Flash

From PS3 Developer wiki
Revision as of 23:32, 2 July 2011 by Defyboy
The typical flash TSOP package found on PS3s is either 2x128 MB NAND or 1x16 MB NOR.

This is my attempt at documenting the files located and stored on flash. Please do note that this is from reverse engineering several flash dumps, not from reverse engineering the PS3 firmware itself. This involves a lot of guesswork, may not be accurate, and there may be information missing.

Structure

  • 0x0 > 0x400 = Headers
  • 0x400 > 0x800 = File table
  • 0x800 > 0xF00000 = Region 1
    • 0x800 > 0x2F000 = asecure_loader region
      • 0x840 > 0xF110 = metldr
  • 0xF00000 > 0xFFFFFF = Region 2
    • unknown format

First Region

Header

First 512 Bytes of flash

00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ.¾ï
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00  ..............x.
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address  Length  Value                  Description
0x00     0x10    0x0                    Blank/Unknown
0x10     0x10    0x0FACE0FF 0xDEADBEEF  Magic number
0x20     0x10    0x7800                 Length of region * 0x200
0x30     0x1D0   0x0                    Blank/Unknown

Unknown Header

The next block of 512 bytes only has the first 16 bytes written. Unsure exactly what this means.

00000200  49 46 49 00 00 00 00 01 00 00 00 02 00 00 00 00  IFI.............
00000210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
000003F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address  Length  Value                                    Description
0x200    0x10    0x49464900 (String: "IFI") 0x1 0x2 0x0  Unknown

File Table

The next 1024 bytes contain the file entry table

Header

Small 16 byte header to describe length and entry count

00000400  00 00 00 01 00 00 00 0B 00 00 00 00 00 EF FC 00  .............ïü.
Address  Length  Value     Description
0x0      0x4     0x01      Unknown
0x4      0x4     0x0B      Entry Count
0x8      0x8     0xEFFC00  Length of flash region (relative to 0x400, the region start)

First comes the header, which tells us how many files are stored here.

Entry Table

Then follows a 32 byte entry for each file

00000410  00 00 00 00 00 00 04 00 00 00 00 00 00 02 E8 00  ..............è.
00000420  61 73 65 63 75 72 65 5F 6C 6F 61 64 65 72 00 00  asecure_loader..
00000430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address  Length  Value                       Description
0x0      0x8     0x400                       File offset relative to 0x400 (region start)
0x8      0x8     0x2E800                     File length
0x10     0x20    char[32]: "asecure_loader"  File name


asecure_loader region

Within asecure_loader is another file table, similar to the region 1 table but located inside region 1 itself. It has only been observed to hold metldr in its encrypted form.

Header

00000800  00 00 00 01 00 00 00 01 00 00 00 00 00 02 E8 00  ..............è.
Address  Length  Value    Description
0x00     0x04    0x01     Unknown
0x04     0x04    0x01     Entry Count
0x08     0x08    0x2E800  Length of Region

Entry Table

Then follows a 32 byte entry for each file

00000810  00 00 00 00 00 00 00 40 00 00 00 00 00 00 E8 D0  .......@......èÐ
00000820  6D 65 74 6C 64 72 00 00 00 00 00 00 00 00 00 00  metldr..........
00000830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Address  Length  Value               Description
0x0      0x08    0x40                File offset relative to 0x810 (asecure_loader header)
0x8      0x08    0xE8D0              File Length
0x10     0x20    char[32]: "metldr"  File name
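The region 1 file table and the nested asecure_loader table share one layout (0x10-byte header, 0x30-byte entries), and norunpkg further down admits it does no sanity checks on them. As an added example that is not from the page or from norunpkg, this Python parser walks both tables from a constructed image and rejects any entry whose offset or size the header's region length cannot cover; the file list is the one from "List of files on NOR Flash" below, everything else is 0xFF filler.

```python
import struct
# Table layout from the page: 0x10-byte header, then one 0x30-byte entry per file.
HDR = struct.Struct(">IIQ")      # 0x00 unknown (=1), 0x04 entry count, 0x08 region length
ENTRY = struct.Struct(">QQ32s")  # 0x00 offset from table start, 0x08 size, 0x10 char[32] name

def write_table(img, base, files, region_len):
    """Constructed helper: place a header plus entries for (name, offset, size) at img[base:]."""
    img[base:base + HDR.size] = HDR.pack(1, len(files), region_len)
    for i, (name, off, size) in enumerate(files):
        at = base + HDR.size + ENTRY.size * i
        img[at:at + ENTRY.size] = ENTRY.pack(off, size, name.encode("ascii"))

def parse_table(img, base):
    """Yield (name, absolute_offset, size) per entry, rejecting anything the header cannot cover."""
    _unk, count, region_len = HDR.unpack_from(img, base)
    table_end = HDR.size + ENTRY.size * count
    for i in range(count):
        off, size, raw = ENTRY.unpack_from(img, base + HDR.size + ENTRY.size * i)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        if (not name or off < table_end or size > region_len - off
                or base + off + size > len(img)):
            raise ValueError(f"entry {i} ({name!r}) overlaps the table or leaves the region")
        yield name, base + off, size

# Constructed image, not a real dump: an erased (0xFF) 16 MB NOR with only the region-1
# table at 0x400 and the nested asecure_loader table at 0x800 filled in, using the
# names/offsets/sizes from "List of files on NOR Flash" and the metldr entry above.
NOR_FILES = [("asecure_loader", 0x400, 0x2E800), ("eEID", 0x2EC00, 0x10000),
             ("cISD", 0x3EC00, 0x800), ("cCSD", 0x3F400, 0x800),
             ("trvk_prg0", 0x3FC00, 0x20000), ("trvk_pkg0", 0x7FC00, 0x20000),
             ("trvk_pkg1", 0x9FC00, 0x20000), ("ros0", 0xBFC00, 0x700000),
             ("ros1", 0x7BFC00, 0x700000), ("cvtrm", 0xEBFC00, 0x40000)]

def constructed_image():
    img = bytearray(b"\xff" * 0x1000000)
    write_table(img, 0x400, NOR_FILES, 0xEFFC00)
    write_table(img, 0x800, [("metldr", 0x40, 0xE8D0)], 0x2E800)
    return img

def walk(img):
    # region-1 table first, then the table nested inside asecure_loader; offsets are absolute
    files = {n: (o, s) for n, o, s in parse_table(img, 0x400)}
    files.update({n: (o, s) for n, o, s in parse_table(img, files["asecure_loader"][0])})
    return files

def is_rejected(files, region_len):
    # True when parse_table refuses a constructed table (exercises the bounds checks)
    img = bytearray(b"\xff" * 0x1000)
    write_table(img, 0, files, region_len)
    try:
        list(parse_table(img, 0))
        return False
    except ValueError:
        return True
```

Resolving the nested entry yields metldr at 0x840 with length 0xE8D0, i.e. ending at 0xF110, which matches the structure list at the top of the page.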

Second Region

This region appears to directly follow the first region (at 0xF00000 = region size + header).

Not much is known about this at this stage.

Header

00F00000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE  .....¬àÿ....Þ.úÎ
00F00020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 02  ................
00F00030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F000C0  00 00 00 00 00 00 79 00 00 00 00 00 00 00 01 00  ......y.........
00F000D0  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000E0  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F00150  00 00 00 00 00 00 7A 00 00 00 00 00 00 00 04 00  ......z.........
00F00160  10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00170  10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03  .p..............
00F00180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
....
00F00FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Bootloader

Located at 0xFC0000 to 0xFFFFFF (the last 256 KB of flash); this is encrypted.

cCSD

This section of flash is for console-specific information, but no data has actually been observed in it (see Section 0 below).

Header

0003F800  00 00 00 01 00 00 08 00 00 00 00 00 00 00 00 00  ................
Address  Length  Value  Description
0x0      0x4     0x1    Number of entries
0x4      0x8     0x800  Length of entire eEID package
0x8      0x8     0x0    Unknown/Blank

File Table

This repeats per entry

0003F810  00 00 00 20 00 00 00 30 00 00 00 00 00 00 00 00  ... ...0........
Address  Length  Value  Description
0x0      0x4     0x20   Entry point
0x4      0x8     0x30   Length
0x8      0x8     0x0    Unknown/Blank

Section 0

0003F820  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F830  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0003F840  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

There appears to be no data stored here.

cISD

This section of flash contains console-specific information; cISD holds core information such as the Gelic Ethernet MAC address.

Header

0003F000  00 00 00 03 00 00 02 70 00 00 00 00 00 00 00 00  .......p........
Address  Length  Value  Description
0x0      0x4     0x3    Number of entries
0x4      0x8     0x270  Length of entire eEID package
0x8      0x8     0x0    Unknown/Blank

File Table

This repeats per entry

0003F010  00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00  ...@... ........
Address  Length  Value  Description
0x0      0x4     0x40   Entry point
0x4      0x8     0x20   Length
0x8      0x8     0x0    Unknown/Blank

Section 0

0003F040  A8 E3 EE 7D 10 DA FF FF FF FF FF FF FF FF FF FF  ¨ãî}.Úÿÿÿÿÿÿÿÿÿÿ
0003F050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address  Length  Value           Description
0x0      0x6     0xA8E3EE7D10DA  MAC Address
0x6      0x1A    0xFF            Unknown/Blank

Section 1

0003F060  7F 49 44 4C 00 02 00 60 01 00 00 02 02 12 FF C5  .IDL...`......ÿÅ
0003F070  30 31 43 35 32 34 30 31 38 33 31 36 32 37 30 45  01C524018316270E
0003F080  31 39 30 38 37 41 34 32 30 30 30 30 30 30 30 30  19087A4200000000
0003F090  32 37 34 35 35 32 32 32 34 30 31 35 31 32 39 33  2745522240151293
0003F0A0  34 31 36 33 01 07 01 07 01 28 00 01 FF FF FF FF  4163.....(..ÿÿÿÿ
0003F0B0  00 02 00 11 00 02 00 12 00 00 00 00 02 95 A8 C9  .............•¨É
0003F0C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
....
0003F250  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Address  Length  Value                                            Description
0x0      0xD     0x7F49444C000200600100000202                     Unknown, static
0xD      0xF     0x12FFC5                                         Unknown, varies per console
0x10     0x20    ASCII: 01C524018316270E19087A4200000000          Some unique identifier
0x30     0x8     ASCII: 27455222                                  3rd part of console serial number
0x38     0xC     ASCII: 401512934163                              Some unique identifier
0x44     0x1B    0x0107010701280001FFFF00020011000200120000000002  Unknown, static
0x1B     0x3     0x95A8C9                                         Unknown, varies

Section 2

0003F260  1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .ÿ..............

This value is unknown and the first two bytes seem to vary

eEID

This section of flash contains QA tokens

It is 0x10000 in length (64 KB), but only the first 0x1DD0 bytes are used; the rest is padded with FF.

It is composed of 6 sections numbered from 0 to 5

eEID contains your system model data, your target ID, and your PS3 motherboard revision

Section  Description
EID0     EID0 is needed for loading parameters to isoldr for loading isolated SELF files on a SPE
EID1     ?
EID2     ?
EID3     ?
EID4     ?
EID5     ?

Indi manager can write to it; AIM can rehash it.

Header

00000000  00 00 00 06 00 00 1D D0 00 00 00 00 00 00 00 00  .......Ð........
Address  Length  Value   Description
0x0      0x4     0x6     Number of entries
0x4      0x8     0x1DD0  Length of entire eEID package
0x8      0x8     0x0     Unknown/Blank

File Table

This is the whole file table

00000010   00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00
00000020   00 00 08 D0 00 00 02 A0 00 00 00 00 00 00 00 01
00000030   00 00 0B 70 00 00 07 30 00 00 00 00 00 00 00 02
00000040   00 00 12 A0 00 00 01 00 00 00 00 00 00 00 00 03
00000050   00 00 13 A0 00 00 00 30 00 00 00 00 00 00 00 04
00000060   00 00 13 D0 00 00 0A 00 00 00 00 00 00 00 00 05

This repeats per entry

00000010  00 00 00 70 00 00 08 60 00 00 00 00 00 00 00 00  ...p...`........
Address  Length  Value  Description
0x0      0x4     0x70   Entry point
0x4      0x8     0x860  Length
0x8      0x8     0x0    EID number

Typical EID entry addresses and lengths:

Description  Address  Length
EID0         0x70     0x860
EID1         0x8D0    0x2A0
EID2         0xB70    0x730
EID3         0x12A0   0x100
EID4         0x13A0   0x30
EID5         0x13D0   0xA00
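The eEID splitter at the bottom of the page hard-codes the 0x70 start and the six section sizes above. As an added example that is not part of the page or of that tool, this Python parser derives them from the header and file table instead, checking that EID0 begins right after the table, that the sections are contiguous, and that they end exactly at the header's 0x1DD0 length. It reads each entry as a 32-bit offset and 32-bit length followed by the 64-bit EID number, which is how the dump bytes decode (an assumption; the table above lists the length field as 8 bytes). The table bytes are copied from the page's hexdump; the section bodies are constructed 0xFF filler.

```python
import struct

EEID_HDR = struct.Struct(">IIQ")    # 0x0 entry count, 0x4 package length, 0x8 unknown/blank
EEID_ENTRY = struct.Struct(">IIQ")  # 0x0 section offset, 0x4 section length, 0x8 EID number

# Header and file table as shown in the page's eEID hexdump. The constructed package pads
# the table to the 0x10000-byte eEID size with 0xFF, so the section bodies are just filler.
EEID_TABLE = bytes.fromhex(
    "00000006 00001DD0 00000000 00000000"
    "00000070 00000860 00000000 00000000"
    "000008D0 000002A0 00000000 00000001"
    "00000B70 00000730 00000000 00000002"
    "000012A0 00000100 00000000 00000003"
    "000013A0 00000030 00000000 00000004"
    "000013D0 00000A00 00000000 00000005")
CONSTRUCTED_EEID = EEID_TABLE.ljust(0x10000, b"\xff")

def parse_eeid(blob):
    """Return {eid: (offset, length)}, insisting that EID0 starts right after the table,
    that the sections are contiguous, and that they end exactly at the header's length."""
    count, pkg_len, _unknown = EEID_HDR.unpack_from(blob, 0)
    expected = EEID_HDR.size + EEID_ENTRY.size * count   # first byte after the table
    sections = {}
    for i in range(count):
        off, length, eid = EEID_ENTRY.unpack_from(blob, EEID_HDR.size + EEID_ENTRY.size * i)
        if eid != i or off != expected:
            raise ValueError(f"entry {i}: EID {eid} at {off:#x}, expected EID {i} at {expected:#x}")
        sections[eid] = (off, length)
        expected = off + length
    if expected != pkg_len or pkg_len > len(blob):
        raise ValueError(f"sections end at {expected:#x}, header says {pkg_len:#x}")
    return sections

def split_eeid(blob):
    """Slice an eEID dump into its EID0..EID5 bodies using the parsed table."""
    return {eid: blob[off:off + length] for eid, (off, length) in parse_eeid(blob).items()}
```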


EID0 - Section 0

00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000010  00 12 00 0B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP
Address  Size  Value                                            Description       Observations
0x0      0x10  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  IDPS              This contains your Target ID
0x10     0x4   00 12 00 0B                                      Unknown
0x14     0x12  81 2E 00 A9 59 75 01 CC C1 72 D5 50              Per console key?  Appears to be the same key as in the encrypted files metldr/bootldr
Rest     Rest  Rest                                             Encrypted Data?

EID1 - Section 1

Appears to be encrypted; not much is known about this one.

EID2 - Section 2

Not sure about this one; there appear to be some recurring patterns in here.

EID3 - Section 3

Not fully examined yet. Contains the 12-byte key again at 0x14 to 0x1F.

EID4 - Section 4

Encrypted encdec key.

EID5 - Section 5

Similar again to section 0.

00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000010  00 12 07 30 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP
Address  Size  Value                                            Description       Observations
0x0      0x10  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  IDPS
0x10     0x4   00 12 07 30                                      Unknown           Changes from EID0
0x14     0x12  81 2E 00 A9 59 75 01 CC C1 72 D5 50              Per console key?  Appears to be the same key as in the encrypted files metldr/bootldr
Rest     Rest  Rest                                             Encrypted Data?

Encrypted Files on Flash

Encrypted files on flash appear to have some sort of header

metldr examples

Here are samples of the metldr header from 2 different consoles:

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«
00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

bootldr examples

Here are samples of the bootldr header from 2 different consoles:

00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«
00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

Observations / Notes

As you can see, some parts appear static depending on their purpose:

metldr

00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
00000850  00 00 0E 8E xx xx xx xx xx xx xx xx xx xx xx xx  ...Žx...........

bootldr

00FC0000  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............
00FC0010  00 00 2F 4B xx xx xx xx xx xx xx xx xx xx xx xx  ../K............

Per console (the same bytes in both that console's metldr and bootldr):

00000840  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
00000850  xx xx xx xx 81 2E 00 A9 59 75 01 CC C1 72 D5 50  .......©Yu.ÌÁrÕP

The first 4 bytes appear to refer to the length, e.g.:

metldr length: 0xE920
  0x00000E8E * 0x10 = 0xE8E0; 0xE8E0 + 0x40 = 0xE920
bootldr length: 0x2F4F0
  0x00002F4B * 0x10 = 0x2F4B0; 0x2F4B0 + 0x40 = 0x2F4F0

The header shown is 0x20 bytes; perhaps this means there is a 0x40-byte header. I was not able to find any correlation for the other 2x12 bytes here; perhaps these are keys of some sort.

List of files on NOR Flash

The following is a list of files stored in NOR flash:

Name            Offset    Size
asecure_loader  0x400     0x2E800 (190,464 bytes)
eEID            0x2EC00   0x10000 (65,536 bytes)
cISD            0x3EC00   0x800 (2,048 bytes)
cCSD            0x3F400   0x800 (2,048 bytes)
trvk_prg0       0x3FC00   0x20000 (131,072 bytes)
trvk_pkg0       0x7FC00   0x20000 (131,072 bytes)
trvk_pkg1       0x9FC00   0x20000 (131,072 bytes)
ros0            0xBFC00   0x700000 (7,340,032 bytes)
ros1            0x7BFC00  0x700000 (7,340,032 bytes)
cvtrm           0xEBFC00  0x40000 (262,144 bytes)

Dumping your flash

There are many ways to dump your flash; choose the one that best fits you. Some people are studying the flash, so if you can help by providing a dump (especially if you have a debug console), look for them on IRC (EFnet, #ps3dev).

Payload

Uncomment dump_dev_flash() in graf_payloads, then compile and run the payload.

See Graf's_PSGroove_Payload for more info.

Linux

Using the graf_chokolo kernel with /dev/ps3nflasha access:

dd if=/dev/ps3nflasha of=nor.bin

Hardware

See Hardware flashing.

NOR Unpacking // NOR Unpkg

/*
  # ../norunpkg norflash.bin norflash
  unpacking asecure_loader (size: 190xxx bytes)...
  unpacking eEID (size: 65536 bytes)...
  unpacking cISD (size: 2048 bytes)...
  unpacking cCSD (size: 2048 bytes)...
  unpacking trvk_prg0 (size: 131072 bytes)...
  unpacking trvk_prg1 (size: 131072 bytes)...
  unpacking trvk_pkg0 (size: 131072 bytes)...
  unpacking trvk_pkg1 (size: 131072 bytes)...
  unpacking ros0 (size: 7340032 bytes)...
  unpacking ros1 (size: 7340032 bytes)...
  unpacking cvtrm (size: 262144 bytes)...
*/

// Copyright 2010       Sven Peter
// Licensed under the terms of the GNU GPL, version 2
// http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
// nor modifications by rms.

// tools.h and types.h belong to the same toolset: they provide the u8/u32/u64
// types and the be32(), be64(), mmap_file(), memcpy_to_file() and fail() helpers.
#include "tools.h"
#include "types.h"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif

u8 *pkg = NULL;                 // points at the file table header (flash offset 0x400)
static u64 region_size = 0;     // region length from the table header, for bounds checks

static void unpack_file(u32 i)
{
        u8 *ptr;
        u8 name[33];
        u64 offset;
        u64 size;

        // entries are 0x30 bytes each and start right after the 0x10-byte header
        ptr = pkg + 0x10 + 0x30 * i;

        offset = be64(ptr + 0x00);      // relative to the table header
        size   = be64(ptr + 0x08);

        memset(name, 0, sizeof name);
        strncpy((char *)name, (char *)(ptr + 0x10), 0x20);

        // a name with a path separator would write outside the target directory
        if (name[0] == 0 || strchr((char *)name, '/') != NULL)
                fail("bad file name in table");

        // refuse entries that would read past the region described by the header
        if (offset > region_size || size > region_size - offset)
                fail("file entry out of bounds");

        printf("unpacking %s (size: %llu bytes)...\n", name, (unsigned long long)size);
        memcpy_to_file((char *)name, pkg + offset, size);
}

static void unpack_pkg(void)
{
        u32 n_files;
        u32 i;

        n_files = be32(pkg + 4);
        region_size = be64(pkg + 8);

        // the table occupies 0x400 bytes: header plus at most (0x400 - 0x10) / 0x30 entries
        if (n_files > (0x400 - 0x10) / 0x30)
                fail("too many file entries");

        for (i = 0; i < n_files; i++)
                unpack_file(i);
}

int main(int argc, char *argv[])
{
        if (argc != 3)
                fail("usage: norunpkg filename.nor target");

        pkg = mmap_file(argv[1]);

        /* skip the 0x400-byte flash header; the file table starts at 0x400 */
        pkg += 1024;

        MKDIR(argv[2], 0777);

        if (chdir(argv[2]) != 0)
                fail("chdir");

        unpack_pkg();

        return 0;
}

Source: http://rms.grafchokolo.com/?p=25

RMS - eEID splitter

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read iInputSize bytes from the current position of pFile and write them
   to "<pFilenamePrefix><iEidCount>". */
void
DumpEidData (FILE * pFile, int iInputSize, int iEidCount,
	     char *pFilenamePrefix)
{
  FILE *pOutput;
  char *szFilename;
  char *szBuf;
  size_t iRes, iSize;

  printf ("dumping EID%d from eEID, size %d (%x)..\n",
	  iEidCount, iInputSize, iInputSize);

  szBuf = (char *) malloc (iInputSize + 1);
  /* prefix, one digit for the EID number and the terminating NUL */
  szFilename = (char *) malloc (strlen (pFilenamePrefix) + 2);

  if (szBuf == NULL || szFilename == NULL)
    {
      perror ("malloc");
      exit (1);
    }

  iSize = fread (szBuf, iInputSize, 1, pFile);
  if (iSize != 1)
    {
      fprintf (stderr, "short read while dumping EID%d\n", iEidCount);
      exit (1);
    }

  sprintf (szFilename, "%s%d", pFilenamePrefix, iEidCount);
  pOutput = fopen (szFilename, "wb");
  if (pOutput == NULL)
    {
      perror ("fopen");
      exit (1);
    }

  iRes = fwrite (szBuf, iInputSize, 1, pOutput);
  if (iRes != iSize)
    {
      perror ("fwrite");
      exit (1);
    }

  fclose (pOutput);
  free (szFilename);
  free (szBuf);
}

int
main (int argc, char **argv)
{
  FILE *pFile;
  char *pPrefix;

  if (argc != 3)
    {
      printf ("usage: %s <eEID> <EID name prefix>\n", argv[0]);
      exit (1);
    }
  pPrefix = argv[2];

  pFile = fopen (argv[1], "rb");
  if (pFile == NULL)
    {
      perror ("fopen");
      exit (1);
    }

  /* EID0 starts at 0x70, right after the 0x10-byte header and the six
     0x10-byte table entries; the sections are contiguous, so they are read
     back to back using the typical lengths from the table above
     (0x860, 0x2A0, 0x730, 0x100, 0x30, 0xA00). */
  fseek (pFile, 0x70, SEEK_SET);

  DumpEidData (pFile, 2144, 0, pPrefix);
  DumpEidData (pFile, 672, 1, pPrefix);
  DumpEidData (pFile, 1840, 2, pPrefix);
  DumpEidData (pFile, 256, 3, pPrefix);
  DumpEidData (pFile, 48, 4, pPrefix);
  DumpEidData (pFile, 2560, 5, pPrefix);

  fclose (pFile);
  return 0;
}

Source: http://rms.grafchokolo.com/?p=59

Flash Samples

Here are some samples of NOR Flash for your dissection. These are taken from different consoles.