Flash
Revision as of 12:24, 13 September 2011
This is my attempt at documenting the files located and stored on flash. Please do note that this is from reverse engineering several flash dumps, not from reverse engineering the PS3 firmware itself. This involves a lot of guesswork, may not be accurate, and there may be information missing.
Structure
- 0x0 > 0x400 = Headers
- 0x400 > 0x800 = File table
- 0x800 > 0xF00000 = Region 1
  - 0x800 > 0x2F000 = asecure_loader region
    - 0x840 > 0xF110 = metldr
- 0xF00000 > 0xFFFFFF = Region 2
  - unknown format
First Region
Header
First 512 Bytes of flash
```
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ.¾ï
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 ..............x.
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
....
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
```
Address | Length | Value | Description |
---|---|---|---|
0x00 | 0x10 | 0x0 | Blank/Unknown |
0x10 | 0x10 | 0x0FACE0FF 0xDEADBEEF | Magic number |
0x20 | 0x10 | 0x7800 | Length of region * 0x200 |
0x30 | 0x1D0 | 0x0 | Blank/Unknown |
Unknown Header
The next block of 512 bytes only has the first 16 bytes written. Unsure exactly what this means.
```
00000200 49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00 IFI.............
00000210 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000003F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
```
Address | Length | Value | Description |
---|---|---|---|
0x200 | 0x10 | 0x49464900 (String: "IFI") 0x1 0x2 0x0 | Unknown |
File Table
The next 1024 bytes contain the file entry table
Header
A small 16-byte header gives the length and the entry count.
```
00000400 00 00 00 01 00 00 00 0B 00 00 00 00 00 EF FC 00 .............ïü.
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x01 | Unknown |
0x4 | 0x4 | 0x0B | Entry Count |
0x8 | 0x8 | 0xEFFC00 | Length of flash region (relative to 0x400, the region start) |
The header comes first and tells us how many files are stored here.
Entry Table
Then follows a 32-byte entry for each file:
```
00000410 00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00 ..............è.
00000420 61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00 asecure_loader..
00000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x8 | 0x400 | File offset relative to 0x400 (Region start) |
0x8 | 0x8 | 0x2E800 | File length |
0x10 | 0x20 | char[32]:"asecure_loader" | File name |
asecure_loader region
Within asecure_loader is another file table, similar to the region 1 table but nested inside region 1 itself. It has only been observed to hold metldr in its encrypted form.
Header
```
00000800 00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00 ..............è.
```
Address | Length | Value | Description |
---|---|---|---|
0x00 | 0x04 | 0x01 | Unknown |
0x04 | 0x04 | 0x01 | Entry Count |
0x08 | 0x08 | 0x2E800 | Length of Region |
Entry Table
Then follows a 32-byte entry for each file:
```
00000810 00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0 .......@......èÐ
00000820 6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr..........
00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x08 | 0x40 | File offset relative to 0x810 (asecure_loader header) |
0x8 | 0x08 | 0xE8D0 | File Length |
0x10 | 0x20 | char[32]:"metldr" | File name |
Second Region
This region appears to directly follow the first region (at 0xF00000 = region size + header).
Not much is known about it at this stage.
Header
```
00F00000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬àÿ....Þ.úÎ
00F00020 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02 ................
00F00030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
....
00F000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F000C0 00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00 ......y.........
00F000D0 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 .p..............
00F000E0 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 .p..............
00F000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
....
00F00140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F00150 00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00 ......z.........
00F00160 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 .p..............
00F00170 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03 .p..............
00F00180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
....
00F00FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
```
Bootloader
Located at 0xFC0000 to 0xFFFFFF (the last 256 KB of flash); this is encrypted.
cCSD
This section doesn't contain any data. It is the part of flash meant for console-specific information.
Header
```
0003F800 00 00 00 01 00 00 08 00 00 00 00 00 00 00 00 00 ................
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x1 | Number of entries |
0x4 | 0x8 | 0x800 | Length of entire package |
0x8 | 0x8 | 0x0 | Unknown/Blank |
File Table
This repeats per entry:
```
0003F810 00 00 00 20 00 00 00 30 00 00 00 00 00 00 00 00 ... ...0........
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x20 | Entry point |
0x4 | 0x8 | 0x30 | Length |
0x8 | 0x8 | 0x0 | Unknown/Blank |
Section 0
```
0003F820 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F830 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F840 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
```
There appears to be no data stored here.
cISD
This section of flash contains console-specific information; cISD holds core data such as the Gelic Ethernet MAC address.
Header
```
0003F000 00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00 .......p........
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x3 | Number of entries |
0x4 | 0x8 | 0x270 | Length of entire package |
0x8 | 0x8 | 0x0 | Unknown/Blank |
File Table
This repeats per entry:
```
0003F010 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 ...@... ........
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x40 | Entry point |
0x4 | 0x8 | 0x20 | Length |
0x8 | 0x8 | 0x0 | Unknown/Blank |
Section 0
```
0003F040 A8 E3 EE 7D 10 DA FF FF FF FF FF FF FF FF FF FF ¨ãî}.Úÿÿÿÿÿÿÿÿÿÿ
0003F050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x6 | 0xA8E3EE7D10DA | MAC Address |
0x6 | 0x1A | 0xFF | Unknown/Blank |
Section 1
```
0003F060 7F 49 44 4C 00 02 00 60 01 00 00 02 02 12 FF C5 .IDL...`......ÿÅ
0003F070 30 31 43 35 32 34 30 31 38 33 31 36 32 37 30 45 01C524018316270E
0003F080 31 39 30 38 37 41 34 32 30 30 30 30 30 30 30 30 19087A4200000000
0003F090 32 37 34 35 35 32 32 32 34 30 31 35 31 32 39 33 2745522240151293
0003F0A0 34 31 36 33 01 07 01 07 01 28 00 01 FF FF FF FF 4163.....(..ÿÿÿÿ
0003F0B0 00 02 00 11 00 02 00 12 00 00 00 00 02 95 A8 C9 .............•¨É
0003F0C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003F250 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0xD | 0x7F49444C000200600100000202 | Unknown, static |
0xD | 0xF | 0x12FFC5 | Unknown, varies per console |
0x10 | 0x20 | Ascii: 01C524018316270E19087A4200000000 | Some unique identifier |
0x30 | 0x8 | Ascii: 27455222 | 3rd part of console serial number |
0x38 | 0xC | Ascii: 401512934163 | Some unique identifier |
0x44 | 0x1B | 0x0107010701280001FFFF00020011000200120000000002 | Unknown, static |
0x1B | 0x3 | 0x95A8C9 | Unknown, varies |
Section 2
```
0003F260 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .ÿ..............
```
The meaning of this value is unknown; the first two bytes seem to vary.
eEID
This section of flash contains QA tokens.
It is 0x10000 (64 KB) long, but only the first 0x1DD0 bytes are used; the rest is padded with 0xFF.
It is composed of 6 sections numbered from 0 to 5.
eEID contains your system model data, your target ID, and your PS3 motherboard revision.
Section | Description |
---|---|
EID0 | EID0 is needed for loading parameters to isoldr for loading isolated SELF files on a SPE |
EID1 | ? |
EID2 | ? |
EID3 | ? |
EID4 | ? |
EID5 | ? |
Indi manager can write to it; AIM can rehash it.
Header
```
00000000 00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00 .......Ð........
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x6 | Number of entries |
0x4 | 0x8 | 0x1DD0 | Length of entire eEID package |
0x8 | 0x8 | 0x0 | Unknown/Blank |
File Table
This is the whole file table:
```
00000010 00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00
00000020 00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01
00000030 00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02
00000040 00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03
00000050 00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04
00000060 00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05
```
This repeats per entry:
```
00000010 00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00 ...p...`........
```
Address | Length | Value | Description |
---|---|---|---|
0x0 | 0x4 | 0x70 | Entry point |
0x4 | 0x8 | 0x860 | Length |
0x8 | 0x8 | 0x0 | EID number |
Typical EID entry addresses and lengths:
Description | Address | Length |
---|---|---|
EID0 | 0x70 | 0x860 |
EID1 | 0x8D0 | 0x2A0 |
EID2 | 0xB70 | 0x730 |
EID3 | 0x12A0 | 0x100 |
EID4 | 0x13A0 | 0x30 |
EID5 | 0x13D0 | 0xA00 |
EID0 - Section 0
```
00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%Rf
00000010 00 12 00 0B 81 2E 00 A9 59 75 01 CC C1 72 D5 50 .......©Yu.ÌÁrÕP
```
Address | Size | Value | Description | Observations |
---|---|---|---|---|
0x0 | 0x10 | 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 | IDPS | Contains your Target ID |
0x10 | 0x4 | 00 12 00 0B | Unknown | |
0x14 | 0x12 | 81 2E 00 A9 59 75 01 CC C1 72 D5 50 | Per console key? | Appear to be the same key as in the encrypted files metloader/bootloader |
Rest | Rest | Rest | Encrypted data? | |
EID 1 - Section 1
Appears to be encrypted; not much is known about this one.
EID 2 - Section 2
Not sure about this one; there appear to be some recurring patterns in here.
EID 3 - Section 3
Not fully examined yet; contains the 12-byte key again at 0x14 to 0x1F.
EID 4 - Section 4
Encrypted encdec key
EID 5 - Section 5
Similar again to section 0:
```
00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%Rf
00000010 00 12 07 30 81 2E 00 A9 59 75 01 CC C1 72 D5 50 .......©Yu.ÌÁrÕP
```
Address | Size | Value | Description | Observations |
---|---|---|---|---|
0x0 | 0x10 | 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 | IDPS | IDPS |
0x10 | 0x4 | 00 12 07 30 | Unknown | Changes from EID0 |
0x14 | 0x12 | 81 2E 00 A9 59 75 01 CC C1 72 D5 50 | Per console key? | Appear to be the same key as in the encrypted files metloader/bootloader |
Rest | Rest | Rest | Encrypted data? | |
Encrypted Files on Flash
Encrypted files on flash appear to have some sort of header.
metldr examples
Here are samples of the metldr header from 2 different consoles:
```
00000840 00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25 ...Ž™‡;Ç.ò€€œ0"%
00000850 00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB ...Žx¥aà.rn÷§.A«
```
```
00000840 00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25 ...Ž™‡;Ç.ò€€œ0"%
00000850 00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50 ...Ž...©Yu.ÌÁrÕP
```
bootldr examples
Here are samples of the bootldr header from 2 different consoles:
```
00FC0000 00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6 ../KS’.ç÷3Av›z.Ö
00FC0010 00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB ../Kx¥aà.rn÷§.A«
```
```
00FC0000 00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43 ../KËž.$(´OÒù?¼C
00FC0010 00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50 ../K...©Yu.ÌÁrÕP
```
Observations / Notes
As you can see, some parts appear static depending on their purpose:
metldr:
```
00000840 00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25 ...Ž™‡;Ç.ò€€œ0"%
00000850 00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx ...Ž............
```
bootldr:
```
00FC0000 00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx ../K............
00FC0010 00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx ../K............
```
Per-console bytes present in both samples:
```
00000840 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
00000850 xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50 .......©Yu.ÌÁrÕP
```
The first 4 bytes appear to refer to the length, e.g.:
```
metldr length:  0xE920   (0x00000E8E * 0x10 = 0xE8E0, + 0x40 = 0xE920)
bootldr length: 0x2F4F0  (0x00002F4B * 0x10 = 0x2F4B0, + 0x40 = 0x2F4F0)
```
The header shown is 0x20 bytes; perhaps this means there is a 0x40-byte header. I was not able to find any correlation for the other 2x12 bytes here; perhaps these are keys of some sort.
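As an added example (not code from this page, nor from norunpkg), the following Python parses the region 1 header and file table described above, descends into the nested asecure_loader table, and applies the loader-header length rule from the observations just above. It runs against a constructed miniature image, not a real dump; it treats each table's entry offsets as relative to the start of that table's header (0x400 and 0x800), which is what the Structure section's addresses (asecure_loader at 0x800, metldr at 0x840) imply, and it rejects entries that fall outside their region, the sanity check norunpkg says it skips.

```python
"""Parser for the PS3 NOR region 1 header, its file table and the nested
asecure_loader table, plus the encrypted-loader header length rule.
Runs against a constructed miniature image (not a real dump)."""
import struct
from dataclasses import dataclass

MAGIC = (0x0FACE0FF, 0xDEADBEEF)  # 32-bit words at 0x14 and 0x1C of the first header
TABLE_OFF = 0x400                 # region 1 file table; its entry offsets are relative to it
ENTRY_SIZE = 0x30                 # be64 offset, be64 size, char[32] name


@dataclass
class Entry:
    name: str
    offset: int   # absolute offset in the image
    size: int


def region_length(img: bytes) -> int:
    """Check the 0x0FACE0FF / 0xDEADBEEF magic and return be64@0x28 * 0x200."""
    words = struct.unpack_from(">I4xI", img, 0x14)
    if words != MAGIC:
        raise ValueError("bad region magic %#x %#x" % words)
    return struct.unpack_from(">Q", img, 0x28)[0] * 0x200


def parse_table(img: bytes, off: int, limit: int) -> list[Entry]:
    """Parse the 16-byte table header at off (be32 0x1, be32 count, be64 length)
    and the count 0x30-byte entries after it.  Every file must lie inside the
    table's own length and below limit, and must not overlap the table itself."""
    if off + 0x10 > limit:
        raise ValueError("table header at %#x outside region" % off)
    one, count, length = struct.unpack_from(">IIQ", img, off)
    if one != 1:
        raise ValueError("unexpected table header word %#x" % one)
    end = off + length
    if end > limit:
        raise ValueError("table length %#x exceeds region" % length)
    first_data = 0x10 + ENTRY_SIZE * count      # the table itself occupies [0, first_data)
    entries = []
    for i in range(count):
        ent = off + 0x10 + ENTRY_SIZE * i
        if ent + ENTRY_SIZE > end:
            raise ValueError("entry %d runs past the table" % i)
        rel, size = struct.unpack_from(">QQ", img, ent)
        raw = img[ent + 0x10:ent + ENTRY_SIZE]
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        if not name or not name.isprintable():
            raise ValueError("entry %d has an unusable name" % i)
        start = off + rel
        if rel < first_data or start + size > end:
            raise ValueError("%s: [%#x, %#x) outside table area" % (name, start, start + size))
        entries.append(Entry(name, start, size))
    return entries


def loader_length(hdr: bytes) -> int:
    """Length implied by an encrypted loader header: first be32 * 0x10 + 0x40
    (0x0E8E -> 0xE920 for metldr, 0x2F4B -> 0x2F4F0 for bootldr, as on the page)."""
    return struct.unpack_from(">I", hdr, 0)[0] * 0x10 + 0x40


def build_sample_image() -> bytearray:
    """Constructed 64 KiB image laid out like the page describes; sizes are scaled down."""
    img = bytearray(0x10000)
    struct.pack_into(">I4xI", img, 0x14, *MAGIC)
    struct.pack_into(">Q", img, 0x28, len(img) // 0x200)          # 0x80 * 0x200 = 0x10000
    # region 1 table at 0x400: two files, offsets relative to 0x400
    struct.pack_into(">IIQ", img, TABLE_OFF, 1, 2, len(img) - TABLE_OFF)
    struct.pack_into(">QQ32s", img, TABLE_OFF + 0x10, 0x400, 0x1000, b"asecure_loader")
    struct.pack_into(">QQ32s", img, TABLE_OFF + 0x40, 0x1400, 0x800, b"eEID")
    # asecure_loader at 0x800 carries its own one-entry table; metldr follows at +0x40
    struct.pack_into(">IIQ", img, 0x800, 1, 1, 0x1000)
    struct.pack_into(">QQ32s", img, 0x810, 0x40, 0x200, b"metldr")
    struct.pack_into(">I", img, 0x840, (0x200 - 0x40) // 0x10)   # loader header length word
    return img


def walk(img: bytes) -> dict:
    """Parse region 1, descend into asecure_loader and cross-check the metldr header."""
    limit = region_length(img)
    if limit > len(img):
        raise ValueError("region length %#x exceeds image size %#x" % (limit, len(img)))
    files = {e.name: e for e in parse_table(img, TABLE_OFF, limit)}
    asl = files["asecure_loader"]
    inner = {e.name: e for e in parse_table(img, asl.offset, asl.offset + asl.size)}
    metldr = inner["metldr"]
    header_ok = loader_length(img[metldr.offset:metldr.offset + 4]) == metldr.size
    return {"files": files, "metldr": metldr, "metldr_header_ok": header_ok}


if __name__ == "__main__":
    result = walk(build_sample_image())
    for e in result["files"].values():
        print("%-16s offset %#08x size %#x" % (e.name, e.offset, e.size))
    print("metldr header length matches table entry:", result["metldr_header_ok"])
```

On a real 16 MB dump, pass the whole image to walk(); the same bounds checks then catch a table whose entries point past 0xF00000.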
List of files on NOR Flash
The following is a list of files stored in NOR Flash
Name | Offset | Size |
---|---|---|
asecure_loader | 0x000400 | 0x2E800 (190,464 bytes) |
eEID | 0x02EC00 | 0x10000 (65,536 bytes) |
cISD | 0x03EC00 | 0x800 (2,048 bytes) |
cCSD | 0x03F400 | 0x800 (2,048 bytes) |
trvk_prg0 | 0x03FC00 | 0x20000 (131,072 bytes) |
trvk_pkg0 | 0x07FC00 | 0x20000 (131,072 bytes) |
trvk_pkg1 | 0x09FC00 | 0x20000 (131,072 bytes) |
ros0 | 0x0BFC00 | 0x700000 (7,340,032 bytes) |
ros1 | 0x7BFC00 | 0x700000 (7,340,032 bytes) |
cvtrm | 0xEBFC00 | 0x40000 (262,144 bytes) |
new metldr.2
Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20 .......@......ù
00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00 metldr.2........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
```
other new metldr
It seems the naming "metldr.2" does not apply to all non-downgradeable consoles:
Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B
Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60 .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00 metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
```
Another new metldr mention: https://twitter.com/#!/Mathieulh/status/110779471199604736
WTF 3.50+ consoles have a new additional root key of 0x30 bytes (3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O
NAND reference
Most of the information on this page is based on NOR dumps; this section is for NAND specifics.
ROS0
ROS0 on NAND:
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00080000  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 ....... .......
00080010  00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00 .....à..........
00080020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
00080030  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà
00080040  00 00 00 00 00 00 04 60 00 00 00 00 00 00 44 98 .......`......D˜
00080050  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s
00080060  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf.............
00080070  00 00 00 00 00 00 49 00 00 00 00 00 00 01 DA E4 ......I.......Úä
00080080  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr..........
00080090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000800A0  00 00 00 00 00 02 24 00 00 00 00 00 00 04 00 00 ......$.........
000800B0  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
000800C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000800D0  00 00 00 00 00 06 24 00 00 00 00 00 00 00 22 A0 ......$......."
000800E0  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp.....
000800F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00080100  00 00 00 00 00 06 46 A0 00 00 00 00 00 07 FC 48 ......F ......üH
00080110  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self..
00080120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00080130  00 00 00 00 00 0E 43 00 00 00 00 00 00 07 0F 94 ......C........”
00080140  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin....
00080150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00080160  00 00 00 00 00 15 52 A0 00 00 00 00 00 06 16 00 ......R ........
00080170  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self...
00080180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00080190  00 00 00 00 00 1B 68 A0 00 00 00 00 00 01 2E 44 ......h .......D
000801A0  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr..........
000801B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000801C0  00 00 00 00 00 1C 97 00 00 00 00 00 00 03 E8 28 ......—.......è(
000801D0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0.............
000801E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000801F0  00 00 00 00 00 20 7F 40 00 00 00 00 00 12 B1 70 ..... .@......±p
00080200  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........
00080210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00080220  00 00 00 00 00 33 30 C0 00 00 00 00 00 01 E5 CC .....30À......åÌ
00080230  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
00080240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00080250  00 00 00 00 00 35 16 A0 00 00 00 00 00 01 6D A0 .....5. ......m
00080260  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........
00080270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00080280  00 00 00 00 00 36 84 40 00 00 00 00 00 16 EE B8 .....6„@......î¸
00080290  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self.
000802A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000802B0  00 00 00 00 00 4D 73 00 00 00 00 00 00 00 80 8C .....Ms.......€Œ
000802C0  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul
000802D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
000802E0  00 00 00 00 00 4D F3 A0 00 00 00 00 00 00 88 B8 .....Mó ......ˆ¸
000802F0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul
00080300  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
00080310  00 00 00 00 00 4E 7C 60 00 00 00 00 00 00 5D B0 .....N|`......]°
00080320  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul
00080330  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
00080340  00 00 00 00 00 4E DA 20 00 00 00 00 00 01 53 2C .....NÚ ......S,
00080350  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self.....
00080360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00080370  00 00 00 00 00 50 2D 60 00 00 00 00 00 00 00 08 .....P-`........
00080380  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
00080390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000803A0  00 00 00 00 00 50 2D 80 00 00 00 00 00 00 D7 F0 .....P-€......×ð
000803B0  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel
000803C0  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f...............
000803D0  00 00 00 00 00 51 05 80 00 00 00 00 00 00 FA CC .....Q.€......úÌ
000803E0  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri
000803F0  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self.......
00080400  00 00 00 00 00 52 00 60 00 00 00 00 00 00 5C 94 .....R.`......\”
00080410  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces
00080420  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........
00080430  00 00 00 00 00 52 5D 00 00 00 00 00 00 00 65 D0 .....R].......eÐ
00080440  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce
00080450  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self.......
00080460  00 00 00 00 00 52 C2 E0 00 00 00 00 00 00 C0 78 .....RÂà......Àx
00080470  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul
00080480  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
```
ROS1
ROS1 on NAND:
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0077FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
00780020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà
00780030  00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00 .......`........
00780040  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
00780050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780060  00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08 .......`........
00780070  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
00780080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780090  00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC .......€......åÌ
007800A0  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
007800B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007800C0  00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D A0 ......ê€......m
007800D0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........
007800E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007800F0  00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 44 ......X€.......D
00780100  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00 isoldr..........
00780110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780120  00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA E4 ......‡.......Úä
00780130  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr..........
00780140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780150  00 00 00 00 00 0A 61 E4 00 00 00 00 00 00 FA CC ......aä......úÌ
00780160  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69 spu_pkg_rvk_veri
00780170  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00 fier.self.......
00780180  00 00 00 00 00 0B 5C B0 00 00 00 00 00 00 5C 94 ......\°......\”
00780190  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73 spu_token_proces
007801A0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00 sor.self........
007801B0  00 00 00 00 00 0B B9 44 00 00 00 00 00 00 65 D0 ......¹D......eÐ
007801C0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65 spu_utoken_proce
007801D0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 ssor.self.......
007801E0  00 00 00 00 00 0C 1F 14 00 00 00 00 00 01 53 2C ..............S,
007801F0  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00 sc_iso.self.....
00780200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780210  00 00 00 00 00 0D 72 40 00 00 00 00 00 00 44 98 ......r@......D˜
00780220  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 aim_spu_module.s
00780230  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf.............
00780240  00 00 00 00 00 0D B6 D8 00 00 00 00 00 00 D7 F0 ......¶Ø......×ð
00780250  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C spp_verifier.sel
00780260  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f...............
00780270  00 00 00 00 00 0E 8E C8 00 00 00 00 00 00 80 8C ......ŽÈ......€Œ
00780280  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C mc_iso_spu_modul
00780290  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
007802A0  00 00 00 00 00 0F 0F 54 00 00 00 00 00 00 88 B8 .......T......ˆ¸
007802B0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C me_iso_spu_modul
007802C0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
007802D0  00 00 00 00 00 0F 98 0C 00 00 00 00 00 00 C0 78 ......˜.......Àx
007802E0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sv_iso_spu_modul
007802F0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
00780300  00 00 00 00 00 10 58 84 00 00 00 00 00 00 5D B0 ......X„......]°
00780310  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C sb_iso_spu_modul
00780320  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00 e.self..........
00780330  00 00 00 00 00 10 B6 34 00 00 00 00 00 00 22 A0 ......¶4......"
00780340  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00 default.spp.....
00780350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780360  00 00 00 00 00 10 D9 00 00 00 00 00 00 12 B1 70 ......Ù.......±p
00780370  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00 lv1.self........
00780380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780390  00 00 00 00 00 23 8A 80 00 00 00 00 00 03 E8 28 .....#Š€......è(
007803A0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00 lv0.............
007803B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007803C0  00 00 00 00 00 27 72 A8 00 00 00 00 00 16 EE B8 .....'r¨......î¸
007803D0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00 lv2_kernel.self.
007803E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007803F0  00 00 00 00 00 3E 61 60 00 00 00 00 00 07 0F 94 .....>a`.......”
00780400  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00 eurus_fw.bin....
00780410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780420  00 00 00 00 00 45 70 F4 00 00 00 00 00 07 FC 48 .....Epô......üH
00780430  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00 emer_init.self..
00780440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00780450  00 00 00 00 00 4D 6D 3C 00 00 00 00 00 06 16 00 .....Mm<........
00780460  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00 hdd_copy.self...
00780470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
```
Versioning in ROS0
Versioning in ROS0 of NAND:
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00582D90  33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00 315.000.........
00582DA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00582DB0  53 43 45 00 00 00 00 02 00 01 00 01 00 00 02 30 SCE............0
```
Versioning in ROS1
Versioning in ROS1 of NAND:
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
007C0480  33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00 315.000.........
007C0490  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007C04A0  53 43 45 00 00 00 00 02 00 00 00 01 00 00 01 F0 SCE............ð
```
Dumping your flash
There are many ways to dump your flash; choose the one that best fits you. Some people are studying the flash, so if you can help by providing a dump (especially if you have a debug console), look for them on IRC at EFnet #ps3dev.
Payload
Uncomment dump_dev_flash() in graf_payloads, then compile and run the payload.
See Graf's_PSGroove_Payload for more info.
Linux
Using the graf_chokolo kernel with /dev/ps3nflasha access:
```sh
dd if=/dev/ps3nflasha of=NOR.BIN bs=1024
```
Hardware
Dump NAND/NOR from GameOS
dump_flash.pkg // backup/mirror: dump-flash+syscon.rar (280.51 KB)
Make sure the USB stick is FAT32 with enough free space (16 MB per dump).
Remark: NAND dumps are 239 MB because the HV masks bootldr; see Hardware flashing#Difference between hardware dumps and software dumps.
NOR Unpacking // NOR Unpkg
```c
/*
 * # ../norunpkg norflash.bin norflash
 * unpacking asecure_loader (size: 190xxx bytes)...
 * unpacking eEID (size: 65536 bytes)...
 * unpacking cISD (size: 2048 bytes)...
 * unpacking cCSD (size: 2048 bytes)...
 * unpacking trvk_prg0 (size: 131072 bytes)...
 * unpacking trvk_prg1 (size: 131072 bytes)...
 * unpacking trvk_pkg0 (size: 131072 bytes)...
 * unpacking trvk_pkg1 (size: 131072 bytes)...
 * unpacking ros0 (size: 7340032 bytes)...
 * unpacking ros1 (size: 7340032 bytes)...
 * unpacking cvtrm (size: 262144 bytes)...
 */
// Copyright 2010 Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"   /* be32(), be64(), mmap_file(), memcpy_to_file(), fail() */
#include "types.h"   /* u8, u32, u64 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

/* Each 0x30-byte table entry: be64 offset (relative to the table header), be64 size, char[32] name. */
static void unpack_file(u32 i)
{
	u8 *ptr;
	u8 name[33];
	u64 offset;
	u64 size;

	ptr = pkg + 0x10 + 0x30 * i;

	offset = be64(ptr + 0x00);
	size   = be64(ptr + 0x08);

	memset(name, 0, sizeof name);
	strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

	/* size is a u64, so it must not be printed with %d */
	printf("unpacking %s (size: %llu bytes)...\n", name, (unsigned long long)size);
	memcpy_to_file((char *)name, pkg + offset, size);
}

/* 16-byte table header: be32 0x1, be32 file count, be64 region length. */
static void unpack_pkg(void)
{
	u32 n_files;
	u64 size;
	u32 i;

	n_files = be32(pkg + 4);
	size = be64(pkg + 8);
	(void)size;   /* region length; not checked against the entries yet */

	for (i = 0; i < n_files; i++)
		unpack_file(i);
}

int main(int argc, char *argv[])
{
	if (argc != 3)
		fail("usage: norunpkg filename.nor target");

	pkg = mmap_file(argv[1]);

	/* kludge for header, i do not do sanity checks at the moment */
	pkg += 1024;

	MKDIR(argv[2], 0777);

	if (chdir(argv[2]) != 0)
		fail("chdir");

	unpack_pkg();

	return 0;
}
```
Source: http://rms.grafchokolo.com/?p=25
RMS - eEID splitter
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read iInputSize bytes from the current position of pFile and write them
   to a file named "<prefix><iEidCount>" (e.g. eid0). */
void DumpEidData(FILE *pFile, int iInputSize, int iEidCount, char *pFilenamePrefix)
{
	FILE *pOutput;
	char *szFilename;
	char *szBuf;
	size_t iRes, iSize;

	printf("dumping EID%d from eEID at %p, size %d (%x)..\n",
	       iEidCount, (void *)pFile, iInputSize, iInputSize);

	szBuf = malloc(iInputSize + 1);
	szFilename = malloc(strlen(pFilenamePrefix) + 12);
	if (szBuf == NULL || szFilename == NULL) {
		perror("malloc");
		exit(1);
	}

	iSize = fread(szBuf, iInputSize, 1, pFile);
	if (iSize != 1) {
		perror("fread");
		exit(1);
	}

	sprintf(szFilename, "%s%d", pFilenamePrefix, iEidCount);
	pOutput = fopen(szFilename, "wb");
	if (pOutput == NULL) {
		perror("fopen");
		exit(1);
	}

	iRes = fwrite(szBuf, iInputSize, 1, pOutput);
	if (iRes != iSize) {
		perror("fwrite");
		exit(1);
	}

	fclose(pOutput);
	free(szFilename);
	free(szBuf);
}

int main(int argc, char **argv)
{
	FILE *pFile;
	char *pPrefix;

	/* both the eEID file and the output prefix are required */
	if (argc != 3) {
		printf("usage: %s <eEID> <EID name prefix>\n", argv[0]);
		exit(1);
	}
	pPrefix = argv[2];

	pFile = fopen(argv[1], "rb");
	if (pFile == NULL) {
		perror("fopen");
		exit(1);
	}

	/* EID0 starts at 0x70; the six sections follow each other with the lengths below
	   (0x860, 0x2A0, 0x730, 0x100, 0x30, 0xA00), ending at 0x1DD0. */
	fseek(pFile, 0x70, SEEK_SET);
	DumpEidData(pFile, 2144, 0, pPrefix);
	DumpEidData(pFile, 672, 1, pPrefix);
	DumpEidData(pFile, 1840, 2, pPrefix);
	DumpEidData(pFile, 256, 3, pPrefix);
	DumpEidData(pFile, 48, 4, pPrefix);
	DumpEidData(pFile, 2560, 5, pPrefix);

	fclose(pFile);
	return 0;
}
```
Source: http://rms.grafchokolo.com/?p=59
Flash Samples
Here are some samples of NOR Flash for your dissection. These are taken from different consoles.
- 3.55 kmeaw, 2.80 backup: http://www.megaupload.com/?d=J5UKO3HX
- 3.66 ofw: http://www.mediafire.com/?m7m4mppro66zib5