Talk:Flash

From PS3 Developer wiki

It would be great if the admin could install the SyntaxHighlight extension in MediaWiki:

http://www.mediawiki.org/wiki/Extension:ASHighlight

On my list of things to do. Admin 21:25, 11 April 2011 (CDT)



observations comparing dumps

Encrypted files appear to have a header:

From metldr

 00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
 00000850  00 00 0E 8E 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ...Žx¥aà.rn÷§.A«

 00000840  00 00 0E 8E 99 87 3B C7 15 F2 80 80 9C 30 22 25  ...Ž™‡;Ç.ò€€œ0"%
 00000850  00 00 0E 8E 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ...Ž...©Yu.ÌÁrÕP

From bootldr

 00FC0000  00 00 2F 4B 53 92 1C E7 F7 33 41 76 9B 7A 1E D6  ../KS’.ç÷3Av›z.Ö
 00FC0010  00 00 2F 4B 78 A5 61 E0 17 72 6E F7 A7 1B 41 AB  ../Kx¥aà.rn÷§.A«

 00FC0000  00 00 2F 4B CB 9E 15 24 28 B4 4F D2 F9 3F BC 43  ../KËž.$(´OÒù?¼C
 00FC0010  00 00 2F 4B 81 2E 00 A9 59 75 01 CC C1 72 D5 50  ../K...©Yu.ÌÁrÕP

Also note that these values are found within the eEID region.


Also noted that near the end of region 1 there seems to be a recurring pattern: it repeats the following 20 bytes 199 times

00EFD740                          0A 9E F8 79 2B 99 37 5A          .žøy+™7Z
00EFD750  53 49 92 D7 A5 BD 99 2A 26 2D 39 B8              SI’×¥½™*&-9¸

then it has these 15 bytes:

00EFE6D0              8C 37 E4 F4 CC CC 59 02 D0 FA B8 A5      Œ7äôÌÌY.Ðú¸¥
00EFE6E0  1E 42 98 DD 54 AF 8D 5E                          .B˜ÝT¯.^

Then it repeats the first 20 bytes 199 times. Looks like they tried to hide it?

Same on the other dump, but with different data:

00EFD740                          17 D8 FE B6 56 B6 84 F2          .Øþ¶V¶„ò
00EFD750  5E 17 E9 5D B1 80 E1 D2 00 6F 88 26              ^.é]±€áÒ.oˆ&
00EFE6D0              E7 BF FF DA E2 2E A3 B8 73 79 76 C8      ç¿ÿÚâ.£¸syvÈ
00EFE6E0  B1 72 B3 E7 B9 33 70 F6                          ±r³ç¹3pö

Done some work on decoding region 2 today:
Region 2 seems to be the vflash partition table? These might be the first 2 regions?
The partition table is 4096 bytes.
Format:
16 bytes 00's
16 bytes magic: 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD FA CE
8 bytes 0x03
8 bytes 0x02 (number of partitions?)
144 bytes 00's
Partition entries:
8 bytes entry point (entry point * 0x200) relative to 0x00 on flash
8 bytes entry length (entry length * 0x200)
32 bytes 10 70 00 00 01 00 00 01 00 00 00 00 00 00 00 03 10 70 00 00 02 00 00 01 00 00 00 00 00 00 00 03
96 bytes 00's

sample of my flash: http://www.megaupload.com/?d=J5UKO3HX
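A parser for the region 2 layout described in the post above, added here as an example; it is not code from the original post or from any PS3 tool. It assumes every 8-byte field is big-endian (the magic reads naturally that way and the Cell is big-endian), treats the 32-byte block after start/length as an opaque flags field, and builds its own sample table with made-up sector numbers because the page gives no real entry values.

```python
import struct

# Layout from the post: offsets within the 4096-byte region 2 blob.
# Endianness is an assumption (big-endian), not something the post states.
PT_SIZE = 4096
MAGIC = bytes.fromhex("000000000FACE0FF00000000DEADFACE")
SECTOR = 0x200
HEADER_SIZE = 16 + 16 + 8 + 8 + 144   # 192 bytes before the first entry
ENTRY_SIZE = 8 + 8 + 32 + 96          # 144 bytes per partition entry


def parse_partition_table(blob):
    """Validate the header and return (count_field, [entry dicts]); raise ValueError on any deviation."""
    if len(blob) != PT_SIZE:
        raise ValueError(f"expected {PT_SIZE} bytes, got {len(blob)}")
    if blob[0:16] != bytes(16):
        raise ValueError("first 16 bytes are not zero")
    if blob[16:32] != MAGIC:
        raise ValueError(f"bad magic: {blob[16:32].hex()}")
    version, count = struct.unpack(">QQ", blob[32:48])
    if version != 3:
        raise ValueError(f"unexpected value in the 0x03 field: {version:#x}")
    if blob[48:HEADER_SIZE] != bytes(144):
        raise ValueError("reserved header bytes are not zero")
    if HEADER_SIZE + count * ENTRY_SIZE > PT_SIZE:
        raise ValueError(f"entry count {count} does not fit in {PT_SIZE} bytes")
    entries = []
    for i in range(count):
        off = HEADER_SIZE + i * ENTRY_SIZE
        start_sec, len_sec = struct.unpack(">QQ", blob[off:off + 16])
        flags = blob[off + 16:off + 48]
        if blob[off + 48:off + ENTRY_SIZE] != bytes(96):
            raise ValueError(f"entry {i}: reserved bytes are not zero")
        entries.append({
            "index": i,
            "start": start_sec * SECTOR,           # byte offset relative to 0x0 on flash
            "length": len_sec * SECTOR,
            "end": (start_sec + len_sec) * SECTOR,
            "flags": flags.hex(),
        })
    return count, entries


def build_sample_table():
    """Constructed sample table with two entries; sector numbers are invented for illustration."""
    flags = bytes.fromhex("10700000010000010000000000000003"
                          "10700000020000010000000000000003")
    blob = bytearray(PT_SIZE)
    blob[16:32] = MAGIC
    blob[32:48] = struct.pack(">QQ", 3, 2)
    for i, (start_sec, len_sec) in enumerate([(0x10, 0x100), (0x110, 0x200)]):
        off = HEADER_SIZE + i * ENTRY_SIZE
        blob[off:off + 16] = struct.pack(">QQ", start_sec, len_sec)
        blob[off + 16:off + 48] = flags
    return bytes(blob)


if __name__ == "__main__":
    count, entries = parse_partition_table(build_sample_table())
    print(f"{count} partitions")
    for e in entries:
        print(f"  #{e['index']}: {e['start']:#x}-{e['end']:#x} ({e['length']:#x} bytes)")
```

Every fixed field is checked rather than skipped, so a blob with a wrong magic, a nonsense entry count or non-zero padding is rejected instead of silently producing offsets; that matters when the same parser is later pointed at a dump of unknown provenance.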



norunpack

Changed version for Progskeet: http://pastebin.com/HNvCbF7d




List of files on NOR Flash

The following is a list of files stored in NOR Flash

Name             | TOC Offset | TOC Index | Start Offset (Relative) | Start Offset (Absolute) | End Offset (Relative) | End Offset (Absolute) | Size                       | Notes
asecure_loader   | 0x400      | 0         | 0x400                   | 0x810                   | 0x2E800               | 0x2F010               | 0x2E800 (190,464 bytes)    | aka metldr
eEID             | 0x400      | 1         | 0x2EC00                 | 0x2F010                 | 0x3EC00               | 0x3F010               | 0x10000 (65,636 bytes)     | IDPS @ offset 0x0002F070 absolute / 0x00000070 inside eEID
cISD             | 0x400      | 2         | 0x3EC00                 | 0x3F010                 | 0x3F400               | 0x3F810               | 0x800 (2,048 bytes)        |
cCSD             | 0x400      | 3         | 0x3F400                 | 0x3F810                 | 0x3FC00               | 0x40010               | 0x800 (2,048 bytes)        |
trvk_prg0        | 0x400      | 4         | 0x3FC00                 | 0x40010                 | 0x5FC00               | 0x60010               | 0x20000 (131,072 bytes)    |
trvk_prg1        | 0x400      | 5         | 0x5FC00                 | 0x60010                 | 0x7FC00               | 0x80010               | 0x20000 (131,072 bytes)    |
trvk_pkg0        | 0x400      | 6         | 0x7FC00                 | 0x80010                 | 0x9FC00               | 0xA0010               | 0x20000 (131,072 bytes)    |
trvk_pkg1        | 0x400      | 7         | 0x9FC00                 | 0xA0010                 | 0xBFC00               | 0xC0010               | 0x20000 (131,072 bytes)    |
ros0             | 0x400      | 8         | 0xBFC00                 | 0xC0010                 | 0x7BFC00              | 0x7C0010              | 0x700000 (7,340,032 bytes) | Contains CoreOS files
ros1             | 0x400      | 9         | 0x7BFC00                | 0x7C0010                | 0xEBFC00              | 0xEC0010              | 0x700000 (7,340,032 bytes) | Contains CoreOS files
cvtrm            | 0x400      | 10        | 0xEBFC00                | 0xEC0010                | 0xEFFC00              | 0xF00010              | 0x40000 (262,144 bytes)    |
CELL_EXTNOR_AREA |            |           |                         | 0xF20000                |                       | 0xFA0040              | 0x80040 (524,352 bytes)    |
bootldr          |            |           |                         | 0xFC0000                |                       | 0xFEEAF0              | 0x2EAF0 (191,216 bytes)    | End @ FEF170, FEF570, FEF5F0, FEF600 in some dumps
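Before carving regions out of a dump with offsets copied from a table like this, it is worth checking that the columns agree with each other. The following is an added example, not tooling from the wiki: it embeds the TOC rows exactly as listed above, checks that end = start + size, that absolute = relative + 0x410 (the difference every row uses), that consecutive rows are contiguous, and then carves a region by its absolute offsets. The sample dump it carves from is a constructed all-zero buffer of NOR size.

```python
# TOC rows as given in the table above: (name, toc_index, start_rel, start_abs, end_rel, end_abs, size).
NOR_TOC_ENTRIES = [
    ("asecure_loader", 0, 0x400,    0x810,    0x2E800,  0x2F010,  0x2E800),
    ("eEID",           1, 0x2EC00,  0x2F010,  0x3EC00,  0x3F010,  0x10000),
    ("cISD",           2, 0x3EC00,  0x3F010,  0x3F400,  0x3F810,  0x800),
    ("cCSD",           3, 0x3F400,  0x3F810,  0x3FC00,  0x40010,  0x800),
    ("trvk_prg0",      4, 0x3FC00,  0x40010,  0x5FC00,  0x60010,  0x20000),
    ("trvk_prg1",      5, 0x5FC00,  0x60010,  0x7FC00,  0x80010,  0x20000),
    ("trvk_pkg0",      6, 0x7FC00,  0x80010,  0x9FC00,  0xA0010,  0x20000),
    ("trvk_pkg1",      7, 0x9FC00,  0xA0010,  0xBFC00,  0xC0010,  0x20000),
    ("ros0",           8, 0xBFC00,  0xC0010,  0x7BFC00, 0x7C0010, 0x700000),
    ("ros1",           9, 0x7BFC00, 0x7C0010, 0xEBFC00, 0xEC0010, 0x700000),
    ("cvtrm",         10, 0xEBFC00, 0xEC0010, 0xEFFC00, 0xF00010, 0x40000),
]
REL_TO_ABS = 0x410      # absolute - relative for every TOC row in the table
NOR_SIZE = 0x1000000    # 16 MiB NOR dump


def check_nor_table(rows):
    """Return a list of human-readable inconsistencies found in the table rows (empty if all agree)."""
    problems = []
    prev = None
    for name, idx, s_rel, s_abs, e_rel, e_abs, size in rows:
        if s_rel + size != e_rel:
            problems.append(f"{name}: start_rel + size = {s_rel + size:#x} but end_rel is {e_rel:#x}")
        if s_abs != s_rel + REL_TO_ABS:
            problems.append(f"{name}: start_abs {s_abs:#x} != start_rel + {REL_TO_ABS:#x}")
        if e_abs != e_rel + REL_TO_ABS:
            problems.append(f"{name}: end_abs {e_abs:#x} != end_rel + {REL_TO_ABS:#x}")
        if prev is not None:
            p_name, p_idx, p_e_rel = prev
            if s_rel != p_e_rel:
                problems.append(f"{name}: start_rel {s_rel:#x} does not follow {p_name} end_rel {p_e_rel:#x}")
            if idx != p_idx + 1:
                problems.append(f"{name}: TOC index {idx} does not follow {p_idx}")
        prev = (name, idx, e_rel)
    return problems


def carve(dump, name, rows=NOR_TOC_ENTRIES):
    """Slice a region out of a dump by the absolute offsets the table gives for it."""
    for row in rows:
        if row[0] == name:
            s_abs, e_abs = row[3], row[5]
            if e_abs > len(dump):
                raise ValueError(f"{name}: end {e_abs:#x} is beyond the dump ({len(dump):#x} bytes)")
            return dump[s_abs:e_abs]
    raise KeyError(name)


if __name__ == "__main__":
    for p in check_nor_table(NOR_TOC_ENTRIES):
        print("table inconsistency:", p)
    sample = bytes(NOR_SIZE)          # constructed, all-zero stand-in for a real dump
    print("cISD region is", len(carve(sample, "cISD")), "bytes")
```

Run as-is, the checker reports that the asecure_loader row's end offsets do not match its start plus size and that the eEID row does not follow it, while every other row agrees; carving should rely only on rows that pass.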


metldr revision

There are at least 8 different metldr revisions (pre 3.60, aka metldr.2); only 3.50+ have the metldr version check.

metldr+bootldr sizes

Datecode / Manufacturing date                                  | metldr @ 0x81E (NOR) / 0x4081E (NAND) | metldr @ 0x842 (NOR) / 0x40842 (NAND) | bootldr @ 0xFC0002 (NOR) / 0x0 (NAND) | bootldr @ 0xFC0012 (NOR) / 0x12 (NAND) | Notes
                                                               | EE 10 | 0E DD | 2A 3F | 2A 3F | OK
                                                               | E8 90 | 0E 85 | 2F 13 | 2F 13 | OK
                                                               | E8 D0 | 0E 89 | 2E AB | 2E AB | OK
CECHH (DIA-001)                                                | E8 E0 | 0E 8A | 2E F4 | 2E F4 | OK
                                                               | E9 20 | 0E 8E | 2F 4B | 2F 4B | OK
                                                               | E9 60 | 0E 92 | 2F 53 | 2F 53 |
CECH2504A (JTP-001) with 3.56 from factory - datecode 1B       | E9 60 | 0E 92 | 2F 5B | 2F 5B | (RLOD+) poweroff @ downgrade 355
CECHJ (DIA-002)                                                | EA 60 | 0E A2 | 2E E3 | 2E E3 | OK
                                                               | EB F0 | 0E BB |       |       |
CECH2504B (JSD-001), with 3.60 from factory - datecode 1B      |       |       |       |       |
CECH3012A (KTE-001), with 3.65 from factory - datecode [N.A.]  | F9 20 | 0F 8E | 2F FB | 2F FB | "metldr.2"; (RLOD+) poweroff @ downgrade 355
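The four value columns of this table are simply 16-bit words read from the flash at the offsets in the column headers, and the metldr and bootldr dump excerpts under "observations comparing dumps" show where two of them come from (00 00 0E 8E at 0x840 and 00 00 2F 4B at 0xFC0000). The following added example (not code from the wiki) reads those words from a dump for either the NOR or the NAND offset set and reproduces a table row, and it also checks the observation from the dump excerpts that the 4-byte prefix of each loader header is repeated 16 bytes later. The sample dump is constructed: a zero-filled NOR-sized buffer with the page's two header excerpts copied in, plus E9 20 at 0x81E taken from the matching table row, since the excerpts do not show that offset. The header-repeat check is NOR-only, because the page gives no NAND dump excerpt to base it on.

```python
# Offsets from the column headers of the metldr+bootldr size table.
LOADER_WORD_OFFSETS = {
    "nor":  {"metldr_0x81e": 0x81E,   "metldr_0x842": 0x842,   "bootldr_0xfc0002": 0xFC0002, "bootldr_0xfc0012": 0xFC0012},
    "nand": {"metldr_0x81e": 0x4081E, "metldr_0x842": 0x40842, "bootldr_0xfc0002": 0x0,      "bootldr_0xfc0012": 0x12},
}
NOR_SIZE = 0x1000000  # 16 MiB NOR dump

# NOR locations of the two 32-byte header excerpts shown in the dump comparison above.
METLDR_HEADER_OFF = 0x840
BOOTLDR_HEADER_OFF = 0xFC0000


def read_word(dump, offset):
    """Two bytes at `offset`, formatted 'XX YY' like the table cells."""
    if offset < 0 or offset + 2 > len(dump):
        raise ValueError(f"offset {offset:#x} is outside the dump")
    return dump[offset:offset + 2].hex(" ").upper()


def loader_words(dump, flash="nor"):
    """Dict of the four table values for a NOR or NAND dump."""
    return {name: read_word(dump, off) for name, off in LOADER_WORD_OFFSETS[flash].items()}


def table_row(dump, flash="nor"):
    """The four values joined in table order, e.g. 'E9 20 0E 8E 2F 4B 2F 4B'."""
    w = loader_words(dump, flash)
    return " ".join(w[k] for k in ("metldr_0x81e", "metldr_0x842", "bootldr_0xfc0002", "bootldr_0xfc0012"))


def header_prefix_repeats(dump):
    """(metldr_ok, bootldr_ok): does the first 4-byte word of each NOR header recur at +0x10, as in the excerpts?"""
    m = dump[METLDR_HEADER_OFF:METLDR_HEADER_OFF + 0x20]
    b = dump[BOOTLDR_HEADER_OFF:BOOTLDR_HEADER_OFF + 0x20]
    if len(m) < 0x20 or len(b) < 0x20:
        raise ValueError("dump is too short to contain both headers")
    return m[0:4] == m[16:20], b[0:4] == b[16:20]


def build_sample_nor():
    """Constructed NOR-sized buffer carrying the page's metldr and bootldr header excerpts."""
    dump = bytearray(NOR_SIZE)
    dump[0x81E:0x820] = bytes.fromhex("E920")          # from the table row, not from an excerpt
    dump[0x840:0x860] = bytes.fromhex(                  # metldr excerpt, first dump
        "00000E8E99873BC715F280809C302225"
        "00000E8E78A561E017726EF7A71B41AB")
    dump[0xFC0000:0xFC0020] = bytes.fromhex(            # bootldr excerpt, first dump
        "00002F4B53921CE7F73341769B7A1ED6"
        "00002F4B78A561E017726EF7A71B41AB")
    return bytes(dump)


if __name__ == "__main__":
    nor = build_sample_nor()
    print("table row:", table_row(nor))
    print("header prefix repeats (metldr, bootldr):", header_prefix_repeats(nor))
```

On the constructed dump the row comes out as E9 20 0E 8E 2F 4B 2F 4B, the same entry that appears in the table, and both header-repeat checks pass; a dump whose row does not match any table entry, or whose prefixes do not repeat, is worth a second look before anything is concluded from it.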

EID correctness

  [8/31/2011 1:41:13 AM] xxxxxxxxxxxxxx: the information on the PS3 dev wiki was intentionally faulty
  [8/31/2011 1:41:15 AM] qqqqq: Use the creativity or fail to find it.
[...]
  [8/31/2011 1:41:34 AM] xxxxxxxxxxxxxx: so people can't use the 'knowledge'
[...]
  [8/31/2011 1:41:43 AM] qqqqq: xxxxxx, uuuu has done a very good job at fixing what IS wrong. If you saw something wrong, why didn't you ask uuuu about it to fix it?
  [8/31/2011 1:41:55 AM] xxxxxxxxxxxxxx: that's not what guys like rrrrrrr have told me
  [8/31/2011 1:41:58 AM] xxxxxxxxxxxxxx: it's intentionally faulty
  [8/31/2011 1:42:03 AM] qqqqq: Instead you left it how it was and bitched about it.
  [8/31/2011 1:42:07 AM] xxxxxxxxxxxxxx: to prevent any meaningful extraction of keys
  [8/31/2011 1:42:11 AM] qqqqq: If it was fault again talk to uuuu
  [8/31/2011 1:42:24 AM] xxxxxxxxxxxxxx: no - uuuu could not have even known about it
  [8/31/2011 1:42:28 AM] xxxxxxxxxxxxxx: it was something only a kkkk could know
  [8/31/2011 1:42:45 AM] qqqqq: You'd be surprised what uuuu knows. he really is a walking encyclopedia of the ps3.
  [8/31/2011 1:42:48 AM] xxxxxxxxxxxxxx: that wiki is compromised with purposeful misinformation
  [8/31/2011 1:42:59 AM] xxxxxxxxxxxxxx: and that's what rrrrrrr actually said and thinks
  [8/31/2011 1:43:17 AM] xxxxxxxxxxxxxx: I'm talking about ps3 dev wiki BTW here
  [8/31/2011 1:43:25 AM] qqqqq: if it's providing false info, then why not make a site to provide the right info? *gasps*
  [8/31/2011 1:43:34 AM] xxxxxxxxxxxxxx: well he did make the suggestion
  [8/31/2011 1:43:38 AM] xxxxxxxxxxxxxx: but it didn't go over well with these people
  [8/31/2011 1:43:45 AM] yyyyyyyy: kkkk wasn't the only one with cex-dex shit
  [8/31/2011 1:43:50 AM] yyyyyyyy: hell he's not even the one who wrote it
  [8/31/2011 1:44:01 AM] yyyyyyyy: so you can stfu about that
  [8/31/2011 1:44:09 AM] xxxxxxxxxxxxxx: hell do I know who the fuck wrote CEX-DEX
  [8/31/2011 1:44:27 AM] xxxxxxxxxxxxxx: all I know is that there are a bunch of conniving shits that want a wiki intentionally 'disinfoed' like that
  [8/31/2011 1:44:35 AM] xxxxxxxxxxxxxx: people in the know
  [8/31/2011 1:44:49 AM] yyyyyyyy: and one conniving shit here trying to save his hide
  [8/31/2011 1:44:57 AM] qqqqq: xxxxxx, again as i said. If there was false info (Which uuuu would never do) Why not fix it
  [8/31/2011 1:45:21 AM] xxxxxxxxxxxxxx: go ask rrrrrrr - I dunno
  [8/31/2011 1:45:26 AM] qqqqq: DO you think he purposely makes changes so that it's wrong? That'd create an even bigger headache if a noob attempted it and bugged us in the chat
  [8/31/2011 1:45:32 AM] xxxxxxxxxxxxxx: the EID/CEX-DEX info was incomplete
  [8/31/2011 1:45:33 AM] xxxxxxxxxxxxxx: faulty