Typical Flash TSOP package found on PS3's can either be 2x128mb NAND or 1x16mb NOR

This is my attempt at documenting the files located and stored on flash. Please do note that this is from reverse engineering several flash dumps, not from reverse engineering the PS3 firmware itself. This involves alot of guesswork and may not be accurate and there may be information missing.

Structure

0x0 > 0x400 = Headers

0x400 > 0x800 = File table

0x800 > 0xF00000 = Region 1

- 0x800 > 0x2F000 = asecure_loader region

- - 0x840 > 0xF110 = metldr

0xF00000 > 0xFFFFFF = region 2

- unknown format

First Region

Header

First 512 Bytes of flash

00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ.¾ï
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00  ..............x.
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Address	Length	Value	Description
0x00	0x10	0x0	Blank/Unknown
0x10	0x10	0x0FACE0FF 0xDEADBEEF	Magic number
0x20	0x10	0x7800	Length of region * 0x200
0x30	0x1D0	0x0	Blank/Unknown

Unknown Header

The next block of 512 bytes only has the first 16 bytes written. Unsure exactly what this means.

00000200  49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00  IFI.............
00000210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000003F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

Address	Length	Value	Description
0x200	0x10	0x49464900 (String: "IFI") 0x1 0x2 0x0	Unknown

File Table

The next 1024 bytes contain the file entry table

Header

Small 16 byte header to describe length and entry count

00000400  00 00 00 01 00 00 00 0B 00 00 00 00 00 EF FC 00  .............ïü.

Address	Length	Value	Description
0x0	0x4	0x01	Unknown
0x4	0x4	0x0B	Entry Count
0x8	0x8	0xEFFC00	Length of Flash Region (relative to 0x400 (region start)

First is a header, this tells us how many files are stored here.

Entry Table

Then follows a 32 byte entry for each file

00000410  00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00  ..............è.
00000420  61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00  asecure_loader..
00000430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Address	Length	Value	Description
0x0	0x8	0x400	File offset relative to 0x400 (Region start)
0x8	0x8	0x2E800	File length
0x10	0x20	char[32]:"asecure_loader"	File name

asecure_loader region

Within asecure_loader is another file table similar to region 1 but is located within region 1 itself. This has only been observed to hold metldr in its encrypted form.

Header

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.

Address	Length	Value	Description
0x00	0x04	0x01	Unknown
0x04	0x04	0x01	Entry Count
0x08	0x08	0x2E800	Length of Region

Entry Table

Then follows a 32 byte entry for each file

00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Address	Length	Value	Description
0x0	0x08	0x40	File offset relative to 0x810 (asecure_loader header)
0x8	0x08	0xE8D0	File Length
0x10	0x20	char[32]:"metldr"	File name

Second Region

This region appears to directly follow the other region (at 0xF0000 = region size + header)

Not much is known about this at this stage.

Header

00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....Þ.úÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Bootloader

Located at 0xFC0000 to 0xFFFFFF (The last 256kb of flash), This is encrypted.

cCSD

This section doesn't contain any data... This section of flash contains Console Specific information

Header

0003F800  00 00 00 01 00 00 08 00 00 00 00 00 00 00 00 00  ................

Address	Length	Value	Description
0x0	0x4	0x1	Number of entries
0x4	0x8	0x800	Length of entire eEID package
0x8	0x8	0x0	Unknown/Blank

File Table

This repeats per entry

0003F810  00 00 00 20 00 00 00 30 00 00 00 00 00 00 00 00  ... ...0........

Address	Length	Value	Description
0x0	0x4	0x20	Entry point
0x4	0x8	0x30	Length
0x8	0x8	0x0	Unknown/Blank

Section 0

0003F820  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F830  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F840  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

There appears to be no data stored here.

cISD

This section of flash contains Console Specific information

cISD contains core information such as Gelic Ethernet MAC address

Header

0003F000  00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00  .......p........

Address	Length	Value	Description
0x0	0x4	0x3	Number of entries
0x4	0x8	0x270	Length of entire eEID package
0x8	0x8	0x0	Unknown/Blank

File Table

This repeats per entry

0003F010  00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00  ...@... ........

Address	Length	Value	Description
0x0	0x4	0x40	Entry point
0x4	0x8	0x20	Length
0x8	0x8	0x0	Unknown/Blank

Section 0

0003F040  A8 E3 EE 7D 10 DA FF FF FF FF FF FF FF FF FF FF  ¨ãî}.Úÿÿÿÿÿÿÿÿÿÿ
0003F050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

Address	Length	Value	Description
0x0	0x6	0xA8E3EE7D10DA	MAC Address
0x6	0x1A	0xFF	Unknown/Blank

Section 1

0003F060  7F 49 44 4C 00 02 00 60 01 00 00 02 02 12 FF C5  .IDL...`......ÿÅ
0003F070  30 31 43 35 32 34 30 31 38 33 31 36 32 37 30 45  01C524018316270E
0003F080  31 39 30 38 37 41 34 32 30 30 30 30 30 30 30 30  19087A4200000000
0003F090  32 37 34 35 35 32 32 32 34 30 31 35 31 32 39 33  2745522240151293
0003F0A0  34 31 36 33 01 07 01 07 01 28 00 01 FF FF FF FF  4163.....(..ÿÿÿÿ
0003F0B0  00 02 00 11 00 02 00 12 00 00 00 00 02 95 A8 C9  .............•¨É
0003F0C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003F250  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

Address	Length	Value	Description
0x0	0xD	0x7F49444C000200600100000202	Unknown, static
0xD	0xF	0x12FFC5	Unknown, varies per console
0x10	0x20	Ascii: 01C524018316270E19087A4200000000	Some unique identifier
0x30	0x8	Ascii: 27455222	3rd part of console serial number
0x38	0xC	Ascii: 401512934163	Some unique identifier
0x44	0x1B	0x0107010701280001FFFF00020011000200120000000002	Unknown, static
0x1B	0x3	0x95A8C9	Unknown, varies

Section 2

0003F260  1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .ÿ..............

This value is unknown and the first two bytes seem to vary

eEID

This section of flash contains QA tokens

It is 0x10000 in length (64 kb) but only the first 0x1DD0 is used, the rest is padded with FF

It is composed of 6 sections numbered from 0 to 5

eEID contains your system model data, your target ID, and your PS3 motherboard revision

Section	Description
EID0	EID0 is needed for loading parameters to isoldr for loading isolated SELF files on a SPE
EID1	?
EID2	?
EID3	?
EID4	?
EID5	?

Indi manager can write to it AIM can rehash it

Header

00000000  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........

Address	Length	Value	Description
0x0	0x4	0x6	Number of entries
0x4	0x8	0x1DD0	Length of entire eEID package
0x8	0x8	0x0	Unknown/Blank

File Table

This is the whole file table

00000010   00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00
00000020   00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01
00000030   00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02
00000040   00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03
00000050   00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04
00000060   00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05

This repeats per entry

00000010  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........

Address	Length	Value	Description
0x0	0x4	0x70	Entry point
0x4	0x8	0x860	Length
0x8	0x8	0x0	EID number

Typical EID entry addresses and lengths:

Description	Address	Length
EID0	0x70	0x860
EID1	0x8D0	0x2A0
EID2	0xB70	0x730
EID3	0x12A0	0x100
EID4	0x13A0	0x30
EID5	0x13D0	0xA00

EID0 - Section 0

00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000010  00 12 00 0B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

Address	Size	Value	Description	Observations
0x0	0x10	00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66	IDPS	IDPS This contains your Target ID
0x10	0x4	00 12 00 0B	Unknown
0x14	0x12	81 2E 00 A9 59 75 01 CC C1 72 D5 50	Per console key?	Appear to be the same key as in the encrypted files metloader/bootloader
Rest	Rest	Rest	Encrypted Data?

EID 1 - Section 1

Appears to be encrypted, not much is known about this one

EID 2 - Section 2

Not sure about this one, appears to be some recurring patterns in here

EID 3 - Section 3

Not fully examined yet, Contains the 12 byte key again at 0x14 to 0x1F

EID 4 - Section 4

Encrypted encdec key

EID 5 - Section 5

Similar again to section 0

00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000010  00 12 07 30 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

Address	Size	Value	Description	Observations
0x0	0x10	00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66	IDPS	IDPS
0x10	0x4	00 12 07 30	Unknown	Changes from EID0
0x14	0x12	81 2E 00 A9 59 75 01 CC C1 72 D5 50	Per console key?	Appear to be the same key as in the encrypted files metloader/bootloader
Rest	Rest	Rest	Encrypted Data?

Encrypted Files on Flash

Encrypted files on flash appear to have some sort of header

metldr examples

Here are samples of metldr header from 2 different consoles

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

bootldr examples

Here are samples of bootldr header from 2 different consoles

00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«

00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

Observations / Notes

As you can see, some parts appear static depending on their purpose:

metldr

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........

bootldr

00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............

per console in both samples

00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The first 4 bytes appear to reffer to length. eg:

metldr length: 0xE920
0x00000E8E * 0x10 = 0xE8E0 + 0x40 = 0xE920
bootldr length:  0x2F4F0
0x00002F4B * 0x10 = 0x2F4B0 + 0x40 = 0x2F4F0

Header shown is 0x20 bytes, perhaps this means there is a 0x40 byte header. I was not able to find any correlation of the other 2x12 bytes here, perhaps these are keys of some sort.

List of files on NOR Flash

The following is a list of files stored in NOR Flash

Name	TOC		Start Offset		End Offset		Size	Notes
Name	Offset	Index	Relative	Absolute	Relative	Absolute	Size	Notes
asecure_loader	0x400	0	0x400	0x810	0x2E800	0x2F010	0x2E800 (190,464 bytes)	aka metldr
eEID	0x400	1	0x2EC00	0x2F010	0x3EC00	0x3F010	0x10000 (65,636 bytes)
cISD	0x400	2	0x3EC00	0x3F010	0x3F400	0x3F810	0x800 (2,048 bytes)
cCSD	0x400	3	0x3F400	0x3F810	0x3FC00	0x40010	0x800 (2,048 bytes)
trvk_prg0	0x400	4	0x3FC00	0x40010	0x5FC00	0x60010	0x20000 (131,072 bytes)
trvk_prg1	0x400	5	0x5FC00	0x60010	0x5FC00	0x80010	0x20000 (131,072 bytes)
trvk_pkg0	0x400	6	0x7FC00	0x80010	0x9FC00	0xA0010	0x20000 (131,072 bytes)
trvk_pkg1	0x400	7	0x9FC00	0xA0010	0xBFC00	0xC0010	0x20000 (131,072 bytes)
ros0	0x400	8	0xBFC00	0xC0010	0x7BFC00	0x7C0010	0x700000 (7,340,032 bytes)	Contains CoreOS files
ros1	0x400	9	0x7BFC00	0x7C0010	0xEBFC00	0xEC0010	0x700000 (7,340,032 bytes)	Contains CoreOS files
cvtrm	0x400	10	0xEBFC00	0xEC0010	0xEFFC00	0xF00010	0x40000 (262,144 bytes)
CELL_EXTNOR_AREA				0xF20000		0xFA0040	0x80040 (524,352 bytes)
bootldr				0xFC0000		0xFEEAF0	0x2EAF0 (191,216 bytes)	End @ FEF170, FEF570, FEF5F0, FEF600 in some dumps

new metldr.2

Seen on CECH2504B (JSD-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 F9 20  .......@......ù 
  00000820  6D 65 74 6C 64 72 2E 32 00 00 00 00 00 00 00 00  metldr.2........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

other new metldr

It seems the naming "metldr.2" does not apply to all non downgradeable consoles:

Seen on CECH2504A (JTP-001), with 3.60 from factory - datecode 1B

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
  00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
  00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
  00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Seen on CECH2503B (JTP-001), with ?.?? from factory - datecode 1A (dump contained ROS with 3.66 and 3.70)

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
 00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E9 60  .......@......é`
 00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
 00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

For comparison, a CECH250.B (JSD-001), with factory 3.56 - datecode 1A which was downgradeable (dump contained ROS with 3.56 and 3.70 before downgrading to 3.55):

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
 00000800   00 00 00 01 00 00 00 01  00 00 00 00 00 02 E8 00   ..............è.
 00000810   00 00 00 00 00 00 00 40  00 00 00 00 00 00 E9 60   .......@......é`
 00000820   6D 65 74 6C 64 72 00 00  00 00 00 00 00 00 00 00   metldr..........
 00000830   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
 00000840   00 00 0E 92 C3 26 6E 4B  BB 28 2E 76 B7 67 70 95   ...’Ã&nK»(.v·gp•

other new metldr mention : https://twitter.com/#!/Mathieulh/status/110779471199604736

WTF 3.50+ consoles have a new additional root key of 0x30 bytes
(3 times the same 0x10 bytes chunk) copied by metldr right to offset 0 O_O

CELL_EXTNOR_AREA

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[...]
00F1FFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F1FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F20000  43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41  CELL_EXTNOR_AREA      marker: CELL_EXTNOR_AREA
00F20010  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F20020  00 00 02 00 00 00 00 44 00 00 00 00 A9 C8 06 D0  .......D....©È.Ð                             (differs in other version/console dump)
00F20030  C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10  À..4U§bsÝ.¦ûu Ò.
00F20040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F201F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F20200  00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32  ....FUJITSU MHZ2      harddrive brand/model
00F20210  30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20  080BH G1        
00F20220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
00F20230  20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B      K63RT8B4HYBK      harddrive serial
00F20240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F3FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F40000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F40000-00F40030      (same in other version/console dump)
00F40010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
00F40020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F80000-00F80030
00F40030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F5FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F60000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00F60010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00F60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
00F60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00FA0000-00FA0040
00F60040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F69BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F69C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]                                                                            all FF's
00F7FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F80000  00 00 00 01 00 00 00 2C 6E 47 15 E8 38 9B C8 16  .......,nG.è8›È.      00F80000-00F80030      (same in other version/console dump)
00F80010  65 6E 0C 37 54 25 FE 7B 22 9A 31 75 72 22 63 2B  en.7T%þ{"š1ur"c+      is the same as
00F80020  31 DD 15 AA 60 7D EB F5 F7 A3 74 0B 9D DD 3B 3A  1Ý.ª`}ëõ÷£t..Ý;:      00F40000-00F40030
00F80030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00F9FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00FA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00FA0020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   Ñ.¯§›—âzË.+Ma&®      same as
00FA0030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00F60000-00F60040
00FA0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]                                                                            all 00's
00FA9BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00FA9C00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]                                                                            all FF's
00FBFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00FC0000  00 00 2E AB 83 EF B9 76 C4 DE D1 35 32 7C D3 77  ...«ƒï¹vÄÞÑ52|Ów      Bootloader encrypted   (differs in other version/console dump)
00FC0010  00 00 2E AB FE 2C 4E 17 E1 67 5C 3A C8 29 8E D1  ...«þ,N.ág\:È)ŽÑ      (0xFC0000 to 0xFFFFFF)
00FC0020  63 D4 81 95 5D D1 D2 E3 BA A3 2D 0A 98 8B 3C 03  cÔ.•]ÑÒãº£-.˜‹<.
00FC0030  8E 5D D0 E7 2F EE 58 8B C0 73 A2 6D 5E 7F 7A 07  Ž]Ðç/îX‹Às¢m^.z.
00FC0040  47 8B A4 C2 EF B9 3C 60 43 E8 AC 07 F7 8D EE D5  G‹¤Âï¹<`Cè¬.÷.îÕ
00FC0050  67 EE C1 C4 B2 D2 78 98 4C 79 D6 52 49 4D C2 80  gîÁÄ²Òx˜LyÖRIMÂ€
00FC0060  2D C1 F6 21 B7 B1 34 89 94 3B 33 BF B8 C8 EB 73  -Áö!·±4‰”;3¿¸Èës
[...]
00FEEAD0  9B 28 7A 63 41 DF 4D 54 CC F3 D8 FF FB B0 E6 34  ›(zcAßMTÌóØÿû°æ4
00FEEAE0  2B C6 A2 85 E9 3A 83 A1 8C AE 9F 45 C5 F4 9F AA  +Æ¢…é:ƒ¡Œ®ŸEÅôŸª
00FEEAF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ      Bootloader ended (00FEF170, 00FEF570, 00FEF5F0 or 00FEF600 in some dumps)
00FEEB00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

NAND reference

most of the information on this page if based on NOR dumps, this section is for NAND specifics

NAND reference (euss)

CECHC-02/COK-001 Pal EU launchmodel with OFW 3.15 updated to MFW 3.15

Bootldr

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    00000000  6D 61 73 6B 65 64 20 42 4F 4F 54 4C 44 52 20 20  masked BOOTLDR  
    00000010  30 78 34 30 30 30 30 20 73 69 7A 65 20 20 20 20  0x40000 size             if dumped from GameOS, the first 40000 bytes are masked (cut off) by HV
    00000020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    00000030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ROS0

   ROS0 on NAND:
     
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   000C0000  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
   000C0010  00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00  .....à..........
   000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   000C0030  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
   000C0040  00 00 00 00 00 00 04 60 00 00 00 00 00 00 44 98  .......`......D˜
   000C0050  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
   000C0060  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
   000C0070  00 00 00 00 00 00 49 00 00 00 00 00 00 01 DA E4  ......I.......Úä
   000C0080  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
   000C0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C00A0  00 00 00 00 00 02 24 00 00 00 00 00 00 04 00 00  ......$.........
   000C00B0  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
   000C00C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C00D0  00 00 00 00 00 06 24 00 00 00 00 00 00 00 22 A0  ......$......." 
   000C00E0  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
   000C00F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0100  00 00 00 00 00 06 46 A0 00 00 00 00 00 07 FC 48  ......F ......üH
   000C0110  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
   000C0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0130  00 00 00 00 00 0E 43 00 00 00 00 00 00 07 0F 94  ......C........”
   000C0140  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
   000C0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0160  00 00 00 00 00 15 52 A0 00 00 00 00 00 06 16 00  ......R ........
   000C0170  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
   000C0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0190  00 00 00 00 00 1B 68 A0 00 00 00 00 00 01 2E 44  ......h .......D
   000C01A0  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
   000C01B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C01C0  00 00 00 00 00 1C 97 00 00 00 00 00 00 03 E8 28  ......—.......è(
   000C01D0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
   000C01E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C01F0  00 00 00 00 00 20 7F 40 00 00 00 00 00 12 B1 70  ..... .@......±p
   000C0200  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
   000C0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0220  00 00 00 00 00 33 30 C0 00 00 00 00 00 01 E5 CC  .....30À......åÌ
   000C0230  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
   000C0240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0250  00 00 00 00 00 35 16 A0 00 00 00 00 00 01 6D A0  .....5. ......m 
   000C0260  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
   000C0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0280  00 00 00 00 00 36 84 40 00 00 00 00 00 16 EE B8  .....6„@......î¸
   000C0290  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
   000C02A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C02B0  00 00 00 00 00 4D 73 00 00 00 00 00 00 00 80 8C  .....Ms.......€Œ
   000C02C0  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
   000C02D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C02E0  00 00 00 00 00 4D F3 A0 00 00 00 00 00 00 88 B8  .....Mó ......ˆ¸
   000C02F0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
   000C0300  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C0310  00 00 00 00 00 4E 7C 60 00 00 00 00 00 00 5D B0  .....N|`......]°
   000C0320  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
   000C0330  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C0340  00 00 00 00 00 4E DA 20 00 00 00 00 00 01 53 2C  .....NÚ ......S,
   000C0350  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
   000C0360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0370  00 00 00 00 00 50 2D 60 00 00 00 00 00 00 00 08  .....P-`........
   000C0380  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
   000C0390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C03A0  00 00 00 00 00 50 2D 80 00 00 00 00 00 00 D7 F0  .....P-€......×ð
   000C03B0  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
   000C03C0  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
   000C03D0  00 00 00 00 00 51 05 80 00 00 00 00 00 00 FA CC  .....Q.€......úÌ
   000C03E0  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
   000C03F0  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
   000C0400  00 00 00 00 00 52 00 60 00 00 00 00 00 00 5C 94  .....R.`......\”
   000C0410  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
   000C0420  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
   000C0430  00 00 00 00 00 52 5D 00 00 00 00 00 00 00 65 D0  .....R].......eÐ
   000C0440  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
   000C0450  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
   000C0460  00 00 00 00 00 52 C2 E0 00 00 00 00 00 00 C0 78  .....RÂà......Àx
   000C0470  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
   000C0480  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........

ROS1

   ROS1 on NAND:
     
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   007C0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   007C0020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
   007C0030  00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00  .......`........
   007C0040  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
   007C0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0060  00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08  .......`........
   007C0070  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
   007C0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0090  00 00 00 00 00 04 04 80 00 00 00 00 00 01 E5 CC  .......€......åÌ
   007C00A0  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
   007C00B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C00C0  00 00 00 00 00 05 EA 80 00 00 00 00 00 01 6D A0  ......ê€......m 
   007C00D0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
   007C00E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C00F0  00 00 00 00 00 07 58 80 00 00 00 00 00 01 2E 44  ......X€.......D
   007C0100  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
   007C0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0120  00 00 00 00 00 08 87 00 00 00 00 00 00 01 DA E4  ......‡.......Úä
   007C0130  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
   007C0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0150  00 00 00 00 00 0A 61 E4 00 00 00 00 00 00 FA CC  ......aä......úÌ
   007C0160  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
   007C0170  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
   007C0180  00 00 00 00 00 0B 5C B0 00 00 00 00 00 00 5C 94  ......\°......\”
   007C0190  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
   007C01A0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
   007C01B0  00 00 00 00 00 0B B9 44 00 00 00 00 00 00 65 D0  ......¹D......eÐ
   007C01C0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
   007C01D0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
   007C01E0  00 00 00 00 00 0C 1F 14 00 00 00 00 00 01 53 2C  ..............S,
   007C01F0  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
   007C0200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0210  00 00 00 00 00 0D 72 40 00 00 00 00 00 00 44 98  [email protected]˜
   007C0220  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
   007C0230  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
   007C0240  00 00 00 00 00 0D B6 D8 00 00 00 00 00 00 D7 F0  ......¶Ø......×ð
   007C0250  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
   007C0260  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
   007C0270  00 00 00 00 00 0E 8E C8 00 00 00 00 00 00 80 8C  ......ŽÈ......€Œ
   007C0280  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
   007C0290  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C02A0  00 00 00 00 00 0F 0F 54 00 00 00 00 00 00 88 B8  .......T......ˆ¸
   007C02B0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
   007C02C0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C02D0  00 00 00 00 00 0F 98 0C 00 00 00 00 00 00 C0 78  ......˜.......Àx
   007C02E0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
   007C02F0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0300  00 00 00 00 00 10 58 84 00 00 00 00 00 00 5D B0  ......X„......]°
   007C0310  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
   007C0320  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0330  00 00 00 00 00 10 B6 34 00 00 00 00 00 00 22 A0  ......¶4......" 
   007C0340  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
   007C0350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0360  00 00 00 00 00 10 D9 00 00 00 00 00 00 12 B1 70  ......Ù.......±p
   007C0370  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
   007C0380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0390  00 00 00 00 00 23 8A 80 00 00 00 00 00 03 E8 28  .....#Š€......è(
   007C03A0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
   007C03B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C03C0  00 00 00 00 00 27 72 A8 00 00 00 00 00 16 EE B8  .....'r¨......î¸
   007C03D0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
   007C03E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C03F0  00 00 00 00 00 3E 61 60 00 00 00 00 00 07 0F 94  .....>a`.......”
   007C0400  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
   007C0410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0420  00 00 00 00 00 45 70 F4 00 00 00 00 00 07 FC 48  .....Epô......üH
   007C0430  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
   007C0440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0450  00 00 00 00 00 4D 6D 3C 00 00 00 00 00 06 16 00  .....Mm<........
   007C0460  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
   007C0470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Versioning in ROS0

   versioning in ROS0 of NAND:
     
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   005C2D90  33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00  315.000.........
   005C2DA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   005C2DB0  53 43 45 00 00 00 00 02 00 01 00 01 00 00 02 30  SCE............0

Versioning in ROS1

   versioning in ROS1 of NAND:
     
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

   00800480  33 31 35 2E 30 30 30 0A 00 00 00 00 00 00 00 00  315.000.........
   00800490  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   008004A0  53 43 45 00 00 00 00 02 00 00 00 01 00 00 01 F0  SCE............ð

RVK

   Revoke in NAND:     
          
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   00093800  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
   00093810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........
   00093820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
   00093830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
   00093840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@
   00093850  6E 27 DA DF 18 19 ED D0 26 30 FD 84 1D 5B 74 BB  n'Úß..íÐ&0ý„.[t»
   00093860  43 53 5F 5E 91 5A 82 48 E1 5B 76 C6 59 9F 1B 0D  CS_^‘Z‚Há[vÆYŸ..
   00093870  3A 5E 73 19 73 59 24 A1 A7 A5 73 28 BC 50 12 93  :^s.sY$¡§¥s(¼P.“
   00093880  10 B7 43 04 B5 01 A5 6C 01 AD 83 86 7B 10 1A 78  .·C.µ.¥l.ƒ†{..x
   00093890  B5 55 E2 CC 52 4D E2 3D AE 7D F6 1B 37 13 63 34  µUâÌRMâ=®}ö.7.c4
   000938A0  50 58 C8 78 27 F9 30 9F 62 E7 0A CF C4 E2 4B C5  PXÈx'ù0Ÿbç.ÏÄâKÅ
   000938B0  4A FF 31 8A C7 3A A7 0A 91 86 E2 C8 4A 51 F7 7D  Jÿ1ŠÇ:§.‘†âÈJQ÷}
   000938C0  7B BF 28 FE F5 93 FA C3 DF E7 A9 F1 A1 92 C1 6F  {¿(þõ“úÃßç©ñ¡’Áo
   000938D0  F1 D8 94 E9 64 60 6D 36 22 61 2E 51 B5 C9 9F 6F  ñØ”éd`m6"a.QµÉŸo
   000938E0  BD C6 44 00 22 75 DC 2A 55 A5 E5 EC 2A 97 9A 4F  ½ÆD."uÜ*U¥åì*—šO
   000938F0  CA 21 38 F1 AA C8 98 29 4D 6A F7 CD 7B F6 04 B3  Ê!8ñªÈ˜)Mj÷Í{ö.³
   00093900  A0 F3 F8 C1 9B CB 9B 48 AE E9 5C CF A5 24 37 29   óøÁ›Ë›H®é\Ï¥$7)
   00093910  9B 10 02 8C 68 1B 4E AA B4 CF EE 81 3A C6 6E CB  ›..Œh.Nª´Ïî.:ÆnË
   00093920  66 99 F6 F9 55 AB 19 FA 43 70 BC E5 72 C4 56 AD  f™öùU«.úCp¼årÄV
   00093930  64 AF DD 0B 17 03 4D EA 87 C5 AD BB 2C 7C B2 48  d¯Ý...Mê‡Å»,|²H
   00093940  9A E9 D1 85 AA 30 87 B8 47 C3 8B C9 BC 42 E2 7D  šéÑ…ª0‡¸GÃ‹É¼Bâ}
   00093950  92 84 D2 03 68 F1 20 54 98 D1 0E 95 4B 54 E5 6E  ’„Ò.hñ T˜Ñ.•KTån
   00093960  1A 6C D6 2F 3E 3F E4 28 4A 0F 9E D4 99 3E E5 D8  .lÖ/>?ä(J.žÔ™>åØ
   00093970  6B 13 7B 19 B4 3A A6 64 56 08 05 D3 FE 1B 68 E1  k.{.´:¦dV..Óþ.há
   00093980  B6 38 2C 0C E1 DF 5F D5 0D EC 6E B6 2A 2F 63 77  ¶8,.áß_Õ.ìn¶*/cw
   00093990  F4 D2 EB 3B 87 DA 83 76 28 E8 9F 50 2C 84 4D 48  ôÒë;‡Úƒv(èŸP,„MH
   000939A0  64 C0 B1 DB C6 AE 81 22 1D 76 9F B9 F8 29 C0 C7  dÀ±ÛÆ®.".vŸ¹ø)ÀÇ
   000939B0  12 06 2A B1 BB 0D 2E 5A 29 BC 56 C6 F5 26 97 0D  ..*±»..Z)¼VÆõ&—.
   000939C0  01 06 CC BC 43 1E 8B 45 C8 20 29 B3 FD EB 30 1D  ..Ì¼C.‹EÈ )³ýë0.
   000939D0  A2 CF 33 2D 09 07 08 6F 4A F3 34 5D DE 63 C0 A8  ¢Ï3-...oJó4]ÞcÀ¨
   000939E0  EE 31 3E 46 11 4F 8D 66 F1 15 74 E2 AC 88 C3 C7  î1>F.O.fñ.tâ¬ˆÃÇ
   000939F0  19 C9 69 0A 9F 36 D7 BC 70 6B 79 32 53 FD 1F 8E  .Éi.Ÿ6×¼pky2Sý.Ž
   00093A00  6D 57 08 C2 CA 78 24 6A 20 3B 5A 98 C2 04 06 95  mW.ÂÊx$j ;Z˜Â..•
   00093A10  C7 E6 53 A5 AB 9C 02 2A 04 40 0B 00 DF 34 13 CF  ÇæS¥«œ.*.@..ß4.Ï
   00093A20  F3 74 FF B6 DB FA 9A A2 FD 4F 72 6B 3E 7E 37 04  ótÿ¶Ûúš¢ýOrk>~7.
   00093A30  00 00 00 03 00 00 00 02 00 01 00 00 00 00 00 00  ................
   00093A40  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00093A50  8E 27 91 93 C8 6F 17 8A 22 FD C8 E1 76 E8 D8 18  Ž'‘“Èo.Š"ýÈávèØ.
   00093A60  62 8B FE F5 43 81 A8 09 01 C6 99 D6 EF CF 64 90  b‹þõC.¨..Æ™ÖïÏd.
   00093A70  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

cell_ext_os_area

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
   0E780000  63 65 6C 6C 5F 65 78 74 5F 6F 73 5F 61 72 65 61  cell_ext_os_area
   0E780010  00 00 00 01 00 00 00 02 00 00 00 04 FF FF FF FF  ............ÿÿÿÿ
   0E780020  00 00 00 01 00 27 F8 40 FF FF FF FF FF FF FF FF  .....'ø@ÿÿÿÿÿÿÿÿ

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   0E7807D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E7807E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E7807F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0E780800  1F 8B 08 08 C1 19 04 48 02 03 7A 49 6D 61 67 65  .‹..Á..H..zImage
   0E780810  2E 69 6E 69 74 72 64 2E 70 73 33 2E 62 69 6E 00  .initrd.ps3.bin.
    [...]                                                                        large data area
   0EA00030  FF FE FC FF ED CF FF 07 DE FD A4 A3 A8 88 54 00  ÿþüÿíÏÿ.Þý¤£¨ˆT.
   0EA00040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [...]    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   large 00 filled block region
   0EB7FFE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0EB7FFF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0EB80000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0EB80010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

    [...]    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   large FF filled block region
   0EFFFFE0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
   0EFFFFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

NAND reference (bluemimmo)

COK-001 with 3.60 OFW

Bootldr

   Bootldr from offset 0x00000000:
   
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   00000000  00 00 2A 3F 04 AD 56 18 64 8D 49 94 23 8F B8 A1  ..*?.V.d.I”#.¸¡
   00000010  00 00 2A 3F 93 B7 DF 38 94 92 09 B6 C3 9C D2 AA  ..*?“·ß8”’.¶ÃœÒª
   00000020  E8 7D F4 AC 86 AA 28 2F 68 31 AD 61 F5 7C BA 03  è}ô¬†ª(/h1aõ|º.
   00000030  38 BA FF 8C D2 CA A8 5A DA 0D F0 2C 7B 69 03 22  8ºÿŒÒÊ¨ZÚ.ð,{i."
   00000040  E2 EB 0D 9C 6A 12 31 43 FA 3C 5F 5D E3 9F 70 5E  âë.œj.1Cú<_]ãŸp^
   00000050  15 18 7F 09 00 C3 65 E4 47 E4 D9 63 46 4B A1 CC  .....ÃeäGäÙcFK¡Ì
   00000060  8A F9 51 8A 6D F0 FA 94 83 F4 C1 23 4F AE 50 AD  ŠùQŠmðú”ƒôÁ#O®P
   00000070  0F 81 5A 3E 2C 31 AE 6C 81 A1 8D A2 18 7F 35 9F  ..Z>,1®l.¡.¢..5Ÿ
   00000080  99 E5 69 67 A2 E0 F8 14 B8 85 4A 99 41 D9 84 0A  ™åig¢àø.¸…J™AÙ„.
   00000090  11 D5 A1 2A C6 3D 21 9D C3 43 E0 3E 00 17 4C DC  .Õ¡*Æ=!.ÃCà>..LÜ
   000000A0  B1 DD E3 94 00 E0 61 41 65 9A C9 8F C9 18 83 FC  ±Ýã”.àaAešÉ.É.ƒü
   000000B0  CA DA 3E 89 A1 43 CF 4D 0E DB D2 7B 6D 53 6A 53  ÊÚ>‰¡CÏM.ÛÒ{mSjS
   000000C0  3D 43 ED 5C 7F B4 09 E4 22 38 6E 29 E7 3E 07 4B  =Cí\.´.ä"8n)ç>.K
   000000D0  2A FF 98 49 C9 49 FE 26 85 F4 71 15 85 11 75 F3  *ÿ˜IÉIþ&…ôq.….uó
   000000E0  56 79 2A 85 F3 1E 0F E3 21 16 2B 3F B3 25 18 2D  Vy*…ó..ã!.+?³%.-
   000000F0  9D 4E 57 76 1E 59 65 8A 5B BF 41 B7 29 1F 79 0C  .NWv.YeŠ[¿A·).y.
   00000100  A3 E7 CF 07 E7 A3 4F DA 67 B2 C9 75 89 83 4F 71  £çÏ.ç£OÚg²Éu‰ƒOq
   00000110  71 88 D6 89 D7 07 C0 2E D8 DA 39 0F 87 5B FE 40  qˆÖ‰×.À.ØÚ9.‡[þ@
   00000120  23 31 EB BF 86 1A A5 0D D5 24 94 DD A2 69 E4 E8  #1ë¿†.¥.Õ$”Ý¢iäè
   00000130  25 28 2E C7 34 E9 E5 8D 2D F4 AC F5 60 CC 2A CD  %(.Ç4éå.-ô¬õ`Ì*Í
   00000140  06 5D D7 FE C8 59 FC 6D 2B 17 25 A6 2E BE 0F F2  .]×þÈYüm+.%¦.¾.ò
   00000150  46 94 3B 0B C4 76 F6 FB C1 C1 8E 93 42 E9 5B 41  F”;.ÄvöûÁÁŽ“Bé[A
   00000160  69 A8 53 39 C6 09 32 A3 A9 3E AE 71 84 74 EC E0  i¨S9Æ.2£©>®q„tìà
   00000170  97 3B D1 41 D9 59 4B 17 E5 8B D1 2A 57 77 78 8D  —;ÑAÙYK.å‹Ñ*Wwx.
   00000180  02 4A 7F 31 5C 62 30 E5 F3 83 97 27 C4 7B 8D 31  .J.1\b0åóƒ—'Ä{.1
   00000190  E9 53 B6 86 BC 16 AC 15 B9 96 C2 A9 56 AC 13 DF  éS¶†¼.¬.¹–Â©V¬.ß
   000001A0  E4 05 01 30 7F 65 45 48 66 0E 3D D5 A9 1B 1A 76  ä..0.eEHf.=Õ©..v
   000001B0  15 38 C7 B3 0D A2 83 C2 D9 9F 13 28 F9 50 BF 4C  .8Ç³.¢ƒÂÙŸ.(ùP¿L
   000001C0  C1 2D 83 E8 9B A9 EF D1 C8 12 96 50 45 DD CC 26  Á-ƒè›©ïÑÈ.–PEÝÌ&
   000001D0  D5 57 C1 DD A0 2E 81 97 F8 B8 60 00 A9 27 2D 68  ÕWÁÝ ..—ø¸`.©'-h
   000001E0  69 FE C8 F5 E2 7D 48 0D 04 65 FF BB A8 BF 41 9F  iþÈõâ}H..eÿ»¨¿AŸ
   000001F0  27 98 56 D1 93 56 62 87 74 89 63 AD 63 B4 A3 AA  '˜VÑ“Vb‡t‰cc´£ª
   00000200  46 09 AB B5 92 BA BB CF 7C EF 8F 08 F8 FE 96 9A  F.«µ’º»Ï|ï..øþ–š
   00000210  2E 14 C4 67 8C B3 E3 DC DE BC 24 3F D8 17 B0 B6  ..ÄgŒ³ãÜÞ¼$?Ø.°¶
   00000220  1B F7 78 61 DE 90 14 29 46 CB 4E EF 30 0A D3 AA  .÷xaÞ..)FËNï0.Óª
   00000230  BB 78 6B 1D A2 3A E8 27 7B 2D 32 E5 62 C4 45 C0  »xk.¢:è'{-2åbÄEÀ
   00000240  9E 75 6C E3 5C 08 A9 D3 5B 36 38 40 AD BF 5D D4  žulã\.©Ó[68@¿]Ô
   00000250  9D D1 D9 F0 11 A6 D5 68 C9 97 BA 70 38 25 61 0B  .ÑÙð.¦ÕhÉ—ºp8%a.
   00000260  76 B6 84 0E 90 7C E9 C8 AC 01 F4 E4 2D 0A F4 C7  v¶„..|éÈ¬.ôä-.ôÇ
   00000270  98 D7 A3 98 8C CC A8 D0 05 2E A5 87 D7 FA 0A 93  ˜×£˜ŒÌ¨Ð..¥‡×ú.“
   00000280  19 91 81 D3 E9 83 E2 5E 31 D5 AD 78 4B A6 04 80  .‘.Óéƒâ^1ÕxK¦.€
   00000290  94 85 60 AA 09 5E CA 80 E3 FC 40 14 66 9C 47 11  ”…`ª.^Ê€ãü@.fœG.
   000002A0  A7 FF 93 6E 50 EB F6 AE 54 2F 47 43 01 EB 24 4D  §ÿ“nPëö®T/GC.ë$M
   000002B0  4B DC E3 A1 BC B7 B4 9B E0 77 D9 C0 97 CF CE 72  KÜã¡¼·´›àwÙÀ—ÏÎr
   000002C0  EF 84 F5 F1 7D 16 21 AC DC B7 2A 01 96 A4 14 47  ï„õñ}.!¬Ü·*.–¤.G
   000002D0  6D E5 1C 30 9D 1A 64 22 3A 7E 0B 28 A5 22 A0 B8  må.0..d":~.(¥" ¸
   000002E0  85 D8 0E 6B 5A 2B 7D 20 2B CF FA A9 B6 78 D0 FD  …Ø.kZ+} +Ïú©¶xÐý
   000002F0  82 9B 3D D7 24 F0 76 05 24 60 1A 8E CC 61 4A 8E  ‚›=×$ðv.$`.ŽÌaJŽ
   00000300  B8 F2 2B 59 AE FF 49 45 71 D0 31 73 8D 32 08 D9  ¸ò+Y®ÿIEqÐ1s.2.Ù
   00000310  8E 2E B8 18 13 49 B9 2F EB B7 D5 B9 55 E7 63 64  Ž.¸..I¹/ë·Õ¹Uçcd
   00000320  F6 CF 8C B0 ED BA A8 81 36 05 3C 48 E3 58 F1 3A  öÏŒ°íº¨.6.<HãXñ:
   00000330  51 39 CD 68 76 8D 08 D7 2B C4 7B 1D D2 4E DC A2  Q9Íhv..×+Ä{.ÒNÜ¢
   00000340  0E 1B C9 30 2B A1 EF 90 D5 35 7B 92 6B 86 D2 59  ..É0+¡ï.Õ5{’k†ÒY
   00000350  10 84 98 4B 9A 65 1A 00 B8 00 0A CA 5C F7 AF 8C  .„˜Kše..¸..Ê\÷¯Œ
   00000360  9C FF FC 0A 70 11 5E 0A 7A 02 26 B7 DE 98 FA F8  œÿü.p.^.z.&·Þ˜úø
   00000370  0D A0 D2 A3 83 95 34 2F 2C 17 6C B4 66 13 CB FB  . Ò£ƒ•4/,.l´f.Ëû
   00000380  A4 9E BC 64 08 41 F6 A0 F7 A1 F7 E1 24 EE 8C E3  ¤ž¼d.Aö ÷¡÷á$îŒã
   00000390  F2 59 19 1C 84 F8 60 45 81 72 88 B4 AE 6A 97 3E  òY..„ø`E.rˆ´®j—>
   000003A0  B8 5B 4A D8 C7 D2 0C AC 3C D9 25 B2 CC D7 D7 B4  ¸[JØÇÒ.¬<Ù%²Ì××´
   000003B0  CC EF C7 81 95 56 98 C5 A2 B3 7F 77 8D 24 51 7C  ÌïÇ.•V˜Å¢³.w.$Q|
   000003C0  78 27 C5 3A 1E 78 EC 84 5B 54 10 8A E3 0A CD E2  x'Å:.xì„[T.Šã.Íâ
   000003D0  2A 2E B2 9A B6 F2 75 8F B5 F0 74 23 6E 71 D8 56  *.²š¶òu.µðt#nqØV
   000003E0  F0 D1 79 73 0D 5D 41 27 E7 68 55 1F 00 52 9E BE  ðÑys.]A'çhU..Rž¾
   000003F0  BF D6 B4 92 C3 26 84 94 5C FE 46 6C BB 46 FA 51  ¿Ö´’Ã&„”\þFl»FúQ
   00000400  56 41 96 13 94 1A 24 02 64 4F B5 C7 36 F2 25 AF  VA–.”.$.dOµÇ6ò%¯
   00000410  8B 1F FD D1 8F 24 80 44 18 4B B9 D6 04 61 E2 EF  ‹.ýÑ.$€D.K¹Ö.aâï

ROS0

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   000C0030  00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0  .............oÿà
   000C0040  00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00  ................
   000C0050  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
   000C0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0070  00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08  ................
   000C0080  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
   000C0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C00A0  00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8  ..............çÈ
   000C00B0  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv1ldr..........
   000C00C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C00D0  00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0  ......í.......oð
   000C00E0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00  lv2ldr..........
   000C00F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0100  00 00 00 00 00 07 5D 00 00 00 00 00 00 01 2F 74  ......]......./t
   000C0110  69 73 6F 6C 64 72 00 00 00 00 00 00 00 00 00 00  isoldr..........
   000C0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0130  00 00 00 00 00 08 8C 80 00 00 00 00 00 01 E5 D4  ......Œ€......åÔ
   000C0140  61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00  appldr..........
   000C0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0160  00 00 00 00 00 0A 72 54 00 00 00 00 00 00 FB 4C  ......rT......ûL
   000C0170  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
   000C0180  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
   000C0190  00 00 00 00 00 0B 6D A0 00 00 00 00 00 00 5A 94  ......m ......Z”
   000C01A0  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
   000C01B0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
   000C01C0  00 00 00 00 00 0B C8 34 00 00 00 00 00 00 63 D0  ......È4......cÐ
   000C01D0  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
   000C01E0  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
   000C01F0  00 00 00 00 00 0C 2C 04 00 00 00 00 00 01 53 2C  ......,.......S,
   000C0200  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
   000C0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0220  00 00 00 00 00 0D 7F 30 00 00 00 00 00 00 42 98  .......0......B˜
   000C0230  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
   000C0240  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
   000C0250  00 00 00 00 00 0D C1 C8 00 00 00 00 00 00 D7 F0  ......ÁÈ......×ð
   000C0260  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
   000C0270  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
   000C0280  00 00 00 00 00 0E 99 B8 00 00 00 00 00 00 80 8C  ......™¸......€Œ
   000C0290  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
   000C02A0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C02B0  00 00 00 00 00 0F 1A 44 00 00 00 00 00 00 88 B8  .......D......ˆ¸
   000C02C0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
   000C02D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C02E0  00 00 00 00 00 0F A2 FC 00 00 00 00 00 00 C0 78  ......¢ü......Àx
   000C02F0  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
   000C0300  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C0310  00 00 00 00 00 10 63 74 00 00 00 00 00 00 5D B0  ......ct......]°
   000C0320  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
   000C0330  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   000C0340  00 00 00 00 00 10 C1 24 00 00 00 00 00 00 22 A0  ......Á$......" 
   000C0350  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
   000C0360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0370  00 00 00 00 00 10 E4 00 00 00 00 00 00 12 80 50  ......ä.......€P
   000C0380  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
   000C0390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C03A0  00 00 00 00 00 23 64 80 00 00 00 00 00 03 E6 78  .....#d€......æx
   000C03B0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
   000C03C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C03D0  00 00 00 00 00 27 4A F8 00 00 00 00 00 17 27 58  .....'Jø......'X
   000C03E0  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
   000C03F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0400  00 00 00 00 00 3E 72 50 00 00 00 00 00 07 0F 94  .....>rP.......”
   000C0410  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
   000C0420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0430  00 00 00 00 00 45 81 E4 00 00 00 00 00 08 04 18  .....E.ä........
   000C0440  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
   000C0450  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0460  00 00 00 00 00 4D 85 FC 00 00 00 00 00 06 0D 78  .....M…ü.......x
   000C0470  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
   000C0480  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   000C0490  00 00 00 00 00 53 93 74 00 00 00 00 00 00 12 A8  .....S“t.......¨
   000C04A0  6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F  manu_info_spu_mo
   000C04B0  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......

ROS1

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   007C0010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   007C0020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
   007C0030  00 00 00 00 00 00 04 60 00 00 00 00 00 04 00 00  .......`........
   007C0040  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00  creserved_0.....
   007C0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0060  00 00 00 00 00 04 04 60 00 00 00 00 00 00 00 08  .......`........
   007C0070  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00  sdk_version.....
   007C0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0090  00 00 00 00 00 04 04 68 00 00 00 00 00 00 FB 4C  .......h......ûL
   007C00A0  73 70 75 5F 70 6B 67 5F 72 76 6B 5F 76 65 72 69  spu_pkg_rvk_veri
   007C00B0  66 69 65 72 2E 73 65 6C 66 00 00 00 00 00 00 00  fier.self.......
   007C00C0  00 00 00 00 00 04 FF B4 00 00 00 00 00 00 C9 30  ......ÿ´......É0
   007C00D0  73 70 75 5F 74 6F 6B 65 6E 5F 70 72 6F 63 65 73  spu_token_proces
   007C00E0  73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00 00  sor.self........
   007C00F0  00 00 00 00 00 05 C8 E4 00 00 00 00 00 00 63 D0  ......Èä......cÐ
   007C0100  73 70 75 5F 75 74 6F 6B 65 6E 5F 70 72 6F 63 65  spu_utoken_proce
   007C0110  73 73 6F 72 2E 73 65 6C 66 00 00 00 00 00 00 00  ssor.self.......
   007C0120  00 00 00 00 00 06 2C B4 00 00 00 00 00 01 D2 D8  ......,´......ÒØ
   007C0130  73 63 5F 69 73 6F 2E 73 65 6C 66 00 00 00 00 00  sc_iso.self.....
   007C0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0150  00 00 00 00 00 07 FF 8C 00 00 00 00 00 00 42 98  ......ÿŒ......B˜
   007C0160  61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73  aim_spu_module.s
   007C0170  65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00  elf.............
   007C0180  00 00 00 00 00 08 42 24 00 00 00 00 00 00 D7 F0  ......B$......×ð
   007C0190  73 70 70 5F 76 65 72 69 66 69 65 72 2E 73 65 6C  spp_verifier.sel
   007C01A0  66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
   007C01B0  00 00 00 00 00 09 1A 14 00 00 00 00 00 00 80 8C  ..............€Œ
   007C01C0  6D 63 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  mc_iso_spu_modul
   007C01D0  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C01E0  00 00 00 00 00 09 9A A0 00 00 00 00 00 00 88 B8  ......š ......ˆ¸
   007C01F0  6D 65 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  me_iso_spu_modul
   007C0200  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0210  00 00 00 00 00 0A 23 58 00 00 00 00 00 00 C0 78  ......#X......Àx
   007C0220  73 76 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sv_iso_spu_modul
   007C0230  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0240  00 00 00 00 00 0A E3 D0 00 00 00 00 00 00 5D B0  ......ãÐ......]°
   007C0250  73 62 5F 69 73 6F 5F 73 70 75 5F 6D 6F 64 75 6C  sb_iso_spu_modul
   007C0260  65 2E 73 65 6C 66 00 00 00 00 00 00 00 00 00 00  e.self..........
   007C0270  00 00 00 00 00 0B 41 80 00 00 00 00 00 00 22 A0  ......A€......" 
   007C0280  64 65 66 61 75 6C 74 2E 73 70 70 00 00 00 00 00  default.spp.....
   007C0290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C02A0  00 00 00 00 00 0B 64 80 00 00 00 00 00 12 5E F0  ......d€......^ð
   007C02B0  6C 76 31 2E 73 65 6C 66 00 00 00 00 00 00 00 00  lv1.self........
   007C02C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C02D0  00 00 00 00 00 1D C3 80 00 00 00 00 00 0B 54 E8  ......Ã€......Tè
   007C02E0  6C 76 30 00 00 00 00 00 00 00 00 00 00 00 00 00  lv0.............
   007C02F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0300  00 00 00 00 00 29 18 80 00 00 00 00 00 00 05 00  .....).€........
   007C0310  6C 76 30 2E 32 00 00 00 00 00 00 00 00 00 00 00  lv0.2...........
   007C0320  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0330  00 00 00 00 00 29 1D 80 00 00 00 00 00 17 89 58  .....).€......‰X
   007C0340  6C 76 32 5F 6B 65 72 6E 65 6C 2E 73 65 6C 66 00  lv2_kernel.self.
   007C0350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0360  00 00 00 00 00 40 A6 D8 00 00 00 00 00 07 0F 94  .....@¦Ø.......”
   007C0370  65 75 72 75 73 5F 66 77 2E 62 69 6E 00 00 00 00  eurus_fw.bin....
   007C0380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0390  00 00 00 00 00 47 B6 6C 00 00 00 00 00 07 E2 68  .....G¶l......âh
   007C03A0  65 6D 65 72 5F 69 6E 69 74 2E 73 65 6C 66 00 00  emer_init.self..
   007C03B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C03C0  00 00 00 00 00 4F 98 D4 00 00 00 00 00 06 18 18  .....O˜Ô........
   007C03D0  68 64 64 5F 63 6F 70 79 2E 73 65 6C 66 00 00 00  hdd_copy.self...
   007C03E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C03F0  00 00 00 00 00 55 B0 EC 00 00 00 00 00 00 12 A8  .....U°ì.......¨
   007C0400  6D 61 6E 75 5F 69 6E 66 6F 5F 73 70 75 5F 6D 6F  manu_info_spu_mo
   007C0410  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......
   007C0420  00 00 00 00 00 55 C3 94 00 00 00 00 00 00 02 E0  .....UÃ”.......à
   007C0430  70 72 6F 67 2E 73 72 76 6B 00 00 00 00 00 00 00  prog.srvk.......
   007C0440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0450  00 00 00 00 00 55 C6 74 00 00 00 00 00 00 02 40  .....UÆt.......@
   007C0460  70 6B 67 2E 73 72 76 6B 00 00 00 00 00 00 00 00  pkg.srvk........
   007C0470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Dumping your flash

There are many ways you can dump your flash you can choose the way that best fits you, there are some persons studing the flash.. If you can help providing a dump (specially if you have a debug console) search for those persons in IRC Efnet #ps3dev

Payload

Unncomment dump_dev_flash() in graf_payloads compile and run the payload

see Graf's_PSGroove_Payload for more info

Linux

Using graf_chokolo kernel with /dev/ps3nflasha access

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024

Hardware

see Hardware flashing

Dump NAND/NOR from GameOS

dump_flash.pkg // backup/mirror: dump-flash+syscon.rar (280.51 KB)
Make sure USB stick is FAT32 with enough free space (16MB per dump)

remark: NAND dumps are 239MB because HV masks bootldr, see Hardware flashing #Difference between hardware dumps and software dumps

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;

static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        ptr = pkg + 0x10 + 0x30 * i;

        offset = be64(ptr + 0x00);
        size   = be64(ptr + 0x08);

        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

        printf("unpacking %s (size: %d bytes)...\n", name, size);
        memcpy_to_file((char *)name, pkg + offset, size);
}

static void unpack_pkg(void)
{
        u32 n_files;
        u64 size;
        u32 i;

        n_files = be32(pkg + 4);
        size = be64(pkg + 8);

        for (i = 0; i < n_files; i++)
                unpack_file(i);
}

int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* kludge for header, i do not do sanity checks at the moment */
        pkg += 1024;

        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}

Source: http://rms.grafchokolo.com/?p=25

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
	     char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  int iRes, iSize;

  printf ("dumping EID%d from eEID at %p, size %d (%x)..\n",
	  iEidCount, pFile, iInputSize, iInputSize);

  szBuf = (char *) malloc (iInputSize + 1);
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);

  if (szBuf == NULL)
    {
      perror ("malloc");
      exit (1);
    };

  iSize = fread (szBuf, iInputSize, 1, pFile);
  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  iRes = fwrite (szBuf, iInputSize, 1, pOutput);

  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    };

  free (szBuf);
}

int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
    usage:
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }

  if (argc == 2 && argv[2] != NULL)
    {
      pPrefix = argv[2];
      goto usage;
    }

  fseek (pFile, 0x70, SEEK_SET);

  if (pPrefix != NULL)
    {
      DumpEidData (pFile, 2144, 0, pPrefix);
      DumpEidData (pFile, 672, 1, pPrefix);
      DumpEidData (pFile, 1840, 2, pPrefix);
      DumpEidData (pFile, 256, 3, pPrefix);
      DumpEidData (pFile, 48, 4, pPrefix);
      DumpEidData (pFile, 2560, 5, pPrefix);
    }
  return 0;
}

Source: http://rms.grafchokolo.com/?p=59

Flash Samples

Here are some samples of NOR Flash for your dissection. These are taken from different consoles.

3.55 kmeaw, 2.80 backup: http://www.megaupload.com/?d=J5UKO3HX
3.66 ofw: http://www.mediafire.com/?m7m4mppro66zib5

Flash

Structure

First Region

Header

Unknown Header

File Table

Header

Entry Table

asecure_loader region

Header

Entry Table

Second Region

Header

Bootloader

cCSD

Header

File Table

Section 0

cISD

Header

File Table

Section 0

Section 1

Section 2

eEID

Header

File Table

EID0 - Section 0

EID 1 - Section 1

EID 2 - Section 2

EID 3 - Section 3

EID 4 - Section 4

EID 5 - Section 5

Encrypted Files on Flash

metldr examples

bootldr examples

Observations / Notes

List of files on NOR Flash

new metldr.2

other new metldr

CELL_EXTNOR_AREA

NAND reference

NAND reference (euss)

Bootldr

ROS0

ROS1

Versioning in ROS0

Versioning in ROS1

RVK

cell_ext_os_area

NAND reference (bluemimmo)

Bootldr

ROS0

ROS1

Dumping your flash

Payload

Linux

Hardware

Dump NAND/NOR from GameOS

NOR Unpacking // NOR Unpkg

RMS - eEID splitter

Flash Samples

Navigation menu

Search