  1. #1
    Join Date
    Apr 2005

    PS3 CXD4302GB Chip Test Points

    Here are some PS3 CXD4302GB Test Points from knightsolidus via xorloser's blog. Today xorloser also mentioned it's possible to use an MCU to read the PS3's flash but hasn't revealed the process yet.

    knightsolidus says:
    Hi xorloser!!! geohot is playing with modifying the flash, but he can have a brick. First of all we need hardware to create a backup of the real flash (cxd4302gb chip). I have identified all test points of that chip. That chip is 2Gbits (256MB), and the samsung chips are 1Gbits (128MB) x 2 chips, which is 2Gbits (256MB). Those chips could be downgraded in the past with infectus, but now that does not work, because it now runs from the cxd4302gb chip and uses the samsung flash for backup, understand? You can add me on msn for pins…. thanks!!!
    knightsolidus says:
    Sorry for my English. I want to say that the real flash is the cxd chip on the ps3, and I have identified the test points to read and program it, but I don't know any programmer to read and write it, understand? I have identified all points for read and program: it has 16 pins for data, 18 pins for address, chip enable 1 and 2, clk, mode select, reset, write enable… understand? Sorry for my English.
    knightsolidus says:
    I created that picture with the test points.
    The numbers in the picture correspond to the following points:
    12 —-> /SB_EBUS_RESET
    54 —-> /SB_MOD0 –>H MODE SELECT
    41 —-> SB_EBUS_CLKD0
    17 —-> /SB_EBUS_BE
    25 —-> /SB_EBUS_SWE
    34 —-> /SB_EBUS_0E
    50 —-> /SB_EBUS_CE2
    45 —-> /SB_EBUS_CE0
    52 —-> SB_EBUS_RDY
    0 —-> SS2_BRDY
    53 —-> /SB_EBUS_INT
    24 —-> EBUS_ADDR17
    30 —-> EBUS_ADDR16
    29 —-> EBUS_ADDR15
    16 —-> EBUS_ADDR14
    28 —-> EBUS_ADDR13
    15 —-> EBUS_ADDR12
    27 —-> EBUS_ADDR11
    14 —-> EBUS_ADDR10
    26 —-> EBUS_ADDR9
    13 —-> EBUS_ADDR8
    11 —-> EBUS_ADDR7
    23 —-> EBUS_ADDR6
    10 —-> EBUS_ADDR5
    22 —-> EBUS_ADDR4
    9 —-> EBUS_ADDR3
    21 —-> EBUS_ADDR2
    20 —-> EBUS_ADDR1
    19 —-> EBUS_ADDR0
    42 —-> EBUS_DATA15
    32 —-> EBUS_DATA14
    31 —-> EBUS_DATA13
    33 —-> EBUS_DATA12
    48 —-> EBUS_DATA11
    47 —-> EBUS_DATA10
    46 —-> EBUS_DATA9
    51 —-> EBUS_DATA8
    5 —-> EBUS_DATA7
    4 —-> EBUS_DATA6
    3 —-> EBUS_DATA5
    2 —-> EBUS_DATA4
    38 —-> EBUS_DATA3
    36 —-> EBUS_DATA2
    35 —-> EBUS_DATA1
    37 —-> EBUS_DATA0

  2. #2
    cfwprophet Guest
    That sounds really interesting, and if I'm not wrong this also means that we now know where the new bit flag to prevent downgrading is stored, and so we should again be able to downgrade our retail PS3 consoles.

    Or not?

  3. #3
    iCEQB Guest
    No, if it would be stored in Flash, we would have figured it out 2 years ago.

  4. #4
    cfwprophet Guest
    He doesn't talk about the normal NAND flash. If I have understood correctly, he talks about another flash chip present on the PS3 MB.
    Those chips could be downgraded in the past with infectus, but now that does not work, because it now runs from the cxd4302gb chip and uses the samsung flash for backup, understand?
    So he talks about two flash chips. One will be the chip the FW runs from, and the other is NOW used for backup, and that's why you can't downgrade: because we have downgraded the backup and not the new real flash chip the OS is running from.

  5. #5
    TUHTA Guest
    well... another moment... so do we need to modify the hypervisor... to do these tricks?? or can we do it without modding it?

  6. #6
    lavatar Guest
    if it is only hardware protection, no modifying of the hypervisor is needed, but I don't believe Sony is so stupid...

  7. #7
    cfwprophet Guest
    Originally posted by lavatar:
    if it is only hardware protection, no modifying of the hypervisor is needed, but I don't believe Sony is so stupid...
    You can read/write nearly every chip with the correct hardware. The normal NAND flash currently used for the backup of the OS can be flashed. And if there is another chip where the OS is also stored and runs from, then it's easy (I think).

    The PS3 does a comparison between both chips, and in case the backup has a different FW than the chip the real OS runs from, the PS3 doesn't start.

    But it's also possible that Sony has implemented an additional hardware protection. Time will tell...

  8. #8
    itwong Guest
    This is only true for the old models with 2x128MB NAND chip. What about the new models with only 16MB NAND flash? Part of the files are on HDD.

  9. #9
    letix Guest


    so if we have an old unit we can do this?

  10. #10
    sapperlott Guest
    AFAIK the CXD4302GB is only the NAND controller. This chip makes the 2x 128MiB NAND flashes look like a single coherent NOR flash to the southbridge (SCC).

    Notice how the southbridge didn't change (at least its part number) from the last model with 2x 128 MiB NAND to the first model with 16 MiB NOR flash?

    So in theory it should have a somewhat similar pinout to the 16 MiB NOR flashes used in the newer models (Spansion S29GL128N90TFIR2 / Samsung K8Q2815UQB-P14B).

    This chip handles all the crazy interleaving and shuffling around of the NAND pages. It is necessary so the SB sees a coherent NOR flash since you can't boot a system from NAND flash (because it doesn't support random access at a byte level). This is the reason why most embedded devices carry a small (expensive) NOR flash for the boot code and a large (inexpensive) NAND flash for data and applications.

    So yes - it would make it far easier to tap into this chip with a microcontroller compared to tapping into the NANDs directly because one wouldn't have to mess around with all the interleaving and shuffling (the byte swap will stay, of course). But it's quite unlikely that this chip is another separate flash.

    The most elegant solution would be to use the exploit to access the flash from Linux, though (what GeoHot appears to have done). That way you could just access the flash from Linux like any other block device.
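
Added example, not part of the thread or any poster's code: a sketch of how a backup read over a 16-bit bus can be validated before anyone trusts it, by majority-voting several reads word by word and then undoing the byte swap mentioned in post #10. The function names, the sample bytes and the assumption that each read is a flat sequence of 16-bit words are all constructed for illustration.

```python
from __future__ import annotations
import hashlib
from collections import Counter

WORD = 2  # bytes per bus word: the thread describes 16 data pins

def swap16(data: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word (the 'byte swap' in post #10)."""
    if len(data) % WORD:
        raise ValueError("length is not a whole number of 16-bit words")
    out = bytearray(len(data))
    out[0::2], out[1::2] = data[1::2], data[0::2]
    return bytes(out)

def vote(reads: list[bytes]) -> tuple[bytes, list[int]]:
    """Majority-vote each word across repeated reads of the same chip.
    Returns the voted raw image and the byte offsets of words that had
    no strict majority (flaky wiring, marginal timing)."""
    if len(reads) < 2 or len({len(r) for r in reads}) != 1:
        raise ValueError("need at least two reads of identical length")
    if len(reads[0]) % WORD:
        raise ValueError("length is not a whole number of 16-bit words")
    image, unstable = bytearray(), []
    for off in range(0, len(reads[0]), WORD):
        words = Counter(r[off:off + WORD] for r in reads)
        word, count = words.most_common(1)[0]
        if count * 2 <= len(reads):  # tie or worse: do not trust this word
            unstable.append(off)
        image += word
    return bytes(image), unstable

def acquire(reads: list[bytes]) -> dict:
    """Vote, hash the raw image for the record, and return it byte-swapped."""
    raw, unstable = vote(reads)
    return {"raw_sha256": hashlib.sha256(raw).hexdigest(),
            "unstable_offsets": unstable,
            "image": swap16(raw)}

# Constructed sample: three reads of an 8-byte region, one with a flipped bit.
REFERENCE = b"BOOTCODE"
_good = swap16(REFERENCE)                      # what the bus would deliver
_glitched = _good[:2] + bytes([_good[2] ^ 0x01]) + _good[3:]
SAMPLE_READS = [_good, _glitched, _good]

if __name__ == "__main__":
    result = acquire(SAMPLE_READS)
    print(result["unstable_offsets"], result["image"], result["raw_sha256"])
```

A non-empty `unstable_offsets` list means the backup should be re-read rather than stored.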
