First Region

trvk_prg

NOR: splitted into 2 seperate sections trvk_prg0 (0x40000) + trvk_prg1 (0x060000)
NAND: 1 region (0x0091800) with 2 combined sections of trvk_prg0 + trvk_prg1

Header

Only seen on NAND, with 2 combined sections of trvk_prg0 + trvk_prg1

example

NOR:

NAND: 0x0091800 - 0x009181F

N.A.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00091800  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
00091810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........

structure

Address	Length	Value	Description
0x0	0x8	0x20	Offset to region (relative to base 0x91800)
0x8	0x8	0x20	Offset to file (relative to base 0x91800)
0x10	0x8	0x2000	Region Size
0x8	0x8	0x0	Unknown

trvk_prg File Entries

32 byte SCE header for each trvk_prg file, followed by the signed/encrypted data. For content/structure, see: Revokation

trvk_prg0

example

NOR: trvk_prg0 (0x40000)

NAND: trvk_prg0 (0x0091820)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00040000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 C0  ...............À
00040010  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
00040020  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 C0  ...............À

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00091820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0  ...............à
00091830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
00091840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0  ...............à

structure

Address	Length	Value	Description
0x0	0x8	0x0	Unknown
0x8	0x8	0x02C0	Data size
0x10	0x4	ASCII:SCE.	Magic Header
0x14	0x4	0x2	Unknown
0x18	0x4	0x2	Unknown
0x1C	0x4	0x0	Unknown
0x20	0x8	0x200	Unknown
0x28	0x8	0xE0	Meta size

trvk_prg1

example

NOR: trvk_prg1 (0x060000)

NAND: trvk_prg1 (0x0092810)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00060000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0  ...............à
00060010  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
00060020  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0  ...............à

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00092810  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0  ...............à
00092820  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
00092830  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0  ...............à

structure

Address	Length	Value	Description
0x0	0x8	0x0	Unknown
0x8	0x8	0x2E0	Data size
0x10	0x4	ASCII:SCE.	Magic Header
0x14	0x4	0x2	Unknown
0x18	0x4	0x2	Unknown
0x1C	0x4	0x0	Unknown
0x20	0x8	0x200	Unknown
0x28	0x8	0xE0	Meta size

trvk_pkg

NOR: splitted into 2 seperate sections trvk_pkg0 (0x080000) + trvk_pkg1 (0x0A0000)
NAND: 1 region (0x0093800) with 2 combined sections of trvk_pkg0 + trvk_pkg1

Header

Only seen on NAND, with 2 combined sections of trvk_pkg0 + trvk_pkg1

example

NOR:

NAND: 0x0093800 - 0x009381F

N.A.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00093800  00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10  ................
00093810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........

structure

Address	Length	Value	Description
0x0	0x8	0x1010	Offset to region (relative to base 0x93800)
0x8	0x8	0x1010	Offset to file (relative to base 0x93800)
0x10	0x8	0x2000	Region Size
0x8	0x8	0x0	Unknown

trvk_pkg File Entries

32 byte SCE header for each trvk_pkg file, followed by the signed/encrypted data. For content/structure, see: Revokation

trvk_pkg0

example

NOR: trvk_pkg0 (0x80000)

NAND: trvk_pkg0 (0x0093820)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00080000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60  ...............`
00080010  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
00080020  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 60  ...............`

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00093820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
00093830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
00093840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@

structure

Address	Length	Value	Description
0x0	0x8	0x0	Unknown
0x8	0x8	0x260	Data size
0x10	0x4	ASCII:SCE.	Magic Header
0x14	0x4	0x2	Unknown
0x18	0x4	0x2	Unknown
0x1C	0x4	0x0	Unknown
0x20	0x8	0x200	Unknown
0x28	0x8	0x60	Unknown

trvk_pkg1

example

NOR: trvk_pkg1 (0x0A0000)

NAND: trvk_pkg1 (0x0094810)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000A0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60  ...............`
000A0010  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
000A0020  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 60  ...............`

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00094810  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
00094820  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
00094830  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@

structure

Address	Length	Value	Description
0x0	0x8	0x0	Unknown
0x8	0x8	0x260	Data size
0x10	0x4	ASCII:SCE.	Magic Header
0x14	0x4	0x2	Unknown
0x18	0x4	0x2	Unknown
0x1C	0x4	0x0	Unknown
0x20	0x8	0x200	Unknown
0x28	0x8	0x60	Unknown

creserved_0

Location:

as file: in both ROS areas for both NOR + NAND
as seperate flash region: NAND only (0x0095800 - 0x00BFFFF)

example

NOR:

NAND: 0x0095800 - 0x00BFFFF

N.A.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00095800  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00095810  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000BFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000BFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

structure

Address	Length	Value	Description
0x0	0x2A800	0xFF	FF filled area

ros

NOR: splitted into 2 seperate sections ros0 (0x0C0000) + ros1 (0x7C0000)
NAND: 1 region (0x00C0000) with 2 combined sections of ros0 (0x00C0020) + ros1 (0x07C0000)

Header

Only seen on NAND, with 2 combined sections of ros0 + ros1

example

NOR:

NAND: 0x00C0000 - 0x00C001F

N.A.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000C0000  00 00 00 00 00 70 00 10 00 00 00 00 00 70 00 10  .....p.......p..
000C0010  00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00  .....à..........

structure

Address	Length	Value	Description
0x0	0x8	0x20 (ros0) or 0x700010 (ros1)	Offset to region (relative to base 0xC0000)
0x8	0x8	0x20 (ros0) or 0x700010 (ros1)	Offset to region (relative to base 0xC0000)
0x10	0x8	0xE00000	Unknown
0x8	0x8	0x0	Unknown

ros Entries

ros0

header

example

NOR: ros00 (0x00C0000 - 0x00C001F)

NAND: ros0 (0x00C0020 - 0x00C003F)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
000C0000  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
000C0010  00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0  .............oÿà

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
000C0030  00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0  .............oÿà

structure

Address	Length	Value	Description
0x0	0x8	0x0	Unknown
0x8	0x8	0x0x6FFFE0	Length of Flash Region (relative to region start)
0x10	0x4	0x1	Unknown
0x14	0x4	0x18	Entry Count
0x18	0x8	0x0x6FFFE0	Length of Flash Region (relative to region start)

Entry Table

Then follows a 48 byte entry for each file

example

NOR: ros0 (0x00C0020 - )

NAND: ros0 (0x00C0040 - )

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
000C0020  00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00  ................
000C0030  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
000C0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0050  00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08  ................
000C0060  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
000C0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0080  00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8  ..............çÈ
000C0090  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
000C00A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C00B0  00 00 00 00 00 05 ED 00 00 00 00 00 00 01 75 F8  ......í.......uø
000C00C0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
000C00D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C00E0  00 00 00 00 00 07 63 00 00 00 00 00 00 01 2F 94  ......c......./”
000C00F0  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
000C0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0110  00 00 00 00 00 08 93 00 00 00 00 00 00 01 F6 D8  ......“.......öØ
000C0120  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
000C0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0140  00 00 00 00 00 0A 89 D8 00 00 00 00 00 00 FB 4C  ......‰Ø......ûL
000C0150  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
000C0160  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
000C0170  00 00 00 00 00 0B 85 24 00 00 00 00 00 00 5A 94  ......…$......Z”
000C0180  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
000C0190  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
000C01A0  00 00 00 00 00 0B DF B8 00 00 00 00 00 00 63 D0  ......ß¸......cÐ
000C01B0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
000C01C0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
000C01D0  00 00 00 00 00 0C 43 88 00 00 00 00 00 01 53 2C  ......Cˆ......S,
000C01E0  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
000C01F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0200  00 00 00 00 00 0D 96 B4 00 00 00 00 00 00 42 98  ......–´......B˜
000C0210  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
000C0220  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
000C0230  00 00 00 00 00 0D D9 4C 00 00 00 00 00 00 D7 F0  ......ÙL......×ð
000C0240  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
000C0250  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
000C0260  00 00 00 00 00 0E B1 3C 00 00 00 00 00 00 80 8C  ......±<......€Œ
000C0270  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
000C0280  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
000C0290  00 00 00 00 00 0F 31 C8 00 00 00 00 00 00 88 B8  ......1È......ˆ¸
000C02A0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
000C02B0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
000C02C0  00 00 00 00 00 0F BA 80 00 00 00 00 00 00 C0 78  ......º€......Àx
000C02D0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
000C02E0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
000C02F0  00 00 00 00 00 10 7A F8 00 00 00 00 00 00 5D B0  ......zø......]°
000C0300  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
000C0310  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
000C0320  00 00 00 00 00 10 D8 A8 00 00 00 00 00 00 22 A0  ......Ø¨......" 
000C0330  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
000C0340  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0350  00 00 00 00 00 10 FB 80 00 00 00 00 00 12 6A A0  ......û€......j 
000C0360  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
000C0370  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0380  00 00 00 00 00 23 66 80 00 00 00 00 00 03 E8 A8  .....#f€......è¨
000C0390  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
000C03A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C03B0  00 00 00 00 00 27 4F 28 00 00 00 00 00 17 4A 18  .....'O(......J.
000C03C0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
000C03D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C03E0  00 00 00 00 00 3E 99 40 00 00 00 00 00 07 0F 94  .....>™@.......”
000C03F0  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
000C0400  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0410  00 00 00 00 00 45 A8 D4 00 00 00 00 00 08 04 18  .....E¨Ô........
000C0420  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
000C0430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0440  00 00 00 00 00 4D AC EC 00 00 00 00 00 06 0D 78  .....M¬ì.......x
000C0450  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
000C0460  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0470  00 00 00 00 00 53 BA 64 00 00 00 00 00 00 12 A8  .....Sºd.......¨
000C0480  6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F  manu_info_spu_mo
000C0490  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
000C0040  00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00  ................
000C0050  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
000C0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0070  00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08  ................
000C0080  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
000C0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C00A0  00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8  ..............çÈ
000C00B0  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
000C00C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C00D0  00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0  ......í.......oð
000C00E0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
000C00F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0100  00 00 00 00 00 07 5D 00 00 00 00 00 00 01 2F 74  ......]......./t
000C0110  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
000C0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0130  00 00 00 00 00 08 8C 80 00 00 00 00 00 01 E5 D4  ......Œ€......åÔ
000C0140  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
000C0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0160  00 00 00 00 00 0A 72 54 00 00 00 00 00 00 FB 4C  ......rT......ûL
000C0170  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
000C0180  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
000C0190  00 00 00 00 00 0B 6D A0 00 00 00 00 00 00 5A 94  ......m ......Z”
000C01A0  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
000C01B0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
000C01C0  00 00 00 00 00 0B C8 34 00 00 00 00 00 00 63 D0  ......È4......cÐ
000C01D0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
000C01E0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
000C01F0  00 00 00 00 00 0C 2C 04 00 00 00 00 00 01 53 2C  ......,.......S,
000C0200  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
000C0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0220  00 00 00 00 00 0D 7F 30 00 00 00 00 00 00 42 98  .......0......B˜
000C0230  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
000C0240  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
000C0250  00 00 00 00 00 0D C1 C8 00 00 00 00 00 00 D7 F0  ......ÁÈ......×ð
000C0260  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
000C0270  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
000C0280  00 00 00 00 00 0E 99 B8 00 00 00 00 00 00 80 8C  ......™¸......€Œ
000C0290  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
000C02A0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
000C02B0  00 00 00 00 00 0F 1A 44 00 00 00 00 00 00 88 B8  .......D......ˆ¸
000C02C0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
000C02D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
000C02E0  00 00 00 00 00 0F A2 FC 00 00 00 00 00 00 C0 78  ......¢ü......Àx
000C02F0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
000C0300  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
000C0310  00 00 00 00 00 10 63 74 00 00 00 00 00 00 5D B0  ......ct......]°
000C0320  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
000C0330  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
000C0340  00 00 00 00 00 10 C1 24 00 00 00 00 00 00 22 A0  ......Á$......" 
000C0350  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
000C0360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0370  00 00 00 00 00 10 E4 00 00 00 00 00 00 12 80 50  ......ä.......€P
000C0380  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
000C0390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C03A0  00 00 00 00 00 23 64 80 00 00 00 00 00 03 E6 78  .....#d€......æx
000C03B0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
000C03C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C03D0  00 00 00 00 00 27 4A F8 00 00 00 00 00 17 27 58  .....'Jø......'X
000C03E0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
000C03F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0400  00 00 00 00 00 3E 72 50 00 00 00 00 00 07 0F 94  .....>rP.......”
000C0410  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
000C0420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0430  00 00 00 00 00 45 81 E4 00 00 00 00 00 08 04 18  .....E.ä........
000C0440  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
000C0450  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0460  00 00 00 00 00 4D 85 FC 00 00 00 00 00 06 0D 78  .....M…ü.......x
000C0470  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
000C0480  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C0490  00 00 00 00 00 53 93 74 00 00 00 00 00 00 12 A8  .....S“t.......¨
000C04A0  6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F  manu_info_spu_mo
000C04B0  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......

structure

Address	Length	Value	Description
0x0	0x8	0x490	File offset relative to Region start
0x8	0x8	0x40000	File length
0x10	0x32	char[32]:"creserved_0"	File name

ros1

header

example

NOR: ros1 (0x07C0000)

NAND: ros1 (0x07C0010)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
007C0000  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
007C0010  00 00 00 01 00 00 00 16 00 00 00 00 00 6F FF E0  .............oÿà

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
007C0010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
007C0020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà

structure

Address	Length	Value	Description
0x0	0x8	0x0	Unknown
0x8	0x8	0x0x6FFFE0	Length of Flash Region (relative to region start)
0x10	0x4	0x1	Unknown
0x14	0x4	0x16	Entry Count
0x18	0x8	0x0x6FFFE0	Length of Flash Region (relative to region start)

Entry Table

Then follows a 48 byte entry for each file

example

NOR: ros1 (0x07C0020)

NAND: ros1 (0x07C0030)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
007C0020  00 00 00 00 00 00 04 30 00 00 00 00 00 04 00 00  .......0........
007C0030  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
007C0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0050  00 00 00 00 00 04 04 30 00 00 00 00 00 00 00 08  .......0........
007C0060  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
007C0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0080  00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC  .......€......åÌ
007C0090  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
007C00A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C00B0  00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D B0  ......ê€......m°
007C00C0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
007C00D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C00E0  00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 24  ......X€.......$
007C00F0  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
007C0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0110  00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA 04  ......‡.......Ú.
007C0120  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
007C0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0140  00 00 00 00 00 0A 61 04 00 00 00 00 00 00 FA B4  ......a.......ú´
007C0150  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
007C0160  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
007C0170  00 00 00 00 00 0B 5B B8 00 00 00 00 00 00 5B FC  ......[¸......[ü
007C0180  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
007C0190  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
007C01A0  00 00 00 00 00 0B B7 B4 00 00 00 00 00 00 65 B4  ......·´......e´
007C01B0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
007C01C0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
007C01D0  00 00 00 00 00 0C 1D 68 00 00 00 00 00 01 53 2C  .......h......S,
007C01E0  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
007C01F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0200  00 00 00 00 00 0D 70 94 00 00 00 00 00 00 44 80  ......p”......D€
007C0210  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
007C0220  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
007C0230  00 00 00 00 00 0D B5 14 00 00 00 00 00 00 D7 44  ......µ.......×D
007C0240  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
007C0250  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
007C0260  00 00 00 00 00 0E 8C 58 00 00 00 00 00 00 80 8C  ......ŒX......€Œ
007C0270  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
007C0280  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
007C0290  00 00 00 00 00 0F 0C E4 00 00 00 00 00 00 88 B8  .......ä......ˆ¸
007C02A0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
007C02B0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
007C02C0  00 00 00 00 00 0F 95 9C 00 00 00 00 00 00 C0 78  ......•œ......Àx
007C02D0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
007C02E0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
007C02F0  00 00 00 00 00 10 56 14 00 00 00 00 00 00 5D B0  ......V.......]°
007C0300  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
007C0310  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
007C0320  00 00 00 00 00 10 B3 C4 00 00 00 00 00 00 22 A0  ......³Ä......" 
007C0330  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
007C0340  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0350  00 00 00 00 00 10 D6 80 00 00 00 00 00 12 E1 60  ......Ö€......á`
007C0360  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
007C0370  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0380  00 00 00 00 00 23 B8 00 00 00 00 00 00 03 E3 58  .....#¸.......ãX
007C0390  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
007C03A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C03B0  00 00 00 00 00 27 9B 58 00 00 00 00 00 16 19 80  .....'›X.......€
007C03C0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
007C03D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C03E0  00 00 00 00 00 3D B4 D8 00 00 00 00 00 07 09 F0  .....=´Ø.......ð
007C03F0  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
007C0400  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0410  00 00 00 00 00 44 BE C8 00 00 00 00 00 08 1B 30  .....D¾È.......0
007C0420  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
007C0430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
007C0030  00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00  .......`........
007C0040  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
007C0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0060  00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08  .......`........
007C0070  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
007C0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0090  00 00 00 00 00 04 04 68 00 00 00 00 00 00 FB 4C  .......h......ûL
007C00A0  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
007C00B0  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
007C00C0  00 00 00 00 00 04 FF B4 00 00 00 00 00 00 C9 30  ......ÿ´......É0
007C00D0  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
007C00E0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
007C00F0  00 00 00 00 00 05 C8 E4 00 00 00 00 00 00 63 D0  ......Èä......cÐ
007C0100  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
007C0110  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
007C0120  00 00 00 00 00 06 2C B4 00 00 00 00 00 01 D2 D8  ......,´......ÒØ
007C0130  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
007C0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0150  00 00 00 00 00 07 FF 8C 00 00 00 00 00 00 42 98  ......ÿŒ......B˜
007C0160  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
007C0170  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
007C0180  00 00 00 00 00 08 42 24 00 00 00 00 00 00 D7 F0  ......B$......×ð
007C0190  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
007C01A0  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
007C01B0  00 00 00 00 00 09 1A 14 00 00 00 00 00 00 80 8C  ..............€Œ
007C01C0  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
007C01D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
007C01E0  00 00 00 00 00 09 9A A0 00 00 00 00 00 00 88 B8  ......š ......ˆ¸
007C01F0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
007C0200  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
007C0210  00 00 00 00 00 0A 23 58 00 00 00 00 00 00 C0 78  ......#X......Àx
007C0220  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
007C0230  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
007C0240  00 00 00 00 00 0A E3 D0 00 00 00 00 00 00 5D B0  ......ãÐ......]°
007C0250  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
007C0260  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
007C0270  00 00 00 00 00 0B 41 80 00 00 00 00 00 00 22 A0  ......A€......" 
007C0280  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
007C0290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C02A0  00 00 00 00 00 0B 64 80 00 00 00 00 00 12 5E F0  ......d€......^ð
007C02B0  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
007C02C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C02D0  00 00 00 00 00 1D C3 80 00 00 00 00 00 0B 54 E8  ......Ã€......Tè
007C02E0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
007C02F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0300  00 00 00 00 00 29 18 80 00 00 00 00 00 00 05 00  .....).€........
007C0310  6C 76 30 2E 32 00 00 00 00 00 00 00 00 00 00 00  lv0.2...........
007C0320  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0330  00 00 00 00 00 29 1D 80 00 00 00 00 00 17 89 58  .....).€......‰X
007C0340  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
007C0350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0360  00 00 00 00 00 40 A6 D8 00 00 00 00 00 07 0F 94  .....@¦Ø.......”
007C0370  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
007C0380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0390  00 00 00 00 00 47 B6 6C 00 00 00 00 00 07 E2 68  .....G¶l......âh
007C03A0  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
007C03B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C03C0  00 00 00 00 00 4F 98 D4 00 00 00 00 00 06 18 18  .....O˜Ô........
007C03D0  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
007C03E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C03F0  00 00 00 00 00 55 B0 EC 00 00 00 00 00 00 12 A8  .....U°ì.......¨
007C0400  6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F  manu_info_spu_mo
007C0410  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......
007C0420  00 00 00 00 00 55 C3 94 00 00 00 00 00 00 02 E0  .....UÃ”.......à
007C0430  70 72 6F 67 2E 73 72 76 6B 00 00 00 00 00 00 00  prog.srvk.......
007C0440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
007C0450  00 00 00 00 00 55 C6 74 00 00 00 00 00 00 02 40  .....UÆt.......@
007C0460  70 6B 67 2E 73 72 76 6B 00 00 00 00 00 00 00 00  pkg.srvk........
007C0470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

structure

Address	Length	Value	Description
0x0	0x8	0x430	File offset relative to Region start
0x8	0x8	0x40000	File length
0x10	0x32	char[32]:"creserved_0"	File name

Second Region

NOR only: 0x0F00000 - 0x0F00020
This region appears to directly follow the other region (at 0xF0000 = region size + header)
Not much is known about this at this stage.

On NAND consoles without OtherOS the block 0x0F00000 - 0x0F7FFFF is zero filled
On NAND consoles with OtherOS the block 0x0F00000 - 0x0F00FFF is filled with data

Header - 0FACE0FF DEADFACE

example

NOR: 0x0F00000 - 0x0F00020

NAND:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....ÞúÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................

N.A.

structure

Address	Length	Value	Description
0x00	0x10	0x0	Blank/Unknown
0x10	0x10	0x0FACE0FF 0xDEADFACE	Magic number
0x20	0x8	0x3	Unknown
0x28	0x8	0x2	Unknown

00 filled block

example

NOR: 0x0F00030 - 0x0F000BF

NAND:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
.... (00 filled block)
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

N.A.

structure

Address	Length	Value	Description
0x30	0x90	0x0	Blank/Unknown

Unknown block

example

NOR: 0x0F000C0 - 0x0F000EF

NAND:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............

N.A.

structure

Address	Length	Value	Description
0xC0	0x8	0x7900	Unknown
0xC8	0x8	0x100	Unknown
0xD0	0x2	0x1070	Unknown
0xD2	0x2	0x0	Blank/Unknown
0xD4	0x2	0x100	Unknown
0xD6	0x2	0x1	Unknown
0xD8	0x8	0x3	Unknown
0xE0	0x2	0x1070	Unknown
0xE2	0x2	0x0	Blank/Unknown
0xE4	0x2	0x200	Unknown
0xE6	0x2	0x1	Unknown
0xE8	0x8	0x3	Unknown

00 filled block

example

NOR: 0x0F000F0 - 0x0F0014F

NAND:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
.... (00 filled block)
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

N.A.

structure

Address	Length	Value	Description
0xF0	0x60	0x0	Blank/Unknown

Unknown block

example

NOR: 0x0F00150 - 0x0F0017F

NAND:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............

N.A.

structure

Address	Length	Value	Description
0xC0	0x8	0x7A00	Unknown
0xC8	0x8	0x400	Unknown
0xD0	0x2	0x1070	Unknown
0xD2	0x2	0x0	Blank/Unknown
0xD4	0x2	0x100	Unknown
0xD6	0x2	0x1	Unknown
0xD8	0x8	0x3	Unknown
0xE0	0x2	0x1070	Unknown
0xE2	0x2	0x0	Blank/Unknown
0xE4	0x2	0x200	Unknown
0xE6	0x2	0x1	Unknown
0xE8	0x8	0x3	Unknown

00 filled block

example

NOR: 0x0F00180 - 0x0F00FFF

NAND:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
.... (00 filled block)
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

N.A.

structure

Address	Length	Value	Description
0x180	0xE80	0x0	Blank/Unknown

unreferenced area

NOR+NAND : 0x0F01000 - 0x0F1FFFF

example

NOR: 0x0F01000 - 0x0F1FFFF

NAND: 0x0F01000 - 0x0F1FFFF

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00F01000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
00F1FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00F01000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
00F1FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

structure

Address	Length	Value	Description
0x1000	0x1F000	0xFF	Blank/Unknown

CELL_EXTNOR_AREA

Only on NOR consoles
On NAND consoles the block 00F20000-00F3FFFF is FF (OtherOS) or 00 (No OtherOS) filled

Header

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  
00F20000  43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41  CELL_EXTNOR_AREA      marker: CELL_EXTNOR_AREA

1

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  
00F20010  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F20020  00 00 02 00 00 00 00 44 00 00 00 00 A9 C8 06 D0  .......D....©È.Ð (sha1sum of 0x200 Harddrive Info)
00F20030  C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10  À..4U§bsÝ.¦ûu Ò.

00 filled

00F20040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F201F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Harddrive info

00F20200  00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32  ....FUJITSU MHZ2      harddrive brand/model
00F20210  30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20  080BH G1        
00F20220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
00F20230  20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B      K63RT8B4HYBK      harddrive serial

00 filled

00F20240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F3FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

2

On NAND consoles with OtherOS the blocks

0x0F40000 - 0x0F401FF
0x0F42000 - 0xBAD51F0
0xBAD6000 - 0xBAECDFF
0xBAEE000 - 0xBAFD9FF
0xBAFE000 etc.

are filled with data

00F40000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F40000-00F40030      (same in other version/console dump)
00F40010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
00F40020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F80000-00F80030

00 filled

00F40030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F5FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

3

00F60000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00F60010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00F60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
00F60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00FA0000-00FA0040

00 filled

00F60040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F69BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

FF filled

00F69C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]                                                                            all FF's
00F7FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

4

00F80000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F80000-00F80030      (same in other version/console dump)
00F80010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
00F80020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F40000-00F40030

00 filled

00F80030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F9FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

5

00FA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00FA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00FA0020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
00FA0030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00F60000-00F60040

00 filled

00FA0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00FA9BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

FF filled

00FA9C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]                                                                            all FF's with sometimes below 'OCRL0200' section inside it
00FBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

FF Filled with OCRL0200 section

NOR: 0x0FA9400 - 0x0FA952F

NOR: 0x0F69400 - 0x0F6952F

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00FA9400  4F 43 52 4C 30 32 30 30 00 00 00 00 00 00 00 00  OCRL0200........
00FA9410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA9420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA9430  A6 50 37 72 07 82 68 FE EA 9A A1 8C 54 19 2B E4  ¦P7r.‚hþêš¡ŒT.+ä
00FA9440  2F D8 85 BA 5F 2F AA ED AC 6B 54 FE 31 0B 80 58  /Ø…º_/ªí¬kTþ1.€X
00FA9450  A9 74 D4 ED F9 77 7B B2 30 50 47 F3 C0 12 AC 26  ©tÔíùw{²0PGóÀ.¬&
00FA9460  6A 40 AD 19 14 C2 AD 2C 92 36 02 78 50 D4 08 D4  j@..Â,’6.xPÔ.Ô
00FA9470  06 76 2C 97 0D 2A 7A 19 F4 85 01 6F CD C8 07 C3  .v,—.*z.ô….oÍÈ.Ã
00FA9480  25 2D F4 CD 46 2B FE F7 B8 0A 40 9F 97 22 06 5E  %-ôÍF+þ÷¸.@Ÿ—".^
00FA9490  4B F1 02 92 01 11 C1 E0 DD AC 84 0D 58 C2 21 66  Kñ.’..ÁàÝ¬„.XÂ!f
00FA94A0  25 69 A4 1A C8 E9 DB 4C 5D 31 4E AF 07 2A 43 90  %i¤.ÈéÛL]1N¯.*C.
00FA94B0  3E DC 4A 80 FD A7 06 BB 1F 9B D4 75 6C 6C 45 CE  >ÜJ€ý§.».›ÔullEÎ
00FA94C0  1A A6 5D D1 9B E9 80 C2 72 CA A8 0B 14 C6 B2 86  .¦]Ñ›é€ÂrÊ¨..Æ²†
00FA94D0  E3 37 86 E6 AD DE 2C F9 76 3D 18 62 DD 77 AD 71  ã7†æÞ,ùv=.bÝwq
00FA94E0  32 F1 11 FD 17 9E 68 50 B3 A5 7F 41 37 19 63 3A  2ñ.ý.žhP³¥.A7.c:
00FA94F0  78 08 19 4D CA 47 AD FF 35 89 52 3E 18 39 F5 A5  x..MÊGÿ5‰R>.9õ¥
00FA9500  4B 98 D6 C0 66 68 E0 CA 4B 9F 1A 42 1E A2 EE 79  K˜ÖÀfhàÊKŸ.B.¢îy
00FA9510  E6 58 6F FF 58 B1 FE 4F DB FD 27 6F 4C EC 6C 9F  æXoÿX±þOÛý'oLìlŸ
00FA9520  B4 B7 F8 9D 30 4A 1E 83 15 47 08 B6 FB 51 00 DA  ´·ø.0J.ƒ.G.¶ûQ.Ú

CECHL (VER-001) with ST98823AS drive (80GB) : ROS0: 2.80 / ROS1: 3.55

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00F69400  4F 43 52 4C 30 32 30 30 00 00 00 00 00 00 00 00  OCRL0200........
00F69410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F69420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F69430  A6 50 37 72 07 82 68 FE EA 9A A1 8C 54 19 2B E4  ¦P7r.‚hþêš¡ŒT.+ä
00F69440  2F D8 85 BA 5F 2F AA ED AC 6B 54 FE 31 0B 80 58  /Ø…º_/ªí¬kTþ1.€X
00F69450  A9 74 D4 ED F9 77 7B B2 30 50 47 F3 C0 12 AC 26  ©tÔíùw{²0PGóÀ.¬&
00F69460  6A 40 AD 19 14 C2 AD 2C 92 36 02 78 50 D4 08 D4  j@..Â,’6.xPÔ.Ô
00F69470  06 76 2C 97 0D 2A 7A 19 F4 85 01 6F CD C8 07 C3  .v,—.*z.ô….oÍÈ.Ã
00F69480  25 2D F4 CD 46 2B FE F7 B8 0A 40 9F 97 22 06 5E  %-ôÍF+þ÷¸.@Ÿ—".^
00F69490  4B F1 02 92 01 11 C1 E0 DD AC 84 0D 58 C2 21 66  Kñ.’..ÁàÝ¬„.XÂ!f
00F694A0  25 69 A4 1A C8 E9 DB 4C 5D 31 4E AF 07 2A 43 90  %i¤.ÈéÛL]1N¯.*C.
00F694B0  3E DC 4A 80 FD A7 06 BB 1F 9B D4 75 6C 6C 45 CE  >ÜJ€ý§.».›ÔullEÎ
00F694C0  1A A6 5D D1 9B E9 80 C2 72 CA A8 0B 14 C6 B2 86  .¦]Ñ›é€ÂrÊ¨..Æ²†
00F694D0  E3 37 86 E6 AD DE 2C F9 76 3D 18 62 DD 77 AD 71  ã7†æÞ,ùv=.bÝwq
00F694E0  32 F1 11 FD 17 9E 68 50 B3 A5 7F 41 37 19 63 3A  2ñ.ý.žhP³¥.A7.c:
00F694F0  78 08 19 4D CA 47 AD FF 35 89 52 3E 18 39 F5 A5  x..MÊGÿ5‰R>.9õ¥
00F69500  4B 98 D6 C0 66 68 E0 CA 4B 9F 1A 42 1E A2 EE 79  K˜ÖÀfhàÊKŸ.B.¢îy
00F69510  E6 58 6F FF 58 B1 FE 4F DB FD 27 6F 4C EC 6C 9F  æXoÿX±þOÛý'oLìlŸ
00F69520  B4 B7 F8 9D 30 4A 1E 83 15 47 08 B6 FB 51 00 DA  ´·ø.0J.ƒ.G.¶ûQ.Ú

CECHH (DIA-001) with WDC WD1002FAEX-00Z3A0 drive (1TB) : ROS0: 3.55 / ROS1: 3.73
CECHL (VER-001) with TOSHIBA MK8052GSX (80GB) : ROS0: 3.55 / ROS1: 3.56
CECH20.. (DYN-001) with TOSHIBA MK1255GSX H (120GB) : ROS0: 3.70 / ROS1: 3.70
CECH2004A (DYN-001) with TOSHIBA MK1255GSX H (120GB) : ROS0: 3.72 / ROS1: 3.70
CECH2004 (DYN-001) with Hitachi HTS545025B9SA0 (250GB) / ROS0: 4.11 / ROS1: 4.00

Used by GetOnlineCertificateRevocationListVersion(FlashOCRL%d) inside bdp player
Handled by Iso module AacsModule.spu.isoself
http://www.blu-raydisc.info/format-spec/rom3-spec.php
http://www.blu-raydisc.info/docs/Certificate_Revocation/online.crl <-- exact same as above hex pastie

Bootloader

Location:

NOR: 0xFC0000 - 0xFFFFFF (The last 256KB of flash)
NAND: 0x0000000 - 0x003FFFF (The first 256KB of flash)

Perconsole encrypted (datasize depends on bootldr revision)

NOR: 0xFC0000 - 0xFFFFFF (The last 256KB of flash)

NAND:
0x0000000 - 0x003FFFF (The first 256KB of flash) +
0xF000000 - 0xF03FFFF (The last 256KB of flash)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00FC0000  00 00 2E AB 83 EF B9 76 C4 DE D1 35 32 7C D3 77  ...«ƒï¹vÄÞÑ52|Ów
00FC0010  00 00 2E AB FE 2C 4E 17 E1 67 5C 3A C8 29 8E D1  ...«þ,N.ág\:È)ŽÑ
00FC0020  63 D4 81 95 5D D1 D2 E3 BA A3 2D 0A 98 8B 3C 03  cÔ.•]ÑÒãº£-.˜‹<.
00FC0030  8E 5D D0 E7 2F EE 58 8B C0 73 A2 6D 5E 7F 7A 07  Ž]Ðç/îX‹Às¢m^.z.
00FC0040  47 8B A4 C2 EF B9 3C 60 43 E8 AC 07 F7 8D EE D5  G‹¤Âï¹<`Cè¬.÷.îÕ
00FC0050  67 EE C1 C4 B2 D2 78 98 4C 79 D6 52 49 4D C2 80  gîÁÄ²Òx˜LyÖRIMÂ€
00FC0060  2D C1 F6 21 B7 B1 34 89 94 3B 33 BF B8 C8 EB 73  -Áö!·±4‰”;3¿¸Èës
[...]
00FEEAD0  9B 28 7A 63 41 DF 4D 54 CC F3 D8 FF FB B0 E6 34  ›(zcAßMTÌóØÿû°æ4
00FEEAE0  2B C6 A2 85 E9 3A 83 A1 8C AE 9F 45 C5 F4 9F AA  +Æ¢…é:ƒ¡Œ®ŸEÅôŸª
00FEEAF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00FEEB00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  00 00 2A 2A 5C E4 63 CD 5C 9E B6 7A FE A0 1B 54  ..**\äcÍ\ž¶zþ .T
00000010  00 00 2A 2A 57 D6 52 1B B4 DC AC DF DD 03 3E F6  ..**WÖR.´Ü¬ßÝ.>ö
00000020  95 3E B9 B8 D2 47 B6 B2 CC 40 A7 8E B7 08 45 4E  •>¹¸ÒG¶²Ì@§Ž·.EN
00000030  89 03 90 94 30 34 E0 6B 15 0F D7 23 90 D5 1E B3  ‰..”04àk..×#.Õ.³
00000040  CA DD 19 2C BA 28 44 6D 4E 28 D9 95 EF 04 B2 BA  ÊÝ.,º(DmN(Ù•ï.²º
00000050  86 D1 C6 E2 75 3F 99 99 BF 00 64 19 3A F4 A6 0B  †ÑÆâu?™™¿.d.:ô¦.
00000060  35 1B A4 A1 77 03 CC 93 7C FF 93 08 51 09 BD 79  5.¤¡w.Ì“|ÿ“.Q.½y
...
0002A2C0  5B 60 2C 7C 3A DB 23 55 AF 3D E8 4F 89 E7 BA CF  [`,|:Û#U¯=èO‰çºÏ
0002A2D0  22 68 70 F1 32 6F C2 52 9E 2B 02 12 3E F2 47 67  "hpñ2oÂRž+..>òGg
0002A2E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0002A2F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F000000  00 00 2A 2A 5C E4 63 CD 5C 9E B6 7A FE A0 1B 54  ..**\äcÍ\ž¶zþ .T
0F000010  00 00 2A 2A 57 D6 52 1B B4 DC AC DF DD 03 3E F6  ..**WÖR.´Ü¬ßÝ.>ö
0F000020  95 3E B9 B8 D2 47 B6 B2 CC 40 A7 8E B7 08 45 4E  •>¹¸ÒG¶²Ì@§Ž·.EN
0F000030  89 03 90 94 30 34 E0 6B 15 0F D7 23 90 D5 1E B3  ‰..”04àk..×#.Õ.³
0F000040  CA DD 19 2C BA 28 44 6D 4E 28 D9 95 EF 04 B2 BA  ÊÝ.,º(DmN(Ù•ï.²º
0F000050  86 D1 C6 E2 75 3F 99 99 BF 00 64 19 3A F4 A6 0B  †ÑÆâu?™™¿.d.:ô¦.
0F000060  35 1B A4 A1 77 03 CC 93 7C FF 93 08 51 09 BD 79  5.¤¡w.Ì“|ÿ“.Q.½y
...
0F02A2C0  5B 60 2C 7C 3A DB 23 55 AF 3D E8 4F 89 E7 BA CF  [`,|:Û#U¯=èO‰çºÏ
0F02A2D0  22 68 70 F1 32 6F C2 52 9E 2B 02 12 3E F2 47 67  "hpñ2oÂRž+..>òGg
0F02A2E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0F02A2F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

cell_ext_os_area

NAND only

OtherOS

NAND only

00 filled block

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0EA00040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
0EB7FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

FF filled block

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0EB80000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0EFBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

small non-FF sections (inside FF filled block)

Note: not seen in all NAND dumps.

NAND: 1100

NAND: 0100

NAND: 7F FF FF 11 00

NAND: 7F FF FF 21 00

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00100  FF FF FF FF 11 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00100  FF FF FF FF 01 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00100  FF 7F FF FF 11 00 FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿ..ÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00100  FF 7F FF FF 21 00 FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿ!.ÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00300  FF FF FF FF 11 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00300  FF FF FF FF 01 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿ..ÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00300  FF 7F FF FF 11 00 FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿ..ÿÿÿÿÿÿÿÿÿÿ

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0FF00300  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

[EOF]

Encrypted Files on Flash

Encrypted files on flash appear to have some sort of header

metldr examples

Here are samples of metldr header from 2 different consoles

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

bootldr examples

Here are samples of bootldr header from 2 different consoles

00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«

00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

Observations / Notes

As you can see, some parts appear static depending on their purpose:

metldr

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........

bootldr

00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............

per console in both samples

00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The first 4 bytes appear to reffer to length. eg:

metldr length: 0xE920
0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920
bootldr length:  0x2F4F0
0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0

Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.

new metldr.2

Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù 
  00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

other new metldr

It seems the naming "metldr.2" does not apply to all non downgradeable consoles:

Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A (dump contained ROS with 3.66 and 3.70) This was downgradable.. sorry, the downgrade.bin was not written correctly.. but this time i wrote it ok, so this was not a new metldr console..

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
 00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
 00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
 00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

For comparison, a CECH250.B (JSD-001), with factory 3.56 - datecode 1A which was downgradeable (dump contained ROS with 3.56 and 3.70 before downgrading to 3.55):

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
 00000800   00 00 00 01 00 00 00 01  00 00 00 00 00 02 E8 00   ..............è.
 00000810   00 00 00 00 00 00 00 40  00 00 00 00 00 00 E9 60   .......@......é`
 00000820   6D 65 74 6C 64 72 00 00  00 00 00 00 00 00 00 00   metldr..........
 00000830   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
 00000840   00 00 0E 92 C3 26 6E 4B  BB 28 2E 76 B7 67 70 95   ...’Ã&nK»(.v·gp•

other new metldr mention : https://twitter.com/#!/Mathieulh/status/110779471199604736

WTF 3.50+ consoles have a new additional root key of 0x30 bytes
(3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O

CECH2501B JSD-001 (320GB HDD)without datecode fw 3.66

metldr contains other new value (E9 60), but still downgrades..

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•

another PS3 with CECH2501A wihtout datecode 320 GB HDD and fw 3.66 also contains other new metldr values but still downgrades...


Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000840  00 00 0E 92 C3 26 6E 4B BB 28 2E 76 B7 67 70 95  ...’Ã&nK»(.v·gp•

Dumping your flash

There are many ways you can dump your flash you can choose the way that best fits you, there are some persons studing the flash.. If you can help providing a dump (specially if you have a debug console) search for those persons in IRC Efnet #ps3dev

Payload

Uncomment dump_dev_flash() in graf_payloads compile and run the payload

see Graf's_PSGroove_Payload for more info

Linux

Using graf_chokolo kernel with /dev/ps3nflasha access

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024

Hardware

see Hardware flashing

Dump NAND/NOR from GameOS

precompiled : dump_flash.pkg // backup/mirror: dump_flash.pkg (70.48 KB)
source: dump_flash-src.rar (2.33 KB)

Make sure USB stick is FAT32 with enough free space (16MB per NOR dump, 256MB per NAND dump)

remark: NAND dumps are 239MB because HV masks bootldr, see Hardware flashing #Difference between hardware dumps and software dumps

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        ptr = pkg + 0x10 + 0x30 * i;

        offset = be64(ptr + 0x00);
        size   = be64(ptr + 0x08);

        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

        printf("unpacking %s (size: %d bytes)...\n", name, size);
        memcpy_to_file((char *)name, pkg + offset, size);
}

static void unpack_pkg(void)
{
        u32 n_files;
        u64 size;
        u32 i;

        n_files = be32(pkg + 4);
        size = be64(pkg + 8);

        for (i = 0; i < n_files; i++)
                unpack_file(i);
}

int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* kludge for header, i do not do sanity checks at the moment */
        pkg += 1024;

        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}

Source: http://rms.grafchokolo.com/?p=25

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
	     char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  int iRes, iSize;

  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
	  iEidCount, pFile, iInputSize, iInputSize);

  szBuf = (char *) malloc (iInputSize + 1);
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);

  if (szBuf == NULL)
    {
      perror ("malloc");
      exit (1);
    };

  iSize = fread (szBuf, iInputSize, 1, pFile);
  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  iRes = fwrite (szBuf, iInputSize, 1, pOutput);

  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    };

  free (szBuf);
}

int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
    usage:
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }

  if (argc == 2 && argv[2] != NULL)
    {
      pPrefix = argv[2];
      goto usage;
    }

  fseek (pFile, 0x70, SEEK_SET);

  if (pPrefix != NULL)
    {
      DumpEidData (pFile, 2144, 0, pPrefix);
      DumpEidData (pFile, 672, 1, pPrefix);
      DumpEidData (pFile, 1840, 2, pPrefix);
      DumpEidData (pFile, 256, 3, pPrefix);
      DumpEidData (pFile, 48, 4, pPrefix);
      DumpEidData (pFile, 2560, 5, pPrefix);
    }
  return 0;
}

Source: http://rms.grafchokolo.com/?p=59

Flash Samples

Reference flash dumps

3.55 kmeaw, 2.80 backup: http://www.megaupload.com/?d=J5UKO3HX
3.66 ofw: http://www.mediafire.com/?m7m4mppro66zib5

User flashdumps

Here are some samples of NOR Flash for your dissection. These are taken from different consoles (because it is useless to dump different firmware versions as ROS/RVK will be the same crossconsole)

SKU	ROS0	ROS1	Link	Note
PS3 Phat:
CECHA
CECHB
CECHC
CECHE
CECHG
CECHH
CECHJ
CECHK
CECHL			[1]	3.55-Rogero CECHL03
CECHL			[2]	3.56 CECHL03
CECHL			[3]	3.70 CECHL03
CECHM
CECHP
CECHQ
PS3 Slim:
CECH-20xx	3.65	3.55	[4]	3.65 CECH-2008 A
CECH-20xx	3.56	3.56	[5]	3.56 CECH-2008 B
CECH-20xx	3.42	3.70	[6]	3.70 CECH-2008 B
CECH-20xx	3.72	4.00	[7]	4.00 CECH-2008 B
CECH-21xx
CECH-25xx	3.66	3.56	[8]	3.60 CECH-2508 B
CECH-25xx	3.66	3.72	[9]	3.72 CECH-2508 B
CECH-30xx

Talk:Flash Structure

First Region

trvk_prg

Header

example

structure

trvk_prg File Entries

trvk_prg0

example

structure

trvk_prg1

example

structure

trvk_pkg

Header

example

structure

trvk_pkg File Entries

trvk_pkg0

example

structure

trvk_pkg1

example

structure

creserved_0

example

structure

ros

Header

example

structure

ros Entries

ros0

header

example

structure

Entry Table

example

structure

ros1

header

example

structure

Entry Table

example

structure

Second Region

Header - 0FACE0FF DEADFACE

example

structure

00 filled block

example

structure

Unknown block

example

structure

00 filled block

example

structure

Unknown block

example

structure

00 filled block

example

structure

unreferenced area

example

structure

CELL_EXTNOR_AREA

Header

1

00 filled

Harddrive info

00 filled

2

00 filled

3

00 filled

FF filled

4