Talk:Baryon: Difference between revisions
Jump to navigation
Jump to search
(→Table) |
|||
(10 intermediate revisions by 3 users not shown) | |||
Line 8: | Line 8: | ||
* https://www.sendspace.com/file/7gue6e (Pages 100, 104, 105) | * https://www.sendspace.com/file/7gue6e (Pages 100, 104, 105) | ||
* https://github.com/janvdherrewegen/bootl-attacks | |||
= Table = | = Table = | ||
Line 21: | Line 22: | ||
| <abbr title="TA-085, TA-088">07/2007</abbr> Frodo || - || B40''x'' || - || - || - || NEC D79F???? / D78F0544 (78K0/KF2, 84 pin) | | <abbr title="TA-085, TA-088">07/2007</abbr> Frodo || - || B40''x'' || - || - || - || NEC D79F???? / D78F0544 (78K0/KF2, 84 pin) | ||
|- | |- | ||
| <abbr title="TA-090, TA-092">07/2008</abbr> || - || 3A''xx'' || - || - || - || NEC D79F???? / D78F0534 (78K0/KE2, 64 pin) | | <abbr title="TA-090, TA-092">07/2008</abbr> Samwise || - || 3A''xx'' || - || - || - || NEC D79F???? / D78F0534 (78K0/KE2, 64 pin) | ||
|- | |- | ||
| <abbr title="TA-093, TA-095, TA-096, TA-097">03/2009</abbr> || - || 3B''xx'' || - || - || - || NEC D79F???? / D78F0534 (78K0/KE2, 64 pin) | | <abbr title="TA-093, TA-095, TA-096, TA-097">03/2009</abbr> Samwise VA2 || - || 3B''xx'' || - || - || - || NEC D79F???? / D78F0534 (78K0/KE2, 64 pin) | ||
|- | |- | ||
| <abbr title="TA-091, TA-094">05/2009</abbr> || - || 40''xx'' || - || - || - || NEC D79F???? / D78F0544 (78K0/KF2, 84 pin) | | <abbr title="TA-091, TA-094">05/2009</abbr> Strider || - || 40''xx'' || - || - || - || NEC D79F???? / D78F0544 (78K0/KF2, 84 pin) | ||
|- | |- | ||
|} | |} | ||
Line 33: | Line 34: | ||
* Codename BAR/B30/3A/3B is associated with 64 pin COTS BGA | * Codename BAR/B30/3A/3B is associated with 64 pin COTS BGA | ||
* Likewise, B40/40 is associated with 84 pin Custom BGA | * Likewise, B40/40 is associated with 84 pin Custom BGA | ||
== Bootrom List of Commands == | |||
<pre> | |||
External (0x8522-0x854B): | |||
00 0x80F3 Reset | |||
20 0x93FF Chip Erase | |||
22 0x942F Block Erase | |||
13 0x9379 Verify | |||
32 0x9609 Block Blank Check | |||
40 0x969F Programming | |||
90 0x9994 Oscillating Frequency Set | |||
9E 0x99ED Set Config For Delays | |||
C0 0x9B08 Silicon Signature | |||
C5 0x9B71 Version Get | |||
70 0x9A5B Status | |||
B0 0x9A79 Checksum | |||
A0 0x9C04 Security Set | |||
A4 0x9B97 EA Read (Reads Only first 0x400 bytes) | |||
Internal (0x9FC9 - 0x9FE6): | |||
17 0x8218 EEPROMWrite | |||
0F 0x84B3 EA Read (Reads Everything) | |||
0E 0x84A8 CheckFLMD | |||
0A 0x8475 FlashSetInfo | |||
09 0x8399 FlashGetInfo | |||
08 0x835D FlashBlockBlankCheck | |||
06 0x8321 FlashBlockVerify | |||
04 0x8252 FlashWordWrite | |||
03 0x81DD FlashBlockErase | |||
00 0x81BD FlashEnv | |||
</pre> | |||
== Disasm of EA Read == | |||
<pre> | |||
Disassembling switch table from 0x0A1F: case 0xA4 at 0x1B97 | |||
Disassembling Function 0x1B97 | |||
> 0x1B97 - [0x713AC5] - set1 0xFFC5.3 | |||
< 0x1B9A - [0x9A930F] - call !0x0F93 (prepare_byte_STATUS_BUSY_for_response_packet_02) | |||
0x1B9D - [0x1611FD] - movw HL, #0xFD11 | |||
0x1BA0 - [0xAE00] - mov A, [HL+0x00] | |||
0x1BA2 - [0x4D00] - cmp A, #0x00 | |||
v 0x1BA4 - [0xBD06] - bnz $0x1BAC | |||
0x1BA6 - [0xAE01] - mov A, [HL+0x01] | |||
0x1BA8 - [0x4D00] - cmp A, #0x00 | |||
v 0x1BAA - [0xAD08] - bz $0x1BB4 | |||
<> 0x1BAC - [0x9AA70F] - call !0x0FA7 (prepare_byte_STATUS_PARAM_ERROR_for_response_packet_02) | |||
< 0x1BAF - [0x9A260F] - call !0x0F26 (receive_packet_01_70_and_send_response_packets_02_and_03) | |||
v 0x1BB2 - [0xFA4C] - br $0x1C00 | |||
<> 0x1BB4 - [0x9A6D0F] - call !0x0F6D (check_status_success_for_response_packet_02) | |||
< 0x1BB7 - [0x9A260F] - call !0x0F26 (receive_packet_01_70_and_send_response_packets_02_and_03) | |||
0x1BBA - [0x710BC7] - clr1 0xFFC7.0 | |||
< 0x1BBD - [0x9AF706] - call !0x06F7 (set_FFCA_to_01) | |||
0x1BC0 - [0x112000] - mov 0xFE20, #0x00 ; <= Starting at address 0x000000 | |||
0x1BC3 - [0x112100] - mov 0xFE21, #0x00 | |||
0x1BC6 - [0x112200] - mov 0xFE22, #0x00 | |||
< 0x1BC9 - [0x9A6906] - call !0x0669 (small_delay) | |||
< 0x1BCC - [0x9AFE05] - call !0x05FE (set_secure_flash_operation_read_with_delay_variable) | |||
0x1BCF - [0xA304] - mov B, #0x04 ; <= Looping for 4 times 256 bytes | |||
> 0x1BD1 - [0xA240] - mov C, #0x40 ; <= Looping for 64 times 4 bytes | |||
0x1BD3 - [0x1410FD] - movw DE, #0xFD10 | |||
<> 0x1BD6 - [0x9A2712] - call !0x1227 (read32_secure_flash_to_DE) ; <= Reading 4 bytes | |||
< 0x1BD9 - [0x9AB811] - call !0x11B8 (increase_address_range) | |||
^ 0x1BDC - [0x8AF8] - dbnz C, $0x1BD6 ; <= End of loop on C | |||
0x1BDE - [0x63] - mov A, B | |||
0x1BDF - [0x4D01] - cmp A, #0x01 | |||
v 0x1BE1 - [0xAD0C] - bz $0x1BEF | |||
0x1BE3 - [0xB3] - push BC | |||
0x1BE4 - [0x1410FD] - movw DE, #0xFD10 | |||
0x1BE7 - [0xA200] - mov C, #0x00 ; <= Packet data size (0x00 means 256 bytes) | |||
< 0x1BE9 - [0x9AA40E] - call !0x0EA4 (send_response_packet_02_and_17) ; <= Sending back packet of 256 bytes data | |||
0x1BEC - [0xB2] - pop BC | |||
^ 0x1BED - [0x8BE2] - dbnz B, $0x1BD1 ; <= End of loop on B | |||
> 0x1BEF - [0xA200] - mov C, #0x00 | |||
0x1BF1 - [0x1410FD] - movw DE, #0xFD10 | |||
< 0x1BF4 - [0x9AAD0E] - call !0x0EAD (send_response_packet_02_and_03) | |||
0x1BF7 - [0x711BC5] - clr1 0xFFC5.1 | |||
< 0x1BFA - [0x9AF305] - call !0x05F3 (set_secure_flash_operation_read_with_delay_3) | |||
< 0x1BFD - [0x9A1907] - call !0x0719 (set_FFCA_to_00) | |||
> 0x1C00 - [0x713BC5] - clr1 0xFFC5.3 | |||
0x1C03 - [0xAF] - ret | |||
</pre> |
Latest revision as of 17:40, 30 September 2022
Manuals[edit source]
- https://www.sendspace.com/filegroup/l%2Fg5mQJapWFij2H9ON2v3g
- https://www.sendspace.com/file/vssra7 (Page 17)
- https://www.sendspace.com/file/2euka5 (Page 49)
Attack Manuals[edit source]
- https://www.sendspace.com/file/7gue6e (Pages 100, 104, 105)
- https://github.com/janvdherrewegen/bootl-attacks
Table[edit source]
Production Start Date (<=) | PS2 Mechacon | PSP Syscon | PS3 Syscon | PSVita Syscon | PS4 Syscon | Used IC/CPU Core |
---|---|---|---|---|---|---|
08/2004 First | - | BARxx | - | - | - | NEC D790019 / D780032AY (78K0/78003xA, 64 pin) |
07/2005 Legolas1/Legolas2 | - | B30x | - | - | - | NEC D79F0036 / D78F0531 (78K0/KE2, 64 pin) |
07/2007 Frodo | - | B40x | - | - | - | NEC D79F???? / D78F0544 (78K0/KF2, 84 pin) |
07/2008 Samwise | - | 3Axx | - | - | - | NEC D79F???? / D78F0534 (78K0/KE2, 64 pin) |
03/2009 Samwise VA2 | - | 3Bxx | - | - | - | NEC D79F???? / D78F0534 (78K0/KE2, 64 pin) |
05/2009 Strider | - | 40xx | - | - | - | NEC D79F???? / D78F0544 (78K0/KF2, 84 pin) |
Notes[edit source]
- Codename BAR/B30/3A/3B is associated with 64 pin COTS BGA
- Likewise, B40/40 is associated with 84 pin Custom BGA
Bootrom List of Commands[edit source]
External (0x8522-0x854B): 00 0x80F3 Reset 20 0x93FF Chip Erase 22 0x942F Block Erase 13 0x9379 Verify 32 0x9609 Block Blank Check 40 0x969F Programming 90 0x9994 Oscillating Frequency Set 9E 0x99ED Set Config For Delays C0 0x9B08 Silicon Signature C5 0x9B71 Version Get 70 0x9A5B Status B0 0x9A79 Checksum A0 0x9C04 Security Set A4 0x9B97 EA Read (Reads Only first 0x400 bytes) Internal (0x9FC9 - 0x9FE6): 17 0x8218 EEPROMWrite 0F 0x84B3 EA Read (Reads Everything) 0E 0x84A8 CheckFLMD 0A 0x8475 FlashSetInfo 09 0x8399 FlashGetInfo 08 0x835D FlashBlockBlankCheck 06 0x8321 FlashBlockVerify 04 0x8252 FlashWordWrite 03 0x81DD FlashBlockErase 00 0x81BD FlashEnv
Disasm of EA Read[edit source]
Disassembling switch table from 0x0A1F: case 0xA4 at 0x1B97 Disassembling Function 0x1B97 > 0x1B97 - [0x713AC5] - set1 0xFFC5.3 < 0x1B9A - [0x9A930F] - call !0x0F93 (prepare_byte_STATUS_BUSY_for_response_packet_02) 0x1B9D - [0x1611FD] - movw HL, #0xFD11 0x1BA0 - [0xAE00] - mov A, [HL+0x00] 0x1BA2 - [0x4D00] - cmp A, #0x00 v 0x1BA4 - [0xBD06] - bnz $0x1BAC 0x1BA6 - [0xAE01] - mov A, [HL+0x01] 0x1BA8 - [0x4D00] - cmp A, #0x00 v 0x1BAA - [0xAD08] - bz $0x1BB4 <> 0x1BAC - [0x9AA70F] - call !0x0FA7 (prepare_byte_STATUS_PARAM_ERROR_for_response_packet_02) < 0x1BAF - [0x9A260F] - call !0x0F26 (receive_packet_01_70_and_send_response_packets_02_and_03) v 0x1BB2 - [0xFA4C] - br $0x1C00 <> 0x1BB4 - [0x9A6D0F] - call !0x0F6D (check_status_success_for_response_packet_02) < 0x1BB7 - [0x9A260F] - call !0x0F26 (receive_packet_01_70_and_send_response_packets_02_and_03) 0x1BBA - [0x710BC7] - clr1 0xFFC7.0 < 0x1BBD - [0x9AF706] - call !0x06F7 (set_FFCA_to_01) 0x1BC0 - [0x112000] - mov 0xFE20, #0x00 ; <= Starting at address 0x000000 0x1BC3 - [0x112100] - mov 0xFE21, #0x00 0x1BC6 - [0x112200] - mov 0xFE22, #0x00 < 0x1BC9 - [0x9A6906] - call !0x0669 (small_delay) < 0x1BCC - [0x9AFE05] - call !0x05FE (set_secure_flash_operation_read_with_delay_variable) 0x1BCF - [0xA304] - mov B, #0x04 ; <= Looping for 4 times 256 bytes > 0x1BD1 - [0xA240] - mov C, #0x40 ; <= Looping for 64 times 4 bytes 0x1BD3 - [0x1410FD] - movw DE, #0xFD10 <> 0x1BD6 - [0x9A2712] - call !0x1227 (read32_secure_flash_to_DE) ; <= Reading 4 bytes < 0x1BD9 - [0x9AB811] - call !0x11B8 (increase_address_range) ^ 0x1BDC - [0x8AF8] - dbnz C, $0x1BD6 ; <= End of loop on C 0x1BDE - [0x63] - mov A, B 0x1BDF - [0x4D01] - cmp A, #0x01 v 0x1BE1 - [0xAD0C] - bz $0x1BEF 0x1BE3 - [0xB3] - push BC 0x1BE4 - [0x1410FD] - movw DE, #0xFD10 0x1BE7 - [0xA200] - mov C, #0x00 ; <= Packet data size (0x00 means 256 bytes) < 0x1BE9 - [0x9AA40E] - call !0x0EA4 (send_response_packet_02_and_17) ; <= Sending back packet of 256 bytes data 0x1BEC - [0xB2] - pop BC ^ 0x1BED - [0x8BE2] - dbnz B, $0x1BD1 ; <= End of loop on B > 0x1BEF - [0xA200] - mov C, #0x00 0x1BF1 - [0x1410FD] - movw DE, #0xFD10 < 0x1BF4 - [0x9AAD0E] - call !0x0EAD (send_response_packet_02_and_03) 0x1BF7 - [0x711BC5] - clr1 0xFFC5.1 < 0x1BFA - [0x9AF305] - call !0x05F3 (set_secure_flash_operation_read_with_delay_3) < 0x1BFD - [0x9A1907] - call !0x0719 (set_FFCA_to_00) > 0x1C00 - [0x713BC5] - clr1 0xFFC5.3 0x1C03 - [0xAF] - ret