Hardware flashing

From PS3 Developer wiki
Revision as of 21:23, 9 August 2011 by Judges (talk | contribs) (NORway download link updated)
Jump to navigation Jump to search
Progskeet wired to NANDs of a COK-002 board (photo:idone)

Typical NOR flashing requires 16 Data wires, 23 Address wires and 3-4 control wires to the NOR pads (photo:defyboy)

Both early launch consoles which feature NAND flash memory (block devices, that interleave their data unlike NOR flash) and later consoles which feature NOR flash memory are able to be flashed. Currently the preferred method of flashing the dual-NAND consoles is by using an infectus modchip or similar (e.g. Progskeet).

Marcan has made a NOR flasher / address sniffer for his PS3 slim by re-purposing a FPGA board (Xilinx Spartan3E XC3S500E) made for Wii hacking. noralizer is a git repo that contains the HDL (verilog) and associated host computer tools for flashing/sniffing. There are ~50 signals to solder.

Work has been underway to brink a low cost AVR (Atmel 90USB1286) based NOR flasher that is capable of reading and writing on all consoles by defyboy. Other people havent been sitting idle either: uf6667 and Icekiller have developed Progskeet, based on a Actel A3P125 MCU for NAND ánd NOR based consoles and "no_one" has developed PNM - Project Nor Manager.

NAND Wiring

Flashers for NAND based consoles (CECHA/COK-001, CECHB/COK-001, CECHC/COK-002, CECHD/unreleased, CECHE/COK-002W, CECHF/unreleased, CECHG/SEM-001) are generaly wired directly to the pins of the NAND, plus ground and Vcc. For NAND pinouts see: Flash (Hardware) #NAND

There are 2 nands interleaved at the 512byte sectors level, giving a 1024 byte "interleaved sector". pages are 2kb on each nand.

Dual NAND connection to Progskeet diagram, see http://progskeet.com/

Dual NAND connection to Infectus diagram
Chip/PIN Description Progskeet Infectus Description
NAND 0
0/1-6 NC NC NC No Connection
0/7 R/B 3 / gp13 A9 Read/Busy Output
0/8 RE 98 / gp15 A15 Read Enable
0/9 CE 7 / gp9 A14 Chip Enable
0/10+11 NC NC NC No Connection
0/12 Vcc +3.3 not used / not connected Vcc (min 2.7V-max 3.6V / typ 3.3V)
0/13 Vss GND not used / not connected VSS - Ground
0/14+15 NC NC NC No Connection
0/16 CLE 4 / gp12 A13 Command Latch Enable
0/17 ALE 5 / gp11 A12 Address Latch Enable
0/18 WE 2 / gp14 A11 Write Enable
0/19 WP 6 / gp10 A10 Write Protect
0/20-28 NC NC NC No Connection
0/29 I/O-0 90 / dq8 A0
0/30 I/O-1 91 / dq9 A1
0/31 I/O-2 92 / dq10 A2
0/32 I/O-3 93 / dq11 A3
0/33-35 NC NC NC No Connection
0/36 Vss GND not used / not connected VSS - Ground
0/37 Vcc +3.3 not used / not connected Vcc (min 2.7V-max 3.6V / typ 3.3V)
0/38-40 NC NC NC No Connection
0/41 I/O-4 94 / dq12 A4
0/42 I/O-5 95 / dq13 A5
0/43 I/O-6 96 / dq14 A6
0/44 I/O-7 97 / dq15 A7
0/45-48 NC NC NC No Connection
Chip/PIN Description Progskeet Infectus Description
NAND 1
1/1-6 NC NC NC No Connection
1/7 R/B 64 / rdy U Read/Busy Output
1/8 RE 69 / oe M Read Enable
1/9 CE 60 / gp3 N Chip Enable
1/10+11 NC NC NC No Connection
1/12 Vcc +3.3 not used / not connected Vcc (min 2.7V-max 3.6V / typ 3.3V)
1/13 Vss GND not used / not connected VSS - Ground
1/14+15 NC NC NC No Connection
1/16 CLE 63 / gp0 O Command Latch Enable
1/17 ALE 62 / gp1 P Address Latch Enable
1/18 WE 65 / we Q Write Enable
1/19 WP 61 / gp2 T Write Protect
1/20-28 NC NC NC No Connection
1/29 I/O-0 79 / dq0 D0
1/30 I/O-1 80 / dq1 D1
1/31 I/O-2 81 / dq2 D2
1/32 I/O-3 82 / dq3 D3
1/33-35 NC NC NC No Connection
1/36 Vss GND not used / not connected VSS - Ground
1/37 Vcc +3.3 not used / not connected Vcc (min 2.7V-max 3.6V / typ 3.3V)
1/38-40 NC NC NC No Connection
1/41 I/O-4 83 / dq4 D4
1/42 I/O-5 84 / dq5 D5
1/43 I/O-6 85 / dq6 D6
1/44 I/O-7 86 / dq7 D7
1/45-48 NC NC NC No Connection
Board trace
GND Vss not used / not connected GND VSS - Ground
+5V Vcc not used / not connected 5V Vcc (typ +5VDC) from TH3401

Remarks:

  • Progskeet is feeded from NAND 3.3V
  • Infectus is feeded from +5V board trace.
  • NAND's are feeded in both cases by the console itself.

Progskeet Note: Some modification is needed for Progskeet to unbrick:

  • desolder R8 from the Progskeet PCB (to disable the connection from pad R8 to left pad R7)
  • left pin of switch to left lead of R7, middle pin of switch to right lead of R7
  • Vcc to +3.3 // put switch in "OFF" (right) postion, power on the ps3, put the switch in the "ON"/left position, it will be recognized by the PC, NAND is always on now, do everything as usual.


Using NAND flashers

Progskeet

... nothing yet ... please help by adding this :)

put switch in "OFF" (R7 is open) position so that progskeet is not powered.
power on the ps3 and wait for 20-25 seconds,
put the switch in the "ON" (R7 closed) position, so progskeet is powered and will be recognized by the PC.
NAND is always on now, do everything as usual
select Big Block
select Raw
Pages per block: 64
blocks: 1024

That will give you 132MB (138,412,032 bytes) per NAND (dump time ~ 00:02:40 per NAND)

downloads

All downloads are available here

Infectus

For Infectus don't use 3.9.9.0, as it removes dual NAND PS3 support :S If your board already came with this version or higher, use this: prepare_infectus_for_ps3.rar (5.53 MB) If it is done, it will show up as "2 NAND Programmer" in the bottom left. Dual NAND PS3 compatible version: Infectus_programmer_3.8_Beta_2.zip (4.02 MB)

Power the Infectus, it crashes the PS3 and leaves the NANDs in powered mode. Use the console to power the NANDs: power it up until the PS3 crashes and halts with red flashing LED, press power again to stop the flashing, but keeps the console powered on. The NANDs are not accessed by the PS3 in this way, so it doesn't matter if the NAND content is already messed up. After that, you can read/write the NANDs.

Dumping of single NAND should take about 15 minutes, 30 minutes for both.

Needed NAND tools

In case the flasher program doesnt understand dual NAND de/interleaving you'll need : FlowRebuilder v.4.1.0.0

Dump NAND from GameOS

dump_flash.pkg // backup/mirror: dump-flash+syscon.rar (280.51 KB)
Make sure USB stick is FAT32 with enough free space (256MB per dump)

Difference between hardware dumps and software dumps

ps3vflasha

hardware dumps

256 MB (268,435,456 bytes) bootldr is at 0x000000 on NAND (0xFC0000 on NOR)

software dumps

dump size = 239 MB (251,396,096 bytes)
bootldr not at 0x000000 on NAND :

00000000   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000010   00 00 00 00 0F AC E0 FF  00 00 00 00 DE AD BE EF   .....¬à ÿ....Þ­¾ï

reason:

addi    %r12, %r4, 0x200 # r4 = start sector

25MB NAND consoles have a hidden section of size 0x40000 (0x200 * 512 byte sector = 0x40000) hidden by the hv. The hv hides it at address 002786E8

Original code : 0x39840200f8010090
Change to : 0x39840000f8010090

Too dangerous to patch unless you peek/poke because obviously it messes with all the offsets


'NOR' Interface Testpoints on NAND consoles

Simular as on the NOR based consoles testpoints can be found on the back of the PCB. It seems these are from the bus between the South Bridge and the Starship2. Attempts have been made to document/trace these. Addresslines 0-17 and Datalines 0-15 as well as some controllines are documented but so far these could not be used to read/flash the console in a NOR fashion.

NOR Interface Testpoints

Probably to aid in factory programming, Sony provides NOR testpoints on the bottomside of the motherboard. There are 16 data lines (Word access) and generally 23 Address lines. You will also need to control Chip Enable (#CE), Write Enable (#WE), Tristate (SB_DISABLE) and for some boards Write Protect (#WP)

Tristate

Tristate, or as it is referred to in the service manuals SB_DISABLE exists solely for the purpose of placing the South Bridge pins into high-impedance (the third state) so that we can access the flash without the South Bridge interfering.

Because the tristate pin is not connected to the NOR flash TSOP package, but to the South Bridge BGA package, this makes tracing the pin quite difficult. One should be able to locate it by having the running you could ground out the unknown pins whilst checking the continuity of a known address or data line against ground. These should enter high-impedance or no-continuity when you ground out SB_DISABLE.

Connecting NOR pads to flasher

Teensy 2.0 ++ connection diagram for PS3 NOR pads))
Progskeet NAND/NOR flasher board, based on Actel MCU, see http://progskeet.com/)
PAD Progskeet Teensy2.0++
NORway
A0 adr0 F0
A1 adr1 F1
A2 adr2 F2
A3 adr3 F3
A4 adr4 F4
A5 adr5 F5
A6 adr6 F6
A7 adr7 F7
A8 adr8 PA0
A9 adr9 PA1
A10 adr10 PA2
A11 adr11 PA3
A12 adr12 PA4
A13 adr13 PA5
A14 adr14 PA6
A15 adr15 PA7
A16 adr16 B0
A17 adr17 B1
A18 adr18 B2
A19 adr19 B3
A20 adr20 B4
A21 adr21 B5
A22 adr22 B6
DQ0 dq0 D0
DQ1 dq1 D1
DQ2 dq2 D2
DQ3 dq3 D3
DQ4 dq4 D4
DQ5 dq5 D5
DQ6 dq6 D6
DQ7 dq7 D7
DQ8 dq8 C0
DQ9 dq9 C1
DQ10 dq10 C2
DQ11 dq11 C3
DQ12 dq12 C4
DQ13 dq13 C5
DQ14 dq14 C6
DQ15 dq15 C7
#WE we E5
CE# gp0 E0
RESET gp1 E4
TRISTATE gp2 E7
WP# gp3 ?tied to Vcc?
OE# oe E1
RY/BY# rdy E6
VSS GND GND

Progskeet Note: Some modification is needed for Progskeet to unbrick:

  • desolder R8 from the Progskeet PCB
  • left pin of switch to left lead of R7, middle pin of switch to right lead of R7
  • Vcc to +3.3 // put switch in "OFF" (right) postion, power on the ps3, put the switch in the "ON"/left position, it will be recognized by the PC, NOR is always on now, do everything as usual.

Notes: The Teensy requires a 3.3V voltage regulator! 5V trace has to be cut and 3V pads have to be shorted! Please refer to https://www.pjrc.com/teensy/3volt.html
Performance Teensy: 0:00:45 for a full dump/read (364 KB/s), 0:00:05.351 per sector write or 0:08:19 for a full write (32,83 KB/s) // Comparison with Progskeet: 0:00:16 for a full dump/read (~1MB/s), 0:00:00.365 per sector write or 0:00:46.811 for a full write (~300-400KB/s).


Using NOR flashers

Progskeet

take the cable out the back
plug it back in
put the switch on "off"
power on
wait 10 seconds
put the switch on "on"
dump
128kB sector, 128 sectors

Needed NOR tools


Dump NOR from GameOS

dump_flash.pkg // backup/mirror: dump-flash+syscon.rar (280.51 KB)
Make sure USB stick is FAT32 with enough free space (16MB per dump)

Board Revisions

COK-001, COK-002, SEM-001

These are the earliest revisions of the PS3 motherboard (CECHA, CECHB, CECHC, CECHE, CECHG) and contain 2 x Samsung K9F1G08U0A-PIB0 128MB NAND Chips for a total of 256MB. These chips are interleaved which is controlled by a proprietary controller chip codenamed "Starship2" or SS2. This chip handles the interleaving and presents the NAND Chips to the South Bridge as a single large coherent NOR Chip.

DIA-001, DIA-002

These boards were the first to get the NOR flash memory from the middle revisions of the PS3 (CECHH, CECHJ, CECHK). Only a single Spansion S29GL128N90TFIR2 16MB NOR flash chip is used and the Starship2 chip has been completely removed. The 128N is JEDEC CFI compliant and organized as 8,388,608 words or 16,777,216 bytes, addressable as 16-bit words (PS3 modus operandi) and 8-bit / 1 byte when the BYTE# signal is logic zero.


VER-001

Used in the last revisions of the fatter model PS3 (CECHL, CECHM, CECHP, CECHQ), again with the single Spansion S29GL128N90TFIR2 16MB NOR flash with the exception of the CECHL which used a Samsung K8Q2815UQB-P14B 16MB NOR flash.


JSD-001

This is the pinout originally supplied by Marcan for a CECH-2504A, Points match those taken from a CECH-2504B slim console. Most slims may carry this arrangement.


Pinout Gallery

Missing / requested :

  • COK-002 (NAND)
  • COK-002W (NAND)
  • SEM-001 (NAND)
  • DIA-002 (NOR)
  • SUR-001 (NOR) some difference in components of JSD-001, need tracing (confirmed not reading/writing using the JSD-001 wiring with ProgSkeet)
  • JTP-001 (NOR) seems visually the same as JSD-001, but need tracing+confirmation
  • KTE-001 (NOR)

Generic wire reference

Wire thickness AWG/mm :

   18 AWG - .0403" / 1.024mm
   20 AWG - .0320" / 0.812mm
   22 AWG - .0253" / 0.644mm
   24 AWG - .0201" / 0.511mm
   26 AWG - .0159" / 0.405mm
   28 AWG - .0126" / 0.321mm
   30 AWG - .0100" / 0.255mm

For wiring, use 20-26 AWG. 18 can be too stiff while 28 is too fragile. 24 AWG works fine in most cases. The Ground and VCC wires may ofcourse be thicker than the signal wires.

Generic unresolved issues

  1. (user:sel99) : CECHG / SEM-001 - 1-875-384-31 - can dump both NANDs fine, have trouble writing - both with Infectus and Progskeet. Boards below CECHG / SEM-001 flash fine. Others having the same issues?


Progskeet QA/problem solving

Generic advice

Be up to date

Always make sure you used the latest diagrams, drivers and flasher software from progskeet.com

No shorts

Before doing anything, make 100% sure you wired up everything correct (no address/data IO lines mixed? all controllines hooked up? power/ground in order? etc.) and no shorts are made where there should not.

Error : libusb0.dll or libusb0.sys not found

The libusb-win32 Kernel Driver needed for the the flasher to get access to the USB port was not installed. Make sure you unpacked the drivers_xxxxxx file and installed the Progskeet driver (VendorID:1988 / ProductID:0001 in case you need it).

Error : side-by-side configuration is incorrect

In case of "the application has failed to start because its side-by-side configuration is incorrect" make sure Microsoft Visual C 9.0 runtime is installed and "Windows Installer" is not disabled (set to manual or automatic) in Services.msc

Error : incorrect parameter

Make sure you selected the correct values for your NOR/NAND device. E.g. :

  • NOR: 128kB sector, 128 sectors
  • NAND: select Big Block, select Raw, Pages per block: 64, blocks: 1024