SC EEPROM

From PS3 Developer wiki
Revision as of 21:32, 25 June 2012 by Flatz (talk | contribs)

Most of the information we have about the SC EEPROM comes from graf_chokolo's reverse engineering of the HV; see Hypervisor Reverse Engineering.

This is where system flags, tokens and hashes are stored.

Right now most of the communication we have with the SC EEPROM is through Linux, using graf_chokolo's ps3dm-utils and/or his payloads.

Important Offsets

EEPROM Offset Table - Flags and Tokens

Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):

Offset   Size  Description
0x02FF8  1     Factory Bit
0x48C02  1     (unknown)
0x48C06  1     FSELF Control Flag
0x48C07  1     Product Mode (UM can read this offset; it can also be written, but only when already in product mode)
0x48C0A  1     QA Flag
0x48C0B  1     mode_auth_flag
0x48C13  1     Device Type
0x48C18  0x4   (unknown)
0x48C1C  0x4   (unknown)
0x48C30  1     SPE number (usually 0x06; can be set to 0x07 to enable the 8th SPE)
0x48C42  1     HDD Copy Mode
0x48C50  0x10  Debug Support Flag
0x48C60  1     Update Status
0x48C61  1     Recover Mode Flag
0x48D3E  0x50  QA Token (UM doesn't allow access to this offset, but SC Manager can read/write it)
0x48D8E  0x50  mode_auth_data (read/cleared by ss_sc_init_pu, checked by spu_mode_auth)

In a standard, mostly untouched PS3 the common value for these flags is 0xFF, which means not active; anything else means active (e.g. 0xFE).

To set a flag active you write 0x00 to it.

The Debug Support Flag is tied to the EID, which is supposed to be hashed and saved in the SC EEPROM.

The QA Flag is tied to the QA Token, which is also saved in this part of the SC EEPROM.

System Data From EEPROM

Here is the list of possible EEPROM offsets:

Index  SC EEPROM Offset  Size of Data  Description
0      0x48D20           6             ?
1      0x48D28           6             ?
2      0x48D30           6             ?
3      0x48D38           6             ?
4      0x48D00           4             ?
5      0x48D04           4             ?
6      0x48D08           4             ?

Dumpable EEPROM Offset - Block ID and Block Offset Mapping Table (NVS Service)

Right now we only have read access to some portions of the EEPROM; to access these regions DM needs to be patched, see the section Dumping your SC EEPROM.

EEPROM Offset      Block ID  Block Offset       Description
0x48000 - 0x480FF  0x00      0x48000 - 0x480FF  ?
0x48800 - 0x488FF  0x01      0x48800 - 0x488FF  ?
0x48C00 - 0x48CFF  0x02      0x48C00 - 0x48CFF  Contains flags and tokens; see above
0x48D00 - 0x48DFF  0x03      0x48D00 - 0x48DFF  System Data Region
0x2F00 - 0x2FFF    0x10      0x2F00 - 0x2FFF    "Industry Area" aka OS Version Area
0x3000 - 0x30FF    0x20      0x3000 - 0x30FF    "CS Area"
All other offsets  Invalid   Invalid            ?
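The following is an added example, not code from the wiki or from ps3dm-utils. It models the NVS block table above together with the Update Manager offset table from the Flags and Tokens section: it maps an EEPROM offset (plus size) to a block id and block offset, rejecting ranges that fall outside the dumpable blocks or straddle two of them, and it decodes a constructed 256-byte dump of block 0x02 using the page's rule that 0xFF means inactive and any other value means active. The sample block bytes are constructed here, not dumped from a console.

```python
# Added example: not code from the wiki or from ps3dm-utils.  It models the
# NVS block table and the Update Manager offset table above, maps EEPROM
# offsets to (block id, block offset), and decodes a constructed dump of
# block 0x02 using the page's rule that 0xFF means inactive and anything
# else means active.  The sample bytes are constructed here, not dumped
# from a console.

# (block_id, first EEPROM offset, last EEPROM offset, description)
NVS_BLOCKS = (
    (0x00, 0x48000, 0x480FF, "?"),
    (0x01, 0x48800, 0x488FF, "?"),
    (0x02, 0x48C00, 0x48CFF, "flags and tokens"),
    (0x03, 0x48D00, 0x48DFF, "system data region"),
    (0x10, 0x02F00, 0x02FFF, "industry area / OS version area"),
    (0x20, 0x03000, 0x030FF, "CS area"),
)

# Single-byte flags from the Update Manager offset table: EEPROM offset -> name.
FLAG_OFFSETS = {
    0x02FF8: "Factory Bit",
    0x48C06: "FSELF Control Flag",
    0x48C07: "Product Mode",
    0x48C0A: "QA Flag",
    0x48C0B: "mode_auth_flag",
    0x48C42: "HDD Copy Mode",
    0x48C60: "Update Status",
    0x48C61: "Recover Mode Flag",
}


def locate(offset, size=1):
    """Map an EEPROM range to (block_id, block_offset), or None when the
    range lies outside every dumpable block or straddles two of them
    (the table's 'All other offsets: Invalid' row)."""
    last = offset + size - 1
    for block_id, start, end, _desc in NVS_BLOCKS:
        if start <= offset and last <= end:
            return block_id, offset - start
    return None


def read_field(block_id, block_data, eeprom_off, size):
    """Return the raw bytes of a field from one 256-byte block dump,
    or None if the field does not live in that block."""
    loc = locate(eeprom_off, size)
    if loc is None or loc[0] != block_id:
        return None
    return block_data[loc[1]:loc[1] + size]


def decode_flags(block2):
    """Decode the single-byte flags held in block 0x02 (0x48C00-0x48CFF).
    Returns name -> (raw value, active?)."""
    if len(block2) != 0x100:
        raise ValueError("block 0x02 dump must be 256 bytes")
    result = {}
    for eeprom_off, name in FLAG_OFFSETS.items():
        raw = read_field(0x02, block2, eeprom_off, 1)
        if raw is None:
            continue  # e.g. Factory Bit lives in block 0x10, not here
        result[name] = (raw[0], raw[0] != 0xFF)
    return result


def build_sample_block2():
    """Constructed sample of block 0x02: all 0xFF (nothing active) except
    the QA Flag set to 0x00 (active) and SPE number at its usual 0x06."""
    data = bytearray(b"\xff" * 0x100)
    data[0x48C0A - 0x48C00] = 0x00   # QA Flag -> active
    data[0x48C30 - 0x48C00] = 0x06   # SPE number
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample_block2()
    for name, (value, active) in sorted(decode_flags(sample).items()):
        print(f"{name:20s} 0x{value:02X} {'active' if active else 'inactive'}")
    print("SPE number:", read_field(0x02, sample, 0x48C30, 1).hex())
    print("QA Token lives at:", locate(0x48D3E, 0x50))        # (3, 0x3E)
    print("Range crossing a block edge:", locate(0x48CFF, 2))  # None
```

Note that a 0x50-byte field such as the QA Token at 0x48D3E resolves to block 0x03 at block offset 0x3E, while a two-byte read starting at 0x48CFF is rejected because it would cross from block 0x02 into block 0x03; a real dump tool should apply the same check before issuing a request.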

Dumping your SC EEPROM

Linux

First you need graf_chokolo's kernel, ps3dm-utils and linux_hv_scripts.

Once you have those:

Patch DM using linux_hv_scripts:

dmpatch.sh

Read the data from the region you want, for example (see the tables above):

ps3dm_scm /dev/ps3dmproxy 0x48000 0xFF

You can find some cool stuff in the resulting dumps.

Hashes

Where exactly the hashes are stored is still a secret; it is said that those hashes are stored in the SC EEPROM.

To retrieve information about the packages you have installed you can also use ps3dm-utils.

Linux

Installed Package info

ps3dm_um /dev/ps3dmproxy get_pkg_info TYPE

Examples

get_pkg_info 1 - Core OS package

0003004100000000

get_pkg_info 2 - Revoke List for program

0003004100000000

get_pkg_info 3 - Revoke list for package

0002003000000000

get_pkg_info 4

deadbeaffacebabe

get_pkg_info 5

deadbeaffacebabe

get_pkg_info 6 - Firmware Package

0003005000000000


You can find more information about this in Hypervisor Reverse Engineering.


Hashes

What algorithm is used and what exactly is hashed is still unknown.

ps3dm_scm /dev/ps3dmproxy get_region_data ID

These hashes are checked by lv1 to make sure that the data has not been altered (debug string: scm_get_region_data: get_result: ret[X]: 0x%x).

Examples

region_data 0 - Core OS package

00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb 

region_data 1

ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

region_data 2

ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

region_data 3 - Revoke List for program?

00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

region_data 4

ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

region_data 5 - Revoke List for package?

00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

region_data 6

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be

region_data 7

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 8 - BD Firmware Package

00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

region_data 9

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 10

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be

region_data 11

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 12

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 13

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 14

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 15

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 
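The following is an added example, not code from the wiki or from ps3dm-utils. It parses the 48-byte get_region_data records listed above and classifies each as empty (all 0xFF), filler (the repeated de ad be af fa ce ba be pattern) or populated. Splitting a populated record into an 8-byte header and 40 trailing bytes is an observation from the page's own dumps, where the header equals the value get_pkg_info reports for the matching package type; calling the trailing bytes the digest, and reporting the run of 0x00/0xFF bytes at its end as padding, are assumptions made here, since the page says the hash algorithm and input are unknown. The sample records are copied from the region_data examples above.

```python
# Added example, not code from the wiki or from ps3dm-utils.  It parses the
# 48-byte get_region_data records shown on the page.  The header/digest
# split is an observation from the page's dumps (the 8-byte header equals
# the get_pkg_info value); treating bytes 8..47 as the digest and the
# trailing 0x00/0xFF run as padding is an assumption made here.

RECORD_LEN = 48
FILLER_UNIT = bytes.fromhex("deadbeaffacebabe")   # repeated 6x in unused slots
EMPTY_RECORD = b"\xff" * RECORD_LEN

# get_pkg_info TYPE -> (description, value) as reported on this page.
PKG_INFO = {
    1: ("Core OS package", bytes.fromhex("0003004100000000")),
    2: ("Revoke list for program", bytes.fromhex("0003004100000000")),
    3: ("Revoke list for package", bytes.fromhex("0002003000000000")),
    6: ("Firmware package", bytes.fromhex("0003005000000000")),
}

# Records copied from the page's region_data examples (region id -> hex dump).
SAMPLE_REGIONS = {
    0: "00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce "
       "81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb",
    1: "ff " * 48,
    3: "00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 "
       "87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff",
    5: "00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 "
       "b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    6: "de ad be af fa ce ba be " * 6,
    8: "00 03 00 50 00 00 00 00 " + "00 " * 40,
}


def parse_region(hexdump):
    """Classify one record and split it into header (8) and digest (40)."""
    data = bytes.fromhex(hexdump)
    if len(data) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(data)}")
    if data == EMPTY_RECORD:
        kind = "empty"       # never written: all 0xFF
    elif data == FILLER_UNIT * (RECORD_LEN // len(FILLER_UNIT)):
        kind = "filler"      # unused slot holding the deadbeaf.. pattern
    else:
        kind = "populated"
    return {"kind": kind, "header": data[:8], "digest": data[8:]}


def trailing_pad(record):
    """Length of the run of identical 0x00 or 0xFF bytes ending the digest
    field (0 when the last byte is neither).  Whether this marks a shorter
    digest is unknown; it is only reported, not interpreted."""
    digest = record["digest"]
    last = digest[-1]
    if last not in (0x00, 0xFF):
        return 0
    n = 0
    for b in reversed(digest):
        if b != last:
            break
        n += 1
    return n


def matching_pkg_types(record):
    """get_pkg_info TYPEs whose reported value equals this record's header."""
    return sorted(t for t, (_d, v) in PKG_INFO.items() if v == record["header"])


def summarize(regions=SAMPLE_REGIONS):
    """Parse every record and return region id -> summary dict."""
    out = {}
    for rid, hexdump in regions.items():
        rec = parse_region(hexdump)
        populated = rec["kind"] == "populated"
        out[rid] = {
            "kind": rec["kind"],
            "header": rec["header"].hex(),
            "pkg_types": matching_pkg_types(rec) if populated else [],
            "trailing_pad": trailing_pad(rec) if populated else 0,
        }
    return out


if __name__ == "__main__":
    for rid, info in summarize().items():
        print(f"region {rid:2d}: {info['kind']:9s} header={info['header']} "
              f"pkg_types={info['pkg_types']} trailing_pad={info['trailing_pad']}")
```

Running it over the page's dumps shows region 0 and region 3 both carry the 0003004100000000 header, so the header alone cannot tell the Core OS record from the program revoke list; the ordering in the region list, not the header, is what the question marks on regions 3 and 5 rely on.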

Tokens

Here we will document the different types of tokens known in the PS3. All tokens are tied? encrypted? using EID0. They enable additional repository nodes.

List

Token       Location             Size  SPU module                 Description
qa_token    sc_eeprom - 0x48D3E  0x50  spu_token_processor.self
user_token  ?                    ?     spu_utoken_processor.self  Encrypted/Signed
token_seed  ?                    ?     ?                          This is used to create the token with EID0

Token Seed

?

Structure

This section has to be corrected; it is only based on debug strings, and we need to decrypt the tokens.

Token Seed

?

QA Token

User Token

Address Size Description
? ? m_magic
? ? m_format_version
? ? m_size
? ? m_capability
? ? m_expire_date
? ? m_idps?
? ? m_attribute
? ? m_digest

For every attribute in the token:

Address Size Description
? ? attr:m_type
? ? attr:m_size
? ? attr:m_data