PS3 Hacks


#1  2009-04-29 05:28:20

OneSoul
PS3 Newbie In Training
Registered: 2009-04-25
Posts: 5

JTAG: if exists, WHERE is it?

Hi all!

Because I don't believe that the on-board flash programs itself, probably the factory uses some kind of connection, like JTAG, to do it...

Where is a possible connector/header/pinout on the PS3 board?
Is it a JTAG or another standard? (see PSP...)

Do you have an idea?


#2  2009-04-29 07:16:08

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 12433

Re: JTAG: if exists, WHERE is it?

OneSoul wrote:

Hi all!

Because I don't believe that the on-board flash programs itself, probably the factory uses some kind of connection, like JTAG, to do it...
WRONG!

Where is a possible connector/header/pinout on the PS3 board?
Is it a JTAG or another standard? (see PSP...)
You don't need JTAG or an LPC bus. And let's not look at the PSP; they are not the same, at all.

Do you have an idea?
For you? RESEARCH!

You can't be any more incorrect (no research on your part), because the Infectus MODCHIP (useless right now, really) can write the flash without using JTAG. I think they have basically given up on this for PS3 at this point.

Also, even simpler, and in plain sight, are the SYSTEM UPDATES! There is no hardware connection there either: you download the update, and the NAND and other FLASH ROMs are updated, like the BR-D flash ROM. Same with the XBOX360; we just do not have the ability to do it as they are. How can you miss something like that?

If you replace the FLASH on the PS3 and write the first 16MB with the data from the old one with a programmer before installing it (which is all you can read without hitting a block), the rest of the FLASH is updated with a system update, and the PS3 will work.

You have done absolutely no research to base your statements off of, because it is 100% false.

Infectus wrote:

The Infectus will allow you to dump and reflash your NAND (firmware chip). It will NOT allow you to play backups. If a custom firmware comes out one day, you can use the Infectus to flash it to the system. Due to Sony suing companies that make and sell modchips for any Sony system, development of PS3 modchips is slow to nonexistent. Don't ask if/when there will be a PS3 modchip for backups.


#3  2009-04-29 11:48:06

OneSoul
PS3 Newbie In Training
Registered: 2009-04-25
Posts: 5

Re: JTAG: if exists, WHERE is it?

oopsss...

sorry for the "stupid" question... I have read about INFECTUS but some concepts were not clear to me...

so... because I see you are VERY EXPERT, can you explain to me, and to all the community, the exact architecture of the on-board flash, including boot sequence, encryption, etc.?

the scope of my curiosity is just technical...

please... can you forgive me? wink

P.S.: a question is not a crime...


#4  2009-04-29 13:46:18

0m1kr0n
PS3 Hacks Kung Fu Is On
From: NC
Registered: 2008-03-05
Posts: 231

Re: JTAG: if exists, WHERE is it?

The only non-open-market chips on all the PS3 board revisions are the PS2 emulator chip/EE-GS, RSX, Sony Southbridge (which I've seen available from an Asian wholesaler, but I don't know what the deal was), and the CELL/CPU. The rest are the NIC, HDMI, NAND, RAM, and a lot of small inverter/timer/signal controller ICs and analog conductors (<- assumption about all small ICs). The unknown ICs can have the PS3 unsigned initialization code in non-volatile memory, and any of them can be unsigned and have an unsecured stack allocation. You also have some code storage on the BR-D and HDD ASICs that are unknown in security.

Actually documenting all this would be the most productive effort in reversing the PS3 thus far. The rest of the people know now that the higher abstraction layers on the PS3 are obscured by a signature chain and good cryptography. The Infectus just dumps NAND, and it doesn't even completely do that, from what I've read on the PS3 NAND block segments.


Actual Answer(?): I think it emulates multiple interfaces in firmware on the Actel ProASIC3 http://www.actel.com/products/pa3/

Last edited by 0m1kr0n (2009-04-29 14:06:03)



#5  2009-04-29 15:13:15

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 12433

Re: JTAG: if exists, WHERE is it?

Right, the Infectus can only read the 1st 16MB of the flash, BUT, as it turns out, that is all you need if you should have to replace the flash and you have a backup of that 16MB. This has been done with a replaced FLASH, with the 16MB flashed into the bank. Then it must do a SYSTEM UPDATE, and the rest of the NAND is filled (flashed) (updated) with what was missing.

That is, with the NEW firmware updates; you were able to DOWNGRADE firmware before they locked up the NAND with newer firmware.

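Checking a flash backup before relying on it, as an added example (Python; not code from this thread, from the Infectus tool, or from Sony): it takes two raw dumps of the readable first 16MB that Powerslave describes, validates their size, flags erase blocks that read back entirely as 0xFF (what erased NAND, or a region the reader never reached, looks like) and lists the blocks on which the two reads disagree, so a bad read is caught before anything is ever written to a replacement chip. The 128 KiB erase-block size is an assumption taken from the geometry of the Samsung K9F1G08U0A NAND in the parts list quoted later in the thread (64 pages of 2 KiB), and the sample dumps are constructed inside the script, not real firmware.

```python
import hashlib

DUMP_SIZE = 16 * 1024 * 1024   # the readable first 16MB the thread describes
BLOCK_SIZE = 128 * 1024        # assumed erase block: 64 pages x 2 KiB (K9F1G08U0A geometry)


def block_count(length: int, block_size: int = BLOCK_SIZE) -> int:
    """Number of (possibly partial) erase blocks covering `length` bytes."""
    return (length + block_size - 1) // block_size


def check_dump(data: bytes, expected_size: int = DUMP_SIZE,
               block_size: int = BLOCK_SIZE) -> dict:
    """Sanity-check one raw dump before it is trusted as a backup.

    Flags a size mismatch and lists blocks that are entirely 0xFF (what erased
    NAND, or a region the reader never reached, reads back as) or entirely 0x00.
    A run of 0xFF blocks at the end of the file is the usual sign of a read that
    stopped early, so it is reported separately.
    """
    erased, zeroed = [], []
    for index in range(block_count(len(data), block_size)):
        block = data[index * block_size:(index + 1) * block_size]
        if block == b"\xff" * len(block):
            erased.append(index)
        elif block == b"\x00" * len(block):
            zeroed.append(index)
    trailing = 0
    for index in reversed(range(block_count(len(data), block_size))):
        if index not in erased:
            break
        trailing += 1
    return {
        "size_ok": len(data) == expected_size,
        "size": len(data),
        "blocks": block_count(len(data), block_size),
        "erased_blocks": erased,
        "zero_blocks": zeroed,
        "trailing_erased_blocks": trailing,
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def diff_dumps(first: bytes, second: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Indices of erase blocks that differ between two dumps of the same chip.

    Two reads taken back to back should match exactly; any difference points at
    a flaky read (or a chip that changed in between), not at a good backup.
    """
    if len(first) != len(second):
        raise ValueError(f"dump sizes differ: {len(first)} vs {len(second)}")
    return [index for index in range(block_count(len(first), block_size))
            if first[index * block_size:(index + 1) * block_size]
            != second[index * block_size:(index + 1) * block_size]]


def constructed_dumps():
    """Constructed sample data, not real firmware: a clean read, and a second
    read in which block 3 came back different and the last block was never read."""
    clean = bytes([0xA5]) * DUMP_SIZE
    flaky = bytearray(clean)
    flaky[3 * BLOCK_SIZE:4 * BLOCK_SIZE] = b"\x5a" * BLOCK_SIZE
    flaky[-BLOCK_SIZE:] = b"\xff" * BLOCK_SIZE
    return clean, bytes(flaky)


if __name__ == "__main__":
    clean, flaky = constructed_dumps()
    print(check_dump(flaky))
    print("differing blocks:", diff_dumps(clean, flaky))
```

The point of reading the chip twice and diffing per block, rather than trusting one file, is that a flaky read still produces a correctly sized file; only the comparison (and the trailing run of erased blocks) exposes it.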

#6  2009-04-29 18:58:42

0m1kr0n
PS3 Hacks Kung Fu Is On
From: NC
Registered: 2008-03-05
Posts: 231

Re: JTAG: if exists, WHERE is it?

Powerslave wrote:

Right, the Infectus can only read the 1st 16MB of the flash, BUT, as it turns out, that is all you need if you should have to replace the flash and you have a backup of that 16MB. This has been done with a replaced FLASH, with the 16MB flashed into the bank. Then it must do a SYSTEM UPDATE, and the rest of the NAND is filled (flashed) (updated) with what was missing.

That is, with the NEW firmware updates; you were able to DOWNGRADE firmware before they locked up the NAND with newer firmware.

I wonder what the firmware did to lock it. I read about the old problem, but I forget the details; I think it had something to do with signatures and corruption. Chip makers, I think, put bit-flag segment lockers in chips for security too, methinks.

I wouldn't mind seeing a list of all the ICs on the board.



#7  2009-04-29 21:55:55

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 12433

Re: JTAG: if exists, WHERE is it?

0m1kr0n wrote:

Powerslave wrote:

Right, the Infectus can only read the 1st 16MB of the flash, BUT, as it turns out, that is all you need if you should have to replace the flash and you have a backup of that 16MB. This has been done with a replaced FLASH, with the 16MB flashed into the bank. Then it must do a SYSTEM UPDATE, and the rest of the NAND is filled (flashed) (updated) with what was missing.

That is, with the NEW firmware updates; you were able to DOWNGRADE firmware before they locked up the NAND with newer firmware.

I wonder what the firmware did to lock it. I read about the old problem, but I forget the details; I think it had something to do with signatures and corruption. Chip makers, I think, put bit-flag segment lockers in chips for security too, methinks.

I wouldn't mind seeing a list of all the ICs on the board.

I have it here in the forums: http://www.ps3-hacks.com/forums/viewtop … 015#p53015

Was all I could find...


#8  2009-04-29 21:59:21

Mick
Harsesus
From: Canada
Registered: 2007-01-31
Posts: 3334

Re: JTAG: if exists, WHERE is it?

0m1kr0n wrote:

I wouldn't mind seeing a list of all the ICs on the board.

POST 13 wrote:

PS3 MAINBOARD HARDWARE - Originally by: 0m1kr0n - Updated by Powerslave

Updated 7/6/08

Items for the initial 20/60GB USA and JAP models are indicated as (USA/Jap Hardware Emu). Those parts are not in the EU/PAL versions, or the 80GB & 40GB models.  They are either removed, and/or replaced with another chip, and relocated.

Back of Mainboard:
- Samsung K9F1G08U0A is 1GB SLC NAND Flash
- NEC / TOKIN 0E128 is a Proadlizer - High Speed Decoupler

Top Side of Mainboard:
- Marvell 88E6108-LAR1 is an Ethernet Controller
- Silicon Image Sil9132CBU is HDMI Transmitter (output)
- Sony CXM4024R is only known as ASIC B outside Sony (USA/JAP Hardware Emu)

    Sony Computer and Entertainment Inc., CXM4024R, © & (M), 2005SCEI, 628D30V

- Sony CXD9280GP - ?  Next to ASIC B Chip
- Marvell 88SA8040-TBC1 is a SATA controller
- Sony CXD2973GB (Above CELL) "0611HAL" Hardware Abstraction Layer (USA/JAP Hardware Emu)
- Sony CXD2979GB (Above CELL) "0629HAL" Hardware Abstraction Layer (Software Emu Boards)
- Sony CXD2973GB (Left of RSX) Microcontroller - Part of Southbridge  (Software Emu Boards)
- Sony CXD4302GB is I/O Bridge Controller
- Samsung K4Y50164UC-JCB3 is 256MB of XDR™ DRAM

    Specs on the RAM say XDR™ DRAM 512Mbit XDR™ DRAM (C-die) - You need eight chips for 512MB total, and the PS3 only has 512 total, 256/256 split. The 256MB video RAM is built into the RSX chip.

- Sony CXD2964GB Cell BBE/Core Processor.
- NEC/TOKIN 0E128 is a Proadlizer - High Speed Decoupler
- Sony CXD2971GB is the RSX GPU (w/256MB GDDR3 VRAM)
- Samsung K4J52324QC-SC14 256MB GDDR RAM (on GPU)

    Specs on ram say 512Mbit GDDR VRAM, same notation as above with XDR Ram.  It is false, there is only 256MB for CPU and 256MB for GPU.

- Sony CXR713120 - PS1 Backward Compatibility Related (USA/JAP Hardware Emu) - known as ASIC A. Here's a quote from an Asian parts site:

    Sony Computer and Entertainment Inc., CXR713120, © & (M) 2006SCEI,-201GB, 640A69W

- Sony CXD2953AGB is the Emotion Engine & Graphics Synthesizer Chip (USA/JAP Hardware Emu)
- Samsung K9F1G08U0A is 1GB SLC NAND Flash
- Toshiba (MFG Not printed on chip) CXD9208GP PS2 Legacy ASIC (NTSC/JAP Hardware Emu)
- ?MFG? 32 MB RDRAM "Rambus" (USA/JAP Hardware Emu)
- Genesys Logic GL852 - USB2.0 HUB CONTROLLER w/8BIT RISC Processor

Blu-Ray Board:
- Sony CXD5064R is an audio Decoder
- Spansion S99-50111-001 is 16MB Flash memory
- Sony CXA2720R is a Blu-Ray interface controller
- Sony CXD5063GG-1 ASIC / CPU - Video Decryption Chip
- Samsung K4S641632K-UC75 64MB SDRAM
- S!PWM is a timer chip - Pulse Width Modulator (controls laser and spindle) Has EEPROM and RAM

Wifi Board
- SCEI&SCR "D3261GG" (Bluetooth transceiver?)
- Spansion S99AL008D002 NOR FLASH 8MB 3.3V
- Marvell 88W8010-NNB1 Optimized RF-baseband transceiver, integrates at near 20 dBm
- ISSI IS42S32400B 128MB SRAM
- Marvell 88W8580-BAN1 802.11g 56Mbps WLAN

Controller Board Front
- SCEI&SCR "D3261GG" (Bluetooth transceiver?)
- 325A (?)

Controller Board Back
- Toshiba T6UM2EFG-0103 (Gyroscope/Motion Sensor? Centered)

UNUSED PS3 MOTHERBOARD CHIPSET PORTS:
3x TSIF Digital Video In
Analog Video In
Analog Audio In
3x Video Out (HDMI,D4,A-DAC)
IEEE1394 Firewire
1x PATA (IDE)

KEY TO TERMS:
HAL = Hardware Abstraction Layer: Binary code that forms the portion of the operating system that lets programs deal with hardware directly. This allows programs needing more speed from the computer to bypass the standard OS calls to hardware. The PS3 Hypervisor prevents this access, which is needed for unlocking the full potential under Linux or for hacking the PS3.

ASIC = Application-Specific Integrated Circuit: An IC that is customized for a particular use, rather than intended for general-purpose use. For example, a chip designed solely to run on the PS3 is an ASIC.  In the case of the PS3, they are for the hardware PS2/1 emulation on the USA/JAP models with the EE+GS.

PROADLIZER = This device easily resolves two opposing needs: higher speeds and performance, and weight reduction and miniaturization.  This device replaces numerous capacitors used for decoupling circuits such as high-frequency resonant ceramic capacitors, large-capacity ceramic capacitors, and alminum (not aluminum) electrolytic capacitors. It was developed for CPU decoupling circuits, for PCs and servers, which have serious decoupling circuit problems.

NOR FLASH = http://en.wikipedia.org/wiki/Flash_memory#NOR_flash

NAND FLASH = http://en.wikipedia.org/wiki/Flash_memory#NAND_flash

SLC (FLASH) = Single-Level Cell: SLC NAND Flash's control logic does a better job conserving energy than MLC (Multi-Layer Cell). This is primarily because the device only needs to manage the electrical charge for two states and one bit of stored data. As a result, SLC architectures offer a significantly greater cycle endurance as compared to MLC.

http://www.ps3-hacks.com/forums/viewtopic.php?id=1423


#9  2009-04-29 22:27:24

0m1kr0n
PS3 Hacks Kung Fu Is On
From: NC
Registered: 2008-03-05
Posts: 231

Re: JTAG: if exists, WHERE is it?

I don't think I got any of the small ICs, and didn't even look at the ones on the HDD and BD-R drive. I thought most of the small ones were just timers, gates, inverters, op-amps, etc.

Also, in one of my other posts I remember mentioning that on the 40GB boards they actually obscured the switch traces on a middle PCB layer to keep people from mapping the initialization order. I don't know if all the other boards had that, because I only had a 40GB board and some high-res angled imagery. That's usually the easiest way to reverse engineer embedded systems, though.

The thing everyone is trying to do is find the initialization code that in theory will be unsigned instructions, or some new hardware non-static cryptographic logic, preferably on a die but detectable (unlikely), or unsigned code that can get past allocator security like the X360 DMA drive exploit. These are the only ways to do that in practicality, because some form of memory corruption on the higher levels would most likely be blocked, whether it's the heap or stack variant, and even then you have a relatively secure chain of cryptographically signed data below that, and that's most likely got real-time signature checking.

In theory a dynamic die-based logic system that could start a sig chain, and bus logic all signed and/or pseudo-random + locking allocator processed, would make an embedded system relatively uncrackable without heavy cryptanalysis, which in this case is SHA1 and AES supposedly, so it'd be side-channel attacks or nothing at all till some future technology comes along.

Last edited by 0m1kr0n (2009-04-29 22:49:11)


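A small model of the signature chain 0m1kr0n refers to (in post #4 and again above), added here as an illustration and not the console's real format, keys or code: each stage image carries the digest of the stage that follows it, and the loader pins the digest of the first stage, so a stage can only be swapped if every stage before it is also re-issued. SHA-1 is used because it is the hash the thread names; a real chain would put asymmetric signatures over the same linkage rather than bare hashes, and the three stage payloads are constructed stand-ins.

```python
import hashlib

DIGEST_LEN = 20                      # SHA-1 digest size
END_OF_CHAIN = b"\x00" * DIGEST_LEN  # marker in the last stage: nothing follows it


def digest(data: bytes) -> bytes:
    """SHA-1, the hash the thread names; assumed here for illustration only."""
    return hashlib.sha1(data).digest()


def build_chain(payloads):
    """Link stage payloads back to front.

    Each image is `digest(next image) || payload`, so the first image commits to
    every later one. Returns the images and the root digest the loader must pin.
    """
    images = []
    next_digest = END_OF_CHAIN
    for payload in reversed(payloads):
        image = next_digest + payload
        images.insert(0, image)
        next_digest = digest(image)
    return images, next_digest


def verify_chain(images, root_digest):
    """Walk the chain from the pinned root.

    Returns -1 if every stage verifies, otherwise the index of the first stage
    that fails (len(images) if the chain expects a stage that is missing).
    """
    expected = root_digest
    for index, image in enumerate(images):
        if len(image) < DIGEST_LEN or digest(image) != expected:
            return index
        expected = image[:DIGEST_LEN]
    return -1 if expected == END_OF_CHAIN else len(images)


def replace_stage(images, index, new_payload):
    """Swap one stage's payload without re-issuing the earlier stages, which is
    exactly what the linkage is meant to catch; the stage's own link to its
    successor is kept so only the payload changes."""
    patched = list(images)
    patched[index] = patched[index][:DIGEST_LEN] + new_payload
    return patched


def demo():
    """Constructed three-stage chain: each change is caught at the stage changed."""
    images, root = build_chain([b"stage0:bootloader", b"stage1:hypervisor", b"stage2:os"])
    return {
        "intact": verify_chain(images, root),
        "os_replaced": verify_chain(replace_stage(images, 2, b"stage2:custom"), root),
        "hv_replaced": verify_chain(replace_stage(images, 1, b"stage1:custom"), root),
        "os_missing": verify_chain(images[:2], root),
        "wrong_root": verify_chain(images, digest(b"not the root")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'ok' if result == -1 else 'fails at stage ' + str(result)}")
```

In this model the only thing that has to be trusted is the root digest the loader holds; everything after it is checked before use, which is why the thread's argument ends up at the first-stage initialization logic and at side channels rather than at the later, signed layers.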

#10  2009-04-29 22:44:45

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 12433

Re: JTAG: if exists, WHERE is it?

0m1kr0n wrote:

I don't think I got any of the small ICs, and didn't even look at the ones on the HDD and BD-R drive. I thought most of the small ones were just timers, gates, inverters, op-amps, etc.

Also, in one of my other posts I remember mentioning that on the 40GB boards they actually obscured the switch traces on a middle PCB layer to keep people from mapping the initialization order. I don't know if all the other boards had that, because I only had a 40GB board and some high-res angled imagery. That's usually the easiest way to reverse engineer embedded systems, though.

The ones on the HDD should be irrelevant, since you can upgrade to any 2.5" SATA drive.

The thing with hiding traces in a middle layer is, a PAD will be somewhere on the motherboard to connect it to the upper or lower layer. No trace can be completely hidden in middle layers, as they HAVE TO tie in somewhere on the bottom or top layer.


#11  2009-04-29 23:00:18

0m1kr0n
PS3 Hacks Kung Fu Is On
From: NC
Registered: 2008-03-05
Posts: 231

Re: JTAG: if exists, WHERE is it?

Powerslave wrote:

0m1kr0n wrote:

I don't think I got any of the small ICs, and didn't even look at the ones on the HDD and BD-R drive. I thought most of the small ones were just timers, gates, inverters, op-amps, etc.

Also, in one of my other posts I remember mentioning that on the 40GB boards they actually obscured the switch traces on a middle PCB layer to keep people from mapping the initialization order. I don't know if all the other boards had that, because I only had a 40GB board and some high-res angled imagery. That's usually the easiest way to reverse engineer embedded systems, though.

The ones on the HDD should be irrelevant, since you can upgrade to any 2.5" SATA drive.

The thing with hiding traces in a middle layer is, a PAD will be somewhere on the motherboard to connect it to the upper or lower layer. No trace can be completely hidden in middle layers, as they HAVE TO tie in somewhere on the bottom or top layer.

Yeah, but that could be any of close to ~1,400 surface-mount pads or through-holes. It'd be a nightmare doing signal testing even with good equipment, and acid-stripping the PCB layers might not work either.

The ones in the HDD might still be relevant. I guess it depends on what type of data a SATA controller can return to the host that controls branching. It goes through the Sony southbridge, I think. There should be an ASIC on the drive that has a buffer role and firmware that's between all the motor control and laser decoding and the SATA interface in the Sony southbridge.

Last edited by 0m1kr0n (2009-04-29 23:03:01)



#12  2009-04-29 23:22:19

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 12433

Re: JTAG: if exists, WHERE is it?

You mean the BR-D, not the HDD, as you are referencing motor control and, more to the point, laser decoding and the SATA interface in the Sony southbridge.

The HDD is a regular 2.5" HDD, nothing like what M$ did to theirs.

This is why the data on the Game partition is encrypted, so you can upgrade with any 2.5" HDD.  However, once you format a new one in the PS3, the previous one will no longer work in the PS3.


#13  2009-04-30 04:16:29

OneSoul
PS3 Newbie In Training
Registered: 2009-04-25
Posts: 5

Re: JTAG: if exists, WHERE is it?

so... the TWO flash chips on board work like a BIOS + mini-OS mixed together... similar to the LinuxBIOS project...
probably the FIRST 16MB is just the "BIOS", and the remaining the OS...
Is ALL the code encrypted, or are the first 16MB in the clear?

Take a look at this:
http://www.ps3-hacks.com/forums/viewtopic.php?id=7655

If the idea in the other topic could be good... If someone manages to build a custom FW...
is it possible to put it in the PS3? Or does the console reject ANY type of different code?


#14  2009-04-30 06:04:51

The_Wii_Nes_Boy
Testing the Stargate
From: Scotland
Registered: 2008-07-02
Posts: 357

Re: JTAG: if exists, WHERE is it?

You should try reading what's been written a bit better; there is only ONE flash, of which ONLY the first 16MB can be read.



#15  2009-04-30 09:59:26

0m1kr0n
PS3 Hacks Kung Fu Is On
From: NC
Registered: 2008-03-05
Posts: 231

Re: JTAG: if exists, WHERE is it?

Powerslave wrote:

You mean the BR-D, not the HDD, as you are referencing motor control and, more to the point, laser decoding and the SATA interface in the Sony southbridge.

The HDD is a regular 2.5" HDD, nothing like what M$ did to theirs.

This is why the data on the Game partition is encrypted, so you can upgrade with any 2.5" HDD. However, once you format a new one in the PS3, the previous one will no longer work in the PS3.

Yeah, I know the hard drive isn't optical; I just didn't differentiate in that post. Still, though, the HDD and BR-D both have controller boards that have chips for formatting bit streams and buffering. http://www.hardwaresecrets.com/article/177/3

The only thing I was trying to point out is that the firmware on all the HDD on-board chips returns some kind of data into a region of RAM on the PS3 that's most likely DMA and maybe not on a locked page. I don't know what the HDD controller returns to the southbridge on that layer, though.

The Sony bridge could also have some type of security filtering too, but who knows. I think that same chip is used in other stuff besides the PS3. It shows up a lot on Asian wholesale sites, but I don't know anything about who they're going to or whatever.

Also they might salt a crypto key with a hardware ID or something on the HDD, and that might go into a partition table somewhere. I don't have a clue about that though.

Last edited by 0m1kr0n (2009-04-30 10:04:36)



#16  2009-04-30 14:36:44

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 12433

Re: JTAG: if exists, WHERE is it?

Oh, you mean the chipsets on the PS3 motherboard; OK, I thought you meant ON the HDD itself, it wasn't all that clear, to me anyway... There is nothing special about 2.5" hard drives, any one will work, so there isn't anything special on the HDD logic boards themselves, else you would have to use Sony-approved HDDs. There is no security LOCK either, like the XB1 had; they are open, just the game O/S is encrypted.


#17  2009-04-30 21:36:47

0m1kr0n
PS3 Hacks Kung Fu Is On
From: NC
Registered: 2008-03-05
Posts: 231

Re: JTAG: if exists, WHERE is it?

Powerslave wrote:

Oh, you mean the chipsets on the PS3 motherboard; OK, I thought you meant ON the HDD itself, it wasn't all that clear, to me anyway... There is nothing special about 2.5" hard drives, any one will work, so there isn't anything special on the HDD logic boards themselves, else you would have to use Sony-approved HDDs. There is no security LOCK either, like the XB1 had; they are open, just the game O/S is encrypted.

No, I meant all of the above. The drives use IRQs on the PS3 too, I'm pretty sure, and the controller board buffer, I think, pushes some of itself onto SDRAM in the southbridge, which processes it somehow and then pushes it onto main RAM for the NAND firmware to fetch from a segment defined in the map of the firmware hierarchy.

Anyway, the IRQ triggers signals in the NAND firmware from the HAL or whatever abstraction layer they use, and whatever initiated a read fetches the buffer from RAM. I know all the drives are standardized interfaces, but they all have their own vendor and hardware ID in the controller chip that could be used to salt keys for the HDD image security you mentioned.

Last edited by 0m1kr0n (2009-04-30 21:37:42)

