Talk:SC EEPROM: Difference between revisions
Jump to navigation
Jump to search
| Line 79: | Line 79: | ||
{| class="wikitable" style="line-height:110%; font-size:95%" | {| class="wikitable" style="line-height:110%; font-size:95%" | ||
|- | |- | ||
! colspan="3" | SPI / UART !! rowspan="2" | Area Name !! colspan="5" | Syscall 863 !! rowspan="2" | Value Name !! rowspan="2" | Description | ! colspan="3" | [[Syscon_Hardware|SPI / UART]] !! rowspan="2" | Area Name !! colspan="5" | Syscall 863 !! rowspan="2" | Value Name !! rowspan="2" | Description | ||
|- | |- | ||
! CXR713 !! CXR714 !! SW !! Block ID !! UM | ! [[Syscon_CXR713_Series|CXR713]] !! [[Syscon_CXR714_Series|CXR714]] !! [[Sherwood|SW]] !! Block ID !! [[Update_Manager|UM Whitelisted]] !! [[SC_Manager|SCM Whitelisted]] !! Offset !! Size | ||
|- | |- | ||
| rowspan="6" | 0x2F00-0x2FFF || rowspan="6" | 0x2F00-0x2FFF || rowspan="6" | 0xE00-0xEFF || rowspan="6" | Industry Area<br>a.k.a.<br>OS Version Area || rowspan="6" | 0x10 || {{yes}} || {{yes}} || 0x02F00 || 0x08 || Manufacturing Update Release Version String || | | rowspan="6" | 0x2F00-0x2FFF || rowspan="6" | 0x2F00-0x2FFF || rowspan="6" | 0xE00-0xEFF || rowspan="6" | Industry Area<br>a.k.a.<br>OS Version Area || rowspan="6" | 0x10 || {{yes}} || {{yes}} || 0x02F00 || 0x08 || Manufacturing Update Release Version String || | ||
Revision as of 17:55, 6 November 2021
Memory test diagnosis NVS flag
There is a NVS flag which enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows memtest diagnose.
Pseudo-code:
def check_bootrom_diag_mode(mode, param)
diag_mode = get_eeprom_bootrom_diag()
if diag_mode & 0x1:
if diag_mode & 0x100:
return 0
mode = (diag_mode >> 3) & 0x1
param = (diag_mode >> 3) & 0x1
else:
mode = (diag_mode >> 1) & 0x1
param = -1
return 1
EEPROM Dumps
EEPROM Strings (CP memory dump, DECR)
http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK
Bus Pirate stuff
http://i.imgur.com/48rbR51.png
(needs more wikifying)
On standby
- Note: during this time the plaintext EEPROM is never read even once!
- Additionally, the areas 0x26B0, 0x26D0 are not read
- Checks status
- Unlocks Write Command
- Reads PATCH top half region
- Reads PATCH bottom half region
- Reads 0x2790?(0x20)
- Reads 0x27B0?(0x10)
- Reads 0x26D0 (0x10)
- Reads some configs? (around >0x31XX area)
- Reads 0x0 (0x10)
- Reads some configs?
- Reads 0x10(0x280) (EID1)?
- Reads 0x3A00 (0x1)
- Reads 0x290 (0x10) (EID1 CMAC?)
- Reads 0x2A0 (0x20)
- Reads 0x2C0 (0x20)
- Reads 0x2E0 (0x20)
- Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
- ReReads EID1 and CMAC
- Reads 0x360
- Reads 0x370
- Writes (again) mostly ff's to 0x360 and 0x370
- ReReads EID1 and CMAC
- Does same process with 0x460 and 0x470
- Reads 0x2710 and 0x2730 (0x20,0x10) ???
- Reads 0x2700 (0x10)
- fini!
MemoryMap Syscon BB Chip
0x1000-0x1FFF:PTCH Region (patch written here)
Nice read about Syscon EEPROM
http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/
Experimental table
The goal is to join together all the "memory map" info in a single table
| SPI / UART | Area Name | Syscall 863 | Value Name | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| CXR713 | CXR714 | SW | Block ID | UM Whitelisted | SCM Whitelisted | Offset | Size | |||
| 0x2F00-0x2FFF | 0x2F00-0x2FFF | 0xE00-0xEFF | Industry Area a.k.a. OS Version Area |
0x10 | Yes | Yes | 0x02F00 | 0x08 | Manufacturing Update Release Version String | |
| Yes | Yes | 0x02F08 | 0x10 | Manufacturing Update Build Version + Build Date String | ||||||
| Yes | Yes | 0x02F20 | 0x08 | Manufacturing Update Build Target ID | ||||||
| Yes | Yes | 0x02F28 | 0xD0 | Undocumented | ||||||
| Yes | Yes | 0x02FF8 | 0x01 | Factory Bit | ||||||
| Yes | Yes | 0x02FF9 | 0x07 | Undocumented | ||||||