Editing SC EEPROM

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 124: Line 124:
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start)  
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start)  
|-
|-
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag)
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag), 0 = network 1st, 1 = flash 1st)
0 = network 1st
1 = flash 1st
|-
|-
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related)  
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related)  
|-
|-
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device)
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) (-1: Ethernet 2, 0: IFB, 1: CP, 2: SB UART, 3: CP ch4, 5: invalid <!-- used on retail consoles -->))
-1: Ethernet 2
  0: IFB
  1: CP
  2: SB UART
  3: CP ch4
  5: Disabled (default)
|-
|-
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device)  
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device)  
Line 164: Line 156:
| 0x48C0F || 2 || cell os flags (loader parameter)
| 0x48C0F || 2 || cell os flags (loader parameter)
|-
|-
| 0x48C11 || 1 || bootrom trace level
| 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages)
0x00: fatal errors
0x01: errors
0x02: information messages
0x03: debug messages
0xFF: ? (default)
|-
|-
| 0x48C12 || 1 || ?
| 0x48C12 || 1 || ?
Line 177: Line 164:
| 0x48C14 || 4 || cellos_spu_configure
| 0x48C14 || 4 || cellos_spu_configure
|-
|-
| 0x48C18 || 4 || Safe Mode System Language. Using the [[Languages|language codes]]. See also [[XRegistry.sys#Settings|XRegistry.sys/setting/system/language]]
| 0x48C18 || 4 || Safe Mode System Language [[XRegistry.sys#Settings]] ( /setting/system/language )
|-
|-
| 0x48C1C || 4 || Safe Mode VSH Target (maybe QA,Debug,Retail,Kiosk?). See [[Promo_flags.txt]] and [[VSH_Exports#vshmain|GetReleaseTarget]] vsh export
| 0x48C1C || 4 || Safe Mode VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?)
0x00000000 = ? (default)
0x00000001 = ?
0x00000005 = dtcpipdevdex (can't update to any firmware, except dtcpipdevdex firmware)
0xFFFFFFFF = ?
0xFFFFFFFE = ?
|-{{cellcolors|lightgrey}}
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end)
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end)
Line 240: Line 222:
| 0x48C61 || 1 || Recover Mode Flag
| 0x48C61 || 1 || Recover Mode Flag
|-
|-
| 0x48C62 || 8 || boot param. Accessed by [[LV2_Functions_and_Syscalls|syscalls 404]] ?. See also [[Factory_Service_Mode#Game_OS|this]]
| 0x48C62 || 8 || boot param
|-
|-
| 0x48C6A || 2 || factory process completion (bitflags ?). Accessed by [[LV2_Functions_and_Syscalls|syscalls 405, 406, 407]] ?. See also [[Factory_Service_Mode#Game_OS|this]]
| 0x48C6A || 2 || factory process completion %
Usually FFFF, but also:
00E2 - CokC12, SEM-001, CXR713120-203GB
00EA - CokD10, DIA-001, CXR714120-301GB
00E6 - CokE10, DIA-002, CXR714120-302GB
00EA - CokF10, VER-001, SW-301
00AA - CokG11, DYN-001, SW2-301
00BE - CokH11, SUR-001, SW2-302
00B2 - CokJ13, JTP-001, SW2-303 & CokK10, KTE-001, SW3-301
00B0 - CokM20, MSX-001, SW3-302 & CokM30, MPX-001, SW3-302 & CokN10, NPX-001, SW3-302 & CokP10, PQX-001, SW3-304 & CokR40, REX-001, SW3-304
00F0 - CokD10, DIA-001, CXR714120-304GB Refurb 40nm RSX
01FE - Cok14, COK-001, CXR714120-304GB Refurb 40nm RSX
|-{{cellcolors|lightgrey}}
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end)
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end)
Line 386: Line 356:
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)


== Undocumented region ==
== Undocumented config ==
This is 0x48800 on SC EEPROM, or at 0x7100 (mullions with 32KB EEPROM used), or at 0x4100 (mullions with 20KB EEPROM used), or at 0x1100 (sherwoods)
 
Accessed by [[Hypervisor_Reverse_Engineering | Hypervisor Service ID 32]] '''REQUEST_SYSTEM_EVENT_LOG''' ?, and [[LV2_Functions_and_Syscalls| syscall 395]] '''sys_sm_request_system_event_log''' ?
 
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0.
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0.


Sometimes the whole region is filled with FF's (empty, never used, or erased), it seems this procedure can be used to reset it
It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty
 
It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty (filled with FF's)
 
Sample (CokH11, SUR-001, SW2-302)
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001100  FF 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00001110  16 0E F0 35 00 00 E1 18 00 04 53 00 0C 00 00 00  ..ð5..á...S.....
00001120  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001130  00 00 00 00 00 00 00 00 18 F1 6F 68 00 00 E1 18  .........ñoh..á.
00001140  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
00001150  00 00 00 00 55 55 55 55 00 00 00 00 00 00 00 00  ....UUUU........
00001160  18 F1 6F C7 00 00 E1 18 00 04 53 00 0C 00 00 00  .ñoÇ..á...S.....
00001170  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001180  00 00 00 00 00 00 00 00 18 FF EE 91 00 00 E1 18  .........ÿî‘..á.
00001190  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
000011A0  00 00 00 00 71 75 F4 75 00 00 00 00 00 00 00 00  ....quôu........
000011B0  1A 21 73 52 00 00 E1 18 00 04 53 00 0C 00 00 00  .!sR..á...S.....
000011C0  00 00 00 00 00 00 00 00 00 00 00 00 50 75 55 51  ............PuUQ
000011D0  00 00 00 00 00 00 00 00 16 0E EF D5 00 00 E1 18  ..........ïÕ..á.
000011E0  00 04 53 00 0C 00 00 00 00 00 00 00 00 00 00 00  ..S.............
000011F0  00 00 00 00 55 55 55 55 00 00 00 00 00 00 00 00  ....UUUU........
</pre>


Sample with 2 slots used
Sample with 2 slots used
Line 461: Line 403:
</pre>
</pre>


The structure of an slot seems to be: 0x4 (timestamp) + 0x2 (unknown, always 0000) + 0x1 (unknown, always 0xE1 or 0xE2) + 0x1 (Data Size ?, usually 0x18) + 0x4 (Data Type ?) + 0x1C (data, included padding)
This is 0x48800 on SC EEPROM.
*The timestamp follows the same format than the timestamps of the [[Syscon_Error_Codes#Error_log_format|Syscon Error Codes]], in some syscon models the lowest value posible for this timestamps seems to be 0x0B488680 (2005/12/31 00:00:00)
 
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  0B 74 08 2F 00 00 E1 18 00 03 15 00 0C 03 00 00  .t./..á.........
00001120  A8 00 00 18 32 E2 00 00 00 80 00 00 FF FF FF FF  ¨...2â...€..ÿÿÿÿ
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  1F AC E5 B0 00 00 E1 18 00 03 02 00 0C 03 00 00  .¬å°..á.........
00001120  A8 00 00 15 8A 20 00 00 00 40 00 00 AA AA AA AA  ¨...Š ...@..ªªªª
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F


00001110  1D 59 29 DB 00 00 E2 18 01 51 40 25 40 01 03 00  .Y)Û..â..Q@%@...
cech-c (NO BD Drive): [http://pastie.org/private/grl0dc0dxajisa36chgm7w dead link]
00001120  00 00 00 01 08 E5 00 13 00 C7 00 00 00 00 00 00  .....å...Ç......
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00001110  16 0E F0 35 00 00 E1 18 00 04 53 00 0C 00 00 00  ..ð5..á...S.....
00001120  00 00 00 00 00 00 00 00 00 00 00 00 55 55 55 55  ............UUUU
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00007110  0B 48 86 7D 00 00 E1 18 53 54 52 3A 50 41 54 41  .H†}..á.STR:PATA
00007120  43 30 3A 43 61 62 6C 65 20 4E 6F 74 20 43 6F 6E  C0:Cable Not Con
00007130  6E 65 63 74 00 00 00 00                          nect....
</pre>
 
*Notes
**See the timestamp of the last sample with value 0B48867D, very close to 0B488680 (2005/12/31 00:00:00)


== lv0 SC EEPROM usage ==
== lv0 SC EEPROM usage ==
Line 562: Line 466:
rsx.rdcy.7          0x48CB8 0x08 [0x08 value]
rsx.rdcy.7          0x48CB8 0x08 [0x08 value]
dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
qa_token            0x48D3E 0x50 [0x50 token]
UNKNOWN              0x48D20 0x08 [0x08 value]
UNKNOWN              0x48D20 0x08 [0x08 value]
qa_token            0x48D3E 0x50 [0x50 token]
</pre>
</pre>


Line 573: Line 477:
|-
|-
! Index !! SC EEPROM offset !! Data size !! Description
! Index !! SC EEPROM offset !! Data size !! Description
|-
| 4 || 0x48D00 || 4 ||?
|-
| 5 || 0x48D04 || 4 ||?
|-
| 6 || 0x48D08 || 4 ||?
|-
|-
| 0 || 0x48D20 || 6 ||?
| 0 || 0x48D20 || 6 ||?
Line 587: Line 485:
|-
|-
| 3 || 0x48D38 || 6 ||?
| 3 || 0x48D38 || 6 ||?
|-
| 4 || 0x48D00 || 4 ||?
|-
| 5 || 0x48D04 || 4 ||?
|-
| 6 || 0x48D08 || 4 ||?
|}
|}


Line 629: Line 533:
| 0x290-0x4FF || Unknown ||
| 0x290-0x4FF || Unknown ||
|-  
|-  
| 0x500-0x55F || magic1 (static bytes)
| 0x500-0x55F || magic1(static bytes) ||
| <pre>E01B01CF9C7FBC7D79D670086DAF497F
9BD3A5D5178DDE1D825344AE398113DD
FF525D8BF4422CC76B13AA47FA2CC369
83A720CD45D18FB3D4112888187E3040
702B91D8E6ACEEC4B801315F357E1EE3
2DA1081408D72C41AFC1B61AE7C9882D</pre>
|-
|-
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used ||
|-
|-
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... ||
|-
|-
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used ||
|-
|-
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used ||
|-
|-
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used ||
|-
|-
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used ||
|-
|-
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used ||
|-
|-
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used ||
|-
|-
| 0x2560-0x25FF || FF Region ||
| 0x2560-0x25FF || FF Region ||
Line 675: Line 573:
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) ||
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) ||
|-
|-
| 0x3100-0x31FF || Special Region #0 || Platform Config ([[Platform_ID]]<small>(hex)</small> at relative offset 0xE
| 0x3100-0x31FF || Special Region #0 || Platform Config
|-
|-
| 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config
| 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config
|-
|-
| 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal Configs|Thermal Config]]
| 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal Config|Thermal Config]]
|-
|-
| 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal Configs|Thermal Config]]
| 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal Config|Thermal Config]]
|-
|-
| 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time
| 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time
Line 709: Line 607:
=== Tests ===
=== Tests ===


* [https://www.psdevwiki.com/ps3/File:A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)]
* [http://i.imgur.com/A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)]
* [https://www.psdevwiki.com/ps3/File:HZDWGSk.png results]
* [http://i.imgur.com/HZDWGSk.png results]
* [https://www.psdevwiki.com/ps3/File:2mtrtdm.png region 0 encrypted] vs [https://www.psdevwiki.com/ps3/File:7bSdQni.png decrypted]
* [http://i.imgur.com/2mtrtdm.png region 0 encrypted] vs [http://i.imgur.com/7bSdQni.png decrypted]
* [https://www.psdevwiki.com/ps3/File:FGJKkuz.png region 7 encrypted] vs [https://www.psdevwiki.com/ps3/File:7TSeHWK.png decrypted]
* [http://i.imgur.com/FGJKkuz.png region 7 encrypted] vs [http://i.imgur.com/7TSeHWK.png decrypted]


=== Conclusion ===
=== Conclusion ===
Line 1,651: Line 1,549:
=== User Token ===
=== User Token ===


Used to test a usermode application.
Used to test a userland application.


=== Token Seed ===
=== Token Seed ===
Line 1,671: Line 1,569:
=== User Token ===
=== User Token ===


<syntaxhighlight lang="C">
<source lang="C">
struct user_token_attr {
struct user_token_attr {
     uint32_t type; // usually 1, 0 for last attribute
     uint32_t type; // usually 1, 0 for last attribute
Line 1,692: Line 1,590:
     uint8_t digest[0x14]; // certainly SHA-1
     uint8_t digest[0x14]; // certainly SHA-1
}
}
</syntaxhighlight>
</source>


{| class="wikitable FCK__ShowTableBorders"
{| class="wikitable FCK__ShowTableBorders"
Line 1,732: Line 1,630:
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
|-
|-
! style="background-color:red!important;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
! style="background-color:red;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
|-
|-
| <span style="white; color:red!important; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures.  
| style="background-color:white;" | <span style="white; color:red; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures.  
|}
|}


Line 1,951: Line 1,849:
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format.
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format.


<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes length (0x8000),  [r:] are syntax command of the Bus Pirate for start, read byte and end</small>
<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes lenght (0x8000),  [r:] are syntax command of the Bus Pirate for start, read byte and end</small>


== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) ==  
== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) ==  
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)