Editing Talk:Flash Structure

<!--// complete copy of old flash page for splitting //-->

= First Region =

= Second Region =
NOR only: 0x0F00000 - 0x0F00020 <br />
This region appears to directly follow the other region (at 0xF0000 = region size + header) <br />
Not much is known about this at this stage. <br />

On NAND consoles without OtherOS the block 0x0F00000 - 0x0F7FFFF is zero filled <br />
On NAND consoles with OtherOS the block 0x0F00000 - 0x0F00FFF is filled with data <br />

== Header - 0FACE0FF DEADFACE ==
=== example ===
{| class="wikitable"
|-
! NOR: 0x0F00000 - 0x0F00020 !! NAND: 
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....ÞúÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................</pre> || <pre>N.A.</pre>
|-
|}
=== structure ===
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x00 || 0x10 || 0x0 || Blank/Unknown
|-
| 0x10 || 0x10 || 0x0FACE0FF 0xDEADFACE || Magic number
|-
| 0x20 || 0x8 || 0x3 || Unknown
|-
| 0x28 || 0x8 || 0x2 || Unknown
|-
|}

== 00 filled block ==
=== example ===
{| class="wikitable"
|-
! NOR: 0x0F00030 - 0x0F000BF !! NAND: 
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
.... (00 filled block)
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................</pre> || <pre>N.A.</pre>
|-
|}
=== structure ===
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x30 || 0x90 || 0x0 || Blank/Unknown
|-
|}

== Unknown block ==
=== example ===
{| class="wikitable"
|-
! NOR: 0x0F000C0 - 0x0F000EF !! NAND: 
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............</pre> || <pre>N.A.</pre>
|-
|}
=== structure ===
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0xC0 || 0x8 || 0x7900 || Unknown
|-
| 0xC8 || 0x8 || 0x100 || Unknown
|-
| 0xD0 || 0x2 || 0x1070 || Unknown
|-
| 0xD2 || 0x2 || 0x0 || Blank/Unknown
|-
| 0xD4 || 0x2 || 0x100 || Unknown
|-
| 0xD6 || 0x2 || 0x1 || Unknown
|-
| 0xD8 || 0x8 || 0x3 || Unknown
|-
| 0xE0 || 0x2 || 0x1070 || Unknown
|-
| 0xE2 || 0x2 || 0x0 || Blank/Unknown
|-
| 0xE4 || 0x2 || 0x200 || Unknown
|-
| 0xE6 || 0x2 || 0x1 || Unknown
|-
| 0xE8 || 0x8 || 0x3 || Unknown
|-
|}

== 00 filled block ==
=== example ===
{| class="wikitable"
|-
! NOR: 0x0F000F0 - 0x0F0014F !! NAND: 
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
.... (00 filled block)
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................</pre> || <pre>N.A.</pre>
|-
|}
=== structure ===
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0xF0 || 0x60 || 0x0 || Blank/Unknown
|-
|}

== Unknown block ==
=== example ===
{| class="wikitable"
|-
! NOR: 0x0F00150 - 0x0F0017F !! NAND: 
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............</pre> || <pre>N.A.</pre>
|-
|}
=== structure ===
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0xC0 || 0x8 || 0x7A00 || Unknown
|-
| 0xC8 || 0x8 || 0x400 || Unknown
|-
| 0xD0 || 0x2 || 0x1070 || Unknown
|-
| 0xD2 || 0x2 || 0x0 || Blank/Unknown
|-
| 0xD4 || 0x2 || 0x100 || Unknown
|-
| 0xD6 || 0x2 || 0x1 || Unknown
|-
| 0xD8 || 0x8 || 0x3 || Unknown
|-
| 0xE0 || 0x2 || 0x1070 || Unknown
|-
| 0xE2 || 0x2 || 0x0 || Blank/Unknown
|-
| 0xE4 || 0x2 || 0x200 || Unknown
|-
| 0xE6 || 0x2 || 0x1 || Unknown
|-
| 0xE8 || 0x8 || 0x3 || Unknown
|-
|}

== 00 filled block ==
=== example ===
{| class="wikitable"
|-
! NOR: 0x0F00180 - 0x0F00FFF !! NAND: 
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
.... (00 filled block)
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................</pre> || <pre>N.A.</pre>
|-
|}
=== structure ===
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x180 || 0xE80 || 0x0 || Blank/Unknown
|-
|}

== unreferenced area ==
NOR+NAND : 0x0F01000 - 0x0F1FFFF
=== example ===
{| class="wikitable"
|-
! NOR: 0x0F01000 - 0x0F1FFFF !! NAND: 0x0F01000 - 0x0F1FFFF
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00F01000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
00F1FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00F01000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
00F1FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre>
|-
|}
=== structure ===
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x1000 || 0x1F000 || 0xFF || Blank/Unknown
|-
|}

= CELL_EXTNOR_AREA =
Only on NOR consoles <br />
On NAND consoles the block 00F20000-00F3FFFF is FF (OtherOS) or 00 (No OtherOS) filled <br />

== Header ==
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
 00F20000  43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41  CELL_EXTNOR_AREA      marker: CELL_EXTNOR_AREA

== 1 ==
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
 00F20010  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00F20020  00 00 02 00 00 00 00 44 00 00 00 00 A9 C8 06 D0  .......D....©È.Ð (sha1sum of 0x200 Harddrive Info)
 00F20030  C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10  À..4U§bsÝ.¦ûu Ò.

== 00 filled ==
 00F20040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [...]                                                                            all 00's
 00F201F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

== Harddrive info ==
 00F20200  00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32  ....FUJITSU MHZ2      harddrive brand/model
 00F20210  30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20  080BH G1        
 00F20220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
 00F20230  20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B      K63RT8B4HYBK      harddrive serial

== 00 filled ==
 00F20240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [...]                                                                            all 00's
 00F3FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

== 2 ==
On NAND consoles with OtherOS the blocks
* 0x0F40000 - 0x0F401FF
* 0x0F42000 - 0xBAD51F0
* 0xBAD6000 - 0xBAECDFF
* 0xBAEE000 - 0xBAFD9FF
* 0xBAFE000 etc.
are filled with data
 00F40000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F40000-00F40030      (same in other version/console dump)
 00F40010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
 00F40020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F80000-00F80030

== 00 filled ==
 00F40030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [...]                                                                            all 00's
 00F5FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

== 3 ==
 00F60000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
 00F60010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
 00F60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
 00F60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00FA0000-00FA0040

== 00 filled ==
 00F60040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [...]                                                                            all 00's
 00F69BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

== FF filled ==
 00F69C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 [...]                                                                            all FF's
 00F7FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

== 4 ==
 00F80000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F80000-00F80030      (same in other version/console dump)
 00F80010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
 00F80020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F40000-00F40030

== 00 filled ==
 00F80030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [...]                                                                            all 00's
 00F9FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

== 5 ==
 00FA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
 00FA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
 00FA0020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
 00FA0030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00F60000-00F60040

== 00 filled ==
 00FA0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [...]                                                                            all 00's
 00FA9BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

== FF filled ==
 00FA9C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 [...]                                                                            all FF's with sometimes below 'OCRL0200' section inside it
 00FBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

== FF Filled with OCRL0200 section ==
{| class="wikitable"
|-
! NOR: 0x0FA9400 - 0x0FA952F !! NOR: 0x0F69400 - 0x0F6952F
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  &nbsp;
00FA9400  4F 43 52 4C 30 32 30 30 00 00 00 00 00 00 00 00  OCRL0200........
00FA9410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA9420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA9430  A6 50 37 72 07 82 68 FE EA 9A A1 8C 54 19 2B E4  ¦P7r.‚hþêš¡ŒT.+ä
00FA9440  2F D8 85 BA 5F 2F AA ED AC 6B 54 FE 31 0B 80 58  /Ø…º_/ªí¬kTþ1.€X
00FA9450  A9 74 D4 ED F9 77 7B B2 30 50 47 F3 C0 12 AC 26  ©tÔíùw{²0PGóÀ.¬&
00FA9460  6A 40 AD 19 14 C2 AD 2C 92 36 02 78 50 D4 08 D4  j@..Â,’6.xPÔ.Ô
00FA9470  06 76 2C 97 0D 2A 7A 19 F4 85 01 6F CD C8 07 C3  .v,—.*z.ô….oÍÈ.Ã
00FA9480  25 2D F4 CD 46 2B FE F7 B8 0A 40 9F 97 22 06 5E  %-ôÍF+þ÷¸.@Ÿ—".^
00FA9490  4B F1 02 92 01 11 C1 E0 DD AC 84 0D 58 C2 21 66  Kñ.’..ÁàÝ¬„.XÂ!f
00FA94A0  25 69 A4 1A C8 E9 DB 4C 5D 31 4E AF 07 2A 43 90  %i¤.ÈéÛL]1N¯.*C.
00FA94B0  3E DC 4A 80 FD A7 06 BB 1F 9B D4 75 6C 6C 45 CE  >ÜJ€ý§.».›ÔullEÎ
00FA94C0  1A A6 5D D1 9B E9 80 C2 72 CA A8 0B 14 C6 B2 86  .¦]Ñ›é€ÂrÊ¨..Æ²†
00FA94D0  E3 37 86 E6 AD DE 2C F9 76 3D 18 62 DD 77 AD 71  ã7†æÞ,ùv=.bÝwq
00FA94E0  32 F1 11 FD 17 9E 68 50 B3 A5 7F 41 37 19 63 3A  2ñ.ý.žhP³¥.A7.c:
00FA94F0  78 08 19 4D CA 47 AD FF 35 89 52 3E 18 39 F5 A5  x..MÊGÿ5‰R>.9õ¥
00FA9500  4B 98 D6 C0 66 68 E0 CA 4B 9F 1A 42 1E A2 EE 79  K˜ÖÀfhàÊKŸ.B.¢îy
00FA9510  E6 58 6F FF 58 B1 FE 4F DB FD 27 6F 4C EC 6C 9F  æXoÿX±þOÛý'oLìlŸ
00FA9520  B4 B7 F8 9D 30 4A 1E 83 15 47 08 B6 FB 51 00 DA  ´·ø.0J.ƒ.G.¶ûQ.Ú</pre>
* CECHL (VER-001) with ST98823AS drive (80GB) : ROS0: 2.80 / ROS1: 3.55<!--// nor-defyboy.bin //--> 
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  &nbsp;
00F69400  4F 43 52 4C 30 32 30 30 00 00 00 00 00 00 00 00  OCRL0200........
00F69410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F69420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F69430  A6 50 37 72 07 82 68 FE EA 9A A1 8C 54 19 2B E4  ¦P7r.‚hþêš¡ŒT.+ä
00F69440  2F D8 85 BA 5F 2F AA ED AC 6B 54 FE 31 0B 80 58  /Ø…º_/ªí¬kTþ1.€X
00F69450  A9 74 D4 ED F9 77 7B B2 30 50 47 F3 C0 12 AC 26  ©tÔíùw{²0PGóÀ.¬&
00F69460  6A 40 AD 19 14 C2 AD 2C 92 36 02 78 50 D4 08 D4  j@..Â,’6.xPÔ.Ô
00F69470  06 76 2C 97 0D 2A 7A 19 F4 85 01 6F CD C8 07 C3  .v,—.*z.ô….oÍÈ.Ã
00F69480  25 2D F4 CD 46 2B FE F7 B8 0A 40 9F 97 22 06 5E  %-ôÍF+þ÷¸.@Ÿ—".^
00F69490  4B F1 02 92 01 11 C1 E0 DD AC 84 0D 58 C2 21 66  Kñ.’..ÁàÝ¬„.XÂ!f
00F694A0  25 69 A4 1A C8 E9 DB 4C 5D 31 4E AF 07 2A 43 90  %i¤.ÈéÛL]1N¯.*C.
00F694B0  3E DC 4A 80 FD A7 06 BB 1F 9B D4 75 6C 6C 45 CE  >ÜJ€ý§.».›ÔullEÎ
00F694C0  1A A6 5D D1 9B E9 80 C2 72 CA A8 0B 14 C6 B2 86  .¦]Ñ›é€ÂrÊ¨..Æ²†
00F694D0  E3 37 86 E6 AD DE 2C F9 76 3D 18 62 DD 77 AD 71  ã7†æÞ,ùv=.bÝwq
00F694E0  32 F1 11 FD 17 9E 68 50 B3 A5 7F 41 37 19 63 3A  2ñ.ý.žhP³¥.A7.c:
00F694F0  78 08 19 4D CA 47 AD FF 35 89 52 3E 18 39 F5 A5  x..MÊGÿ5‰R>.9õ¥
00F69500  4B 98 D6 C0 66 68 E0 CA 4B 9F 1A 42 1E A2 EE 79  K˜ÖÀfhàÊKŸ.B.¢îy
00F69510  E6 58 6F FF 58 B1 FE 4F DB FD 27 6F 4C EC 6C 9F  æXoÿX±þOÛý'oLìlŸ
00F69520  B4 B7 F8 9D 30 4A 1E 83 15 47 08 B6 FB 51 00 DA  ´·ø.0J.ƒ.G.¶ûQ.Ú
</pre>
* CECHH (DIA-001) with WDC WD1002FAEX-00Z3A0 drive (1TB) : ROS0: 3.55 / ROS1: 3.73<!--// Akex-CECHH-373-original.bin //-->
* CECHL (VER-001) with TOSHIBA MK8052GSX (80GB) : ROS0: 3.55 / ROS1: 3.56<!--// anger-CECHL-RLOD-dump.bin //-->
* CECH20.. (DYN-001) with TOSHIBA MK1255GSX H (120GB) : ROS0: 3.70 / ROS1: 3.70<!--// ChaosEX-CECH2000-370v2.bin //-->
* CECH2004A (DYN-001) with TOSHIBA MK1255GSX H (120GB) : ROS0: 3.72 / ROS1: 3.70<!--// astar-dump_orig.bin //-->
* CECH2004 (DYN-001) with Hitachi HTS545025B9SA0 (250GB) / ROS0: 4.11 / ROS1: 4.00<!--// gmaster-bkpps3.bin //-->
|-
|}
<!--// Not found on:
-CECHK (DIA-002) with FUJITSU MHZ2080BH G1 (80GB) : ROS0: 3.73 / ROS1: 3.72 // chipps3ve-CECHK-Original_dump.bin //
- CECHK06 (DIA-002) with Seagate ST9120821AS (120GB : ROS: 4.11 / ROS1: 4.11 // zax-CECHK06 (DIA-002) -bkpps3.bin //
- CECHL (VER-001) with FUJITSU MHZ2080BH G1 (80GB) : ROS: 3.60 / ROS1: 3.60 // 2-86-08-CECHL (VER-001)-360-360.bin //
- CECHL (VER-001) with TOSHIBA MK8052GSX (80GB) : ROS0: 3.70 / ROS1: 3.55 // abkarino-50 - VER-001 - Spansion S29GL128P90TFIR2  - 3.70 - XXXX - 3.bin //
- CECHL (VER-001) with TOSHIBA MK8052GSX (80GB) : ROS0: 3.70 / ROS1: 3.70 // Dado-CECHL-dump.bin //
- CECH-2101A (SUR-001) with TOSHIBA MK1255GSX H (120GB) : ROS0:3.56 / ROS1:3.55 // n00b689-nor400A.bin //
- CECH-250.B (JTP-001) with TOSHIBA MK3265GSX H (320GB) : ROS0: 3.73 / ROS1: 3.70 // domelec-CECH-2500-NOR-ps3-1.bin //
- CECH-2503B (JTP-001) with Hitachi HTS545032B9SA00 (320GB) : ROS0: 3.70 / ROS1: 3.60 // alexys18b-dp2.bin //
//-->
Used by GetOnlineCertificateRevocationListVersion(FlashOCRL%d) inside bdp player<br />
Handled by [[Iso module]] AacsModule.spu.isoself <br />
http://www.blu-raydisc.info/format-spec/rom3-spec.php<br />
http://www.blu-raydisc.info/docs/Certificate_Revocation/online.crl <-- exact same as above hex pastie<br />
<!--// thanks mysis :) //-->

= cell_ext_os_area =
NAND only

== OtherOS ==
NAND only


=== 00 filled block ===
<pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0EA00040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
0EB7FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................</pre>

=== FF filled block ===
<pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0EB80000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0EFBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre>


==== small non-FF sections (inside FF filled block) ====
Note: not seen in all NAND dumps.

{| class="wikitable sortable"
|-
! NAND: 1100 !! NAND: 0100 !! NAND: 7F FF FF 11 00 !! NAND: 7F FF FF 21 00
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00100  FF FF FF FF 11 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00100  FF FF FF FF 01 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00100  FF 7F FF FF 11 00 FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿ..ÿÿÿÿÿÿÿÿÿÿ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00100  FF 7F FF FF 21 00 FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿ!.ÿÿÿÿÿÿÿÿÿÿ</pre>
|-
| <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00300  FF FF FF FF 11 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00300  FF FF FF FF 01 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00300  FF 7F FF FF 11 00 FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿ..ÿÿÿÿÿÿÿÿÿÿ</pre> || <pre>Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00300  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre>
|-
|}








[EOF]

----






----

= Encrypted Files on Flash =

Encrypted files on flash appear to have some sort of header

== metldr examples ==
Here are samples of metldr header from 2 different consoles

 00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
 00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«

 00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
 00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

== bootldr examples ==
Here are samples of bootldr header from 2 different consoles
 00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
 00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«

 00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
 00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

== Observations / Notes ==

As you can see, some parts appear static depending on their purpose:

metldr

 00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
 00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........

bootldr

 00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
 00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............

per console in both samples

 00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
 00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The first 4 bytes appear to reffer to length. eg:
 metldr length: 0xE920
 0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920
 bootldr length:  0x2F4F0
 0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0

Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.


----


= new metldr.2 =
Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B

<pre>
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù 
  00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
</pre>

== other new metldr ==

It seems the naming "metldr.2" does not apply to all non downgradeable consoles:

Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B<!--//Ago//-->
<pre>
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
</pre>

Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A (dump contained ROS with 3.66 and 3.70)<!--//dump contains ROS0: 3.66 / ROS1: 3.70 / Hitachi HTS545032B9SA00 110105PBPC08FDF6D63M <bluemimmo> CECH 2503B  datecode 1A  customer brought 3.66//-->
This was downgradable.. sorry, the downgrade.bin was not written correctly.. but this time i wrote it ok, so this was not a new metldr console..
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
       
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

For comparison, a CECH250.B (JSD-001), with factory 3.56 - datecode 1A which was downgradeable (dump contained ROS with 3.56 and 3.70 before downgrading to 3.55):<!--//petrm79 : factory 3.56, 320gb, cech-250.b, console code 1a, standart solder without resistors etc. nor samsung (flash 128/128). using latest qt port. check alt. meth., downgrade using dospiedra v2 (manual paste), rogero.pup//-->
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
       
  00000800   00 00 00 01 00 00 00 01  00 00 00 00 00 02 E8 00   ..............è.
  00000810   00 00 00 00 00 00 00 40  00 00 00 00 00 00 E9 60   .......@......é`
  00000820   6D 65 74 6C 64 72 00 00  00 00 00 00 00 00 00 00   metldr..........
  00000830   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
  00000840   00 00 0E 92 C3 26 6E 4B  BB 28 2E 76 B7 67 70 95   ...’Ã&nK»(.v·gp•


other new metldr mention : https://twitter.com/#!/Mathieulh/status/110779471199604736
 WTF 3.50+ consoles have a new additional root key of 0x30 bytes
 (3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O

===CECH2501B JSD-001 (320GB HDD)without datecode fw 3.66===

metldr contains other new value (E9 60), but still downgrades..

<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•
</pre>

another PS3 with CECH2501A wihtout datecode 320 GB HDD and fw 3.66 also contains other new metldr values but still downgrades...

<pre>

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•
</pre>


----


=Dumping your flash=
There are many ways you can dump your flash you can choose the way that best fits you, there are some persons studing the flash.. If you can help providing a dump (specially if you have a debug console) search for those persons in IRC Efnet #ps3dev
==Payload==
Uncomment '''dump_dev_flash()''' in graf_payloads compile and run the payload

see [[Graf's_PSGroove_Payload]] for more info

==Linux==

Using graf_chokolo kernel with '''/dev/ps3nflasha''' access

<pre>
dd if=/dev/ps3nflasha of=NOR.BIN bs=1024
</pre>

==Hardware==

see [[Hardware flashing]]

== Dump NAND/NOR from GameOS ==
precompiled : [http://gitbrew.org/~glevand/ps3/pkgs/dump_flash.pkg dump_flash.pkg]   // backup/mirror: [http://www.multiupload.com/Y1G1G7E4J4 dump_flash.pkg (70.48 KB)]<br />
source: [http://www.multiupload.com/Y9VI6SHN0L dump_flash-src.rar (2.33 KB)] <br />

Make sure USB stick is FAT32 with enough free space (16MB per NOR dump, 256MB per NAND dump)

'''remark:''' NAND dumps are 239MB because HV masks bootldr, see [http://www.ps3devwiki.com/index.php?title=Hardware_flashing#Difference_between_hardware_dumps_and_software_dumps Hardware flashing #Difference between hardware dumps and software dumps]

= NOR Unpacking // NOR Unpkg =

<pre>
/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        ptr = pkg + 0x10 + 0x30 * i;

        offset = be64(ptr + 0x00);
        size   = be64(ptr + 0x08);

        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

        printf("unpacking %s (size: %d bytes)...\n", name, size);
        memcpy_to_file((char *)name, pkg + offset, size);
}

static void unpack_pkg(void)
{
        u32 n_files;
        u64 size;
        u32 i;

        n_files = be32(pkg + 4);
        size = be64(pkg + 8);

        for (i = 0; i &lt; n_files; i++)
                unpack_file(i);
}

int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* kludge for header, i do not do sanity checks at the moment */
        pkg += 1024;

        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}
</pre>

Source: http://rms.grafchokolo.com/?p=25

= RMS - eEID splitter =

<pre>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
	     char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  int iRes, iSize;

  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
	  iEidCount, pFile, iInputSize, iInputSize);

  szBuf = (char *) malloc (iInputSize + 1);
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);

  if (szBuf == NULL)
    {
      perror ("malloc");
      exit (1);
    };

  iSize = fread (szBuf, iInputSize, 1, pFile);
  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  iRes = fwrite (szBuf, iInputSize, 1, pOutput);

  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    };

  free (szBuf);
}

int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
    usage:
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }

  if (argc == 2 && argv[2] != NULL)
    {
      pPrefix = argv[2];
      goto usage;
    }

  fseek (pFile, 0x70, SEEK_SET);

  if (pPrefix != NULL)
    {
      DumpEidData (pFile, 2144, 0, pPrefix);
      DumpEidData (pFile, 672, 1, pPrefix);
      DumpEidData (pFile, 1840, 2, pPrefix);
      DumpEidData (pFile, 256, 3, pPrefix);
      DumpEidData (pFile, 48, 4, pPrefix);
      DumpEidData (pFile, 2560, 5, pPrefix);
    }
  return 0;
}
</pre>

Source: http://rms.grafchokolo.com/?p=59

= Flash Samples =

== Reference flash dumps ==
* 3.55 kmeaw, 2.80 backup: <span style="text-decoration: line-through;">http://www.megaupload.com/?d=J5UKO3HX</span>
* 3.66 ofw: <span style="text-decoration: line-through;">http://www.mediafire.com/?m7m4mppro66zib5</span>

== User flashdumps ==
Here are some samples of NOR Flash for your dissection. These are taken from different consoles (because it is useless to dump different firmware versions as ROS/RVK will be the same crossconsole)

{| class="wikitable sortable"
|-
! SKU !! bootldr !! metldr !! ROS0 !! ROS1 !! Link !! Note
|-
! colspan="7" | PS3 Phat:
|-
| [[CECHAxx|CECHA]] ||  || || || || || 
|-
| [[CECHBxx|CECHB]] ||  || || || || || 
|-
| [[CECHCxx|CECHC]] ||  || || || || || 
|-
| [[CECHExx|CECHE]] ||  || || || || || 
|-
| [[CECHGxx|CECHG]] ||  || || || || || 
|-
| [[CECHHxx|CECHH]] ||  || || || || || 
|-
| [[CECHJxx|CECHJ]] ||  || || || || || 
|-
| [[CECHKxx|CECHK]]||  || || || || || 
|-
| [[CECHLxx|CECHL]] || || || || || [http://punkie.xs4all.nl/CECHL03_CFW3.55_bkpps3.bin.zip] || 3.55-Rogero CECHL03
|-
| [[CECHLxx|CECHL]] || || || || || [http://punkie.xs4all.nl/CECHL03_OFW3.56_bkpps3.bin.zip] || 3.56 CECHL03
|-
| [[CECHLxx|CECHL]] || || || || || [http://punkie.xs4all.nl/CECHL03_OFW3.70_bkpps3.bin.zip] || 3.70 CECHL03
|-
| [[CECHMxx|CECHM]] || || || || || || 
|-
| [[CECHPxx|CECHP]] || || || || || || 
|-
| [[CECHQxx|CECHQ]] || || || || || || 
|-
! colspan="7" | PS3 Slim:
|-
| [[CECH-20xx|CECH-20xx]] || || || 3.65 || 3.55 || [http://dl.dropbox.com/u/964586/CECH-2008A%203.65%20OFW.bin] || 3.65 CECH-2008 A
|-
| [[CECH-20xx|CECH-20xx]] || || || 3.56 || 3.56 || [http://dl.dropbox.com/u/964586/CECH-2008B%203.56%20OFW.bin] || 3.56 CECH-2008 B
|-
| [[CECH-20xx|CECH-20xx]] || || || 3.42 || 3.70 || [http://dl.dropbox.com/u/964586/CECH-2008B%203.70%20OFW.bin] || 3.70 CECH-2008 B
|-
| [[CECH-20xx|CECH-20xx]] || || || 3.72 || 4.00 || [http://dl.dropbox.com/u/964586/CECH-2008B%204.00%20OFW.bin] || 4.00 CECH-2008 B
|-
| [[CECH-21xx|CECH-21xx]] || || || || || || 
|-
| [[CECH-25xx|CECH-25xx]] || || || 3.66 || 3.56 || [http://dl.dropbox.com/u/964586/CECH-2508B%203.60%20OFW.bin] || 3.60 CECH-2508 B
|-
| [[CECH-25xx|CECH-25xx]] || || || 3.66 || 3.72 || [http://dl.dropbox.com/u/964586/CECH-2508B%203.72%20OFW.bin] || 3.72 CECH-2508 B
|-
| [[CECH-30xx|CECH-30xx]] || || || || || || 
|-
|}