Talk:SC EEPROM: Difference between revisions

From PS3 Developer wiki
No edit summary
Line 77: Line 77:
The format of this region is weird, in mullions have a size of 0x200 but it was reduced to 0x100 for sherwoods<br>
The format of this region is weird, in mullions have a size of 0x200 but it was reduced to 0x100 for sherwoods<br>
In sherwoods it seems to start with 2 bytes (bringup counter), 2 bytes (shutdown counter), 4 bytes (total runtime in seconds), 4 bytes (unknown, but the last 2 bytes are always 0000), then value 0x3CEF0000 (unknown, seems to be static). The rest of the region is filled with FF, some consoles have 2 bytes used at relative offset 0x20 (as example, with value 0x55AA)
In sherwoods it seems to start with 2 bytes (bringup counter), 2 bytes (shutdown counter), 4 bytes (total runtime in seconds), 4 bytes (unknown, but the last 2 bytes are always 0000), then value 0x3CEF0000 (unknown, seems to be static). The rest of the region is filled with FF, some consoles have 2 bytes used at relative offset 0x20 (as example, with value 0x55AA)
Example (CokR40, REX-001emmc, SW3-304)
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800  05 B6 05 23 00 3D AD FA F4 80 00 00 3C EF 00 00  .¶.#.=­úô€..<ï..
00000810  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000820  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000830  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000840  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000850  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000860  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000870  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000880  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000890  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008B0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000900  01 30 00 A0 FF FF FF FF FF FF FF FF FF FF FF FF  .0. ÿÿÿÿÿÿÿÿÿÿÿÿ
</pre>


= Experimental table =
= Experimental table =
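Review bot: the added dump runs to offset 0x900, but the paragraph directly above gives the sherwood region a size of 0x100, so the last row (00000900  01 30 00 A0 ...) lies outside the region being described; drop that row or label it as the start of the following region. It would also help to annotate the first row with the field split from the description (05 B6 | 05 23 | 00 3D AD FA | F4 80 00 00 | 3C EF 00 00), which makes the byte order explicit, and to replace the fifteen all-FF rows with a one-line remark that 0x810-0x8FF is FF-filled on this console.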

Revision as of 14:28, 5 March 2022

Memory test diagnosis NVS flag

There is an NVS flag that enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows a memory test (memtest) diagnosis.

Pseudo-code:

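def check_bootrom_diag_mode():
        # mode and param are outputs of the routine; they are returned
        # together with the status as (status, mode, param).
        mode = param = None
        diag_mode = get_eeprom_bootrom_diag()   # flag word read from the EEPROM
        if diag_mode & 0x1:                     # bit 0 set
                if diag_mode & 0x100:           # bit 8 set: status 0, outputs untouched
                        return 0, mode, param
                mode = (diag_mode >> 3) & 0x1   # bit 3
                param = (diag_mode >> 3) & 0x1  # bit 3 again (same shift as mode)
        else:
                mode = (diag_mode >> 1) & 0x1   # bit 1
                param = -1
        return 1, mode, param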

EEPROM Dumps

EEPROM Strings (CP memory dump, DECR)

http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK

Bus Pirate stuff

http://i.imgur.com/48rbR51.png

(needs more wikifying)

On standby

  • Note: during this time the plaintext EEPROM is never read even once!
  • Additionally, the areas 0x26B0, 0x26D0 are not read
  • Checks status
  • Unlocks Write Command
  • Reads PATCH top half region
  • Reads PATCH bottom half region
  • Reads 0x2790?(0x20)
  • Reads 0x27B0?(0x10)
  • Reads 0x26D0 (0x10)
  • Reads some configs? (around >0x31XX area)
  • Reads 0x0 (0x10)
  • Reads some configs?
  • Reads 0x10(0x280) (EID1)?
  • Reads 0x3A00 (0x1)
  • Reads 0x290 (0x10) (EID1 CMAC?)
  • Reads 0x2A0 (0x20)
  • Reads 0x2C0 (0x20)
  • Reads 0x2E0 (0x20)
  • Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
  • Re-reads EID1 and CMAC
  • Reads 0x360
  • Reads 0x370
  • Writes (again) mostly ff's to 0x360 and 0x370
  • Re-reads EID1 and CMAC
  • Does same process with 0x460 and 0x470
  • Reads 0x2710 and 0x2730 (0x20,0x10) ???
  • Reads 0x2700 (0x10)
  • fini!

MemoryMap Syscon BB Chip

0x1000-0x1FFF: PTCH Region (patch written here)

Nice read about Syscon EEPROM

http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/

BE Count region

The format of this region is weird: on Mullions it has a size of 0x200, but it was reduced to 0x100 for Sherwoods.
On Sherwoods it seems to start with 2 bytes (bringup counter), 2 bytes (shutdown counter), 4 bytes (total runtime in seconds), 4 bytes (unknown, but the last 2 bytes are always 0000), then the value 0x3CEF0000 (unknown, seems to be static). The rest of the region is filled with FF; some consoles have 2 bytes used at relative offset 0x20 (for example, with value 0x55AA).

Example (CokR40, REX-001emmc, SW3-304)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800  05 B6 05 23 00 3D AD FA F4 80 00 00 3C EF 00 00  .¶.#.=­úô€..<ï..
00000810  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000820  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000830  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000840  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000850  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000860  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000870  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000880  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000890  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008B0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000008F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000900  01 30 00 A0 FF FF FF FF FF FF FF FF FF FF FF FF  .0. ÿÿÿÿÿÿÿÿÿÿÿÿ
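
The Sherwood layout described above, decoded from the first row of the example dump and checked against the stated invariants. This is an added example, not code from the wiki; the big-endian byte order, the name parse_be_count and the result keys are assumptions.

```python
import struct

REGION_SIZE = 0x100          # Sherwood size per the description above
STATIC_WORD = 0x3CEF0000     # value the page reports as apparently static

# Constructed sample: first row re-typed from the dump above, rest FF-filled.
SAMPLE = bytes.fromhex("05B60523003DADFAF48000003CEF0000") + b"\xFF" * 0xF0


def parse_be_count(region: bytes) -> dict:
    """Decode a Sherwood BE Count region and list deviations from the notes."""
    if len(region) != REGION_SIZE:
        raise ValueError(f"expected {REGION_SIZE:#x} bytes, got {len(region):#x}")
    # Big-endian is an assumption: it is the order in which the bytes
    # 3C EF 00 00 read as the 0x3CEF0000 quoted in the text.
    bringup, shutdown, runtime, unknown, static = struct.unpack_from(">HHIII", region)
    marker = region[0x20:0x22]                   # optional 2 bytes at +0x20
    padding = region[0x10:0x20] + region[0x22:]  # everything else should be FF
    deviations = []
    if unknown & 0xFFFF:
        deviations.append("unknown word does not end in 0000")
    if static != STATIC_WORD:
        deviations.append(f"static word is {static:#010x}")
    if padding.strip(b"\xFF"):
        deviations.append("non-FF bytes in the fill area")
    return {
        "bringup_count": bringup,
        "shutdown_count": shutdown,
        "runtime_seconds": runtime,
        "unknown": unknown,
        "offset_0x20": None if marker == b"\xFF\xFF" else int.from_bytes(marker, "big"),
        "deviations": deviations,
    }


if __name__ == "__main__":
    info = parse_be_count(SAMPLE)
    print(info, f"{info['runtime_seconds'] / 3600:.1f} h")
```

A non-empty deviations list on a dump means the region does not match the layout noted here, which is worth recording next to the console model before drawing conclusions about the unknown fields.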

Experimental table

The goal is to join together all the "memory map" info in a single table

Round 2
Area SPI / UART Syscall 863 Data Name Wikitable builder Notes (temporal)
Name Size csum Mullion Sherwood whitelist Block ID
NVS Region
whitelist Offset Size
32KB 20KB SW/2/3(emu) EEP lv1/DM UM SCM
Authenticated Data 0x2560 No 0x0000 0x0000 ?  Exploit  No  Patch   Patch   Patch  ? Data table (0x160+(0x9*0x400)) ?
? 0x150 No 0x2560 0x2560 ?  Exploit  No  Patch   Patch   Patch  ? Filled with FF's ?
System Info 0x150 No 0x26B0 0x26B0 0x0000~ ?  Exploit  No  Patch   Patch   Patch  ? This wikitable row needs to be split up into 5+ rows
Patch 1 0x400 No 0x2800 0x2800 0x2000(flash)  Exploit  No  Patch   Patch   Patch  ? 0x400 Syscon Firmware Patch (top half)
- 0x300 No 0x2C00 0x2C00 0x0B00 Yes/UART No  Patch   Patch   Patch  ? 0x300 not used Filled with FF's
Industry Area 0x100 No 0x2F00 0x2F00 0x0E00 Yes/UART 0x10  Patch  Yes Yes 0x02F00 This wikitable row needs to be split up into 20+ rows
Customer Service Area 0x100 No 0x3000 0x3000 0x0F00 Yes/UART 0x20  Patch  Yes Yes 0x03000 0x100 Filled with FF's ?
Platform Config 0x100 Yes 0x3100 0x3100 0x0040~ Yes/UART No  Patch   Patch   Patch  ? 0x100 This wikitable row needs to be split up into 5+ rows
Hardware Config 0x100 Yes 0x3200 0x3200 0x0140~ Yes/UART No  Patch   Patch   Patch  ? 0x100 This wikitable row needs to be split up into 40+ rows
Thermal Config 0x200 Yes 0x3300 0x3300 0x0250~ Yes/UART No  Patch   Patch   Patch  ? 0x200 Data table. See: Syscon Thermal Configs
BE Count 0x200 No 0x3500 0x3500 0x0800 (size 0x100) Yes/UART No  Patch   Patch   Patch  ? 0x200 Data table
Error Log 0x100 No 0x3700 0x3700 0x0900 Yes/UART No  Patch   Patch   Patch  ? 0x100 Data table. See: Syscon Error Codes
- 0x100 No 0x3800 0x3800 N/A ? Yes/UART No  Patch   Patch   Patch  ? 0x100 not used Filled with FF's
Board Config/Debug 0x100 Yes 0x3900 0x3900 0x0000~ ? Yes/UART No  Patch   Patch   Patch  ? 0x100 This wikitable row needs to be split up into 15+ rows
HDMI/DVE Config 0x100 No 0x3A00 0x3A00 0x0A00 Yes/UART No  Patch   Patch   Patch  ? 0x100 This wikitable row needs to be split up into 5+ rows
- 0x100 No 0x3B00 0x3B00 N/A ? Yes/UART No  Patch   Patch   Patch  ? 0x100 not used Filled with FF's
Config Ring 0x200 Yes 0x3C00 0x3C00 0x0400 ? Yes/UART No  Patch   Patch   Patch  ? 0x200 not used Filled with FF's
Debug 2 0x200 Yes 0x3E00 0x3E00 0x0600 ? Yes/UART No  Patch   Patch   Patch  ? 0x200 not used Filled with FF's
- 0x3000 No 0x4000 N/A N/A Yes/UART No  Patch   Patch   Patch  ? 0x3000 reserved Filled with FF's
System Config ? 0x100 No 0x7000 0x4000 0x1000 Yes/UART 0x0  Patch   Patch  Yes 0x48000 0x100 Filled with FF's ?
System Event Log ? 0x100 No 0x7100 0x4100 0x1100 Yes/UART 0x1  Patch   Patch  Yes 0x48800 Data table (0x10+(0x6*0x28)) Header + Data table ?
Flags and Tokens 0x100 No 0x7200 0x4200 0x1200 Yes/UART 0x2  Patch  Yes or Patch* Yes 0x48C00 This wikitable row needs to be split up into 50+ rows
System Data ? 0x100 No 0x7300 0x4300 0x1300 Yes/UART 0x3  Patch   Patch  Yes 0x48D00 0x100 Filled with FF's ?
Patch 2 0xC00 No 0x7400 0x4400 0x2000(flash)  Exploit  No  Patch   Patch   Patch  ? 0xC00 Syscon Firmware Patch (bottom half)