Flash-Main: Difference between revisions

From PS4 Developer wiki
Jump to navigation Jump to search
 
(22 intermediate revisions by 5 users not shown)
Line 7: Line 7:
'''reference files:'''  
'''reference files:'''  


* [http://www.file-upload.net/download-8560871/ps4nordmp_1.06_without_Mac-Serial.rar.html PS4 NOR Dump 1.06 (without MAC Adress & Console-ID)]
* [http://www.file-upload.net/download-8560871/ps4nordmp_1.06_without_Mac-Serial.rar.html PS4 NOR Dump 1.06 (without MAC address & ConsoleId)]
* [http://www.file-upload.net/download-8671579/PS4NORDump_1.61_wo_MAC_and_CS.rar.html PS4 NOR Dump 1.61 (without MAC Adress & Console-ID)]
* [http://www.file-upload.net/download-8671579/PS4NORDump_1.61_wo_MAC_and_CS.rar.html PS4 NOR Dump 1.61 (without MAC address & ConsoleId)]
* [http://www.file-upload.net/download-10118036/ps4nordmp_1.61_E0_wo_MAC-SERIAL.rar.html PS4 NOR Dump 1.61 E0 (without MAC Adress & Console-ID)] that update seem's to fixed a nasty bug on my console, need to do more test...
* [http://www.file-upload.net/download-10118036/ps4nordmp_1.61_E0_wo_MAC-SERIAL.rar.html PS4 NOR Dump 1.61 E0 (without MAC address & ConsoleId)] that update seem's to fixed a nasty bug on my console, need to do more test...
**hint for FW 1.61 E0: fw version is still the same (1.61) also the fw counter is still 3 but now have E0 added to it.
**hint for FW 1.61 E0: fw version is still the same (1.61) also the fw counter is still 3 but now have E0 added to it.


'''other reference files:'''  
'''other reference files:'''  


* [https://mega.co.nz/#!EAxCTYBS!d5yVsovxbnQcfc1ymiLiIaDD8MMQELs16NaBQUqgRDI PS4 TEST KIT NOR Dump 1.010.031 and 1.500.101  (without MAC Adress & Console-ID)]   
* [https://mega.co.nz/#!EAxCTYBS!d5yVsovxbnQcfc1ymiLiIaDD8MMQELs16NaBQUqgRDI PS4 TEST KIT NOR Dump 1.010.031 and 1.500.101  (without MAC address & Console-ID)]   
* [https://mega.co.nz/#!ZMhk2A7Y!F9ndK7BhombPNio2fPse6tFGfln-gQS9bV47LRiNSZo PS4 #1 NOR Dump 1.1 and 1.51 (without MAC Adress & Console-ID)]  
* [https://mega.co.nz/#!ZMhk2A7Y!F9ndK7BhombPNio2fPse6tFGfln-gQS9bV47LRiNSZo PS4 #1 NOR Dump 1.1 and 1.51 (without MAC address & ConsoleId)]  
* [https://mega.co.nz/#!QZp00ZYJ!ukBiwwx_y_HEyJvXY2a4FGqZRbOKAolWEE13dIlb9WA PS4 #2 NOR Dump 1.1 and 1.51 (without MAC Adress & Console-ID)]  
* [https://mega.co.nz/#!QZp00ZYJ!ukBiwwx_y_HEyJvXY2a4FGqZRbOKAolWEE13dIlb9WA PS4 #2 NOR Dump 1.1 and 1.51 (without MAC address & ConsoleId)]  


'''notes:''' Console A & B are 2 Compared from same Region and Version. Console C is from Region: EU and Version: 1.06
'''notes:''' Console A & B are 2 Compared from same Region and Version. Console C is from Region: EU and Version: 1.06
Line 39: Line 39:
= Offsets =
= Offsets =


* 0x0 <- Header
See [[Codenames]].
* 0x1000 <- Unk
 
* 0x2000 <- MBR1
* 0x00000000 <- Segment 0 Header (0x1000)
* 0x3000 <- MBR2
* 0x00001000 <- Segment 0 Active Slot (0x1000)
* 0x4000 <- sflash0s0x32b (emc_ipl)
* 0x00002000 <- Segment 0 MBR1 (for sflash0s1.cryptx32) (0x1000)
* 0x64000 <- sflash0s0x32 (emc_ipl)
* 0x00003000 <- Segment 0 MBR2 (for sflash0s1.cryptx32b) (0x1000)
* 0xC4000 <- sflash0s0x33 (eap_kbl)
* 0x00004000 <- sflash0s0x32 (0x60000) (emc_ipl)
* 0x144000 <- sflash0s0x34 (wifi fw)
* 0x00064000 <- sflash0s0x32b (0x60000) (emc_ipl)
* 0x204000 <- sflash0s1.cryptx2b (sam_ipl)
* 0x000C4000 <- sflash0s0x33 (0x80000) (eap_kbl)
* 0x242000 <- sflash0s1.cryptx2 (sam_ipl)
* 0x00144000 <- sflash0s0x38 (0x80000) (torus2_fw)
* 0x280000 <- sflash0s1.cryptx1 (idata)
* 0x001C4000 <- sflash0s0x34 (0xC000) (nvs)
* 0x300000 <- sflash0s1.cryptx39 (bd_hrl?)
* 0x001D0000 <- sflash0s0x0 (0x30000) (blank)
* 0x380000 <- sflash0s1.cryptx6 (Virtual TRM)
* 0x00200000 <- Segment 1 Header (XTS encrypted) (0x1000)
* 0x3C0000 <- sflash0s1.cryptx3b (secure loader, secure kernel, secure modules)
* 0x00201000 <- Segment 1 Active Slot (XTS encrypted) (0x1000)
* 0x1080000 <- sflash0s1.cryptx3 (secure loader, secure kernel, secure modules)
* 0x00202000 <- Segment 1 MBR1 (for sflash0s1.cryptx2) (XTS encrypted) (0x1000)
* 0x1D40000 <- sflash0s1.cryptx40 (blank_region)
* 0x00203000 <- Segment 1 MBR2 (for sflash0s1.cryptx2b) (XTS encrypted) (0x1000)
* 0x00204000 <- sflash0s1.cryptx2 (0x3E000) (sam_ipl)
* 0x00242000 <- sflash0s1.cryptx2b (0x3E000) (sam_ipl)
* 0x00280000 <- sflash0s1.cryptx1 (0x80000) (idata)
* 0x00300000 <- sflash0s1.cryptx39 (0x80000) (bd_hrl)
* 0x00380000 <- sflash0s1.cryptx6 (0x40000) (Virtual TRM)
* 0x003C0000 <- sflash0s1.cryptx3 (0xCC0000) (secure kernel, secure modules)
* 0x01080000 <- sflash0s1.cryptx3b (0xCC0000) (secure kernel, secure modules)
* 0x01D40000 <- sflash0s1.cryptx40 (0x2C0000) (blank)
 
= MBR Types =
 
<source lang="C">
typedef struct {
uint32_t start_lba;
uint32_t n_sectors;
uint8_t flag1; // maybe part_id
uint8_t flag2;
uint16_t unknown;
uint64_t padding;
} __attribute__((packed)) partition_t;
 
typedef struct {
uint8_t magic[0x20]; // "SONY COMPUTER ENTERTAINMENT INC."
uint32_t version; // 1
uint32_t mbr1_start; // ex: 0x10
uint32_t mbr2_start; // ex: 0x18
uint32_t unk[4]; // ex: (1, 1, 8, 1)
uint32_t reserved;
uint8_t unused[0x1C0];
} __attribute__((packed)) master_block_v1_t;
 
typedef struct {
uint8_t magic[0x20]; // "Sony Computer Entertainment Inc."
uint32_t version; // 4
uint32_t n_sectors;
uint64_t reserved;
uint32_t loader_start; // ex: 0x11, 0x309
uint32_t loader_count; // ex: 0x267
uint64_t reserved2;
partition_t partitions[16];
} __attribute__((packed)) master_block_v4_t;
</source>
 
= MBR Contents (Example) (Internal) =
 
== MBR 1 and 2 ==
 
<pre>
Partition 0, off=0x2000, sz=0x60000, type=0x20(32), active?=0x0 (ina) (emc)
Partition 1, off=0x62000, sz=0x60000, type=0x20(32), active?=0x1 (act) (emc)
Partition 2, off=0xc2000, sz=0x80000, type=0x21(33), active?=0x1 (act) (eap)
Partition 3, off=0x142000, sz=0x80000, type=0x26(38), active?=0x1 (act) (wifi)
Partition 4, off=0x1c2000, sz=0xc000, type=0x22(34), active?=0x1 (act) (nvs)
</pre>
 
== MBR 3 and 4 ==
 
<pre>
Partition 0, off=0x2000, sz=0x3e000, type=0x2, active?=0x1 (act) (ipl)
Partition 1, off=0x40000, sz=0x3e000, type=0x2, active?=0x0 (ina) (ipl)
Partition 2, off=0x7e000, sz=0x80000, type=0x1, active?=0x1 (act) (idstorage)
Partition 3, off=0xfe000, sz=0x80000, type=0x27(39), active?=0x1 (act) (bd revoke)
Partition 4, off=0x17e000, sz=0x40000, type=0x6, active?=0x1 (act) (vtrm)
Partition 5, off=0x1be000, sz=0xcc0000, type=0x3, active?=0x1 (act) (coreos)
Partition 6, off=0xe7e000, sz=0xcc0000, type=0x3, active?=0x0 (ina) (coreos)
Partition 7, off=0x1b3e000, sz=0x2c0000, type=0x28(40), active?=0x1 (act) (unused)
</pre>
 
= MBR Contents (Example) =
 
== MBR 1 and 2 ==
 
<pre>
Partition 0, off=0x2000, sz=0x60000, type=0x20, active?=0x1 (act)
Partition 1, off=0x62000, sz=0x60000, type=0x20, active?=0x0 (ina)
Partition 2, off=0xc2000, sz=0x80000, type=0x21, active?=0x1 (act)
Partition 3, off=0x142000, sz=0x80000, type=0x26, active?=0x1 (act)
Partition 4, off=0x1c2000, sz=0xc000, type=0x22, active?=0x1 (act)
Partition 5, off=0x1ce000, sz=0x30000, type=0x0, active?=0x1 (act)
</pre>
 
== MBR 3 and 4 ==
 
<pre>
Partition 0, off=0x2000, sz=0x3e000, type=0x2, active?=0x1
Partition 1, off=0x40000, sz=0x3e000, type=0x2, active?=0x0
Partition 2, off=0x7e000, sz=0x80000, type=0x1, active?=0x1
Partition 3, off=0xfe000, sz=0x80000, type=0x39, active?=0x1
Partition 4, off=0x17e000, sz=0x40000, type=0x6, active?=0x1
Partition 5, off=0x1be000, sz=0xcc0000, type=0x3, active?=0x1
Partition 6, off=0xe7e000, sz=0xcc0000, type=0x3, active?=0x0
Partition 7, off=0x1b3e000, sz=0x2c0000, type=0x40, active?=0x1
</pre>


== Content ==
== Content ==
Line 530: Line 623:


==== 0x1C9080 ACF (Dev/Test) ====
==== 0x1C9080 ACF (Dev/Test) ====
Length = 104 bytes. (0x68)
There is a structure which i found out.


First you have the ACF Magic 4 bytes 0x61 0x63 0x66 0x00.
See [[Activation ACF]].
 
Then you have always first, 4 bytes that are constant, following by a value which hase a constant length.
 
0x01020000 (reversed 0x00002001) following 16 bytes.
 
0x03000000 (reversed 0x00000003) following by 8 bytes.
 
8 byte structure is as follows:
 
* 4 bytes -> start activation date (timestamp, little endian)
* 4 bytes -> end activation date (timestamp, little endian, exactly 90 days after)
 
0x00000000 (reversed 0x00000000) folowing by 64 bytes.
 
Only on Testkit/Devkit, seems to be a(ctivation) c(control) f(lags) (speculative, needs to be studied) :
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9080  61 63 66 00 01 02 00 00 D6 B1 DA DE C7 82 7A A4 acf.....Ö±ÚÞÇ‚z¤
001C9090  21 AE 4E D0 D9 BF B1 1A 03 00 00 00 11 55 E2 52 !®NÐÙ¿±......UâR
001C90A0  11 FC 58 53 00 00 00 00 CC B4 CD 3A 0A F5 C0 F4 .üXS....Ì´Í:.õÀô
001C90B0  4F 04 6B C3 95 16 E6 D8 FB 0B F2 56 B0 3B BA 00 O.kÕ.æØû.òV°;º.
001C90C0  26 B0 D3 BA 55 5F B0 40 0F 54 34 22 E1 E4 DA A7 &°ÓºU_°@.T4"áäÚ§
001C90D0  D1 7D EE BC EF 03 3C 23 37 EE 10 EB F6 88 1B 85 Ñ}î¼ï.<#7î.ëöˆ.…
001C90E0  35 8F 4B F5 D5 1A C7 3D FF FF FF FF FF FF FF FF 5.KõÕ.Ç=ÿÿÿÿÿÿÿÿ


==== 0x1C91F0 PerConsole (Retail & Dev/Test) ====
==== 0x1C91F0 PerConsole (Retail & Dev/Test) ====
Line 1,263: Line 1,330:
==== BwE PS4 NOR Validator ====
==== BwE PS4 NOR Validator ====
[[File:Screenshot norvalidator2.png|300px|thumb|left|Results]]
[[File:Screenshot norvalidator2.png|300px|thumb|left|Results]]
Developed by [[User:BwE]] this application is designed to validate the entire NOR flash of the PS4.
It will check every byte of the flash and read approximately 1800 specific offsets.
Areas that can be repaired easily are labeled as static, meaning it will be the same across all consoles.
Dynamic areas are interchanging either with each firmware revision, the console itself or the model of console.
PerConsole areas (such as the majority of the CID) are unable to be modified.


Alternative validations are based on known corruption patterns or expectations. This will be improved with each revision.
This program is the release version of [[User:BwE]]'s PS4 NOR Validator, it is designed solely to validate the NOR flash of your PS4 console!
MD5 validations are based on known valid consoles (or file sizes) and this is why entropy and the above validation are added as supplementation.


There are various table based validations, which are based on accumulated data from various consoles, these will be improved constantly.
Why would you need to do this? Well if your console has suddenly died and has what is called the 'BLOD', the NOR can be the reason why. Using my program will allow you to validate literally every single byte of the NOR (or over 2100 specific areas) - allowing you to see where or if it is corrupted.


Other validations can use regular expressions which are again, based on accumulated data.
The most common area of corruption that causes the BLOD is the CID. Some areas of this section can actually be repaired, if you're lucky! I and others have done this! Don't forget to use my Comparator tool to help you understand what the difference is for a specific section of the NOR. It will help you with patching!


The ambiguity of consoles leads to the usefulness of the WARNING result. If it does not pass the expected result and it does not appear explicitly corrupt it will present a warning. Some areas in the NOR are so extremely dynamic that maybe one in 50 consoles will have it, and for the life of me, I don't know why.
Other areas can be inter-changed between different consoles and are more suited for repair, the WiFi/BT module is a good example of this.


My suggestion is to use this program with a cognizance of the ENTIRETY of the results. If for example the flash presents a low entropy and various warnings throughout, this is a bad sign. If the console has perfect entropy but a large (0x1000) corrupted area then I would also see this as a very bad sign. If there are a few danger results in the filler data, I would not worry too much.
So fundamentally, this program is for console repairers like myself. If you are indeed a repairer and run a business I can make a custom 'bulk' version for you! But for now, feel free to put multiple *.bin files in the working directory as my program will provide a selection menu.


Eventually this program will be more and more reliable. Use it, report your results and help develop it!
I am also happy to give advice on your NOR or help interpret your results, just post on the forum or give me an email. If you can bypass my filter, send me a link to your NOR!


The program also features extraction of the NOR, byte reversal and statistics.<br>
If you encounter any errors or weird results - or better yet if your NOR is labled danger in any areas, but still runs fine - let me know!
As of 1.1 it does not support Dev/Test consoles, but will in the future (most of the code is already in the program).


<pre>
Keep in mind the CoreOS and other large encrypted areas could still be corrupt regardless of the results (I cant check every byte in an encrypted section, hence alt validations). This program is NOT perfect, but it is WAY better than just using a hex editor or never truely knowing if your BLOD is caused by the NOR!
Version History:
1.3.3 (24/1/19) Reworked And Improved Both CID And UNK Sections Again, Added More MD5's, Added Application Version Checker, Removed Colored Bars, Added Comparator & Other Improvements Throughout.
1.3.1 (19/1/19) Added More Validations & MD5's, Repaired Minor Bug.
1.3 (15/1/19) Completely Reworked And Improved The CID Section And Added Additional Validations To The UNK Section & I Also Improved Some Other Validations Throughout.
1.2.6 (18/12/18) Hopefully Fixed 'Black Screen' Issue, Recompiled in 32bit.
1.2.5 (17/12/18) Added 2 New Flags (Possibly Initialization Flag?), Changed Validation Results, Improved Output/Info (HTML), Added MD5's.
1.2 (8/12/18) Improved All Alt Validations, Repaired VTRM1, Internal Typo, Added Repetition Checks.
1.1.1 (29/11/18) Typo Again, Made the SKU not come up as UNLISTED, Added some MD5's.
1.1 (28/11/18) Improved VTRM & CID Validation, Typo Fixes, Better Colours! Whoops!
1.0 (27/11/18) First Release!
</pre>


Developer Website:<br>
This also goes above and beyond that of the psdevwiki page regarding the main flash of the PS4 (Thank you cfwprpht).
https://betterwayelectronics.com.au/


Direct Link:<br>
<br><br><br><br><br>
https://betterwayelectronics.com.au/BwE_PS4_NOR_Validator.rar
'''Notes:'''


Support/Information Forum:<br>
As of version 1.5.5 there is an ability to upload dumps directly to me. I use these to improve the program and validations.
https://www.psxhax.com/threads/release-bwe-ps4-nor-validator.6139/
Abusing this service will result in your ban from future use of my validator.


''Regarding Anti-Virus:''


==== BwE PS4 WiFi/BT Patcher & Extractor ====
I protect my program with Themida. The problem with this is that heuristically some AV software see it as a threat.
[[File:Screenshot2.png|300px|thumb|left|WiFi/BT Results]]
This is because people who make or redistribute old malware also use Themida to help make themselves undetected.
Developed by [[User:BwE]] this application is designed to validate, patch and or extract the [[Flash-Main#0x144000|WiFi/BT Module]] of the PS4. The reason for this is illustrated in [[Software_Wireless_BT#BwE_PS4_WiFi.2FBT_Patcher_.26_Extractor|this page on the wiki]]. It will use MD5, entropy and pattern analysis to determine if and where the module is corrupted. From here it will determine a valid replacement based on the console's expected module version and size. Should there be no matching version available the program will offer you the ability to patch a new header and new module. This methodology is risky, but if this is your only option then it is worth a try.
 
<pre>
Version 1.3 (19/1/19)
Version 1.2 (27/11/18) Fixed Entropy + Added Better MD5 Validation + Added Better Header Validation
Version 1.1 (25/11/18) Added Entropy + Better Looks
Version 1.1 (4/9/18) First initial release
</pre>
 
Developer Website:<br>
https://betterwayelectronics.com.au/
 
Direct Link:<br>
https://betterwayelectronics.com.au/BwE_PS4_WiFi-BT_Patcher.rar
 
Support/Information Forum:<br>
https://www.psxhax.com/threads/bwe-ps4-wifi-bt-patcher-extractor-v1-00-by-betterwayelectronics.5936/
 
==== BwE PS4 NOR Statistics ====
[[File:Mainprogram.png|300px|thumb|left|Statistics Results]]
This program, another micro version of [[User:BwE]]'s PS4 NOR Validator, is designed solely to validate your NOR based on statistics only!<br>
Why make this you ask? Entropy and statistics are a well used methodology in the malware analysis field to determine if a binary file is encrypted, and by how much.<br>
 
What is entropy? Entropy is a method for measuring uncertainty in a series of numbers or bytes. In technical terms, entropy measures the level of difficulty or the probability of independently predicting each number in the series.<br>
 
What has this got to do with PS4s? Well the PS4's NOR is almost entirely encrypted and so with a collection of known valid NOR's it is possible to determine the level of entropy that represents a valid NOR and what level of entropy would represent a corrupt NOR.<br>
 
When corruption occurs it will generally wipe out a large chuck of the NOR, cause the NOR to repeat itself or will fill the NOR with junk. All of this will decrease or severely increase the entropy.<br>
 
Seeing as the PS4 firmware is likely to add more or less complexity with each update I have made avaliable a settings file where you can adjust the predicted statistics.<br>


Ultimately, it is up to you to trust the program and me. I encourage you to upload to a sandbox to see for yourself.


<pre>
<pre>
Version 1.0 (5/11/18) First initial release
Version History:
- 1.7.1 (25/6/21) Fixed Uploading Questions, Added MB Serial to Outputs, New Spash Screen.
- 1.7.0 (23/6/21) Added Question Regarding Dump When Uploading, Added New CID Validation (Weird Key or Flag), Fixed UART Validation, Added Unlisted Results.
- 1.6.9 (26/5/21) Fixed Internal Code Issues, Added Unlisted Results, New Splash Screen (Potentially last update for a short while).
- 1.6.8 (16/5/21) Updated Internal Comparison Application, Improved Serial Number Validation (MB Series), Added Unlisted Results.
- 1.6.7 (25/4/21) Repaired UNK 1200 Series Validation, Added Unlisted Results.
- 1.6.6 (12/4/21) Added Unlisted Results, Improved Validation, Changed Output Styling.
- 1.6.5 (31/3/21) Added CoreOS Statistical Analysis, Changed Some Results, Changed Some Output Formatting, Returned to Previous Packer.
- 1.6.3 (30/3/21) Added CoreOS Patcher (SU-30631-3 Error Specific), Updated Results, Added Unlisted Results, Fixed Readme, Changed Packer.
- 1.6.2 (18/3/21) Repaired CID Validation, Improved Handling of 72xx, Added Unlisted Results, Improved Dump Uploading Process.
- 1.6.1 (20/2/21) Repaired CID Validation, Added Unlisted Results (Thanks Uploaders!)
- 1.6.0 (4/2/21) Added IDU Mode Patcher, Improved Validations, Added Unlisted Results.
- 1.5.9 (29/1/21) Major Improvement to CID and UNK Validations, Added Unlisted Results, Improved UART Patching, Better Handling of 1200/Pro/Slim Validations, Added v1.5 of Comparator
- 1.5.7 (11/1/21) Fixed Version Checker, Improved Statistics, Removed Some Unlisted Results (Improved Validation), Updated Upload Feature, Improved Compiler
- 1.5.6 (10/1/21) Improved CID and UNK Validations, Updated Unlisted Validations, IDU Flags Added, Some Code Optimization
- 1.5.5 (8/1/21) Updated Pro/Slim Specific Validations, Updated Unlisted Validations, Updated CID Validations, Updated UNK Validations, Added Dump Upload Feature
- 1.5.3 (5/12/20) Updated Unlisted Validations, Updated WiFi/BT MD5s & Entropy Validation
- 1.5.2 (20/11/20) Updated WiFi/BT MD5s, Added 2nd UART Flag, Updated Unlisted Validations
- 1.5.1 (3/11/20) Updated Unlisted Validations, Added UART Enabler, Removed Unused Validation Option, Added Basic Loader
- 1.5.0 (30/10/20) Updated Unlisted Validations, Upgraded Existing Validations, Removed Loader (Secret Patcher Coming Soon!)
- 1.4.9 (3/5/20) Added 21xx Series Specific Validations, Updated Unlisted Validations
- 1.4.7 (23/3/20) Added Dynamic Comparison, Updated Unlisted Validations
- 1.4.6 (1/2/20) Just Keeping It Fresh! (May have fixed issues stopping the program running, if not let me know!)
- 1.4.4 (16/8/19) Added and Improved Validations (CID & UNK) Including New WiFi/BT FW MD5
- 1.4.2 (7/4/19) Added More Validations (Firmware & Console Specific), Improved Various Sections (CID & UNK Mostly)
- 1.4.1 (1/3/19) Prettied Up Outputs, Minor Rewording (Sorry!).
- 1.4.0 (1/3/19) Added Zecoxao Extraction Methodology (Will Add More Zecoxao SELF Stuff Later), Added FW/BIOS Versioning, Added Additional Entropy Validation & Various Improvements Throughout.
- 1.3.8 (21/2/19) Added Additional Validations (To Suit Slim/Pro), Repaired/Improved CID Validation, More MD5s & Table Based Results.
- 1.3.5 (30/1/19) Added CoreOS Reference Points (Additional CoreOS Per-Console Validation).
- 1.3.3 (24/1/19) Reworked And Improved Both CID And UNK Sections Again, Added More MD5's, Added Application Version Checker, Removed Colored Bars, Added Comparator & Other Improvements Throughout.
- 1.3.1 (19/1/19) Added More Validations & MD5's, Repaired Minor Bug.
- 1.3 (15/1/19) Completely Reworked And Improved The CID Section And Added Additional Validations To The UNK Section & I Also Improved Some Other Validations Throughout.
- 1.2.6 (18/12/18) Hopefully Fixed 'Black Screen' Issue, Recompiled In 32bit.
- 1.2.5 (17/12/18) Added 2 New Flags (Possibly Initialization Flag?), Changed Validation Results, Improved Output/Info (HTML) & Added MD5's.
- 1.2 (8/12/18) Improved All Alt Validations, Repaired Vtrm1, Internal Typo & Added Repetition Checks.
- 1.1.1 (29/11/18) Typo Again, Made The SKU Not Come Up As Unlisted & Added Some MD5's.
- 1.1 (28/11/18) Improved VTRM & CID Validation, Typo Fixes & Better Colours.
- 1.0 (27/11/18) First Release!
</pre>
</pre>


Developer Website:<br>
'''Developer Website:'''<br>
https://betterwayelectronics.com.au/
https://betterwayelectronics.com.au/


Direct Link:<br>
'''Direct Link:'''<br>
https://betterwayelectronics.com.au/BwE_PS4_NOR_Statistics.rar
https://betterwayelectronics.com.au/BwE_PS4_NOR_Validator.rar


Support/Information Forum:<br>
'''More Information/Updates:'''<br>
https://www.psxhax.com/threads/bwe-ps4-nor-statistics-v1-00-by-betterwayelectronics.6074/
github.com/BetterWayElectronics/ps4-nor-validator
<br><br>


{{Reverse Engineering}}
{{Reverse Engineering}}
<noinclude>[[Category:Main]]</noinclude>
<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 17:41, 16 March 2023

Atypical (Corrupt @ 0x144200) PS4 NOR GFX
Typical PS4 NOR GFX


subject: dump of serial flash MX25L25635FMI-10G for CXD90025G

reference files:

other reference files:

notes: Console A & B are 2 Compared from same Region and Version. Console C is from Region: EU and Version: 1.06

size: 0x2000000 filesize / 0x1D40000 datasize

statistics: 2.64-2.66% 00´s / 11.83% FF´s / < 0.38% rest
entropy: 6.96569 (87.0711%) - 7.52856 (94.107%)
Redundancy: 12.9289% - 5.893%
A. Mean: 131072
StdDev: 454103 - 245647

Strings: Flash-Main/strings

observation: MAC Address on 0x1C4021 length 6 bytes | Motherboard Serial on 0x1C8000 length 14 bytes | Console Serial on 0x1C8030 length 17 bytes | SKU Version on 0x1C8040 length 15 bytes | HDD type, P/N and S/N on 0x1C9C00 length 64 bytes | FW Counter on 0x1CA5D8 length 2 bytes (first byte is the FW Counter, ?second byte is the Patch Counter?)| FW Version on 0x1CA604 length 4 bytes

sources: GUI Tool for the PS4 NOR Flash PS4_AC1D_Flash-Tool | Libraries Developed for the PS4 NOR flash Usefull_Libraries

other files: Constant offsets and length in ALL Ps4 block -> same_block.txt. Im compare over 10 dumps from diffrent firmware / console. First value is offset of first byte, second is length in byte. All values in decimental.

Offsets[edit | edit source]

See Codenames.

  • 0x00000000 <- Segment 0 Header (0x1000)
  • 0x00001000 <- Segment 0 Active Slot (0x1000)
  • 0x00002000 <- Segment 0 MBR1 (for sflash0s1.cryptx32) (0x1000)
  • 0x00003000 <- Segment 0 MBR2 (for sflash0s1.cryptx32b) (0x1000)
  • 0x00004000 <- sflash0s0x32 (0x60000) (emc_ipl)
  • 0x00064000 <- sflash0s0x32b (0x60000) (emc_ipl)
  • 0x000C4000 <- sflash0s0x33 (0x80000) (eap_kbl)
  • 0x00144000 <- sflash0s0x38 (0x80000) (torus2_fw)
  • 0x001C4000 <- sflash0s0x34 (0xC000) (nvs)
  • 0x001D0000 <- sflash0s0x0 (0x30000) (blank)
  • 0x00200000 <- Segment 1 Header (XTS encrypted) (0x1000)
  • 0x00201000 <- Segment 1 Active Slot (XTS encrypted) (0x1000)
  • 0x00202000 <- Segment 1 MBR1 (for sflash0s1.cryptx2) (XTS encrypted) (0x1000)
  • 0x00203000 <- Segment 1 MBR2 (for sflash0s1.cryptx2b) (XTS encrypted) (0x1000)
  • 0x00204000 <- sflash0s1.cryptx2 (0x3E000) (sam_ipl)
  • 0x00242000 <- sflash0s1.cryptx2b (0x3E000) (sam_ipl)
  • 0x00280000 <- sflash0s1.cryptx1 (0x80000) (idata)
  • 0x00300000 <- sflash0s1.cryptx39 (0x80000) (bd_hrl)
  • 0x00380000 <- sflash0s1.cryptx6 (0x40000) (Virtual TRM)
  • 0x003C0000 <- sflash0s1.cryptx3 (0xCC0000) (secure kernel, secure modules)
  • 0x01080000 <- sflash0s1.cryptx3b (0xCC0000) (secure kernel, secure modules)
  • 0x01D40000 <- sflash0s1.cryptx40 (0x2C0000) (blank)

MBR Types[edit | edit source]

typedef struct {
	uint32_t start_lba;
	uint32_t n_sectors;
	uint8_t flag1; // maybe part_id
	uint8_t flag2;
	uint16_t unknown;
	uint64_t padding;
} __attribute__((packed)) partition_t;

typedef struct {
	uint8_t magic[0x20]; // "SONY COMPUTER ENTERTAINMENT INC."
	uint32_t version; // 1
	uint32_t mbr1_start; // ex: 0x10
	uint32_t mbr2_start; // ex: 0x18
	uint32_t unk[4]; // ex: (1, 1, 8, 1)
	uint32_t reserved;
	uint8_t unused[0x1C0];
} __attribute__((packed)) master_block_v1_t;

typedef struct {
	uint8_t magic[0x20]; // "Sony Computer Entertainment Inc."
	uint32_t version; // 4
	uint32_t n_sectors;
	uint64_t reserved;
	uint32_t loader_start; // ex: 0x11, 0x309
	uint32_t loader_count; // ex: 0x267
	uint64_t reserved2;
	partition_t partitions[16];
} __attribute__((packed)) master_block_v4_t;

MBR Contents (Example) (Internal)[edit | edit source]

MBR 1 and 2[edit | edit source]

Partition 0, off=0x2000, sz=0x60000, type=0x20(32), active?=0x0 (ina) (emc)
Partition 1, off=0x62000, sz=0x60000, type=0x20(32), active?=0x1 (act) (emc)
Partition 2, off=0xc2000, sz=0x80000, type=0x21(33), active?=0x1 (act) (eap)
Partition 3, off=0x142000, sz=0x80000, type=0x26(38), active?=0x1 (act) (wifi)
Partition 4, off=0x1c2000, sz=0xc000, type=0x22(34), active?=0x1 (act) (nvs)

MBR 3 and 4[edit | edit source]

Partition 0, off=0x2000, sz=0x3e000, type=0x2, active?=0x1 (act) (ipl)
Partition 1, off=0x40000, sz=0x3e000, type=0x2, active?=0x0 (ina) (ipl)
Partition 2, off=0x7e000, sz=0x80000, type=0x1, active?=0x1 (act) (idstorage)
Partition 3, off=0xfe000, sz=0x80000, type=0x27(39), active?=0x1 (act) (bd revoke)
Partition 4, off=0x17e000, sz=0x40000, type=0x6, active?=0x1 (act) (vtrm)
Partition 5, off=0x1be000, sz=0xcc0000, type=0x3, active?=0x1 (act) (coreos)
Partition 6, off=0xe7e000, sz=0xcc0000, type=0x3, active?=0x0 (ina) (coreos)
Partition 7, off=0x1b3e000, sz=0x2c0000, type=0x28(40), active?=0x1 (act) (unused)

MBR Contents (Example)[edit | edit source]

MBR 1 and 2[edit | edit source]

Partition 0, off=0x2000, sz=0x60000, type=0x20, active?=0x1 (act)
Partition 1, off=0x62000, sz=0x60000, type=0x20, active?=0x0 (ina)
Partition 2, off=0xc2000, sz=0x80000, type=0x21, active?=0x1 (act)
Partition 3, off=0x142000, sz=0x80000, type=0x26, active?=0x1 (act)
Partition 4, off=0x1c2000, sz=0xc000, type=0x22, active?=0x1 (act)
Partition 5, off=0x1ce000, sz=0x30000, type=0x0, active?=0x1 (act)

MBR 3 and 4[edit | edit source]

Partition 0, off=0x2000, sz=0x3e000, type=0x2, active?=0x1
Partition 1, off=0x40000, sz=0x3e000, type=0x2, active?=0x0
Partition 2, off=0x7e000, sz=0x80000, type=0x1, active?=0x1
Partition 3, off=0xfe000, sz=0x80000, type=0x39, active?=0x1
Partition 4, off=0x17e000, sz=0x40000, type=0x6, active?=0x1
Partition 5, off=0x1be000, sz=0xcc0000, type=0x3, active?=0x1
Partition 6, off=0xe7e000, sz=0xcc0000, type=0x3, active?=0x0
Partition 7, off=0x1b3e000, sz=0x2c0000, type=0x40, active?=0x1

Content[edit | edit source]

0x0[edit | edit source]

Magic[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  53 4F 4E 59 20 43 4F 4D 50 55 54 45 52 20 45 4E  SONY COMPUTER EN
00000010  54 45 52 54 41 49 4E 4D 45 4E 54 20 49 4E 43 2E  TERTAINMENT INC.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000020  01 00 00 00 10 00 00 00 18 00 00 00 01 00 00 00  ................
00000030  01 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00  ................

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
00000FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x1000[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001000  80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  €...............

this differenced between firmware versions

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
00001FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x2000[edit | edit source]

Magic[edit | edit source]

  • aka MBR1
  • ends in 0x3000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00002000  53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E  Sony Computer En
00002010  74 65 72 74 61 69 6E 6D 65 6E 74 20 49 6E 63 2E  tertainment Inc.
(0x90 block)

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000020B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
00002FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x3000[edit | edit source]

Magic[edit | edit source]

  • aka MBR2
  • ends in 0x4000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00003000  53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E  Sony Computer En
00003010  74 65 72 74 61 69 6E 6D 65 6E 74 20 49 6E 63 2E  tertainment Inc.
(0x90 block)

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000030B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
00003FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x4000[edit | edit source]

SLB2 Magic (MC Stage1)[edit | edit source]

  • aka sflash0s0x32
  • ends in 0x64000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004000  53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00  SLB2............
00004010  40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00  @...............
00004020  01 00 00 00 90 7A 04 00 00 00 00 00 00 00 00 00  .....z..........
00004030  43 30 30 30 30 30 30 31 00 00 00 00 00 00 00 00  C0000001........
00004040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00004050  3F 02 00 00 40 00 00 00 00 00 00 00 00 00 00 00  ?...@...........
00004060  43 30 30 30 38 30 30 31 00 00 00 00 00 00 00 00  C0008001........

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
000041F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x4200[edit | edit source]

DEADBEEF CAFEBEBE Magic[edit | edit source]

(similar is at 0x64218 and 0xC4218)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004200  AA F9 8F D4 01 00 55 48 80 00 00 00 xx xx 04 00  ªù.Ô..UH€......     xx differs on different console with same version
00004210  00 0C 10 00 00 0C 10 00 DE AD BE EF CA FE BE BE  ........Þ­¾ïÊþ¾¾
00004220  DE AF BE EF CA FE BE BE F1 F2 F3 F4 F5 F6 F7 F8  Þ¯¾ïÊþ¾¾ñòóôõö÷ø
00004230  AF 46 78 AA E2 C4 4C 90 CA 4B 1B 44 B6 A4 9F 57  ¯FxªâÄL.ÊK.D¶¤ŸW    same on different console with same version
00004240  9D 24 E1 91 C2 DC 0C 36 55 AE 43 D5 C5 AB 70 BD  .$á‘ÂÜ.6U®CÕÅ«p½    same on different console with same version
huge encrypted section[edit | edit source]
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004250  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx      different on different console with same version
 [...]            (huge encrypted section)
0004BC80  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx     (on different console with same version ends at 00049F1F

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0004BC90  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [...]
00063FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ...............    (on different console with same version ends at 00049FFF then a FF filled block until 00063FFF)

0x64000[edit | edit source]

SLB2 Magic (MC Stage2)[edit | edit source]

  • aka sflash0s0x32b
  • ends in 0xC4000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00064000  53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00  SLB2............
00064010  33 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00  3...............
00064020  01 00 00 00 10 61 04 00 00 00 00 00 00 00 00 00  .....a..........
00064030  43 30 30 30 30 30 30 31 00 00 00 00 00 00 00 00  C0000001........
00064040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00064050  32 02 00 00 40 00 00 00 00 00 00 00 00 00 00 00  2...@...........
00064060  43 30 30 30 38 30 30 31 00 00 00 00 00 00 00 00  C0008001........

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00064070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
000641F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x64200[edit | edit source]

DEADBEEF CAFEBEBE Magic[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00064200  AA F9 8F D4 01 00 55 48 80 00 00 00 90 60 04 00  ªù.Ô..UH€....`..
00064210  00 0C 10 00 00 0C 10 00 DE AD BE EF CA FE BE BE  ........Þ­¾ïÊþ¾¾
00064220  DE AF BE EF CA FE BE BE F1 F2 F3 F4 F5 F6 F7 F8  Þ¯¾ïÊþ¾¾ñòóôõö÷ø
00064230  AF 46 78 AA E2 C4 4C 90 CA 4B 1B 44 B6 A4 9F 57  ¯FxªâÄL.ÊK.D¶¤ŸW
00064240  9D 24 E1 91 C2 DC 0C 36 55 AE 43 D5 C5 AB 70 BD  .$á‘ÂÜ.6U®CÕÅ«p½
00064250  CC 6F 6C 5C 8F C9 5C 30 38 F2 72 90 ED 82 C0 BB  Ìol\.É\08òr.í‚À»
 [...]

lots of strings in this huge section, no differences between consoles on same version until 001C4024

0xC4000[edit | edit source]

SLB2 Magic (EAP_KBL)[edit | edit source]

  • aka sflash0s0x33
  • ends in 0x144000

NOTE: This container only consits of one file + that X800X which is present on every BIOS SLB2. But the data is extracted twice and just written with two diffrent names. One time the TitleID is used C0010001 and the second time a string which hold the file name eap_kbl is used. But both files are identical and extracted by using the same data source.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C4000  53 4C 42 32 01 00 00 00 00 00 00 00 03 00 00 00  SLB2............
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C4010  C6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  Æ...............
000C4020  01 00 00 00 20 87 01 00 00 00 00 00 00 00 00 00  .....‡..........
000C4030  43 30 30 31 30 30 30 31 00 00 00 00 00 00 00 00  C0010001........
000C4040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C4050  01 00 00 00 20 87 01 00 00 00 00 00 00 00 00 00  .....‡..........
000C4060  65 61 70 5F 6B 62 6C 00 00 00 00 00 00 00 00 00  eap_kbl.........
000C4070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000C4080  C5 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00  Å...@...........
000C4090  43 30 30 31 38 30 30 31 00 00 00 00 00 00 00 00  C0018001........

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C40A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
000C41F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0xC4200[edit | edit source]

DEADBEEF CAFEBEBE Magic[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C4200  AA F9 8F D4 01 00 55 68 80 00 00 00 A0 86 01 00  ªù.Ô..Uh€....†..
000C4210  00 00 00 62 00 00 00 62 DE AD BE EF CA FE BE BE  ...b...bÞ­­-¾ïÊþ¾¾
000C4220  DE AF BE EF CA FE BE BE F1 F2 F3 F4 F5 F6 F7 F8  Þ¯¾ïÊþ¾¾ñòóôõö÷ø
000C4230  E6 D5 56 90 B0 E0 FD 52 28 7F 2A 4A 76 F9 13 E1  æÕV.°àýR(.*Jvù.á
000C4240  AE AF 02 68 D8 FF E6 F3 DD 0C B0 C0 F5 A3 4C DD  ®¯.hØÿæóÝ.°Àõ£LÝ
000C4250  37 5B 14 86 19 1A 9E 70 F0 B9 F4 6D AB 34 93 4B  7[.†..žpð¹ôm«4“K
  [...]  
000DC910  54 E2 F7 6E BD C9 D2 2E 12 9C 3F CC 3D 67 7A 1E  Tâ÷n½ÉÒ..œ?Ì=gz.

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000DC920  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
00143FE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x144000[edit | edit source]

SLB2 Magic (Wifi/BT)[edit | edit source]

wifi/bluetooth chipset firmware[edit | edit source]

  • aka sflash0s0x38
  • ends in 0x1C4000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00144000  53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00  SLB2............
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00144010  71 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00  q...............
00144020  01 00 00 00 A8 DD 06 00 00 00 00 00 00 00 00 00  ....¨Ý..........
00144030  43 30 30 32 30 30 30 31 00 00 00 00 00 00 00 00  C0020001........
00144040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00144050  70 03 00 00 40 00 00 00 00 00 00 00 00 00 00 00  p...@...........
00144060  43 30 30 32 38 30 30 31 00 00 00 00 00 00 00 00  C0028001........

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00144070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               00 filled region
001441F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

No DeadBeef CafeBebe Magic on this SLB2[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00144200  01 00 00 00 00 00 00 00 00 04 00 00 00 94 51 1A  .............”Q.
00144210  1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5  .ðŸå.ðŸå.ðŸå.ðŸå
00144220  1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5  .ðŸå.ðŸå.ðŸå.ðŸå
00144230  10 82 0E 20 CC 68 00 00 50 68 00 00 54 68 00 00  .‚..Ìh..Ph..Th..
00144240  AC 68 00 00 B0 68 00 00 B4 68 00 00 B8 68 00 00  ¬h..°h..´h..¸h..
00144250  C5 68 00 00 00 00 00 EA 70 00 00 EA 28 00 8F E2  Åh.....êp..ê(..â
00144260  00 0C 90 E8 00 A0 8A E0 00 B0 8B E0 01 70 4A E2  ..Zái.....ºè.àOâ
00144270  0B 00 5A E1 69 00 00 0A 0F 00 BA E8 14 E0 4F E2  ...ã.ðG..ÿ/á°...
00144280  01 00 13 E3 03 F0 47 10 13 FF 2F E1 B0 7F 04 00  .€...À.â.ÿ/áŠ..x
00144290  A0 80 04 00 01 C0 8F E2 1C FF 2F E1 8A 18 03 78  .0œ.¤..Ñ.x.0...Ñ
  [...]               seems to be decrypted
  [...]       more then 60% of the strings found
  [...]     are from that SLB2 Flash-Main/strings

0x1445F0[edit | edit source]

Z Sign[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001445C0  1E FF 2F E1 F0 B5 85 B0 C0 46 C0 46 05 00 0C 00  .ÿ/áðµ…°ÀFÀF....
001445D0  47 F0 74 EA 00 20 01 95 02 94 C0 46 C0 46 03 90  Gðtê...•.”ÀFÀF..
001445E0  01 A8 FF F7 B2 EE 04 00 01 A8 0D 00 00 93 03 C8  .¨ÿ÷²î...¨...“.È
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001445F0  16 00 C0 46 C0 46 C0 46 C0 46 06 F0 48 EB 00 21  ..ÀFÀFÀFÀF.ðHë.!
00144600  08 00 C0 46 C0 46 07 00 FF F7 58 EF D2 2F 02 AC  ..ÀFÀF..ÿ÷XïÒ/.¬
00144610  01 00 00 00 FC 03 00 00 00 04 00 00 5A EF 5E 13  ....ü.......Zï^.
00144620  04 90 00 21 07 60 08 00 FF F7 5A FF 41 1C 04 98  ...!.`..ÿ÷ZÿA..˜
00144630  41 60 00 21 08 00 C0 46 C0 46 01 00 04 98 81 60  A`.!..ÀFÀF...˜.`
00144640  00 21 08 00 C0 46 C0 46 01 00 04 98 C1 60 00 21  .!..ÀFÀF...˜Á`.!
00144650  08 00 C0 46 C0 46 01 00 04 98 01 61 C0 46 C0 46  ..ÀFÀF...˜.aÀFÀF
00144660  C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46  ÀFÀFÀFÀFÀFÀFÀFÀF
00144670  C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46  ÀFÀFÀFÀFÀFÀFÀFÀF
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00144680  00 9B 05 B0 20 00 04 9C 29 00 32 00 A6 46 F0 BC  .›.°...œ).2.¦Fð¼
00144690  01 B0 70 47 10 B5 C0 46 C0 46 00 20 C0 46 C0 46  .°pG.µÀFÀF..ÀFÀF
001446A0  C0 46 C0 46 C0 46 C0 46 10 BC 08 BC 18 47 00 00  ÀFÀFÀFÀF.¼.¼.G..
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001446B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
  [...]        a lot off code stuff and strings
0018D810  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................

0x18D820[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0018D820  08 08 08 08 08 08 08 08 08 08 08 08 02 02 02 02 ....|.......¿4.ß
0018D830  40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
0018D840  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0018D850  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0018D860  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0018D870  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0018D880  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0018D890  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0018D8A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0018D8B0  00 62 74 5F 73 64 69 6F 00 77 6C 61 6E 00 4F 53  .bt_sdio.wlan.OS
0018D8C0  41 00 62 74 5F 68 63 69 00 62 6C 65 6D 62 78 00  A.bt_hci.blembx.
0018D8D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
  [...]        a lot off code stuff and strings
001B1F80  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................

0x1B1F90[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001B1F90  16 0C 00 00 74 29 2E C9 04 00 00 00 00 00 00 00  ....t).É........
001B1FA0  00 00 00 00 1F DB 8C 18 00 00 00 00 00 00 00 00  .....ی.........
001B1FB0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
001B1FC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
001B1FD0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
001B1FE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
001B1FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
001B2000  01 00 00 00 00 00 00 00 10 82 0E 20 00 00 00 00  .........‚. ....

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001B2010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]               filled 00 region
001C3FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x1C4000 (Console Main Informations)[edit | edit source]

  • AKA NVS or sflash0s0x34
  • Ends in 0x200000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C4000  03 02 01 01 02 01 06 01 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
001C4010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 [...]

0x1C4021 MAC Address[edit | edit source]

MAC Address on offset 0x1C4021 6 bytes long.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C4020  01 70 9E 29 33 7A 1B FF FF FF FF FF FF FF FF FF  .pž).3zÿÿÿÿÿÿÿÿÿ      MAC-Address
001C4030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF 26 E8  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ&è      0x26 0xE8 differs between consoles on same version
001C4050  04 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4060  03 01 01 02 02 FF FF FF FF FF FF FF FF FF FF FF  .....ÿÿÿÿÿÿÿÿÿÿÿ
001C4070  FF FF FF FF FF FF 01 FF FF FF 00 00 00 00 00 00  ÿÿÿÿÿÿ.ÿÿÿ......
001C4080  00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4090  FF FF FF FF FF FF 00 00 00 FF 00 00 FF FF FF FF  ÿÿÿÿÿÿ...ÿ..ÿÿÿÿ
001C40A0  FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 39  ÿÿÿÿÿÿÿÿÿÿÿÿ...9
 [...]

0x1C47F0 Constant[edit | edit source]

Every dump i checked have thoes constant bytes.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C47F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF BE CC  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¾Ì
001C4800  FF 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿ.ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4810  00 61 00 60 00 02 00 48 00 47 00 02 00 48 00 47  .a.`...H.G...H.G
001C4820  00 02 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4830  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4840  FF FF FF FF FF FF FF FF FF FF FF FF 00 01 FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿ..ÿÿ
001C4850  FF FF FF FF CD 00 FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÍ.ÿÿÿÿÿÿÿÿÿÿ
001C4860  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4870  00 50 00 00 00 08 00 00 80 00 00 00 FF FF FF FF  .P......€...ÿÿÿÿ
001C4880  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4890  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C48A0  00 50 00 00 00 09 00 00 00 00 45 00 00 00 90 00  .P........E.....
001C48B0  00 3B 00 00 00 05 00 00 05 00 00 00 FF FF FF FF  .;..........ÿÿÿÿ
001C48C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]

0x1C4FF0[edit | edit source]

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001C4FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF B9 29  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¹)
 001C5000  00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04  ..ÿ...ÿ.........
 001C5010  00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00  ..ÿÿÿÿÿÿ........
 001C5020  00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5030  xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00  ................   xx differs between consoles on same version
 001C5040  xx 00 00 00 xx 00 00 00 xx 00 00 00 00 00 00 00  ................   "
 001C5050  xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00  $...%...=.......   "
 001C5060  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001C4FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF B9 29  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¹)
 001C5000  00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04  ..ÿ...ÿ.........
 001C5010  00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00  ..ÿÿÿÿÿÿ........
 001C5020  00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5030  22 00 00 00 20 00 00 00 3D D6 00 00 00 00 00 00  ".......=Ö......
 001C5040  09 00 00 00 09 00 00 00 54 EB 02 00 00 00 00 00  ........Të......
 001C5050  1E 00 00 00 1D 00 00 00 B9 C1 03 00 00 00 00 00  ........¹Á......
 001C5060  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]

0x1C5200[edit | edit source]

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001C5200  xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx  ..........ÿ.....   xx differs between consoles on same version
 001C5210  xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF  ....ÿÿ..ÿÿÿÿÿÿÿÿ   "
 001C5220  xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx  ..........ÿ.....   "
 001C5230  xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF  ....ÿÿ..ÿÿÿÿÿÿÿÿ   "
 001C5240  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 001C5250  xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ   "
 001C5260  xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx  ..........ÿ.....   "
 001C5270  xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF  ....ÿÿ..ÿÿÿÿÿÿÿÿ   "
 001C5280  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 001C5290  xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF  ....ÿÿ..ÿÿÿÿÿÿÿÿ   "
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001C5200  03 00 81 80 57 C3 B3 03 04 10 FF 00 00 01 00 00  ...€Wó...ÿ.....
 001C5210  09 00 09 00 FF FF 00 23 FF FF FF FF FF FF FF FF  ....ÿÿ.#ÿÿÿÿÿÿÿÿ
 001C5220  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5230  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5240  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5250  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5260  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5270  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5280  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C5290  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C52A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]               filled FF region
001C5FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1C6000 (Retail & Dev/Test)[edit | edit source]

This seems to be increased. There will be 8 0x00 bytes be added for every new "what ever".

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001C6000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
 001C6010  xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ   "
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001C6000  FF 51 21 6D 66 1C 00 03 FF FF FF FF FF FF FF FF  ÿQ!mf...ÿÿÿÿÿÿÿÿ
 001C6010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1C7000[edit | edit source]

same on different consoles on same version

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C7000  03 09 FC 00 00 00 00 00 00 00 00 00 00 00 00 00  ..ü.............
001C7010  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
001C7020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
001C7030  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
001C7040  1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .ÿ..............

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C7050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
001C7FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1C8000 MotherBoard Serial[edit | edit source]

Length = 14 bytes.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C8000  34 30 30 30 31 42 30 31 38 35 39 31 37 37 FF FF  40001B01859177ÿÿ   Motherboard Serial

0x1C8010 Unk[edit | edit source]

Length = 16 bytes.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C8010  63 09 72 20 71 DB 7C 69 AC FE D8 92 89 BA 23 04  c.r.qÛ|i¬þØ’‰º#.   "
001C8020  00 00 00 25 00 00 0A 93 00 01 00 00 00 00 07 10  ...%...“........

0x1C8030 Console Serial[edit | edit source]

Length = 17 bytes.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C8030  30 33 32 37 34 35 32 32 32 34 35 37 39 36 36 30  0327452224579660   Console Serial
001C8040  32                                               2

0x1C8041 SKU Model[edit | edit source]

Length = vary.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C8040     43 55 48 2D 31 30 30 34 41 20 42 30 31 58 FF   CUH-1004A B01Xÿ   SKU Model
001C8050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1C8060 Unk[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C8060  30 30 30 33 30 30 30 33 30 30 31 36 30 30 31 38  0003000300160018
001C8070  30 30 30 37 30 30 30 31 30 30 30 31 30 30 30 31  0007000100010001
001C8080  30 30 30 31 30 30 30 32 30 30 33 31 30 30 31 35  0001000200310015
001C8090  30 30 32 33 30 30 34 31 52 17 D2 4C C8 49 01 30  00230041R.ÒLÈI.0
001C80A0  33 E0 41 43 72 C3 F1 64 07 8F 31 80 00 00 00 C2  3àACrÃñd..1€...Â
001C80B0  01 01 01 01 06 06 06 06 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
001C80C0  30 30 30 30 30 FF FF FF FF FF FF FF FF FF FF FF  00000ÿÿÿÿÿÿÿÿÿÿÿ

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C80D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
001C87C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1C87D0[edit | edit source]

within a FF block these are found on both consoles:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C87D0  01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00  ................
001C87E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C87F0  01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C8800  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9020  00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1C9080 ACF (Dev/Test)[edit | edit source]

See Activation ACF.

0x1C91F0 PerConsole (Retail & Dev/Test)[edit | edit source]

(0x40 bytes)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C91F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C9200  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
001C9210  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
001C9220  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
001C9230  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
Console C / FW 1.06 Console C / FW 1.61
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001C91F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001C9200  25 75 00 28 A6 7A 16 55 63 77 6F 12 1C 7C 37 9A  %u.(¦z.Ucwo..|7š
 001C9210  58 11 B2 C3 DA 06 0C 00 9A 53 16 29 E5 65 15 A8  X.²ÃÚ...šS.)åe.¨
 001C9220  44 40 C0 17 DD C5 E1 17 A2 D3 9D 98 A1 9B 97 61  D@À.ÝÅá.¢Ó.˜¡›—a
 001C9230  5D 0C 67 B2 89 54 0B 8E 81 29 8E 50 A6 10 79 42  ].g²‰T.Ž.)ŽP¦.yB
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001C91F0  FF FF FF FF FF FF FF FF FF FF FF FF E5 E5 E5 01  ÿÿÿÿÿÿÿÿÿÿÿÿååå.
 001C9200  25 75 00 28 A6 7A 16 55 63 77 6F 12 1C 7C 37 9A  %u.(¦z.Ucwo..|7š
 001C9210  58 11 B2 C3 DA 06 0C 00 9A 53 16 29 E5 65 15 A8  X.²ÃÚ...šS.)åe.¨
 001C9220  44 40 C0 17 DD C5 E1 17 A2 D3 9D 98 A1 9B 97 61  D@À.ÝÅá.¢Ó.˜¡›—a
 001C9230  5D 0C 67 B2 89 54 0B 8E 81 29 8E 50 A6 10 79 42  ].g²‰T.Ž.)ŽP¦.yB

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9240  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
001C9BF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1C9900 PerConsole (Dev/Test)[edit | edit source]

Unique 0x100 byte area (on Testkit Console dump):

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9900  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
[...]     
001C9A00  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
  • xx Changes per dev console

0x1C9C00 HDD P/N and S/N,[edit | edit source]

Checked every single Dump i got and it differs. Some Dumps have thoes entry, some not. Retail or Dev/Test do not matter. My own dumps do not have this information. But i also never changed the orig HDD. Maybe it's something like that. That only when you change to a new other HDD it will write the P/N S/N of the new HDD into this array.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0x1C9C00  47 48 54 53 48 20 53 54 34 35 30 35 30 35 37 41 GHTSH ST4505057A
0x1C9C10  33 45 30 38 20 20 20 20 20 20 20 20 20 20 20 20 3E08            
0x1C9C20  20 20 20 20 20 20 20 20 33 31 39 30 36 31 4D 54         319061MT
0x1C9C30  35 38 33 41 54 34 55 32 4E 47 4C 41 FF FF FF FF 583AT4U2NGLA˙˙˙˙

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9C40  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
001C9FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1CA000[edit | edit source]

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA000  03 20 10 00 01 00 10 00 1C 01 xx 00 00 00 00 00  ................
 001CA010  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA040  00 00 00 00 00 00 00 00 xx 00 00 00 00 00 00 00  ................   xx differs between consoles on same version
 001CA050  00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA060  00 00 00 00 00 00 00 00 05 00 00 00 xx xx xx xx  ................   "
 001CA070  xx xx xx xx 02 00 00 00 17 00 00 00 00 00 00 00  ................   "
 001CA080  00 00 xx xx 00 00 00 00 xx 00 00 00 00 00 00 00  ................   "
 001CA090  00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00  ................
 001CA0A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA0B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA0C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA0D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA0E0  4C 2D A7 07 00 00 00 00 30 14 13 00 02 00 17 00  L-§.....0.......
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA000  03 20 10 00 01 00 10 00 1C 01 01 00 00 00 00 00  ................
 001CA010  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA040  00 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00  ................   
 001CA050  00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA060  00 00 00 00 00 00 00 00 04 00 00 00 D2 BA B9 52  ............Òº¹R
 001CA070  00 00 00 00 02 00 00 00 17 00 00 00 00 00 00 00  ................
 001CA080  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
 001CA090  00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00  ................
 001CA0A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA0B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA0C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA0D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA0E0  1E 6D 67 58 01 01 01 01 01 15 13 00 02 00 17 00  .mgX............

00 filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA0F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  [...]                 filled 00 region
001CA5C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x1CA5D0 Region? + Magic? & Incremental? & BIOS Version[edit | edit source]

On the end of this page we have a list where we can compare thoes informations against other consoles. This will help us to bring light into thoes few bytes here.

BIOS Incremental? on 0x1CA5D8 | BIOS Version on 0x1CA604 - 4 bytes long

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  34 76 B3 80 02 00 00 00 02 00 00 00 00 00 00 00  4v³€............
 001CA5E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA5F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA600  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  34 76 B3 80 02 00 00 00 02 00 00 00 00 00 00 00  4v³€............
 001CA5E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA5F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA600  FF 00 FF FF 00 00 06 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ....ÿÿÿÿÿÿÿÿ
Console C / FW 1.06 Console C / FW 1.61 Console C FW 1.61 E0
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  34 76 B3 80 02 00 00 00 02 00 00 00 00 00 00 00  4v³€............
 001CA5E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA5F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA600  FF 00 FF FF 00 00 06 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ....ÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  30 76 B3 80 02 00 00 00 03 00 00 00 00 00 00 00  0v³€............
 001CA5E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA5F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA600  FF 00 FF FF 00 00 61 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  30 76 B3 80 02 00 00 00 03 E0 00 00 00 00 00 00  0v³€.....à......
 001CA5E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA5F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 001CA600  FF 00 FF 00 00 00 61 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ

Region? & SKU version?

Console A Dev / Test FW 1.50.10 Console B Dev / Test FW 1.50 Console C Retail FW 1.52 Console D Retail FW 1.06 Console E Retail FW 1.74
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  34 77 B3 C0 02 00 00 00 02 00 00 00 00 00 00 00  4w³À............
 001CA600  FF 00 FF FF 00 10 50 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ....ÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  34 77 B3 C0 02 00 00 00 03 00 00 00 00 00 00 00  4w³À............
 001CA600  FF 00 FF FF 00 00 50 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  B0 76 B3 80 02 00 00 00 03 00 00 00 00 00 00 00  °v³€............
 001CA600  FF 00 FF FF 00 00 52 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  34 76 B3 80 02 00 00 00 03 00 00 00 00 00 00 00  4v³€............
 001CA600  FF 00 FF FF 00 00 06 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CA5D0  30 76 B3 80 02 00 00 00 03 00 00 00 00 00 00 00  0v³€............
 001CA600  FF 00 FF FF 00 00 74 01 FF FF FF FF FF FF FF FF  ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ

as long we have no better understanding of the added 0xE0 i will guess it as an kind of patch counter for that FW. i assume that the 0 will increase if more patches are installed.

NOTE: The first byte off ?Region + SKU Bytes? will differ between consoles. I guess for now that it may describe the region of the console. The 0xB0 is a brazilien console where 0x30 & 0x34 are for what i can say European consoles. (Feel free to correct me) The following 4 bytes then are for Retails always the same and also for Dev / Test consoles they do match between them.

Retails 0x76 0xB3 0x80 0x02

Dev/Test 0x77 0xB3 0xC0 0x02

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA610  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
001CBBF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1CBC00[edit | edit source]

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CBC00  69 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  i...............   xx differs between consoles on same version
 001CBC10  A2 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 001CBC20  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CBC30  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CBC40  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 001CBC50  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CBC00  64 A1 C0 DE FD B3 1F 8B 9A 3E D1 F1 01 E7 D9 CE  d¡ÀÞý³.‹š>Ññ.çÙÎ
 001CBC10  F7 72 3B 90 33 6D A5 B0 37 CD CA 3F D8 2F F0 0F  ÷r;.3m¥°7ÍÊ?Ø/ð.
 001CBC20  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CBC30  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CBC40  6E 90 C6 F0 5B 96 13 4B F5 B7 AB 4F 23 A2 05 02  n.Æð[–.Kõ·«O#¢..
 001CBC50  03 61 99 47 86 D9 B7 6F 8B F5 FE 4A 28 5E 95 A8  .a™G†Ù·o‹õþJ(^•¨

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CBC60  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
001CDFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1CE000[edit | edit source]

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CE000  00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04  ..ÿ...ÿ.........
 001CE010  00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00  ..ÿÿÿÿÿÿ........
 001CE020  00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE030  xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00  ........Ë.......   xx differs between consoles on same version
 001CE040  xx 00 00 00 xx 00 00 00 xx 00 00 00 00 00 00 00  ................   "
 001CE050  xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00  ................   "
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CE000  00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04  ..ÿ...ÿ.........
 001CE010  00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00  ..ÿÿÿÿÿÿ........
 001CE020  00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE030  22 00 00 00 21 00 00 00 3D D6 00 00 00 00 00 00  "...!...=Ö......
 001CE040  09 00 00 00 09 00 00 00 54 EB 02 00 00 00 00 00  ........Të......
 001CE050  1E 00 00 00 1E 00 00 00 B9 C1 03 00 00 00 00 00  ........¹Á......

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE060  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
001CE1F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x1CE200[edit | edit source]

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CE200  xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx  ..........ÿ.....   xx differs between consoles on same version
 001CE210  xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF  ....ÿÿ..ÿÿÿÿÿÿÿÿ   "
 001CE220  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 001CE230  xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF  ....ÿÿ..ÿÿÿÿÿÿÿÿ   "
 001CE240  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 001CE250  xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ   "
 001CE260  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 001CE270  xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF  ....ÿÿ..ÿÿÿÿÿÿÿÿ   "
 001CE280  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 001CE290  xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF  ....ÿÿ..ÿÿÿÿÿÿÿÿ   "
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CE200  03 00 81 80 57 C3 B3 03 04 10 FF 00 00 01 00 00  ...€Wó...ÿ.....
 001CE210  09 00 09 00 FF FF 00 23 FF FF FF FF FF FF FF FF  ....ÿÿ.#ÿÿÿÿÿÿÿÿ
 001CE220  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE230  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE240  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE250  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE260  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE270  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE280  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CE290  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

FF filled[edit | edit source]

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CE2A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   [...]                 filled FF region
 001FFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 001CE2A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   [...]                 filled FF region
 001CEFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CF000  00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 001CF010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   [...]                 filled FF region
 001FFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x200000 PerConsole[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00200000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
00200010  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200020  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200030  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200040  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200050  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200060  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200070  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200080  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200090  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002000A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002000B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002000C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002000D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002000E0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002000F0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200100  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200110  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200120  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200130  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200140  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200150  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200160  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200170  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200180  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00200190  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002001A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002001B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002001C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002001D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002001E0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002001F0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00200200  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
00200FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x201000 PerConsole[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00201000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
00201010  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201020  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201030  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201040  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201050  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201060  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201070  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201080  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201090  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002010A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002010B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002010C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002010D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002010E0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002010F0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201100  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201110  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201120  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201130  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201140  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201150  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201160  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201170  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201180  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00201190  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002011A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002011B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002011C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002011D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002011E0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002011F0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00201200  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
00201FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x202000 PerConsole[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00202000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
00202010  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202020  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202030  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202040  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202050  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202060  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202070  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202080  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202090  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002020A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002020B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002020C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002020D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002020E0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002020F0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202100  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202110  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202120  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202130  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202140  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202150  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202160  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202170  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202180  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00202190  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002021A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002021B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002021C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002021D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002021E0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002021F0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00202200  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
00202FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x203000 PerConsole[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00203000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
00203010  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203020  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203030  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203040  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203050  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203060  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203070  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203080  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203090  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002030A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002030B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002030C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002030D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002030E0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002030F0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203100  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203110  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203120  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203130  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203140  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203150  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203160  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203170  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203180  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00203190  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002031A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002031B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002031C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002031D0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002031E0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
002031F0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00203200  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
00203FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x204000 Unk DataBlock[edit | edit source]

huge block

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 00204000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
   [...]                 huge block
 00222DF0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
 (one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 00204000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
   [...]                 huge block
 0029078F  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
 (console C datablock ended with 0x29078F)

0x222E00[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00222E00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   xx differs between consoles on same version
  [...]                 filled FF region                                      
00241FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   "  (one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F)

0x242000[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00242000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
  [...]                 huge block
00290780  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "  (one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F)

FF filled[edit | edit source]

both consoles have this FF filled

00290790  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region     
002907F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x290800[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290800  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
  [...]                 small block
00290920  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290930  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region  
002909F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x290A00[edit | edit source]

00290A00  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
  [...]                 small block
00290AD0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290AE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region 
00290BF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x290C00[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290C00  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
  [...]                 small block
00290D50  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290D60  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region 
00290DF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x290E00[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290E00  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
00290E10  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00290E20  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00290E30  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290E40  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region 
002FFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x300000[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00300000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
  [...]                 huge block
0037FFF0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
  • bd hrl, likely

0x380000 SCE VTRM Region0 (Retail & Dev/Test)[edit | edit source]

See also: VTRM

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380000  FC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040  01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00  ....ÿÿÿÿSCEVTRM.
00380050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00380060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
00380070  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ


0x380170 VTRM Region0 Digest? (Retail & Dev/Test)[edit | edit source]

See also: VTRM

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380170                          xx xx xx xx xx xx xx xx          ........   xx differs between consoles on same version
00380180  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
00380190  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003801A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003801B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003801C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003801D0  xx xx xx xx xx xx xx xx                          .......        .   "

FF filled[edit | edit source]

0x3A0000 SCE VTRM Region1 (Retail)[edit | edit source]

See also: VTRM

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380000  03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF  üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040  01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00  ....ÿÿÿÿSCEVTRM.
00380050  01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
00380060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
00380070  FF FF FF FF FF FF FF FF FE FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x3A0170 VTRM Region1 Digest? (Retail)[edit | edit source]

See also: VTRM

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A0170                          xx xx xx xx xx xx xx xx          ........   xx differs between consoles on same version
003A0180  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003A0190  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003A01A0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003A01B0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003A01C0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "
003A01D0  xx xx xx xx xx xx xx xx                          .......        .   "

FF filled[edit | edit source]

0x3A1000[edit | edit source]

Console A, B Console C
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 003A01D0                          FF FF FF FF FF FF FF FF          ÿÿÿÿÿÿÿÿ
 003A01E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   [...]                 filled FF region 
 003A1FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 003A0FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 003A1000  01 00 00 10 00 00 00 38 00 FF FF FF FF FF FF FF  .......8.ÿÿÿÿÿÿÿ
 00310010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 003A1020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 003A1030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 003A1040  FF FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿ.ÿÿÿÿÿÿÿÿ
 003A1050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   [...]                 filled FF region 
 003A1FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x3A2000[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A2000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
003A2010  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A2020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region 
003A2FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x3A3000[edit | edit source]

0x1000 datablock

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A3000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   xx differs between consoles on same version
  [...]                 small block
003A3FF0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................   "

FF filled[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A4000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region 
003BFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0x3C0000 (CoreOS)[edit | edit source]

0x1980000 datablock (sflash0s1.cryptx3 + sflash0s1.cryptx3b)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003C0000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
  [...]          huge block with encrypted data            ?? Encrypted CoreOS ??
01D3FFFF  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................

0x1D40000[edit | edit source]

FF filled[edit | edit source]

end of data was @ 0x1D40000

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01D40000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                 filled FF region
01FFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

eof 0x2000000

FW/BIOS versioning and incremental counting Observation[edit | edit source]

Following a list of Informations about The Consoles Firmware version, the SFlashes BIOS version and this strange (where i guess) incremental counter. I run that list so we can see if my guess of a incremental value is right or not.


The values we list are:

0x1CA5D0 (1 Byte) == Region?

The real Region of your device.

0x1CA5D1 (4 Bytes) == SKU?

The real SKU of your device.

0x1C8041(variety) The SKU Model string.

The Firmware version of your console.

0x1CA604 (4 Bytes, little endian) == BIOS version.

0x1CA5D8 (4 Bytes, each integer16) == Incremental value as Byte.

The same value but as integer.

The Console # so we can see on one shot which value belong to which console or if they are from diffrent cons.

And the last one, the SHA1 checksum of VTRM PerConsole0


NOTE: If there are any informations from one and the same console but on diff versions, then please mark your console with the next free number and add it. So we can see with one hit which values are from diff cons and which are from the same con. And which value belongs to which console. If the values are from one console and no second value from the same console is already present then mark it with a minus -.

Region Real SKU Real Model FW BIOS Inc Byte Inc Integer Con # VTRM PerConsole0 SHA1
0x34 EU 77 B3 C0 02 Dev / Test DUH-T1000AA 1.50 1.50 0x03 0x00 0x00 0x00 3.0.0.0 0 46AEDE30098A48BB6A35E392F7A8EB603F3FFCD4
0x34 EU 77 B3 C0 02 Dev / Test DUH-T1000AA 1.010.031 0xFFFFFFFF / / 0 46AEDE30098A48BB6A35E392F7A8EB603F3FFCD4
0x34 EU 77 B3 C0 02 Dev / Test DUH-T1000AA 1.76 1.50.10 0x03 0xE0 0x00 0x00 3.224.0.0 - 11F8D58F9D5E6CC34D0E5EA63E656A40C32FB5A3
0xB0 BR 76 B3 80 02 Retail CUH-1001A B01 2.50 1.52 0x03 0xED 0x00 0x00 3.237.0.0 - 56C205680BFFCB4AA36047F192C9D8C6FDD31294
0xB0 BR 76 B3 80 02 Retail CUH-1001A B01 2.50 1.52 0x03 0xED 0x00 0x00 3.237.0.0 - 3F85EDAD7BCF9122B456970FDEDB9C1D1802A7A5
0xB0 BR 76 B3 80 02 Retail CUH-1011A B01 2.50 1.52 0x03 0xED 0x00 0x00 3.237.0.0 - 262E7A39E3F04C91D6820EF5EF0533F0D32BD073
0x34 EU 76 B3 80 02 Retail CUH-1004A B01X 1.06 1.06 0x02 0x00 0x00 0x00 2.0.0.0 1 A801741B94EAFFAE0CB9F56EB20E7908F9556D45
0x30 EU 76 B3 80 02 Retail CUH-1004A B01X 1.61 1.61 0x03 0x00 0x00 0x00 3.0.0.0 1 A801741B94EAFFAE0CB9F56EB20E7908F9556D45
0x30 EU 76 B3 80 02 Retail CUH-1004A B01X 1.62 1.61 0x03 0xE0 0x00 0x00 3.224.0.0 1 A801741B94EAFFAE0CB9F56EB20E7908F9556D45
0x30 EU 76 B3 80 02 Retail CUH-1004A B01X 1.74 1.61 0x03 0xE0 0x00 0x00 3.224.0.0 1 A801741B94EAFFAE0CB9F56EB20E7908F9556D45

Software Based Validation[edit | edit source]

BwE PS4 NOR Validator[edit | edit source]

Results

This program is the release version of User:BwE's PS4 NOR Validator, it is designed solely to validate the NOR flash of your PS4 console!

Why would you need to do this? Well if your console has suddenly died and has what is called the 'BLOD', the NOR can be the reason why. Using my program will allow you to validate literally every single byte of the NOR (or over 2100 specific areas) - allowing you to see where or if it is corrupted.

The most common area of corruption that causes the BLOD is the CID. Some areas of this section can actually be repaired, if you're lucky! I and others have done this! Don't forget to use my Comparator tool to help you understand what the difference is for a specific section of the NOR. It will help you with patching!

Other areas can be inter-changed between different consoles and are more suited for repair, the WiFi/BT module is a good example of this.

So fundamentally, this program is for console repairers like myself. If you are indeed a repairer and run a business I can make a custom 'bulk' version for you! But for now, feel free to put multiple *.bin files in the working directory as my program will provide a selection menu.

I am also happy to give advice on your NOR or help interpret your results, just post on the forum or give me an email. If you can bypass my filter, send me a link to your NOR!

If you encounter any errors or weird results - or better yet if your NOR is labled danger in any areas, but still runs fine - let me know!

Keep in mind the CoreOS and other large encrypted areas could still be corrupt regardless of the results (I cant check every byte in an encrypted section, hence alt validations). This program is NOT perfect, but it is WAY better than just using a hex editor or never truely knowing if your BLOD is caused by the NOR!

This also goes above and beyond that of the psdevwiki page regarding the main flash of the PS4 (Thank you cfwprpht).






Notes:

As of version 1.5.5 there is an ability to upload dumps directly to me. I use these to improve the program and validations. Abusing this service will result in your ban from future use of my validator.

Regarding Anti-Virus:

I protect my program with Themida. The problem with this is that heuristically some AV software see it as a threat. This is because people who make or redistribute old malware also use Themida to help make themselves undetected.

Ultimately, it is up to you to trust the program and me. I encourage you to upload to a sandbox to see for yourself.

Version History:
- 1.7.1 (25/6/21) Fixed Uploading Questions, Added MB Serial to Outputs, New Spash Screen.
- 1.7.0 (23/6/21) Added Question Regarding Dump When Uploading, Added New CID Validation (Weird Key or Flag), Fixed UART Validation, Added Unlisted Results.
- 1.6.9 (26/5/21) Fixed Internal Code Issues, Added Unlisted Results, New Splash Screen (Potentially last update for a short while).
- 1.6.8 (16/5/21) Updated Internal Comparison Application, Improved Serial Number Validation (MB Series), Added Unlisted Results.
- 1.6.7 (25/4/21) Repaired UNK 1200 Series Validation, Added Unlisted Results.
- 1.6.6 (12/4/21) Added Unlisted Results, Improved Validation, Changed Output Styling.
- 1.6.5 (31/3/21) Added CoreOS Statistical Analysis, Changed Some Results, Changed Some Output Formatting, Returned to Previous Packer.
- 1.6.3 (30/3/21) Added CoreOS Patcher (SU-30631-3 Error Specific), Updated Results, Added Unlisted Results, Fixed Readme, Changed Packer.
- 1.6.2 (18/3/21) Repaired CID Validation, Improved Handling of 72xx, Added Unlisted Results, Improved Dump Uploading Process.
- 1.6.1 (20/2/21) Repaired CID Validation, Added Unlisted Results (Thanks Uploaders!)
- 1.6.0 (4/2/21) Added IDU Mode Patcher, Improved Validations, Added Unlisted Results.
- 1.5.9 (29/1/21) Major Improvement to CID and UNK Validations, Added Unlisted Results, Improved UART Patching, Better Handling of 1200/Pro/Slim Validations, Added v1.5 of Comparator 
- 1.5.7 (11/1/21) Fixed Version Checker, Improved Statistics, Removed Some Unlisted Results (Improved Validation), Updated Upload Feature, Improved Compiler
- 1.5.6 (10/1/21) Improved CID and UNK Validations, Updated Unlisted Validations, IDU Flags Added, Some Code Optimization
- 1.5.5 (8/1/21) Updated Pro/Slim Specific Validations, Updated Unlisted Validations, Updated CID Validations, Updated UNK Validations, Added Dump Upload Feature
- 1.5.3 (5/12/20) Updated Unlisted Validations, Updated WiFi/BT MD5s & Entropy Validation
- 1.5.2 (20/11/20) Updated WiFi/BT MD5s, Added 2nd UART Flag, Updated Unlisted Validations
- 1.5.1 (3/11/20) Updated Unlisted Validations, Added UART Enabler, Removed Unused Validation Option, Added Basic Loader
- 1.5.0 (30/10/20) Updated Unlisted Validations, Upgraded Existing Validations, Removed Loader (Secret Patcher Coming Soon!)
- 1.4.9 (3/5/20) Added 21xx Series Specific Validations, Updated Unlisted Validations
- 1.4.7 (23/3/20) Added Dynamic Comparison, Updated Unlisted Validations
- 1.4.6 (1/2/20) Just Keeping It Fresh! (May have fixed issues stopping the program running, if not let me know!)
- 1.4.4 (16/8/19) Added and Improved Validations (CID & UNK) Including New WiFi/BT FW MD5
- 1.4.2 (7/4/19) Added More Validations (Firmware & Console Specific), Improved Various Sections (CID & UNK Mostly)
- 1.4.1 (1/3/19) Prettied Up Outputs, Minor Rewording (Sorry!).
- 1.4.0 (1/3/19) Added Zecoxao Extraction Methodology (Will Add More Zecoxao SELF Stuff Later), Added FW/BIOS Versioning, Added Additional Entropy Validation & Various Improvements Throughout.
- 1.3.8 (21/2/19) Added Additional Validations (To Suit Slim/Pro), Repaired/Improved CID Validation, More MD5s & Table Based Results.
- 1.3.5 (30/1/19) Added CoreOS Reference Points (Additional CoreOS Per-Console Validation).
- 1.3.3 (24/1/19) Reworked And Improved Both CID And UNK Sections Again, Added More MD5's, Added Application Version Checker, Removed Colored Bars, Added Comparator & Other Improvements Throughout.
- 1.3.1 (19/1/19) Added More Validations & MD5's, Repaired Minor Bug.
- 1.3 (15/1/19) Completely Reworked And Improved The CID Section And Added Additional Validations To The UNK Section & I Also Improved Some Other Validations Throughout.
- 1.2.6 (18/12/18) Hopefully Fixed 'Black Screen' Issue, Recompiled In 32bit.
- 1.2.5 (17/12/18) Added 2 New Flags (Possibly Initialization Flag?), Changed Validation Results, Improved Output/Info (HTML) & Added MD5's. 
- 1.2 (8/12/18) Improved All Alt Validations, Repaired Vtrm1, Internal Typo & Added Repetition Checks.
- 1.1.1 (29/11/18) Typo Again, Made The SKU Not Come Up As Unlisted & Added Some MD5's.
- 1.1 (28/11/18) Improved VTRM & CID Validation, Typo Fixes & Better Colours. 
- 1.0 (27/11/18) First Release!

Developer Website:
https://betterwayelectronics.com.au/

Direct Link:
https://betterwayelectronics.com.au/BwE_PS4_NOR_Validator.rar

More Information/Updates:
github.com/BetterWayElectronics/ps4-nor-validator