Flash-Main
subject: dump of serial flash MX25L25635FMI-10G for CXD90025G
reference files:
- PS4 NOR Dump 1.06 (without MAC Address & Console-ID)
- PS4 NOR Dump 1.61 (without MAC Address & Console-ID)
- PS4 NOR Dump 1.61 E0 (without MAC Address & Console-ID) that update seems to have fixed a nasty bug on my console, need to do more tests...
- hint for FW 1.61 E0: the FW version is still the same (1.61) and the FW counter is still 3, but it now has E0 added to it.
other reference files:
- PS4 TEST KIT NOR Dump 1.010.031 and 1.500.101 (without MAC Address & Console-ID)
- PS4 #1 NOR Dump 1.1 and 1.51 (without MAC Address & Console-ID)
- PS4 #2 NOR Dump 1.1 and 1.51 (without MAC Address & Console-ID)
notes: Console A and B are two compared consoles from the same region and version. Console C is from region EU, version 1.06.
size: 0x2000000 filesize / 0x1D40000 datasize
statistics: 2.64-2.66% 00's / 11.83% FF's / < 0.38% rest
entropy: 6.96569 (87.0711%) - 7.52856 (94.107%)
Redundancy: 12.9289% - 5.893%
A. Mean: 131072
StdDev: 454103 - 245647
Strings: Flash-Main/strings
observation:
- MAC Address on 0x1C4021, length 6 bytes
- Motherboard Serial on 0x1C8000, length 14 bytes
- Console Serial on 0x1C8030, length 17 bytes
- SKU Version on 0x1C8040, length 15 bytes
- HDD type, P/N and S/N on 0x1C9C00, length 64 bytes
- FW Counter on 0x1CA5D8, length 2 bytes (first byte is the FW Counter, ?second byte is the Patch Counter?)
- FW Version on 0x1CA604, length 4 bytes
sources: GUI Tool for the PS4 NOR Flash PS4_AC1D_Flash-Tool | Libraries Developed for the PS4 NOR flash Usefull_Libraries
other files: Constant offsets and lengths in ALL PS4 blocks -> same_block.txt. I compared over 10 dumps from different firmware versions / consoles. The first value is the offset of the first byte, the second is the length in bytes. All values are in decimal.
Offsets
- 0x0 <- Header
- 0x1000 <- Unk
- 0x2000 <- MBR1
- 0x3000 <- MBR2
- 0x4000 <- sflash0s0x32 (emc_ipl)
- 0x64000 <- sflash0s0x32b (emc_ipl)
- 0xC4000 <- sflash0s0x33 (eap_kbl)
- 0x144000 <- sflash0s0x34 (wifi fw)
- 0x204000 <- sflash0s1.cryptx2 (sam_ipl)
- 0x242000 <- sflash0s1.cryptx2b (sam_ipl)
- 0x280000 <- sflash0s1.cryptx1 (idata)
- 0x300000 <- sflash0s1.cryptx39 (bd_hrl?)
- 0x380000 <- sflash0s1.cryptx6 (Virtual TRM)
- 0x3C0000 <- sflash0s1.cryptx3 (secure loader, secure kernel, secure modules)
- 0x1080000 <- sflash0s1.cryptx3b (secure loader, secure kernel, secure modules)
- 0x1D40000 <- sflash0s1.cryptx40 (blank_region)
Content
0x0
Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 53 4F 4E 59 20 43 4F 4D 50 55 54 45 52 20 45 4E SONY COMPUTER EN
00000010 54 45 52 54 41 49 4E 4D 45 4E 54 20 49 4E 43 2E TERTAINMENT INC.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000020 01 00 00 00 10 00 00 00 18 00 00 00 01 00 00 00 ................
00000030 01 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 ................
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 00000FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x1000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00001000 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 €...............
this differs between firmware versions
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00001010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 00001FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x2000
Magic
- aka MBR1
- ends in 0x3000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00002000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En 00002010 74 65 72 74 61 69 6E 6D 65 6E 74 20 49 6E 63 2E tertainment Inc. (0x90 block)
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000020B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 00002FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x3000
Magic
- aka MBR2
- ends in 0x4000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00003000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En 00003010 74 65 72 74 61 69 6E 6D 65 6E 74 20 49 6E 63 2E tertainment Inc. (0x90 block)
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000030B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 00003FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x4000
SLB2 Magic (MC Stage1)
- aka sflash0s0x32
- ends in 0x64000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............
00004010 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
00004020 01 00 00 00 90 7A 04 00 00 00 00 00 00 00 00 00 .....z..........
00004030 43 30 30 30 30 30 30 31 00 00 00 00 00 00 00 00 C0000001........
00004040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004050 3F 02 00 00 40 00 00 00 00 00 00 00 00 00 00 00 ?...@...........
00004060 43 30 30 30 38 30 30 31 00 00 00 00 00 00 00 00 C0008001........
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00004070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 000041F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x4200
DEADBEEF CAFEBEBE Magic
(similar is at 0x64218 and 0xC4218)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004200 AA F9 8F D4 01 00 55 48 80 00 00 00 xx xx 04 00 ªù.Ô..UH€...... (xx differs on different console with same version)
00004210 00 0C 10 00 00 0C 10 00 DE AD BE EF CA FE BE BE ........Þ¾ïÊþ¾¾
00004220 DE AF BE EF CA FE BE BE F1 F2 F3 F4 F5 F6 F7 F8 Þ¯¾ïÊþ¾¾ñòóôõö÷ø
00004230 AF 46 78 AA E2 C4 4C 90 CA 4B 1B 44 B6 A4 9F 57 ¯FxªâÄL.ÊK.D¶¤ŸW (same on different console with same version)
00004240 9D 24 E1 91 C2 DC 0C 36 55 AE 43 D5 C5 AB 70 BD .$á‘ÂÜ.6U®CÕÅ«p½ (same on different console with same version)
huge encrypted section
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004250 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx (different on different console with same version)
[...] (huge encrypted section)
0004BC80 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx (on different console with same version ends at 00049F1F)
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0004BC90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...]
00063FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
(on different console with same version ends at 00049FFF then a FF filled block until 00063FFF)
0x64000
SLB2 Magic (MC Stage2)
- aka sflash0s0x32b
- ends in 0xC4000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00064000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............
00064010 33 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3...............
00064020 01 00 00 00 10 61 04 00 00 00 00 00 00 00 00 00 .....a..........
00064030 43 30 30 30 30 30 30 31 00 00 00 00 00 00 00 00 C0000001........
00064040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00064050 32 02 00 00 40 00 00 00 00 00 00 00 00 00 00 00 2...@...........
00064060 43 30 30 30 38 30 30 31 00 00 00 00 00 00 00 00 C0008001........
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00064070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 000641F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x64200
DEADBEEF CAFEBEBE Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00064200 AA F9 8F D4 01 00 55 48 80 00 00 00 90 60 04 00 ªù.Ô..UH€....`.. 00064210 00 0C 10 00 00 0C 10 00 DE AD BE EF CA FE BE BE ........Þ¾ïÊþ¾¾ 00064220 DE AF BE EF CA FE BE BE F1 F2 F3 F4 F5 F6 F7 F8 Þ¯¾ïÊþ¾¾ñòóôõö÷ø 00064230 AF 46 78 AA E2 C4 4C 90 CA 4B 1B 44 B6 A4 9F 57 ¯FxªâÄL.ÊK.D¶¤ŸW 00064240 9D 24 E1 91 C2 DC 0C 36 55 AE 43 D5 C5 AB 70 BD .$á‘ÂÜ.6U®CÕÅ«p½ 00064250 CC 6F 6C 5C 8F C9 5C 30 38 F2 72 90 ED 82 C0 BB Ìol\.É\08òr.í‚À» [...]
lots of strings in this huge section, no differences between consoles on same version until 001C4024
0xC4000
SLB2 Magic (EAP_KBL)
- aka sflash0s0x33
- ends in 0x144000
NOTE: This container only consists of one file plus the X800X entry which is present in every BIOS SLB2. The data is extracted twice and just written under two different names: once the TitleID C0010001 is used, and once a string that holds the file name eap_kbl. Both files are identical and are extracted from the same data source.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C4000 53 4C 42 32 01 00 00 00 00 00 00 00 03 00 00 00 SLB2............
000C4010 C6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Æ...............
000C4020 01 00 00 00 20 87 01 00 00 00 00 00 00 00 00 00 .....‡..........
000C4030 43 30 30 31 30 30 30 31 00 00 00 00 00 00 00 00 C0010001........
000C4040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000C4050 01 00 00 00 20 87 01 00 00 00 00 00 00 00 00 00 .....‡..........
000C4060 65 61 70 5F 6B 62 6C 00 00 00 00 00 00 00 00 00 eap_kbl.........
000C4070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000C4080 C5 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 Å...@...........
000C4090 43 30 30 31 38 30 30 31 00 00 00 00 00 00 00 00 C0018001........
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C40A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 000C41F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
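The SLB2 headers dumped at 0x4000, 0x64000 and 0xC4000 share one layout, and the NOTE above (one payload listed under two names) can be read straight out of the entry table. The parser below is an added example, not code from the original page or from any of the tools it links. The field layout and the 0x200 block size are assumptions inferred from the bytes shown on this page, and the sample container is constructed from the header values of the 0xC4000 dump with a zero-filled body.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

MAGIC = b"SLB2"
BLOCK = 0x200       # assumed block size: "start block 1" lands at container + 0x200
HEADER_LEN = 0x20   # magic, version, flags, entry count, total blocks, 12 pad bytes
ENTRY_LEN = 0x30    # start block, size, 8 pad bytes, 32-byte NUL-padded name


@dataclass(frozen=True)
class Entry:
    name: str
    start_block: int
    size: int

    @property
    def offset(self) -> int:
        """Payload offset relative to the start of the container."""
        return self.start_block * BLOCK


def parse_slb2(image: bytes, base: int = 0):
    """Return (version, total_blocks, entries) for the container at `base`."""
    if image[base:base + 4] != MAGIC:
        raise ValueError(f"no SLB2 magic at {base:#x}")
    if base + HEADER_LEN > len(image):
        raise ValueError("truncated header")
    version, _flags, count, total_blocks = struct.unpack_from("<4I", image, base + 4)
    table_end = HEADER_LEN + count * ENTRY_LEN
    container_len = total_blocks * BLOCK
    if table_end > container_len or base + container_len > len(image):
        raise ValueError("entry table or container exceeds the image")
    entries = []
    for i in range(count):
        pos = base + HEADER_LEN + i * ENTRY_LEN
        start, size = struct.unpack_from("<II", image, pos)
        raw_name = image[pos + 16:pos + ENTRY_LEN].split(b"\x00", 1)[0]
        entry = Entry(raw_name.decode("ascii", "replace"), start, size)
        # Reject payloads that overlap the entry table or run past the container.
        if entry.offset < table_end or entry.offset + size > container_len:
            raise ValueError(f"entry {entry.name!r} points outside the container")
        entries.append(entry)
    return version, total_blocks, entries


def find_aliases(entries):
    """Group names that reference the same (start block, size) payload."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e.start_block, e.size)].append(e.name)
    return [names for names in groups.values() if len(names) > 1]


def build_sample() -> bytes:
    """Constructed container using the header values of the 0xC4000 dump."""
    rows = [(1, 0x18720, b"C0010001"), (1, 0x18720, b"eap_kbl"), (0xC5, 0x40, b"C0018001")]
    header = MAGIC + struct.pack("<4I", 1, 0, len(rows), 0xC6) + bytes(12)
    table = b"".join(struct.pack("<II8x32s", s, n, name) for s, n, name in rows)
    return (header + table).ljust(0xC6 * BLOCK, b"\x00")


if __name__ == "__main__":
    _, _, found = parse_slb2(build_sample())
    for e in found:
        print(f"{e.name:<10} offset=+{e.offset:#07x} size={e.size:#x}")
    print("aliases:", find_aliases(found))
```

With the container at 0xC4000, the first payload starts at 0xC4200 and ends at 0xDC920, which is where the dump on this page switches to the 00 filled region.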
0xC4200
DEADBEEF CAFEBEBE Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000C4200 AA F9 8F D4 01 00 55 68 80 00 00 00 A0 86 01 00 ªù.Ô..Uh€....†.. 000C4210 00 00 00 62 00 00 00 62 DE AD BE EF CA FE BE BE ...b...bÞ-¾ïÊþ¾¾ 000C4220 DE AF BE EF CA FE BE BE F1 F2 F3 F4 F5 F6 F7 F8 Þ¯¾ïÊþ¾¾ñòóôõö÷ø 000C4230 E6 D5 56 90 B0 E0 FD 52 28 7F 2A 4A 76 F9 13 E1 æÕV.°àýR(.*Jvù.á 000C4240 AE AF 02 68 D8 FF E6 F3 DD 0C B0 C0 F5 A3 4C DD ®¯.hØÿæóÝ.°Àõ£LÝ 000C4250 37 5B 14 86 19 1A 9E 70 F0 B9 F4 6D AB 34 93 4B 7[.†..žpð¹ôm«4“K [...] 000DC910 54 E2 F7 6E BD C9 D2 2E 12 9C 3F CC 3D 67 7A 1E Tâ÷n½ÉÒ..œ?Ì=gz.
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000DC920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 00143FE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x144000
SLB2 Magic (Wifi/BT)
wifi/bluetooth chipset firmware
- aka sflash0s0x38
- ends in 0x1C4000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00144000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00144010 71 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 q............... 00144020 01 00 00 00 A8 DD 06 00 00 00 00 00 00 00 00 00 ....¨Ý.......... 00144030 43 30 30 32 30 30 30 31 00 00 00 00 00 00 00 00 C0020001........ 00144040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00144050 70 03 00 00 40 00 00 00 00 00 00 00 00 00 00 00 p...@........... 00144060 43 30 30 32 38 30 30 31 00 00 00 00 00 00 00 00 C0028001........
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00144070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] 00 filled region 001441F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
No DeadBeef CafeBebe Magic on this SLB2
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00144200 01 00 00 00 00 00 00 00 00 04 00 00 00 94 51 1A .............”Q.
00144210 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 .ðŸå.ðŸå.ðŸå.ðŸå
00144220 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 .ðŸå.ðŸå.ðŸå.ðŸå
00144230 10 82 0E 20 CC 68 00 00 50 68 00 00 54 68 00 00 .‚..Ìh..Ph..Th..
00144240 AC 68 00 00 B0 68 00 00 B4 68 00 00 B8 68 00 00 ¬h..°h..´h..¸h..
00144250 C5 68 00 00 00 00 00 EA 70 00 00 EA 28 00 8F E2 Åh.....êp..ê(..â
00144260 00 0C 90 E8 00 A0 8A E0 00 B0 8B E0 01 70 4A E2 ..Zái.....ºè.àOâ
00144270 0B 00 5A E1 69 00 00 0A 0F 00 BA E8 14 E0 4F E2 ...ã.ðG..ÿ/á°...
00144280 01 00 13 E3 03 F0 47 10 13 FF 2F E1 B0 7F 04 00 .€...À.â.ÿ/áŠ..x
00144290 A0 80 04 00 01 C0 8F E2 1C FF 2F E1 8A 18 03 78 .0œ.¤..Ñ.x.0...Ñ
[...] seems to be decrypted [...] more than 60% of the strings found [...] are from that SLB2 Flash-Main/strings
0x1445F0
Z Sign
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001445C0 1E FF 2F E1 F0 B5 85 B0 C0 46 C0 46 05 00 0C 00 .ÿ/áðµ…°ÀFÀF.... 001445D0 47 F0 74 EA 00 20 01 95 02 94 C0 46 C0 46 03 90 Gðtê...•.”ÀFÀF.. 001445E0 01 A8 FF F7 B2 EE 04 00 01 A8 0D 00 00 93 03 C8 .¨ÿ÷²î...¨...“.È
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001445F0 16 00 C0 46 C0 46 C0 46 C0 46 06 F0 48 EB 00 21 ..ÀFÀFÀFÀF.ðHë.! 00144600 08 00 C0 46 C0 46 07 00 FF F7 58 EF D2 2F 02 AC ..ÀFÀF..ÿ÷XïÒ/.¬ 00144610 01 00 00 00 FC 03 00 00 00 04 00 00 5A EF 5E 13 ....ü.......Zï^. 00144620 04 90 00 21 07 60 08 00 FF F7 5A FF 41 1C 04 98 ...!.`..ÿ÷ZÿA..˜ 00144630 41 60 00 21 08 00 C0 46 C0 46 01 00 04 98 81 60 A`.!..ÀFÀF...˜.` 00144640 00 21 08 00 C0 46 C0 46 01 00 04 98 C1 60 00 21 .!..ÀFÀF...˜Á`.! 00144650 08 00 C0 46 C0 46 01 00 04 98 01 61 C0 46 C0 46 ..ÀFÀF...˜.aÀFÀF 00144660 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 ÀFÀFÀFÀFÀFÀFÀFÀF 00144670 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 ÀFÀFÀFÀFÀFÀFÀFÀF
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00144680 00 9B 05 B0 20 00 04 9C 29 00 32 00 A6 46 F0 BC .›.°...œ).2.¦Fð¼ 00144690 01 B0 70 47 10 B5 C0 46 C0 46 00 20 C0 46 C0 46 .°pG.µÀFÀF..ÀFÀF 001446A0 C0 46 C0 46 C0 46 C0 46 10 BC 08 BC 18 47 00 00 ÀFÀFÀFÀF.¼.¼.G..
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001446B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
[...] a lot of code and strings
0018D810 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
0x18D820
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0018D820 08 08 08 08 08 08 08 08 08 08 08 08 02 02 02 02 ....|.......¿4.ß
0018D830 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
0018D840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018D850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018D860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018D870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018D880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018D890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018D8A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018D8B0 00 62 74 5F 73 64 69 6F 00 77 6C 61 6E 00 4F 53 .bt_sdio.wlan.OS
0018D8C0 41 00 62 74 5F 68 63 69 00 62 6C 65 6D 62 78 00 A.bt_hci.blembx.
0018D8D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
[...] a lot of code and strings
001B1F80 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
0x1B1F90
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001B1F90 16 0C 00 00 74 29 2E C9 04 00 00 00 00 00 00 00 ....t).É........ 001B1FA0 00 00 00 00 1F DB 8C 18 00 00 00 00 00 00 00 00 .....ÛŒ......... 001B1FB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001B1FC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001B1FD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001B1FE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001B1FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001B2000 01 00 00 00 00 00 00 00 10 82 0E 20 00 00 00 00 .........‚. ....
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001B2010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 001C3FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x1C4000 (Console Main Information)
- AKA NVS or sflash0s0x34
- Ends in 0x200000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C4000 03 02 01 01 02 01 06 01 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ 001C4010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...]
0x1C4021 MAC Address
MAC Address on offset 0x1C4021 6 bytes long.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C4020 01 70 9E 29 33 7A 1B FF FF FF FF FF FF FF FF FF .pž).3zÿÿÿÿÿÿÿÿÿ MAC-Address 001C4030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C4040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF 26 E8 ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ&è 0x26 0xE8 differs between consoles on same version 001C4050 04 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C4060 03 01 01 02 02 FF FF FF FF FF FF FF FF FF FF FF .....ÿÿÿÿÿÿÿÿÿÿÿ 001C4070 FF FF FF FF FF FF 01 FF FF FF 00 00 00 00 00 00 ÿÿÿÿÿÿ.ÿÿÿ...... 001C4080 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C4090 FF FF FF FF FF FF 00 00 00 FF 00 00 FF FF FF FF ÿÿÿÿÿÿ...ÿ..ÿÿÿÿ 001C40A0 FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 39 ÿÿÿÿÿÿÿÿÿÿÿÿ...9 [...]
0x1C47F0 Constant
Every dump I checked has those constant bytes.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C47F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF BE CC ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¾Ì 001C4800 FF 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿ.ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C4810 00 61 00 60 00 02 00 48 00 47 00 02 00 48 00 47 .a.`...H.G...H.G 001C4820 00 02 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C4830 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C4840 FF FF FF FF FF FF FF FF FF FF FF FF 00 01 FF FF ÿÿÿÿÿÿÿÿÿÿÿÿ..ÿÿ 001C4850 FF FF FF FF CD 00 FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÍ.ÿÿÿÿÿÿÿÿÿÿ 001C4860 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C4870 00 50 00 00 00 08 00 00 80 00 00 00 FF FF FF FF .P......€...ÿÿÿÿ 001C4880 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C4890 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C48A0 00 50 00 00 00 09 00 00 00 00 45 00 00 00 90 00 .P........E..... 001C48B0 00 3B 00 00 00 05 00 00 05 00 00 00 FF FF FF FF .;..........ÿÿÿÿ 001C48C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...]
0x1C4FF0
Console A, B | Console C |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C4FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF B9 29 ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¹) 001C5000 00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04 ..ÿ...ÿ......... 001C5010 00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ..ÿÿÿÿÿÿ........ 001C5020 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5030 xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00 ................ xx differs between consoles on same version 001C5040 xx 00 00 00 xx 00 00 00 xx 00 00 00 00 00 00 00 ................ " 001C5050 xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00 $...%...=....... " 001C5060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C4FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF B9 29 ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¹) 001C5000 00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04 ..ÿ...ÿ......... 001C5010 00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ..ÿÿÿÿÿÿ........ 001C5020 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5030 22 00 00 00 20 00 00 00 3D D6 00 00 00 00 00 00 ".......=Ö...... 001C5040 09 00 00 00 09 00 00 00 54 EB 02 00 00 00 00 00 ........Të...... 001C5050 1E 00 00 00 1D 00 00 00 B9 C1 03 00 00 00 00 00 ........¹Á...... 001C5060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] |
0x1C5200
Console A, B | Console C |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C5200 xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx ..........ÿ..... xx differs between consoles on same version 001C5210 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ " 001C5220 xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx ..........ÿ..... " 001C5230 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ " 001C5240 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 001C5250 xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ " 001C5260 xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx ..........ÿ..... " 001C5270 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ " 001C5280 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 001C5290 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ " |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C5200 03 00 81 80 57 C3 B3 03 04 10 FF 00 00 01 00 00 ...€Wó...ÿ..... 001C5210 09 00 09 00 FF FF 00 23 FF FF FF FF FF FF FF FF ....ÿÿ.#ÿÿÿÿÿÿÿÿ 001C5220 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5230 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5240 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5250 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5260 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5270 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5280 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C5290 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C52A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 001C5FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C6000 (Retail & Dev/Test)
This seems to grow over time: 8 0x00 bytes are added for every new "whatever".
Console A, B | Console C |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C6000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version 001C6010 xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ " |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C6000 FF 51 21 6D 66 1C 00 03 FF FF FF FF FF FF FF FF ÿQ!mf...ÿÿÿÿÿÿÿÿ 001C6010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ |
0x1C7000
same on different consoles on same version
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C7000 03 09 FC 00 00 00 00 00 00 00 00 00 00 00 00 00 ..ü............. 001C7010 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001C7020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001C7030 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ 001C7040 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .ÿ..............
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C7050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 001C7FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C8000 MotherBoard Serial
Length = 14 bytes.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C8000 34 30 30 30 31 42 30 31 38 35 39 31 37 37 FF FF 40001B01859177ÿÿ Motherboard Serial
0x1C8010 Unk
Length = 16 bytes.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C8010 63 09 72 20 71 DB 7C 69 AC FE D8 92 89 BA 23 04 c.r.qÛ|i¬þØ’‰º#. " 001C8020 00 00 00 25 00 00 0A 93 00 01 00 00 00 00 07 10 ...%...“........
0x1C8030 Console Serial
Length = 17 bytes.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C8030 30 33 32 37 34 35 32 32 32 34 35 37 39 36 36 30 0327452224579660 Console Serial
001C8040 32 2
0x1C8041 SKU Model
Length = varies.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C8040 43 55 48 2D 31 30 30 34 41 20 42 30 31 58 FF CUH-1004A B01Xÿ SKU Model 001C8050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C8060 Unk
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C8060 30 30 30 33 30 30 30 33 30 30 31 36 30 30 31 38 0003000300160018 001C8070 30 30 30 37 30 30 30 31 30 30 30 31 30 30 30 31 0007000100010001 001C8080 30 30 30 31 30 30 30 32 30 30 33 31 30 30 31 35 0001000200310015 001C8090 30 30 32 33 30 30 34 31 52 17 D2 4C C8 49 01 30 00230041R.ÒLÈI.0 001C80A0 33 E0 41 43 72 C3 F1 64 07 8F 31 80 00 00 00 C2 3àACrÃñd..1€... 001C80B0 01 01 01 01 06 06 06 06 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ 001C80C0 30 30 30 30 30 FF FF FF FF FF FF FF FF FF FF FF 00000ÿÿÿÿÿÿÿÿÿÿÿ
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C80D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 001C87C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C87D0
within a FF block these are found on both consoles:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C87D0 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 ................ 001C87E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C87F0 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C8800 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C9020 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C9080 ACF (Dev/Test)
Length = 104 bytes. (0x68)
There is a structure which I found out.
First you have the ACF magic, 4 bytes: 0x61 0x63 0x66 0x00.
After that, each record starts with 4 constant bytes, followed by a value of constant length.
0x01020000 (reversed 0x00002001) followed by 16 bytes.
0x03000000 (reversed 0x00000003) followed by 8 bytes.
The 8 byte structure is as follows:
- 4 bytes -> start activation date (timestamp, little endian)
- 4 bytes -> end activation date (timestamp, little endian, exactly 90 days after)
0x00000000 (reversed 0x00000000) followed by 64 bytes.
Only on Testkit/Devkit, seems to be a(ctivation) c(ontrol) f(lags) (speculative, needs to be studied):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9080 61 63 66 00 01 02 00 00 D6 B1 DA DE C7 82 7A A4 acf.....Ö±ÚÞÇ‚z¤
001C9090 21 AE 4E D0 D9 BF B1 1A 03 00 00 00 11 55 E2 52 !®NÐÙ¿±......UâR
001C90A0 11 FC 58 53 00 00 00 00 CC B4 CD 3A 0A F5 C0 F4 .üXS....Ì´Í:.õÀô
001C90B0 4F 04 6B C3 95 16 E6 D8 FB 0B F2 56 B0 3B BA 00 O.kÕ.æØû.òV°;º.
001C90C0 26 B0 D3 BA 55 5F B0 40 0F 54 34 22 E1 E4 DA A7 &°ÓºU_°@.T4"áäÚ§
001C90D0 D1 7D EE BC EF 03 3C 23 37 EE 10 EB F6 88 1B 85 Ñ}î¼ï.<#7î.ëöˆ.…
001C90E0 35 8F 4B F5 D5 1A C7 3D FF FF FF FF FF FF FF FF 5.KõÕ.Ç=ÿÿÿÿÿÿÿÿ
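A parser for the ACF layout described above, added here as an example (it is not code from the original page or its linked tools). It walks the three tagged records as they are stored in flash, decodes the two little-endian timestamps and reports the validity window. The sample blob is constructed: the two timestamps are the ones visible in the dump above, the 16 and 64 byte opaque values are filler, and treating an all-0xFF area as "no ACF present" is an assumption based on how erased flash reads.

```python
import struct
from datetime import datetime, timezone

ACF_OFFSET = 0x1C9080           # location given on this page
ACF_MAGIC = b"acf\x00"
# (tag bytes as stored in flash, payload length), in the order listed above
RECORDS = [
    (b"\x01\x02\x00\x00", 16),  # opaque 16-byte value
    (b"\x03\x00\x00\x00", 8),   # start / end activation timestamps
    (b"\x00\x00\x00\x00", 64),  # opaque 64-byte value
]
ACF_LEN = len(ACF_MAGIC) + sum(4 + n for _, n in RECORDS)  # 104 = 0x68


def parse_acf(blob: bytes):
    """Parse an ACF area; return None if the area is erased (all 0xFF)."""
    if len(blob) < ACF_LEN:
        raise ValueError("ACF area is shorter than 0x68 bytes")
    blob = blob[:ACF_LEN]
    if blob == b"\xff" * ACF_LEN:
        return None             # assumption: erased flash means no ACF stored
    if blob[:4] != ACF_MAGIC:
        raise ValueError("ACF magic not found")
    pos, payloads = 4, []
    for tag, length in RECORDS:
        if blob[pos:pos + 4] != tag:
            raise ValueError(f"unexpected record tag at +{pos:#x}")
        payloads.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    start, end = struct.unpack("<II", payloads[1])
    if end < start:
        raise ValueError("activation window ends before it starts")
    return {
        "start_raw": start,
        "end_raw": end,
        "start": datetime.fromtimestamp(start, tz=timezone.utc),
        "end": datetime.fromtimestamp(end, tz=timezone.utc),
        "days": (end - start) / 86400,
        "value16": payloads[0],
        "value64": payloads[2],
    }


def read_acf(image: bytes, offset: int = ACF_OFFSET):
    """Parse the ACF area of a full flash image."""
    return parse_acf(image[offset:offset + ACF_LEN])


def build_sample() -> bytes:
    """Constructed ACF blob: timestamps from the dump above, filler elsewhere."""
    window = struct.pack("<II", 0x52E25511, 0x5358FC11)
    parts = [ACF_MAGIC]
    for (tag, length), body in zip(RECORDS, (b"\xaa" * 16, window, b"\xbb" * 64)):
        assert len(body) == length
        parts += [tag, body]
    return b"".join(parts)


if __name__ == "__main__":
    info = parse_acf(build_sample())
    print(info["start"].isoformat(), "->", info["end"].isoformat(), f"({info['days']:g} days)")
```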
0x1C91F0 PerConsole (Retail & Dev/Test)
(0x40 bytes)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C91F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C9200 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version 001C9210 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 001C9220 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 001C9230 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
Console C / FW 1.06 | Console C / FW 1.61 |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C91F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 001C9200 25 75 00 28 A6 7A 16 55 63 77 6F 12 1C 7C 37 9A %u.(¦z.Ucwo..|7š 001C9210 58 11 B2 C3 DA 06 0C 00 9A 53 16 29 E5 65 15 A8 X.²ÃÚ...šS.)åe.¨ 001C9220 44 40 C0 17 DD C5 E1 17 A2 D3 9D 98 A1 9B 97 61 D@À.ÝÅá.¢Ó.˜¡›—a 001C9230 5D 0C 67 B2 89 54 0B 8E 81 29 8E 50 A6 10 79 42 ].g²‰T.Ž.)ŽP¦.yB |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C91F0 FF FF FF FF FF FF FF FF FF FF FF FF E5 E5 E5 01 ÿÿÿÿÿÿÿÿÿÿÿÿååå. 001C9200 25 75 00 28 A6 7A 16 55 63 77 6F 12 1C 7C 37 9A %u.(¦z.Ucwo..|7š 001C9210 58 11 B2 C3 DA 06 0C 00 9A 53 16 29 E5 65 15 A8 X.²ÃÚ...šS.)åe.¨ 001C9220 44 40 C0 17 DD C5 E1 17 A2 D3 9D 98 A1 9B 97 61 D@À.ÝÅá.¢Ó.˜¡›—a 001C9230 5D 0C 67 B2 89 54 0B 8E 81 29 8E 50 A6 10 79 42 ].g²‰T.Ž.)ŽP¦.yB |
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C9240 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 001C9BF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C9900 PerConsole (Dev/Test)
Unique 0x100 byte area (on Testkit Console dump):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C9900 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ [...] 001C9A00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
- xx Changes per dev console
0x1C9C00 HDD P/N and S/N
Checked every single dump I got and it differs. Some dumps have those entries, some do not. Retail or Dev/Test does not matter. My own dumps do not have this information. But I also never changed the original HDD. Maybe it's something like that: only when you change to a new HDD will it write the P/N and S/N of the new HDD into this array.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0x1C9C00 47 48 54 53 48 20 53 54 34 35 30 35 30 35 37 41 GHTSH ST4505057A 0x1C9C10 33 45 30 38 20 20 20 20 20 20 20 20 20 20 20 20 3E08 0x1C9C20 20 20 20 20 20 20 20 20 33 31 39 30 36 31 4D 54 319061MT 0x1C9C30 35 38 33 41 54 34 55 32 4E 47 4C 41 FF FF FF FF 583AT4U2NGLA˙˙˙˙
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001C9C40 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 001C9FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1CA000
Console A, B | Console C |
---|---|
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001CA000 03 20 10 00 01 00 10 00 1C 01 xx 00 00 00 00 00 ................ 001CA010 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA040 00 00 00 00 00 00 00 00 xx 00 00 00 00 00 00 00 ................ xx differs between consoles on same version 001CA050 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA060 00 00 00 00 00 00 00 00 05 00 00 00 xx xx xx xx ................ " 001CA070 xx xx xx xx 02 00 00 00 17 00 00 00 00 00 00 00 ................ " 001CA080 00 00 xx xx 00 00 00 00 xx 00 00 00 00 00 00 00 ................ " 001CA090 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00 ................ 001CA0A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA0B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA0C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA0D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA0E0 4C 2D A7 07 00 00 00 00 30 14 13 00 02 00 17 00 L-§.....0....... |
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001CA000 03 20 10 00 01 00 10 00 1C 01 01 00 00 00 00 00 ................ 001CA010 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA040 00 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 ................ 001CA050 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA060 00 00 00 00 00 00 00 00 04 00 00 00 D2 BA B9 52 ............Òº¹R 001CA070 00 00 00 00 02 00 00 00 17 00 00 00 00 00 00 00 ................ 001CA080 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ 001CA090 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00 ................ 001CA0A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA0B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA0C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA0D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 001CA0E0 1E 6D 67 58 01 01 01 01 01 15 13 00 02 00 17 00 .mgX............ |
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001CA0F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] filled 00 region 001CA5C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x1CA5D0 Region? + Magic? & Incremental? & BIOS Version
At the end of this page there is a list where this information can be compared against other consoles. This will help shed light on these few bytes.
BIOS Incremental? on 0x1CA5D8 | BIOS Version on 0x1CA604 - 4 bytes long
Console A, B:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 34 76 B3 80 02 00 00 00 02 00 00 00 00 00 00 00 4v³€............
001CA5E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA5F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA600 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Console C:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 34 76 B3 80 02 00 00 00 02 00 00 00 00 00 00 00 4v³€............
001CA5E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA5F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA600 FF 00 FF FF 00 00 06 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ....ÿÿÿÿÿÿÿÿ
Console C / FW 1.06:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 34 76 B3 80 02 00 00 00 02 00 00 00 00 00 00 00 4v³€............
001CA5E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA5F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA600 FF 00 FF FF 00 00 06 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ....ÿÿÿÿÿÿÿÿ
Console C / FW 1.61:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 30 76 B3 80 02 00 00 00 03 00 00 00 00 00 00 00 0v³€............
001CA5E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA5F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA600 FF 00 FF FF 00 00 61 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
Console C FW 1.61 E0:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 30 76 B3 80 02 00 00 00 03 E0 00 00 00 00 00 00 0v³€.....à......
001CA5E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA5F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA600 FF 00 FF 00 00 00 61 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
Region? & SKU version?
Console A Dev / Test FW 1.50.10:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 34 77 B3 C0 02 00 00 00 02 00 00 00 00 00 00 00 4w³À............
001CA600 FF 00 FF FF 00 10 50 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ....ÿÿÿÿÿÿÿÿ
Console B Dev / Test FW 1.50:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 34 77 B3 C0 02 00 00 00 03 00 00 00 00 00 00 00 4w³À............
001CA600 FF 00 FF FF 00 00 50 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
Console C Retail FW 1.52:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 B0 76 B3 80 02 00 00 00 03 00 00 00 00 00 00 00 °v³€............
001CA600 FF 00 FF FF 00 00 52 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
Console D Retail FW 1.06:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 34 76 B3 80 02 00 00 00 03 00 00 00 00 00 00 00 4v³€............
001CA600 FF 00 FF FF 00 00 06 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
Console E Retail FW 1.74:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 30 76 B3 80 02 00 00 00 03 00 00 00 00 00 00 00 0v³€............
001CA600 FF 00 FF FF 00 00 74 01 FF FF FF FF FF FF FF FF ÿ.ÿÿ..a.ÿÿÿÿÿÿÿÿ
As long as we have no better understanding of the added 0xE0, I will guess it is a kind of patch counter for that FW. I assume that the 0 will increase if more patches are installed.
NOTE: The first byte of ?Region + SKU Bytes? will differ between consoles. I guess for now that it may describe the region of the console. The 0xB0 is a Brazilian console, whereas 0x30 & 0x34 are, from what I can say, European consoles. (Feel free to correct me.) The following 4 bytes are then always the same for Retail consoles, and for Dev / Test consoles they also match each other.
Retails 0x76 0xB3 0x80 0x02
Dev/Test 0x77 0xB3 0xC0 0x02
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001CA610 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 001CBBF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1CBC00
Console A, B:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CBC00 69 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx i............... xx differs between consoles on same version
001CBC10 A2 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CBC20 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CBC30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CBC40 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CBC50 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
Console C:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CBC00 64 A1 C0 DE FD B3 1F 8B 9A 3E D1 F1 01 E7 D9 CE d¡ÀÞý³.‹š>Ññ.çÙÎ
001CBC10 F7 72 3B 90 33 6D A5 B0 37 CD CA 3F D8 2F F0 0F ÷r;.3m¥°7ÍÊ?Ø/ð.
001CBC20 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CBC30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CBC40 6E 90 C6 F0 5B 96 13 4B F5 B7 AB 4F 23 A2 05 02 n.Æð[–.Kõ·«O#¢..
001CBC50 03 61 99 47 86 D9 B7 6F 8B F5 FE 4A 28 5E 95 A8 .a™G†Ù·o‹õþJ(^•¨
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001CBC60 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 001CDFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1CE000
Console A, B:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE000 00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04 ..ÿ...ÿ.........
001CE010 00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ..ÿÿÿÿÿÿ........
001CE020 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE030 xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00 ........Ë....... xx differs between consoles on same version
001CE040 xx 00 00 00 xx 00 00 00 xx 00 00 00 00 00 00 00 ................ "
001CE050 xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00 ................ "
Console C:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE000 00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04 ..ÿ...ÿ.........
001CE010 00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ..ÿÿÿÿÿÿ........
001CE020 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE030 22 00 00 00 21 00 00 00 3D D6 00 00 00 00 00 00 "...!...=Ö......
001CE040 09 00 00 00 09 00 00 00 54 EB 02 00 00 00 00 00 ........Të......
001CE050 1E 00 00 00 1E 00 00 00 B9 C1 03 00 00 00 00 00 ........¹Á......
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 001CE060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 001CE1F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1CE200
Console A, B:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE200 xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx ..........ÿ..... xx differs between consoles on same version
001CE210 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001CE220 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CE230 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001CE240 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CE250 xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ "
001CE260 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CE270 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001CE280 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CE290 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
Console C:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE200 03 00 81 80 57 C3 B3 03 04 10 FF 00 00 01 00 00 ...€WÃ³...ÿ.....
001CE210 09 00 09 00 FF FF 00 23 FF FF FF FF FF FF FF FF ....ÿÿ.#ÿÿÿÿÿÿÿÿ
001CE220 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE230 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE240 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE250 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE260 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE270 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE280 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE290 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
FF filled
Console A, B:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE2A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001FFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Console C:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE2A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001CEFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CF000 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CF010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001FFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x200000 PerConsole
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00200000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version 00200010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200040 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200060 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200070 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200080 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200090 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002000A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002000B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002000C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002000D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002000E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002000F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200130 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200140 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200150 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200160 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200170 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00200180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ 
" 00200190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002001A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002001B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002001C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002001D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002001E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002001F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00200200 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 00200FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x201000 PerConsole
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00201000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version 00201010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201040 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201060 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201070 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201080 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201090 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002010A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002010B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002010C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002010D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002010E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002010F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201130 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201140 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201150 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201160 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201170 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00201180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ 
" 00201190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002011A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002011B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002011C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002011D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002011E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002011F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00201200 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 00201FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x202000 PerConsole
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00202000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version 00202010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202040 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202060 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202070 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202080 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202090 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002020A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002020B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002020C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002020D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002020E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002020F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202130 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202140 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202150 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202160 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202170 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00202180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ 
" 00202190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002021A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002021B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002021C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002021D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002021E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002021F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00202200 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 00202FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x203000 PerConsole
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00203000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version 00203010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203040 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203060 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203070 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203080 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203090 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002030A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002030B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002030C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002030D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002030E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002030F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203130 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203140 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203150 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203160 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203170 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00203180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ 
" 00203190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002031A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002031B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002031C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002031D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002031E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 002031F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00203200 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 00203FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x204000 Unk DataBlock
huge block
Console A, B:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00204000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
[...] huge block
00222DF0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
(one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F)
Console C:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00204000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
[...] huge block
0029078F xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
(console C datablock ended with 0x29078F)
0x222E00
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00222E00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ xx differs between consoles on same version [...] filled FF region 00241FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ " (one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F)
0x242000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00242000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version [...] huge block 00290780 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " (one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F)
FF filled
both consoles have this FF filled
00290790 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 002907F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x290800
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00290800 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version [...] small block 00290920 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00290930 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 002909F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x290A00
00290A00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version [...] small block 00290AD0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00290AE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 00290BF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x290C00
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00290C00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version [...] small block 00290D50 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00290D60 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 00290DF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x290E00
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00290E00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version 00290E10 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00290E20 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " 00290E30 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00290E40 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 002FFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x300000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00300000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version [...] huge block 0037FFF0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
- bd hrl, likely
0x380000 SCE VTRM Region0 (Retail & Dev/Test)
See also: VTRM
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380000 FC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040 01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00 ....ÿÿÿÿSCEVTRM.
00380050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00380060 00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00 ................
00380070 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x380170 VTRM Region0 Digest? (Retail & Dev/Test)
See also: VTRM
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380170 xx xx xx xx xx xx xx xx ........ xx differs between consoles on same version
00380180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00380190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003801A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003801B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003801C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003801D0 xx xx xx xx xx xx xx xx ........ "
FF filled
0x3A0000 SCE VTRM Region1 (Retail)
See also: VTRM
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380000 03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040 01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00 ....ÿÿÿÿSCEVTRM.
00380050 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
00380060 00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00 ................
00380070 FF FF FF FF FF FF FF FF FE FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x3A0170 VTRM Region1 Digest? (Retail)
See also: VTRM
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A0170 xx xx xx xx xx xx xx xx ........ xx differs between consoles on same version
003A0180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A0190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A01A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A01B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A01C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A01D0 xx xx xx xx xx xx xx xx ........ "
FF filled
0x3A1000
Console A, B:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A01D0 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ
003A01E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
003A1FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Console C:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A0FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003A1000 01 00 00 10 00 00 00 38 00 FF FF FF FF FF FF FF .......8.ÿÿÿÿÿÿÿ
00310010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003A1020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003A1030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003A1040 FF FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF ÿÿÿÿÿÿÿ.ÿÿÿÿÿÿÿÿ
003A1050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
003A1FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x3A2000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 003A2000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version 003A2010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 003A2020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 003A2FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x3A3000
0x1000 datablock
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 003A3000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version [...] small block 003A3FF0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 003A4000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 003BFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x3C0000 (CoreOS)
0x1980000 datablock (sflash0s1.cryptx3 + sflash0s1.cryptx3b)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 003C0000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ [...] huge block with encrypted data ?? Encrypted CoreOS ?? 01D3FFFF xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
0x1D40000
FF filled
end of data was @ 0x1D40000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 01D40000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ [...] filled FF region 01FFFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
eof 0x2000000
FW/BIOS versioning and incremental counting Observation
Following is a list of information about the console's firmware version, the SFlash's BIOS version and this strange (as I guess) incremental counter. I run that list so we can see if my guess of an incremental value is right or not.
The values we list are:
- 0x1CA5D0 (1 Byte) == Region?
- The real Region of your device.
- 0x1CA5D1 (4 Bytes) == SKU?
- The real SKU of your device.
- 0x1C8041 (variety) == The SKU Model string.
- The Firmware version of your console.
- 0x1CA604 (4 Bytes, little endian) == BIOS version.
- 0x1CA5D8 (4 Bytes, each integer16) == Incremental value as Byte.
- The same value but as integer.
- The Console #, so we can see at a glance which value belongs to which console or if they are from different consoles.
- And the last one, the SHA1 checksum of VTRM PerConsole0.
NOTE: If there is information from one and the same console but on different versions, then please mark your console with the next free number and add it, so we can see at a glance which values are from different consoles, which are from the same console, and which value belongs to which console. If the values are from one console and no second value from the same console is already present, then mark it with a minus (-).
Region | Real | SKU | Real | Model | FW | BIOS | Inc Byte | Inc Integer | Con # | VTRM PerConsole0 SHA1 |
---|---|---|---|---|---|---|---|---|---|---|
0x34 | EU | 77 B3 C0 02 | Dev / Test | DUH-T1000AA | 1.50 | 1.50 | 0x03 0x00 0x00 0x00 | 3.0.0.0 | 0 | 46AEDE30098A48BB6A35E392F7A8EB603F3FFCD4 |
0x34 | EU | 77 B3 C0 02 | Dev / Test | DUH-T1000AA | 1.010.031 | 0xFFFFFFFF | / | / | 0 | 46AEDE30098A48BB6A35E392F7A8EB603F3FFCD4 |
0x34 | EU | 77 B3 C0 02 | Dev / Test | DUH-T1000AA | 1.76 | 1.50.10 | 0x03 0xE0 0x00 0x00 | 3.224.0.0 | - | 11F8D58F9D5E6CC34D0E5EA63E656A40C32FB5A3 |
0xB0 | BR | 76 B3 80 02 | Retail | CUH-1001A B01 | 2.50 | 1.52 | 0x03 0xED 0x00 0x00 | 3.237.0.0 | - | 56C205680BFFCB4AA36047F192C9D8C6FDD31294 |
0xB0 | BR | 76 B3 80 02 | Retail | CUH-1001A B01 | 2.50 | 1.52 | 0x03 0xED 0x00 0x00 | 3.237.0.0 | - | 3F85EDAD7BCF9122B456970FDEDB9C1D1802A7A5 |
0xB0 | BR | 76 B3 80 02 | Retail | CUH-1011A B01 | 2.50 | 1.52 | 0x03 0xED 0x00 0x00 | 3.237.0.0 | - | 262E7A39E3F04C91D6820EF5EF0533F0D32BD073 |
0x34 | EU | 76 B3 80 02 | Retail | CUH-1004A B01X | 1.06 | 1.06 | 0x02 0x00 0x00 0x00 | 2.0.0.0 | 1 | A801741B94EAFFAE0CB9F56EB20E7908F9556D45 |
0x30 | EU | 76 B3 80 02 | Retail | CUH-1004A B01X | 1.61 | 1.61 | 0x03 0x00 0x00 0x00 | 3.0.0.0 | 1 | A801741B94EAFFAE0CB9F56EB20E7908F9556D45 |
0x30 | EU | 76 B3 80 02 | Retail | CUH-1004A B01X | 1.62 | 1.61 | 0x03 0xE0 0x00 0x00 | 3.224.0.0 | 1 | A801741B94EAFFAE0CB9F56EB20E7908F9556D45 |
0x30 | EU | 76 B3 80 02 | Retail | CUH-1004A B01X | 1.74 | 1.61 | 0x03 0xE0 0x00 0x00 | 3.224.0.0 | 1 | A801741B94EAFFAE0CB9F56EB20E7908F9556D45 |
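An added example (not part of the original page or of any tool it lists) that pulls the table's columns out of a dump held in memory, using the offsets listed above. The 14-byte model length, the padding bytes stripped from it, the reading of an all-FF counter as the "/" rows, and the names `read_version_fields` and `make_field_sample` are assumptions; the sample image is constructed.

```python
import struct

# Offsets from this page; MODEL_LEN and the stripped padding are assumptions.
OFF_REGION, OFF_SKU, OFF_MODEL, MODEL_LEN = 0x1CA5D0, 0x1CA5D1, 0x1C8041, 14
OFF_COUNTER, OFF_BIOS = 0x1CA5D8, 0x1CA604
# Values seen in the table on this page; anything else is reported as unknown.
REGIONS = {0x30: "EU", 0x34: "EU", 0xB0: "BR"}
SKUS = {"77 B3 C0 02": "Dev / Test", "76 B3 80 02": "Retail"}

def read_version_fields(image: bytes) -> dict:
    """Extract the table's columns from a NOR image held in memory."""
    if len(image) < OFF_BIOS + 4:
        raise ValueError("image too short to hold the version fields")
    region = image[OFF_REGION]
    sku = image[OFF_SKU:OFF_SKU + 4].hex(" ").upper()
    model = image[OFF_MODEL:OFF_MODEL + MODEL_LEN].rstrip(b"\x00\xff ")
    counter = image[OFF_COUNTER:OFF_COUNTER + 4]
    bios = struct.unpack_from("<I", image, OFF_BIOS)[0]  # little endian
    erased = counter == b"\xff" * 4  # assumed meaning of "/" in the table
    return {
        "region": f"0x{region:02X}",
        "region_real": REGIONS.get(region, "unknown"),
        "sku": sku,
        "sku_real": SKUS.get(sku, "unknown"),
        "model": model.decode("ascii", errors="replace"),
        "bios_raw": f"0x{bios:08X}",  # raw value; encoding not decoded here
        "inc_bytes": None if erased else " ".join(f"0x{b:02X}" for b in counter),
        "inc_integer": None if erased else ".".join(str(b) for b in counter),
    }

def make_field_sample(counter: bytes, bios: bytes) -> bytes:
    """Constructed image: FF everywhere except the fields, filled with values
    from the Con # 1 rows of the table. The BIOS bytes are placeholders."""
    img = bytearray(b"\xff" * (OFF_BIOS + 4))
    img[OFF_REGION] = 0x30
    img[OFF_SKU:OFF_SKU + 4] = bytes.fromhex("76B38002")
    img[OFF_MODEL:OFF_MODEL + MODEL_LEN] = b"CUH-1004A B01X"
    img[OFF_COUNTER:OFF_COUNTER + 4] = counter
    img[OFF_BIOS:OFF_BIOS + 4] = bios
    return bytes(img)

if __name__ == "__main__":
    sample = make_field_sample(bytes([0x03, 0xE0, 0x00, 0x00]), bytes(4))
    for key, value in read_version_fields(sample).items():
        print(f"{key:12} {value}")
```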
Software Based Validation
BwE PS4 NOR Validator
Developed by User:BwE, this application is designed to validate the entire NOR flash of the PS4. It will check every byte of the flash and read approximately 1800 specific offsets. Areas that can be repaired easily are labeled as static, meaning they will be the same across all consoles. Dynamic areas change with each firmware revision, the console itself or the model of console. PerConsole areas (such as the majority of the CID) are unable to be modified.
Alternative validations are based on known corruption patterns or expectations. This will be improved with each revision. MD5 validations are based on known valid consoles (or file sizes) and this is why entropy and the above validation are added as supplementation.
There are various table-based validations, which are based on accumulated data from various consoles; these will be improved constantly.
Other validations can use regular expressions, which are, again, based on accumulated data.
The ambiguity of consoles leads to the usefulness of the WARNING result. If it does not pass the expected result and it does not appear explicitly corrupt it will present a warning. Some areas in the NOR are so extremely dynamic that maybe one in 50 consoles will have it, and for the life of me, I don't know why.
My suggestion is to use this program with a cognizance of the ENTIRETY of the results. If for example the flash presents a low entropy and various warnings throughout, this is a bad sign. If the console has perfect entropy but a large (0x1000) corrupted area then I would also see this as a very bad sign. If there are a few danger results in the filler data, I would not worry too much.
Eventually this program will be more and more reliable. Use it, report your results and help develop it!
The program also features extraction of the NOR, byte reversal and statistics.
As of 1.1 it does not support Dev/Test consoles, but will in the future (most of the code is already in the program).
Version History:
- 1.3.3 (24/1/19) Reworked And Improved Both CID And UNK Sections Again, Added More MD5's, Added Application Version Checker, Removed Colored Bars, Added Comparator & Other Improvements Throughout.
- 1.3.1 (19/1/19) Added More Validations & MD5's, Repaired Minor Bug.
- 1.3 (15/1/19) Completely Reworked And Improved The CID Section And Added Additional Validations To The UNK Section & I Also Improved Some Other Validations Throughout.
- 1.2.6 (18/12/18) Hopefully Fixed 'Black Screen' Issue, Recompiled in 32bit.
- 1.2.5 (17/12/18) Added 2 New Flags (Possibly Initialization Flag?), Changed Validation Results, Improved Output/Info (HTML), Added MD5's.
- 1.2 (8/12/18) Improved All Alt Validations, Repaired VTRM1, Internal Typo, Added Repetition Checks.
- 1.1.1 (29/11/18) Typo Again, Made the SKU not come up as UNLISTED, Added some MD5's.
- 1.1 (28/11/18) Improved VTRM & CID Validation, Typo Fixes, Better Colours! Whoops!
- 1.0 (27/11/18) First Release!
Developer Website:
https://betterwayelectronics.com.au/
Direct Link:
https://betterwayelectronics.com.au/BwE_PS4_NOR_Validator.rar
Support/Information Forum:
https://www.psxhax.com/threads/release-bwe-ps4-nor-validator.6139/
BwE PS4 WiFi/BT Patcher & Extractor
Developed by User:BwE, this application is designed to validate, patch and/or extract the WiFi/BT Module of the PS4. The reason for this is illustrated in this page on the wiki. It will use MD5, entropy and pattern analysis to determine if and where the module is corrupted. From here it will determine a valid replacement based on the console's expected module version and size. Should there be no matching version available, the program will offer you the ability to patch a new header and new module. This methodology is risky, but if this is your only option then it is worth a try.
- Version 1.3 (19/1/19)
- Version 1.2 (27/11/18) Fixed Entropy + Added Better MD5 Validation + Added Better Header Validation
- Version 1.1 (25/11/18) Added Entropy + Better Looks
- Version 1.1 (4/9/18) First initial release
Developer Website:
https://betterwayelectronics.com.au/
Direct Link:
https://betterwayelectronics.com.au/BwE_PS4_WiFi-BT_Patcher.rar
Support/Information Forum:
https://www.psxhax.com/threads/bwe-ps4-wifi-bt-patcher-extractor-v1-00-by-betterwayelectronics.5936/
BwE PS4 NOR Statistics
This program, another micro version of User:BwE's PS4 NOR Validator, is designed solely to validate your NOR based on statistics only!
Why make this you ask? Entropy and statistics are a well used methodology in the malware analysis field to determine if a binary file is encrypted, and by how much.
What is entropy? Entropy is a method for measuring uncertainty in a series of numbers or bytes. In technical terms, entropy measures the level of difficulty or the probability of independently predicting each number in the series.
What has this got to do with PS4s? Well, the PS4's NOR is almost entirely encrypted, and so with a collection of known valid NORs it is possible to determine the level of entropy that represents a valid NOR and what level of entropy would represent a corrupt NOR.
When corruption occurs it will generally wipe out a large chunk of the NOR, cause the NOR to repeat itself or fill the NOR with junk. All of this will decrease or severely increase the entropy.
Seeing as the PS4 firmware is likely to add more or less complexity with each update, I have made available a settings file where you can adjust the predicted statistics.
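The statistical check described above, as an added Python example that is not BwE's code: it computes whole-image Shannon entropy and 00/FF percentages, compares the entropy with the range given in the statistics at the top of this page, and lists low-entropy windows to locate a wiped area. The window size, the 7.0 bits/byte window threshold and all function names are assumptions, and the sample image is constructed.

```python
import math
import random
from collections import Counter

# Whole-image reference range from the statistics at the top of this page.
ENTROPY_MIN, ENTROPY_MAX = 6.96569, 7.52856

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def nor_statistics(image: bytes) -> dict:
    """Whole-image figures of the kind listed in this page's header."""
    ent = shannon_entropy(image)
    return {
        "entropy": ent,
        "pct_00": 100.0 * image.count(0x00) / len(image),
        "pct_ff": 100.0 * image.count(0xFF) / len(image),
        "in_range": ENTROPY_MIN <= ent <= ENTROPY_MAX,
    }

def low_entropy_windows(image: bytes, window=0x1000, threshold=7.0) -> list:
    """Offsets of windows below `threshold` bits/byte (both values assumed).
    Filler and plaintext areas are flagged too, so diff against a good dump."""
    return [off for off in range(0, len(image), window)
            if shannon_entropy(image[off:off + window]) < threshold]

def make_sample(size=0x40000, seed=1) -> bytes:
    """Constructed stand-in for a dump: random bytes play the encrypted data,
    followed by 00 and FF filler in roughly the page's proportions."""
    n_ff, n_00 = round(size * 0.1183), round(size * 0.0265)
    n_rand = size - n_ff - n_00
    rand = random.Random(seed).getrandbits(8 * n_rand).to_bytes(n_rand, "little")
    return rand + b"\x00" * n_00 + b"\xff" * n_ff

def wipe(image: bytes, offset: int, length: int) -> bytes:
    """Simulate the 'large chunk wiped' corruption pattern with FF bytes."""
    return image[:offset] + b"\xff" * length + image[offset + length:]

if __name__ == "__main__":
    good = make_sample()
    bad = wipe(good, 0, len(good) // 2)
    for name, img in (("good", good), ("wiped", bad)):
        s = nor_statistics(img)
        print(f"{name}: entropy={s['entropy']:.4f} 00={s['pct_00']:.2f}% "
              f"FF={s['pct_ff']:.2f}% in_range={s['in_range']}")
        print("  first low window:", hex(low_entropy_windows(img)[0]))
```

On a real dump, run `nor_statistics` over the full 0x2000000-byte file and compare the window list with one from a known valid dump of the same firmware.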
Version 1.0 (5/11/18) First initial release
Developer Website:
https://betterwayelectronics.com.au/
Direct Link:
https://betterwayelectronics.com.au/BwE_PS4_NOR_Statistics.rar
Support/Information Forum:
https://www.psxhax.com/threads/bwe-ps4-nor-statistics-v1-00-by-betterwayelectronics.6074/