SC EEPROM

From PS3 Developer wiki
Revision as of 12:22, 11 July 2012 by Naehrwert (talk | contribs) (moar sc eeprom infos)
Jump to: navigation, search

Most of the information we have about the sc eeprom comes from graf_chokolo reverse engineering of the HV see Hypervisor Reverse Engineering

Here is where system flags, tokens and hashes are stored.

Right now most of the comunication we have with the sc eeprom is through linux using graf_chokolo ps3dm-utils and/or using his payloads.

Important Offsets

EEPROM Offset Table - Flags and Tokens

Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):

Offset Size Description
0x02FF8 1 Factory Bit
0x48C02 1 (unknown)
0x48C06 1 FSELF Control Flag
0x48C07 1 Product Mode (UM allows to read this offset, it can be also written but only when already in product mode)
0x48C0A 1 QA Flag
0x48C0B 1 mode_auth_flag
0x48C0C 1 (unknown)
0x48C0D 1 (unknown)
0x48C13 1 Device Type
0x48C18 0x4 (unknown)
0x48C1C 0x4 (unknown)
0x48C30 1 SPE number Usally 0x06, can be set to 0x07 to enable the 8 SPE
0x48C31 4 (unknown)
0x48C35 8 (unknown)
0x48C42 1 HDD Copy Mode
0x48C43 4 (unknown)
0x48C50 0x10 Debug Support Flag
0x48C60 1 Update Status
0x48C61 1 Recover Mode Flag
0x48D3E 0x50 QA Token (UM doesn't allow access to this offset but SC Manager can read/write it)
0x48D8E 0x50 mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth)

In a standard mostly untouched ps3 the common value for this flags is 0xFF wich means not active, anything else means active (e.g. 0xFE)

To change this to an active status you have to write 0x00 to turn on the flag

Debug support flag is tied to EID which is supposed to be hashed and saves in SC EEPROM

QA flag is tied to QA token that is also saved in this part of the SC EEPROM

lv0 SC EEPROM usage

[*] lv0 NVS regions:
	# start_offset end_offset block   size
	0 0x00         0x12       0x48000 0x13
	1 0x00         0x0B       0x48800 0x0C
	2 0x00         0x1F       0x48C00 0x20
	3 0x22         0x24       0x48C00 0x03
	4 0x30         0x3C       0x48C00 0x0D
	5 0x40         0x4F       0x48C00 0x10
	6 0x80         0x8F       0x48C00 0x10
	7 0x90         0xBF       0x48C00 0x30
	8 0x00         0x0B       0x48D00 0x0C
	9 0x20         0x27       0x48D00 0x08
	A 0x3E         0x8D       0x48D00 0x50
	B 0x28         0x3F       0x48D00 0x18

[*] lv0 SC EEPROM usage:
	name                 addr    size structure
	dgbe_config          0x48D00 0x0C [0x04 ip_addr, 0x04 ip_netmask, 0x04 ip_gateway]
	restrict_spu         0x48C30 0x01 [0x01 flag]
	sata_param           0x48C31 0x04 [0x04 flag]
	os_bank_indicator    0x48C24 0x01 [0x01 flag]
	cellos_spu_configure 0x48C33 0x04 [0x04 config]
	flash_ext_format     0x48C13 0x01 [0x01 flag]
	cellos_flags         0x48C0F 0x02 [0x02 flags]
	qaf_enable           0x48C0A 0x01 [0x01 flag]
	UNKNOWN (debug?)     0x48C08 0x01 [0x01 flag]
	fself_ctrl           0x48C06 0x01 [0x01 flag]
	select_dgbe_device   0x48C03 0x01 [0x01 index]
	os_boot_order_flag   0x48C00 0x01 [0x01 flag]
	qa_token             0x48D3E 0x50 [0x50 token]
	UNKNOWN              0x48804 0x04 [0x04 value]
	UNKNOWN              0x48D20 0x08 [0x08 value]
	UNKNOWN              0x48CB8 0x08 [0x08 value]
	UNKNOWN              0x48CB0 0x08 [0x08 value]
	UNKNOWN              0x48CA8 0x08 [0x08 value]
	UNKNOWN              0x48CA0 0x08 [0x08 value]
	UNKNOWN              0x48C98 0x08 [0x08 value]
	UNKNOWN              0x48C90 0x08 [0x08 value]
	UNKNOWN              0x48C88 0x08 [0x08 value]
	UNKNOWN              0x48C80 0x08 [0x08 value]
	be_nclck_flag2       0x48C23 0x01 [0x01 flag]
	be_nclck_flag1       0x48C22 0x01 [0x01 flag]
	select_net_device    0x48C02 0x01 [0x01 index]
	spr_tbuw_value       0x48C35 0x08 [0x08 value]
	bootrom_trace_level  0x48C11 0x01 [0x01 level]

System Data From EEPROM

Here is the list of possible EEPROM offsets:

Index SC EEPROM Offset Size Of Data Description
0 0x48D20 6 ?
1 0x48D28 6 ?
2 0x48D30 6 ?
3 0x48D38 6 ?
4 0x48D00 4 ?
5 0x48D04 4 ?
6 0x48D08 4 ?

Dumpable EEPROM Offset - Block ID and Block Offset Mapping Table (NVS Service)

Right now we only have read access to some portions of the eeprom to have access to this regions DM needs to be patched, see section dumping eeprom

EEPROM Offset Block ID Block Offset Description
0x48000 - 0x480FF 0x00 0x48000 - 0x480FF ?
0x48800 - 0x488FF 0x01 0x48800 - 0x488FF ?
0x48C00 - 0x48CFF 0x02 0x48C00 - 0x48CFF Contains flags and tokens/ see above
0x48D00 - 0x48DFF 0x03 0x48D00 - 0x48DFF System Data Region
0x2F00 - 0x2FFF 0x10 0x2F00 - 0x2FFF "Industry Area" aka OS Version Area
0x3000 - 0x30FF 0x20 0x3000 - 0x30FF "CS Area"
All other offsets Invalid Invalid ?

Dumping your SC EEPROM

Linux

First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts.

If you are ready.

Patch DM using linux_hv_scripts

dmpatch.sh

Read the data from the region you want for example (see tables above)

ps3dm_scm /dev/ps3dmproxy 0x48000 0xFF

You can see some coolstuff that containing dumps

Hashes

Where exactly the hashes are stored is still a secret, it is said that those hashes are stored in SC EEPROM

To retrive the information about the packages you have installed you can also use ps3d_utils

Linux

Installed Package info

ps3dm_um /dev/ps3dmproxy get_pkg_info TYPE

Examples


get_pkg_info 1 - Core OS package

	
		0003004100000000

get_pkg_info 2 - Revoke List for program

	
		0003004100000000

get_pkg_info 3 - Revoke list for package

		0002003000000000

get_pkg_info 4

		deadbeaffacebabe

get_pkg_info 5

		deadbeaffacebabe

get_pkg_info 6 - Firmware Package

		0003005000000000


You can find more information about this in Hypervisor Reverse Engineering


Hashes

What algorithm is used and what exactly is hashed is still unknown (seems that the content of files is hashed by the SHA-1).

ps3dm_scm /dev/ps3dmproxy get_region_data ID

This hashes are checked by lv1 to make sure that the data has not been altered throgh scm_get_region_data: get_result: ret[X]: 0x%x

Examples



region_data 0 - Core OS package

00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb 

region_data 1

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 2

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 3 //Revoke List for program?

	
00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 4

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 5 //Revoke List for package?

		
00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

region_data 6

	
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 7

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 8 - BD Firmware Package

	
00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

region_data 9

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 10

	
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 11

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 12

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 13

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 14

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 15

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

Tokens

Here we will document the different types off tokens known in the PS3 All tokens are tied? encrypted? using EID0. They enable additional repository nodes.

List

Token Location Size SPU module Description
qa_token sc_eeprom - 0x48D3E 0x50 spu_token_processor.self
user_token ? ? spu_utoken_processor.self Encrypted/Signed
token_seed ? ? ? This is used to create the token with EID0

Token Seed

?

Structure

This section has to be corrected, is only based on debug strings, we need to decrypt the tokens

Token Seed

?

QA Token

User Token

Address Size Description
? ? m_magic
? ? m_format_version
? ? m_size
? ? m_capability
? ? m_expire_date
? ? m_idps?
? ? m_attribute
? ? m_digest

For every atribute in the token

Address Size Description
? ? attr:m_type
? ? attr:m_size
? ? attr:m_data