Flash:cvtrm: Difference between revisions
CelesteBlue (talk | contribs) No edit summary |
|||
(5 intermediate revisions by one other user not shown) | |||
Line 64: | Line 64: | ||
In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the '''hash_table''' (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value | In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the '''hash_table''' (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value | ||
At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the | At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the length of the areas that has been copypasted below (but only the sum of the first two copypastes, for some reason the third copypaste is not included in this sum, also the position where the third copypaste happens is a bit weird i dont get why that position, is because the 0x40 gap but that gap makes no sense, the point is the gap is there and is related with the reason why the third copypaste to not be included in this sum) | ||
---- | ---- | ||
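Review bot: the text added to the end of the entry-point paragraph packs the 0xA8 length, the excluded third copypaste and the 0x40 gap into one long parenthetical that is hard to follow. Split it into separate sentences, and say once that the reason for the gap is not known instead of both "is because the 0x40 gap" and "that gap makes no sense".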
Line 75: | Line 75: | ||
==Notes, speculation, brainstorming== | ==Notes, speculation, brainstorming== | ||
Trying to identify the encrypted data blocks based on the [[Authority ID]] and its position | |||
**10 70 00 00 02 00 00 01 | |||
*First auth ID (lpar auth id) | |||
** 10 70 00 00 02 00 00 01 | |||
*** PS3_LPAR (a.k.a. GameOS access) | *** PS3_LPAR (a.k.a. GameOS access) | ||
**10 70 00 00 39 00 00 01 | ** 04 00 00 00 02 00 00 05 | ||
*** related with the PSN account ??? | |||
*Second auth ID (program auth id) | |||
** 10 70 00 05 FF 00 00 01 | |||
*** /dev_flash/vsh/'''vsh.self''' | |||
*** is copypasted from the inner vtrm to the vtrm on top, in both NAND and NOR | |||
** 10 70 00 00 39 00 00 01 | |||
*** /dev_flash/bdplayer/'''bdp_bdmv.self''' | *** /dev_flash/bdplayer/'''bdp_bdmv.self''' | ||
*** | *** contains the hashes of '''DRL''' and '''CRL''' | ||
**10 70 00 00 03 00 00 02 | *** is copyed and re-encrypted from the inner vtrm to the vtrm on top, only in NOR | ||
** 10 70 00 00 03 00 00 02 | |||
*** /dev_flash/vsh/module/'''mgvideo.self''' | *** /dev_flash/vsh/module/'''mgvideo.self''' | ||
** | |||
** | =LPAR Auth ID and Program Auth ID= | ||
** | *VSH | ||
*** ? | **0x0400000002000005 - ??? | ||
**0x10700005FF000001 - vsh.self | |||
*BDP | |||
**0x1070000002000001 - LPAR 2 | |||
**0x1070000039000001 - bdp_bdmv.self | |||
*VP | |||
**0x1070000002000001 - LPAR 2 | |||
**0x1070000003000002 - mgvideo.self | |||
http://www.psdevwiki.com/ps3/index.php?title=Fixing_DRL_and_CRL_Hashes&diff=13954&oldid=13803 | |||
=VTRM hashes and how to generate them= | =VTRM hashes and how to generate them= | ||
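Review bot: the new "=LPAR Auth ID and Program Auth ID=" section lists the same ID pairs as the expanded "Notes, speculation, brainstorming" list, but with different labels: 04 00 00 00 02 00 00 05 is "related with the PSN account ???" in the list and "???" under VSH, and 10 70 00 00 02 00 00 01 is "PS3_LPAR" in one and "LPAR 2" in the other. Keep one list or make the labels agree, spell "copyed" as "copied", and give the bare Fixing_DRL_and_CRL_Hashes diff URL a label saying what it is cited for.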
Line 210: | Line 229: | ||
[...] <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> ................ | [...] <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> ................ | ||
00EE5080 <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span> ................ <---- '''data_table''' start (table_size = 0x186C0, entry_size = 0x60, entry_number = 0x412) | 00EE5080 <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span> ................ <---- '''data_table''' start (table_size = 0x186C0, entry_size = 0x60, entry_number = 0x412) | ||
00EE5090 <span style="background:#ff5555;">10 70 00 00 02 00 00 01</span> <span style="background:#ff6666;">10 70 00 00 39 00 00 01</span> .p.......p..9... <---- '''lpar_auth_id''' | 00EE5090 <span style="background:#ff5555;">10 70 00 00 02 00 00 01</span> <span style="background:#ff6666;">10 70 00 00 39 00 00 01</span> .p.......p..9... <---- '''lpar_auth_id''', '''prog_auth_id''' | ||
00EE50A0 <span style="background:#ff7777; color:#99ffff;">D8 71 79 C4 C0 2B 74 A1 C9 50 AC 82 4D 94 4A D0</span> ØqyÄÀ+t¡ÉP¬‚M”JÐ | 00EE50A0 <span style="background:#ff7777; color:#99ffff;">D8 71 79 C4 C0 2B 74 A1 C9 50 AC 82 4D 94 4A D0</span> ØqyÄÀ+t¡ÉP¬‚M”JÐ | ||
00EE50B0 <span style="background:#ff7777; color:#99ffff;">63 85 24 87 7D 4D 0D E4 9A 29 E6 6F 4B FA B7 19</span> c…$‡}M.äš)æoKú·. | 00EE50B0 <span style="background:#ff7777; color:#99ffff;">63 85 24 87 7D 4D 0D E4 9A 29 E6 6F 4B FA B7 19</span> c…$‡}M.äš)æoKú·. | ||
Line 216: | Line 235: | ||
00EE50D0 <span style="background:#ff7777; color:#99ffff;">2A D2 D4 18 E7 2F BA 15 79 8E D9 C1 64 4A 6C 91</span> *ÒÔ.ç/º.yŽÙÁdJl‘ | 00EE50D0 <span style="background:#ff7777; color:#99ffff;">2A D2 D4 18 E7 2F BA 15 79 8E D9 C1 64 4A 6C 91</span> *ÒÔ.ç/º.yŽÙÁdJl‘ | ||
00EE50E0 <span style="background:#ff9999; color:#ffff66;">00 00 00 00 00 00 00 01</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span> ................ | 00EE50E0 <span style="background:#ff9999; color:#ffff66;">00 00 00 00 00 00 00 01</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span> ................ | ||
00EE50F0 <span style="background:#ff5555;">04 00 00 00 02 00 00 05</span> <span style="background:#ff6666;">10 70 00 05 FF 00 00 01</span> .........p..ÿ... <---- '''lpar_auth_id''' | 00EE50F0 <span style="background:#ff5555;">04 00 00 00 02 00 00 05</span> <span style="background:#ff6666;">10 70 00 05 FF 00 00 01</span> .........p..ÿ... <---- '''lpar_auth_id''', '''prog_auth_id''' | ||
00EE5100 <span style="background:#ff7777; color:#99ffff;">0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E</span> .ÿ ܤj¡Ó¼6‚.Â{µ^ | 00EE5100 <span style="background:#ff7777; color:#99ffff;">0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E</span> .ÿ ܤj¡Ó¼6‚.Â{µ^ | ||
00EE5110 <span style="background:#ff7777; color:#99ffff;">9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E</span> ›Íkq«A./„T?k¬á&> | 00EE5110 <span style="background:#ff7777; color:#99ffff;">9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E</span> ›Íkq«A./„T?k¬á&> |
Latest revision as of 18:26, 31 January 2022
Description
Used by VTRM Services, 0x9000 - SC Manager, PARAM.PFD for Savegames, Trophy, DRL/CRL.
Corruption of this region leads to RSOD repairable with RSOD Fix
Size: 0x40000. Location NOR: 0xEC0000 - 0xEFFFFF
VTRM related pages:
- Talk:Flash#VTRM
- Hypervisor Reverse Engineering#VTRM
- Fixing DRL and CRL Hashes
- SC Manager#0x9000 - SC Manager
- Talk:System Controller Firmware
- Iso module#Communicating w.2F sc iso.self
- PARAM.PFD
- Ps3vuart-tools#ps3dm
- Per Console Keys#cVTRM
- RSOD Fix
Structure
NOR VTRM Structure
Offset | Size | Example | Description | Notes |
---|---|---|---|---|
0x00 | 0x08 (8 bytes) | 000000005654524D | magic | VTRM (in ASCII) |
0x08 | 0x08 (8 bytes) | 0000000000000004 | version | |
0x10 | 0x14 (20 bytes) | 0D20534FEEE806E3E7AC57E1E9646CBFEDBE69E1 | SHA-1 hash | |
Offset | Size | Example | Description | Notes |
---|---|---|---|---|
0x24 | 0x4 (4 bytes) | 000000E0 (NOR) | Unknown | |
0x28 | 0x8 (8 bytes) | 0000000000000209 (NOR) | X and Y tables reserved entries | 521 entries (NOR) |
0x30 | 0x8 (8 bytes) | 0000000000000412 (NOR) | Protected files table reserved entries | 1042 entries (NOR) |
0x38 | 0x8 (8 bytes) | 0000000000000002 (NOR) | Protected files table used entries | 2 entries (NOR) |
NAND VTRM Structure
Overview: A good way to understand the structure is to think about how the vtrm is created. There are 3 main processes in which the 'magic_vtrm' sections (colored in black in the examples) are written; in general terms, the 'magic_vtrm' sections are created "from bottom to top". This explanation does not include the processes needed to create the first 'magic_vtrm' section.
At some point, which should be considered the "initial state", an "erase" command is performed from 0xEC000 up to 0xF0000 (0x200 blocks are filled with 0xFF's). After that, the first 2 blocks are reserved (from 0xEC000 up to 0xEC400). The creation process starts at the third block (at offset 0xEC0400). This section, where the 'magic_vtrm' is used for the first time, can be considered the most "inner" vtrm, or the oldest in the creation process.
After that 'inner' vtrm is created (how it is created is outside the scope of this explanation), the creation process returns to the first block (the area that was reserved before, from 0xEC000 up to 0xEC400). Most of the steps made to create this area consist of copying and indexing other areas of the 'inner' vtrm.
So now the creation process is going to build the first 2 blocks, but the first 0x10 bytes of the first block (from 0xEC0000 up to 0xEC0010) are ignored at this point. They are not created yet because it is not possible to know the amount of bytes that are going to be copied below them in the next steps (a process of copypasting now starts at offset 0xEC0010).
This is where a process that I am going to label the 'copypaste' starts, at offset 0xEC0010. It does three things: first it creates a value of 0x8 bytes (colored in green in the examples) with an offset that points to the 'inner' vtrm, then another value of 0x8 bytes (colored in green in the examples) that indicates how many bytes are going to be copypasted, and then the bytes are copypasted below.
This copypaste is made 3 times. The first one copypastes the VTRM header (the bytes from 0xEC0400 up to 0xEC0428 are copypasted to 0xEC0020 up to 0xEC0048). The second copypastes one of the encrypted data areas (the bytes from 0xEC2980 up to 0xEC29E0 are copypasted to 0xEC0058 up to 0xEC00B8). For some reason I don't get, it now "jumps" 0x40 bytes, and then it does another copypaste that works a bit differently.
In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the hash_table (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value.
At this point the creation process is nearly complete; the only thing left is to fill the 0x10 bytes at the beginning of the first vtrm block (at 0xEC0000). This small area works as the entry point when reading the whole vtrm, and this is where the 'magic_scei' is written, which is unique (it is the only value from these blocks in common between NAND and NOR). The other thing this area indicates (with the value 0xA8) is the length of the areas that have been copypasted below, but only the sum of the first two copypastes; for some reason the third copypaste is not included in this sum. The position where the third copypaste happens is also a bit weird, and I don't get why that position. It is because of the 0x40 gap, but that gap makes no sense; the point is that the gap is there and is related to the reason why the third copypaste is not included in this sum.
The offsets used to make the copypastes in the first 2 blocks are absolute, which means it is necessary to start counting from outside of the vtrm, actually from the start of flash. When looking at a flash dump in a hex editor, or here in the wiki examples, what we see is the whole flash data, but this view is not the logical map. The flash region starts at the Flashregion Table, at the absolute offset 0x40200.
- For this reason it is necessary to add 0x40200 to the offsets that appear inside the vtrm to know where they point
- 0xE80200 + 0x40200 = 0xEC0400 (inner VTRM start offset)
- 0xE82780 + 0x40200 = 0xEC2980 (prototype encrypted data offset)
- 0xEBE48C + 0x40200 = 0xEFE68C (exception in the hash_table)
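The descriptor walk described in this section, as an added example (not code from the wiki): a parser for the first vtrm block that resolves each stored offset with + 0x40200 and checks the copied bytes against their source. The image is constructed from values shown on this page; `parse_top_block`, `build_sample`, the filler used for the encrypted data and the bytes of the 'exception' hash are assumptions of this example.

```python
import struct

VTRM_BASE = 0xEC0000         # absolute start of cvtrm in the flash dump
VTRM_SIZE = 0x40000
FLASH_REGION_BASE = 0x40200  # stored offsets count from the Flashregion Table
GAP = 0x40                   # erased gap before the third descriptor (NAND example)


def parse_top_block(region):
    """Walk the copy descriptors at the top of a NAND-style cvtrm region."""
    if bytes(region[0:8]) != b"SCEIVTRM":
        raise ValueError("magic_scei/magic_vtrm not found")
    (total_len,) = struct.unpack(">Q", region[8:16])

    def read_entry(pos):
        if pos + 0x10 > len(region):
            raise ValueError("descriptor header runs past the region")
        rel, length = struct.unpack(">QQ", region[pos:pos + 0x10])
        src = rel + FLASH_REGION_BASE - VTRM_BASE      # index into region
        end = pos + 0x10 + length
        if src < 0 or src + length > len(region) or end > len(region):
            raise ValueError(f"descriptor at {VTRM_BASE + pos:#x} points outside cvtrm")
        data = bytes(region[pos + 0x10:end])
        entry = {"dest": VTRM_BASE + pos + 0x10, "src": VTRM_BASE + src,
                 "len": length, "data": data,
                 "matches_source": data == bytes(region[src:src + length])}
        return entry, end

    entries, pos = [], 0x10
    while pos - 0x10 < total_len:
        entry, pos = read_entry(pos)
        entries.append(entry)
    if pos - 0x10 != total_len:
        raise ValueError("descriptors do not add up to copypasted_total_used_len")
    # The third descriptor is not counted in total_len and sits after the gap.
    after_gap = pos + GAP
    if (bytes(region[pos:after_gap]) == b"\xff" * GAP
            and bytes(region[after_gap:after_gap + 0x10]) != b"\xff" * 0x10):
        entries.append(read_entry(after_gap)[0])
    return total_len, entries


def build_sample():
    """Constructed image laid out like the page's NAND example."""
    region = bytearray(b"\xff" * VTRM_SIZE)

    def put(abs_off, data):
        region[abs_off - VTRM_BASE:abs_off - VTRM_BASE + len(data)] = data

    inner_header = bytes.fromhex("000000005654524D0000000000000004"
                                 "FE6D0BC4FAD5CEDB9386FCA1323B7147"
                                 "3BA5C6F9C000B670")      # 0x28 bytes, from the page
    record = (bytes.fromhex("0000000000000920" "0400000002000005" "10700005FF000001")
              + bytes(range(0x40))   # constructed stand-in for the encrypted data
              + bytes(8))            # 0x60 bytes in total
    default_hash = bytes.fromhex("3917520B3170F505025AC6F881F854962FEFF381")
    exception_hash = b"\xaa" * 0x14  # constructed; the page does not show this value

    put(0xEC0400, inner_header)      # inner vtrm header
    put(0xEC2980, record)            # data_table entry that gets copied to the top
    put(0xEF94C0, default_hash)      # signature_table start
    put(0xEFE68C, exception_hash)    # 'exception' slot in the signature table
    top = (b"SCEIVTRM" + struct.pack(">Q", 0xA8)
           + struct.pack(">QQ", 0xE80200, 0x28) + inner_header
           + struct.pack(">QQ", 0xE82780, 0x60) + record
           + b"\xff" * GAP
           + struct.pack(">QQ", 0xEBE48C, 0x14) + default_hash)
    put(0xEC0000, top)
    return region


if __name__ == "__main__":
    total, entries = parse_top_block(build_sample())
    print(f"copypasted_total_used_len = {total:#x}")
    for e in entries:
        print(f"{e['dest']:#x} <- {e['src']:#x} len {e['len']:#x} "
              f"matches_source={e['matches_source']}")
```

On the constructed image the first two entries match their source and the third does not, which is the behaviour the text describes for the 'exception' hash; 0xA8 is also the two payloads (0x28 + 0x60) plus their two 0x10-byte descriptors.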
Notes, speculation, brainstorming
Trying to identify the encrypted data blocks based on the Authority ID and its position
- First auth ID (lpar auth id)
  - 10 70 00 00 02 00 00 01
    - PS3_LPAR (a.k.a. GameOS access)
  - 04 00 00 00 02 00 00 05
    - related with the PSN account ???
- Second auth ID (program auth id)
  - 10 70 00 05 FF 00 00 01
    - /dev_flash/vsh/vsh.self
    - is copypasted from the inner vtrm to the vtrm on top, in both NAND and NOR
  - 10 70 00 00 39 00 00 01
    - /dev_flash/bdplayer/bdp_bdmv.self
    - contains the hashes of DRL and CRL
    - is copied and re-encrypted from the inner vtrm to the vtrm on top, only in NOR
  - 10 70 00 00 03 00 00 02
    - /dev_flash/vsh/module/mgvideo.self
LPAR Auth ID and Program Auth ID
- VSH
  - 0x0400000002000005 - ???
  - 0x10700005FF000001 - vsh.self
- BDP
  - 0x1070000002000001 - LPAR 2
  - 0x1070000039000001 - bdp_bdmv.self
- VP
  - 0x1070000002000001 - LPAR 2
  - 0x1070000003000002 - mgvideo.self
http://www.psdevwiki.com/ps3/index.php?title=Fixing_DRL_and_CRL_Hashes&diff=13954&oldid=13803
VTRM hashes and how to generate them
repeated hash -> hmac sha1 using srk of an empty string ("")
hidden hash -> hmac sha1 using srk of 0x58 bytes of empty encrypted data using keyseed_for_srk
header hash -> hmac sha1 using srk of hmac sha1 using srk of header table without header (0x28 bytes) and signature table.
Extra hashes
srh -> hash of signature table (big table with repeated hashes and hidden hash)
Examples
NAND Example
NAND: cvtrm (0xEC0000 - 0xEFFFFF)
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00EC0000 53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8 SCEIVTRM.......¨ <---- magic_scei, magic_vtrm, copypasted_total_used_len
00EC0010 00 00 00 00 00 E8 02 00 00 00 00 00 00 00 00 28 .....è.........( <---- copypaste_offset, copypaste_len
00EC0020 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ <---- copyed, copyed, copyed
00EC0030 FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47 þm.ÄúÕÎÛ“†ü¡2;qG <---- copyed
00EC0040 3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 E8 27 80 ;¥ÆùÀ.¶p.....è'€ <---- copyed, copyed, copyed, copypaste_offset
00EC0050 00 00 00 00 00 00 00 60 00 00 00 00 00 00 09 20 .......`....... <---- copypaste_len, copyed
00EC0060 04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01 .........p..ÿ... <---- copyed, copyed
00EC0070 0C 1C 05 9C AA B5 97 A5 9C D6 46 2D EA 22 46 BE ...œªµ—¥œÖF-ê"F¾ <---- copyed
00EC0080 D1 84 A9 1E 34 5F E7 90 55 49 11 82 51 9D 4A 3F Ñ„©.4_ç.UI.‚Q.J? <---- copyed
00EC0090 EF 43 19 E8 4F 6A 5B FF DA 31 E9 F0 76 C8 B2 6B ïC.èOj[ÿÚ1éðvȲk <---- copyed
00EC00A0 0B A7 47 8E BE 42 28 9F 2B 88 73 0B A5 B6 F2 1D .§GŽ¾B(Ÿ+ˆs.¥¶ò. <---- copyed
00EC00B0 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ <---- copyed, 0x40_bytes_gap
[...] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- 0x40_bytes_gap
00EC00F0 FF FF FF FF FF FF FF FF 00 00 00 00 00 EB E4 8C ÿÿÿÿÿÿÿÿ.....ëäŒ <---- 0x40_bytes_gap, copypaste_offset
00EC0100 00 00 00 00 00 00 00 14 39 17 52 0B 31 70 F5 05 ........9.R.1põ. <---- copypaste_len, copyed
00EC0110 02 5A C6 F8 81 F8 54 96 2F EF F3 81 FF FF FF FF .ZÆø.øT–/ïó.ÿÿÿÿ <---- copyed, erased_bytes
[...] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- erased_bytes <--- to fill up to 512 bytes or 0x400 (2 blocks)
00EC0400 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ <---- magic_void + magic_vtrm + next_unknown_stuff_len ? <---- inner vtrm
00EC0410 FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47 þm.ÄúÕÎÛ“†ü¡2;qG <---- SRH ? (secure root hash)
00EC0420 3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 00 04 90 ;¥ÆùÀ.¶p........ <---- SRH ?, unknown (2 bytes), unknown (2 bytes), index_num = 0x490 (1168 in decimal)
00EC0430 00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 03 ....... ........ <---- data_slots_total, data_slots_used
00EC0440 00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20 ....... ....... <---- index_table starts here (table_size = ???, entry_size = 0x8, entry_number = 0x490)
[...] 00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20 ....... .......
00EC1930 00 00 00 00 00 00 00 01 00 00 00 00 00 00 09 20 ............... <---- exception
[...] 00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20 ....... .......
00EC21F0 00 00 00 00 00 00 00 02 00 00 00 00 00 00 09 20 ............... <---- exception
[...] 00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20 ....... .......
00EC24F0 00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 00 ....... ........ <---- exception
[...] 00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20 ....... .......
00EC28C0 00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01 ....... .p...... <---- unknown, lpar_auth_id <---- data_table starts here (table_size = ???, entry_size = 0x60, entry_number = 0x920)
00EC28D0 10 70 00 00 39 00 00 01 22 66 39 B3 0E 7A 1C E7 .p..9..."f9³.z.ç <---- prog_auth_id, encrypted_data
00EC28E0 68 85 F9 94 A8 30 BE C4 0B 85 D0 92 1E C0 8F 28 h…ù”¨0¾Ä.…Ð’.À.( <---- encrypted_data
00EC28F0 7F 70 ED 15 D6 22 06 24 D9 08 64 0B C0 D7 97 29 .pí.Ö".$Ù.d.À×—) <---- encrypted_data
00EC2900 BE A1 FE 91 D1 F2 D4 88 25 EF 24 86 E0 A3 CB 98 ¾¡þ‘ÑòÔˆ%ï$†à£Ë˜ <---- encrypted_data
00EC2910 AF 17 6F B1 64 A0 56 E5 00 00 00 00 00 00 00 01 ¯.o±d Vå........ <---- encrypted_data, unkown
00EC2920 00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01 ....... .p...... <---- unkown, lpar_auth_id
00EC2930 10 70 00 00 03 00 00 02 F9 D9 6A 84 0C F2 D8 E7 .p......ùÙj„.òØç <---- prog_auth_id, encrypted_data
00EC2940 D4 44 5C 3C DF D5 DF 0F B8 DC 3E 81 9A A4 71 8F ÔD\<ßÕß.¸Ü>.š¤q. <---- encrypted_data
00EC2950 0A A8 8B 90 1B 2C A1 D1 66 84 AA EE 65 D1 46 9A .¨‹..,¡Ñf„ªîeÑFš <---- encrypted_data
00EC2960 D7 38 83 F2 78 47 D1 8E E5 FA EB 39 CF 26 E8 25 ×8ƒòxGÑŽåúë9Ï&è% <---- encrypted_data
00EC2970 85 DE 3B C6 0B C3 45 D5 00 00 00 00 00 00 00 00 …Þ;Æ.ÃEÕ........ <---- encrypted_data, unkown
00EC2980 00 00 00 00 00 00 09 20 04 00 00 00 02 00 00 05 ....... ........ <---- unkown, lpar_auth_id
00EC2990 10 70 00 05 FF 00 00 01 0C 1C 05 9C AA B5 97 A5 .p..ÿ......œªµ—¥ <---- prog_auth_id, encrypted_data
00EC29A0 9C D6 46 2D EA 22 46 BE D1 84 A9 1E 34 5F E7 90 œÖF-ê"F¾Ñ„©.4_ç. <---- encrypted_data
00EC29B0 55 49 11 82 51 9D 4A 3F EF 43 19 E8 4F 6A 5B FF UI.‚Q.J?ïC.èOj[ÿ <---- encrypted_data
00EC29C0 DA 31 E9 F0 76 C8 B2 6B 0B A7 47 8E BE 42 28 9F Ú1éðvȲk.§GŽ¾B(Ÿ <---- encrypted_data
00EC29D0 2B 88 73 0B A5 B6 F2 1D 00 00 00 00 00 00 00 00 +ˆs.¥¶ò......... <---- encrypted_data, unkown
[...] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- free data slots starts here
00EF94C0 39 17 52 0B 31 70 F5 05 02 5A C6 F8 81 F8 54 96 9.R.1põ..ZÆø.øT– <---- signature_table start (table_size = ??? , entry_size = 0x14, entry_number = 490)
00EF94D0 2F EF F3 81 /ïó.
[...] signature_empty (repeated)
[...] the same hash repeated, with a exception
[...] signature_dummy (exception) at 0xEFE68C-0xEFE6A0, position ??? (decimal), relative offset = 0x???
00EFEFE0 39 17 52 0B 9.R.
[...] signature_empty (repeated)
00EFEFF0 31 70 F5 05 02 5A C6 F8 81 F8 54 96 2F EF F3 81 1põ..ZÆø.øT–/ïó.
[...]
[...] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00EFFFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ <---- 0x00's filled up to end of file (0x1FE blocks)
```
NOR Example
NOR: cvtrm (0xEC0000 - 0xEFFFFF)
```
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00EC0000 53 43 45 49 FF FF FF FF FF FF FF FF FF FF FF FF SCEIÿÿÿÿÿÿÿÿÿÿÿÿ <---- magic_scei, erased_bytes
[...] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- erased_bytes
00EC3FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- erased_bytes <----- to fill up to 16384 bytes or 0x4000 (0x20 blocks)
00EC4000 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ <---- copyed
00EC4010 0D 20 53 4F EE E8 06 E3 E7 AC 57 E1 E9 64 6C BF . SOîè.ãç¬Wáédl¿ <---- new_hash (0x14 bytes), is the hash of an area that contains the re-encrypted data
00EC4020 ED BE 69 E1 00 00 00 E0 00 00 00 00 00 00 02 09 í¾iá...à........ <---- copyed
00EC4030 00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 02 ................ <---- copyed
00EC4040 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ <---- copyed
[...] 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ <---- copyed
00EC45C0 00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 01 ................ <---- copyed
[...] 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ <---- copyed
00EC4670 00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 00 ................ <---- copyed
[...] 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ <---- copyed
00EC5080 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ <---- copyed
00EC5090 10 70 00 00 02 00 00 01 10 70 00 00 39 00 00 01 .p.......p..9... <---- copyed
00EC50A0 D5 ED B4 4B 73 E2 79 5D CF E7 06 7F 4B 79 4C DC Õí´Ksây]Ïç..KyLÜ <---- re-encrypted data ?
00EC50B0 71 D1 B8 F7 0A 3F CE 1B 09 8B 59 47 7A 1D 2C E4 qѸ÷.?Î..‹YGz.,ä <---- re-encrypted data ?
00EC50C0 69 B2 CF 18 8A B9 04 7E 29 71 A1 2D D8 71 54 01 i²Ï.Š¹.~)q¡-ØqT. <---- re-encrypted data ?
00EC50D0 5B D2 55 4F EB C4 41 41 80 A3 60 A7 75 DA D8 11 [ÒUOëÄAA€£`§uÚØ. <---- re-encrypted data ?
00EC50E0 00 00 00 00 00 00 00 01 00 00 00 00 00 00 04 12 ................ <---- copyed
00EC50F0 04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01 .........p..ÿ... <---- copyed
00EC5100 0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E .ÿ ܤj¡Ó¼6‚.Â{µ^ <---- copyed
00EC5110 9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E ›Íkq«A./„T?k¬á&> <---- copyed
00EC5120 A6 5A F4 AA E6 08 53 E0 71 A4 7D 43 2D 54 D4 F8 ¦Zôªæ.Sàq¤}C-TÔø <---- copyed
00EC5130 5A 21 9B E6 D9 82 6B DB 1C 08 A1 F1 21 E0 F7 A4 Z!›æÙ‚kÛ..¡ñ!à÷¤ <---- copyed
00EC5140 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ <---- copyed
00EC5150 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- copyed
[...] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- copyed
00EDD740 FF FF FF FF FF FF FF FF EF 73 1D 7F 83 F3 DB 0F ÿÿÿÿÿÿÿÿïs..ƒóÛ. <---- copyed
00EDD750 E1 69 26 44 E7 23 5C 88 C7 7C 9B 81 ái&Dç#\ˆÇ|›. <---- copyed
[...] the same hash repeated, with a exception <---- copyed
00EDFFE0 EF 73 1D 7F 83 F3 DB 0F ïs..ƒóÛ. <---- copyed
00EDFFF0 E1 69 26 44 E7 23 5C 88 C7 7C 9B 81 FF FF FF FF ái&Dç#\ˆÇ|›.ÿÿÿÿ <---- copyed
[...] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- erased_bytes
00EE3FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ <---- erased_bytes <----- to fill up to 131072 bytes or 0x20000 (0x100 blocks)
00EE4000 00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04 ....VTRM........ <---- magic_void, magic_vtrm, next_unknown_stuff_len
00EE4010 93 66 A8 50 90 4F 4E 9E FC AA 0C 0C 90 8B 96 DD “f¨P.ONžüª...‹–Ý <---- SRH ? (secure root hash)
00EE4020 0E 14 91 99 00 00 00 E0 00 00 00 00 00 00 02 09 ..‘™...à........ <---- 0xE0 = number of blocks ?
00EE4030 00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 02 ................
00EE4040 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ <---- index_table start (table_size = 0x1048, entry_size = 0x8, entry_number = 0x209)
[...] 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................
00EE45C0 00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 01 ................ <---- exception at position 178 (decimal), relative offset 0x588
[...] 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................
00EE4670 00 00 00 00 00 00 04 12 00 00 00 00 00 00 00 00 ................ <---- exception at position 200 (decimal), relative offset 0x638
[...] 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................
00EE5080 00 00 00 00 00 00 04 12 00 00 00 00 00 00 04 12 ................ <---- data_table start (table_size = 0x186C0, entry_size = 0x60, entry_number = 0x412)
00EE5090 10 70 00 00 02 00 00 01 10 70 00 00 39 00 00 01 .p.......p..9... <---- lpar_auth_id, prog_auth_id
00EE50A0 D8 71 79 C4 C0 2B 74 A1 C9 50 AC 82 4D 94 4A D0 ØqyÄÀ+t¡ÉP¬‚M”JÐ
00EE50B0 63 85 24 87 7D 4D 0D E4 9A 29 E6 6F 4B FA B7 19 c…$‡}M.äš)æoKú·.
00EE50C0 53 F2 E7 DA 64 F5 31 61 FC EC 44 41 A5 AC 10 C2 SòçÚdõ1aüìDA¥¬.
00EE50D0 2A D2 D4 18 E7 2F BA 15 79 8E D9 C1 64 4A 6C 91 *ÒÔ.ç/º.yŽÙÁdJl‘
00EE50E0 00 00 00 00 00 00 00 01 00 00 00 00 00 00 04 12 ................
00EE50F0 04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01 .........p..ÿ... <---- lpar_auth_id, prog_auth_id
00EE5100 0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E .ÿ ܤj¡Ó¼6‚.Â{µ^
00EE5110 9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E ›Íkq«A./„T?k¬á&>
00EE5120 A6 5A F4 AA E6 08 53 E0 71 A4 7D 43 2D 54 D4 F8 ¦Zôªæ.Sàq¤}C-TÔø
00EE5130 5A 21 9B E6 D9 82 6B DB 1C 08 A1 F1 21 E0 F7 A4 Z!›æÙ‚kÛ..¡ñ!à÷¤
00EE5140 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ <---- free data slots start
00EE5150 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00EFD740 FF FF FF FF FF FF FF FF EF 73 1D 7F 83 F3 DB 0F ÿÿÿÿÿÿÿÿïs..ƒóÛ. <---- signature_table start (table_size = 0x28B4, entry_size = 0x14, entry_number = 0x209)
00EFD750 E1 69 26 44 E7 23 5C 88 C7 7C 9B 81 ái&Dç#\ˆÇ|›.
[...] signature_empty (repeated)
[...] the same hash repeated, with a exception
[...] signature_dummy (exception) at 0xEFE6D4-0xEFE6E7, position 200 (decimal), relative offset = 0xF8C
00EFFFE0 EF 73 1D 7F 83 F3 DB 0F ïs..ƒóÛ.
[...] signature_empty (repeated)
00EFFFF0 E1 69 26 44 E7 23 5C 88 C7 7C 9B 81 FF FF FF FF ái&Dç#\ˆÇ|›.ÿÿÿÿ <---- erased_bytes <----- to fill up to 114688 bytes or 0x1C000 (0xE0 blocks)
```