Not too soon after having a good bit of creative discussion with our new team add "subdub" and regular "naturesbane", I decided to look into the firmware dumps that had been floating around in The Matrix
Thanks to inspiration by subdub and naturesbane, I decided to do some "de-mangling" of the data. So, the rest is pretty much applying the newly found SCE file format template to the file and extracting the byte stream into a new file.
Here is what comes out as a result of this analysis (the hex in the file name is the address at which the SCE\0 magic is found):
Now, I have to say though: to get the modules out, I had to choose an arbitrary file alignment value, which happened to be 16. Every file looks to be around 5KB. Coincidence: who knows? Bogus data: maybe? But maybe they are _just_ about the right size to get executed in the Local Store of the SPUs (remember, 256KB only) . . .
The source code for the "$CE Extract" program is coming soon. subdub and I started coding around the same time, and his is probably a simpler implementation. But I will post the code as soon as I clean it up a bit. It still has some left over bits from "Scan Hdd"
Again, credit goes to the ones who deserve it: subdub and naturesbane... keep up the good work
Just to make sure before people get their hopes up, this does _not_ mean that we know what the PS3 is doing with these files. It just means that we know that they exist. So, smart people out there can figure the contents out :-)
And last but not least, all of this would not have been possible without Courier's initial work on the firmware chips :-)
Last edited by HanSooloo; 05-09-2007 at 08:53 AMReason: Automerged Doublepost
Just a quick update on the firmware anlaysis project:
It seems like the interleaving of the firmware and the way addressing of the NAND chips is not that straightforward. We have been hypothesizing in the Dev forum about different methods that could have been used when programming the chips.
Now, we are at a point where we can take the 2 binary dumps and put them through different algorithms to see if the joined files make any more sense than what they do now.
Well, it seems like it has been more than 2 weeks since we paid any attention to the lovely PS3's frmware area. So, I though it would be a good idea to go into June with some exciting news (other than the fact that it's nice and warm, and having ice cream sounds like fun ).
After days of hair pulling and crossed eyes staring at a laptop LCD panel side by side with an LCD monitor (more screen real estate helps, trust me!), I started seeing some patterns (as in TheMatrix).
Essentially, with the help of the Dev community, I was able to figure out the way the 2 NAND chips' data dumps come together. This was done by little bit of byte swapping, some NAND Out-of-Band data discarding for good measure, and some magical data interleaving between the 2 dumps (think 2 to the power of 3 to the power of 2).
At the end of the day data got aligned pretty nicely and the discarded data (NAND OOB) seemed like it did not contain any "valuable/valid" data. This is good, since it tells us our method is working. I would be very sad if I saw the text "isoldr.self" in the discard file; bad PS3
What do we have as a result of this?
Some magical way to unlock the firmware images? No, at least not yet!
A better understanding of what types of programs are stored in the firmware: definitely YES.
The fact that when you upgrade your firmware, your OLD one still sits in the NAND chips (idle, waiting to be "recalled"?) Maybe our PS3 is smart enough to know when a upgrade goes bad, and can revert back to the previous version.
But enough teasing, and let's share the love in the form of "a 1st in the PS3 scene: Firmware Flash Table of Contents with Module Names and Their Address and Lengths"