Talk:Non Volatile Storage: Difference between revisions
(Created page with "some findings i have found you can delete if want :) kernel 1.76 Non Volatile Storage -------------------- sceSblDevActVerifyCheckExpire: icc_nvs_read(0LL, 4uLL, 0x80LL, 0x68u...") |
CelesteBlue (talk | contribs) No edit summary |
||
(27 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
= Platform ID Samples = | |||
<pre> | |||
-------------------- | 01:01:01:01:01:01:01:01 -> Syrup Board | ||
02:01:01:01:03:01:0B:01 -> CVN-K04 Board | |||
03:02:01:01:02:01:06:01 -> DUH-T1000AA SAA-001 Board, CUH-1003A B01 SAA-001 Board | |||
03:02:02:01:01:01:05:01 -> CUH-1116A B01 SAB-001 Board | |||
03:02:03:01:01:01:03:02 -> CAP-CH00XK-M0 SAC-001 Board | |||
03:02:04:01:??:??:??:?? -> SAD-001 Board | |||
03:02:05:01:01:01:05:01 -> CUH-21xx | |||
03:02:05:01:01:07:05:01 -> CUH-2116A B01 SAE-00X Board | |||
03:02:06:01:01:07:05:01 -> SAF-003 Board | |||
04:01:01:01:01:01:04:01 -> DUT-DBW00JK-S0 HAC-001 Board | |||
04:01:01:01:01:01:05:01 -> DUH-D7000JA HAC-001 Board | |||
05:02:01:01:01:01:05:01 -> DUH-T7000AA NVX-00X Board | |||
</pre> | |||
* Remark: every byte value starts at 0x01 not 0x00. | |||
Let decompose Platform ID as aa:bb:cc:dd:ee:ff:gg:hh. | |||
* aa = type: 01: Syrup prototype, 02: Cavern prototype, 03: standard PS4, 04: PS4 PRO HAC prototype, 05: PS4 PRO NVX prototype | |||
* bb = unknown | |||
* cc = equivalent of product sub code: 01: SAA, 02: SAB, ... 06: SAF | |||
* dd = unknown: always 01 | |||
* ee = unknown: 01, 02 or 03 | |||
* ff = unknown: 01 or 07 | |||
* gg = ?color?: 01, 03, 04, 05, 06, 0B | |||
* hh = unknown: 01 or 02 | |||
= Findings from Kernel by Z80 = | |||
From kernel of PS4 System Software version 1.76. | |||
<source lang="C"> | |||
sceSblDevActVerifyCheckExpire: | sceSblDevActVerifyCheckExpire: | ||
icc_nvs_read(0LL, 4uLL, 0x80LL, 0x68uLL, &data_ptr); | icc_nvs_read(0LL, 4uLL, 0x80LL, 0x68uLL, &data_ptr); | ||
Line 55: | Line 85: | ||
sub_FFFFFFFF827D8E30:??? | sub_FFFFFFFF827D8E30:??? | ||
icc_nvs_write(0LL, 4uLL, 0LL, 0x20uLL, &dipsw_FFFFFFFF836C0090); | icc_nvs_write(0LL, 4uLL, 0LL, 0x20uLL, &dipsw_FFFFFFFF836C0090); | ||
</source> | |||
From kernel of PS4 System Software version 1.00 Tool (DevKit). | |||
<source lang="C"> | |||
sce_cam_error_put: | |||
icc_nvs_read(0, 4u, 0x100, 0x100u, (__int64)v31); | |||
icc_nvs_write(0LL, 4LL, 0x1FCLL, 4LL, &v29); | |||
v18 = sce_device_error_log; | |||
icc_nvs_write(0LL, 4LL, (unsigned __int16)(0x28 * (v18 % 6) + 0x100), 0x28LL, v32); | |||
get_init_safe_mode: | |||
icc_nvs_read(0, 4u, 0x20, 1u, (__int64)&v5) ) | |||
start_init: | |||
if ( (unsigned int)icc_nvs_read(0, 4u, 0x20, 1u, (__int64)&v51) ) | |||
LABEL_43: | |||
panic((unsigned int)"failed to retrieve init_safe_mode", 4, v0, v1, v2, v3); | |||
if ( (unsigned int)icc_nvs_read(0, 4u, 0x20, 1u, (__int64)&v51) ) | |||
goto LABEL_43; | |||
if ( v51 == 0xFF ) | |||
printf((unsigned int)"Falling back to orbis_diag...\n", 4, v0, v1, v2, v3); | |||
else | |||
printf((unsigned int)"%s is not found. trying next...\n", v52[0], v0, v1, v2, v3); | |||
goto LABEL_36; | |||
sysctl_kern_init_safe_mode: | |||
if ( (unsigned int)icc_nvs_read(0, 4u, 0x20, 1u, (__int64)&v13) ) | |||
panic((unsigned int)"failed to retrieve init_safe_mode", 4, v5, v6, v7, v8); | |||
sysctl_manumode: | |||
result = icc_nvs_read(0, 4u, 0x2C00, 0x20u, (__int64)v8); | |||
if ( !(_DWORD)result ) | |||
{ | |||
if ( !(unsigned int)memcmp(v8, &sysctl_manumode_manu_mode_0xff, 0x20LL) ) | |||
result = icc_nvs_write(1LL, 4LL, 0x2C00LL, 0x20LL, &sysctl_manumode_manu_mode_0x00); | |||
if ( !(_DWORD)result ) | |||
{ | |||
bzero(v8, 32LL); | |||
result = icc_nvs_read(0, 4u, 0x2C00, 0x20u, (__int64)v8); | |||
if ( !(_DWORD)result ) | |||
return 5 * (unsigned int)((unsigned int)memcmp(v8, &sysctl_manumode_manu_mode_0x00, 0x20LL) != 0); | |||
lvp_configure_tccds: | |||
if ( (unsigned int)(a1 - 2) < 4 || !a1 || (result = 0x16LL, a1 == 0xFF) ) | |||
{ | |||
v2 = icc_nvs_read(0, 4u, 0x322, 1u, (__int64)&v3); | |||
result = 5LL; | |||
if ( !v2 ) | |||
{ | |||
result = 0LL; | |||
if ( v3 != (_BYTE)a1 ) | |||
return 5 * (unsigned int)((unsigned int)icc_nvs_write(0LL, 4LL, 0x322LL, 1LL, &v4) != 0); | |||
</source> | |||
= About EAP Hdd Key = | |||
* sceSblGetEAPInternalPartitionKey((__int64)&unk_FFFFFFFF836C0000, &unk_FFFFFFFF836BC010, a2, a3, v7) ) | |||
* seems to contain 2 buffers | |||
* unk_FFFFFFFF836C0000 (0x70) <- encrypted eap_hdd_key ? | |||
* unk_FFFFFFFF836BC010 (0x70) <- decrypted eap_hdd_key ? | |||
<source lang="C"> | |||
v7 = icc_nvs_read(0LL, 4uLL, 0x200LL, v2, &enc_eap_key_); | |||
if ( v7 ) { | |||
v12 = v7; | |||
printf("icc_nvs_read failed: %d\n", v7, v8, v9, v10, v11, v19); | |||
panic("eap key not available", v12, v13, v14, v15, v16, v20); | |||
} | |||
printf("g_crypt_deferred_init: calling CCP\n", 4LL, v8, v9, v10, v11, v19); | |||
v12 = &eap_key_; | |||
if ( sceSblGetEAPInternalPartitionKey(&enc_eap_key_, &eap_key_) ) | |||
</source> | |||
= From EMC = | |||
<pre> | |||
storage_part0_desc struc_142370 <0, 0, 0x1C4000, 0x1000, 1, 0, 0, 0> | |||
storage_part1_desc struc_142370 <1, 0x1000, 0x1C5000, 0x1000, 1, 1, 0x1CE000, 0x1CF000> | |||
storage_part2_desc struc_142370 <2, 0x2000, 0x1C6000, 0x1000, 1, 0, 0, 0> | |||
storage_part3_desc struc_142370 <3, 0x3000, 0x1C7000, 0x1000, 1, 0, 0, 0> | |||
storage_part4_desc struc_142370 <4, 0x4000, 0x1C8000, 0x800, 1, 0, 0, 0> | |||
storage_part5_desc struc_142370 <5, 0x4800, 0x1C8800, 0x800, 1, 0, 0, 0> | |||
storage_part6_desc struc_142370 <6, 0x5000, 0x1C9000, 0x3000, 1, 0, 0, 0> | |||
</pre> |
Latest revision as of 21:00, 22 May 2024
Platform ID Samples
01:01:01:01:01:01:01:01 -> Syrup Board
02:01:01:01:03:01:0B:01 -> CVN-K04 Board
03:02:01:01:02:01:06:01 -> DUH-T1000AA SAA-001 Board, CUH-1003A B01 SAA-001 Board
03:02:02:01:01:01:05:01 -> CUH-1116A B01 SAB-001 Board
03:02:03:01:01:01:03:02 -> CAP-CH00XK-M0 SAC-001 Board
03:02:04:01:??:??:??:?? -> SAD-001 Board
03:02:05:01:01:01:05:01 -> CUH-21xx
03:02:05:01:01:07:05:01 -> CUH-2116A B01 SAE-00X Board
03:02:06:01:01:07:05:01 -> SAF-003 Board
04:01:01:01:01:01:04:01 -> DUT-DBW00JK-S0 HAC-001 Board
04:01:01:01:01:01:05:01 -> DUH-D7000JA HAC-001 Board
05:02:01:01:01:01:05:01 -> DUH-T7000AA NVX-00X Board
- Remark: every byte value starts at 0x01 not 0x00.
Let us decompose the Platform ID as aa:bb:cc:dd:ee:ff:gg:hh.
- aa = type: 01: Syrup prototype, 02: Cavern prototype, 03: standard PS4, 04: PS4 PRO HAC prototype, 05: PS4 PRO NVX prototype
- bb = unknown
- cc = equivalent of product sub code: 01: SAA, 02: SAB, ... 06: SAF
- dd = unknown: always 01
- ee = unknown: 01, 02 or 03
- ff = unknown: 01 or 07
- gg = ?color?: 01, 03, 04, 05, 06, 0B
- hh = unknown: 01 or 02
Findings from Kernel by Z80
From kernel of PS4 System Software version 1.76.
/*
 * icc_nvs_read()/icc_nvs_write() call sites noted from the 1.76 kernel. Each
 * label names the function the call(s) below it were found in; a trailing run
 * of question marks marks a name or purpose the note's author was unsure of.
 * These are isolated lines, not complete function bodies.
 * NOTE(review): the third argument looks like an NVS offset and the fourth a
 * byte count (e.g. the two 0x300-byte reads at 0x1000 and 0x1300 are
 * back-to-back); the first two arguments are not explained on this page --
 * confirm against icc_nvs_read itself.
 */
sceSblDevActVerifyCheckExpire:
icc_nvs_read(0LL, 4uLL, 0x80LL, 0x68uLL, &data_ptr);
icc_nvs_read(0LL, 4uLL, 0x900LL, 0x100uLL, &v12);
read_idstorage:???
/* Offset comes from a table indexed by v8 (low 16 bits taken); length v9 is not a constant. */
icc_nvs_read(0LL, 4uLL, LOWORD(dword_FFFFFFFF82A484D4[v8]), v9, a2);
g_crypt_deferred_init:
/* Fourth argument is written as a range (0x40-0x60) in the note, not a single value -- presumably the exact size was not pinned down. */
icc_nvs_read(0LL, 4uLL, 0x200LL, 0x40-0x60, &enc_eap_key_);
srtc_create_dev:
/* Third argument is marked uncertain by the note's author: 0x2CC0 or 0x2C00. */
icc_nvs_read(0LL, 4uLL, 0x2CC0LL(maybe0x2c00LL), 0x20uLL, &data_ptr[v18]);
wlan related TRSW wlan/bt power state/mode:???
icc_nvs_read(0LL, 4uLL, 0x30LL, 1uLL, &data_ptr)
sub_FFFFFFFF82751F70:wlan related TRSW???
/* The only call in this list whose second argument is 1 rather than 4. */
icc_nvs_read(0LL, 1uLL, 0x40LL, 0x10uLL, (v2 + 1096))
regMgrNvsSpInit:
icc_nvs_read(0LL, 4uLL, 0x1600LL, 0x20uLL, &qword_FFFFFFFF8346C520);
sub_FFFFFFFF826A9AC0:
/* Two 0x300-byte reads covering 0x1000..0x15FF into two separate buffers. */
icc_nvs_read(0LL, 4uLL, 0x1000LL, 0x300uLL, PrivateStorageAddr1_ptr);
icc_nvs_read(0LL, 4uLL, 0x1300LL, 0x300uLL, PrivateStorageAddr2_ptr);
get_extra_clock:aeolia_rtc_???
icc_nvs_read(0LL, 4uLL, 0x50LL, 1uLL, &off_FFFFFFFF83377C99)
iccnvs_kproc:
/* Every argument after the first is loaded through v6 rather than being a constant. */
icc_nvs_read(0LL, *(*(v6 + 2) + 0x20LL), *(v6 + 12), *(v6 + 16), *(v6 + 5))
sub_FFFFFFFF8262DC60:sysctl_machdep_cavern_dvt1_init_update: current_mode: ???
icc_nvs_read(0LL, 4uLL, 0x21LL, 1uLL, &data_ptr);
lvp_configure_tccds:
icc_nvs_read(0LL, 4uLL, 0x322LL, 1uLL, &data_ptr);
manumode:
icc_nvs_read(0LL, 4uLL, 0x2C00LL, 0x20uLL, &data_ptr);
init_safe_mode mode ???
icc_nvs_read(0LL, 4uLL, 0x20LL, 1uLL, &data_ptr)
sce_cam_error_log_read:
icc_nvs_read(0LL, 4uLL, 0x100LL, 0x100uLL, &data_ptr);
sub_FFFFFFFF827D2F50:qafutkn ???
/* The only read in this list whose first argument is 1 rather than 0. */
icc_nvs_read(1LL, 4uLL, 0x0a00LL, 0x190uLL, &data_ptr);
sub_FFFFFFFF827D8E30:???
/* The only write in this list; the source buffer carries a dipsw_ prefix in the author's naming. */
icc_nvs_write(0LL, 4uLL, 0LL, 0x20uLL, &dipsw_FFFFFFFF836C0090);
From kernel of PS4 System Software version 1.00 Tool (DevKit).
/* sce_cam_error_put (excerpt): NVS accesses only, not the whole function body. */
sce_cam_error_put:
/* Reads 0x100 bytes at 0x100 into v31 (argument roles assumed: offset, then length -- confirm). */
icc_nvs_read(0, 4u, 0x100, 0x100u, (__int64)v31);
/* Writes 4 bytes from v29 at 0x1FC, i.e. the last 4 bytes of the 0x100..0x1FF range read above. */
icc_nvs_write(0LL, 4LL, 0x1FCLL, 4LL, &v29);
v18 = sce_device_error_log;
/* Offset is 0x100 + 0x28 * (v18 % 6): one of six 0x28-byte slots, so the write stays within 0x100..0x1EF. */
icc_nvs_write(0LL, 4LL, (unsigned __int16)(0x28 * (v18 % 6) + 0x100), 0x28LL, v32);
/* get_init_safe_mode (excerpt): one-byte read at 0x20 into v5; the trailing ')' shows the call was cut out of a larger condition. */
get_init_safe_mode:
icc_nvs_read(0, 4u, 0x20, 1u, (__int64)&v5) )
/*
 * start_init (excerpt): reads the one-byte value at 0x20 from NVS. Statements
 * between the lines shown may be missing, so do not read this as contiguous
 * control flow.
 */
start_init:
/* One-byte read into v51; a non-zero return reaches the panic below. */
if ( (unsigned int)icc_nvs_read(0, 4u, 0x20, 1u, (__int64)&v51) )
LABEL_43:
panic((unsigned int)"failed to retrieve init_safe_mode", 4, v0, v1, v2, v3);
/* Same read again; failure jumps to the same panic label. */
if ( (unsigned int)icc_nvs_read(0, 4u, 0x20, 1u, (__int64)&v51) )
goto LABEL_43;
/* v51 is the byte read above: 0xFF selects the "Falling back" message, any other value the "not found" message. */
if ( v51 == 0xFF )
printf((unsigned int)"Falling back to orbis_diag...\n", 4, v0, v1, v2, v3);
else
printf((unsigned int)"%s is not found. trying next...\n", v52[0], v0, v1, v2, v3);
goto LABEL_36;
/* sysctl_kern_init_safe_mode (excerpt): one-byte read at 0x20 into v13; a non-zero return from the read panics. */
sysctl_kern_init_safe_mode:
if ( (unsigned int)icc_nvs_read(0, 4u, 0x20, 1u, (__int64)&v13) )
panic((unsigned int)"failed to retrieve init_safe_mode", 4, v5, v6, v7, v8);
/* sysctl_manumode (excerpt): the closing braces and the rest of the function are not part of the note. */
sysctl_manumode:
/* Read the 0x20-byte field at 0x2C00 into v8 (argument roles assumed: offset, then length -- confirm). */
result = icc_nvs_read(0, 4u, 0x2C00, 0x20u, (__int64)v8);
if ( !(_DWORD)result )
{
/*
 * If the field equals the buffer named ..._0xff, overwrite it with the buffer
 * named ..._0x00. The write passes 1 as its first argument where the reads
 * pass 0; the meaning of that argument is not shown here.
 */
if ( !(unsigned int)memcmp(v8, &sysctl_manumode_manu_mode_0xff, 0x20LL) )
result = icc_nvs_write(1LL, 4LL, 0x2C00LL, 0x20LL, &sysctl_manumode_manu_mode_0x00);
/* Runs whenever result is still 0, whether or not the write above happened. */
if ( !(_DWORD)result )
{
/* Read-back check: clear v8, re-read the field, compare with the ..._0x00 buffer. */
bzero(v8, 32LL);
result = icc_nvs_read(0, 4u, 0x2C00, 0x20u, (__int64)v8);
if ( !(_DWORD)result )
/* Returns 0 when the field matches, 5 when it does not. */
return 5 * (unsigned int)((unsigned int)memcmp(v8, &sysctl_manumode_manu_mode_0x00, 0x20LL) != 0);
/* lvp_configure_tccds (excerpt): the closing braces and the rest of the function are not part of the note. */
lvp_configure_tccds:
/* a1 is accepted when it is 2..5, 0 or 0xFF; otherwise result is left at 0x16. */
if ( (unsigned int)(a1 - 2) < 4 || !a1 || (result = 0x16LL, a1 == 0xFF) )
{
/* Read the current one-byte value at 0x322 into v3. */
v2 = icc_nvs_read(0, 4u, 0x322, 1u, (__int64)&v3);
/* result is 5 if the read failed. */
result = 5LL;
if ( !v2 )
{
result = 0LL;
/* Write only when the stored byte differs from the low byte of a1; 5 is returned if the write fails. */
/* NOTE(review): v4 presumably holds the new value derived from a1 -- its assignment is not in the excerpt. */
if ( v3 != (_BYTE)a1 )
return 5 * (unsigned int)((unsigned int)icc_nvs_write(0LL, 4LL, 0x322LL, 1LL, &v4) != 0);
About EAP Hdd Key
- sceSblGetEAPInternalPartitionKey((__int64)&unk_FFFFFFFF836C0000, &unk_FFFFFFFF836BC010, a2, a3, v7) )
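- The call seems to take 2 buffers:
- unk_FFFFFFFF836C0000 (0x70) <- encrypted eap_hdd_key ?
- unk_FFFFFFFF836BC010 (0x70) <- decrypted eap_hdd_key ?
- This reading is consistent with the fragment below, where the first argument (enc_eap_key_) is filled by icc_nvs_read from NVS offset 0x200 before the call and the second (eap_key_) is not written in the lines shown; the fragment does not show what the function does with either buffer.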
/*
 * Excerpt that identifies itself as g_crypt_deferred_init in its own log
 * string: a blob is read from NVS and passed to
 * sceSblGetEAPInternalPartitionKey. The lines before and after are not shown.
 */
/* Read v2 bytes at 0x200 into enc_eap_key_ (argument roles assumed: offset, then length -- confirm). */
v7 = icc_nvs_read(0LL, 4uLL, 0x200LL, v2, &enc_eap_key_);
if ( v7 ) {
v12 = v7;
printf("icc_nvs_read failed: %d\n", v7, v8, v9, v10, v11, v19);
/* A failed read is fatal: the code panics instead of continuing without the key. */
panic("eap key not available", v12, v13, v14, v15, v16, v20);
}
printf("g_crypt_deferred_init: calling CCP\n", 4LL, v8, v9, v10, v11, v19);
v12 = &eap_key_;
/* enc_eap_key_ is the buffer just read from NVS; eap_key_ is the second buffer. The body of this if is not part of the excerpt. */
if ( sceSblGetEAPInternalPartitionKey(&enc_eap_key_, &eap_key_) )
From EMC
storage_part0_desc struc_142370 <0, 0, 0x1C4000, 0x1000, 1, 0, 0, 0>
storage_part1_desc struc_142370 <1, 0x1000, 0x1C5000, 0x1000, 1, 1, 0x1CE000, 0x1CF000>
storage_part2_desc struc_142370 <2, 0x2000, 0x1C6000, 0x1000, 1, 0, 0, 0>
storage_part3_desc struc_142370 <3, 0x3000, 0x1C7000, 0x1000, 1, 0, 0, 0>
storage_part4_desc struc_142370 <4, 0x4000, 0x1C8000, 0x800, 1, 0, 0, 0>
storage_part5_desc struc_142370 <5, 0x4800, 0x1C8800, 0x800, 1, 0, 0, 0>
storage_part6_desc struc_142370 <6, 0x5000, 0x1C9000, 0x3000, 1, 0, 0, 0>