PS3 Dual-Firmware Hardware Hacking Guide Ed. 2 Author: No_One

Similar documents
Industrial Flash Storage Trends in Software and Security

Designing VM2 Application Boards

Programming NAND devices

Accessing I2C devices with Digi Embedded Linux 5.2 example on Digi Connect ME 9210

1 Gbit, 2 Gbit, 4 Gbit, 3 V SLC NAND Flash For Embedded

Adafruit MCP9808 Precision I2C Temperature Sensor Guide

The Glitch360Spi 3.0 rev b is a HiSpeed USB2 SPI programmer, it can use any existing protocols (SPI, JTAG, BitBang, etc )

Production Flash Programming Best Practices for Kinetis K- and L-series MCUs

ALL-USB-RS422/485. User Manual. USB to Serial Converter RS422/485. ALLNET GmbH Computersysteme Alle Rechte vorbehalten

MARTECH SPI Tools. MARTECH SPI Tools User Manual v1.0. User Manual

Fiery Clone Tool For Embedded Servers User Guide

Handout 17. by Dr Sheikh Sharif Iqbal. Memory Unit and Read Only Memories

RealSSD Embedded USB Mass Storage Drive MTFDCAE001SAF, MTFDCAE002SAF, MTFDCAE004SAF, MTFDCAE008SAF

Technical Note. Micron NAND Flash Controller via Xilinx Spartan -3 FPGA. Overview. TN-29-06: NAND Flash Controller on Spartan-3 Overview

Byte Ordering of Multibyte Data Items

Eureka Technology. Understanding SD, SDIO and MMC Interface. by Eureka Technology Inc. May 26th, Copyright (C) All Rights Reserved

Practice Test for the Domain 1 - PC Hardware (Brought to you by RMRoberts.com)

PCAN-ISA. CAN Interface for ISA. User Manual

Trabajo Memorias flash

1 PERSONAL COMPUTERS

RouterBOARD minirouter

Intel RAID Controller Troubleshooting Guide

HARDWARE MANUAL. BrightSign HD120, HD220, HD1020. BrightSign, LLC Lark Ave., Suite 200 Los Gatos, CA

OTi. Ours Technology Inc. OTi-6828 FLASH DISK CONTROLLER. Description. Features

PCAN-MicroMod Universal I/O Module with CAN Interface. User Manual. Document version ( )

Single 2.5V - 3.6V or 2.7V - 3.6V supply Atmel RapidS serial interface: 66MHz maximum clock frequency. SPI compatible modes 0 and 3

Agilent Technologies Truevolt Series Digital Multimeters

EUDAR Technology Inc. Rev USB 2.0 Flash Drive. with Card Reader. Datasheet. Rev. 1.0 December 2008 EUDAR 1

Memory. The memory types currently in common usage are:

Firmware Update Instructions for Crucial Client SSDs

Nasir Memon Polytechnic Institute of NYU

Having read this workbook you should be able to: recognise the arrangement of NAND gates used to form an S-R flip-flop.

A N. O N Output/Input-output connection

Please make sure you install GSU and after GKU software befor you plug the Glitch360Shark to your computer!

A universal forensic solution to read memory chips developed by the Netherlands Forensic Institute. The NFI Memory Toolkit II

ClearPass Policy Manager 6.3

Memory Basics. SRAM/DRAM Basics

Overview of the LTC2978 Configuration EEPROM (NVM) Revision 1.0

Technical Support Information No. 196c July 2013

CHAPTER 7: The CPU and Memory

CHAPTER 11: Flip Flops

Machine Architecture and Number Systems. Major Computer Components. Schematic Diagram of a Computer. The CPU. The Bus. Main Memory.

VMware vsphere 5 Quick Start Guide

ATTO ExpressSAS Troubleshooting Guide for Windows

DS1225Y 64k Nonvolatile SRAM

Adafruit SHT31-D Temperature & Humidity Sensor Breakout

MCP4725 Digital to Analog Converter Hookup Guide

In-System Programmer USER MANUAL RN-ISP-UM RN-WIFLYCR-UM

1. Memory technology & Hierarchy

Chapter 2 Logic Gates and Introduction to Computer Architecture

Digital Photo Bank / Portable HDD Pan Ocean E350 User Manual

MCF54418 NAND Flash Controller

USB Thumb Drive. Designer Reference Manual. HCS12 Microcontrollers. freescale.com. DRM061 Rev. 0 9/2004

High Availability of the Polarion Server

Easy Step 1000 Stepper Driver Module

SP8 Programmers 硕 飞 科 技. User's Guide. TEL: FAX: WEB:

PACKAGE OUTLINE DALLAS DS2434 DS2434 GND. PR 35 PACKAGE See Mech. Drawings Section

Embedded Multi-Media Card Specification (e MMC 4.5)

NB3H5150 I2C Programming Guide. I2C/SMBus Custom Configuration Application Note

Arduino ADK Back. For information on using the board with the Android OS, see Google's ADK documentation.

ST19NP18-TPM-I2C. Trusted Platform Module (TPM) with I²C Interface. Features

760 Veterans Circle, Warminster, PA Technical Proposal. Submitted by: ACT/Technico 760 Veterans Circle Warminster, PA

Pen Drive 2.0 Specification

Algorithms and Methods for Distributed Storage Networks 3. Solid State Disks Christian Schindelhauer

SATA SSD Series. InnoDisk. Customer. Approver. Approver. Customer: Customer. InnoDisk. Part Number: InnoDisk. Model Name: Date:

Uptime Infrastructure Monitor. Installation Guide

GTS-4E Hardware User Manual. Version: V1.1.0 Date:

Hardware Based Flash Memory Failure Characterization Platform

Introducing AVR Dragon

The CW Machine Hardware

M68EVB908QL4 Development Board for Motorola MC68HC908QL4

WICE-SPI Hardware Operation Manual

Notes on Windows Embedded Standard

DSO138 oscilloscope program upgrade method

DS1307ZN. 64 x 8 Serial Real-Time Clock

DS1220Y 16k Nonvolatile SRAM

AN10860_1. Contact information. NXP Semiconductors. LPC313x NAND flash data and bad block management

AVR Prog USB v3 MK II Eco Manual

Update on filesystems for flash storage

An Overview of Flash Storage for Databases

Intel architecture. Platform Basics. White Paper Todd Langley Systems Engineer/ Architect Intel Corporation. September 2010

ABACOM - netpio.

DS1220Y 16k Nonvolatile SRAM

FLASH TECHNOLOGY DRAM/EPROM. Flash Year Source: Intel/ICE, "Memory 1996"

Linux flash file systems JFFS2 vs UBIFS

Controller for AD9850 DDS Modules Andy Talbot G4JNT

Home Security System Using Gsm Modem

_ v1.0. EVB-56x Evaluation & Development Kit for Motorola PowerPC MPC56x Microcontrollers USERS MANUAL. isystem, February /8.

Homework # 2. Solutions. 4.1 What are the differences among sequential access, direct access, and random access?

Part Number Decoder for Toshiba NAND Flash

Microcontroller Based Low Cost Portable PC Mouse and Keyboard Tester

Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000

PC Boot Considerations for Devices >8GB

VSCOM USB PRO Series Industrial I/O Adapters

UT165 Advanced USB2.0 Flash Drive Controller

AXE027 PICAXE USB CABLE

AMC13 T1 Rev 2 Preliminary Design Review. E. Hazen Boston University E. Hazen - AMC13 T1 V2 1

There are various types of NAND Flash available. Bare NAND chips, SmartMediaCards, DiskOnChip.

PCM-3662 PC/104-plus Ethernet Module

CCNA 2 Chapter 5. Managing Cisco IOS Software

Transcription:

1/6 PS3 Dual-Firmware Hardware Hacking Guide Ed. 2 Author: No_One A FAT PS3 console uses a 128Mx8bits NAND FLASH (1024Mbits of non-volatile memory). The reference used: K9F1G08U0A-PIB0 (Manufacturer: SAMSUNG). The following diagram shows the architecture used between the CELL and a NAND FLASH (FAT): NAND FLASH I/O Bus A SLIM PS3 console uses a 8Mx16bits NOR FLASH (128Mbits of non-volatile memory). The reference used: K8Q2815UQB-PI4B (Manufacturer: SAMSUNG). The following diagram shows the architecture used between the CELL and a NOR FLASH (SLIM): Address Bus NOR FLASH Data Bus This memory embeds the firmware (files) used by the PS3 itself (asecure_loader, eeid, cisd, ).

2/6 The idea consists in adding a second FLASH memory to obtain a Dual-Firmware PS3. A switch will enable to choose between 2 different configurations before (re)starting the PS3. Case #1: FAT models with NAND FLASH: The following diagram shows the NAND based architecture which enables this functionality: #1 NAND FLASH #1 I/O Bus Firmware #1 Switch I/O Bus NAND FLASH #2 #2 Firmware #2 Case #2: SLIM models with NOR FLASH: The following diagram shows the NOR based architecture which enables this functionality: #1 Data Bus NOR FLASH #1 Firmware #1 Address Bus Switch Address Bus NOR FLASH #2 Data Bus #2 Firmware #2

3/6 Description: In both cases, the second FLASH has the same reference than the original one. The architecture implies the use of 1 switch and 2 resistors. The switch selects which NOR/NAND FLASH is going to be used. The 2 resistors are crucial. In fact, they disable, by default, the unused memory to avoid electrical conflicts. Advantages: The is unable to detect the other FLASH since the Product ID and the Manufacturer ID are the same. For example, it wouldn t have been the case if we had implemented a 256Mbit NOR FLASH to replace the original NOR memory (switching the last address bit - MSB). The NAND addition should be easier than the NOR one because the package is smaller (less pins). Drawbacks: The solution requires hardware modifications. We will see that it can be done quite easily placing a new FLASH over the original one and using a switch to enable or disable the Chip Select signals.

4/6 The NOR FLASH is packaged in a TSOP56. The NAND FLASH is packaged in a TSOP48. TSOP packages are not so much hard to solder or even to unsolder. The memory is soldered on the PCB (PS3 motherboard) as described in the following diagram: FLASH MEMORY TSOP FLASH soldered on PS3 motherboard (Original configuration: NAND-48 pins or NOR-56 pins) A second package can be added without having to wire signals (address bus, data bus ). The idea consists in placing the new package over the first one: FLASH MEMORY #2 FLASH MEMORY #1 TSOP FLASH soldered on TSOP FLASH Each FLASH has a signal called CE (Chip Enable). These signals must be floating and wired to the switch (1 wire per FLASH + 1 wire on the PAD). FLASH MEMORY #2 FLASH MEMORY #1 Signal CE of each FLASH + Signal CE of PCB are wired to the switch Signal CE FLASH #2 Signal CE FLASH #1 Signal CE CELL

5/6 Case #1: Pinout for FAT models with NAND FLASH: On both NAND FLASH, CE = PIN #9 On both NAND FLASH, VCC = PIN #12 NAND FLASH The resistors should use the pin #12 (default logic 1 ). Case #2: Pinout for SLIM models with NOR FLASH: NOR FLASH On both NOR FLASH, CE = PIN #32 On both NOR FLASH, = PIN #29 The resistors should use the pin #29 (default logic 1 ).

6/6 FLASH NOR/NAND contents: Here are some strategies to flash the contents needed. Case #A: The original NOR/NAND is flashed with any firmware (CFW or OFW). Try to obtain any FLASH from another PS3 (i.e. one with YLOD). Solder it as described before. Switch to the second FLASH. Once booted, update the firmware (i.e. OFW3.41 to OFW3.60) using the usual procedure. You can now choose between the original firmware (1 st FLASH) and the new one (2 nd FLASH). I let you imagine the huge capabilities of this solution ;-) Case #B: The original NOR/NAND is flashed with a CFW3.41 or CFW3.55. Try to obtain a virgin FLASH or a corrupt one. Using Linux, you should be able to write to the second FLASH. Once the code is running in RAM, you can dynamically switch to the second FLASH to gain access. With this method, you can also dump the content of the second FLASH memory. Others Cases? Remarks / Limitations: 1) To Be Confirmed From http://www.ps3devwiki.com Firmware hash checks are located on SYSCON EEPROM. LV1 compares the hashes stored in SYSCON with the files stored on flash. If the checks fail, the console does not boot. We could get around this by using dual-banking on SYSCON or by patching the checks out. 2) To Be Confirmed From http://www.ps3devwiki.com Only a single version of VFLASH is stored on flash in NAND consoles, and a single copy is stored at the beginning of the PS3 hard drive on NOR consoles. Because the firmware stored here doesn't match that stored on flash, you would have to reinstall the rest of firmware everytime you switch. We could possibly overcome this limitation by patching the storage manager to redirect VFLASH to another region of the hard disk.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information