Flash: Difference between revisions
m (cleanup, mainpage is now NOR/NAND in one single reference) |
m (→Overview) |
||
Line 10: | Line 10: | ||
! type !! colspan="3" | Name !! Start Offset !! End Offset !! Size (h) !! Size (bytes) !! Notes | ! type !! colspan="3" | Name !! Start Offset !! End Offset !! Size (h) !! Size (bytes) !! Notes | ||
|- | |- | ||
| {{generic}} || colspan="3" | [[Flash#Header_-_0FACE0FF_DEADBEEF|0FACE0FF DEADBEEF]] || 0x000010 || 0x000001F || 0x10 || (16 bytes) || <small>magic header : | | {{generic}} || colspan="3" | [[Flash#Header_-_0FACE0FF_DEADBEEF|0FACE0FF DEADBEEF]] || 0x000010 || 0x000001F || 0x10 || (16 bytes) || <small>magic header : 0x0000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ¾ï</small> | ||
|- | |- | ||
| {{perconsole}} || colspan="3" | [[Flash#File_Table|flashregion table]] || 0x000400 || || || | | {{perconsole}} || colspan="3" | [[Flash#File_Table|flashregion table]] || 0x000400 || || || | ||
Line 60: | Line 60: | ||
| {{perfirmware}} || 9 || colspan="2" | [[Flash#ros1|ros1]] || 0x7C0000 || 0xEBFFFF || 0x700000 || (7,340,032 bytes) || <small>Contains CoreOS files, [http://www.ps3devwiki.com/index.php?title=Boot_Order#CoreOS_PKG_Filelisting filecontent depends on firmware version]</small> | | {{perfirmware}} || 9 || colspan="2" | [[Flash#ros1|ros1]] || 0x7C0000 || 0xEBFFFF || 0x700000 || (7,340,032 bytes) || <small>Contains CoreOS files, [http://www.ps3devwiki.com/index.php?title=Boot_Order#CoreOS_PKG_Filelisting filecontent depends on firmware version]</small> | ||
|- | |- | ||
| {{perconsole}} || A || colspan="2" | cvtrm || 0xEC0000 || | | {{perconsole}} || A || colspan="2" | cvtrm || 0xEC0000 || 0xEFFFFF || 0x40000 || (262,144 bytes) || | ||
|- | |||
| {{generic}} || colspan="3" | 0FACE0FF DEADFACE || 0xF00010 || 0xF00001F || 0x10 || (16 bytes) || <small>magic header : 0xF00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬àÿ....ÞúÎ</small> | |||
|- | |- | ||
| {{generic}} || colspan="3" | CELL_EXTNOR_AREA || 0xF20000 || 0xFA0040 || 0x80040 || (524,352 bytes) || | | {{generic}} || colspan="3" | CELL_EXTNOR_AREA || 0xF20000 || 0xFA0040 || 0x80040 || (524,352 bytes) || |
Revision as of 12:35, 8 December 2011
This is an attempt at documenting the files located and stored on flash. Please note that this comes from reverse engineering several flash dumps, not from reverse engineering the PS3 firmware itself. This involves a lot of guesswork, so it may not be accurate and information may be missing.
Overview
NOR Flash
The following is a list of files stored in NOR Flash
type | Name | Start Offset | End Offset | Size (h) | Size (bytes) | Notes | ||
---|---|---|---|---|---|---|---|---|
gen | 0FACE0FF DEADBEEF | 0x000010 | 0x000001F | 0x10 | (16 bytes) | magic header : 0x0000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ¾ï | ||
pc | flashregion table | 0x000400 | ||||||
pc | 0 | asecure_loader | 0x000800 | 0x02EFFF | 0x2E800 | (262,144 bytes) | aka metldr | |
pc | 1 | eEID | 0x02F000 | 0x03EFFF | 0x10000 | (65,536 bytes) | ||
pc | 0 | EID0 | 0x02F070 | 0x02F8D0 | 0x860 | (2,144 bytes) | (IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID ) | |
pc | 1 | EID1 | 0x02F8D0 | 0x02FB70 | 0x2A0 | (672 bytes) | ||
pc | 2 | EID2 | 0x02FB70 | 0x0302A0 | 0x730 | (1,840 bytes) | ||
pc | 3 | EID3 | 0x0302A0 | 0x0303A0 | 0x100 | (256 bytes) | ||
pc | 4 | EID4 | 0x0303A0 | 0x0303D0 | 0x30 | (48 bytes) | ||
pc | 5 | EID5 | 0x0303D0 | 0x030DD0 | 0xA00 | (2,560 bytes) | ||
pc | F | unreferenced area | 0x030DD0 | 0x03EFFF | 0xE22F | (57,903 bytes) | ||
pc | 2 | cISD | 0x03F000 | 0x03F7FF | 0x800 | (2,048 bytes) | ||
pc | 0 | cISD0 | 0x03F040 | 0x03F060 | 0x20 | (32 bytes) | ||
pc | 1 | cISD1 | 0x03F060 | 0x03F260 | 0x200 | (512 bytes) | ||
pc | 2 | cISD2 | 0x03F260 | 0x03F270 | 0x10 | (16 bytes) | ||
pc | F | unreferenced area | 0x03F270 | 0x03F7FF | 0x58F | (1,423 bytes) | ||
pc | 3 | cCSD | 0x03F800 | 0x03FFFF | 0x800 | (2,048 bytes) | ||
pc | 0 | cCSD0 | 0x03F820 | 0x03F84F | 0x30 | (48 bytes) | ||
pc | F | unreferenced area | 0x03F850 | 0x03FFFF | 0x7B0 | (1,968 bytes) | ||
pf | 4 | trvk_prg0 | 0x040000 | 0x05FFFF | 0x20000 | (131,072 bytes) | ||
pf | 5 | trvk_prg1 | 0x060000 | 0x07FFFF | 0x20000 | (131,072 bytes) | ||
pf | 6 | trvk_pkg0 | 0x080000 | 0x09FFFF | 0x20000 | (131,072 bytes) | ||
pf | 7 | trvk_pkg1 | 0x0A0000 | 0x0BFFFF | 0x20000 | (131,072 bytes) | ||
pf | 8 | ros0 | 0x0C0000 | 0x7BFFFF | 0x700000 | (7,340,032 bytes) | Contains CoreOS files, filecontent depends on firmware version | |
pf | 9 | ros1 | 0x7C0000 | 0xEBFFFF | 0x700000 | (7,340,032 bytes) | Contains CoreOS files, filecontent depends on firmware version | |
pc | A | cvtrm | 0xEC0000 | 0xEFFFFF | 0x40000 | (262,144 bytes) | ||
gen | 0FACE0FF DEADFACE | 0xF00010 | 0xF00001F | 0x10 | (16 bytes) | magic header : 0xF00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬àÿ....ÞúÎ | ||
gen | CELL_EXTNOR_AREA | 0xF20000 | 0xFA0040 | 0x80040 | (524,352 bytes) | |||
pc | bootldr | 0xFC0000 | 0xFEEAF0 | 0x2EAF0 | (191,216 bytes) | End @ FEF170, FEF570, FEF5F0, FEF600 in some dumps |
NAND Flash
The following is a list of files stored in NAND Flash
type | Name | Start Offset | End Offset | Size (h) | Size (bytes) | Notes | ||
---|---|---|---|---|---|---|---|---|
pc | bootldr | 0x0000000 | 0x003FFFF | 0x40000 | (191,216 bytes) | datasize depends on bootldr revision | ||
gen | 0FACE0FF DEADBEEF | 0x0040010 | 0x004001F | 0x10 | (16 bytes) | magic header : 0x040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ¾ï | ||
pc | flashregion table | 0x0040200 | ||||||
pc | 0 | asecure_loader | 0x0040800 | 0x00807FF | 0x40000 | (262,144 bytes) | aka metldr, extracted data starts from 0x040840, datasize depends on metldr revision | |
pc | 1 | eEID | 0x0080800 | 0x00907FF | 0x10000 | (65,536 bytes) | ||
pc | 0 | EID0 | 0x0080870 | 0x00810CF | 0x860 | (2,144 bytes) | (IDPS @ offset 0x00080870 absolute / 0x00000070 inside eEID ) | |
pc | 1 | EID1 | 0x00810D0 | 0x008136F | 0x2A0 | (672 bytes) | ||
pc | 2 | EID2 | 0x0081370 | 0x0081A9F | 0x730 | (1,840 bytes) | ||
pc | 3 | EID3 | 0x0081AA0 | 0x0081B9F | 0x100 | (256 bytes) | ||
pc | 4 | EID4 | 0x0081BA0 | 0x0081BCF | 0x30 | (48 bytes) | ||
pc | 5 | EID5 | 0x0081BD0 | 0x00825CF | 0xA00 | (2,560 bytes) | ||
pc | F | unreferenced area | 0x00825D0 | 0x00907FF | 0xE22F | (57,903 bytes) | ||
pc | 2 | cISD | 0x0090800 | 0x0090FFF | 0x800 | (2,048 bytes) | ||
pc | 0 | cISD0 | 0x0090840 | 0x009085F | 0x20 | (32 bytes) | ||
pc | 1 | cISD1 | 0x0090860 | 0x0090A5F | 0x200 | (512 bytes) | ||
pc | 2 | cISD2 | 0x0090A60 | 0x0090A6F | 0x10 | (16 bytes) | ||
pc | F | unreferenced area | 0x0090A70 | 0x0090FFF | 0x58F | (1,423 bytes) | ||
pc | 3 | cCSD | 0x0091000 | 0x00917FF | 0x800 | (2,048 bytes) | ||
pc | 0 | cCSD0 | 0x0091020 | 0x009104F | 0x30 | (48 bytes) | ||
pc | F | unreferenced area | 0x0091050 | 0x00917FF | 0x7B0 | (1,968 bytes) | ||
pf | 4 | trvk_prg | 0x0091800 | 0x00937FF | 0x2000 | (8,192 bytes) | extracted size is 0x2000 for trvk_prg0 + trvk_prg1 combined as trvk_prg (8,192 bytes) | |
pf | 5 | trvk_pkg | 0x0093800 | 0x00957FF | 0x2000 | (8,192 bytes) | extracted size is 0x2000 for trvk_pkg0 + trvk_pkg1 combined as trvk_pkg (8,192 bytes) | |
gen | 6 | creserved_0 | 0x0095800 | 0x00BFFFF | 0x2A800 | (174,080 bytes) | ||
pf | 7 | ros | 0x00C0000 | 0x0EBFFFF | 0xE00000 | (14,680,064 bytes) | ||
pf | 0 | ros0 | 0x00C0020 | 0x07BFFFF | 0x700000 | (7,340,032 bytes) | Contains CoreOS files, filecontent depends on firmware version | |
pf | 1 | ros1 | 0x07C0010 | 0x0EBFFFF | 0x700000 | (7,340,032 bytes) | Contains CoreOS files, filecontent depends on firmware version | |
pc | 8 | cvtrm | - | - | 0x40000 | (262,144 bytes) | ||
pc | M | SCEIVTRM | ~varies | ~varies | 0x10 | (16 bytes) | magic header : 0x0D80000 53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8 SCEIVTRM.......¨ | |
pc | 0 | VTRM0 | ~varies | ~varies | ~varies | ~varies | magic header : 0x0D80020 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ | |
pc | 1 | VTRM1 | ~varies | ~varies | ~varies | ~varies | magic header : 0x0D80400 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ | |
gen | cell_ext_os_area | 0xE780000 | 0xE78000F | 0x10 | (16 bytes) | magic header : 0xE780000 63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61 cell_ext_os_area | ||
gen | OtherOS | 0xE780800 | ~varies | ~varies | ~varies | OtherOS loader/init.rd |
First Region
Header - 0FACE0FF DEADBEEF
Location:
- NOR: 0x000000 - 0x00001FF
- NAND: 0x0040000 - 0x00401FF
example
NOR: 0x000000 - 0x00001FF | NAND: 0x0040000 - 0x00401FF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ.¾ï 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 ..............x. 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... 000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00040000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ¾ï 00040020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 00 ..............v. 00040030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... 000401F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x00 | 0x10 | 0x0 | Blank/Unknown |
0x10 | 0x10 | 0x0FACE0FF 0xDEADBEEF | Magic number |
0x20 | 0x10 | 0x7800 | Region length in units of 0x200 bytes (0x7800 * 0x200 = 0xF00000 in the NOR example) |
0x30 | 0x1D0 | 0x0 | Blank/Unknown |
Unknown Header - IFI
Location: NOR only : 0x000200 - 0x00003FF
The next block of 512 bytes only has the first 16 bytes written. Unsure exactly what this means.
example
NOR only : 0x000200 - 0x00003FF | NAND: N.A. |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000200 49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00 IFI............. 00000210 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 000003F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
N.A. |
structure
Address | Length | Value | Description |
---|---|---|---|
0x200 | 0x10 | 0x49464900 (String: "IFI") 0x1 0x2 0x0 | Unknown |
File Table
Location:
- NOR: 0x0000400 - 0x00007FF
- NAND: 0x0040200 - 0x00407FF
The next 1024 bytes contain the file entry table
Header
Small 16 byte header to describe length and entry count
example
NOR: 0x0000400 - 0x000040F | NAND: 0x0040200 - 0x004020F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000400 00 00 00 01 00 00 00 0B 00 00 00 00 00 EF FC 00 .............ïü. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00040200 00 00 00 01 00 00 00 09 00 00 00 00 00 EB FE 00 .............ëþ. |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x01 | Unknown |
0x4 | 0x4 | 0x0B | Entry Count |
0x8 | 0x8 | 0xEFFC00 | Length of Flash Region (relative to 0x400, the region start) |
First comes a header, which tells us how many files are stored here.
Entry Table
Then follows a 32 byte entry for each file
example
NOR: 0x0000410 - 0x00007FF | NAND: 0x0040210 - 0x00407FF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000410 00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00 ..............è. 00000420 61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00 asecure_loader.. 00000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00040210 00 00 00 00 00 00 06 00 00 00 00 00 00 04 00 00 ................ 00040220 61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00 asecure_loader.. 00040230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x400 | File offset relative to 0x400 (Region start) |
0x8 | 0x8 | 0x2E800 | File length |
0x10 | 0x20 | char[32]:"asecure_loader" | File name |
asecure_loader region
Location:
- NOR: 0x0000800 - 0x0002EFFF
- NAND: 0x0040800 - 0x00807FF
Within asecure_loader is another file table, similar to the one in region 1 but located within region 1 itself. It has only been observed to hold metldr in its encrypted form.
Header
example
NOR: 0x0000800 - 0x000080F | NAND: 0x0040800 - 0x004080F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000800 00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00 ..............è. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00040800 00 00 00 01 00 00 00 01 00 00 00 00 00 04 00 00 ................ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x00 | 0x04 | 0x01 | Unknown |
0x04 | 0x04 | 0x01 | Entry Count |
0x08 | 0x08 | 0x2E800 | Length of Region |
Entry Table
Then follows a 32 byte entry for asecure (metldr) file
example
NOR: 0x0000810 - 0x000083F | NAND: 0x0040810 - 0x004083F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0 .......@......èÐ 00000820 6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr.......... 00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00040810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 EE 10 .......@......î. 00040820 6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr.......... 00040830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x08 | 0x40 | File offset relative to 0x810 (asecure_loader header) |
0x8 | 0x08 | 0xE8D0 | File Length |
0x10 | 0x20 | char[32]:"metldr" | File name |
Metldr binary
note: exact length depends on metldr revision and is mentioned in previous entrytable
example
NOR: 0x0000840 - 0x000F12F | NAND: 0x0040840 - 0x004F66F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000840 00 00 0E 89 43 B6 EF 4A E2 0F 74 00 C8 80 9E 53 ...‰C¶ïJâ.t.È€žS 00000850 00 00 0E 89 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 ...‰üÑؾoôÈØ.áÃ÷ 00000860 8B E4 7A 13 F1 F9 85 EF 66 01 96 81 BD CA 31 EA ‹äz.ñù…ïf.–.½Ê1ê 00000870 9F 86 36 BB 92 4C FF EE FA 92 88 D3 E5 27 96 24 Ÿ†6»’Lÿîú’ˆÓå'–$ .... 0000F0F0 ED BA DE 64 76 29 8E C6 CC FC DD 30 40 56 39 6B íºÞdv)ŽÆÌüÝ0@V9k 0000F100 03 F3 C1 D1 81 41 85 32 24 A6 46 67 CC FB 3F 64 .óÁÑ.A…2$¦FgÌû?d 0000F110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000F120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00040840 00 00 0E DD 2F 6C 62 2E CA 7F AE 0D 2F 76 B5 D4 ...Ý/lb.Ê.®./vµÔ 00040850 00 00 0E DD 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA ...Ý“·ß8”’.¶ÃœÒª 00040860 B2 6A E5 B6 D9 EB D8 5A 63 B2 32 E0 75 18 7C 63 ²jå¶ÙëØZc²2àu.|c 00040870 8D A0 30 54 F6 34 63 FB 01 8F DE 31 0A D7 FF 3D . 0Tö4cû..Þ1.×ÿ= .... 0004F630 2D 76 13 0B F3 89 32 A3 D2 A2 4A 18 19 FD 30 DC -v..ó‰2£Ò¢J..ý0Ü 0004F640 D8 18 00 DA BD E3 99 EB 80 DE CE A8 59 7B 8F 49 Ø..Ú½ã™ë€ÞΨY{.I 0004F650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0004F660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
eEID
This section of flash contains QA tokens
It is 0x10000 bytes in length (64 KB), but only the first 0x1DD0 bytes are used; the rest is padded with FF
It is composed of 6 sections numbered from 0 to 5
eEID contains your system model data, your target ID, and your PS3 motherboard revision
Section | Description | iso module |
---|---|---|
EID0 | EID0 is needed for loading parameters to isoldr for loading isolated SELF files on a SPE | aim_spu_module |
EID1 | ? | |
EID2 | ? + BD drive pairing | fdm_spu_module |
EID3 | ? | AacsModule.spu.isoself CprmModule.spu.isoself |
EID4 | ? | sv_iso_spu_module |
EID5 | ? | aim_spu_module |
Header
example
NOR: 0x002F000 - 0x002F00F | NAND: 0x0080800 - 0x008080F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0002F000 00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00 .......Ð........ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00080800 00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00 .......Ð........ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x6 | Number of entries |
0x4 | 0x8 | 0x1DD0 | Length of entire eEID package |
0x8 | 0x8 | 0x0 | Unknown/Blank |
File Table
This is the whole file table
example
NOR: 0x002F010 - 0x002F06F | NAND: 0x0080810 - 0x008086F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0002F010 00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00 ...p...`........ 0002F020 00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01 ...Ð... ........ 0002F030 00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02 ...p...0........ 0002F040 00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03 ... ............ 0002F050 00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04 ... ...0........ 0002F060 00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05 ...Ð............ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00080810 00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00 ...p...`........ 00080820 00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01 ...Ð... ........ 00080830 00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02 ...p...0........ 00080840 00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03 ... ............ 00080850 00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04 ... ...0........ 00080860 00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05 ...Ð............ |
structure
0x10 bytes per entry as follows:
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x70 | Entry point |
0x4 | 0x8 | 0x860 | Length |
0x8 | 0x8 | 0x0 | EID number |
Typical EID entry addresses and lengths
Entry point listed is offset from base EID address (NOR:0x002F000 / NAND:0x0080800 in these examples)
Absolute start address is base EID address + Entry point
Absolute end address is base EID address + Entry point + Length
Description | Entry point | Length | NOR Address | NAND Address | ||
---|---|---|---|---|---|---|
start | end | start | end | |||
EID0 | 0x70 | 0x860 | 0x002F070 | 0x002F8CF | 0x0080870 | 0x00810CF |
EID1 | 0x8D0 | 0x2A0 | 0x002F8D0 | 0x002FB6F | 0x00810D0 | 0x008136F |
EID2 | 0xB70 | 0x730 | 0x002FB70 | 0x003029F | 0x0081370 | 0x0081A9F |
EID3 | 0x12A0 | 0x100 | 0x00302A0 | 0x003039F | 0x0081AA0 | 0x0081B9F |
EID4 | 0x13A0 | 0x30 | 0x00303A0 | 0x00303CF | 0x0081BA0 | 0x0081BCF |
EID5 | 0x13D0 | 0xA00 | 0x00303D0 | 0x0030DCF | 0x0081BD0 | 0x00825CF |
EID0 - Section 0
Indi manager can write to it
AIM can rehash it
example
NOR: 0x002F070 - 0x002F8CF | NAND: 00080870 - 0x00810CF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0002F070 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C .....‰.......‘.\ 0002F080 00 12 00 0B FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 ....üÑؾoôÈØ.áÃ÷ .... 0002F8B0 5B B4 1B C2 81 59 79 1A E6 DA F1 FD 5C E8 5B 67 [´.Â.Yy.æÚñý\è[g 0002F8C0 EA 85 A8 F6 9F A1 C6 A2 5E 59 C5 61 A9 5F 6D 2E ê…¨öŸ¡Æ¢^YÅa©_m. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00080870 00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2 .....Š....R¼Ç.m² 00080880 00 12 00 0B 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA ....“·ß8”’.¶ÃœÒª .... 000810B0 05 CA AE F2 3A 9C 88 09 90 D6 41 4B DA 37 6C AF .Ê®ò:œˆ..ÖAKÚ7l¯ 000810C0 4A 63 D7 B0 3E DD 5A 29 55 6A 9B E7 96 6E E1 EE Jc×°>ÝZ)Uj›ç–náî |
structure
Address | Size | Value | Description | Observations |
---|---|---|---|---|
0x0 | 0x10 | 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C | IDPS | IDPS This contains your Target ID |
0x10 | 0x4 | 00 12 00 0B | Unknown | |
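0x14 | 0x12 | FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 | Per console nonce | Appears to be the same nonce as in the encrypted files metloader/bootloader. The value shown is 12 bytes (0x14 to 0x1F), so the 0x12 in the Size column is probably decimal 12 (0xC) |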
Rest | Rest | Rest | Encrypted Data? |
EID 1 - Section 1
example
NOR: 0x002F8D0 - 0x002FB6F | NAND: 0x00810D0 - 0x008136F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0002F8D0 DB D1 FF 70 CF CA D6 A6 59 94 15 E1 B3 FC CF CA ÛÑÿpÏÊÖ¦Y”.á³üÏÊ 0002F8E0 B6 48 D5 01 39 4A 76 00 25 76 F6 F0 36 65 68 A7 ¶HÕ.9Jv.%vöð6eh§ .... 0002FB50 AB 66 60 E8 B7 0D 3F 78 C5 59 2B D4 77 EB 2C 2D «f`è·.?xÅY+Ôwë,- 0002FB60 C3 6A B9 FA BB 63 CD EA 5D D2 39 8A 3F 77 2A 09 Ãj¹ú»cÍê]Ò9Š?w*. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000810D0 A3 D6 F3 27 20 C6 80 11 EA A3 A1 75 48 36 4C 10 £Öó' Æ€.꣡uH6L. 000810E0 C9 6F B0 3D BF 85 4F D4 1F 89 01 C9 BC 64 DE 08 Éo°=¿…OÔ.‰.ɼdÞ. .... 00081350 2A DF F9 45 E4 94 FD 43 33 82 6E 82 BB E9 CD 3F *ßùEä”ýC3‚n‚»éÍ? 00081360 53 5F E0 5A A2 7A 7E 6E 3D 50 A3 2B 16 68 7B 28 S_àZ¢z~n=P£+.h{( |
structure
Appears to be encrypted, not much is known about this one
EID 2 - Section 2
example
NOR: 0x002FB70 - 0x003029F | NAND: 0x0081370 - 0x0081A9F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0002FB70 00 80 06 90 00 00 00 00 00 00 00 00 00 00 00 00 .€.............. 0002FB80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0002FB90 56 64 18 79 DC 30 12 51 3C C5 69 21 0C AD ED 8F Vd.yÜ0.Q<Åi!.í. 0002FBA0 67 DC 77 CC B6 4B 2D FB 68 F2 2E 41 A0 F4 C7 88 gÜw̶K-ûhò.A ôLj .... 00030280 03 92 40 B3 63 F4 62 97 D2 3D AE 82 1B F4 EC CA .’@³côb—Ò=®‚.ôìÊ 00030290 30 72 60 A5 7E B7 11 54 D9 9D 02 5C 20 7A CE 83 0r`¥~·.TÙ..\ z΃ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00081370 00 80 06 90 00 00 00 00 00 00 00 00 00 00 00 00 .€.............. 00081380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00081390 FC CA 19 07 3F FA D0 87 DF 20 23 98 99 17 F1 DF üÊ..?úÐ‡ß #˜™.ñß 000813A0 95 A7 98 49 EC 4D 68 D2 61 D7 2F BE 4A 7E 86 02 •§˜IìMhÒa×/¾J~†. .... 00081A80 76 D5 07 20 D1 85 07 39 4D 2E F9 CE 0F A4 61 ED vÕ. Ñ….9M.ùÎ.¤aí 00081A90 18 A6 BB 00 F9 55 69 BB DC 60 54 6D 40 C5 AF 3D .¦».ùUi»Ü`Tm@ů= |
structure
Not sure about this one; there appear to be some recurring patterns in here
EID 3 - Section 3
example
NOR: 0x00302A0 - 0x003039F | NAND: 0x0081AA0 - 0x0081B9F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000302A0 00 00 00 01 58 1B 20 6E 00 00 00 00 01 8B 39 46 ....X. n.....‹9F 000302B0 00 01 00 D0 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 ...ÐüÑؾoôÈØ.áÃ÷ 000302C0 31 6B 01 24 85 68 AD 48 F4 D9 C5 E1 3E D5 BD A8 1k.$…hHôÙÅá>Õ½¨ 000302D0 A1 DD 7A 4A F2 95 3C FE 62 F2 F4 FD E0 48 98 35 ¡ÝzJò•<þbòôýàH˜5 000302E0 4D EB E2 E5 94 40 5F 29 BD 44 20 6E F1 14 92 5C Mëâå”@_)½D nñ.’\ 000302F0 19 1D 35 A5 32 54 FF 12 52 86 DD 19 4D E4 67 31 ..5¥2Tÿ.R†Ý.Mäg1 00030300 7F 34 A4 EE 0C 19 9B 0F C9 E3 81 4D F9 F7 1D 88 .4¤î..›.Éã.Mù÷.ˆ 00030310 90 C8 D3 F0 D5 40 5F 6B 2B A5 2D 1D D6 1F 58 37 .ÈÓðÕ@_k+¥-.Ö.X7 00030320 35 A5 7E 90 05 F1 89 2E 7F 76 BC 22 3F D4 F4 C3 5¥~..ñ‰..v¼"?Ôôà 00030330 31 58 62 79 2E D7 27 E3 4D 9F 16 BC 8E 7E B7 8D 1Xby.×'ãMŸ.¼Ž~·. 00030340 20 2F 8B 76 4F E7 FC 0F 4B 0E 26 54 AF 72 82 AD /‹vOçü.K.&T¯r‚ 00030350 9E 93 28 FB EA 3B 3D 62 47 C7 06 68 D0 5B C9 4E ž“(ûê;=bGÇ.hÐ[ÉN 00030360 E9 8F 1F 45 B1 7B 9B E3 9E 5C 33 5F E3 15 C5 B6 é..E±{›ãž\3_ã.Ŷ 00030370 E7 35 F4 0F C9 D6 F8 48 0B C7 63 A7 56 5D 96 C4 ç5ô.ÉÖøH.Çc§V]–Ä 00030380 CD 53 F2 95 5F 78 A1 5D 48 A6 9C D2 0B 40 D2 90 ÍSò•_x¡]H¦œÒ.@Ò. 00030390 7D 83 7B 24 12 F3 9F A7 F4 1E 7A 9B 98 50 2C 02 }ƒ{$.óŸ§ô.z›˜P,. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00081AA0 00 00 00 01 39 20 C4 E4 00 00 00 00 00 6E 38 61 ....9 Ää.....n8a 00081AB0 00 01 00 D0 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA ...Г·ß8”’.¶ÃœÒª 00081AC0 EA 14 35 C0 0F 48 31 01 FE 4C FD 1B F8 A5 C1 04 ê.5À.H1.þLý.ø¥Á. 00081AD0 B2 EE 21 12 5F F2 68 21 40 61 3D ED 62 7B EC 91 ²î!._òh!@a=íb{ì‘ 00081AE0 0F C2 D4 27 D9 90 34 C4 19 0D AB 2E 28 9B F4 F6 .ÂÔ'Ù.4Ä..«.(›ôö 00081AF0 00 F5 05 71 FA 53 A6 E8 52 57 9D 9E 7E 8B 9C FD .õ.qúS¦èRW.ž~‹œý 00081B00 C3 0B 92 AB 25 3E 34 D8 05 E0 92 DC 27 24 14 71 Ã.’«%>4Ø.à’Ü'$.q 00081B10 AF AC 4E C3 6B 66 EF 18 0B EB 72 5D E7 F1 96 28 ¯¬NÃkfï..ër]çñ–( 00081B20 6C 71 06 2B 45 7F 96 76 34 FA AC 7E D8 8F 97 B8 lq.+E.–v4ú¬~Ø.—¸ 00081B30 F4 B5 10 BA 71 9E 38 CB 7C AD CB A7 09 E0 23 72 ôµ.ºqž8Ë|˧.à#r 00081B40 19 4B 32 A2 0A 13 1C 4B 12 67 C3 28 98 EE 2D 26 .K2¢...K.gÃ(˜î-& 00081B50 B8 81 39 08 81 E4 11 EF 7B 6B DB 0A E8 A9 D0 9E ¸.9..ä.ï{kÛ.è©Ðž 00081B60 71 13 05 67 99 77 9B 1D E8 C9 0B 67 FB AC 4B 03 q..g™w›.èÉ.gû¬K. 00081B70 78 AF 44 B3 35 A9 39 1F 75 C1 9F 3C 46 E8 C6 71 x¯D³5©9.uÁŸ<FèÆq 00081B80 A5 5B 57 D3 37 6B E2 34 E7 7C B6 A5 04 FE 42 B5 ¥[WÓ7kâ4ç|¶¥.þBµ 00081B90 09 C7 97 0F 9E 2C 7F 94 F6 9C A2 15 4A 76 49 79 .Ç—.ž,.”öœ¢.JvIy |
structure
Not fully examined yet. Contains the 12-byte per-console nonce again at 0x14 to 0x1F
EID 4 - Section 4
example
NOR: 0x00303A0 - 0x00303CF | NAND: 0x0081BA0 - 0x0081BCF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000303A0 8B D7 1B A0 C3 DA 4B BE B3 72 AE 61 78 90 31 1F ‹×. ÃÚK¾³r®ax.1. 000303B0 2E CD F1 92 28 8E 17 AD 6A 9C D5 8A 8E 17 86 39 .Íñ’(Ž.jœÕŠŽ.†9 000303C0 C8 0A F7 9B 92 D8 3A A8 92 60 73 6A 5E 12 2A 94 È.÷›’Ø:¨’`sj^.*” |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00081BA0 40 9F 75 39 22 96 C2 12 A2 9C BC CF 53 99 73 40 @Ÿu9"–Â.¢œ¼ÏS™s@ 00081BB0 5D AD A7 F6 26 6E 50 35 55 A8 8A B9 24 A1 F5 35 ]§ö&nP5U¨Š¹$¡õ5 00081BC0 BC 3B 7A 88 17 75 9C 44 A9 2D 4B E0 8B 80 92 E7 ¼;zˆ.uœD©-Kà‹€’ç |
structure
Encrypted encdec key (used for e.g. BD drive)
EID 5 - Section 5
example
NOR: 0x00303D0 - 0x0030DCF | NAND: 0x0081BD0 - 0x00825CF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000303D0 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C .....‰.......‘.\ 000303E0 00 12 07 30 FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 ...0üÑؾoôÈØ.áÃ÷ 000303F0 B7 05 8B 05 E4 2E 94 C7 41 8E 1D E9 DE 63 F6 E6 ·.‹.ä.”ÇAŽ.éÞcöæ 00030400 C5 18 28 E6 47 44 CE 5D 53 03 57 76 46 0C 97 AB Å.(æGDÎ]S.WvF.—« .... 00030DB0 A8 55 8A FF 73 96 11 1B 6D 85 82 BD 73 FD 45 6D ¨UŠÿs–..m…‚½sýEm 00030DC0 7B 7B 00 DD 0D EB A8 A1 57 5F 5D 0F C9 23 49 E8 {{.Ý.먡W_].É#Iè |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00081BD0 00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2 .....Š....R¼Ç.m² 00081BE0 00 12 07 30 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA ...0“·ß8”’.¶ÃœÒª 00081BF0 CB 95 EF 88 DB 8B E8 14 69 1F 99 A7 4A 66 F7 09 Ë•ïˆÛ‹è.i.™§Jf÷. 00081C00 DD 23 09 1F 73 22 43 26 F4 1A 65 44 9C F2 DB 89 Ý#..s"C&ô.eDœòÛ‰ .... 000825B0 CE 82 2F 9B 8D F0 4E 22 6B EF 68 28 37 38 AA 08 ΂/›.ðN"kïh(78ª. 000825C0 EA 85 EA 2C A4 1D F2 76 9C FF D5 D4 49 97 06 06 ê…ê,¤.òvœÿÕÔI—.. |
structure
Similar again to EID0
Address | Size | Value | Description | Observations |
---|---|---|---|---|
0x0 | 0x10 | 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C | IDPS | IDPS |
0x10 | 0x4 | 00 12 07 30 | Unknown | Changes from EID0 |
0x14 | 0x12 | FC D1 D8 BE 6F F4 C8 D8 8F E1 C3 F7 | Per console nonce | Appears to be the same per-console nonce as in the encrypted files metldr/bootldr |
Rest | Rest | Rest | Encrypted Data? |
unreferenced area
Possibly just unused EID region (which also explains why it is FF filled)
example
NOR: 0x0030DD0 - 0x003EFFF | NAND: 0x00825D0 - 0x00907FF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00030DD0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00030DE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 0003EFE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 0003EFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000825D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000825E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 000907E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000907F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0xE22F | 0xFF | FF filled area |
cISD
This section of flash contains Console Specific information
cISD contains core information such as Gelic Ethernet MAC address
Header
example
NOR: 0003F000 - 0003F00F | NAND: 00090800 - 0009080F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F000 00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00 .......p........ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00090800 00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00 .......p........ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x3 | Number of entries |
0x4 | 0x8 | 0x270 | Length of entire cISD package |
0x8 | 0x8 | 0x0 | Unknown/Blank |
File Table
0x10 per entry:
example
NOR: 0003F010 - 0003F03F | NAND: 00090810 - 0009083F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F010 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 ...@... ........ 0003F020 00 00 00 60 00 00 02 00 00 00 00 00 00 00 00 01 ...`............ 0003F030 00 00 02 60 00 00 00 10 00 00 00 00 00 00 00 02 ...`............ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00090810 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 ...@... ........ 00090820 00 00 00 60 00 00 02 00 00 00 00 00 00 00 00 01 ...`............ 00090830 00 00 02 60 00 00 00 10 00 00 00 00 00 00 00 02 ...`............ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x40 | Entry point |
0x4 | 0x8 | 0x20 | Length |
0x8 | 0x8 | 0x0 | Entrynumber |
Typical cISD entry addresses and lengths
Entry point listed is offset from base cISD address (NOR:0x003F000 / NAND:0x0090800 in these examples)
Absolute start address is base cISD address + Entry point
Absolute end address is base cISD address + Entry point + Length
Description | Entry point | Length | NOR Address | NAND Address | ||
---|---|---|---|---|---|---|
start | end | start | end | |||
cISD0 | 0x40 | 0x20 | 0x003F040 | 0x003F060 | 0x0090840 | 0x0090860 |
cISD1 | 0x60 | 0x200 | 0x003F060 | 0x003F260 | 0x0090860 | 0x0090A60 |
cISD2 | 0x260 | 0x10 | 0x003F260 | 0x003F270 | 0x0090A60 | 0x0090A70 |
cISD0 - Section 0
example
NOR: 0003F040 - 0003F05F | NAND: 00090840 - 0009085F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F040 00 1F A7 E3 82 DC FF FF FF FF FF FF FF FF FF FF ..§ã‚Üÿÿÿÿÿÿÿÿÿÿ 0003F050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00090840 00 19 C5 BE 7D 50 FF FF FF FF FF FF FF FF FF FF ..ž}Pÿÿÿÿÿÿÿÿÿÿ 00090850 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x6 | 0xA8E3EE7D10DA | MAC Address |
0x6 | 0x1A | 0xFF | Unknown/Blank |
cISD1 - Section 1
example
NOR: 0x03F060 - 0x03F25F | NAND: 0x090860 - 0x090A5F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F060 7F 49 44 4C 00 02 00 60 01 00 00 02 01 33 B2 B6 .IDL...`.....3²¶ 0003F070 30 31 43 41 30 31 37 36 34 31 30 34 36 37 31 38 01CA017641046718 0003F080 30 33 30 35 34 39 34 30 30 30 30 30 30 30 32 30 0305494000000020 0003F090 32 37 34 33 38 34 31 36 34 30 30 36 31 33 32 39 2743841640061329 0003F0A0 31 31 39 32 00 73 00 73 00 96 00 01 FF FF FF FF 1192.s.s.–..ÿÿÿÿ 0003F0B0 00 02 00 11 00 02 00 12 00 00 00 00 01 8B 39 46 .............‹9F 0003F0C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 0003F240 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 0003F250 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00090860 7F 49 44 4C 00 02 00 60 01 00 00 02 00 61 21 CB .IDL...`.....a!Ë 00090870 30 31 43 35 31 38 30 30 35 39 30 44 37 37 30 45 01C51800590D770E 00090880 30 39 31 34 30 30 34 30 30 30 30 30 30 30 30 30 0914004000000000 00090890 32 37 34 33 30 31 37 39 33 48 41 31 30 37 31 37 274301793HA10717 000908A0 38 32 32 44 00 28 00 28 00 38 00 01 FF FF FF FF 822D.(.(.8..ÿÿÿÿ 000908B0 00 01 00 11 00 02 00 12 00 00 00 00 00 6E 38 61 .............n8a 000908C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 00090A40 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00090A50 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0xD | 0x7F49444C000200600100000202 | Unknown, static |
0xD | 0xF | 0x12FFC5 | Unknown, varies per console |
0x10 | 0x20 | Ascii: 01C524018316270E19087A4200000000 | Some unique identifier |
0x30 | 0x8 | Ascii: 27455222 | 3rd part of console serial number |
0x38 | 0xC | Ascii: 401512934163 | Some unique identifier |
0x44 | 0x1B | 0x0107010701280001FFFF00020011000200120000000002 | Unknown, static |
0x1B | 0x3 | 0x95A8C9 | Unknown, varies |
cISD2 - Section 2
example
NOR: 0003F260 - 0003F26F | NAND: 00090A60 - 00090A6F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F260 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .ÿ.............. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00090A60 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .ÿ.............. |
structure
This value is unknown and the first two bytes seem to vary
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x10 | 0x1FFF0000000000000000000000000000 | Unknown |
unreferenced area
Possibly just unused cISD region (which also explains why it is FF filled)
example
NOR: 0003F270 - 0003F7FF | NAND: 00090A70 - 00090FFF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F270 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 0003F280 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 0003F7E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 0003F7F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00090A70 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00090A80 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 00090FE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00090FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x58F | 0xFF | FF filled area |
cCSD
This section of flash is meant to contain Console Specific information, although in the dumps shown below it doesn't contain any data.
Header
example
NOR: 0003F800 - 0003F80F | NAND: 00091000 - 0009100F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F800 00 00 00 01 00 00 08 00 00 00 00 00 00 00 00 00 ................ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00091000 00 00 00 01 00 00 08 00 00 00 00 00 00 00 00 00 ................ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x1 | Number of entries |
0x4 | 0x8 | 0x800 | Length of entire cCSD package |
0x8 | 0x8 | 0x0 | Unknown/Blank |
File Table
example
NOR: 0003F810 - 0003F81F | NAND: 00091010 - 0009101F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F810 00 00 00 20 00 00 00 30 00 00 00 00 00 00 00 00 ... ...0........ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00091010 00 00 00 20 00 00 00 30 00 00 00 00 00 00 00 00 ... ...0........ |
structure
This repeats per entry
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x20 | Entry point |
0x4 | 0x8 | 0x30 | Length |
0x8 | 0x8 | 0x0 | Unknown/Blank |
cCSD0 - Section 0
example
NOR: 0x03F820 - 0x03F84F | NAND: 0x091020 - 0x09104F |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F820 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 0003F830 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 0003F840 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00091020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00091030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00091040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
There appears to be no data stored here.
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x30 | 0xFF | FF filled region |
unreferenced area
Possibly just unused cCSD region (which also explains why it is FF filled)
example
NOR: 0x03F850 - 0x03FFFF | NAND: 0x0091050 - 0x00917FF |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0003F850 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 0003F860 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 0003FFE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 0003FFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00091050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00091060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 000917E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000917F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x7B0 | 0xFF | FF filled area |
trvk_prg
NOR: split into 2 separate sections trvk_prg0 (0x40000) + trvk_prg1 (0x060000)
NAND: 1 region (0x0091800) with 2 combined sections of trvk_prg0 + trvk_prg1
Header
Only seen on NAND, with 2 combined sections of trvk_prg0 + trvk_prg1
example
NOR: | NAND: 0x0091800 - 0x009181F |
---|---|
N.A. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00091800 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 ....... ....... 00091810 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ...... ......... |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x20 | Offset to region (relative to base 0x91800) |
0x8 | 0x8 | 0x20 | Offset to file (relative to base 0x91800) |
0x10 | 0x8 | 0x2000 | Region Size |
0x18 | 0x8 | 0x0 | Unknown |
trvk_prg File Entries
32 byte SCE header for each trvk_prg file, followed by the signed/encrypted data. For content/structure, see: Revokation
trvk_prg0
example
NOR: trvk_prg0 (0x40000) | NAND: trvk_prg0 (0x0091800) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00040000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 C0 ...............À 00040010 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00040020 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 C0 ...............À |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00091820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 ...............à 00091830 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00091840 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 ...............à |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x2E0 | Unknown |
0x10 | 0x4 | ASCII:SCE. | Magic Header |
0x14 | 0x4 | 0x2 | Unknown |
0x18 | 0x4 | 0x2 | Unknown |
0x1C | 0x4 | 0x0 | Unknown |
0x20 | 0x8 | 0x200 | Unknown |
0x28 | 0x8 | 0xE0 | Unknown |
trvk_prg1
example
NOR: trvk_prg1 (0x060000) | NAND: trvk_prg1 (0x0092810) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00060000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 ...............à 00060010 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00060020 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 ...............à |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00092810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 ...............à 00092820 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00092830 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 ...............à |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x2E0 | Unknown |
0x10 | 0x4 | ASCII:SCE. | Magic Header |
0x14 | 0x4 | 0x2 | Unknown |
0x18 | 0x4 | 0x2 | Unknown |
0x1C | 0x4 | 0x0 | Unknown |
0x20 | 0x8 | 0x200 | Unknown |
0x28 | 0x8 | 0xE0 | Unknown |
trvk_pkg
NOR: split into 2 separate sections trvk_pkg0 (0x080000) + trvk_pkg1 (0x0A0000)
NAND: 1 region (0x0093800) with 2 combined sections of trvk_pkg0 + trvk_pkg1
Header
Only seen on NAND, with 2 combined sections of trvk_pkg0 + trvk_pkg1
example
NOR: | NAND: 0x0093800 - 0x009381F |
---|---|
N.A. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00093800 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 ................ 00093810 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ...... ......... |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x1010 | Offset to region (relative to base 0x93800) |
0x8 | 0x8 | 0x1010 | Offset to file (relative to base 0x93800) |
0x10 | 0x8 | 0x2000 | Region Size |
0x18 | 0x8 | 0x0 | Unknown |
trvk_pkg File Entries
32 byte SCE header for each trvk_pkg file, followed by the signed/encrypted data. For content/structure, see: Revokation
trvk_pkg0
example
NOR: trvk_pkg0 (0x80000) | NAND: trvk_pkg0 (0x0091800) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00080000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60 ...............` 00080010 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00080020 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 60 ...............` |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00093820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@ 00093830 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00093840 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x260 | Unknown |
0x10 | 0x4 | ASCII:SCE. | Magic Header |
0x14 | 0x4 | 0x2 | Unknown |
0x18 | 0x4 | 0x2 | Unknown |
0x1C | 0x4 | 0x0 | Unknown |
0x20 | 0x8 | 0x200 | Unknown |
0x28 | 0x8 | 0x60 | Unknown |
trvk_pkg1
example
NOR: trvk_pkg1 (0x0A0000) | NAND: trvk_pkg1 (0x0094810) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000A0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60 ...............` 000A0010 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 000A0020 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 60 ...............` |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00094810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@ 00094820 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00094830 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x260 | Unknown |
0x10 | 0x4 | ASCII:SCE. | Magic Header |
0x14 | 0x4 | 0x2 | Unknown |
0x18 | 0x4 | 0x2 | Unknown |
0x1C | 0x4 | 0x0 | Unknown |
0x20 | 0x8 | 0x200 | Unknown |
0x28 | 0x8 | 0x60 | Unknown |
creserved_0
Location:
- as file: in both ROS areas for both NOR + NAND
- as separate flash region: NAND only (0x0095800 - 0x00BFFFF)
example
NOR: | NAND: 0x0095800 - 0x00BFFFF |
---|---|
N.A. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00095800 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00095810 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ .... 000BFFE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 000BFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x2A800 | 0xFF | FF filled area |
ros
NOR: split into 2 separate sections ros0 (0x0C0000) + ros1 (0x7C0000)
NAND: 1 region (0x00C0000) with 2 combined sections of ros0 (0x00C0020) + ros1 (0x07C0000)
Header
Only seen on NAND, with 2 combined sections of ros0 + ros1
example
NOR: | NAND: 0x00C0000 - 0x00C001F |
---|---|
N.A. |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0000 00 00 00 00 00 70 00 10 00 00 00 00 00 70 00 10 .....p.......p.. 000C0010 00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00 .....à.......... |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x20 (ros0) or 0x700010 (ros1) | Offset to region (relative to base 0xC0000) |
0x8 | 0x8 | 0x20 (ros0) or 0x700010 (ros1) | Offset to region (relative to base 0xC0000) |
0x10 | 0x8 | 0xE00000 | Unknown |
0x18 | 0x8 | 0x0 | Unknown |
ros Entries
ros0
header
example
NOR: ros00 (0x00C0000 - 0x00C001F) | NAND: ros0 (0x00C0020 - 0x00C003F) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0000 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà 000C0010 00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0020 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà 000C0030 00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x6FFFE0 | Length of Flash Region (relative to region start) |
0x10 | 0x4 | 0x1 | Unknown |
0x14 | 0x4 | 0x18 | Entry Count |
0x18 | 0x8 | 0x6FFFE0 | Length of Flash Region (relative to region start) |
Entry Table
Then follows a 48-byte (0x30) entry for each file: an 8-byte file offset, an 8-byte file length and a 32-byte zero-padded file name.
example
NOR: ros0 (0x00C0020 - ) | NAND: ros0 (0x00C0040 - ) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0020 00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................ 000C0030 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0..... 000C0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0050 00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................ 000C0060 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version..... 000C0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0080 00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ 000C0090 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr.......... 000C00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C00B0 00 00 00 00 00 05 ED 00 00 00 00 00 00 01 75 F8 ......í.......uø 000C00C0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr.......... 000C00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C00E0 00 00 00 00 00 07 63 00 00 00 00 00 00 01 2F 94 ......c......./” 000C00F0 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr.......... 000C0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0110 00 00 00 00 00 08 93 00 00 00 00 00 00 01 F6 D8 ......“.......öØ 000C0120 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr.......... 000C0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0140 00 00 00 00 00 0A 89 D8 00 00 00 00 00 00 FB 4C ......‰Ø......ûL 000C0150 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri 000C0160 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self....... 000C0170 00 00 00 00 00 0B 85 24 00 00 00 00 00 00 5A 94 ......…$......Z” 000C0180 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces 000C0190 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........ 
000C01A0 00 00 00 00 00 0B DF B8 00 00 00 00 00 00 63 D0 ......߸......cÐ 000C01B0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce 000C01C0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self....... 000C01D0 00 00 00 00 00 0C 43 88 00 00 00 00 00 01 53 2C ......Cˆ......S, 000C01E0 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self..... 000C01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0200 00 00 00 00 00 0D 96 B4 00 00 00 00 00 00 42 98 ......–´......B˜ 000C0210 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s 000C0220 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf............. 000C0230 00 00 00 00 00 0D D9 4C 00 00 00 00 00 00 D7 F0 ......ÙL......×ð 000C0240 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel 000C0250 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f............... 000C0260 00 00 00 00 00 0E B1 3C 00 00 00 00 00 00 80 8C ......±<......€Œ 000C0270 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul 000C0280 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C0290 00 00 00 00 00 0F 31 C8 00 00 00 00 00 00 88 B8 ......1È......ˆ¸ 000C02A0 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul 000C02B0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C02C0 00 00 00 00 00 0F BA 80 00 00 00 00 00 00 C0 78 ......º€......Àx 000C02D0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul 000C02E0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C02F0 00 00 00 00 00 10 7A F8 00 00 00 00 00 00 5D B0 ......zø......]° 000C0300 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul 000C0310 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C0320 00 00 00 00 00 10 D8 A8 00 00 00 00 00 00 22 A0 ......ب......" 000C0330 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp..... 000C0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
000C0350 00 00 00 00 00 10 FB 80 00 00 00 00 00 12 6A A0 ......û€......j 000C0360 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........ 000C0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0380 00 00 00 00 00 23 66 80 00 00 00 00 00 03 E8 A8 .....#f€......è¨ 000C0390 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0............. 000C03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C03B0 00 00 00 00 00 27 4F 28 00 00 00 00 00 17 4A 18 .....'O(......J. 000C03C0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self. 000C03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C03E0 00 00 00 00 00 3E 99 40 00 00 00 00 00 07 0F 94 .....>™@.......” 000C03F0 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin.... 000C0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0410 00 00 00 00 00 45 A8 D4 00 00 00 00 00 08 04 18 .....E¨Ô........ 000C0420 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self.. 000C0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0440 00 00 00 00 00 4D AC EC 00 00 00 00 00 06 0D 78 .....M¬ì.......x 000C0450 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self... 000C0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0470 00 00 00 00 00 53 BA 64 00 00 00 00 00 00 12 A8 .....Sºd.......¨ 000C0480 6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F manu_info_spu_mo 000C0490 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00 dule.self....... |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C0040 00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................ 000C0050 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0..... 000C0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0070 00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................ 000C0080 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version..... 000C0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C00A0 00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ 000C00B0 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr.......... 000C00C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C00D0 00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0 ......í.......oð 000C00E0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr.......... 000C00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0100 00 00 00 00 00 07 5D 00 00 00 00 00 00 01 2F 74 ......]......./t 000C0110 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr.......... 000C0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0130 00 00 00 00 00 08 8C 80 00 00 00 00 00 01 E5 D4 ......Œ€......åÔ 000C0140 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr.......... 000C0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0160 00 00 00 00 00 0A 72 54 00 00 00 00 00 00 FB 4C ......rT......ûL 000C0170 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri 000C0180 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self....... 000C0190 00 00 00 00 00 0B 6D A0 00 00 00 00 00 00 5A 94 ......m ......Z” 000C01A0 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces 000C01B0 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........ 
000C01C0 00 00 00 00 00 0B C8 34 00 00 00 00 00 00 63 D0 ......È4......cÐ 000C01D0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce 000C01E0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self....... 000C01F0 00 00 00 00 00 0C 2C 04 00 00 00 00 00 01 53 2C ......,.......S, 000C0200 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self..... 000C0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0220 00 00 00 00 00 0D 7F 30 00 00 00 00 00 00 42 98 .......0......B˜ 000C0230 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s 000C0240 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf............. 000C0250 00 00 00 00 00 0D C1 C8 00 00 00 00 00 00 D7 F0 ......ÁÈ......×ð 000C0260 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel 000C0270 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f............... 000C0280 00 00 00 00 00 0E 99 B8 00 00 00 00 00 00 80 8C ......™¸......€Œ 000C0290 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul 000C02A0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C02B0 00 00 00 00 00 0F 1A 44 00 00 00 00 00 00 88 B8 .......D......ˆ¸ 000C02C0 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul 000C02D0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C02E0 00 00 00 00 00 0F A2 FC 00 00 00 00 00 00 C0 78 ......¢ü......Àx 000C02F0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul 000C0300 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C0310 00 00 00 00 00 10 63 74 00 00 00 00 00 00 5D B0 ......ct......]° 000C0320 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul 000C0330 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 000C0340 00 00 00 00 00 10 C1 24 00 00 00 00 00 00 22 A0 ......Á$......" 000C0350 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp..... 000C0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
000C0370 00 00 00 00 00 10 E4 00 00 00 00 00 00 12 80 50 ......ä.......€P 000C0380 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........ 000C0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C03A0 00 00 00 00 00 23 64 80 00 00 00 00 00 03 E6 78 .....#d€......æx 000C03B0 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0............. 000C03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C03D0 00 00 00 00 00 27 4A F8 00 00 00 00 00 17 27 58 .....'Jø......'X 000C03E0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self. 000C03F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0400 00 00 00 00 00 3E 72 50 00 00 00 00 00 07 0F 94 .....>rP.......” 000C0410 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin.... 000C0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0430 00 00 00 00 00 45 81 E4 00 00 00 00 00 08 04 18 .....E.ä........ 000C0440 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self.. 000C0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0460 00 00 00 00 00 4D 85 FC 00 00 00 00 00 06 0D 78 .....M…ü.......x 000C0470 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self... 000C0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000C0490 00 00 00 00 00 53 93 74 00 00 00 00 00 00 12 A8 .....S“t.......¨ 000C04A0 6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F manu_info_spu_mo 000C04B0 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00 dule.self....... |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x490 | File offset relative to Region start |
0x8 | 0x8 | 0x40000 | File length |
0x10 | 0x20 | char[32]:"creserved_0" | File name |
ros1
header
example
NOR: ros1 (0x07C0000) | NAND: ros1 (0x07C0010) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 007C0000 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà 007C0010 00 00 00 01 00 00 00 16 00 00 00 00 00 6F FF E0 .............oÿà |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 007C0010 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà 007C0020 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x0 | Unknown |
0x8 | 0x8 | 0x6FFFE0 | Length of Flash Region (relative to region start) |
0x10 | 0x4 | 0x1 | Unknown |
0x14 | 0x4 | 0x16 | Entry Count |
0x18 | 0x8 | 0x6FFFE0 | Length of Flash Region (relative to region start) |
Entry Table
Then follows a 48-byte (0x30) entry for each file: an 8-byte file offset, an 8-byte file length and a 32-byte zero-padded file name.
example
NOR: ros1 (0x07C0020) | NAND: ros1 (0x07C0030) |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 007C0020 00 00 00 00 00 00 04 30 00 00 00 00 00 04 00 00 .......0........ 007C0030 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0..... 007C0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0050 00 00 00 00 00 04 04 30 00 00 00 00 00 00 00 08 .......0........ 007C0060 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version..... 007C0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0080 00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC .......€......åÌ 007C0090 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr.......... 007C00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C00B0 00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D B0 ......ê€......m° 007C00C0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr.......... 007C00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C00E0 00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 24 ......X€.......$ 007C00F0 69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr.......... 007C0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0110 00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA 04 ......‡.......Ú. 007C0120 61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr.......... 007C0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0140 00 00 00 00 00 0A 61 04 00 00 00 00 00 00 FA B4 ......a.......ú´ 007C0150 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri 007C0160 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self....... 007C0170 00 00 00 00 00 0B 5B B8 00 00 00 00 00 00 5B FC ......[¸......[ü 007C0180 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces 007C0190 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........ 
007C01A0 00 00 00 00 00 0B B7 B4 00 00 00 00 00 00 65 B4 ......·´......e´ 007C01B0 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce 007C01C0 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self....... 007C01D0 00 00 00 00 00 0C 1D 68 00 00 00 00 00 01 53 2C .......h......S, 007C01E0 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self..... 007C01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0200 00 00 00 00 00 0D 70 94 00 00 00 00 00 00 44 80 ......p”......D€ 007C0210 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s 007C0220 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf............. 007C0230 00 00 00 00 00 0D B5 14 00 00 00 00 00 00 D7 44 ......µ.......×D 007C0240 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel 007C0250 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f............... 007C0260 00 00 00 00 00 0E 8C 58 00 00 00 00 00 00 80 8C ......ŒX......€Œ 007C0270 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul 007C0280 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0290 00 00 00 00 00 0F 0C E4 00 00 00 00 00 00 88 B8 .......ä......ˆ¸ 007C02A0 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul 007C02B0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C02C0 00 00 00 00 00 0F 95 9C 00 00 00 00 00 00 C0 78 ......•œ......Àx 007C02D0 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul 007C02E0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C02F0 00 00 00 00 00 10 56 14 00 00 00 00 00 00 5D B0 ......V.......]° 007C0300 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul 007C0310 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0320 00 00 00 00 00 10 B3 C4 00 00 00 00 00 00 22 A0 ......³Ä......" 007C0330 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp..... 007C0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
007C0350 00 00 00 00 00 10 D6 80 00 00 00 00 00 12 E1 60 ......Ö€......á` 007C0360 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........ 007C0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0380 00 00 00 00 00 23 B8 00 00 00 00 00 00 03 E3 58 .....#¸.......ãX 007C0390 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0............. 007C03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C03B0 00 00 00 00 00 27 9B 58 00 00 00 00 00 16 19 80 .....'›X.......€ 007C03C0 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self. 007C03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C03E0 00 00 00 00 00 3D B4 D8 00 00 00 00 00 07 09 F0 .....=´Ø.......ð 007C03F0 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin.... 007C0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0410 00 00 00 00 00 44 BE C8 00 00 00 00 00 08 1B 30 .....D¾È.......0 007C0420 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self.. 007C0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 007C0030 00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00 .......`........ 007C0040 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0..... 007C0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0060 00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08 .......`........ 007C0070 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version..... 007C0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0090 00 00 00 00 00 04 04 68 00 00 00 00 00 00 FB 4C .......h......ûL 007C00A0 73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri 007C00B0 66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self....... 007C00C0 00 00 00 00 00 04 FF B4 00 00 00 00 00 00 C9 30 ......ÿ´......É0 007C00D0 73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces 007C00E0 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........ 007C00F0 00 00 00 00 00 05 C8 E4 00 00 00 00 00 00 63 D0 ......Èä......cÐ 007C0100 73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce 007C0110 73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self....... 007C0120 00 00 00 00 00 06 2C B4 00 00 00 00 00 01 D2 D8 ......,´......ÒØ 007C0130 73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self..... 007C0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0150 00 00 00 00 00 07 FF 8C 00 00 00 00 00 00 42 98 ......ÿŒ......B˜ 007C0160 61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s 007C0170 65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf............. 007C0180 00 00 00 00 00 08 42 24 00 00 00 00 00 00 D7 F0 ......B$......×ð 007C0190 73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel 007C01A0 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f............... 
007C01B0 00 00 00 00 00 09 1A 14 00 00 00 00 00 00 80 8C ..............€Œ 007C01C0 6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul 007C01D0 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C01E0 00 00 00 00 00 09 9A A0 00 00 00 00 00 00 88 B8 ......š ......ˆ¸ 007C01F0 6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul 007C0200 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0210 00 00 00 00 00 0A 23 58 00 00 00 00 00 00 C0 78 ......#X......Àx 007C0220 73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul 007C0230 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0240 00 00 00 00 00 0A E3 D0 00 00 00 00 00 00 5D B0 ......ãÐ......]° 007C0250 73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul 007C0260 65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self.......... 007C0270 00 00 00 00 00 0B 41 80 00 00 00 00 00 00 22 A0 ......A€......" 007C0280 64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp..... 007C0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C02A0 00 00 00 00 00 0B 64 80 00 00 00 00 00 12 5E F0 ......d€......^ð 007C02B0 6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........ 007C02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C02D0 00 00 00 00 00 1D C3 80 00 00 00 00 00 0B 54 E8 ......À......Tè 007C02E0 6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0............. 007C02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0300 00 00 00 00 00 29 18 80 00 00 00 00 00 00 05 00 .....).€........ 007C0310 6C 76 30 2E 32 00 00 00 00 00 00 00 00 00 00 00 lv0.2........... 007C0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0330 00 00 00 00 00 29 1D 80 00 00 00 00 00 17 89 58 .....).€......‰X 007C0340 6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self. 007C0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
007C0360 00 00 00 00 00 40 A6 D8 00 00 00 00 00 07 0F 94 .....@¦Ø.......” 007C0370 65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin.... 007C0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0390 00 00 00 00 00 47 B6 6C 00 00 00 00 00 07 E2 68 .....G¶l......âh 007C03A0 65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self.. 007C03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C03C0 00 00 00 00 00 4F 98 D4 00 00 00 00 00 06 18 18 .....O˜Ô........ 007C03D0 68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self... 007C03E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C03F0 00 00 00 00 00 55 B0 EC 00 00 00 00 00 00 12 A8 .....U°ì.......¨ 007C0400 6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F manu_info_spu_mo 007C0410 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00 dule.self....... 007C0420 00 00 00 00 00 55 C3 94 00 00 00 00 00 00 02 E0 .....UÔ.......à 007C0430 70 72 6F 67 2E 73 72 76 6B 00 00 00 00 00 00 00 prog.srvk....... 007C0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 007C0450 00 00 00 00 00 55 C6 74 00 00 00 00 00 00 02 40 .....UÆt.......@ 007C0460 70 6B 67 2E 73 72 76 6B 00 00 00 00 00 00 00 00 pkg.srvk........ 007C0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
structure
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x430 | File offset relative to Region start |
0x8 | 0x8 | 0x40000 | File length |
0x10 | 0x32 | char[32]:"creserved_0" | File name |
cvtrm
size: 0x40000
Location NOR: 0xEC0000 - 0xF00000
Second Region
NOR only
This region appears to directly follow the other region (at 0xF0000 = region size + header)
Not much is known about this at this stage.
Header
00F00000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬àÿ....Þ.úÎ 00F00020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 ................ 00F00030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... 00F000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F000C0 00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00 ......y......... 00F000D0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 .p.............. 00F000E0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 .p.............. 00F000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... 00F00140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F00150 00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00 ......z......... 00F00160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 .p.............. 00F00170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 .p.............. 00F00180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ .... 00F00FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
CELL_EXTNOR_AREA
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F [...] 00F1FFE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00F1FFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00F20000 43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41 CELL_EXTNOR_AREA marker: CELL_EXTNOR_AREA 00F20010 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F20020 00 00 02 00 00 00 00 44 00 00 00 00 A9 C8 06 D0 .......D....©È.Ð (differs in other version/console dump) 00F20030 C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10 À..4U§bsÝ.¦ûu Ò. 00F20040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] all 00's 00F201F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F20200 00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32 ....FUJITSU MHZ2 harddrive brand/model 00F20210 30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20 080BH G1 00F20220 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00F20230 20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B K63RT8B4HYBK harddrive serial 00F20240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] all 00's 00F3FFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F40000 00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16 .......,nG.è8›È. 00F40000-00F40030 (same in other version/console dump) 00F40010 65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B en.7T%þ{"š1ur"c+ is the same as 00F40020 31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A 1Ý.ª`}ëõ÷£t..Ý;: 00F80000-00F80030 00F40030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] all 00's 00F5FFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F60000 10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 ............ 
..4 00F60000-00F60040 (differs in other version/console dump) 00F60010 00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2 ........[?s´š†Ç² is the 00F60020 A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE Ñ.¯§›—âzË.+Ma&® same as 00F60030 13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB .Ê)„.“.áJÛ,·|.äë 00FA0000-00FA0040 00F60040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] all 00's 00F69BF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00F69C00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] all FF's 00F7FFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00F80000 00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16 .......,nG.è8›È. 00F80000-00F80030 (same in other version/console dump) 00F80010 65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B en.7T%þ{"š1ur"c+ is the same as 00F80020 31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A 1Ý.ª`}ëõ÷£t..Ý;: 00F40000-00F40030 00F80030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] all 00's 00F9FFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00FA0000 10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 ............ ..4 00F60000-00F60040 (differs in other version/console dump) 00FA0010 00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2 ........[?s´š†Ç² is the 00FA0020 A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE Ñ.¯§›—âzË.+Ma&® same as 00FA0030 13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB .Ê)„.“.áJÛ,·|.äë 00F60000-00F60040 00FA0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] all 00's 00FA9BF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00FA9C00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] 
all FF's 00FBFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 00FC0000 00 00 2E AB 83 EF B9 76 C4 DE D1 35 32 7C D3 77 ...«ƒï¹vÄÞÑ52|Ów Bootloader encrypted (differs in other version/console dump) 00FC0010 00 00 2E AB FE 2C 4E 17 E1 67 5C 3A C8 29 8E D1 ...«þ,N.ág\:È)ŽÑ (0xFC0000 to 0xFFFFFF) 00FC0020 63 D4 81 95 5D D1 D2 E3 BA A3 2D 0A 98 8B 3C 03 cÔ.•]ÑÒ㺣-.˜‹<. 00FC0030 8E 5D D0 E7 2F EE 58 8B C0 73 A2 6D 5E 7F 7A 07 Ž]Ðç/îX‹Às¢m^.z. 00FC0040 47 8B A4 C2 EF B9 3C 60 43 E8 AC 07 F7 8D EE D5 G‹¤Âï¹<`Cè¬.÷.îÕ 00FC0050 67 EE C1 C4 B2 D2 78 98 4C 79 D6 52 49 4D C2 80 gîÁIJÒx˜LyÖRIM€ 00FC0060 2D C1 F6 21 B7 B1 34 89 94 3B 33 BF B8 C8 EB 73 -Áö!·±4‰”;3¿¸Èës [...] 00FEEAD0 9B 28 7A 63 41 DF 4D 54 CC F3 D8 FF FB B0 E6 34 ›(zcAßMTÌóØÿû°æ4 00FEEAE0 2B C6 A2 85 E9 3A 83 A1 8C AE 9F 45 C5 F4 9F AA +Æ¢…é:ƒ¡Œ®ŸEÅôŸª 00FEEAF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ Bootloader ended (00FEF170, 00FEF570, 00FEF5F0 or 00FEF600 in some dumps) 00FEEB00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Bootloader
Location:
- NOR: 0xFC0000 - 0xFFFFFF (The last 256KB of flash),
- NAND: 0x0000000 - 0x003FFFF (The first 256KB of flash)
Perconsole encrypted (datasize depends on bootldr revision)
cell_ext_os_area
NAND only
OtherOS
NAND only
Encrypted Files on Flash
Encrypted files on flash appear to have some sort of header
metldr examples
Here are samples of metldr header from 2 different consoles
00000840 00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25 ...Ž™‡;Ç.ò€€œ0"% 00000850 00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB ...Žx¥aà.rn÷§.A«
00000840 00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25 ...Ž™‡;Ç.ò€€œ0"% 00000850 00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50 ...Ž...©Yu.ÌÁrÕP
bootldr examples
Here are samples of bootldr header from 2 different consoles
00FC0000 00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6 ../KS’.ç÷3Av›z.Ö 00FC0010 00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB ../Kx¥aà.rn÷§.A«
00FC0000 00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43 ../KËž.$(´OÒù?¼C 00FC0010 00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50 ../K...©Yu.ÌÁrÕP
Observations / Notes
As you can see, some parts appear static depending on their purpose:
metldr
00000840 00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25 ...Ž™‡;Ç.ò€€œ0"% 00000850 00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx ...Žx...........
bootldr
00FC0000 00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx ../K............ 00FC0010 00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx ../K............
per console in both samples
00000840 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ 00000850 xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50 .......©Yu.ÌÁrÕP
The first 4 bytes appear to refer to length, e.g.:
metldr length: 0xE920 0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920 bootldr length: 0x2F4F0 0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0
Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.
new metldr.2
Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20 .......@......ù 00000820 6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00 metldr.2........ 00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
other new metldr
It seems the naming "metldr.2" does not apply to all non downgradeable consoles:
Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60 .......@......é` 00000820 6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr.......... 00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A (dump contained ROS with 3.66 and 3.70). This console was downgradable: an earlier attempt failed only because the downgrade.bin was not written correctly. Once it was written properly the downgrade worked, so this was not a new metldr console.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60 .......@......é` 00000820 6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr.......... 00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
For comparison, a CECH250.B (JSD-001), with factory 3.56 - datecode 1A which was downgradeable (dump contained ROS with 3.56 and 3.70 before downgrading to 3.55):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000800 00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00 ..............è. 00000810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60 .......@......é` 00000820 6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr.......... 00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000840 00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95 ...’Ã&nK»(.v·gp•
other new metldr mention : https://twitter.com/#!/Mathieulh/status/110779471199604736
WTF 3.50+ consoles have a new additional root key of 0x30 bytes (3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O
CECH2501B JSD-001 (320GB HDD), without datecode, fw 3.66
metldr contains other new value (E9 60), but still downgrades..
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000800 00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00 ..............è. 00000810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60 .......@......é` 00000820 6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr.......... 00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000840 00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95 ...’Ã&nK»(.v·gp•
Another PS3, a CECH2501A without datecode, with a 320 GB HDD and fw 3.66, also contains the other new metldr values but still downgrades...
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000800 00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00 ..............è. 00000810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60 .......@......é` 00000820 6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr.......... 00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000840 00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95 ...’Ã&nK»(.v·gp•
Dumping your flash
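There are many ways to dump your flash; choose the one that best fits you. Some people are studying the flash: if you can help by providing a dump (especially if you have a debug console), look for them on IRC, EFnet #ps3dev. A dump carries per-console data, such as the hard-drive model and serial number shown in CELL_EXTNOR_AREA above, so check what it contains before handing a copy to anyone.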
Payload
Uncomment dump_dev_flash() in graf_payloads, then compile and run the payload
see Graf's_PSGroove_Payload for more info
Linux
Using graf_chokolo kernel with /dev/ps3nflasha access
dd if=/dev/ps3nflasha of=NOR.BIN bs=1024
Hardware
Dump NAND/NOR from GameOS
precompiled : dump_flash.pkg // backup/mirror: dump_flash.pkg (70.48 KB)
source: dump_flash-src.rar (2.33 KB)
Make sure USB stick is FAT32 with enough free space (16MB per NOR dump, 256MB per NAND dump)
remark: NAND dumps are 239MB because HV masks bootldr, see Hardware flashing #Difference between hardware dumps and software dumps
NOR Unpacking // NOR Unpkg
/* # ../norunpkg norflash.bin norflash unpacking asecure_loader (size: 190xxx bytes)... unpacking eEID (size: 65536 bytes)... unpacking cISD (size: 2048 bytes)... unpacking cCSD (size: 2048 bytes)... unpacking trvk_prg0 (size: 131072 bytes)... unpacking trvk_prg1 (size: 131072 bytes)... unpacking trvk_pkg0 (size: 131072 bytes)... unpacking trvk_pkg1 (size: 131072 bytes)... unpacking ros0 (size: 7340032 bytes)... unpacking ros1 (size: 7340032 bytes)... unpacking cvtrm (size: 262144 bytes)... */ // Copyright 2010 Sven Peter // Licensed under the terms of the GNU GPL, version 2 // http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt // nor modifications by rms. #include "tools.h" #include "types.h" #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <sys/stat.h> #ifdef WIN32 #define MKDIR(x,y) mkdir(x) #else #define MKDIR(x,y) mkdir(x,y) #endif u8 *pkg = NULL; static void unpack_file(u32 i) { u8 *ptr; u8 name[33]; u64 offset; u64 size; ptr = pkg + 0x10 + 0x30 * i; offset = be64(ptr + 0x00); size = be64(ptr + 0x08); memset(name, 0, sizeof name); strncpy((char *)name, (char *)(ptr + 0x10), 0x20); printf("unpacking %s (size: %d bytes)...\n", name, size); memcpy_to_file((char *)name, pkg + offset, size); } static void unpack_pkg(void) { u32 n_files; u64 size; u32 i; n_files = be32(pkg + 4); size = be64(pkg + 8); for (i = 0; i < n_files; i++) unpack_file(i); } int main(int argc, char *argv[]) { if (argc != 3) fail("usage: norunpkg filename.nor target"); pkg = mmap_file(argv[1]); /* kludge for header, i do not do sanity checks at the moment */ pkg += 1024; MKDIR(argv[2], 0777); if (chdir(argv[2]) != 0) fail("chdir"); unpack_pkg(); return 0; }
Source: http://rms.grafchokolo.com/?p=25
RMS - eEID splitter
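#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copy the next iInputSize bytes of pFile into a new file named
 * "<pFilenamePrefix><iEidCount>".
 *
 * pFile            open eEID file, positioned at the start of the section
 * iInputSize       section length in bytes, must be positive
 * iEidCount        section index, appended to the prefix
 * pFilenamePrefix  output file name prefix
 *
 * Exits with status 1 on any allocation, read or write failure, as the
 * original did for the failures it detected.
 */
void DumpEidData (FILE * pFile, int iInputSize, int iEidCount, char *pFilenamePrefix)
{
	FILE *pOutput;
	char *szFilename;
	char *szBuf;
	int iNameLen;

	if (iInputSize <= 0) {
		fprintf (stderr, "invalid EID%d size %d\n", iEidCount, iInputSize);
		exit (1);
	}

	/* %p expects void * and %x expects unsigned, hence the casts. */
	printf ("dumping EID%d from eEID at %p, size %d (%x)..\n", iEidCount,
		(void *) pFile, iInputSize, (unsigned) iInputSize);

	/* Size the name buffer from the formatted length, not a fixed guess. */
	iNameLen = snprintf (NULL, 0, "%s%d", pFilenamePrefix, iEidCount);
	if (iNameLen < 0) {
		perror ("snprintf");
		exit (1);
	}

	szBuf = malloc ((size_t) iInputSize);
	szFilename = malloc ((size_t) iNameLen + 1);
	if (szBuf == NULL || szFilename == NULL) {
		perror ("malloc");
		exit (1);
	}
	snprintf (szFilename, (size_t) iNameLen + 1, "%s%d", pFilenamePrefix, iEidCount);

	/* A short read would otherwise write uninitialised memory to disk. */
	if (fread (szBuf, (size_t) iInputSize, 1, pFile) != 1) {
		fprintf (stderr, "short read for EID%d\n", iEidCount);
		exit (1);
	}

	pOutput = fopen (szFilename, "wb");
	if (pOutput == NULL) {
		perror (szFilename);
		exit (1);
	}

	if (fwrite (szBuf, (size_t) iInputSize, 1, pOutput) != 1) {
		perror ("fwrite");
		exit (1);
	}

	/* fclose flushes; a failure here means the data did not reach the file. */
	if (fclose (pOutput) != 0) {
		perror ("fclose");
		exit (1);
	}

	free (szFilename);
	free (szBuf);
}

/*
 * usage: <program> <eEID> <EID name prefix>
 *
 * Splits the eEID file into six files, <prefix>0 .. <prefix>5, reading the
 * sections back to back starting at offset 0x70.
 */
int main (int argc, char **argv)
{
	/* Section lengths in bytes, in file order. */
	static const int aiEidSizes[] = { 2144, 672, 1840, 256, 48, 2560 };
	FILE *pFile;
	char *pPrefix;
	int i;

	/*
	 * The original tested argc == 2, which can never have a prefix in
	 * argv[2], and then read pPrefix uninitialised. Both arguments are
	 * required.
	 */
	if (argc != 3) {
		printf ("usage: %s <eEID> <EID name prefix>\n",
			(argc > 0 && argv[0] != NULL) ? argv[0] : "prog");
		exit (1);
	}
	pPrefix = argv[2];

	pFile = fopen (argv[1], "rb");
	if (pFile == NULL) {
		perror (argv[1]);
		printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
		exit (1);
	}

	if (fseek (pFile, 0x70, SEEK_SET) != 0) {
		perror ("fseek");
		fclose (pFile);
		exit (1);
	}

	for (i = 0; i < (int) (sizeof aiEidSizes / sizeof aiEidSizes[0]); i++)
		DumpEidData (pFile, aiEidSizes[i], i, pPrefix);

	fclose (pFile);
	return 0;
}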
Source: http://rms.grafchokolo.com/?p=59
Flash Samples
Here are some samples of NOR Flash for your dissection. These are taken from different consoles.
- 3.55 kmeaw, 2.80 backup: http://www.megaupload.com/?d=J5UKO3HX
- 3.66 ofw: http://www.mediafire.com/?m7m4mppro66zib5