Non Volatile Storage: Difference between revisions

From PS4 Developer wiki
Jump to navigation Jump to search
(Reorder like PS5 wiki, add information, remove absolute offset wrong in new boards)
No edit summary
Line 2: Line 2:


On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. On PS Vita and PS4, there is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. PS4 SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.
On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. On PS Vita and PS4, there is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. PS4 SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.
See also [https://www.psdevwiki.com/ps5/Non_Volatile_Storage PS5 Non Volatile Storage].


= Syscon NVS =
= Syscon NVS =

Revision as of 02:03, 30 December 2024

On PS4, a Non Volatile Storages (NVS) is, like on PS3 and PS Vita, a storage that has two properties: it remains accessible after electricity shortage (unlike RAM) and it is non-removeable (unlike HDD). NVS is mostly used for storing tokens and flags.

On PS4, there are 2 Non Volatile Storages, one in the Serial Flash and one in the Syscon EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. On PS Vita and PS4, there is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. PS4 SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.

See also PS5 Non Volatile Storage.

Syscon NVS

See Syscon.

https://fail0verflow.com/blog/2018/ps4-syscon/

Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.

Syscon NVS contains the Secure NVS which is encrypted.

Serial Flash NVS

PS4 Serial Flash NVS is usually stored at offset 0x1C4000 but it is not hardcoded in OS and depends on the Serial Flash MBR. The size of the whole Serial Flash NVS is 0xC000 bytes.

PS4 Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open /dev/sflash0s0x34.

Serial Flash NVS Banks

A total of 7 NVS blocks are separated into 2 banks: main bank and backup bank. The kernel makes use only of the bank 0 block 4 and the bank 1 block 1, even though it is allowed to read/write the other 5 banks. Indeed, /dev/sflash0s0x34 access is provided to System applications and to Kernel. EMC is also certainly able to access Serial Flash NVS through ICC.

Bank Index Block Index Offset in /dev/sflash0s0x34 Size Notes
0 0 0 0x3000 emc region
0 1 0x3000 0x1000 pd region
0 2 0x4000 0x800 ds region
0 3 0x4800 0x800 cs region
0 4 0x5000 0x3000 os region
1 0 0x8000 0x3000 backup region (backup of part of os and emc regions)
1 1 0xB000 0x1000 unknown region

Detailed Serial Flash NVS Structure

Mapping of the detailed area (NVS service) 0/0 - EMCAREA

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 0 0 0x8 Platform ID (e.g 04 01 01 01 01 01 04 01)
0 0 0x21 0x6 Ethernet MAC Address #1 (e.g BC 60 A7 28 83 66)
0 0 0x27 0x6 Ethernet MAC Address #2 (e.g BC 60 A7 28 83 67)
0 0 0x4E 0x2 Unknown (e.g 25 16)
0 0 0x50 0x5 Unknown (e.g 12 FF 00 00 00)
0 0 0x60 0x5 Unknown (e.g 04 02 01 01 02)
0 0 0x73 0x1 Unknown (e.g 01)
0 0 0x76 0x1 Unknown (e.g 01)
0 0 0x7A 0x6 Unknown (e.g 00 00 00 00 00 38)
0 0 0x80 0x1 Unknown (e.g. 00)
0 0 0x82 0x3 Unknown (e.g. 01 01 01)
0 0 0x91 0x2 Unknown (e.g 00 00)
0 0 0x96 0x3 Unknown
0 0 0x9A 0x2 Unknown (e.g 02 02)
0 0 0x9E 0x2 Unknown (e.g 00 00)
0 0 0xA0 0x3 Unknown (e.g 01 01 01)
0 0 0xAC 0x4 Unknown
0 0 0xC5 0x3 Unknown (e.g AA AA AA)
0 0 0x204 0x1 Unknown (e.g 00)
0 0 0x20B 0x1 Unknown (e.g 00)
0 0 0x210 0x2 Unknown (e.g 49 42)
0 0 0x7FE 0x2 Unknown (e.g AF 31)
0 0 0x801 0x1 Unknown
0 0 0x810 0x12 Unknown
0 0 0x84C 0x2 Unknown
0 0 0x854 0x2 Unknown
0 0 0x870 0xC Unknown
0 0 0x8A0 0x1C Unknown
0 0 0xFFE 0x2 Unknown
0 0 0x1000 0x4 soc wakeup source (Only one possible value 00 07 FF 07)
0 0 0x1004 0x4 eap wakeup source (Only one possible value 00 07 FF 07)
0 0 0x1008 0x4 soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)
0 0 0x100C 0x4 eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)
0 0 0x1030 0x4 NumberOfBootShutdown
0 0 0x1034 0x4 NumberOfBootShutdown as well
0 0 0x1038 0x8 dbi_time
0 0 0x1040 0x4 NumberOfBootShutdown as well
0 0 0x1044 0x4 NumberOfBootShutdown as well
0 0 0x1048 0x8 dbi_time as well
0 0 0x1050 0x4 NumberOfBootShutdown as well
0 0 0x1054 0x4 NumberOfBootShutdown as well
0 0 0x1058 0x8 dbi_time as well
0 0 0x1220 0x18 Unknown
0 0 0x1240 0x18 Unknown
0 0 0x1260 0x18 Unknown
0 0 0x1280 0x18 Unknown
0 0 0x12A0 0x18 Unknown
0 0 0x12C0 0x18 Unknown
0 0 0x12E0 0x18 Unknown
0 0 0x1300 0x18 Unknown
0 0 0x1320 0x18 Unknown
0 0 0x1340 0x18 Unknown
0 0 0x1360 0x18 Unknown
0 0 0x1380 0x18 Unknown
0 0 0x13A0 0x18 Unknown
0 0 0x13C0 0x18 Unknown
0 0 0x13E0 0x18 Unknown
0 0 0x1400 0x18 Unknown
0 0 0x1420 0x18 Unknown
0 0 0x1440 0x18 Unknown
0 0 0x1460 0x18 Unknown
0 0 0x1480 0x18 Unknown
0 0 0x14A0 0x18 Unknown
0 0 0x14C0 0x18 Unknown
0 0 0x14E0 0x18 Unknown
0 0 0x1500 0x18 Unknown
0 0 0x1520 0x18 Unknown
0 0 0x1540 0x18 Unknown
0 0 0x1560 0x18 Unknown
0 0 0x1580 0x18 Unknown
0 0 0x15A0 0x18 Unknown
0 0 0x15C0 0x18 Unknown
0 0 0x2000 0x8 Unknown

Mapping of the detailed area (NVS service) 0/1 - PDAREA

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 1 0x0 0x40 Unknown
0 1 0x18 0x1 Wlan5GHzInfo (0x00 Unsupported, 0x0C Supported, some reach 0x8C Supported, max reach (wifi ac?) )
0 1 0x40 0x10 trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)
0 1 0xA0 0x2 VrmOcp
0 1 0xB0 0x1 Unkown
0 1 0xB1 0x1 rtc info.corrMode
0 1 0xB2 0x1 rtc info.corrValue
0 1 0xB3 0x1 rtc info.corrValueExt
0 1 0xC0 0x1 Unknown

Mapping of the detailed area (NVS service) 0/2 - DSAREA

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 2 0x0 0xE KibanID (e.g 33001D00836391)
0 2 0x10 0x10 SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)
0 2 0x20 0x10 ViopData
0 2 0x30 0x11 hw_info (e.g 00TS4DB00K2180050). Used in System Software 5.05. Unique identifier of console.
0 2 0x41 0x1F hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name. Used in recent System Software. Unique identifier of console.
0 2 0x60 0x38 Unknown
0 2 0x98 0x8 Unknown (e.g A8 32 2A 40 67 9E 01 30)
0 2 0xA0 0x8 Unknown (e.g 07 4C 11 63 6E B6 72 03)
0 2 0xA8 0x4 Unknown (e.g 07 8F 31 51)
0 2 0xAF 0x1 Unknown (e.g 0xC2)
0 2 0xB0 0x8 Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)
0 2 0xC0 0xD (e.g 0000027452252) Product Code (first 5 digits are Product Code Branch Number)
0 2 0x100 0x20 (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)
0 2 0x7D0 0x20 Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)
0 2 0x7F0 0x2 (e.g 01 FF) -> Disc Boot Time ?why are there two entries with different values?
0 2 0x7FE 0x2 (e.g FF FF) -> Disc Boot Time ?why are there two entries with different values?

Mapping of the detailed area (NVS service) 0/3 - CSAREA

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 3 0x0 0x7B0 Unknown area
0 3 0x7B0 0x1 CS Config Mode
0 3 0x7B1 0x4F Unknown area

Mapping of the detailed area (NVS service) 0/4 - OSAREA

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 4 0x0 0x20 DIP Switches. Set on Dev/Test Kits and some internal units only.
0 4 0x20 0x1 init_safe_mode flag (e.g 0xF1). Used in init_safe_mode.
0 4 0x21 0x1 init_update flag. Used in sysctl_machdep_cavern_dvt1_init_update.
0 4 0x30 0x1 trsw_probe (0x01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe
0 4 0x38 0x1 gigabit ethernet (gbe) related
0 4 0x50 0x1 is_extra_clock_available_rtc_status
0 4 0x60 0x4 SMI SDK version (e.g 00 00 50 02 (2.50)). This is the minimal version of the System Software supported by this hardware.
0 4 0x64 0x1 Unknown
0 4 0x65 0x1 CsBackupMode
0 4 0x67 0x1 Unkown
0 4 0x68 0x4 Current SDK version 2 (e.g 00 00 05 05 (5.05))
0 4 0x70 0x4 manu_mode related (SDK version?)
0 4 0x74 0x4 Unknown (e.g. 84 72 4E 57)
0 4 0x7C 0x4 manu_mode related (SDK version?)
0 4 0x80 varies (0x68-0x6C) Activation ACF token <- checked by sceSblDevActVerifyCheckExpire
0 4 0x100 0xF0 sce_cam_error_put
0 4 0x200 varies (0x40-0x60) obfuscated eap hdd key <- checked by g_crypt_deferred_init, also checked by read_idstorage
0 4 0x300 0x30 SAM/Liverpool Flags NVS Area
0 4 0x3B0 1 Unknown
0 4 0x400 0x800 dev/qaf/utkn NVS Area
0 4 0xA00 0x190 token?
0 4 0xC00 0x3C HDD Information (byte swapped ASCII) (e.g "GHTSH ST4501019A6E08 613081DJ0124FZD129SN" for an HGST HDD)
0 4 0xC3C 0x04 Unknown (e.g 05 C6 0A 00)
0 4 0xC40 0x130 PUP Expiration Status (used in setPupExpirationStatus)
0 4 0x1000 0x300 #Registry Manager NVS area 1
0 4 0x1300 0x300 #Registry Manager NVS area 2
0 4 0x1600 0x20 #Registry Manager Entitlement Key NVS area
0 4 0x2C00 0x20 manufacturing mode (all zeroes for enabled, all 0xFFs for disabled)
0 4 0x2C40 0x20 Unknown
0 4 0x2CC0 0x20 srtc_modevent

Mapping of the detailed area (NVS service) 1/0 - BACKUPAREA

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
1 0 0x0 0x2000 Equivalent (active/inactive bank) of NVS area 0x5000-0x6FFF (part of OSAREA). First 0x1000 bytes are usually a 1:1 copy but the rest depends on Registry Settings.
1 0 0x2000 0x1000 Equivalent (active/inactive bank) of NVS area 0x1000-0x1FFF (part of EMCAREA).

Mapping of the detailed area (NVS service) 1/0 - Unknown Area

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
1 1 0x0 0x1 Unknown. 0xFF disabled, 0x00 enabled
1 1 0x1 0xFFE Unknown. 0xFFed by default.

SAM/Liverpool Flags

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 4 0x301 1 unknown (01 = enabled) (only available for prototype)
0 4 0x310 1 sam_memtest (01 = enabled)
0 4 0x311 1 unknown (01 = enabled) (only available for prototype)
0 4 0x312 1 sam_rngtest (01 = enabled)
0 4 0x31F 1 extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled
0 4 0x320 1 lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets user pick ranges from 400 to 2250MHz)
0 4 0x322 1 lvp_configure_tccds
0 4 0x323 1 sam_boot_flags (anything other than 0xFF for enabled)
0 4 0x329 1 related to lvp_config (likely gddr5DebugFlag, 1->Read DBI disabled, 2->Write DBI disabled, 4->ABI disabled, 8->Force auto precharge enabled, 0x10 -> Bank swap disabled, 0x20-> Bank swizzle mode disabled, 0x3F -> Everything set)

dev/qaf/utkn NVS Area

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 4 0x400 0x210 token?
0 4 0x150 0x290 qafutkn_ioctl?
0 4 0x900 0x100 Activation ACF RSA signature

Registry Manager NVS area 1

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 4 0x100E 0x1 Unknown (Not Regions)
0 4 0x1040 0x1 Circle Button Behaviour (0x01 for Circle as Go Back, 0x00 for Circle as Accept)

Registry Manager NVS area 2

Undocumented.

Registry Manager Entitlement Key NVS area

Bank Index Block Index Offset in /dev/iccnvs<block> Size Notes
0 4 0x1600 0x1 SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 enabled, 0x00 or 0xFF disabled)
0 4 0x1601 0X1 SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)
0 4 0x1602 0x1 SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled, 0x00 Disabled) (TestKit only)
0 4 0x1603 0x1 SCE_REGMGR_ENT_KEY_REGISTRY_recover
0 4 0x1604 0x4 SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (DevKit only?)
0 4 0x1609 0x1 SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode