EurAsia - your console hacking resource
EurAsia forums, PS4 board
Thread: PS4 MX25L25635FMI-10G NOR Flash dump 1.06 released
modrobert (donor; registered 2003-10-17; from Bangkok; 6337 messages)
#33454, posted 2014-01-30 @ 13:24 GMT
Cfwprophet over at psdevwiki.com has released a dump of the serial flash MX25L25635FMI-10G for the PS4 CXD90025G, which is the secondary/low power processor handling network tasks. The MAC address and Console-ID are zeroed out in the dump.

I have analyzed the binary and there seems to be an interesting area not mentioned on the psdevwiki.com page.

Starting at offset 0x144200 there is a pretty big area which doesn't seem to be encrypted. I found the area by making a raw image conversion to get a better visual view of the data.


(image: raw-image rendering of the whole dump) The arrow marks the area which doesn't seem to be encrypted.

(image: close-up of the same area) Here's a close-up of the same area, look at the top bar, grains look lumpy there, not as even as the encrypted area below.

If you want to have a look, you can find the hi-res image here.

Here's a hex dump of the first part of the suspect area.

Code:
00144200 01 00 00 00 00 00 00 00 00 04 00 00 00 94 51 1A ..............Q.
00144210 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 ................
00144220 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 1C F0 9F E5 ................
00144230 10 82 0E 20 CC 68 00 00 50 68 00 00 54 68 00 00 ... .h..Ph..Th..
00144240 AC 68 00 00 B0 68 00 00 B4 68 00 00 B8 68 00 00 .h...h...h...h..
00144250 C5 68 00 00 00 00 00 EA 70 00 00 EA 28 00 8F E2 .h......p...(...
00144260 00 0C 90 E8 00 A0 8A E0 00 B0 8B E0 01 70 4A E2 .............pJ.
00144270 0B 00 5A E1 69 00 00 0A 0F 00 BA E8 14 E0 4F E2 ..Z.i.........O.
00144280 01 00 13 E3 03 F0 47 10 13 FF 2F E1 B0 7F 04 00 ......G.../.....
00144290 A0 80 04 00 01 C0 8F E2 1C FF 2F E1 8A 18 03 78 ........../....x
001442A0 01 30 9C 07 A4 0F 01 D1 04 78 01 30 1D 11 01 D1 .0.......x.0....
001442B0 05 78 01 30 01 3C 05 D0 06 78 01 30 0E 70 01 31 .x.0.<...x.0.p.1
001442C0 01 3C F9 D1 00 2D 11 D0 04 78 1B 07 01 30 9B 0F .<...-...x...0..
001442D0 0C 1B 03 2B 01 D1 03 78 01 30 1B 02 E4 1A 6B 1C ...+...x.0....k.
001442E0 26 78 01 34 0E 70 01 31 01 3B F9 D5 91 42 D6 D3 &x.4.p.1.;...B..
001442F0 70 47 00 00 10 20 52 E2 78 00 B0 28 78 00 A1 28 pG... R.x..(x..(
00144300 FB FF FF 8A 82 2E B0 E1 30 00 B0 28 30 00 A1 28 ........0..(0..(
00144310 00 40 90 45 00 40 81 45 1E FF 2F E1 00 30 A0 E3 .@.E.@.E../..0..
00144320 00 40 A0 E3 00 50 A0 E3 00 60 A0 E3 10 20 52 E2 .@...P...`... R.
00144330 78 00 A1 28 FC FF FF 8A 82 2E B0 E1 30 00 A1 28 x..(........0..(
00144340 00 30 81 45 1E FF 2F E1 04 30 9F E5 03 30 8F E0 .0.E../..0...0..
00144350 13 FF 2F E1 75 04 00 00 10 B5 04 00 00 F0 96 E8 ../.u...........



This looks more like executable code to me, not sure what the target device might be.


Download the dumped flash binary and have a look in the hex editor: PS4 NORDump 1.06

Let me know what you think...

[ This message was edited by modrobert on 2014-01-30 @ 13:36 GMT ]
  _____________________________ ____________     __________________ /\________
  \    __________________      \      _____/____/     _    \       /_        /
 /     /       |       l/     _/    ____)     _/      _     \     \/  cREAM /
/______________l_______/       \______________\_______|      \_   /________/
 -+--Mo!-------------- \________/ ------------------- l_______/_____\ -----+-

modrobert (donor; registered 2003-10-17; from Bangkok; 6337 messages)
#33455, posted 2014-01-30 @ 13:58 GMT
Code:
0018ED00 BD 90 0B 01 00 48 43 49 5F 51 E4 04 30 07 1C 16 .....HCI_Q..0...
0018ED10 01 00 4C 4D 0B 40 04 00 4C 4C 08 20 05 54 52 41 ..LM.@..LL. .TRA
0018ED20 4E 1D 10 06 54 4D 53 56 52 09 29 40 1A D4 24 12 N...TMSVR.)@..$.
0018ED30 D8 04 5A DC 2C 20 18 A7 1C 00 00 49 44 4C 45 20 ..Z., .....IDLE
0018ED40 54 68 72 65 61 64 00 78 15 01 00 73 19 00 58 61 Thread.x...s..Xa
0018ED50 13 10 08 00 A0 11 01 00 39 1B 58 72 4D 13 20 08 ........9.XrM. .
0018ED60 00 44 12 01 00 D1 1A 6C 81 14 12 E8 14 43 95 1D .D.....l.....C..
0018ED70 78 61 50 50 07 8C 13 01 00 31 1D 84 81 3F 10 07 xaPP.....1...?..
0018ED80 00 30 14 01 00 DD 7C 60 05 4D 42 4F 58 2C 12 D4 .0....|`.MBOX,..
0018ED90 14 2C 19 07 49 06 4A 0A 60 1F 22 4A 60 00 22 8A .,..I.J.`."J`.".
0018EDA0 60 0A 76 00 28 04 BF 01 20 C8 75 08 04 21 E4 18 `.v.(... .u..!..
0018EDB0 04 94 1A 01 9D 5E 89 83 01 00 00 00 FC 03 02 90 .....^..........
0018EDC0 00 04 00 00 E2 F9 4C 53 C8 10 2C 08 F0 52 FD 04 ......LS..,..R..
0018EDD0 46 4F F4 7A 71 01 F0 29 FD 20 46 00 F0 7B FA 05 FO.zq..). F..{..
0018EDE0 F0 E2 FE 0A F0 BD F8 00 F0 AD FB 0A F0 73 F8 22 .............s."
0018EDF0 48 00 F0 2A FC 21 06 10 04 2C FC 1F 06 1C 08 E4 H..*.!...,......
0018EE00 FA 1E 4C 04 F1 4C E2 04 10 04 04 FB 1B 1C 10 06 ..L..L..........
0018EE10 14 FB 04 F1 60 0E 10 04 32 FB 17 1E 12 3F 0E 12 ....`...2....?..
0018EE20 38 0E 10 04 57 FB 14 38 10 06 1A FC 04 F1 88 1C 8...W..8........
0018EE30 10 04 2D FC 10 3A 10 0A 5B FB 20 1D 00 F0 74 FB ..-..:..[. ...t.
0018EE40 0D 28 12 31 1A 12 24 28 10 04 49 FC 0A 1A 12 54 .(.1..$(..I....T
0018EE50 28 12 74 36 1C 0E 5E FC 08 F0 4E FE 00 F0 64 FC (.t6..^...N...d.



Yes, looks like this is executable indeed; check the strings up there, embedded Linux maybe.


Code:
0018D8B0 00 62 74 5F 73 64 69 6F 00 77 6C 61 6E 00 4F 53 .bt_sdio.wlan.OS
0018D8C0 41 00 62 74 5F 68 63 69 00 62 6C 65 6D 62 78 00 A.bt_hci.blembx.



Wireless/Bluetooth firmware!? Unencrypted?! We can't be that lucky.

Quote:
Generic Bluetooth SDIO driver



Source code: http://kerneldox.com/kdox-linux/d3/d99/btsdio_8c_source.html

[ This message was edited by modrobert on 2014-01-30 @ 14:19 GMT ]

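An added example, not code from the thread: the two observations in #33454 and #33455 (a region whose byte distribution looks different in the raw-image view, and a hex dump that reads like code and strings) can be checked mechanically. The script below computes per-block entropy to find unencrypted windows, then looks for the pattern at 0x144210: `1C F0 9F E5` read little-endian is 0xE59FF01C, the ARM instruction `ldr pc, [pc, #0x1c]`, and eight of them in a row after a 16-byte header is the classic ARM exception-vector table (reset, undefined, SVC, prefetch abort, data abort, reserved, IRQ, FIQ). Each entry loads its handler address from the literal pool that follows; for the dumped bytes those resolve to 0x68CC, 0x6850, 0x6854, 0x68AC, 0x68B0, 0x68B4, 0x68B8 and 0x68C5. The small values suggest the image is linked to run at a low base address, and 0x68C5 being odd means a Thumb-mode FIQ handler on ARMv5T and later; both readings are mine, not established by the page. The sample image is constructed (a SHA-256 counter stream standing in for ciphertext, with the page's bytes dropped into a zero-filled window), and the string extractor is the usual strings(1) logic applied to the second post's bytes.

```python
"""Added example, not code from the thread: entropy scan, ARM vector decode and
string extraction over a flash dump.  Sample image is constructed below; the
only page bytes are its two hex dumps."""
import hashlib, math, struct
from collections import Counter

# First post's dump, file offsets 0x144200-0x14425F (16-byte header, 8 vectors, literal pool).
VECTOR_BYTES = bytes.fromhex(
    "01000000 00000000 00040000 0094511A 1CF09FE5 1CF09FE5 1CF09FE5 1CF09FE5 "
    "1CF09FE5 1CF09FE5 1CF09FE5 1CF09FE5 10820E20 CC680000 50680000 54680000 "
    "AC680000 B0680000 B4680000 B8680000 C5680000 000000EA 700000EA 28008FE2 ")
# Second post's dump, file offset 0x18D8B0 (driver/task names).
STRING_BYTES = bytes.fromhex(
    "00 62 74 5F 73 64 69 6F 00 77 6C 61 6E 00 4F 53 41 00 62 74 5F 68 63 69 00 62 6C 65 6D 62 78 00")
LDR_PC_MASK, LDR_PC_OPC = 0xFFFFF000, 0xE59FF000   # ldr pc, [pc, #imm12]

def block_entropy(data, block=4096):
    """(offset, bits/byte) per block; ~8.0 is ciphertext, code sits well below."""
    out = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        n = len(chunk)
        out.append((off, -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())))
    return out

def low_entropy_regions(data, block=4096, threshold=7.0):
    """Merge adjacent blocks below threshold into (start, end) ranges."""
    regions = []
    for off, h in block_entropy(data, block):
        if h >= threshold:
            continue
        end = min(off + block, len(data))
        if regions and regions[-1][1] == off:
            regions[-1][1] = end
        else:
            regions.append([off, end])
    return [tuple(r) for r in regions]

def find_vector_tables(data, min_entries=4):
    """Word-aligned offsets where >= min_entries consecutive 'ldr pc,[pc,#imm]'
    words start: the ARM exception-vector layout (reset, undef, svc, pabt,
    dabt, reserved, irq, fiq)."""
    hits, run = [], 0
    for off in range(0, len(data) - 3, 4):
        if struct.unpack_from("<I", data, off)[0] & LDR_PC_MASK == LDR_PC_OPC:
            run += 1
            if run == min_entries:
                hits.append(off - 4 * (min_entries - 1))
        else:
            run = 0
    return hits

def decode_ldr_pc_vectors(data, base, count=8):
    """Resolve each 'ldr pc, [pc, #imm]' at base+4*i: PC reads as address+8, so
    the literal is at base+4*i+8+imm.  Values are addresses in the firmware's
    own (unknown) load map; None where the word is not that instruction."""
    targets = []
    for i in range(count):
        off = base + 4 * i
        insn = struct.unpack_from("<I", data, off)[0]
        if insn & LDR_PC_MASK != LDR_PC_OPC:
            targets.append(None)
        else:
            targets.append(struct.unpack_from("<I", data, off + 8 + (insn & 0xFFF))[0])
    return targets

def find_strings(data, min_len=4):
    """(offset, text) of printable-ASCII runs, like strings(1)."""
    found, start = [], None
    for i, b in enumerate(data + b"\0"):
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found

def build_sample_image():
    """Constructed 64 KiB of deterministic pseudo-random 'ciphertext' (SHA-256
    counter stream) with an 8 KiB zero-filled plaintext window at 0x8000
    holding the page's vector table and, at 0x9000, its driver-name strings."""
    img = bytearray()
    while len(img) < 0x10000:
        img += hashlib.sha256(b"constructed" + len(img).to_bytes(4, "little")).digest()
    img[0x8000:0xA000] = bytes(0x2000)
    img[0x8000:0x8000 + len(VECTOR_BYTES)] = VECTOR_BYTES
    img[0x9000:0x9000 + len(STRING_BYTES)] = STRING_BYTES
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    for start, end in low_entropy_regions(img):
        print(f"low-entropy region {start:#x}-{end:#x}")
        for off in find_vector_tables(img[start:end]):
            vecs = decode_ldr_pc_vectors(img, start + off)
            print(f"  ARM vector table at {start + off:#x}:", [hex(v) for v in vecs])
        for off, s in find_strings(img[start:end]):
            print(f"  string at {start + off:#x}: {s}")
```

On the real dump, `low_entropy_regions(open("dump.bin", "rb").read())` should, if the first post is right, report a region beginning at the 4 KiB block containing 0x144200, and `find_vector_tables()` should return 0x144210. The 16-bit words further down the first dump (around 0x1442A0) look like Thumb code to me, which fits a mixed ARM/Thumb image, but they are not decoded here.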
modrobert (donor; registered 2003-10-17; from Bangkok; 6337 messages)
#33456, posted 2014-01-31 @ 05:20 GMT
By the looks of it, this flash can be read by several PS4 devices accessing different offsets, so maybe we can use that to our advantage and modify data on the fly only when the decrypted area is accessed, without breaking the checksum of the original flash as a whole.

I'm thinking of a hardware device between the PS4 Wifi/Lan/Bluetooth circuit (or whatever it is) and the MX25L25635FMI-10G flash chip.

BTW: It would be nice to get some replies, I'm starting to feel like I'm talking to myself here.

[ This message was edited by modrobert on 2014-01-31 @ 11:26 GMT ]

garageinc (captain; registered 2004-03-07; from England; 135 messages)
#33459, posted 2014-01-31 @ 10:38 GMT
You are, but we are still reading/listening. It's a bit beyond me, but promising.

modrobert (donor; registered 2003-10-17; from Bangkok; 6337 messages)
#33460, posted 2014-01-31 @ 11:30 GMT
garageinc,

Thanks! Feel better now...hehe


I have attached the datasheet for the MX25L25635FMI-10G flash if anyone is interested.

Attachments: MX25L25635FMI-10G-Macronix-datasheet-17291205.pdf   

garageinc (captain; registered 2004-03-07; from England; 135 messages)
#33463, posted 2014-02-01 @ 08:14 GMT
lol, I check in daily and will be keeping an eye on this for sure.

modrobert (donor; registered 2003-10-17; from Bangkok; 6337 messages)
#33466, posted 2014-02-01 @ 14:26 GMT
I will not get much further without a PS4.

modrobert (donor; registered 2003-10-17; from Bangkok; 6337 messages)
#33468, posted 2014-02-01 @ 19:41 GMT
I found the Verilog model for the MX25L25635F flash from the manufacturer, so it should be possible to emulate the flash in an FPGA for interesting manipulation.

http://www.macronix.com/en-us/Product/Pages/ProductDetail.aspx?PartNo=MX25L25635F

Also attached, in case their files suddenly disappear.

Thanks go to cfwprophet on IRC, I learned a lot of new stuff about the PS4. A block diagram of the MediaCon functions is also attached.

Attachments: MX25L25635F_Verilog_v1_16.zip ps4_mediacon_block_digram.png  
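The interposer idea in #33456 and the FPGA emulation idea in #33468 both come down to a device that understands the flash's read protocol, so here is an added example, not code from the thread or from Macronix, of that protocol in Python: a behavioural model of a 25-series SPI NOR part that answers READ (03h), FAST_READ (0Bh), READ4B (13h), FAST_READ4B (0Ch) and RDID (9Fh), and an interposer in front of it that substitutes bytes only for addresses inside one window. The opcodes are the generic 25-series values; check them against the attached datasheet before building hardware. The 64 KiB image, the patch window at 0x4200 and the JEDEC ID C2 20 19 are constructed or assumed here (the ID is what I would expect this part to report, so verify it against the datasheet).

```python
"""Added example, not code from the thread: behavioural model of a 25-series
SPI NOR flash (reads and RDID only) plus a bus interposer that rewrites the
bytes of one address window.  Opcodes are generic 25-series values; image,
window and JEDEC ID are constructed/assumed."""

READ, FAST_READ, READ4B, FAST_READ4B, RDID = 0x03, 0x0B, 0x13, 0x0C, 0x9F
# opcode -> (address bytes, dummy bytes between address and first data byte)
READ_CMDS = {READ: (3, 0), FAST_READ: (3, 1), READ4B: (4, 0), FAST_READ4B: (4, 1)}


def decode_read(mosi):
    """Parse one CS#-framed read transaction as clocked out on MOSI.
    Returns (start_addr, header_len, data_len) or None for non-read commands."""
    if not mosi or mosi[0] not in READ_CMDS:
        return None
    abytes, dummies = READ_CMDS[mosi[0]]
    hdr = 1 + abytes + dummies
    if len(mosi) < hdr:
        return None
    return int.from_bytes(mosi[1:1 + abytes], "big"), hdr, len(mosi) - hdr


class SpiNorModel:
    """Array contents plus read/RDID behaviour; program and erase are left out."""

    def __init__(self, image, jedec_id):
        self.image, self.jedec_id = image, jedec_id

    def transaction(self, mosi):
        """Bytes the flash drives on MISO, one per MOSI byte (0xFF = not driving).
        Reads continue until CS# rises and wrap at the top of the array."""
        if mosi and mosi[0] == RDID:
            body = self.jedec_id[:len(mosi) - 1]
            return b"\xff" + body + b"\xff" * (len(mosi) - 1 - len(body))
        req = decode_read(mosi)
        if req is None:
            return b"\xff" * len(mosi)
        addr, hdr, n = req
        size = len(self.image)
        return b"\xff" * hdr + bytes(self.image[(addr + i) % size] for i in range(n))


class Interposer:
    """Sits on the SPI bus between host and flash.  Data bytes whose flash
    address falls inside [start, start + len(patch)) are replaced; every other
    byte, and every non-read command, passes through untouched."""

    def __init__(self, flash, start, patch):
        self.flash, self.start, self.patch = flash, start, patch

    def transaction(self, mosi):
        miso = bytearray(self.flash.transaction(mosi))
        req = decode_read(mosi)
        if req is not None:
            addr, hdr, n = req
            size = len(self.flash.image)
            for i in range(n):
                a = (addr + i) % size
                if self.start <= a < self.start + len(self.patch):
                    miso[hdr + i] = self.patch[a - self.start]
        return bytes(miso)


def host_read(dev, addr, n, four_byte=False):
    """What a host sees when it issues READ (03h) or READ4B (13h) for n bytes."""
    opc, abytes = (READ4B, 4) if four_byte else (READ, 3)
    mosi = bytes([opc]) + addr.to_bytes(abytes, "big") + b"\x00" * n
    return dev.transaction(mosi)[1 + abytes:]


# Constructed 64 KiB image; the real part is 32 MiB, so offsets are scaled down.
IMAGE = bytes(((i * 31) ^ (i >> 8)) & 0xFF for i in range(0x10000))
PLAIN_START = 0x4200          # stand-in for the unencrypted area in the dump
PATCH = b"PATCHED!"           # bytes served instead of IMAGE[PLAIN_START:...]

if __name__ == "__main__":
    flash = SpiNorModel(IMAGE, bytes.fromhex("c22019"))   # ID assumed, verify
    mitm = Interposer(flash, PLAIN_START, PATCH)
    print("flash :", host_read(flash, PLAIN_START - 8, 16).hex())
    print("mitm  :", host_read(mitm, PLAIN_START - 8, 16).hex())
    print("id    :", flash.transaction(bytes([RDID, 0, 0, 0])).hex())
```

Both 03h and 13h reach the area at 0x144200 in the real part, since it lies below 16 MiB, so an interposer has to decode both addressing modes (and any dummy cycles) rather than just one opcode. One caveat on the checksum point: the patch here is applied to every read of that window, so a whole-flash check that reads through the interposer sees the patched bytes too. Serving different readers different data needs something that tells them apart, for instance a different opcode or address mode, a separate chip-select line, or the timing of the read, and the thread does not establish which reader uses what.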

Triacman (private; registered 2017-05-22; 1 message)
#35354, posted 2017-05-23 @ 20:20 GMT
Hello, I need the dump data for the CUH-1011A SAA-001 main board, does someone have it? Thx.
