Non Volatile Storage: Difference between revisions
CelesteBlue (talk | contribs) No edit summary |
CelesteBlue (talk | contribs) No edit summary |
||
(6 intermediate revisions by the same user not shown) | |||
Line 17: | Line 17: | ||
== Serial Flash NVS Banks == | == Serial Flash NVS Banks == | ||
A total of 7 NVS blocks are separated into 2 banks: main bank and backup bank. The kernel makes use only of the bank 0 block 4 and the bank 1 block 1, even though it is allowed to read/write the other 5 banks. Indeed, <code>/dev/sflash0s0x34</code> access is provided to System applications and to Kernel. [[EMC]] is also | A total of 7 NVS blocks are separated into 2 banks: main bank and backup bank. The kernel makes use only of the bank 0 block 4 and the bank 1 block 1, even though it is allowed to read/write the other 5 banks. Indeed, <code>/dev/sflash0s0x34</code> access is provided to System applications and to Kernel. [[EMC]] is also able to access Serial Flash NVS through ICC and provides a [[Southbridge#EMC_UART_Debug_Communication|RPC interface through UART]] to read and write to NVS. | ||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
Line 23: | Line 23: | ||
! Bank Index !! Block Index !! Offset in /dev/sflash0s0x34 !! Size !! Notes | ! Bank Index !! Block Index !! Offset in /dev/sflash0s0x34 !! Size !! Notes | ||
|- | |- | ||
| 0 || 0 || 0 || 0x3000 || emc region | | 0 || 0 || 0 || 0x3000 || emc region. From 0x1000 to 0x2000 is a region containing statistics. | ||
|- | |- | ||
| 0 || 1 || 0x3000 || 0x1000 || pd region | | 0 || 1 || 0x3000 || 0x1000 || pd region | ||
Line 48: | Line 48: | ||
| 0 || 0 || 0 || 0x8 || [[Platform ID]] | | 0 || 0 || 0 || 0x8 || [[Platform ID]] | ||
|- | |- | ||
| 0 || 0 || 0x21 || 0x6 || Ethernet MAC Address #1 (e.g BC 60 A7 28 83 66) | | 0 || 0 || 0x21 || 0x6 || Ethernet [[MAC Address]] #1 (e.g BC 60 A7 28 83 66) | ||
|- | |- | ||
| 0 || 0 || 0x27 || 0x6 || Ethernet MAC Address #2. If there is a second ethernet port (e.g. on DevKit), it is (Ethernet MAC Address #1) + 1, else FFed. (e.g BC 60 A7 28 83 67, FF FF FF FF FF FF) | | 0 || 0 || 0x27 || 0x6 || Ethernet [[MAC Address]] #2. If there is a second ethernet port (e.g. on DevKit), it is (Ethernet MAC Address #1) + 1, else FFed. (e.g BC 60 A7 28 83 67, FF FF FF FF FF FF) | ||
|- | |- | ||
| 0 || 0 || 0x4E || 0x2 || Unknown (e.g 25 16) | | 0 || 0 || 0x4E || 0x2 || Unknown (e.g 25 16) | ||
Line 190: | Line 190: | ||
| 0 || 0 || 0x15C0 || 0x18 || Unknown | | 0 || 0 || 0x15C0 || 0x18 || Unknown | ||
|- | |- | ||
| 0 || 0 || 0x2000 || 0x8 || Unknown | | 0 || 0 || 0x2000 || 0x8 || Unknown #1 (e.g. 05 4D 7E 5C 5A A0 00 03 on a DUH-T2000JA, 71 BD 2D 85 53 A4 00 03 on a DUH-T1200AA, D5 71 D4 5F 89 90 00 03 on a CUH-2216B B01Y SAF-003) | ||
|- | |||
| 0 || 0 || 0x2008 || 0x8 || Unknown #2 (e.g. F8 9C DE 5F 57 6E 00 03 on a DUH-T2000JA, D1 03 75 5F 1B 40 00 03 on a DUH-T1200AA, FFed on a CUH-2216B B01Y SAF-003) | |||
|- | |||
| 0 || 0 || 0x2010 || 0x8 || Unknown #3 (e.g. 09 93 BF 5F 89 90 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) | |||
|- | |||
| 0 || 0 || 0x2018 || 0x8 || Unknown #4 (e.g. 3F A0 92 9F 93 F4 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) | |||
|- | |||
| 0 || 0 || 0x2020 || 0x8 || Unknown #5 (e.g. 99 16 06 4C 03 88 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) | |||
|- | |||
| 0 || 0 || 0x2028 || 0x8 || Unknown #6 (e.g. D5 6A A0 E9 B6 98 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) | |||
|- | |||
| 0 || 0 || 0x2030 || 0x8 || Unknown #7 (e.g. D6 8C 00 31 10 58 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) | |||
|- | |||
| 0 || 0 || 0x2038 || ... || Unknown... (FFed on a DUH-T2000JA, DUH-T1200AA, CUH-2216B B01Y SAF-003) | |||
|} | |} | ||
Line 304: | Line 318: | ||
| 0 || 4 || 0x7C || 0x4 || manu_mode related (SDK version?) | | 0 || 4 || 0x7C || 0x4 || manu_mode related (SDK version?) | ||
|- | |- | ||
| 0 || 4 || 0x80 || | | 0 || 4 || 0x80 || 0x68 on 1.00-1.76, 0x6C on ? || [[Activation ACF]] token <- checked by sceSblDevActVerifyCheckExpire | ||
|- | |- | ||
| 0 || 4 || 0x100 || 0xF0 || sce_cam_error_put | | 0 || 4 || 0x100 || 0xF0 || sce_cam_error_put | ||
Line 397: | Line 411: | ||
| 0 || 4 || 0x150 || 0x290 || qafutkn_ioctl? | | 0 || 4 || 0x150 || 0x290 || qafutkn_ioctl? | ||
|- | |- | ||
| 0 || 4 || 0x900 || 0x100 || [[Activation ACF]] RSA signature | | 0 || 4 || 0x900 || 0x100 || [[Activation ACF]] RSA-2048 signature <- checked by sceSblDevActVerifyCheckExpire | ||
|} | |} | ||
Line 423: | Line 437: | ||
| 0 || 4 || 0x1600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 enabled, 0x00 or 0xFF disabled) | | 0 || 4 || 0x1600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 enabled, 0x00 or 0xFF disabled) | ||
|- | |- | ||
| 0 || 4 || 0x1601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled | | 0 || 4 || 0x1601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled, 0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled) | ||
|- | |||
| 0 || 4 || 0x1602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 enabled, 0x00 or 0xFF disabled) | |||
|- | |- | ||
| 0 || 4 || | | 0 || 4 || 0x1603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover (ex: 0 on a DUH-D1000AA, DUH-D1000JA, DUH-T1000AA, DUH-T2000JA, 1 on a CUH-10xx, DUH-T1200AA) | ||
|- | |- | ||
| 0 || 4 || | | 0 || 4 || 0x1604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version. This is the minimal System Software Version that should match [[SMI]]. (00 00 50 01 on a DUH-T1000AA, 00 00 51 01 on a DUH-D1000AA, 00 00 61 01 on a DUH-D1000AA, 00 00 62 01 on a DUH-D1000JA and CUH-10xx, FFed on some DUH-D1000AA and later models) | ||
|- | |- | ||
| 0 || 4 || | | 0 || 4 || 0x1608 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T1200AA, 0xFF on a DUH-T1000AA, DUH-T2000JA) | ||
|- | |- | ||
| 0 || 4 || 0x1609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode | | 0 || 4 || 0x1609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode | ||
|- | |||
| 0 || 4 || 0x160A || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0xFF) | |||
|- | |||
| 0 || 4 || 0x160B || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0xFF) | |||
|- | |||
| 0 || 4 || 0x160C || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T2000JA, 0xFF on a DUH-T1000AA, DUH-T1200AA, DUH-D1000AA, DUH-D1000JA, CUH-10xx) | |||
|- | |||
| 0 || 4 || 0x160D || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T2000JA, 0xFF on a DUH-T1000AA, DUH-T1200AA, DUH-D1000AA, DUH-D1000JA, CUH-10xx) | |||
|- | |||
| 0 || 4 || 0x160E || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T2000JA, 0xFF on a DUH-T1000AA, DUH-T1200AA, DUH-D1000AA, DUH-D1000JA, CUH-10xx) | |||
|- | |||
| 0 || 4 || 0x160F || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T2000JA, 0xFF on a DUH-T1000AA, DUH-T1200AA, DUH-D1000AA, DUH-D1000JA, CUH-10xx) | |||
|} | |} |
Latest revision as of 05:57, 6 January 2025
On PS4, a Non Volatile Storages (NVS) is, like on PS3 and PS Vita, a storage that has two properties: it remains accessible after electricity shortage (unlike RAM) and it is non-removeable (unlike HDD). NVS is mostly used for storing tokens and flags.
On PS4, there are 2 Non Volatile Storages, one in the Serial Flash and one in the Syscon EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. On PS Vita and PS4, there is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. PS4 SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.
See also PS5 Non Volatile Storage.
Syscon NVS[edit | edit source]
See Syscon#Syscon_Non_Volatile_Storage.
Serial Flash NVS[edit | edit source]
PS4 Serial Flash NVS is usually stored at offset 0x1C4000 but it is not hardcoded in OS and depends on the Serial Flash MBR. The size of the whole Serial Flash NVS is 0xC000 bytes.
PS4 Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open /dev/sflash0s0x34
.
Serial Flash NVS Banks[edit | edit source]
A total of 7 NVS blocks are separated into 2 banks: main bank and backup bank. The kernel makes use only of the bank 0 block 4 and the bank 1 block 1, even though it is allowed to read/write the other 5 banks. Indeed, /dev/sflash0s0x34
access is provided to System applications and to Kernel. EMC is also able to access Serial Flash NVS through ICC and provides a RPC interface through UART to read and write to NVS.
Bank Index | Block Index | Offset in /dev/sflash0s0x34 | Size | Notes |
---|---|---|---|---|
0 | 0 | 0 | 0x3000 | emc region. From 0x1000 to 0x2000 is a region containing statistics. |
0 | 1 | 0x3000 | 0x1000 | pd region |
0 | 2 | 0x4000 | 0x800 | ds region |
0 | 3 | 0x4800 | 0x800 | cs region |
0 | 4 | 0x5000 | 0x3000 | os region |
1 | 0 | 0x8000 | 0x3000 | backup region (backup of part of os and emc regions) |
1 | 1 | 0xB000 | 0x1000 | unknown region |
Detailed Serial Flash NVS Structure[edit | edit source]
Mapping of the detailed area (NVS service) 0/0 - EMCAREA[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 0 | 0 | 0x8 | Platform ID |
0 | 0 | 0x21 | 0x6 | Ethernet MAC Address #1 (e.g BC 60 A7 28 83 66) |
0 | 0 | 0x27 | 0x6 | Ethernet MAC Address #2. If there is a second ethernet port (e.g. on DevKit), it is (Ethernet MAC Address #1) + 1, else FFed. (e.g BC 60 A7 28 83 67, FF FF FF FF FF FF) |
0 | 0 | 0x4E | 0x2 | Unknown (e.g 25 16) |
0 | 0 | 0x50 | 0x5 | Unknown (e.g 12 FF 00 00 00) |
0 | 0 | 0x60 | 0x5 | Unknown (e.g 04 02 01 01 02) |
0 | 0 | 0x73 | 0x1 | Unknown (e.g 01) |
0 | 0 | 0x76 | 0x1 | Unknown (e.g 01) |
0 | 0 | 0x7A | 0x6 | Unknown (e.g 00 00 00 00 00 38) |
0 | 0 | 0x80 | 0x1 | Unknown (e.g. 00) |
0 | 0 | 0x82 | 0x3 | Unknown (e.g. 01 01 01) |
0 | 0 | 0x91 | 0x2 | Unknown (e.g 00 00) |
0 | 0 | 0x96 | 0x3 | Unknown |
0 | 0 | 0x9A | 0x2 | Unknown (e.g 02 02) |
0 | 0 | 0x9E | 0x2 | Unknown (e.g 00 00) |
0 | 0 | 0xA0 | 0x3 | Unknown (e.g 01 01 01) |
0 | 0 | 0xAC | 0x4 | Unknown |
0 | 0 | 0xC5 | 0x3 | Unknown (e.g AA AA AA) |
0 | 0 | 0x204 | 0x1 | Unknown (e.g 00) |
0 | 0 | 0x20B | 0x1 | Unknown (e.g 00) |
0 | 0 | 0x210 | 0x2 | Unknown (e.g 49 42) |
0 | 0 | 0x7FE | 0x2 | Unknown (e.g AF 31) |
0 | 0 | 0x801 | 0x1 | Unknown |
0 | 0 | 0x810 | 0x12 | Unknown |
0 | 0 | 0x84C | 0x2 | Unknown |
0 | 0 | 0x854 | 0x2 | Unknown |
0 | 0 | 0x870 | 0xC | Unknown |
0 | 0 | 0x8A0 | 0x1C | Unknown |
0 | 0 | 0xFFE | 0x2 | Unknown |
0 | 0 | 0x1000 | 0x4 | soc wakeup source (Only one possible value 00 07 FF 07) |
0 | 0 | 0x1004 | 0x4 | eap wakeup source (Only one possible value 00 07 FF 07) |
0 | 0 | 0x1008 | 0x4 | soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00) |
0 | 0 | 0x100C | 0x4 | eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00) |
0 | 0 | 0x1030 | 0x4 | NumberOfBootShutdown type A #1. Updated on each boot or shutdown. (e.g. 1167, 1168) |
0 | 0 | 0x1034 | 0x4 | NumberOfBootShutdown type A #2. Updated on each boot or shutdown. (e.g. 1167, 1168) |
0 | 0 | 0x1038 | 0x8 | dbi_time type A. Updated on each boot or shutdown. (e.g. 10890480, 10896060 -> delta_t = 5580) |
0 | 0 | 0x1040 | 0x4 | NumberOfBootShutdown type B #1. Updated on each boot or shutdown. (e.g. 221, 222). Maybe related to HDD or power AC. |
0 | 0 | 0x1044 | 0x4 | NumberOfBootShutdown type B #2. Updated on each boot or shutdown. (e.g. 221, 222). Maybe related to HDD or power AC. |
0 | 0 | 0x1048 | 0x8 | dbi_time type B. Updated on each boot or shutdown. (e.g. 10067580, 10117800 -> delta_t = 50220) |
0 | 0 | 0x1050 | 0x4 | NumberOfBoot type C. Updated on each boot. (e.g. 1099, 1100). Maybe related to suspend mode. |
0 | 0 | 0x1054 | 0x4 | NumberOfShutdown type C. Updated on each shutdown. (e.g. 1098, 1099). Maybe related to suspend mode. |
0 | 0 | 0x1058 | 0x8 | dbi_time type C. (e.g. 13855980, 13861620 -> delta_t = 5640) |
0 | 0 | 0x1220 | 0x18 | Unknown |
0 | 0 | 0x1240 | 0x18 | Unknown |
0 | 0 | 0x1260 | 0x18 | Unknown |
0 | 0 | 0x1280 | 0x18 | Unknown |
0 | 0 | 0x12A0 | 0x18 | Unknown |
0 | 0 | 0x12C0 | 0x18 | Unknown |
0 | 0 | 0x12E0 | 0x18 | Unknown |
0 | 0 | 0x1300 | 0x18 | Unknown |
0 | 0 | 0x1320 | 0x18 | Unknown |
0 | 0 | 0x1340 | 0x18 | Unknown |
0 | 0 | 0x1360 | 0x18 | Unknown |
0 | 0 | 0x1380 | 0x18 | Unknown |
0 | 0 | 0x13A0 | 0x18 | Unknown |
0 | 0 | 0x13C0 | 0x18 | Unknown |
0 | 0 | 0x13E0 | 0x18 | Unknown |
0 | 0 | 0x1400 | 0x18 | Unknown |
0 | 0 | 0x1420 | 0x18 | Unknown |
0 | 0 | 0x1440 | 0x18 | Unknown |
0 | 0 | 0x1460 | 0x18 | Unknown |
0 | 0 | 0x1480 | 0x18 | Unknown |
0 | 0 | 0x14A0 | 0x18 | Unknown |
0 | 0 | 0x14C0 | 0x18 | Unknown |
0 | 0 | 0x14E0 | 0x18 | Unknown |
0 | 0 | 0x1500 | 0x18 | Unknown |
0 | 0 | 0x1520 | 0x18 | Unknown |
0 | 0 | 0x1540 | 0x18 | Unknown |
0 | 0 | 0x1560 | 0x18 | Unknown |
0 | 0 | 0x1580 | 0x18 | Unknown |
0 | 0 | 0x15A0 | 0x18 | Unknown |
0 | 0 | 0x15C0 | 0x18 | Unknown |
0 | 0 | 0x2000 | 0x8 | Unknown #1 (e.g. 05 4D 7E 5C 5A A0 00 03 on a DUH-T2000JA, 71 BD 2D 85 53 A4 00 03 on a DUH-T1200AA, D5 71 D4 5F 89 90 00 03 on a CUH-2216B B01Y SAF-003) |
0 | 0 | 0x2008 | 0x8 | Unknown #2 (e.g. F8 9C DE 5F 57 6E 00 03 on a DUH-T2000JA, D1 03 75 5F 1B 40 00 03 on a DUH-T1200AA, FFed on a CUH-2216B B01Y SAF-003) |
0 | 0 | 0x2010 | 0x8 | Unknown #3 (e.g. 09 93 BF 5F 89 90 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) |
0 | 0 | 0x2018 | 0x8 | Unknown #4 (e.g. 3F A0 92 9F 93 F4 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) |
0 | 0 | 0x2020 | 0x8 | Unknown #5 (e.g. 99 16 06 4C 03 88 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) |
0 | 0 | 0x2028 | 0x8 | Unknown #6 (e.g. D5 6A A0 E9 B6 98 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) |
0 | 0 | 0x2030 | 0x8 | Unknown #7 (e.g. D6 8C 00 31 10 58 00 03 on a DUH-T2000JA, FFed on a DUH-T1200AA, CUH-2216B B01Y SAF-003) |
0 | 0 | 0x2038 | ... | Unknown... (FFed on a DUH-T2000JA, DUH-T1200AA, CUH-2216B B01Y SAF-003) |
Mapping of the detailed area (NVS service) 0/1 - PDAREA[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 1 | 0x0 | 0x40 | Unknown |
0 | 1 | 0x18 | 0x1 | Wlan5GHzInfo (0x00 Unsupported, 0x0C Supported, some reach 0x8C Supported, max reach (wifi ac?) ) |
0 | 1 | 0x40 | 0x10 | trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00) |
0 | 1 | 0xA0 | 0x2 | VrmOcp |
0 | 1 | 0xB0 | 0x1 | Unkown |
0 | 1 | 0xB1 | 0x1 | rtc info.corrMode |
0 | 1 | 0xB2 | 0x1 | rtc info.corrValue |
0 | 1 | 0xB3 | 0x1 | rtc info.corrValueExt |
0 | 1 | 0xC0 | 0x1 | Unknown |
Mapping of the detailed area (NVS service) 0/2 - DSAREA[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 2 | 0x0 | 0xE | KibanID (e.g 33001D00836391) |
0 | 2 | 0x10 | 0x10 | SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9) |
0 | 2 | 0x20 | 0x10 | ViopData |
0 | 2 | 0x30 | 0x11 | hw_info (e.g 00TS4DB00K2180050). Used in System Software 5.05. Unique identifier of console. |
0 | 2 | 0x41 | 0x1F | hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name. Used in recent System Software. Unique identifier of console. |
0 | 2 | 0x60 | 0x38 | Unknown |
0 | 2 | 0x98 | 0x8 | Unknown (e.g A8 32 2A 40 67 9E 01 30) |
0 | 2 | 0xA0 | 0x8 | Unknown (e.g 07 4C 11 63 6E B6 72 03) |
0 | 2 | 0xA8 | 0x4 | Unknown (e.g 07 8F 31 51) |
0 | 2 | 0xAF | 0x1 | Unknown (e.g 0xC2) |
0 | 2 | 0xB0 | 0x8 | Unknown (e.g 01 01 01 01 06 06 06 06 FF FF) |
0 | 2 | 0xC0 | 0xD | (e.g 0000027452252) Product Code (first 5 digits are Product Code Branch Number) |
0 | 2 | 0x100 | 0x20 | (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7) |
0 | 2 | 0x7D0 | 0x20 | Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00) |
0 | 2 | 0x7F0 | 0x2 | (e.g 01 FF) -> Disc Boot Time ?why are there two entries with different values? |
0 | 2 | 0x7FE | 0x2 | (e.g FF FF) -> Disc Boot Time ?why are there two entries with different values? |
Mapping of the detailed area (NVS service) 0/3 - CSAREA[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 3 | 0x0 | 0x7B0 | Unknown area |
0 | 3 | 0x7B0 | 0x1 | CS Config Mode |
0 | 3 | 0x7B1 | 0x4F | Unknown area |
Mapping of the detailed area (NVS service) 0/4 - OSAREA[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 4 | 0x0 | 0x20 | DIP Switches. Set on Dev/Test Kits and some internal units only. |
0 | 4 | 0x20 | 0x1 | init_safe_mode flag (e.g 0xF1). Used in init_safe_mode. |
0 | 4 | 0x21 | 0x1 | init_update flag. Used in sysctl_machdep_cavern_dvt1_init_update. |
0 | 4 | 0x30 | 0x1 | trsw_probe (0x01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe |
0 | 4 | 0x38 | 0x1 | gigabit ethernet (gbe) related |
0 | 4 | 0x50 | 0x1 | is_extra_clock_available_rtc_status |
0 | 4 | 0x60 | 0x4 | SMI SDK version (e.g 00 00 50 02 (2.50)). This is the minimal version of the System Software supported by this hardware. |
0 | 4 | 0x64 | 0x1 | Unknown |
0 | 4 | 0x65 | 0x1 | CsBackupMode |
0 | 4 | 0x67 | 0x1 | Unkown |
0 | 4 | 0x68 | 0x4 | Current SDK version 2 (e.g 00 00 05 05 (5.05)) |
0 | 4 | 0x70 | 0x4 | manu_mode related (SDK version?) |
0 | 4 | 0x74 | 0x4 | Unknown (e.g. 84 72 4E 57) |
0 | 4 | 0x7C | 0x4 | manu_mode related (SDK version?) |
0 | 4 | 0x80 | 0x68 on 1.00-1.76, 0x6C on ? | Activation ACF token <- checked by sceSblDevActVerifyCheckExpire |
0 | 4 | 0x100 | 0xF0 | sce_cam_error_put |
0 | 4 | 0x200 | varies (0x40-0x60) | obfuscated eap hdd key <- checked by g_crypt_deferred_init, also checked by read_idstorage |
0 | 4 | 0x300 | 0x30 | SAM/Liverpool Flags NVS Area |
0 | 4 | 0x3B0 | 1 | Unknown |
0 | 4 | 0x400 | 0x800 | dev/qaf/utkn NVS Area |
0 | 4 | 0xA00 | 0x190 | token? |
0 | 4 | 0xC00 | 0x3C | HDD Information (byte swapped ASCII) (e.g "GHTSH ST4501019A6E08 613081DJ0124FZD129SN" for an HGST HDD) |
0 | 4 | 0xC3C | 0x04 | Unknown (e.g 05 C6 0A 00) |
0 | 4 | 0xC40 | 0x130 | PUP Expiration Status (used in setPupExpirationStatus) |
0 | 4 | 0x1000 | 0x300 | #Registry Manager NVS area 1 |
0 | 4 | 0x1300 | 0x300 | #Registry Manager NVS area 2 |
0 | 4 | 0x1600 | 0x20 | #Registry Manager Entitlement Key NVS area |
0 | 4 | 0x2C00 | 0x20 | manufacturing mode (all zeroes for enabled, all 0xFFs for disabled) |
0 | 4 | 0x2C40 | 0x20 | Unknown |
0 | 4 | 0x2CC0 | 0x20 | srtc_modevent |
Mapping of the detailed area (NVS service) 1/0 - BACKUPAREA[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
1 | 0 | 0x0 | 0x2000 | Equivalent (active/inactive bank) of NVS area 0x5000-0x6FFF (part of OSAREA). First 0x1000 bytes are usually a 1:1 copy but the rest depends on Registry Settings. |
1 | 0 | 0x2000 | 0x1000 | Equivalent (active/inactive bank) of NVS area 0x1000-0x1FFF (part of EMCAREA). Differences (non-exhaustive):
|
Mapping of the detailed area (NVS service) 1/0 - Unknown Area[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
1 | 1 | 0x0 | 0x1 | Unknown. 0xFF disabled, 0x00 enabled |
1 | 1 | 0x1 | 0xFFE | Unknown. 0xFFed by default. |
SAM/Liverpool Flags[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 4 | 0x301 | 1 | unknown (01 = enabled) (only available for prototype) |
0 | 4 | 0x310 | 1 | sam_memtest (01 = enabled) |
0 | 4 | 0x311 | 1 | unknown (01 = enabled) (only available for prototype) |
0 | 4 | 0x312 | 1 | sam_rngtest (01 = enabled) |
0 | 4 | 0x31F | 1 | extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled |
0 | 4 | 0x320 | 1 | lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets user pick ranges from 400 to 2250MHz) |
0 | 4 | 0x322 | 1 | lvp_configure_tccds |
0 | 4 | 0x323 | 1 | sam_boot_flags (anything other than 0xFF for enabled) |
0 | 4 | 0x329 | 1 | related to lvp_config (likely gddr5DebugFlag, 1->Read DBI disabled, 2->Write DBI disabled, 4->ABI disabled, 8->Force auto precharge enabled, 0x10 -> Bank swap disabled, 0x20-> Bank swizzle mode disabled, 0x3F -> Everything set) |
dev/qaf/utkn NVS Area[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 4 | 0x400 | 0x210 | token? |
0 | 4 | 0x150 | 0x290 | qafutkn_ioctl? |
0 | 4 | 0x900 | 0x100 | Activation ACF RSA-2048 signature <- checked by sceSblDevActVerifyCheckExpire |
Registry Manager NVS area 1[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 4 | 0x100E | 0x1 | Unknown (Not Regions) |
0 | 4 | 0x1040 | 0x1 | Circle Button Behaviour (0x01 for Circle as Go Back, 0x00 for Circle as Accept) |
Registry Manager NVS area 2[edit | edit source]
Undocumented.
Registry Manager Entitlement Key NVS area[edit | edit source]
Bank Index | Block Index | Offset in /dev/iccnvs<block> | Size | Notes |
---|---|---|---|---|
0 | 4 | 0x1600 | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 enabled, 0x00 or 0xFF disabled) |
0 | 4 | 0x1601 | 0X1 | SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled, 0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled) |
0 | 4 | 0x1602 | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 enabled, 0x00 or 0xFF disabled) |
0 | 4 | 0x1603 | 0x1 | SCE_REGMGR_ENT_KEY_REGISTRY_recover (ex: 0 on a DUH-D1000AA, DUH-D1000JA, DUH-T1000AA, DUH-T2000JA, 1 on a CUH-10xx, DUH-T1200AA) |
0 | 4 | 0x1604 | 0x4 | SCE_REGMGR_ENT_KEY_SYSTEM_soft_version. This is the minimal System Software Version that should match SMI. (00 00 50 01 on a DUH-T1000AA, 00 00 51 01 on a DUH-D1000AA, 00 00 61 01 on a DUH-D1000AA, 00 00 62 01 on a DUH-D1000JA and CUH-10xx, FFed on some DUH-D1000AA and later models) |
0 | 4 | 0x1608 | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T1200AA, 0xFF on a DUH-T1000AA, DUH-T2000JA) |
0 | 4 | 0x1609 | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode |
0 | 4 | 0x160A | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0xFF) |
0 | 4 | 0x160B | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0xFF) |
0 | 4 | 0x160C | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T2000JA, 0xFF on a DUH-T1000AA, DUH-T1200AA, DUH-D1000AA, DUH-D1000JA, CUH-10xx) |
0 | 4 | 0x160D | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T2000JA, 0xFF on a DUH-T1000AA, DUH-T1200AA, DUH-D1000AA, DUH-D1000JA, CUH-10xx) |
0 | 4 | 0x160E | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T2000JA, 0xFF on a DUH-T1000AA, DUH-T1200AA, DUH-D1000AA, DUH-D1000JA, CUH-10xx) |
0 | 4 | 0x160F | 0x1 | SCE_REGMGR_ENT_KEY_SYSTEM_unk (ex: 0 on a DUH-T2000JA, 0xFF on a DUH-T1000AA, DUH-T1200AA, DUH-D1000AA, DUH-D1000JA, CUH-10xx) |