Talk:Flash

From PS3 Developer wiki


List of files on NOR Flash (OLD/historic)

Note: this is the old table that defyboy made; a more current one, with absolute values and for all firmware versions, is on the Flash mainpage.

The following is a list of files stored in NOR Flash.

| Name | TOC Offset | TOC Index | Start Offset (Relative) | Start Offset (Absolute) | End Offset (Relative) | End Offset (Absolute) | Size | Notes |
|---|---|---|---|---|---|---|---|---|
| asecure_loader | 0x400 | 0 | 0x400 | 0x810 | 0x2E800 | 0x2F010 | 0x2E800 (190,464 bytes) | aka metldr |
| eEID | 0x400 | 1 | 0x2EC00 | 0x2F010 | 0x3EC00 | 0x3F010 | 0x10000 (65,636 bytes) | IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID |
| cISD | 0x400 | 2 | 0x3EC00 | 0x3F010 | 0x3F400 | 0x3F810 | 0x800 (2,048 bytes) | |
| cCSD | 0x400 | 3 | 0x3F400 | 0x3F810 | 0x3FC00 | 0x40010 | 0x800 (2,048 bytes) | |
| trvk_prg0 | 0x400 | 4 | 0x3FC00 | 0x40010 | 0x5FC00 | 0x60010 | 0x20000 (131,072 bytes) | |
| trvk_prg1 | 0x400 | 5 | 0x5FC00 | 0x60010 | 0x7FC00 | 0x80010 | 0x20000 (131,072 bytes) | |
| trvk_pkg0 | 0x400 | 6 | 0x7FC00 | 0x80010 | 0x9FC00 | 0xA0010 | 0x20000 (131,072 bytes) | |
| trvk_pkg1 | 0x400 | 7 | 0x9FC00 | 0xA0010 | 0xBFC00 | 0xC0010 | 0x20000 (131,072 bytes) | |
| ros0 | 0x400 | 8 | 0xBFC00 | 0xC0010 | 0x7BFC00 | 0x7C0010 | 0x700000 (7,340,032 bytes) | Contains CoreOS files |
| ros1 | 0x400 | 9 | 0x7BFC00 | 0x7C0010 | 0xEBFC00 | 0xEC0010 | 0x700000 (7,340,032 bytes) | Contains CoreOS files |
| cvtrm | 0x400 | 10 | 0xEBFC00 | 0xEC0010 | 0xEFFC00 | 0xF00010 | 0x40000 (262,144 bytes) | |
| CELL_EXTNOR_AREA | | | | 0xF20000 | | 0xFA0040 | 0x80040 (524,352 bytes) | |
| bootldr | | | | 0xFC0000 | | 0xFEEAF0 | 0x2EAF0 (191,216 bytes) | End @ FEF170, FEF570, FEF5F0, FEF600 in some dumps |




new metldr.2

Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù 
  00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00000840  00 00 0F 8E 6E D7 BC D8 1F 11 EA 34 42 5F 9B 9D  ...Žn×¼Ø..ê4B_›.
  00000850  00 00 0F 8E 8C 21 5D 5F D0 B4 50 07 6A DD 21 DF  ...ŽŒ!]_дP.jÝ!ß
 
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0002F070  00 00 00 01 00 85 00 0B 10 24 39 B7 2C BA A8 5E  .....…...$9·,º¨^

vflash partition table

Done some work on decoding region 2 today:
Region 2 seems to = vflash partition table? These might be the first 2 regions?
partition table is 4096 bytes.
Format:
16 bytes 00's
16 bytes magic: 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE
8 bytes 0x03
8 bytes 0x02 (number of partitions?)
144 bytes 00's
Partition entries:
8 bytes entry point (entry point * 0x200) relative to 0x00 on flash
8 bytes entry length (entry length * 0x200)
32 bytes 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03
96 bytes 00's
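A bounds-checked parser for the table layout described in the post above, as an added example that is not part of the original post or of any PS3 tool. It assumes the 8-byte fields are big-endian and that the "0x02" field is the partition count (the post marks this as a guess); the names vf_parse, vf_part and the sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_SIZE 4096u  /* table size given in the post */
#define PT_HDR  192u   /* 16 zero + 16 magic + 8 + 8 + 144 zero */
#define PT_ENT  144u   /* 8 start + 8 length + 32 + 96 zero */
#define SECTOR  0x200u /* start and length are counted in 0x200-byte units */

struct vf_part { uint64_t start, length; }; /* bytes, relative to flash 0x00 */

static const uint8_t PT_MAGIC[16] = { 0, 0, 0, 0, 0x0F, 0xAC, 0xE0, 0xFF,
                                      0, 0, 0, 0, 0xDE, 0xAD, 0xFA, 0xCE };

static uint64_t be64(const uint8_t *p) { /* assumption: big-endian fields */
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Returns the number of entries written to out, or a negative error code. */
int vf_parse(const uint8_t *tbl, size_t len, uint64_t flash_size,
             struct vf_part *out, size_t max_out) {
    if (len < PT_SIZE) return -1;                        /* truncated table */
    if (memcmp(tbl + 16, PT_MAGIC, 16) != 0) return -2;  /* wrong magic */
    uint64_t count = be64(tbl + 40);                     /* the "0x02" field */
    if (count > (PT_SIZE - PT_HDR) / PT_ENT || count > max_out) return -3;
    for (uint64_t i = 0; i < count; i++) {
        const uint8_t *e = tbl + PT_HDR + PT_ENT * i;
        uint64_t s = be64(e), l = be64(e + 8);
        /* compare in sectors first so the * 0x200 below cannot wrap */
        if (s > flash_size / SECTOR || l > flash_size / SECTOR - s) return -4;
        out[i].start = s * SECTOR; out[i].length = l * SECTOR;
    }
    return (int)count;
}

int main(void) {
    static uint8_t tbl[PT_SIZE];  /* constructed sample, not a real dump */
    struct vf_part p[27];
    memcpy(tbl + 16, PT_MAGIC, 16);
    tbl[39] = 3; tbl[47] = 1;                  /* unknown field, one entry */
    tbl[PT_HDR + 7] = 8; tbl[PT_HDR + 14] = 1; /* start 8, length 0x100 sectors */
    int n = vf_parse(tbl, sizeof tbl, 0x10000000, p, 27);
    for (int i = 0; i < n; i++)
        printf("partition %d: start 0x%llx, length 0x%llx\n", i,
               (unsigned long long)p[i].start, (unsigned long long)p[i].length);
    return n < 0;
}
```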




Dumping your flash

There are many ways to dump your flash; choose the one that best fits you. Some people are studying the flash. If you can help by providing a dump (especially if you have a debug console), look for them on IRC EFnet #ps3dev.

Payload

Uncomment dump_dev_flash() in graf_payloads, then compile and run the payload.

see Graf's_PSGroove_Payload for more info

Linux

Using graf_chokolo kernel with /dev/ps3nflasha access

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024

Hardware

see Hardware flashing

Dump NAND/NOR from GameOS

precompiled : dump_flash.pkg // backup/mirror: dump_flash.pkg (70.48 KB)
source: dump_flash-src.rar (2.33 KB)

Make sure USB stick is FAT32 with enough free space (16MB per NOR dump, 256MB per NAND dump)

remarks:

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

/* Extract TOC entry i: be64 offset, be64 size, 0x20-byte name.
 * Offset and size are taken from the image as-is and are not bounds-checked. */
static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        ptr = pkg + 0x10 + 0x30 * i;

        offset = be64(ptr + 0x00);
        size   = be64(ptr + 0x08);

        /* name[] is one byte larger than the field, so it is always terminated */
        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

        printf("unpacking %s (size: %llu bytes)...\n", name, (unsigned long long)size);
        memcpy_to_file((char *)name, pkg + offset, size);
}

static void unpack_pkg(void)
{
        u32 n_files;
        u32 i;

        /* entry count is the be32 at TOC + 4 */
        n_files = be32(pkg + 4);

        for (i = 0; i < n_files; i++)
                unpack_file(i);
}

int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* kludge for header, i do not do sanity checks at the moment */
        pkg += 1024;

        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}

Source: http://rms.grafchokolo.com/?p=25

Changed version for Progskeet: http://pastebin.com/HNvCbF7d

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read iInputSize bytes from the current position of pFile and write them
   to the file "<prefix><index>". */
void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
	     char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  size_t nLen;

  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
	  iEidCount, (void *) pFile, iInputSize, iInputSize);

  /* room for the prefix, any int index and the terminating NUL */
  nLen = strlen (pFilenamePrefix) + 12;
  szBuf = (char *) malloc (iInputSize);
  szFilename = (char *) malloc (nLen);

  if (szBuf == NULL || szFilename == NULL)
    {
      perror ("malloc");
      exit (1);
    }

  /* a short read means the eEID file is truncated */
  if (fread (szBuf, iInputSize, 1, pFile) != 1)
    {
      perror ("fread");
      exit (1);
    }

  snprintf (szFilename, nLen, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  if (pOutput == NULL)
    {
      perror ("fopen");
      exit (1);
    }

  if (fwrite (szBuf, iInputSize, 1, pOutput) != 1)
    {
      perror ("fwrite");
      exit (1);
    }

  fclose (pOutput);
  free (szFilename);
  free (szBuf);
}

int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;

  if (argc != 3)
    {
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }
  pPrefix = argv[2];

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
      perror ("fopen");
      exit (1);
    }

  /* the six sections are read back to back, starting at offset 0x70 */
  fseek (pFile, 0x70, SEEK_SET);

  DumpEidData (pFile, 2144, 0, pPrefix);
  DumpEidData (pFile, 672, 1, pPrefix);
  DumpEidData (pFile, 1840, 2, pPrefix);
  DumpEidData (pFile, 256, 3, pPrefix);
  DumpEidData (pFile, 48, 4, pPrefix);
  DumpEidData (pFile, 2560, 5, pPrefix);

  fclose (pFile);
  return 0;
}

Source: http://rms.grafchokolo.com/?p=59




NAND reference

NAND reference (euss)

CECHC-04/COK-002 Pal EU launchmodel with OFW 3.15 updated to MFW 3.15 (Euss)

VTRM

   VTRM in NAND: 
    
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
     
   00EC0000  53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8  SCEIVTRM.......¨
   00EC0010  00 00 00 00 00 E8 02 00 00 00 00 00 00 00 00 28  .....è.........(
   00EC0020  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........     <-- 'VTRM' magic header
   00EC0030  FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47  þm.ÄúÕÎÛ“†ü¡2;qG     <-- same value as 00EC0410
   00EC0040  3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 E8 27 80  ;¥ÆùÀ.¶p.....è'€     <-- first part same value as 00EC0410
   00EC0050  00 00 00 00 00 00 00 60 00 00 00 00 00 00 09 20  .......`....... 
   00EC0060  04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01  .........p..ÿ...
   00EC0070  0C 1C 05 9C AA B5 97 A5 9C D6 46 2D EA 22 46 BE  ...œªµ—¥œÖF-ê"F¾
   00EC0080  D1 84 A9 1E 34 5F E7 90 55 49 11 82 51 9D 4A 3F  Ñ„©.4_ç.UI.‚Q.J?
   00EC0090  EF 43 19 E8 4F 6A 5B FF DA 31 E9 F0 76 C8 B2 6B  ïC.èOj[ÿÚ1éðvȲk
   00EC00A0  0B A7 47 8E BE 42 28 9F 2B 88 73 0B A5 B6 F2 1D  .§GŽ¾B(Ÿ+ˆs.¥¶ò.
   00EC00B0  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
   00EC00C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00F0  FF FF FF FF FF FF FF FF 00 00 00 00 00 EB E4 8C  ÿÿÿÿÿÿÿÿ.....ëäŒ
   00EC0100  00 00 00 00 00 00 00 14 39 17 52 0B 31 70 F5 05  ........9.R.1põ.
   00EC0110  02 5A C6 F8 81 F8 54 96 2F EF F3 81 FF FF FF FF  .ZÆø.øT–/ïó.ÿÿÿÿ
   00EC0120  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC03F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC0400  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........
   00EC0410  FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47  þm.ÄúÕÎÛ“†ü¡2;qG     <-- same value as 00EC0030
   00EC0420  3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 00 04 90  ;¥ÆùÀ.¶p........     <-- first part same value as 00EC0040
   00EC0430  00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 03  ....... ........     <-- pattern exception
   00EC0440  00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC1930  00 00 00 00 00 00 00 01 00 00 00 00 00 00 09 20  ...............      <-- pattern exception
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC21F0  00 00 00 00 00 00 00 02 00 00 00 00 00 00 09 20  ...............      <-- pattern exception
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC24F0  00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 00  ....... ........
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC28B0  00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC28C0  00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01  ....... .p......
   00EC28D0  10 70 00 00 39 00 00 01 22 66 39 B3 0E 7A 1C E7  .p..9..."f9³.z.ç
   00EC28E0  68 85 F9 94 A8 30 BE C4 0B 85 D0 92 1E C0 8F 28  h…ù”¨0¾Ä.…Ð’.À.(
   00EC28F0  7F 70 ED 15 D6 22 06 24 D9 08 64 0B C0 D7 97 29  .pí.Ö".$Ù.d.À×—)
   00EC2900  BE A1 FE 91 D1 F2 D4 88 25 EF 24 86 E0 A3 CB 98  ¾¡þ‘ÑòÔˆ%ï$†à£Ë˜
   00EC2910  AF 17 6F B1 64 A0 56 E5 00 00 00 00 00 00 00 01  ¯.o±d Vå........
   00EC2920  00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01  ....... .p......
   00EC2930  10 70 00 00 03 00 00 02 F9 D9 6A 84 0C F2 D8 E7  .p......ùÙj„.òØç
   00EC2940  D4 44 5C 3C DF D5 DF 0F B8 DC 3E 81 9A A4 71 8F  ÔD\<ßÕß.¸Ü>.š¤q.
   00EC2950  0A A8 8B 90 1B 2C A1 D1 66 84 AA EE 65 D1 46 9A  .¨‹..,¡Ñf„ªîeÑFš
   00EC2960  D7 38 83 F2 78 47 D1 8E E5 FA EB 39 CF 26 E8 25  ×8ƒòxGÑŽåúë9Ï&è%
   00EC2970  85 DE 3B C6 0B C3 45 D5 00 00 00 00 00 00 00 00  …Þ;Æ.ÃEÕ........
   00EC2980  00 00 00 00 00 00 09 20 04 00 00 00 02 00 00 05  ....... ........
   00EC2990  10 70 00 05 FF 00 00 01 0C 1C 05 9C AA B5 97 A5  .p..ÿ......œªµ—¥
   00EC29A0  9C D6 46 2D EA 22 46 BE D1 84 A9 1E 34 5F E7 90  œÖF-ê"F¾Ñ„©.4_ç.
   00EC29B0  55 49 11 82 51 9D 4A 3F EF 43 19 E8 4F 6A 5B FF  UI.‚Q.J?ïC.èOj[ÿ
   00EC29C0  DA 31 E9 F0 76 C8 B2 6B 0B A7 47 8E BE 42 28 9F  Ú1éðvȲk.§GŽ¾B(Ÿ
   00EC29D0  2B 88 73 0B A5 B6 F2 1D 00 00 00 00 00 00 00 00  +ˆs.¥¶ò.........
   00EC29E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

cell_ext_os_area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
   0E780000  63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61  cell_ext_os_area
   0E780010  00 00 00 01 00 00 00 02 00 00 00 04 FF FF FF FF  ............ÿÿÿÿ
   0E780020  00 00 00 01 00 27 F8 40 FF FF FF FF FF FF FF FF  .....'ø@ÿÿÿÿÿÿÿÿ
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   0E7807D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E7807E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E7807F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E780800  1F 8B 08 08 C1 19 04 48 02 03 7A 49 6D 61 67 65  .‹..Á..H..zImage
   0E780810  2E 69 6E 69 74 72 64 2E 70 73 33 2E 62 69 6E 00  .initrd.ps3.bin.
    [...]                                                                        large data area
   0EA00030  FF FE FC FF ED CF FF 07 DE FD A4 A3 A8 88 54 00  ÿþüÿíÏÿ.Þý¤£¨ˆT.
   0EA00040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [...]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   large 00 filled block region
   0EB7FFE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0EB7FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0EB80000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0EB80010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region
   0EFFFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0EFFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

NAND reference (bluemimmo)

CECHA-06/COK-001 with 3.60 OFW

cell_ext_os_area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
   0E780000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   note: no cell_ext_os_area, 0CC00000-0FFFFFFF region filled with big blocks of FF
   0E780010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ    because firmware version 3.60 has no otheros.
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region
   0FFFFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0FFFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ


NAND reference (sinsizer)


Flash Samples

Reference flash dumps

User flashdumps

Here are some samples of NOR Flash for your dissection. These are taken from different consoles (because it is useless to dump different firmware versions, as ROS/RVK will be the same cross-console).

SKU bootldr metldr ROS0 ROS1 Link Note
PS3 Phat:
CECHA
CECHB
CECHC
CECHE
CECHG
CECHH
CECHJ
CECHK
CECHL [1] 3.55-Rogero CECHL03
CECHL [2] 3.56 CECHL03
CECHL [3] 3.70 CECHL03
CECHM
CECHP
CECHQ
PS3 Slim:
CECH-20xx 3.65 3.55 [4] 3.65 CECH-2008 A
CECH-20xx 3.56 3.56 [5] 3.56 CECH-2008 B
CECH-20xx 3.42 3.70 [6] 3.70 CECH-2008 B
CECH-20xx 3.72 4.00 [7] 4.00 CECH-2008 B
CECH-21xx
CECH-25xx 3.66 3.56 [8] 3.60 CECH-2508 B
CECH-25xx 3.66 3.72 [9] 3.72 CECH-2508 B
CECH-30xx

Flash checking / extraction

Community projects

Generic Recommendations

  • The information in this wiki was given [freely by many volunteers]; it would be most fair to release any program based on it as open source with the community accordingly (tip: public git-repo).
  • Please link to ps3devwiki so that others might improve the code and also know on what information it is based as well as other informative pages.
  • Feel free to ask questions on the talkpages when having trouble understanding mainpage or when not knowing what to check for.
  • Make checkers/extractors bytedirection aware and byteswap when needed
  • There are several flash dumptypes that can exist (besides the normal full ones):
    • NAND
      • Software dump without any bootldr and with or without masking (old software flashdump and Preloader)
      • Software dump with only one bootldr (Memdump)
      • Hardware dump with both bootldr (normal full dump)
    • NOR
      • Software dumps (Preloader)
      • Hardware dumps (normal full dump)
  • Do not take shortcuts. Make users aware if any section is not checked (yet)
  • Use dynamic sections whenever possible (will make it easier to port from NAND <> NOR, be more robust in checking, make it more future/history proof)
  • Check if data-/file-sections are uninterrupted (multi-repetitive 00 or FF)
  • Check for known static values
  • When values are semistatic, consider checking with wildcard/range masks
  • Make the user aware of any anomalies (in red/bold)
  • Output generic information (version, console info, minver etc)
  • Check for downgradeability
  • Check statistics in range with known FW versions (3.55 is considered base on wiki unless documented)
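
One way a checker can follow several of these recommendations at once (byte direction, no shortcuts on bounds, blank-section detection), as an added example that is not the wiki's or any project's own code. It assumes the TOC layout that norunpkg on this page reads (TOC at 0x400, be32 entry count at +4, 0x30-byte entries from +0x10); check_toc, check_dump and the result codes are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#define TOC_BASE   0x400u /* norunpkg skips 1024 bytes to reach the TOC */
#define ENTRY_BASE 0x10u  /* first entry, relative to TOC_BASE */
#define ENTRY_SIZE 0x30u  /* be64 offset, be64 size, 0x20-byte name */
enum { TOC_OK, TOC_SHORT, TOC_COUNT, TOC_RANGE, TOC_NAME, TOC_BLANK };

static uint64_t rd_be(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}
/* 1 if the range is one uninterrupted run of 0x00 or of 0xFF */
static int is_blank(const uint8_t *p, uint64_t n) {
    if (n == 0 || (p[0] != 0x00 && p[0] != 0xFF)) return 0;
    for (uint64_t i = 1; i < n; i++) if (p[i] != p[0]) return 0;
    return 1;
}
static void swap16(uint8_t *p, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) { uint8_t t = p[i]; p[i] = p[i + 1]; p[i + 1] = t; }
}

int check_toc(const uint8_t *img, size_t len) {
    if (len < TOC_BASE + ENTRY_BASE) return TOC_SHORT;
    const uint8_t *toc = img + TOC_BASE;
    uint64_t room = len - TOC_BASE, n = rd_be(toc + 4, 4);
    if (n == 0 || n > (room - ENTRY_BASE) / ENTRY_SIZE) return TOC_COUNT;
    for (uint64_t i = 0; i < n; i++) {
        const uint8_t *e = toc + ENTRY_BASE + ENTRY_SIZE * i;
        uint64_t off = rd_be(e, 8), size = rd_be(e + 8, 8);
        const char *name = (const char *)e + 0x10;
        if (off > room || size > room - off) return TOC_RANGE;
        /* norunpkg uses the name as a file name: reject empty or path-like */
        if (!name[0] || !memchr(name, 0, 0x20) || strpbrk(name, "/\\")) return TOC_NAME;
        if (is_blank(toc + off, size)) return TOC_BLANK;
    }
    return TOC_OK;
}

/* Byte-direction aware: retry with 16-bit words swapped before giving up. */
int check_dump(uint8_t *img, size_t len, int *swapped) {
    int r = check_toc(img, len);
    *swapped = 0;
    if (r == TOC_OK) return r;
    swap16(img, len);
    if (check_toc(img, len) == TOC_OK) { *swapped = 1; return TOC_OK; }
    swap16(img, len); /* neither order parses: restore, report first error */
    return r;
}
```

On success with *swapped set to 1 the buffer is left in the corrected byte order, so an extractor can continue on it directly.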