Talk:Flash: Difference between revisions

From PS3 Developer wiki
Line 568: Line 568:
</pre>
</pre>
==== 0D700000 data area ====
==== 0D700000 data area ====
Also found at 0xF700000 (missing cell_ext_os_area header)and 0xCF00000 (with cell_ext_os_area header)
<pre>  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  
<pre>  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  
      
      
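Review bot: the line added under the 0D700000 heading ("Also found at 0xF700000 ... and 0xCF00000 ...") does not say which dump or console each of the two offsets was seen in, although the section it sits in documents one specific console; naming the source of each offset, as the "(sinsizer)" remark further up the page does, would let readers cross-check it. The added line is also missing a space in "header)and".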
Line 585: Line 588:
   0D701FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D701FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
</pre>
</pre>
==== 0D702000 data area ====
==== 0D702000 data area ====
<pre>  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  
<pre>  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  

Revision as of 10:07, 23 April 2013


List of files on NOR Flash (OLD/historic)

Note: this is the old table that defyboy made; a more current one, with absolute values and for all firmware versions, is on the Flash main page.

The following is a list of files stored in NOR Flash

  Name              TOC             Start Offset          End Offset            Size                          Notes
                    Offset  Index   Relative  Absolute    Relative  Absolute
  asecure_loader    0x400   0       0x400     0x810       0x2E800   0x2F010     0x2E800  (190,464 bytes)      aka metldr
  eEID              0x400   1       0x2EC00   0x2F010     0x3EC00   0x3F010     0x10000  (65,636 bytes)       (IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID)
  cISD              0x400   2       0x3EC00   0x3F010     0x3F400   0x3F810     0x800    (2,048 bytes)
  cCSD              0x400   3       0x3F400   0x3F810     0x3FC00   0x40010     0x800    (2,048 bytes)
  trvk_prg0         0x400   4       0x3FC00   0x40010     0x5FC00   0x60010     0x20000  (131,072 bytes)
  trvk_prg1         0x400   5       0x5FC00   0x60010     0x7FC00   0x80010     0x20000  (131,072 bytes)
  trvk_pkg0         0x400   6       0x7FC00   0x80010     0x9FC00   0xA0010     0x20000  (131,072 bytes)
  trvk_pkg1         0x400   7       0x9FC00   0xA0010     0xBFC00   0xC0010     0x20000  (131,072 bytes)
  ros0              0x400   8       0xBFC00   0xC0010     0x7BFC00  0x7C0010    0x700000 (7,340,032 bytes)    Contains CoreOS files
  ros1              0x400   9       0x7BFC00  0x7C0010    0xEBFC00  0xEC0010    0x700000 (7,340,032 bytes)    Contains CoreOS files
  cvtrm             0x400   10      0xEBFC00  0xEC0010    0xEFFC00  0xF00010    0x40000  (262,144 bytes)
  CELL_EXTNOR_AREA  -       -       -         0xF20000    -         0xFA0040    0x80040  (524,352 bytes)
  bootldr           -       -       -         0xFC0000    -         0xFEEAF0    0x2EAF0  (191,216 bytes)      End @ FEF170, FEF570, FEF5F0, FEF600 in some dumps




new metldr.2

Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù 
  00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00000840  00 00 0F 8E 6E D7 BC D8 1F 11 EA 34 42 5F 9B 9D  ...Žn×¼Ø..ê4B_›.
  00000850  00 00 0F 8E 8C 21 5D 5F D0 B4 50 07 6A DD 21 DF  ...ŽŒ!]_дP.jÝ!ß
 
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0002F070  00 00 00 01 00 85 00 0B 10 24 39 B7 2C BA A8 5E  .....…...$9·,º¨^

vflash partition table

Done some work on decoding region 2 today:
Region 2 seems to = vflash partition table? These might be the first 2 regions?
partition table is 4096 bytes.
Format:
16 bytes 00's
16 bytes magic: 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE
8 bytes 0x03
8 bytes 0x02 (number of partitions?)
144 bytes 00's
Partition entries:
8 bytes entry point (entry point * 0x200) relative to 0x00 on flash
8 bytes entry length (entry length * 0x200)
32 bytes 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03
96 bytes 00's
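
The layout in the notes above, written out as a validating parser. This is an added example, not code from the wiki or from any PS3 tool. It assumes the 8-byte fields are big-endian and follows the notes' guess that the second one is the partition count; vf_parse, vf_make_sample and the sample values are made up for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VF_TABLE   4096u   /* "partition table is 4096 bytes" */
#define VF_SECTOR  0x200u  /* unit of the start and length fields */
#define VF_HEADER  192u    /* 16 + 16 + 8 + 8 + 144 bytes */
#define VF_ENTRY   144u    /* 8 + 8 + 32 + 96 bytes */

struct vf_part { uint64_t start, length; };   /* both in bytes */

static const uint8_t VF_MAGIC[16] = {
    0x00, 0x00, 0x00, 0x00, 0x0F, 0xAC, 0xE0, 0xFF,
    0x00, 0x00, 0x00, 0x00, 0xDE, 0xAD, 0xFA, 0xCE };

static uint64_t rd_be64(const uint8_t *p)   /* assumption: big-endian */
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static void wr_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--, v >>= 8)
        p[i] = (uint8_t)v;
}

/* Returns the partition count, or a negative error: -1 short buffer,
   -2 bad leading zeros or magic, -3 bad count, -4 entry outside flash. */
int vf_parse(const uint8_t *t, size_t len, uint64_t flash_size,
             struct vf_part *out, size_t out_max)
{
    if (len < VF_TABLE)
        return -1;
    for (size_t i = 0; i < 16; i++)
        if (t[i] != 0)
            return -2;
    if (memcmp(t + 16, VF_MAGIC, sizeof VF_MAGIC) != 0)
        return -2;
    uint64_t count = rd_be64(t + 40);   /* "number of partitions?" */
    if (count > (VF_TABLE - VF_HEADER) / VF_ENTRY || count > out_max)
        return -3;

    uint64_t max_sectors = flash_size / VF_SECTOR;
    for (uint64_t i = 0; i < count; i++) {
        /* only the first 16 bytes of each 144-byte entry are decoded */
        const uint8_t *e = t + VF_HEADER + i * VF_ENTRY;
        uint64_t start = rd_be64(e), n = rd_be64(e + 8);
        /* Compare in sectors so the * 0x200 below cannot wrap. */
        if (start > max_sectors || n > max_sectors - start)
            return -4;
        out[i].start = start * VF_SECTOR;
        out[i].length = n * VF_SECTOR;
    }
    return (int)count;
}

/* Constructed sample, not taken from a dump: two made-up entries. */
void vf_make_sample(uint8_t *t)
{
    memset(t, 0, VF_TABLE);
    memcpy(t + 16, VF_MAGIC, sizeof VF_MAGIC);
    wr_be64(t + 32, 3);
    wr_be64(t + 40, 2);
    wr_be64(t + VF_HEADER, 0x8);                   /* start  -> 0x1000 */
    wr_be64(t + VF_HEADER + 8, 0x7800);            /* length -> 0xF00000 */
    wr_be64(t + VF_HEADER + VF_ENTRY, 0x7808);     /* start  -> 0xF01000 */
    wr_be64(t + VF_HEADER + VF_ENTRY + 8, 0x400);  /* length -> 0x80000 */
}

int main(void)
{
    static uint8_t t[VF_TABLE];
    struct vf_part p[27];
    vf_make_sample(t);
    int n = vf_parse(t, sizeof t, 0x10000000ull, p, 27);
    for (int i = 0; i < n; i++)
        printf("partition %d: start 0x%llx length 0x%llx\n", i,
               (unsigned long long)p[i].start, (unsigned long long)p[i].length);
    return n < 0;
}
```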




Dumping your flash

There are several ways to dump your flash; choose the one that best fits you. Some people are studying the flash. If you can help by providing a dump (especially if you have a debug console), look for them on IRC, EFnet #ps3dev.

Payload

Uncomment dump_dev_flash() in graf_payloads, then compile and run the payload.

See Graf's_PSGroove_Payload for more info.

Linux

Using graf_chokolo kernel with /dev/ps3nflasha access

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024

Hardware

see Hardware flashing

Dump NAND/NOR from GameOS

precompiled : dump_flash.pkg // backup/mirror: dump_flash.pkg (70.48 KB)
source: dump_flash-src.rar (2.33 KB)

Make sure USB stick is FAT32 with enough free space (16MB per NOR dump, 256MB per NAND dump)

remarks:

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

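static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        /* TOC entry i: 0x10-byte TOC header, then 0x30 bytes per entry */
        ptr = pkg + 0x10 + 0x30 * i;

        /* entry layout: u64 offset (relative to pkg), u64 size, 0x20-byte name */
        offset = be64(ptr + 0x00);
        size   = be64(ptr + 0x08);

        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

        /* size is a u64, so print it with a matching format */
        printf("unpacking %s (size: %llu bytes)...\n", name, (unsigned long long)size);
        memcpy_to_file((char *)name, pkg + offset, size);
}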

static void unpack_pkg(void)
{
        u32 n_files;
        u64 size;
        u32 i;

        n_files = be32(pkg + 4);
        size = be64(pkg + 8);

        for (i = 0; i < n_files; i++)
                unpack_file(i);
}

int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* kludge for header, i do not do sanity checks at the moment */
        pkg += 1024;

        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}

Source: http://rms.grafchokolo.com/?p=25

Changed version for Progskeet: http://pastebin.com/HNvCbF7d
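
norunpkg above takes the entry count, offsets, sizes and names straight from the TOC and uses the name as the output file name. The following added example (not part of norunpkg or of this wiki) shows the checks an unpacker can run before writing anything. nor_toc_check, nor_make_sample and the sample image are made up for the illustration, and the rule that file data must start after the entry table is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOC_BASE   0x400u  /* norunpkg's "pkg += 1024" */
#define TOC_HDR    0x10u   /* n_files at +4, size at +8 */
#define TOC_ENTRY  0x30u   /* u64 offset, u64 size, 0x20-byte name */
#define TOC_NAME   0x20u
struct toc_file { uint64_t offset, size; char name[TOC_NAME + 1]; };

static uint64_t rd_be(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | *p++;
    return v;
}

/* The name becomes an output file name, so allow only a non-empty run of
   printable ASCII without path separators, and not "." or "..". */
static int name_ok(const char *s)
{
    if (!*s || !strcmp(s, ".") || !strcmp(s, ".."))
        return 0;
    for (; *s; s++)
        if (*s < 0x21 || *s > 0x7e || *s == '/' || *s == '\\')
            return 0;
    return 1;
}

/* Validate the TOC without writing anything. Returns the entry count, or
   -1 image too small, -2 entry table does not fit, -3 data out of bounds,
   -4 unsafe name. Offsets in out[] stay relative to TOC_BASE. */
int nor_toc_check(const uint8_t *img, size_t len,
                  struct toc_file *out, size_t out_max)
{
    if (len < TOC_BASE + TOC_HDR)
        return -1;
    const uint8_t *pkg = img + TOC_BASE;
    uint64_t avail = len - TOC_BASE;        /* bytes reachable from pkg */
    uint64_t n = rd_be(pkg + 4, 4);
    if (n > out_max || n > (avail - TOC_HDR) / TOC_ENTRY)
        return -2;
    uint64_t table_end = TOC_HDR + n * TOC_ENTRY;
    for (uint64_t i = 0; i < n; i++) {
        const uint8_t *e = pkg + TOC_HDR + i * TOC_ENTRY;
        struct toc_file *f = &out[i];
        f->offset = rd_be(e, 8);
        f->size = rd_be(e + 8, 8);
        memcpy(f->name, e + 0x10, TOC_NAME);
        f->name[TOC_NAME] = '\0';
        /* offset + size may wrap, so test size against what is left */
        if (f->offset < table_end || f->offset > avail ||
            f->size > avail - f->offset)
            return -3;
        if (!name_ok(f->name))
            return -4;
    }
    return (int)n;
}

/* Constructed sample (not a real dump): 0x1000 bytes, two made-up entries. */
void nor_make_sample(uint8_t *img)
{
    memset(img, 0xFF, 0x1000);
    memset(img + TOC_BASE, 0, TOC_HDR + 2 * TOC_ENTRY);
    img[TOC_BASE + 7] = 2;                  /* n_files = 2, big-endian */
    uint8_t *e = img + TOC_BASE + TOC_HDR;
    e[6] = 0x04; e[14] = 0x02; memcpy(e + 0x10, "asecure_loader", 14);
    e += TOC_ENTRY;                         /* offset 0x600, size 0x100 */
    e[6] = 0x06; e[14] = 0x01; memcpy(e + 0x10, "eEID", 4);
}

int main(void)
{
    static uint8_t img[0x1000];
    struct toc_file f[16];
    nor_make_sample(img);
    printf("entries accepted: %d\n", nor_toc_check(img, sizeof img, f, 16));
    return 0;
}
```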

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the next iInputSize bytes of the open eEID file to "<prefix><n>". */
void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
             char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  size_t iRes, iSize;

  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
          iEidCount, (void *) pFile, iInputSize, (unsigned int) iInputSize);

  szBuf = (char *) malloc (iInputSize + 1);
  /* prefix + one decimal digit + terminating NUL */
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);

  if (szBuf == NULL || szFilename == NULL)
    {
      perror ("malloc");
      exit (1);
    }

  iSize = fread (szBuf, iInputSize, 1, pFile);
  if (iSize != 1)
    {
      fputs ("fread: short read\n", stderr);
      exit (1);
    }

  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  if (pOutput == NULL)
    {
      perror ("fopen");
      exit (1);
    }

  iRes = fwrite (szBuf, iInputSize, 1, pOutput);
  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    }

  fclose (pOutput);
  free (szFilename);
  free (szBuf);
}

int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;

  /* Both the eEID file and the output name prefix are required. */
  if (argc != 3)
    {
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }

  pPrefix = argv[2];
  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
      perror ("fopen");
      exit (1);
    }

  /* Reading starts at offset 0x70 inside eEID; the sections follow
     each other with the sizes given below. */
  fseek (pFile, 0x70, SEEK_SET);

  DumpEidData (pFile, 2144, 0, pPrefix);
  DumpEidData (pFile, 672, 1, pPrefix);
  DumpEidData (pFile, 1840, 2, pPrefix);
  DumpEidData (pFile, 256, 3, pPrefix);
  DumpEidData (pFile, 48, 4, pPrefix);
  DumpEidData (pFile, 2560, 5, pPrefix);

  fclose (pFile);
  return 0;
}

Source: http://rms.grafchokolo.com/?p=59




NAND reference

Note: everything beyond VTRM/cell_ext_os_area is pretty much a grey area and needs cross-checking.

NAND reference (euss)

CECHC-04/COK-002 Pal EU launchmodel with OFW 3.15 updated to MFW 3.15 (Euss)

VTRM

   VTRM in NAND: 
    
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
     
   00EC0000  53 43 45 49 56 54 52 4D 00 00 00 00 00 00 00 A8  SCEIVTRM.......¨
   00EC0010  00 00 00 00 00 E8 02 00 00 00 00 00 00 00 00 28  .....è.........(
   00EC0020  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........     <-- 'VTRM' magic header
   00EC0030  FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47  þm.ÄúÕÎÛ“†ü¡2;qG     <-- same value as 00EC0410
   00EC0040  3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 E8 27 80  ;¥ÆùÀ.¶p.....è'€     <-- first part same value as 00EC0410
   00EC0050  00 00 00 00 00 00 00 60 00 00 00 00 00 00 09 20  .......`....... 
   00EC0060  04 00 00 00 02 00 00 05 10 70 00 05 FF 00 00 01  .........p..ÿ...
   00EC0070  0C 1C 05 9C AA B5 97 A5 9C D6 46 2D EA 22 46 BE  ...œªµ—¥œÖF-ê"F¾
   00EC0080  D1 84 A9 1E 34 5F E7 90 55 49 11 82 51 9D 4A 3F  Ñ„©.4_ç.UI.‚Q.J?
   00EC0090  EF 43 19 E8 4F 6A 5B FF DA 31 E9 F0 76 C8 B2 6B  ïC.èOj[ÿÚ1éðvȲk
   00EC00A0  0B A7 47 8E BE 42 28 9F 2B 88 73 0B A5 B6 F2 1D  .§GŽ¾B(Ÿ+ˆs.¥¶ò.
   00EC00B0  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
   00EC00C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC00F0  FF FF FF FF FF FF FF FF 00 00 00 00 00 EB E4 8C  ÿÿÿÿÿÿÿÿ.....ëäŒ
   00EC0100  00 00 00 00 00 00 00 14 39 17 52 0B 31 70 F5 05  ........9.R.1põ.
   00EC0110  02 5A C6 F8 81 F8 54 96 2F EF F3 81 FF FF FF FF  .ZÆø.øT–/ïó.ÿÿÿÿ
   00EC0120  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC03F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EC0400  00 00 00 00 56 54 52 4D 00 00 00 00 00 00 00 04  ....VTRM........
   00EC0410  FE 6D 0B C4 FA D5 CE DB 93 86 FC A1 32 3B 71 47  þm.ÄúÕÎÛ“†ü¡2;qG     <-- same value as 00EC0030
   00EC0420  3B A5 C6 F9 C0 00 B6 70 00 00 00 00 00 00 04 90  ;¥ÆùÀ.¶p........     <-- first part same value as 00EC0040
   00EC0430  00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 03  ....... ........     <-- pattern exception
   00EC0440  00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC1930  00 00 00 00 00 00 00 01 00 00 00 00 00 00 09 20  ...............      <-- pattern exception
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC21F0  00 00 00 00 00 00 00 02 00 00 00 00 00 00 09 20  ...............      <-- pattern exception
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC24F0  00 00 00 00 00 00 09 20 00 00 00 00 00 00 00 00  ....... ........
    [...]    00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC28B0  00 00 00 00 00 00 09 20 00 00 00 00 00 00 09 20  ....... .......      <-- repetitive pattern until 00EC0440 with some exceptions
   00EC28C0  00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01  ....... .p......
   00EC28D0  10 70 00 00 39 00 00 01 22 66 39 B3 0E 7A 1C E7  .p..9..."f9³.z.ç
   00EC28E0  68 85 F9 94 A8 30 BE C4 0B 85 D0 92 1E C0 8F 28  h…ù”¨0¾Ä.…Ð’.À.(
   00EC28F0  7F 70 ED 15 D6 22 06 24 D9 08 64 0B C0 D7 97 29  .pí.Ö".$Ù.d.À×—)
   00EC2900  BE A1 FE 91 D1 F2 D4 88 25 EF 24 86 E0 A3 CB 98  ¾¡þ‘ÑòÔˆ%ï$†à£Ë˜
   00EC2910  AF 17 6F B1 64 A0 56 E5 00 00 00 00 00 00 00 01  ¯.o±d Vå........
   00EC2920  00 00 00 00 00 00 09 20 10 70 00 00 02 00 00 01  ....... .p......
   00EC2930  10 70 00 00 03 00 00 02 F9 D9 6A 84 0C F2 D8 E7  .p......ùÙj„.òØç
   00EC2940  D4 44 5C 3C DF D5 DF 0F B8 DC 3E 81 9A A4 71 8F  ÔD\<ßÕß.¸Ü>.š¤q.
   00EC2950  0A A8 8B 90 1B 2C A1 D1 66 84 AA EE 65 D1 46 9A  .¨‹..,¡Ñf„ªîeÑFš
   00EC2960  D7 38 83 F2 78 47 D1 8E E5 FA EB 39 CF 26 E8 25  ×8ƒòxGÑŽåúë9Ï&è%
   00EC2970  85 DE 3B C6 0B C3 45 D5 00 00 00 00 00 00 00 00  …Þ;Æ.ÃEÕ........
   00EC2980  00 00 00 00 00 00 09 20 04 00 00 00 02 00 00 05  ....... ........
   00EC2990  10 70 00 05 FF 00 00 01 0C 1C 05 9C AA B5 97 A5  .p..ÿ......œªµ—¥
   00EC29A0  9C D6 46 2D EA 22 46 BE D1 84 A9 1E 34 5F E7 90  œÖF-ê"F¾Ñ„©.4_ç.
   00EC29B0  55 49 11 82 51 9D 4A 3F EF 43 19 E8 4F 6A 5B FF  UI.‚Q.J?ïC.èOj[ÿ
   00EC29C0  DA 31 E9 F0 76 C8 B2 6B 0B A7 47 8E BE 42 28 9F  Ú1éðvȲk.§GŽ¾B(Ÿ
   00EC29D0  2B 88 73 0B A5 B6 F2 1D 00 00 00 00 00 00 00 00  +ˆs.¥¶ò.........
   00EC29E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EF94B0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00EF94C0  39 17 52 0B 31 70 F5 05 02 5A C6 F8 81 F8 54 96  9.R.1põ..ZÆø.øT–      <-- 0x14 patterned data (table?)
   00EF94D0  2F EF F3 81 39 17 52 0B 31 70 F5 05 02 5A C6 F8  /ïó.9.R.1põ..ZÆø
    [...]
   00EFEFE0  02 5A C6 F8 81 F8 54 96 2F EF F3 81 39 17 52 0B  .ZÆø.øT–/ïó.9.R.
   00EFEFF0  31 70 F5 05 02 5A C6 F8 81 F8 54 96 2F EF F3 81  1põ..ZÆø.øT–/ïó.
   00EFF000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00EFF010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [...]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00EFFFE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00EFFFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

post VTRM / pre cell_ext_os_area

00F00000 data area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
     
   00F00000  2E B1 47 93 21 AD 45 5C 5B 32 A7 A7 E1 25 04 D0  .±G“!­E\[2§§á%.Ð
   00F00010  24 45 E1 7E 3C 38 AE 4A 1C 25 21 5B 05 2D A9 15  $Eá~<8®J.%![.-©.
    [...]    
   00F00FE0  34 7F 14 93 D2 8D C0 43 06 B7 10 18 BB 28 37 D2  4..“Ò.ÀC.·..»(7Ò
   00F00FF0  5B 11 B4 EB 5F 12 0A 98 BC 2B B4 60 A7 89 6F 84  [.´ë_..˜¼+´`§‰o„
00F01000 unreferenced area
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
     
   00F01000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00F01010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 
   00F3FFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00F3FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

00F40000 data area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
     
   00F40000  7E 8B 60 EE E4 2A 29 09 8F 5A E9 4E B8 7F 1E E2  ~‹`îä*)..ZéN¸..â
   00F40010  F2 B5 7C C7 03 40 5E EC 87 16 04 A2 26 50 7C C9  òµ|Ç.@^ì‡..¢&P|É
    [...]    
   00F401E0  AC D9 A9 C8 BE B7 0E EE 0C E7 1E 73 45 39 70 80  ¬Ù©È¾·.î.ç.sE9p€
   00F401F0  8C 6F 32 06 08 8B CE 3B 80 DE 68 59 D5 25 DD 5A  Œo2..‹Î;€ÞhYÕ%ÝZ
00F40200 unreferenced area
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   00F40200  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00F40210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00F41FE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   00F41FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

00F42000 data area

Offsets of data areas and unreferenced areas vary till 0xD700000! (sinsizer)

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   00F42000  4A 51 35 DF C9 14 A2 40 71 8D 0F 11 8B 50 42 CE  JQ5ßÉ.¢@q...‹PBÎ
   00F42010  28 92 B5 64 57 B0 1E D2 99 22 38 BC 7A 16 6A 83  (’µdW°.Ò™"8¼z.jƒ
    [...]                                                                        large data filled block region
   0C1657E0  D5 D5 EE 71 0A B2 72 41 05 05 0B 08 3A 8A 78 04  ÕÕîq.²rA....:Šx.
   0C1657F0  E9 2F 40 63 AA 3F 23 22 E9 9D B1 4B 54 11 B4 71  é/@cª?#"é.±KT.´q
0C165800 unreferenced area
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   0C165800  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0C165810  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D6C1FE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D6C1FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0D6C2000 data area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   0D6C2000  3B BC 95 72 03 FD 48 1E F2 1C 66 65 0A FB FC EC  ;¼•r.ýH.ò.fe.ûüì
   0D6C2010  0D 61 5C A0 8F 8F 68 5B 05 A3 85 57 29 53 53 4B  .a\ ..h[.£…W)SSK
    [...]    
   0D6C9FE0  74 E5 42 98 6E EE E1 41 24 7B B5 FE B5 42 29 C0  tåB˜nîáA${µþµB)À
   0D6C9FF0  25 05 C0 2B EE 87 50 40 21 EC A6 E7 0D 5A 3C 2A  %.À+î‡P@!ì¦ç.Z<*
0D6CA000 unreferenced area
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   0D6CA000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D6CA010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D6FFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D6FFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0D700000 data area

Also found at 0xF700000 (missing cell_ext_os_area header) and 0xCF00000 (with cell_ext_os_area header)

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   0D700000  0E 23 53 34 75 48 81 0F C4 09 16 4C 6C 37 BA E9  .#S4uH..Ä..Ll7ºé
   0D700010  5F 51 D9 9A E2 BE 4C 71 AF 00 4C 96 33 DB D5 49  _QÙšâ¾Lq¯.L–3ÛÕI
    [...]    
   0D7001E0  8D 4C 8D CD FD D2 B5 52 78 6E 48 B0 88 14 43 36  .L.ÍýÒµRxnH°ˆ.C6
   0D7001F0  DA 88 EF 59 73 96 80 13 31 16 E0 CF EB 99 83 2D  ÚˆïYs–€.1.àÏ뙃-
0D700200 unreferenced area
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
   
   0D700200  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D700210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D701FE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D701FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0D702000 data area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   0D702000  3C E6 76 41 CE A4 82 BD A3 2B 41 26 1E 25 36 D1  <ævAΤ‚½£+A&.%6Ñ
   0D702010  CE B5 51 9C E2 AC A3 DA AB B5 16 13 CA 95 E4 D3  εQœâ¬£Ú«µ..Ê•äÓ
    [...]    
   0D891FE0  C3 CA 0D BB 30 7B D2 9A 6D 13 9C 36 BD E3 64 3A  ÃÊ.»0{Òšm.œ6½ãd:
   0D891FF0  97 FB 9B 9E FE 25 ED 76 FC 77 85 28 C1 CB 37 65  —û›žþ%ívüw…(ÁË7e
0D892000 unreferenced area
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
   
   0D892000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0D892010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E6FFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E6FFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0E700000 data area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   0E700000  C7 D7 77 CD 69 D9 1A EC E4 3C F8 8F 25 A5 3E A9  Ç×wÍiÙ.ìä<ø.%¥>©
   0E700010  3D EC 43 30 89 1F 98 F1 3F BA F6 AF 9B F5 0E B2  =ìC0‰.˜ñ?ºö¯›õ.²
    [...]    
   0E7001D0  09 BC 15 00 64 27 85 8F 0F BC 40 B1 F1 57 61 60  .¼..d'…..¼@±ñWa`
   0E7001E0  A4 2B A9 75 E9 C3 25 49 EC 6B 82 10 EE E1 62 BD  ¤+©uéÃ%Iìk‚.îáb½
   0E7001F0  B1 A9 C1 69 36 69 14 A5 53 A4 6A 43 0F 37 45 E0  ±©Ái6i.¥S¤jC.7Eà
0E700200 unreferenced area
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
   
   0E700200  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E700210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E701FE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E701FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

0E702000 data area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
    
   0E702000  7F 3A 86 47 F3 47 AF CC 28 F2 A7 A5 28 D1 A6 C2  .:†GóG¯Ì(ò§¥(ѦÂ
   0E702010  13 27 01 0A 33 74 05 FC CE E9 83 B8 72 99 29 09  .'..3t.üÎ郸r™).
    [...]    
   0E75A9E0  5D BF 1A 2E 80 FB 32 50 B2 55 42 34 53 F0 4C 09  ]¿..€û2P²UB4SðL.
   0E75A9F0  92 8B 75 84 D5 0E 3C D7 F2 72 43 B0 C9 A4 66 C8  ’‹u„Õ.<×òrC°É¤fÈ
0E75AA00 unreferenced area
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
   
   0E75AA00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E75AA10  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E77FFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E77FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

cell_ext_os_area

Flash:cell_ext_os_area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
   0E780000  63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61  cell_ext_os_area
   0E780010  00 00 00 01 00 00 00 02 00 00 00 04 FF FF FF FF  ............ÿÿÿÿ
   0E780020  00 00 00 01 00 27 F8 40 FF FF FF FF FF FF FF FF  .....'ø@ÿÿÿÿÿÿÿÿ
   0E780030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E780040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   FF filled block region
   0E7801F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E780200  00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF  ....ÿÿÿÿÿÿÿÿÿÿÿÿ
   0E780210  00 00 00 03 FF FF FF FF FF FF FF FF FF FF FF FF  ....ÿÿÿÿÿÿÿÿÿÿÿÿ
   0E780220  00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF  ..........ÿÿÿÿÿÿ
   0E780230  00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF  ............ÿÿÿÿ
   0E780240  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
   0E780250  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   FF filled block region
   0E7803E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E7803F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0E780400  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E780410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [...]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   00 filled block region
   0E7807E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E7807F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

OtherOS

Flash:OtherOS

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   0E780800  1F 8B 08 08 C1 19 04 48 02 03 7A 49 6D 61 67 65  .‹..Á..H..zImage
   0E780810  2E 69 6E 69 74 72 64 2E 70 73 33 2E 62 69 6E 00  .initrd.ps3.bin.
    [...]                                                                        large data area
   0EA00030  FF FE FC FF ED CF FF 07 DE FD A4 A3 A8 88 54 00  ÿþüÿíÏÿ.Þý¤£¨ˆT.
   0EA00040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [...]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   large 00 filled block region
   0EB7FFE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0EB7FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0EB80000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0EB80010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region
   0EFFFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0EFFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

bootldr

Flash:bootldr @ 0xF000000 - 0xF03FFFF

0xF040000 - 0xFFFFFFF

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
   0F040000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0F040010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region (no data in it, only FF)
   0FFFFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0FFFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

NAND reference (bluemimmo)

CECHA-06/COK-001 with 3.60 OFW

cell_ext_os_area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
   0E780000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   note: no cell_ext_os_area, 0CC00000-0FFFFFFF region filled with big blocks of FF
   0E780010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ    because firmware version 3.60 has no otheros.
    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region
   0FFFFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0FFFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ


NAND reference (sinsizer)


Flash Samples

Reference flash dumps

User flashdumps

Here are some samples of NOR Flash for your dissection. These are taken from different consoles (because it is useless to dump different firmware versions, as ROS/RVK will be the same cross-console).

SKU bootldr metldr ROS0 ROS1 Link Note
PS3 Phat:
CECHA
CECHB
CECHC
CECHE
CECHG
CECHH
CECHJ
CECHK
CECHL [1] 3.55-Rogero CECHL03
CECHL [2] 3.56 CECHL03
CECHL [3] 3.70 CECHL03
CECHM
CECHP
CECHQ
PS3 Slim:
CECH-20xx 3.65 3.55 [4] 3.65 CECH-2008 A
CECH-20xx 3.56 3.56 [5] 3.56 CECH-2008 B
CECH-20xx 3.42 3.70 [6] 3.70 CECH-2008 B
CECH-20xx 3.72 4.00 [7] 4.00 CECH-2008 B
CECH-21xx
CECH-25xx 3.66 3.56 [8] 3.60 CECH-2508 B
CECH-25xx 3.66 3.72 [9] 3.72 CECH-2508 B
CECH-30xx

Flash checking / extraction

Community projects

Generic Recommendations

  • The information in this wiki was given freely by many volunteers; it would be most fair to release any program based on it as open source with the community accordingly (tip: public git repo).
  • Please link to ps3devwiki so that others might improve the code and also know on what information it is based as well as other informative pages.
  • Feel free to ask questions on the talkpages when having trouble understanding mainpage or when not knowing what to check for.
  • Make checkers/extractors byte-order aware and byteswap when needed
  • There are several flash dumptypes that can exist (besides the normal full ones):
    • NAND
      • Software dump without any bootldr and with or without masking (old software flashdump and Preloader)
      • Software dump with only one bootldr (Memdump)
      • Hardware dump with both bootldr (normal full dump)
    • NOR
      • Software dumps (Preloader)
      • Hardware dumps (normal full dump)
  • Do not take shortcuts. Make users aware if any section is not checked (yet)
  • Use dynamic sections whenever possible (will make it easier to port from NAND <> NOR, be more robust in checking, make it more future/history proof)
  • Check if data/file sections are uninterrupted (by repeated runs of 00 or FF)
  • Check for known static values
  • When values are semistatic, consider checking with wildcard/range masks
  • Make the user aware of any anomalies (in red/bold)
  • Output generic information (version, console info, minver etc)
  • Check for downgradeability
  • Check statistics in range with known FW versions (3.55 is considered base on wiki unless documented)
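
Two of the recommendations above (byte-order awareness and finding 00/FF fill inside sections) as an added example, not code from the wiki or from any existing checker. The 0x200 block size follows the alignment of the areas listed in the NAND reference, and treating a byteswapped dump as one with every byte pair exchanged is an assumption; the function names and the sample image are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum fill { DATA, FILL_00, FILL_FF };
struct region { size_t start, end; enum fill kind; };   /* [start, end) */

/* A block is fill only if every byte is 0x00 or every byte is 0xFF. */
static enum fill classify(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != p[0] || (p[0] != 0x00 && p[0] != 0xFF))
            return DATA;
    return p[0] ? FILL_FF : FILL_00;
}

/* Walk the image in `block`-sized steps, merging neighbours of the same
   kind. Returns the number of regions written to out (at most max). */
size_t map_regions(const uint8_t *img, size_t len, size_t block,
                   struct region *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; block && off < len; off += block) {
        size_t chunk = len - off < block ? len - off : block;
        enum fill k = classify(img + off, chunk);
        if (n && out[n - 1].kind == k) {
            out[n - 1].end = off + chunk;   /* extend the current run */
            continue;
        }
        if (n == max)
            break;
        out[n++] = (struct region){ off, off + chunk, k };
    }
    return n;
}

/* Search for an even-length marker as stored and with every byte pair
   swapped. Returns 1 (as stored), 2 (pair-swapped) or 0; *at is valid
   only when the result is non-zero. */
int find_marker(const uint8_t *img, size_t len, const char *marker, size_t *at)
{
    uint8_t sw[64];
    size_t m = strlen(marker);
    if (m == 0 || m % 2 || m > sizeof sw)
        return 0;
    for (size_t i = 0; i < m; i += 2) {
        sw[i] = (uint8_t)marker[i + 1];
        sw[i + 1] = (uint8_t)marker[i];
    }
    for (size_t off = 0; off + m <= len; off += 2) {
        *at = off;
        if (!memcmp(img + off, marker, m))
            return 1;
        if (!memcmp(img + off, sw, m))
            return 2;
    }
    return 0;
}

/* Constructed 0x2000-byte sample, not a real dump; swapped when asked. */
void make_sample(uint8_t *img, int pair_swapped)
{
    memset(img, 0xFF, 0x2000);
    for (size_t i = 0; i < 0x400; i++)
        img[i] = (uint8_t)(i * 37 + 11);
    memcpy(img + 0x1000, "cell_ext_os_area", 16);
    memset(img + 0x1010, 0x5A, 0x1F0);
    memset(img + 0x1200, 0x00, 0x600);
    for (size_t i = 0; pair_swapped && i < 0x2000; i += 2) {
        uint8_t t = img[i];
        img[i] = img[i + 1];
        img[i + 1] = t;
    }
}

int main(void)
{
    static uint8_t img[0x2000];
    struct region r[16];
    make_sample(img, 0);
    size_t n = map_regions(img, sizeof img, 0x200, r, 16);
    for (size_t i = 0; i < n; i++)
        printf("%06zx-%06zx kind %d\n", r[i].start, r[i].end, (int)r[i].kind);
    return 0;
}
```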