
PS3 Dual-Firmware – Hardware Hacking Guide – Ed. 2 - Author: No_One

1/6

PS3 Dual-Firmware – Hardware Hacking Guide – Ed. 2

Author: No_One

A FAT PS3 console uses a 128Mx8bits NAND FLASH (1024Mbits of non-volatile memory).

The reference used: K9F1G08U0A-PIB0 (Manufacturer: SAMSUNG).

The following diagram shows the architecture used between the CELL and a NAND FLASH (FAT):

[Diagram: the CELL BE is connected to the NAND FLASH through the Control Bus, the I/O Bus and the Chip Select line]

A SLIM PS3 console uses an 8Mx16bits NOR FLASH (128Mbits of non-volatile memory).

The reference used: K8Q2815UQB-PI4B (Manufacturer: SAMSUNG).

The following diagram shows the architecture used between the CELL and a NOR FLASH (SLIM):

[Diagram: the CELL BE is connected to the NOR FLASH through the Address Bus, the Control Bus, the Data Bus and the Chip Select line]

This memory embeds the firmware (files) used by the PS3 itself (asecure_loader, eEID, cISD, …).


The idea is to add a second FLASH memory to obtain a Dual-Firmware PS3.

A switch lets you choose between 2 different configurations before (re)starting the PS3.

Case #1: FAT models with NAND FLASH:

The following diagram shows the NAND based architecture which enables this functionality:

[Diagram: the Control Bus and the I/O Bus of the CELL BE are shared by NAND FLASH #1 (Firmware #1) and NAND FLASH #2 (Firmware #2). The Chip Select of the CELL goes to a switch which routes it to either Chip Select #1 or Chip Select #2; each Chip Select line is pulled up to VCCQ through a 1 kOhm resistor]

Case #2: SLIM models with NOR FLASH:

The following diagram shows the NOR based architecture which enables this functionality:

[Diagram: the Address Bus, the Control Bus and the Data Bus of the CELL BE are shared by NOR FLASH #1 (Firmware #1) and NOR FLASH #2 (Firmware #2). The Chip Select of the CELL goes to a switch which routes it to either Chip Select #1 or Chip Select #2; each Chip Select line is pulled up to VCCQ through a 1 kOhm resistor]


Description:

In both cases, the second FLASH has the same reference (part number) as the original one.

The architecture implies the use of 1 switch and 2 resistors.

The switch selects which NOR/NAND FLASH is going to be used.

The 2 resistors are crucial: by default they pull the Chip Select of the unused memory to its inactive level, so the unused chip stays disabled and never drives the shared bus at the same time as the selected one (no electrical conflict).

Advantages:

The CELL BE is unable to detect the other FLASH since the Product ID and the Manufacturer ID are the same. This would not have been the case if, for example, we had used a 256Mbit NOR FLASH to replace the original NOR memory (switching the last address bit, the MSB).

The NAND addition should be easier than the NOR one because the package is smaller (fewer pins).

Drawbacks:

The solution requires hardware modifications. We will see that it can be done “quite easily” by placing a new FLASH over the original one and using a switch to enable or disable the “Chip Select” signals.


The NOR FLASH is packaged in a TSOP56.

The NAND FLASH is packaged in a TSOP48.

TSOP packages are not that hard to solder, or even to unsolder.

The memory is soldered on the PCB (PS3 motherboard) as described in the following diagram:

[Diagram: TSOP FLASH MEMORY soldered on the PS3 motherboard (original configuration: NAND, 48 pins, or NOR, 56 pins)]

A second package can be added without having to wire the signals (address bus, data bus, …) individually: the new package is placed directly over the first one (piggyback), pin on pin.

[Diagram: TSOP FLASH MEMORY #2 soldered on top of TSOP FLASH MEMORY #1]

Each FLASH has a signal called “CE” (Chip Enable).

These CE pins must be left floating (lifted, not connected to the PCB pad) and wired to the switch (1 wire per FLASH + 1 wire on the PAD).

[Diagram: the CE signal of each FLASH and the CE signal of the PCB are wired to the switch: Signal CE FLASH #1, Signal CE FLASH #2 and Signal CE CELL]


Case #1: Pinout for FAT models with NAND FLASH:

On both NAND FLASH chips, CE = PIN #9

On both NAND FLASH chips, VCC = PIN #12

[Diagram: NAND FLASH pinout with the 1 kOhm resistor]

The resistors should use pin #12 (default logic “1”).

Case #2: Pinout for SLIM models with NOR FLASH:

On both NOR FLASH chips, CE = PIN #32

On both NOR FLASH chips, VCCQ = PIN #29

[Diagram: NOR FLASH pinout with the 1 kOhm resistor]

The resistors should use pin #29 (default logic “1”).


FLASH NOR/NAND contents:

Here are some strategies to flash the contents needed in each chip.

Case #A: The original NOR/NAND is flashed with any firmware (CFW or OFW).

Try to obtain any FLASH from another PS3 (e.g. one with YLOD).

Solder it as described before. Switch to the second FLASH.

Once booted, update the firmware (e.g. OFW 3.41 to OFW 3.60) using the usual procedure.

You can now choose between the original firmware (1st FLASH) and the new one (2nd FLASH).

I'll let you imagine the huge capabilities of this solution ;-)

Case #B: The original NOR/NAND is flashed with a CFW3.41 or CFW3.55.

Try to obtain a virgin (blank) FLASH or a corrupt one.

Using Linux, you should be able to write to the second FLASH.

Once the code is running in RAM, you can dynamically switch to the second FLASH to gain access.

With this method, you can also dump the content of the second FLASH memory.
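Once you hold a dump of each chip, the first thing to check is that the file actually matches the part's geometry and what differs between the two images. The following Python script is an added example, not part of the guide: the raw sizes come from the 128Mx8 and 8Mx16 figures on page 1, the 64-byte spare (OOB) area per 2048-byte NAND page is assumed from the K9F1G08U0A datasheet, and the 128 KiB comparison granularity is an arbitrary choice.

```python
import hashlib

# Part geometries from page 1 of the guide, in bytes.
# NAND K9F1G08U0A: 128M x 8 bits = 128 MiB of data. The 64-byte spare (OOB)
# area per 2048-byte page is assumed from the part's datasheet; some dumping
# tools include it and some do not, so both sizes are accepted.
NAND_PAGE, NAND_OOB, NAND_PAGES = 2048, 64, 65536
# NOR K8Q2815UQB: 8M x 16 bits = 16 MiB.
NOR_SIZE = 8 * 1024 * 1024 * 2

EXPECTED_SIZES = {
    "nand": {NAND_PAGE * NAND_PAGES: "raw data only",
             (NAND_PAGE + NAND_OOB) * NAND_PAGES: "data + spare (OOB)"},
    "nor": {NOR_SIZE: "raw 8Mx16"},
}


def classify_dump(kind, size):
    """Describe the layout of a 'nand' or 'nor' dump of `size` bytes, or return
    None when the size matches no known layout (truncated or padded dump)."""
    return EXPECTED_SIZES[kind].get(size)


def strip_oob(dump):
    """Remove the spare area that follows every NAND page, so the result can be
    compared with a data-only dump."""
    stride = NAND_PAGE + NAND_OOB
    if len(dump) % stride:
        raise ValueError("dump length is not a multiple of page + spare size")
    return b"".join(dump[i:i + NAND_PAGE] for i in range(0, len(dump), stride))


def diff_regions(a, b, block=128 * 1024):
    """Return (offset, length) of every `block`-sized region in which two
    equal-sized dumps (e.g. FLASH #1 and FLASH #2) differ."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size: %d vs %d" % (len(a), len(b)))
    return [(off, min(block, len(a) - off))
            for off in range(0, len(a), block) if a[off:off + block] != b[off:off + block]]


def sha256_hex(data):
    """Hex SHA-256 of a dump, handy for recording which image sits in which chip."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two tiny 4-page 'NAND' images with spare areas, differing in page 2.
    pages = [bytes([n]) * NAND_PAGE + b"\xff" * NAND_OOB for n in range(4)]
    img1 = b"".join(pages)
    img2 = img1[:2 * (NAND_PAGE + NAND_OOB)] + bytes([9]) * NAND_PAGE + b"\xff" * NAND_OOB + pages[3]
    d1, d2 = strip_oob(img1), strip_oob(img2)
    print(sha256_hex(d1), sha256_hex(d2))
    print(diff_regions(d1, d2, block=NAND_PAGE))  # [(4096, 2048)]
```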

Other cases?

Remarks / Limitations:

1) – “To Be Confirmed” – From http://www.ps3devwiki.com

Firmware hash checks are located on SYSCON EEPROM. LV1 compares the hashes stored in SYSCON with the files stored on flash. If the checks fail, the console does not boot. We could get around this by using dual-banking on SYSCON or by patching the checks out.

2) – “To Be Confirmed” – From http://www.ps3devwiki.com

Only a single version of VFLASH is stored on flash in NAND consoles, and a single copy is stored at the beginning of the PS3 hard drive on NOR consoles. Because the firmware stored here doesn't match that stored on flash, you would have to reinstall the rest of the firmware every time you switch. We could possibly overcome this limitation by patching the storage manager to redirect VFLASH to another region of the hard disk.