Editing SC EEPROM
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 124: | Line 124: | ||
| colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | | colspan="2" | 0x48C00 || 0x20 || (lv0 NVS region 2 start) | ||
|- | |- | ||
| rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag) | | rowspan="22" | <abbr title="lv0 NVS region 2: 0x48C00-0x48C1F"><small>2</small></abbr> || 0x48C00 || 1 || boot flag (load_image_in_rom flag (os_boot_order_flag), 0 = network 1st, 1 = flash 1st) | ||
|- | |- | ||
| 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related) | | 0x48C01 || 1 || sys.dbgcard.hostpc (force standalone mode related) | ||
|- | |- | ||
| 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) | | 0x48C02 || 1 || Network Device Mode (sys.dbgcard.dgbe / debug interface (select_net_device) (-1: Ethernet 2, 0: IFB, 1: CP, 2: SB UART, 3: CP ch4, 5: invalid <!-- used on retail consoles -->)) | ||
|- | |- | ||
| 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | | 0x48C03 || 1 || sys.dbgcard.dgbe.index (select_dgbe_device) | ||
Line 164: | Line 156: | ||
| 0x48C0F || 2 || cell os flags (loader parameter) | | 0x48C0F || 2 || cell os flags (loader parameter) | ||
|- | |- | ||
| 0x48C11 || 1 || bootrom trace level | | 0x48C11 || 1 || bootrom trace level (0x00: fatal errors, 0x01: errors, 0x02: information messages, 0x03: debug messages) | ||
|- | |- | ||
| 0x48C12 || 1 || ? | | 0x48C12 || 1 || ? | ||
Line 177: | Line 164: | ||
| 0x48C14 || 4 || cellos_spu_configure | | 0x48C14 || 4 || cellos_spu_configure | ||
|- | |- | ||
| 0x48C18 || 4 || Safe Mode System Language | | 0x48C18 || 4 || Safe Mode System Language [[XRegistry.sys#Settings]] ( /setting/system/language ) | ||
|- | |- | ||
| 0x48C1C || 4 || Safe Mode VSH Target (maybe QA,Debug,Retail,Kiosk?) | | 0x48C1C || 4 || Safe Mode VSH Target (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, 0x00000001 default: 0x00000000 /maybe QA,Debug,Retail,Kiosk?) | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | | colspan="2" | 0x48C1F || - || (lv0 NVS region 2 end) | ||
Line 240: | Line 222: | ||
| 0x48C61 || 1 || Recover Mode Flag | | 0x48C61 || 1 || Recover Mode Flag | ||
|- | |- | ||
| 0x48C62 || 8 || boot param | | 0x48C62 || 8 || boot param | ||
|- | |- | ||
| 0x48C6A || 2 || factory process completion | | 0x48C6A || 2 || factory process completion % | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | | colspan="2" | 0x48C4F || - || (lv0 NVS region 5 end) | ||
Line 386: | Line 356: | ||
QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares) | ||
== Undocumented | == Undocumented config == | ||
This is 0x48800 on SC EEPROM | This is 0x48800 on SC EEPROM. | ||
There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | There is an unknown syscon response of 0x100 bytes when using NVS service with such params: BlockID=1, Offset=0, Size=0. | ||
It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty (filled with FF's) | It can be considered an structure composed by a 0x10 header, and six available "slots" of 0x28 each, the second byte of the header seems to be some kind of counter related with the slots where the only values posibles are 0-5. The presence of data in the slots could vary usually all them are filled with data but in some rare cases the slots are empty (filled with FF's) | ||
Line 461: | Line 427: | ||
</pre> | </pre> | ||
The structure of an slot seems to be | The structure of an slot looks like this, last 8 bytes seems to be always zeroes (padding ?), and the previous value (0xFFFFFFFF, 0xAAAAAAAA, 0x55555555 in this samples) could be some kind of timestamp, the samples below can be considered rare. The 0xFFFFFFFF, 0xAAAAAAAA, 0x55555555 seems to be used as some kind of fallback | ||
<pre> | <pre> | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
Line 492: | Line 456: | ||
00001130 00 00 00 00 00 00 00 00 ........ | 00001130 00 00 00 00 00 00 00 00 ........ | ||
</pre> | </pre> | ||
== lv0 SC EEPROM usage == | == lv0 SC EEPROM usage == | ||
Line 562: | Line 516: | ||
rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | rsx.rdcy.7 0x48CB8 0x08 [0x08 value] | ||
dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | dgbe_config 0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway] | ||
qa_token 0x48D3E 0x50 [0x50 token] | |||
UNKNOWN 0x48D20 0x08 [0x08 value] | UNKNOWN 0x48D20 0x08 [0x08 value] | ||
</pre> | </pre> | ||
Line 573: | Line 527: | ||
|- | |- | ||
! Index !! SC EEPROM offset !! Data size !! Description | ! Index !! SC EEPROM offset !! Data size !! Description | ||
|- | |- | ||
| 0 || 0x48D20 || 6 ||? | | 0 || 0x48D20 || 6 ||? | ||
Line 587: | Line 535: | ||
|- | |- | ||
| 3 || 0x48D38 || 6 ||? | | 3 || 0x48D38 || 6 ||? | ||
|- | |||
| 4 || 0x48D00 || 4 ||? | |||
|- | |||
| 5 || 0x48D04 || 4 ||? | |||
|- | |||
| 6 || 0x48D08 || 4 ||? | |||
|} | |} | ||
Line 629: | Line 583: | ||
| 0x290-0x4FF || Unknown || | | 0x290-0x4FF || Unknown || | ||
|- | |- | ||
| 0x500-0x55F || magic1 (static bytes) | | 0x500-0x55F || magic1(static bytes) || | ||
| | |||
|- | |- | ||
| 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || | | 0x560-0x95F || Authenticated Data Region 0 (snvs region 0), not used || | ||
|- | |- | ||
| 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || | | 0x960-0xD5F || Authenticated Data Region 1 (snvs region 1), contains ss-service version, secure_product_mode flag,<BR> vtrm cipher/hasher keys, versions/hashes of installed update packages, etc... || | ||
|- | |- | ||
| 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || | | 0xD60-0x115F || Authenticated Data Region 2 (snvs region 2), not used || | ||
|- | |- | ||
| 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || | | 0x1160-0x155F || Authenticated Data Region 3 (snvs region 3), not used || | ||
|- | |- | ||
| 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || | | 0x1560-0x195F || Authenticated Data Region 4 (snvs region 4), not used || | ||
|- | |- | ||
| 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || | | 0x1960-0x1D5F || Authenticated Data Region 5 (snvs region 5), not used || | ||
|- | |- | ||
| 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || | | 0x1D60-0x215F || Authenticated Data Region 6 (snvs region 6), not used || | ||
|- | |- | ||
| 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || | | 0x2160-0x255F || Authenticated Data Region 7 (snvs region 7), not used || | ||
|- | |- | ||
| 0x2560-0x25FF || FF Region || | | 0x2560-0x25FF || FF Region || | ||
Line 675: | Line 623: | ||
| 0x3000-0x30FF || Customer Service Area (nvs region 0x30) || | | 0x3000-0x30FF || Customer Service Area (nvs region 0x30) || | ||
|- | |- | ||
| 0x3100-0x31FF || Special Region #0 || Platform Config | | 0x3100-0x31FF || Special Region #0 || Platform Config | ||
|- | |- | ||
| 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config | | 0x3200-0x32FF || Special Region #1 || Hardware/XDR Config | ||
|- | |- | ||
| 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal | | 0x3300-0x33FF || Special Region #2 || [[Syscon Thermal Config|Thermal Config]] | ||
|- | |- | ||
| 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal | | 0x3400-0x34FF || Special Region #3 || [[Syscon Thermal Config|Thermal Config]] | ||
|- | |- | ||
| 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time | | 0x3500-0x35FF || Special Region #4 || On/Off Count, On-time | ||
Line 709: | Line 657: | ||
=== Tests === | === Tests === | ||
* [ | * [http://i.imgur.com/A8g00bD.png AES128CBC with fixed key and incremented iv (by 1 each time)] | ||
* [ | * [http://i.imgur.com/HZDWGSk.png results] | ||
* [ | * [http://i.imgur.com/2mtrtdm.png region 0 encrypted] vs [http://i.imgur.com/7bSdQni.png decrypted] | ||
* [ | * [http://i.imgur.com/FGJKkuz.png region 7 encrypted] vs [http://i.imgur.com/7TSeHWK.png decrypted] | ||
=== Conclusion === | === Conclusion === | ||
Line 1,651: | Line 1,599: | ||
=== User Token === | === User Token === | ||
Used to test a | Used to test a userland application. | ||
=== Token Seed === | === Token Seed === | ||
Line 1,671: | Line 1,619: | ||
=== User Token === | === User Token === | ||
< | <source lang="C"> | ||
struct user_token_attr { | struct user_token_attr { | ||
uint32_t type; // usually 1, 0 for last attribute | uint32_t type; // usually 1, 0 for last attribute | ||
Line 1,692: | Line 1,640: | ||
uint8_t digest[0x14]; // certainly SHA-1 | uint8_t digest[0x14]; // certainly SHA-1 | ||
} | } | ||
</ | </source> | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
Line 1,732: | Line 1,680: | ||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- | |- | ||
! style="background-color:red | ! style="background-color:red;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span> | ||
|- | |- | ||
| <span style="white; color:red | | style="background-color:white;" | <span style="white; color:red; font-size:150%; text-align:center; ">You can use this method at your own risk. Author is not responsible for any hardware damages and failures. | ||
|} | |} | ||
Line 1,951: | Line 1,899: | ||
You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format. | You can use Notepad++ and Hex Editor like HxD to convert the dump to binary format. | ||
<small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes | <small>Read Command is 0xA8 0xXX 0xXX, XX XX is a block id to be read, the full SC EEPROM is 32768 bytes lenght (0x8000), [r:] are syntax command of the Bus Pirate for start, read byte and end</small> | ||
== Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) == | == Arduino Mega method by: ([[User_talk:Abkarino|Abkarino]]) == |