Sony PS3 Slim CECH-2000 System Flash Dumped!
Here is a little piece of news we skipped over when our PS3 Reference Tool arrived.
One of our resident PS3 devs, CouRieR, extracted the flash of a European PS3 Slim (CECH-2000) console running Firmware 2.75 a few months back by removing the chip and dumping it with an external reader along the lines of the BeeProg.
The chip, a Samsung K8Q2815UQB, is a 128 Megabit flash chip. The dump, which weighs in at 16.0 MB (16,777,728 bytes), is quite similar to that of a later model PS3 with the smaller flash.
Earlier generation Fat PS3s, those that sported dual 1 Gigabit flashes, had two copies of the PS3 firmware along with a full AES-encrypted filesystem (for /dev_flash) on the flash.
The PS3 Slims, like later generation Fats, keep the AES-encrypted filesystem (/dev_flash) on the Hard Disk Drive, where it is mounted virtually (like a loopback), and carry only one copy of the firmware.
Both the Fat and Slim PS3 systems feature everything that one would expect: a bootloader, corresponding core operating system LV1/LV2 SELFs, along with corresponding isolated SPU code - all encrypted of course.
Since everything is encrypted and tied to the individual box, the Slim's flash is really no different from that of a Fat PS3, which makes you really wonder what the "hardware differences" that made OtherOS incompatible were.
Finally, for those who'd like to take a peek, here is the PlayStation 3 Slim's FileList Dump Log!
Next week we will share some exciting PS3 Service Mode information, specifically on what we got in the mail a few days back! Then we will take a tour of the PS3 TOOL XMB as promised last week.
Very cool news as always, especially considering the PS3 Slim console is the only version that Sony is making these days.
Keep up the excellent work devs, at least you guys have learnt a hell of a lot that you wouldn't have otherwise known.
this is good thanks for the info, can't wait to hear more!
thank you boss cjpc for this news
A few days ago I wanted to repair a PS3 40GB and I saw that it has 2 chips (K9f1g08u0a), and the size of this chip is 135.168 kb; I removed it and dumped it.
I wanted to say that, and thanks to you for this news.
That is awesome! That would be incredible if you can convert a slim to run other os...
12-14-2009 #7 Banned User (Join Date: Oct 2008)
Wow, the flash is dumped... I thought Infectus could do that already? (I think not a complete dump - but I wasn't that keen to find out the truth).
Just a thought... The HDD is already decrypted (somewhat)... could we use something along those lines to decrypt the Flash?! (maybe a unique key?).
I know my questions sound dumb (probably are) but I have no idea of how the encryption system works (for now)!
Alas no, on both the flash, and HDD, the flash filesystem itself is stored as an encrypted file essentially, so even decrypting the HDD will get you a still encrypted file (for the flash filesystem). Multiple layers of encryption - secure, just not good for us!
Is there anyone who's bothered trying to decrypt these things for any period of time? I'd ask geohot to have a go, he doesn't seem to have a prob brute forcing... but he's a rude little... so ask nicely I would
12-14-2009 #10 Banned User (Join Date: Oct 2008)
Yes, indeed that is a problem. Maybe we should concentrate on the BD-Drive firmware. Any news on that front? I know the chip itself is BGA but still... someone with proper tools could do it right?
I'm willing to help in wiring the whole chip to a reader if someone is willing to donate a fried board!