Editing Flash-Main
Latest revision | Your text | ||
Line 7: | Line 7: | ||
'''reference files:''' | '''reference files:''' | ||
* [http://www.file-upload.net/download-8560871/ps4nordmp_1.06_without_Mac-Serial.rar.html PS4 NOR Dump 1.06 (without MAC | * [http://www.file-upload.net/download-8560871/ps4nordmp_1.06_without_Mac-Serial.rar.html PS4 NOR Dump 1.06 (without MAC Adress & Console-ID)] | ||
* [http://www.file-upload.net/download-8671579/PS4NORDump_1.61_wo_MAC_and_CS.rar.html PS4 NOR Dump 1.61 (without MAC | * [http://www.file-upload.net/download-8671579/PS4NORDump_1.61_wo_MAC_and_CS.rar.html PS4 NOR Dump 1.61 (without MAC Adress & Console-ID)] | ||
* [http://www.file-upload.net/download-10118036/ps4nordmp_1.61_E0_wo_MAC-SERIAL.rar.html PS4 NOR Dump 1.61 E0 (without MAC | * [http://www.file-upload.net/download-10118036/ps4nordmp_1.61_E0_wo_MAC-SERIAL.rar.html PS4 NOR Dump 1.61 E0 (without MAC Adress & Console-ID)] that update seem's to fixed a nasty bug on my console, need to do more test... | ||
**hint for FW 1.61 E0: fw version is still the same (1.61) also the fw counter is still 3 but now have E0 added to it. | **hint for FW 1.61 E0: fw version is still the same (1.61) also the fw counter is still 3 but now have E0 added to it. | ||
'''other reference files:''' | '''other reference files:''' | ||
* [https://mega.co.nz/#!EAxCTYBS!d5yVsovxbnQcfc1ymiLiIaDD8MMQELs16NaBQUqgRDI PS4 TEST KIT NOR Dump 1.010.031 and 1.500.101 (without MAC | * [https://mega.co.nz/#!EAxCTYBS!d5yVsovxbnQcfc1ymiLiIaDD8MMQELs16NaBQUqgRDI PS4 TEST KIT NOR Dump 1.010.031 and 1.500.101 (without MAC Adress & Console-ID)] | ||
* [https://mega.co.nz/#!ZMhk2A7Y!F9ndK7BhombPNio2fPse6tFGfln-gQS9bV47LRiNSZo PS4 #1 NOR Dump 1.1 and 1.51 (without MAC | * [https://mega.co.nz/#!ZMhk2A7Y!F9ndK7BhombPNio2fPse6tFGfln-gQS9bV47LRiNSZo PS4 #1 NOR Dump 1.1 and 1.51 (without MAC Adress & Console-ID)] | ||
* [https://mega.co.nz/#!QZp00ZYJ!ukBiwwx_y_HEyJvXY2a4FGqZRbOKAolWEE13dIlb9WA PS4 #2 NOR Dump 1.1 and 1.51 (without MAC | * [https://mega.co.nz/#!QZp00ZYJ!ukBiwwx_y_HEyJvXY2a4FGqZRbOKAolWEE13dIlb9WA PS4 #2 NOR Dump 1.1 and 1.51 (without MAC Adress & Console-ID)] | ||
'''notes:''' Console A & B are 2 Compared from same Region and Version. Console C is from Region: EU and Version: 1.06 | '''notes:''' Console A & B are 2 Compared from same Region and Version. Console C is from Region: EU and Version: 1.06 | ||
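Review bot: the link text added to all five NOR dump entries in this block spells "Adress"; it should be "Address" in each, e.g. "PS4 NOR Dump 1.06 (without MAC Address & Console-ID)". The remark appended to the 1.61 E0 entry ("that update seem's to fixed a nasty bug on my console, need to do more test...") is an unconfirmed personal observation and would read better as its own line under the "**hint for FW 1.61 E0" note, marked as untested, rather than inside the download link's description. Since every dump is hosted on a third-party file sharer, listing a checksum per archive (clearly labelled as the uploader's) would let readers confirm they downloaded an intact file before comparing it against their own flash.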
Line 39: | Line 39: | ||
= Offsets = | = Offsets = | ||
* 0x0 <- Header (0x1000) | |||
* 0x1000 <- Unk (0x1000) | |||
* | * 0x2000 <- MBR1 (0x1000) (for sflash0s1.cryptx3b) | ||
* | * 0x3000 <- MBR2 (0x1000) (for sflash0s1.cryptx3) | ||
* | * 0x4000 <- sflash0s0x32b (emc_ipl) (0x60000) | ||
* | * 0x64000 <- sflash0s0x32 (emc_ipl) (0x60000) | ||
* | * 0xC4000 <- sflash0s0x33 (eap_kbl) (0x80000) | ||
* | * 0x144000 <- sflash0s0x34 (wifi fw) (0x80000) | ||
* | * 0x1C4000 <- sflash0s0x38 (nvs) (0xC000) | ||
* | * 0x1D0000 <- sflash0s0x0 (blank1) (0x30000) | ||
* | * 0x200000 <- Header2 (0x1000) | ||
* | * 0x201000 <- Unk 2(0x1000) | ||
* | * 0x202000 <- MBR3(0x1000) (for sflash0s1.cryptx2b) | ||
* | * 0x203000 <- MBR4(0x1000) (for sflash0s1.cryptx2) | ||
* | * 0x204000 <- sflash0s1.cryptx2b (sam_ipl/secure loader) (0x3E000) | ||
* | * 0x242000 <- sflash0s1.cryptx2 (sam_ipl/secure loader) (0x3E000) | ||
* | * 0x280000 <- sflash0s1.cryptx1 (idata) (0x80000) | ||
* | * 0x300000 <- sflash0s1.cryptx39 (bd_hrl?) (0x80000) | ||
* | * 0x380000 <- sflash0s1.cryptx6 (Virtual TRM) (0x40000) | ||
* | * 0x3C0000 <- sflash0s1.cryptx3b (secure kernel, secure modules) (0xCC0000) | ||
* | * 0x1080000 <- sflash0s1.cryptx3 (secure kernel, secure modules) (0xCC0000) | ||
* | * 0x1D40000 <- sflash0s1.cryptx40 (blank2) (0x2C0000) | ||
* | |||
* | |||
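Review bot: the first two entries of the list (0x0 Header (0x1000) and 0x1000 Unk (0x1000)) appear only in the left column, while the right column keeps their second-bank counterparts "0x200000 <- Header2 (0x1000)" and "0x201000 <- Unk 2(0x1000)"; if dropping them was not intended they should be restored, and the two trailing empty "*" bullets should be removed. The rest of the table is internally consistent: every offset equals the previous offset plus the previous size, and the last entry (0x1D40000 + 0x2C0000) ends exactly at 0x2000000, i.e. a 32 MiB NOR, which is worth stating once at the top of the section as a sanity check for readers measuring their own dump. The "b" suffix (sflash0s0x32b, sflash0s1.cryptx2b, sflash0s1.cryptx3b) is used throughout without being defined; a one-line legend saying what the suffixed copy is relative to the unsuffixed one would help.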
= MBR Types = | = MBR Types = | ||
< | <pre> | ||
typedef struct { | typedef struct | ||
{ | |||
unsigned int offset; | |||
unsigned int size; | |||
unsigned char flag1; | |||
unsigned char flag2; | |||
unsigned short unknown; | |||
unsigned long padding; | |||
} __attribute__((packed)) partition_t; | } __attribute__((packed)) partition_t; | ||
typedef struct | typedef struct | ||
{ | |||
uint8_t sony[0x20]; | |||
uint32_t version; | |||
uint32_t total_size; | |||
uint64_t padding; | |||
uint32_t flag1; | |||
uint32_t flag2; | |||
uint64_t padding2; | |||
partition_t partitions[16]; | |||
} __attribute__((packed)) master_block_t; | |||
uint8_t | |||
uint32_t version; | |||
uint32_t | |||
uint64_t | |||
uint32_t | |||
uint32_t | |||
uint64_t | |||
partition_t partitions[16]; | |||
} __attribute__((packed)) | |||
</pre> | </pre> | ||
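Review bot: in partition_t the last field is declared "unsigned long padding;", whose width is 4 bytes on 32-bit and Windows 64-bit ABIs but 8 bytes on LP64 Linux/macOS, so sizeof(partition_t) is 16 or 20 depending on where the struct is compiled, and master_block_t (which uses stdint types consistently) changes size with it. For an on-flash layout the padding should be a fixed-width type, uint32_t or uint64_t, whichever matches the real entry size. It would also help to comment which of flag1/flag2 the parser in the next block prints as "type=" and "active?=", since the struct and the output use different names for the same bytes.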
Line 128: | Line 93: | ||
<pre> | <pre> | ||
Partition 0, off=0x2000, sz=0x60000, type= | Partition 0, off=0x2000, sz=0x60000, type=0x32, active?=0x1 | ||
Partition 1, off=0x62000, sz=0x60000, type= | Partition 1, off=0x62000, sz=0x60000, type=0x32, active?=0x0 | ||
Partition 2, off=0xc2000, sz=0x80000, type= | Partition 2, off=0xc2000, sz=0x80000, type=0x33, active?=0x1 | ||
Partition 3, off=0x142000, sz=0x80000, type= | Partition 3, off=0x142000, sz=0x80000, type=0x38, active?=0x1 | ||
Partition 4, off=0x1c2000, sz=0xc000, type= | Partition 4, off=0x1c2000, sz=0xc000, type=0x34, active?=0x1 | ||
Partition 5, off=0x1ce000, sz=0x30000, type=0x0, active?=0x1 | Partition 5, off=0x1ce000, sz=0x30000, type=0x0, active?=0x1 | ||
</pre> | </pre> | ||
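Review bot: the type values for partitions 3 and 4 disagree with the Offsets section: here partition 3 (off=0x142000, sz=0x80000) is type=0x38 and partition 4 (off=0x1c2000, sz=0xc000) is type=0x34, while the Offsets list names 0x144000 (0x80000) as sflash0s0x34 (wifi fw) and 0x1C4000 (0xC000) as sflash0s0x38 (nvs). One of the two is wrong and the type bytes should be re-read from the MBR at 0x2000 to settle it. Separately, every off= value here is exactly 0x2000 below the absolute address in the Offsets section (0x2000 vs 0x4000, 0x62000 vs 0x64000, ... 0x1ce000 vs 0x1D0000), so the dump should say which base the MBR offsets are relative to, otherwise readers will seek to the wrong place.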
Line 623: | Line 588: | ||
==== 0x1C9080 ACF (Dev/Test) ==== | ==== 0x1C9080 ACF (Dev/Test) ==== | ||
Length = 104 bytes. (0x68) | |||
There is a structure which i found out. | |||
First you have the ACF Magic 4 bytes 0x61 0x63 0x66 0x00. | |||
Then you have always first, 4 bytes that are constant, following by a value which hase a constant length. | |||
0x01020000 (reversed 0x00002001) following 16 bytes. | |||
0x03000000 (reversed 0x00000003) following by 8 bytes. | |||
8 byte structure is as follows: | |||
* 4 bytes -> start activation date (timestamp, little endian) | |||
* 4 bytes -> end activation date (timestamp, little endian, exactly 90 days after) | |||
0x00000000 (reversed 0x00000000) folowing by 64 bytes. | |||
Only on Testkit/Devkit, seems to be a(ctivation) c(control) f(lags) (speculative, needs to be studied) : | |||
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
001C9080 61 63 66 00 01 02 00 00 D6 B1 DA DE C7 82 7A A4 acf.....Ö±ÚÞÇ‚z¤ | |||
001C9090 21 AE 4E D0 D9 BF B1 1A 03 00 00 00 11 55 E2 52 !®NÐÙ¿±......UâR | |||
001C90A0 11 FC 58 53 00 00 00 00 CC B4 CD 3A 0A F5 C0 F4 .üXS....Ì´Í:.õÀô | |||
001C90B0 4F 04 6B C3 95 16 E6 D8 FB 0B F2 56 B0 3B BA 00 O.kÕ.æØû.òV°;º. | |||
001C90C0 26 B0 D3 BA 55 5F B0 40 0F 54 34 22 E1 E4 DA A7 &°ÓºU_°@.T4"áäÚ§ | |||
001C90D0 D1 7D EE BC EF 03 3C 23 37 EE 10 EB F6 88 1B 85 Ñ}î¼ï.<#7î.ëöˆ.… | |||
001C90E0 35 8F 4B F5 D5 1A C7 3D FF FF FF FF FF FF FF FF 5.KõÕ.Ç=ÿÿÿÿÿÿÿÿ | |||
==== 0x1C91F0 PerConsole (Retail & Dev/Test) ==== | ==== 0x1C91F0 PerConsole (Retail & Dev/Test) ==== | ||
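Review bot: "0x01020000 (reversed 0x00002001)" is a transcription error; byte-reversing 01 02 00 00 gives 0x00000201. The length claim checks out against the hex dump and should be shown that way: 4 (magic) + 4 + 16 + 4 + 8 + 4 + 64 = 104 = 0x68, and the data runs from 0x1C9080 to 0x1C90E7 before the FF filler begins. The two timestamps visible at 0x1C908C and 0x1C9090 ("11 55 E2 52" and "11 FC 58 53", little endian 0x52E25511 and 0x5358FC11) differ by 0x76A700 = 7,776,000 seconds, which is exactly 90 days, so the "exactly 90 days after" statement is confirmed by this sample and the note could say so. Spelling: "hase" and "folowing".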
Line 1,330: | Line 1,321: | ||
==== BwE PS4 NOR Validator ==== | ==== BwE PS4 NOR Validator ==== | ||
[[File:Screenshot norvalidator2.png|300px|thumb|left|Results]] | [[File:Screenshot norvalidator2.png|300px|thumb|left|Results]] | ||
Developed by [[User:BwE]] this application is designed to validate the entire NOR flash of the PS4. | |||
It will check every byte of the flash and read approximately 1800 specific offsets. | |||
Areas that can be repaired easily are labeled as static, meaning it will be the same across all consoles. | |||
Dynamic areas are interchanging either with each firmware revision, the console itself or the model of console. | |||
PerConsole areas (such as the majority of the CID) are unable to be modified. | |||
This | Alternative validations are based on known corruption patterns or expectations. This will be improved with each revision. | ||
MD5 validations are based on known valid consoles (or file sizes) and this is why entropy and the above validation are added as supplementation. | |||
There are various table based validations, which are based on accumulated data from various consoles, these will be improved constantly. | |||
Other validations can use regular expressions which are again, based on accumulated data. | |||
The ambiguity of consoles leads to the usefulness of the WARNING result. If it does not pass the expected result and it does not appear explicitly corrupt it will present a warning. Some areas in the NOR are so extremely dynamic that maybe one in 50 consoles will have it, and for the life of me, I don't know why. | |||
My suggestion is to use this program with a cognizance of the ENTIRETY of the results. If for example the flash presents a low entropy and various warnings throughout, this is a bad sign. If the console has perfect entropy but a large (0x1000) corrupted area then I would also see this as a very bad sign. If there are a few danger results in the filler data, I would not worry too much. | |||
Eventually this program will be more and more reliable. Use it, report your results and help develop it! | |||
The program also features extraction of the NOR, byte reversal and statistics.<br> | |||
As of 1.1 it does not support Dev/Test consoles, but will in the future (most of the code is already in the program). | |||
<pre> | |||
Version History: | |||
1.3.3 (24/1/19) Reworked And Improved Both CID And UNK Sections Again, Added More MD5's, Added Application Version Checker, Removed Colored Bars, Added Comparator & Other Improvements Throughout. | |||
1.3.1 (19/1/19) Added More Validations & MD5's, Repaired Minor Bug. | |||
1.3 (15/1/19) Completely Reworked And Improved The CID Section And Added Additional Validations To The UNK Section & I Also Improved Some Other Validations Throughout. | |||
1.2.6 (18/12/18) Hopefully Fixed 'Black Screen' Issue, Recompiled in 32bit. | |||
1.2.5 (17/12/18) Added 2 New Flags (Possibly Initialization Flag?), Changed Validation Results, Improved Output/Info (HTML), Added MD5's. | |||
1.2 (8/12/18) Improved All Alt Validations, Repaired VTRM1, Internal Typo, Added Repetition Checks. | |||
1.1.1 (29/11/18) Typo Again, Made the SKU not come up as UNLISTED, Added some MD5's. | |||
1.1 (28/11/18) Improved VTRM & CID Validation, Typo Fixes, Better Colours! Whoops! | |||
1.0 (27/11/18) First Release! | |||
</pre> | |||
Developer Website:<br> | |||
https://betterwayelectronics.com.au/ | |||
Direct Link:<br> | |||
https://betterwayelectronics.com.au/BwE_PS4_NOR_Validator.rar | |||
Support/Information Forum:<br> | |||
https://www.psxhax.com/threads/release-bwe-ps4-nor-validator.6139/ | |||
==== BwE PS4 WiFi/BT Patcher & Extractor ==== | |||
This is | [[File:Screenshot2.png|300px|thumb|left|WiFi/BT Results]] | ||
Developed by [[User:BwE]] this application is designed to validate, patch and or extract the [[Flash-Main#0x144000|WiFi/BT Module]] of the PS4. The reason for this is illustrated in [[Software_Wireless_BT#BwE_PS4_WiFi.2FBT_Patcher_.26_Extractor|this page on the wiki]]. It will use MD5, entropy and pattern analysis to determine if and where the module is corrupted. From here it will determine a valid replacement based on the console's expected module version and size. Should there be no matching version available the program will offer you the ability to patch a new header and new module. This methodology is risky, but if this is your only option then it is worth a try. | |||
<pre> | |||
Version 1.3 (19/1/19) | |||
Version 1.2 (27/11/18) Fixed Entropy + Added Better MD5 Validation + Added Better Header Validation | |||
Version 1.1 (25/11/18) Added Entropy + Better Looks | |||
Version 1.1 (4/9/18) First initial release | |||
</pre> | |||
Developer Website:<br> | |||
https://betterwayelectronics.com.au/ | |||
Direct Link:<br> | |||
https://betterwayelectronics.com.au/BwE_PS4_WiFi-BT_Patcher.rar | |||
Support/Information Forum:<br> | |||
https://www.psxhax.com/threads/bwe-ps4-wifi-bt-patcher-extractor-v1-00-by-betterwayelectronics.5936/ | |||
==== BwE PS4 NOR Statistics ==== | |||
[[File:Mainprogram.png|300px|thumb|left|Statistics Results]] | |||
This program, another micro version of [[User:BwE]]'s PS4 NOR Validator, is designed solely to validate your NOR based on statistics only!<br> | |||
Why make this you ask? Entropy and statistics are a well used methodology in the malware analysis field to determine if a binary file is encrypted, and by how much.<br> | |||
What is entropy? Entropy is a method for measuring uncertainty in a series of numbers or bytes. In technical terms, entropy measures the level of difficulty or the probability of independently predicting each number in the series.<br> | |||
What has this got to do with PS4s? Well the PS4's NOR is almost entirely encrypted and so with a collection of known valid NOR's it is possible to determine the level of entropy that represents a valid NOR and what level of entropy would represent a corrupt NOR.<br> | |||
When corruption occurs it will generally wipe out a large chuck of the NOR, cause the NOR to repeat itself or will fill the NOR with junk. All of this will decrease or severely increase the entropy.<br> | |||
Seeing as the PS4 firmware is likely to add more or less complexity with each update I have made avaliable a settings file where you can adjust the predicted statistics.<br> | |||
<pre> | <pre> | ||
Version | Version 1.0 (5/11/18) First initial release | ||
</pre> | </pre> | ||
Developer Website:<br> | |||
https://betterwayelectronics.com.au/ | https://betterwayelectronics.com.au/ | ||
Direct Link:<br> | |||
https://betterwayelectronics.com.au/ | https://betterwayelectronics.com.au/BwE_PS4_NOR_Statistics.rar | ||
Support/Information Forum:<br> | |||
https://www.psxhax.com/threads/bwe-ps4-nor-statistics-v1-00-by-betterwayelectronics.6074/ | |||
{{Reverse Engineering}} | {{Reverse Engineering}} | ||
<noinclude>[[Category:Main]]</noinclude> | <noinclude>[[Category:Main]]</noinclude> |
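Review bot: the WiFi/BT Patcher version history lists "Version 1.1" twice (25/11/18 and 4/9/18), and "Version 1.3 (19/1/19)" carries no description; the earlier entry is presumably 1.0 and 1.3 should say what changed. In the same section the sentence "This methodology is risky, but if this is your only option then it is worth a try" would be stronger if it told the reader to keep an unmodified copy of the original dump before writing a patched image back, since the validator and statistics tools described just above depend on having a pristine reference to compare against. Typos in the NOR Statistics text: "chuck" (chunk), "avaliable" (available), "well used" (well-used); and "known valid NOR's" should be "NORs".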