Talk:Flash Structure: Difference between revisions
Revision as of 14:34, 26 November 2012
First Region
trvk_prg
NOR: split into 2 separate sections trvk_prg0 (0x40000) + trvk_prg1 (0x060000)
NAND: 1 region (0x0091800) with 2 combined sections of trvk_prg0 + trvk_prg1
Header
Only seen on NAND, with 2 combined sections of trvk_prg0 + trvk_prg1
example
NOR: | NAND: 0x0091800 - 0x009181F |
---|---|
N.A. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00091800 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 ....... ....... 00091810 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ...... ......... |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x20 | Offset to region (relative to base 0x91800) |
0x8 | 0x8 | 0x20 | Offset to file (relative to base 0x91800) |
0x10 | 0x8 | 0x2000 | Region Size |
0x18 | 0x8 | 0x0 | Unknown |
trvk_prg File Entries
32 byte SCE header for each trvk_prg file, followed by the signed/encrypted data. For content/structure, see: Revokation
trvk_prg0
example
NOR: trvk_prg0 (0x40000) | NAND: trvk_prg0 (0x0091820) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00040000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 C0 ...............À 00040010 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00040020 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 C0 ...............À |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00091820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 ...............à 00091830 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00091840 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 ...............à |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x02C0 | Data size |
0x10 | 0x4 | ASCII:SCE. | Magic Header |
0x14 | 0x4 | 0x2 | Unknown |
0x18 | 0x4 | 0x2 | Unknown |
0x1C | 0x4 | 0x0 | Unknown |
0x20 | 0x8 | 0x200 | Unknown |
0x28 | 0x8 | 0xE0 | Meta size |
trvk_prg1
example
NOR: trvk_prg1 (0x060000) | NAND: trvk_prg1 (0x0092810) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00060000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 ...............à 00060010 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00060020 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 ...............à |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00092810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 ...............à 00092820 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00092830 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 ...............à |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x2E0 | Data size |
0x10 | 0x4 | ASCII:SCE. | Magic Header |
0x14 | 0x4 | 0x2 | Unknown |
0x18 | 0x4 | 0x2 | Unknown |
0x1C | 0x4 | 0x0 | Unknown |
0x20 | 0x8 | 0x200 | Unknown |
0x28 | 0x8 | 0xE0 | Meta size |
trvk_pkg
NOR: split into 2 separate sections trvk_pkg0 (0x080000) + trvk_pkg1 (0x0A0000)
NAND: 1 region (0x0093800) with 2 combined sections of trvk_pkg0 + trvk_pkg1
Header
Only seen on NAND, with 2 combined sections of trvk_pkg0 + trvk_pkg1
example
NOR: | NAND: 0x0093800 - 0x009381F |
---|---|
N.A. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00093800 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 ................ 00093810 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ...... ......... |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x1010 | Offset to region (relative to base 0x93800) |
0x8 | 0x8 | 0x1010 | Offset to file (relative to base 0x93800) |
0x10 | 0x8 | 0x2000 | Region Size |
0x18 | 0x8 | 0x0 | Unknown |
trvk_pkg File Entries
32 byte SCE header for each trvk_pkg file, followed by the signed/encrypted data. For content/structure, see: Revokation
trvk_pkg0
example
NOR: trvk_pkg0 (0x80000) | NAND: trvk_pkg0 (0x0093820) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00080000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60 ...............` 00080010 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00080020 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 60 ...............` |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00093820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@ 00093830 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00093840 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x260 | Data size |
0x10 | 0x4 | ASCII:SCE. | Magic Header |
0x14 | 0x4 | 0x2 | Unknown |
0x18 | 0x4 | 0x2 | Unknown |
0x1C | 0x4 | 0x0 | Unknown |
0x20 | 0x8 | 0x200 | Unknown |
0x28 | 0x8 | 0x60 | Unknown |
trvk_pkg1
example
NOR: trvk_pkg1 (0x0A0000) | NAND: trvk_pkg1 (0x0094810) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000A0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60 ...............` 000A0010 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 000A0020 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 60 ...............` |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00094810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@ 00094820 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00094830 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x260 | Data size |
0x10 | 0x4 | ASCII:SCE. | Magic Header |
0x14 | 0x4 | 0x2 | Unknown |
0x18 | 0x4 | 0x2 | Unknown |
0x1C | 0x4 | 0x0 | Unknown |
0x20 | 0x8 | 0x200 | Unknown |
0x28 | 0x8 | 0x60 | Unknown |
creserved_0
Location:
- as file: in both ROS areas for both NOR + NAND
- as separate flash region: NAND only (0x0095800 - 0x00BFFFF)
example
NOR: | NAND: 0x0095800 - 0x00BFFFF |
---|---|
N.A. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00095800 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00095810 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 000BFFE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000BFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x2A800 | 0xFF | FF filled area |
ros
NOR: split into 2 separate sections ros0 (0x0C0000) + ros1 (0x7C0000)
NAND: 1 region (0x00C0000) with 2 combined sections of ros0 (0x00C0020) + ros1 (0x07C0000)
Header
Only seen on NAND, with 2 combined sections of ros0 + ros1
example
NOR: | NAND: 0x00C0000 - 0x00C001F |
---|---|
N.A. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0000 00 00 00 00 00 70 00 10 00 00 00 00 00 70 00 10 .....p.......p.. 000C0010 00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00 .....à.......... |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x20 (ros0) or 0x700010 (ros1) | Offset to region (relative to base 0xC0000) |
0x8 | 0x8 | 0x20 (ros0) or 0x700010 (ros1) | Offset to region (relative to base 0xC0000) |
0x10 | 0x8 | 0xE00000 | Unknown |
0x18 | 0x8 | 0x0 | Unknown |
ros Entries
ros0
header
example
NOR: ros00 (0x00C0000 - 0x00C001F) | NAND: ros0 (0x00C0020 - 0x00C003F) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0000 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà 000C0010 00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0020 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà 000C0030 00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x6FFFE0 | Length of Flash Region (relative to region start) |
0x10 | 0x4 | 0x1 | Unknown |
0x14 | 0x4 | 0x18 | Entry Count |
0x18 | 0x8 | 0x6FFFE0 | Length of Flash Region (relative to region start) |
Entry Table
Then follows a 48 byte entry for each file
example
NOR: ros0 (0x00C0020 - ) | NAND: ros0 (0x00C0040 - ) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0020 00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................ 000C0030 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0..... 000C0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0050 00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................ 000C0060 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version..... 000C0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0080 00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ 000C0090 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr.......... 000C00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C00B0 00 00 00 00 00 05 ED 00 00 00 00 00 00 01 75 F8 ......í.......uø 000C00C0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr.......... 000C00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C00E0 00 00 00 00 00 07 63 00 00 00 00 00 00 01 2F 94 ......c......./” 000C00F0 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr.......... 000C0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0110 00 00 00 00 00 08 93 00 00 00 00 00 00 01 F6 D8 ......“.......öØ 000C0120 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr.......... 000C0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0140 00 00 00 00 00 0A 89 D8 00 00 00 00 00 00 FB 4C ......‰Ø......ûL 000C0150 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri 000C0160 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self....... 000C0170 00 00 00 00 00 0B 85 24 00 00 00 00 00 00 5A 94 ......…$......Z” 000C0180 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces 000C0190 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........ 
000C01A0 00 00 00 00 00 0B DF B8 00 00 00 00 00 00 63 D0 ......߸......cÐ 000C01B0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce 000C01C0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self....... 000C01D0 00 00 00 00 00 0C 43 88 00 00 00 00 00 01 53 2C ......Cˆ......S, 000C01E0 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self..... 000C01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0200 00 00 00 00 00 0D 96 B4 00 00 00 00 00 00 42 98 ......–´......B˜ 000C0210 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s 000C0220 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf............. 000C0230 00 00 00 00 00 0D D9 4C 00 00 00 00 00 00 D7 F0 ......ÙL......×ð 000C0240 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel 000C0250 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f............... 000C0260 00 00 00 00 00 0E B1 3C 00 00 00 00 00 00 80 8C ......±<......€Œ 000C0270 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul 000C0280 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C0290 00 00 00 00 00 0F 31 C8 00 00 00 00 00 00 88 B8 ......1È......ˆ¸ 000C02A0 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul 000C02B0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C02C0 00 00 00 00 00 0F BA 80 00 00 00 00 00 00 C0 78 ......º€......Àx 000C02D0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul 000C02E0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C02F0 00 00 00 00 00 10 7A F8 00 00 00 00 00 00 5D B0 ......zø......]° 000C0300 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul 000C0310 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C0320 00 00 00 00 00 10 D8 A8 00 00 00 00 00 00 22 A0 ......ب......" 000C0330 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp..... 000C0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
000C0350 00 00 00 00 00 10 FB 80 00 00 00 00 00 12 6A A0 ......û€......j 000C0360 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........ 000C0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0380 00 00 00 00 00 23 66 80 00 00 00 00 00 03 E8 A8 .....#f€......è¨ 000C0390 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0............. 000C03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C03B0 00 00 00 00 00 27 4F 28 00 00 00 00 00 17 4A 18 .....'O(......J. 000C03C0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self. 000C03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C03E0 00 00 00 00 00 3E 99 40 00 00 00 00 00 07 0F 94 .....>™@.......” 000C03F0 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin.... 000C0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0410 00 00 00 00 00 45 A8 D4 00 00 00 00 00 08 04 18 .....E¨Ô........ 000C0420 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self.. 000C0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0440 00 00 00 00 00 4D AC EC 00 00 00 00 00 06 0D 78 .....M¬ì.......x 000C0450 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self... 000C0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0470 00 00 00 00 00 53 BA 64 00 00 00 00 00 00 12 A8 .....Sºd.......¨ 000C0480 6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F manu_info_spu_mo 000C0490 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00 dule.self....... |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0040 00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................ 000C0050 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0..... 000C0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0070 00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................ 000C0080 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version..... 000C0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C00A0 00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ 000C00B0 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr.......... 000C00C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C00D0 00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0 ......í.......oð 000C00E0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr.......... 000C00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0100 00 00 00 00 00 07 5D 00 00 00 00 00 00 01 2F 74 ......]......./t 000C0110 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr.......... 000C0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0130 00 00 00 00 00 08 8C 80 00 00 00 00 00 01 E5 D4 ......Œ€......åÔ 000C0140 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr.......... 000C0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0160 00 00 00 00 00 0A 72 54 00 00 00 00 00 00 FB 4C ......rT......ûL 000C0170 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri 000C0180 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self....... 000C0190 00 00 00 00 00 0B 6D A0 00 00 00 00 00 00 5A 94 ......m ......Z” 000C01A0 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces 000C01B0 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........ 
000C01C0 00 00 00 00 00 0B C8 34 00 00 00 00 00 00 63 D0 ......È4......cÐ 000C01D0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce 000C01E0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self....... 000C01F0 00 00 00 00 00 0C 2C 04 00 00 00 00 00 01 53 2C ......,.......S, 000C0200 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self..... 000C0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0220 00 00 00 00 00 0D 7F 30 00 00 00 00 00 00 42 98 .......0......B˜ 000C0230 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s 000C0240 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf............. 000C0250 00 00 00 00 00 0D C1 C8 00 00 00 00 00 00 D7 F0 ......ÁÈ......×ð 000C0260 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel 000C0270 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f............... 000C0280 00 00 00 00 00 0E 99 B8 00 00 00 00 00 00 80 8C ......™¸......€Œ 000C0290 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul 000C02A0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C02B0 00 00 00 00 00 0F 1A 44 00 00 00 00 00 00 88 B8 .......D......ˆ¸ 000C02C0 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul 000C02D0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C02E0 00 00 00 00 00 0F A2 FC 00 00 00 00 00 00 C0 78 ......¢ü......Àx 000C02F0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul 000C0300 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C0310 00 00 00 00 00 10 63 74 00 00 00 00 00 00 5D B0 ......ct......]° 000C0320 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul 000C0330 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C0340 00 00 00 00 00 10 C1 24 00 00 00 00 00 00 22 A0 ......Á$......" 000C0350 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp..... 000C0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
000C0370 00 00 00 00 00 10 E4 00 00 00 00 00 00 12 80 50 ......ä.......€P 000C0380 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........ 000C0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C03A0 00 00 00 00 00 23 64 80 00 00 00 00 00 03 E6 78 .....#d€......æx 000C03B0 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0............. 000C03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C03D0 00 00 00 00 00 27 4A F8 00 00 00 00 00 17 27 58 .....'Jø......'X 000C03E0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self. 000C03F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0400 00 00 00 00 00 3E 72 50 00 00 00 00 00 07 0F 94 .....>rP.......” 000C0410 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin.... 000C0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0430 00 00 00 00 00 45 81 E4 00 00 00 00 00 08 04 18 .....E.ä........ 000C0440 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self.. 000C0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0460 00 00 00 00 00 4D 85 FC 00 00 00 00 00 06 0D 78 .....M…ü.......x 000C0470 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self... 000C0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0490 00 00 00 00 00 53 93 74 00 00 00 00 00 00 12 A8 .....S“t.......¨ 000C04A0 6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F manu_info_spu_mo 000C04B0 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00 dule.self....... |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x490 | File offset relative to Region start |
0x8 | 0x8 | 0x40000 | File length |
0x10 | 0x20 | char[32]:"creserved_0" | File name |
ros1
header
example
NOR: ros1 (0x07C0000) | NAND: ros1 (0x07C0010) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 007C0000 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà 007C0010 00 00 00 01 00 00 00 16 00 00 00 00 00 6F FF E0 .............oÿà |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 007C0010 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà 007C0020 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x6FFFE0 | Length of Flash Region (relative to region start) |
0x10 | 0x4 | 0x1 | Unknown |
0x14 | 0x4 | 0x16 | Entry Count |
0x18 | 0x8 | 0x6FFFE0 | Length of Flash Region (relative to region start) |
Entry Table
Then follows a 48 byte entry for each file
example
NOR: ros1 (0x07C0020) | NAND: ros1 (0x07C0030) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 007C0020 00 00 00 00 00 00 04 30 00 00 00 00 00 04 00 00 .......0........ 007C0030 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0..... 007C0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0050 00 00 00 00 00 04 04 30 00 00 00 00 00 00 00 08 .......0........ 007C0060 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version..... 007C0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0080 00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC .......€......åÌ 007C0090 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr.......... 007C00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C00B0 00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D B0 ......ê€......m° 007C00C0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr.......... 007C00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C00E0 00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 24 ......X€.......$ 007C00F0 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr.......... 007C0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0110 00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA 04 ......‡.......Ú. 007C0120 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr.......... 007C0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0140 00 00 00 00 00 0A 61 04 00 00 00 00 00 00 FA B4 ......a.......ú´ 007C0150 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri 007C0160 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self....... 007C0170 00 00 00 00 00 0B 5B B8 00 00 00 00 00 00 5B FC ......[¸......[ü 007C0180 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces 007C0190 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........ 
007C01A0 00 00 00 00 00 0B B7 B4 00 00 00 00 00 00 65 B4 ......·´......e´ 007C01B0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce 007C01C0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self....... 007C01D0 00 00 00 00 00 0C 1D 68 00 00 00 00 00 01 53 2C .......h......S, 007C01E0 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self..... 007C01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0200 00 00 00 00 00 0D 70 94 00 00 00 00 00 00 44 80 ......p”......D€ 007C0210 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s 007C0220 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf............. 007C0230 00 00 00 00 00 0D B5 14 00 00 00 00 00 00 D7 44 ......µ.......×D 007C0240 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel 007C0250 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f............... 007C0260 00 00 00 00 00 0E 8C 58 00 00 00 00 00 00 80 8C ......ŒX......€Œ 007C0270 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul 007C0280 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0290 00 00 00 00 00 0F 0C E4 00 00 00 00 00 00 88 B8 .......ä......ˆ¸ 007C02A0 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul 007C02B0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C02C0 00 00 00 00 00 0F 95 9C 00 00 00 00 00 00 C0 78 ......•œ......Àx 007C02D0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul 007C02E0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C02F0 00 00 00 00 00 10 56 14 00 00 00 00 00 00 5D B0 ......V.......]° 007C0300 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul 007C0310 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0320 00 00 00 00 00 10 B3 C4 00 00 00 00 00 00 22 A0 ......³Ä......" 007C0330 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp..... 007C0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
007C0350 00 00 00 00 00 10 D6 80 00 00 00 00 00 12 E1 60 ......Ö€......á` 007C0360 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........ 007C0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0380 00 00 00 00 00 23 B8 00 00 00 00 00 00 03 E3 58 .....#¸.......ãX 007C0390 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0............. 007C03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C03B0 00 00 00 00 00 27 9B 58 00 00 00 00 00 16 19 80 .....'›X.......€ 007C03C0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self. 007C03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C03E0 00 00 00 00 00 3D B4 D8 00 00 00 00 00 07 09 F0 .....=´Ø.......ð 007C03F0 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin.... 007C0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0410 00 00 00 00 00 44 BE C8 00 00 00 00 00 08 1B 30 .....D¾È.......0 007C0420 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self.. 007C0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 007C0030 00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00 .......`........ 007C0040 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0..... 007C0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0060 00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08 .......`........ 007C0070 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version..... 007C0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0090 00 00 00 00 00 04 04 68 00 00 00 00 00 00 FB 4C .......h......ûL 007C00A0 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri 007C00B0 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self....... 007C00C0 00 00 00 00 00 04 FF B4 00 00 00 00 00 00 C9 30 ......ÿ´......É0 007C00D0 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces 007C00E0 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........ 007C00F0 00 00 00 00 00 05 C8 E4 00 00 00 00 00 00 63 D0 ......Èä......cÐ 007C0100 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce 007C0110 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self....... 007C0120 00 00 00 00 00 06 2C B4 00 00 00 00 00 01 D2 D8 ......,´......ÒØ 007C0130 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self..... 007C0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0150 00 00 00 00 00 07 FF 8C 00 00 00 00 00 00 42 98 ......ÿŒ......B˜ 007C0160 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s 007C0170 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf............. 007C0180 00 00 00 00 00 08 42 24 00 00 00 00 00 00 D7 F0 ......B$......×ð 007C0190 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel 007C01A0 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f............... 
007C01B0 00 00 00 00 00 09 1A 14 00 00 00 00 00 00 80 8C ..............€Œ 007C01C0 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul 007C01D0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C01E0 00 00 00 00 00 09 9A A0 00 00 00 00 00 00 88 B8 ......š ......ˆ¸ 007C01F0 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul 007C0200 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0210 00 00 00 00 00 0A 23 58 00 00 00 00 00 00 C0 78 ......#X......Àx 007C0220 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul 007C0230 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0240 00 00 00 00 00 0A E3 D0 00 00 00 00 00 00 5D B0 ......ãÐ......]° 007C0250 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul 007C0260 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0270 00 00 00 00 00 0B 41 80 00 00 00 00 00 00 22 A0 ......A€......" 007C0280 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp..... 007C0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C02A0 00 00 00 00 00 0B 64 80 00 00 00 00 00 12 5E F0 ......d€......^ð 007C02B0 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........ 007C02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C02D0 00 00 00 00 00 1D C3 80 00 00 00 00 00 0B 54 E8 ......À......Tè 007C02E0 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0............. 007C02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0300 00 00 00 00 00 29 18 80 00 00 00 00 00 00 05 00 .....).€........ 007C0310 6C 76 30 2E 32 00 00 00 00 00 00 00 00 00 00 00 lv0.2........... 007C0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0330 00 00 00 00 00 29 1D 80 00 00 00 00 00 17 89 58 .....).€......‰X 007C0340 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self. 007C0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
007C0360 00 00 00 00 00 40 A6 D8 00 00 00 00 00 07 0F 94 .....@¦Ø.......” 007C0370 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin.... 007C0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0390 00 00 00 00 00 47 B6 6C 00 00 00 00 00 07 E2 68 .....G¶l......âh 007C03A0 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self.. 007C03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C03C0 00 00 00 00 00 4F 98 D4 00 00 00 00 00 06 18 18 .....O˜Ô........ 007C03D0 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self... 007C03E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C03F0 00 00 00 00 00 55 B0 EC 00 00 00 00 00 00 12 A8 .....U°ì.......¨ 007C0400 6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F manu_info_spu_mo 007C0410 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00 dule.self....... 007C0420 00 00 00 00 00 55 C3 94 00 00 00 00 00 00 02 E0 .....UÔ.......à 007C0430 70 72 6F 67 2E 73 72 76 6B 00 00 00 00 00 00 00 prog.srvk....... 007C0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0450 00 00 00 00 00 55 C6 74 00 00 00 00 00 00 02 40 .....UÆt.......@ 007C0460 70 6B 67 2E 73 72 76 6B 00 00 00 00 00 00 00 00 pkg.srvk........ 007C0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x430 | File offset relative to Region start |
0x8 | 0x8 | 0x40000 | File length |
0x10 | 0x20 | char[32]:"creserved_0" | File name |
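The ros0 and ros1 header and entry-table layouts described above can be checked mechanically when validating a flash dump. The following is an added example, not code from the wiki or from any PS3 tool: it parses the 0x20-byte header and the 48-byte entries and rejects tables whose entries fall outside the stated region length or overlap each other. The sample image is constructed from the first three NOR ros0 entries in the dump above; `parse_ros`, `build_image`, `MAX_ENTRIES`, the equality check on the two length fields and the printable-name check are assumptions of this example.

```python
import struct
from typing import List, NamedTuple, Sequence, Tuple

# Layouts taken from the structure tables above; all fields are big-endian.
ROS_HEADER = struct.Struct(">QQIIQ")  # unknown, region length, unknown, entry count, region length
ROS_ENTRY = struct.Struct(">QQ32s")   # file offset, file length, NUL-padded file name
MAX_ENTRIES = 256                     # assumed sanity limit, not a value from the page


class RosFormatError(ValueError):
    """Header or entry table is inconsistent with the documented layout."""


class RosEntry(NamedTuple):
    name: str
    offset: int   # as stored; the page describes it as relative to the region start
    length: int


def parse_ros(blob: bytes) -> Tuple[int, List[RosEntry]]:
    """Return (region length, entries) or raise RosFormatError."""
    if len(blob) < ROS_HEADER.size:
        raise RosFormatError("header truncated")
    _, region_len, _, count, region_len2 = ROS_HEADER.unpack_from(blob, 0)
    # Both length fields are equal in every sample on the page (assumed invariant).
    if region_len != region_len2:
        raise RosFormatError("the two region length fields disagree")
    if count > MAX_ENTRIES:
        raise RosFormatError("implausible entry count %d" % count)
    if ROS_HEADER.size + count * ROS_ENTRY.size > len(blob):
        raise RosFormatError("entry table truncated")

    entries = []
    for i in range(count):
        pos = ROS_HEADER.size + i * ROS_ENTRY.size
        offset, length, raw = ROS_ENTRY.unpack_from(blob, pos)
        name = raw.split(b"\0", 1)[0]
        # Assumption: names are non-empty printable ASCII, as in the dumps above.
        if not name or any(not 0x20 < c < 0x7F for c in name):
            raise RosFormatError("entry %d: bad file name %r" % (i, raw))
        if offset + length > region_len:
            raise RosFormatError("entry %d (%s) runs past the region" % (i, name.decode()))
        entries.append(RosEntry(name.decode("ascii"), offset, length))

    # Two files must not claim the same bytes.
    ordered = sorted(entries, key=lambda e: e.offset)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.offset + prev.length > cur.offset:
            raise RosFormatError("%s overlaps %s" % (prev.name, cur.name))
    return region_len, entries


def build_image(files: Sequence[Tuple[int, int, bytes]], region_len: int = 0x6FFFE0) -> bytes:
    """Build a header plus entry table for testing (constructed data, no file bodies)."""
    header = ROS_HEADER.pack(0, region_len, 1, len(files), region_len)
    return header + b"".join(ROS_ENTRY.pack(o, n, name) for o, n, name in files)


# Constructed sample: first three entries of the NOR ros0 dump shown above.
SAMPLE_FILES = [
    (0x490, 0x40000, b"creserved_0"),
    (0x40490, 0x8, b"sdk_version"),
    (0x40500, 0x1E7C8, b"lv1ldr"),
]

if __name__ == "__main__":
    length, table = parse_ros(build_image(SAMPLE_FILES))
    print("region length: 0x%X" % length)
    for e in table:
        print("%-32s offset=0x%06X length=0x%06X" % (e.name, e.offset, e.length))
```
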
Second Region
NOR only: 0x0F00000 - 0x0F00020
This region appears to directly follow the other region (at 0xF0000 = region size + header)
Not much is known about this at this stage.
On NAND consoles without OtherOS the block 0x0F00000 - 0x0F7FFFF is zero filled
On NAND consoles with OtherOS the block 0x0F00000 - 0x0F00FFF is filled with data
Header - 0FACE0FF DEADFACE
example
NOR: 0x0F00000 - 0x0F00020 | NAND: |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F00000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬àÿ....ÞúÎ 00F00020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 ................ |
N.A. |
structure
Address | Length | Value | Description |
---|---|---|---|
0x00 | 0x10 | 0x0 | Blank/Unknown |
0x10 | 0x10 | 0x0FACE0FF 0xDEADFACE | Magic number |
0x20 | 0x8 | 0x3 | Unknown |
0x28 | 0x8 | 0x2 | Unknown |
00 filled block
example
NOR: 0x0F00030 - 0x0F000BF | NAND: |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F00030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... (00 filled block) 00F000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
N.A. |
structure
Address | Length | Value | Description |
---|---|---|---|
0x30 | 0x90 | 0x0 | Blank/Unknown |
Unknown block
example
NOR: 0x0F000C0 - 0x0F000EF | NAND: |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F000C0 00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00 ......y......... 00F000D0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 .p.............. 00F000E0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 .p.............. |
N.A. |
structure
Address | Length | Value | Description |
---|---|---|---|
0xC0 | 0x8 | 0x7900 | Unknown |
0xC8 | 0x8 | 0x100 | Unknown |
0xD0 | 0x2 | 0x1070 | Unknown |
0xD2 | 0x2 | 0x0 | Blank/Unknown |
0xD4 | 0x2 | 0x100 | Unknown |
0xD6 | 0x2 | 0x1 | Unknown |
0xD8 | 0x8 | 0x3 | Unknown |
0xE0 | 0x2 | 0x1070 | Unknown |
0xE2 | 0x2 | 0x0 | Blank/Unknown |
0xE4 | 0x2 | 0x200 | Unknown |
0xE6 | 0x2 | 0x1 | Unknown |
0xE8 | 0x8 | 0x3 | Unknown |
00 filled block
example
NOR: 0x0F000F0 - 0x0F0014F | NAND: |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... (00 filled block) 00F00140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
N.A. |
structure
Address | Length | Value | Description |
---|---|---|---|
0xF0 | 0x60 | 0x0 | Blank/Unknown |
Unknown block
example
NOR: 0x0F00150 - 0x0F0017F | NAND: |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F00150 00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00 ......z......... 00F00160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 .p.............. 00F00170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 .p.............. |
N.A. |
structure
Address | Length | Value | Description |
---|---|---|---|
0xC0 | 0x8 | 0x7A00 | Unknown |
0xC8 | 0x8 | 0x400 | Unknown |
0xD0 | 0x2 | 0x1070 | Unknown |
0xD2 | 0x2 | 0x0 | Blank/Unknown |
0xD4 | 0x2 | 0x100 | Unknown |
0xD6 | 0x2 | 0x1 | Unknown |
0xD8 | 0x8 | 0x3 | Unknown |
0xE0 | 0x2 | 0x1070 | Unknown |
0xE2 | 0x2 | 0x0 | Blank/Unknown |
0xE4 | 0x2 | 0x200 | Unknown |
0xE6 | 0x2 | 0x1 | Unknown |
0xE8 | 0x8 | 0x3 | Unknown |
00 filled block
example
NOR: 0x0F00180 - 0x0F00FFF | NAND: |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F00180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... (00 filled block) 00F00FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
N.A. |
structure
Address | Length | Value | Description |
---|---|---|---|
0x180 | 0xE80 | 0x0 | Blank/Unknown |
unreferenced area
NOR+NAND : 0x0F01000 - 0x0F1FFFF
example
NOR: 0x0F01000 - 0x0F1FFFF | NAND: 0x0F01000 - 0x0F1FFFF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F01000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 00F1FFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F01000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 00F1FFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x1000 | 0x1F000 | 0xFF | Blank/Unknown |
CELL_EXTNOR_AREA
Only on NOR consoles
On NAND consoles the block 00F20000-00F3FFFF is FF (OtherOS) or 00 (No OtherOS) filled
Header
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F20000  43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41  CELL_EXTNOR_AREA   marker: CELL_EXTNOR_AREA
```
1
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F20010  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F20020  00 00 02 00 00 00 00 44 00 00 00 00 A9 C8 06 D0  .......D....©È.Ð   (sha1sum of 0x200 Harddrive Info)
00F20030  C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10  À..4U§bsÝ.¦ûu Ò.
```
00 filled
```
00F20040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...] all 00's
00F201F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
Harddrive info
```
00F20200  00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32  ....FUJITSU MHZ2   harddrive brand/model
00F20210  30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20  080BH G1        
00F20220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
00F20230  20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B      K63RT8B4HYBK   harddrive serial
```
00 filled
```
00F20240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...] all 00's
00F3FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
2
On NAND consoles with OtherOS the blocks
- 0x0F40000 - 0x0F401FF
- 0x0F42000 - 0xBAD51F0
- 0xBAD6000 - 0xBAECDFF
- 0xBAEE000 - 0xBAFD9FF
- 0xBAFE000 etc.
are filled with data
```
00F40000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.
00F40010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+
00F40020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:
```
00F40000-00F40030 (same in other version/console dump) is the same as 00F80000-00F80030
00 filled
```
00F40030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...] all 00's
00F5FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
3
```
00F60000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4
00F60010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²
00F60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®
00F60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë
```
00F60000-00F60040 (differs in other version/console dump) is the same as 00FA0000-00FA0040
00 filled
```
00F60040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...] all 00's
00F69BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
FF filled
```
00F69C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] all FF's
00F7FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
```
4
```
00F80000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.
00F80010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+
00F80020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:
```
00F80000-00F80030 (same in other version/console dump) is the same as 00F40000-00F40030
00 filled
```
00F80030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...] all 00's
00F9FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
5
```
00FA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4
00FA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²
00FA0020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®
00FA0030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë
```
00F60000-00F60040 (differs in other version/console dump) is the same as 00F60000-00F60040
00 filled
```
00FA0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...] all 00's
00FA9BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
FF filled
```
00FA9C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] all FF's, sometimes with the 'OCRL0200' section below inside it
00FBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
```
FF Filled with OCRL0200 section
NOR: 0x0FA9400 - 0x0FA952F | NOR: 0x0F69400 - 0x0F6952F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00FA9400 4F 43 52 4C 30 32 30 30 00 00 00 00 00 00 00 00 OCRL0200........ 00FA9410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00FA9420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00FA9430 A6 50 37 72 07 82 68 FE EA 9A A1 8C 54 19 2B E4 ¦P7r.‚hþêš¡ŒT.+ä 00FA9440 2F D8 85 BA 5F 2F AA ED AC 6B 54 FE 31 0B 80 58 /Ø…º_/ªí¬kTþ1.€X 00FA9450 A9 74 D4 ED F9 77 7B B2 30 50 47 F3 C0 12 AC 26 ©tÔíùw{²0PGóÀ.¬& 00FA9460 6A 40 AD 19 14 C2 AD 2C 92 36 02 78 50 D4 08 D4 j@..Â,’6.xPÔ.Ô 00FA9470 06 76 2C 97 0D 2A 7A 19 F4 85 01 6F CD C8 07 C3 .v,—.*z.ô….oÍÈ.à 00FA9480 25 2D F4 CD 46 2B FE F7 B8 0A 40 9F 97 22 06 5E %-ôÍF+þ÷¸.@Ÿ—".^ 00FA9490 4B F1 02 92 01 11 C1 E0 DD AC 84 0D 58 C2 21 66 Kñ.’..Áàݬ„.XÂ!f 00FA94A0 25 69 A4 1A C8 E9 DB 4C 5D 31 4E AF 07 2A 43 90 %i¤.ÈéÛL]1N¯.*C. 00FA94B0 3E DC 4A 80 FD A7 06 BB 1F 9B D4 75 6C 6C 45 CE >ÜJ€ý§.».›ÔullEÎ 00FA94C0 1A A6 5D D1 9B E9 80 C2 72 CA A8 0B 14 C6 B2 86 .¦]Ñ›é€Ârʨ..Ʋ† 00FA94D0 E3 37 86 E6 AD DE 2C F9 76 3D 18 62 DD 77 AD 71 ã7†æÞ,ùv=.bÝwq 00FA94E0 32 F1 11 FD 17 9E 68 50 B3 A5 7F 41 37 19 63 3A 2ñ.ý.žhP³¥.A7.c: 00FA94F0 78 08 19 4D CA 47 AD FF 35 89 52 3E 18 39 F5 A5 x..MÊGÿ5‰R>.9õ¥ 00FA9500 4B 98 D6 C0 66 68 E0 CA 4B 9F 1A 42 1E A2 EE 79 K˜ÖÀfhàÊKŸ.B.¢îy 00FA9510 E6 58 6F FF 58 B1 FE 4F DB FD 27 6F 4C EC 6C 9F æXoÿX±þOÛý'oLìlŸ 00FA9520 B4 B7 F8 9D 30 4A 1E 83 15 47 08 B6 FB 51 00 DA ´·ø.0J.ƒ.G.¶ûQ.Ú
|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00F69400 4F 43 52 4C 30 32 30 30 00 00 00 00 00 00 00 00 OCRL0200........ 00F69410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F69420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F69430 A6 50 37 72 07 82 68 FE EA 9A A1 8C 54 19 2B E4 ¦P7r.‚hþêš¡ŒT.+ä 00F69440 2F D8 85 BA 5F 2F AA ED AC 6B 54 FE 31 0B 80 58 /Ø…º_/ªí¬kTþ1.€X 00F69450 A9 74 D4 ED F9 77 7B B2 30 50 47 F3 C0 12 AC 26 ©tÔíùw{²0PGóÀ.¬& 00F69460 6A 40 AD 19 14 C2 AD 2C 92 36 02 78 50 D4 08 D4 j@..Â,’6.xPÔ.Ô 00F69470 06 76 2C 97 0D 2A 7A 19 F4 85 01 6F CD C8 07 C3 .v,—.*z.ô….oÍÈ.à 00F69480 25 2D F4 CD 46 2B FE F7 B8 0A 40 9F 97 22 06 5E %-ôÍF+þ÷¸.@Ÿ—".^ 00F69490 4B F1 02 92 01 11 C1 E0 DD AC 84 0D 58 C2 21 66 Kñ.’..Áàݬ„.XÂ!f 00F694A0 25 69 A4 1A C8 E9 DB 4C 5D 31 4E AF 07 2A 43 90 %i¤.ÈéÛL]1N¯.*C. 00F694B0 3E DC 4A 80 FD A7 06 BB 1F 9B D4 75 6C 6C 45 CE >ÜJ€ý§.».›ÔullEÎ 00F694C0 1A A6 5D D1 9B E9 80 C2 72 CA A8 0B 14 C6 B2 86 .¦]Ñ›é€Ârʨ..Ʋ† 00F694D0 E3 37 86 E6 AD DE 2C F9 76 3D 18 62 DD 77 AD 71 ã7†æÞ,ùv=.bÝwq 00F694E0 32 F1 11 FD 17 9E 68 50 B3 A5 7F 41 37 19 63 3A 2ñ.ý.žhP³¥.A7.c: 00F694F0 78 08 19 4D CA 47 AD FF 35 89 52 3E 18 39 F5 A5 x..MÊGÿ5‰R>.9õ¥ 00F69500 4B 98 D6 C0 66 68 E0 CA 4B 9F 1A 42 1E A2 EE 79 K˜ÖÀfhàÊKŸ.B.¢îy 00F69510 E6 58 6F FF 58 B1 FE 4F DB FD 27 6F 4C EC 6C 9F æXoÿX±þOÛý'oLìlŸ 00F69520 B4 B7 F8 9D 30 4A 1E 83 15 47 08 B6 FB 51 00 DA ´·ø.0J.ƒ.G.¶ûQ.Ú
|
Used by GetOnlineCertificateRevocationListVersion(FlashOCRL%d) inside bdp player
Handled by Iso module AacsModule.spu.isoself
http://www.blu-raydisc.info/format-spec/rom3-spec.php
http://www.blu-raydisc.info/docs/Certificate_Revocation/online.crl <-- exact same as above hex pastie
cell_ext_os_area
NAND only
OtherOS
NAND only
00 filled block
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0EA00040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... 0EB7FFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
FF filled block
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0EB80000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 0EFBFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
small non-FF sections (inside FF filled block)
Note: not seen in all NAND dumps.
NAND: 1100 | NAND: 0100 | NAND: 7F FF FF 11 00 | NAND: 7F FF FF 21 00 |
---|---|---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0FF00100 FF FF FF FF 11 00 FF FF FF FF FF FF FF FF FF FF ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0FF00100 FF FF FF FF 01 00 FF FF FF FF FF FF FF FF FF FF ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0FF00100 FF 7F FF FF 11 00 FF FF FF FF FF FF FF FF FF FF ÿ.ÿÿ..ÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0FF00100 FF 7F FF FF 21 00 FF FF FF FF FF FF FF FF FF FF ÿ.ÿÿ!.ÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0FF00300 FF FF FF FF 11 00 FF FF FF FF FF FF FF FF FF FF ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0FF00300 FF FF FF FF 01 00 FF FF FF FF FF FF FF FF FF FF ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0FF00300 FF 7F FF FF 11 00 FF FF FF FF FF FF FF FF FF FF ÿ.ÿÿ..ÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0FF00300 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
[EOF]
Encrypted Files on Flash
Encrypted files on flash appear to have some sort of header
metldr examples
Here are samples of metldr header from 2 different consoles
```
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«
```
```
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP
```
bootldr examples
Here are samples of bootldr header from 2 different consoles
```
00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
```
```
00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP
```
Observations / Notes
As you can see, some parts appear static depending on their purpose:
metldr
```
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........
```
bootldr
```
00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
```
per console in both samples
```
00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP
```
The first 4 bytes appear to refer to length, e.g.:
```
metldr length: 0xE920
0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920

bootldr length: 0x2F4F0
0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0
```
Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.
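The length observation above can be checked against a file-table entry. This is an added example, not code from the page or from any tool it cites: it applies the `* 0x10 + 0x40` rule to the CECH250.B (factory 3.56) dump printed further down this page and compares the result with the length stored in the `metldr` table entry. The names `loader_len` and `entry_matches_header` are made up here, and treating a match as the general rule is an assumption based on that one sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Bytes 0x800-0x843 of the CECH250.B (factory 3.56) dump printed on this
   page; the rest of the loader header from 0x844 on is left out (zero). */
static const uint8_t sample[0x50] = {
    [0x00] = 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
             0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xE8, 0x00,
    [0x10] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,   /* entry offset */
             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE9, 0x60,   /* entry length */
    [0x20] = 'm', 'e', 't', 'l', 'd', 'r',                     /* entry name   */
    [0x40] = 0x00, 0x00, 0x0E, 0x92,                           /* header word  */
};

static uint64_t rd_be(const uint8_t *p, int n)   /* big-endian, n = 4 or 8 */
{
    uint64_t v = 0;
    while (n-- > 0)
        v = (v << 8) | *p++;
    return v;
}

/* Length implied by the first 4 bytes of a loader header, following the
   observation above: value * 0x10 + 0x40. */
uint64_t loader_len(const uint8_t *hdr)
{
    return rd_be(hdr, 4) * 0x10 + 0x40;
}

/* Compare the length stored in the first table entry with the length implied
   by the loader header that entry points to. tbl is the start of the table
   (0x800 in the dump) and the entry offset is taken relative to it.
   Returns 1 on match, 0 on mismatch, -1 when the entry or the header word
   lies outside the buffer. */
int entry_matches_header(const uint8_t *tbl, size_t len)
{
    uint64_t off, entry_len;

    if (len < 0x40)                 /* 0x10 header + one 0x30 entry */
        return -1;
    off = rd_be(tbl + 0x10, 8);
    entry_len = rd_be(tbl + 0x18, 8);
    if (off > len || len - off < 4) /* header word must be readable */
        return -1;
    return loader_len(tbl + off) == entry_len;
}

int main(void)
{
    printf("entry length   0x%llX\n", (unsigned long long)rd_be(sample + 0x18, 8));
    printf("header implies 0x%llX\n", (unsigned long long)loader_len(sample + 0x40));
    printf("match: %d\n", entry_matches_header(sample, sizeof sample));
    return 0;
}
```

A mismatch between the two lengths in a dump is a cheap first sign of a bad read or a shifted image.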
new metldr.2
Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù 
00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
other new metldr
It seems the naming "metldr.2" does not apply to all non downgradeable consoles:
Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A (dump contained ROS with 3.66 and 3.70). This was downgradable.. sorry, the downgrade.bin was not written correctly.. but this time I wrote it ok, so this was not a new metldr console..
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
```
For comparison, a CECH250.B (JSD-001), with factory 3.56 - datecode 1A which was downgradeable (dump contained ROS with 3.56 and 3.70 before downgrading to 3.55):
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•
```
other new metldr mention : https://twitter.com/#!/Mathieulh/status/110779471199604736
WTF 3.50+ consoles have a new additional root key of 0x30 bytes (3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O
CECH2501B JSD-001 (320GB HDD) without datecode, fw 3.66
metldr contains other new value (E9 60), but still downgrades..
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•
```
Another PS3 with CECH2501A without datecode, 320 GB HDD and fw 3.66 also contains other new metldr values but still downgrades...
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•
```
Dumping your flash
There are many ways to dump your flash; choose the one that best fits you. Some people are studying the flash: if you can help by providing a dump (especially if you have a debug console), look for them on IRC, EFnet #ps3dev.
Payload
Uncomment dump_dev_flash() in graf_payloads, then compile and run the payload.
See Graf's_PSGroove_Payload for more info.
Linux
Using graf_chokolo kernel with /dev/ps3nflasha access
dd if=/dev/ps3nflasha of=NOR.BIN bs=1024
Hardware
Dump NAND/NOR from GameOS
precompiled : dump_flash.pkg // backup/mirror: dump_flash.pkg (70.48 KB)
source: dump_flash-src.rar (2.33 KB)
Make sure USB stick is FAT32 with enough free space (16MB per NOR dump, 256MB per NAND dump)
remark: NAND dumps are 239MB because HV masks bootldr, see Hardware flashing #Difference between hardware dumps and software dumps
NOR Unpacking // NOR Unpkg
```c
/*
# ../norunpkg norflash.bin norflash
unpacking asecure_loader (size: 190xxx bytes)...
unpacking eEID (size: 65536 bytes)...
unpacking cISD (size: 2048 bytes)...
unpacking cCSD (size: 2048 bytes)...
unpacking trvk_prg0 (size: 131072 bytes)...
unpacking trvk_prg1 (size: 131072 bytes)...
unpacking trvk_pkg0 (size: 131072 bytes)...
unpacking trvk_pkg1 (size: 131072 bytes)...
unpacking ros0 (size: 7340032 bytes)...
unpacking ros1 (size: 7340032 bytes)...
unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010 Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

/* Extract entry i of the file table: be64 offset, be64 size, 0x20-byte name.
   The offset is relative to the start of the table (pkg). */
static void unpack_file(u32 i)
{
	u8 *ptr;
	u8 name[33];
	u64 offset;
	u64 size;

	ptr = pkg + 0x10 + 0x30 * i;

	offset = be64(ptr + 0x00);
	size   = be64(ptr + 0x08);

	memset(name, 0, sizeof name);
	strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

	/* size is 64-bit, so it cannot be printed with %d */
	printf("unpacking %s (size: %llu bytes)...\n", name, (unsigned long long)size);
	memcpy_to_file((char *)name, pkg + offset, size);
}

/* Walk the file table: be32 entry count at +4, be64 total size at +8. */
static void unpack_pkg(void)
{
	u32 n_files;
	u64 size;
	u32 i;

	n_files = be32(pkg + 4);
	size = be64(pkg + 8);

	for (i = 0; i < n_files; i++)
		unpack_file(i);
}

int main(int argc, char *argv[])
{
	if (argc != 3)
		fail("usage: norunpkg filename.nor target");

	pkg = mmap_file(argv[1]);

	/* kludge for header, i do not do sanity checks at the moment */
	pkg += 1024;

	MKDIR(argv[2], 0777);

	if (chdir(argv[2]) != 0)
		fail("chdir");

	unpack_pkg();

	return 0;
}
```
Source: http://rms.grafchokolo.com/?p=25
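norunpkg uses each entry's offset, size and name exactly as they appear in the image, so a damaged or edited dump can make it read outside the mapping or write to an unexpected path. The following is an added example, not part of norunpkg or of this page's sources: it shows the checks a table walk can make before extracting anything, using the table layout norunpkg reads and a constructed sample region. `entry_ok`, `name_ok`, `put_entry` and `demo` are names made up here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HDR_SIZE = 0x10, ENTRY_SIZE = 0x30, NAME_SIZE = 0x20 };  /* as in norunpkg */

static uint64_t rd_be(const uint8_t *p, int n)   /* big-endian, n = 4 or 8 */
{
    uint64_t v = 0;
    while (n-- > 0)
        v = (v << 8) | *p++;
    return v;
}

/* Usable as an output file name: NUL-terminated inside the 0x20-byte field,
   non-empty, printable ASCII, no path separators, not "." or "..". */
static int name_ok(const uint8_t *name)
{
    size_t n = 0;
    for (; n < NAME_SIZE && name[n]; n++)
        if (name[n] == '/' || name[n] == '\\' || name[n] < 0x20 || name[n] > 0x7e)
            return 0;
    if (n == 0 || n == NAME_SIZE)
        return 0;
    return strcmp((const char *)name, ".") && strcmp((const char *)name, "..");
}

/* 1 if entry i lies inside the table and its data inside the region. */
int entry_ok(const uint8_t *region, size_t len, uint64_t i)
{
    const uint8_t *e;
    uint64_t off, size;
    if (len < HDR_SIZE || i >= rd_be(region + 4, 4) ||
        i >= (len - HDR_SIZE) / ENTRY_SIZE)
        return 0;
    e = region + HDR_SIZE + ENTRY_SIZE * i;
    off = rd_be(e, 8);
    size = rd_be(e + 8, 8);
    /* off + size could wrap around, so compare without adding */
    return off <= len && size <= len - off && name_ok(e + 0x10);
}

/* Constructed sample data: write one table entry into a region buffer. */
static void put_entry(uint8_t *region, int i, uint64_t off, uint64_t size, const char *name)
{
    uint8_t *e = region + HDR_SIZE + ENTRY_SIZE * i;
    for (int b = 0; b < 8; b++) {
        e[b]     = (uint8_t)(off  >> (56 - 8 * b));
        e[8 + b] = (uint8_t)(size >> (56 - 8 * b));
    }
    strncpy((char *)e + 0x10, name, NAME_SIZE);
}

/* Constructed region: entry 0 fits, entry 1 runs past the end, entry 2 has a
   path separator in its name. Returns a bit mask of the entries that pass. */
unsigned demo(void)
{
    static uint8_t region[0x400];
    unsigned mask = 0;
    memset(region, 0, sizeof region);
    region[7] = 3;                                   /* n_files = 3 */
    put_entry(region, 0, 0x100, 0x200, "trvk_prg0");
    put_entry(region, 1, 0x300, 0x200, "trvk_prg1");
    put_entry(region, 2, 0x100, 0x010, "../cvtrm");
    for (unsigned i = 0; i < 3; i++)
        mask |= (unsigned)entry_ok(region, sizeof region, i) << i;
    return mask;
}

int main(void)
{
    printf("entries that pass: mask 0x%x\n", demo());
    return 0;
}
```

In a real unpacker the region length would come from the size of the mapped file minus the 1024 bytes norunpkg skips.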
RMS - eEID splitter
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read iInputSize bytes from the current position of pFile and write them
   to a file named "<pFilenamePrefix><iEidCount>". */
void DumpEidData (FILE * pFile, int iInputSize, int iEidCount, char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  int iRes, iSize;

  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
          iEidCount, (void *) pFile, iInputSize, iInputSize);

  szBuf = (char *) malloc (iInputSize + 1);
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);
  if (szBuf == NULL || szFilename == NULL)
    {
      perror ("malloc");
      exit (1);
    }

  iSize = (int) fread (szBuf, iInputSize, 1, pFile);
  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  if (pOutput == NULL)
    {
      perror ("fopen");
      exit (1);
    }
  iRes = (int) fwrite (szBuf, iInputSize, 1, pOutput);
  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    }

  fclose (pOutput);
  free (szFilename);
  free (szBuf);
}

int main (int argc, char **argv)
{
  FILE *pFile = NULL;
  char *pPrefix;

  /* both arguments are required; the usage text is also shown when the
     input file cannot be opened */
  if (argc != 3 || (pFile = fopen (argv[1], "rb")) == NULL)
    {
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }
  pPrefix = argv[2];

  /* the six EID sections are read back to back, starting at 0x70 */
  fseek (pFile, 0x70, SEEK_SET);
  DumpEidData (pFile, 2144, 0, pPrefix);
  DumpEidData (pFile, 672, 1, pPrefix);
  DumpEidData (pFile, 1840, 2, pPrefix);
  DumpEidData (pFile, 256, 3, pPrefix);
  DumpEidData (pFile, 48, 4, pPrefix);
  DumpEidData (pFile, 2560, 5, pPrefix);

  fclose (pFile);
  return 0;
}
```
Source: http://rms.grafchokolo.com/?p=59
Flash Samples
Reference flash dumps
- 3.55 kmeaw, 2.80 backup: http://www.megaupload.com/?d=J5UKO3HX
- 3.66 ofw: http://www.mediafire.com/?m7m4mppro66zib5
User flashdumps
Here are some samples of NOR flash for your dissection. These are taken from different consoles (because it is useless to dump different firmware versions, as ROS/RVK will be the same across consoles).
SKU | bootldr | metldr | ROS0 | ROS1 | Link | Note |
---|---|---|---|---|---|---|
PS3 Phat: | ||||||
CECHA | ||||||
CECHB | ||||||
CECHC | ||||||
CECHE | ||||||
CECHG | ||||||
CECHH | ||||||
CECHJ | ||||||
CECHK | ||||||
CECHL | [1] | 3.55-Rogero CECHL03 | ||||
CECHL | [2] | 3.56 CECHL03 | ||||
CECHL | [3] | 3.70 CECHL03 | ||||
CECHM | ||||||
CECHP | ||||||
CECHQ | ||||||
PS3 Slim: | ||||||
CECH-20xx | 3.65 | 3.55 | [4] | 3.65 CECH-2008 A | ||
CECH-20xx | 3.56 | 3.56 | [5] | 3.56 CECH-2008 B | ||
CECH-20xx | 3.42 | 3.70 | [6] | 3.70 CECH-2008 B | ||
CECH-20xx | 3.72 | 4.00 | [7] | 4.00 CECH-2008 B | ||
CECH-21xx | ||||||
CECH-25xx | 3.66 | 3.56 | [8] | 3.60 CECH-2508 B | ||
CECH-25xx | 3.66 | 3.72 | [9] | 3.72 CECH-2508 B | ||
CECH-30xx |