Editing Flash-Main


<div style="float:right">[[File:Atypical PS4 NOR.png|300px|thumb|left|Atypical (Corrupt @ 0x144200) PS4 NOR GFX]]</div>
<div style="float:right">[[File:ps4nordmp_1_06_raw_gfx.png|200px|thumb|left|PS4 Flash-Main v1.06 gfx]]</div>
<div style="float:right">[[File:Typical_PS4_NOR.png|300px|thumb|left|Typical PS4 NOR GFX]]</div>
 


'''subject:''' dump of serial flash [[MX25L25635FMI-10G]] for [[CXD90025G]]
'''reference files:'''  


* [http://www.file-upload.net/download-8560871/ps4nordmp_1.06_without_Mac-Serial.rar.html PS4 NOR Dump 1.06 (without MAC address & ConsoleId)]
* [http://www.file-upload.net/download-8671579/PS4NORDump_1.61_wo_MAC_and_CS.rar.html PS4 NOR Dump 1.61 (without MAC address & ConsoleId)]
* [http://www.file-upload.net/download-10118036/ps4nordmp_1.61_E0_wo_MAC-SERIAL.rar.html PS4 NOR Dump 1.61 E0 (without MAC address & ConsoleId)] that update seems to have fixed a nasty bug on my console; need to do more tests...
**hint for FW 1.61 E0: the FW version is still the same (1.61) and the FW counter is still 3, but now has E0 appended.


'''other reference files:'''  


* [https://mega.co.nz/#!EAxCTYBS!d5yVsovxbnQcfc1ymiLiIaDD8MMQELs16NaBQUqgRDI PS4 TEST KIT NOR Dump 1.010.031 and 1.500.101  (without MAC address & Console-ID)]   
* [https://mega.co.nz/#!ZMhk2A7Y!F9ndK7BhombPNio2fPse6tFGfln-gQS9bV47LRiNSZo PS4 #1 NOR Dump 1.1 and 1.51 (without MAC address & ConsoleId)]  
* [https://mega.co.nz/#!QZp00ZYJ!ukBiwwx_y_HEyJvXY2a4FGqZRbOKAolWEE13dIlb9WA PS4 #2 NOR Dump 1.1 and 1.51 (without MAC address & ConsoleId)]  


'''notes:''' Consoles A and B are two compared dumps from the same region and version. Console C is from region EU, version 1.06.
'''other files:''' Constant offsets and lengths across ALL PS4 dumps -> [http://www.konsole.rzeszow.pl/ps4/same_block.txt same_block.txt]. I compared over 10 dumps from different firmware versions / consoles. The first value is the offset of the first byte, the second is the length in bytes. All values are decimal.
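As an added example (not from the wiki and not the tooling that produced same_block.txt), the following Python finds the byte ranges that are identical across a set of equally sized dumps and renders them in the same decimal "offset length" form. The three 64-byte "dumps" it runs on are constructed here, not real NOR images; the comparison itself works unchanged on full 32 MiB files.

```python
import re

def constant_ranges(dumps, min_len=1):
    """Return [(offset, length), ...] for every maximal run of bytes identical in all dumps.

    The dumps are XORed as big integers, so a set of full NOR images is compared at C speed
    instead of in a Python byte loop: a byte of the resulting mask is 0x00 exactly where no
    dump disagrees. min_len drops short chance matches inside per-console data.
    """
    if len(dumps) < 2:
        raise ValueError("need at least two dumps to compare")
    size = len(dumps[0])
    if any(len(d) != size for d in dumps):
        raise ValueError("all dumps must have the same size")
    ref = int.from_bytes(dumps[0], "big")
    diff = 0
    for d in dumps[1:]:
        diff |= ref ^ int.from_bytes(d, "big")
    mask = diff.to_bytes(size, "big")
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x00+", mask) if m.end() - m.start() >= min_len]

def format_same_block(ranges):
    """Render ranges the way same_block.txt does: one 'offset length' pair per line, decimal."""
    return "\n".join(f"{off} {length}" for off, length in ranges)

# Constructed sample: three 64-byte "dumps" that differ only in a 6-byte and a 2-byte field,
# standing in for per-console data such as a MAC address.
_base = bytes(range(64))
_d2 = bytearray(_base)
_d2[8:14] = b"\xaa" * 6
_d3 = bytearray(_base)
_d3[40:42] = b"\xbb\xbb"
SAMPLE_DUMPS = [_base, bytes(_d2), bytes(_d3)]

if __name__ == "__main__":
    print(format_same_block(constant_ranges(SAMPLE_DUMPS)))
```

Raising min_len (for example to 16) is the practical way to keep the list to structural regions and away from accidental single-byte agreements inside otherwise unique areas.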


= Offsets =
See [[Codenames]].
* 0x00000000 <- Segment 0 Header (0x1000)
* 0x00001000 <- Segment 0 Active Slot (0x1000)
* 0x00002000 <- Segment 0 MBR1 (for sflash0s1.cryptx32) (0x1000)
* 0x00003000 <- Segment 0 MBR2 (for sflash0s1.cryptx32b) (0x1000)
* 0x00004000 <- sflash0s0x32 (0x60000) (emc_ipl)
* 0x00064000 <- sflash0s0x32b (0x60000) (emc_ipl)
* 0x000C4000 <- sflash0s0x33 (0x80000) (eap_kbl)
* 0x00144000 <- sflash0s0x38 (0x80000) (torus2_fw)
* 0x001C4000 <- sflash0s0x34 (0xC000) (nvs)
* 0x001D0000 <- sflash0s0x0 (0x30000) (blank)
* 0x00200000 <- Segment 1 Header (XTS encrypted) (0x1000)
* 0x00201000 <- Segment 1 Active Slot (XTS encrypted) (0x1000)
* 0x00202000 <- Segment 1 MBR1 (for sflash0s1.cryptx2) (XTS encrypted) (0x1000)
* 0x00203000 <- Segment 1 MBR2 (for sflash0s1.cryptx2b) (XTS encrypted) (0x1000)
* 0x00204000 <- sflash0s1.cryptx2 (0x3E000) (sam_ipl)
* 0x00242000 <- sflash0s1.cryptx2b (0x3E000) (sam_ipl)
* 0x00280000 <- sflash0s1.cryptx1 (0x80000) (idata)
* 0x00300000 <- sflash0s1.cryptx39 (0x80000) (bd_hrl)
* 0x00380000 <- sflash0s1.cryptx6 (0x40000) (Virtual TRM)
* 0x003C0000 <- sflash0s1.cryptx3 (0xCC0000) (secure kernel, secure modules)
* 0x01080000 <- sflash0s1.cryptx3b (0xCC0000) (secure kernel, secure modules)
* 0x01D40000 <- sflash0s1.cryptx40 (0x2C0000) (blank)
= MBR Types =
<source lang="C">
#include <stdint.h>

typedef struct {
    uint32_t start_lba;
    uint32_t n_sectors;
    uint8_t  flag1;           // maybe part_id
    uint8_t  flag2;
    uint16_t unknown;
    uint64_t padding;
} __attribute__((packed)) partition_t;

typedef struct {
    uint8_t  magic[0x20];     // "SONY COMPUTER ENTERTAINMENT INC."
    uint32_t version;         // 1
    uint32_t mbr1_start;      // ex: 0x10
    uint32_t mbr2_start;      // ex: 0x18
    uint32_t unk[4];          // ex: (1, 1, 8, 1)
    uint32_t reserved;
    uint8_t  unused[0x1C0];
} __attribute__((packed)) master_block_v1_t;

typedef struct {
    uint8_t  magic[0x20];     // "Sony Computer Entertainment Inc."
    uint32_t version;         // 4
    uint32_t n_sectors;
    uint64_t reserved;
    uint32_t loader_start;    // ex: 0x11, 0x309
    uint32_t loader_count;    // ex: 0x267
    uint64_t reserved2;
    partition_t partitions[16];
} __attribute__((packed)) master_block_v4_t;
</source>
= MBR Contents (Example) (Internal) =
== MBR 1 and 2 ==
<pre>
Partition 0, off=0x2000, sz=0x60000, type=0x20(32), active?=0x0 (ina) (emc)
Partition 1, off=0x62000, sz=0x60000, type=0x20(32), active?=0x1 (act) (emc)
Partition 2, off=0xc2000, sz=0x80000, type=0x21(33), active?=0x1 (act) (eap)
Partition 3, off=0x142000, sz=0x80000, type=0x26(38), active?=0x1 (act) (wifi)
Partition 4, off=0x1c2000, sz=0xc000, type=0x22(34), active?=0x1 (act) (nvs)
</pre>
== MBR 3 and 4 ==
<pre>
Partition 0, off=0x2000, sz=0x3e000, type=0x2, active?=0x1 (act) (ipl)
Partition 1, off=0x40000, sz=0x3e000, type=0x2, active?=0x0 (ina) (ipl)
Partition 2, off=0x7e000, sz=0x80000, type=0x1, active?=0x1 (act) (idstorage)
Partition 3, off=0xfe000, sz=0x80000, type=0x27(39), active?=0x1 (act) (bd revoke)
Partition 4, off=0x17e000, sz=0x40000, type=0x6, active?=0x1 (act) (vtrm)
Partition 5, off=0x1be000, sz=0xcc0000, type=0x3, active?=0x1 (act) (coreos)
Partition 6, off=0xe7e000, sz=0xcc0000, type=0x3, active?=0x0 (ina) (coreos)
Partition 7, off=0x1b3e000, sz=0x2c0000, type=0x28(40), active?=0x1 (act) (unused)
</pre>
= MBR Contents (Example) =
== MBR 1 and 2 ==
<pre>
Partition 0, off=0x2000, sz=0x60000, type=0x20, active?=0x1 (act)
Partition 1, off=0x62000, sz=0x60000, type=0x20, active?=0x0 (ina)
Partition 2, off=0xc2000, sz=0x80000, type=0x21, active?=0x1 (act)
Partition 3, off=0x142000, sz=0x80000, type=0x26, active?=0x1 (act)
Partition 4, off=0x1c2000, sz=0xc000, type=0x22, active?=0x1 (act)
Partition 5, off=0x1ce000, sz=0x30000, type=0x0, active?=0x1 (act)
</pre>
== MBR 3 and 4 ==
<pre>
Partition 0, off=0x2000, sz=0x3e000, type=0x2, active?=0x1
Partition 1, off=0x40000, sz=0x3e000, type=0x2, active?=0x0
Partition 2, off=0x7e000, sz=0x80000, type=0x1, active?=0x1
Partition 3, off=0xfe000, sz=0x80000, type=0x39, active?=0x1
Partition 4, off=0x17e000, sz=0x40000, type=0x6, active?=0x1
Partition 5, off=0x1be000, sz=0xcc0000, type=0x3, active?=0x1
Partition 6, off=0xe7e000, sz=0xcc0000, type=0x3, active?=0x0
Partition 7, off=0x1b3e000, sz=0x2c0000, type=0x40, active?=0x1
</pre>
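An added example, not from the wiki or from any PS4 tool, that decodes a v4 master block with the struct layouts from "MBR Types" and prints the partition table in the format of the listings above. It assumes 512-byte sectors (so mbr1_start = 0x10 lands at 0x2000, as in the Offsets list) and that flag1 is the partition type and flag2 the active flag, which is what lines the decoded entries up with the example listings; offsets are printed as start_lba times the sector size without adding any segment base. The block it parses is constructed from the "MBR 1 and 2" example table, not taken from a dump.

```python
import struct

# Layouts from the C structs under "MBR Types": packed, little-endian.
MAGIC_V4 = b"Sony Computer Entertainment Inc."
HEADER_V4 = struct.Struct("<32sIIQIIQ")   # magic, version, n_sectors, reserved, loader_start, loader_count, reserved2
PARTITION = struct.Struct("<IIBBHQ")      # start_lba, n_sectors, flag1, flag2, unknown, padding
MAX_PARTITIONS = 16
SECTOR = 0x200        # assumption: 512-byte sectors put mbr1_start=0x10 at 0x2000, matching the Offsets list
MBR_BLOCK = 0x1000    # one MBR occupies a 0x1000 block per the Offsets list

def parse_mbr_v4(block: bytes) -> list:
    """Validate a v4 master block and return its populated partition entries as dicts.

    Assumption: flag1 is the partition type and flag2 the active flag.
    Slots with n_sectors == 0 are treated as empty and skipped.
    """
    if len(block) < HEADER_V4.size + MAX_PARTITIONS * PARTITION.size:
        raise ValueError("block too short for a v4 master block")
    magic, version, _n_sectors, _r1, _ldr_start, _ldr_count, _r2 = HEADER_V4.unpack_from(block, 0)
    if magic != MAGIC_V4:
        raise ValueError("bad master block magic")
    if version != 4:
        raise ValueError(f"unsupported master block version {version}")
    parts = []
    for i in range(MAX_PARTITIONS):
        lba, n, flag1, flag2, _unk, _pad = PARTITION.unpack_from(block, HEADER_V4.size + i * PARTITION.size)
        if n == 0:
            continue
        parts.append({"index": i, "off": lba * SECTOR, "size": n * SECTOR, "type": flag1, "active": flag2})
    return parts

def is_valid_mbr_v4(block: bytes) -> bool:
    """True when the block carries the v4 magic and version and a well-formed table."""
    try:
        parse_mbr_v4(block)
        return True
    except ValueError:
        return False

def format_partition(p: dict) -> str:
    """Same line format as the 'MBR Contents (Example)' listings on this page."""
    state = "act" if p["active"] else "ina"
    return (f"Partition {p['index']}, off={p['off']:#x}, sz={p['size']:#x}, "
            f"type={p['type']:#x}, active?={p['active']:#x} ({state})")

# Constructed sample: the 'MBR 1 and 2' example table as (off, size, type, active).
SAMPLE_TABLE = [(0x2000, 0x60000, 0x20, 1), (0x62000, 0x60000, 0x20, 0), (0xC2000, 0x80000, 0x21, 1),
                (0x142000, 0x80000, 0x26, 1), (0x1C2000, 0xC000, 0x22, 1), (0x1CE000, 0x30000, 0x00, 1)]

def build_sample_mbr() -> bytes:
    """Write the sample table into an erased (0xFF) 0x1000-byte block, as flash would hold it."""
    block = bytearray(b"\xff" * MBR_BLOCK)
    HEADER_V4.pack_into(block, 0, MAGIC_V4, 4, 0, 0, 0x11, 0x267, 0)   # loader values: the page's examples
    for i in range(MAX_PARTITIONS):
        off, size, ptype, active = SAMPLE_TABLE[i] if i < len(SAMPLE_TABLE) else (0, 0, 0, 0)
        PARTITION.pack_into(block, HEADER_V4.size + i * PARTITION.size,
                            off // SECTOR, size // SECTOR, ptype, active, 0, 0)
    return bytes(block)

def sample_partitions() -> list:
    return parse_mbr_v4(build_sample_mbr())

if __name__ == "__main__":
    for p in sample_partitions():
        print(format_partition(p))
```

Feeding a block whose magic or version does not match returns False from is_valid_mbr_v4, which is the first check a validator should make before trusting any offset read from the table.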


== Content ==
=== 0x2000 ===
==== Magic ====
* aka MBR1
* ends in 0x3000
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00002000  53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E  Sony Computer En
=== 0x3000 ===
==== Magic ====
* aka MBR2
* ends in 0x4000
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00003000  53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E  Sony Computer En
=== 0x4000 ===
==== SLB2 Magic (MC Stage1) ====
* aka sflash0s0x32
* ends in 0x64000
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00004000  53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00  SLB2............
=== 0x64000 ===
==== SLB2 Magic (MC Stage2) ====
* aka sflash0s0x32b
* ends in 0xC4000
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00064000  53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00  SLB2............
=== 0xC4000 ===
==== SLB2 Magic (EAP_KBL) ====
* aka sflash0s0x33
* ends in 0x144000
NOTE: This container consists of only one file plus the X800X entry that is present on every BIOS SLB2. The data is extracted twice and written under two different names: once using the TitleID C0010001 and once using the string that holds the file name eap_kbl. Both files are identical and are extracted from the same data source.


==== wifi/bluetooth chipset firmware ====
* aka sflash0s0x38
* ends in 0x1C4000
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00144000  53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00  SLB2............


=== 0x1C4000 (Console Main Information) ===
* AKA NVS or sflash0s0x34
* Ends in 0x200000
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  001C4000  03 02 01 01 02 01 06 01 FF FF FF FF FF FF FF FF  ........ÿÿÿÿÿÿÿÿ
MAC address at offset 0x1C4021, 6 bytes long.
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  001C4020  01 xx xx xx xx xx xx FF FF FF FF FF FF FF FF FF  .xxxxxxÿÿÿÿÿÿÿÿÿ     MAC address (6 bytes, redacted)
  001C4030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  001C4040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF xx xx  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿxx     xx differs between consoles on the same version
  001C4050  04 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  001C4060  03 01 01 02 02 FF FF FF FF FF FF FF FF FF FF FF  .....ÿÿÿÿÿÿÿÿÿÿÿ
   [...]


==== 0x1C47F0 Constant ====
Every dump I checked has these constant bytes.
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  001C47F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF BE CC  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¾Ì
  001C5FF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ


==== 0x1C6000 (Retail & Dev/Test) ====
This area seems to grow: 8 bytes of 0x00 are added for every new "whatever".
{| class="wikitable"
|-


==== 0x1C9080 ACF (Dev/Test) ====
Length = 104 bytes (0x68).
The structure found so far:
First the ACF magic, 4 bytes: 0x61 0x63 0x66 0x00.
Then each entry always starts with 4 constant bytes, followed by a value of constant length:
0x01020000 (reversed 0x00002001) followed by 16 bytes.
0x03000000 (reversed 0x00000003) followed by 8 bytes.
0x00000000 (reversed 0x00000000) followed by 64 bytes.
Only on Testkit/Devkit; seems to be a(ctivation) c(ontrol) f(lags) (speculative, needs to be studied):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  001C9080  61 63 66 00 01 02 00 00 D6 B1 DA DE C7 82 7A A4  acf.....Ö±ÚÞÇ‚z¤
  001C9090  21 AE 4E D0 D9 BF B1 1A 03 00 00 00 11 55 E2 52  !®NÐÙ¿±......UâR
  001C90A0  11 FC 58 53 00 00 00 00 CC B4 CD 3A 0A F5 C0 F4  .üXS....Ì´Í:.õÀô
  001C90B0  4F 04 6B C3 95 16 E6 D8 FB 0B F2 56 B0 3B BA 00  O.kÃ.æØû.òV°;º.
  001C90C0  26 B0 D3 BA 55 5F B0 40 0F 54 34 22 E1 E4 DA A7  &°ÓºU_°@.T4"áäÚ§
  001C90D0  D1 7D EE BC EF 03 3C 23 37 EE 10 EB F6 88 1B 85  Ñ}î¼ï.<#7î.ëöˆ.…
  001C90E0  35 8F 4B F5 D5 1A C7 3D FF FF FF FF FF FF FF FF  5.KõÕ.Ç=ÿÿÿÿÿÿÿÿ


See [[Activation ACF]].
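Added example (not from the wiki or from the SystemFlash Extractor): a small parser for the ACF layout described above, run over the hex rows shown for 0x1C9080 with the offset and ASCII columns stripped. The tag/length sequence is taken from the description on this page; what each record means is not known, so only the tags and raw values are returned, and anything that deviates from the expected sequence is reported instead of silently accepted.

```python
ACF_MAGIC = b"acf\x00"                                     # 0x61 0x63 0x66 0x00
# Records in the order this page gives them: a 4-byte constant tag, then a fixed-length value.
ACF_LAYOUT = ((b"\x01\x02\x00\x00", 16), (b"\x03\x00\x00\x00", 8), (b"\x00\x00\x00\x00", 64))
ACF_SIZE = 4 + sum(4 + n for _, n in ACF_LAYOUT)           # == 0x68 == 104, as stated above

def parse_acf(blob: bytes) -> dict:
    """Split the ACF area into its tagged records; raises ValueError on anything unexpected."""
    if len(blob) < ACF_SIZE:
        raise ValueError(f"ACF area needs {ACF_SIZE:#x} bytes")
    if blob[:4] != ACF_MAGIC:
        raise ValueError("bad ACF magic")
    pos, records = 4, []
    for tag, length in ACF_LAYOUT:
        found = blob[pos:pos + 4]
        if found != tag:
            raise ValueError(f"tag {found.hex()} at +{pos:#x}, expected {tag.hex()}")
        records.append({"tag": tag.hex(), "offset": pos + 4, "value": blob[pos + 4:pos + 4 + length]})
        pos += 4 + length
    # The bytes right after the 0x68-byte area are erased flash (0xFF) in the dump shown above.
    return {"records": records, "size": pos, "trailer_erased": blob[pos:pos + 8] == b"\xff" * 8}

def is_blank(blob: bytes) -> bool:
    """True when the whole area is still erased flash, i.e. no ACF has been written."""
    return all(b == 0xFF for b in blob[:ACF_SIZE])

# The seven hex rows from the 0x1C9080 dump on this page (Dev/Test console).
ACF_SAMPLE = bytes.fromhex(
    "61 63 66 00 01 02 00 00 D6 B1 DA DE C7 82 7A A4 "
    "21 AE 4E D0 D9 BF B1 1A 03 00 00 00 11 55 E2 52 "
    "11 FC 58 53 00 00 00 00 CC B4 CD 3A 0A F5 C0 F4 "
    "4F 04 6B C3 95 16 E6 D8 FB 0B F2 56 B0 3B BA 00 "
    "26 B0 D3 BA 55 5F B0 40 0F 54 34 22 E1 E4 DA A7 "
    "D1 7D EE BC EF 03 3C 23 37 EE 10 EB F6 88 1B 85 "
    "35 8F 4B F5 D5 1A C7 3D FF FF FF FF FF FF FF FF"
)

if __name__ == "__main__":
    for rec in parse_acf(ACF_SAMPLE)["records"]:
        print(f"tag {rec['tag']} @ +{rec['offset']:#04x}: {len(rec['value'])} bytes {rec['value'].hex()}")
```

Because the tag sequence is fixed, the parser doubles as a validator for this area: a dump whose records come out in a different order or length is either not a Dev/Test dump or is damaged at this offset.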
==== 0x1C9100 ====
0x30 Bytes
{| class="wikitable"
|-
! Console A, B !! Console C
|-
| <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9100  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................  xx differs between consoles on same version
001C9110  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................  "
001C9120  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................  "
</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9100  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C9110  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C9120  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
</pre>
|-
|}


==== 0x1C91F0 PerConsole (Retail & Dev/Test) ====
==== 0x1C91F0 PerConsole ====
(0x40 bytes)
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  001C9BF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ


==== 0x1C9900 PerConsole (Dev/Test) ====
Unique 0x100 byte area (on Testkit Console dump):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0037FFF0  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................  "


* bd hrl, likely
=== 0x380000 SCE VTRM Region0 (Retail & Dev/Test) ===
SCEVTRM Magic on 0x380048.
 
The 0xFC in this example marks the very first entry of a VTRM. Otherwise the first 4 bytes are either all 0x00, meaning not in use, or 0x03 0x00 0x00 0x00, meaning in use. The counter, padded with 0x00, sits at offset 0x380050 and 0x380058 (or at 0x3A0050 and 0x3A0058 in the second VTRM) and counts the activations and deactivations of the console. Following the count, this means every
 
uneven number == Activated
 
and every
 
even number == Deactivated
 
or
 
If VTRM0 is marked as in use then the console is deactivated, and if VTRM1 is marked as in use then it is activated.
 
Some examples follow. Remember: mark 0xFC and count 0x00 == factory state.
 
NOTE: Dev/Test consoles only use one VTRM. The array for the second VTRM is completely empty on these SKU models; it has no mark and no counter either. (Why would it, if they only use one ^^)


NOTE²: Another byte changes during this process. At offset 0x3A0078 the byte is 0xFF from the factory. As soon as the console is activated for the first time (count 0x01) this byte changes to 0xFE. After that (count 0x02 and upwards) the byte is always 0xFC.
See also: [[VTRM]]


Deactivated
{| class="wikitable"
|-
! Console A !! Console B !! Console C
|-
| <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00380000  FC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  00380010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  00380050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00380060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
  00380070  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
00380000  00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF  ....ÿÿÿÿÿÿÿÿÿÿÿÿ
00380010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040  01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00  ....ÿÿÿÿSCEVTRM.
00380050  16 00 00 00 00 00 00 00 16 00 00 00 00 00 00 00  ................
00380060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
00380070  FF FF FF FF FF FF FF FF FC FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿüÿÿÿÿÿÿÿ</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380000  00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF  ....ÿÿÿÿÿÿÿÿÿÿÿÿ
00380010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040  01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00  ....ÿÿÿÿSCEVTRM.
00380050  0E 00 00 00 00 00 00 00 0E 00 00 00 00 00 00 00  ................
00380060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
00380070  FF FF FF FF FF FF FF FF FC FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿüÿÿÿÿÿÿÿ</pre>
|-
|}


==== 0x380170 VTRM Region0 Digest? / R0 PerConsole (Retail & Dev/Test) ====
So there are more ways to identify whether a dump is from a retail or a Dev/Test console. Either check whether the VTRM uses incremental counters, or check whether the VTRM carries a mark such as 0xFC, 0x00000000 or 0x03000000: if so it is retail, else Dev/Test. Or check the first 4 bytes of both VTRMs against 4x 0xFF: if true, Dev/Test, else retail.
See also: [[VTRM#Region0_Digest|VTRM]]
This region of 0x60 = 96 bytes is exactly the same on the same console across different FW and BIOS versions. These 96 bytes can be used to tell whether dumps come from different devices or from one and the same device; it is a kind of unique console identifier. I will add a new entry to the SystemFlash Extractor and hash this array with SHA1, which can then be stored in the database. That makes it possible to identify a dump and its information in the database as the same device or a different one, while protecting the user's privacy, since only a checksum is stored rather than the console-specific unique value (whatever it holds...).


  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
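Added example (not from the wiki or from the SystemFlash Extractor) that applies the VTRM rules given above: the mark in the first 4 bytes, the activation counter at +0x50/+0x58 with its odd/even reading, the 0xFF/0xFE/0xFC byte at +0x78, the "both VTRMs start with 4x 0xFF" test for Dev/Test dumps, and a SHA-1 over the 0x60 per-console bytes at +0x170 as the privacy-preserving identifier proposed above. The sample regions are rebuilt from the hex rows shown on this page for consoles A, B and C; rows the page elides, the "other FW" variant of console B, the Dev/Test regions and the per-console bytes themselves are filler constructed here, and the gap between +0x80 and +0x170 is assumed to be erased flash.

```python
import hashlib
import struct

VTRM_MAGIC = b"SCEVTRM\x00"                # at +0x48 of each region (0x380048 / 0x3A0048)
MARK_BLANK = b"\xff" * 4                   # no mark at all: Dev/Test style
MARK_IN_USE = b"\x03\x00\x00\x00"
MARK_NOT_IN_USE = b"\x00" * 4
MARK_FACTORY = 0xFC                        # first byte of the very first VTRM entry
COUNTER_OFF = 0x50                         # two copies of the counter, at +0x50 and +0x58
STATE_BYTE_OFF = 0x78                      # 0xFF factory, 0xFE after the first activation, then 0xFC
PER_CONSOLE_OFF, PER_CONSOLE_LEN = 0x170, 0x60

def parse_vtrm_header(region: bytes) -> dict:
    """Interpret the first 0x80 bytes of one VTRM region with the rules given on this page."""
    if len(region) < 0x80:
        raise ValueError("need at least 0x80 bytes of the region")
    mark = region[:4]
    if mark == MARK_BLANK:
        kind = "blank"
    elif mark[0] == MARK_FACTORY:
        kind = "factory"
    elif mark == MARK_IN_USE:
        kind = "in_use"
    elif mark == MARK_NOT_IN_USE:
        kind = "not_in_use"
    else:
        kind = "unknown"
    count, count_copy = struct.unpack_from("<QQ", region, COUNTER_OFF)
    state = region[STATE_BYTE_OFF]
    expected_state = 0xFF if count == 0 else 0xFE if count == 1 else 0xFC
    blank = kind == "blank"
    return {
        "kind": kind,
        "magic_ok": region[0x48:0x50] == VTRM_MAGIC,
        "count": None if blank else count,
        "counters_agree": count == count_copy,
        "activated": None if blank else count % 2 == 1,   # uneven == activated, even == deactivated
        "state_byte": state,
        "state_byte_consistent": None if blank else state == expected_state,
    }

def is_devtest(region0: bytes, region1: bytes) -> bool:
    """Page rule: the first 4 bytes of both VTRMs are 0xFF on Dev/Test, never on retail."""
    return region0[:4] == MARK_BLANK and region1[:4] == MARK_BLANK

def console_fingerprint(region: bytes) -> str:
    """SHA-1 of the 0x60 per-console bytes at +0x170: lets a database match dumps to one
    device without storing the raw console-specific value."""
    chunk = region[PER_CONSOLE_OFF:PER_CONSOLE_OFF + PER_CONSOLE_LEN]
    if len(chunk) != PER_CONSOLE_LEN:
        raise ValueError("region too short for the per-console area")
    return hashlib.sha1(chunk).hexdigest()

# --- constructed sample regions -------------------------------------------------------
_FF16 = "FF " * 16
_MAGIC_ROW = "01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00"
_ROW60 = "00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00"

def _region(rows, per_console):
    """0x80 header bytes from hex rows, assumed erased flash up to +0x170, then the 0x60
    per-console bytes (filler constructed here, not real console data)."""
    head = bytes.fromhex(" ".join(rows))
    assert len(head) == 0x80 and len(per_console) == PER_CONSOLE_LEN
    return head + b"\xff" * (PER_CONSOLE_OFF - 0x80) + per_console

PC_A, PC_B, PC_C = bytes(range(0x60)), bytes(range(0x60, 0xC0)), bytes(range(0xA0, 0x100))
# Console A, Region0, factory state (rows +0x20..+0x40 are elided on the page; filled in here)
CONSOLE_A_R0 = _region(["FC " + "FF " * 15, _FF16, _FF16, _FF16, _MAGIC_ROW, "00 " * 16, _ROW60, _FF16], PC_A)
# Console B, Region0, deactivated (count 0x16)
CONSOLE_B_R0 = _region(["00 00 00 00 " + "FF " * 12, _FF16, _FF16, _FF16, _MAGIC_ROW,
                        "16 00 00 00 00 00 00 00 16 00 00 00 00 00 00 00", _ROW60,
                        "FF FF FF FF FF FF FF FF FC FF FF FF FF FF FF FF"], PC_B)
# Console B on a later FW (constructed): counter moved on, per-console bytes unchanged
CONSOLE_B_R0_OTHER_FW = _region(["00 00 00 00 " + "FF " * 12, _FF16, _FF16, _FF16, _MAGIC_ROW,
                                 "18 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00", _ROW60,
                                 "FF FF FF FF FF FF FF FF FC FF FF FF FF FF FF FF"], PC_B)
# Console C, Region1, activated (count 0x01, state byte 0xFE)
CONSOLE_C_R1 = _region(["03 00 00 00 " + "FF " * 12, _FF16, _FF16, _FF16, _MAGIC_ROW,
                        "01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00", _ROW60,
                        "FF FF FF FF FF FF FF FF FE FF FF FF FF FF FF FF"], PC_C)
# Dev/Test (constructed from the 4x 0xFF rule only): both regions without mark or counter
DEVTEST_R0 = DEVTEST_R1 = _region([_FF16] * 8, PC_A)

if __name__ == "__main__":
    for name, reg in (("A R0", CONSOLE_A_R0), ("B R0", CONSOLE_B_R0), ("C R1", CONSOLE_C_R1)):
        print(name, parse_vtrm_header(reg), console_fingerprint(reg))
```

The state_byte_consistent flag ties the +0x78 byte to the counter, so a region whose counter says "activated several times" but whose state byte is still 0xFF is flagged as inconsistent rather than trusted.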


=== 0x3A0000 SCE VTRM Region1 (Retail) ===
See also: [[VTRM#Region1|VTRM]]
SCEVTRM Magic on 0x3A0048
 
Activated
{| class="wikitable"
|-
! Console A !! Console B !! Console C
|-
| <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00380000  03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF  ....ÿÿÿÿÿÿÿÿÿÿÿÿ
  00380010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  00380050  01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
  00380060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
  00380070  FF FF FF FF FF FF FF FF FE FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380000  03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF  ....ÿÿÿÿÿÿÿÿÿÿÿÿ
00380010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040  01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00  ....ÿÿÿÿSCEVTRM.
00380050  17 00 00 00 00 00 00 00 17 00 00 00 00 00 00 00  ................
00380060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
00380070  FF FF FF FF FF FF FF FF FC FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿüÿÿÿÿÿÿÿ</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380000  03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF  ....ÿÿÿÿÿÿÿÿÿÿÿÿ
00380010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040  01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00  ....ÿÿÿÿSCEVTRM.
00380050  0F 00 00 00 00 00 00 00 0F 00 00 00 00 00 00 00  ................
00380060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
00380070  FF FF FF FF FF FF FF FF FC FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿüÿÿÿÿÿÿÿ</pre>
|-
|}
 
{| class="wikitable"
|-
! Console A, B !! Console C
|-
| <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003801D0                          FF FF FF FF FF FF FF FF          ÿÿÿÿÿÿÿÿ
003801E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                filled FF region
003A0160  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003A0170  FF FF FF FF FF FF FF FF                          ÿÿÿÿÿÿÿÿ</pre> || <pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0039FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003A0000  03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF  ....ÿÿÿÿÿÿÿÿÿÿÿÿ
003A0010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                filled FF region
003A0040  01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00  ....ÿÿÿÿSCEVTRM.
003A0050  01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
003A0060  00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00  ................
003A0070  FF FF FF FF FF FF FF FF FE FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿþÿÿÿÿÿÿÿ
003A0080  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  [...]                filled FF region
003A0160  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003A0170  FF FF FF FF FF FF FF FF                          ÿÿÿÿÿÿÿÿ</pre>
|-
|}


==== 0x3A0170 VTRM Region1 Digest? / R1 PerConsole (Retail) ====
See also: [[VTRM#Region1_Digest|VTRM]]
The same as for Region0 applies here, with the difference that the Region0 and Region1 values differ from each other on the same console and across versions. But Region0 matches Region0 of different FW and BIOS versions, and the same applies to Region1: these 96 bytes from Region1 are always the same across different FW and BIOS versions of the same console.


  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F


=== 0x3C0000 (CoreOS) ===
0x1980000 datablock (sflash0s1.cryptx3 + sflash0s1.cryptx3b)
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  003C0000  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx  ................
|-
|}
=== Software Based Validation ===
==== BwE PS4 NOR Validator ====
[[File:Screenshot norvalidator2.png|300px|thumb|left|Results]]
This program is the release version of [[User:BwE]]'s PS4 NOR Validator, it is designed solely to validate the NOR flash of your PS4 console!
Why would you need to do this? Well if your console has suddenly died and has what is called the 'BLOD', the NOR can be the reason why. Using my program will allow you to validate literally every single byte of the NOR (or over 2100 specific areas) - allowing you to see where or if it is corrupted.
The most common area of corruption that causes the BLOD is the CID. Some areas of this section can actually be repaired, if you're lucky! I and others have done this! Don't forget to use my Comparator tool to help you understand what the difference is for a specific section of the NOR. It will help you with patching!
Other areas can be interchanged between different consoles and are more suited for repair; the WiFi/BT module is a good example of this.
So fundamentally, this program is for console repairers like myself. If you are indeed a repairer and run a business I can make a custom 'bulk' version for you! But for now, feel free to put multiple *.bin files in the working directory as my program will provide a selection menu.
I am also happy to give advice on your NOR or help interpret your results, just post on the forum or give me an email. If you can bypass my filter, send me a link to your NOR!
If you encounter any errors or weird results - or better yet if your NOR is labelled danger in any areas, but still runs fine - let me know!
Keep in mind the CoreOS and other large encrypted areas could still be corrupt regardless of the results (I can't check every byte in an encrypted section, hence alt validations). This program is NOT perfect, but it is WAY better than just using a hex editor or never truly knowing if your BLOD is caused by the NOR!
This also goes above and beyond that of the psdevwiki page regarding the main flash of the PS4 (Thank you cfwprpht).
<br><br><br><br><br>
'''Notes:'''
As of version 1.5.5 there is an ability to upload dumps directly to me. I use these to improve the program and validations.
Abusing this service will result in your ban from future use of my validator.
''Regarding Anti-Virus:''
I protect my program with Themida. The problem with this is that heuristically some AV software see it as a threat.
This is because people who make or redistribute old malware also use Themida to help make themselves undetected.
Ultimately, it is up to you to trust the program and me. I encourage you to upload to a sandbox to see for yourself.
<pre>
Version History:
- 1.7.1 (25/6/21) Fixed Uploading Questions, Added MB Serial to Outputs, New Spash Screen.
- 1.7.0 (23/6/21) Added Question Regarding Dump When Uploading, Added New CID Validation (Weird Key or Flag), Fixed UART Validation, Added Unlisted Results.
- 1.6.9 (26/5/21) Fixed Internal Code Issues, Added Unlisted Results, New Splash Screen (Potentially last update for a short while).
- 1.6.8 (16/5/21) Updated Internal Comparison Application, Improved Serial Number Validation (MB Series), Added Unlisted Results.
- 1.6.7 (25/4/21) Repaired UNK 1200 Series Validation, Added Unlisted Results.
- 1.6.6 (12/4/21) Added Unlisted Results, Improved Validation, Changed Output Styling.
- 1.6.5 (31/3/21) Added CoreOS Statistical Analysis, Changed Some Results, Changed Some Output Formatting, Returned to Previous Packer.
- 1.6.3 (30/3/21) Added CoreOS Patcher (SU-30631-3 Error Specific), Updated Results, Added Unlisted Results, Fixed Readme, Changed Packer.
- 1.6.2 (18/3/21) Repaired CID Validation, Improved Handling of 72xx, Added Unlisted Results, Improved Dump Uploading Process.
- 1.6.1 (20/2/21) Repaired CID Validation, Added Unlisted Results (Thanks Uploaders!)
- 1.6.0 (4/2/21) Added IDU Mode Patcher, Improved Validations, Added Unlisted Results.
- 1.5.9 (29/1/21) Major Improvement to CID and UNK Validations, Added Unlisted Results, Improved UART Patching, Better Handling of 1200/Pro/Slim Validations, Added v1.5 of Comparator
- 1.5.7 (11/1/21) Fixed Version Checker, Improved Statistics, Removed Some Unlisted Results (Improved Validation), Updated Upload Feature, Improved Compiler
- 1.5.6 (10/1/21) Improved CID and UNK Validations, Updated Unlisted Validations, IDU Flags Added, Some Code Optimization
- 1.5.5 (8/1/21) Updated Pro/Slim Specific Validations, Updated Unlisted Validations, Updated CID Validations, Updated UNK Validations, Added Dump Upload Feature
- 1.5.3 (5/12/20) Updated Unlisted Validations, Updated WiFi/BT MD5s & Entropy Validation
- 1.5.2 (20/11/20) Updated WiFi/BT MD5s, Added 2nd UART Flag, Updated Unlisted Validations
- 1.5.1 (3/11/20) Updated Unlisted Validations, Added UART Enabler, Removed Unused Validation Option, Added Basic Loader
- 1.5.0 (30/10/20) Updated Unlisted Validations, Upgraded Existing Validations, Removed Loader (Secret Patcher Coming Soon!)
- 1.4.9 (3/5/20) Added 21xx Series Specific Validations, Updated Unlisted Validations
- 1.4.7 (23/3/20) Added Dynamic Comparison, Updated Unlisted Validations
- 1.4.6 (1/2/20) Just Keeping It Fresh! (May have fixed issues stopping the program running, if not let me know!)
- 1.4.4 (16/8/19) Added and Improved Validations (CID & UNK) Including New WiFi/BT FW MD5
- 1.4.2 (7/4/19) Added More Validations (Firmware & Console Specific), Improved Various Sections (CID & UNK Mostly)
- 1.4.1 (1/3/19) Prettied Up Outputs, Minor Rewording (Sorry!).
- 1.4.0 (1/3/19) Added Zecoxao Extraction Methodology (Will Add More Zecoxao SELF Stuff Later), Added FW/BIOS Versioning, Added Additional Entropy Validation & Various Improvements Throughout.
- 1.3.8 (21/2/19) Added Additional Validations (To Suit Slim/Pro), Repaired/Improved CID Validation, More MD5s & Table Based Results.
- 1.3.5 (30/1/19) Added CoreOS Reference Points (Additional CoreOS Per-Console Validation).
- 1.3.3 (24/1/19) Reworked And Improved Both CID And UNK Sections Again, Added More MD5's, Added Application Version Checker, Removed Colored Bars, Added Comparator & Other Improvements Throughout.
- 1.3.1 (19/1/19) Added More Validations & MD5's, Repaired Minor Bug.
- 1.3 (15/1/19) Completely Reworked And Improved The CID Section And Added Additional Validations To The UNK Section & I Also Improved Some Other Validations Throughout.
- 1.2.6 (18/12/18) Hopefully Fixed 'Black Screen' Issue, Recompiled In 32bit.
- 1.2.5 (17/12/18) Added 2 New Flags (Possibly Initialization Flag?), Changed Validation Results, Improved Output/Info (HTML) & Added MD5's.
- 1.2 (8/12/18) Improved All Alt Validations, Repaired Vtrm1, Internal Typo & Added Repetition Checks.
- 1.1.1 (29/11/18) Typo Again, Made The SKU Not Come Up As Unlisted & Added Some MD5's.
- 1.1 (28/11/18) Improved VTRM & CID Validation, Typo Fixes & Better Colours.
- 1.0 (27/11/18) First Release!
</pre>
'''Developer Website:'''<br>
https://betterwayelectronics.com.au/
'''Direct Link:'''<br>
https://betterwayelectronics.com.au/BwE_PS4_NOR_Validator.rar
'''More Information/Updates:'''<br>
github.com/BetterWayElectronics/ps4-nor-validator
<br><br>


{{Reverse Engineering}}
<noinclude>[[Category:Main]]</noinclude>