Hardware flashing

From PS3 Developer wiki
Jump to navigation Jump to search
Typical NOR flashing requires 16 Data wires, 23 Address wires and 3-4 control wires

Both early launch consoles which feature NAND flash memory and later consoles which feature NOR flash memory are able to be flashed. Currently the preferred method of flashing the dual-NAND consoles is by using an infectus modchip or similar.


Marcan has made a NOR flasher / address sniffer for his PS3 slim by re-purposing a FPGA board made for Wii hacking. noralizer is a git repo that contains the HDL (verilog) and associated host computer tools for flashing/sniffing. There are ~50 signals to solder. Some PS3s contain two NAND flashes (block devices, that interleave their data unlike NOR flash).


Work is currently underway to brink a low cost AVR based NOR flasher that is capable of reading and writing on all consoles by defyboy.

NOR Interface Testpoints

Probably to aid in factory programming, Sony provides NOR testpoints on the bottomside of the motherboard. There are 16 data lines (Word access) and generally 23 Address lines. You will also need to control Chip Enable (#CE), Write Enable (#WE), Tristate (SB_DISABLE) and for some boards Write Protect (#WP)

Tristate

Tristate, or as it is referred to in the service manuals SB_DISABLE exists solely for the purpose of placing the South Bridge pins into high-impedance (the third state) so that we can access the flash without the South Bridge interfering.

Because the tristate pin is not connected to the NOR flash TSOP package, but to the South Bridge BGA package, this makes tracing the pin quite difficult. One should be able to locate it by having the running you could ground out the unknown pins whilst checking the continuity of a known address or data line against ground. These should enter high-impedance or no-continuity when you ground out SB_DISABLE.

Connecting NOR pads to flasher

Teensy 2.0 ++ connection diagram for PS3 NOR pads))
Progskeet NAND/NOR flasher board, based on Actel MCU, see http://progskeet.com/)
PAD Progskeet Teensy2.0++
NORway
A0 adr0 F0
A1 adr1 F1
A2 adr2 F2
A3 adr3 F3
A4 adr4 F4
A5 adr5 F5
A6 adr6 F6
A7 adr7 F7
A8 adr8 PA0
A9 adr9 PA1
A10 adr10 PA2
A11 adr11 PA3
A12 adr12 PA4
A13 adr13 PA5
A14 adr14 PA6
A15 adr15 PA7
A16 adr16 B0
A17 adr17 B1
A18 adr18 B2
A19 adr19 B3
A20 adr20 B4
A21 adr21 B5
A22 adr22 B6
DQ0 dq0 D0
DQ1 dq1 D1
DQ2 dq2 D2
DQ3 dq3 D3
DQ4 dq4 D4
DQ5 dq5 D5
DQ6 dq6 D6
DQ7 dq7 D7
DQ8 dq8 C0
DQ9 dq9 C1
DQ10 dq10 C2
DQ11 dq11 C3
DQ12 dq12 C4
DQ13 dq13 C5
DQ14 dq14 C6
DQ15 dq15 C7
#WE we E5
CE# gp0 E0
RESET gp1 E4
TRISTATE gp2 E7
WP# gp3 ?tied to Vcc?
OE# oe E1
RY/BY# rdy E6
VSS GND GND

Notes: The Teensy requires a 3.3V voltage regulator! 5V trace has to be cut and 3V pads have to be shorted! Please refer to https://www.pjrc.com/teensy/3volt.html

Also note that Teensy can be very slow: 0:05:11 for a full dump/read, 0:01:35 per sector write or 2:08:19 for a full write (16384 KB or 128 sectors) // Comparison with Progskeet: 0:00:16 for a full dump/read, 0:00:00.365 per sector write or 0:00:46.811 for a full write (16384 KB or 128 sectors)

Board Revisions

COK-001, COK-002, SEM-001

These are the earliest revisions of the PS3 motherboard (CECHA, CECHB, CECHC, CECHE, CECHG) and contain 2 x Samsung K9F1G08U0A-PIB0 128MB NAND Chips for a total of 256MB. These chips are interleaved which is controlled by a proprietary controller chip codenamed "Starship2" or SS2. This chip handles the interleaving and presents the NANDS to the South Bridge as a single large coherent NOR Chip.


DIA-001, DIA-002

These boards were the first to get the NOR flash memory from the middle revisions of the PS3 (CECHH, CECHJ, CECHK). Only a single Spansion S29GL128N90TFIR2 16MB NOR flash chip is used and the Starship2 chip has been completely removed. The 128N is JEDEC CFI compliant and organized as 8,388,608 words or 16,777,216 bytes, addressable as 16-bit words (PS3 modus operandi) and 8-bit / 1 byte when the BYTE# signal is logic zero.


VER-001

Used in the last revisions of the fatter model PS3 (CECHL, CECHM, CECHP, CECHQ), again with the single Spansion S29GL128N90TFIR2 16MB NOR flash with the exception of the CECHL which used a Samsung K8Q2815UQB-P14B 16MB NOR flash.


JSD-001

This is the pinout originally supplied by Marcan for a CECH-2504A, Points match those taken from a CECH-2504B slim console. Most slims may carry this arrangement.


Pinout Gallery