Editing SC EEPROM

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 124: Line 124:
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start)  
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start)  
|-
|-
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag)
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag), 0 = network 1st, 1 = flash 1st)
0 = network 1st
1 = flash 1st
|-
|-
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related)  
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related)  
|-
|-
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device)
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) (-1: Ethernet 2, 0: IFB, 1: CP, 2: SB UART, 3: CP ch4, 5: invalid <!-- used on retail consoles -->))
-1: Ethernet 2
  0: IFB
  1: CP
  2: SB UART
  3: CP ch4
  5: Disabled (default)
|-
|-
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device)  
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device)  
Line 164: Line 156:
| 0x48C0F || 2 || cell os flags (loader parameter)
| 0x48C0F || 2 || cell os flags (loader parameter)
|-
|-
| 0x48C11 || 1 || bootrom trace level
| 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages)
0x00: fatal errors
0x01: errors
0x02: information messages
0x03: debug messages
0xFF: ? (default)
|-
|-
| 0x48C12 || 1 || ?
| 0x48C12 || 1 || ?
Line 177: Line 164:
| 0x48C14 || 4 || cellos_spu_configure
| 0x48C14 || 4 || cellos_spu_configure
|-
|-
| 0x48C18 || 4 || Safe Mode System Language. Using the [[Languages|language codes]]. See also [[XRegistry.sys#Settings|XRegistry.sys/setting/system/language]]
| 0x48C18 || 4 || Safe Mode System Language [[XRegistry.sys#Settings]] ( /setting/system/language )
|-
|-
| 0x48C1C || 4 || Safe Mode VSH Target (maybe QA,Debug,Retail,Kiosk?). See [[Promo_flags.txt]] and [[VSH_Exports#vshmain|GetReleaseTarget]] vsh export
| 0x48C1C || 4 || Safe Mode VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?)
0x00000000 = ? (default)
0x00000001 = ?
0x00000005 = dtcpipdevdex (can't update to any firmware, except dtcpipdevdex firmware)
0xFFFFFFFF = ?
0xFFFFFFFE = ?
|-{{cellcolors|lightgrey}}
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end)
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end)
Line 240: Line 222:
| 0x48C61 || 1 || Recover Mode Flag
| 0x48C61 || 1 || Recover Mode Flag
|-
|-
| 0x48C62 || 8 || boot param. Accessed by [[LV2_Functions_and_Syscalls|syscalls 404]] ?. See also [[Factory_Service_Mode#Game_OS|this]]
| 0x48C62 || 8 || boot param
|-
|-
| 0x48C6A || 2 || factory process completion (bitflags ?). Accessed by [[LV2_Functions_and_Syscalls|syscalls 405, 406, 407]] ?. See also [[Factory_Service_Mode#Game_OS|this]]
| 0x48C6A || 2 || factory process completion %
Usually FFFF, but also:
00E2 - CokC12, SEM-001, CXR713120-203GB
00EA - CokD10, DIA-001, CXR714120-301GB
00E6 - CokE10, DIA-002, CXR714120-302GB
00EA - CokF10, VER-001, SW-301
00AA - CokG11, DYN-001, SW2-301
00BE - CokH11, SUR-001, SW2-302
00B2 - CokJ13, JTP-001, SW2-303 & CokK10, KTE-001, SW3-301
00B0 - CokM20, MSX-001, SW3-302 & CokM30, MPX-001, SW3-302 & CokN10, NPX-001, SW3-302 & CokP10, PQX-001, SW3-304 & CokR40, REX-001, SW3-304
00F0 - CokD10, DIA-001, CXR714120-304GB Refurb 40nm RSX
01FE - Cok14, COK-001, CXR714120-304GB Refurb 40nm RSX
|-{{cellcolors|lightgrey}}
|-{{cellcolors|lightgrey}}
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end)
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end)
Line 386: Line 356:
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)


== Undocumented region ==
== Undocumented config ==
This is 0x48800 on SC EEPROM, or at 0x7100 (mullions with 32KB EEPROM used), or at 0x4100 (mullions with 20KB EEPROM used), or at 0x1100 (sherwoods)
This is 0x48800 on SC EEPROM.
 
Accessed by [[Hypervisor_Reverse_Engineering | Hypervisor Service ID 32]] '''REQUEST_SYSTEM_EVENT_LOG''' ?, and [[LV2_Functions_and_Syscalls| syscall 395]] '''sys_sm_request_system_event_log''' ?


There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0.
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0.
Sometimes the whole region is filled with FF's (empty, never used, or erased), it seems this procedure can be used to reset it


It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty (filled with FF's)
It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty (filled with FF's)
Line 461: Line 427:
</pre>
</pre>


The structure of an slot seems to be: 0x4 (timestamp) + 0x2 (unknown, always 0000) + 0x1 (unknown, always 0xE1 or 0xE2) + 0x1 (Data Size ?, usually 0x18) + 0x4 (Data Type ?) + 0x1C (data, included padding)
The structure of an slot looks like this, last 8 bytes seems to be always zeroes (padding ?), and the previous value (0xFFFFFFFF, 0xAAAAAAAA, 0x55555555 in this samples) could be some kind of timestamp, the samples below can be considered rare. The 0xFFFFFFFF, 0xAAAAAAAA, 0x55555555 seems to be used as some kind of fallback
*The timestamp follows the same format than the timestamps of the [[Syscon_Error_Codes#Error_log_format|Syscon Error Codes]], in some syscon models the lowest value posible for this timestamps seems to be 0x0B488680 (2005/12/31 00:00:00)
 
<pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Line 492: Line 456:
00001130  00 00 00 00 00 00 00 00                          ........
00001130  00 00 00 00 00 00 00 00                          ........
</pre>
</pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00007110  0B 48 86 7D 00 00 E1 18 53 54 52 3A 50 41 54 41  .H†}..á.STR:PATA
00007120  43 30 3A 43 61 62 6C 65 20 4E 6F 74 20 43 6F 6E  C0:Cable Not Con
00007130  6E 65 63 74 00 00 00 00                          nect....
</pre>
*Notes
**See the timestamp of the last sample with value 0B48867D, very close to 0B488680 (2005/12/31 00:00:00)


== lv0 SC EEPROM usage ==
== lv0 SC EEPROM usage ==
Line 562: Line 516:
rsx.rdcy.7          0x48CB8 0x08 [0x08 value]
rsx.rdcy.7          0x48CB8 0x08 [0x08 value]
dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
qa_token            0x48D3E 0x50 [0x50 token]
UNKNOWN              0x48D20 0x08 [0x08 value]
UNKNOWN              0x48D20 0x08 [0x08 value]
qa_token            0x48D3E 0x50 [0x50 token]
</pre>
</pre>


Line 573: Line 527:
|-
|-
! Index !! SC EEPROM offset !! Data size !! Description
! Index !! SC EEPROM offset !! Data size !! Description
|-
| 4 || 0x48D00 || 4 ||?
|-
| 5 || 0x48D04 || 4 ||?
|-
| 6 || 0x48D08 || 4 ||?
|-
|-
| 0 || 0x48D20 || 6 ||?
| 0 || 0x48D20 || 6 ||?
Line 587: Line 535:
|-
|-
| 3 || 0x48D38 || 6 ||?
| 3 || 0x48D38 || 6 ||?
|-
| 4 || 0x48D00 || 4 ||?
|-
| 5 || 0x48D04 || 4 ||?
|-
| 6 || 0x48D08 || 4 ||?
|}
|}


Line 629: Line 583:
| 0x290-0x4FF || Unknown ||
| 0x290-0x4FF || Unknown ||
|-  
|-  
| 0x500-0x55F || magic1 (static bytes)
| 0x500-0x55F || magic1(static bytes) ||
| <pre>E01B01CF9C7FBC7D79D670086DAF497F
9BD3A5D5178DDE1D825344AE398113DD
FF525D8BF4422CC76B13AA47FA2CC369
83A720CD45D18FB3D4112888187E3040
702B91D8E6ACEEC4B801315F357E1EE3
2DA1081408D72C41AFC1B61AE7C9882D</pre>
|-
|-
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used ||
|-
|-
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... ||
|-
|-
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used ||
|-
|-
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used ||
|-
|-
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used ||
|-
|-
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used ||
|-
|-
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used ||
|-
|-
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || Used on COK-001, DIA-001 / CXR714120-304GB / 40nm RSX (official refurbished)
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used ||
|-
|-
| 0x2560-0x25FF || FF Region ||
| 0x2560-0x25FF || FF Region ||
Line 675: Line 623:
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) ||
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) ||
|-
|-
| 0x3100-0x31FF || Special Region #0 || Platform Config ([[Platform_ID]]<small>(hex)</small> at relative offset 0xE
| 0x3100-0x31FF || Special Region #0 || Platform Config
|-
|-
| 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config
| 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config
|-
|-
| 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal Configs|Thermal Config]]
| 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal Config|Thermal Config]]
|-
|-
| 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal Configs|Thermal Config]]
| 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal Config|Thermal Config]]
|-
|-
| 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time
| 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time
Line 709: Line 657:
=== Tests ===
=== Tests ===


* [https://www.psdevwiki.com/ps3/File:A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)]
* [http://i.imgur.com/A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)]
* [https://www.psdevwiki.com/ps3/File:HZDWGSk.png results]
* [http://i.imgur.com/HZDWGSk.png results]
* [https://www.psdevwiki.com/ps3/File:2mtrtdm.png region 0 encrypted] vs [https://www.psdevwiki.com/ps3/File:7bSdQni.png decrypted]
* [http://i.imgur.com/2mtrtdm.png region 0 encrypted] vs [http://i.imgur.com/7bSdQni.png decrypted]
* [https://www.psdevwiki.com/ps3/File:FGJKkuz.png region 7 encrypted] vs [https://www.psdevwiki.com/ps3/File:7TSeHWK.png decrypted]
* [http://i.imgur.com/FGJKkuz.png region 7 encrypted] vs [http://i.imgur.com/7TSeHWK.png decrypted]


=== Conclusion ===
=== Conclusion ===
Line 1,651: Line 1,599:
=== User Token ===
=== User Token ===


Used to test a usermode application.
Used to test a userland application.


=== Token Seed ===
=== Token Seed ===
Line 1,671: Line 1,619:
=== User Token ===
=== User Token ===


<syntaxhighlight lang="C">
<source lang="C">
struct user_token_attr {
struct user_token_attr {
     uint32_t type; // usually 1, 0 for last attribute
     uint32_t type; // usually 1, 0 for last attribute
Line 1,692: Line 1,640:
     uint8_t digest[0x14]; // certainly SHA-1
     uint8_t digest[0x14]; // certainly SHA-1
}
}
</syntaxhighlight>
</source>


{| class="wikitable FCK__ShowTableBorders"
{| class="wikitable FCK__ShowTableBorders"
Line 1,732: Line 1,680:
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
|-
|-
! style="background-color:red!important;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
! style="background-color:red;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
|-
|-
| <span style="white; color:red!important; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures.  
| style="background-color:white;" | <span style="white; color:red; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures.  
|}
|}


Line 1,951: Line 1,899:
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format.
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format.


<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes length (0x8000),  [r:] are syntax command of the Bus Pirate for start, read byte and end</small>
<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes lenght (0x8000),  [r:] are syntax command of the Bus Pirate for start, read byte and end</small>


== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) ==  
== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) ==  
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)