Editing Talk:Flash Structure

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
<!--// stripped old flash page //-->


= Encrypted Files on Flash =
Encrypted files on flash appear to have some sort of header
== metldr examples ==
Here are samples of metldr header from 2 different consoles
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP
== bootldr examples ==
Here are samples of bootldr header from 2 different consoles
00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP
== Observations / Notes ==
As you can see, some parts appear static depending on their purpose:
metldr
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........
bootldr
00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
per console in both samples
00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP
The first 4 bytes appear to reffer to length. eg:
metldr length: 0xE920
0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920
bootldr length:  0x2F4F0
0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0
Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.
also to note that these values are found within the eeid region.
----
= new metldr.2 =
Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B
<pre>
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù
  00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
</pre>
== other new metldr ==
It seems the naming "metldr.2" does not apply to all non downgradeable consoles:
Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B<!--//Ago//-->
<pre>
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
</pre>
Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A (dump contained ROS with 3.66 and 3.70)<!--//dump contains ROS0: 3.66 / ROS1: 3.70 / Hitachi HTS545032B9SA00 110105PBPC08FDF6D63M <bluemimmo> CECH 2503B  datecode 1A  customer brought 3.66//-->
This was downgradable.. sorry, the downgrade.bin was not written correctly.. but this time i wrote it ok, so this was not a new metldr console..
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
For comparison, a CECH250.B (JSD-001), with factory 3.56 - datecode 1A which was downgradeable (dump contained ROS with 3.56 and 3.70 before downgrading to 3.55):<!--//petrm79 : factory 3.56, 320gb, cech-250.b, console code 1a, standart solder without resistors etc. nor samsung (flash 128/128). using latest qt port. check alt. meth., downgrade using dospiedra v2 (manual paste), rogero.pup//-->
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
  00000800  00 00 00 01 00 00 00 01  00 00 00 00 00 02 E8 00  ..............è.
  00000810  00 00 00 00 00 00 00 40  00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00  00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  00000840  00 00 0E 92 C3 26 6E 4B  BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•
other new metldr mention : https://twitter.com/#!/Mathieulh/status/110779471199604736
WTF 3.50+ consoles have a new additional root key of 0x30 bytes
(3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O
===CECH2501B JSD-001 (320GB HDD)without datecode fw 3.66===
metldr contains other new value (E9 60), but still downgrades..
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•
</pre>
another PS3 with CECH2501A wihtout datecode 320 GB HDD and fw 3.66 also contains other new metldr values but still downgrades...
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•
</pre>
----
= vflash partition table =
<pre>
Done some work on decoding region 2 today:
Region 2 seems to = vflash partition table? These might be the first 2 regions?
partition table is 4096 bytes.
Format:
16 bytes 00's
16 bytes magic: 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE
8 bytes 0x03
8 bytes 0x02 (number of paritions?)
144 bytes 00's
Partition entries:
8 bytes entry point (entry point * 0x200) relative to 0x00 on flash
8 bytes entry length (entry length * 0x200)
32 bytes 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03
96 bytes 00's
</pre>
----
=Dumping your flash=
There are many ways you can dump your flash you can choose the way that best fits you, there are some persons studing the flash.. If you can help providing a dump (specially if you have a debug console) search for those persons in IRC Efnet #ps3dev
==Payload==
Uncomment '''dump_dev_flash()''' in graf_payloads compile and run the payload
see [[Graf's_PSGroove_Payload]] for more info
==Linux==
Using graf_chokolo kernel with '''/dev/ps3nflasha''' access
<pre>
dd if=/dev/ps3nflasha of=NOR.BIN bs=1024
</pre>
==Hardware==
see [[Hardware flashing]]
== Dump NAND/NOR from GameOS ==
precompiled : [http://gitbrew.org/~glevand/ps3/pkgs/dump_flash.pkg dump_flash.pkg]  // backup/mirror: [http://www.multiupload.com/Y1G1G7E4J4 dump_flash.pkg (70.48 KB)]<br />
source: [http://www.multiupload.com/Y9VI6SHN0L dump_flash-src.rar (2.33 KB)] <br />
Make sure USB stick is FAT32 with enough free space (16MB per NOR dump, 256MB per NAND dump)
'''remark:''' NAND dumps are 239MB because HV masks bootldr, see [http://www.ps3devwiki.com/index.php?title=Hardware_flashing#Difference_between_hardware_dumps_and_software_dumps Hardware flashing #Difference between hardware dumps and software dumps]
= NOR Unpacking // NOR Unpkg =
<pre>
/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/
// Copyright 2010      Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.
#include "tools.h"
#include "types.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif
u8 *pkg = NULL;
static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;
        ptr = pkg + 0x10 + 0x30 * i;
        offset = be64(ptr + 0x00);
        size  = be64(ptr + 0x08);
        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);
        printf("unpacking %s (size: %d bytes)...\n", name, size);
        memcpy_to_file((char *)name, pkg + offset, size);
}
static void unpack_pkg(void)
{
        u32 n_files;
        u64 size;
        u32 i;
        n_files = be32(pkg + 4);
        size = be64(pkg + 8);
        for (i = 0; i &lt; n_files; i++)
                unpack_file(i);
}
int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");
        pkg = mmap_file(argv[1]);
        /* kludge for header, i do not do sanity checks at the moment */
        pkg += 1024;
        MKDIR(argv[2], 0777);
        if (chdir(argv[2]) != 0)
                fail("chdir");
        unpack_pkg();
        return 0;
}
</pre>
Source: http://rms.grafchokolo.com/?p=25
= RMS - eEID splitter =
<pre>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
    char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  int iRes, iSize;
  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
  iEidCount, pFile, iInputSize, iInputSize);
  szBuf = (char *) malloc (iInputSize + 1);
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);
  if (szBuf == NULL)
    {
      perror ("malloc");
      exit (1);
    };
  iSize = fread (szBuf, iInputSize, 1, pFile);
  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  iRes = fwrite (szBuf, iInputSize, 1, pOutput);
  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    };
  free (szBuf);
}
int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;
  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
    usage:
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }
  if (argc == 2 && argv[2] != NULL)
    {
      pPrefix = argv[2];
      goto usage;
    }
  fseek (pFile, 0x70, SEEK_SET);
  if (pPrefix != NULL)
    {
      DumpEidData (pFile, 2144, 0, pPrefix);
      DumpEidData (pFile, 672, 1, pPrefix);
      DumpEidData (pFile, 1840, 2, pPrefix);
      DumpEidData (pFile, 256, 3, pPrefix);
      DumpEidData (pFile, 48, 4, pPrefix);
      DumpEidData (pFile, 2560, 5, pPrefix);
    }
  return 0;
}
</pre>
Source: http://rms.grafchokolo.com/?p=59
= Flash Samples =
== Reference flash dumps ==
* 3.55 kmeaw, 2.80 backup: <span style="text-decoration: line-through;">http://www.megaupload.com/?d=J5UKO3HX</span>
* 3.66 ofw: <span style="text-decoration: line-through;">http://www.mediafire.com/?m7m4mppro66zib5</span>
== User flashdumps ==
Here are some samples of NOR Flash for your dissection. These are taken from different consoles (because it is useless to dump different firmware versions as ROS/RVK will be the same crossconsole)
{| class="wikitable sortable"
|-
! SKU !! bootldr !! metldr !! ROS0 !! ROS1 !! Link !! Note
|-
! colspan="7" | PS3 Phat:
|-
| [[CECHAxx|CECHA]] ||  || || || || ||
|-
| [[CECHBxx|CECHB]] ||  || || || || ||
|-
| [[CECHCxx|CECHC]] ||  || || || || ||
|-
| [[CECHExx|CECHE]] ||  || || || || ||
|-
| [[CECHGxx|CECHG]] ||  || || || || ||
|-
| [[CECHHxx|CECHH]] ||  || || || || ||
|-
| [[CECHJxx|CECHJ]] ||  || || || || ||
|-
| [[CECHKxx|CECHK]]||  || || || || ||
|-
| [[CECHLxx|CECHL]] || || || || || [http://punkie.xs4all.nl/CECHL03_CFW3.55_bkpps3.bin.zip] || 3.55-Rogero CECHL03
|-
| [[CECHLxx|CECHL]] || || || || || [http://punkie.xs4all.nl/CECHL03_OFW3.56_bkpps3.bin.zip] || 3.56 CECHL03
|-
| [[CECHLxx|CECHL]] || || || || || [http://punkie.xs4all.nl/CECHL03_OFW3.70_bkpps3.bin.zip] || 3.70 CECHL03
|-
| [[CECHMxx|CECHM]] || || || || || ||
|-
| [[CECHPxx|CECHP]] || || || || || ||
|-
| [[CECHQxx|CECHQ]] || || || || || ||
|-
! colspan="7" | PS3 Slim:
|-
| [[CECH-20xx|CECH-20xx]] || || || 3.65 || 3.55 || [http://dl.dropbox.com/u/964586/CECH-2008A%203.65%20OFW.bin] || 3.65 CECH-2008 A
|-
| [[CECH-20xx|CECH-20xx]] || || || 3.56 || 3.56 || [http://dl.dropbox.com/u/964586/CECH-2008B%203.56%20OFW.bin] || 3.56 CECH-2008 B
|-
| [[CECH-20xx|CECH-20xx]] || || || 3.42 || 3.70 || [http://dl.dropbox.com/u/964586/CECH-2008B%203.70%20OFW.bin] || 3.70 CECH-2008 B
|-
| [[CECH-20xx|CECH-20xx]] || || || 3.72 || 4.00 || [http://dl.dropbox.com/u/964586/CECH-2008B%204.00%20OFW.bin] || 4.00 CECH-2008 B
|-
| [[CECH-21xx|CECH-21xx]] || || || || || ||
|-
| [[CECH-25xx|CECH-25xx]] || || || 3.66 || 3.56 || [http://dl.dropbox.com/u/964586/CECH-2508B%203.60%20OFW.bin] || 3.60 CECH-2508 B
|-
| [[CECH-25xx|CECH-25xx]] || || || 3.66 || 3.72 || [http://dl.dropbox.com/u/964586/CECH-2508B%203.72%20OFW.bin] || 3.72 CECH-2508 B
|-
| [[CECH-30xx|CECH-30xx]] || || || || || ||
|-
|}
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/ps3/Talk:Flash_Structure"