Software Dumping

Software dumping

Masking by hypervisor on NAND consoles

software dumps: dump size = 239 MB (251,396,096 bytes)
bootldr not at 0x000000 on NAND :

00000000   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000010   00 00 00 00 0F AC E0 FF  00 00 00 00 DE AD BE EF   .....Â¬Ã Ã¿....ÃžÂÂ¾Ã¯

reason:

addi    %r12, %r4, 0x200 # r4 = start sector

256MB NAND consoles have a hidden section of size 0x40000 (0x200 * 512 byte sector = 0x40000) hidden by the hv. The hv hides it at address 002786E8

To be able to dump that section, it needs to be unmasked, using poke

Original code : 0x39840200f8010090
Change to : 0x39840000f8010090

Note: Memdump 0.1 does unmasking onthefly when needed.

Dump flash from GameOS

Memdump

Memdump - main screen

Memdump - about screen

Memdump - help screen

Memdump - lv1 screen

Memdump - lv2 screen

PS3 memory dumping tool that can dump lv1, lv2, NAND/NOR Flash, and eEID from GameOS.

Download:

Applicable firmwares

FW	lv1	lv2	Flash	eEID	0.01 FINAL
FW	lv1	lv2	Flash	eEID	Logs	Notes
<=2.60 CEX/Retail	N / A	N / A	N / A	N / A	Not available as target version atm
<=2.60 DEX/Debug	N / A	N / A	N / A	N / A	Not available as target version atm
2.70 CEX/Retail	Yes	Yes	Yes	Yes
2.70 DEX/Debug	Yes	Yes	Yes	Yes
2.76 CEX/Retail	Yes	Yes	Yes	Yes
2.76 DEX/Debug	Yes	Yes	Yes	Yes
2.80 CEX/Retail	Yes	Yes	Yes	Yes
2.80 DEX/Debug	Yes	Yes	Yes	Yes
3.00 CEX/Retail	Yes	Yes	Yes	Yes
3.00 DEX/Debug	Yes	Yes	Yes	Yes
3.01 CEX/Retail	Yes	Yes	Yes	Yes
3.01 DEX/Debug	Yes	Yes	Yes	Yes
3.10 CEX/Retail	Yes	Yes	Yes	Yes
3.10 DEX/Debug	Yes	Yes	Yes	Yes
3.15 CEX/Retail	Yes	Yes	Yes	Yes
3.15 DEX/Debug	Yes	Yes	Yes	Yes
3.20 DEX/Debug	Yes	Yes	Yes	Yes
3.21 CEX/Retail	Yes	Yes	Yes	Yes
3.21 DEX/Debug	Yes	Yes	Yes	Yes
3.30 CEX/Retail	Yes	Yes	Yes	Yes
3.30 DEX/Debug	Yes	Yes	Yes	Yes
3.40 CEX/Retail	Yes	Yes	Yes	Yes
3.41 CEX/Retail	Yes	Yes	Yes	Yes
3.41 DEX/Debug	Yes	Yes	Yes	Yes
3.42 CEX/Retail	Yes	Yes	Yes	Yes
3.50 CEX/Retail	Yes	Yes	Yes	Yes
3.50 DEX/Debug	Yes	Yes	Yes	Yes
3.55 CEX/Retail	Yes	Yes	Yes	Yes
3.55 DEX/Debug	Yes	Yes	Yes	Yes
3.56 CEX/Retail	Pending	Pending	Pending	Pending
3.56 DEX/Debug	Pending	Pending	Pending	Pending
=>3.60 CEX/Retail	N / A	N / A	N / A	N / A	Not available as target version atm
=>3.60 DEX/Debug	N / A	N / A	N / A	N / A	Not available as target version atm

Legenda

NA : Not Available as target version (mostly because of missing lv1:mmap114 or lv2:peek/poke patches)
Yes: Fully supported
No: Not supported
Partial: Some functions work, others might not be complete
Pending: No reports yet (help out by sending in your logs and dumps in a ZIP/RAR/7z!)

Known bugs

buttons do not come back up after pressing -> to be fixed in v0.02 (button handler thread)
exit app gives rightscreen black triangle -> to be fixed in v0.02 (cleanup RSX buffer)
when free space is 0 bytes when dumping, application will halt -> to be fixed in v0.02 (check freespace first)

Current limitations

Needs mmap114+peek/poke as minimal patches
Can be buggy with strange spoofs
No reports yet on Kiosk/SEX & Tool/DECR models
NAND only : second bootldr at 0xF000000 - 0xF03FFFF (The last 256KB of flash) will be missing. Just copypaste the first bootldr 0x0000000 - 0x003FFFF (The first 256KB of flash), they are the same. Also, a console boots fine with only the first one.

MultiMAN

....

Glevand' dump_flash.pkg

USB Flash Dump

NAND: Make sure USB stick is FAT32 with enough free space (256MB per dump) - bootldr missing because of masking
NOR: Make sure USB stick is FAT32 with enough free space (16MB per dump)

Dumping flash from Linux

NAND

dd if=/dev/ps3flash of=NAND.BIN bs=1024

or

dd if=/dev/ps3vflasha of=NAND.BIN bs=1024

(needs unmasking, otherwise bootldr missing)

NOR

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024

Software Dumping

Contents