Flash:cvtrm: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
No edit summary
 
(5 intermediate revisions by one other user not shown)
Line 64: Line 64:
In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the '''hash_table''' (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value
In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the '''hash_table''' (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value


At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the lenght of the areas that has been copypasted below (but only the sum of the first two copypastes, for some reason the third copypaste is not included in this sum, also the position where the third copypaste happens is a bit weird i dont get why that position, is because the 0x40 gap but that gap makes no sense, the point is the gap is there and is related with the reason why the third copypaste to not be included in this sum)
At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the length of the areas that has been copypasted below (but only the sum of the first two copypastes, for some reason the third copypaste is not included in this sum, also the position where the third copypaste happens is a bit weird i dont get why that position, is because the 0x40 gap but that gap makes no sense, the point is the gap is there and is related with the reason why the third copypaste to not be included in this sum)


----
----
Line 75: Line 75:


==Notes, speculation, brainstorming==
==Notes, speculation, brainstorming==
*Trying to identify the encrypted data blocks based on the [[Authentication IDs]]
Trying to identify the encrypted data blocks based on the [[Authority ID]] and its position
**10 70 00 00 02 00 00 01
 
*First auth ID (lpar auth id)
** 10 70 00 00 02 00 00 01
*** PS3_LPAR (a.k.a. GameOS access)
*** PS3_LPAR (a.k.a. GameOS access)
**10 70 00 00 39 00 00 01
** 04 00 00 00 02 00 00 05
*** related with the PSN account ???
 
*Second auth ID (program auth id)
** 10 70 00 05 FF 00 00 01
*** /dev_flash/vsh/'''vsh.self'''
*** is copypasted from the inner vtrm to the vtrm on top, in both NAND and NOR
** 10 70 00 00 39 00 00 01
*** /dev_flash/bdplayer/'''bdp_bdmv.self'''
*** /dev_flash/bdplayer/'''bdp_bdmv.self'''
*** this data block contains the hashes of '''DRL''' and '''CRL'''
*** contains the hashes of '''DRL''' and '''CRL'''
**10 70 00 00 03 00 00 02
*** is copyed and re-encrypted from the inner vtrm to the vtrm on top, only in NOR
** 10 70 00 00 03 00 00 02
*** /dev_flash/vsh/module/'''mgvideo.self'''
*** /dev_flash/vsh/module/'''mgvideo.self'''
**10 70 00 05 FF 00 00 01
 
*** /dev_flash/vsh/'''vsh.self'''
=LPAR Auth ID and Program Auth ID=
**04 00 00 00 02 00 00 05
*VSH
*** ???
**0x0400000002000005 - ???
**0x10700005FF000001 - vsh.self
*BDP
**0x1070000002000001 - LPAR 2
**0x1070000039000001 - bdp_bdmv.self
*VP
**0x1070000002000001 - LPAR 2
**0x1070000003000002 - mgvideo.self
 
http://www.psdevwiki.com/ps3/index.php?title=Fixing_DRL_and_CRL_Hashes&diff=13954&oldid=13803


=VTRM hashes and how to generate them=
=VTRM hashes and how to generate them=
Line 210: Line 229:
   [...]    <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span>  ................
   [...]    <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span>  ................
  00EE5080  <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span>  ................    <---- '''data_table''' start (table_size = 0x186C0, entry_size = 0x60, entry_number = 0x412)
  00EE5080  <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span>  ................    <---- '''data_table''' start (table_size = 0x186C0, entry_size = 0x60, entry_number = 0x412)
  00EE5090  <span style="background:#ff5555;">10 70 00 00 02 00 00 01</span> <span style="background:#ff6666;">10 70 00 00 39 00 00 01</span>  .p.......p..9...    <---- '''lpar_auth_id''' (PS3_LPAR), '''prog_auth_id''' (bdp_bdmv.self)
  00EE5090  <span style="background:#ff5555;">10 70 00 00 02 00 00 01</span> <span style="background:#ff6666;">10 70 00 00 39 00 00 01</span>  .p.......p..9...    <---- '''lpar_auth_id''', '''prog_auth_id'''
  00EE50A0  <span style="background:#ff7777; color:#99ffff;">D8 71 79 C4 C0 2B 74 A1 C9 50 AC 82 4D 94 4A D0</span>  ØqyÄÀ+t¡ÉP¬‚M”JÐ
  00EE50A0  <span style="background:#ff7777; color:#99ffff;">D8 71 79 C4 C0 2B 74 A1 C9 50 AC 82 4D 94 4A D0</span>  ØqyÄÀ+t¡ÉP¬‚M”JÐ
  00EE50B0  <span style="background:#ff7777; color:#99ffff;">63 85 24 87 7D 4D 0D E4 9A 29 E6 6F 4B FA B7 19</span>  c…$‡}M.äš)æoKú·.
  00EE50B0  <span style="background:#ff7777; color:#99ffff;">63 85 24 87 7D 4D 0D E4 9A 29 E6 6F 4B FA B7 19</span>  c…$‡}M.äš)æoKú·.
Line 216: Line 235:
  00EE50D0  <span style="background:#ff7777; color:#99ffff;">2A D2 D4 18 E7 2F BA 15 79 8E D9 C1 64 4A 6C 91</span>  *ÒÔ.ç/º.yŽÙÁdJl‘
  00EE50D0  <span style="background:#ff7777; color:#99ffff;">2A D2 D4 18 E7 2F BA 15 79 8E D9 C1 64 4A 6C 91</span>  *ÒÔ.ç/º.yŽÙÁdJl‘
  00EE50E0  <span style="background:#ff9999; color:#ffff66;">00 00 00 00 00 00 00 01</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span>  ................
  00EE50E0  <span style="background:#ff9999; color:#ffff66;">00 00 00 00 00 00 00 01</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span>  ................
  00EE50F0  <span style="background:#ff5555;">04 00 00 00 02 00 00 05</span> <span style="background:#ff6666;">10 70 00 05 FF 00 00 01</span>  .........p..ÿ...    <---- '''lpar_auth_id''' (UNKNOWN_LPAR), '''prog_auth_id''' (vsh.self)
  00EE50F0  <span style="background:#ff5555;">04 00 00 00 02 00 00 05</span> <span style="background:#ff6666;">10 70 00 05 FF 00 00 01</span>  .........p..ÿ...    <---- '''lpar_auth_id''', '''prog_auth_id'''
  00EE5100  <span style="background:#ff7777; color:#99ffff;">0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E</span>  .ÿ ܤj¡Ó¼6‚.Â{µ^
  00EE5100  <span style="background:#ff7777; color:#99ffff;">0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E</span>  .ÿ ܤj¡Ó¼6‚.Â{µ^
  00EE5110  <span style="background:#ff7777; color:#99ffff;">9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E</span>  ›Íkq«A./„T?k¬á&>
  00EE5110  <span style="background:#ff7777; color:#99ffff;">9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E</span>  ›Íkq«A./„T?k¬á&>

Latest revision as of 18:26, 31 January 2022

Description[edit | edit source]

Used by VTRM Services, 0x9000 - SC Manager, PARAM.PFD for Savegames, Trophy, DRL/CRL.

Corruption of this region leads to RSOD repairable with RSOD Fix

Size: 0x40000. Location NOR: 0xEC0000 - 0xEFFFFF

VTRM related pages:

Structure[edit | edit source]

NOR VTRM Structure[edit | edit source]

Offset Size Example Description Notes
0x00 0x08 (8 bytes) 000000005654524D magic VTRM (in ASCII)
0x08 0x08 (8 bytes) 0000000000000004 version
0x10 0x14 (20 bytes) 0D20534FEEE806E3E7AC57E1E9646CBFEDBE69E1 sha 1 hash
Offset Size Example Description Notes
0x24 0x4 (4 bytes) 000000E0 (NOR) Unknown
0x28 0x8 (8 bytes) 0000000000000209 (NOR) X and Y tables reserved entries 521 entries (NOR)
0x30 0x8 (8 bytes) 0000000000000412 (NOR) Protected files table reserved entries 1042 entries (NOR)
0x38 0x8 (8 bytes) 0000000000000002 (NOR) Protected files table used entries 2 entries (NOR)

NAND VTRM Structure[edit | edit source]

Overview: A good way to understand the structure is to think in how the vtrm is created, there are 3 main processes where are written the 'magic_vtrm' sections (colored in black in the examples), in general lines can be said the 'magic_vtrm' sections are created "from bottom to top". This explain doesnt includes the processes needed to create the first 'magic_vtrm' section

At some point that should be considered the "initial state" is performed an "erase" command from 0xEC000 up to 0xF0000 (0x200 blocks are filled with 0xFF's). After that the first 2 blocks are reserved (from 0xEC000 up to 0xEC400). The creation process starts at the third block (at offset 0xEC0400), this section where is used for first time the 'magic_vtrm' can be considered the most "inner" vtrm, or the most older in the creation process

After that 'inner' vtrm is created (how is created is out of the explain) then the creation process returns to the first block (the area that was reserved before from 0xEC000 up to 0xEC400), most of the steps made to create this area consists in copying and indexing other areas of the 'inner' vtrm

So now the creation process is going to build the first 2 blocks... but the first 0x10 bytes of the first block (from 0xEC0000 up to 0xEC0010) are ignored at this point, the reason why are not created yet is because is not posible to know the amount of bytes that are going to be copyed below it in the next steps (now is going to start a process of copypasting at offset 0xEC0010)

This is when starts a process that im going to label the 'copypaste' that starts at offset 0xEC0010 and does three things, first it creates a value of 0x8 bytes (colored in green in the examples) with an offset that points to the 'inner' vtrm, then another value of 0x8 bytes (colored in green in the examples) that indicates how many bytes are going to be copypasted, then the bytes are copypasted below

This copypaste is made 3 times. The first one copypastes the VTRM header (the bytes from 0xEC0400 up to 0xEC0428 are copypasted to 0xEC0020 up to 0xEC0048). The second copypastes one of the encrypted data areas (the bytes from 0xEC2980 up to 0xEC29E0 are copypasted to 0xEC0058 up to EC00B8), for some reason i dont get now it "jumps" 0x40 bytes, and then it does another copypaste that works a bit different

In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the hash_table (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value

At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the length of the areas that has been copypasted below (but only the sum of the first two copypastes, for some reason the third copypaste is not included in this sum, also the position where the third copypaste happens is a bit weird i dont get why that position, is because the 0x40 gap but that gap makes no sense, the point is the gap is there and is related with the reason why the third copypaste to not be included in this sum)


The offsets used to make the copypastes in the first 2 blocks are absolute, this means is needed to start counting from outside of the vtrm, actually from the start of flash. When looking at a flash dump from inside a hexeditor, or here in wiki examples what we see is the whole flash data, but this view is not the logical map. The flash region starts at the Flashregion Table, at the absolute offset 0x40200

  • For this reason is needed to add + 0x40200 to the offsets that appears inside vtrm to know where are pointing
    • 0xE80200 + 0x40200 = 0xEC0400 (inner VTRM start offset)
    • 0xE82780 + 0x40200 = 0xEC2980 (prototype encrypted data ofset)
    • 0xEBE48C + 0x40200 = 0xEFE68C (exception in the hast_table)

Notes, speculation, brainstorming[edit | edit source]

Trying to identify the encrypted data blocks based on the Authority ID and its position

  • First auth ID (lpar auth id)
    • 10 70 00 00 02 00 00 01
      • PS3_LPAR (a.k.a. GameOS access)
    • 04 00 00 00 02 00 00 05
      • related with the PSN account ???
  • Second auth ID (program auth id)
    • 10 70 00 05 FF 00 00 01
      • /dev_flash/vsh/vsh.self
      • is copypasted from the inner vtrm to the vtrm on top, in both NAND and NOR
    • 10 70 00 00 39 00 00 01
      • /dev_flash/bdplayer/bdp_bdmv.self
      • contains the hashes of DRL and CRL
      • is copyed and re-encrypted from the inner vtrm to the vtrm on top, only in NOR
    • 10 70 00 00 03 00 00 02
      • /dev_flash/vsh/module/mgvideo.self

LPAR Auth ID and Program Auth ID[edit | edit source]

  • VSH
    • 0x0400000002000005 - ???
    • 0x10700005FF000001 - vsh.self
  • BDP
    • 0x1070000002000001 - LPAR 2
    • 0x1070000039000001 - bdp_bdmv.self
  • VP
    • 0x1070000002000001 - LPAR 2
    • 0x1070000003000002 - mgvideo.self

http://www.psdevwiki.com/ps3/index.php?title=Fixing_DRL_and_CRL_Hashes&diff=13954&oldid=13803

VTRM hashes and how to generate them[edit | edit source]

repeated hash -> hmac sha1 using srk of an empty string ("")
hidden hash -> hmac sha1 using srk of 0x58 bytes of empty encrypted data using keyseed_for_srk
header hash -> hmac sha1 using srk of hmac sha1 using srk of header table without header (0x28 bytes) and signature table.

Extra hashes[edit | edit source]

srh -> hash of signature table (big table with repeated hashes and hidden hash)

Examples[edit | edit source]

NAND Example[edit | edit source]

NAND: cvtrm (0xEC0000 - 0xEFFFFF)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 

00EC0000  53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8  SCEIVTRM.......¨      <---- magic_scei, magic_vtrm, copypasted_total_used_len
00EC0010  00 00 00 00 00 E8 02 00 00 00 00 00 00 00 00 28  .....è.........(      <---- copypaste_offset, copypaste_len
00EC0020  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........      <---- copyed, copyed, copyed
00EC0030  FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47  þm.ÄúÕÎÛ“†ü¡2;qG      <---- copyed
00EC0040  3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 E8 27 80  ;¥ÆùÀ.¶p.....è'€      <---- copyed, copyed, copyed, copypaste_offset
00EC0050  00 00 00 00 00 00 00 60 00 00 00 00 00 00 09 20  .......`.......       <---- copypaste_len, copyed
00EC0060  04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01  .........p..ÿ...      <---- copyed, copyed
00EC0070  0C 1C 05 9C AA B5 97 A5 9C D6 46 2D EA 22 46 BE  ...œªµ—¥œÖF-ê"F¾      <---- copyed
00EC0080  D1 84 A9 1E 34 5F E7 90 55 49 11 82 51 9D 4A 3F  Ñ„©.4_ç.UI.‚Q.J?      <---- copyed
00EC0090  EF 43 19 E8 4F 6A 5B FF DA 31 E9 F0 76 C8 B2 6B  ïC.èOj[ÿÚ1éðvȲk      <---- copyed
00EC00A0  0B A7 47 8E BE 42 28 9F 2B 88 73 0B A5 B6 F2 1D  .§GŽ¾B(Ÿ+ˆs.¥¶ò.      <---- copyed
00EC00B0  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ      <---- copyed, 0x40_bytes_gap
 [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ      <---- 0x40_bytes_gap
00EC00F0  FF FF FF FF FF FF FF FF 00 00 00 00 00 EB E4 8C  ÿÿÿÿÿÿÿÿ.....ëäŒ      <---- 0x40_bytes_gap, copypaste_offset
00EC0100  00 00 00 00 00 00 00 14 39 17 52 0B 31 70 F5 05  ........9.R.1põ.      <---- copypaste_len, copyed
00EC0110  02 5A C6 F8 81 F8 54 96 2F EF F3 81 FF FF FF FF  .ZÆø.øT–/ïó.ÿÿÿÿ      <---- copyed, erased_bytes
 [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ      <---- erased_bytes <--- to fill up to 512 bytes or 0x400 (2 blocks)
00EC0400  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........      <---- magic_void + magic_vtrm + next_unknown_stuff_len ? <---- inner vtrm
00EC0410  FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47  þm.ÄúÕÎÛ“†ü¡2;qG      <---- SRH ? (secure root hash)
00EC0420  3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 00 04 90  ;¥ÆùÀ.¶p........      <---- SRH ?, unknown (2 bytes), unknown (2 bytes), index_num = 0x490 (1168 in decimal)
00EC0430  00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 03  ....... ........      <---- data_slots_total, data_slots_used
00EC0440  00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......       <---- index_table starts here (table_size = ???, entry_size = 0x8, entry_number = 0x490)
 [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      
00EC1930  00 00 00 00 00 00 00 01 00 00 00 00 00 00 09 20  ...............       <---- exception
 [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      
00EC21F0  00 00 00 00 00 00 00 02 00 00 00 00 00 00 09 20  ...............       <---- exception
 [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      
00EC24F0  00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 00  ....... ........      <---- exception
 [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      
00EC28C0  00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01  ....... .p......      <---- unknown, lpar_auth_id <---- data_table starts here (table_size = ???, entry_size = 0x60, entry_number = 0x920)
00EC28D0  10 70 00 00 39 00 00 01 22 66 39 B3 0E 7A 1C E7  .p..9..."f9³.z.ç      <---- prog_auth_id, encrypted_data
00EC28E0  68 85 F9 94 A8 30 BE C4 0B 85 D0 92 1E C0 8F 28  h…ù”¨0¾Ä.…Ð’.À.(      <---- encrypted_data
00EC28F0  7F 70 ED 15 D6 22 06 24 D9 08 64 0B C0 D7 97 29  .pí.Ö".$Ù.d.À×—)      <---- encrypted_data
00EC2900  BE A1 FE 91 D1 F2 D4 88 25 EF 24 86 E0 A3 CB 98  ¾¡þ‘ÑòÔˆ%ï$†à£Ë˜      <---- encrypted_data
00EC2910  AF 17 6F B1 64 A0 56 E5 00 00 00 00 00 00 00 01  ¯.o±d Vå........      <---- encrypted_data, unkown
00EC2920  00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01  ....... .p......      <---- unkown, lpar_auth_id
00EC2930  10 70 00 00 03 00 00 02 F9 D9 6A 84 0C F2 D8 E7  .p......ùÙj„.òØç      <---- prog_auth_id, encrypted_data
00EC2940  D4 44 5C 3C DF D5 DF 0F B8 DC 3E 81 9A A4 71 8F  ÔD\<ßÕß.¸Ü>.š¤q.      <---- encrypted_data
00EC2950  0A A8 8B 90 1B 2C A1 D1 66 84 AA EE 65 D1 46 9A  .¨‹..,¡Ñf„ªîeÑFš      <---- encrypted_data
00EC2960  D7 38 83 F2 78 47 D1 8E E5 FA EB 39 CF 26 E8 25  ×8ƒòxGÑŽåúë9Ï&è%      <---- encrypted_data
00EC2970  85 DE 3B C6 0B C3 45 D5 00 00 00 00 00 00 00 00  …Þ;Æ.ÃEÕ........      <---- encrypted_data, unkown
00EC2980  00 00 00 00 00 00 09 20 04 00 00 00 02 00 00 05  ....... ........      <---- unkown, lpar_auth_id
00EC2990  10 70 00 05 FF 00 00 01 0C 1C 05 9C AA B5 97 A5  .p..ÿ......œªµ—¥      <---- prog_auth_id, encrypted_data
00EC29A0  9C D6 46 2D EA 22 46 BE D1 84 A9 1E 34 5F E7 90  œÖF-ê"F¾Ñ„©.4_ç.      <---- encrypted_data
00EC29B0  55 49 11 82 51 9D 4A 3F EF 43 19 E8 4F 6A 5B FF  UI.‚Q.J?ïC.èOj[ÿ      <---- encrypted_data
00EC29C0  DA 31 E9 F0 76 C8 B2 6B 0B A7 47 8E BE 42 28 9F  Ú1éðvȲk.§GŽ¾B(Ÿ      <---- encrypted_data
00EC29D0  2B 88 73 0B A5 B6 F2 1D 00 00 00 00 00 00 00 00  +ˆs.¥¶ò.........      <---- encrypted_data, unkown
 [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ      <---- free data slots starts here
00EF94C0  39 17 52 0B 31 70 F5 05 02 5A C6 F8 81 F8 54 96  9.R.1põ..ZÆø.øT–      <---- signature_table start (table_size = ??? , entry_size = 0x14, entry_number = 490)
00EF94D0  2F EF F3 81                                      /ïó.                  [...] signature_empty (repeated)
 [...]       the same hash repeated, with a exception                            [...] signature_dummy (exception) at 0xEFE68C-0xEFE6A0, position ??? (decimal), relative offset = 0x???
00EFEFE0                                      39 17 52 0B              9.R.      [...] signature_empty (repeated)
00EFEFF0  31 70 F5 05 02 5A C6 F8 81 F8 54 96 2F EF F3 81  1põ..ZÆø.øT–/ïó.      [...]
 [...]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................      
00EFFFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................      <---- 0x00's filled up to end of file (0x1FE blocks)

NOR Example[edit | edit source]

NOR: cvtrm (0xEC0000 - 0xEFFFFF)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00EC0000  53 43 45 49 FF FF FF FF FF FF FF FF FF FF FF FF  SCEIÿÿÿÿÿÿÿÿÿÿÿÿ     <---- magic_scei, erased_bytes
 [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ     <---- erased_bytes
00EC3FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ     <---- erased_bytes <----- to fill up to 16384 bytes or 0x4000 (0x20 blocks)
00EC4000  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........     <---- copyed
00EC4010  0D 20 53 4F EE E8 06 E3 E7 AC 57 E1 E9 64 6C BF  . SOîè.ãç¬Wáédl¿     <---- new_hash (0x14 bytes), is the hash of an area that contains the re-encrypted data
00EC4020  ED BE 69 E1 00 00 00 E0 00 00 00 00 00 00 02 09  í¾iá...à........     <---- copyed
00EC4030  00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 02  ................     <---- copyed
00EC4040  00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................     <---- copyed
 [...]    00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................     <---- copyed
00EC45C0  00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 01  ................     <---- copyed
 [...]    00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................     <---- copyed
00EC4670  00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 00  ................     <---- copyed
 [...]    00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................     <---- copyed
00EC5080  00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................     <---- copyed
00EC5090  10 70 00 00 02 00 00 01 10 70 00 00 39 00 00 01  .p.......p..9...     <---- copyed
00EC50A0  D5 ED B4 4B 73 E2 79 5D CF E7 06 7F 4B 79 4C DC  Õí´Ksây]Ïç..KyLÜ     <---- re-encrypted data ?
00EC50B0  71 D1 B8 F7 0A 3F CE 1B 09 8B 59 47 7A 1D 2C E4  qѸ÷.?Î..‹YGz.,ä     <---- re-encrypted data ?
00EC50C0  69 B2 CF 18 8A B9 04 7E 29 71 A1 2D D8 71 54 01  i²Ï.Š¹.~)q¡-ØqT.     <---- re-encrypted data ?
00EC50D0  5B D2 55 4F EB C4 41 41 80 A3 60 A7 75 DA D8 11  [ÒUOëÄAA€£`§uÚØ.     <---- re-encrypted data ?
00EC50E0  00 00 00 00 00 00 00 01 00 00 00 00 00 00 04 12  ................     <---- copyed
00EC50F0  04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01  .........p..ÿ...     <---- copyed
00EC5100  0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E  .ÿ ܤj¡Ó¼6‚.Â{µ^     <---- copyed
00EC5110  9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E  ›Íkq«A./„T?k¬á&>     <---- copyed
00EC5120  A6 5A F4 AA E6 08 53 E0 71 A4 7D 43 2D 54 D4 F8  ¦Zôªæ.Sàq¤}C-TÔø     <---- copyed
00EC5130  5A 21 9B E6 D9 82 6B DB 1C 08 A1 F1 21 E0 F7 A4  Z!›æÙ‚kÛ..¡ñ!à÷¤     <---- copyed
00EC5140  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ     <---- copyed
00EC5150  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ     <---- copyed
 [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ     <---- copyed
00EDD740  FF FF FF FF FF FF FF FF EF 73 1D 7F 83 F3 DB 0F  ÿÿÿÿÿÿÿÿïs..ƒóÛ.     <---- copyed
00EDD750  E1 69 26 44 E7 23 5C 88 C7 7C 9B 81              ái&Dç#\ˆÇ|›.         <---- copyed
 [...]       the same hash repeated, with a exception                           <---- copyed
00EDFFE0                          EF 73 1D 7F 83 F3 DB 0F          ïs..ƒóÛ.     <---- copyed
00EDFFF0  E1 69 26 44 E7 23 5C 88 C7 7C 9B 81 FF FF FF FF  ái&Dç#\ˆÇ|›.ÿÿÿÿ     <---- copyed
 [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ     <---- erased_bytes
00EE3FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ     <---- erased_bytes <----- to fill up to 131072 bytes or 0x20000 (0x100 blocks)
00EE4000  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........     <---- magic_void, magic_vtrm, next_unknown_stuff_len
00EE4010  93 66 A8 50 90 4F 4E 9E FC AA 0C 0C 90 8B 96 DD  “f¨P.ONžüª...‹–Ý     <---- SRH ? (secure root hash)
00EE4020  0E 14 91 99 00 00 00 E0 00 00 00 00 00 00 02 09  ..‘™...à........     <---- 0xE0 = number of blocks ?
00EE4030  00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 02  ................
00EE4040  00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................     <---- index_table start (table_size = 0x1048, entry_size = 0x8, entry_number = 0x209)
 [...]    00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................
00EE45C0  00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 01  ................     <---- exception at position 178 (decimal), relative offset 0x588
 [...]    00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................
00EE4670  00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 00  ................     <---- exception at position 200 (decimal), relative offset 0x638
 [...]    00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................
00EE5080  00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12  ................     <---- data_table start (table_size = 0x186C0, entry_size = 0x60, entry_number = 0x412)
00EE5090  10 70 00 00 02 00 00 01 10 70 00 00 39 00 00 01  .p.......p..9...     <---- lpar_auth_id, prog_auth_id
00EE50A0  D8 71 79 C4 C0 2B 74 A1 C9 50 AC 82 4D 94 4A D0  ØqyÄÀ+t¡ÉP¬‚M”JÐ
00EE50B0  63 85 24 87 7D 4D 0D E4 9A 29 E6 6F 4B FA B7 19  c…$‡}M.äš)æoKú·.
00EE50C0  53 F2 E7 DA 64 F5 31 61 FC EC 44 41 A5 AC 10 C2  SòçÚdõ1aüìDA¥¬.Â
00EE50D0  2A D2 D4 18 E7 2F BA 15 79 8E D9 C1 64 4A 6C 91  *ÒÔ.ç/º.yŽÙÁdJl‘
00EE50E0  00 00 00 00 00 00 00 01 00 00 00 00 00 00 04 12  ................
00EE50F0  04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01  .........p..ÿ...     <---- lpar_auth_id, prog_auth_id
00EE5100  0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E  .ÿ ܤj¡Ó¼6‚.Â{µ^
00EE5110  9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E  ›Íkq«A./„T?k¬á&>
00EE5120  A6 5A F4 AA E6 08 53 E0 71 A4 7D 43 2D 54 D4 F8  ¦Zôªæ.Sàq¤}C-TÔø
00EE5130  5A 21 9B E6 D9 82 6B DB 1C 08 A1 F1 21 E0 F7 A4  Z!›æÙ‚kÛ..¡ñ!à÷¤
00EE5140  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ     <---- free data slots start 
00EE5150  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00EFD740  FF FF FF FF FF FF FF FF EF 73 1D 7F 83 F3 DB 0F  ÿÿÿÿÿÿÿÿïs..ƒóÛ.     <---- signature_table start (table_size = 0x28B4, entry_size = 0x14, entry_number = 0x209)
00EFD750  E1 69 26 44 E7 23 5C 88 C7 7C 9B 81              ái&Dç#\ˆÇ|›.         [...] signature_empty (repeated)
 [...]       the same hash repeated, with a exception                           [...] signature_dummy (exception) at 0xEFE6D4-0xEFE6E7, position 200 (decimal), relative offset = 0xF8C
00EFFFE0                          EF 73 1D 7F 83 F3 DB 0F          ïs..ƒóÛ.     [...] signature_empty (repeated)
00EFFFF0  E1 69 26 44 E7 23 5C 88 C7 7C 9B 81 FF FF FF FF  ái&Dç#\ˆÇ|›.ÿÿÿÿ     <---- erased_bytes <----- to fill up to 114688 bytes or 0x1C000 (0xE0 blocks)