Talk:SC EEPROM

From PS3 Developer wiki
Jump to navigation Jump to search

Memory test diagnosis NVS flag

There is a NVS flag which enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows memtest diagnose.

Pseudo-code:

def check_bootrom_diag_mode(mode, param)
        diag_mode = get_eeprom_bootrom_diag()
        if diag_mode & 0x1:
                if diag_mode & 0x100:
                        return 0
                mode = (diag_mode >> 3) & 0x1
                param = (diag_mode >> 3) & 0x1
        else:
                mode = (diag_mode >> 1) & 0x1
                param = -1
        return 1

EEPROM Dumps

EEPROM Strings (CP memory dump, DECR)

http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK

Bus Pirate stuff

http://i.imgur.com/48rbR51.png

(needs more wikifying)

On standby

  • Note: during this time the plaintext EEPROM is never read even once!
  • Additionally, the areas 0x26B0, 0x26D0 are not read
  • Checks status
  • Unlocks Write Command
  • Reads PATCH top half region
  • Reads PATCH bottom half region
  • Reads 0x2790?(0x20)
  • Reads 0x27B0?(0x10)
  • Reads 0x26D0 (0x10)
  • Reads some configs? (around >0x31XX area)
  • Reads 0x0 (0x10)
  • Reads some configs?
  • Reads 0x10(0x280) (EID1)?
  • Reads 0x3A00 (0x1)
  • Reads 0x290 (0x10) (EID1 CMAC?)
  • Reads 0x2A0 (0x20)
  • Reads 0x2C0 (0x20)
  • Reads 0x2E0 (0x20)
  • Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
  • ReReads EID1 and CMAC
  • Reads 0x360
  • Reads 0x370
  • Writes (again) mostly ff's to 0x360 and 0x370
  • ReReads EID1 and CMAC
  • Does same process with 0x460 and 0x470
  • Reads 0x2710 and 0x2730 (0x20,0x10) ???
  • Reads 0x2700 (0x10)
  • fini!

MemoryMap Syscon BB Chip

0x1000-0x1FFF:PTCH Region (patch written here)

Nice read about Syscon EEPROM

http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/

Experimental table

The goal is to join together all the "memory map" info in a single table

Round 1
Area SPI / UART Syscall 863 Data Name Notes
Name Size Mullion Sherwood EEP
whitelist
NVS
ID
Block
ID
UM whitelist SCM whitelist Offset Size
CXR713 CXR714 SW/2/3 Read Write Read Write
Patch Part 1 0x400 0x2800 0x2800 ? No* N/A N/A No No No No 0x02800 0x400 Syscon Firmware Patch (top half)
OS Version Area
a.k.a.
Industry Area
0x100 0x2F00 0x2F00 0xE00 Yes 0x20 0x10 Yes No Yes No 0x02F00 0x08 Manufacturing Update Release Version
Yes No Yes No 0x02F08 0x18 Manufacturing Update Build Version + Build Date
Yes No Yes No 0x02F20 0x08 Manufacturing Update Build Target ID
Yes No Yes No 0x02F28 0xD0 Undocumented
Yes No Yes No 0x02FF8 0x01 Factory Bit
Yes No Yes No 0x02FF9 0x07 Undocumented


Round 2
Area SPI / UART Syscall 863 Data Name Notes
Name Size Mullion Sherwood whitelist Block ID
NVS Region
whitelist Offset Size
CXR713 CXR714 SW/2/3 EEP DM UM SCM
Patch Part 1 0x400 0x2800 0x2800 0x2000 ? No* N/A No No No 0x02800 0x400 Syscon Firmware Patch (top half)
OS Version Area
a.k.a.
Industry Area
0x100 0x2F00 0x2F00 0xE00 Yes 0x10 No* Yes Yes 0x02F00 0x08 Manufacturing Update Release Version
0x02F08 0x18 Manufacturing Update Build Version + Build Date
0x02F20 0x08 Manufacturing Update Build Target ID
0x02F28 0xD0 Undocumented
0x02FF8 0x01 Factory Bit
0x02FF9 0x07 Undocumented
Flags and Tokens 0x100 0x7200 0x4200 0x1200 Yes 0x02 No* Yes Yes 0x48C00 0x01 OS boot order flag load_image_in_rom (os_boot_order_flag)
0 = Network first
1 = Flash first
No* No Yes 0x48C01 0x01 sys.dbgcard.hostpc force standalone mode related
No* Yes Yes 0x48C02 0x01 Network Debug Interface Mode sys.dbgcard.dgbe / debug interface (select_net_device)
-1 = Ethernet 2
 0 = IFB
 1 = CP
 2 = SB UART
 3 = CP ch4
 5 = Disabled