Flash: Difference between revisions

m (Tidy up)
No edit summary
Line 19: Line 19:
** unknown format
** unknown format


= Flash Format =
= First Region =


== Header ==
== Header ==
Line 81: Line 81:
=== Entry Table ===
=== Entry Table ===
Then follows a 32 byte entry for each file
Then follows a 32 byte entry for each file
<pre>
<pre>
00000410  00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00  ..............è.
00000410  00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00  ..............è.
Line 95: Line 94:
| 0x8 || 0x8 || 0x2E800 || File length
| 0x8 || 0x8 || 0x2E800 || File length
|-
|-
| 0x10 || 0x10 || char[32]:"asecure_loader" || File name
| 0x10 || 0x20 || char[32]:"asecure_loader" || File name
|-
| 0x20 || 0x10 || 0x0 || Blank/Unknown
|}
|}




== asecure_loader region ==
== asecure_loader region ==
 
Within asecure_loader is another file table similar to region 1 but is located within region 1 itself. This has only been observed to hold metldr in its encrypted form.
Within asecure_loader is another file table similar to region 1


=== Header ===
=== Header ===
<pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
u32 - unknown (0x01)
u32 - Entry count (0x01)
u64 - Length of Region (0x2E800)
</pre>
</pre>
 
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x00 || 0x04 || 0x01 || Unknown
|-
| 0x04 || 0x04 || 0x01 || Entry Count
|-
| 0x08 || 0x08 || 0x2E800 || Length of Region
|}
=== Entry Table ===
=== Entry Table ===
Then follows a 32 byte entry for each file
Then follows a 32 byte entry for each file
<pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
</pre>
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x0 || 0x08 || 0x40 || File offset relative to 0x810 (asecure_loader header)
|-
| 0x8 || 0x08 || 0xE8D0 || File  Length
|-
| 0x10 || 0x20 || char[32]:"metldr" || File name
|}
= Second Region =
This region appears to directly follow the other region (at 0xF0000 = region size + header)


  u64 - offset - Relative to region start (0x40)
Not much is known about this at this stage.
  u64 - size (0xE8D0)
 
  char[32] - name (metldr)
== Header ==
<pre>
00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....Þ.úÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00150 00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
</pre>
</pre>


=== Example ===
= Bootloader =
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F


00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
Located at 0xFC0000 to 0xFFFFFF (The last 256kb of flash), This is encrypted.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
</pre>


=== Encrypted Files on Flash ===
= Encrypted Files on Flash =


Encrypted files on flash appear to have some sort of header, Here are two different samples from metldr and bootldr
Encrypted files on flash appear to have some sort of header


From metldr
== metldr examples ==
Here are samples of metldr header from 2 different consoles


  00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
  00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
Line 153: Line 178:
  00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP
  00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP


From bootldr
== bootldr examples ==
 
Here are samples of bootldr header from 2 different consoles
  00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
  00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
  00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
  00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
Line 161: Line 186:
  00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP
  00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP


==== Observations ====
== Observations / Notes ==


As you can see, some parts appear static depending on their purpose:
As you can see, some parts appear static depending on their purpose:
Line 188: Line 213:
Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.
Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.


= Region 2 Format =
= List of files on NOR Flash =
 
This region appears to directly follow the other region (at 0xF0000 = region size + header)
 
Not much is known about this at this stage.
 
== Header ==
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....Þ.úÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
</pre>
 
= Bootloader =
 
Located at 0xFC0000 to 0xFFFFFF (The last 256kb of flash)
 
= NOR Files =


The following is a list of files stored in NOR Flash
The following is a list of files stored in NOR Flash

Revision as of 08:45, 11 May 2011

The typical flash TSOP package found on a PS3 is either 2x128 MB NAND or 1x16 MB NOR.

This is my attempt at documenting the files located and stored on flash. Please note that this comes from reverse engineering several flash dumps, not from reverse engineering the PS3 firmware itself. It involves a lot of guesswork, may not be accurate, and information may be missing.

Structure

  • 0x0 > 0x400 = Headers
  • 0x400 > 0x800 = File table
  • 0x800 > 0xF00000 = Region 1
    • 0x800 > 0x2F000 = asecure_loader region
      • 0x840 > 0xF110 = metldr
  • 0xF00000 > 0xFFFFFF = region 2
    • unknown format

First Region

Header

First 512 Bytes of flash

00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ.¾ï
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00  ..............x.
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address Length Value Description
0x00 0x10 0x0 Blank/Unknown
0x10 0x10 0x0FACE0FF 0xDEADBEEF Magic number (the second region's header at 0xF00010 carries 0x0FACE0FF 0xDEADFACE instead, so the second word distinguishes the two regions)
0x20 0x10 0x7800 Length of region in 0x200-byte units (0x7800 * 0x200 = 0xF00000)
0x30 0x1D0 0x0 Blank/Unknown

Unknown Header

The next block of 512 bytes only has the first 16 bytes written. Unsure exactly what this means.

00000200  49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00  IFI.............
00000210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000003F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address Length Value Description
0x200 0x10 0x49464900 (String: "IFI") 0x1 0x2 0x0 Unknown

File Table

The next 1024 bytes contain the file entry table

Header

Small 16 byte header to describe length and entry count

00000400  00 00 00 01 00 00 00 0B 00 00 00 00 00 EF FC 00  .............ïü.
Address Length Value Description
0x0 0x4 0x01 Unknown
0x4 0x4 0x0B Entry Count
0x8 0x8 0xEFFC00 Length of flash region, relative to the region start at 0x400 (0x400 + 0xEFFC00 = 0xF00000)

First comes a header; it tells us how many files are stored here.

Entry Table

Then follows a 48-byte (0x30) entry for each file: an 8-byte offset, an 8-byte length and a 32-byte name (the first entry spans 0x410-0x43F below).

00000410  00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00  ..............è.
00000420  61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00  asecure_loader..
00000430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address Length Value Description
0x0 0x8 0x400 File offset relative to 0x400 (Region start)
0x8 0x8 0x2E800 File length
0x10 0x20 char[32]:"asecure_loader" File name


asecure_loader region

Within asecure_loader is another file table similar to region 1 but is located within region 1 itself. This has only been observed to hold metldr in its encrypted form.

Header

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
Address Length Value Description
0x00 0x04 0x01 Unknown
0x04 0x04 0x01 Entry Count
0x08 0x08 0x2E800 Length of Region

Entry Table

Then follows a 48-byte (0x30) entry for each file, in the same layout as the region-1 table (the single entry spans 0x810-0x83F below).

00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address Length Value Description
0x0 0x08 0x40 File offset relative to 0x800 (the asecure_loader header): 0x800 + 0x40 = 0x840, which is where the metldr header sample below begins
0x8 0x08 0xE8D0 File Length
0x10 0x20 char[32]:"metldr" File name

Second Region

This region appears to directly follow the first one, at 0xF00000 (= 0x400 header + 0xEFFC00 region length).

Not much is known about this at this stage.

Header

00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....Þ.úÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Bootloader

Located at 0xFC0000 to 0xFFFFFF (the last 256 KB of flash); this is encrypted.

Encrypted Files on Flash

Encrypted files on flash appear to have some sort of header

metldr examples

Here are samples of metldr header from 2 different consoles

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

bootldr examples

Here are samples of bootldr header from 2 different consoles

00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

Observations / Notes

As you can see, some parts appear static depending on their purpose:

metldr

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........

bootldr

00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............

per console in both samples

00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The first 4 bytes appear to encode the length, e.g.:

metldr length: 0xE920
0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920 (note that the asecure_loader entry table above records metldr's length as 0xE8D0, so this relation does not reproduce the table value exactly)
bootldr length:  0x2F4F0
0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0

Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.

List of files on NOR Flash

The following is a list of files stored in NOR flash. Note that the file-table header gives an entry count of 0x0B (11) and the norunpkg output below also lists trvk_prg1, which is absent from this list; it presumably occupies the 0x20000-byte gap between trvk_prg0 and trvk_pkg0 (i.e. at 0x5FC00), but that offset is inferred, not observed.

Name Offset Size
asecure_loader 0x400 0x2E800 (190,464 bytes)
eEID 0x2EC00 0x10000 (65,536 bytes)
cISD 0x3EC00 0x800 (2,048 bytes)
cCSD 0x3F400 0x800 (2,048 bytes)
trvk_prg0 0x03FC00 0x20000 (131,072 bytes)
trvk_pkg0 0x7FC00 0x20000 (131,072 bytes)
trvk_pkg1 0x9FC00 0x20000 (131,072 bytes)
ros0 0xBFC00 0x700000 (7,340,032 bytes)
ros1 0x7BFC00 0x700000 (7,340,032 bytes)
cvtrm 0xEBFC00 0x40000 (262,144 bytes)

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* mkdir() on Win32 takes no mode argument; the macro hides the difference. */
#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

/* Base of the mmap'd dump; main() advances it past the 0x400-byte flash header. */
u8 *pkg = NULL;

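/*
 * Extract entry i of the file table at pkg into a file of the same name in
 * the current directory. The table header is 0x10 bytes and each entry is
 * 0x30 bytes: be64 offset (relative to pkg), be64 size, 32-byte name.
 *
 * The table comes straight from the flash dump, so its fields are untrusted.
 * The name is rejected if it is empty or contains a path separator, which
 * would otherwise let a crafted dump write outside the target directory.
 * offset/size are still not bounded against the dump length: this block has
 * no access to it (mmap_file does not return one), so a truncated or crafted
 * dump can still make memcpy_to_file read past the mapping.
 */
static void unpack_file(u32 i)
{
        u8 *entry = pkg + 0x10 + 0x30 * i;
        u64 offset = be64(entry + 0x00);
        u64 size   = be64(entry + 0x08);
        char name[33];

        /* The 32-byte name field need not be NUL-terminated; name[32] stays 0. */
        memset(name, 0, sizeof name);
        memcpy(name, entry + 0x10, 0x20);

        if (name[0] == '\0' || strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
                fail("unpack_file: refusing unsafe entry name");

        /* size is a u64, so it must not be printed with %d. */
        printf("unpacking %s (size: %llu bytes)...\n", name, (unsigned long long)size);
        memcpy_to_file(name, pkg + offset, size);
}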

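/*
 * Walk the file table at pkg and unpack every entry.
 *
 * The table header is: u32 unknown, u32 entry count (big-endian), u64
 * region length. Only the entry count is used; the length cannot be checked
 * here because the mapping size is not available. The count itself is
 * untrusted and is not bounded, so a crafted header can drive the loop past
 * the table.
 */
static void unpack_pkg(void)
{
        u32 n_files = be32(pkg + 4);
        u32 idx;

        for (idx = 0; idx < n_files; idx++)
                unpack_file(idx);
}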

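/*
 * norunpkg: unpack every entry of the region-1 file table of a NOR flash
 * dump into a target directory.
 *
 * argv[1] is the dump, argv[2] the directory to create (if missing) and
 * enter. Errors are reported through fail() from tools.h, which does not
 * return. Exit status is 0 on success.
 */
int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);
        /* mmap_file's failure behaviour is not visible here; guard anyway. */
        if (pkg == NULL)
                fail("mmap_file");

        /*
         * Skip the 0x400-byte flash header so that pkg points at the file
         * table, whose entry offsets are relative to 0x400. The header
         * (magic, region length) is not validated.
         */
        pkg += 1024;

        /* An already-existing target directory is fine; other failures are not. */
        if (MKDIR(argv[2], 0777) != 0 && errno != EEXIST)
                fail("mkdir");

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}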

Source: http://rms.dukio.com/?p=25

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>

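/*
 * Copy the next iInputSize bytes from pFile into a new file named
 * "EID<iEidCount>" in the current directory.
 *
 * Each EID blob is read from pFile's current position, so callers invoke
 * this in sequence with the expected sizes (see main). Any failure - bad
 * size, allocation, short read, unopenable output, short write, failed
 * close - is reported on stderr and terminates the process with exit(1).
 */
void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount)
{
  FILE *pOutput;
  char szFileName[16];
  char *szBuf;

  if (iInputSize <= 0)
    {
      fprintf (stderr, "DumpEidData: bad size %d for EID%d\n",
               iInputSize, iEidCount);
      exit (1);
    }

  /* %p requires a void *; the count is an int, not a string. */
  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
          iEidCount, (void *) pFile, iInputSize, iInputSize);

  szBuf = malloc ((size_t) iInputSize);
  if (szBuf == NULL)
    {
      perror ("malloc");
      exit (1);
    }

  /* A short read would otherwise write uninitialised heap bytes to disk. */
  if (fread (szBuf, (size_t) iInputSize, 1, pFile) != 1)
    {
      fprintf (stderr, "fread: short read for EID%d\n", iEidCount);
      free (szBuf);
      exit (1);
    }

  /* "EID" + at most 11 characters of a decimal int + NUL fits in 16. */
  snprintf (szFileName, sizeof szFileName, "EID%d", iEidCount);
  pOutput = fopen (szFileName, "wb");
  if (pOutput == NULL)
    {
      perror ("fopen");
      free (szBuf);
      exit (1);
    }

  if (fwrite (szBuf, (size_t) iInputSize, 1, pOutput) != 1)
    {
      perror ("fwrite");
      fclose (pOutput);
      free (szBuf);
      exit (1);
    }

  /* fclose flushes; a failure here means the data did not reach the file. */
  if (fclose (pOutput) != 0)
    {
      perror ("fclose");
      free (szBuf);
      exit (1);
    }

  free (szBuf);
}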

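/*
 * eEID splitter: split an eEID blob into its six EID sections.
 *
 * The 0x70-byte header is skipped and the sections are then read back to
 * back with the hard-coded sizes below (2144, 672, 1840, 256, 48 and 2560
 * bytes) and written as EID0..EID5 in the current directory.
 */
int
main (int argc, char **argv)
{
  FILE *pFile;

  /* argv[1] was dereferenced unconditionally before; check argc first. */
  if (argc != 2)
    {
      fprintf (stderr, "usage: %s <eEID>\n", argv[0]);
      exit (1);
    }

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
      perror (argv[1]);
      exit (1);
    }

  if (fseek (pFile, 0x70, SEEK_SET) != 0)
    {
      perror ("fseek");
      exit (1);
    }

  DumpEidData (pFile, 2144, 0);
  DumpEidData (pFile, 672, 1);
  DumpEidData (pFile, 1840, 2);
  DumpEidData (pFile, 256, 3);
  DumpEidData (pFile, 48, 4);
  DumpEidData (pFile, 2560, 5);

  fclose (pFile);
  return 0;
}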

Source: http://rms.dukio.com/?p=59