Flash

From PS3 Developer wiki
Revision as of 10:35, 26 September 2011 by Euss (talk | contribs) (→‎NAND reference)
The typical flash TSOP package found on PS3s is either 2x128mb NAND or 1x16mb NOR.

This is my attempt at documenting the files located and stored on flash. Please note that this comes from reverse engineering several flash dumps, not from reverse engineering the PS3 firmware itself. This involves a lot of guesswork, may not be accurate, and may be missing information.

Structure

  • 0x0 > 0x400 = Headers
  • 0x400 > 0x800 = File table
  • 0x800 > 0xF00000 = Region 1
    • 0x800 > 0x2F000 = asecure_loader region
      • 0x840 > 0xF110 = metldr
  • 0xF00000 > 0xFFFFFF = region 2
    • unknown format

First Region

Header

First 512 Bytes of flash

00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ.¾ï
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00  ..............x.
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address | Length | Value | Description
0x00 | 0x10 | 0x0 | Blank/Unknown
0x10 | 0x10 | 0x0FACE0FF 0xDEADBEEF | Magic number
0x20 | 0x10 | 0x7800 | Length of region * 0x200
0x30 | 0x1D0 | 0x0 | Blank/Unknown

Unknown Header

The next block of 512 bytes only has the first 16 bytes written. Unsure exactly what this means.

00000200  49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00  IFI.............
00000210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000003F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address | Length | Value | Description
0x200 | 0x10 | 0x49464900 (String: "IFI") 0x1 0x2 0x0 | Unknown

File Table

The next 1024 bytes contain the file entry table

Header

Small 16 byte header to describe length and entry count

00000400  00 00 00 01 00 00 00 0B 00 00 00 00 00 EF FC 00  .............ïü.
Address | Length | Value | Description
0x0 | 0x4 | 0x01 | Unknown
0x4 | 0x4 | 0x0B | Entry Count
0x8 | 0x8 | 0xEFFC00 | Length of flash region (relative to 0x400, the region start)

First is a header, this tells us how many files are stored here.

Entry Table

Then follows a 32 byte entry for each file

00000410  00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00  ..............è.
00000420  61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00  asecure_loader..
00000430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address | Length | Value | Description
0x0 | 0x8 | 0x400 | File offset relative to 0x400 (Region start)
0x8 | 0x8 | 0x2E800 | File length
0x10 | 0x20 | char[32]:"asecure_loader" | File name


asecure_loader region

Within asecure_loader is another file table similar to region 1 but is located within region 1 itself. This has only been observed to hold metldr in its encrypted form.

Header

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
Address | Length | Value | Description
0x00 | 0x04 | 0x01 | Unknown
0x04 | 0x04 | 0x01 | Entry Count
0x08 | 0x08 | 0x2E800 | Length of Region

Entry Table

Then follows a 32 byte entry for each file

00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address | Length | Value | Description
0x0 | 0x08 | 0x40 | File offset relative to 0x810 (asecure_loader header)
0x8 | 0x08 | 0xE8D0 | File Length
0x10 | 0x20 | char[32]:"metldr" | File name

Second Region

This region appears to directly follow the first region (at 0xF00000 = region size + header).

Not much is known about this at this stage.

Header

00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....Þ.úÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Bootloader

Located at 0xFC0000 to 0xFFFFFF (the last 256kb of flash). This is encrypted.

cCSD

This section doesn't contain any data... This section of flash contains Console Specific information

Header

0003F800  00 00 00 01 00 00 08 00 00 00 00 00 00 00 00 00  ................
Address | Length | Value | Description
0x0 | 0x4 | 0x1 | Number of entries
0x4 | 0x8 | 0x800 | Length of entire eEID package
0x8 | 0x8 | 0x0 | Unknown/Blank

File Table

This repeats per entry

0003F810  00 00 00 20 00 00 00 30 00 00 00 00 00 00 00 00  ... ...0........
Address | Length | Value | Description
0x0 | 0x4 | 0x20 | Entry point
0x4 | 0x8 | 0x30 | Length
0x8 | 0x8 | 0x0 | Unknown/Blank

Section 0

0003F820  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F830  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F840  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

There appears to be no data stored here.

cISD

This section of flash contains Console Specific information

cISD contains core information such as Gelic Ethernet MAC address

Header

0003F000  00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00  .......p........
Address | Length | Value | Description
0x0 | 0x4 | 0x3 | Number of entries
0x4 | 0x8 | 0x270 | Length of entire eEID package
0x8 | 0x8 | 0x0 | Unknown/Blank

File Table

This repeats per entry

0003F010  00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00  ...@... ........
Address | Length | Value | Description
0x0 | 0x4 | 0x40 | Entry point
0x4 | 0x8 | 0x20 | Length
0x8 | 0x8 | 0x0 | Unknown/Blank

Section 0

0003F040  A8 E3 EE 7D 10 DA FF FF FF FF FF FF FF FF FF FF  ¨ãî}.Úÿÿÿÿÿÿÿÿÿÿ
0003F050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address | Length | Value | Description
0x0 | 0x6 | 0xA8E3EE7D10DA | MAC Address
0x6 | 0x1A | 0xFF | Unknown/Blank

Section 1

0003F060  7F 49 44 4C 00 02 00 60 01 00 00 02 02 12 FF C5  .IDL...`......ÿÅ
0003F070  30 31 43 35 32 34 30 31 38 33 31 36 32 37 30 45  01C524018316270E
0003F080  31 39 30 38 37 41 34 32 30 30 30 30 30 30 30 30  19087A4200000000
0003F090  32 37 34 35 35 32 32 32 34 30 31 35 31 32 39 33  2745522240151293
0003F0A0  34 31 36 33 01 07 01 07 01 28 00 01 FF FF FF FF  4163.....(..ÿÿÿÿ
0003F0B0  00 02 00 11 00 02 00 12 00 00 00 00 02 95 A8 C9  .............•¨É
0003F0C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003F250  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address | Length | Value | Description
0x0 | 0xD | 0x7F49444C000200600100000202 | Unknown, static
0xD | 0xF | 0x12FFC5 | Unknown, varies per console
0x10 | 0x20 | Ascii: 01C524018316270E19087A4200000000 | Some unique identifier
0x30 | 0x8 | Ascii: 27455222 | 3rd part of console serial number
0x38 | 0xC | Ascii: 401512934163 | Some unique identifier
0x44 | 0x1B | 0x0107010701280001FFFF00020011000200120000000002 | Unknown, static
0x1B | 0x3 | 0x95A8C9 | Unknown, varies

Section 2

0003F260  1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .ÿ..............

This value is unknown and the first two bytes seem to vary

eEID

This section of flash contains QA tokens

It is 0x10000 in length (64 kb) but only the first 0x1DD0 is used, the rest is padded with FF

It is composed of 6 sections numbered from 0 to 5

eEID contains your system model data, your target ID, and your PS3 motherboard revision

Section | Description
EID0 | EID0 is needed for loading parameters to isoldr for loading isolated SELF files on a SPE
EID1 | ?
EID2 | ?
EID3 | ?
EID4 | ?
EID5 | ?

Indi manager can write to it; AIM can rehash it.

Header

00000000  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........
Address | Length | Value | Description
0x0 | 0x4 | 0x6 | Number of entries
0x4 | 0x8 | 0x1DD0 | Length of entire eEID package
0x8 | 0x8 | 0x0 | Unknown/Blank

File Table

This is the whole file table

00000010   00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00
00000020   00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01
00000030   00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02
00000040   00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03
00000050   00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04
00000060   00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05

This repeats per entry

00000010  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........
Address | Length | Value | Description
0x0 | 0x4 | 0x70 | Entry point
0x4 | 0x8 | 0x860 | Length
0x8 | 0x8 | 0x0 | EID number

Typical EID entry addresses and lengths:

Description | Address | Length
EID0 | 0x70 | 0x860
EID1 | 0x8D0 | 0x2A0
EID2 | 0xB70 | 0x730
EID3 | 0x12A0 | 0x100
EID4 | 0x13A0 | 0x30
EID5 | 0x13D0 | 0xA00

EID0 - Section 0

00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000010  00 12 00 0B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP
Address | Size | Value | Description | Observations
0x0 | 0x10 | 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 | IDPS | IDPS This contains your Target ID
0x10 | 0x4 | 00 12 00 0B | Unknown |
0x14 | 0x12 | 81 2E 00 A9 59 75 01 CC C1 72 D5 50 | Per console key? | Appear to be the same key as in the encrypted files metloader/bootloader
Rest | Rest | Rest | Encrypted Data? |

EID 1 - Section 1

Appears to be encrypted, not much is known about this one

EID 2 - Section 2

Not sure about this one, appears to be some recurring patterns in here

EID 3 - Section 3

Not fully examined yet. Contains the 12 byte key again at 0x14 to 0x1F.

EID 4 - Section 4

Encrypted encdec key

EID 5 - Section 5

Similar again to section 0

00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000010  00 12 07 30 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP
Address | Size | Value | Description | Observations
0x0 | 0x10 | 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 | IDPS | IDPS
0x10 | 0x4 | 00 12 07 30 | Unknown | Changes from EID0
0x14 | 0x12 | 81 2E 00 A9 59 75 01 CC C1 72 D5 50 | Per console key? | Appear to be the same key as in the encrypted files metloader/bootloader
Rest | Rest | Rest | Encrypted Data? |

Encrypted Files on Flash

Encrypted files on flash appear to have some sort of header

metldr examples

Here are samples of metldr header from 2 different consoles

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

bootldr examples

Here are samples of bootldr header from 2 different consoles

00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

Observations / Notes

As you can see, some parts appear static depending on their purpose:

metldr

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........

bootldr

00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............

per console in both samples

00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The first 4 bytes appear to refer to length, e.g.:

metldr length: 0xE920
0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920
bootldr length:  0x2F4F0
0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0

Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.

List of files on NOR Flash

The following is a list of files stored in NOR Flash

Name | TOC Offset | TOC Index | Start Offset (Relative) | Start Offset (Absolute) | End Offset (Relative) | End Offset (Absolute) | Size | Notes
asecure_loader | 0x400 | 0 | 0x400 | 0x810 | 0x2E800 | 0x2F010 | 0x2E800 (190,464 bytes) | aka metldr
eEID | 0x400 | 1 | 0x2EC00 | 0x2F010 | 0x3EC00 | 0x3F010 | 0x10000 (65,636 bytes) |
cISD | 0x400 | 2 | 0x3EC00 | 0x3F010 | 0x3F400 | 0x3F810 | 0x800 (2,048 bytes) |
cCSD | 0x400 | 3 | 0x3F400 | 0x3F810 | 0x3FC00 | 0x40010 | 0x800 (2,048 bytes) |
trvk_prg0 | 0x400 | 4 | 0x3FC00 | 0x40010 | 0x5FC00 | 0x60010 | 0x20000 (131,072 bytes) |
trvk_prg1 | 0x400 | 5 | 0x5FC00 | 0x60010 | 0x5FC00 | 0x80010 | 0x20000 (131,072 bytes) |
trvk_pkg0 | 0x400 | 6 | 0x7FC00 | 0x80010 | 0x9FC00 | 0xA0010 | 0x20000 (131,072 bytes) |
trvk_pkg1 | 0x400 | 7 | 0x9FC00 | 0xA0010 | 0xBFC00 | 0xC0010 | 0x20000 (131,072 bytes) |
ros0 | 0x400 | 8 | 0xBFC00 | 0xC0010 | 0x7BFC00 | 0x7C0010 | 0x700000 (7,340,032 bytes) | Contains CoreOS files
ros1 | 0x400 | 9 | 0x7BFC00 | 0x7C0010 | 0xEBFC00 | 0xEC0010 | 0x700000 (7,340,032 bytes) | Contains CoreOS files
cvtrm | 0x400 | 10 | 0xEBFC00 | 0xEC0010 | 0xEFFC00 | 0xF00010 | 0x40000 (262,144 bytes) |
CELL_EXTNOR_AREA | | | | 0xF20000 | | 0xFA0040 | 0x80040 (524,352 bytes) |
bootldr | | | | 0xFC0000 | | 0xFEEAF0 | 0x2EAF0 (191,216 bytes) | End @ FEF170, FEF570, FEF5F0, FEF600 in some dumps
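
An added example (not part of the original wiki page or of any PS3 tool): a consistency checker for a NOR dump built on the layouts documented above. It reads the region 1 file table at 0x400 and the nested asecure_loader table, resolves file offsets against the start of each table, and compares the metldr length from the table with the length implied by the "first word * 0x10 + 0x40" observation. Assumptions: entries occupy 0x30 bytes (8 + 8 + 32, as the dumps show), all fields are big-endian, the function names are hypothetical, and the sample image is constructed from values quoted on this page (table values from the file list, metldr values from the CECH250.B dump).

```python
import struct

TABLE_HDR = struct.Struct(">IIQ")   # unknown, entry count, region length
ENTRY = struct.Struct(">QQ32s")     # relative offset, length, NUL-padded name
MAGIC = bytes.fromhex("0face0ff00000000deadbeef")  # header bytes 0x14..0x1F


def check_header(img):
    """Validate the magic and return the first region's end in bytes."""
    if img[0x14:0x20] != MAGIC:
        raise ValueError("bad flash header magic")
    (units,) = struct.unpack_from(">Q", img, 0x28)
    return units * 0x200            # page value: 0x7800 * 0x200 = 0xF00000


def parse_table(img, base):
    """Return (region_length, [(name, absolute_offset, length), ...])."""
    if base + TABLE_HDR.size > len(img):
        raise ValueError("table header outside image")
    _unknown, count, region_len = TABLE_HDR.unpack_from(img, base)
    table_end = TABLE_HDR.size + count * ENTRY.size
    if base + table_end > len(img):
        raise ValueError("entry count overruns image")
    files = []
    for i in range(count):
        pos = base + TABLE_HDR.size + i * ENTRY.size
        off, length, raw = ENTRY.unpack_from(img, pos)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        if off < table_end:
            raise ValueError(f"{name}: data overlaps the table itself")
        if off + length > region_len:
            raise ValueError(f"{name}: runs past the declared region length")
        files.append((name, base + off, length))
    # Entries must not overlap each other either.
    ordered = sorted(files, key=lambda f: f[1])
    for (n1, o1, l1), (n2, o2, _) in zip(ordered, ordered[1:]):
        if o1 + l1 > o2:
            raise ValueError(f"{n1} overlaps {n2}")
    return region_len, files


def loader_length(img, off):
    """Length implied by an encrypted loader's first word: word * 0x10 + 0x40."""
    (word,) = struct.unpack_from(">I", img, off)
    return word * 0x10 + 0x40


def build_sample():
    """Constructed first 0x1000 bytes of a dump, using values from the page."""
    img = bytearray(b"\xff" * 0x1000)
    img[0:0x200] = bytes(0x200)
    img[0x14:0x20] = MAGIC
    struct.pack_into(">Q", img, 0x28, 0x7800)
    toc = [("asecure_loader", 0x400, 0x2E800), ("eEID", 0x2EC00, 0x10000),
           ("cISD", 0x3EC00, 0x800), ("cCSD", 0x3F400, 0x800),
           ("trvk_prg0", 0x3FC00, 0x20000), ("trvk_prg1", 0x5FC00, 0x20000),
           ("trvk_pkg0", 0x7FC00, 0x20000), ("trvk_pkg1", 0x9FC00, 0x20000),
           ("ros0", 0xBFC00, 0x700000), ("ros1", 0x7BFC00, 0x700000),
           ("cvtrm", 0xEBFC00, 0x40000)]
    TABLE_HDR.pack_into(img, 0x400, 1, len(toc), 0xEFFC00)
    for i, (name, off, length) in enumerate(toc):
        ENTRY.pack_into(img, 0x410 + i * ENTRY.size, off, length, name.encode())
    # Nested asecure_loader table and the first metldr word (CECH250.B dump).
    TABLE_HDR.pack_into(img, 0x800, 1, 1, 0x2E800)
    ENTRY.pack_into(img, 0x810, 0x40, 0xE960, b"metldr")
    struct.pack_into(">I", img, 0x840, 0x0E92)
    return bytes(img)


def audit(img):
    """Walk header -> region 1 table -> asecure_loader table -> loader."""
    region_end = check_header(img)
    region_len, files = parse_table(img, 0x400)
    asl_off = next(o for n, o, _ in files if n == "asecure_loader")
    _, inner = parse_table(img, asl_off)
    if not inner:
        raise ValueError("asecure_loader table is empty")
    name, off, toc_len = inner[0]
    return {
        "files": files,
        # Table base + declared length should land on the header's region end.
        "region_consistent": 0x400 + region_len == region_end,
        # (name, absolute offset, length from table, length from first word)
        "loader": (name, off, toc_len, loader_length(img, off)),
    }


if __name__ == "__main__":
    report = audit(build_sample())
    for name, off, length in report["files"]:
        print(f"{name:<16} 0x{off:06X} 0x{length:06X}")
    print(report["loader"], report["region_consistent"])
```

With this base, cISD and cCSD resolve to 0x3F000 and 0x3F800, the addresses of their header dumps earlier on the page. A mismatch between the two loader lengths, or any raised ValueError, marks a dump worth re-reading before it is trusted or written back.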

new metldr.2

Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù 
  00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

other new metldr

It seems the naming "metldr.2" does not apply to all non downgradeable consoles:

Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A (dump contained ROS with 3.66 and 3.70)

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
 00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
 00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
 00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

For comparison, a CECH250.B (JSD-001), with factory 3.56 - datecode 1A which was downgradeable (dump contained ROS with 3.56 and 3.70 before downgrading to 3.55):

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
 00000800   00 00 00 01 00 00 00 01  00 00 00 00 00 02 E8 00   ..............è.
 00000810   00 00 00 00 00 00 00 40  00 00 00 00 00 00 E9 60   .......@......é`
 00000820   6D 65 74 6C 64 72 00 00  00 00 00 00 00 00 00 00   metldr..........
 00000830   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
 00000840   00 00 0E 92 C3 26 6E 4B  BB 28 2E 76 B7 67 70 95   ...’Ã&nK»(.v·gp•


Other new metldr mention: https://twitter.com/#!/Mathieulh/status/110779471199604736

WTF 3.50+ consoles have a new additional root key of 0x30 bytes
(3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O


CELL_EXTNOR_AREA

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[...]
00F1FFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F1FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F20000  43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41  CELL_EXTNOR_AREA      marker: CELL_EXTNOR_AREA
00F20010  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F20020  00 00 02 00 00 00 00 44 00 00 00 00 A9 C8 06 D0  .......D....©È.Ð                             (differs in other version/console dump)
00F20030  C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10  À..4U§bsÝ.¦ûu Ò.
00F20040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F201F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F20200  00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32  ....FUJITSU MHZ2      harddrive brand/model
00F20210  30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20  080BH G1        
00F20220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
00F20230  20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B      K63RT8B4HYBK      harddrive serial
00F20240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F3FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F40000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F40000-00F40030      (same in other version/console dump)
00F40010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
00F40020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F80000-00F80030
00F40030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F5FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F60000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00F60010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00F60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
00F60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00FA0000-00FA0040
00F60040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F69BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F69C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]                                                                            all FF's
00F7FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F80000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F80000-00F80030      (same in other version/console dump)
00F80010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
00F80020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F40000-00F40030
00F80030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F9FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00FA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00FA0020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
00FA0030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00F60000-00F60040
00FA0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00FA9BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA9C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]                                                                            all FF's
00FBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00FC0000  00 00 2E AB 83 EF B9 76 C4 DE D1 35 32 7C D3 77  ...«ƒï¹vÄÞÑ52|Ów      Bootloader encrypted   (differs in other version/console dump)
00FC0010  00 00 2E AB FE 2C 4E 17 E1 67 5C 3A C8 29 8E D1  ...«þ,N.ág\:È)ŽÑ      (0xFC0000 to 0xFFFFFF)
00FC0020  63 D4 81 95 5D D1 D2 E3 BA A3 2D 0A 98 8B 3C 03  cÔ.•]ÑÒãº£-.˜‹<.
00FC0030  8E 5D D0 E7 2F EE 58 8B C0 73 A2 6D 5E 7F 7A 07  Ž]Ðç/îX‹Às¢m^.z.
00FC0040  47 8B A4 C2 EF B9 3C 60 43 E8 AC 07 F7 8D EE D5  G‹¤Âï¹<`Cè¬.÷.îÕ
00FC0050  67 EE C1 C4 B2 D2 78 98 4C 79 D6 52 49 4D C2 80  gîÁÄ²Òx˜LyÖRIMÂ€
00FC0060  2D C1 F6 21 B7 B1 34 89 94 3B 33 BF B8 C8 EB 73  -Áö!·±4‰”;3¿¸Èës
[...]
00FEEAD0  9B 28 7A 63 41 DF 4D 54 CC F3 D8 FF FB B0 E6 34  ›(zcAßMTÌóØÿû°æ4
00FEEAE0  2B C6 A2 85 E9 3A 83 A1 8C AE 9F 45 C5 F4 9F AA  +Æ¢…é:ƒ¡Œ®ŸEÅôŸª
00FEEAF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ      Bootloader ended (00FEF170, 00FEF570, 00FEF5F0 or 00FEF600 in some dumps)
00FEEB00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

NAND reference

Most of the information on this page is based on NOR dumps; this section is for NAND specifics.

ROS0

    ROS0 on NAND:
     
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
    00080000  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... .......
    00080010  00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00  .....à..........
    00080020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
    00080030  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
    00080040  00 00 00 00 00 00 04 60 00 00 00 00 00 00 44 98  .......`......D˜
    00080050  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
    00080060  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
    00080070  00 00 00 00 00 00 49 00 00 00 00 00 00 01 DA E4  ......I.......Úä
    00080080  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
    00080090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000800A0  00 00 00 00 00 02 24 00 00 00 00 00 00 04 00 00  ......$.........
    000800B0  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
    000800C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000800D0  00 00 00 00 00 06 24 00 00 00 00 00 00 00 22 A0  ......$......." 
    000800E0  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
    000800F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00080100  00 00 00 00 00 06 46 A0 00 00 00 00 00 07 FC 48  ......F ......üH
    00080110  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
    00080120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00080130  00 00 00 00 00 0E 43 00 00 00 00 00 00 07 0F 94  ......C........”
    00080140  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
    00080150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00080160  00 00 00 00 00 15 52 A0 00 00 00 00 00 06 16 00  ......R ........
    00080170  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
    00080180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00080190  00 00 00 00 00 1B 68 A0 00 00 00 00 00 01 2E 44  ......h .......D
    000801A0  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
    000801B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000801C0  00 00 00 00 00 1C 97 00 00 00 00 00 00 03 E8 28  ......—.......è(
    000801D0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
    000801E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000801F0  00 00 00 00 00 20 7F 40 00 00 00 00 00 12 B1 70  ..... .@......±p
    00080200  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
    00080210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00080220  00 00 00 00 00 33 30 C0 00 00 00 00 00 01 E5 CC  .....30À......åÌ
    00080230  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
    00080240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00080250  00 00 00 00 00 35 16 A0 00 00 00 00 00 01 6D A0  .....5. ......m 
    00080260  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
    00080270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00080280  00 00 00 00 00 36 84 40 00 00 00 00 00 16 EE B8  .....6„@......î¸
    00080290  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
    000802A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000802B0  00 00 00 00 00 4D 73 00 00 00 00 00 00 00 80 8C  .....Ms.......€Œ
    000802C0  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
    000802D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
    000802E0  00 00 00 00 00 4D F3 A0 00 00 00 00 00 00 88 B8  .....Mó ......ˆ¸
    000802F0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
    00080300  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
    00080310  00 00 00 00 00 4E 7C 60 00 00 00 00 00 00 5D B0  .....N|`......]°
    00080320  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
    00080330  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
    00080340  00 00 00 00 00 4E DA 20 00 00 00 00 00 01 53 2C  .....NÚ ......S,
    00080350  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
    00080360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00080370  00 00 00 00 00 50 2D 60 00 00 00 00 00 00 00 08  .....P-`........
    00080380  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
    00080390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000803A0  00 00 00 00 00 50 2D 80 00 00 00 00 00 00 D7 F0  .....P-€......×ð
    000803B0  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
    000803C0  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
    000803D0  00 00 00 00 00 51 05 80 00 00 00 00 00 00 FA CC  .....Q.€......úÌ
    000803E0  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
    000803F0  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
    00080400  00 00 00 00 00 52 00 60 00 00 00 00 00 00 5C 94  .....R.`......\”
    00080410  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
    00080420  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
    00080430  00 00 00 00 00 52 5D 00 00 00 00 00 00 00 65 D0  .....R].......eÐ
    00080440  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
    00080450  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
    00080460  00 00 00 00 00 52 C2 E0 00 00 00 00 00 00 C0 78  .....RÂà......Àx
    00080470  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
    00080480  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........

ROS1

    ROS1 on NAND:
     
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
    0077FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
    00780020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
    00780030  00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00  .......`........
    00780040  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
    00780050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780060  00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08  .......`........
    00780070  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
    00780080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780090  00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC  .......€......åÌ
    007800A0  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
    007800B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    007800C0  00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D A0  ......ê€......m 
    007800D0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
    007800E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    007800F0  00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 44  ......X€.......D
    00780100  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
    00780110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780120  00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA E4  ......‡.......Úä
    00780130  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
    00780140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780150  00 00 00 00 00 0A 61 E4 00 00 00 00 00 00 FA CC  ......aä......úÌ
    00780160  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
    00780170  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
    00780180  00 00 00 00 00 0B 5C B0 00 00 00 00 00 00 5C 94  ......\°......\”
    00780190  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
    007801A0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
    007801B0  00 00 00 00 00 0B B9 44 00 00 00 00 00 00 65 D0  ......¹D......eÐ
    007801C0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
    007801D0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
    007801E0  00 00 00 00 00 0C 1F 14 00 00 00 00 00 01 53 2C  ..............S,
    007801F0  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
    00780200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780210  00 00 00 00 00 0D 72 40 00 00 00 00 00 00 44 98  ......r@......D˜
    00780220  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
    00780230  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
    00780240  00 00 00 00 00 0D B6 D8 00 00 00 00 00 00 D7 F0  ......¶Ø......×ð
    00780250  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
    00780260  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
    00780270  00 00 00 00 00 0E 8E C8 00 00 00 00 00 00 80 8C  ......ŽÈ......€Œ
    00780280  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
    00780290  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
    007802A0  00 00 00 00 00 0F 0F 54 00 00 00 00 00 00 88 B8  .......T......ˆ¸
    007802B0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
    007802C0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
    007802D0  00 00 00 00 00 0F 98 0C 00 00 00 00 00 00 C0 78  ......˜.......Àx
    007802E0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
    007802F0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
    00780300  00 00 00 00 00 10 58 84 00 00 00 00 00 00 5D B0  ......X„......]°
    00780310  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
    00780320  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
    00780330  00 00 00 00 00 10 B6 34 00 00 00 00 00 00 22 A0  ......¶4......" 
    00780340  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
    00780350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780360  00 00 00 00 00 10 D9 00 00 00 00 00 00 12 B1 70  ......Ù.......±p
    00780370  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
    00780380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780390  00 00 00 00 00 23 8A 80 00 00 00 00 00 03 E8 28  .....#Š€......è(
    007803A0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
    007803B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    007803C0  00 00 00 00 00 27 72 A8 00 00 00 00 00 16 EE B8  .....'r¨......î¸
    007803D0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
    007803E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    007803F0  00 00 00 00 00 3E 61 60 00 00 00 00 00 07 0F 94  .....>a`.......”
    00780400  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
    00780410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780420  00 00 00 00 00 45 70 F4 00 00 00 00 00 07 FC 48  .....Epô......üH
    00780430  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
    00780440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00780450  00 00 00 00 00 4D 6D 3C 00 00 00 00 00 06 16 00  .....Mm<........
    00780460  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
    00780470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Versioning in ROS0

    versioning in ROS0 of NAND:
     
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
    00582D90  33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00  315.000.........
    00582DA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00582DB0  53 43 45 00 00 00 00 02 00 01 00 01 00 00 02 30  SCE............0

Versioning in ROS1

    versioning in ROS1 of NAND:
     
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
    007C0480  33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00  315.000.........
    007C0490  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    007C04A0  53 43 45 00 00 00 00 02 00 00 00 01 00 00 01 F0  SCE............ð

RVK

    Revoke in NAND:     
          
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
    00053800  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
    00053810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........
    00053820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
    00053830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
    00053840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@
    00053850  6E 27 DA DF 18 19 ED D0 26 30 FD 84 1D 5B 74 BB  n'Úß..íÐ&0ý„.[t»
    00053860  43 53 5F 5E 91 5A 82 48 E1 5B 76 C6 59 9F 1B 0D  CS_^‘Z‚Há[vÆYŸ..
    00053870  3A 5E 73 19 73 59 24 A1 A7 A5 73 28 BC 50 12 93  :^s.sY$¡§¥s(¼P.“
    00053880  10 B7 43 04 B5 01 A5 6C 01 AD 83 86 7B 10 1A 78  .·C.µ.¥l.­ƒ†{..x
    00053890  B5 55 E2 CC 52 4D E2 3D AE 7D F6 1B 37 13 63 34  µUâÌRMâ=®}ö.7.c4
    000538A0  50 58 C8 78 27 F9 30 9F 62 E7 0A CF C4 E2 4B C5  PXÈx'ù0Ÿbç.ÏÄâKÅ
    000538B0  4A FF 31 8A C7 3A A7 0A 91 86 E2 C8 4A 51 F7 7D  Jÿ1ŠÇ:§.‘†âÈJQ÷}
    000538C0  7B BF 28 FE F5 93 FA C3 DF E7 A9 F1 A1 92 C1 6F  {¿(þõ“úÃßç©ñ¡’Áo
    000538D0  F1 D8 94 E9 64 60 6D 36 22 61 2E 51 B5 C9 9F 6F  ñØ”éd`m6"a.QµÉŸo
    000538E0  BD C6 44 00 22 75 DC 2A 55 A5 E5 EC 2A 97 9A 4F  ½ÆD."uÜ*U¥åì*—šO
    000538F0  CA 21 38 F1 AA C8 98 29 4D 6A F7 CD 7B F6 04 B3  Ê!8ñªÈ˜)Mj÷Í{ö.³
    00053900  A0 F3 F8 C1 9B CB 9B 48 AE E9 5C CF A5 24 37 29   óøÁ›Ë›H®é\Ï¥$7)
    00053910  9B 10 02 8C 68 1B 4E AA B4 CF EE 81 3A C6 6E CB  ›..Œh.Nª´Ïî.:ÆnË
    00053920  66 99 F6 F9 55 AB 19 FA 43 70 BC E5 72 C4 56 AD  f™öùU«.úCp¼årÄV­
    00053930  64 AF DD 0B 17 03 4D EA 87 C5 AD BB 2C 7C B2 48  d¯Ý...Mê‡Å­»,|²H
    00053940  9A E9 D1 85 AA 30 87 B8 47 C3 8B C9 BC 42 E2 7D  šéÑ…ª0‡¸GËɼBâ}
    00053950  92 84 D2 03 68 F1 20 54 98 D1 0E 95 4B 54 E5 6E  ’„Ò.hñ T˜Ñ.•KTån
    00053960  1A 6C D6 2F 3E 3F E4 28 4A 0F 9E D4 99 3E E5 D8  .lÖ/>?ä(J.žÔ™>åØ
    00053970  6B 13 7B 19 B4 3A A6 64 56 08 05 D3 FE 1B 68 E1  k.{.´:¦dV..Óþ.há
    00053980  B6 38 2C 0C E1 DF 5F D5 0D EC 6E B6 2A 2F 63 77  ¶8,.áß_Õ.ìn¶*/cw
    00053990  F4 D2 EB 3B 87 DA 83 76 28 E8 9F 50 2C 84 4D 48  ôÒë;‡Úƒv(èŸP,„MH
    000539A0  64 C0 B1 DB C6 AE 81 22 1D 76 9F B9 F8 29 C0 C7  dÀ±ÛÆ®.".vŸ¹ø)ÀÇ
    000539B0  12 06 2A B1 BB 0D 2E 5A 29 BC 56 C6 F5 26 97 0D  ..*±»..Z)¼VÆõ&—.
    000539C0  01 06 CC BC 43 1E 8B 45 C8 20 29 B3 FD EB 30 1D  ..̼C.‹EÈ )³ýë0.
    000539D0  A2 CF 33 2D 09 07 08 6F 4A F3 34 5D DE 63 C0 A8  ¢Ï3-...oJó4]ÞcÀ¨
    000539E0  EE 31 3E 46 11 4F 8D 66 F1 15 74 E2 AC 88 C3 C7  î1>F.O.fñ.t⬈ÃÇ
    000539F0  19 C9 69 0A 9F 36 D7 BC 70 6B 79 32 53 FD 1F 8E  .Éi.Ÿ6×¼pky2Sý.Ž
    00053A00  6D 57 08 C2 CA 78 24 6A 20 3B 5A 98 C2 04 06 95  mW.ÂÊx$j ;Z˜Â..•
    00053A10  C7 E6 53 A5 AB 9C 02 2A 04 40 0B 00 DF 34 13 CF  ÇæS¥«œ.*.@..ß4.Ï
    00053A20  F3 74 FF B6 DB FA 9A A2 FD 4F 72 6B 3E 7E 37 04  ótÿ¶Ûúš¢ýOrk>~7.
    00053A30  00 00 00 03 00 00 00 02 00 01 00 00 00 00 00 00  ................
    00053A40  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00053A50  8E 27 91 93 C8 6F 17 8A 22 FD C8 E1 76 E8 D8 18  Ž'‘“Èo.Š"ýÈávèØ.
    00053A60  62 8B FE F5 43 81 A8 09 01 C6 99 D6 EF CF 64 90  b‹þõC.¨..Æ™ÖïÏd.

cell_ext_os_area

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
    0E740000  63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61  cell_ext_os_area
    0E740010  00 00 00 01 00 00 00 02 00 00 00 04 FF FF FF FF  ............ÿÿÿÿ
    0E740020  00 00 00 01 00 27 F8 40 FF FF FF FF FF FF FF FF  .....'ø@ÿÿÿÿÿÿÿÿ
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
        
    0E7407D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0E7407E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0E7407F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0E740800  1F 8B 08 08 C1 19 04 48 02 03 7A 49 6D 61 67 65  .‹..Á..H..zImage
    0E740810  2E 69 6E 69 74 72 64 2E 70 73 33 2E 62 69 6E 00  .initrd.ps3.bin.
     [...]                                                                        large data area
    0E9C0030  FF FE FC FF ED CF FF 07 DE FD A4 A3 A8 88 54 00  ÿþüÿíÏÿ.Þý¤£¨ˆT.
    0E9C0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     [...]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   large 00 filled block region
    0EB3FFE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0EB3FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0EB40000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    0EB40010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
     [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region
    0EFBFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    0EFBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   (if dumped from GameOS, dump ends here, cutting off bootldr)

Dumping your flash

There are many ways to dump your flash; choose the one that best fits you. Some people are studying the flash. If you can help by providing a dump (especially if you have a debug console), look for them on IRC: EFnet #ps3dev

Payload

Uncomment dump_dev_flash() in graf_payloads, then compile and run the payload

see Graf's_PSGroove_Payload for more info

Linux

Using graf_chokolo kernel with /dev/ps3nflasha access

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024

Hardware

see Hardware flashing

Dump NAND/NOR from GameOS

dump_flash.pkg // backup/mirror: dump-flash+syscon.rar (280.51 KB)
Make sure USB stick is FAT32 with enough free space (16MB per dump)

remark: NAND dumps are 239MB because HV masks bootldr, see Hardware flashing #Difference between hardware dumps and software dumps

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        ptr = pkg + 0x10 + 0x30 * i;

        offset = be64(ptr + 0x00);
        size   = be64(ptr + 0x08);

        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

        /* size is a u64, so print it with a matching format specifier */
        printf("unpacking %s (size: %llu bytes)...\n", name, (unsigned long long)size);
        memcpy_to_file((char *)name, pkg + offset, size);
}

static void unpack_pkg(void)
{
        u32 n_files;
        u64 size;
        u32 i;

        n_files = be32(pkg + 4);
        size = be64(pkg + 8);

        for (i = 0; i < n_files; i++)
                unpack_file(i);
}

int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* kludge for header, i do not do sanity checks at the moment */
        pkg += 1024;

        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}

Source: http://rms.grafchokolo.com/?p=25
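The unpacker above uses the entry count, offsets, sizes and names from the dump without checking them. The following is an added example, not part of rms's tool: a bounds-checked walk of the same table layout (16-byte header with the count at +4, 0x30-byte entries holding a big-endian offset, size and 0x20-byte name, offsets relative to the table start as in norunpkg). The function names and the sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All integers in the flash file table are stored big-endian. */
static uint64_t rd_be(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}
static void wr_be(uint8_t *p, uint64_t v, int n) {
    while (n--) { p[n] = (uint8_t)v; v >>= 8; }
}

/* Returns the entry count, or -1 if any field would send an unpacker
 * outside tbl[0..len) or yield an unsafe output file name. */
int check_table(const uint8_t *tbl, size_t len) {
    if (len < 0x10) return -1;
    uint64_t n = rd_be(tbl + 4, 4);
    if (n > (len - 0x10) / 0x30) return -1;        /* entry array must fit */
    for (uint64_t i = 0; i < n; i++) {
        const uint8_t *e = tbl + 0x10 + 0x30 * i;
        uint64_t off = rd_be(e, 8), size = rd_be(e + 8, 8);
        char name[0x21] = {0};                     /* 0x20 bytes + NUL */
        memcpy(name, e + 0x10, 0x20);
        if (off > len || size > len - off) return -1;   /* off+size cannot wrap */
        if (!name[0] || strchr(name, '/') || strchr(name, '\\')) return -1;
    }
    return (int)n;
}

/* Helper for building constructed sample tables. */
void put_entry(uint8_t *tbl, int i, uint64_t off, uint64_t size, const char *name) {
    uint8_t *e = tbl + 0x10 + 0x30 * i;
    wr_be(e, off, 8);
    wr_be(e + 8, size, 8);
    strncpy((char *)e + 0x10, name, 0x20);
}

int main(void) {
    static uint8_t img[0x1000];                    /* constructed, not a real dump */
    wr_be(img + 4, 2, 4);
    put_entry(img, 0, 0x400, 0x200, "asecure_loader");
    put_entry(img, 1, 0x600, 0x100, "eEID");
    printf("valid table: %d\n", check_table(img, sizeof img));
    put_entry(img, 1, 0x600, 0xFFFFFFFFFFFFFF00ULL, "eEID");  /* size past end */
    printf("oversized entry: %d\n", check_table(img, sizeof img));
    return 0;
}
```

In a real unpacker `len` would be the mapped file size minus the 1024 bytes skipped before the table.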

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
	     char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  int iRes, iSize;

  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
	  iEidCount, pFile, iInputSize, iInputSize);

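  szBuf = (char *) malloc (iInputSize + 1);
  /* prefix + one digit + terminating NUL */
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);

  if (szBuf == NULL || szFilename == NULL)
    {
      perror ("malloc");
      exit (1);
    };

  /* fread returns the number of whole items read: 1 on success */
  iSize = fread (szBuf, iInputSize, 1, pFile);
  if (iSize != 1)
    {
      fprintf (stderr, "short read on EID%d\n", iEidCount);
      exit (1);
    };

  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  if (pOutput == NULL)
    {
      perror ("fopen");
      exit (1);
    };
  iRes = fwrite (szBuf, iInputSize, 1, pOutput);

  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    };

  fclose (pOutput);
  free (szFilename);
  free (szBuf);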
}

int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;

  /* both the eEID file and the output name prefix are required */
  if (argc != 3)
    {
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
      perror ("fopen");
      exit (1);
    }

  pPrefix = argv[2];

  /* the EID sections are read back to back, starting at offset 0x70 */
  fseek (pFile, 0x70, SEEK_SET);

  DumpEidData (pFile, 2144, 0, pPrefix);
  DumpEidData (pFile, 672, 1, pPrefix);
  DumpEidData (pFile, 1840, 2, pPrefix);
  DumpEidData (pFile, 256, 3, pPrefix);
  DumpEidData (pFile, 48, 4, pPrefix);
  DumpEidData (pFile, 2560, 5, pPrefix);

  fclose (pFile);
  return 0;
}

Source: http://rms.grafchokolo.com/?p=59

Flash Samples

Here are some samples of NOR Flash for your dissection. These are taken from different consoles.