Editing Talk:SC EEPROM

== Memory test diagnosis NVS flag ==

There is a NVS flag which enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows memtest diagnose.

Pseudo-code:
<source lang="python">
def check_bootrom_diag_mode(mode, param)
        diag_mode = get_eeprom_bootrom_diag()
        if diag_mode & 0x1:
                if diag_mode & 0x100:
                        return 0
                mode = (diag_mode >> 3) & 0x1
                param = (diag_mode >> 3) & 0x1
        else:
                mode = (diag_mode >> 1) & 0x1
                param = -1
        return 1
</source>

== EEPROM Dumps ==

* https://mega.co.nz/#!Bk1ESBZT!pqAB6riHhZSCPAftvjm2MFf3j0It61huT3WT2AbWS-A -> DEAD LINK

== EEPROM Strings (CP memory dump, DECR) ==

http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK

== Bus Pirate stuff ==

http://i.imgur.com/48rbR51.png

(needs more wikifying)

== On standby ==

* Note: during this time the plaintext EEPROM is never read even once!
* Additionally, the areas 0x26B0, 0x26D0 are not read

* Checks status
* Unlocks Write Command
* Reads PATCH top half region
* Reads PATCH bottom half region
* Reads 0x2790?(0x20)
* Reads 0x27B0?(0x10)
* Reads 0x26D0 (0x10)
* Reads some configs? (around >0x31XX area)
* Reads 0x0 (0x10)
* Reads some configs?
* Reads 0x10(0x280) (EID1)?
* Reads 0x3A00 (0x1)
* Reads 0x290 (0x10) (EID1 CMAC?)
* Reads 0x2A0 (0x20)
* Reads 0x2C0 (0x20)
* Reads 0x2E0 (0x20)
* Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
* ReReads EID1 and CMAC
* Reads 0x360
* Reads 0x370
* Writes (again) mostly ff's to 0x360 and 0x370
* ReReads EID1 and CMAC
* Does same process with 0x460 and 0x470
* Reads 0x2710 and 0x2730 (0x20,0x10) ???
* Reads 0x2700 (0x10)
* fini!

= MemoryMap Syscon BB Chip =

<pre>
0x1000-0x1FFF:PTCH Region (patch written here)
</pre>

= Nice read about Syscon EEPROM =

http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/

= Experimental table =
The goal is to join together all the "memory map" info in a single table

{| class="wikitable" style="line-height:110%; font-size:90%"
|+ Round 1
! colspan="2" | Area !! colspan="4" | [[Syscon_Hardware|SPI / UART]] !! colspan="8" | [[LV2_Functions_and_Syscalls#process_socket_service_syscalls|Syscall 863]] !! rowspan="3" | Data Name !! rowspan="3" | Notes
|-
! rowspan="2" | Name !! rowspan="2" | Size !! colspan="2" | [[Mullion]] !! style="padding:1px" | [[Sherwood]] !! rowspan="2" style="padding:1px" | [[Syscon_Firmware#Command_list|EEP]]<br>whitelist !! rowspan="2" | [[SC_Communication#Syscon_Services|NVS]]<br>ID !! rowspan="2" style="padding:1px" | Block<br>ID !! colspan="2" style="padding:1px" | [[Update_Manager|UM]] whitelist !! colspan="2" style="padding:1px" | [[SC_Manager|SCM]] whitelist !! rowspan="2" | Offset !! rowspan="2" | Size
|-
! style="padding:1px" | [[Syscon_CXR713_Series|CXR713]] !! style="padding:1px" | [[Syscon_CXR714_Series|CXR714]] !! [[Syscon_SW_Series|SW]]/[[Syscon_SW2_Series|2]]/[[Syscon_SW3_Series|3]] !! style="padding:1px" | Read !! style="padding:1px" | Write !! style="padding:1px" | Read !! style="padding:1px" | Write
|-
! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Patch Part 1</span>
! 0x400
| 0x2800 || 0x2800 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" | <abbr title="Locked by the patch. Unlocked by deleting the patch">No*</abbr> || {{cellcolors|lightgrey}} N/A || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || {{no}} || 0x02800 || 0x400 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (top half) || 
|-
! rowspan="6" | <span style="writing-mode:vertical-lr; transform:rotate(180deg);">OS Version Area<br>a.k.a.<br>Industry Area</span>
! rowspan="6" | 0x100
| rowspan="6" | 0x2F00 || rowspan="6" | 0x2F00 || rowspan="6" | 0xE00 || rowspan="6" {{yes}} || rowspan="6" | 0x20 || rowspan="6" | 0x10 || {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F00 || 0x08 || Manufacturing Update Release Version || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F08 || 0x18 || Manufacturing Update Build Version + Build Date || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F20 || 0x08 || Manufacturing Update Build Target ID || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F28 || 0xD0 || {{cellcolors|#ff9999}} Undocumented || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02FF8 || 0x01 || Factory Bit || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02FF9 || 0x07 || {{cellcolors|#ff9999}} Undocumented || 
|}


{| class="wikitable" style="line-height:110%; font-size:90%"
|+ Round 2
! colspan="2" | Area !! colspan="4" | [[Syscon_Hardware|SPI / UART]] !! colspan="6" | [[LV2_Functions_and_Syscalls#process_socket_service_syscalls|Syscall 863]] !! rowspan="3" | Data Name !! rowspan="3" | Notes
|-
! rowspan="2" | Name !! rowspan="2" | Size !! colspan="2" | [[Mullion]] !! style="padding:1px" | [[Sherwood]] !! style="padding:1px" | whitelist !! rowspan="2" | [[SC_Communication#Syscon_Services|Block ID<br>NVS Region]] !! colspan="3" | whitelist !! rowspan="2" | Offset !! rowspan="2" | Size
|-
! style="padding:1px" | [[Syscon_CXR713_Series|CXR713]] !! style="padding:1px" | [[Syscon_CXR714_Series|CXR714]] !! [[Syscon_SW_Series|SW]]/[[Syscon_SW2_Series|2]]/[[Syscon_SW3_Series|3]] !! [[Syscon_Firmware#Command_list|EEP]] !! [[Dispatcher_Manager|DM]] !! [[Update_Manager|UM]] !! [[SC_Manager|SCM]]
|-
! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Patch Part 1</span>
! 0x400
| 0x2800 || 0x2800 || <abbr title="On Sherwood the patch isn't even stored in the emulated eeprom, it's stored inside the firmware (0x2000-0x2FFF)>0x2000 ?</abbr> || {{exploitable}} || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || 0x02800 || 0x400 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (top half) || 
|-
! rowspan="6" | <span style="writing-mode:vertical-lr; transform:rotate(180deg);">OS Version Area<br>a.k.a.<br>Industry Area</span>
! rowspan="6" | 0x100
| rowspan="6" | 0x2F00 || rowspan="6" | 0x2F00 || rowspan="6" | 0xE00 || rowspan="6" {{yes}} || rowspan="6" | 0x10 || rowspan="6" {{patchable}} || rowspan="6" {{yes}} || rowspan="6" {{yes}} || 0x02F00 || 0x08 || Manufacturing Update Release Version || e.g: 04.6000
|-
| 0x02F08 || 0x18 || Manufacturing Update Build Version + Build Date || e.g: 63910,20140618
|-
| 0x02F20 || 0x08 || Manufacturing Update Build Target ID || Written during the manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt<br>0x83 = CEX-ww<br>0x82 = DEX-ww<br>0x81 = DevelopmentTool<br>0xDEAD = ?
|-
| 0x02F28 || 0xD0 || {{cellcolors|#ff9999}} Undocumented || 
|-
| 0x02FF8 || 0x01 || Factory Bit || 0 = ?<br>1 = Reset<br>2 = ?<br>3 = ? (used on retails)
|-
| 0x02FF9 || 0x07 || {{cellcolors|#ff9999}} Undocumented || 
|-
! rowspan="3" | <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Flags and Tokens</span>
! rowspan="3" | 0x100
| rowspan="3" | 0x7200 || rowspan="3" | 0x4200 || rowspan="3" | 0x1200 || rowspan="3" {{yes}} || rowspan="3" | 0x02 || {{patchable}} || {{yes}} || {{yes}} || 0x48C00 || 0x01 || OS boot order flag || load_image_in_rom (os_boot_order_flag)<br>0 = Network first<br>1 = Flash first
|-
| {{patchable}} || {{patchable}} || {{yes}} || 0x48C01 || 0x01 || sys.dbgcard.hostpc || force standalone mode related
|-
| {{patchable}} || {{yes}} || {{yes}} || 0x48C02 || 0x01 || Network Debug Interface Mode || sys.dbgcard.dgbe / debug interface (select_net_device)<br>-1 = Ethernet 2<br>&nbsp;0 = IFB<br>&nbsp;1 = CP<br>&nbsp;2 = SB UART<br>&nbsp;3 = CP ch4<br>&nbsp;5 = Disabled
|}