Flash:Individual System Data - cISD

From PS3 Developer wiki
Revision as of 00:24, 9 March 2024 by Zecoxao (talk | contribs) (→‎structure)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Individual System Data - cISD

This section of flash contains Console Specific information

cISD contains core information such as Gelic Ethernet MAC address

Header

Length: 0x10

example

NOR: 0003F000 - 0003F00F NAND: 00090800 - 0009080F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0003F000  00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00  .......p........
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00090800  00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00  .......p........

structure

Address Length Value Description
0x0 0x4 0x3 Number of entries (3 entries: cISD0, cISD1, and cISD2)
0x4 0x4 0x270 cISD length (included header, file table, and all entries)
0x8 0x8 0x0 Unknown/Blank

File Table

0x10 per entry:

example

NOR: 0003F010 - 0003F03F NAND: 00090810 - 0009083F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0003F010  00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00  ...@... ........
0003F020  00 00 00 60 00 00 02 00 00 00 00 00 00 00 00 01  ...`............
0003F030  00 00 02 60 00 00 00 10 00 00 00 00 00 00 00 02  ...`............
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00090810  00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00  ...@... ........
00090820  00 00 00 60 00 00 02 00 00 00 00 00 00 00 00 01  ...`............
00090830  00 00 02 60 00 00 00 10 00 00 00 00 00 00 00 02  ...`............

structure

Address Length Value Description
0x0 0x4 0x40 Entry point
0x4 0x4 0x20 Length
0x8 0x8 0x0 Entry number

Typical cISD entry addresses and lengths

Entry point listed is offset from base cISD address (NOR:0x003F000 / NAND:0x0090800 in these examples)
Absolute start address is base cISD address + Entry point
Absolute end address is base cISD address + Entry point + Length

Entry Entry point Length Entry number NOR Address NAND Address
start end start end
cISD0 0x40 0x20 0x0 0x003F040 0x003F060 0x0090840 0x0090860
cISD1 0x60 0x200 0x1 0x003F060 0x003F260 0x0090860 0x0090A60
cISD2 0x260 0x10 0x2 0x003F260 0x003F270 0x0090A60 0x0090A70


cISD0

Length: 0x20

example

NOR: 0003F040 - 0003F05F NAND: 00090840 - 0009085F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0003F040  00 1F A7 E3 82 DC FF FF FF FF FF FF FF FF FF FF  ..§ã‚Üÿÿÿÿÿÿÿÿÿÿ
0003F050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00090840  00 19 C5 BE 7D 50 FF FF FF FF FF FF FF FF FF FF  ..ž}Pÿÿÿÿÿÿÿÿÿÿ
00090850  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

structure

Address Length Value Description
0x0 0x8 0x1FA7E382DC MAC Address 0 (cannot change, tied to MAC in syscon)
0x8 0x8 0xFF... MAC Address 1
0x10 0x8 0xFF... MAC Address 2
0x18 0x8 0xFF... MAC Address 3

cISD1

Length: 0x200

example

NOR: 0x03F060 - 0x03F25F NAND: 0x090860 - 0x090A5F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0003F060  7F 49 44 4C 00 02 00 60 01 00 00 02 01 33 B2 B6  .IDL...`.....3²¶
0003F070  30 31 43 41 30 31 37 36 34 31 30 34 36 37 31 38  01CA017641046718
0003F080  30 33 30 35 34 39 34 30 30 30 30 30 30 30 32 30  0305494000000020
0003F090  32 37 34 33 38 34 31 36 34 30 30 36 31 33 32 39  2743841640061329
0003F0A0  31 31 39 32 00 73 00 73 00 96 00 01 FF FF FF FF  1192.s.s.–..ÿÿÿÿ
0003F0B0  00 02 00 11 00 02 00 12 00 00 00 00 01 8B 39 46  .............‹9F
0003F0C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003F240  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F250  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
00090860  7F 49 44 4C 00 02 00 60 01 00 00 02 00 61 21 CB  .IDL...`.....a!Ë
00090870  30 31 43 35 31 38 30 30 35 39 30 44 37 37 30 45  01C51800590D770E
00090880  30 39 31 34 30 30 34 30 30 30 30 30 30 30 30 30  0914004000000000
00090890  32 37 34 33 30 31 37 39 33 48 41 31 30 37 31 37  274301793HA10717
000908A0  38 32 32 44 00 28 00 28 00 38 00 01 FF FF FF FF  822D.(.(.8..ÿÿÿÿ
000908B0  00 01 00 11 00 02 00 12 00 00 00 00 00 6E 38 61  .............n8a
000908C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
00090A40  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00090A50  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

structure

  • From testbench fw
printf("[INFO]: ISD: % 17s: %.32s\n", "ECID", v6 + 0x10);//ECID
printf("[INFO]: ISD: % 17s: %.12s\n", "BoardID", v6 + 0x38);//KibanID or BoardID
printf("[INFO]: ISD: BootLoaderVersion: %04X\n", *((unsigned __int16 *)v6 + 0x22));//0x44(2)
printf("[INFO]: ISD:  OSUpdaterVersion: %04X\n", *((unsigned __int16 *)v6 + 0x23));//0x46(2)
printf("[INFO]: ISD:  BoardDiagVersion: %04X\n", *((unsigned __int16 *)v6 + 0x24));//0x48(2)
printf("[INFO]: ISD: ConfigBootVersion: %04X\n", *((unsigned __int16 *)v6 + 0x25));//0x4A(2) or ckp_data?
//0x4C
//0x4E
printf("[INFO]: ISD: CKP2 ManagementID: %04X\n", *((unsigned __int16 *)v6 + 0x28));//0x50(2)
printf("[INFO]: ISD:    LibBootVersion: %04X\n", *((unsigned __int16 *)v6 + 0x29));//0x52(2)
printf("[INFO]: ISD: CKP1 ManagementID: %08X%08X\n",*((unsigned int *)v6 + 0x16),*((unsigned int *)v6 + 0x17));//0x58 (00000000) and 0x5C (increment, random)          
Address Length Value Description
0x00 0x4 0x7F49444C magic, header of IDLog (IDLog size - 0x5F)
0x04 0x2 0x0002 config version
0x06 0x2 0x0060 Start offset of "available area" (end offset of used area)
0x08 0x2 0x0100 Unknown
0x0A 0x6 0x00020133B2B6 CID aka Customer ID or Serial Number - varies per console (BL/Metldr per console keys + EID root keys calculated from this value on Sony's server) / Notice that the value in hex is actually in Ascii, so 00020133B2B6 / Can also be fetched at MMIO, sent by the config ring during POR / Similar to Fuse ID on PSP (Fuse ID is 6 bytes and a unique value in the Playstation Portable).
Every refurfished consoles seems to have that value starting with 0x0FFF, versus 0x0001 or 0x0002 for virgin ones.
0x10 0x20 Ascii: 01CA0176410467180305494000000020 eCID (maybe official name is VisibleId, see PSVita NVS) - varies per console / Encrypted CID from above
0x30 0x8 Ascii: 27438416 board_id aka pd_label - part of console serial number. Note: not seen on the white serial sticker in all regions. Sample with (Europe) and without (USA). On prototypes it's in the format TS3XY... where X is the console type and Y the Chassis Type. This id is always the same if the same board is used, excluding retail  CEX  targets.
0x38 0xC Ascii: 400613291192 kiban_id (機番 = machine number) - barcode on the board ( SD  Vertigo barcode contains FN letters)
0x44 0x2 0x0073 BootLoaderVersion (examples see talkpage)
0x46 0x2 0x0073 OSUpdaterVersion (examples see talkpage)
0x48 0x2 0x0096 BoardDiagVersion (examples see talkpage)
0x4A 0x2 0x0001 ConfigBootVersion (or ckp_data from objsuites RE) - semistatic (0xFFFF on  DEX  / DECR / ARC ) (0x0002 on  SD )
0x4C 0x4 0xFFFFFFFF Likely padding
0x50 0x2 0x0001 CKP2 ManagementID - varies per console - semistatic see talkpage
0x52 0x2 0x0011 LibBootVersion - varies per console - semistatic see talkpage
0x54 0x2 0x0002 Unknown (examples see talkpage)
0x56 0x2 0x0012 Unknown (examples see talkpage)
0x58 0x8 0x00000000018B3946 CKP1 ManagementID (varies per console) (split in two halfs as seen on TB fw)
seen FF filled on  ARC  Arcade,  DEX  Debug (Related to the Bluray Drive) - also stored at EID3
0x60 0x1A0 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF... Available area (filled with FF's when not used)

cISD2

Length: 0x10

example

NOR: 0003F260 - 0003F26F NAND: 00090A60 - 00090A6F
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
0003F260  1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .ÿ..............
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
00090A60  1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .ÿ..............

structure

Address Length Value Description
0x0 0x8 0x1FFF000000000000 Wireless LAN Channel Info ("wlan_data1")
0x0000000000000000 (no WiFi) e.g.  ARC  Arcade units
0x07FF000000000000 (USA)
0x07FF020000000000 (USA) e.g. DECR-1000A
0x1FFF000000000000 (EU)
0x3FFF000000000000 (Japan)
0x8 0x8 0x0 always seen 00 filled ("wlan_data2")

unreferenced area

Is just a "padding" to fit the whole size to 0x800 (2048 bytes)

cISD length is 0x270 (entire cISD area included header, file table, and all entries) + this padding 0x590 = 0x800

example

NOR: 0003F270 - 0003F7FF NAND: 00090A70 - 00090FFF
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0003F270  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F280  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003F7E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F7F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00090A70  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00090A80  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
00090FE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00090FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

structure

Address Length Value Description
0x0 0x590 0xFF FF filled area