Talk:SC EEPROM: Difference between revisions
Jump to navigation
Jump to search
| Line 105: | Line 105: | ||
{| class="wikitable" style="line-height:110%; font-size: | {| class="wikitable" style="line-height:110%; font-size:85%" | ||
|+ Round 2 | |+ Round 2 | ||
! colspan="3" | Area !! colspan="4" | [[Syscon_Hardware|SPI / UART]] !! colspan="6" | [[LV2_Functions_and_Syscalls#process_socket_service_syscalls|Syscall 863]] !! rowspan="3" | Data Name !! rowspan="3" | Notes | ! colspan="3" | Area !! colspan="4" | [[Syscon_Hardware|SPI / UART]] !! colspan="6" | [[LV2_Functions_and_Syscalls#process_socket_service_syscalls|Syscall 863]] !! rowspan="3" | Data Name !! rowspan="3" | Notes | ||
| Line 117: | Line 117: | ||
| {{no}} || 0x2600 || 0x2600 || ? || ? || ? || ? || ? || ? || ? || 0x200 || || {{cellcolors|#ffff99}} Encrypted region | | {{no}} || 0x2600 || 0x2600 || ? || ? || ? || ? || ? || ? || ? || 0x200 || || {{cellcolors|#ffff99}} Encrypted region | ||
|- | |- | ||
! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Patch | ! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Patch 1</span> | ||
! 0x400 | ! 0x400 | ||
| {{No}} || 0x2800 || 0x2800 || <abbr title="On Sherwood the patch isn't even stored in the emulated eeprom, it's stored inside the firmware (0x2000-0x2FFF)>0x2000 ?</abbr> || {{exploitable}} || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || 0x02800 || 0x400 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (top half) || {{cellcolors|#ffff99}} Encrypted region | | {{No}} || 0x2800 || 0x2800 || <abbr title="On Sherwood the patch isn't even stored in the emulated eeprom, it's stored inside the firmware (0x2000-0x2FFF)>0x2000 ?</abbr> || {{exploitable}} || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || 0x02800 || 0x400 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (top half) || {{cellcolors|#ffff99}} Encrypted region | ||
| Line 143: | Line 143: | ||
| {{yes}} || 0x3300 || 0x3300 || 0x250 || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x200 || Data table using [[Syscon_Thermal_Config/structs|this C structure]] || See: [[Syscon Thermal Config]] | | {{yes}} || 0x3300 || 0x3300 || 0x250 || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x200 || Data table using [[Syscon_Thermal_Config/structs|this C structure]] || See: [[Syscon Thermal Config]] | ||
|- | |- | ||
! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">On/Off Count | ! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">On/Off Count/Time</span> | ||
! 0x200 | ! 0x200 | ||
| {{no}} || 0x3500 || 0x3500 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x200 || Data table || | | {{no}} || 0x3500 || 0x3500 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" {{yes}} || ? || ? || ? || ? || ? || 0x200 || Data table || | ||
| Line 159: | Line 159: | ||
| {{patchable}} || {{yes}} || {{yes}} || 0x48C02 || 0x01 || Network Debug Interface Mode || sys.dbgcard.dgbe / debug interface (select_net_device)<br>-1 = Ethernet 2<br> 0 = IFB<br> 1 = CP<br> 2 = SB UART<br> 3 = CP ch4<br> 5 = Disabled | | {{patchable}} || {{yes}} || {{yes}} || 0x48C02 || 0x01 || Network Debug Interface Mode || sys.dbgcard.dgbe / debug interface (select_net_device)<br>-1 = Ethernet 2<br> 0 = IFB<br> 1 = CP<br> 2 = SB UART<br> 3 = CP ch4<br> 5 = Disabled | ||
|- | |- | ||
! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Patch | ! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Patch 2</span> | ||
! 0xC00 | ! 0xC00 | ||
| {{No}} || 0x7400 || 0x4400 || <abbr title="On Sherwood the patch isn't even stored in the emulated eeprom, it's stored inside the firmware (0x2000-0x2FFF)>0x2400 ?</abbr> || {{exploitable}} || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || ? || ? || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (bottom half) || {{cellcolors|#ffff99}} Encrypted region | | {{No}} || 0x7400 || 0x4400 || <abbr title="On Sherwood the patch isn't even stored in the emulated eeprom, it's stored inside the firmware (0x2000-0x2FFF)>0x2400 ?</abbr> || {{exploitable}} || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || ? || ? || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (bottom half) || {{cellcolors|#ffff99}} Encrypted region | ||
|} | |} | ||
Revision as of 19:29, 28 November 2021
Memory test diagnosis NVS flag
There is a NVS flag which enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows memtest diagnose.
Pseudo-code:
def check_bootrom_diag_mode(mode, param)
diag_mode = get_eeprom_bootrom_diag()
if diag_mode & 0x1:
if diag_mode & 0x100:
return 0
mode = (diag_mode >> 3) & 0x1
param = (diag_mode >> 3) & 0x1
else:
mode = (diag_mode >> 1) & 0x1
param = -1
return 1
EEPROM Dumps
EEPROM Strings (CP memory dump, DECR)
http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK
Bus Pirate stuff
http://i.imgur.com/48rbR51.png
(needs more wikifying)
On standby
- Note: during this time the plaintext EEPROM is never read even once!
- Additionally, the areas 0x26B0, 0x26D0 are not read
- Checks status
- Unlocks Write Command
- Reads PATCH top half region
- Reads PATCH bottom half region
- Reads 0x2790?(0x20)
- Reads 0x27B0?(0x10)
- Reads 0x26D0 (0x10)
- Reads some configs? (around >0x31XX area)
- Reads 0x0 (0x10)
- Reads some configs?
- Reads 0x10(0x280) (EID1)?
- Reads 0x3A00 (0x1)
- Reads 0x290 (0x10) (EID1 CMAC?)
- Reads 0x2A0 (0x20)
- Reads 0x2C0 (0x20)
- Reads 0x2E0 (0x20)
- Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
- ReReads EID1 and CMAC
- Reads 0x360
- Reads 0x370
- Writes (again) mostly ff's to 0x360 and 0x370
- ReReads EID1 and CMAC
- Does same process with 0x460 and 0x470
- Reads 0x2710 and 0x2730 (0x20,0x10) ???
- Reads 0x2700 (0x10)
- fini!
MemoryMap Syscon BB Chip
0x1000-0x1FFF:PTCH Region (patch written here)
Nice read about Syscon EEPROM
http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/
Experimental table
The goal is to join together all the "memory map" info in a single table
| Area | SPI / UART | Syscall 863 | Data Name | Notes | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Name | Size | Mullion | Sherwood | EEP whitelist |
NVS ID |
Block ID |
UM whitelist | SCM whitelist | Offset | Size | |||||
| CXR713 | CXR714 | SW/2/3 | Read | Write | Read | Write | |||||||||
| Patch Part 1 | 0x400 | 0x2800 | 0x2800 | ? | No* | N/A | N/A | No | No | No | No | 0x02800 | 0x400 | Syscon Firmware Patch (top half) | |
| OS Version Area a.k.a. Industry Area |
0x100 | 0x2F00 | 0x2F00 | 0xE00 | Yes | 0x20 | 0x10 | Yes | No | Yes | No | 0x02F00 | 0x08 | Manufacturing Update Release Version | |
| Yes | No | Yes | No | 0x02F08 | 0x18 | Manufacturing Update Build Version + Build Date | |||||||||
| Yes | No | Yes | No | 0x02F20 | 0x08 | Manufacturing Update Build Target ID | |||||||||
| Yes | No | Yes | No | 0x02F28 | 0xD0 | Undocumented | |||||||||
| Yes | No | Yes | No | 0x02FF8 | 0x01 | Factory Bit | |||||||||
| Yes | No | Yes | No | 0x02FF9 | 0x07 | Undocumented | |||||||||
| Area | SPI / UART | Syscall 863 | Data Name | Notes | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Name | Size | csum | Mullion | Sherwood | whitelist | Block ID NVS Region |
whitelist | Offset | Size | |||||
| CXR713 | CXR714 | SW/2/3 | EEP | DM | UM | SCM | ||||||||
| System Info | 0x200 | No | 0x2600 | 0x2600 | ? | ? | ? | ? | ? | ? | ? | 0x200 | Encrypted region | |
| Patch 1 | 0x400 | No | 0x2800 | 0x2800 | 0x2000 ? | Exploit | N/A | No | No | No | 0x02800 | 0x400 | Syscon Firmware Patch (top half) | Encrypted region |
| - | 0x300 | No | 0x2C00 | 0x2C00 | ? | ? | N/A | No | No | No | 0x02C00 | 0x300 | empty | Region not used |
| Industry Area | 0x100 | No | 0x2F00 | 0x2F00 | 0xE00 | Yes | 0x10 | Patch | Yes | Yes | 0x02F00 | 0x08 | Manufacturing Update Release Version | e.g: 04.6000 |
| 0x02F08 | 0x18 | Manufacturing Update Build Version + Build Date | e.g: 63910,20140618 | |||||||||||
| 0x02F20 | 0x08 | Manufacturing Update Build Target ID | Written during the manufacturing fw update process according to target string inside /dev_flash/vsh/etc/version.txt 0x83 = CEX-ww 0x82 = DEX-ww 0x81 = DevelopmentTool 0xDEAD = ? | |||||||||||
| 0x02F28 | 0xD0 | Undocumented | ||||||||||||
| 0x02FF8 | 0x01 | Factory Bit | 0 = ? 1 = Reset 2 = ? 3 = ? (used on retails) | |||||||||||
| 0x02FF9 | 0x07 | Undocumented | ||||||||||||
| Thermal Config | 0x200 | Yes | 0x3300 | 0x3300 | 0x250 | Yes | ? | ? | ? | ? | ? | 0x200 | Data table using this C structure | See: Syscon Thermal Config |
| On/Off Count/Time | 0x200 | No | 0x3500 | 0x3500 | ? | Yes | ? | ? | ? | ? | ? | 0x200 | Data table | |
| Error Log | 0x100 | No | 0x3700 | 0x3700 | 0x900 | Yes | ? | ? | ? | ? | ? | 0x100 | Data table | See: Syscon Error Codes |
| Flags and Tokens | 0x100 | No | 0x7200 | 0x4200 | 0x1200 | Yes | 0x02 | Patch | Yes | Yes | 0x48C00 | 0x01 | OS boot order flag | load_image_in_rom (os_boot_order_flag) 0 = Network first 1 = Flash first |
| Patch | Patch | Yes | 0x48C01 | 0x01 | sys.dbgcard.hostpc | force standalone mode related | ||||||||
| Patch | Yes | Yes | 0x48C02 | 0x01 | Network Debug Interface Mode | sys.dbgcard.dgbe / debug interface (select_net_device) -1 = Ethernet 2 0 = IFB 1 = CP 2 = SB UART 3 = CP ch4 5 = Disabled | ||||||||
| Patch 2 | 0xC00 | No | 0x7400 | 0x4400 | 0x2400 ? | Exploit | N/A | No | No | No | ? | ? | Syscon Firmware Patch (bottom half) | Encrypted region |