Editing Talk:SC EEPROM

== Memory test diagnosis NVS flag ==

There is a NVS flag which enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows memtest diagnose.

Pseudo-code:
<source lang="python">
def check_bootrom_diag_mode(mode, param)
        diag_mode = get_eeprom_bootrom_diag()
        if diag_mode & 0x1:
                if diag_mode & 0x100:
                        return 0
                mode = (diag_mode >> 3) & 0x1
                param = (diag_mode >> 3) & 0x1
        else:
                mode = (diag_mode >> 1) & 0x1
                param = -1
        return 1
</source>

== EEPROM Dumps ==

* https://mega.co.nz/#!Bk1ESBZT!pqAB6riHhZSCPAftvjm2MFf3j0It61huT3WT2AbWS-A -> DEAD LINK

== EEPROM Strings (CP memory dump, DECR) ==

http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK

== Bus Pirate stuff ==

http://i.imgur.com/48rbR51.png

(needs more wikifying)

== On standby ==

* Note: during this time the plaintext EEPROM is never read even once!
* Additionally, the areas 0x26B0, 0x26D0 are not read

* Checks status
* Unlocks Write Command
* Reads PATCH top half region
* Reads PATCH bottom half region
* Reads 0x2790?(0x20)
* Reads 0x27B0?(0x10)
* Reads 0x26D0 (0x10)
* Reads some configs? (around >0x31XX area)
* Reads 0x0 (0x10)
* Reads some configs?
* Reads 0x10(0x280) (EID1)?
* Reads 0x3A00 (0x1)
* Reads 0x290 (0x10) (EID1 CMAC?)
* Reads 0x2A0 (0x20)
* Reads 0x2C0 (0x20)
* Reads 0x2E0 (0x20)
* Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
* ReReads EID1 and CMAC
* Reads 0x360
* Reads 0x370
* Writes (again) mostly ff's to 0x360 and 0x370
* ReReads EID1 and CMAC
* Does same process with 0x460 and 0x470
* Reads 0x2710 and 0x2730 (0x20,0x10) ???
* Reads 0x2700 (0x10)
* fini!

= MemoryMap Syscon BB Chip =

<pre>
0x1000-0x1FFF:PTCH Region (patch written here)
</pre>

= Nice read about Syscon EEPROM =

http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/

= Experimental table =
The goal is to join together all the "memory map" info in a single table

{| class="wikitable" style="line-height:110%; font-size:90%"
|+ Round 1
! colspan="2" | Area !! colspan="4" | [[Syscon_Hardware|SPI / UART]] !! colspan="8" | [[LV2_Functions_and_Syscalls#process_socket_service_syscalls|Syscall 863]] !! rowspan="3" | Data Name !! rowspan="3" | Notes
|-
! rowspan="2" | Name !! rowspan="2" | Size !! colspan="2" | [[Mullion]] !! style="padding:1px" | [[Sherwood]] !! rowspan="2" style="padding:1px" | [[Syscon_Firmware#Command_list|EEP]]<br>whitelist !! rowspan="2" | [[SC_Communication#Syscon_Services|NVS]]<br>ID !! rowspan="2" style="padding:1px" | Block<br>ID !! colspan="2" style="padding:1px" | [[Update_Manager|UM]] whitelist !! colspan="2" style="padding:1px" | [[SC_Manager|SCM]] whitelist !! rowspan="2" | Offset !! rowspan="2" | Size
|-
! style="padding:1px" | [[Syscon_CXR713_Series|CXR713]] !! style="padding:1px" | [[Syscon_CXR714_Series|CXR714]] !! [[Syscon_SW_Series|SW]]/[[Syscon_SW2_Series|2]]/[[Syscon_SW3_Series|3]] !! style="padding:1px" | Read !! style="padding:1px" | Write !! style="padding:1px" | Read !! style="padding:1px" | Write
|-
! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Patch Part 1</span>
! 0x400
| 0x2800 || 0x2800 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" | <abbr title="Locked by the patch. Unlocked by deleting the patch">No*</abbr> || {{cellcolors|lightgrey}} N/A || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || {{no}} || 0x02800 || 0x400 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (top half) || 
|-
! rowspan="6" | <span style="writing-mode:vertical-lr; transform:rotate(180deg);">OS Version Area<br>a.k.a.<br>Industry Area</span>
! rowspan="6" | 0x100
| rowspan="6" | 0x2F00 || rowspan="6" | 0x2F00 || rowspan="6" | 0xE00 || rowspan="6" {{yes}} || rowspan="6" | 0x20 || rowspan="6" | 0x10 || {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F00 || 0x08 || Manufacturing Update Release Version || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F08 || 0x18 || Manufacturing Update Build Version + Build Date || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F20 || 0x08 || Manufacturing Update Build Target ID || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F28 || 0xD0 || {{cellcolors|#ff9999}} Undocumented || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02FF8 || 0x01 || Factory Bit || 
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02FF9 || 0x07 || {{cellcolors|#ff9999}} Undocumented || 
|}


{| class="wikitable" style="line-height:110%; font-size:85%"
|+ Round 2
! colspan="3" | Area !! colspan="4" | [[Syscon_Hardware|<abbr title="Only Mullion syscons have a direct SPI access to the EEPROM>SPI</abbr> / <abbr title="All syscons have a UART access>UART</abbr>]] !! colspan="6" | [[LV2_Functions_and_Syscalls#process_socket_service_syscalls|Syscall 863]] !! rowspan="3" | Data Name !! rowspan="3" | Notes
|-
! rowspan="2" | Name !! rowspan="2" | Size !! style="padding:1px" rowspan="2" | [[Template:Syscon_checksums|<Abbr title="Checksum">csum</abbr>]] !! colspan="2" | [[Mullion]] !! style="padding:1px" | [[Sherwood]] !! style="padding:1px" | whitelist !! rowspan="2" style="padding:1px" | [[SC_Communication#Syscon_Services|Block ID<br>NVS Region]] !! colspan="3" | whitelist !! rowspan="2" | Offset !! rowspan="2" | Size
|-
! style="padding:1px" | [[Syscon_CXR713_Series|CXR713]] !! style="padding:1px" | [[Syscon_CXR714_Series|CXR714]] !! [[Syscon_SW_Series|SW]]/[[Syscon_SW2_Series|2]]/[[Syscon_SW3_Series|3]]<small><abbr title="Emulated EEPROM">(emu)</abbr></small> !! [[Syscon_Firmware#Command_list|EEP]] !! [[Dispatcher_Manager|DM]] !! [[Update_Manager|UM]] !! [[SC_Manager|SCM]]
|-
! System Info
! 0x200
| {{no}} || 0x2600 || 0x2600 || ? || ? || ? || ? || ? || ? || ? || 0x200 ||  || {{cellcolors|#ffff99}} Encrypted data at relative offset 0xB0
|-
! Patch 1
! 0x400
| {{No}} || 0x2800 || 0x2800 || <abbr title="On Sherwood the patch isn't even stored in the emulated eeprom, it's stored inside the firmware (0x2000-0x2FFF)>0x2000 ?</abbr> || {{exploitable}} || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || 0x02800 || 0x400 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (top half) || {{cellcolors|#ffff99}} Encrypted data
|- {{cellcolors|lightgrey}}
! -
! 0x300
| {{No}} || 0x2C00 || 0x2C00 || N/A ? || {{yes}} ? || N/A || {{no}} || {{no}} || {{no}} || 0x02C00 || 0x300 || ''empty'' || Region not used
|-
! rowspan="6" | Industry Area
! rowspan="6" | 0x100
| rowspan="6" {{no}} || rowspan="6" | 0x2F00 || rowspan="6" | 0x2F00 || rowspan="6" | 0xE00 || rowspan="6" {{yes}} || rowspan="6" | 0x10 || rowspan="6" {{patchable}} || rowspan="6" {{yes}} || rowspan="6" {{yes}} || 0x02F00 || 0x08 || Manufacturing Update Release Version || e.g: 04.6000
|-
| 0x02F08 || 0x18 || Manufacturing Update Build Version + Build Date || e.g: 63910,20140618
|-
| 0x02F20 || 0x08 || Manufacturing Update Build Target ID || Written during the manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt<br>0x83 = CEX-ww<br>0x82 = DEX-ww<br>0x81 = DevelopmentTool<br>0xDEAD = ?
|-
| 0x02F28 || 0xD0 || {{cellcolors|#ff9999}} Undocumented || 
|-
| 0x02FF8 || 0x01 || Factory Bit || 0 = ?<br>1 = Reset<br>2 = ?<br>3 = ? (used on retails)
|-
| 0x02FF9 || 0x07 || {{cellcolors|#ff9999}} Undocumented || 
|-
! Customer Service Area
! 0x100
| {{no}} || 0x3000 || 0x3000 || 0xF00 || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || 0x20 || ? || ? || ? || ? || 0x100 ||  || 
|-
! Platform Config
! 0x100
| {{yes}} || 0x3100 || 0x3100 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x100 ||  || 
|-
! Hardware Config
! 0x100
| {{yes}} || 0x3200 || 0x3200 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x100 ||  || 
|-
! Thermal Config
! 0x200
| {{yes}} || 0x3300 || 0x3300 || 0x250 || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x200 || Data table using [[Syscon_Thermal_Config/structs|this C structure]] || See: [[Syscon Thermal Config]]
|-
! On/Off Count/Time
! 0x200
| {{no}} || 0x3500 || 0x3500 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x200 || Data table || 
|-
! Error Log
! 0x100
| {{no}} || 0x3700 || 0x3700 || 0x900 || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x100 || Data table || See: [[Syscon Error Codes]]
|- {{cellcolors|lightgrey}}
! -
! 0x100
| {{No}} || 0x3800 || 0x3800 || N/A ? || {{yes}} ? || N/A || {{no}} || {{no}} || {{no}} || ? || 0x100 || ''empty'' || Region not used
|-
! Board Config
! 0x100
| {{yes}} || 0x3900 || 0x3900 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x100 ||  || 
|-
! HDMI/DVE Config
! 0x100
| {{no}} || 0x3A00 || 0x3A00 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x100 ||  || 
|- {{cellcolors|lightgrey}}
! -
! 0x100
| {{No}} || 0x3B00 || 0x3B00 || N/A ? || {{yes}} ? || N/A || {{no}} || {{no}} || {{no}} || ? || 0x100 || ''empty'' || Region not used
|- {{cellcolors|lightgrey}}
! -
! 0x200
| {{yes}} || 0x3C00 || 0x3C00 || N/A ? || {{yes}} ? || N/A || {{no}} || {{no}} || {{no}} || ? || 0x200 || ''empty'' || Region not used
|- {{cellcolors|lightgrey}}
! -
! 0x200
| {{yes}} || 0x3E00 || 0x3E00 || N/A ? || {{yes}} ? || N/A || {{no}} || {{no}} || {{no}} || ? || 0x200 || ''empty'' || Region not used
|- {{cellcolors|lightgrey}}
! -
! 0x400
| {{No}} || 0x4000 || 0x7000 || N/A ? || {{yes}} ? || N/A || {{no}} || {{no}} || {{no}} || ? || 0x400 || ''empty'' || Region not used
|- {{cellcolors|lightgrey}}
! -
! 0xB00
| {{No}} || 0x4400 || 0x7400 || N/A ? || {{yes}} ? || N/A || {{no}} || {{no}} || {{no}} || ? || 0xB00 || ''empty'' || Region not used
|- {{cellcolors|lightgrey}}
! -
! 0x2000
| {{No}} || 0x5000 || 0x5000 || N/A ? || {{yes}} ? || N/A || {{no}} || {{no}} || {{no}} || ? || 0x2000 || ''empty'' || Region not used
|-
! System Software Config
! 0x100
| {{no}} || 0x7000 || 0x4000 || 0x1000 || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || 0x0 || ? || ? || ? || ? || 0x100 ||  || 
|-
! System Software Config
! 0x100
| {{no}} || 0x7100 || 0x4100 || 0x1100 || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || 0x1 || ? || ? || ? || ? || 0x100 ||  || 
|-
! rowspan="3" | System Software Config<br>a.k.a.<br><strike>Flags and Tokens</strike>
! rowspan="3" | 0x100
| rowspan="3" {{no}} || rowspan="3" | 0x7200 || rowspan="3" | 0x4200 || rowspan="3" | 0x1200 || rowspan="3" {{yes}} || rowspan="3" | 0x2 || {{patchable}} || {{yes}} || {{yes}} || 0x48C00 || 0x01 || OS boot order flag || load_image_in_rom (os_boot_order_flag)<br>0 = Network first<br>1 = Flash first
|-
| {{patchable}} || {{patchable}} || {{yes}} || 0x48C01 || 0x01 || sys.dbgcard.hostpc || force standalone mode related
|-
| {{patchable}} || {{yes}} || {{yes}} || 0x48C02 || 0x01 || Network Debug Interface Mode || sys.dbgcard.dgbe / debug interface (select_net_device)<br>-1 = Ethernet 2<br>&nbsp;0 = IFB<br>&nbsp;1 = CP<br>&nbsp;2 = SB UART<br>&nbsp;3 = CP ch4<br>&nbsp;5 = Disabled
|-
! System Software Config
! 0x100
| {{no}} || 0x7300 || 0x4300 || 0x1300 || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || 0x3 || ? || ? || ? || ? || 0x100 ||  || 
|-
! Patch 2
! 0xC00
| {{No}} || 0x7400 || 0x4400 || <abbr title="On Sherwood the patch isn't even stored in the emulated eeprom, it's stored inside the firmware (0x2000-0x2FFF)>0x2400 ?</abbr> || {{exploitable}} || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || ? || ? || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (bottom half) || {{cellcolors|#ffff99}} Encrypted data
|}