Non Volatile Storage
Jump to navigation
Jump to search
Short for NVS, holds some information about the console, including console unique identifiers, tokens, flags, and registry flags, as well as some semi-permanent ones.
See also PS4 Non Volatile Storage.
Structure[edit | edit source]
| Bank # | Block # | Start Offset in /dev/sflash0s0x34 | Start Offset in Sflash | Size | Notes |
|---|---|---|---|---|---|
| 0 | 0 | 0x0000 | 0x1C4000 | 0x3000 | EMC region almost like on PS4 |
| 0 | 1 | 0x3000 | 0x1C7000 | 0x0200 | Unknown region |
| 0 | 2 | 0x3200 | 0x1C7200 | 0x0200 | pdcs region |
| 0 | 3 | 0x3400 | 0x1C7400 | 0x0C00 | Unknown region |
| 0 | 4 | 0x4000 | 0x1C8000 | 0x3000 | os region |
| 1 | 0 | 0x7000 | 0x1CB000 | 0x3000 | backup of os region |
| 1 | 1 | 0xA000 | 0x1CE000 | 0x2000 | Partial backup of EMC Region (+0x1000) |
Mapping of the detailed area (NVS service) 0/0 - EMCAREA[edit | edit source]
| Bank # | Block # | Start Offset | Start Offset in Sflash | Size | Notes |
|---|---|---|---|---|---|
| 0 | 0 | 0x0 | 0x1C4000 | 0x8 | Platform ID (e.g 30 02 01 01 04 01 05 01) |
| 0 | 0 | 0x8 | 0x1C4008 | 0x18 | Unknown. To be compared with PS4. |
| 0 | 0 | 0x20 | 0x1C4020 | 0x6 | Ethernet MAC Address #1 |
| 0 | 0 | 0x26 | 0x1C4026 | 0x6 | Ethernet MAC Address #2. If there is a second ethernet port (e.g. on DevKit), it is (Ethernet MAC Address #1) + 1, else FFed. |
| 0 | 0 | 0x2C | 0x1C402C | 0xFD4 | Unknown. To be compared with PS4 EMCAREA. |
| 0 | 0 | 0x1000 | 0x1C5000 | 0x100 | Unknown. Probably EMC related. |
| 0 | 0 | 0x1100 | 0x1C5100 | 0xB70 | EMC Error logs |
| 0 | 0 | 0x1C70 | 0x1C5C70 | 0x390 | Unknown. FFed. Maybe reserved. |
| 0 | 0 | 0x2000 | 0x1C6000 | 0x10 | Maybe a digest. |
| 0 | 0 | 0x2010 | 0x1C6010 | 0xFF0 | Unknown. FFed. Maybe reserved. |
Mapping of the detailed area (NVS service) 0/1 - Unknown area[edit | edit source]
| Bank # | Block # | Start Offset | Start Offset in Sflash | Size | Notes |
|---|---|---|---|---|---|
| 0 | 1 | 0x0 | 0x1C7000 | 0x200 | Unknown |
Mapping of the detailed area (NVS service) 0/2 - PDCSAREA[edit | edit source]
| Bank # | Block # | Start Offset | Start Offset in Sflash | Size | Notes |
|---|---|---|---|---|---|
| 0 | 2 | 0x0 | 0x1C7200 | 0x10 | Kiban ID (e.g 40002B02184672A0) |
| 0 | 2 | 0x10 | 0x1C7210 | 0x11 | hw_info (padded with 0xF FFs) (e.g. AI81376321) aka Product Serial |
| 0 | 2 | 0x30 | 0x1C7230 | 0x20 | hw_model (e.g CFI-1014A 01X) aka Product Name |
| 0 | 2 | 0x50 | 0x1C7250 | 0x13 | Model Code (e.g 0000027418886) aka Product Code (first 5 zeroes are Product Code Branch Number) |
| 0 | 2 | 0x60 | 0x1C7260 | 0x10 | "SocCuid" (e.g 36 62 27 2D 9B 6C D2 B9 F8 CC 23 52 AB 65 8D D3) Soc Unique ID |
| 0 | 2 | 0x70 | 0x1C7270 | 0x12 | Viop Data (Split into Multiples of 2) |
| 0 | 2 | 0x90 | 0x1C7290 | 0x?? | SSD Diag Done State |
| 0 | 2 | 0x1B0 | 0x1C73B0 | 0x8 | CARLO Board ID (DEV Only) / Sub Kiban ID |
| 0 | 2 | 0x1C0 | 0x1C73C0 | 0x6 | WLAN Mac Address |
| 0 | 2 | 0x1C6 | 0x1C73C6 | 0x6 | BD Address 1f. It is (WLAN MAC Address) + 1. |
| 0 | 2 | 0x1CC | 0x1C73CC | 0x6 | BD Address 2. It is (WLAN MAC Address) + 2. |
| 0 | 2 | 0x1E0 | 0x1C73E0 | 0x8 | ImagePackageId (this determines which firmware is going to be installed at factory)
|
| 0 | 2 | 0x1F0 | 0x1C73F0 | 0x10 | Manufacturing Process Flags (01 is enabled, 00 is disabled) (e.g 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00) |
| 0 | 2 | 0x1F1 | 0x1C73F1 | 0x1 | KouteiFlagPI2 |
| 0 | 2 | 0x3FC | 0x1C75FC | 4 | EAP Magic (e.g. E5 E5 E5 01) |
Mapping of the detailed area (NVS service) 0/4 - OSAREA[edit | edit source]
| Bank # | Block # | Start Offset | Start Offset in Sflash | Size | Notes |
|---|---|---|---|---|---|
| 0 | 4 | 0x11 | 0x1C8011 | 1 | Coldboot (0x01 ON, 0xFF OFF) |
| 0 | 4 | 0x12 | 0x1C8012 | 1 | EAP UART (0xEF ON, 0xFF OFF) |
| 0 | 4 | 0x17 | 0x1C8017 | 1 | GpuPacket (0xFE OFF, 0xFF ON) |
| 0 | 4 | 0x20 | 0x1C8020 | 1 | FirstImageWriteMode (0xFF ON, 0x00 OFF) |
| 0 | 4 | 0x22 | 0x1C8022 | 1 | HddKernel (0xFF ON) |
| 0 | 4 | 0x30 | 0x1C8030 | 4 | Controller USB Connection / Wlan BT related |
| 0 | 4 | 0x34 | 0x1C8034 | 1 | Wlan BT related |
| 0 | 4 | 0x66 | 0x1C8066 | 1 | Unknown |
| 0 | 4 | 0x68 | 0x1C8068 | 4 | Current Firmware Version? (little endian, upper half) |
| 0 | 4 | 0xF0 | 0x1C80F0 | 0x10 | PasscodeStatus |
| 0 | 4 | 0x140 | 0x1C8140 | 1 | bapm table |
| 0 | 4 | 0x141 | 0x1C8141 | 2 | bapm table |
| 0 | 4 | 0x143 | 0x1C8143 | 2 | bapm table |
| 0 | 4 | 0x1FC | 0x1C81FC | 4 | EAP Magic (e.g. E5 E5 E5 01) |
| 0 | 4 | 0x300 | 0x1C8300 | 1 | BootMessageMode (0x02 Debug, 0xFF Default) |
| 0 | 4 | 0x301 | 0x1C8301 | 1 | Mp0MemoryTest (0x01 ON, 0xFF OFF) |
| 0 | 4 | 0x304 | 0x1C8304 | 1 | AblDebugPrint (0x01 ON, 0xFF OFF) |
| 0 | 4 | 0x310 | 0x1C8310 | 1 | BiosMemoryTest (0x50 CachedAndUncached, 0xFF Default) |
| 0 | 4 | 0x321 | 0x1C8321 | 1 | UmaSize (0x10 4GiB, 0xFF Default) |
| 0 | 4 | 0x322 | 0x1C8322 | 1 | CpuClock (0x01 ON, 0xFF OFF) |
| 0 | 4 | 0x3C7 | 0x1C83C7 | 1 | GfxClkDfllDeterminism (0xFF Default) |
| 0 | 4 | 0x400 | 0x1C8400 | 0x300 | QA Flag Token (see sample here -> https://pastebin.com/fvA8iKWq) |
| 0 | 4 | 0xC10 | 0x1C8C10 | 8 | Factory Firmware Version? (little endian) |
| 0 | 4 | 0xC18 | 0x1C8C18 | 8 | Factory Firmware Version TimeStamp? (little endian) |
| 0 | 4 | 0xC20 | 0x1C8C20 | 8 | Minimum Firmware Version? (little endian) |
| 0 | 4 | 0xC28 | 0x1C8C28 | 8 | Minimum Firmware Version TimeStamp? (little endian) |
| 0 | 4 | 0xC30 | 0x1C8C30 | 8 | Current Firmware Version? (little endian) |
| 0 | 4 | 0xC38 | 0x1C8C38 | 4 | Maybe RTC related |
| 0 | 4 | 0xC70 | 0x1C8C70 | 0x20 | Unknown (related to otprsrvaccess) |
| 0 | 4 | 0xD72 | 0x1C8D72 | 1 | Unknown |
| 0 | 4 | 0xF80 | 0x1C8F80 | 1 | Manufacturing (0x00 ON, 0xFF OFF) |
| 0 | 4 | 0x1000 | 0x1C9000 | 0x300 | regmgr_readynvs |
| 0 | 4 | 0x1300 | 0x1C9300 | 0x300 | regmgr_readynvs |
| 0 | 4 | 0x1600 | 0x1C9600 | 0x1 | IDU MODE (0x00 OFF, 0x01 ON) |
| 0 | 4 | 0x1620 | 0x1C9620 | 0x300 | regmgr_readynvs |
| 0 | 4 | 0x1920 | 0x1C9920 | 0x300 | regmgr_readynvs. Contains the UpCause 0x00000080 and SeqNo 0x00CEEB6A, which is also present in EMC Error logs. |
| 0 | 4 | 0x1C20 | 0x1C9C20 | 0x20 | regmgr_readynvs_manumode. FFed on consoles not in manufacturing mode. |
| 0 | 4 | 0x1C40 | 0x1C9C40 | 0x13C0 | Unknown. FFed. |
Mapping of the detailed area (NVS service) 1/0 - BACKUPAREA[edit | edit source]
| Bank # | Block # | Start Offset | Start Offset in Sflash | Size | Notes |
|---|---|---|---|---|---|
| 1 | 0 | 0x0 | 0x1CB000 | 0x3000 | Equivalent (active/inactive bank) of NVS area 0x4000-0x6FFF (part of OSAREA). |
Mapping of the detailed area (NVS service) 1/1 - BACKUPAREA2[edit | edit source]
| Bank # | Block # | Start Offset | Start Offset in Sflash | Size | Notes |
|---|---|---|---|---|---|
| 1 | 1 | 0x0 | 0x1CE000 | 0x1000 | Equivalent (active/inactive bank) of NVS area 0x1000-0x1FFF (part of EMCAREA). Differences (non-exhaustive): to be documented. |
| 1 | 1 | 0x1000 | 0x1CF000 | 0x1000 | Unknown. FFed. Maybe reserved. |
Tools[edit | edit source]
- PS5_NOR_Decode by apewalkers: python3 script that extracts and convert EMC Error logs from PS5 main Serial Flash to human-readable text.