SC EEPROM: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
mNo edit summary
Line 83: Line 83:
| 0x48C14 || ? || cellos_spu_configure
| 0x48C14 || ? || cellos_spu_configure
|-
|-
| 0x48C18 || 4 || (seems it can be 0xFFFFFFFF, 0x00000000 to 0x00000012)
| 0x48C18 || 4 || System Language [[XRegistry.sys#Settings]] ( /setting/system/language )
|-
|-
| 0x48C1C || 4 || (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, default: 0x00000000)
| 0x48C1C || 4 || (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, default: 0x00000000)

Revision as of 17:22, 31 March 2014

Most of the information we have about the sc eeprom comes from graf_chokolo reverse engineering of the HV see Hypervisor Reverse Engineering

Here is where system flags, tokens and hashes are stored.

Right now most of the comunication we have with the sc eeprom is through linux using graf_chokolo ps3dm-utils and/or using his payloads.

Important Offsets

EEPROM Offset Table - Flags and Tokens

Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):

Offset Size Description
0x02F00 8 Downgrade Minimum Version String
0x02F08 0x10 Downgrade Minimum Version Build + Date Build String
0x02F20 8 Target ID? (HV bible lists the Target ID as 85 Europe, not 83 Japan)
0x02F28 0xD0 Padding/undocumented
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF xx xx 
xx xx xx FF FF xx xx xx xx xx xx xx xx xx xx xx 
xx xx 00 00 00 00 FF xx 00 xx xx FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF xx xx xx 00 00 
xx xx xx xx xx FF FF FF xx xx xx FF FF FF xx 00 
0x02FF8 1 Factory Bit (0 = ?, 1 = reset, 2 = ?, 3 = (on retails))
0x02FF9 0x7 Padding/undocumented
00 00 00 00 xx xx xx 
0x48013 0x2A QA Token ECDSA Signature (3.60>= firmwares)
0x48802 1
0x48804 1
0x48C00 1 load_image_in_rom flag
0x48C01 1 (force standalone mode related)
0x48C02 1 select_net_device (debug interface)
0x48C03 1 (sys.dbgcard.dgbe.index)
0x48C05 1 update_flag for CEB
0x48C06 1 FSELF Control Flag / toggles release mode
0x48C07 1 Product Mode (UM allows to read this offset, it can be also written but only when already in product mode)
0x48C08 1
0x48C0A 1 QA Flag
0x48C0B 1 mode_auth_flag / gx enable
0x48C0C 1
0x48C0D 1
0x48C0F 2
0x48C11 2
0x48C13 1 Device Type
0x48C14 ? cellos_spu_configure
0x48C18 4 System Language XRegistry.sys#Settings ( /setting/system/language )
0x48C1C 4 (seems it can be 0xFFFFFFFE, 0xFFFFFFFF, default: 0x00000000)
0x48C22 1 be nclk
0x48C23 1 be ref clk
0x48C24 3
0x48C30 1 SPE number Usally 0x06, can be set to 0x07 to enable the 8 SPE
0x48C31 4 sata_param
0x48C35 8 spr_tbuw_value
0x48C42 1 HDD Copy Mode
0x48C43 4
0x48C47 1 Analog Sunset Flag, will disable AACS video output without HDMI cable soon
0x48C50 0x10 Debug Support Flag
0x48C60 1 Update Status
0x48C61 1 Recover Mode Flag
0x48C80 6
0x48C88 6
0x48C90 7
0x48C98 7
0x48CA0 7
0x48CA8 7
0x48CB0 7
0x48CB8 7
0x48D00 4 ip_addr
0x48D04 4 ip_netmask
0x48D08 4 ip_gateway
0x48D20 6-8 spider.gbe0.macaddr.0
0x48D28 6
0x48D30 6
0x48D3E 0x50 QA Token (UM doesn't allow access to this offset but SC Manager can read/write it)
0x48D8E 0x50 mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth)

In a standard mostly untouched ps3 the common value for this flags is 0xFF wich means not active, anything else means active (e.g. 0xFE)

To change this to an active status you have to write 0x00 to turn on the flag

Debug support flag is tied to EID which is supposed to be hashed and saves in SC EEPROM

QA flag is tied to QA token that is also saved in this part of the SC EEPROM

QA Token ECDSA Signature is stored in 0x48013 offset (starting from 3.60 firmwares)

lv0 SC EEPROM usage

[*] lv0 NVS regions:
	# start_offset end_offset block   size
	0 0x00         0x12       0x48000 0x13
	1 0x00         0x0B       0x48800 0x0C
	2 0x00         0x1F       0x48C00 0x20
	3 0x22         0x24       0x48C00 0x03
	4 0x30         0x3C       0x48C00 0x0D
	5 0x40         0x4F       0x48C00 0x10
	6 0x80         0x8F       0x48C00 0x10
	7 0x90         0xBF       0x48C00 0x30
	8 0x00         0x0B       0x48D00 0x0C
	9 0x20         0x27       0x48D00 0x08
	A 0x3E         0x8D       0x48D00 0x50
	B 0x28         0x3F       0x48D00 0x18

[*] Example region data (taken from region cache):
	2:
	   01 FF 05 FF FF FF FF FF FF FF 00 FF FF FF FF FF
	   FF FF FF FE FF FF FF FF 00 00 00 01 00 00 00 00
	3:
	   FF FF 00
	4:
	   06 18 18 17 18 FF FF FF FF FF FF FF FF
	5:
	   FF FF 0D 02 0A 02 FF FF FF FF FF FF FF FF FF FF
	9:
	   FF FF FF FF FF FF FF FF

[*] lv0 SC EEPROM usage:
	name                 addr    size structure
	dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
	restrict_spu         0x48C30 0x01 [0x01 flag]
	sata_param           0x48C31 0x04 [0x04 flag]
	os_bank_indicator    0x48C24 0x01 [0x01 flag]
	cellos_spu_configure 0x48C33 0x04 [0x04 config]
	flash_ext_format     0x48C13 0x01 [0x01 flag]
	cellos_flags         0x48C0F 0x02 [0x02 flags]
	qaf_enable           0x48C0A 0x01 [0x01 flag]
	UNKNOWN (debug?)     0x48C08 0x01 [0x01 flag]
	fself_ctrl           0x48C06 0x01 [0x01 flag]
	select_dgbe_device   0x48C03 0x01 [0x01 index]
	os_boot_order_flag   0x48C00 0x01 [0x01 flag]
	qa_token             0x48D3E 0x50 [0x50 token]
	UNKNOWN              0x48804 0x04 [0x04 value]
	UNKNOWN              0x48D20 0x08 [0x08 value]
	rsx.rdcy.7           0x48CB8 0x08 [0x08 value]
	rsx.rdcy.6           0x48CB0 0x08 [0x08 value]
	rsx.rdcy.5           0x48CA8 0x08 [0x08 value]
	rsx.rdcy.4           0x48CA0 0x08 [0x08 value]
	rsx.rdcy.3           0x48C98 0x08 [0x08 value]
	rsx.rdcy.2           0x48C90 0x08 [0x08 value]
	rsx.rdcy.1           0x48C88 0x08 [0x08 value]
	rsx.rdcy.0           0x48C80 0x08 [0x08 value]
	be_nclck_flag2       0x48C23 0x01 [0x01 flag]
	be_nclck_flag1       0x48C22 0x01 [0x01 flag]
	select_net_device    0x48C02 0x01 [0x01 index]
	spr_tbuw_value       0x48C35 0x08 [0x08 value]
	bootrom_trace_level  0x48C11 0x01 [0x01 level]

System Data From EEPROM

Here is the list of possible EEPROM offsets:

Index SC EEPROM Offset Size Of Data Description
0 0x48D20 6 ?
1 0x48D28 6 ?
2 0x48D30 6 ?
3 0x48D38 6 ?
4 0x48D00 4 ?
5 0x48D04 4 ?
6 0x48D08 4 ?

Dumpable EEPROM Offset - Block ID and Block Offset Mapping Table (NVS Service)

Right now we only have read access to some portions of the eeprom to have access to this regions DM needs to be patched, see section dumping eeprom

EEPROM Offset Block ID Block Offset Description
0x48000 - 0x480FF 0x00 0x48000 - 0x480FF ?
0x48800 - 0x488FF 0x01 0x48800 - 0x488FF ?
0x48C00 - 0x48CFF 0x02 0x48C00 - 0x48CFF Contains flags and tokens/ see above
0x48D00 - 0x48DFF 0x03 0x48D00 - 0x48DFF System Data Region
0x2F00 - 0x2FFF 0x10 0x2F00 - 0x2FFF "Industry Area" aka OS Version Area
0x3000 - 0x30FF 0x20 0x3000 - 0x30FF "CS Area"
All other offsets Invalid Invalid ?

Dumping your SC EEPROM

Linux

First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts.

If you are ready.

Patch DM using linux_hv_scripts

dmpatch.sh

Read the data from the region you want for example (see tables above)

ps3dm_scm /dev/ps3dmproxy 0x48000 0xFF

You can see some coolstuff that containing dumps

Hashes

Where exactly the hashes are stored is still a secret, it is said that those hashes are stored in SC EEPROM

To retrive the information about the packages you have installed you can also use ps3d_utils

Linux

Installed Package info

ps3dm_um /dev/ps3dmproxy get_pkg_info TYPE

Examples


get_pkg_info 1 - Core OS package

	
		0003004100000000

get_pkg_info 2 - Revoke List for program

	
		0003004100000000

get_pkg_info 3 - Revoke list for package

		0002003000000000

get_pkg_info 4

		deadbeaffacebabe

get_pkg_info 5

		deadbeaffacebabe

get_pkg_info 6 - Firmware Package

		0003005000000000


You can find more information about this in Hypervisor Reverse Engineering


Hashes

What algorithm is used and what exactly is hashed is still unknown (seems that the content of files is hashed by the SHA-1).

ps3dm_scm /dev/ps3dmproxy get_region_data ID

This hashes are checked by lv1 to make sure that the data has not been altered throgh scm_get_region_data: get_result: ret[X]: 0x%x

Examples



region_data 0 - Core OS package

00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb 

region_data 1

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 2

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 3 //Revoke List for program?

	
00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 4

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 5 //Revoke List for package?

		
00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

region_data 6

	
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 7

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 8 - BD Firmware Package

	
00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

region_data 9

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 10

	
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 11

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 12

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 13

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 14

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 15

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

Tokens

Here we will document the different types off tokens known in the PS3 All tokens are tied? encrypted? using EID0. They enable additional repository nodes.

List

Token Location Size SPU module Description
qa_token sc_eeprom - 0x48D3E 0x50 spu_token_processor.self
user_token ? ? spu_utoken_processor.self Encrypted/Signed
token_seed ? ? ? This is used to create the token with EID0

Token Seed

?

Structure

This section has to be corrected, is only based on debug strings, we need to decrypt the tokens

Token Seed

?

QA Token

User Token

Address Size Description
? ? m_magic
? ? m_format_version
? ? m_size
? ? m_capability
? ? m_expire_date
? ? m_idps?
? ? m_attribute
? ? m_digest

For every atribute in the token

Address Size Description
? ? attr:m_type
? ? attr:m_size
? ? attr:m_data