http://www.psdevwiki.com/ps4/api.php?action=feedcontributions&user=Zecoxao&feedformat=atom PS4 Developer wiki - User contributions [en] 2024-03-29T01:05:07Z User contributions MediaWiki 1.39.6 http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode&diff=292801 Factory Service Mode 2024-03-28T22:14:15Z <p>Zecoxao: /* Setting up the network */</p> <hr /> <div>= What is it =<br /> The PlayStation 4 can enter a special &quot;Service Mode&quot;. When it does so, the bottom right corner of the screen has a red translucent rectangle with the words &quot;F a c t o r y /Service Mode&quot; inside of the rectangle. This mode is used by Sony for repair assistance.<br /> <br /> = Setting up the pendrive =<br /> <br /> The drive label must be ORBISMANU, the file system must be FAT32 and the allocation unit size must be 32768 bytes (32K).<br /> <br /> = Setting up the network =<br /> <br /> Use an Ethernet cable with these settings.<br /> <br /> &lt;pre&gt;<br /> PC IP Address 192.168.0.100 <br /> SubNetwork Mask 255.255.255.0 <br /> <br /> PS4 IP Address 192.168.0.1 <br /> SubNetwork Mask 255.255.255.0<br /> &lt;/pre&gt;<br /> <br /> * Port for the Auth is 10110<br /> <br /> = What Selfs does it use? =<br /> <br /> See [https://www.psdevwiki.com/ps4/Factory_Service_Mode_Selfs Factory Service Mode Selfs]<br /> <br /> See also [https://www.psdevwiki.com/ps4/Launcher.cfg launcher.cfg]<br /> <br /> = What PUPs does it use? =<br /> <br /> See [https://www.psdevwiki.com/ps4/Factory_Service_Mode_PUPs Factory Service Mode PUPs]<br /> <br /> = How to enter it =<br /> In a similar fashion to the PlayStation 3, one can enter FSM by patching the [[Syscon_Hardware|Syscon EEPROM]] (unknown values). 
There also may be a way to enter FSM using USB.<br /> There are documented cases of Sony repair services accidentally leaving PS4 consoles in FSM.<br /> <br /> = Features =<br /> Unknown, supposedly more restricted than the PS3 FSM.<br /> <br /> {{Software}}<br /> &lt;noinclude&gt;[[Category:Main]]&lt;/noinclude&gt;</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode&diff=292792 Factory Service Mode 2024-03-27T00:42:49Z <p>Zecoxao: /* Setting up the pendrive */</p> <hr /> <div>= What is it =<br /> The PlayStation 4 can enter a special &quot;Service Mode&quot;. When it does so, the bottom right corner of the screen has a red translucent rectangle with the words &quot;F a c t o r y /Service Mode&quot; inside of the rectangle. This mode is used by Sony for repair assistance.<br /> <br /> = Setting up the pendrive =<br /> <br /> The drive label must be ORBISMANU, the file system must be FAT32 and the allocation unit size must be 32768 bytes (32K).<br /> <br /> = Setting up the network =<br /> <br /> Use an Ethernet cable with these settings.<br /> <br /> &lt;pre&gt;<br /> PC 192.168.0.100 <br /> 255.255.255.0 <br /> <br /> PS4 192.168.0.1 <br /> 255.255.255.0<br /> &lt;/pre&gt;<br /> <br /> = What Selfs does it use? =<br /> <br /> See [https://www.psdevwiki.com/ps4/Factory_Service_Mode_Selfs Factory Service Mode Selfs]<br /> <br /> See also [https://www.psdevwiki.com/ps4/Launcher.cfg launcher.cfg]<br /> <br /> = What PUPs does it use? =<br /> <br /> See [https://www.psdevwiki.com/ps4/Factory_Service_Mode_PUPs Factory Service Mode PUPs]<br /> <br /> = How to enter it =<br /> In a similar fashion to the PlayStation 3, one can enter FSM by patching the [[Syscon_Hardware|Syscon EEPROM]] (unknown values). 
There also may be a way to enter FSM using USB.<br /> There are documented cases of Sony repair services accidentally leaving PS4 consoles in FSM.<br /> <br /> = Features =<br /> Unknown, supposedly more restricted than the PS3 FSM.<br /> <br /> {{Software}}<br /> &lt;noinclude&gt;[[Category:Main]]&lt;/noinclude&gt;</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292633 Non Volatile Storage 2024-02-14T23:12:04Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage that has two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after doing the handshake to unlock EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br 
/> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br 
/> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x018 || 0x1C7018 || 0x1 || Wlan5GHzInfo (00 Not Supported 0C Supported, some reach 8C Supported, max reach (ac?) 
) <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || rtc info.corrMode<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || rtc info.corrValue<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || rtc info.corrValueExt<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabit ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292632 Non Volatile Storage 2024-02-14T16:50:57Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage that has two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after doing the handshake to unlock EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. 
Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x018 || 0x1C7018 || 0x1 || Wlan5GHzInfo (00 Not Supported 8C ????) <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || rtc info.corrMode<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || rtc info.corrValue<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || rtc info.corrValueExt<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabit ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292631 Non Volatile Storage 2024-02-14T16:41:57Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by using I/O functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks.
Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g.
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x018 || 0x1C7018 || 0x1 || Wlan5GHzInfo (00 Not Supported, 01 Supported) <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || rtc info.corrMode<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || rtc info.corrValue<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || rtc info.corrValueExt<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292630 Non Volatile Storage 2024-02-14T16:37:18Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by using I/O functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks.
Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g.
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || rtc info.corrMode<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || rtc info.corrValue<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || rtc info.corrValueExt<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292629 Non Volatile Storage 2024-02-14T16:13:06Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it retains its contents after power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after completing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read with System privileges by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; through the regular IO functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. 
Indeed, access to &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || rtc info.corrMode<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || rtc info.corrValue<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || rtc info.corrValueExt<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292628 Non Volatile Storage 2024-02-14T16:08:09Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it retains its contents after power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after completing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read with System privileges by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; through the regular IO functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. 
Indeed, access to &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF) -&gt; Disc Boot Time<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292627 Non Volatile Storage 2024-02-14T16:03:33Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages: one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR), whilst on PS Vita NVS is part of the Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. 
Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF)<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabit ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292626 Non Volatile Storage 2024-02-14T16:01:56Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages: one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR), whilst on PS Vita NVS is part of the Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. 
Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF)<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabit ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292625 Non Volatile Storage 2024-02-14T15:41:24Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like on PS3 and PS Vita, a storage area with two properties: it keeps its contents when power is lost (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR), whilst on PS Vita NVS is part of the Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after completing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read with System privileges by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; through regular IO functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks.
Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/iccnvs&lt;block&gt; !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g.
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF)<br /> |-<br /> | 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all 
zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292624 Non Volatile Storage 2024-02-14T14:47:54Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like on PS3 and PS Vita, a storage area with two properties: it keeps its contents when power is lost (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR), whilst on PS Vita NVS is part of the Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after completing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read with System privileges by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; through regular IO functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks.
Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g.
00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 
0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 
|| 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x47FE || 0x1C87FE || 0x2 || (e.g FF FF)<br /> |-<br /> | 0 || 3 || 0x4FB0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292623 Non Volatile Storage 2024-02-14T14:46:48Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it keeps its contents after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. 
Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x47FE || 0x1C87FE || 0x2 || (e.g FF FF)<br /> |-<br /> | 0 || 3 || 0x4FB0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE 
ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292622 Non Volatile Storage 2024-02-14T14:45:57Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it keeps its contents after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30A1 || 0x1C70A1 || 0x1 || VrmOcp<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> 
|-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x47FE || 0x1C87FE || 0x2 || (e.g FF FF)<br /> |-<br /> | 0 || 3 || 0x4FB0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> 
|-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292621 Non Volatile Storage 2024-02-14T14:43:28Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage that has two properties: it remains accessible after a loss of power (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 
5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 2 || 0x47FE || 0x1C87FE || 0x2 || (e.g FF FF)<br /> |-<br /> | 0 || 3 || 0x4FB0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode 
(0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292620 Non Volatile Storage 2024-02-14T14:41:55Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage that has two properties: it remains accessible after a loss of power (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 
5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 3 || 0x4FB0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 
0x1 || ??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5067 || 0x1C9067 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292619 Non Volatile Storage 2024-02-14T14:40:45Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage with two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30C0 || 0x1C70C0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 
5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 3 || 0x4FB0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 
0x1 || ??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292618 Non Volatile Storage 2024-02-14T14:39:22Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage with two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. 
Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 3 || 0x4FB0 || 0x1C8FB0 || 0x1 || ????<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || 
??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292617 Non Volatile Storage 2024-02-14T14:37:08Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage with two properties: its contents persist after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; with the IO functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. 
Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x2 || (e.g 01 FF)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292616 Non Volatile Storage 2024-02-14T14:36:17Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage with two properties: its contents persist after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; with the IO functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. 
The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. 
Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292615 Non Volatile Storage 2024-02-14T14:34:26Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage area that has two properties: it remains accessible after a power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using I/O functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank.
The kernel only makes use of bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !!
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. 
Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5065 || 0x1C9065 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? 
<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing 
mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292614 Non Volatile Storage 2024-02-14T14:33:01Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage area that has two properties: it remains accessible after a power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using I/O functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank.
The kernel only makes use of bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !!
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> 
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> 
|-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. 
Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5064 || 0x1C9064 || 0x1 || ?????<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? <br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 
0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292613 Non Volatile Storage 2024-02-14T14:29:46Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage that has two properties: it remains accessible after electricity shortage (unlike RAM) and it is non-removeable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after performing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after performing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (the exact offset depends on the Serial Flash MBR). The whole Serial Flash NVS is 0xC000 bytes in size.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; with I/O functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backuped at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x53B0 || 0x1C93B0 || 1 || ???? <br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 
0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292612 Non Volatile Storage 2024-02-14T14:27:37Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage that has two properties: it remains accessible after electricity shortage (unlike RAM) and it is non-removeable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after performing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after performing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (the exact offset depends on the Serial Flash MBR). The whole Serial Flash NVS is 0xC000 bytes in size.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; with I/O functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backuped at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown <br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292611 Non Volatile Storage 2024-02-14T14:23:59Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: its contents persist when power is lost (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS.
SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after completing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292610 Non Volatile Storage 2024-02-14T14:23:21Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: its contents persist when power is lost (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS.
SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after completing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292609 Non Volatile Storage 2024-02-14T14:21:29Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: its contents persist when power is lost (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS.
SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after doing the handshake to unlock EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown<br /> |-<br /> | 0 || 2 || 0x40AF || 0x1C80AF || 0x1 || Unknown (e.g C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292608 Non Volatile Storage 2024-02-14T14:20:23Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it remains accessible after a loss of power (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR), whilst on PS Vita NVS is part of the Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after doing the handshake to unlock EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown<br /> |-<br /> | 0 || 2 || 0x40A8 || 0x1C80A8 || 0x4 || Unknown<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292607 Non Volatile Storage 2024-02-14T14:18:49Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it remains accessible after a loss of power (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR), whilst on PS Vita NVS is part of the Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after doing the handshake to unlock EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x8 || Unknown<br /> |-<br /> | 0 || 2 || 0x40A0 || 0x1C80A0 || 0x8 || Unknown<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292606 Non Volatile Storage 2024-02-14T14:16:59Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it retains its contents after power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after completing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after completing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read with System privileges by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; through the IO functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, access to &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x14 || Unknown, some hash maybe (0x14 bytes size)<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292605 Non Volatile Storage 2024-02-14T14:14:59Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it retains its contents after power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after completing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after completing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read with System privileges by opening &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; through the IO functions.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, access to &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x14 || Unknown, some hash maybe (0x14 bytes size)<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x6 || Unknown (e.g 01 01 01 01 06 06 06 06)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0xF0 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292604 Non Volatile Storage 2024-02-14T14:13:41Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, storage with two properties: it retains its contents after a loss of power (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after performing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after performing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (the exact offset depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling I/O functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;, which requires System privileges.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though the other 5 blocks can also be read and written: &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B3 || 0x1C70B3 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x14 || Unknown, some hash maybe (0x14 bytes size)<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x6 || Unknown (e.g 01 01 01 01 06 06 06 06)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292603 Non Volatile Storage 2024-02-14T14:13:03Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, storage with two properties: it retains its contents after a loss of power (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after performing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after performing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (the exact offset depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling I/O functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;, which requires System privileges.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though the other 5 blocks can also be read and written: &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B1 || 0x1C70B1 || 0x1 || ????<br /> |-<br /> | 0 || 1 || 0x30B2 || 0x1C70B2 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x14 || Unknown, some hash maybe (0x14 bytes size)<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x6 || Unknown (e.g 01 01 01 01 06 06 06 06)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292602 Non Volatile Storage 2024-02-14T14:11:36Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it retains its contents after power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after performing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after performing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backuped at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 1 || 0x30B0 || 0x1C70B0 || 0x1 || ????<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x14 || Unknown, some hash maybe (0x14 bytes size)<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x6 || Unknown (e.g 01 01 01 01 06 06 06 06)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292601 Non Volatile Storage 2024-02-14T14:04:44Z <p>Zecoxao: /* Serial Flash NVS Banks */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, as on PS3 and PS Vita, storage with two properties: it retains its contents after power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after performing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after performing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region aka NvsFactoryArea<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backuped at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x14 || Unknown, some hash maybe (0x14 bytes size)<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x6 || Unknown (e.g 01 01 01 01 06 06 06 06)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 
0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabit ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292600 Non Volatile Storage 2024-02-14T13:56:55Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like on PS3 and PS Vita, storage with two properties: it remains accessible after a power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR), whilst on PS Vita, NVS is part of the Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (the exact offset depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read with System privileges by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x14 || Unknown, some hash maybe (0x14 bytes size)<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x6 || Unknown (e.g 01 01 01 01 06 06 06 06)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 
0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabit ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292599 Non Volatile Storage 2024-02-14T13:40:45Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like on PS3 and PS Vita, storage with two properties: it remains accessible after a power loss (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR), whilst on PS Vita, NVS is part of the Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (the exact offset depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read with System privileges by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all FFs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x10 || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name <br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x38 || Unknown <br /> |-<br /> | 0 || 2 || 0x4098 || 0x1C8098 || 0x14 || Unknown, some hash maybe (0x14 bytes size)<br /> |-<br /> | 0 || 2 || 0x40AC || 0x1C80AC || 0x4 || Unknown (e.g 00 00 00 C2)<br /> |-<br /> | 0 || 2 || 0x40B0 || 0x1C80B0 || 0x6 || Unknown (e.g 01 01 01 01 06 06 06 06)<br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 
|| 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? (e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 
84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292598 Non Volatile Storage 2024-02-14T13:29:09Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage that has two properties: it remains accessible after electricity shortage (unlike RAM) and it is non-removeable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after performing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by calling IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x10 || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || Unknown, maybe ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ)<br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x58 || <br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292597 Non Volatile Storage 2024-02-14T13:28:01Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage that has two properties: it remains accessible after electricity shortage (unlike RAM) and it is non-removeable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after performing the handshake that unlocks EMC functionality.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the Kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by calling IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: main bank and backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the Kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x10 || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || Unknown, maybe ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ)<br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x58 || <br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)<br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || all zeroes usually (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&diff=292596 Non Volatile Storage 2024-02-14T13:25:47Z <p>Zecoxao: /* Detailed Serial Flash NVS Structure */</p> <hr /> <div>The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage that has two properties: it remains accessible after power loss (unlike RAM) and it is non-removable (unlike HDD). NVS is mostly used for storing tokens and flags.<br /> <br /> On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. 
SNVS is encrypted with some SAMU keys and can be accessed only after completing a handshake.<br /> <br /> = Syscon NVS =<br /> <br /> See [[Syscon]].<br /> <br /> https://fail0verflow.com/blog/2018/ps4-syscon/<br /> <br /> Syscon NVS is accessible from EMC, but only after the handshake that unlocks EMC functionalities.<br /> <br /> = Serial Flash NVS =<br /> <br /> PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.<br /> <br /> Serial Flash NVS can be accessed from the kernel by calling the function icc_nvs_read. It can also be read, with System privileges, by using IO functions to open &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt;.<br /> <br /> == Serial Flash NVS Banks ==<br /> <br /> A total of 7 blocks exist in 2 banks: the main bank and the backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read/write the other 5 blocks. Indeed, &lt;code&gt;/dev/sflash0s0x34&lt;/code&gt; access is provided to System applications and to the kernel.<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! 
Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data<br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region<br /> |-<br /> | 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region (backed up at bank 1 block 0)<br /> |-<br /> | 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup of bank 0 block 4)<br /> |-<br /> | 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match<br /> |}<br /> <br /> == Detailed Serial Flash NVS Structure ==<br /> <br /> {| class=&quot;wikitable sortable&quot;<br /> |-<br /> ! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes<br /> |-<br /> | 0 || 0 || 0 || 0x1C4000 || 0x8 || Board ID (e.g 04 01 01 01 01 01 04 01)<br /> |-<br /> | 0 || 0 || 0x20 || 0x1C4020 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)<br /> |-<br /> | 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)<br /> |-<br /> | 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)<br /> |-<br /> | 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)<br /> |-<br /> | 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)<br /> |-<br /> | 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)<br /> |-<br /> | 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)<br /> |-<br /> | 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 
01 01 01)<br /> |-<br /> | 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0x96 || 0x1C4096 || 0x3 || <br /> |-<br /> | 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)<br /> |-<br /> | 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)<br /> |-<br /> | 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)<br /> |-<br /> | 0 || 0 || 0xAC || 0x1C40AC || 0x4 || <br /> |-<br /> | 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)<br /> |-<br /> | 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)<br /> |-<br /> | 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)<br /> |-<br /> | 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)<br /> |-<br /> | 0 || 0 || 0x801 || 0x1C4801 || 0x1 || <br /> |-<br /> | 0 || 0 || 0x810 || 0x1C4810 || 0x12 || <br /> |-<br /> | 0 || 0 || 0x84C || 0x1C484C || 0x2 || <br /> |-<br /> | 0 || 0 || 0x854 || 0x1C4854 || 0x2 || <br /> |-<br /> | 0 || 0 || 0x870 || 0x1C4870 || 0xC || <br /> |-<br /> | 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C || <br /> |-<br /> | 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 || <br /> |-<br /> | 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)<br /> |-<br /> | 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)<br /> |-<br /> | 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown<br /> |-<br /> | 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time <br /> |-<br /> | 0 || 0 || 0x1040 || 0x1C5040 
|| 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well<br /> |-<br /> | 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well<br /> |-<br /> | 0 || 0 || 0x1220 || 0x1C5220 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1240 || 0x1C5240 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1260 || 0x1C5260 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1280 || 0x1C5280 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1300 || 0x1C5300 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1320 || 0x1C5320 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1340 || 0x1C5340 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1360 || 0x1C5360 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1380 || 0x1C5380 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1400 || 0x1C5400 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1420 || 0x1C5420 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1440 || 0x1C5440 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1460 || 0x1C5460 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1480 || 0x1C5480 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1500 || 0x1C5500 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1520 || 0x1C5520 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1540 || 0x1C5540 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x1560 || 0x1C5560 || 
0x18 || <br /> |-<br /> | 0 || 0 || 0x1580 || 0x1C5580 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 || <br /> |-<br /> | 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||<br /> |-<br /> | 0 || 0 || 0x2000 || 0x1C6000 || 0x8 || <br /> |-<br /> | 0 || 1 || 0x3000 || 0x1C7000 || 0x40 || <br /> |-<br /> | 0 || 1 || 0x3040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)<br /> |-<br /> | 0 || 1 || 0x30A0 || 0x1C70A0 || 0x2 || get_icc_max (e.g 20 9A)<br /> |-<br /> | 0 || 2 || 0x4000 || 0x1C8000 || 0x10 || KibanID (e.g 33001D00836391) <br /> |-<br /> | 0 || 2 || 0x4010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)<br /> |-<br /> | 0 || 2 || 0x4020 || 0x1C8020 || 0x10 || Unknown, maybe ViopData<br /> |-<br /> | 0 || 2 || 0x4030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)<br /> |-<br /> | 0 || 2 || 0x4041 || 0x1C8041 || 0x1F || Used in later firmwares. 
Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ)<br /> |-<br /> | 0 || 2 || 0x4060 || 0x1C8060 || 0x58 || <br /> |-<br /> | 0 || 2 || 0x40C0 || 0x1C80C0 || 0xD || <br /> |-<br /> | 0 || 2 || 0x4100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)<br /> |-<br /> | 0 || 2 || 0x47D0 || 0x1C87D0 || 0x10 || all zeroes usually (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)<br /> |-<br /> | 0 || 2 || 0x47F0 || 0x1C87F0 || 0x1 || (e.g 01)<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x20 || dipswitch flags, see below<br /> |-<br /> | 0 || 4 || 0x5000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)<br /> |-<br /> | 0 || 4 || 0x5003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)<br /> |-<br /> | 0 || 4 || 0x5005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x500B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)<br /> |-<br /> | 0 || 4 || 0x5010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)<br /> |-<br /> | 0 || 4 || 0x501F || 0x1C901F || 0x1 || ??? 
(e.g 7F)<br /> |-<br /> | 0 || 4 || 0x5020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)<br /> |-<br /> | 0 || 4 || 0x5021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update<br /> |-<br /> | 0 || 4 || 0x5030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe<br /> |-<br /> | 0 || 4 || 0x5038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)<br /> |-<br /> | 0 || 4 || 0x5050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status<br /> |-<br /> | 0 || 4 || 0x5060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)<br /> |-<br /> | 0 || 4 || 0x5068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))<br /> |-<br /> | 0 || 4 || 0x5070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)<br /> |-<br /> | 0 || 4 || 0x507C || 0x1C907C || 0x4 || manu_mode related (sdk version?)<br /> |-<br /> | 0 || 4 || 0x5080 || 0x1C9080 || varies (0x68-0x6C) || acf token &lt;- checked by sceSblDevActVerifyCheckExpire<br /> |-<br /> | 0 || 4 || 0x5100 || 0x1C9100 || 0x100 || sce_cam_error_put<br /> |-<br /> | 0 || 4 || 0x5200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key &lt;- checked by g_crypt_deferred_init, also checked by read_idstorage<br /> |-<br /> | 0 || 4 || 0x5300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x5311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)<br /> |-<br /> | 0 || 4 || 0x5312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)<br /> |-<br /> | 0 || 4 || 0x531F || 0x1C931F || 1 || extra UART. 
0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled<br /> |-<br /> | 0 || 4 || 0x5320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)<br /> |-<br /> | 0 || 4 || 0x5322 || 0x1C9322 || 1 || lvp_configure_tccds<br /> |-<br /> | 0 || 4 || 0x5323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)<br /> |-<br /> | 0 || 4 || 0x5329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1-&gt;Read DBI disabled, 2-&gt;Write DBI disabled, 4-&gt;ABI disabled, 8-&gt;Force auto precharge enabled, 0x10 -&gt; Bank swap disabled, 0x20-&gt; Bank swizzle mode disabled, 0x3F -&gt; Everything set)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)<br /> |-<br /> | 0 || 4 || 0x5400 || 0x1C9400 || 0x210 || token???<br /> |-<br /> | 0 || 4 || 0x5650 || 0x1C9650 || 0x290 || qafutkn_ioctl?<br /> |-<br /> | 0 || 4 || 0x5900 || 0x1C9900 || 0x100 || acf RSA signature<br /> |-<br /> | 0 || 4 || 0x5A00 || 0x1C9A00 || 0x190 || token???<br /> |-<br /> | 0 || 4 || 0x5C00 || 0x1C9C00 || 0x3C || HDD Info (e.g &quot;GHTSH ST4501019A6E08 613081DJ0124FZD129SN&quot; for an HGST)<br /> |-<br /> | 0 || 4 || 0x5C3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)<br /> |-<br /> | 0 || 4 || 0x5C40 || 0x1C9C40 || 0x130 || setPupExpirationStatus<br /> |-<br /> | 0 || 4 || 0x6000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 || 4 || 0x600E || 0x1CA00E || 0x1 || Unknown (Not Regions)<br /> |-<br /> | 0 || 4 || 0x6040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)<br /> |-<br /> | 0 || 4 || 0x6300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead<br /> |-<br /> | 0 
|| 4 || 0x6600 || 0x1CA600 || 0x20 || Modes (See Below)<br /> |-<br /> | 0 || 4 || 0x6600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)<br /> |-<br /> | 0 || 4 || 0x6601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)<br /> |-<br /> | 0 || 4 || 0x6602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)<br /> |-<br /> | 0 || 4 || 0x6603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover <br /> |-<br /> | 0 || 4 || 0x6604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)<br /> |-<br /> | 0 || 4 || 0x6609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode<br /> |-<br /> | 0 || 4 || 0x7C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)<br /> |-<br /> | 0 || 4 || 0x7C40 || 0x1CBC40 || 0x20 || <br /> |-<br /> | 0 || 4 || 0x7CC0 || 0x1CBCC0 || 0x20 || srtc_modevent<br /> |-<br /> | ? || ? || ??? || 0x1CF000 || 1 || ?? 
FF disabled 00 enabled<br /> |}</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=MT1965AU&diff=292576 MT1965AU 2024-02-09T20:52:30Z <p>Zecoxao: </p> <hr /> <div>* MediaTek MT1965AU<br /> * ARM<br /> * Seen on [[SAD-003]], [[NVA-001]]<br /> * [https://www.flickr.com/photos/actelgame/44905414464/in/photostream/ photo]<br /> * Based off of MT1959 <br /> <br /> &lt;pre&gt;<br /> ARM7EJ-S Thumb LE<br /> 32-bit<br /> 100MHz<br /> &lt;/pre&gt;<br /> <br /> {{Components}}<br /> &lt;noinclude&gt;[[Category:Main]]&lt;/noinclude&gt;</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=MT1965AU&diff=292575 MT1965AU 2024-02-09T20:51:19Z <p>Zecoxao: </p> <hr /> <div>* MediaTek MT1965AU<br /> * ARM<br /> * Seen on [[SAD-003]], [[NVA-001]]<br /> * [https://www.flickr.com/photos/actelgame/44905414464/in/photostream/ photo]<br /> * Based off of MT1959 <br /> <br /> &lt;pre&gt;<br /> ARM7EJ-S<br /> 32-bit<br /> 100MHz<br /> &lt;/pre&gt;<br /> <br /> {{Components}}<br /> &lt;noinclude&gt;[[Category:Main]]&lt;/noinclude&gt;</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode_PUPs&diff=292472 Factory Service Mode PUPs 2024-02-04T03:17:43Z <p>Zecoxao: </p> <hr /> <div>{{wikify}}<br /> These pups are used to reinstall the system:<br /> <br /> * 2ND_IMAGE.PUP (Recovery Pup with All 4 Updates, system, system_ex, preinst, preinst2)<br /> * RESET_IMAGE.PUP (juicy one, contains manufacturing reset core os and ipl)<br /> * PREINSTALL_IMAGE.PUP (Preinstall PUP with only Updates 3 and 4, preinst, preinst2)<br /> <br /> {{Software}}<br /> &lt;noinclude&gt;[[Category:Main]]&lt;/noinclude&gt;</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode_PUPs&diff=292471 Factory Service Mode PUPs 2024-02-04T03:16:25Z <p>Zecoxao: </p> <hr /> <div>{{wikify}}<br /> These pups are used to reinstall the system:<br /> <br /> * 2ND_IMAGE.PUP (Recovery Pup with All 4 Updates)<br /> * RESET_IMAGE.PUP (juicy one, contains manufacturing reset core os 
and ipl)<br /> * PREINSTALL_IMAGE.PUP (Preinstall PUP with only Updates 3 and 4)<br /> <br /> {{Software}}<br /> &lt;noinclude&gt;[[Category:Main]]&lt;/noinclude&gt;</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode&diff=292456 Factory Service Mode 2024-01-30T23:08:16Z <p>Zecoxao: /* What is it */</p> <hr /> <div>= What is it =<br /> The PlayStation 4 can enter a special &quot;Service Mode&quot;. When it does so, the bottom right corner of the screen has a red translucent rectangle with the words &quot;F a c t o r y /Service Mode&quot; inside of the rectangle. This mode is used by Sony for repairing assistance.<br /> <br /> = Setting up the pendrive =<br /> <br /> The drive label must be named ORBISMANU, the type must be FAT32 and the allocation size must be 32768 bytes (32K)<br /> <br /> = What Selfs does it use? =<br /> <br /> See [https://www.psdevwiki.com/ps4/Factory_Service_Mode_Selfs Factory Service Mode Selfs]<br /> <br /> See also [https://www.psdevwiki.com/ps4/Launcher.cfg launcher.cfg]<br /> <br /> = What PUPs does it use? =<br /> <br /> See [https://www.psdevwiki.com/ps4/Factory_Service_Mode_PUPs Factory Service Mode PUPs]<br /> <br /> = How to enter it =<br /> In a similar fashion to the PlayStation 3, one can enter FSM by patching the [[Syscon_Hardware|Syscon EEPROM]] (unknown values). There also may be a way to enter FSM using USB.<br /> There are documented cases of Sony repairing services accidentally leaving PS4 consoles in FSM.<br /> <br /> = Features =<br /> Unknown, supposedly more restricted than the PS3 FSM.</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode&diff=292450 Factory Service Mode 2024-01-30T15:09:04Z <p>Zecoxao: /* What Selfs does it use? */</p> <hr /> <div>= What is it =<br /> The PlayStation 4 can enter a special &quot;Service Mode&quot;. 
When it does so, the bottom right corner of the screen has a red translucent rectangle with the words &quot;F a c t o r y /Service Mode&quot; inside of the rectangle. This mode is used by Sony for repairing assistance.<br /> <br /> = What Selfs does it use? =<br /> <br /> See [https://www.psdevwiki.com/ps4/Factory_Service_Mode_Selfs Factory Service Mode Selfs]<br /> <br /> See also [https://www.psdevwiki.com/ps4/Launcher.cfg launcher.cfg]<br /> <br /> = What PUPs does it use? =<br /> <br /> See [https://www.psdevwiki.com/ps4/Factory_Service_Mode_PUPs Factory Service Mode PUPs]<br /> <br /> = How to enter it =<br /> In a similar fashion to the PlayStation 3, one can enter FSM by patching the [[Syscon_Hardware|Syscon EEPROM]] (unknown values). There also may be a way to enter FSM using USB.<br /> There are documented cases of Sony repairing services accidentally leaving PS4 consoles in FSM.<br /> <br /> = Features =<br /> Unknown, supposedly more restricted than the PS3 FSM.</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Launcher.cfg&diff=292449 Launcher.cfg 2024-01-30T15:08:25Z <p>Zecoxao: Created page with &quot;File bundled with orbis_diag.self, with the following structure: &lt;pre&gt; 5010 0 /usb/diag_tmp/5010/macaroni_diag.self 5050 0 /usb/diag_tmp/5050/macaroni_diag.self &lt;/pre&gt; * in this case 5010 and 5050 are versions, e.g. 5.01 and 5.05, /usb/diag_tmp/5010/macaroni_diag.self is the path to the loaded self.&quot;</p> <hr /> <div>File bundled with orbis_diag.self, with the following structure:<br /> <br /> &lt;pre&gt;<br /> 5010 0 /usb/diag_tmp/5010/macaroni_diag.self<br /> 5050 0 /usb/diag_tmp/5050/macaroni_diag.self<br /> &lt;/pre&gt;<br /> <br /> * in this case 5010 and 5050 are versions, e.g. 
5.01 and 5.05, /usb/diag_tmp/5010/macaroni_diag.self is the path to the loaded self.</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode_Selfs&diff=292448 Factory Service Mode Selfs 2024-01-30T15:05:44Z <p>Zecoxao: </p> <hr /> <div>The following Factory Service Mode selfs exist in the orbis context:<br /> <br /> * manufacturing_updater.self<br /> * lsi_diag.self<br /> * lsi2_diag.self<br /> * aging_diag.self<br /> * cs_backup_data.self<br /> * bus_encryption_check_diag.self<br /> * netloader.self<br /> * kernel_message_diag.self (md5:7456F6E46E90BBAFF46F02B200BE5223)<br /> * set_vtrm_diag.self (md5:7E166244636FC0361448DAFB6E843087)<br /> * macaroni_diag.self (md5:4B2B271873A840BD5F5434DCA023EF27) (seems to be an agglomerate of all the others)<br /> * orbis_diag.self (md5:725A42FC0B8ED6995D2A9AA9345326658) -&gt; this loads all the other selfs above (together with a file called launcher.cfg)</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode_Selfs&diff=292447 Factory Service Mode Selfs 2024-01-30T15:04:23Z <p>Zecoxao: </p> <hr /> <div>The following Factory Service Mode selfs exist in the orbis context:<br /> <br /> * manufacturing_updater.self<br /> * lsi_diag.self<br /> * lsi2_diag.self<br /> * aging_diag.self<br /> * cs_backup_data.self<br /> * bus_encryption_check_diag.self<br /> * netloader.self<br /> * kernel_message_diag.self (md5:7456F6E46E90BBAFF46F02B200BE5223)<br /> * set_vtrm_diag.self (md5:7E166244636FC0361448DAFB6E843087)<br /> * macaroni_diag.self (md5:4B2B271873A840BD5F5434DCA023EF27) (seems to be an agglomerate of all the others)<br /> * orbis_diag.self -&gt; this loads all the other selfs above (together with a file called launcher.cfg)</div> Zecoxao http://www.psdevwiki.com/ps4/index.php?title=Factory_Service_Mode_Selfs&diff=292446 Factory Service Mode Selfs 2024-01-30T15:03:54Z <p>Zecoxao: </p> <hr /> <div>The following Factory Service Mode selfs exist in the orbis context:<br /> <br /> * 
manufacturing_updater.self<br /> * lsi_diag.self<br /> * lsi2_diag.self<br /> * aging_diag.self<br /> * cs_backup_data.self<br /> * bus_encryption_check_diag.self<br /> * netloader.self<br /> * kernel_message_diag.self (md5:7456F6E46E90BBAFF46F02B200BE5223)<br /> * set_vtrm_diag.self<br /> * macaroni_diag.self (md5:4B2B271873A840BD5F5434DCA023EF27) (seems to be an agglomerate of all the others)<br /> * orbis_diag.self -&gt; this loads all the other selfs above (together with a file called launcher.cfg)</div> Zecoxao