Editing SC EEPROM
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 124: | Line 124: | ||
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | | colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | ||
|- | |- | ||
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag) | | rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag), 0 = network 1st, 1 = flash 1st) | ||
|- | |- | ||
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related) | | 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related) | ||
|- | |- | ||
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) | | 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) (-1: Ethernet 2, 0: IFB, 1: CP, 2: SB UART, 3: CP ch4, 5: invalid <!-- used on retail consoles -->)) | ||
|- | |- | ||
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | | 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | ||
Line 164: | Line 156: | ||
| 0x48C0F || 2 || cell os flags (loader parameter) | | 0x48C0F || 2 || cell os flags (loader parameter) | ||
|- | |- | ||
| 0x48C11 || 1 || bootrom trace level | | 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages) | ||
|- | |- | ||
| 0x48C12 || 1 || ? | | 0x48C12 || 1 || ? | ||
Line 177: | Line 164: | ||
| 0x48C14 || 4 || cellos_spu_configure | | 0x48C14 || 4 || cellos_spu_configure | ||
|- | |- | ||
| 0x48C18 || 4 || Safe Mode System Language | | 0x48C18 || 4 || Safe Mode System Language [[XRegistry.sys#Settings]] ( /setting/system/language ) | ||
|- | |- | ||
| 0x48C1C || 4 || Safe Mode VSH Target (maybe QA,Debug,Retail,Kiosk?) | | 0x48C1C || 4 || Safe Mode VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?) | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | | colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | ||
Line 240: | Line 222: | ||
| 0x48C61 || 1 || Recover Mode Flag | | 0x48C61 || 1 || Recover Mode Flag | ||
|- | |- | ||
| 0x48C62 || 8 || boot param | | 0x48C62 || 8 || boot param | ||
|- | |- | ||
| 0x48C6A || 2 || factory process completion | | 0x48C6A || 2 || factory process completion % | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | | colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | ||
Line 386: | Line 356: | ||
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | ||
== Undocumented | == Undocumented config == | ||
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | ||
It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty | |||
It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty | |||
Sample with 2 slots used | Sample with 2 slots used | ||
Line 461: | Line 403: | ||
</pre> | </pre> | ||
This is 0x48800 on SC EEPROM. | |||
cech-c (NO BD Drive): [http://pastie.org/private/grl0dc0dxajisa36chgm7w dead link] | |||
== lv0 SC EEPROM usage == | == lv0 SC EEPROM usage == | ||
Line 562: | Line 466: | ||
rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | ||
dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | ||
qa_token 0x48D3E 0x50 [0x50 token] | |||
UNKNOWN 0x48D20 0x08 [0x08 value] | UNKNOWN 0x48D20 0x08 [0x08 value] | ||
</pre> | </pre> | ||
Line 573: | Line 477: | ||
|- | |- | ||
! Index !! SC EEPROM offset !! Data size !! Description | ! Index !! SC EEPROM offset !! Data size !! Description | ||
|- | |- | ||
| 0 || 0x48D20 || 6 ||? | | 0 || 0x48D20 || 6 ||? | ||
Line 587: | Line 485: | ||
|- | |- | ||
| 3 || 0x48D38 || 6 ||? | | 3 || 0x48D38 || 6 ||? | ||
|- | |||
| 4 || 0x48D00 || 4 ||? | |||
|- | |||
| 5 || 0x48D04 || 4 ||? | |||
|- | |||
| 6 || 0x48D08 || 4 ||? | |||
|} | |} | ||
Line 629: | Line 533: | ||
| 0x290-0x4FF || Unknown || | | 0x290-0x4FF || Unknown || | ||
|- | |- | ||
| 0x500-0x55F || magic1 (static bytes) | | 0x500-0x55F || magic1(static bytes) || | ||
| | |||
|- | |- | ||
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || | | 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || | ||
|- | |- | ||
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || | | 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || | ||
|- | |- | ||
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || | | 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || | ||
|- | |- | ||
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || | | 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || | ||
|- | |- | ||
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || | | 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || | ||
|- | |- | ||
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || | | 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || | ||
|- | |- | ||
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || | | 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || | ||
|- | |- | ||
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || | | 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || | ||
|- | |- | ||
| 0x2560-0x25FF || FF Region || | | 0x2560-0x25FF || FF Region || | ||
Line 675: | Line 573: | ||
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) || | | 0x3000-0x30FF || Customer Service Area (nvs region 0x30) || | ||
|- | |- | ||
| 0x3100-0x31FF || Special Region #0 || Platform Config | | 0x3100-0x31FF || Special Region #0 || Platform Config | ||
|- | |- | ||
| 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config | | 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config | ||
|- | |- | ||
| 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal | | 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal Config|Thermal Config]] | ||
|- | |- | ||
| 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal | | 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal Config|Thermal Config]] | ||
|- | |- | ||
| 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time | | 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time | ||
Line 709: | Line 607: | ||
=== Tests === | === Tests === | ||
* [ | * [http://i.imgur.com/A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)] | ||
* [ | * [http://i.imgur.com/HZDWGSk.png results] | ||
* [ | * [http://i.imgur.com/2mtrtdm.png region 0 encrypted] vs [http://i.imgur.com/7bSdQni.png decrypted] | ||
* [ | * [http://i.imgur.com/FGJKkuz.png region 7 encrypted] vs [http://i.imgur.com/7TSeHWK.png decrypted] | ||
=== Conclusion === | === Conclusion === | ||
Line 1,651: | Line 1,549: | ||
=== User Token === | === User Token === | ||
Used to test a | Used to test a userland application. | ||
=== Token Seed === | === Token Seed === | ||
Line 1,671: | Line 1,569: | ||
=== User Token === | === User Token === | ||
< | <source lang="C"> | ||
struct user_token_attr { | struct user_token_attr { | ||
uint32_t type; // usually 1, 0 for last attribute | uint32_t type; // usually 1, 0 for last attribute | ||
Line 1,692: | Line 1,590: | ||
uint8_t digest[0x14]; // certainly SHA-1 | uint8_t digest[0x14]; // certainly SHA-1 | ||
} | } | ||
</ | </source> | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 1,732: | Line 1,630: | ||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- | |- | ||
! style="background-color:red | ! style="background-color:red;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span> | ||
|- | |- | ||
| <span style="white; color:red | | style="background-color:white;" | <span style="white; color:red; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures. | ||
|} | |} | ||
Line 1,951: | Line 1,849: | ||
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format. | You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format. | ||
<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes | <small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes lenght (0x8000), [r:] are syntax command of the Bus Pirate for start, read byte and end</small> | ||
== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) == | == Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) == |