7FFF || Syscon Patch Content Bottom-Half | ||
|- | |- | ||
| All other offsets || Unknown | |||
|} | |} | ||
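Review bot: several cross-table inconsistencies in this region. (1) The NVS-service mapping table gives Block ID 0x10 for 0x2F00 (Industry Area) and 0x20 for 0x3000 (Costumer Service Area), while the physical mapping table labels the same areas "nvs region 0x20" and "nvs region 0x30"; one numbering is off by 0x10, so the tables should agree or state which identifier each column means. (2) "Costumer Service Area" appears in both tables; the intended word is "Customer". (3) The "All other offsets || Invalid || Invalid || ?" row is present twice. (4) System Data rows 4, 5 and 6 (0x48D00, 0x48D04, 0x48D08, 4 bytes each) line up exactly with dgbe_config's ip_addr, ip_netmask and ip_gateway in the lv0 listing (0x48D00, 0x0C), so their "?" descriptions can be filled in from that listing. Minor: "Right now we only have read access to some portions of the eeprom to have access to this regions DM needs to be patched, see section dumping eeprom" needs a full stop after "eeprom" and "these regions".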
Line 709: | Line 538: | ||
=== Tests === | === Tests === | ||
* | * http://i.imgur.com/A8g00bD.png <- aes 128 cbc with fixed key and incremented iv (by 1 each time) | ||
* | * http://i.imgur.com/HZDWGSk.png <- results | ||
* | * http://i.imgur.com/2mtrtdm.png region 0 encrypted vs http://i.imgur.com/7bSdQni.png decrypted | ||
* | * http://i.imgur.com/FGJKkuz.png region 7 encrypted vs http://i.imgur.com/7TSeHWK.png decrypted | ||
=== Conclusion === | === Conclusion === | ||
* different key for a different authenticated region. | * different key for a different authenticated region. | ||
* | * sony uses either aes 128-cbc or aes 256-cbc (most likely 128-cbc) | ||
* | * sony does this weird cbc crypto in which they only decrypt portions of 0x10 bytes of the region, then increment or decrement (most likely increment) iv, and then decrypt again. i've decided to call it ctr-cbc | ||
* most likely the keys used are <strike>session</strike> perconsole keys. | * most likely the keys used are <strike>session</strike> perconsole keys. | ||
* most likely the iv used starts with 00, then gets incremented by 1 for each 0x10 bytes | * most likely the iv used starts with 00, then gets incremented by 1 for each 0x10 bytes | ||
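Review bot: the Conclusion's "ctr-cbc" should be spelled out so readers do not assume standard CTR mode. What the Tests bullet describes (AES-128-CBC over one 0x10-byte block at a time, IV incremented by 1 per block) reduces to decrypting each block on its own and XORing it with that block's IV, i.e. block-wise AES decryption whitened by a counter, whereas CTR mode encrypts the counter and XORs the result into the data. Stating that distinction makes the "decrypt portions of 0x10 bytes ... then increment iv" sentence precise. The two sections also disagree on certainty: the Tests bullet states "aes 128 cbc" and "incremented by 1" as the setup that produced the decrypted pictures, while the Conclusion hedges with "most likely 128-cbc" and "increment or decrement"; say which parts were actually verified by the test.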
Line 725: | Line 554: | ||
* Zer0Tolerance for the crypto findings | * Zer0Tolerance for the crypto findings | ||
* flatz for his awesome | * flatz for his awesome syscon tool | ||
= Dumping SC EEPROM = | =Dumping your SC EEPROM= | ||
== Linux == | ==Linux== | ||
First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts. | First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts. | ||
Patch DM using linux_hv_scripts | If you are ready. | ||
Patch DM using linux_hv_scripts | |||
<pre> | <pre> | ||
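Review bot: "First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts" should read "First you need graf_chokolo's kernel, ps3dm-utils and linux_hv_scripts"; the single-column "If you are ready." is a stray fragment and can go, and "Patch DM using linux_hv_scripts" should end with a colon since it introduces the command block.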
Line 739: | Line 570: | ||
</pre> | </pre> | ||
Read the data from the region you want for example (see tables above) | Read the data from the region you want for example (see tables above) | ||
<pre> | <pre> | ||
Line 745: | Line 576: | ||
</pre> | </pre> | ||
You can see some coolstuff containing dumps | You can see some coolstuff that containing dumps | ||
= Hashes = | =Hashes= | ||
Where exactly the hashes are stored is still a secret | Where exactly the hashes are stored is still a secret, it is said that those hashes are stored in SC EEPROM | ||
To retrieve the information about the packages you have installed you can also use ps3d_utils | To retrieve the information about the packages you have installed you can also use ps3d_utils | ||
== Linux == | ==Linux== | ||
=== Installed Package info === | ===Installed Package info=== | ||
<pre> | <pre> | ||
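Review bot: "You can see some coolstuff that containing dumps" should be "You can see some cool stuff containing dumps" (or name the dumps section it points at). "Where exactly the hashes are stored is still a secret, it is said that those hashes are stored in SC EEPROM" is a comma splice; split it, and "ps3d_utils" in the next sentence is the same tool called "ps3dm-utils" in the Dumping section, so use one spelling.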
Line 769: | Line 600: | ||
0003004100000000 | 0003004100000000 | ||
</pre> | </pre> | ||
get_pkg_info 2 - Revoke List for program | get_pkg_info 2 - Revoke List for program | ||
Line 775: | Line 606: | ||
0003004100000000 | 0003004100000000 | ||
</pre> | </pre> | ||
get_pkg_info 3 - Revoke list for package | get_pkg_info 3 - Revoke list for package | ||
<pre> | <pre> | ||
0002003000000000 | 0002003000000000 | ||
</pre> | </pre> | ||
get_pkg_info 4 | get_pkg_info 4 | ||
<pre> | <pre> | ||
deadbeaffacebabe | deadbeaffacebabe | ||
</pre> | </pre> | ||
get_pkg_info 5 | get_pkg_info 5 | ||
<pre> | <pre> | ||
deadbeaffacebabe | deadbeaffacebabe | ||
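Review bot: the get_pkg_info outputs are shown without interpretation, yet their shape is informative and the text could say so: 0003004100000000 reads as version 3.41, 0002003000000000 as 2.30 and 0003005000000000 (under "Firmware Package") as 3.50, while indices 4 and 5 return deadbeaffacebabe, which looks like a filler/unset marker rather than package data. Flagging that in the text would stop readers from treating the deadbeaffacebabe entries as real revocation or version values.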
Line 795: | Line 626: | ||
get_pkg_info 6 - Firmware Package | get_pkg_info 6 - Firmware Package | ||
<pre> | <pre> | ||
0003005000000000 | 0003005000000000 | ||
</pre> | </pre> | ||
You can find more information about this in [[Hypervisor Reverse Engineering]] | |||
What algorithm is used and what exactly is hashed is still unknown | |||
===Hashes=== | |||
What algorithm is used and what exactly is hashed is still unknown (seems that the content of files is hashed by the SHA-1). | |||
<pre> | <pre> | ||
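Review bot: the sentence "What algorithm is used and what exactly is hashed is still unknown" appears twice, once bare and once with "(seems that the content of files is hashed by the SHA-1)"; keep the one with the SHA-1 observation and drop the other, and note that a "=== Hashes ===" subsection directly under the "= Hashes =" top-level heading is redundant, so rename it (for example "=== Hash values ===") or merge it into the parent.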
Line 980: | Line 813: | ||
= Dumped data = | = Dumped data = | ||
Here is an example of data (partition 1) from syscon which stores VTRM block key, SRK/SRH, region data, etc. | |||
<br> | |||
Here is an example of data (partition 1) from syscon | |||
RETAIL TSOP: | RETAIL TSOP: | ||
<pre> | <pre> | ||
0x0000: 00 00 00 03 C0 00 00 FF 00 00 00 00 00 00 00 00 ................ <- version/mode | 0x0000: 00 00 00 03 C0 00 00 FF 00 00 00 00 00 00 00 00 ................ <- version/mode | ||
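Review bot: keep the longer intro "Here is an example of data (partition 1) from syscon which stores VTRM block key, SRK/SRH, region data, etc." since it is the only place those contents are named, and drop the stray "<br>" line above it. The "version/mode" annotation on the first row deserves a sentence: the RETAIL TSOP dump starts 00 00 00 03 C0 00 00 FF while both BGA dumps below start 00 00 00 02 c0 00 00 ff, so the fourth byte differs by package type in the three samples shown.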
Line 1,415: | Line 883: | ||
</pre> | </pre> | ||
PROTO BGA (DECR): | <br> PROTO BGA(DECR): | ||
<pre> | <pre> | ||
00000000: 00 00 00 02 c0 00 00 ff - 00 00 00 00 00 00 00 00 ........ ........ | 00000000: 00 00 00 02 c0 00 00 ff - 00 00 00 00 00 00 00 00 ........ ........ | ||
00000010: eb 49 35 4a c3 26 51 7a - 1e 88 c9 5d 52 03 f1 54 .I5J..Qz ....R..T | 00000010: eb 49 35 4a c3 26 51 7a - 1e 88 c9 5d 52 03 f1 54 .I5J..Qz ....R..T | ||
Line 1,550: | Line 1,019: | ||
000003f0: af 77 6c ab 06 08 d8 c9 - 91 2f f3 8d 45 fd df 39 .wl..... ....E..9 | 000003f0: af 77 6c ab 06 08 d8 c9 - 91 2f f3 8d 45 fd df 39 .wl..... ....E..9 | ||
</pre> | </pre> | ||
<br> | |||
RETAIL BGA: | RETAIL BGA: | ||
<pre> | <pre> | ||
00000000: 00 00 00 02 c0 00 00 ff - 00 00 00 00 00 00 00 00 ........ ........ | 00000000: 00 00 00 02 c0 00 00 ff - 00 00 00 00 00 00 00 00 ........ ........ | ||
00000010: 37 24 90 70 31 f5 64 48 - 12 7c a5 bc 37 6f 26 8d 7..p1.dH ....7o.. | 00000010: 37 24 90 70 31 f5 64 48 - 12 7c a5 bc 37 6f 26 8d 7..p1.dH ....7o.. | ||
Line 1,622: | Line 1,094: | ||
== More samples == | == More samples == | ||
* | * https://dl.dropboxusercontent.com/u/35197530/bin/eeprom.bin | ||
= Tokens = | =Tokens= | ||
Here | Here we will document the different types off tokens known in the PS3 | ||
All tokens are tied? encrypted? using EID0. | |||
All tokens are tied | They enable additional repository nodes. | ||
==List== | |||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
|- | |- | ||
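Review bot: "the different types off tokens" should be "the different types of tokens", and the two openers "All tokens are tied? encrypted? using EID0." and "All tokens are tied" plus "They enable additional repository nodes." need to be reconciled into one statement that keeps the question marks, since the Structure section below admits the tokens have not been decrypted and the description is based on debug strings only.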
Line 1,640: | Line 1,109: | ||
| qa_token || sc_eeprom - 0x48D3E || 0x50 || spu_token_processor.self || | | qa_token || sc_eeprom - 0x48D3E || 0x50 || spu_token_processor.self || | ||
|- | |- | ||
| user_token || | | user_token || ? || ? || spu_utoken_processor.self || Encrypted/Signed | ||
|- | |- | ||
| token_seed || | | token_seed || ? || ? || ? || This is used to create the token with EID0 | ||
|} | |} | ||
== | ==Token Seed== | ||
Unencrypted form of QA-token | |||
== | ==Structure== | ||
This section has to be corrected, is only based on debug strings, we need to decrypt the tokens | |||
===Token Seed=== | |||
=== Token Seed === | |||
? | ? | ||
=== QA Token === | ===QA Token=== | ||
===User Token=== | |||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
|- | |- | ||
! | ! Address !! Size !! Description | ||
|- | |- | ||
| ? || ? || m_magic | | ? || ? || m_magic | ||
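Review bot: the heading sequence in the Structure section is broken: "Token Seed" appears twice in a row ("===Token Seed===" and "=== Token Seed ===") with only "?" under it, and "===User Token===" follows "===QA Token===" with nothing in between, so it is unclear whether the m_magic/m_size/... table belongs to the QA token or the user token. Keep one Token Seed heading, and either put the table under one token heading or retitle it "Token structure (common)" if it applies to both. "Token Seed: Unencrypted form of QA-token" and the List table's "token_seed ... This is used to create the token with EID0" are two different claims about the same item; state both as hypotheses or pick one.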
Line 1,704: | Line 1,142: | ||
| ? || ? || m_size | | ? || ? || m_size | ||
|- | |- | ||
| ? || ? || | | ? || ? || m_capability | ||
|- | |- | ||
| ? || ? || m_expire_date | | ? || ? || m_expire_date | ||
|- | |- | ||
| ? || ? || | | ? || ? || m_idps? | ||
|- | |- | ||
| ? || ? || m_attribute | | ? || ? || m_attribute | ||
Line 1,715: | Line 1,153: | ||
|} | |} | ||
For every | For every atribute in the token | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
|- | |- | ||
! | ! Address !! Size !! Description | ||
|- | |- | ||
| ? || ? || attr:m_type | | ? || ? || attr:m_type | ||
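Review bot: "For every atribute in the token" should be "For every attribute in the token" and, as the lead-in to a table, end with a colon. Both structure tables have "?" in every Address and Size cell, so a one-line note that the field names come from debug strings (as the section intro says) and that no offsets are known yet would be clearer than a table of question marks.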
Line 1,732: | Line 1,170: | ||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- | |- | ||
! style="background-color:red | ! style="background-color:red;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span> | ||
|- | |- | ||
| <span style="white; color:red | | style="background-color:white;" | <span style="white; color:red; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures. | ||
|} | |} | ||
== Bus Pirate 3 Solderless method == | == Bus Pirate 3 Solderless method == | ||
=== | === You need === | ||
1) PS3 motherboard with BGA syscon chip (COK001, COK002, SEM001, DIA001, etc) | 1) PS3 motherboard with BGA syscon chip (COK001, COK002, SEM001, DIA001, etc) | ||
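Review bot: the warning box markup is malformed: the table declares border="1" and border="#999" (duplicate attribute), "background-color:lightred" is not a CSS colour, and the cell's span style "white; color:red; ..." is missing the property name before "white" (presumably "background-color:white"). Fix the styles or replace the box with the wiki's standard warning template so it renders the same everywhere.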
Line 1,755: | Line 1,191: | ||
=== Hardware Part === | === Hardware Part === | ||
Find the | Find the syscon on your PS3 motherboard. | ||
[[File:CXR713120 on SEM-001.JPG|thumbnail|none]] | [[File:CXR713120 on SEM-001.JPG|thumbnail|none]] | ||
Look at the | Look at the EEPROM Pins location and Draw serifs on the upper surface of the chip, strictly on these pins using pencil. | ||
[[File:CXR713120_EEPROM_PINS.JPG||thumbnail|none]] | [[File:CXR713120_EEPROM_PINS.JPG||thumbnail|none]] | ||
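Review bot: "Draw serifs on the upper surface of the chip, strictly on these pins using pencil" should be "Draw marks on the upper surface of the chip, exactly above these pins, with a pencil", and the file link has a doubled pipe ("[[File:CXR713120_EEPROM_PINS.JPG||thumbnail|none]]") that should be a single one.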
Line 1,767: | Line 1,203: | ||
[[File:Bus-Pirate-3 with Wires.jpg|thumbnail|none]] | [[File:Bus-Pirate-3 with Wires.jpg|thumbnail|none]] | ||
Connect Bus-Pirate to the | Connect Bus-Pirate to the EEPROM Pins using the folowing table: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Bus Pirate pin !! | ! Bus Pirate pin !! EEPROM pin | ||
|- | |- | ||
| CLK || SKB | | CLK || SKB | ||
Line 1,784: | Line 1,220: | ||
| GND || Any Ground Point | | GND || Any Ground Point | ||
|} | |} | ||
Use 1 finger to hold the wires. The wires should be well connected with the eeprom pins. | |||
Use | |||
[[File:CXR713120 EEPROM FingerTrick.JPG|thumbnail|none]] | [[File:CXR713120 EEPROM FingerTrick.JPG|thumbnail|none]] | ||
Connect Bus-Pirate to you PC with Windows7 by USB. | |||
Connect Bus-Pirate to | |||
=== Software Part === | === Software Part === | ||
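Review bot: "Connect Bus-Pirate to the EEPROM Pins using the folowing table" should be "following", "Use 1 finger to hold the wires. The wires should be well connected with the eeprom pins." reads better as "Hold the wires in place with one finger; they must make firm contact with the EEPROM pins.", and "Connect Bus-Pirate to you PC with Windows7 by USB" should be "to your PC (Windows 7) by USB". The pin table in this hunk is partly elided in the comparison; check that it agrees with the second method's table on which pins are tied to 3V3, because the two tables currently differ on that row.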
Line 1,803: | Line 1,237: | ||
Download and Run Syscon Flasher.exe | Download and Run Syscon Flasher.exe | ||
Download link: https://www.sendspace.com/file/ | Download link: https://www.sendspace.com/file/7jq6ka | ||
MD5=D59A8AA9E7BB1AEB753D7C6391CE17B1 | MD5=D59A8AA9E7BB1AEB753D7C6391CE17B1 | ||
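Review bot: the flasher is a Windows executable served from a file host and verified only by MD5; MD5 is not collision-resistant, so add a SHA-256 alongside it and, if the author is willing, a link to the source, since readers run this binary on the PC that then drives the Bus Pirate against the console. Keep the Your text column's full sendspace URL; the other column's link is truncated.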
Line 1,817: | Line 1,251: | ||
3) Press "Power on" button. If done correctly, then "VREG" Led on the Bus Pirate will be Red. | 3) Press "Power on" button. If done correctly, then "VREG" Led on the Bus Pirate will be Red. | ||
4) Press "Browse" button and specify location and file name for your | 4) Press "Browse" button and specify location and file name for your syscon eeprom dump. | ||
5) Specify Offset and Length. Offset=0 Length=0x8000 for full dump | 5) Specify Offset and Length. Offset=0 Length=0x8000 for full dump the eeprom. | ||
6) Press "Fast Read" button and wait about 15sec. | 6) Press "Fast Read" button and wait about 15sec. | ||
Enjoy: | |||
My dump, for example: | My dump, for example: | ||
https://mega.co.nz/#!E1kHgSZJ!4e7TdNLdkQQzinwlnRO2KmaBd0GeBliHuHFe2tkmBgQ | |||
== Bus Pirate 3 method by: ([[User_talk:Zer0Tolerance|Zer0Tolerance]]) == | == Bus Pirate 3 method by: ([[User_talk:Zer0Tolerance|Zer0Tolerance]]) == | ||
=== | === You need === | ||
1) PS3 motherboard. I am using '''DIA-001'''. may be we can dump it from another boards, but it is unknown yet. | |||
1) PS3 motherboard. I am using '''DIA-001'''. | |||
2) Device that can work with SPI interface and send any commands. I am using a Bus Pirate v3.6 with connectors. | 2) Device that can work with SPI interface and send any commands. I am using a Bus Pirate v3.6 with connectors. | ||
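Review bot: step 5 "Offset=0 Length=0x8000 for full dump the eeprom" should read "Offset=0, Length=0x8000 for a full dump of the EEPROM" (consistent with the 0x8000-byte size stated at the top of the page), the stray "Enjoy:" line can go, and in the Zer0Tolerance "You need" list "may be we can dump it from another boards, but it is unknown yet" should be "maybe it can be dumped from other boards, but that is unknown yet".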
Line 1,845: | Line 1,280: | ||
=== Preparation === | === Preparation === | ||
Find the test points on the motherboard using | Find the test points on the motherboard using this picture. | ||
[[File:DIA-001 SysCon EPROM Interface.png|thumbnail|none]] | [[File:DIA-001 SysCon EPROM Interface.png|thumbnail|none]] | ||
All points are covered with varnish. You need to carefully remove the varnish to the copper and solder the wires to it. | All points are covered with varnish. You need to carefully remove the varnish to the copper and solder the wires to it. | ||
Line 1,869: | Line 1,299: | ||
| MISO || DO | | MISO || DO | ||
|- | |- | ||
| 3V3 || RBB | | 3V3 || WCB, RBB | ||
|- | |- | ||
| GND || | | GND || Any Ground Point | ||
|} | |} | ||
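Review bot: the Your text column adds WCB to the 3V3 row ("WCB, RBB") where the other column has only RBB; this is exactly the wiring detail a reader copies, so the published table must say which is correct for the DIA-001 test points, and the first method's table should be brought into agreement. "Plug your Bus pirate to the USB port on your PC using mini_USB_to_USB cable" should be "Plug your Bus Pirate into a USB port on your PC using a mini-USB to USB cable".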
Make sure that the battery is attached to the motherboard. | Make sure that the battery is attached to the motherboard. | ||
Plug your Bus | Plug your Bus pirate to the USB port on your PC using mini_USB_to_USB cable. (I am using the cable from the ps3 gamepad) | ||
It should be done like this, see the following picture: | |||
[[File:Dumping SC EEPROM using Bus Pirate v3.6.JPG|thumbnail|none]] | [[File:Dumping SC EEPROM using Bus Pirate v3.6.JPG|thumbnail|none]] | ||
=== Setup software === | === Setup software === | ||
1) Install the driver for the Bus Pirate and setup your virtual COM port for it using | 1) Install the driver for the Bus Pirate and setup your virtual COM port for it using following table: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
Line 1,917: | Line 1,347: | ||
Now click Open button and setup mode for bus pirate using following commands: | Now click Open button and setup mode for bus pirate using following commands: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
Line 1,951: | Line 1,380: | ||
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format. | You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format. | ||
<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full | <small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full EEPROM is 32768 bytes lenght (0x8000), [r:] are syntax command of the Bus Pirate for start, read byte and end</small> | ||
== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) == | == Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) == | ||
I had build my own Syscon EEPROM flasher based on open source hardware "'''Arduino Mega'''" and some resistors. | I had build my own Syscon EEPROM flasher based on open source hardware "'''Arduino Mega'''" and some resistors. | ||
This flasher will allow you fully read/write to your Syscon EEPROM (FAT consoles only till now). | |||
=== You need === | |||
1) PS3 motherboard. I had used '''SEM-0001''' board by desoldering Syscon chip form it but you can use, '''DIA-001''' for example without desoldering Syscon chip since all eeprom pins had a test points in the board it self. | |||
=== | |||
1) PS3 motherboard. I had used '''SEM-0001''' board by desoldering Syscon chip form it but you can use, '''DIA-001''' for example without desoldering Syscon chip since all | |||
2) Arduino Mega or any Arduino board. | 2) Arduino Mega or any Arduino board. | ||
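Review bot: in the small-print line, "lenght" should be "length", and "[r:] are syntax command of the Bus Pirate for start, read byte and end" should spell out the Bus Pirate bus syntax it refers to: "[" asserts chip select (start), "r" reads one byte (with ":N" repeating it N times) and "]" releases chip select (end). In the Arduino section, "I had build my own Syscon EEPROM flasher" should be "I built my own Syscon EEPROM flasher", "will allow you fully read/write" should be "will allow you to fully read/write", and "by desoldering Syscon chip form it" should be "from it".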
Line 1,969: | Line 1,396: | ||
4) Soldering station. | 4) Soldering station. | ||
5) Wires & Bread board ( | 5) Wires & Bread board (Optional). | ||
6) Any PC that have terminal software like Putty, RealTerm and so on to access serial port, and any Hex Editor like HxD. | 6) Any PC that have terminal software like Putty, RealTerm and so on to access serial port, and any Hex Editor like HxD. | ||
Line 1,977: | Line 1,404: | ||
Find the test points on the motherboard using this picture. | Find the test points on the motherboard using this picture. | ||
[[File:DIA-001 SysCon EPROM Interface.png|thumbnail|none]] | [[File:DIA-001 SysCon EPROM Interface.png|thumbnail|none]] | ||
Or if you have a very good soldering skills and tools to desolder your SysCon then you can desolder your SysCon and solder your wires to it directly. | |||
Or if you have very good soldering skills and tools to desolder your SysCon then you can desolder your SysCon and solder your wires to it directly. | |||
All points are covered with varnish. You need to carefully remove the varnish to the copper and solder the wires to it. | All points are covered with varnish. You need to carefully remove the varnish to the copper and solder the wires to it. | ||
Line 2,020: | Line 1,446: | ||
=== Arduino Sketch Source Code === | === Arduino Sketch Source Code === | ||
Here is my Arduino Mega sketch source code to allow you to read/write/erase PS3 Syscon EEPROM. | |||
http://pastie.org/10004682#8,19 | |||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | {{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> |
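Review bot: the "=== Arduino Sketch Source Code ===" heading is empty in one column; the single-column lines "Here is my Arduino Mega sketch source code to allow you to read/write/erase PS3 Syscon EEPROM." and the pastie link are the only copy of the flasher source referenced on the page and must be kept under that heading. Earlier in the duplicated "Preparation" text, "if you have a very good soldering skills" should be "if you have very good soldering skills", and the sentence appears in both columns with that one-word difference only.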