SC EEPROM
Revision as of 03:58, 17 May 2011
Most of the information we have about the SC EEPROM comes from graf_chokolo's reverse engineering of the HV; see Hypervisor Reverse Engineering.
This is where system flags, tokens and hashes are stored.
Right now most of the communication we have with the SC EEPROM goes through Linux, using graf_chokolo's ps3dm-utils and/or his payloads.
Important Offsets
EEPROM Offset Table - Flags and Tokens
Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):
| Offset | Size | Description |
|---|---|---|
| 0x48C06 | 1 | FSELF Control Flag |
| 0x48C07 | 1 | Product Mode (UM allows reading this offset; it can also be written, but only when already in product mode) |
| 0x48C0A | 1 | QA Flag |
| 0x48C13 | 1 | Device Type |
| 0x48C42 | 1 | HDD Copy Mode |
| 0x48C50 | 0x10 | Debug Support Flag |
| 0x48C60 | 1 | Update Status |
| 0x48C61 | 1 | Recover Mode Flag |
| 0x48D3E | 0x50 | QA Token (UM doesn't allow access to this offset, but SC Manager can read/write it) |
On a standard, mostly untouched PS3 the common value of these flags is 0xFF, which means not active. To activate a flag you write 0x00 to it.
The Debug Support flag is tied to the EID, which is supposed to be hashed and saved in the SC EEPROM.
The QA flag is tied to the QA token, which is also saved in this part of the SC EEPROM.
System Data From EEPROM
Here is the list of possible EEPROM offsets:
| Index | SC EEPROM Offset | Size Of Data | Description |
|---|---|---|---|
| 0 | 0x48D20 | 6 | ? |
| 1 | 0x48D28 | 6 | ? |
| 2 | 0x48D30 | 6 | ? |
| 3 | 0x48D38 | 6 | ? |
| 4 | 0x48D00 | 4 | ? |
| 5 | 0x48D04 | 4 | ? |
| 6 | 0x48D08 | 4 | ? |
Dumpable EEPROM Offset - Block ID and Block Offset Mapping Table (NVS Service)
Right now we only have read access to some portions of the EEPROM. To access these regions DM needs to be patched; see the section Dumping your SC EEPROM below.
| EEPROM Offset | Block ID | Block Offset | Description |
|---|---|---|---|
| 0x48000 - 0x480FF | 0x00 | 0x48000 - 0x480FF | ? |
| 0x48800 - 0x488FF | 0x01 | 0x48800 - 0x488FF | ? |
| 0x48C00 - 0x48CFF | 0x02 | 0x48C00 - 0x48CFF | Contains flags and tokens, see above |
| 0x48D00 - 0x48DFF | 0x03 | 0x48D00 - 0x48DFF | System Data Region |
| 0x2F00 - 0x2FFF | 0x10 | 0x2F00 - 0x2FFF | ? |
| 0x3000 - 0x30FF | 0x20 | 0x3000 - 0x30FF | ? |
| All other offsets | Invalid | Invalid | ? |
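As an added example (not code from this wiki page or from ps3dm-utils), the three tables above turned into a small read-only decoder for a dumped block: it maps an EEPROM offset to its NVS block ID, reads the one-byte flags out of a block 0x02 dump using the 0xFF = inactive / 0x00 = active convention stated above, and slices the seven system data entries out of a block 0x03 dump. The dump bytes are constructed for illustration, not taken from a real console, and treating an all-0xFF multi-byte field as "unset" is an assumption made here by analogy with the flag convention.

```python
from typing import Optional

# Flag and token offsets reachable through Update Manager (values from the table above).
FLAG_TABLE = {
    0x48C06: (1, "FSELF Control Flag"),
    0x48C07: (1, "Product Mode"),
    0x48C0A: (1, "QA Flag"),
    0x48C13: (1, "Device Type"),
    0x48C42: (1, "HDD Copy Mode"),
    0x48C50: (0x10, "Debug Support Flag"),
    0x48C60: (1, "Update Status"),
    0x48C61: (1, "Recover Mode Flag"),
    0x48D3E: (0x50, "QA Token"),
}

# EEPROM offset range -> NVS block ID (mapping table above); anything else is Invalid.
BLOCK_MAP = [
    (0x48000, 0x480FF, 0x00),
    (0x48800, 0x488FF, 0x01),
    (0x48C00, 0x48CFF, 0x02),
    (0x48D00, 0x48DFF, 0x03),
    (0x02F00, 0x02FFF, 0x10),
    (0x03000, 0x030FF, 0x20),
]

# System data entries, index -> (offset, size), from the "System Data From EEPROM" table.
SYSTEM_DATA = [(0x48D20, 6), (0x48D28, 6), (0x48D30, 6), (0x48D38, 6),
               (0x48D00, 4), (0x48D04, 4), (0x48D08, 4)]


def block_for_offset(offset: int) -> Optional[int]:
    """Return the NVS block ID covering `offset`, or None where the table says Invalid."""
    for lo, hi, block_id in BLOCK_MAP:
        if lo <= offset <= hi:
            return block_id
    return None


def decode_flags(dump: bytes, base: int) -> dict:
    """Decode every FLAG_TABLE entry that lies inside a dumped block.

    One-byte flags follow the page's convention: 0xFF = inactive, 0x00 = active.
    Multi-byte fields are returned as hex; calling an all-0xFF field "unset" is
    an assumption made in this example by analogy with that convention.
    """
    result = {}
    for off, (size, name) in FLAG_TABLE.items():
        if off < base or off + size > base + len(dump):
            continue  # field lives in a different block
        raw = dump[off - base:off - base + size]
        if size == 1:
            state = {0xFF: "inactive", 0x00: "active"}.get(raw[0], "other")
        else:
            state = "unset" if all(b == 0xFF for b in raw) else "present"
        result[name] = (raw.hex(), state)
    return result


def system_data_entries(dump: bytes, base: int = 0x48D00) -> list:
    """Slice the seven system data entries out of a block 0x03 dump."""
    entries = []
    for index, (off, size) in enumerate(SYSTEM_DATA):
        start = off - base
        entries.append((index, off, dump[start:start + size].hex()))
    return entries


# Constructed sample block 0x02: an "untouched" block (all 0xFF) with only the
# Recover Mode flag at 0x48C61 set to 0x00. Not a dump from any real console.
SAMPLE_BLOCK2 = bytearray(b"\xFF" * 0x100)
SAMPLE_BLOCK2[0x48C61 - 0x48C00] = 0x00

# Constructed sample block 0x03 with recognisable filler in each system data slot.
SAMPLE_BLOCK3 = bytearray(b"\x00" * 0x100)
for _idx, (_off, _size) in enumerate(SYSTEM_DATA):
    SAMPLE_BLOCK3[_off - 0x48D00:_off - 0x48D00 + _size] = bytes([0xA0 + _idx] * _size)

if __name__ == "__main__":
    for off in (0x48C06, 0x48D3E, 0x2F10, 0x1000):
        print(f"offset 0x{off:05X} -> block {block_for_offset(off)}")
    for name, (value, state) in decode_flags(bytes(SAMPLE_BLOCK2), 0x48C00).items():
        print(f"{name:20s} {value:>6s} {state}")
    for entry in system_data_entries(bytes(SAMPLE_BLOCK3)):
        print(entry)
```

Feeding a real block 0x02 dump (0x100 bytes starting at 0x48C00) to `decode_flags` reports each flag's state without touching the EEPROM; the QA Token is skipped because it lives in block 0x03.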
Dumping your SC EEPROM
Linux
First you need graf_chokolo's kernel, ps3dm-utils and linux_hv_scripts.
When you are ready:
Patch DM using linux_hv_scripts:
dmpatch.sh
Read the data from the region you want, for example (see the tables above):
ps3dm_scm /dev/ps3dmproxy 0x48000 0xFF
You can find some cool stuff in the resulting dumps.
Hashes
Where exactly the hashes are stored is still unknown; it is said that they are stored in the SC EEPROM.
To retrieve information about the packages you have installed you can also use ps3dm-utils.
Linux
Installed Package info
ps3dm_um /dev/ps3dmproxy get_pkg_info TYPE
Examples
get_pkg_info 1 - Core OS package
0003004100000000
get_pkg_info 2 - Revoke List for program
0003004100000000
get_pkg_info 3 - Revoke list for package
0002003000000000
get_pkg_info 4
deadbeaffacebabe
get_pkg_info 5
deadbeaffacebabe
get_pkg_info 6 - Firmware Package
0003005000000000
You can find more information about this in Hypervisor Reverse Engineering.
Hashes
What algorithm is used and what exactly is hashed is still unknown.
ps3dm_scm /dev/ps3dmproxy get_region_data ID
These hashes are checked by lv1 to make sure that the data has not been altered; the check is visible through scm_get_region_data: get_result: ret[X]: 0x%x
Examples
region_data 0 - Core OS package
00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb
region_data 1
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
region_data 2
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
region_data 3 //Revoke List for program?
00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
region_data 4
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
region_data 5 //Revoke List for package?
00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
region_data 6
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
region_data 7
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
region_data 8 //BD Firmware Package?
00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
region_data 9
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
region_data 10
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
region_data 11
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
region_data 12
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
region_data 13
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
region_data 14
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
region_data 15
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be
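Added example, not code from this wiki page or from ps3dm-utils: a classifier for the get_region_data lines listed above, using those lines and the get_pkg_info values as its only input. It sorts each region into erased (all 0xFF), placeholder (repeated deadbeaffacebabe) or populated, measures how many bytes after the first eight carry data before the trailing fill, and reports which get_pkg_info value equals a region's first eight bytes. Splitting at eight bytes is an assumption made for the example because those prefixes coincide with the listed get_pkg_info values; the page does not document the layout or the hash algorithm, and the example does not try to identify either.

```python
import re

# Lines copied from the region_data examples above (region IDs 0, 1, 3, 6, 8).
REGION_DATA = {
    0: "00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce "
       "81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb",
    1: "ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff "
       "ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff",
    3: "00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 "
       "87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff",
    6: "de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be "
       "de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be",
    8: "00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
       "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
}

# get_pkg_info TYPE -> value, copied from the examples above.
PKG_INFO = {
    1: "0003004100000000",
    2: "0003004100000000",
    3: "0002003000000000",
    4: "deadbeaffacebabe",
    5: "deadbeaffacebabe",
    6: "0003005000000000",
}

PLACEHOLDER = bytes.fromhex("deadbeaffacebabe")  # filler pattern seen in unused regions


def parse_hex_dump(line: str) -> bytes:
    """Turn a space-separated hex line, as printed by the tool, into bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", line))


def classify_region(data: bytes) -> dict:
    """Describe one region dump: fill state, assumed 8-byte header, used body bytes."""
    if all(b == 0xFF for b in data):
        state = "erased"           # blank EEPROM fill
    elif len(data) % 8 == 0 and data == PLACEHOLDER * (len(data) // 8):
        state = "placeholder"      # repeated deadbeaffacebabe
    else:
        state = "populated"
    header, body = data[:8], data[8:]  # 8-byte split is this example's assumption
    # Count body bytes up to the trailing fill run (0xFF or 0x00), so the caller
    # sees how much of the region actually carries data.
    fill = body[-1:] if body[-1:] in (b"\xff", b"\x00") else b""
    used = len(body.rstrip(fill)) if fill else len(body)
    return {"state": state, "header": header.hex(),
            "used_body_bytes": used, "total": len(data)}


def matching_pkg_info(data: bytes) -> list:
    """get_pkg_info TYPEs whose listed value equals this region's first 8 bytes."""
    prefix = data[:8].hex()
    return [t for t, v in PKG_INFO.items() if v == prefix]


def report() -> dict:
    """Classify every sample region and attach the matching get_pkg_info types."""
    out = {}
    for rid, line in REGION_DATA.items():
        data = parse_hex_dump(line)
        info = classify_region(data)
        info["pkg_info_types"] = matching_pkg_info(data)
        out[rid] = info
    return out


if __name__ == "__main__":
    for rid, info in report().items():
        print(f"region_data {rid:2d}: {info['state']:11s} header={info['header']} "
              f"used={info['used_body_bytes']:2d}/{info['total'] - 8} "
              f"pkg_info={info['pkg_info_types']}")
```

Run over the page's listing, the populated regions (0, 3, 5, 8) carry prefixes equal to the get_pkg_info values for types 1/2, 3 and 6, while regions 6 and 7 and types 4 and 5 all show the same deadbeaffacebabe filler; the used-byte count is only a measurement of where the trailing fill starts, not a statement about the hash size.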