SC EEPROM

From PS3 Developer wiki
Revision as of 02:47, 17 May 2011 by PsiCoLeO (talk | contribs) (first draft)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Most of the information we have about the sc eeprom comes from graf_chokolo reverse engineering of the HV see Hypervisor Reverse Engineering

Here is where system flags, tokens and hashes are stored.

Right now most of the comunication we have with the sc eeprom is through linux using graf_chokolo ps3dm-utils and/or using his payloads.

Important Offsets

EEPROM Offset Table - Flags and Tokens

Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):

Offset ! Size ! Description
1 | FSELF Control Flag
1 | Product Mode (UM allows to read this offset, it can be also written but only when already in product mode)
1 | QA Flag
1 | Device Type
1 | HDD Copy Mode
0x10 | Debug Support Flag
1 | Update Status
1 | Recover Mode Flag
0x50 | QA Token (UM doesn't allow access to this offset but SC Manager can read/write it)

In a standard mostly untouched ps3 the common value for this flags is 0xFF wich means not active To change this to an active status you have to write 0x00 to turn on the flag

Debug support flag is tied to EID which is supposed to be hashed and saves in SC EEPROM

QA flag is tied to QA token that is also saved in this part of the SC EEPROM

System Data From EEPROM

Here is the list of possible EEPROM offsets:

Index ! SC EEPROM Offset ! Size Of Data ! Description
0x48D20 | 6 |?
0x48D28 | 6 |?
0x48D30 | 6 |?
0x48D38 | 6 |?
0x48D00 | 4 |?
0x48D04 | 4 |?
0x48D08 | 4 |?

Dumpable EPROM Offset - Block ID and Block Offset Mapping Table (NVS Service)

Right now we only have read access to some portions of the eeprom to have access to this regions DM needs to be patched, see section dumping eeprom

EPROM Offset ! Block ID ! Block Offset ! Description
0x00 | 0x48000 - 0x480FF | ?
0x01 | 0x48800 - 0x488FF | ?
0x02 | 0x48C00 - 0x48CFF | Contains flags and tokens/ see above
0x03 | 0x48D00 - 0x48DFF | System Data Region
0x10 | 0x2F00 - 0x2FFF | ?
0x20 | 0x3000 - 0x30FF | ?
Invalid | Invalid | ?

Dumping your SC EEPROM

Linux

First you need graf_chokolo kernel ps3dm-utils and linux_hv_scripts.

If you are ready.

Patch DM using linux_hv_scripts

dmpatch.sh

Read the data from the region you want for example (see tables above)

ps3dm_scm /dev/ps3dmproxy 0x48000 0xFF

You can see some coolstuff that containing dumps

Hashes

Where exactly the hashes are stored is still a secret, it is said that those hashes are stored in SC EEPROM

To retrive the information about the packages you have installed you can also use ps3d_utils

Linux

Installed Package info

ps3dm_um /dev/ps3dmproxy get_pkg_info TYPE

get_pkg_info 1 - Core OS package

	
		0003004100000000

get_pkg_info 2 - Revoke List for program

	
		0003004100000000

get_pkg_info 3 - Revoke list for package

		0002003000000000

get_pkg_info 4

		deadbeaffacebabe

get_pkg_info 5

		deadbeaffacebabe

get_pkg_info 6 - Firmware Package

		0003005000000000


You can find more information about this in Hypervisor Reverse Engineering


Hashes

ps3dm_scm /dev/ps3dmproxy get_region_data ID

This hashes are checked by lv1 to make sure that the data has not been altered throgh scm_get_region_data: get_result: ret[X]: 0x%x region_data 0 - Core OS package

00 03 00 41 00 00 00 00 00 c3 eb 01 96 24 d0 1c 26 14 f3 1c a4 a2 ff ce 81 77 3a 4c f8 42 86 04 ee 34 bb db be 1c a7 51 e5 59 f1 95 61 07 a5 eb 

region_data 1

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 2

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 3 //Revoke List for program?

	
00 03 00 41 00 00 00 00 80 41 f6 b8 f2 d5 30 60 59 35 49 d7 f0 3d 58 57 87 00 88 11 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 4

	
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

region_data 5 //Revoke List for package?

		
00 02 00 30 00 00 00 00 ba 6e 1c d5 5f 48 5b 8b 3f cc c8 60 75 ce f6 83 b2 20 dc f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

region_data 6

	
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 7
	
<pre>
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 8 //BD Firmware Package?

	
00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

region_data 9

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 10

	
de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 11

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 12

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 13

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 14

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be 

region_data 15

de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be de ad be af fa ce ba be