Following up on the previous PS4 Macronix MX25L25635FMI-10G and MX25L1006E NOR Flash dumps, today Sony PlayStation 4 hacker cfwprophet has made available a PS4 NOR Dump 1.06 (without MAC Address & Console-ID) of the serial flash MX25L25635FMI-10G for CXD90025G, with some analysis details below.
Download: ps4nordmp_1.06_without_Mac-Serial.rar (27.59 MB)
To quote: Subject: Dump of serial flash MX25L25635FMI-10G for CXD90025G
Reference file: PS4 NOR Dump 1.06 (without MAC Address & Console-ID)
Notes:
Size: 0x2000000 filesize / 0x1D40000 datasize
Statistics: 2.64-2.66% 00's / 11.83% FF's / < 0.38% rest
Entropy: 6.96569 (87.0711%) - 7.52856 (94.107%)
Redundancy: 12.9289% - 5.893%
A. Mean: 131072
StdDev: 454103 - 245647
Strings: Flash-Main/strings
Observation:
From modrobert: I have analyzed the binary and there seems to be an interesting area not mentioned:
Starting at offset 0x144200 there is a pretty big area which doesn't seem to be encrypted. I found the area by making a raw image conversion to get a better visual view of the data.
The arrow marks the area which doesn't seem to be encrypted.
Here's a close-up of the same area; look at the top bar, the grains look lumpy there, not as even as the encrypted area below.
If you want to have a look, you can find the hi-res image here. Here's a hex dump of the first part of the suspect area.
This looks more like executable code to me, not sure what the target device might be.
Yes, this looks like an executable indeed, check the strings up there, embedded Linux maybe.
Wireless/Bluetooth firmware!? Unencrypted?! We can't be that lucky.
By the looks of it, this flash can be read by several PS4 devices accessing different offsets, so maybe we can use that to our advantage and modify data on the fly only when the decrypted area is accessed without breaking checksum in the original flash as a whole.
I'm thinking of a hardware device between the PS4 Wifi/Lan/Bluetooth circuit (or whatever it is) and the MX25L25635FMI-10G flash chip.
I found the Verilog model for the MX25L25635F flash from the manufacturer, so it should be possible to emulate the flash in an FPGA for interesting manipulation. Also attached (PDF / ZIP), in case their files suddenly disappear: http://www.macronix.com/en-us/Product/Pages/ProductDetail.aspx?PartNo=MX25L25635F
Thanks goes to cfwprophet on IRC, I learned a lot of new stuff about the PS4. A block diagram of the MediaCon functions is also attached.
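A page-level triage of a NOR dump, as an added example (not code from the post or from anyone quoted in it): it labels every 4 KiB page as 00-filled, FF-filled, high-entropy (opaque, likely encrypted or compressed) or low-entropy (code, tables or strings worth a closer look, which is what the visual raw-image trick above finds by eye), and it reports the 00/FF percentages and overall entropy the way the "Statistics" and "Entropy" lines of the notes do. The entropy thresholds and the sample image are assumptions constructed here, not values from the dump.

```python
# Added example, not from the original post. Classifies each 4 KiB page of a
# flash image by fill pattern and Shannon entropy. Sample image is constructed.
import hashlib
import math
from collections import Counter

PAGE = 0x1000  # 4 KiB pages, matching the 0x1000-aligned regions in the dump


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_page(data: bytes) -> str:
    """Rough label for one page of a flash dump.

    The 7.5 bits/byte cut-off is an assumption for illustration: cipher or
    compressed output sits close to 8, code and strings sit well below it.
    """
    if not data:
        return "empty"
    if data.count(0x00) == len(data):
        return "00-filled"
    if data.count(0xFF) == len(data):
        return "FF-filled"
    if shannon_entropy(data) >= 7.5:
        return "high-entropy"   # encrypted or compressed, opaque to static analysis
    return "low-entropy"        # code, tables or strings; inspect these first


def triage(image: bytes, page: int = PAGE) -> list[tuple[int, int, str]]:
    """Return (start, end, label) runs, merging adjacent pages with one label."""
    runs: list[tuple[int, int, str]] = []
    for off in range(0, len(image), page):
        label = classify_page(image[off:off + page])
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], off + page, label)
        else:
            runs.append((off, off + page, label))
    return runs


def byte_statistics(image: bytes) -> dict[str, float]:
    """Percentages like the 'Statistics' line of the notes plus entropy."""
    n = len(image)
    zeros = image.count(0x00) * 100.0 / n
    ffs = image.count(0xFF) * 100.0 / n
    return {"00": zeros, "FF": ffs, "rest": 100.0 - zeros - ffs,
            "entropy": shannon_entropy(image)}


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


# Constructed image: a 00 page, a "ciphertext" page, an FF page and a text page.
SAMPLE_IMAGE = (bytes(PAGE)
                + _pseudo_random(PAGE)
                + b"\xff" * PAGE
                + b"Sony Computer Entertainment Inc." * (PAGE // 32))


if __name__ == "__main__":
    for start, end, label in triage(SAMPLE_IMAGE):
        print(f"0x{start:08X}-0x{end:08X} {label}")
    print(byte_statistics(SAMPLE_IMAGE))
```

Run against a real image, the low-entropy runs are the candidates to check with `strings` and a disassembler; the high-entropy runs are where a checksum or signature most likely protects the data, so any modification there would be detected by the loader.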
Finally, from smhabib:
OF PUP!
The first 40 bytes are encrypted with aes-256-cbc and the result is used as erk and riv for the next 240 bytes. Now that is decrypted through aes-128-ctr, and now you can find the location for encrypted sections + hmac key + erk/riv keys. The rest of the sections are also encrypted with aes-128-ctr. Enjoy! j/k
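The hex dump in this post marks many bytes as "xx differs between consoles on same version", and the shared file is published "without MAC Address & Console-ID". The following added example (not code from the post or from anyone quoted in it) does that comparison mechanically: it diffs two dumps of the same firmware version into byte ranges, merges ranges separated by a small gap so a serial number or a 6-byte identifier with one coinciding byte still comes out as one range, and redacts those ranges so a dump can be shared without console-unique data. The two sample regions are constructed; they borrow the shared "40001D" prefix and the SKU string from the 0x1C8000 block, while the serial and identifier values are made up.

```python
# Added example, not from the original post. Finds console-unique byte ranges
# by diffing two dumps and redacts them. Sample regions below are constructed.


def differing_ranges(a: bytes, b: bytes, gap: int = 0) -> list[tuple[int, int]]:
    """Return [start, end) ranges where a and b differ.

    Runs separated by at most `gap` identical bytes are merged, so one
    identifier stays one range even if a byte inside it happens to match.
    """
    if len(a) != len(b):
        raise ValueError("images differ in length")
    ranges: list[tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                if ranges and i - ranges[-1][1] <= gap:
                    start = ranges.pop()[0]   # extend the previous range
                else:
                    start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def redact(image: bytes, ranges, fill: int = 0xFF) -> bytes:
    """Overwrite the given ranges so the dump carries no console identifiers."""
    buf = bytearray(image)
    for s, e in ranges:
        buf[s:e] = bytes([fill]) * (e - s)
    return bytes(buf)


def describe(ranges) -> list[str]:
    """Human-readable inclusive ranges, in the style of the dump annotations."""
    return [f"0x{s:08X}-0x{e - 1:08X} ({e - s} bytes)" for s, e in ranges]


def _sample(serial: bytes, ident: bytes) -> bytes:
    """Constructed 0x100-byte region modelled loosely on the 0x1C8000 block."""
    region = bytearray(b"\xff" * 0x100)
    region[0x00:0x06] = b"40001D"                 # shared prefix seen in the dump
    region[0x20:0x30] = bytes(range(0x10))        # identical bookkeeping bytes
    region[0x30:0x3A] = serial                    # 10-digit serial (made up)
    region[0x41:0x4F] = b"CUH-1004A B01X"         # SKU string shared by both
    region[0x60:0x66] = ident                     # 6-byte identifier (made up)
    return bytes(region)


# Serials share every other digit, so gap merging matters for the serial.
CONSOLE_A = _sample(b"1111111111", bytes.fromhex("001122334455"))
CONSOLE_B = _sample(b"1212121212", bytes.fromhex("001122aabbcc"))


if __name__ == "__main__":
    found = differing_ranges(CONSOLE_A, CONSOLE_B, gap=1)
    for line in describe(found):
        print("differs:", line)
    assert redact(CONSOLE_A, found) == redact(CONSOLE_B, found)
```

With `gap=0` the serial comes out as five one-byte ranges; `gap=1` folds them into a single 0x31-0x39 range, which is the form you want when deciding what to strip before publishing a dump.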
Observation:
Code:
Content
0x0
Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 53 4F 4E 59 20 43 4F 4D 50 55 54 45 52 20 45 4E SONY COMPUTER EN
00000010 54 45 52 54 41 49 4E 4D 45 4E 54 20 49 4E 43 2E TERTAINMENT INC.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000020 01 00 00 00 10 00 00 00 18 00 00 00 01 00 00 00 ................
00000030 01 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 ................
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...] filled 00 region
00000FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x1000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001000 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 €...............
this differs between firmware versions
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...] filled 00 region
00001FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x2000
Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00002000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En
00002010 74 65 72 74 61 69 6E 6D 65 6E 74 20 49 6E 63 2E tertainment Inc.
(0x90 block)
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000020B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...] filled 00 region
00002FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x3000
Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00003000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En
00003010 74 65 72 74 61 69 6E 6D 65 6E 74 20 49 6E 63 2E tertainment Inc.
(0x90 block)
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000030B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...] filled 00 region
00003FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x4000
SLB2 Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............
00004010 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
00004020 01 00 00 00 90 7A 04 00 00 00 00 00 00 00 00 00 .....z..........
00004030 43 30 30 30 30 30 30 31 00 00 00 00 00 00 00 00 C0000001........
00004040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004050 3F 02 00 00 40 00 00 00 00 00 00 00 00 00 00 00 ?...@...........
00004060 43 30 30 30 38 30 30 31 00 00 00 00 00 00 00 00 C0008001........
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...] filled 00 region
000041F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x4200
DEADBEEF CAFEBEBE Magic
(similar is at 0x64218 and 0xC4218)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004200 AA F9 8F D4 01 00 55 48 80 00 00 00 xx xx 04 00 ªù.Ô..UH€...... xx differs on different console with same version
00004210 00 0C 10 00 00 0C 10 00 DE AD BE EF CA FE BE BE ........Þ¾ïÊþ¾¾
00004220 DE AF BE EF CA FE BE BE F1 F2 F3 F4 F5 F6 F7 F8 Þ¯¾ïÊþ¾¾ñòóôõö÷ø
00004230 AF 46 78 AA E2 C4 4C 90 CA 4B 1B 44 B6 A4 9F 57 ¯FxªâÄL.ÊK.D¶¤ŸW same on different console with same version
00004240 9D 24 E1 91 C2 DC 0C 36 55 AE 43 D5 C5 AB 70 BD .$á‘ÂÜ.6U®CÕÅ«p½ same on different console with same version
huge encrypted section
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00004250 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx different on different console with same version
[...] (huge encrypted section)
0004BC80 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx (on different console with same version ends at 00049F1F)
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0004BC90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...]
00063FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ (on different console with same version ends at 00049FFF then a FF filled block until 00063FFF)
0x64000
SLB2 Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00064000 53 4C 42 32 01 00 00 00 00 00 00 00 02 00 00 00 SLB2............
00064010 33 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3...............
00064020 01 00 00 00 10 61 04 00 00 00 00 00 00 00 00 00 .....a..........
00064030 43 30 30 30 30 30 30 31 00 00 00 00 00 00 00 00 C0000001........
00064040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00064050 32 02 00 00 40 00 00 00 00 00 00 00 00 00 00 00 2...@...........
00064060 43 30 30 30 38 30 30 31 00 00 00 00 00 00 00 00 C0008001........
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00064070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...] filled 00 region
000641F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x64200
DEADBEEF CAFEBEBE Magic
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00064200 AA F9 8F D4 01 00 55 48 80 00 00 00 90 60 04 00 ªù.Ô..UH€....`..
00064210 00 0C 10 00 00 0C 10 00 DE AD BE EF CA FE BE BE ........Þ¾ïÊþ¾¾
00064220 DE AF BE EF CA FE BE BE F1 F2 F3 F4 F5 F6 F7 F8 Þ¯¾ïÊþ¾¾ñòóôõö÷ø
00064230 AF 46 78 AA E2 C4 4C 90 CA 4B 1B 44 B6 A4 9F 57 ¯FxªâÄL.ÊK.D¶¤ŸW
00064240 9D 24 E1 91 C2 DC 0C 36 55 AE 43 D5 C5 AB 70 BD .$á‘ÂÜ.6U®CÕÅ«p½
00064250 CC 6F 6C 5C 8F C9 5C 30 38 F2 72 90 ED 82 C0 BB Ìol\.É\08òr.í‚À»
[...]
lots of strings in this huge section, no differences between consoles on same version until 001C4024
0x1B1F90
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001B1F90 16 0C 00 00 74 29 2E C9 04 00 00 00 00 00 00 00 ....t).É........
001B1FA0 00 00 00 00 1F DB 8C 18 00 00 00 00 00 00 00 00 .....ی.........
001B1FB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001B1FC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001B1FD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001B1FE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001B1FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001B2000 01 00 00 00 00 00 00 00 10 82 0E 20 00 00 00 00 .........‚. ....
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001B2010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...] filled 00 region
001C3FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x1C4000
MAC-id @ 0x1C4021-0x1C4026
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C4000 03 02 01 01 02 01 06 01 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ
001C4010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4020 01 xx xx xx xx xx xx FF FF FF FF FF FF FF FF FF .pž)...ÿÿÿÿÿÿÿÿÿ MAC-id
001C4030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF xx xx ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ.. xx differs between consoles on same version
001C4050 04 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4060 03 01 01 02 02 FF FF FF FF FF FF FF FF FF FF FF .....ÿÿÿÿÿÿÿÿÿÿÿ
001C4070 FF FF FF FF FF FF 01 FF FF FF 00 00 00 00 00 00 ÿÿÿÿÿÿ.ÿÿÿ......
001C4080 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C4090 FF FF FF FF FF FF 00 00 00 FF 00 00 FF FF FF FF ÿÿÿÿÿÿ...ÿ..ÿÿÿÿ
001C40A0 FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 39 ÿÿÿÿÿÿÿÿÿÿÿÿ...9
[...]
0x1C4FF0
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C4FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF B9 29 ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¹)
001C5000 00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04 ..ÿ...ÿ.........
001C5010 00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ..ÿÿÿÿÿÿ........
001C5020 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C5030 xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00 ................ xx differs between consoles on same version
001C5040 xx 00 00 00 xx 00 00 00 xx 00 00 00 00 00 00 00 ................ "
001C5050 xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00 $...%...=....... "
001C5060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...]
0x1C5200
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C5200 xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx ..........ÿ..... xx differs between consoles on same version
001C5210 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001C5220 xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx ..........ÿ..... "
001C5230 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001C5240 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001C5250 xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ "
001C5260 xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx ..........ÿ..... "
001C5270 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001C5280 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001C5290 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C52A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001C5FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C6000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C6000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
001C6010 xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ "
0x1C7000
same on different consoles on same version
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C7000 03 09 FC 00 00 00 00 00 00 00 00 00 00 00 00 00 ..ü.............
001C7010 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001C7020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001C7030 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
001C7040 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .ÿ..............
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C7050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001C7FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C8000
Serial @ 001C8030 / SKU @ 001C8040
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C8000 34 30 30 30 31 44 xx xx xx xx xx xx xx xx FF FF 40001D........ÿÿ xx differs between consoles on same version
001C8010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001C8020 00 00 00 25 00 00 0A 93 00 01 00 00 00 00 07 10 ...%...“........
001C8030 30 33 32 37 34 35 32 32 32 34 xx xx xx xx xx xx 0327452224...... "
001C8040 xx 43 55 48 2D 31 30 30 34 41 20 42 30 31 58 FF .CUH-1004A B01Xÿ " (same SKU/region!)
001C8050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C8060 30 30 30 33 30 30 30 33 30 30 31 36 30 30 31 38 0003000300160018
001C8070 30 30 30 37 30 30 30 31 30 30 30 31 30 30 30 31 0007000100010001
001C8080 30 30 30 31 30 30 30 32 30 30 33 31 30 30 31 35 0001000200310015
001C8090 30 30 32 33 30 30 34 31 52 xx xx xx xx xx 01 30 00230041R......0 "
001C80A0 xx xx xx xx xx xx xx 82 07 8F 31 40 00 00 00 C2 ..........1@... "
001C80B0 01 01 01 01 06 06 06 06 FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ
001C80C0 30 30 30 30 30 FF FF FF FF FF FF FF FF FF FF FF 00000ÿÿÿÿÿÿÿÿÿÿÿ
001C80D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C80E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C80F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C8100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001C8110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C8120 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001C87C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1C87D0
within a FF block these are found on both consoles:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C87D0 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 ................
001C87E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C87F0 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001C8800 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9020 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF .ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
001C9110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001C9120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
0x1C9200
(0x40 bytes)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9200 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
001C9210 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001C9220 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001C9230 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001C9240 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001C9FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1CA000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA000 03 20 10 00 01 00 10 00 1C 01 xx 00 00 00 00 00 . ..............
001CA010 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
001CA020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA040 00 00 00 00 00 00 00 00 xx 00 00 00 00 00 00 00 ................ xx differs between consoles on same version
001CA050 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................
001CA060 00 00 00 00 00 00 00 00 05 00 00 00 xx xx xx xx ................ "
001CA070 xx xx xx xx 02 00 00 00 17 00 00 00 00 00 00 00 ................ "
001CA080 00 00 xx xx 00 00 00 00 xx 00 00 00 00 00 00 00 ................ "
001CA090 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00 ................
001CA0A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA0B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA0C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA0D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA0E0 4C 2D A7 07 00 00 00 00 30 14 13 00 02 00 17 00 L-§.....0.......
00 filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA0F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...] filled 00 region
001CA5C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x1CA5D0
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA5D0 34 76 B3 80 02 00 00 00 02 00 00 00 00 00 00 00 4v³€............
001CA5E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001CA5F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CA600 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001CBBF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1CBC00
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CBC00 69 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx i............... xx differs between consoles on same version
001CBC10 A2 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CBC20 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CBC30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CBC40 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CBC50 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CBC60 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001CDFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1CE000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE000 00 07 FF 07 00 07 FF 07 00 07 0C 04 00 00 00 04 ..ÿ...ÿ.........
001CE010 00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ..ÿÿÿÿÿÿ........
001CE020 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
001CE030 xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00 ........Ë....... xx differs between consoles on same version
001CE040 xx 00 00 00 xx 00 00 00 xx 00 00 00 00 00 00 00 ................ "
001CE050 xx 00 00 00 xx 00 00 00 xx xx 00 00 00 00 00 00 ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001CE1F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x1CE200
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE200 xx xx xx xx xx xx xx xx xx xx FF xx xx xx xx xx ..........ÿ..... xx differs between consoles on same version
001CE210 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001CE220 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CE230 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001CE240 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CE250 xx xx xx xx xx xx xx xx FF FF FF FF FF FF FF FF ........ÿÿÿÿÿÿÿÿ "
001CE260 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CE270 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
001CE280 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
001CE290 xx xx xx xx FF FF xx xx FF FF FF FF FF FF FF FF ....ÿÿ..ÿÿÿÿÿÿÿÿ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
001CE2A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
001FFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x200000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00200000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
00200010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200040 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200060 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200070 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200080 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200090 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002000A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002000B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002000C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002000D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002000E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002000F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200130 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200140 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200150 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200160 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200170 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00200190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002001A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002001B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002001C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002001D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002001E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002001F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00200200 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
00200FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x201000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00201000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
00201010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201040 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201060 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201070 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201080 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201090 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002010A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002010B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002010C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002010D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002010E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002010F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201130 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201140 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201150 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201160 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201170 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00201190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002011A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002011B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002011C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002011D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002011E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002011F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00201200 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
00201FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x202000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00202000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
00202010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202040 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202060 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202070 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202080 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202090 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002020A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002020B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002020C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002020D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002020E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002020F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202130 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202140 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202150 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202160 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202170 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00202190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002021A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002021B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002021C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002021D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002021E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002021F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00202200 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
00202FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x203000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00203000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
00203010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203030 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203040 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203050 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203060 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203070 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203080 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203090 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002030A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002030B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002030C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002030D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002030E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002030F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203100 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203110 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203120 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203130 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203140 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203150 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203160 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203170 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00203190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002031A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002031B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002031C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002031D0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002031E0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
002031F0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00203200 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
00203FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x204000
huge block
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00204000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
[...] huge block
00222DF0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " (one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F)
0x222E00
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00222E00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ xx differs between consoles on same version
[...] filled FF region
00241FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ " (one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F)
0x242000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00242000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
[...] huge block
00290780 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ " (one console ended after this with FF region 0x222E00 until 0x241FFF - other has datablock 0x204000 until 0x29078F)
FF filled
both consoles have this FF filled
00290790 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
002907F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x290800
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290800 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
[...] small block
00290920 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290930 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
002909F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x290A00
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290A00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
[...] small block
00290AD0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290AE0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
00290BF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x290C00
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290C00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
[...] small block
00290D50 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290D60 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
00290DF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x290E00
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290E00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
00290E10 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00290E20 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00290E30 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00290E40 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
002FFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x300000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00300000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
[...] huge block
0037FFF0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
0x380000
SCEVTRM
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380000 FC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF üÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380040 01 00 00 00 FF FF FF FF 53 43 45 56 54 52 4D 00 ....ÿÿÿÿSCEVTRM.
00380050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00380060 00 10 00 00 00 00 00 00 1D 00 00 00 00 00 00 00 ................
00380070 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380080 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380090 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003800A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003800B0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003800C0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003800D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003800E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003800F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380100 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380110 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380120 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380130 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380140 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380150 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380160 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00380170 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ
0x380170
0x60 block
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00380170 xx xx xx xx xx xx xx xx ........ xx differs between consoles on same version
00380180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
00380190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003801A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003801B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003801C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003801D0 xx xx xx xx xx xx xx xx ........ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003801D0 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ
003801E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
003A0160 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
003A0170 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ
0x380170
0x60 block
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A0170 xx xx xx xx xx xx xx xx ........ xx differs between consoles on same version
003A0180 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A0190 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A01A0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A01B0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A01C0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
003A01D0 xx xx xx xx xx xx xx xx ........ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A01D0 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ
003A01E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
003A1FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x3A2000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A2000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
003A2010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A2020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
003A2FF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x3A3000
0x1000 datablock
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A3000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ xx differs between consoles on same version
[...] small block
003A3FF0 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................ "
FF filled
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003A4000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
003BFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0x3C0000
0x1980000 datablock
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003C0000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
[...] huge block with encrypted data ?? Encrypted CoreOS ??
01D3FFFF xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ................
0x1D40000
FF filled
end of data was @ 0x1D40000
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01D40000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
[...] filled FF region
01FFFFF0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
eof 0x2000000
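The layout above was produced by hand: walking the image, separating the 0xFF-filled (erased) runs from data blocks, and comparing two consoles' dumps to mark the blocks that "differ between consoles on same version". The following Python script does the same survey mechanically and adds the entropy measure from the notes at the top (near 8 bits/byte reads as encrypted or compressed, clearly lower as candidate plaintext). It is an added example, not code from cfwprophet's post or from any PS4 tool; the sample images are constructed inside the script, and the 0x100 minimum erased-run length and the 7.5 bits/byte threshold are my own choices.

```python
"""Layout survey of a raw SPI-NOR image, the way the annotated dump above is
built: erased (0xFF) runs versus data blocks, Shannon entropy per data block
as a plaintext-vs-ciphertext hint, and a block-level diff between two images
of the same firmware version to find the "differs between consoles" regions.
Added example with constructed sample images; none of this is PS4 dump data."""
import hashlib
import math
from collections import Counter
from typing import Optional

FF_RUN_MIN = 0x100   # shorter 0xFF runs are treated as padding inside a data block


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte, 0.0 .. 8.0 (8.0 = every byte value equally likely)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def segment_image(img: bytes, min_ff_run: int = FF_RUN_MIN):
    """Split img into (start, end, kind), end exclusive; kind is 'FF' for an erased
    run of at least min_ff_run bytes and 'data' for everything else."""
    regions, i, n, data_start = [], 0, len(img), None
    while i < n:
        if img[i] != 0xFF:
            if data_start is None:
                data_start = i
            i += 1
            continue
        j = i
        while j < n and img[j] == 0xFF:
            j += 1
        if j - i >= min_ff_run:
            if data_start is not None:
                regions.append((data_start, i, 'data'))
                data_start = None
            regions.append((i, j, 'FF'))
        elif data_start is None:
            data_start = i          # short 0xFF run: padding inside a data block
        i = j
    if data_start is not None:
        regions.append((data_start, n, 'data'))
    return regions


def classify(img: bytes, regions, high: float = 7.5):
    """Label data regions by entropy. Only meaningful for blocks much larger than
    256 bytes: a tiny block cannot reach high entropy whatever it contains."""
    out = []
    for start, end, kind in regions:
        if kind == 'FF':
            out.append((start, end, 'FF', 0.0))
            continue
        h = shannon_entropy(img[start:end])
        out.append((start, end, 'encrypted?' if h >= high else 'plaintext?', round(h, 2)))
    return out


def diff_blocks(a: bytes, b: bytes, block: int = 16):
    """(start, end) ranges, at hex-dump row granularity, where two same-size images differ."""
    if len(a) != len(b):
        raise ValueError('images differ in size')
    ranges, cur = [], None
    for off in range(0, len(a), block):
        same = a[off:off + block] == b[off:off + block]
        if not same and cur is None:
            cur = off
        elif same and cur is not None:
            ranges.append((cur, off))
            cur = None
    if cur is not None:
        ranges.append((cur, len(a)))
    return ranges


def _filler(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for ciphertext;
    0xFF is mapped to 0xFE so a constructed blob never merges with an erased neighbour."""
    out, blk = bytearray(), seed
    while len(out) < length:
        blk = hashlib.sha256(blk).digest()
        out += blk
    return bytes(0xFE if x == 0xFF else x for x in out[:length])


def build_sample(console_id: bytes) -> bytes:
    """Constructed 4 KiB image: low-entropy 'code', erased gap, a per-console block,
    erased gap, a ciphertext-like blob shared by all consoles, erased tail."""
    img = bytearray(b'\xFF' * 0x1000)
    # eight ldr pc,[pc,#0x1c] words followed by small little-endian literals
    code = b'\x1c\xf0\x9f\xe5' * 8 + b''.join((0x6800 + 4 * k).to_bytes(4, 'little') for k in range(56))
    img[0x000:0x100] = code
    img[0x200:0x240] = _filler(console_id, 0x40)     # differs between consoles
    img[0x400:0xC00] = _filler(b'shared-blob', 0x800)
    return bytes(img)


def survey(img: bytes, other: Optional[bytes] = None) -> str:
    """Render the layout in the style of the annotated dump above."""
    lines = [f'{s:08X}-{e - 1:08X} {kind:<10} entropy={h}'
             for s, e, kind, h in classify(img, segment_image(img))]
    if other is not None:
        lines += [f'{s:08X}-{e - 1:08X} differs between consoles' for s, e in diff_blocks(img, other)]
    return '\n'.join(lines)


if __name__ == '__main__':
    print(survey(build_sample(b'console-A'), build_sample(b'console-B')))
```

On a real 32 MiB image, read the file with `open(path, 'rb').read()` and pass it to `survey`; the per-console 0x60 blocks seen above are a good reminder that the entropy label is only trustworthy for the large blocks, so judge small blocks by the diff and by their content instead.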
Starting at offset 0x144200 there is a pretty big area which doesn't seem to be encrypted. I found the area by making a raw image conversion to get a better visual view of the data.
The arrow marks the area which doesn't seem to be encrypted.
Here's a close-up of the same area; look at the top bar, the grains look lumpy there, not as even as in the encrypted area below.
If you want to have a look, you can find the hi-res image here. Here's a hex dump of the first part of the suspect area.
Code:
00144200 01 00 00 00 00 00 00 00 00 04 00 00 00 94 51 1A ..............Q.
00144210 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 ................
00144220 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 ................
00144230 10 82 0E 20 CC 68 00 00 50 68 00 00 54 68 00 00 ... .h..Ph..Th..
00144240 AC 68 00 00 B0 68 00 00 B4 68 00 00 B8 68 00 00 .h...h...h...h..
00144250 C5 68 00 00 00 00 00 EA 70 00 00 EA 28 00 8F E2 .h......p...(...
00144260 00 0C 90 E8 00 A0 8A E0 00 B0 8B E0 01 70 4A E2 .............pJ.
00144270 0B 00 5A E1 69 00 00 0A 0F 00 BA E8 14 E0 4F E2 ..Z.i.........O.
00144280 01 00 13 E3 03 F0 47 10 13 FF 2F E1 B0 7F 04 00 ......G.../.....
00144290 A0 80 04 00 01 C0 8F E2 1C FF 2F E1 8A 18 03 78 ........../....x
001442A0 01 30 9C 07 A4 0F 01 D1 04 78 01 30 1D 11 01 D1 .0.......x.0....
001442B0 05 78 01 30 01 3C 05 D0 06 78 01 30 0E 70 01 31 .x.0.<...x.0.p.1
001442C0 01 3C F9 D1 00 2D 11 D0 04 78 1B 07 01 30 9B 0F .<...-...x...0..
001442D0 0C 1B 03 2B 01 D1 03 78 01 30 1B 02 E4 1A 6B 1C ...+...x.0....k.
001442E0 26 78 01 34 0E 70 01 31 01 3B F9 D5 91 42 D6 D3 &x.4.p.1.;...B..
001442F0 70 47 00 00 10 20 52 E2 78 00 B0 28 78 00 A1 28 pG... R.x..(x..(
00144300 FB FF FF 8A 82 2E B0 E1 30 00 B0 28 30 00 A1 28 ........0..(0..(
00144310 00 40 90 45 00 40 81 45 1E FF 2F E1 00 30 A0 E3 [email protected][email protected]../..0..
00144320 00 40 A0 E3 00 50 A0 E3 00 60 A0 E3 10 20 52 E2 [email protected]...`... R.
00144330 78 00 A1 28 FC FF FF 8A 82 2E B0 E1 30 00 A1 28 x..(........0..(
00144340 00 30 81 45 1E FF 2F E1 04 30 9F E5 03 30 8F E0 .0.E../..0...0..
00144350 13 FF 2F E1 75 04 00 00 10 B5 04 00 00 F0 96 E8 ../.u...........
Code:
0018ED00 BD 90 0B 01 00 48 43 49 5F 51 E4 04 30 07 1C 16 .....HCI_Q..0...
0018ED10 01 00 4C 4D 0B 40 04 00 4C 4C 08 20 05 54 52 41 [email protected]. .TRA
0018ED20 4E 1D 10 06 54 4D 53 56 52 09 29 40 1A D4 24 12 N...TMSVR.)@..$.
0018ED30 D8 04 5A DC 2C 20 18 A7 1C 00 00 49 44 4C 45 20 ..Z., .....IDLE
0018ED40 54 68 72 65 61 64 00 78 15 01 00 73 19 00 58 61 Thread.x...s..Xa
0018ED50 13 10 08 00 A0 11 01 00 39 1B 58 72 4D 13 20 08 ........9.XrM. .
0018ED60 00 44 12 01 00 D1 1A 6C 81 14 12 E8 14 43 95 1D .D.....l.....C..
0018ED70 78 61 50 50 07 8C 13 01 00 31 1D 84 81 3F 10 07 xaPP.....1...?..
0018ED80 00 30 14 01 00 DD 7C 60 05 4D 42 4F 58 2C 12 D4 .0....|`.MBOX,..
0018ED90 14 2C 19 07 49 06 4A 0A 60 1F 22 4A 60 00 22 8A .,..I.J.`."J`.".
0018EDA0 60 0A 76 00 28 04 BF 01 20 C8 75 08 04 21 E4 18 `.v.(... .u..!..
0018EDB0 04 94 1A 01 9D 5E 89 83 01 00 00 00 FC 03 02 90 .....^..........
0018EDC0 00 04 00 00 E2 F9 4C 53 C8 10 2C 08 F0 52 FD 04 ......LS..,..R..
0018EDD0 46 4F F4 7A 71 01 F0 29 FD 20 46 00 F0 7B FA 05 FO.zq..). F..{..
0018EDE0 F0 E2 FE 0A F0 BD F8 00 F0 AD FB 0A F0 73 F8 22 .............s."
0018EDF0 48 00 F0 2A FC 21 06 10 04 2C FC 1F 06 1C 08 E4 H..*.!...,......
0018EE00 FA 1E 4C 04 F1 4C E2 04 10 04 04 FB 1B 1C 10 06 ..L..L..........
0018EE10 14 FB 04 F1 60 0E 10 04 32 FB 17 1E 12 3F 0E 12 ....`...2....?..
0018EE20 38 0E 10 04 57 FB 14 38 10 06 1A FC 04 F1 88 1C 8...W..8........
0018EE30 10 04 2D FC 10 3A 10 0A 5B FB 20 1D 00 F0 74 FB ..-..:..[. ...t.
0018EE40 0D 28 12 31 1A 12 24 28 10 04 49 FC 0A 1A 12 54 .(.1..$(..I....T
0018EE50 28 12 74 36 1C 0E 5E FC 08 F0 4E FE 00 F0 64 FC (.t6..^...N...d.
Code:
0018D8B0 00 62 74 5F 73 64 69 6F 00 77 6C 61 6E 00 4F 53 .bt_sdio.wlan.OS
0018D8C0 41 00 62 74 5F 68 63 69 00 62 6C 65 6D 62 78 00 A.bt_hci.blembx.
- Generic Bluetooth SDIO driver
By the looks of it, this flash can be read by several PS4 devices accessing different offsets, so maybe we can use that to our advantage and modify data on the fly only when the decrypted area is accessed without breaking checksum in the original flash as a whole.
I'm thinking of a hardware device between the PS4 Wifi/Lan/Bluetooth circuit (or whatever it is) and the MX25L25635FMI-10G flash chip.
I found the Verilog model for the MX25L25635F flash from the manufacturer, so it should be possible to emulate the flash in an FPGA for interesting manipulation. Also attached (PDF / ZIP), if their files suddenly disappear: http://www.macronix.com/en-us/Product/Pages/ProductDetail.aspx?PartNo=MX25L25635F
Thanks go to cfwprophet on IRC, I learned a lot of new stuff about the PS4. A block diagram of the MediaCon functions is also attached.
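The hex dump at 0x144200 above can be checked rather than eyeballed: the word `1C F0 9F E5` that repeats eight times is, read little-endian, `E59FF01C`, the ARM instruction `ldr pc, [pc, #0x1c]`, and a run of those is the classic ARM exception-vector table, each entry jumping through a literal pool placed right after it. The Python below decodes that table from the bytes in the post and also scans a blob for such runs, which is a cheap way to confirm a region is plaintext ARM code. This is an added example, not part of modrobert's post; the bytes are copied from the dump above, and naming the eight entries reset/undefined/svc/... assumes the standard ARM vector order, which the page does not establish.

```python
"""Why the region at 0x144200 reads as ARM code: the repeated word E59FF01C is
`ldr pc, [pc, #0x1c]`, the usual ARM exception-vector idiom, and each of the
eight copies indexes one slot of the literal pool that follows. Added example;
the bytes are copied from the hex dump in the post, the rest is mine."""
import struct

# First 0x60 bytes of the suspect region, copied from the post's hex dump (image offset 0x144200).
REGION_BASE = 0x144200
SUSPECT = bytes.fromhex(
    "01000000 00000000 00040000 0094511A"   # +0x00: 16-byte header, meaning not established on the page
    "1CF09FE5 1CF09FE5 1CF09FE5 1CF09FE5"   # +0x10: ldr pc,[pc,#0x1c] x4
    "1CF09FE5 1CF09FE5 1CF09FE5 1CF09FE5"   # +0x20: ldr pc,[pc,#0x1c] x4
    "10820E20 CC680000 50680000 54680000"   # +0x30: literal pool
    "AC680000 B0680000 B4680000 B8680000"   # +0x40
    "C5680000 000000EA 700000EA 28008FE2"   # +0x50
)

LDR_PC_PC_MASK = 0xFFFFF000
LDR_PC_PC_BASE = 0xE59FF000   # cond=AL, LDR immediate, P=1 U=1, Rn=PC, Rt=PC
# Standard ARM exception order; that this table follows it is an assumption.
ARM_EXCEPTIONS = ['reset', 'undefined', 'svc', 'prefetch_abort',
                  'data_abort', 'reserved', 'irq', 'fiq']


def decode_ldr_pc_vectors(blob: bytes, start: int):
    """Walk consecutive `ldr pc, [pc, #imm12]` words from `start` and resolve each
    to the handler address in its literal-pool slot. In ARM state the PC operand
    reads as the instruction address + 8, so the slot sits at off + 8 + imm12."""
    vectors, off = [], start
    while off + 4 <= len(blob):
        (word,) = struct.unpack_from('<I', blob, off)
        if word & LDR_PC_PC_MASK != LDR_PC_PC_BASE:
            break
        literal = off + 8 + (word & 0xFFF)
        if literal + 4 > len(blob):
            break
        (target,) = struct.unpack_from('<I', blob, literal)
        idx = len(vectors)
        vectors.append({
            'vector': off,
            'name': ARM_EXCEPTIONS[idx] if idx < len(ARM_EXCEPTIONS) else f'slot{idx}',
            'literal': literal,
            'target': target,
            'thumb': bool(target & 1),   # odd address: handler runs in Thumb state
        })
        off += 4
    return vectors


def scan_for_vector_tables(img: bytes, min_run: int = 6):
    """Offsets (4-byte aligned) of every run of at least min_run consecutive
    ldr pc,[pc,#imm] words; a quick test for unencrypted ARM images in a dump."""
    hits, off = [], 0
    while off + 4 <= len(img):
        run = decode_ldr_pc_vectors(img, off)
        if len(run) >= min_run:
            hits.append(off)
            off += 4 * len(run)
        else:
            off += 4
    return hits


def targets(blob: bytes, start: int):
    """Handler addresses of the table at `start`, in vector order."""
    return [v['target'] for v in decode_ldr_pc_vectors(blob, start)]


if __name__ == '__main__':
    for hit in scan_for_vector_tables(SUSPECT):
        print(f'vector table at {REGION_BASE + hit:08X}')
        for v in decode_ldr_pc_vectors(SUSPECT, hit):
            print(f"  {REGION_BASE + v['vector']:08X} {v['name']:<14} -> {v['target']:08X}"
                  f"{' (Thumb)' if v['thumb'] else ''}")
```

The eight handlers resolve to small addresses in the 0x6800 range, so they are relative to the image's own load address, not to the flash offset; the last one is odd, i.e. a Thumb handler, which together with the `bt_sdio`/`wlan`/`bt_hci` strings further on is consistent with a small embedded ARM firmware rather than with the encrypted bulk of the dump.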
Finally, from smhabib:
Code:
erk=DB7A24EC38BDB45B98CCD7D363EA2AF0C326E65081E0630CB9AB2D215865878A
riv=C9205F46F6021697E670F13DFA726212
pub=A8FD6DB24532D094EFA08BD35C9A72287D905C6B27B42BE4AB925AAF4AFFF34D41EEB54DD128700D
priv=001AD976FCDE86F5B8F63453EF3A7F94E861975BA3
ctype=30
The first 40 bytes are encrypted with aes-256-cbc and the result is used as erk and riv for the next 240 bytes. Now that is decrypted through aes-128-ctr, and now you can find the location of the encrypted sections + hmac key + erk/riv keys. The rest of the sections are also encrypted with aes-128-ctr. Enjoy! j/k