Editing SC EEPROM
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 8: | Line 8: | ||
= Information = | = Information = | ||
*On [[Mullion]] syscons '''the EEPROM "pins" are exposed externally''' so we can | *On [[Mullion]] syscons '''the EEPROM "pins" are exposed externally''' so we can attach devices like Logic Analyzers, Protocol Analyzers, etc... to capture the EEPROM traffic. | ||
**On [[Syscon CXR713 Series]] the EEPROM consists of '''0x4000''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x8000''' bytes ('''32KB'''). | **On [[Syscon CXR713 Series]] the EEPROM consists of '''0x4000''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x8000''' bytes ('''32KB'''). | ||
**On [[Syscon CXR714 Series]] the EEPROM consists of '''0x2800''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x5000''' bytes ('''20KB'''). | **On [[Syscon CXR714 Series]] the EEPROM consists of '''0x2800''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x5000''' bytes ('''20KB'''). | ||
*On [[Sherwood]] syscons '''the EEPROM is virtualized inside FLASH menory''', so there is not physical access to the EEPROM. | *On [[Sherwood]] syscons '''the EEPROM is virtualized inside FLASH menory''', so there is not physical access to the EEPROM. | ||
**On [[Syscon SW | **On [[Syscon SW Series]] the virtual EEPROM consists of '''0x4000''' blocks, every block contains 2 bytes of data, so the total EEPROM size is '''0x8000''' bytes ('''32KB'''). | ||
== SPI Commands == | == SPI Commands == | ||
Line 26: | Line 23: | ||
| Unlock Command || 0xA3 0x00 0x00 || This command must be send first before write command. | | Unlock Command || 0xA3 0x00 0x00 || This command must be send first before write command. | ||
|- | |- | ||
| Write Command || 0xA4 0xXX 0xXX || XX XX is a block to be written ( | | Write Command || 0xA4 0xXX 0xXX || XX XX is a block to be written (value 0x0000 to 0x3FFF)<br>The maximum data to be written in one command cycle is 32 byte length (16 blocks). | ||
|- | |- | ||
| Read Command || 0xA8 0xXX 0xXX || XX XX is a block to be read ( | | Read Command || 0xA8 0xXX 0xXX || XX XX is a block to be read (value 0x0000 to 0x3FFF)<br>There is no maximum limit for read command so we can send it once with block 0x00 0x00 then read the full SC EEPROM at once without sending read command again. | ||
|- | |- | ||
| Check Status Command || 0xA9 0x00 0x00 0x00 || The response of this command is 0xFFFFFFFF if there is no error, or any other value if there is error happened or SC EEPROM still busy doing something. | | Check Status Command || 0xA9 0x00 0x00 0x00 || The response of this command is 0xFFFFFFFF if there is no error, or any other value if there is error happened or SC EEPROM still busy doing something. | ||
Line 58: | Line 55: | ||
| 0x02F00 || 8 || Manufacturing Update Release Version String | | 0x02F00 || 8 || Manufacturing Update Release Version String | ||
|- | |- | ||
| 0x02F08 || | | 0x02F08 || 0x10<!--typo here ?--> || Manufacturing Update Build Version + Build Date String | ||
|- | |- | ||
| 0x02F20 || 8 || Manufacturing Update Build Target ID (Can be 0x83(CEX-ww), 0x82(DEX-ww), 0x81(DevelopmentTool) or 0xDEAD. Written during the <br>manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt) | | 0x02F20<!--or here ?--> || 8 || Manufacturing Update Build Target ID (Can be 0x83(CEX-ww), 0x82(DEX-ww), 0x81(DevelopmentTool) or 0xDEAD. Written during the <br>manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt) | ||
|- | |- | ||
| 0x02F28 || 0xD0 || Padding/undocumented | | 0x02F28 || 0xD0 || Padding/undocumented | ||
<pre> | <pre>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF xx xx | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF | xx xx xx FF FF xx xx xx xx xx xx xx xx xx xx xx | ||
xx xx 00 00 00 00 FF xx 00 xx xx FF FF FF FF FF | |||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | |||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ||
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | FF FF FF FF FF FF FF FF FF FF FF xx xx xx 00 00 | ||
FF FF FF FF FF FF FF FF FF FF FF | xx xx xx xx xx FF FF FF xx xx xx FF FF FF xx 00 </pre> | ||
</pre> | |||
|- | |- | ||
| 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails)) | | 0x02FF8 || 1 || Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails)) | ||
|- | |- | ||
| 0x02FF9 || 0x7 || Padding/undocumented | | 0x02FF9 || 0x7 || Padding/undocumented | ||
<pre>00 00 00 | <pre>00 00 00 00 xx xx xx </pre> | ||
|- | |- | ||
|} | |} | ||
Line 124: | Line 119: | ||
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | | colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | ||
|- | |- | ||
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag) | | rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag), 0 = network 1st, 1 = flash 1st) | ||
|- | |- | ||
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related) | | 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related) | ||
|- | |- | ||
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) | | 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) (-1: Ethernet 2, 0: IFB, 1: CP, 2: SB UART, 3: CP ch4, 5: invalid <!-- used on retail consoles -->)) | ||
|- | |- | ||
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | | 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | ||
Line 164: | Line 151: | ||
| 0x48C0F || 2 || cell os flags (loader parameter) | | 0x48C0F || 2 || cell os flags (loader parameter) | ||
|- | |- | ||
| 0x48C11 || 1 || bootrom trace level | | 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages) | ||
|- | |- | ||
| 0x48C12 || 1 || ? | | 0x48C12 || 1 || ? | ||
Line 177: | Line 159: | ||
| 0x48C14 || 4 || cellos_spu_configure | | 0x48C14 || 4 || cellos_spu_configure | ||
|- | |- | ||
| 0x48C18 || 4 || Safe Mode System Language | | 0x48C18 || 4 || Safe Mode System Language [[XRegistry.sys#Settings]] ( /setting/system/language ) | ||
|- | |- | ||
| 0x48C1C || 4 || Safe Mode VSH Target (maybe QA,Debug,Retail,Kiosk?) | | 0x48C1C || 4 || Safe Mode VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?) | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | | colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | ||
Line 240: | Line 217: | ||
| 0x48C61 || 1 || Recover Mode Flag | | 0x48C61 || 1 || Recover Mode Flag | ||
|- | |- | ||
| 0x48C62 || 8 || boot param | | 0x48C62 || 8 || boot param | ||
|- | |- | ||
| 0x48C6A || 2 || factory process completion | | 0x48C6A || 2 || factory process completion % | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | | colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | ||
Line 386: | Line 351: | ||
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | ||
== Undocumented | == Undocumented config == | ||
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | ||
<pre> | <pre> | ||
0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00 ÿ.ÿþÿ.ÿÿ.ûá..... | 0000h: FF 02 FF FE FF 02 FF FF 19 FB E1 16 00 00 00 00 ÿ.ÿþÿ.ÿÿ.ûá..... | ||
Line 439: | Line 373: | ||
</pre> | </pre> | ||
This is 0x48800 on SC EEPROM. | |||
cech-c (NO BD Drive): [http://pastie.org/private/grl0dc0dxajisa36chgm7w dead link] | |||
== lv0 SC EEPROM usage == | == lv0 SC EEPROM usage == | ||
Line 562: | Line 436: | ||
rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | ||
dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | ||
qa_token 0x48D3E 0x50 [0x50 token] | |||
UNKNOWN 0x48D20 0x08 [0x08 value] | UNKNOWN 0x48D20 0x08 [0x08 value] | ||
</pre> | </pre> | ||
Line 573: | Line 447: | ||
|- | |- | ||
! Index !! SC EEPROM offset !! Data size !! Description | ! Index !! SC EEPROM offset !! Data size !! Description | ||
|- | |- | ||
| 0 || 0x48D20 || 6 ||? | | 0 || 0x48D20 || 6 ||? | ||
Line 587: | Line 455: | ||
|- | |- | ||
| 3 || 0x48D38 || 6 ||? | | 3 || 0x48D38 || 6 ||? | ||
|- | |||
| 4 || 0x48D00 || 4 ||? | |||
|- | |||
| 5 || 0x48D04 || 4 ||? | |||
|- | |||
| 6 || 0x48D08 || 4 ||? | |||
|} | |} | ||
Line 617: | Line 491: | ||
== Dumpable only with HW flasher SC EEPROM Offsets - Full Mapping Table (NAND only) == | == Dumpable only with HW flasher SC EEPROM Offsets - Full Mapping Table (NAND only) == | ||
{|class="wikitable" | {|class="wikitable" | ||
Line 625: | Line 498: | ||
| 0x0-0xF || magic0 (static bytes) || <pre>99D9662BB3D761546B9C3F9ED140EDB0</pre> | | 0x0-0xF || magic0 (static bytes) || <pre>99D9662BB3D761546B9C3F9ED140EDB0</pre> | ||
|- | |- | ||
| 0x10-0x28F || eEID1 (probably encrypted) || | | 0x10-0x28F(0x280) || eEID1 (probably encrypted) || | ||
|- | |- | ||
| 0x290-0x4FF || Unknown || | | 0x290-0x4FF(0x270) || Unknown || | ||
|- | |- | ||
| 0x500-0x55F || magic1 (static bytes) | | 0x500-0x55F || magic1(static bytes) || | ||
| | |||
| | |||
|- | |- | ||
| | | 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || | ||
|- | |- | ||
| | | 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || | ||
|- | |- | ||
| | | 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || | ||
|- | |- | ||
| | | 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || | ||
|- | |- | ||
| | | 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || | ||
|- | |- | ||
| | | 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || | ||
|- | |- | ||
| | | 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || | ||
|- | |- | ||
| | | 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || | ||
|- | |- | ||
| | | 0x2560-0x26AF || FF Region || | ||
|- | |- | ||
| | | 0x26B0-(0x26CF/0x26EF) || Unknown (0x20 byte on TMU, 0x40 byte on retail boards) || | ||
|- | |- | ||
| 0x26F0-0x26FF || FF Region | | 0x26F0-0x26FF || FF Region || | ||
|- | |- | ||
| 0x2700-0x270F || magic2 (static bytes) (does not exist in TMU dump) <pre>857C4DE5BFAFD6A4A361CB5BFDD72D26</pre> | | 0x2700 - 0x270F || magic2 (static bytes) (does not exist in TMU dump) || <pre>857C4DE5BFAFD6A4A361CB5BFDD72D26</pre> | ||
|- | |- | ||
| 0x2710-0x27FF || FF Region | | 0x2710-0x27FF || FF Region || | ||
|- | |- | ||
| 0x2800-0x2BFF || Syscon Patch Content Top-Half || | | 0x2800 - 0x2BFF || Syscon Patch Content Top-Half || | ||
|- | |- | ||
| 0x2C00-0x2EFF || FF Region || | | 0x2C00 - 0x2EFF || FF Region || | ||
|- | |- | ||
| 0x2F00-0x2FFF || Industry Area (nvs region 0x20) || | | 0x2F00-0x2FFF || Industry Area (nvs region 0x20) || | ||
Line 675: | Line 538: | ||
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) || | | 0x3000-0x30FF || Customer Service Area (nvs region 0x30) || | ||
|- | |- | ||
| 0x3100-0x31FF || Special Region #0 || | | 0x3100-0x31FF || Special Region #0 || | ||
|- | |||
| 0x3200-0x32FF || Special Region #1 || | |||
|- | |- | ||
| | | 0x3300-0x33FF || Special Region #2 || 3JMPRW | ||
|- | |- | ||
| | | 0x3400-0x34FF || Special Region #3 || 3JMPRW | ||
|- | |- | ||
| | | 0x3500-0x35FF || Special Region #4 || .....z | ||
|- | |- | ||
| | | 0x3600-0x36FF || Special Region #5 || ...,.z | ||
|- | |- | ||
| | | 0x3700-0x370F / 0x3700-0x37FF || Serial Num (DECR only) / Special Region #6 || 2M010001207K / 2D@ 40@ | ||
|- | |- | ||
| | | 0x3710 - 0x37FF || FF Region (DECR only) || | ||
|- | |- | ||
| 0x3800-0x38FF || FF Region | | 0x3800-0x38FF || FF Region || | ||
|- | |- | ||
| | | 0x7000-0x70FF OR 0x4000-0x40FF || Bluray Drive Area ?? (nvs region 0) || | ||
|- | |- | ||
| | | 0x7100-0x71FF OR 0x4100-0x41FF || HyperVisor Area (nvs region 1) || | ||
|- | |- | ||
| | | 0x7200-0x72FF OR 0x4200-0x42FF || Token Area (nvs region 2) || | ||
|- | |- | ||
| | | 0x7300-0x73FF OR 0x4300-0x43FF || System Data Area (nvs region 3) || | ||
|- | |- | ||
| | | 0x7400 - 0x7FFF OR 0x4400 - 0x4FFF || Syscon Patch Content Bottom-Half || | ||
|- | |- | ||
| | | 0x5000-0x6FFF || FF Region || | ||
|- | |- | ||
|} | |} | ||
Line 709: | Line 574: | ||
=== Tests === | === Tests === | ||
* [ | * [http://i.imgur.com/A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)] | ||
* [ | * [http://i.imgur.com/HZDWGSk.png results] | ||
* [ | * [http://i.imgur.com/2mtrtdm.png region 0 encrypted] vs [http://i.imgur.com/7bSdQni.png decrypted] | ||
* [ | * [http://i.imgur.com/FGJKkuz.png region 7 encrypted] vs [http://i.imgur.com/7TSeHWK.png decrypted] | ||
=== Conclusion === | === Conclusion === | ||
Line 1,651: | Line 1,516: | ||
=== User Token === | === User Token === | ||
Used to test a | Used to test a userland application. | ||
=== Token Seed === | === Token Seed === | ||
Line 1,671: | Line 1,536: | ||
=== User Token === | === User Token === | ||
< | <source lang="C"> | ||
struct user_token_attr { | struct user_token_attr { | ||
uint32_t type; // usually 1, 0 for last attribute | uint32_t type; // usually 1, 0 for last attribute | ||
Line 1,692: | Line 1,557: | ||
uint8_t digest[0x14]; // certainly SHA-1 | uint8_t digest[0x14]; // certainly SHA-1 | ||
} | } | ||
</ | </source> | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 1,732: | Line 1,597: | ||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- | |- | ||
! style="background-color:red | ! style="background-color:red;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span> | ||
|- | |- | ||
| <span style="white; color:red | | style="background-color:white;" | <span style="white; color:red; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures. | ||
|} | |} | ||
Line 1,951: | Line 1,816: | ||
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format. | You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format. | ||
<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes | <small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes lenght (0x8000), [r:] are syntax command of the Bus Pirate for start, read byte and end</small> | ||
== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) == | == Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) == |