Talk:SC EEPROM: Difference between revisions
Jump to navigation
Jump to search
| Line 100: | Line 100: | ||
|- {{cellcolors|lightgrey}} | |- {{cellcolors|lightgrey}} | ||
! - !! 0x300 !! {{No}} | ! - !! 0x300 !! {{No}} | ||
| 0x2C00 || 0x2C00 || 0x0B00 || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x300 || style="text-align:center" | ''not used'' || Filled with FF's | | 0x2C00 || 0x2C00 || 0x0B00 || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x300 || style="text-align:center" | ''not used'' || Filled with FF's | ||
|- | |- | ||
! Industry Area !! 0x100 !! {{no}} | ! Industry Area !! 0x100 !! {{no}} | ||
| 0x2F00 || 0x2F00 || 0x0E00 || {{yes}} || 0x10 || {{patchable}} || {{yes}} || {{yes}} || 0x02F00 || || || This wikitable row needs to be splitted up to 20+ rows | | 0x2F00 || 0x2F00 || 0x0E00 || {{yes}}/UART || 0x10 || {{patchable}} || {{yes}} || {{yes}} || 0x02F00 || || || This wikitable row needs to be splitted up to 20+ rows | ||
|- {{cellcolors|#e3e3e3}} | |- {{cellcolors|#e3e3e3}} | ||
! Customer Service Area !! 0x100 !! {{no}} | ! Customer Service Area !! 0x100 !! {{no}} | ||
| 0x3000 || 0x3000 || 0x0F00 || {{yes}} || 0x20 || {{patchable}} || {{yes}} || {{yes}} || 0x03000 || 0x100 || || Filled with FF's ? | | 0x3000 || 0x3000 || 0x0F00 || {{yes}}/UART || 0x20 || {{patchable}} || {{yes}} || {{yes}} || 0x03000 || 0x100 || || Filled with FF's ? | ||
|- | |- | ||
! Platform Config !! 0x100 !! {{yes}} | ! Platform Config !! 0x100 !! {{yes}} | ||
| 0x3100 || 0x3100 || 0x00000 ? || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || || This wikitable row needs to be splitted up to 5+ rows | | 0x3100 || 0x3100 || 0x00000 ? || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || || This wikitable row needs to be splitted up to 5+ rows | ||
|- | |- | ||
! Hardware Config !! 0x100 !! {{yes}} | ! Hardware Config !! 0x100 !! {{yes}} | ||
| 0x3200 || 0x3200 || 0x0000~ ? || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || || This wikitable row needs to be splitted up to 40+ rows | | 0x3200 || 0x3200 || 0x0000~ ? || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || || This wikitable row needs to be splitted up to 40+ rows | ||
|- | |- | ||
! Thermal Config !! 0x200 !! {{yes}} | ! Thermal Config !! 0x200 !! {{yes}} | ||
| 0x3300 || 0x3300 || 0x0250 || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x200 || [[Syscon_Thermal_Config/structs|Data table]]. See: [[Syscon Thermal Config]] || | | 0x3300 || 0x3300 || 0x0250 || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x200 || [[Syscon_Thermal_Config/structs|Data table]]. See: [[Syscon Thermal Config]] || | ||
|- | |- | ||
! On/Off Count/Time !! 0x200 !! {{no}} | ! On/Off Count/Time !! 0x200 !! {{no}} | ||
| 0x3500 || 0x3500 || 0x0800~ ? || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x200 || Data table || | | 0x3500 || 0x3500 || 0x0800~ ? || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x200 || Data table || | ||
|- | |- | ||
! Error Log !! 0x100 !! {{no}} | ! Error Log !! 0x100 !! {{no}} | ||
| 0x3700 || 0x3700 || 0x0900 || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || Data table. See: [[Syscon Error Codes]] || | | 0x3700 || 0x3700 || 0x0900 || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || Data table. See: [[Syscon Error Codes]] || | ||
|- {{cellcolors|lightgrey}} | |- {{cellcolors|lightgrey}} | ||
! - !! 0x100 !! {{No}} | ! - !! 0x100 !! {{No}} | ||
| 0x3800 || 0x3800 || N/A ? || {{yes}} | | 0x3800 || 0x3800 || N/A ? || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || style="text-align:center" | ''not used'' || Filled with FF's | ||
|- | |- | ||
! Board Config/Debug !! 0x100 !! {{yes}} | ! Board Config/Debug !! 0x100 !! {{yes}} | ||
| 0x3900 || 0x3900 || 0x0000~ ? || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || || This wikitable row needs to be splitted up to 15+ rows | | 0x3900 || 0x3900 || 0x0000~ ? || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || || This wikitable row needs to be splitted up to 15+ rows | ||
|- | |- | ||
! HDMI/DVE Config !! 0x100 !! {{no}} | ! HDMI/DVE Config !! 0x100 !! {{no}} | ||
| 0x3A00 || 0x3A00 || 0x0A00 || {{yes}} | | 0x3A00 || 0x3A00 || 0x0A00 || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || || This wikitable row needs to be splitted up to 5+ rows | ||
|- {{cellcolors|lightgrey}} | |- {{cellcolors|lightgrey}} | ||
! - !! 0x100 !! {{No}} | ! - !! 0x100 !! {{No}} | ||
| 0x3B00 || 0x3B00 || N/A ? || {{yes}} | | 0x3B00 || 0x3B00 || N/A ? || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x100 || style="text-align:center" | ''not used'' || Filled with FF's | ||
|- {{cellcolors|lightgrey}} | |- {{cellcolors|lightgrey}} | ||
! Config Ring !! 0x200 !! {{yes}} | ! Config Ring !! 0x200 !! {{yes}} | ||
| 0x3C00 || 0x3C00 || N/A ? || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x200 || style="text-align:center" | ''not used'' || <abbr title="When filled with 0xFF's the checksum at the last 2 bytes is 0xFF00">Filled with FF's</abbr> | | 0x3C00 || 0x3C00 || N/A ? || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x200 || style="text-align:center" | ''not used'' || <abbr title="When filled with 0xFF's the checksum at the last 2 bytes is 0xFF00">Filled with FF's</abbr> | ||
|- {{cellcolors|lightgrey}} | |- {{cellcolors|lightgrey}} | ||
! Debug 2 !! 0x200 !! {{yes}} | ! Debug 2 !! 0x200 !! {{yes}} | ||
| 0x3E00 || 0x3E00 || N/A ? || {{yes}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x200 || style="text-align:center" | ''not used'' || <abbr title="When filled with 0xFF's the checksum at the last 2 bytes is 0xFF00">Filled with FF's</abbr> | | 0x3E00 || 0x3E00 || N/A ? || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x200 || style="text-align:center" | ''not used'' || <abbr title="When filled with 0xFF's the checksum at the last 2 bytes is 0xFF00">Filled with FF's</abbr> | ||
|- {{cellcolors|#888}} | |- {{cellcolors|#888}} | ||
! - !! 0x3000 !! {{No}} | ! - !! 0x3000 !! {{No}} | ||
| 0x4000 || N/A || N/A || {{yes}} | | 0x4000 || N/A || N/A || {{yes}}/UART || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0x3000 || style="text-align:center" | ''reserved'' || Filled with FF's | ||
|- {{cellcolors|#e3e3e3}} | |- {{cellcolors|#e3e3e3}} | ||
! System Config ? !! 0x100 !! {{no}} | ! System Config ? !! 0x100 !! {{no}} | ||
| 0x7000 || 0x4000 || 0x1000 || {{yes}} || 0x0 || {{patchable}} || {{patchable}} || {{yes}} || 0x48000 || 0x100 || || Filled with FF's ? | | 0x7000 || 0x4000 || 0x1000 || {{yes}}/UART || 0x0 || {{patchable}} || {{patchable}} || {{yes}} || 0x48000 || 0x100 || || Filled with FF's ? | ||
|- | |- | ||
! Hypervisor Config ? !! 0x100 !! {{no}} | ! Hypervisor Config ? !! 0x100 !! {{no}} | ||
| 0x7100 || 0x4100 || 0x1100 || {{yes}} || 0x1 || {{patchable}} || {{patchable}} || {{yes}} || 0x48800 || || Data table (0x10+(0x6*0x28)) || <abbr title="It looks like a data table with a 0x10 header and six entries of 0x28 bytes lenght">Header + Data table ?</abbr> | | 0x7100 || 0x4100 || 0x1100 || {{yes}}/UART || 0x1 || {{patchable}} || {{patchable}} || {{yes}} || 0x48800 || || Data table (0x10+(0x6*0x28)) || <abbr title="It looks like a data table with a 0x10 header and six entries of 0x28 bytes lenght">Header + Data table ?</abbr> | ||
|- | |- | ||
! Flags and Tokens !! 0x100 !! {{no}} | ! Flags and Tokens !! 0x100 !! {{no}} | ||
| 0x7200 || 0x4200 || 0x1200 || {{yes}} || 0x2 || {{patchable}} || <abbr title="Every individual value needs a specific tag">Yes<br>or<br>Patch*</abbr> || {{yes}} || 0x48C00 || || || This wikitable row needs to be splitted up to 50+ rows | | 0x7200 || 0x4200 || 0x1200 || {{yes}}/UART || 0x2 || {{patchable}} || <abbr title="Every individual value needs a specific tag">Yes<br>or<br>Patch*</abbr> || {{yes}} || 0x48C00 || || || This wikitable row needs to be splitted up to 50+ rows | ||
|- {{cellcolors|#e3e3e3}} | |- {{cellcolors|#e3e3e3}} | ||
! System Data ? !! 0x100 !! {{no}} | ! System Data ? !! 0x100 !! {{no}} | ||
| 0x7300 || 0x4300 || 0x1300 || {{yes}} || 0x3 || {{patchable}} || {{patchable}} || {{yes}} || 0x48D00 || 0x100 || || Filled with FF's ? | | 0x7300 || 0x4300 || 0x1300 || {{yes}}/UART || 0x3 || {{patchable}} || {{patchable}} || {{yes}} || 0x48D00 || 0x100 || || Filled with FF's ? | ||
|- {{cellcolors|#ffffcc}} | |- {{cellcolors|#ffffcc}} | ||
! Patch 2 !! 0xC00 !! {{No}} | ! Patch 2 !! 0xC00 !! {{No}} | ||
| <abbr title="Encrypted">0x7400</abbr> || <abbr title="Encrypted">0x4400</abbr> || <abbr title="The patch, in decrypted format, is stored in FLASH, offset 0x2000, length 0x1000>0x2000<small>(flash)</small></abbr> || {{exploitable}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0xC00 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (bottom half) || | | <abbr title="Encrypted">0x7400</abbr> || <abbr title="Encrypted">0x4400</abbr> || <abbr title="The patch, in decrypted format, is stored in FLASH, offset 0x2000, length 0x1000>0x2000<small>(flash)</small></abbr> || {{exploitable}} || {{no}} || {{patchable}} || {{patchable}} || {{patchable}} || ? || 0xC00 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (bottom half) || | ||
|} | |} | ||
Revision as of 07:42, 10 January 2022
Memory test diagnosis NVS flag
There is a NVS flag which enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows memtest diagnose.
Pseudo-code:
def check_bootrom_diag_mode(mode, param)
diag_mode = get_eeprom_bootrom_diag()
if diag_mode & 0x1:
if diag_mode & 0x100:
return 0
mode = (diag_mode >> 3) & 0x1
param = (diag_mode >> 3) & 0x1
else:
mode = (diag_mode >> 1) & 0x1
param = -1
return 1
EEPROM Dumps
EEPROM Strings (CP memory dump, DECR)
http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK
Bus Pirate stuff
http://i.imgur.com/48rbR51.png
(needs more wikifying)
On standby
- Note: during this time the plaintext EEPROM is never read even once!
- Additionally, the areas 0x26B0, 0x26D0 are not read
- Checks status
- Unlocks Write Command
- Reads PATCH top half region
- Reads PATCH bottom half region
- Reads 0x2790?(0x20)
- Reads 0x27B0?(0x10)
- Reads 0x26D0 (0x10)
- Reads some configs? (around >0x31XX area)
- Reads 0x0 (0x10)
- Reads some configs?
- Reads 0x10(0x280) (EID1)?
- Reads 0x3A00 (0x1)
- Reads 0x290 (0x10) (EID1 CMAC?)
- Reads 0x2A0 (0x20)
- Reads 0x2C0 (0x20)
- Reads 0x2E0 (0x20)
- Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
- ReReads EID1 and CMAC
- Reads 0x360
- Reads 0x370
- Writes (again) mostly ff's to 0x360 and 0x370
- ReReads EID1 and CMAC
- Does same process with 0x460 and 0x470
- Reads 0x2710 and 0x2730 (0x20,0x10) ???
- Reads 0x2700 (0x10)
- fini!
MemoryMap Syscon BB Chip
0x1000-0x1FFF:PTCH Region (patch written here)
Nice read about Syscon EEPROM
http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/
Experimental table
The goal is to join together all the "memory map" info in a single table
| Area | SPI / UART | Syscall 863 | Data Name | Wikitable builder Notes (temporal) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Name | Size | csum | Mullion | Sherwood | whitelist | Block ID NVS Region |
whitelist | Offset | Size | |||||
| CXR713 | CXR714 | SW/2/3(emu) | EEP | lv1/DM | UM | SCM | ||||||||
| Authenticated Data | 0x2560 | No | 0x0000 | 0x0000 | ? | Exploit | No | Patch | Patch | Patch | ? | Data table (0x160+(0x9*0x400)) ? | ||
| ? | 0x150 | No | 0x2560 | 0x2560 | ? | Exploit | No | Patch | Patch | Patch | ? | Filled with FF's ? | ||
| System Info | 0x150 | No | 0x26B0 | 0x26B0 | 0x0000~ ? | Exploit | No | Patch | Patch | Patch | ? | This wikitable row needs to be splitted up to 5+ rows | ||
| Patch 1 | 0x400 | No | 0x2800 | 0x2800 | 0x2000(flash) | Exploit | No | Patch | Patch | Patch | ? | 0x400 | Syscon Firmware Patch (top half) | |
| - | 0x300 | No | 0x2C00 | 0x2C00 | 0x0B00 | Yes/UART | No | Patch | Patch | Patch | ? | 0x300 | not used | Filled with FF's |
| Industry Area | 0x100 | No | 0x2F00 | 0x2F00 | 0x0E00 | Yes/UART | 0x10 | Patch | Yes | Yes | 0x02F00 | This wikitable row needs to be splitted up to 20+ rows | ||
| Customer Service Area | 0x100 | No | 0x3000 | 0x3000 | 0x0F00 | Yes/UART | 0x20 | Patch | Yes | Yes | 0x03000 | 0x100 | Filled with FF's ? | |
| Platform Config | 0x100 | Yes | 0x3100 | 0x3100 | 0x00000 ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | This wikitable row needs to be splitted up to 5+ rows | |
| Hardware Config | 0x100 | Yes | 0x3200 | 0x3200 | 0x0000~ ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | This wikitable row needs to be splitted up to 40+ rows | |
| Thermal Config | 0x200 | Yes | 0x3300 | 0x3300 | 0x0250 | Yes/UART | No | Patch | Patch | Patch | ? | 0x200 | Data table. See: Syscon Thermal Config | |
| On/Off Count/Time | 0x200 | No | 0x3500 | 0x3500 | 0x0800~ ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x200 | Data table | |
| Error Log | 0x100 | No | 0x3700 | 0x3700 | 0x0900 | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | Data table. See: Syscon Error Codes | |
| - | 0x100 | No | 0x3800 | 0x3800 | N/A ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | not used | Filled with FF's |
| Board Config/Debug | 0x100 | Yes | 0x3900 | 0x3900 | 0x0000~ ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | This wikitable row needs to be splitted up to 15+ rows | |
| HDMI/DVE Config | 0x100 | No | 0x3A00 | 0x3A00 | 0x0A00 | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | This wikitable row needs to be splitted up to 5+ rows | |
| - | 0x100 | No | 0x3B00 | 0x3B00 | N/A ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x100 | not used | Filled with FF's |
| Config Ring | 0x200 | Yes | 0x3C00 | 0x3C00 | N/A ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x200 | not used | Filled with FF's |
| Debug 2 | 0x200 | Yes | 0x3E00 | 0x3E00 | N/A ? | Yes/UART | No | Patch | Patch | Patch | ? | 0x200 | not used | Filled with FF's |
| - | 0x3000 | No | 0x4000 | N/A | N/A | Yes/UART | No | Patch | Patch | Patch | ? | 0x3000 | reserved | Filled with FF's |
| System Config ? | 0x100 | No | 0x7000 | 0x4000 | 0x1000 | Yes/UART | 0x0 | Patch | Patch | Yes | 0x48000 | 0x100 | Filled with FF's ? | |
| Hypervisor Config ? | 0x100 | No | 0x7100 | 0x4100 | 0x1100 | Yes/UART | 0x1 | Patch | Patch | Yes | 0x48800 | Data table (0x10+(0x6*0x28)) | Header + Data table ? | |
| Flags and Tokens | 0x100 | No | 0x7200 | 0x4200 | 0x1200 | Yes/UART | 0x2 | Patch | Yes or Patch* |
Yes | 0x48C00 | This wikitable row needs to be splitted up to 50+ rows | ||
| System Data ? | 0x100 | No | 0x7300 | 0x4300 | 0x1300 | Yes/UART | 0x3 | Patch | Patch | Yes | 0x48D00 | 0x100 | Filled with FF's ? | |
| Patch 2 | 0xC00 | No | 0x7400 | 0x4400 | 0x2000(flash) | Exploit | No | Patch | Patch | Patch | ? | 0xC00 | Syscon Firmware Patch (bottom half) | |