Hardware flashing: Difference between revisions
m (→downloads) |
m (→downloads) |
||
Line 151: | Line 151: | ||
* diagrams - for PS3: see above, but others are available here: [http://www.progskeet.com/downloads/diagrams_110803.rar diagrams_110803.rar] (mirror: [http://www.multiupload.com/5XEX630GN5 diagrams_110803.rar (4.76 MB)]) | * diagrams - for PS3: see above, but others are available here: [http://www.progskeet.com/downloads/diagrams_110803.rar diagrams_110803.rar] (mirror: [http://www.multiupload.com/5XEX630GN5 diagrams_110803.rar (4.76 MB)]) | ||
* drivers - [http://www.progskeet.com/downloads/drivers_110726.rar drivers_110726.rar] (mirror: [http://www.multiupload.com/MIGAUSZL16 drivers_110726.rar (235.62 KB)]) | * drivers - [http://www.progskeet.com/downloads/drivers_110726.rar drivers_110726.rar] (mirror: [http://www.multiupload.com/MIGAUSZL16 drivers_110726.rar (235.62 KB)]) | ||
* flasher software - [http://www.progskeet.com/downloads/ProgSkeet_110803.rar ProgSkeet_110803.rar] | * flasher software - [http://www.progskeet.com/downloads/ProgSkeet_110803.rar ProgSkeet_110803.rar] (mirror: [http://www.multiupload.com/N88OW4HAK5 ProgSkeet_110803.rar (28.37 KB)] | ||
==== Infectus ==== | ==== Infectus ==== |
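Review bot: the mirror text added on the right-hand side of the "flasher software" line opens with "(mirror:" but ends at "(28.37 KB)]" with no closing ")", unlike the diagrams and drivers lines above it; add the ")" after the final "]". The new mirror also points at a third-party file host for the flasher software, and neither link on that line carries a checksum, so consider listing a hash next to the file name so readers can confirm the two copies match.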
Revision as of 18:29, 3 August 2011
Both early launch consoles which feature NAND flash memory and later consoles which feature NOR flash memory are able to be flashed. Currently the preferred method of flashing the dual-NAND consoles is by using an Infectus modchip or similar (e.g. Progskeet).
Marcan has made a NOR flasher / address sniffer for his PS3 slim by re-purposing an FPGA board made for Wii hacking. noralizer is a git repo that contains the HDL (Verilog) and associated host computer tools for flashing/sniffing. There are ~50 signals to solder. Some PS3s contain two NAND flashes (block devices, that interleave their data unlike NOR flash).
Work has been underway by defyboy to bring out a low cost AVR (Atmel 90USB1286) based NOR flasher that is capable of reading and writing on all consoles. Other people haven't been sitting idle either: uf6667 and Icekiller have developed Progskeet, based on an Actel A3P125 MCU, for NAND and NOR based consoles, and "no_one" has developed PNM - Project Nor Manager.
NAND Wiring
Flashers for NAND based consoles (CECHA/COK-001, CECHB/COK-001, CECHC/COK-002, CECHD/unreleased, CECHE/COK-002W, CECHF/unreleased, CECHG/SEM-001) are generally wired directly to the pins of the NAND, plus ground and Vcc. For NAND pinouts see: Flash (Hardware) #NAND
There are 2 NANDs interleaved at the 512-byte sector level, giving a 1024-byte "interleaved sector". Pages are 2 KB on each NAND.
Chip/PIN | Signal | Progskeet | Infectus | Description |
---|---|---|---|---|
NAND 0 | ||||
0/1-6 | NC | NC | NC | No Connection |
0/7 | R/B | 3 | A9 | Read/Busy Output |
0/8 | RE | 98 | A15 | Read Enable |
0/9 | CE | 7 | A14 | Chip Enable |
0/10+11 | NC | NC | NC | No Connection |
0/12 | Vcc | not used/not connected | not used/not connected | Vcc (min 2.7V-max 3.6V / typ 3.3V) |
0/13 | Vss | not used/not connected | not used/not connected | VSS - Ground |
0/14+15 | NC | NC | NC | No Connection |
0/16 | CLE | 4 | A13 | Command Latch Enable |
0/17 | ALE | 5 | A12 | Address Latch Enable |
0/18 | WE | 2 | A11 | Write Enable |
0/19 | WP | 6 | A10 | Write Protect |
0/20-28 | NC | NC | NC | No Connection |
0/29 | I/O-0 | 90 / dq8 | A0 | |
0/30 | I/O-1 | 91 / dq9 | A1 | |
0/31 | I/O-2 | 92 / dq10 | A2 | |
0/32 | I/O-3 | 93 / dq11 | A3 | |
0/33-35 | NC | NC | NC | No Connection |
0/36 | Vss | not used/not connected | not used/not connected | VSS - Ground |
0/37 | Vcc | not used/not connected | not used/not connected | Vcc (min 2.7V-max 3.6V / typ 3.3V) |
0/38-40 | NC | NC | NC | No Connection |
0/41 | I/O-4 | 94 / dq12 | A4 | |
0/42 | I/O-5 | 95 / dq13 | A5 | |
0/43 | I/O-6 | 96 / dq14 | A6 | |
0/44 | I/O-7 | 97 / dq15 | A7 | |
0/45-48 | NC | NC | NC | No Connection |
Chip/PIN | Signal | Progskeet | Infectus | Description |
NAND 1 | ||||
1/1-6 | NC | NC | NC | No Connection |
1/7 | R/B | 64 / rdy | U | Read/Busy Output |
1/8 | RE | 69 / oe | M | Read Enable |
1/9 | CE | 60 / gp3 | N | Chip Enable |
1/10+11 | NC | NC | NC | No Connection |
1/12 | Vcc | not used/not connected | not used/not connected | Vcc (min 2.7V-max 3.6V / typ 3.3V) |
1/13 | Vss | not used/not connected | not used/not connected | VSS - Ground |
1/14+15 | NC | NC | NC | No Connection |
1/16 | CLE | 63 / gp0 | O | Command Latch Enable |
1/17 | ALE | 62 / gp1 | P | Address Latch Enable |
1/18 | WE | 65 / we | Q | Write Enable |
1/19 | WP | 61 / gp2 | T | Write Protect |
1/20-28 | NC | NC | NC | No Connection |
1/29 | I/O-0 | 79 / dq0 | D0 | |
1/30 | I/O-1 | 80 / dq1 | D1 | |
1/31 | I/O-2 | 81 / dq2 | D2 | |
1/32 | I/O-3 | 82 / dq3 | D3 | |
1/33-35 | NC | NC | NC | No Connection |
1/36 | Vss | not used/not connected | not used/not connected | VSS - Ground |
1/37 | Vcc | not used/not connected | not used/not connected | Vcc (min 2.7V-max 3.6V / typ 3.3V) |
1/38-40 | NC | NC | NC | No Connection |
1/41 | I/O-4 | 83 / dq4 | D4 | |
1/42 | I/O-5 | 84 / dq5 | D5 | |
1/43 | I/O-6 | 85 / dq6 | D6 | |
1/44 | I/O-7 | 86 / dq7 | D7 | |
1/45-48 | NC | NC | NC | No Connection |
Board trace | ||||
GND | Vss | not used/not connected | GND | VSS - Ground |
+5V | Vcc | not used/not connected | 5V | Vcc (typ +5VDC) from TH3401 |
Note: Some modification seems to be needed for Progskeet, see "ps3 with nand questions" @ progskeet forum, quoted: "desolder R8, left pin of switch to left lead of R7, middle pin of switch to right lead of R7, Vcc to +3.3 // put switch in "OFF" (right) position, power on the ps3, put the switch in the "ON"/left position, it will be recognized by the PC, NAND is always on now, do everything as usual".
Using NAND flashers
Progskeet
... nothing yet ... please help by adding this :)
downloads
All downloads are available here
- diagrams - for PS3: see above, but others are available here: diagrams_110803.rar (mirror: diagrams_110803.rar (4.76 MB))
- drivers - drivers_110726.rar (mirror: drivers_110726.rar (235.62 KB))
- flasher software - ProgSkeet_110803.rar (mirror: ProgSkeet_110803.rar (28.37 KB))
Infectus
For Infectus, don't use 3.9.9.0, as it removes dual NAND PS3 support :S If your board already came with this version or higher, use this: prepare_infectus_for_ps3.rar (5.53 MB). If it is done, it will show up as "2 NAND Programmer" in the bottom left. Dual NAND PS3 compatible version: Infectus_programmer_3.8_Beta_2.zip (4.02 MB)
Powering the Infectus crashes the PS3 and leaves the NANDs in powered mode. Use the console to power the NANDs: power it up until the PS3 crashes and halts with a red flashing LED, then press power again; this stops the flashing but keeps the console powered on. The NANDs are not accessed by the PS3 in this state, so it doesn't matter if the NAND content is already messed up. After that, you can read/write the NANDs.
Needed NAND tools
In case the flasher program doesn't understand dual NAND de/interleaving, you'll need: FlowRebuilder v.4.1.0.0
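What de/interleaving at the 512-byte sector level means for two per-chip dumps, as an added example (not FlowRebuilder's code and not from the original page). It assumes NAND 0 supplies the first half of each 1024-byte interleaved sector and that the dumps contain no spare-area bytes; all function names are made up for illustration.

```python
SECTOR = 512                      # interleave granularity given on the page
CHIP_SIZE = 128 * 1024 * 1024     # one 128MB NAND, spare area not included


def interleave(nand0: bytes, nand1: bytes) -> bytes:
    """Merge two per-chip dumps into 1024-byte interleaved sectors."""
    if len(nand0) != len(nand1):
        raise ValueError("per-chip dumps differ in size; re-read before merging")
    if len(nand0) % SECTOR:
        raise ValueError("dump is not a whole number of 512-byte sectors")
    out = bytearray(2 * len(nand0))
    for off in range(0, len(nand0), SECTOR):
        # Assumption: NAND 0 supplies the first half of each interleaved sector.
        out[2 * off:2 * off + SECTOR] = nand0[off:off + SECTOR]
        out[2 * off + SECTOR:2 * off + 2 * SECTOR] = nand1[off:off + SECTOR]
    return bytes(out)


def deinterleave(image: bytes) -> tuple:
    """Split a merged image back into (nand0, nand1) for per-chip writing."""
    if len(image) % (2 * SECTOR):
        raise ValueError("image is not a whole number of interleaved sectors")
    nand0, nand1 = bytearray(), bytearray()
    for off in range(0, len(image), 2 * SECTOR):
        nand0 += image[off:off + SECTOR]
        nand1 += image[off + SECTOR:off + 2 * SECTOR]
    return bytes(nand0), bytes(nand1)


def dump_kind(size: int) -> str:
    """Classify a dump file by size before deciding how to process it."""
    if size == CHIP_SIZE:
        return "one chip"
    if size == 2 * CHIP_SIZE:
        return "both chips"
    return "unexpected"


def constructed_chips(sectors: int = 4) -> tuple:
    """Constructed sample data: each sector is filled with a tag byte."""
    a = b"".join(bytes([0xA0 + n]) * SECTOR for n in range(sectors))
    b = b"".join(bytes([0xB0 + n]) * SECTOR for n in range(sectors))
    return a, b


if __name__ == "__main__":
    a, b = constructed_chips()
    merged = interleave(a, b)
    assert deinterleave(merged) == (a, b)
    print([hex(merged[i]) for i in range(0, len(merged), SECTOR)])
```

If the merged image does not show recognisable data at the expected offsets, the chip order assumed here may be reversed for your flasher's output; swap the arguments and compare.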
Dump NAND from GameOS
dump_flash.pkg // backup/mirror: dump-flash+syscon.rar (280.51 KB)
Make sure USB stick is FAT32 with enough free space (256MB per dump)
Difference between hardware dumps and software dumps
ps3vflasha
hardware dumps
dump size = 256 MB (268,435,456 bytes)
bootldr is at 0x000000 on NAND (0xFC0000 on NOR)
software dumps
dump size = 239 MB (251,396,096 bytes)
bootldr not at 0x000000 on NAND :
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬à ÿ....Þ¾ï
reason:
addi %r12, %r4, 0x200 # r4 = start sector
25MB NAND consoles have a hidden section of size 0x40000 (0x200 * 512 byte sector = 0x40000) hidden by the hv. The hv hides it at address 002786E8
Original code : 0x39840200f8010090
Change to : 0x39840000f8010090
Too dangerous to patch unless you peek/poke because obviously it messes with all the offsets
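Decoding the two 8-byte values above confirms that they differ only in the immediate of the addi instruction, which is the start-sector offset the page describes. This is an added example, not code from the original page; the helper names are made up for illustration and only the first 32-bit word is decoded.

```python
import struct

SECTOR = 512  # bytes per sector, as used in the page's 0x200 * 512 calculation

# The two 8-byte sequences quoted on the page.
ORIGINAL = bytes.fromhex("39840200f8010090")
PATCHED = bytes.fromhex("39840000f8010090")


def decode_dform(word: int) -> dict:
    """Split a 32-bit PowerPC D-form instruction into its fields."""
    simm = word & 0xFFFF
    if simm & 0x8000:              # the immediate is a signed 16-bit value
        simm -= 0x10000
    return {
        "opcode": word >> 26,          # primary opcode, 14 = addi
        "rd": (word >> 21) & 0x1F,     # destination register
        "ra": (word >> 16) & 0x1F,     # source register
        "simm": simm,
    }


def first_insn(code: bytes) -> dict:
    """Decode the first big-endian instruction word of a code sequence."""
    (word,) = struct.unpack(">I", code[:4])
    return decode_dform(word)


def hidden_bytes(code: bytes) -> int:
    """Bytes skipped at the start of flash by the sector offset in addi."""
    insn = first_insn(code)
    if insn["opcode"] != 14:
        raise ValueError("first instruction is not addi")
    return insn["simm"] * SECTOR


def changed_offsets(a: bytes, b: bytes) -> list:
    """Byte positions at which two equal-length sequences differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    print(first_insn(ORIGINAL), hex(hidden_bytes(ORIGINAL)))
    print(first_insn(PATCHED), hex(hidden_bytes(PATCHED)))
    print("differing byte offsets:", changed_offsets(ORIGINAL, PATCHED))
```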
'NOR' Interface Testpoints on NAND consoles
Similar to the NOR based consoles, testpoints can be found on the back of the PCB. It seems these are from the bus between the South Bridge and the Starship2. Attempts have been made to document/trace these. Address lines 0-17 and data lines 0-15 as well as some control lines are documented, but so far these could not be used to read/flash the console in a NOR fashion.
NOR Interface Testpoints
Probably to aid in factory programming, Sony provides NOR testpoints on the bottom side of the motherboard. There are 16 data lines (word access) and generally 23 address lines. You will also need to control Chip Enable (#CE), Write Enable (#WE), Tristate (SB_DISABLE) and, for some boards, Write Protect (#WP).
Tristate
Tristate, or SB_DISABLE as it is referred to in the service manuals, exists solely for the purpose of placing the South Bridge pins into high-impedance (the third state) so that we can access the flash without the South Bridge interfering.
Because the tristate pin is not connected to the NOR flash TSOP package, but to the South Bridge BGA package, tracing the pin is quite difficult. One should be able to locate it with the console running: ground out the unknown pins whilst checking the continuity of a known address or data line against ground. These should enter high-impedance (no continuity) when you ground out SB_DISABLE.
Connecting NOR pads to flasher
PAD | Progskeet | Teensy2.0++ NORway | |
---|---|---|---|
A0 | adr0 | F0 | |
A1 | adr1 | F1 | |
A2 | adr2 | F2 | |
A3 | adr3 | F3 | |
A4 | adr4 | F4 | |
A5 | adr5 | F5 | |
A6 | adr6 | F6 | |
A7 | adr7 | F7 | |
A8 | adr8 | PA0 | |
A9 | adr9 | PA1 | |
A10 | adr10 | PA2 | |
A11 | adr11 | PA3 | |
A12 | adr12 | PA4 | |
A13 | adr13 | PA5 | |
A14 | adr14 | PA6 | |
A15 | adr15 | PA7 | |
A16 | adr16 | B0 | |
A17 | adr17 | B1 | |
A18 | adr18 | B2 | |
A19 | adr19 | B3 | |
A20 | adr20 | B4 | |
A21 | adr21 | B5 | |
A22 | adr22 | B6 | |
DQ0 | dq0 | D0 | |
DQ1 | dq1 | D1 | |
DQ2 | dq2 | D2 | |
DQ3 | dq3 | D3 | |
DQ4 | dq4 | D4 | |
DQ5 | dq5 | D5 | |
DQ6 | dq6 | D6 | |
DQ7 | dq7 | D7 | |
DQ8 | dq8 | C0 | |
DQ9 | dq9 | C1 | |
DQ10 | dq10 | C2 | |
DQ11 | dq11 | C3 | |
DQ12 | dq12 | C4 | |
DQ13 | dq13 | C5 | |
DQ14 | dq14 | C6 | |
DQ15 | dq15 | C7 | |
#WE | we | E5 | |
CE# | gp0 | E0 | |
RESET | gp1 | E4 | |
TRISTATE | gp2 | E7 | |
WP# | gp3 | ?tied to Vcc? | |
OE# | oe | E1 | |
RY/BY# | rdy | E6 | |
VSS | GND | GND |
Notes: The Teensy requires a 3.3V voltage regulator! 5V trace has to be cut and 3V pads have to be shorted! Please refer to https://www.pjrc.com/teensy/3volt.html
Also note that Teensy can be very slow: 0:05:11 for a full dump/read (52,68 KB/s), 0:01:35 per sector write or 2:08:19 for a full write (2,12 KB/s) // Comparison with Progskeet: 0:00:16 for a full dump/read (~1MB/s), 0:00:00.365 per sector write or 0:00:46.811 for a full write (~300-400KB/s).
Board Revisions
COK-001, COK-002, SEM-001
These are the earliest revisions of the PS3 motherboard (CECHA, CECHB, CECHC, CECHE, CECHG) and contain 2 x Samsung K9F1G08U0A-PIB0 128MB NAND Chips for a total of 256MB. These chips are interleaved which is controlled by a proprietary controller chip codenamed "Starship2" or SS2. This chip handles the interleaving and presents the NAND Chips to the South Bridge as a single large coherent NOR Chip.
DIA-001, DIA-002
These boards were the first to get the NOR flash memory from the middle revisions of the PS3 (CECHH, CECHJ, CECHK). Only a single Spansion S29GL128N90TFIR2 16MB NOR flash chip is used and the Starship2 chip has been completely removed. The 128N is JEDEC CFI compliant and organized as 8,388,608 words or 16,777,216 bytes, addressable as 16-bit words (PS3 modus operandi) and 8-bit / 1 byte when the BYTE# signal is logic zero.
VER-001
Used in the last revisions of the fatter model PS3 (CECHL, CECHM, CECHP, CECHQ), again with the single Spansion S29GL128N90TFIR2 16MB NOR flash with the exception of the CECHL which used a Samsung K8Q2815UQB-P14B 16MB NOR flash.
JSD-001
This is the pinout originally supplied by Marcan for a CECH-2504A. The points match those taken from a CECH-2504B slim console. Most slims may carry this arrangement.
Pinout Gallery
- VER-001 NOR.JPG
VER-001 NOR Testpoints