Non Volatile Storage

From PS4 Developer wiki
Jump to navigation Jump to search

Same as PS3's NVS, used for storing tokens and flags. You can access it by using the function icc_nvs_read (or by ftp'ing the respective regions with root flags server).
Seems that a total of 7 regions(blocks) exist in 2 banks, main bank and backup bank
The kernel accesses only the 5th and the 2nd region, however it's possible to read the other 5 (also the entirety of it by reading /dev/sflash0s0x34 with BUF_SIZE 0x200 from ftp ).
Most, if not all, of the NVS regions can be accessed also in sflash, starting with offset 0x1C4000.

Mapping of the area (NVS service)

Bank # Block # Start Offset in /dev/sflash0s0x34 Start Offset in Sflash Size Notes
0 0 0 0x1C4000 0x3000 does not match, probably one (sflash or nvs, likely sflash) updates data
0 1 0x3000 0x1C7000 0x1000 match
0 2 0x4000 0x1C8000 0x800 match, console data region
0 3 0x4800 0x1C8800 0x800 match, all ffs?
0 4 0x5000 0x1C9000 0x3000 match, tokens and flags region
1 0 0x8000 0x1CC000 0x3000 match, tokens and flags region (backup)
1 1 0xB000 0x1CF000 0x1000 match

Mapping of the detailed area (NVS service)

Bank # Block # Start Offset Start Offset in Sflash Size Notes
0 0 0 0x1C4000 0x8
0 0 0x20 0x1C4020 0x6
0 0 0x50 0x1C4050 0x1
0 0 0x60 0x1C4060 0x5
0 0 0x76 0x1C4076 0x1
0 0 0x7A 0x1C407A 0x6
0 0 0x80 0x1C4080 0x1
0 0 0x96 0x1C4096 0x3
0 0 0x9A 0x1C409A 0x2
0 0 0xAC 0x1C40AC 0x4
0 0 0x7FE 0x1C47FE 0x2
0 0 0x801 0x1C4801 0x1
0 0 0x810 0x1C4810 0x12
0 0 0x84C 0x1C484C 0x2
0 0 0x854 0x1C4854 0x2
0 0 0x870 0x1C4870 0xC
0 0 0x8A0 0x1C48A0 0x1C
0 0 0xFFE 0x1C4FFE 0x2
0 0 0x1000 0x1C5000 0x64
0 0 0x1220 0x1C5220 0x18
0 0 0x1240 0x1C5240 0x18
0 0 0x1260 0x1C5260 0x18
0 0 0x1280 0x1C5280 0x18
0 0 0x12A0 0x1C52A0 0x18
0 0 0x12C0 0x1C52C0 0x18
0 0 0x12E0 0x1C52E0 0x18
0 0 0x1300 0x1C5300 0x18
0 0 0x1320 0x1C5320 0x18
0 0 0x1340 0x1C5340 0x18
0 0 0x1360 0x1C5360 0x18
0 0 0x1380 0x1C5380 0x18
0 0 0x13A0 0x1C53A0 0x18
0 0 0x13C0 0x1C53C0 0x18
0 0 0x13E0 0x1C53E0 0x18
0 0 0x1400 0x1C5400 0x18
0 0 0x1420 0x1C5420 0x18
0 0 0x1440 0x1C5440 0x18
0 0 0x1460 0x1C5460 0x18
0 0 0x1480 0x1C5480 0x18
0 0 0x14A0 0x1C54A0 0x18
0 0 0x14C0 0x1C54C0 0x18
0 0 0x14E0 0x1C54E0 0x18
0 0 0x1500 0x1C5500 0x18
0 0 0x1520 0x1C5520 0x18
0 0 0x1540 0x1C5540 0x18
0 0 0x1560 0x1C5560 0x18
0 0 0x1580 0x1C5580 0x18
0 0 0x15A0 0x1C55A0 0x18
0 0 0x15C0 0x1C55C0 0x18
0 0 0x2000 0x1C6000 0x8
0 1 0 0x1C7000 0x40
0 1 0x40 0x1C7040 0x10 trsw_attach
0 1 0xA0 0x1C70A0 0x2 get_icc_max
0 2 0 0x1C8000 0x4C Serial Number + model Type (CUH-XXXXX), see below
0 2 0x10 0x1C8010 0x10 SOCUID
0 2 0x30 0x1C8030 0x11 Used in 5.05, Unique Identifier of Console, hw_info
0 2 0x41 0x1C8041 0x1F Used in later firmwares, Unique Identifier of Console, hw_model
0 2 0x60 0x1C8060 0x58
0 2 0xC0 0x1C80C0 0xD
0 2 0x100 0x1C8100 0x20
0 2 0x7D0 0x1C87D0 0x10
0 2 0x7F0 0x1C87F0 0x1
0 4 0 0x1C9000 0x20 dipswitch flags, see below
0 4 0 0x1C9000 0x1 Boot Parameter (FE Development Mode) (FB Assist Mode) (FF Release Mode)
0 4 3 0x1C9003 0x1 Memory Budget (0xFF Normal, 0xFE Large)
0 4 5 0x1C9005 0x1 Slow HDD Mode (0xFE ON) (0xFF OFF)
0 4 0x10 0x1C9010 0x10 devact_ioctl related, PassCode?
0 4 0x20 0x1C9020 0x1 init_safe_mode flag
0 4 0x21 0x1C9021 0x1 sysctl_machdep_cavern_dvt1_init_update
0 4 0x30 0x1C9030 0x1 trsw_probe (01 for [ WLAN mode : FT ], else [ WLAN mode : OFF ]) also bt_sdio_probe and trs_probe
0 4 0x38 0x1C9038 0x1 ethernet related (gbe)
0 4 0x50 0x1C9050 0x1 is_extra_clock_available_rtc_status
0 4 0x66 0x1C9066 0x1 ???
0 4 0x70 0x1C9070 0x4 manu_mode related (sdk version?)
0 4 0x70 0x1C9074 0x4 manu_mode related (sdk version?)
0 4 0x80 0x1C9080 varies (0x68-0x6C) acf token <- checked by sceSblDevActVerifyCheckExpire
0 4 0x100 0x1C9100 0x100 sce_cam_error_put
0 4 0x200 0x1C9200 varies (0x40-0x60) scrambled/obfuscated eap hdd key <- checked by g_crypt_deferred_init, also checked by read_idstorage
0 4 0x301 0x1C9301 1 unknown (01 = enabled)
0 4 0x311 0x1C9311 1 unknown (01 = enabled)
0 4 0x31F 0x1C931F 1 UART boot param? (setting this to 1 enables UART output on boot)
0 4 0x320 0x1C9320 1 lvp_configure_get_gddr5clk
0 4 0x322 0x1C9322 1 lvp_configure_tccds
0 4 0x329 0x1C9329 1 related to lvp_config
1 4 0x400 0x1C9400 0x210 token ???
1 4 0x650 0x1C9650 0x290 qafutkn_ioctl
0 4 0x900 0x1C9900 0x100 acf signature
1 4 0xA00 0x1C9A00 0x190 token ???
0 4 0xC40 0x1C9C40 0x130 setPupExpirationStatus
0 4 0x1000 0x1CA000 0x300 wrappNvsRead, or regMgrNvsRead
0 4 0x1040 0x1CA040 0x1 Circle Button Behaviour (0x01 is Circle Go Back) (0x00 is Circle Accept)
0 4 0x1300 0x1CA300 0x300 wrappNvsRead, or regMgrNvsRead
0 4 0x1600 0x1CA600 0x20 Modes (See Below)
0 4 0x1600 0x1CA600 0x1 SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_idu_mode (0x01 Enabled 0x00 Disabled)
0 4 0x1601 0x1CA601 0X1 SCE_REGMGR_ENT_KEY_SYSTEM_update_mode (0xFF or 0 disabled) (1 enabled)
0 4 0x1602 0x1CA602 0x1 SCE_REGMGR_ENT_KEY_SYSTEM_SPECIFIC_show_mode (0x01 Enabled 0x00 Disabled) (Testkit Only!)
0 4 0x2C00 0x1CBC00 0x20 manu mode (all zeroes for enabled, all ffs for disabled)
0 4 0x2C40 0x1CBC40 0x20
0 4 0x2CC0 0x1CBCC0 0x20 srtc_modevent
? ? ??? 0x1CC31F 1 unknown (01 = enabled)
Retrieved from "http://www.psdevwiki.com/ps4/index.php?title=Non_Volatile_Storage&oldid=285123"