Flash: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
Line 634: Line 634:


== unreferenced area ==
== unreferenced area ==
FF filled area of length 0xE22F (57903 bytes)
Possibly just unused EID region (which also explains why it is FF filled) <br />
=== example ===
=== example ===
{| class="wikitable"
{| class="wikitable"
Line 652: Line 652:
....
....
000907E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000907E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000907F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000907F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre>
 
</pre>
|-
|-
|}
|}

Revision as of 14:35, 6 December 2011

Typical Flash TSOP package found on PS3's can either be 2x128mb NAND or 1x16mb NOR

This is an attempt at documenting the files located and stored on flash. Please do note that this is from reverse engineering several flash dumps, not from reverse engineering the PS3 firmware itself. This involves alot of guesswork and may not be accurate and there may be information missing.

NOR Flash - Overview

The following is a list of files stored in NOR Flash

type Name Start Offset End Offset Size (h) Size (bytes) Notes
gen 0FACE0FF DEADBEEF 0x000010 0x000001F 0x10 (16 bytes) magic header : 0x0040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ­¾ï
pc flashregion table 0x0000400
pc 0 asecure_loader 0x000810 0x02F010 0x2E800 (190,464 bytes) aka metldr
pc 1 eEID 0x02F010 0x03F010 0x10000 (65,636 bytes) (IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID )
pc 2 cISD 0x03F010 0x03F810 0x800 (2,048 bytes)
pc 3 cCSD 0x03F400 0x040010 0x800 (2,048 bytes)
pf 4 trvk_prg0 0x03FC00 0x060010 0x20000 (131,072 bytes)
pf 5 trvk_prg1 0x05FC00 0x080010 0x20000 (131,072 bytes)
pf 6 trvk_pkg0 0x080010 0x0A0010 0x20000 (131,072 bytes)
pf 7 trvk_pkg1 0x0A0010 0x0C0010 0x20000 (131,072 bytes)
pf 8 ros0 0x0C0010 0x7C0010 0x700000 (7,340,032 bytes) Contains CoreOS files, filecontent depends on firmware version
pf 9 ros1 0x7C0010 0xEC0010 0x700000 (7,340,032 bytes) Contains CoreOS files, filecontent depends on firmware version
pc A cvtrm 0xEC0010 0xF00010 0x40000 (262,144 bytes)
gen CELL_EXTNOR_AREA 0xF20000 0xFA0040 0x80040 (524,352 bytes)
pc bootldr 0xFC0000 0xFEEAF0 0x2EAF0 (191,216 bytes) End @ FEF170, FEF570, FEF5F0, FEF600 in some dumps

NAND Flash - Overview

The following is a list of files stored in NAND Flash

type Name Start Offset End Offset Size (h) Size (bytes) Notes
pc bootldr 0x0000000 0x003FFFF 0x40000 (191,216 bytes) datasize depends on bootldr revision
gen 0FACE0FF DEADBEEF 0x0040010 0x004001F 0x10 (16 bytes) magic header : 0x0040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ­¾ï
pc flashregion table 0x0040200
pc 0 asecure_loader 0x0040810 0x004F64F 0x40000 (60,992 bytes) aka metldr, extracted data starts from 0x040840, datasize depends on metldr revision
pc 1 eEID 0x0080800 0x0090800 0x10000 (65,636 bytes) (IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID )
pc 2 cISD 0x0090800 0x0091000 0x800 (2,048 bytes)
pc 3 cCSD 0x0091000 0x0091800 0x800 (2,048 bytes)
pf 4 trvk_prg0
trvk_prg1
0x0091800 0x0093800 0x2000 (8,192 bytes) extracted size is 0x2000 for trvk_prg0 + trvk_prg1 combined as trvk_prg (8,192 bytes)
pf 5 trvk_pkg0
trvk_pkg1
0x0093800 0x0095800 0x2000 (4080 bytes) extracted size is 0x2000 for trvk_pkg0 + trvk_pkg1 combined as trvk_pkg (8,192 bytes)
gen 6 creserved_0 - - 0x2A800 (174,080 bytes)
pf 7 ros 0x00C0010 0x0EC0010 0xE00000 (1,4680,064 bytes)
pf 0 ros0 0x00C0010 0x07C0010 0x700000 (7,340,032 bytes) Contains CoreOS files, filecontent depends on firmware version
pf 1 ros1 0x07C0010 0x0EC0010 0x700000 (7,340,032 bytes) Contains CoreOS files, filecontent depends on firmware version
pc 8 cvtrm - - 0x40000 (262,144 bytes)
pc M SCEIVTRM ~varies ~varies 0x10 (16 bytes) magic header : 0x0D80000 53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8 SCEIVTRM.......¨
pc 0 VTRM0 ~varies ~varies ~varies ~varies magic header : 0x0D80020 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........
pc 1 VTRM1 ~varies ~varies ~varies ~varies magic header : 0x0D80400 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........
gen cell_ext_os_area 0xE780000 0xE78000F 0x10 (16 bytes) magic header : 0xE780000 63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61 cell_ext_os_area
gen OtherOS 0xE780800 ~varies ~varies ~varies OtherOS loader/init.rd


First Region

Header - 0FACE0FF DEADBEEF

Location:

  • NOR: 0x000000 - 0x0000200
  • NAND: 0x0040000 - 0x0040200

example

NOR: 0x000000 - 0x0000200 NAND: 0x0040000 - 0x0040200
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ.¾ï
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00  ..............x.
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00040000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00040010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ­¾ï
00040020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 00  ..............v.
00040030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
000401F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

structure

Address Length Value Description
0x00 0x10 0x0 Blank/Unknown
0x10 0x10 0x0FACE0FF 0xDEADBEEF Magic number
0x20 0x10 0x7800 Length of region * 0x200
0x30 0x1D0 0x0 Blank/Unknown

Unknown Header - IFI

Location: NOR only : 0x000200 - 0x00003FF

The next block of 512 bytes only has the first 16 bytes written. Unsure exactly what this means.

example

NOR only : 0x000200 - 0x00003FF NAND: N.A.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00000200  49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00  IFI.............
00000210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000003F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
N.A.

structure

Address Length Value Description
0x200 0x10 0x49464900 (String: "IFI") 0x1 0x2 0x0 Unknown

File Table

Location:

  • NOR: 0x0000400 - 0x00007FF
  • NAND: 0x0040200 - 0x00407FF

The next 1024 bytes contain the file entry table

Header

Small 16 byte header to describe length and entry count

example

NOR: 0x0000400 - 0x000040F NAND: 0x0040200 - 0x004020F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   00000400  00 00 00 01 00 00 00 0B 00 00 00 00 00 EF FC 00  .............ïü.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00040200  00 00 00 01 00 00 00 09 00 00 00 00 00 EB FE 00  .............ëþ.

structure

Address Length Value Description
0x0 0x4 0x01 Unknown
0x4 0x4 0x0B Entry Count
0x8 0x8 0xEFFC00 Length of Flash Region (relative to 0x400 (region start)

First is a header, this tells us how many files are stored here.

Entry Table

Then follows a 32 byte entry for each file

example

NOR: 0x0000410 - 0x00007FF NAND: 0x0040210 - 0x00407FF
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00000410  00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00  ..............è.
00000420  61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00  asecure_loader..
00000430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00040210  00 00 00 00 00 00 06 00 00 00 00 00 00 04 00 00  ................
00040220  61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00  asecure_loader..
00040230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

structure

Address Length Value Description
0x0 0x8 0x400 File offset relative to 0x400 (Region start)
0x8 0x8 0x2E800 File length
0x10 0x20 char[32]:"asecure_loader" File name

asecure_loader region

Location:

  • NOR: 0x0000800 - 0x0002EFFF
  • NAND: 0x0040800 - 0x004F64F

Within asecure_loader is another file table similar to region 1 but is located within region 1 itself. This has only been observed to hold metldr in its encrypted form.

Header

example

NOR: 0x0000800 - 0x000080F NAND: 0x0040800 - 0x004080F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00040800  00 00 00 01 00 00 00 01 00 00 00 00 00 04 00 00  ................

structure

Address Length Value Description
0x00 0x04 0x01 Unknown
0x04 0x04 0x01 Entry Count
0x08 0x08 0x2E800 Length of Region

Entry Table

Then follows a 32 byte entry for asecure (metldr) file

example

NOR: 0x0000810 - 0x000083F NAND: 0x0040810 - 0x004083F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00040810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 EE 10  .......@......î.
00040820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00040830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

structure

Address Length Value Description
0x0 0x08 0x40 File offset relative to 0x810 (asecure_loader header)
0x8 0x08 0xE8D0 File Length
0x10 0x20 char[32]:"metldr" File name

Metldr binary

note: exact length depends on metldr revision and is mentioned in previous entrytable

example

NOR: 0x0000840 - 0x000F12F NAND: 0x0040840 - 0x004F66F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00000840  00 00 0E 89 43 B6 EF 4A E2 0F 74 00 C8 80 9E 53  ...‰C¶ïJâ.t.È€žS
00000850  00 00 0E 89 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7  ...‰üÑؾoôÈØ.áÃ÷
00000860  8B E4 7A 13 F1 F9 85 EF 66 01 96 81 BD CA 31 EA  ‹äz.ñù…ïf.–.½Ê1ê
00000870  9F 86 36 BB 92 4C FF EE FA 92 88 D3 E5 27 96 24  Ÿ†6»’Lÿîú’ˆÓå'–$
....
0000F0F0  ED BA DE 64 76 29 8E C6 CC FC DD 30 40 56 39 6B  íºÞdv)ŽÆÌüÝ0@V9k
0000F100  03 F3 C1 D1 81 41 85 32 24 A6 46 67 CC FB 3F 64  .óÁÑ.A…2$¦FgÌû?d
0000F110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000F120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00040840  00 00 0E DD 2F 6C 62 2E CA 7F AE 0D 2F 76 B5 D4  ...Ý/lb.Ê.®./vµÔ
00040850  00 00 0E DD 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ...Ý“·ß8”’.¶ÃœÒª
00040860  B2 6A E5 B6 D9 EB D8 5A 63 B2 32 E0 75 18 7C 63  ²jå¶ÙëØZc²2àu.|c
00040870  8D A0 30 54 F6 34 63 FB 01 8F DE 31 0A D7 FF 3D  . 0Tö4cû..Þ1.×ÿ=
....
0004F630  2D 76 13 0B F3 89 32 A3 D2 A2 4A 18 19 FD 30 DC  -v..ó‰2£Ò¢J..ý0Ü
0004F640  D8 18 00 DA BD E3 99 EB 80 DE CE A8 59 7B 8F 49  Ø..Ú½ã™ë€ÞΨY{.I
0004F650  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0004F660  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

eEID

This section of flash contains QA tokens

It is 0x10000 in length (64 kb) but only the first 0x1DD0 is used, the rest is padded with FF

It is composed of 6 sections numbered from 0 to 5

eEID contains your system model data, your target ID, and your PS3 motherboard revision

Section Description iso module
EID0 EID0 is needed for loading parameters to isoldr for loading isolated SELF files on a SPE aim_spu_module
EID1 ?
EID2 ? + BD drive pairing fdm_spu_module
EID3 ?
EID4 ? sv_iso_spu_module
EID5 ?

Header

example

NOR: 0x002F000 - 0x002F00F NAND: 0x0080800 - 0x008080F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002F000  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00080800  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........

structure

Address Length Value Description
0x0 0x4 0x6 Number of entries
0x4 0x8 0x1DD0 Length of entire eEID package
0x8 0x8 0x0 Unknown/Blank

File Table

This is the whole file table

example

NOR: 0x002F010 - 0x002F06F NAND: 0x0080810 - 0x008086F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002F010  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........
0002F020  00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01  ...Ð... ........
0002F030  00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02  ...p...0........
0002F040  00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03  ... ............
0002F050  00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04  ... ...0........
0002F060  00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05  ...Ð............
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00080810  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........
00080820  00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01  ...Ð... ........
00080830  00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02  ...p...0........
00080840  00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03  ... ............
00080850  00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04  ... ...0........
00080860  00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05  ...Ð............

structure

0x10 bytes per entry as follows:

Address Length Value Description
0x0 0x4 0x70 Entry point
0x4 0x8 0x860 Length
0x8 0x8 0x0 EID number

Typical EID entry addresses and lengths

Entry point listed is offset from base EID address (NOR:0x002F000 / NAND:0x0080800 in these examples)
Absolute start address is base EID address + Entry point
Absolute end address is base EID address + Entry point + Length

Description Entry point Length NOR Address NAND Address
start end start end
EID0 0x70 0x860 0x002F070 0x002F8D0 0x0080870 0x00810D0
EID1 0x8D0 0x2A0 0x002F8D0 0x002FB70 0x00810D0 0x0081370
EID2 0xB70 0x730 0x002FB70 0x00302A0 0x0081370 0x0081AA0
EID3 0x12A0 0x100 0x00302A0 0x00303A0 0x0081AA0 0x0081BA0
EID4 0x13A0 0x30 0x00303A0 0x00303D0 0x0081BA0 0x0081BD0
EID5 0x13D0 0xA00 0x00303D0 0x0030DD0 0x0081BD0 0x00825D0

EID0 - Section 0

Indi manager can write to it
AIM can rehash it

example

NOR: 0x002F070 - 0x002F8D0 NAND: 00080870 - 0x00810D0
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002F070  00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  .....‰.......‘.\
0002F080  00 12 00 0B FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7  ....üÑؾoôÈØ.áÃ÷
....
0002F8B0  5B B4 1B C2 81 59 79 1A E6 DA F1 FD 5C E8 5B 67  [´.Â.Yy.æÚñý\è[g
0002F8C0  EA 85 A8 F6 9F A1 C6 A2 5E 59 C5 61 A9 5F 6D 2E  ê…¨öŸ¡Æ¢^YÅa©_m.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00080870  00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  .....Š....R¼Ç.m²
00080880  00 12 00 0B 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ....“·ß8”’.¶ÃœÒª
....
000810B0  05 CA AE F2 3A 9C 88 09 90 D6 41 4B DA 37 6C AF  .Ê®ò:œˆ..ÖAKÚ7l¯
000810C0  4A 63 D7 B0 3E DD 5A 29 55 6A 9B E7 96 6E E1 EE  Jc×°>ÝZ)Uj›ç–náî

structure

Address Size Value Description Observations
0x0 0x10 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C IDPS IDPS This contains your Target ID
0x10 0x4 00 12 00 0B Unknown
0x14 0x12 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 Per console key? Appear to be the same key as in the encrypted files metloader/bootloader
Rest Rest Rest Encrypted Data?

EID 1 - Section 1

example

NOR: 0x002F8D0 - 0x002FB70 NAND: 0x00810D0 - 0x0081370
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002F8D0  DB D1 FF 70 CF CA D6 A6 59 94 15 E1 B3 FC CF CA  ÛÑÿpÏÊÖ¦Y”.á³üÏÊ
0002F8E0  B6 48 D5 01 39 4A 76 00 25 76 F6 F0 36 65 68 A7  ¶HÕ.9Jv.%vöð6eh§
....
0002FB50  AB 66 60 E8 B7 0D 3F 78 C5 59 2B D4 77 EB 2C 2D  «f`è·.?xÅY+Ôwë,-
0002FB60  C3 6A B9 FA BB 63 CD EA 5D D2 39 8A 3F 77 2A 09  Ãj¹ú»cÍê]Ò9Š?w*.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000810D0  A3 D6 F3 27 20 C6 80 11 EA A3 A1 75 48 36 4C 10  £Öó' Æ€.꣡uH6L.
000810E0  C9 6F B0 3D BF 85 4F D4 1F 89 01 C9 BC 64 DE 08  Éo°=¿…OÔ.‰.ɼdÞ.
....
00081350  2A DF F9 45 E4 94 FD 43 33 82 6E 82 BB E9 CD 3F  *ßùEä”ýC3‚n‚»éÍ?
00081360  53 5F E0 5A A2 7A 7E 6E 3D 50 A3 2B 16 68 7B 28  S_àZ¢z~n=P£+.h{(

structure

Appears to be encrypted, not much is known about this one


EID 2 - Section 2

example

NOR: 0x002FB70 - 0x00302A0 NAND: 0x0081370 - 0x0081AA0
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0002FB70  00 80 06 90 00 00 00 00 00 00 00 00 00 00 00 00  .€..............
0002FB80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0002FB90  56 64 18 79 DC 30 12 51 3C C5 69 21 0C AD ED 8F  Vd.yÜ0.Q<Åi!.­í.
0002FBA0  67 DC 77 CC B6 4B 2D FB 68 F2 2E 41 A0 F4 C7 88  gÜw̶K-ûhò.A ôLj
....
00030280  03 92 40 B3 63 F4 62 97 D2 3D AE 82 1B F4 EC CA  .’@³côb—Ò=®‚.ôìÊ
00030290  30 72 60 A5 7E B7 11 54 D9 9D 02 5C 20 7A CE 83  0r`¥~·.TÙ..\ z΃
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00081370  00 80 06 90 00 00 00 00 00 00 00 00 00 00 00 00  .€..............
00081380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00081390  FC CA 19 07 3F FA D0 87 DF 20 23 98 99 17 F1 DF  üÊ..?úÐ‡ß #˜™.ñß
000813A0  95 A7 98 49 EC 4D 68 D2 61 D7 2F BE 4A 7E 86 02  •§˜IìMhÒa×/¾J~†.
....
00081A80  76 D5 07 20 D1 85 07 39 4D 2E F9 CE 0F A4 61 ED  vÕ. Ñ….9M.ùÎ.¤aí
00081A90  18 A6 BB 00 F9 55 69 BB DC 60 54 6D 40 C5 AF 3D  .¦».ùUi»Ü`Tm@ů=

structure

Not sure about this one, appears to be some recurring patterns in here

EID 3 - Section 3

example

NOR: 0x00302A0 - 0x00303A0 NAND: 0x0081AA0 - 0x0081BA0
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000302A0  00 00 00 01 58 1B 20 6E 00 00 00 00 01 8B 39 46  ....X. n.....‹9F
000302B0  00 01 00 D0 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7  ...ÐüÑؾoôÈØ.áÃ÷
000302C0  31 6B 01 24 85 68 AD 48 F4 D9 C5 E1 3E D5 BD A8  1k.$…h­HôÙÅá>Õ½¨
000302D0  A1 DD 7A 4A F2 95 3C FE 62 F2 F4 FD E0 48 98 35  ¡ÝzJò•<þbòôýàH˜5
000302E0  4D EB E2 E5 94 40 5F 29 BD 44 20 6E F1 14 92 5C  Mëâå”@_)½D nñ.’\
000302F0  19 1D 35 A5 32 54 FF 12 52 86 DD 19 4D E4 67 31  ..5¥2Tÿ.R†Ý.Mäg1
00030300  7F 34 A4 EE 0C 19 9B 0F C9 E3 81 4D F9 F7 1D 88  .4¤î..›.Éã.Mù÷.ˆ
00030310  90 C8 D3 F0 D5 40 5F 6B 2B A5 2D 1D D6 1F 58 37  .ÈÓðÕ@_k+¥-.Ö.X7
00030320  35 A5 7E 90 05 F1 89 2E 7F 76 BC 22 3F D4 F4 C3  5¥~..ñ‰..v¼"?ÔôÃ
00030330  31 58 62 79 2E D7 27 E3 4D 9F 16 BC 8E 7E B7 8D  1Xby.×'ãMŸ.¼Ž~·.
00030340  20 2F 8B 76 4F E7 FC 0F 4B 0E 26 54 AF 72 82 AD   /‹vOçü.K.&T¯r‚­
00030350  9E 93 28 FB EA 3B 3D 62 47 C7 06 68 D0 5B C9 4E  ž“(ûê;=bGÇ.hÐ[ÉN
00030360  E9 8F 1F 45 B1 7B 9B E3 9E 5C 33 5F E3 15 C5 B6  é..E±{›ãž\3_ã.Ŷ
00030370  E7 35 F4 0F C9 D6 F8 48 0B C7 63 A7 56 5D 96 C4  ç5ô.ÉÖøH.Çc§V]–Ä
00030380  CD 53 F2 95 5F 78 A1 5D 48 A6 9C D2 0B 40 D2 90  ÍSò•_x¡]H¦œÒ.@Ò.
00030390  7D 83 7B 24 12 F3 9F A7 F4 1E 7A 9B 98 50 2C 02  }ƒ{$.óŸ§ô.z›˜P,.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00081AA0  00 00 00 01 39 20 C4 E4 00 00 00 00 00 6E 38 61  ....9 Ää.....n8a
00081AB0  00 01 00 D0 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ...Г·ß8”’.¶ÃœÒª
00081AC0  EA 14 35 C0 0F 48 31 01 FE 4C FD 1B F8 A5 C1 04  ê.5À.H1.þLý.ø¥Á.
00081AD0  B2 EE 21 12 5F F2 68 21 40 61 3D ED 62 7B EC 91  ²î!._òh!@a=íb{ì‘
00081AE0  0F C2 D4 27 D9 90 34 C4 19 0D AB 2E 28 9B F4 F6  .ÂÔ'Ù.4Ä..«.(›ôö
00081AF0  00 F5 05 71 FA 53 A6 E8 52 57 9D 9E 7E 8B 9C FD  .õ.qúS¦èRW.ž~‹œý
00081B00  C3 0B 92 AB 25 3E 34 D8 05 E0 92 DC 27 24 14 71  Ã.’«%>4Ø.à’Ü'$.q
00081B10  AF AC 4E C3 6B 66 EF 18 0B EB 72 5D E7 F1 96 28  ¯¬NÃkfï..ër]çñ–(
00081B20  6C 71 06 2B 45 7F 96 76 34 FA AC 7E D8 8F 97 B8  lq.+E.–v4ú¬~Ø.—¸
00081B30  F4 B5 10 BA 71 9E 38 CB 7C AD CB A7 09 E0 23 72  ôµ.ºqž8Ë|­Ë§.à#r
00081B40  19 4B 32 A2 0A 13 1C 4B 12 67 C3 28 98 EE 2D 26  .K2¢...K.gÃ(˜î-&
00081B50  B8 81 39 08 81 E4 11 EF 7B 6B DB 0A E8 A9 D0 9E  ¸.9..ä.ï{kÛ.è©Ðž
00081B60  71 13 05 67 99 77 9B 1D E8 C9 0B 67 FB AC 4B 03  q..g™w›.èÉ.gû¬K.
00081B70  78 AF 44 B3 35 A9 39 1F 75 C1 9F 3C 46 E8 C6 71  x¯D³5©9.uÁŸ<FèÆq
00081B80  A5 5B 57 D3 37 6B E2 34 E7 7C B6 A5 04 FE 42 B5  ¥[WÓ7kâ4ç|¶¥.þBµ
00081B90  09 C7 97 0F 9E 2C 7F 94 F6 9C A2 15 4A 76 49 79  .Ç—.ž,.”öœ¢.JvIy

structure

Not fully examined yet, Contains the 12 byte key again at 0x14 to 0x1F

EID 4 - Section 4

example

NOR: 0x00303A0 - 0x00303D0 NAND: 0x0081BA0 - 0x0081BD0
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000303A0  8B D7 1B A0 C3 DA 4B BE B3 72 AE 61 78 90 31 1F  ‹×. ÃÚK¾³r®ax.1.
000303B0  2E CD F1 92 28 8E 17 AD 6A 9C D5 8A 8E 17 86 39  .Íñ’(Ž.­jœÕŠŽ.†9
000303C0  C8 0A F7 9B 92 D8 3A A8 92 60 73 6A 5E 12 2A 94  È.÷›’Ø:¨’`sj^.*”
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00081BA0  40 9F 75 39 22 96 C2 12 A2 9C BC CF 53 99 73 40  @Ÿu9"–Â.¢œ¼ÏS™s@
00081BB0  5D AD A7 F6 26 6E 50 35 55 A8 8A B9 24 A1 F5 35  ]­§ö&nP5U¨Š¹$¡õ5
00081BC0  BC 3B 7A 88 17 75 9C 44 A9 2D 4B E0 8B 80 92 E7  ¼;zˆ.uœD©-Kà‹€’ç

structure

Encrypted encdec key (used for e.g. BD drive)


EID 5 - Section 5

example

NOR: 0x00303D0 - 0x0030DD0 NAND: 0x0081BD0 - 0x00825D0
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000303D0  00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  .....‰.......‘.\
000303E0  00 12 07 30 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7  ...0üÑؾoôÈØ.áÃ÷
000303F0  B7 05 8B 05 E4 2E 94 C7 41 8E 1D E9 DE 63 F6 E6  ·.‹.ä.”ÇAŽ.éÞcöæ
00030400  C5 18 28 E6 47 44 CE 5D 53 03 57 76 46 0C 97 AB  Å.(æGDÎ]S.WvF.—«
....
00030DB0  A8 55 8A FF 73 96 11 1B 6D 85 82 BD 73 FD 45 6D  ¨UŠÿs–..m…‚½sýEm
00030DC0  7B 7B 00 DD 0D EB A8 A1 57 5F 5D 0F C9 23 49 E8  {{.Ý.먡W_].É#Iè
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00081BD0  00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  .....Š....R¼Ç.m²
00081BE0  00 12 07 30 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ...0“·ß8”’.¶ÃœÒª
00081BF0  CB 95 EF 88 DB 8B E8 14 69 1F 99 A7 4A 66 F7 09  Ë•ïˆÛ‹è.i.™§Jf÷.
00081C00  DD 23 09 1F 73 22 43 26 F4 1A 65 44 9C F2 DB 89  Ý#..s"C&ô.eDœòÛ‰
....
000825B0  CE 82 2F 9B 8D F0 4E 22 6B EF 68 28 37 38 AA 08  ΂/›.ðN"kïh(78ª.
000825C0  EA 85 EA 2C A4 1D F2 76 9C FF D5 D4 49 97 06 06  ê…ê,¤.òvœÿÕÔI—..

structure

Similar again to EID0

Address Size Value Description Observations
0x0 0x10 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C IDPS IDPS
0x10 0x4 00 12 07 30 Unknown Changes from EID0
0x14 0x12 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 Per console key? Appear to be the same key as in the encrypted files metldr/bootldr
Rest Rest Rest Encrypted Data?

unreferenced area

Possibly just unused EID region (which also explains why it is FF filled)

example

NOR: 0x0030DD0 - 0x003EFFF NAND: 0x00825D0 - 0x00907FF
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00030DD0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00030DE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003EFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003EFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000825D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000825E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000907E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000907F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

structure

Address Length Value Description
0x0 0xE22F 0xFF FF filled area

cISD

This section of flash contains Console Specific information

cISD contains core information such as Gelic Ethernet MAC address

Header

0003F000  00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00  .......p........
Address Length Value Description
0x0 0x4 0x3 Number of entries
0x4 0x8 0x270 Length of entire eEID package
0x8 0x8 0x0 Unknown/Blank

File Table

This repeats per entry

0003F010  00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00  ...@... ........
Address Length Value Description
0x0 0x4 0x40 Entry point
0x4 0x8 0x20 Length
0x8 0x8 0x0 Unknown/Blank

Section 0

0003F040  A8 E3 EE 7D 10 DA FF FF FF FF FF FF FF FF FF FF  ¨ãî}.Úÿÿÿÿÿÿÿÿÿÿ
0003F050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address Length Value Description
0x0 0x6 0xA8E3EE7D10DA MAC Address
0x6 0x1A 0xFF Unknown/Blank

Section 1

0003F060  7F 49 44 4C 00 02 00 60 01 00 00 02 02 12 FF C5  .IDL...`......ÿÅ
0003F070  30 31 43 35 32 34 30 31 38 33 31 36 32 37 30 45  01C524018316270E
0003F080  31 39 30 38 37 41 34 32 30 30 30 30 30 30 30 30  19087A4200000000
0003F090  32 37 34 35 35 32 32 32 34 30 31 35 31 32 39 33  2745522240151293
0003F0A0  34 31 36 33 01 07 01 07 01 28 00 01 FF FF FF FF  4163.....(..ÿÿÿÿ
0003F0B0  00 02 00 11 00 02 00 12 00 00 00 00 02 95 A8 C9  .............•¨É
0003F0C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003F250  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address Length Value Description
0x0 0xD 0x7F49444C000200600100000202 Unknown, static
0xD 0xF 0x12FFC5 Unknown, varies per console
0x10 0x20 Ascii: 01C524018316270E19087A4200000000 Some unique identifier
0x30 0x8 Ascii: 27455222 3rd part of console serial number
0x38 0xC Ascii: 401512934163 Some unique identifier
0x44 0x1B 0x0107010701280001FFFF00020011000200120000000002 Unknown, static
0x1B 0x3 0x95A8C9 Unknown, varies

Section 2

0003F260  1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .ÿ..............

This value is unknown and the first two bytes seem to vary

cCSD

This section doesn't contain any data... This section of flash contains Console Specific information

Header

0003F800  00 00 00 01 00 00 08 00 00 00 00 00 00 00 00 00  ................
Address Length Value Description
0x0 0x4 0x1 Number of entries
0x4 0x8 0x800 Length of entire eEID package
0x8 0x8 0x0 Unknown/Blank

File Table

This repeats per entry

0003F810  00 00 00 20 00 00 00 30 00 00 00 00 00 00 00 00  ... ...0........
Address Length Value Description
0x0 0x4 0x20 Entry point
0x4 0x8 0x30 Length
0x8 0x8 0x0 Unknown/Blank

Section 0

0003F820  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F830  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F840  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

There appears to be no data stored here.


trvk_prg

NOR: splitted into 2 seperate sections trvk_prg0 + trvk_prg1
NAND: 1 region with 2 combined sections of trvk_prg0 + trvk_prg1

trvk_pkg0

NOR: splitted into 2 seperate sections trvk_pkg0 + trvk_pkg1
NAND: 1 region with 2 combined sections of trvk_pkg0 + trvk_pkg1

creserved_0

size: 0x2A800
NAND only?

ros0

Location: 0x0C0000 - 0x7BFFFF

ros1

Location: 0x7C0000 - 0xEBFFFF

cvtrm

size: 0x40000
Location NOR: 0xEC0000 - 0xF00000


Second Region

NOR only

This region appears to directly follow the other region (at 0xF0000 = region size + header)

Not much is known about this at this stage.

Header

00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....Þ.úÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

CELL_EXTNOR_AREA

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[...]
00F1FFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F1FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F20000  43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41  CELL_EXTNOR_AREA      marker: CELL_EXTNOR_AREA
00F20010  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F20020  00 00 02 00 00 00 00 44 00 00 00 00 A9 C8 06 D0  .......D....©È.Ð                             (differs in other version/console dump)
00F20030  C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10  À..4U§bsÝ.¦ûu Ò.
00F20040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F201F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F20200  00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32  ....FUJITSU MHZ2      harddrive brand/model
00F20210  30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20  080BH G1        
00F20220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
00F20230  20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B      K63RT8B4HYBK      harddrive serial
00F20240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F3FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F40000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F40000-00F40030      (same in other version/console dump)
00F40010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
00F40020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F80000-00F80030
00F40030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F5FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F60000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00F60010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00F60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
00F60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00FA0000-00FA0040
00F60040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F69BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F69C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]                                                                            all FF's
00F7FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F80000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F80000-00F80030      (same in other version/console dump)
00F80010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
00F80020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F40000-00F40030
00F80030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F9FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00FA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00FA0020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
00FA0030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00F60000-00F60040
00FA0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00FA9BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA9C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]                                                                            all FF's
00FBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00FC0000  00 00 2E AB 83 EF B9 76 C4 DE D1 35 32 7C D3 77  ...«ƒï¹vÄÞÑ52|Ów      Bootloader encrypted   (differs in other version/console dump)
00FC0010  00 00 2E AB FE 2C 4E 17 E1 67 5C 3A C8 29 8E D1  ...«þ,N.ág\:È)ŽÑ      (0xFC0000 to 0xFFFFFF)
00FC0020  63 D4 81 95 5D D1 D2 E3 BA A3 2D 0A 98 8B 3C 03  cÔ.•]ÑÒ㺣-.˜‹<.
00FC0030  8E 5D D0 E7 2F EE 58 8B C0 73 A2 6D 5E 7F 7A 07  Ž]Ðç/îX‹Às¢m^.z.
00FC0040  47 8B A4 C2 EF B9 3C 60 43 E8 AC 07 F7 8D EE D5  G‹¤Âï¹<`Cè¬.÷.îÕ
00FC0050  67 EE C1 C4 B2 D2 78 98 4C 79 D6 52 49 4D C2 80  gîÁIJÒx˜LyÖRIM€
00FC0060  2D C1 F6 21 B7 B1 34 89 94 3B 33 BF B8 C8 EB 73  -Áö!·±4‰”;3¿¸Èës
[...]
00FEEAD0  9B 28 7A 63 41 DF 4D 54 CC F3 D8 FF FB B0 E6 34  ›(zcAßMTÌóØÿû°æ4
00FEEAE0  2B C6 A2 85 E9 3A 83 A1 8C AE 9F 45 C5 F4 9F AA  +Æ¢…é:ƒ¡Œ®ŸEÅôŸª
00FEEAF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ      Bootloader ended (00FEF170, 00FEF570, 00FEF5F0 or 00FEF600 in some dumps)
00FEEB00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ


Bootloader

Location:

  • NOR: 0xFC0000 - 0xFFFFFF (The last 256KB of flash),
  • NAND: 0x0000000 - 0x003FFFF (The first 256KB of flash)

Perconsole encrypted (datasize depends on bootldr revision)


cell_ext_os_area

NAND only

OtherOS

NAND only







Encrypted Files on Flash

Encrypted files on flash appear to have some sort of header

metldr examples

Here are samples of metldr header from 2 different consoles

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

bootldr examples

Here are samples of bootldr header from 2 different consoles

00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

Observations / Notes

As you can see, some parts appear static depending on their purpose:

metldr

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........

bootldr

00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............

per console in both samples

00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The first 4 bytes appear to reffer to length. eg:

metldr length: 0xE920
0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920
bootldr length:  0x2F4F0
0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0

Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.




List of files on NOR Flash

The following is a list of files stored in NOR Flash

Name TOC Start Offset End Offset Size Notes
Offset Index Relative Absolute Relative Absolute
asecure_loader 0x400 0 0x400 0x810 0x2E800 0x2F010 0x2E800  (190,464 bytes) aka metldr
eEID 0x400 1 0x2EC00 0x2F010 0x3EC00 0x3F010 0x10000  (65,636 bytes) (IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID )
cISD 0x400 2 0x3EC00 0x3F010 0x3F400 0x3F810 0x800  (2,048 bytes)
cCSD 0x400 3 0x3F400 0x3F810 0x3FC00 0x40010 0x800  (2,048 bytes)
trvk_prg0 0x400 4 0x3FC00 0x40010 0x5FC00 0x60010 0x20000  (131,072 bytes)
trvk_prg1 0x400 5 0x5FC00 0x60010 0x7FC00 0x80010 0x20000  (131,072 bytes)
trvk_pkg0 0x400 6 0x7FC00 0x80010 0x9FC00 0xA0010 0x20000  (131,072 bytes)
trvk_pkg1 0x400 7 0x9FC00 0xA0010 0xBFC00 0xC0010 0x20000  (131,072 bytes)
ros0 0x400 8 0xBFC00 0xC0010 0x7BFC00 0x7C0010 0x700000  (7,340,032 bytes) Contains CoreOS files
ros1 0x400 9 0x7BFC00 0x7C0010 0xEBFC00 0xEC0010 0x700000  (7,340,032 bytes) Contains CoreOS files
cvtrm 0x400 10 0xEBFC00 0xEC0010 0xEFFC00 0xF00010 0x40000  (262,144 bytes)
CELL_EXTNOR_AREA 0xF20000 0xFA0040 0x80040  (524,352 bytes)
bootldr 0xFC0000 0xFEEAF0 0x2EAF0  (191,216 bytes) End @ FEF170, FEF570, FEF5F0, FEF600 in some dumps




new metldr.2

Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù 
  00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

other new metldr

It seems the naming "metldr.2" does not apply to all non downgradeable consoles:

Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A (dump contained ROS with 3.66 and 3.70) This was downgradable.. sorry, the downgrade.bin was not written correctly.. but this time i wrote it ok, so this was not a new metldr console..

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
 00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
 00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
 00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

For comparison, a CECH250.B (JSD-001), with factory 3.56 - datecode 1A which was downgradeable (dump contained ROS with 3.56 and 3.70 before downgrading to 3.55):

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
 00000800   00 00 00 01 00 00 00 01  00 00 00 00 00 02 E8 00   ..............è.
 00000810   00 00 00 00 00 00 00 40  00 00 00 00 00 00 E9 60   .......@......é`
 00000820   6D 65 74 6C 64 72 00 00  00 00 00 00 00 00 00 00   metldr..........
 00000830   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
 00000840   00 00 0E 92 C3 26 6E 4B  BB 28 2E 76 B7 67 70 95   ...’Ã&nK»(.v·gp•


other new metldr mention : https://twitter.com/#!/Mathieulh/status/110779471199604736

WTF 3.50+ consoles have a new additional root key of 0x30 bytes
(3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O

CECH2501B JSD-001 (320GB HDD)without datecode fw 3.66

metldr contains other new value (E9 60), but still downgrades..

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•

another PS3 with CECH2501A wihtout datecode 320 GB HDD and fw 3.66 also contains other new metldr values but still downgrades...


Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•




NAND reference

most of the information on this page if based on NOR dumps, this section is for NAND specifics

NAND reference (euss)

CECHC-04/COK-002 Pal EU launchmodel with OFW 3.15 updated to MFW 3.15 (Euss)

Bootldr

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    00000000  6D 61 73 6B 65 64 20 42 4F 4F 54 4C 44 52 20 20  masked BOOTLDR  
    00000010  30 78 34 30 30 30 30 20 73 69 7A 65 20 20 20 20  0x40000 size             if dumped from GameOS, the first 40000 bytes are masked (cut off) by HV
    00000020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    00000030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ROS0

315-ROS0-coreos-c0000-7c0000.rar (4.81 MB)

   ROS0 on NAND:
     
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   000C0000  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
   000C0010  00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00  .....à..........
   000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   000C0030  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
   000C0040  00 00 00 00 00 00 04 60 00 00 00 00 00 00 44 98  .......`......D˜
   000C0050  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
   000C0060  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
   000C0070  00 00 00 00 00 00 49 00 00 00 00 00 00 01 DA E4  ......I.......Úä
   000C0080  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
   000C0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C00A0  00 00 00 00 00 02 24 00 00 00 00 00 00 04 00 00  ......$.........
   000C00B0  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
   000C00C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C00D0  00 00 00 00 00 06 24 00 00 00 00 00 00 00 22 A0  ......$......." 
   000C00E0  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
   000C00F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0100  00 00 00 00 00 06 46 A0 00 00 00 00 00 07 FC 48  ......F ......üH
   000C0110  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
   000C0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0130  00 00 00 00 00 0E 43 00 00 00 00 00 00 07 0F 94  ......C........”
   000C0140  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
   000C0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0160  00 00 00 00 00 15 52 A0 00 00 00 00 00 06 16 00  ......R ........
   000C0170  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
   000C0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0190  00 00 00 00 00 1B 68 A0 00 00 00 00 00 01 2E 44  ......h .......D
   000C01A0  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
   000C01B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C01C0  00 00 00 00 00 1C 97 00 00 00 00 00 00 03 E8 28  ......—.......è(
   000C01D0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
   000C01E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C01F0  00 00 00 00 00 20 7F 40 00 00 00 00 00 12 B1 70  ..... .@......±p
   000C0200  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
   000C0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0220  00 00 00 00 00 33 30 C0 00 00 00 00 00 01 E5 CC  .....30À......åÌ
   000C0230  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
   000C0240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0250  00 00 00 00 00 35 16 A0 00 00 00 00 00 01 6D A0  .....5. ......m 
   000C0260  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
   000C0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0280  00 00 00 00 00 36 84 40 00 00 00 00 00 16 EE B8  .....6„@......î¸
   000C0290  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
   000C02A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C02B0  00 00 00 00 00 4D 73 00 00 00 00 00 00 00 80 8C  .....Ms.......€Œ
   000C02C0  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
   000C02D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C02E0  00 00 00 00 00 4D F3 A0 00 00 00 00 00 00 88 B8  .....Mó ......ˆ¸
   000C02F0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
   000C0300  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C0310  00 00 00 00 00 4E 7C 60 00 00 00 00 00 00 5D B0  .....N|`......]°
   000C0320  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
   000C0330  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C0340  00 00 00 00 00 4E DA 20 00 00 00 00 00 01 53 2C  .....NÚ ......S,
   000C0350  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
   000C0360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0370  00 00 00 00 00 50 2D 60 00 00 00 00 00 00 00 08  .....P-`........
   000C0380  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
   000C0390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C03A0  00 00 00 00 00 50 2D 80 00 00 00 00 00 00 D7 F0  .....P-€......×ð
   000C03B0  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
   000C03C0  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
   000C03D0  00 00 00 00 00 51 05 80 00 00 00 00 00 00 FA CC  .....Q.€......úÌ
   000C03E0  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
   000C03F0  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
   000C0400  00 00 00 00 00 52 00 60 00 00 00 00 00 00 5C 94  .....R.`......\”
   000C0410  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
   000C0420  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
   000C0430  00 00 00 00 00 52 5D 00 00 00 00 00 00 00 65 D0  .....R].......eÐ
   000C0440  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
   000C0450  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
   000C0460  00 00 00 00 00 52 C2 E0 00 00 00 00 00 00 C0 78  .....RÂà......Àx
   000C0470  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
   000C0480  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........

ROS1

315-ROS1-coreos-7c0000-ec0000.rar (4.81 MB)

   ROS1 on NAND:
     
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   007C0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   007C0020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
   007C0030  00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00  .......`........
   007C0040  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
   007C0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0060  00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08  .......`........
   007C0070  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
   007C0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0090  00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC  .......€......åÌ
   007C00A0  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
   007C00B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C00C0  00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D A0  ......ê€......m 
   007C00D0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
   007C00E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C00F0  00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 44  ......X€.......D
   007C0100  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
   007C0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0120  00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA E4  ......‡.......Úä
   007C0130  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
   007C0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0150  00 00 00 00 00 0A 61 E4 00 00 00 00 00 00 FA CC  ......aä......úÌ
   007C0160  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
   007C0170  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
   007C0180  00 00 00 00 00 0B 5C B0 00 00 00 00 00 00 5C 94  ......\°......\”
   007C0190  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
   007C01A0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
   007C01B0  00 00 00 00 00 0B B9 44 00 00 00 00 00 00 65 D0  ......¹D......eÐ
   007C01C0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
   007C01D0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
   007C01E0  00 00 00 00 00 0C 1F 14 00 00 00 00 00 01 53 2C  ..............S,
   007C01F0  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
   007C0200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0210  00 00 00 00 00 0D 72 40 00 00 00 00 00 00 44 98  [email protected]˜
   007C0220  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
   007C0230  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
   007C0240  00 00 00 00 00 0D B6 D8 00 00 00 00 00 00 D7 F0  ......¶Ø......×ð
   007C0250  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
   007C0260  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
   007C0270  00 00 00 00 00 0E 8E C8 00 00 00 00 00 00 80 8C  ......ŽÈ......€Œ
   007C0280  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
   007C0290  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C02A0  00 00 00 00 00 0F 0F 54 00 00 00 00 00 00 88 B8  .......T......ˆ¸
   007C02B0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
   007C02C0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C02D0  00 00 00 00 00 0F 98 0C 00 00 00 00 00 00 C0 78  ......˜.......Àx
   007C02E0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
   007C02F0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0300  00 00 00 00 00 10 58 84 00 00 00 00 00 00 5D B0  ......X„......]°
   007C0310  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
   007C0320  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0330  00 00 00 00 00 10 B6 34 00 00 00 00 00 00 22 A0  ......¶4......" 
   007C0340  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
   007C0350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0360  00 00 00 00 00 10 D9 00 00 00 00 00 00 12 B1 70  ......Ù.......±p
   007C0370  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
   007C0380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0390  00 00 00 00 00 23 8A 80 00 00 00 00 00 03 E8 28  .....#Š€......è(
   007C03A0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
   007C03B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C03C0  00 00 00 00 00 27 72 A8 00 00 00 00 00 16 EE B8  .....'r¨......î¸
   007C03D0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
   007C03E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C03F0  00 00 00 00 00 3E 61 60 00 00 00 00 00 07 0F 94  .....>a`.......”
   007C0400  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
   007C0410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0420  00 00 00 00 00 45 70 F4 00 00 00 00 00 07 FC 48  .....Epô......üH
   007C0430  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
   007C0440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0450  00 00 00 00 00 4D 6D 3C 00 00 00 00 00 06 16 00  .....Mm<........
   007C0460  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
   007C0470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Versioning in ROS0

   versioning in ROS0 of NAND:
     
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   005C2D90  33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00  315.000.........
   005C2DA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   005C2DB0  53 43 45 00 00 00 00 02 00 01 00 01 00 00 02 30  SCE............0

Versioning in ROS1

   versioning in ROS1 of NAND:
     
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

   00800480  33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00  315.000.........
   00800490  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   008004A0  53 43 45 00 00 00 00 02 00 00 00 01 00 00 01 F0  SCE............ð

RVK

   Revoke in NAND:     
          
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   00093800  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
   00093810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........
   00093820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
   00093830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
   00093840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@
   00093850  6E 27 DA DF 18 19 ED D0 26 30 FD 84 1D 5B 74 BB  n'Úß..íÐ&0ý„.[t»
   00093860  43 53 5F 5E 91 5A 82 48 E1 5B 76 C6 59 9F 1B 0D  CS_^‘Z‚Há[vÆYŸ..
   00093870  3A 5E 73 19 73 59 24 A1 A7 A5 73 28 BC 50 12 93  :^s.sY$¡§¥s(¼P.“
   00093880  10 B7 43 04 B5 01 A5 6C 01 AD 83 86 7B 10 1A 78  .·C.µ.¥l.­ƒ†{..x
   00093890  B5 55 E2 CC 52 4D E2 3D AE 7D F6 1B 37 13 63 34  µUâÌRMâ=®}ö.7.c4
   000938A0  50 58 C8 78 27 F9 30 9F 62 E7 0A CF C4 E2 4B C5  PXÈx'ù0Ÿbç.ÏÄâKÅ
   000938B0  4A FF 31 8A C7 3A A7 0A 91 86 E2 C8 4A 51 F7 7D  Jÿ1ŠÇ:§.‘†âÈJQ÷}
   000938C0  7B BF 28 FE F5 93 FA C3 DF E7 A9 F1 A1 92 C1 6F  {¿(þõ“úÃßç©ñ¡’Áo
   000938D0  F1 D8 94 E9 64 60 6D 36 22 61 2E 51 B5 C9 9F 6F  ñØ”éd`m6"a.QµÉŸo
   000938E0  BD C6 44 00 22 75 DC 2A 55 A5 E5 EC 2A 97 9A 4F  ½ÆD."uÜ*U¥åì*—šO
   000938F0  CA 21 38 F1 AA C8 98 29 4D 6A F7 CD 7B F6 04 B3  Ê!8ñªÈ˜)Mj÷Í{ö.³
   00093900  A0 F3 F8 C1 9B CB 9B 48 AE E9 5C CF A5 24 37 29   óøÁ›Ë›H®é\Ï¥$7)
   00093910  9B 10 02 8C 68 1B 4E AA B4 CF EE 81 3A C6 6E CB  ›..Œh.Nª´Ïî.:ÆnË
   00093920  66 99 F6 F9 55 AB 19 FA 43 70 BC E5 72 C4 56 AD  f™öùU«.úCp¼årÄV­
   00093930  64 AF DD 0B 17 03 4D EA 87 C5 AD BB 2C 7C B2 48  d¯Ý...Mê‡Å­»,|²H
   00093940  9A E9 D1 85 AA 30 87 B8 47 C3 8B C9 BC 42 E2 7D  šéÑ…ª0‡¸GËɼBâ}
   00093950  92 84 D2 03 68 F1 20 54 98 D1 0E 95 4B 54 E5 6E  ’„Ò.hñ T˜Ñ.•KTån
   00093960  1A 6C D6 2F 3E 3F E4 28 4A 0F 9E D4 99 3E E5 D8  .lÖ/>?ä(J.žÔ™>åØ
   00093970  6B 13 7B 19 B4 3A A6 64 56 08 05 D3 FE 1B 68 E1  k.{.´:¦dV..Óþ.há
   00093980  B6 38 2C 0C E1 DF 5F D5 0D EC 6E B6 2A 2F 63 77  ¶8,.áß_Õ.ìn¶*/cw
   00093990  F4 D2 EB 3B 87 DA 83 76 28 E8 9F 50 2C 84 4D 48  ôÒë;‡Úƒv(èŸP,„MH
   000939A0  64 C0 B1 DB C6 AE 81 22 1D 76 9F B9 F8 29 C0 C7  dÀ±ÛÆ®.".vŸ¹ø)ÀÇ
   000939B0  12 06 2A B1 BB 0D 2E 5A 29 BC 56 C6 F5 26 97 0D  ..*±»..Z)¼VÆõ&—.
   000939C0  01 06 CC BC 43 1E 8B 45 C8 20 29 B3 FD EB 30 1D  ..̼C.‹EÈ )³ýë0.
   000939D0  A2 CF 33 2D 09 07 08 6F 4A F3 34 5D DE 63 C0 A8  ¢Ï3-...oJó4]ÞcÀ¨
   000939E0  EE 31 3E 46 11 4F 8D 66 F1 15 74 E2 AC 88 C3 C7  î1>F.O.fñ.t⬈ÃÇ
   000939F0  19 C9 69 0A 9F 36 D7 BC 70 6B 79 32 53 FD 1F 8E  .Éi.Ÿ6×¼pky2Sý.Ž
   00093A00  6D 57 08 C2 CA 78 24 6A 20 3B 5A 98 C2 04 06 95  mW.ÂÊx$j ;Z˜Â..•
   00093A10  C7 E6 53 A5 AB 9C 02 2A 04 40 0B 00 DF 34 13 CF  ÇæS¥«œ.*.@..ß4.Ï
   00093A20  F3 74 FF B6 DB FA 9A A2 FD 4F 72 6B 3E 7E 37 04  ótÿ¶Ûúš¢ýOrk>~7.
   00093A30  00 00 00 03 00 00 00 02 00 01 00 00 00 00 00 00  ................
   00093A40  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00093A50  8E 27 91 93 C8 6F 17 8A 22 FD C8 E1 76 E8 D8 18  Ž'‘“Èo.Š"ýÈávèØ.
   00093A60  62 8B FE F5 43 81 A8 09 01 C6 99 D6 EF CF 64 90  b‹þõC.¨..Æ™ÖïÏd.
   00093A70  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

VTRM

   VTRM in NAND: 
    
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
     
   00EC0000  53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8  SCEIVTRM.......¨
   00EC0010  00 00 00 00 00 E8 02 00 00 00 00 00 00 00 00 28  .....è.........(
   00EC0020  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........     <-- 'VTRM' magic header
   00EC0030  FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47  þm.ÄúÕÎÛ“†ü¡2;qG     <-- same value as 00EC0410
   00EC0040  3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 E8 27 80  ;¥ÆùÀ.¶p.....è'€     <-- first part same value as 00EC0410
   00EC0050  00 00 00 00 00 00 00 60 00 00 00 00 00 00 09 20  .......`....... 
   00EC0060  04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01  .........p..ÿ...
   00EC0070  0C 1C 05 9C AA B5 97 A5 9C D6 46 2D EA 22 46 BE  ...œªµ—¥œÖF-ê"F¾
   00EC0080  D1 84 A9 1E 34 5F E7 90 55 49 11 82 51 9D 4A 3F  Ñ„©.4_ç.UI.‚Q.J?
   00EC0090  EF 43 19 E8 4F 6A 5B FF DA 31 E9 F0 76 C8 B2 6B  ïC.èOj[ÿÚ1éðvȲk
   00EC00A0  0B A7 47 8E BE 42 28 9F 2B 88 73 0B A5 B6 F2 1D  .§GŽ¾B(Ÿ+ˆs.¥¶ò.
   00EC00B0  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
   00EC00C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00F0  FF FF FF FF FF FF FF FF 00 00 00 00 00 EB E4 8C  ÿÿÿÿÿÿÿÿ.....ëäŒ
   00EC0100  00 00 00 00 00 00 00 14 39 17 52 0B 31 70 F5 05  ........9.R.1põ.
   00EC0110  02 5A C6 F8 81 F8 54 96 2F EF F3 81 FF FF FF FF  .ZÆø.øT–/ïó.ÿÿÿÿ
   00EC0120  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC03F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC0400  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........
   00EC0410  FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47  þm.ÄúÕÎÛ“†ü¡2;qG     <-- same value as 00EC0030
   00EC0420  3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 00 04 90  ;¥ÆùÀ.¶p........     <-- first part same value as 00EC0040
   00EC0430  00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 03  ....... ........     <-- pattern exception
   00EC0440  00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetive pattern until 00EC0440 with some exceptions
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetive pattern until 00EC0440 with some exceptions
   00EC1930  00 00 00 00 00 00 00 01 00 00 00 00 00 00 09 20  ...............      <-- pattern exception
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetive pattern until 00EC0440 with some exceptions
   00EC21F0  00 00 00 00 00 00 00 02 00 00 00 00 00 00 09 20  ...............      <-- pattern exception
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetive pattern until 00EC0440 with some exceptions
   00EC24F0  00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 00  ....... ........
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetive pattern until 00EC0440 with some exceptions
   00EC28B0  00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetive pattern until 00EC0440 with some exceptions
   00EC28C0  00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01  ....... .p......
   00EC28D0  10 70 00 00 39 00 00 01 22 66 39 B3 0E 7A 1C E7  .p..9..."f9³.z.ç
   00EC28E0  68 85 F9 94 A8 30 BE C4 0B 85 D0 92 1E C0 8F 28  h…ù”¨0¾Ä.…Ð’.À.(
   00EC28F0  7F 70 ED 15 D6 22 06 24 D9 08 64 0B C0 D7 97 29  .pí.Ö".$Ù.d.À×—)
   00EC2900  BE A1 FE 91 D1 F2 D4 88 25 EF 24 86 E0 A3 CB 98  ¾¡þ‘ÑòÔˆ%ï$†à£Ë˜
   00EC2910  AF 17 6F B1 64 A0 56 E5 00 00 00 00 00 00 00 01  ¯.o±d Vå........
   00EC2920  00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01  ....... .p......
   00EC2930  10 70 00 00 03 00 00 02 F9 D9 6A 84 0C F2 D8 E7  .p......ùÙj„.òØç
   00EC2940  D4 44 5C 3C DF D5 DF 0F B8 DC 3E 81 9A A4 71 8F  ÔD\<ßÕß.¸Ü>.š¤q.
   00EC2950  0A A8 8B 90 1B 2C A1 D1 66 84 AA EE 65 D1 46 9A  .¨‹..,¡Ñf„ªîeÑFš
   00EC2960  D7 38 83 F2 78 47 D1 8E E5 FA EB 39 CF 26 E8 25  ×8ƒòxGÑŽåúë9Ï&è%
   00EC2970  85 DE 3B C6 0B C3 45 D5 00 00 00 00 00 00 00 00  …Þ;Æ.ÃEÕ........
   00EC2980  00 00 00 00 00 00 09 20 04 00 00 00 02 00 00 05  ....... ........
   00EC2990  10 70 00 05 FF 00 00 01 0C 1C 05 9C AA B5 97 A5  .p..ÿ......œªµ—¥
   00EC29A0  9C D6 46 2D EA 22 46 BE D1 84 A9 1E 34 5F E7 90  œÖF-ê"F¾Ñ„©.4_ç.
   00EC29B0  55 49 11 82 51 9D 4A 3F EF 43 19 E8 4F 6A 5B FF  UI.‚Q.J?ïC.èOj[ÿ
   00EC29C0  DA 31 E9 F0 76 C8 B2 6B 0B A7 47 8E BE 42 28 9F  Ú1éðvȲk.§GŽ¾B(Ÿ
   00EC29D0  2B 88 73 0B A5 B6 F2 1D 00 00 00 00 00 00 00 00  +ˆs.¥¶ò.........
   00EC29E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

cell_ext_os_area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
   0E780000  63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61  cell_ext_os_area
   0E780010  00 00 00 01 00 00 00 02 00 00 00 04 FF FF FF FF  ............ÿÿÿÿ
   0E780020  00 00 00 01 00 27 F8 40 FF FF FF FF FF FF FF FF  .....'ø@ÿÿÿÿÿÿÿÿ
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   0E7807D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E7807E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E7807F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E780800  1F 8B 08 08 C1 19 04 48 02 03 7A 49 6D 61 67 65  .‹..Á..H..zImage
   0E780810  2E 69 6E 69 74 72 64 2E 70 73 33 2E 62 69 6E 00  .initrd.ps3.bin.
    [...]                                                                        large data area
   0EA00030  FF FE FC FF ED CF FF 07 DE FD A4 A3 A8 88 54 00  ÿþüÿíÏÿ.Þý¤£¨ˆT.
   0EA00040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [...]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   large 00 filled block region
   0EB7FFE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0EB7FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0EB80000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0EB80010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region
   0EFFFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0EFFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

NAND reference (bluemimmo)

CECHA-06/COK-001 with 3.60 OFW

Bootldr

   Bootldr from offset 0x00000000:
   
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   00000000  00 00 2A 3F 04 AD 56 18 64 8D 49 94 23 8F B8 A1  ..*?.­V.d.I”#.¸¡
   00000010  00 00 2A 3F 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ..*?“·ß8”’.¶ÃœÒª
   00000020  E8 7D F4 AC 86 AA 28 2F 68 31 AD 61 F5 7C BA 03  è}ô¬†ª(/h1­aõ|º.
   00000030  38 BA FF 8C D2 CA A8 5A DA 0D F0 2C 7B 69 03 22  8ºÿŒÒʨZÚ.ð,{i."
   00000040  E2 EB 0D 9C 6A 12 31 43 FA 3C 5F 5D E3 9F 70 5E  âë.œj.1Cú<_]ãŸp^
   00000050  15 18 7F 09 00 C3 65 E4 47 E4 D9 63 46 4B A1 CC  .....ÃeäGäÙcFK¡Ì
   00000060  8A F9 51 8A 6D F0 FA 94 83 F4 C1 23 4F AE 50 AD  ŠùQŠmðú”ƒôÁ#O®P­
   00000070  0F 81 5A 3E 2C 31 AE 6C 81 A1 8D A2 18 7F 35 9F  ..Z>,1®l.¡.¢..5Ÿ
   00000080  99 E5 69 67 A2 E0 F8 14 B8 85 4A 99 41 D9 84 0A  ™åig¢àø.¸…J™AÙ„.
   00000090  11 D5 A1 2A C6 3D 21 9D C3 43 E0 3E 00 17 4C DC  .Õ¡*Æ=!.ÃCà>..LÜ
   000000A0  B1 DD E3 94 00 E0 61 41 65 9A C9 8F C9 18 83 FC  ±Ýã”.àaAešÉ.É.ƒü
   000000B0  CA DA 3E 89 A1 43 CF 4D 0E DB D2 7B 6D 53 6A 53  ÊÚ>‰¡CÏM.ÛÒ{mSjS
   000000C0  3D 43 ED 5C 7F B4 09 E4 22 38 6E 29 E7 3E 07 4B  =Cí\.´.ä"8n)ç>.K
   000000D0  2A FF 98 49 C9 49 FE 26 85 F4 71 15 85 11 75 F3  *ÿ˜IÉIþ&…ôq.….uó
   000000E0  56 79 2A 85 F3 1E 0F E3 21 16 2B 3F B3 25 18 2D  Vy*…ó..ã!.+?³%.-
   000000F0  9D 4E 57 76 1E 59 65 8A 5B BF 41 B7 29 1F 79 0C  .NWv.YeŠ[¿A·).y.
   00000100  A3 E7 CF 07 E7 A3 4F DA 67 B2 C9 75 89 83 4F 71  £çÏ.ç£OÚg²Éu‰ƒOq
   00000110  71 88 D6 89 D7 07 C0 2E D8 DA 39 0F 87 5B FE 40  qˆÖ‰×.À.ØÚ9.‡[þ@
   00000120  23 31 EB BF 86 1A A5 0D D5 24 94 DD A2 69 E4 E8  #1뿆.¥.Õ$”Ý¢iäè
   00000130  25 28 2E C7 34 E9 E5 8D 2D F4 AC F5 60 CC 2A CD  %(.Ç4éå.-ô¬õ`Ì*Í
   00000140  06 5D D7 FE C8 59 FC 6D 2B 17 25 A6 2E BE 0F F2  .]×þÈYüm+.%¦.¾.ò
   00000150  46 94 3B 0B C4 76 F6 FB C1 C1 8E 93 42 E9 5B 41  F”;.ÄvöûÁÁŽ“Bé[A
   00000160  69 A8 53 39 C6 09 32 A3 A9 3E AE 71 84 74 EC E0  i¨S9Æ.2£©>®q„tìà
   00000170  97 3B D1 41 D9 59 4B 17 E5 8B D1 2A 57 77 78 8D  —;ÑAÙYK.å‹Ñ*Wwx.
   00000180  02 4A 7F 31 5C 62 30 E5 F3 83 97 27 C4 7B 8D 31  .J.1\b0åóƒ—'Ä{.1
   00000190  E9 53 B6 86 BC 16 AC 15 B9 96 C2 A9 56 AC 13 DF  éS¶†¼.¬.¹–©V¬.ß
   000001A0  E4 05 01 30 7F 65 45 48 66 0E 3D D5 A9 1B 1A 76  ä..0.eEHf.=Õ©..v
   000001B0  15 38 C7 B3 0D A2 83 C2 D9 9F 13 28 F9 50 BF 4C  .8dz.¢ƒÂÙŸ.(ùP¿L
   000001C0  C1 2D 83 E8 9B A9 EF D1 C8 12 96 50 45 DD CC 26  Á-ƒè›©ïÑÈ.–PEÝÌ&
   000001D0  D5 57 C1 DD A0 2E 81 97 F8 B8 60 00 A9 27 2D 68  ÕWÁÝ ..—ø¸`.©'-h
   000001E0  69 FE C8 F5 E2 7D 48 0D 04 65 FF BB A8 BF 41 9F  iþÈõâ}H..eÿ»¨¿AŸ
   000001F0  27 98 56 D1 93 56 62 87 74 89 63 AD 63 B4 A3 AA  '˜VÑ“Vb‡t‰c­c´£ª
   00000200  46 09 AB B5 92 BA BB CF 7C EF 8F 08 F8 FE 96 9A  F.«µ’º»Ï|ï..øþ–š
   00000210  2E 14 C4 67 8C B3 E3 DC DE BC 24 3F D8 17 B0 B6  ..ÄgŒ³ãÜÞ¼$?Ø.°¶
   00000220  1B F7 78 61 DE 90 14 29 46 CB 4E EF 30 0A D3 AA  .÷xaÞ..)FËNï0.Óª
   00000230  BB 78 6B 1D A2 3A E8 27 7B 2D 32 E5 62 C4 45 C0  »xk.¢:è'{-2åbÄEÀ
   00000240  9E 75 6C E3 5C 08 A9 D3 5B 36 38 40 AD BF 5D D4  žulã\.©Ó[68@­¿]Ô
   00000250  9D D1 D9 F0 11 A6 D5 68 C9 97 BA 70 38 25 61 0B  .ÑÙð.¦ÕhÉ—ºp8%a.
   00000260  76 B6 84 0E 90 7C E9 C8 AC 01 F4 E4 2D 0A F4 C7  v¶„..|éȬ.ôä-.ôÇ
   00000270  98 D7 A3 98 8C CC A8 D0 05 2E A5 87 D7 FA 0A 93  ˜×£˜ŒÌ¨Ð..¥‡×ú.“
   00000280  19 91 81 D3 E9 83 E2 5E 31 D5 AD 78 4B A6 04 80  .‘.Óéƒâ^1Õ­xK¦.€
   00000290  94 85 60 AA 09 5E CA 80 E3 FC 40 14 66 9C 47 11  ”…`ª.^Ê€ãü@.fœG.
   000002A0  A7 FF 93 6E 50 EB F6 AE 54 2F 47 43 01 EB 24 4D  §ÿ“nPëö®T/GC.ë$M
   000002B0  4B DC E3 A1 BC B7 B4 9B E0 77 D9 C0 97 CF CE 72  KÜ㡼·´›àwÙÀ—ÏÎr
   000002C0  EF 84 F5 F1 7D 16 21 AC DC B7 2A 01 96 A4 14 47  ï„õñ}.!¬Ü·*.–¤.G
   000002D0  6D E5 1C 30 9D 1A 64 22 3A 7E 0B 28 A5 22 A0 B8  må.0..d":~.(¥" ¸
   000002E0  85 D8 0E 6B 5A 2B 7D 20 2B CF FA A9 B6 78 D0 FD  …Ø.kZ+} +Ïú©¶xÐý
   000002F0  82 9B 3D D7 24 F0 76 05 24 60 1A 8E CC 61 4A 8E  ‚›=×$ðv.$`.ŽÌaJŽ
   00000300  B8 F2 2B 59 AE FF 49 45 71 D0 31 73 8D 32 08 D9  ¸ò+Y®ÿIEqÐ1s.2.Ù
   00000310  8E 2E B8 18 13 49 B9 2F EB B7 D5 B9 55 E7 63 64  Ž.¸..I¹/ë·Õ¹Uçcd
   00000320  F6 CF 8C B0 ED BA A8 81 36 05 3C 48 E3 58 F1 3A  öÏŒ°íº¨.6.<HãXñ:
   00000330  51 39 CD 68 76 8D 08 D7 2B C4 7B 1D D2 4E DC A2  Q9Íhv..×+Ä{.ÒNÜ¢
   00000340  0E 1B C9 30 2B A1 EF 90 D5 35 7B 92 6B 86 D2 59  ..É0+¡ï.Õ5{’k†ÒY
   00000350  10 84 98 4B 9A 65 1A 00 B8 00 0A CA 5C F7 AF 8C  .„˜Kše..¸..Ê\÷¯Œ
   00000360  9C FF FC 0A 70 11 5E 0A 7A 02 26 B7 DE 98 FA F8  œÿü.p.^.z.&·Þ˜úø
   00000370  0D A0 D2 A3 83 95 34 2F 2C 17 6C B4 66 13 CB FB  . Ò£ƒ•4/,.l´f.Ëû
   00000380  A4 9E BC 64 08 41 F6 A0 F7 A1 F7 E1 24 EE 8C E3  ¤ž¼d.Aö ÷¡÷á$îŒã
   00000390  F2 59 19 1C 84 F8 60 45 81 72 88 B4 AE 6A 97 3E  òY..„ø`E.rˆ´®j—>
   000003A0  B8 5B 4A D8 C7 D2 0C AC 3C D9 25 B2 CC D7 D7 B4  ¸[JØÇÒ.¬<Ù%²Ì××´
   000003B0  CC EF C7 81 95 56 98 C5 A2 B3 7F 77 8D 24 51 7C  ÌïÇ.•V˜Å¢³.w.$Q|
   000003C0  78 27 C5 3A 1E 78 EC 84 5B 54 10 8A E3 0A CD E2  x'Å:.xì„[T.Šã.Íâ
   000003D0  2A 2E B2 9A B6 F2 75 8F B5 F0 74 23 6E 71 D8 56  *.²š¶òu.µðt#nqØV
   000003E0  F0 D1 79 73 0D 5D 41 27 E7 68 55 1F 00 52 9E BE  ðÑys.]A'çhU..Rž¾
   000003F0  BF D6 B4 92 C3 26 84 94 5C FE 46 6C BB 46 FA 51  ¿Ö´’Ã&„”\þFl»FúQ
   00000400  56 41 96 13 94 1A 24 02 64 4F B5 C7 36 F2 25 AF  VA–.”.$.dOµÇ6ò%¯
   00000410  8B 1F FD D1 8F 24 80 44 18 4B B9 D6 04 61 E2 EF  ‹.ýÑ.$€D.K¹Ö.aâï

ROS0

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   000C0030  00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0  .............oÿà
   000C0040  00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00  ................
   000C0050  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
   000C0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0070  00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08  ................
   000C0080  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
   000C0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C00A0  00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8  ..............çÈ
   000C00B0  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
   000C00C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C00D0  00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0  ......í.......oð
   000C00E0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
   000C00F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0100  00 00 00 00 00 07 5D 00 00 00 00 00 00 01 2F 74  ......]......./t
   000C0110  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
   000C0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0130  00 00 00 00 00 08 8C 80 00 00 00 00 00 01 E5 D4  ......Œ€......åÔ
   000C0140  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
   000C0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0160  00 00 00 00 00 0A 72 54 00 00 00 00 00 00 FB 4C  ......rT......ûL
   000C0170  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
   000C0180  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
   000C0190  00 00 00 00 00 0B 6D A0 00 00 00 00 00 00 5A 94  ......m ......Z”
   000C01A0  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
   000C01B0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
   000C01C0  00 00 00 00 00 0B C8 34 00 00 00 00 00 00 63 D0  ......È4......cÐ
   000C01D0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
   000C01E0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
   000C01F0  00 00 00 00 00 0C 2C 04 00 00 00 00 00 01 53 2C  ......,.......S,
   000C0200  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
   000C0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0220  00 00 00 00 00 0D 7F 30 00 00 00 00 00 00 42 98  .......0......B˜
   000C0230  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
   000C0240  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
   000C0250  00 00 00 00 00 0D C1 C8 00 00 00 00 00 00 D7 F0  ......ÁÈ......×ð
   000C0260  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
   000C0270  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
   000C0280  00 00 00 00 00 0E 99 B8 00 00 00 00 00 00 80 8C  ......™¸......€Œ
   000C0290  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
   000C02A0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C02B0  00 00 00 00 00 0F 1A 44 00 00 00 00 00 00 88 B8  .......D......ˆ¸
   000C02C0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
   000C02D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C02E0  00 00 00 00 00 0F A2 FC 00 00 00 00 00 00 C0 78  ......¢ü......Àx
   000C02F0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
   000C0300  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C0310  00 00 00 00 00 10 63 74 00 00 00 00 00 00 5D B0  ......ct......]°
   000C0320  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
   000C0330  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C0340  00 00 00 00 00 10 C1 24 00 00 00 00 00 00 22 A0  ......Á$......" 
   000C0350  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
   000C0360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0370  00 00 00 00 00 10 E4 00 00 00 00 00 00 12 80 50  ......ä.......€P
   000C0380  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
   000C0390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C03A0  00 00 00 00 00 23 64 80 00 00 00 00 00 03 E6 78  .....#d€......æx
   000C03B0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
   000C03C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C03D0  00 00 00 00 00 27 4A F8 00 00 00 00 00 17 27 58  .....'Jø......'X
   000C03E0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
   000C03F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0400  00 00 00 00 00 3E 72 50 00 00 00 00 00 07 0F 94  .....>rP.......”
   000C0410  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
   000C0420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0430  00 00 00 00 00 45 81 E4 00 00 00 00 00 08 04 18  .....E.ä........
   000C0440  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
   000C0450  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0460  00 00 00 00 00 4D 85 FC 00 00 00 00 00 06 0D 78  .....M…ü.......x
   000C0470  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
   000C0480  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0490  00 00 00 00 00 53 93 74 00 00 00 00 00 00 12 A8  .....S“t.......¨
   000C04A0  6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F  manu_info_spu_mo
   000C04B0  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......

ROS1

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   007C0010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   007C0020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
   007C0030  00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00  .......`........
   007C0040  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
   007C0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0060  00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08  .......`........
   007C0070  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
   007C0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0090  00 00 00 00 00 04 04 68 00 00 00 00 00 00 FB 4C  .......h......ûL
   007C00A0  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
   007C00B0  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
   007C00C0  00 00 00 00 00 04 FF B4 00 00 00 00 00 00 C9 30  ......ÿ´......É0
   007C00D0  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
   007C00E0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
   007C00F0  00 00 00 00 00 05 C8 E4 00 00 00 00 00 00 63 D0  ......Èä......cÐ
   007C0100  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
   007C0110  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
   007C0120  00 00 00 00 00 06 2C B4 00 00 00 00 00 01 D2 D8  ......,´......ÒØ
   007C0130  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
   007C0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0150  00 00 00 00 00 07 FF 8C 00 00 00 00 00 00 42 98  ......ÿŒ......B˜
   007C0160  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
   007C0170  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
   007C0180  00 00 00 00 00 08 42 24 00 00 00 00 00 00 D7 F0  ......B$......×ð
   007C0190  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
   007C01A0  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
   007C01B0  00 00 00 00 00 09 1A 14 00 00 00 00 00 00 80 8C  ..............€Œ
   007C01C0  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
   007C01D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C01E0  00 00 00 00 00 09 9A A0 00 00 00 00 00 00 88 B8  ......š ......ˆ¸
   007C01F0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
   007C0200  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0210  00 00 00 00 00 0A 23 58 00 00 00 00 00 00 C0 78  ......#X......Àx
   007C0220  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
   007C0230  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0240  00 00 00 00 00 0A E3 D0 00 00 00 00 00 00 5D B0  ......ãÐ......]°
   007C0250  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
   007C0260  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0270  00 00 00 00 00 0B 41 80 00 00 00 00 00 00 22 A0  ......A€......" 
   007C0280  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
   007C0290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C02A0  00 00 00 00 00 0B 64 80 00 00 00 00 00 12 5E F0  ......d€......^ð
   007C02B0  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
   007C02C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C02D0  00 00 00 00 00 1D C3 80 00 00 00 00 00 0B 54 E8  ......À......Tè
   007C02E0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
   007C02F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0300  00 00 00 00 00 29 18 80 00 00 00 00 00 00 05 00  .....).€........
   007C0310  6C 76 30 2E 32 00 00 00 00 00 00 00 00 00 00 00  lv0.2...........
   007C0320  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0330  00 00 00 00 00 29 1D 80 00 00 00 00 00 17 89 58  .....).€......‰X
   007C0340  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
   007C0350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0360  00 00 00 00 00 40 A6 D8 00 00 00 00 00 07 0F 94  .....@¦Ø.......”
   007C0370  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
   007C0380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0390  00 00 00 00 00 47 B6 6C 00 00 00 00 00 07 E2 68  .....G¶l......âh
   007C03A0  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
   007C03B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C03C0  00 00 00 00 00 4F 98 D4 00 00 00 00 00 06 18 18  .....O˜Ô........
   007C03D0  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
   007C03E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C03F0  00 00 00 00 00 55 B0 EC 00 00 00 00 00 00 12 A8  .....U°ì.......¨
   007C0400  6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F  manu_info_spu_mo
   007C0410  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......
   007C0420  00 00 00 00 00 55 C3 94 00 00 00 00 00 00 02 E0  .....UÔ.......à
   007C0430  70 72 6F 67 2E 73 72 76 6B 00 00 00 00 00 00 00  prog.srvk.......
   007C0440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0450  00 00 00 00 00 55 C6 74 00 00 00 00 00 00 02 40  .....UÆt.......@
   007C0460  70 6B 67 2E 73 72 76 6B 00 00 00 00 00 00 00 00  pkg.srvk........
   007C0470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Versioning in ROS0

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   001004C0  33 35 30 2E 30 30 30 0A 00 00 00 00 00 00 00 00  350.000.........
   001004D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   001004E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   001004F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00100500  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00100510  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00100520  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00100530  53 43 45 00 00 00 00 02 00 00 00 01 00 00 01 F0  SCE............ð

Versioning of ROS1

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   00800480  33 36 30 2E 30 30 30 0A 53 43 45 00 00 00 00 02  360.000.SCE.....
   00800490  00 01 00 01 00 00 01 F0 00 00 00 00 00 00 06 00  .......ð........
   008004A0  00 00 00 00 00 00 F5 4C 00 00 00 00 00 00 00 03  ......õL........

RVK

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   00093800  00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10  ................
   00093810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........
   00093820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
   00093830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
   00093840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@
   00093850  F6 93 38 8E C8 46 D5 FF 34 53 9D 12 91 7E C6 96  ö“8ŽÈFÕÿ4S..‘~Æ–
   00093860  BA 4F B8 36 82 1A 4F 40 19 88 B2 C8 56 B3 DA 4B  ºO¸6‚.O@.ˆ²ÈV³ÚK
   00093870  62 EB 84 D3 8A 95 F9 DD 6C D7 4C AB 47 8D D1 1A  bë„ÓŠ•ùÝl×L«G.Ñ.
   00093880  A6 64 B3 55 21 71 53 8C DD 8C 61 1F B0 7E 5E D2  ¦d³U!qSŒÝŒa.°~^Ò
   00093890  DB 1A 07 DA 37 4E 07 92 E7 B2 35 F1 E0 FA F8 13  Û..Ú7N.’ç²5ñàúø.
   000938A0  EC D9 94 1C 72 A0 45 38 79 85 6A 4E 02 CC 55 41  ìÙ”.r E8y…jN.ÌUA
   000938B0  21 3D F1 48 32 98 6E CB 86 0A 38 6E 33 C6 2E 8D  !=ñH2˜nˆ.8n3Æ..
   000938C0  1E 51 DC 7E C5 34 E6 5B 27 D4 5B 79 B4 34 0D 59  .QÜ~Å4æ['Ô[y´4.Y
   000938D0  49 F9 F0 6E F6 94 25 3D 6A E0 E9 40 69 74 68 B4  Iùðnö”%=jàé@ith´
   000938E0  C5 C6 A3 95 62 E0 69 6E CD 6C CD 48 32 DD 11 8C  ÅÆ£•bàinÍlÍH2Ý.Œ
   000938F0  1A D7 9B 37 8A 6F 33 C7 A1 27 D1 1C A4 24 E7 96  .×›7Šo3Ç¡'Ñ.¤$ç–
   00093900  F0 75 BC 3A BE 15 26 CD 83 EA C8 11 F0 50 4D F8  ðu¼:¾.&̓êÈ.ðPMø
   00093910  A0 15 2F 68 6E AE 5F 28 D8 F5 EA 39 A3 00 5E 06   ./hn®_(Øõê9£.^.
   00093920  D6 28 21 B7 36 49 29 27 73 76 D2 37 93 AB AB B2  Ö(!·6I)'svÒ7“««²
   00093930  1A B3 AD A2 75 64 D3 73 88 4F D3 8E 23 B3 16 4A  .³­¢udÓsˆOÓŽ#³.J
   00093940  BD 4A E2 B3 D0 AE B0 12 AC 91 33 EB AD 75 3E 47  ½Jâ³Ð®°.¬‘3ë­u>G
   00093950  8F E4 E2 D7 CE 35 90 BB 7A E0 AA 95 8D 88 93 22  .äâ×Î5.»zક.ˆ“"
   00093960  7A EB 8D C0 92 E9 74 30 7A 20 61 A6 36 5D 79 BD  zë.À’ét0z a¦6]y½
   00093970  11 9E B5 FC 64 F4 DF B6 E6 5E B7 7D 64 76 A7 B9  .žµüdô߶æ^·}dv§¹
   00093980  E8 12 6A 60 3B 6F 4F 4D F0 4A 8C 33 28 10 AB 60  è.j`;oOMðJŒ3(.«`
   00093990  B5 D5 0C EB 2E 89 02 91 B4 77 EE 4B 0A 95 B9 F1  µÕ.ë.‰.‘´wîK.•¹ñ
   000939A0  66 CF 5E 0A D4 A8 FA 85 DB 14 9E 54 36 86 B9 A0  fÏ^.Ô¨ú…Û.žT6†¹ 
   000939B0  F2 82 42 6A 76 8B D1 AD 72 2A 86 8E 10 92 FC 7A  ò‚Bjv‹Ñ­r*†Ž.’üz
   000939C0  2B A2 A9 55 31 BD F3 F4 95 64 A9 F6 D0 F4 A7 9B  +¢©U1½óô•d©öÐô§›
   000939D0  35 9E FF C6 C1 98 10 A2 41 47 F9 E1 B0 68 ED DD  5žÿÆÁ˜.¢AGùá°híÝ
   000939E0  8E AB E6 E8 A8 0F 1E 2F C3 50 3A 3B FA F4 2E 90  Ž«æè¨../ÃP:;úô..
   000939F0  5F 1C 3E 52 FE 76 01 99 0A 99 17 B6 BB 11 39 04  _.>Rþv.™.™.¶».9.
   00093A00  CE 79 FD 50 3A 59 61 24 16 8D 8A 08 DD F7 88 A6  ÎyýP:Ya$..Š.Ý÷ˆ¦
   00093A10  32 6F 77 E0 12 22 70 73 2C 1A 44 DE B7 00 D6 50  2owà."ps,.DÞ·.ÖP
   00093A20  AD 22 CE 7F AA 87 65 AA A3 0B D8 7A 84 FE CA 16  ­"Î.ª‡eª£.Øz„þÊ.
   00093A30  00 00 00 03 00 00 00 02 00 01 00 60 00 00 00 00  ...........`....
   00093A40  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00093A50  C4 1E 40 5D 94 83 6F 00 E8 86 36 1C 1E C0 A6 9F  Ä.@]”ƒo.è†6..À¦Ÿ
   00093A60  D0 34 53 63 9E 70 EB 64 43 9F 24 34 28 85 7A 04  Ð4ScžpëdCŸ$4(…z.

cell_ext_os_area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
   0E780000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   note: no cell_ext_os_area, 0CC00000-0FFFFFFF region filled with big blocks of FF
   0E780010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ    because firmware version 3.60 has no otheros.
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region
   0FFFFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0FFFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

Dumping your flash

There are many ways you can dump your flash you can choose the way that best fits you, there are some persons studing the flash.. If you can help providing a dump (specially if you have a debug console) search for those persons in IRC Efnet #ps3dev

Payload

Uncomment dump_dev_flash() in graf_payloads compile and run the payload

see Graf's_PSGroove_Payload for more info

Linux

Using graf_chokolo kernel with /dev/ps3nflasha access

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024

Hardware

see Hardware flashing

Dump NAND/NOR from GameOS

precompiled : dump_flash.pkg // backup/mirror: dump_flash.pkg (70.48 KB)
source: dump_flash-src.rar (2.33 KB)

Make sure USB stick is FAT32 with enough free space (16MB per NOR dump, 256MB per NAND dump)

remark: NAND dumps are 239MB because HV masks bootldr, see Hardware flashing #Difference between hardware dumps and software dumps

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        ptr = pkg + 0x10 + 0x30 * i;

        offset = be64(ptr + 0x00);
        size   = be64(ptr + 0x08);

        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

        printf("unpacking %s (size: %d bytes)...\n", name, size);
        memcpy_to_file((char *)name, pkg + offset, size);
}

static void unpack_pkg(void)
{
        u32 n_files;
        u64 size;
        u32 i;

        n_files = be32(pkg + 4);
        size = be64(pkg + 8);

        for (i = 0; i < n_files; i++)
                unpack_file(i);
}

int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* kludge for header, i do not do sanity checks at the moment */
        pkg += 1024;

        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}

Source: http://rms.grafchokolo.com/?p=25

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
	     char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  int iRes, iSize;

  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
	  iEidCount, pFile, iInputSize, iInputSize);

  szBuf = (char *) malloc (iInputSize + 1);
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);

  if (szBuf == NULL)
    {
      perror ("malloc");
      exit (1);
    };

  iSize = fread (szBuf, iInputSize, 1, pFile);
  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  iRes = fwrite (szBuf, iInputSize, 1, pOutput);

  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    };

  free (szBuf);
}

int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
    usage:
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }

  if (argc == 2 && argv[2] != NULL)
    {
      pPrefix = argv[2];
      goto usage;
    }

  fseek (pFile, 0x70, SEEK_SET);

  if (pPrefix != NULL)
    {
      DumpEidData (pFile, 2144, 0, pPrefix);
      DumpEidData (pFile, 672, 1, pPrefix);
      DumpEidData (pFile, 1840, 2, pPrefix);
      DumpEidData (pFile, 256, 3, pPrefix);
      DumpEidData (pFile, 48, 4, pPrefix);
      DumpEidData (pFile, 2560, 5, pPrefix);
    }
  return 0;
}

Source: http://rms.grafchokolo.com/?p=59

Flash Samples

Here are some samples of NOR Flash for your dissection. These are taken from different consoles.