Flash: Difference between revisions

No edit summary
(Added info on eeid region)
Line 164: Line 164:


Located at 0xFC0000 to 0xFFFFFF (The last 256kb of flash), This is encrypted.
Located at 0xFC0000 to 0xFFFFFF (The last 256kb of flash), This is encrypted.
= eEID =
This section of flash contains QA tokens
== Header ==
<pre>00000000  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........</pre>
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x0 || 0x4 || 0x6 || Number of entries
|-
| 0x4 || 0x8 || 0x1DD0 || Length of entire eEID package
|-
| 0x8 || 0x8 || 0x0 || Unknown/Blank
|}
== File Table ==
This repeats per entry
<pre>00000010  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........</pre>
{|class="wikitable"
|-
! Address !! Length !! Value !! Description
|-
| 0x0 || 0x4 || 0x70 || Entry point
|-
| 0x4 || 0x8 || 0x860 || Length
|-
| 0x8 || 0x8 || 0x0 || Unknown/Blank
|}
== Section 0 ==
<pre>
00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000010  00 12 00 0B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP
</pre>
Value at 0x14 to 0x1F appear to be the same key as in the encrypted files
Value at 0x5 (0x89) appears to be the console type:
{|class="wikitable"
|-
! Value !! Console Type
|-
| 0x81 || Ref Tool
|-
| 0x82 || Debug
|-
| 0x83 || Retail JAP
|-
| 0x84 || Retail USA
|-
| 0x85 || Retail Europe
|-
| 0x86 || Retail Korea
|-
| 0x87 || Retail UK
|-
| 0x88 || Retail Mexico
|-
| 0x89 || Retail AU/NZ
|-
| 0x8A || Retail South Asia
|-
| 0x8B || Retail Taiwan
|-
| 0x8C || Retail Russia
|-
| 0xA0 || DEX
|}
== Section 1 ==
Appears to be encrypted, not much is known about this one
== Section 2 ==
Not sure about this one, appears to be some recurring patterns in here
== Section 3 ==
Not fully examined yet, Contains the 12 byte key again at 0x14 to 0x1F
== Section 4 ==
48 Byte Blu-Ray drive key
== Section 5 ==
Similar again to section 0
Value at 0x14 to 0x1F appear to be the same key as in the encrypted files
Value at 0x5 (0x89) appears to be the console type also


= Encrypted Files on Flash =
= Encrypted Files on Flash =

Revision as of 07:49, 13 May 2011

Typical Flash TSOP packages found on PS3s can either be 2x128mb NAND or 1x16mb NOR

This is my attempt at documenting the files located and stored on flash. Please do note that this is from reverse engineering several flash dumps, not from reverse engineering the PS3 firmware itself. This involves a lot of guesswork and may not be accurate, and there may be information missing.

Structure

  • 0x0 > 0x400 = Headers
  • 0x400 > 0x800 = File table
  • 0x800 > 0xF00000 = Region 1
    • 0x800 > 0x2F000 = asecure_loader region
      • 0x840 > 0xF110 = metldr
  • 0xF00000 > 0xFFFFFF = region 2
    • unknown format

First Region

Header

First 512 Bytes of flash

00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ.¾ï
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00  ..............x.
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address Length Value Description
0x00 0x10 0x0 Blank/Unknown
0x10 0x10 0x0FACE0FF 0xDEADBEEF Magic number
0x20 0x10 0x7800 Length of region * 0x200
0x30 0x1D0 0x0 Blank/Unknown

Unknown Header

The next block of 512 bytes only has the first 16 bytes written. Unsure exactly what this means.

00000200  49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00  IFI.............
00000210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000003F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address Length Value Description
0x200 0x10 0x49464900 (String: "IFI") 0x1 0x2 0x0 Unknown

File Table

The next 1024 bytes contain the file entry table

Header

Small 16 byte header to describe length and entry count

00000400  00 00 00 01 00 00 00 0B 00 00 00 00 00 EF FC 00  .............ïü.
Address Length Value Description
0x0 0x4 0x01 Unknown
0x4 0x4 0x0B Entry Count
0x8 0x8 0xEFFC00 Length of Flash Region (relative to 0x400, the region start)

First is a header, this tells us how many files are stored here.

Entry Table

Then follows a 32 byte entry for each file

00000410  00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00  ..............è.
00000420  61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00  asecure_loader..
00000430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address Length Value Description
0x0 0x8 0x400 File offset relative to 0x400 (Region start)
0x8 0x8 0x2E800 File length
0x10 0x20 char[32]:"asecure_loader" File name


asecure_loader region

Within asecure_loader is another file table, similar to the one for region 1 but located inside region 1 itself. This has only been observed to hold metldr in its encrypted form.

Header

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
Address Length Value Description
0x00 0x04 0x01 Unknown
0x04 0x04 0x01 Entry Count
0x08 0x08 0x2E800 Length of Region

Entry Table

Then follows a 32 byte entry for each file

00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address Length Value Description
0x0 0x08 0x40 File offset relative to 0x810 (asecure_loader header)
0x8 0x08 0xE8D0 File Length
0x10 0x20 char[32]:"metldr" File name

Second Region

This region appears to directly follow the other region (at 0xF0000 = region size + header)

Not much is known about this at this stage.

Header

00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....Þ.úÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Bootloader

Located at 0xFC0000 to 0xFFFFFF (The last 256kb of flash), This is encrypted.

eEID

This section of flash contains QA tokens

Header

00000000  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........
Address Length Value Description
0x0 0x4 0x6 Number of entries
0x4 0x8 0x1DD0 Length of entire eEID package
0x8 0x8 0x0 Unknown/Blank

File Table

This repeats per entry

00000010  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........
Address Length Value Description
0x0 0x4 0x70 Entry point
0x4 0x8 0x860 Length
0x8 0x8 0x0 Unknown/Blank

Section 0

00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000010  00 12 00 0B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The value at 0x14 to 0x1F appears to be the same key as in the encrypted files

Value at 0x5 (0x89) appears to be the console type:

Value Console Type
0x81 Ref Tool
0x82 Debug
0x83 Retail JAP
0x84 Retail USA
0x85 Retail Europe
0x86 Retail Korea
0x87 Retail UK
0x88 Retail Mexico
0x89 Retail AU/NZ
0x8A Retail South Asia
0x8B Retail Taiwan
0x8C Retail Russia
0xA0 DEX

Section 1

Appears to be encrypted, not much is known about this one

Section 2

Not sure about this one; there appear to be some recurring patterns in here

Section 3

Not fully examined yet; contains the 12 byte key again at 0x14 to 0x1F

Section 4

48 Byte Blu-Ray drive key

Section 5

Similar again to section 0

The value at 0x14 to 0x1F appears to be the same key as in the encrypted files

Value at 0x5 (0x89) appears to be the console type also

Encrypted Files on Flash

Encrypted files on flash appear to have some sort of header

metldr examples

Here are samples of metldr header from 2 different consoles

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

bootldr examples

Here are samples of bootldr header from 2 different consoles

00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

Observations / Notes

As you can see, some parts appear static depending on their purpose:

metldr

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........

bootldr

00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............

per console in both samples

00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The first 4 bytes appear to refer to the length, e.g.:

metldr length: 0xE920
0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920
bootldr length:  0x2F4F0
0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0

Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.

List of files on NOR Flash

The following is a list of files stored in NOR Flash

Name Offset Size
asecure_loader 0x400 0x2E800 (190,464 bytes)
eEID 0x2EC00 0x10000 (65,636 bytes)
cISD 0x3EC00 0x800 (2,048 bytes)
cCSD 0x3F400 0x800 (2,048 bytes)
trvk_prg0 0x03FC00 0x20000 (131,072 bytes)
trvk_pkg0 0x7FC00 0x20000 (131,072 bytes)
trvk_pkg1 0x9FC00 0x20000 (131,072 bytes)
ros0 0xBFC00 0x700000 (7,340,032 bytes)
ros1 0x7BFC00 0x700000 (7,340,032 bytes)
cvtrm 0XEBFC00 0x40000 (262,144 bytes)

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
/* Windows mkdir() takes no mode argument, so the mode is silently dropped there. */
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

/* Mapped flash image.  main() advances this past the 0x400-byte header so that
   the unpack_* helpers see the file table at offset 0.  No length is kept
   alongside it, so offsets read from the image are not range-checked. */
u8 *pkg = NULL;

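/* Write the i-th file-table entry of the mapped image to a file of the same
   name in the current directory.
   Each entry is 0x30 bytes: 8-byte offset, 8-byte length, 0x20-byte name.
   The offset is relative to the table start, which is where `pkg` points
   after main() skipped the header.  Offset and length come straight from the
   image and are not checked against the mapping (its size is not known here). */
static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        /* entries start right after the 0x10-byte table header */
        ptr = pkg + 0x10 + 0x30 * i;

        offset = be64(ptr + 0x00);
        size   = be64(ptr + 0x08);

        /* copy the 0x20-byte name field; name[32] stays zero so even a
           full-width name is NUL-terminated before it is used as a string */
        memset(name, 0, sizeof name);
        memcpy(name, ptr + 0x10, 0x20);

        /* size is 64-bit: printing it with %d was undefined behaviour */
        printf("unpacking %s (size: %llu bytes)...\n", name,
               (unsigned long long)size);
        memcpy_to_file((char *)name, pkg + offset, size);
}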

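/* Walk the file table at `pkg` and unpack every entry.
   Table header: +0x4 entry count (32-bit BE), +0x8 region length (64-bit BE,
   relative to the table start).  The count is validated against that length
   so a corrupt or foreign image cannot drive unpack_file() past the mapping. */
static void unpack_pkg(void)
{
        u32 n_files;
        u64 size;
        u32 i;

        n_files = be32(pkg + 4);
        size = be64(pkg + 8);

        /* the 0x30-byte entries must fit inside the region the header declares;
           widen before multiplying so a huge count cannot wrap the check */
        if (0x10 + (u64)n_files * 0x30 > size)
                fail("entry table exceeds region length");

        for (i = 0; i < n_files; i++)
                unpack_file(i);
}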

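/* norunpkg <image> <target dir>: map the NOR image, verify the flash header
   magic, then unpack the file table into the target directory.
   Returns 0 on success; every failure goes through fail(). */
int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* the flash header carries 0x0FACE0FF at +0x14 and 0xDEADBEEF at +0x1C;
           refuse anything else before trusting the offsets in its file table */
        if (be32(pkg + 0x14) != 0x0FACE0FF || be32(pkg + 0x1C) != 0xDEADBEEF)
                fail("not a NOR flash image (bad header magic)");

        /* the file table starts at 0x400, right after the header blocks */
        pkg += 1024;

        /* an already existing directory is fine here; chdir() is the real check */
        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}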

Source: http://rms.dukio.com/?p=25

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>

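/* Copy the next iInputSize bytes of pFile into a new file named EID<iEidCount>
   in the current directory.
   Exits the process on a negative size, allocation failure, short read, or
   any output error, so a truncated section is never written silently. */
void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount)
{
  FILE *pOutput;
  char szFileName[16];
  char *szBuf;
  size_t nRead, nWritten;

  if (iInputSize < 0)
    {
      fprintf (stderr, "bad size %d for EID%d\n", iInputSize, iEidCount);
      exit (1);
    }

  /* iEidCount is an int: the original printed it with %s (undefined behaviour) */
  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
          iEidCount, (void *) pFile, iInputSize, (unsigned) iInputSize);

  szBuf = malloc ((size_t) iInputSize + 1);
  if (szBuf == NULL)
    {
      perror ("malloc");
      exit (1);
    }

  /* byte-granular read so a short read is detected rather than written out */
  nRead = fread (szBuf, 1, (size_t) iInputSize, pFile);
  if (nRead != (size_t) iInputSize)
    {
      fprintf (stderr, "short read for EID%d: %zu of %d bytes\n",
               iEidCount, nRead, iInputSize);
      exit (1);
    }

  /* bounded: "EID" plus any int fits in 16 bytes */
  snprintf (szFileName, sizeof szFileName, "EID%d", iEidCount);
  pOutput = fopen (szFileName, "wb");
  if (pOutput == NULL)
    {
      perror (szFileName);
      exit (1);
    }

  nWritten = fwrite (szBuf, 1, (size_t) iInputSize, pOutput);
  /* fclose() flushes; its result is the only place a late write error shows */
  if (nWritten != (size_t) iInputSize || fclose (pOutput) != 0)
    {
      perror ("fwrite");
      exit (1);
    }

  free (szBuf);
}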

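/* eEID splitter: <eEID> is the raw eEID region; the six sections are written
   as EID0 .. EID5 in the current directory.  Returns 1 on any failure. */
int
main (int argc, char **argv)
{
  FILE *pFile;

  /* argv[1] was read unconditionally before; a bare invocation now prints
     usage (with the program name the format string expects) instead of
     dereferencing NULL */
  if (argc < 2)
    {
      fprintf (stderr, "usage: %s <eEID>\n", argv[0]);
      return 1;
    }

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
      perror (argv[1]);
      return 1;
    }

  /* skip the 0x10-byte eEID header plus six 0x10-byte table entries */
  if (fseek (pFile, 0x70, SEEK_SET) != 0)
    {
      perror ("fseek");
      return 1;
    }

  /* section lengths as observed in the eEID table, in table order */
  DumpEidData (pFile, 2144, 0);
  DumpEidData (pFile, 672, 1);
  DumpEidData (pFile, 1840, 2);
  DumpEidData (pFile, 256, 3);
  DumpEidData (pFile, 48, 4);
  DumpEidData (pFile, 2560, 5);

  fclose (pFile);
  return 0;
}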

Source: http://rms.dukio.com/?p=59