Flash: Difference between revisions
Jump to navigation
Jump to search
(→NAND Flash: VFlash regions. Big thanks @Flatz.) |
m (→NAND Flash) |
||
| Line 144: | Line 144: | ||
| {{perconsole}} || || 1 || VTRM1 || ~varies || ~varies || ~varies || ~varies || || <small>magic header : 0x0D80400 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........</small> | | {{perconsole}} || || 1 || VTRM1 || ~varies || ~varies || ~varies || ~varies || || <small>magic header : 0x0D80400 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........</small> | ||
|- | |- | ||
| | | {{perconsole}} || colspan="3" | VFlash area || 0x0F00000 || 0xEFFFFFF || 0xE100000 || (235,929,600 bytes) || 7800h || <small>Note: VFlash region table & all dev_flash regions are encrypted with a per console keys by ENCDEC device. | ||
magic header :0x0F00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬ая....Ю.ъО</small> | magic header :0x0F00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬ая....Ю.ъО</small> | ||
|- | |- | ||
| | | {{perconsole}} || 0 || colspan="2" | VFlash region table || 0x0F000C0 || || || || || <small>There are 5 regions: /dev_flash, /dev_flash2, /dev_flash3, OtherOS & Unknown/FF-region. Note: first 0x40000 bytes not counted because of masking bootldr by HV.</small> | ||
|- | |- | ||
| | | {{perconsole}} || 1 || {{perfirmware}} || /dev_flash (FAT16) [[Hypervisor_Reverse_Engineering#GameOS.27s_dev_flash|GameOS devflash]] || 0x0F40000 || 0xD6FFFFF || 0xC7C0000 || (209,453,056 bytes) || || <small>offset taken from region table (0x7800*0x200+0x40000=0x0F40000)</small> | ||
|- | |- | ||
| | | {{perconsole}} || 2 || {{generic}} || /dev_flash2 (FAT16) [[XRegistry.sys|XRegistry]] || 0xD700000 || 0xE6FFFFF || 0x1000000 || (16,777,216 bytes) || || <small>offset taken from region table (0x6B600*0x200+0x40000=0xD700000)</small> | ||
|- | |- | ||
| | | {{perconsole}} || 3 || {{perfirmware}} || /dev_flash3 (FAT12) [[Hypervisor_Reverse_Engineering#Content_Revocation_List_.28CRL.29|CRL]]/[[Hypervisor_Reverse_Engineering#Drive_Revocation_List_.28DRL.29|DRL]] || 0xE700000 || 0xE77FFFF || 0x80000 || (524,288 bytes) || || <small>offset taken from region table (0x73600*0x200+0x40000=0xE700000)</small> | ||
|- | |- | ||
| {{generic}} || 4 || | | {{generic}} || 4 || {{generic}} || [[Flash:cell_ext_os_area|cell_ext_os_area]] || 0xE780000 || 0xE78000F || 0x10 || (16 bytes) || 73C00h || <small>magic header : 0xE780000 63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61 cell_ext_os_area</small> | ||
|- | |- | ||
| {{generic}} || || | | {{generic}} || || {{generic}} || [[Flash:OtherOS|OtherOS]] || 0xE780800 || ~varies || ~varies || ~varies || 73C04h || <small>OtherOS loader/init.rd</small> | ||
|- | |- | ||
| {{generic}} || 5 || | | {{generic}} || 5 || {{generic}} || Unknown/FF-region || 0xEFC0000 || 0xEFFFFFF || 0x40000 || (262,144 bytes) || 77E00h || | ||
|- | |- | ||
| {{perconsole}} || colspan="3" | [[Flash:bootldr|bootldr]] || 0xF000000 || 0xF03FFFF || 0x40000 || (262,144 bytes) || 78000h || <small><abbr title="length of bootldr data seems notated @ offset 0x2-0x3">datasize</abbr> depends on bootldr revision</small> | | {{perconsole}} || colspan="3" | [[Flash:bootldr|bootldr]] || 0xF000000 || 0xF03FFFF || 0x40000 || (262,144 bytes) || 78000h || <small><abbr title="length of bootldr data seems notated @ offset 0x2-0x3">datasize</abbr> depends on bootldr revision</small> | ||
Revision as of 01:50, 1 July 2013
Overview
NOR Flash
The following is a list of files stored in NOR Flash
| type | R. | Name | Start Offset | End Offset | Size (h) | Size (bytes) | Block | Notes | ||
|---|---|---|---|---|---|---|---|---|---|---|
| gen | 1 | 0FACE0FF DEADBEEF | 0x000000 | 0x00001FF | 0x200 | (512 bytes) | 0h | magic header : 0x0000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ¾ï | ||
| gen | Flash Format | 0x000200 | 0x00003FF | 0x200 | (512 bytes) | 1h | 00000200 49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00 IFI............. (only 0x10 or 16 bytes used) | |||
| pc | Flashregion Table | 0x000400 | 0x0007FF | 0x400 | (1,024 bytes) | 2h | ||||
| pc | 0 | asecure_loader | 0x000800 | 0x02EFFF | 0x2E800 | (262,144 bytes) | 4h | contains metldr, extracted data starts from 0x000840, datasize depends on metldr revision | ||
| pc | 1 | eEID | 0x02F000 | 0x03EFFF | 0x10000 | (65,536 bytes) | 178h | |||
| pc | 0 | EID0 | 0x02F070 | 0x02F8CF | 0x860 | (2,144 bytes) | (IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID ) | |||
| pc | 1 | EID1 | 0x02F8D0 | 0x02FB6F | 0x2A0 | (672 bytes) | ||||
| pc | 2 | EID2 | 0x02FB70 | 0x03029F | 0x730 | (1,840 bytes) | ||||
| pc | 3 | EID3 | 0x0302A0 | 0x03039F | 0x100 | (256 bytes) | ||||
| pc | 4 | EID4 | 0x0303A0 | 0x0303CF | 0x30 | (48 bytes) | ||||
| pc | 5 | EID5 | 0x0303D0 | 0x030DCF | 0xA00 | (2,560 bytes) | ||||
| pc | F | unreferenced area | 0x030DD0 | 0x03EFFF | 0xE22F | (57,903 bytes) | ||||
| pc | 2 | cISD | 0x03F000 | 0x03F7FF | 0x800 | (2,048 bytes) | 1F8h | |||
| pc | 0 | cISD0 | 0x03F040 | 0x03F060 | 0x20 | (32 bytes) | ||||
| pc | 1 | cISD1 | 0x03F060 | 0x03F260 | 0x200 | (512 bytes) | console 2nd part serial @ 0x3F090 size 0x8 | |||
| pc | 2 | cISD2 | 0x03F260 | 0x03F270 | 0x10 | (16 bytes) | ||||
| pc | F | unreferenced area | 0x03F270 | 0x03F7FF | 0x58F | (1,423 bytes) | ||||
| pc | 3 | cCSD | 0x03F800 | 0x03FFFF | 0x800 | (2,048 bytes) | 1FCh | |||
| pc | 0 | cCSD0 | 0x03F820 | 0x03F84F | 0x30 | (48 bytes) | ||||
| pc | F | unreferenced area | 0x03F850 | 0x03FFFF | 0x7B0 | (1,968 bytes) | ||||
| pf | 4 | trvk_prg0 | 0x040000 | 0x05FFFF | 0x20000 | (131,072 bytes) | 200h | |||
| pf | 5 | trvk_prg1 | 0x060000 | 0x07FFFF | 0x20000 | (131,072 bytes) | 300h | |||
| pf | 6 | trvk_pkg0 | 0x080000 | 0x09FFFF | 0x20000 | (131,072 bytes) | 400h | |||
| pf | 7 | trvk_pkg1 | 0x0A0000 | 0x0BFFFF | 0x20000 | (131,072 bytes) | 500h | |||
| pf | 8 | ros0 | 0x0C0000 | 0x7BFFFF | 0x700000 | (7,340,032 bytes) | 600h | Contains CoreOS files, filecontent depends on firmware version | ||
| pf | 9 | ros1 | 0x7C0000 | 0xEBFFFF | 0x700000 | (7,340,032 bytes) | 3E00h | Contains CoreOS files, filecontent depends on firmware version | ||
| pc | A | cvtrm | 0xEC0000 | 0xEFFFFF | 0x40000 | (262,144 bytes) | 7600h | |||
| gen | 2 | 0FACE0FF DEADFACE | 0xF00000 | 0xF00FFF | 0x1000 | (4096 bytes) | 7800h | magic header : 0xF00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬àÿ....ÞúÎ | ||
| gen | CELL_EXTNOR_AREA | 0xF20000 | 0xF3FFFF | 0x20000 | (131,072 bytes) | 7900h | (Harddrive information is @ 0xF20200 absolute / 0x200 inside CELL_EXTNOR_AREA) | |||
| gen | CRL1 | 0xF40000 | 0xF5FFFF | 0x20000 | (131,072 bytes) | 7A00h | same as F80000 | |||
| gen | DRL1 | 0xF60000 | 0xF7FFFF | 0x20000 | (131,072 bytes) | 7B00h | same as FA0000 / sometimes also contains OCRL0200 | |||
| gen | CRL2 | 0xF80000 | 0xF9FFFF | 0x20000 | (131,072 bytes) | 7C00h | same as F40000 | |||
| gen | DRL2 | 0xFA0000 | 0xFBFFFF | 0x20000 | (131,072 bytes) | 7D00h | same as F60000 / sometimes also contains OCRL0200 | |||
| pc | lv0ldr | bootldr | 0xFC0000 | 0xFFFFFF | 0x40000 | (262,144 bytes) | 7E00h | End @ FEEAF0, FEEF70, FEF170, FEF570, FEF5F0, FEF600 in some dumps | ||
NAND Flash
The following is a list of files stored in NAND Flash
| type | Name | Start Offset | End Offset | Size (h) | Size (bytes) | Block | Notes | ||
|---|---|---|---|---|---|---|---|---|---|
| pc | bootldr | 0x0000000 | 0x003FFFF | 0x40000 | (262,144 bytes) | 0h | datasize depends on bootldr revision | ||
| gen | 0FACE0FF DEADBEEF | 0x0040000 | 0x00401FF | 0x200 | (512 bytes) | 200h | magic header : 0x040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ¾ï | ||
| pc | Flashregion Table | 0x0040200 | 0x00407FF | 0x600 | (1,536 bytes) | 201h | |||
| pc | 0 | asecure_loader | 0x0040800 | 0x00807FF | 0x40000 | (262,144 bytes) | 204h | contains metldr, extracted data starts from 0x040840, datasize depends on metldr revision | |
| pc | 1 | eEID | 0x0080800 | 0x00907FF | 0x10000 | (65,536 bytes) | 404h | ||
| pc | 0 | EID0 | 0x0080870 | 0x00810CF | 0x860 | (2,144 bytes) | (IDPS @ offset 0x00080870 absolute / 0x00000070 inside eEID ) | ||
| pc | 1 | EID1 | 0x00810D0 | 0x008136F | 0x2A0 | (672 bytes) | |||
| pc | 2 | EID2 | 0x0081370 | 0x0081A9F | 0x730 | (1,840 bytes) | |||
| pc | 3 | EID3 | 0x0081AA0 | 0x0081B9F | 0x100 | (256 bytes) | |||
| pc | 4 | EID4 | 0x0081BA0 | 0x0081BCF | 0x30 | (48 bytes) | |||
| pc | 5 | EID5 | 0x0081BD0 | 0x00825CF | 0xA00 | (2,560 bytes) | |||
| pc | F | unreferenced area | 0x00825D0 | 0x00907FF | 0xE22F | (57,903 bytes) | |||
| pc | 2 | cISD | 0x0090800 | 0x0090FFF | 0x800 | (2,048 bytes) | 484h | ||
| pc | 0 | cISD0 | 0x0090840 | 0x009085F | 0x20 | (32 bytes) | |||
| pc | 1 | cISD1 | 0x0090860 | 0x0090A5F | 0x200 | (512 bytes) | console 2nd part serial @ 0x90890 size 0x8 | ||
| pc | 2 | cISD2 | 0x0090A60 | 0x0090A6F | 0x10 | (16 bytes) | |||
| pc | F | unreferenced area | 0x0090A70 | 0x0090FFF | 0x58F | (1,423 bytes) | |||
| pc | 3 | cCSD | 0x0091000 | 0x00917FF | 0x800 | (2,048 bytes) | 488h | ||
| pc | 0 | cCSD0 | 0x0091020 | 0x009104F | 0x30 | (48 bytes) | |||
| pc | F | unreferenced area | 0x0091050 | 0x00917FF | 0x7B0 | (1,968 bytes) | |||
| pf | 4 | trvk_prg | 0x0091800 | 0x00937FF | 0x2000 | (8,192 bytes) | 48Ch | extracted size is 0x2000 for trvk_prg0 + trvk_prg1 combined as trvk_prg (8,192 bytes) | |
| pf | 5 | trvk_pkg | 0x0093800 | 0x00957FF | 0x2000 | (8,192 bytes) | 49Ch | extracted size is 0x2000 for trvk_pkg0 + trvk_pkg1 combined as trvk_pkg (8,192 bytes) | |
| gen | 6 | creserved_0 | 0x0095800 | 0x00BFFFF | 0x2A800 | (174,080 bytes) | 4ACh | ||
| pf | 7 | ROS | 0x00C0000 | 0x0EBFFFF | 0xE00000 | (14,680,064 bytes) | 600h | ||
| pf | 0 | ros0 | 0x00C0020 | 0x07BFFFF | 0x700000 | (7,340,032 bytes) | Contains CoreOS files, filecontent depends on firmware version | ||
| pf | 1 | ros1 | 0x07C0010 | 0x0EBFFFF | 0x700000 | (7,340,032 bytes) | Contains CoreOS files, filecontent depends on firmware version | ||
| pc | 8 | cvtrm | 0x0EC0000 | 0x0EFFFFF | 0x40000 | (262,144 bytes) | |||
| pc | M | SCEIVTRM | 0x0EC0000 | 0x0EC000F | 0x10 | (16 bytes) | magic header : 0x0D80000 53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8 SCEIVTRM.......¨ | ||
| pc | 0 | VTRM0 | ~varies | ~varies | ~varies | ~varies | magic header : 0x0D80020 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ | ||
| pc | 1 | VTRM1 | ~varies | ~varies | ~varies | ~varies | magic header : 0x0D80400 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ | ||
| pc | VFlash area | 0x0F00000 | 0xEFFFFFF | 0xE100000 | (235,929,600 bytes) | 7800h | Note: VFlash region table & all dev_flash regions are encrypted with a per console keys by ENCDEC device.
magic header :0x0F00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬ая....Ю.ъО | ||
| pc | 0 | VFlash region table | 0x0F000C0 | There are 5 regions: /dev_flash, /dev_flash2, /dev_flash3, OtherOS & Unknown/FF-region. Note: first 0x40000 bytes not counted because of masking bootldr by HV. | |||||
| pc | 1 | pf | /dev_flash (FAT16) GameOS devflash | 0x0F40000 | 0xD6FFFFF | 0xC7C0000 | (209,453,056 bytes) | offset taken from region table (0x7800*0x200+0x40000=0x0F40000) | |
| pc | 2 | gen | /dev_flash2 (FAT16) XRegistry | 0xD700000 | 0xE6FFFFF | 0x1000000 | (16,777,216 bytes) | offset taken from region table (0x6B600*0x200+0x40000=0xD700000) | |
| pc | 3 | pf | /dev_flash3 (FAT12) CRL/DRL | 0xE700000 | 0xE77FFFF | 0x80000 | (524,288 bytes) | offset taken from region table (0x73600*0x200+0x40000=0xE700000) | |
| gen | 4 | gen | cell_ext_os_area | 0xE780000 | 0xE78000F | 0x10 | (16 bytes) | 73C00h | magic header : 0xE780000 63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61 cell_ext_os_area |
| gen | gen | OtherOS | 0xE780800 | ~varies | ~varies | ~varies | 73C04h | OtherOS loader/init.rd | |
| gen | 5 | gen | Unknown/FF-region | 0xEFC0000 | 0xEFFFFFF | 0x40000 | (262,144 bytes) | 77E00h | |
| pc | bootldr | 0xF000000 | 0xF03FFFF | 0x40000 | (262,144 bytes) | 78000h | datasize depends on bootldr revision
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
| pc | F | unreferenced area | 0xF040000 | 0xFFFFFFF | 0xFC0000 | (16,515,072 bytes) | 78200h | ||
Notes
- All offsets on the index page are absolute. Offsets on subpages are relative within each section (unless otherwise mentioned)
- NOR and NAND are blockdevices and thus:
- The minimal chunk of data that can be read/written is a block (with flashdevices also named page). A block that has never been written (only erased/formatted) is filled with 0xFF's. When bytes are written to a block, the entire block must be written. The write process fills the nonused bytes (slack space) at the remainder of the block with 0x00's
- 1 block = 512 bytes (0x200) which conveniently correlates to the standard sectorsize used on magneto/optical drives
| |||||||||||||||||||||||||||||||||||||||||||||
