Non Volatile Storage: Difference between revisions

From PS4 Developer wiki
(112 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Same as PS3's NVS, used for storing tokens and flags. You can access it by using the function icc_nvs_read (or by ftp'ing the respective regions with root flags server).<br>
The PS4 Non Volatile Storage (NVS) is, like in PS3 and PS Vita, a storage that has two properties: it remains accessible after electricity shortage (unlike RAM) and it is non-removeable (unlike HDD). NVS is mostly used for storing tokens and flags.
Seems that a total of 7 regions(blocks) exist in 2 banks, main bank and backup bank <br>
The kernel accesses only the 5th and the 2nd region, however it's possible to read the other 5 (also the entirety of it by reading /dev/sflash0s0x34 with BUF_SIZE 0x200 from ftp ).<br>
Most, if not all, of the NVS regions can be accessed also in sflash, starting with offset 0x1C4000.


= Mapping of the area (NVS service) =
On PS4, there are 2 Non Volatile Storages, one in the [[Serial Flash]] and one in the [[Syscon]] EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.
 
= Syscon NVS =
 
See [[Syscon]].
 
https://fail0verflow.com/blog/2018/ps4-syscon/
 
Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.
 
= Serial Flash NVS =
 
PS4 [[Serial Flash]] NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.
 
Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open <code>/dev/sflash0s0x34</code>.
 
== Serial Flash NVS Banks ==
 
A total of 7 blocks exist in 2 banks: main bank and backup bank. The kernel makes use only of the bank 0 block 4 and the bank 1 block 1, even though it is possible to read/write the other 5 banks. Indeed, <code>/dev/sflash0s0x34</code> access is provided to System applications and to Kernel.


{| class="wikitable sortable"
{| class="wikitable sortable"
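Review bot: In the new "Serial Flash NVS Banks" paragraph, "it is possible to read/write the other 5 banks" contradicts "A total of 7 blocks exist in 2 banks" earlier in the same paragraph; the five leftovers are blocks, so this should read "the other 5 blocks". The rewrite also changes which blocks the kernel uses: the old text says "the 5th and the 2nd region", while the new text names bank 0 block 4 and bank 1 block 1, which is the 7th block in table order. Please confirm that change is intended and not a transcription slip.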
Line 10: Line 25:
! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes
! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes
|-
|-
| 0 || 0 || 0 || 0x1C4000 || 0x3000 || does not match, probably one (sflash or nvs, likely sflash) updates data
| 0 || 0 || 0 || 0x1C4000 || 0x3000 || emc region
|-
|-
| 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || match
| 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || pd region
|-
|-
| 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || match, console data region
| 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || ds region
|-
|-
| 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || match, all ffs?
| 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || cs region
|-
|-
| 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || match, tokens and flags region
| 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || os region
|-
|-
| 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || match, tokens and flags region (backup)
| 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || ???
|-
|-
| 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || match
| 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || ???
|}
|}


= Mapping of the detailed area (NVS service) =
== Detailed Serial Flash NVS Structure ==


{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
! Bank # !! Block # !! Start Offset !! Start Offset in Sflash !! Size !! Notes
! Bank # !! Block # !! Start Offset in /dev/iccnvs<block> !! Start Offset in Sflash !! Size !! Notes
|-
| 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)
|-
|-
| 0 || 0 || 0 || 0x1C4000 || 0x8 ||  
| 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)
|-
|-
| 0 || 0 || 0x20 || 0x1C4020 || 0x6 ||  
| 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown
|-
|-
| 0 || 0 || 0x50 || 0x1C4050 || 0x1 ||  
| 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)
|-
|-
| 0 || 0 || 0x60 || 0x1C4060 || 0x5 ||  
| 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)
|-
|-
| 0 || 0 || 0x76 || 0x1C4076 || 0x1 ||  
| 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)
|-
|-
| 0 || 0 || 0x7A || 0x1C407A || 0x6 ||  
| 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)
|-
|-
| 0 || 0 || 0x80 || 0x1C4080 || 0x1 ||  
| 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)
|-
| 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)
|-
| 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)
|-
| 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)
|-
| 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)
|-
|-
| 0 || 0 || 0x96 || 0x1C4096 || 0x3 ||  
| 0 || 0 || 0x96 || 0x1C4096 || 0x3 ||  
|-
|-
| 0 || 0 || 0x9A || 0x1C409A || 0x2 ||  
| 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)
|-
| 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)
|-
| 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)
|-
|-
| 0 || 0 || 0xAC || 0x1C40AC || 0x4 ||  
| 0 || 0 || 0xAC || 0x1C40AC || 0x4 ||  
|-
|-
| 0 || 0 || 0x7FE || 0x1C47FE || 0x2 ||  
| 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)
|-
| 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)
|-
| 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)
|-
| 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)
|-
| 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)
|-
|-
| 0 || 0 || 0x801 || 0x1C4801 || 0x1 ||  
| 0 || 0 || 0x801 || 0x1C4801 || 0x1 ||  
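Review bot: The new row at 0x21 declares size 0x6 but its example "02 BC 60 A7 28 83 66" has seven bytes. Since the next row starts at 0x27, the size looks right and the example has one byte too many, or it really starts at 0x20 as the old row had it. Either trim the example or correct the start offset so that offset, size and example agree. The new rows at 0x96 and 0xAC still have empty Notes while their neighbours are now marked "Unknown"; marking them the same way would keep the table consistent.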
Line 67: Line 104:
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 ||  
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 ||  
|-
|-
| 0 || 0 || 0x1000 || 0x1C5000 || 0x64 ||  
| 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)
|-
| 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)
|-
| 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)
|-
| 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)
|-
| 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown
|-
| 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time
|-
| 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well
|-
| 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well
|-
|-
| 0 || 0 || 0x1220 || 0x1C5220 || 0x18 ||  
| 0 || 0 || 0x1220 || 0x1C5220 || 0x18 ||  
Line 131: Line 192:
| 0 || 0 || 0x2000 || 0x1C6000 || 0x8 ||  
| 0 || 0 || 0x2000 || 0x1C6000 || 0x8 ||  
|-
|-
| 0 || 1 || 0 || 0x1C7000 || 0x40 ||  
| 0 || 1 || 0x000 || 0x1C7000 || 0x40 ||  
|-
| 0 || 1 || 0x018 || 0x1C7018 || 0x1  || Wlan5GHzInfo (00 Not Supported 0C Supported, some reach 8C Supported, max reach (ac?) )
|-
| 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)
|-
|-
| 0 || 1 || 0x40 || 0x1C7040 || 0x10 || trsw_attach
| 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp
|-
|-
| 0 || 1 || 0xA0 || 0x1C70A0 || 0x2 || get_icc_max
| 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????
|-
|-
| 0 || 2 || 0 || 0x1C8000 || 0x4C || Serial Number + model Type (CUH-XXXXX)
| 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || rtc info.corrMode
|-
|-
| 0 || 2 || 0x30 || 0x1C8030 || 0x11 || Used in 5.05, Unique Identifier of Console, hw_info
| 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || rtc info.corrValue
|-
|-
| 0 || 2 || 0x41 || 0x1C8041 || 0x1F || Used in later firmwares, Unique Identifier of Console, ???
| 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || rtc info.corrValueExt
|-
|-
| 0 || 2 || 0x60 || 0x1C8060 || 0x58 ||  
| 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????
|-
|-
| 0 || 2 || 0xC0 || 0x1C80C0 || 0xD ||  
| 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391)
|-
|-
| 0 || 2 || 0x100 || 0x1C8100 || 0x20 ||  
| 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)
|-
|-
| 0 || 2 || 0x7D0 || 0x1C87D0 || 0x10 ||  
| 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData
|-
|-
| 0 || 2 || 0x7F0 || 0x1C87F0 || 0x1 ||  
| 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)
|-
|-
| 0 || 4 || 0 || 0x1C9000 || 0x20 || dipswitch flags, see below
| 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name
|-
|-
| 0 || 4 || 0 || 0x1C9000 || 0x1 || Boot Parameter (FE Development Mode) (FB Assist Mode) (FF Release Mode)
| 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown
|-
|-
| 0 || 4 || 3 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)
| 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)
|-
|-
| 0 || 4 || 5 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)
| 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)
|-
|-
| 0 || 4 || 0x10 || 0x1C9010 || 0x10 || devact_ioctl related, PassCode?
| 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)
|-
|-
| 0 || 4 || 0x20 || 0x1C9020 || 0x1 || init_safe_mode flag
| 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)
|-
|-
| 0 || 4 || 0x21 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update
| 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)
|-
|-
| 0 || 4 || 0x30 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe
| 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)
|-
|-
| 0 || 4 || 0x38 || 0x1C9038 || 0x1 || ethernet related (gbe)
| 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)
|-
|-
| 0 || 4 || 0x50 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status
| 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)
|-
|-
| 0 || 4 || 0x66 || 0x1C9066 || 0x1 || ???
| 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF) -> Disc Boot Time
|-
|-
| 0 || 4 || 0x70 || 0x1C9070 || 0x4 || manu_mode related (flags?)
| 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF) -> Disc Boot Time
|-
|-
| 0 || 4 || 0x70 || 0x1C9074 || 0x4 || manu_mode related (flags?)
| 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode
|-
|-
| 0 || 4 || 0x80 || 0x1C9080 || varies (0x68-0x6C) || acf token <- checked by sceSblDevActVerifyCheckExpire
| 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below
|-
|-
| 0 || 4 || 0x100 || 0x1C9100 || 0x100 || sce_cam_error_put
| 0 || 4 || 0x000  || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)
|-
| 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)
|-
| 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)
|-
| 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)
|-
| 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)
|-
| 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? (e.g 7F)
|-
| 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)
|-
| 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update
|-
| 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe
|-
| 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)
|-
| 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status
|-
| 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)
|-
| 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????
|-
| 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode
|-
| 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????
|-
| 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))
|-
| 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)
|-
| 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)
|-
| 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)
|-
| 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token <- checked by sceSblDevActVerifyCheckExpire
|-
| 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put
|-
|-
| 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key <- checked by g_crypt_deferred_init, also checked by read_idstorage
| 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key <- checked by g_crypt_deferred_init, also checked by read_idstorage
|-
|-
| 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled)
| 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)
|-
|-
| 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled)
| 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)
|-
|-
| 0 || 4 || 0x31F || 0x1C931F || 1 || UART boot param? (setting this to 1 enables UART output on boot)
| 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)
|-
|-
| 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk
| 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)
|-
| 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)
|-
| 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled
|-
| 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)
|-
|-
| 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds
| 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds
|-
|-
| 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config
| 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)
|-
|-
| 1 || 4 || 0x400 || 0x1C9400 || 0x210 || token ???
| 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1->Read DBI disabled, 2->Write DBI disabled, 4->ABI disabled, 8->Force auto precharge enabled, 0x10 -> Bank swap disabled, 0x20-> Bank swizzle mode disabled, 0x3F -> Everything set)
|-
|-
| 1 || 4 || 0x650 || 0x1C9650 || 0x290 || qafutkn_ioctl
| 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ????
|-
|-
| 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf signature
| 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)
|-
|-
| 1 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token ???
| 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???
|-
| 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?
|-
| 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature
|-
| 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???
|-
| 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g "GHTSH ST4501019A6E08                    613081DJ0124FZD129SN" for an HGST)
|-
| 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)
|-
|-
| 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus
| 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus
|-
|-
| 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead
| 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead
|-
| 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)
|-
|-
| 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)
| 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)
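Review bot: The new qafutkn_ioctl row gives block offset 0x150 against Serial Flash offset 0x1C9650; with block 4 starting at 0x1C9000 the block offset should be 0x650, which is what the old row had. The same row and the two "token" rows also move from bank 1 to bank 0 without explanation, so that is worth confirming. Two examples in this hunk are not the length their Size column states: the row at 0x0B0 in block 2 has size 0x8 with a ten-byte example, and the row at 0x7D0 has size 0x20 with a sixteen-byte example.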
Line 213: Line 336:
| 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead
| 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead
|-
|-
| 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || IDU Mode (0x01 Enabled 0x00 Disabled)
| 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)
|-
| 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)
|-
| 0 || 4 || 0x1601 || 0x1CA601 || 0X1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)
|-
| 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)
|-
| 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover
|-
| 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)
|-
|-
| 0 || 4 || 0x1601 || 0x1CA601 || 0x1F || checked by regMgrNvsSpInit
| 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode
|-
|-
| 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manu mode (all zeroes for enabled, all ffs for disabled)
| 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)
|-
|-
| 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 ||  
| 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 ||  
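Review bot: The old row "0x1601, size 0x1F, checked by regMgrNvsSpInit" is removed and the regMgrNvsSpInit reference is not carried over to the new 0x1600 / 0x20 "Modes (See Below)" parent row, so that information is lost; consider keeping it in the parent row's Notes. The size of the new update_mode row is written "0X1" while every other row uses a lowercase "0x" prefix.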
Line 223: Line 356:
| 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent
| 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent
|-
|-
| ? || ? || ??? || 0x1CC31F || 1 || unknown (01 = enabled)
| ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled
|-
|}
|}
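Review bot: The replacement row at 0x1CF000 leaves bank, block and block offset as "?", but the banks table in this same revision lists 0x1CF000 as the start of bank 1 block 1, so the row can be filled in as bank 1, block 1, offset 0. The old row at 0x1CC31F is dropped without comment; if that flag is still valid it should stay as its own row.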

Revision as of 05:14, 7 April 2024

The PS4 Non Volatile Storage (NVS) is, like on PS3 and PS Vita, a storage with two properties: it retains its contents when power is lost (unlike RAM) and it is non-removable (unlike the HDD). NVS is mostly used for storing tokens and flags.

On PS4, there are 2 Non Volatile Storages, one in the Serial Flash and one in the Syscon EEPROM. On PS3, NVS is stored in Serial Flash (NAND or NOR) whilst on PS Vita, NVS is part of Syscon EEPROM. There is also the Secure NVS (SNVS), which is a secure area of the Syscon NVS. SNVS is encrypted with some SAMU keys and can be accessed only after doing a handshake.

= Syscon NVS =

See Syscon.

https://fail0verflow.com/blog/2018/ps4-syscon/

Syscon NVS is accessible from EMC but only after doing the handshake to unlock EMC functionalities.

= Serial Flash NVS =

PS4 Serial Flash NVS is usually stored at offset 0x1C4000 (it depends on the Serial Flash MBR). The size of the whole Serial Flash NVS is 0xC000 bytes.

Serial Flash NVS can be accessed from Kernel by calling the function icc_nvs_read. It can also be read by calling IO functions, with System privileges, to open /dev/sflash0s0x34.

== Serial Flash NVS Banks ==

A total of 7 blocks exist in 2 banks: a main bank and a backup bank. The kernel uses only bank 0 block 4 and bank 1 block 1, even though it is possible to read and write the other 5 blocks. Indeed, access to /dev/sflash0s0x34 is provided to System applications and to the kernel.

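{| class="wikitable sortable"
|-
! Bank # !! Block # !! Start Offset in /dev/sflash0s0x34 !! Start Offset in Sflash !! Size !! Notes
|-
| 0 || 0 || 0 || 0x1C4000 || 0x3000 || emc region
|-
| 0 || 1 || 0x3000 || 0x1C7000 || 0x1000 || pd region
|-
| 0 || 2 || 0x4000 || 0x1C8000 || 0x800 || ds region
|-
| 0 || 3 || 0x4800 || 0x1C8800 || 0x800 || cs region
|-
| 0 || 4 || 0x5000 || 0x1C9000 || 0x3000 || os region
|-
| 1 || 0 || 0x8000 || 0x1CC000 || 0x3000 || ???
|-
| 1 || 1 || 0xB000 || 0x1CF000 || 0x1000 || ???
|}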

== Detailed Serial Flash NVS Structure ==

{| class="wikitable sortable"
|-
! Bank # !! Block # !! Start Offset in /dev/iccnvs<block> !! Start Offset in Sflash !! Size !! Notes
|-
| 0 || 0 || 0 || 0x1C4000 || 0x8 || Platform ID (e.g 04 01 01 01 01 01 04 01)
|-
| 0 || 0 || 0x21 || 0x1C4021 || 0x6 || Unknown (e.g 02 BC 60 A7 28 83 66)
|-
| 0 || 0 || 0x27 || 0x1C4027 || 0x6 || Unknown
|-
| 0 || 0 || 0x4E || 0x1C404E || 0x2 || Unknown (e.g 25 16)
|-
| 0 || 0 || 0x50 || 0x1C4050 || 0x5 || Unknown (e.g 12 FF 00 00 00)
|-
| 0 || 0 || 0x60 || 0x1C4060 || 0x5 || Unknown (e.g 04 02 01 01 02)
|-
| 0 || 0 || 0x73 || 0x1C4073 || 0x1 || Unknown (e.g 01)
|-
| 0 || 0 || 0x76 || 0x1C4076 || 0x1 || Unknown (e.g 01)
|-
| 0 || 0 || 0x7A || 0x1C407A || 0x6 || Unknown (e.g 00 00 00 00 00 38)
|-
| 0 || 0 || 0x80 || 0x1C4080 || 0x1 || Unknown (e.g. 00)
|-
| 0 || 0 || 0x82 || 0x1C4082 || 0x3 || Unknown (e.g. 01 01 01)
|-
| 0 || 0 || 0x91 || 0x1C4091 || 0x2 || Unknown (e.g 00 00)
|-
| 0 || 0 || 0x96 || 0x1C4096 || 0x3 ||
|-
| 0 || 0 || 0x9A || 0x1C409A || 0x2 || Unknown (e.g 02 02)
|-
| 0 || 0 || 0x9E || 0x1C409E || 0x2 || Unknown (e.g 00 00)
|-
| 0 || 0 || 0xA0 || 0x1C40A0 || 0x3 || Unknown (e.g 01 01 01)
|-
| 0 || 0 || 0xAC || 0x1C40AC || 0x4 ||
|-
| 0 || 0 || 0xC5 || 0x1C40C5 || 0x3 || Unknown (e.g AA AA AA)
|-
| 0 || 0 || 0x204 || 0x1C4204 || 0x1 || Unknown (e.g 00)
|-
| 0 || 0 || 0x20B || 0x1C420B || 0x1 || Unknown (e.g 00)
|-
| 0 || 0 || 0x210 || 0x1C4210 || 0x2 || Unknown (e.g 49 42)
|-
| 0 || 0 || 0x7FE || 0x1C47FE || 0x2 || Unknown (e.g AF 31)
|-
| 0 || 0 || 0x801 || 0x1C4801 || 0x1 ||
|-
| 0 || 0 || 0x810 || 0x1C4810 || 0x12 ||
|-
| 0 || 0 || 0x84C || 0x1C484C || 0x2 ||
|-
| 0 || 0 || 0x854 || 0x1C4854 || 0x2 ||
|-
| 0 || 0 || 0x870 || 0x1C4870 || 0xC ||
|-
| 0 || 0 || 0x8A0 || 0x1C48A0 || 0x1C ||
|-
| 0 || 0 || 0xFFE || 0x1C4FFE || 0x2 ||
|-
| 0 || 0 || 0x1000 || 0x1C5000 || 0x4 || soc wakeup source (Only one possible value 00 07 FF 07)
|-
| 0 || 0 || 0x1004 || 0x1C5004 || 0x4 || eap wakeup source (Only one possible value 00 07 FF 07)
|-
| 0 || 0 || 0x1008 || 0x1C5008 || 0x4 || soc wakeup source beep (Possible Values 00 03 0C 04) or (anything between 00 00 00 00 and FF 03 00 00)
|-
| 0 || 0 || 0x100C || 0x1C500C || 0x4 || eap wakeup source beep (Possible Values 00 00 00 04) or (anything between 00 00 00 00 and FF 03 00 00)
|-
| 0 || 0 || 0x1030 || 0x1C5030 || 0x4 || NumberOfBootShutdown
|-
| 0 || 0 || 0x1034 || 0x1C5034 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1038 || 0x1C5038 || 0x8 || dbi_time
|-
| 0 || 0 || 0x1040 || 0x1C5040 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1044 || 0x1C5044 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1048 || 0x1C5048 || 0x8 || dbi_time as well
|-
| 0 || 0 || 0x1050 || 0x1C5050 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1054 || 0x1C5054 || 0x4 || NumberOfBootShutdown as well
|-
| 0 || 0 || 0x1058 || 0x1C5058 || 0x8 || dbi_time as well
|-
| 0 || 0 || 0x1220 || 0x1C5220 || 0x18 ||
|-
| 0 || 0 || 0x1240 || 0x1C5240 || 0x18 ||
|-
| 0 || 0 || 0x1260 || 0x1C5260 || 0x18 ||
|-
| 0 || 0 || 0x1280 || 0x1C5280 || 0x18 ||
|-
| 0 || 0 || 0x12A0 || 0x1C52A0 || 0x18 ||
|-
| 0 || 0 || 0x12C0 || 0x1C52C0 || 0x18 ||
|-
| 0 || 0 || 0x12E0 || 0x1C52E0 || 0x18 ||
|-
| 0 || 0 || 0x1300 || 0x1C5300 || 0x18 ||
|-
| 0 || 0 || 0x1320 || 0x1C5320 || 0x18 ||
|-
| 0 || 0 || 0x1340 || 0x1C5340 || 0x18 ||
|-
| 0 || 0 || 0x1360 || 0x1C5360 || 0x18 ||
|-
| 0 || 0 || 0x1380 || 0x1C5380 || 0x18 ||
|-
| 0 || 0 || 0x13A0 || 0x1C53A0 || 0x18 ||
|-
| 0 || 0 || 0x13C0 || 0x1C53C0 || 0x18 ||
|-
| 0 || 0 || 0x13E0 || 0x1C53E0 || 0x18 ||
|-
| 0 || 0 || 0x1400 || 0x1C5400 || 0x18 ||
|-
| 0 || 0 || 0x1420 || 0x1C5420 || 0x18 ||
|-
| 0 || 0 || 0x1440 || 0x1C5440 || 0x18 ||
|-
| 0 || 0 || 0x1460 || 0x1C5460 || 0x18 ||
|-
| 0 || 0 || 0x1480 || 0x1C5480 || 0x18 ||
|-
| 0 || 0 || 0x14A0 || 0x1C54A0 || 0x18 ||
|-
| 0 || 0 || 0x14C0 || 0x1C54C0 || 0x18 ||
|-
| 0 || 0 || 0x14E0 || 0x1C54E0 || 0x18 ||
|-
| 0 || 0 || 0x1500 || 0x1C5500 || 0x18 ||
|-
| 0 || 0 || 0x1520 || 0x1C5520 || 0x18 ||
|-
| 0 || 0 || 0x1540 || 0x1C5540 || 0x18 ||
|-
| 0 || 0 || 0x1560 || 0x1C5560 || 0x18 ||
|-
| 0 || 0 || 0x1580 || 0x1C5580 || 0x18 ||
|-
| 0 || 0 || 0x15A0 || 0x1C55A0 || 0x18 ||
|-
| 0 || 0 || 0x15C0 || 0x1C55C0 || 0x18 ||
|-
| 0 || 0 || 0x2000 || 0x1C6000 || 0x8 ||
|-
| 0 || 1 || 0x000 || 0x1C7000 || 0x40 ||
|-
| 0 || 1 || 0x018 || 0x1C7018 || 0x1 || Wlan5GHzInfo (00 Not Supported 0C Supported, some reach 8C Supported, max reach (ac?) )
|-
| 0 || 1 || 0x040 || 0x1C7040 || 0x10 || trsw_attach (e.g 1F FF 00 00 07 FF FF 07 FF FF 00 00 00 00 00 00)
|-
| 0 || 1 || 0x0A0 || 0x1C70A0 || 0x2 || VrmOcp
|-
| 0 || 1 || 0x0B0 || 0x1C70B0 || 0x1 || ????
|-
| 0 || 1 || 0x0B1 || 0x1C70B1 || 0x1 || rtc info.corrMode
|-
| 0 || 1 || 0x0B2 || 0x1C70B2 || 0x1 || rtc info.corrValue
|-
| 0 || 1 || 0x0B3 || 0x1C70B3 || 0x1 || rtc info.corrValueExt
|-
| 0 || 1 || 0x0C0 || 0x1C70C0 || 0x1 || ????
|-
| 0 || 2 || 0x000 || 0x1C8000 || 0xE || KibanID (e.g 33001D00836391)
|-
| 0 || 2 || 0x010 || 0x1C8010 || 0x10 || SOCUID (e.g DA 24 7A 4C FB AB D3 CA D0 95 53 7C 7B F1 45 A9)
|-
| 0 || 2 || 0x020 || 0x1C8020 || 0x10 || ViopData
|-
| 0 || 2 || 0x030 || 0x1C8030 || 0x11 || Used in FW 5.05. Unique identifier of console, hw_info (e.g 00TS4DB00K2180050)
|-
| 0 || 2 || 0x041 || 0x1C8041 || 0x1F || Used in later firmwares. Unique identifier of console, hw_model (e.g DUT-DBW00JK-S0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ) aka Product Name
|-
| 0 || 2 || 0x060 || 0x1C8060 || 0x38 || Unknown
|-
| 0 || 2 || 0x098 || 0x1C8098 || 0x8 || Unknown (e.g A8 32 2A 40 67 9E 01 30)
|-
| 0 || 2 || 0x0A0 || 0x1C80A0 || 0x8 || Unknown (e.g 07 4C 11 63 6E B6 72 03)
|-
| 0 || 2 || 0x0A8 || 0x1C80A8 || 0x4 || Unknown (e.g 07 8F 31 51)
|-
| 0 || 2 || 0x0AF || 0x1C80AF || 0x1 || Unknown (e.g C2)
|-
| 0 || 2 || 0x0B0 || 0x1C80B0 || 0x8 || Unknown (e.g 01 01 01 01 06 06 06 06 FF FF)
|-
| 0 || 2 || 0x0C0 || 0x1C80C0 || 0xD || (e.g 0000027452252) Product Code (first 5 zeroes are Product Code Branch Number)
|-
| 0 || 2 || 0x100 || 0x1C8100 || 0x20 || (e.g 00 02 F4 C1 64 E6 83 41 0C D0 8D 91 38 56 50 AE 15 3E 60 9E 70 16 17 1A 1C 18 26 25 1B 1B F5 F7)
|-
| 0 || 2 || 0x7D0 || 0x1C87D0 || 0x20 || Manufacturing Process Flags (01 enabled, 00 disabled) (e.g 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00)
|-
| 0 || 2 || 0x7F0 || 0x1C87F0 || 0x2 || (e.g 01 FF) -> Disc Boot Time
|-
| 0 || 2 || 0x7FE || 0x1C87FE || 0x2 || (e.g FF FF) -> Disc Boot Time
|-
| 0 || 3 || 0x7B0 || 0x1C8FB0 || 0x1 || CS Config Mode
|-
| 0 || 4 || 0x000 || 0x1C9000 || 0x20 || dipswitch flags, see below
|-
| 0 || 4 || 0x000 || 0x1C9000 || 0x1 || SCE_REGMGR_ENT_KEY_DEVENV_TOOL_boot_param (FE Development Mode) (FB Assist Mode) (FF Release Mode)
|-
| 0 || 4 || 0x003 || 0x1C9003 || 0x1 || Memory Budget (0xFF Normal, 0xFE Large)
|-
| 0 || 4 || 0x005 || 0x1C9005 || 0x1 || Slow HDD Mode (0xFE ON) (0xFF OFF)
|-
| 0 || 4 || 0x00B || 0x1C900B || 0x1 || Unknown (0x87 on prototype DevKit)
|-
| 0 || 4 || 0x010 || 0x1C9010 || 0x1 || vsh_4K Mode (0xFE ON) (0xFF OFF)
|-
| 0 || 4 || 0x01F || 0x1C901F || 0x1 || ??? (e.g 7F)
|-
| 0 || 4 || 0x020 || 0x1C9020 || 0x1 || init_safe_mode flag (e.g F1)
|-
| 0 || 4 || 0x021 || 0x1C9021 || 0x1 || sysctl_machdep_cavern_dvt1_init_update
|-
| 0 || 4 || 0x030 || 0x1C9030 || 0x1 || trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe
|-
| 0 || 4 || 0x038 || 0x1C9038 || 0x1 || gigabyte ethernet related (gbe)
|-
| 0 || 4 || 0x050 || 0x1C9050 || 0x1 || is_extra_clock_available_rtc_status
|-
| 0 || 4 || 0x060 || 0x1C9060 || 0x4 || SMI SDK version (e.g 00 00 50 02 (2.50)) (minimal version)
|-
| 0 || 4 || 0x064 || 0x1C9064 || 0x1 || ?????
|-
| 0 || 4 || 0x065 || 0x1C9065 || 0x1 || CsBackupMode
|-
| 0 || 4 || 0x067 || 0x1C9067 || 0x1 || ?????
|-
| 0 || 4 || 0x068 || 0x1C9068 || 0x4 || Current SDK version 2 (e.g 00 00 05 05 (5.05))
|-
| 0 || 4 || 0x070 || 0x1C9070 || 0x4 || manu_mode related (sdk version?)
|-
| 0 || 4 || 0x074 || 0x1C9074 || 0x4 || Unknown (e.g. 84 72 4E 57)
|-
| 0 || 4 || 0x07C || 0x1C907C || 0x4 || manu_mode related (sdk version?)
|-
| 0 || 4 || 0x080 || 0x1C9080 || varies (0x68-0x6C) || acf token <- checked by sceSblDevActVerifyCheckExpire
|-
| 0 || 4 || 0x100 || 0x1C9100 || 0xF0 || sce_cam_error_put
|-
| 0 || 4 || 0x200 || 0x1C9200 || varies (0x40-0x60) || scrambled/obfuscated eap hdd key <- checked by g_crypt_deferred_init, also checked by read_idstorage
|-
| 0 || 4 || 0x300 || 0x1C9300 || 0x30 || sam/liverpool flags (fun stuff here) (SEE BELOW)
|-
| 0 || 4 || 0x301 || 0x1C9301 || 1 || unknown (01 = enabled) (only available for prototype)
|-
| 0 || 4 || 0x310 || 0x1C9310 || 1 || sam_memtest (01 = enabled)
|-
| 0 || 4 || 0x311 || 0x1C9311 || 1 || unknown (01 = enabled) (only available for prototype)
|-
| 0 || 4 || 0x312 || 0x1C9312 || 1 || sam_rngtest (01 = enabled)
|-
| 0 || 4 || 0x31F || 0x1C931F || 1 || extra UART. 0xFF - extra UART disabled, 0x00 - extra UART enabled when ???, 0x01 - extra UART enabled
|-
| 0 || 4 || 0x320 || 0x1C9320 || 1 || lvp_configure_get_gddr5clk (0x14 = 500Mhz) (whatever value is here is multiplied by 0x19 to get final value) (0xED max value, 5925Mhz) (500Mhz will semi-brick the console with DCT errors, however for some stupid reason BwE's lets you pick ranges from 400 to 2250MHz)
|-
| 0 || 4 || 0x322 || 0x1C9322 || 1 || lvp_configure_tccds
|-
| 0 || 4 || 0x323 || 0x1C9323 || 1 || sam_boot_flags (anything other than FF for enabled)
|-
| 0 || 4 || 0x329 || 0x1C9329 || 1 || related to lvp_config (likely gddr5DebugFlag, 1->Read DBI disabled, 2->Write DBI disabled, 4->ABI disabled, 8->Force auto precharge enabled, 0x10 -> Bank swap disabled, 0x20-> Bank swizzle mode disabled, 0x3F -> Everything set)
|-
| 0 || 4 || 0x3B0 || 0x1C93B0 || 1 || ????
|-
| 0 || 4 || 0x400 || 0x1C9400 || 0x800 || dev/qaf/utkn region (tokens, signatures here) (SEE BELOW)
|-
| 0 || 4 || 0x400 || 0x1C9400 || 0x210 || token???
|-
| 0 || 4 || 0x150 || 0x1C9650 || 0x290 || qafutkn_ioctl?
|-
| 0 || 4 || 0x900 || 0x1C9900 || 0x100 || acf RSA signature
|-
| 0 || 4 || 0xA00 || 0x1C9A00 || 0x190 || token???
|-
| 0 || 4 || 0xC00 || 0x1C9C00 || 0x3C || HDD Info (e.g "GHTSH ST4501019A6E08 613081DJ0124FZD129SN" for an HGST)
|-
| 0 || 4 || 0xC3C || 0x1C9C3C || 0x04 || Unknown (e.g 05 C6 0A 00)
|-
| 0 || 4 || 0xC40 || 0x1C9C40 || 0x130 || setPupExpirationStatus
|-
| 0 || 4 || 0x1000 || 0x1CA000 || 0x300 || wrappNvsRead, or regMgrNvsRead
|-
| 0 || 4 || 0x100E || 0x1CA00E || 0x1 || Unknown (Not Regions)
|-
| 0 || 4 || 0x1040 || 0x1CA040 || 0x1 || Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)
|-
| 0 || 4 || 0x1300 || 0x1CA300 || 0x300 || wrappNvsRead, or regMgrNvsRead
|-
| 0 || 4 || 0x1600 || 0x1CA600 || 0x20 || Modes (See Below)
|-
| 0 || 4 || 0x1600 || 0x1CA600 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 or 0xFF Disabled)
|-
| 0 || 4 || 0x1601 || 0x1CA601 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0x00 disabled) (0x10, 0x20, 0x30, 0x31, 0x32, 0x50 enabled)
|-
| 0 || 4 || 0x1602 || 0x1CA602 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)
|-
| 0 || 4 || 0x1603 || 0x1CA603 || 0x1 || SCE_REGMGR_ENT_KEY_REGISTRY_recover
|-
| 0 || 4 || 0x1604 || 0x1CA604 || 0x4 || SCE_REGMGR_ENT_KEY_SYSTEM_soft_version (deprecated) (devkit only?)
|-
| 0 || 4 || 0x1609 || 0x1CA609 || 0x1 || SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_arcade_mode
|-
| 0 || 4 || 0x2C00 || 0x1CBC00 || 0x20 || manufacturing mode (all zeroes for enabled, all FFs for disabled)
|-
| 0 || 4 || 0x2C40 || 0x1CBC40 || 0x20 ||
|-
| 0 || 4 || 0x2CC0 || 0x1CBCC0 || 0x20 || srtc_modevent
|-
| ? || ? || ??? || 0x1CF000 || 1 || ?? FF disabled 00 enabled
|}
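
As an added example (not part of the wiki page or of any PS4 tooling), the following read-only Python decoder applies the banks table and the detailed table to an offline NVS image: it maps a Serial Flash offset to bank, block and block offset, cross-checks table rows against the banks table, and decodes a few documented bank 0 block 4 fields. The function names and the constructed sample image are assumptions, and `NVS_BASE` is the usual offset, which the page notes depends on the Serial Flash MBR.

```python
NVS_BASE = 0x1C4000  # usual NVS offset in Serial Flash (the page notes it depends on the MBR)
NVS_SIZE = 0xC000    # size of the whole Serial Flash NVS

# (bank, block, start offset in /dev/sflash0s0x34, size, note), from the banks table
BLOCKS = [
    (0, 0, 0x0000, 0x3000, "emc region"),
    (0, 1, 0x3000, 0x1000, "pd region"),
    (0, 2, 0x4000, 0x0800, "ds region"),
    (0, 3, 0x4800, 0x0800, "cs region"),
    (0, 4, 0x5000, 0x3000, "os region"),
    (1, 0, 0x8000, 0x3000, "???"),
    (1, 1, 0xB000, 0x1000, "???"),
]
OS_START, OS_SIZE = 0x5000, 0x3000  # bank 0 block 4


def locate(sflash_off, base=NVS_BASE):
    """Map an absolute Serial Flash offset to (bank, block, offset inside the block)."""
    rel = sflash_off - base
    for bank, block, start, size, _note in BLOCKS:
        if start <= rel < start + size:
            return bank, block, rel - start
    raise ValueError(f"0x{sflash_off:X} is outside the NVS area")


def check_row(bank, block, block_off, sflash_off):
    """True when a row of the detailed table agrees with the banks table."""
    try:
        return locate(sflash_off) == (bank, block, block_off)
    except ValueError:
        return False


def _named(value, names):
    """Translate a flag byte, keeping undocumented values visible."""
    return names.get(value, f"unknown (0x{value:02X})")


def decode_os_flags(nvs):
    """Decode a few documented bank 0 block 4 fields from a full 0xC000-byte NVS image."""
    if len(nvs) != NVS_SIZE:
        raise ValueError(f"expected 0x{NVS_SIZE:X} bytes, got 0x{len(nvs):X}")
    blk = bytes(nvs[OS_START:OS_START + OS_SIZE])
    manu = blk[0x2C00:0x2C20]
    if manu == b"\x00" * 0x20:
        manu_mode = True
    elif manu == b"\xFF" * 0x20:
        manu_mode = False
    else:
        manu_mode = None  # mixed bytes: the page documents only the two uniform patterns
    clk = blk[0x320]
    return {
        "boot_param": _named(blk[0x000], {0xFE: "Development Mode",
                                          0xFB: "Assist Mode",
                                          0xFF: "Release Mode"}),
        "memory_budget": _named(blk[0x003], {0xFF: "Normal", 0xFE: "Large"}),
        "slow_hdd_mode": _named(blk[0x005], {0xFE: "ON", 0xFF: "OFF"}),
        # Stored value times 0x19 gives MHz. The page lists 0xED as the maximum,
        # so larger values are reported as None (assumption).
        "gddr5_clock_mhz": clk * 0x19 if clk <= 0xED else None,
        "manufacturing_mode": manu_mode,
    }


def make_sample():
    """Constructed image: erased flash (all FF) with two bytes set for illustration."""
    img = bytearray(b"\xFF" * NVS_SIZE)
    img[OS_START + 0x005] = 0xFE  # constructed value: Slow HDD Mode ON
    img[OS_START + 0x320] = 0x36  # constructed value: 0x36 * 0x19 = 1350 MHz
    return bytes(img)


if __name__ == "__main__":
    for key, value in decode_os_flags(make_sample()).items():
        print(f"{key:20} {value}")
    # Row check on the qafutkn_ioctl entry as it appears in the detailed table
    print("0x150 / 0x1C9650 consistent:", check_row(0, 4, 0x150, 0x1C9650))
    print("0x1CF000 is in:", locate(0x1CF000))
```

For a real image, pass the 0xC000 bytes read from `/dev/sflash0s0x34`, or the slice of a full Serial Flash dump starting at the NVS offset.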