Editing SC EEPROM


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 8: Line 8:


= Information =
= Information =
*On [[Mullion]] syscons '''the EEPROM "pins" are exposed externally''' so we can capture the EEPROM traffic by attaching devices like Logic Analyzers, Protocol Analyzers, etc...
**On [[Syscon CXR713 Series]] the EEPROM consists of '''0x4000''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x8000''' bytes ('''32KB''').
**On [[Syscon CXR714 Series]] the EEPROM consists of '''0x2800''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x5000''' bytes ('''20KB''').
*On [[Sherwood]] syscons '''the EEPROM is virtualized inside FLASH menory''', so there is not physical access to the EEPROM.
**On [[Syscon SW Series]], [[Syscon SW2 Series]] and [[Syscon SW3 Series]] the virtual EEPROM consists of '''0x4000''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x8000''' bytes ('''32KB''').


SC EEPROM on FAT PS3 is a custom/proprietary EEPROM chip that uses non standard commands to read/write from EEPROM.


Dont confuse the SPI block access (using blocks of 2 bytes leght) with the '''"Block ID"''' used by the '''SERV_NVS''' [[SC_Communication#Syscon_Services|Syscon Service]]
Sony has exposed FAT Syscon EEPROM chip legs out of Syscon, so we have a physical access to it and we could attach devices like "'''Logic Analyzer'''", "'''Protocol Analyzer'''", "'''Custom made MCU boards'''" to capture traffic between console and Syscon EEPROM.
 
On FAT PS3, Syscon EEPROM consists of 0x4000 blocks, and every block consists of 2 bytes of data. So the total Syscon EEPROM size is 0x8000 bytes.
 
And since the pin-out of Syscon chip for Slim and Super Slim PS3 is not known til now, we cannot be sure if the Syscon EEPROM pins are exposed outside or not so we can access it like in FAT PS3 without handling Syscon itself.


== SPI Commands ==
== SPI Commands ==
Syscon EEPROM uses a standard SPI protocol with proprietary commands as following:
 
FAT PS3 Syscon EEPROM used a standard SPI protocol with proprietary commands as following:


{| class="wikitable"
{| class="wikitable"
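Review bot: the "Your text" paragraph beginning "On FAT PS3, Syscon EEPROM consists of 0x4000 blocks" gives a single size of 0x8000 bytes for every FAT console, while the "Latest revision" side lists the Syscon CXR714 Series at 0x2800 blocks (0x5000 bytes, 20KB). If the undo is published, carry the per-series sizes into the restored paragraph instead of the single figure.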
Line 26: Line 27:
| Unlock Command || 0xA3 0x00 0x00 || This command must be send first before write command.
| Unlock Command || 0xA3 0x00 0x00 || This command must be send first before write command.
|-
|-
| Write Command || 0xA4 0xXX 0xXX || XX XX is a block to be written (in the range 0x0000 up to 0x3FFF for [[Syscon CXR713 Series]], or 0x0000 up to 0x27FF for [[Syscon CXR714 Series]])<br>The maximum data to be written in one command cycle is 32 byte length (16 blocks).
| Write Command || 0xA4 0xXX 0xXX || XX XX is a block id to be written (value 0x0000 to 0x3FFF), the maximum data to be written in one command cycle is 32 byte length (16 blocks).
|-
|-
| Read Command || 0xA8 0xXX 0xXX || XX XX is a block to be read (in the range 0x0000 up to 0x3FFF for [[Syscon CXR713 Series]], or range 0x0000 up to 0x27FF for [[Syscon CXR714 Series]])<br>There is no maximum limit for read command so we can send it once with block 0x00 0x00 then read the full SC EEPROM at once without sending read command again.
| Read Command || 0xA8 0xXX 0xXX || XX XX is a block id to be read (value 0x0000 to 0x3FFF), there is no maximum limit for read command so we can send it once with block id 0x00 0x00 then read the full SC EEPROM at once without sending read command again.
|-
|-
| Check Status Command || 0xA9 0x00 0x00 0x00 || The response of this command is 0xFFFFFFFF if there is no error, or any other value if there is error happened or SC EEPROM still busy doing something.
| Check Status Command || 0xA9 0x00 0x00 0x00 || The response of this command is 0xFFFFFFFF if there is no error, or any other value if there is error happened or SC EEPROM still busy doing something.
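Review bot: in the Write Command and Read Command rows, the "Your text" side bounds the block id at 0x0000 to 0x3FFF only and drops the 0x0000 to 0x27FF range that the "Latest revision" side gives for the Syscon CXR714 Series. Keep both ranges in the restored rows. Separately, the Unlock Command row reads "must be send first" on both sides and should read "must be sent first".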
Line 58: Line 59:
| 0x02F00 || 8 || Manufacturing Update Release Version String
| 0x02F00 || 8 || Manufacturing Update Release Version String
|-
|-
| 0x02F08 || 0x18 || Manufacturing Update Build Version + Build Date String
| 0x02F08 || 0x10 || Manufacturing Update Build Version + Build Date String
|-
|-
| 0x02F20 || 8 || Manufacturing Update Build Target ID (Can be 0x83(CEX-ww), 0x82(DEX-ww), 0x81(DevelopmentTool) or 0xDEAD. Written during the <br>manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt)
| 0x02F20 || 8 || Manufacturing Update Build Target ID (Can be 0x83(CEX-ww), 0x82(DEX-ww), 0x81(DevelopmentTool) or 0xDEAD. Written during the <br>manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt)
|-
|-
| 0x02F28 || 0xD0 || Padding/undocumented (the sample below is from motherboard REX-001(eMMC), syscon SW3-304)
| 0x02F28 || 0xD0 || Padding/undocumented
<pre>
<pre>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF xx xx
FF FF FF FF FF FF FF FF FF FF FF FF FF FF D4 63
xx xx xx FF FF xx xx xx xx xx xx xx xx xx xx xx
4F 4C 95 5E 01 31 04 BA 7C 93 41 23 52 48 B0 E0
xx xx 00 00 00 00 FF xx 00 xx xx FF FF FF FF FF  
3E 02 10 00 00 00 FF 04 00 01 02 FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF xx xx xx 00 00  
FF FF FF FF FF FF FF FF FF FF FF 32 49 31 34 00
xx xx xx xx xx FF FF FF xx xx xx FF FF FF xx 00 </pre>
32 32 1D 26 26 FF FF FF 1D 26 26 FF FF FF 80 00
</pre>
|-
|-
| 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails))
| 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails))
|-
|-
| 0x02FF9 || 0x7 || Padding/undocumented
| 0x02FF9 || 0x7 || Padding/undocumented
<pre>00 00 00 01 01 01 00 </pre>
<pre>00 00 00 00 xx xx xx </pre>
|-
|-
|}
|}
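Review bot: in the 0x02F08 row, the "Your text" side sets the size to 0x10, which ends the field at 0x02F17 and leaves 0x02F18 to 0x02F1F undescribed before the 0x02F20 row. The "Latest revision" size of 0x18 makes the two rows contiguous, so keep 0x18 or add a row for the 8 bytes in between.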
Line 124: Line 123:
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start)  
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start)  
|-
|-
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag)
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag), 0 = network 1st, 1 = flash 1st)
0 = network 1st
1 = flash 1st
|-
|-
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related)  
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related)  
|-
|-
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device)
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) (-1: Ethernet 2, 0: IFB, 1: CP, 2: SB UART, 3: CP ch4, 5: invalid <!-- used on retail consoles -->))
-1: Ethernet 2
  0: IFB
  1: CP
  2: SB UART
  3: CP ch4
  5: Disabled (default)
|-
|-
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device)  
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device)  
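Review bot: in the 0x48C02 row, the "Your text" side labels value 5 as "invalid" and puts "used on retail consoles" in an HTML comment that readers will not see, while the "Latest revision" side says "5: Disabled (default)". Settle on one description of value 5 and keep it in the visible text.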
Line 164: Line 155:
| 0x48C0F || 2 || cell os flags (loader parameter)
| 0x48C0F || 2 || cell os flags (loader parameter)
|-
|-
| 0x48C11 || 1 || bootrom trace level
| 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages)
0x00: fatal errors
0x01: errors
0x02: information messages
0x03: debug messages
0xFF: ? (default)
|-
|-
| 0x48C12 || 1 || ?
| 0x48C12 || 1 || ?
Line 177: Line 163:
| 0x48C14 || 4 || cellos_spu_configure
| 0x48C14 || 4 || cellos_spu_configure
|-
|-
| 0x48C18 || 4 || Safe Mode System Language. Using the [[Languages|language codes]]. See also [[XRegistry.sys#Settings|XRegistry.sys/setting/system/language]]
| 0x48C18 || 4 || Safe Mode System Language [[XRegistry.sys#Settings]] ( /setting/system/language )
|-
|-
| 0x48C1C || 4 || Safe Mode VSH Target (maybe QA,Debug,Retail,Kiosk?). See [[Promo_flags.txt]] and [[VSH_Exports#vshmain|GetReleaseTarget]] vsh export
| 0x48C1C || 4 || Safe Mode VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?)
0x00000000 = ? (default)
0x00000001 = ?
0x00000005 = dtcpipdevdex (can't update to any firmware, except dtcpipdevdex firmware)
0xFFFFFFFF = ?
0xFFFFFFFE = ?
|-{{cellcolors|lightgrey}}
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end)
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end)
Line 240: Line 221:
| 0x48C61 || 1 || Recover Mode Flag
| 0x48C61 || 1 || Recover Mode Flag
|-
|-
| 0x48C62 || 8 || boot param. Accessed by [[LV2_Functions_and_Syscalls|syscalls 404]] ?. See also [[Factory_Service_Mode#Game_OS|this]]
| 0x48C62 || 8 || boot param
|-
|-
| 0x48C6A || 2 || factory process completion (bitflags ?). Accessed by [[LV2_Functions_and_Syscalls|syscalls 405, 406, 407]] ?. See also [[Factory_Service_Mode#Game_OS|this]]
| 0x48C6A || 2 || factory process completion %
Usually FFFF, but also:
00E2 - CokC12, SEM-001, CXR713120-203GB
00EA - CokD10, DIA-001, CXR714120-301GB
00E6 - CokE10, DIA-002, CXR714120-302GB
00EA - CokF10, VER-001, SW-301
00AA - CokG11, DYN-001, SW2-301
00BE - CokH11, SUR-001, SW2-302
00B2 - CokJ13, JTP-001, SW2-303 & CokK10, KTE-001, SW3-301
00B0 - CokM20, MSX-001, SW3-302 & CokM30, MPX-001, SW3-302 & CokN10, NPX-001, SW3-302 & CokP10, PQX-001, SW3-304 & CokR40, REX-001, SW3-304
00F0 - CokD10, DIA-001, CXR714120-304GB Refurb 40nm RSX
01FE - Cok14, COK-001, CXR714120-304GB Refurb 40nm RSX
|-{{cellcolors|lightgrey}}
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end)
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end)
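Review bot: the unchanged closing row gives "(lv0 NVS region 5 end)" at 0x48C4F, which is lower than the 0x48C61, 0x48C62 and 0x48C6A rows listed just above it. Check the end offset of this region before publishing either version. Note also that the "Your text" side describes 0x48C6A as "factory process completion %" and drops the per-board values listed on the "Latest revision" side.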
Line 386: Line 355:
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)


== Undocumented region ==
== Undocumented config ==
This is 0x48800 on SC EEPROM, or at 0x7100 (mullions with 32KB EEPROM used), or at 0x4100 (mullions with 20KB EEPROM used), or at 0x1100 (sherwoods)
 
Accessed by [[Hypervisor_Reverse_Engineering | Hypervisor Service ID 32]] '''REQUEST_SYSTEM_EVENT_LOG''' ?, and [[LV2_Functions_and_Syscalls| syscall 395]] '''sys_sm_request_system_event_log''' ?


There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0.
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0.
Sometimes the whole region is filled with FF's (empty, never used, or erased), it seems this procedure can be used to reset it
It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty (filled with FF's)
Sample (CokH11, SUR-001, SW2-302)
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001100  FF 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001110  16 0E F0 35 00 00 E1 18 00 04 53 00 0C 00 00 00  ..ð5..á...S.....
00001120  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001130  00 00 00 00 00 00 00 00 18 F1 6F 68 00 00 E1 18  .........ñoh..á.
00001140  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
00001150  00 00 00 00 55 55 55 55 00 00 00 00 00 00 00 00  ....UUUU........
00001160  18 F1 6F C7 00 00 E1 18 00 04 53 00 0C 00 00 00  .ñoÇ..á...S.....
00001170  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001180  00 00 00 00 00 00 00 00 18 FF EE 91 00 00 E1 18  .........ÿî‘..á.
00001190  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
000011A0  00 00 00 00 71 75 F4 75 00 00 00 00 00 00 00 00  ....quôu........
000011B0  1A 21 73 52 00 00 E1 18 00 04 53 00 0C 00 00 00  .!sR..á...S.....
000011C0  00 00 00 00 00 00 00 00 00 00 00 00 50 75 55 51  ............PuUQ
000011D0  00 00 00 00 00 00 00 00 16 0E EF D5 00 00 E1 18  ..........ïÕ..á.
000011E0  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
000011F0  00 00 00 00 55 55 55 55 00 00 00 00 00 00 00 00  ....UUUU........
</pre>
Sample with 2 slots used
<pre>
<pre>
0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00  ÿ.ÿþÿ.ÿÿ.ûá.....  
0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00  ÿ.ÿþÿ.ÿÿ.ûá.....  
Line 439: Line 377:
</pre>
</pre>


Sample with only 1 slot used (CokP10, PQX-001nor, SW3-304)
This is 0x48800 on SC EEPROM.
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001100  FF 01 FF FF 0D FF FF FF 27 B5 4D 75 FF FF FF FF  ÿ.ÿÿ.ÿÿÿ'µMuÿÿÿÿ
00001110  1E 61 CF 07 00 00 E1 18 00 03 02 00 0C 03 00 00  .aÏ...á.........
00001120  A8 00 00 2D DC 40 00 00 00 20 00 00 3E AA A8 28  ¨..-Ü@... ..>ª¨(
00001130  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
00001140  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001150  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001160  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001170  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001180  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001190  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011B0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000011F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
</pre>
 
The structure of an slot seems to be: 0x4 (timestamp) + 0x2 (unknown, always 0000) + 0x1 (unknown, always 0xE1 or 0xE2) + 0x1 (Data Size ?, usually 0x18) + 0x4 (Data Type ?) + 0x1C (data, included padding)
*The timestamp follows the same format than the timestamps of the [[Syscon_Error_Codes#Error_log_format|Syscon Error Codes]], in some syscon models the lowest value posible for this timestamps seems to be 0x0B488680 (2005/12/31 00:00:00)
 
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  0B 74 08 2F 00 00 E1 18 00 03 15 00 0C 03 00 00  .t./..á.........
00001120  A8 00 00 18 32 E2 00 00 00 80 00 00 FF FF FF FF  ¨...2â...€..ÿÿÿÿ
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  1F AC E5 B0 00 00 E1 18 00 03 02 00 0C 03 00 00  .¬å°..á.........
00001120  A8 00 00 15 8A 20 00 00 00 40 00 00 AA AA AA AA  ¨...Š ...@..ªªªª
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  1D 59 29 DB 00 00 E2 18 01 51 40 25 40 01 03 00  .Y)Û..â..Q@%@...
00001120  00 00 00 01 08 E5 00 13 00 C7 00 00 00 00 00 00  .....å...Ç......
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  16 0E F0 35 00 00 E1 18 00 04 53 00 0C 00 00 00  ..ð5..á...S.....
00001120  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F


00007110  0B 48 86 7D 00 00 E1 18 53 54 52 3A 50 41 54 41  .H†}..á.STR:PATA
cech-c (NO BD Drive): [http://pastie.org/private/grl0dc0dxajisa36chgm7w dead link]
00007120  43 30 3A 43 61 62 6C 65 20 4E 6F 74 20 43 6F 6E  C0:Cable Not Con
00007130  6E 65 63 74 00 00 00 00                          nect....
</pre>
 
*Notes
**See the timestamp of the last sample with value 0B48867D, very close to 0B488680 (2005/12/31 00:00:00)


== lv0 SC EEPROM usage ==
== lv0 SC EEPROM usage ==
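Review bot: the "Your text" side restores the line "cech-c (NO BD Drive)" whose only content is a pastie.org link that the text itself labels "dead link". Drop that line rather than bringing it back. The restored sentence "This is 0x48800 on SC EEPROM." also loses the 0x7100, 0x4100 and 0x1100 dump offsets given on the "Latest revision" side.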
Line 562: Line 440:
rsx.rdcy.7          0x48CB8 0x08 [0x08 value]
rsx.rdcy.7          0x48CB8 0x08 [0x08 value]
dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
qa_token            0x48D3E 0x50 [0x50 token]
UNKNOWN              0x48D20 0x08 [0x08 value]
UNKNOWN              0x48D20 0x08 [0x08 value]
qa_token            0x48D3E 0x50 [0x50 token]
</pre>
</pre>


Line 573: Line 451:
|-
|-
! Index !! SC EEPROM offset !! Data size !! Description
! Index !! SC EEPROM offset !! Data size !! Description
|-
| 4 || 0x48D00 || 4 ||?
|-
| 5 || 0x48D04 || 4 ||?
|-
| 6 || 0x48D08 || 4 ||?
|-
|-
| 0 || 0x48D20 || 6 ||?
| 0 || 0x48D20 || 6 ||?
Line 587: Line 459:
|-
|-
| 3 || 0x48D38 || 6 ||?
| 3 || 0x48D38 || 6 ||?
|-
| 4 || 0x48D00 || 4 ||?
|-
| 5 || 0x48D04 || 4 ||?
|-
| 6 || 0x48D08 || 4 ||?
|}
|}


Line 617: Line 495:


== Dumpable only with HW flasher SC EEPROM Offsets - Full Mapping Table (NAND only) ==
== Dumpable only with HW flasher SC EEPROM Offsets - Full Mapping Table (NAND only) ==
*Sample from a [[CECHGxx]] with [[SEM-001]] motherboard


{|class="wikitable"
{|class="wikitable"
Line 625: Line 502:
| 0x0-0xF || magic0 (static bytes) || <pre>99D9662BB3D761546B9C3F9ED140EDB0</pre>
| 0x0-0xF || magic0 (static bytes) || <pre>99D9662BB3D761546B9C3F9ED140EDB0</pre>
|-
|-
| 0x10-0x28F || eEID1 (probably encrypted) ||
| 0x10-0x28F(0x280) || eEID1 (probably encrypted) ||
|-
|-
| 0x290-0x4FF || Unknown ||
| 0x290-0x4FF(0x270) || Unknown ||
|-  
|-  
| 0x500-0x55F || magic1 (static bytes)
| 0x500-0x55F || magic1(static bytes) ||
| <pre>E01B01CF9C7FBC7D79D670086DAF497F
9BD3A5D5178DDE1D825344AE398113DD
FF525D8BF4422CC76B13AA47FA2CC369
83A720CD45D18FB3D4112888187E3040
702B91D8E6ACEEC4B801315F357E1EE3
2DA1081408D72C41AFC1B61AE7C9882D</pre>
|-
|-
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used ||
|-
|-
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... ||
|-
|-
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used ||
|-
|-
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used ||
|-
|-
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used ||
|-
|-
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used ||
|-
|-
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used ||
|-
|-
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used ||
|-
|-
| 0x2560-0x25FF || FF Region ||
| 0x2560-0x26AF || FF Region ||
|-
|-
| 0x2600-0x26AF || FF Region || rowspan="6" | System Info
| 0x26B0-(0x26CF/0x26EF) || Unknown (0x20 byte on TMU, 0x40 byte on retail boards) ||  
|-
|-
| 0x26B0-0x26CF || Unknown, encrypted ?
| 0x26F0-0x26FF || FF Region ||  
|-
|-
| 0x26D0-0x26EF || Unknown, encrypted ? (filled with FF's on TMU)
| 0x2700 - 0x270F || magic2 (static bytes) (does not exist in TMU dump) || <pre>857C4DE5BFAFD6A4A361CB5BFDD72D26</pre>
|-
|-
| 0x26F0-0x26FF || FF Region
| 0x2710-0x27FF || FF Region ||
|-
|-
| 0x2700-0x270F || magic2 (static bytes) (does not exist in TMU dump) <pre>857C4DE5BFAFD6A4A361CB5BFDD72D26</pre>
| 0x2800 - 0x2BFF || Syscon Patch Content Top-Half ||
|-
|-
| 0x2710-0x27FF || FF Region
| 0x2C00 - 0x2EFF || FF Region ||
|-
|-
| 0x2800-0x2BFF || Syscon Patch Content Top-Half ||
| 0x2F00-0x2FFF || Industry Area  (nvs region 0x20) ||
|-
| 0x2C00-0x2EFF || FF Region ||
|-
|-
| 0x2F00-0x2FFF || Industry Area (nvs region 0x20) ||
| 0x3000-0x30FF || Costumer Service Area (nvs region 0x30) ||
|-
|-
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) ||
| 0x3100-0x31FF || Special Region #0 ||
|-
|-
| 0x3100-0x31FF || Special Region #0 || Platform Config ([[Platform_ID]]<small>(hex)</small> at relative offset 0xE
| 0x3200-0x32FF || Special Region #1 ||
|-
|-
| 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config
| 0x3300-0x33FF || Special Region #2 || 3JMPRW
|-
|-
| 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal Configs|Thermal Config]]
| 0x3400-0x34FF || Special Region #3 || 3JMPRW
|-
|-
| 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal Configs|Thermal Config]]
| 0x3500-0x35FF || Special Region #4 || .....z
|-
|-
| 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time
| 0x3600-0x36FF || Special Region #5 || ...,.z
|-
|-
| 0x3600-0x36FF || Special Region #5 || On/Off Count, On-time
| 0x3700-0x370F / 0x3700-0x37FF || Serial Num (DECR only) / Special Region #6 || 2M010001207K / 2D@ 40@ 
|-
|-
| 0x3700-0x37FF || Special Region #6 [[Syscon Error Codes|Errorlog]] (retail PS3 models) ...or... Serial Num (DECR only) || 2M010001207K / 2D@ 40@ 
| 0x3710 - 0x37FF || FF Region (DECR only) ||
|-
|-
| 0x3800-0x38FF || FF Region ...or... [[Syscon Error Codes|Errorlog]] (DECR only) ||  
| 0x3800-0x38FF || FF Region ||  
|-
|-
| 0x5000-0x6FFF || FF Region ||
| 0x7000-0x70FF OR 0x4000-0x40FF || Bluray Drive Area ?? (nvs region 0) ||
|-
|-
| 0x7000-0x70FF ...or... 0x4000-0x40FF || Bluray Drive Area ?? (nvs region 0) || rowspan="4" | System Software Config
| 0x7100-0x71FF OR 0x4100-0x41FF || HyperVisor Area (nvs region 1) ||
|-
|-
| 0x7100-0x71FF ...or... 0x4100-0x41FF || HyperVisor Area (nvs region 1)
| 0x7200-0x72FF OR 0x4200-0x42FF || Token Area (nvs region 2) ||
|-
|-
| 0x7200-0x72FF ...or... 0x4200-0x42FF || Token Area (nvs region 2)
| 0x7300-0x73FF OR 0x4300-0x43FF || System Data Area (nvs region 3) ||
|-
|-
| 0x7300-0x73FF ...or... 0x4300-0x43FF || System Data Area (nvs region 3)
| 0x7400 - 0x7FFF OR 0x4400 - 0x4FFF || Syscon Patch Content Bottom-Half ||
|-
|-
| 0x7400-0x7FFF ...or... 0x4400-0x4FFF || Syscon Patch Content Bottom-Half ||  
| 0x5000-0x6FFF || FF Region ||
|-
|-
|}
|}
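Review bot: the "Your text" side of the mapping table spells the 0x3000-0x30FF row "Costumer Service Area" and places the 0x5000-0x6FFF row after the 0x7400-0x7FFF row, so the table is no longer in ascending offset order. Use "Customer Service Area" and move the 0x5000-0x6FFF row up. The offset column also mixes "0x2700 - 0x270F" and "0x2710-0x27FF" spacing and should use one form.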
Line 709: Line 578:
=== Tests ===
=== Tests ===


* [https://www.psdevwiki.com/ps3/File:A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)]
* [http://i.imgur.com/A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)]
* [https://www.psdevwiki.com/ps3/File:HZDWGSk.png results]
* [http://i.imgur.com/HZDWGSk.png results]
* [https://www.psdevwiki.com/ps3/File:2mtrtdm.png region 0 encrypted] vs [https://www.psdevwiki.com/ps3/File:7bSdQni.png decrypted]
* [http://i.imgur.com/2mtrtdm.png region 0 encrypted] vs [http://i.imgur.com/7bSdQni.png decrypted]
* [https://www.psdevwiki.com/ps3/File:FGJKkuz.png region 7 encrypted] vs [https://www.psdevwiki.com/ps3/File:7TSeHWK.png decrypted]
* [http://i.imgur.com/FGJKkuz.png region 7 encrypted] vs [http://i.imgur.com/7TSeHWK.png decrypted]


=== Conclusion ===
=== Conclusion ===
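Review bot: the four bullets on the "Your text" side point at external images over plain http (http://i.imgur.com/...), while the "Latest revision" side links the copies hosted on the wiki over https. Keep the wiki-hosted File: links so the test evidence does not depend on a third-party host.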
Line 1,651: Line 1,520:
=== User Token ===
=== User Token ===


Used to test a usermode application.
Used to test a userland application.


=== Token Seed ===
=== Token Seed ===
Line 1,671: Line 1,540:
=== User Token ===
=== User Token ===


<syntaxhighlight lang="C">
<source lang="C">
struct user_token_attr {
struct user_token_attr {
     uint32_t type; // usually 1, 0 for last attribute
     uint32_t type; // usually 1, 0 for last attribute
Line 1,692: Line 1,561:
     uint8_t digest[0x14]; // certainly SHA-1
     uint8_t digest[0x14]; // certainly SHA-1
}
}
</syntaxhighlight>
</source>


{| class="wikitable FCK__ShowTableBorders"
{| class="wikitable FCK__ShowTableBorders"
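Review bot: the "Your text" side replaces the syntaxhighlight tags with source lang="C" and its closing tag, which MediaWiki's SyntaxHighlight extension treats as deprecated. Keep the syntaxhighlight pair from the "Latest revision" side. In both versions the struct ends with a bare "}" after the digest member and needs a trailing ";" to be valid C.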
Line 1,732: Line 1,601:
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
|-
|-
! style="background-color:red!important;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
! style="background-color:red;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
|-
|-
| <span style="white; color:red!important; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures.  
| style="background-color:white;" | <span style="white; color:red; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures.  
|}
|}


Line 1,951: Line 1,820:
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format.
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format.


<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes length (0x8000),  [r:] are syntax command of the Bus Pirate for start, read byte and end</small>
<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes lenght (0x8000),  [r:] are syntax command of the Bus Pirate for start, read byte and end</small>


== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) ==  
== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) ==  
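Review bot: the small note on the "Your text" side reintroduces the misspelling "32768 bytes lenght", which the "Latest revision" side has as "length". Keep the corrected spelling. The note also still states the full size as 0x8000 only, with no mention of the smaller EEPROM documented elsewhere in this comparison.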