Editing Flash-Main
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
<div style="float:right">[[File: | <div style="float:right">[[File:ps4nordmp_1_06_raw_gfx.png|200px|thumb|left|PS4 Flash-Main v1.06 gfx]]</div> | ||
'''subject:''' dump of serial flash [[MX25L25635FMI-10G]] for [[CXD90025G]] | '''subject:''' dump of serial flash [[MX25L25635FMI-10G]] for [[CXD90025G]] | ||
Line 7: | Line 5: | ||
'''reference files:''' | '''reference files:''' | ||
* [http://www.file-upload.net/download-8560871/ps4nordmp_1.06_without_Mac-Serial.rar.html PS4 NOR Dump 1.06 (without MAC | * [http://www.file-upload.net/download-8560871/ps4nordmp_1.06_without_Mac-Serial.rar.html PS4 NOR Dump 1.06 (without MAC Adress & Console-ID)] | ||
* [http://www.file-upload.net/download-8671579/PS4NORDump_1.61_wo_MAC_and_CS.rar.html PS4 NOR Dump 1.61 (without MAC | * [http://www.file-upload.net/download-8671579/PS4NORDump_1.61_wo_MAC_and_CS.rar.html PS4 NOR Dump 1.61 (without MAC Adress & Console-ID)] | ||
* [http://www.file-upload.net/download-10118036/ps4nordmp_1.61_E0_wo_MAC-SERIAL.rar.html PS4 NOR Dump 1.61 E0 (without MAC | * [http://www.file-upload.net/download-10118036/ps4nordmp_1.61_E0_wo_MAC-SERIAL.rar.html PS4 NOR Dump 1.61 E0 (without MAC Adress & Console-ID)] that update seem's to fixed a nasty bug on my console, need to do more test... | ||
**hint for FW 1.61 E0: fw version is still the same (1.61) also the fw counter is still 3 but now have E0 added to it. | **hint for FW 1.61 E0: fw version is still the same (1.61) also the fw counter is still 3 but now have E0 added to it. | ||
'''other reference files:''' | '''other reference files:''' | ||
* [https://mega.co.nz/#!EAxCTYBS!d5yVsovxbnQcfc1ymiLiIaDD8MMQELs16NaBQUqgRDI PS4 TEST KIT NOR Dump 1.010.031 and 1.500.101 (without MAC | * [https://mega.co.nz/#!EAxCTYBS!d5yVsovxbnQcfc1ymiLiIaDD8MMQELs16NaBQUqgRDI PS4 TEST KIT NOR Dump 1.010.031 and 1.500.101 (without MAC Adress & Console-ID)] | ||
* [https://mega.co.nz/#!ZMhk2A7Y!F9ndK7BhombPNio2fPse6tFGfln-gQS9bV47LRiNSZo PS4 #1 NOR Dump 1.1 and 1.51 (without MAC | * [https://mega.co.nz/#!ZMhk2A7Y!F9ndK7BhombPNio2fPse6tFGfln-gQS9bV47LRiNSZo PS4 #1 NOR Dump 1.1 and 1.51 (without MAC Adress & Console-ID)] | ||
* [https://mega.co.nz/#!QZp00ZYJ!ukBiwwx_y_HEyJvXY2a4FGqZRbOKAolWEE13dIlb9WA PS4 #2 NOR Dump 1.1 and 1.51 (without MAC | * [https://mega.co.nz/#!QZp00ZYJ!ukBiwwx_y_HEyJvXY2a4FGqZRbOKAolWEE13dIlb9WA PS4 #2 NOR Dump 1.1 and 1.51 (without MAC Adress & Console-ID)] | ||
'''notes:''' Console A & B are 2 Compared from same Region and Version. Console C is from Region: EU and Version: 1.06 | '''notes:''' Console A & B are 2 Compared from same Region and Version. Console C is from Region: EU and Version: 1.06 | ||
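Review bot: the 1.61 E0 entry in the right column carries a first-person remark ("that update seem's to fixed a nasty bug on my console, need to do more test...") after the closing bracket of the link, inside the reference list. Move it to the notes line or the hint bullet beneath it so the list stays a list of files. The restored link labels also spell "Adress" in all six entries; correct to "Address" when publishing.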
Line 37: | Line 35: | ||
'''other files:''' Constant offsets and length in ALL Ps4 block -> [http://www.konsole.rzeszow.pl/ps4/same_block.txt same_block.txt]. Im compare over 10 dumps from diffrent firmware / console. First value is offset of first byte, second is length in byte. All values in decimental. | '''other files:''' Constant offsets and length in ALL Ps4 block -> [http://www.konsole.rzeszow.pl/ps4/same_block.txt same_block.txt]. Im compare over 10 dumps from diffrent firmware / console. First value is offset of first byte, second is length in byte. All values in decimental. | ||
== Content == | == Content == | ||
Line 180: | Line 67: | ||
=== 0x2000 === | === 0x2000 === | ||
==== Magic ==== | ==== Magic ==== | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
00002000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En | 00002000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En | ||
Line 197: | Line 80: | ||
=== 0x3000 === | === 0x3000 === | ||
==== Magic ==== | ==== Magic ==== | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
00003000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En | 00003000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En | ||
Line 213: | Line 92: | ||
=== 0x4000 === | === 0x4000 === | ||
==== SLB2 Magic (MC Stage1) ==== | ==== SLB2 Magic (MC Stage1) ==== | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
00004000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............ | 00004000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............ | ||
Line 257: | Line 132: | ||
=== 0x64000 === | === 0x64000 === | ||
==== SLB2 Magic (MC Stage2) ==== | ==== SLB2 Magic (MC Stage2) ==== | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
00064000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............ | 00064000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............ | ||
Line 291: | Line 162: | ||
=== 0xC4000 === | === 0xC4000 === | ||
==== SLB2 Magic (EAP_KBL) ==== | ==== SLB2 Magic (EAP_KBL) ==== | ||
NOTE: This container only consits of one file + that X800X which is present on every BIOS SLB2. But the data is extracted twice and just written with two diffrent names. One time the TitleID is used C0010001 and the second time a string which hold the file name eap_kbl is used. But both files are identical and extracted by using the same data source. | NOTE: This container only consits of one file + that X800X which is present on every BIOS SLB2. But the data is extracted twice and just written with two diffrent names. One time the TitleID is used C0010001 and the second time a string which hold the file name eap_kbl is used. But both files are identical and extracted by using the same data source. | ||
Line 339: | Line 206: | ||
==== wifi/bluetooth chipset firmware ==== | ==== wifi/bluetooth chipset firmware ==== | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
00144000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............ | 00144000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............ | ||
Line 439: | Line 302: | ||
=== 0x1C4000 (Console Main Informations) === | === 0x1C4000 (Console Main Informations) === | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
001C4000 03 02 01 01 02 01 06 01 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ | 001C4000 03 02 01 01 02 01 06 01 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ | ||
Line 623: | Line 482: | ||
==== 0x1C9080 ACF (Dev/Test) ==== | ==== 0x1C9080 ACF (Dev/Test) ==== | ||
Length = 104 bytes. (0x68) | |||
There is a structure which i found out. | |||
First you have the ACF Magic 4 bytes 0x61 0x63 0x66 0x00. | |||
Then you have always first, 4 bytes that are constant, following by a value which hase a constant length. | |||
0x01020000 (reversed 0x00002001) following 16 bytes. | |||
0x03000000 (reversed 0x00000003) following by 8 bytes. | |||
8 byte structure is as follows: | |||
* 4 bytes -> start activation date (timestamp, little endian) | |||
* 4 bytes -> end activation date (timestamp, little endian, exactly 90 days after) | |||
0x00000000 (reversed 0x00000000) folowing by 64 bytes. | |||
Only on Testkit/Devkit, seems to be a(ctivation) c(control) f(lags) (speculative, needs to be studied) : | |||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
001C9080 61 63 66 00 01 02 00 00 D6 B1 DA DE C7 82 7A A4 acf.....Ö±ÚÞÇ‚z¤ | |||
001C9090 21 AE 4E D0 D9 BF B1 1A 03 00 00 00 11 55 E2 52 !®NÐÙ¿±......UâR | |||
001C90A0 11 FC 58 53 00 00 00 00 CC B4 CD 3A 0A F5 C0 F4 .üXS....Ì´Í:.õÀô | |||
001C90B0 4F 04 6B C3 95 16 E6 D8 FB 0B F2 56 B0 3B BA 00 O.kÕ.æØû.òV°;º. | |||
001C90C0 26 B0 D3 BA 55 5F B0 40 0F 54 34 22 E1 E4 DA A7 &°ÓºU_°@.T4"áäÚ§ | |||
001C90D0 D1 7D EE BC EF 03 3C 23 37 EE 10 EB F6 88 1B 85 Ñ}î¼ï.<#7î.ëöˆ.… | |||
001C90E0 35 8F 4B F5 D5 1A C7 3D FF FF FF FF FF FF FF FF 5.KõÕ.Ç=ÿÿÿÿÿÿÿÿ | |||
==== 0x1C91F0 PerConsole (Retail & Dev/Test) ==== | ==== 0x1C91F0 PerConsole (Retail & Dev/Test) ==== | ||
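Review bot: in the ACF description in the left column, "0x01020000 (reversed 0x00002001)" is not the byte reversal of the tag shown in the dump at 001C9084 (01 02 00 00), which reads 0x00000201 as a little-endian value; correct the parenthetical. The rest of the description agrees with the dump: 4 + (4+16) + (4+8) + (4+64) = 104 = 0x68 bytes, and the two little-endian timestamps at 001C909C and 001C90A0 (0x52E25511 and 0x5358FC11) differ by 7,776,000 seconds, which is exactly 90 days. The right column is empty for this whole block, so publishing the undo removes the section; if that is not the intent, keep the block and fix the tag value instead.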
Line 1,153: | Line 1,038: | ||
[...] huge block | [...] huge block | ||
0037FFF0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " | 0037FFF0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " | ||
=== 0x380000 SCE VTRM Region0 (Retail & Dev/Test) === | === 0x380000 SCE VTRM Region0 (Retail & Dev/Test) === | ||
Line 1,185: | Line 1,068: | ||
=== 0x3A0000 SCE VTRM Region1 (Retail) === | === 0x3A0000 SCE VTRM Region1 (Retail) === | ||
SCEVTRM Magic on 0x3A0048 | |||
Activated | |||
{| class="wikitable" | |||
|- | |||
! Console A !! Console B !! Console C | |||
|- | |||
| <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
00380000 03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | 00380000 03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | ||
00380010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | 00380010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | ||
Line 1,194: | Line 1,083: | ||
00380050 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ | 00380050 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ | ||
00380060 00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00 ................ | 00380060 00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00 ................ | ||
00380070 FF FF FF FF FF FF FF FF FE FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | 00380070 FF FF FF FF FF FF FF FF FE FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
00380000 03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00380010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00380020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00380030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00380040 01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00 ....ÿÿÿÿSCEVTRM. | |||
00380050 17 00 00 00 00 00 00 00 17 00 00 00 00 00 00 00 ................ | |||
00380060 00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00 ................ | |||
00380070 FF FF FF FF FF FF FF FF FC FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
00380000 03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00380010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00380020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00380030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
00380040 01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00 ....ÿÿÿÿSCEVTRM. | |||
00380050 0F 00 00 00 00 00 00 00 0F 00 00 00 00 00 00 00 ................ | |||
00380060 00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00 ................ | |||
00380070 FF FF FF FF FF FF FF FF FC FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre> | |||
|- | |||
|} | |||
{| class="wikitable" | |||
|- | |||
! Console A, B !! Console C | |||
|- | |||
| <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
003801D0 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ | |||
003801E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
[...] filled FF region | |||
003A0160 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
003A0170 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
0039FFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
003A0000 03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF ....ÿÿÿÿÿÿÿÿÿÿÿÿ | |||
003A0010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
[...] filled FF region | |||
003A0040 01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00 ....ÿÿÿÿSCEVTRM. | |||
003A0040 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ | |||
003A0040 00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00 ................ | |||
003A0040 FF FF FF FF FF FF FF FF FE FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿþÿÿÿÿÿÿÿ | |||
003A0050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
[...] filled FF region | |||
003A0160 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ | |||
003A0170 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ</pre> | |||
|- | |||
|} | |||
==== 0x3A0170 VTRM Region1 Digest? (Retail) ==== | ==== 0x3A0170 VTRM Region1 Digest? (Retail) ==== | ||
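Review bot: in the Console C column of the second table, four consecutive rows are labelled 003A0040 (the SCEVTRM row and the three after it), followed by a 003A0050 row of FF. The same four-row pattern in the first table runs 00380040 to 00380070, so these offsets look mis-numbered and the rows after them need renumbering too. The first table also uses 0x380000-based offsets although the heading and the "SCEVTRM Magic on 0x3A0048" line refer to Region1 at 0x3A0000; state which region each dump was taken from. The ASCII column is inconsistent as well: 03 00 00 00 renders as "ü" at 00380000 but as "...." at 003A0000, and the FE/FC byte at offset 0x78 renders as "ÿ" in the first table. The right column is empty here, so the undo drops both tables.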
Line 1,255: | Line 1,187: | ||
=== 0x3C0000 (CoreOS) === | === 0x3C0000 (CoreOS) === | ||
0x1980000 datablock | 0x1980000 datablock | ||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||
003C0000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ | 003C0000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ | ||
Line 1,326: | Line 1,258: | ||
|- | |- | ||
|} | |} | ||
{{Reverse Engineering}} | {{Reverse Engineering}} | ||
<noinclude>[[Category:Main]]</noinclude> | <noinclude>[[Category:Main]]</noinclude> |