[Help needed] Dumping flash via Syscon/SB

squidfox

Forum Noob
The question is simple: can we dump the NAND/NOR flash contents without the need for something like an E3 Flasher/soldering/desoldering, using the Syscon or the South Bridge?

From what I could gather here on the forum, people are now able to communicate with the SC via UART, the commands are known and AUTH can also be achieved. However, looking at the list of possible commands, I have not seen anything related to dumping the main flash, only reading from the EEPROM of the SC.

We know that the SC has a connection to the South Bridge via SPI and the SB is responsible for reading the main flash (on earlier models there is also the Starship2 chip, but that is just for making the 2 chips seem like one), but I don't know if we know how to talk to the SB directly, or if there was work done on getting the possible commands.

The main motivation behind this for me would be to resolve an RSOD. With the recent discoveries made by @zecoxao, maybe in the future it would be possible to craft a syscon firmware that could have this functionality?

Thank you in advance :)
 
As far as I'm currently aware, no; only dumping the flash from Linux (PS3 running Linux) and the syscon is possible.

 
I will try to have a go at the SPI with a logic analyzer (waiting for hardware from China) soon to see if something interesting pops up. If not, then I will go a step further and see how the lines between the SB and the flash or Starship2 work.
 
If you are getting serious with it (and it looks like it), you should take a look at the little information available (I think there is something written about it on psdevwiki) about the commands that existed in prototype and non-retail syscon models and were removed later for retail.

The fact is that a communication channel between syscon and flash exists (through the southbridge, and additionally through Starship2 for the NAND flash type), and having control of it could have been very handy for the engineers when they were developing the PS3 motherboards.
My bet is that it was possible to write flash through syscon at some point but they disabled it. In that case maybe it could be possible to "cook" a custom syscon firmware or a patch to try to re-enable it... but this is not so easy, because something like this is probably going to require stepping back to the oldest syscon firmwares, which probably had more features unlocked.
For now, the idea of cooking a custom syscon firmware is just a dream... it would require a complete reverse engineering of the whole EEPROM... and I also guess syscon is going to have some kind of bootloader area with its own "config bits" to set up IO pins, frequencies, locking, etc...
It is a long adventure in itself, but now it is possible to go hardcore with it.
 
Yes, there is a connection between the SC and SB and SS2 towards the flash chips, but what I am worried about is that data never flows towards the SC. There might be instructions to load data off the flash chip, but then the data would be sent to the CPU, I think, meaning that even if we are able to send commands on the bus between syscon and SB, the data is most likely not going to be readable on the SPI bus, unless there exists some debug command that does just that.
 