|
|
| Re: FLASH storage devices [message #803 is a reply to message #802] |
Wed, 07 March 2012 22:15   |
glevand
Messages: 955
Registered: July 2011
Location: SONY
|
Gitbrew God |
|
|
FLASH storage device object in HV has a flag at offset 0x1ECC of size 4 bytes.
This flag tells if the FLASH device is NOR or NAND (Starship).
The offset is the same even on 3.55.
Value 0x1 means NAND FLASH.
Value 0x2 means NOR FLASH.
HV checks this when the next storage request is processed and branches accordingly
either to NOR or NAND subroutines.
[Updated on: Wed, 07 March 2012 22:38] Report message to a moderator |
|
|
|
| Re: FLASH storage devices [message #815 is a reply to message #803] |
Fri, 09 March 2012 22:31 |
glevand
Messages: 955
Registered: July 2011
Location: SONY
|
Gitbrew God |
|
|
ENCDEC debug level on 3.55 is at address 0x35af3c.
glevand@debian:~$ sudo dd if=/dev/ps3physmem bs=1 count=4 skip=$((0x35af3c)) | hexdump -C
00000000 00 00 00 00 |....|
00000004
Set level to 1.
glevand@debian:~$ echo "0: 00 00 00 01 " | xxd -c 256 -r | sudo dd of=/dev/ps3physmem bs=1 count=4 seek=$((0x35af3c))
LV1 debug buffer is at 0x684360.
Dump debug buffer.
sudo dd if=/dev/ps3physmem bs=1 count=4080 skip=$((0x684360)) | strings
Clear debug buffer.
sudo dd if=/dev/zero of=/dev/ps3physmem bs=1 count=4080 seek=$((0x684360))
[Updated on: Fri, 09 March 2012 22:45] Report message to a moderator |
|
|
|
| Re: FLASH storage devices [message #816 is a reply to message #815] |
Fri, 09 March 2012 22:49 |
glevand
Messages: 955
Registered: July 2011
Location: SONY
|
Gitbrew God |
|
|
Read sector 0 from ps3flashb.
sudo dd if=/dev/ps3nflashb skip=0 bs=512 count=1 of=/dev/null
Debug messages.
EdecSS start.
SetStgSsDbufEncdec ENC OR DEC:1 lbn:8 num:20 secsize:200 key:1 usr_sb_addr:c0040000 sp_sb_addr:1f001000
EncDec Interrupt Reason:6 ret:0
Encdec decsec.
SetStgSsDbufEncdec ENC OR DEC:0 lbn:8 num:20 secsize:200 key:1 usr_sb_addr:c0040000 buf_sb_addr:c0040000
EncDec Interrupt Reason:6 ret:0
Encdec decsec.
Hmm, it looks like for one read 2 encdec requests are processed.
First decrypt and then encrypt. Interesting.
But we know that NOR flash is NOT encrypted.
It makes sense. ENCDEC can either encrypt or decrypt.
First ENCDEC decrypts a NOR sector and then encrypts it.
In the end we have an unencrypted NOR sector because decrypting and encrypting it didn't change the NOR sector.
Another thing is that changing the key should not do any harm to our NOR sectors. I have to patch LV1 and test it.
[Updated on: Fri, 09 March 2012 23:29] Report message to a moderator |
|
|
|
|
|
|
|
|
|
|
|
| Re: FLASH storage devices [message #833 is a reply to message #832] |
Sat, 10 March 2012 11:13 |
glevand
Messages: 955
Registered: July 2011
Location: SONY
|
Gitbrew God |
|
|
It seems that LV1 has an array of FLASH configurations.
Each entry is 0x60 bytes. On 3.55 the entry size is 0x68.
NOR flash is entry with index 0x4 on PHAT. On SLIM it's entry with index 0x4 too.
Each entry stores total size of FLASH.
And LV1 checks requests for correct byte offset nd size by using this table.
FLASH block size is stored here too.
NOR flash has 128kb block size. Total number of blocks is stored here too: 0x80 blocks.
[Updated on: Sat, 10 March 2012 11:40] Report message to a moderator |
|
|
|
| Re: FLASH storage devices [message #834 is a reply to message #833] |
Sat, 10 March 2012 11:56 |
glevand
Messages: 955
Registered: July 2011
Location: SONY
|
Gitbrew God |
|
|
To get mmaped access to NOR flash on Linux 3 with ps3physmem do this:
sudo modprobe ps3physmem ps3physmem_start=0x2401F000000
sudo hexdump -C /dev/ps3physmem | less
With the new ps3physmem driver you can map any physical address and not only physical RAM. No need for ps3sbmmio and ps3rsxmmio drivers on Linux 3.
[Updated on: Sat, 10 March 2012 12:02] Report message to a moderator |
|
|
|
|
|
| Re: FLASH storage devices [message #836 is a reply to message #835] |
Sat, 10 March 2012 12:08 |
glevand
Messages: 955
Registered: July 2011
Location: SONY
|
Gitbrew God |
|
|
1. LV1 writes 0xAAAA at offset x+0xAAA.
2. LV1 writes 0x5555 at offset x+0x554.
3. LV1 writes 0xE0E0 at offset x+0xAAA.
4. LV1 reades 2 bytes at offset x+0x0.
5. LV1 writes 0x9090 at offset x+0x0.
6. LV1 writes 0x0000 at offset x+0x0.
Copy data from flash to LV1 buffer.
1. LV1 writes 0xF0F0 at offset x+0x0.
2. LV1 writes 0xAAAA at offset x+0xAAA.
3. LV1 writes 0x5555 at offset x+0x554.
4. LV1 writes 0x8080 at offset x+0xAAA.
5. LV1 writes 0x5555 at offset x+0x554.
6. LV1 writes 0x3000 at offset x+???.
x = 0x2401F000000 + offset of flash block in bytes where data is written
E.g. x would be 0xf20000 for ps3flashc.
[Updated on: Sat, 10 March 2012 15:23] Report message to a moderator |
|
|
|
|
|
|
|
|
|
Official Gitbrew Forums
Members
Search
Help
Register
Login
Home
Let me patch all places in LV1 and we should get correct data with key 2 too.
