Flash: Difference between revisions
Jump to navigation
Jump to search
m (→NAND Flash) |
m (→NAND Flash) |
||
Line 131: | Line 131: | ||
| {{perfirmware}} || 7 || colspan="2" | [[Flash:ROS|ros]] || 0x00C0000 || 0x0EBFFFF || <abbr title="length of both ROS0+ROS1 combined is notated @ offset 0x004036D-0x004036F">0xE00000</abbr> || (14,680,064 bytes) || 600h | | {{perfirmware}} || 7 || colspan="2" | [[Flash:ROS|ros]] || 0x00C0000 || 0x0EBFFFF || <abbr title="length of both ROS0+ROS1 combined is notated @ offset 0x004036D-0x004036F">0xE00000</abbr> || (14,680,064 bytes) || 600h | ||
|- | |- | ||
| {{perfirmware}} || || 0 || [[Flash:ROS##ros0|ros0]] || 0x00C0020 || 0x07C000F || 0x6FFFF0 || (7,340, | | {{perfirmware}} || || 0 || [[Flash:ROS##ros0|ros0]] || 0x00C0020 || 0x07C000F || 0x6FFFF0 || (7,340,016 bytes) || || <small>Contains CoreOS files, [http://www.ps3devwiki.com/index.php?title=Boot_Order#CoreOS_PKG_Filelisting filecontent depends on firmware version]</small> | ||
|- | |- | ||
| {{perfirmware}} || || 1 || [[Flash:ROS##ros1|ros1]] || 0x07C0010 || 0x0EBFFFF || 0x6FFFF0 || (7,340, | | {{perfirmware}} || || 1 || [[Flash:ROS##ros1|ros1]] || 0x07C0010 || 0x0EBFFFF || 0x6FFFF0 || (7,340,016 bytes) || || <small>Contains CoreOS files, [http://www.ps3devwiki.com/index.php?title=Boot_Order#CoreOS_PKG_Filelisting filecontent depends on firmware version]</small> | ||
|- | |- | ||
| {{perconsole}} || 8 || colspan="2" | [[Flash:cvtrm|cvtrm]] || 0x0EC0000 || 0x0EFFFFF || <abbr title="length is notated @ offset 0x004039D-0x004039F">0x40000</abbr> || (262,144 bytes) || || | | {{perconsole}} || 8 || colspan="2" | [[Flash:cvtrm|cvtrm]] || 0x0EC0000 || 0x0EFFFFF || <abbr title="length is notated @ offset 0x004039D-0x004039F">0x40000</abbr> || (262,144 bytes) || || |
Revision as of 22:25, 16 May 2015
Overview
NOR Flash
The following is a list of files stored in NOR Flash
type | R. | Name | Start Offset | End Offset | Size (h) | Size (bytes) | Block | Notes | ||
---|---|---|---|---|---|---|---|---|---|---|
gen | 1 | 0FACE0FF DEADBEEF | 0x000000 | 0x00001FF | 0x200 | (512 bytes) | 0h | magic header : 0x0000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ¾ï | ||
gen | Flash Format | 0x000200 | 0x00003FF | 0x200 | (512 bytes) | 1h | 00000200 49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00 IFI............. (only 0x10 or 16 bytes used) | |||
pc | Flashregion Table | 0x000400 | 0x0007FF | 0x400 | (1,024 bytes) | 2h | ||||
pc | 0 | asecure_loader | 0x000800 | 0x02EFFF | 0x2E800 | (262,144 bytes) | 4h | contains metldr, extracted data starts from 0x000840, datasize depends on metldr revision | ||
pc | 1 | eEID | 0x02F000 | 0x03EFFF | 0x10000 | (65,536 bytes) | 178h | |||
pc | 0 | EID0 | 0x02F070 | 0x02F8CF | 0x860 | (2,144 bytes) | (IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID ) | |||
pc | 1 | EID1 | 0x02F8D0 | 0x02FB6F | 0x2A0 | (672 bytes) | ||||
pc | 2 | EID2 | 0x02FB70 | 0x03029F | 0x730 | (1,840 bytes) | ||||
pc | 3 | EID3 | 0x0302A0 | 0x03039F | 0x100 | (256 bytes) | ||||
pc | 4 | EID4 | 0x0303A0 | 0x0303CF | 0x30 | (48 bytes) | ||||
pc | 5 | EID5 | 0x0303D0 | 0x030DCF | 0xA00 | (2,560 bytes) | ||||
pc | F | unreferenced area | 0x030DD0 | 0x03EFFF | 0xE22F | (57,903 bytes) | ||||
pc | 2 | cISD | 0x03F000 | 0x03F7FF | 0x800 | (2,048 bytes) | 1F8h | |||
pc | 0 | cISD0 | 0x03F040 | 0x03F060 | 0x20 | (32 bytes) | ||||
pc | 1 | cISD1 | 0x03F060 | 0x03F260 | 0x200 | (512 bytes) | console 2nd part serial @ 0x3F090 size 0x8 | |||
pc | 2 | cISD2 | 0x03F260 | 0x03F270 | 0x10 | (16 bytes) | ||||
pc | F | unreferenced area | 0x03F270 | 0x03F7FF | 0x58F | (1,423 bytes) | ||||
pc | 3 | cCSD | 0x03F800 | 0x03FFFF | 0x800 | (2,048 bytes) | 1FCh | |||
pc | 0 | cCSD0 | 0x03F820 | 0x03F84F | 0x30 | (48 bytes) | ||||
pc | F | unreferenced area | 0x03F850 | 0x03FFFF | 0x7B0 | (1,968 bytes) | ||||
pf | 4 | trvk_prg0 | 0x040000 | 0x05FFFF | 0x20000 | (131,072 bytes) | 200h | |||
pf | 5 | trvk_prg1 | 0x060000 | 0x07FFFF | 0x20000 | (131,072 bytes) | 300h | |||
pf | 6 | trvk_pkg0 | 0x080000 | 0x09FFFF | 0x20000 | (131,072 bytes) | 400h | |||
pf | 7 | trvk_pkg1 | 0x0A0000 | 0x0BFFFF | 0x20000 | (131,072 bytes) | 500h | |||
pf | 8 | ros0 | 0x0C0000 | 0x7BFFFF | 0x700000 | (7,340,032 bytes) | 600h | Contains CoreOS files, filecontent depends on firmware version | ||
pf | 9 | ros1 | 0x7C0000 | 0xEBFFFF | 0x700000 | (7,340,032 bytes) | 3E00h | Contains CoreOS files, filecontent depends on firmware version | ||
pc | A | cvtrm | 0xEC0000 | 0xEFFFFF | 0x40000 | (262,144 bytes) | 7600h | |||
gen | 2 | 0FACE0FF DEADFACE | 0xF00000 | 0xF00FFF | 0x1000 | (4096 bytes) | 7800h | magic header : 0xF00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬àÿ....ÞúÎ | ||
gen | CELL_EXTNOR_AREA | 0xF20000 | 0xF3FFFF | 0x20000 | (131,072 bytes) | 7900h | (Harddrive information is @ 0xF20200 absolute / 0x200 inside CELL_EXTNOR_AREA) | |||
gen | CRL1 | 0xF40000 | 0xF5FFFF | 0x20000 | (131,072 bytes) | 7A00h | same as F80000 | |||
gen | DRL1 | 0xF60000 | 0xF7FFFF | 0x20000 | (131,072 bytes) | 7B00h | same as FA0000 / sometimes also contains OCRL0200 | |||
gen | CRL2 | 0xF80000 | 0xF9FFFF | 0x20000 | (131,072 bytes) | 7C00h | same as F40000 | |||
gen | DRL2 | 0xFA0000 | 0xFBFFFF | 0x20000 | (131,072 bytes) | 7D00h | same as F60000 / sometimes also contains OCRL0200 | |||
pc | lv0ldr | bootldr | 0xFC0000 | 0xFFFFFF | 0x40000 | (262,144 bytes) | 7E00h | End @ FEEAF0, FEEF70, FEF170, FEF570, FEF5F0, FEF600 in some dumps |
NAND Flash
The following is a list of files stored in NAND Flash
type | Name | Start Offset | End Offset | Size (h) | Size (bytes) | Block | Notes | ||
---|---|---|---|---|---|---|---|---|---|
pc | bootldr | 0x0000000 | 0x003FFFF | 0x40000 | (262,144 bytes) | 0h | datasize depends on bootldr revision | ||
gen | 0FACE0FF DEADBEEF | 0x0040000 | 0x00401FF | 0x200 | (512 bytes) | 200h | magic header : 0x040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ¾ï | ||
pc | Flashregion Table | 0x0040200 | 0x00407FF | 0x600 | (1,536 bytes) | 201h | |||
pc | 0 | asecure_loader | 0x0040800 | 0x00807FF | 0x40000 | (262,144 bytes) | 204h | contains metldr, extracted data starts from 0x040840, datasize depends on metldr revision | |
pc | 1 | eEID | 0x0080800 | 0x00907FF | 0x10000 | (65,536 bytes) | 404h | ||
pc | 0 | EID0 | 0x0080870 | 0x00810CF | 0x860 | (2,144 bytes) | (IDPS @ offset 0x00080870 absolute / 0x00000070 inside eEID ) | ||
pc | 1 | EID1 | 0x00810D0 | 0x008136F | 0x2A0 | (672 bytes) | |||
pc | 2 | EID2 | 0x0081370 | 0x0081A9F | 0x730 | (1,840 bytes) | |||
pc | 3 | EID3 | 0x0081AA0 | 0x0081B9F | 0x100 | (256 bytes) | |||
pc | 4 | EID4 | 0x0081BA0 | 0x0081BCF | 0x30 | (48 bytes) | |||
pc | 5 | EID5 | 0x0081BD0 | 0x00825CF | 0xA00 | (2,560 bytes) | |||
pc | F | unreferenced area | 0x00825D0 | 0x00907FF | 0xE22F | (57,903 bytes) | |||
pc | 2 | cISD | 0x0090800 | 0x0090FFF | 0x800 | (2,048 bytes) | 484h | ||
pc | 0 | cISD0 | 0x0090840 | 0x009085F | 0x20 | (32 bytes) | |||
pc | 1 | cISD1 | 0x0090860 | 0x0090A5F | 0x200 | (512 bytes) | console 2nd part serial @ 0x90890 size 0x8 | ||
pc | 2 | cISD2 | 0x0090A60 | 0x0090A6F | 0x10 | (16 bytes) | |||
pc | F | unreferenced area | 0x0090A70 | 0x0090FFF | 0x58F | (1,423 bytes) | |||
pc | 3 | cCSD | 0x0091000 | 0x00917FF | 0x800 | (2,048 bytes) | 488h | ||
pc | 0 | cCSD0 | 0x0091020 | 0x009104F | 0x30 | (48 bytes) | |||
pc | F | unreferenced area | 0x0091050 | 0x00917FF | 0x7B0 | (1,968 bytes) | |||
pf | 4 | trvk_prg | 0x0091800 | 0x00937FF | 0x2000 | (8,192 bytes) | 48Ch | extracted size is 0x2000 for trvk_prg0 + trvk_prg1 combined as trvk_prg (8,192 bytes) | |
pf | 5 | trvk_pkg | 0x0093800 | 0x00957FF | 0x2000 | (8,192 bytes) | 49Ch | extracted size is 0x2000 for trvk_pkg0 + trvk_pkg1 combined as trvk_pkg (8,192 bytes) | |
gen | 6 | creserved_0 | 0x0095800 | 0x00BFFFF | 0x2A800 | (174,080 bytes) | 4ACh | ||
pf | 7 | ros | 0x00C0000 | 0x0EBFFFF | 0xE00000 | (14,680,064 bytes) | 600h | ||
pf | 0 | ros0 | 0x00C0020 | 0x07C000F | 0x6FFFF0 | (7,340,016 bytes) | Contains CoreOS files, filecontent depends on firmware version | ||
pf | 1 | ros1 | 0x07C0010 | 0x0EBFFFF | 0x6FFFF0 | (7,340,016 bytes) | Contains CoreOS files, filecontent depends on firmware version | ||
pc | 8 | cvtrm | 0x0EC0000 | 0x0EFFFFF | 0x40000 | (262,144 bytes) | |||
pc | M | SCEIVTRM | 0x0EC0000 | 0x0EC000F | 0x10 | (16 bytes) | magic header : 0x0D80000 53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8 SCEIVTRM.......¨ | ||
pc | 0 | VTRM0 | ~varies | ~varies | ~varies | ~varies | magic header : 0x0D80020 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ | ||
pc | 1 | VTRM1 | ~varies | ~varies | ~varies | ~varies | magic header : 0x0D80400 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ | ||
pc | VFlash area | 0x0F00000 | 0xEFFFFFF | 0xE100000 | (235,929,600 bytes) | 7800h | Note: VFlash region table & all dev_flash regions are encrypted with a per console keys by ENCDEC device.
magic header :0x0F00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬ая....Ю.ъО | ||
pc | 0 | VFlash region table | 0x0F000C0 | There are 5 regions: /dev_flash, /dev_flash2, /dev_flash3, OtherOS & Unknown/FF-region. Note: first 0x40000 bytes not counted because of masking bootldr by HV. | |||||
pc | 1 | pf | /dev_flash (FAT16) GameOS devflash | 0x0F40000 | 0xD6FFFFF | 0xC7C0000 | (209,453,056 bytes) | offset taken from region table (0x7800*0x200+0x40000=0x0F40000) | |
pc | 2 | gen | /dev_flash2 (FAT16) XRegistry | 0xD700000 | 0xE6FFFFF | 0x1000000 | (16,777,216 bytes) | offset taken from region table (0x6B600*0x200+0x40000=0xD700000) | |
pc | 3 | pf | /dev_flash3 (FAT12) CRL/DRL | 0xE700000 | 0xE77FFFF | 0x80000 | (524,288 bytes) | offset taken from region table (0x73600*0x200+0x40000=0xE700000) | |
gen | 4 | gen | cell_ext_os_area | 0xE780000 | 0xE78000F | 0x10 | (16 bytes) | 73C00h | magic header : 0xE780000 63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61 cell_ext_os_area |
gen | gen | OtherOS | 0xE780800 | ~varies | ~varies | ~varies | 73C04h | OtherOS loader/init.rd | |
gen | 5 | gen | Unknown/FF-region | 0xEFC0000 | 0xEFFFFFF | 0x40000 | (262,144 bytes) | 77E00h | |
pc | bootldr | 0xF000000 | 0xF03FFFF | 0x40000 | (262,144 bytes) | 78000h | datasize depends on bootldr revision
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
pc | F | unreferenced area | 0xF040000 | 0xFFFFFFF | 0xFC0000 | (16,515,072 bytes) | 78200h |
Notes
- All offsets on the index page are absolute. Offsets on subpages are relative within each section (unless otherwise mentioned)
- NOR and NAND are blockdevices and thus:
- The minimal chunk of data that can be read/written is a block (with flashdevices also named page). A block that has never been written (only erased/formatted) is filled with 0xFF's. When bytes are written to a block, the entire block must be written. The write process fills the nonused bytes (slack space) at the remainder of the block with 0x00's
- 1 block = 512 bytes (0x200) which conveniently correlates to the standard sectorsize used on magneto/optical drives
Common Flash Interface (CFI)
An access to the common flash interface can be enabled by writing to the physical address space of flash memory device, for example, you can use ps3sbmmio driver on Linux.
# Enter CFI printf '\x98\x98' | dd of=/dev/ps3sbmmio bs=1 count=2 seek=$((0x1f0000aa)) # Dump CFI tables for i in {0..127}; do dd if=/dev/ps3sbmmio bs=1 count=1 skip=$((0x1f000001+$i*2)) >> cfi_tables.bin 2>/dev/null; done; xxd cfi_tables.bin # Exit from CFI printf '\xf0\xf0' | dd of=/dev/ps3sbmmio bs=1 count=2 seek=$((0x1f000000))
Here is an output from Slim console (JTP-001):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000010 51 52 59 02 00 40 00 00 00 00 00 27 36 00 00 06 QRY..@.....'6... 0000020 06 09 10 03 05 03 02 18 02 00 06 00 01 7f 00 00 ................ 0000030 02 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ................ 0000040 50 52 49 31 33 14 02 01 00 08 00 00 02 b5 c5 04 PRI13........... 0000050 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ 0000060 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ 0000070 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Mouseover for byte usage description as explained in the below linked Spansion Application Note for CFI
Reference
|