Flash

From PS3 Developer wiki
Jump to: navigation, search

Contents

[edit] Overview

[edit] NOR Flash

The following is a list of files stored in NOR Flash

type R. Name Start Offset End Offset Size (h) Size (bytes) Block Notes
gen 1 0FACE0FF DEADBEEF 0x000000 0x00001FF 0x200 (512 bytes) 0h magic header : 0x0000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ­¾ï
gen Flash Format 0x000200 0x00003FF 0x200 (512 bytes) 1h 00000200 49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00 IFI............. (only 0x10 or 16 bytes used)
pc Flashregion Table 0x000400 0x0007FF 0x400 (1,024 bytes) 2h
pc 0 asecure_loader 0x000800 0x02EFFF 0x2E800 (262,144 bytes) 4h contains metldr, extracted data starts from 0x000840, datasize depends on metldr revision
pc 1 eEID 0x02F000 0x03EFFF 0x10000 (65,536 bytes) 178h
pc 0 EID0 0x02F070 0x02F8CF 0x860 (2,144 bytes) (IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID )
pc 1 EID1 0x02F8D0 0x02FB6F 0x2A0 (672 bytes)
pc 2 EID2 0x02FB70 0x03029F 0x730 (1,840 bytes)
pc 3 EID3 0x0302A0 0x03039F 0x100 (256 bytes)
pc 4 EID4 0x0303A0 0x0303CF 0x30 (48 bytes)
pc 5 EID5 0x0303D0 0x030DCF 0xA00 (2,560 bytes)
pc F unreferenced area 0x030DD0 0x03EFFF 0xE22F (57,903 bytes)
pc 2 cISD 0x03F000 0x03F7FF 0x800 (2,048 bytes) 1F8h
pc 0 cISD0 0x03F040 0x03F060 0x20 (32 bytes)
pc 1 cISD1 0x03F060 0x03F260 0x200 (512 bytes) console 2nd part serial @ 0x3F090 size 0x8
pc 2 cISD2 0x03F260 0x03F270 0x10 (16 bytes)
pc F unreferenced area 0x03F270 0x03F7FF 0x58F (1,423 bytes)
pc 3 cCSD 0x03F800 0x03FFFF 0x800 (2,048 bytes) 1FCh
pc 0 cCSD0 0x03F820 0x03F84F 0x30 (48 bytes)
pc F unreferenced area 0x03F850 0x03FFFF 0x7B0 (1,968 bytes)
pf 4 trvk_prg0 0x040000 0x05FFFF 0x20000 (131,072 bytes) 200h
pf 5 trvk_prg1 0x060000 0x07FFFF 0x20000 (131,072 bytes) 300h
pf 6 trvk_pkg0 0x080000 0x09FFFF 0x20000 (131,072 bytes) 400h
pf 7 trvk_pkg1 0x0A0000 0x0BFFFF 0x20000 (131,072 bytes) 500h
pf 8 ros0 0x0C0000 0x7BFFFF 0x700000 (7,340,032 bytes) 600h Contains CoreOS files, filecontent depends on firmware version
pf 9 ros1 0x7C0000 0xEBFFFF 0x700000 (7,340,032 bytes) 3E00h Contains CoreOS files, filecontent depends on firmware version
pc A cvtrm 0xEC0000 0xEFFFFF 0x40000 (262,144 bytes) 7600h
gen 2 0FACE0FF DEADFACE 0xF00000 0xF00FFF 0x1000 (4096 bytes) 7800h magic header : 0xF00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬àÿ....Þ­úÎ
gen CELL_EXTNOR_AREA 0xF20000 0xF3FFFF 0x20000 (131,072 bytes) 7900h (Harddrive information is @ 0xF20200 absolute / 0x200 inside CELL_EXTNOR_AREA)
gen CRL1 0xF40000 0xF5FFFF 0x20000 (131,072 bytes) 7A00h same as F80000
gen DRL1 0xF60000 0xF7FFFF 0x20000 (131,072 bytes) 7B00h same as FA0000 / sometimes also contains OCRL0200
gen CRL2 0xF80000 0xF9FFFF 0x20000 (131,072 bytes) 7C00h same as F40000
gen DRL2 0xFA0000 0xFBFFFF 0x20000 (131,072 bytes) 7D00h same as F60000 / sometimes also contains OCRL0200
pc lv0ldr bootldr 0xFC0000 0xFFFFFF 0x40000 (262,144 bytes) 7E00h End @ FEEAF0, FEEF70, FEF170, FEF570, FEF5F0, FEF600 in some dumps

[edit] NAND Flash

The following is a list of files stored in NAND Flash

type Name Start Offset End Offset Size (h) Size (bytes) Block Notes
pc bootldr 0x0000000 0x003FFFF 0x40000 (262,144 bytes) 0h datasize depends on bootldr revision
gen 0FACE0FF DEADBEEF 0x0040000 0x00401FF 0x200 (512 bytes) 200h magic header : 0x040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF .....¬àÿ....Þ­¾ï
pc Flashregion Table 0x0040200 0x00407FF 0x600 (1,536 bytes) 201h
pc 0 asecure_loader 0x0040800 0x00807FF 0x40000 (262,144 bytes) 204h contains metldr, extracted data starts from 0x040840, datasize depends on metldr revision
pc 1 eEID 0x0080800 0x00907FF 0x10000 (65,536 bytes) 404h
pc 0 EID0 0x0080870 0x00810CF 0x860 (2,144 bytes) (IDPS @ offset 0x00080870 absolute / 0x00000070 inside eEID )
pc 1 EID1 0x00810D0 0x008136F 0x2A0 (672 bytes)
pc 2 EID2 0x0081370 0x0081A9F 0x730 (1,840 bytes)
pc 3 EID3 0x0081AA0 0x0081B9F 0x100 (256 bytes)
pc 4 EID4 0x0081BA0 0x0081BCF 0x30 (48 bytes)
pc 5 EID5 0x0081BD0 0x00825CF 0xA00 (2,560 bytes)
pc F unreferenced area 0x00825D0 0x00907FF 0xE22F (57,903 bytes)
pc 2 cISD 0x0090800 0x0090FFF 0x800 (2,048 bytes) 484h
pc 0 cISD0 0x0090840 0x009085F 0x20 (32 bytes)
pc 1 cISD1 0x0090860 0x0090A5F 0x200 (512 bytes) console 2nd part serial @ 0x90890 size 0x8
pc 2 cISD2 0x0090A60 0x0090A6F 0x10 (16 bytes)
pc F unreferenced area 0x0090A70 0x0090FFF 0x58F (1,423 bytes)
pc 3 cCSD 0x0091000 0x00917FF 0x800 (2,048 bytes) 488h
pc 0 cCSD0 0x0091020 0x009104F 0x30 (48 bytes)
pc F unreferenced area 0x0091050 0x00917FF 0x7B0 (1,968 bytes)
pf 4 trvk_prg 0x0091800 0x00937FF 0x2000 (8,192 bytes) 48Ch extracted size is 0x2000 for trvk_prg0 + trvk_prg1 combined as trvk_prg (8,192 bytes)
pf 5 trvk_pkg 0x0093800 0x00957FF 0x2000 (8,192 bytes) 49Ch extracted size is 0x2000 for trvk_pkg0 + trvk_pkg1 combined as trvk_pkg (8,192 bytes)
gen 6 creserved_0 0x0095800 0x00BFFFF 0x2A800 (174,080 bytes) 4ACh
pf 7 ROS 0x00C0000 0x0EBFFFF 0xE00000 (14,680,064 bytes) 600h
pf 0 ros0 0x00C0020 0x07BFFFF 0x700000 (7,340,032 bytes) Contains CoreOS files, filecontent depends on firmware version
pf 1 ros1 0x07C0010 0x0EBFFFF 0x700000 (7,340,032 bytes) Contains CoreOS files, filecontent depends on firmware version
pc 8 cvtrm 0x0EC0000 0x0EFFFFF 0x40000 (262,144 bytes)
pc M SCEIVTRM 0x0EC0000 0x0EC000F 0x10 (16 bytes) magic header : 0x0D80000 53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8 SCEIVTRM.......¨
pc 0 VTRM0 ~varies ~varies ~varies ~varies magic header : 0x0D80020 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........
pc 1 VTRM1 ~varies ~varies ~varies ~varies magic header : 0x0D80400 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........
pc VFlash area 0x0F00000 0xEFFFFFF 0xE100000 (235,929,600 bytes) 7800h Note: VFlash region table & all dev_flash regions are encrypted with a per console keys by ENCDEC device.

magic header :0x0F00010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE .....¬ая....Ю.ъО

pc 0 VFlash region table 0x0F000C0 There are 5 regions: /dev_flash, /dev_flash2, /dev_flash3, OtherOS & Unknown/FF-region. Note: first 0x40000 bytes not counted because of masking bootldr by HV.
pc 1 pf /dev_flash (FAT16) GameOS devflash 0x0F40000 0xD6FFFFF 0xC7C0000 (209,453,056 bytes) offset taken from region table (0x7800*0x200+0x40000=0x0F40000)
pc 2 gen /dev_flash2 (FAT16) XRegistry 0xD700000 0xE6FFFFF 0x1000000 (16,777,216 bytes) offset taken from region table (0x6B600*0x200+0x40000=0xD700000)
pc 3 pf /dev_flash3 (FAT12) CRL/DRL 0xE700000 0xE77FFFF 0x80000 (524,288 bytes) offset taken from region table (0x73600*0x200+0x40000=0xE700000)
gen 4 gen cell_ext_os_area 0xE780000 0xE78000F 0x10 (16 bytes) 73C00h magic header : 0xE780000 63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61 cell_ext_os_area
gen gen OtherOS 0xE780800 ~varies ~varies ~varies 73C04h OtherOS loader/init.rd
gen 5 gen Unknown/FF-region 0xEFC0000 0xEFFFFFF 0x40000 (262,144 bytes) 77E00h
pc bootldr 0xF000000 0xF03FFFF 0x40000 (262,144 bytes) 78000h datasize depends on bootldr revision

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

pc F unreferenced area 0xF040000 0xFFFFFFF 0xFC0000 (16,515,072 bytes) 78200h

[edit] Notes

  • All offsets on the index page are absolute. Offsets on subpages are relative within each section (unless otherwise mentioned)
  • NOR and NAND are blockdevices and thus:
    • The minimal chunk of data that can be read/written is a block (with flashdevices also named page). A block that has never been written (only erased/formatted) is filled with 0xFF's. When bytes are written to a block, the entire block must be written. The write process fills the nonused bytes (slack space) at the remainder of the block with 0x00's
    • 1 block = 512 bytes (0x200) which conveniently correlates to the standard sectorsize used on magneto/optical drives

[edit] Common Flash Interface (CFI)

An access to the common flash interface can be enabled by writing to the physical address space of flash memory device, for example, you can use ps3sbmmio driver on Linux.

Type This
# Enter CFI
printf '\x98\x98' | dd of=/dev/ps3sbmmio bs=1 count=2 seek=$((0x1f0000aa))
 
# Dump CFI tables
for i in {0..127}; do dd if=/dev/ps3sbmmio bs=1 count=1 skip=$((0x1f000001+$i*2)) >> cfi_tables.bin 2>/dev/null; done;
xxd cfi_tables.bin
 
# Exit from CFI
printf '\xf0\xf0' | dd of=/dev/ps3sbmmio bs=1 count=2 seek=$((0x1f000000))

Here is an output from Slim console (JTP-001):

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0000000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000010   51 52 59 02 00 40 00 00 00 00 00 27 36 00 00 06  QRY..@.....'6...
0000020   06 09 10 03 05 03 02 18 02 00 06 00 01 7f 00 00  ................
0000030   02 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff  ................
0000040   50 52 49 31 33 14 02 01 00 08 00 00 02 b5 c5 04  PRI13...........
0000050   01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
0000060   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
0000070   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................

Mouseover for byte usage description as explained in the below linked Spansion Application Note for CFI

[edit] Reference