PS3 Dual-Firmware – Hardware Hacking Guide – Ed. 2

Author: No_One

A FAT PS3 console uses a 128M x 8-bit NAND FLASH (1024 Mbit of non-volatile memory).
The reference used: K9F1G08U0A-PIB0 (Manufacturer: SAMSUNG).

The following diagram shows the architecture used between the CELL and a NAND FLASH (FAT):

[Diagram: CELL BE connected to the NAND FLASH by a Chip Select line, a Control Bus and an I/O Bus (multiplexed address/command/data)]

A SLIM PS3 console uses an 8M x 16-bit NOR FLASH (128 Mbit of non-volatile memory).
The reference used: K8Q2815UQB-PI4B (Manufacturer: SAMSUNG).

The following diagram shows the architecture used between the CELL and a NOR FLASH (SLIM):

[Diagram: CELL BE connected to the NOR FLASH by a Chip Select line, a Control Bus, an Address Bus and a Data Bus]

This memory holds the firmware files used by the PS3 itself (asecure_loader, eEID, cISD, …).

The idea is to add a second FLASH memory to obtain a Dual-Firmware PS3.
A switch selects one of the two configurations before the PS3 is (re)started.

Case #1: FAT models with NAND FLASH:

The following diagram shows the NAND based architecture which enables this functionality:

[Diagram (NAND): the Chip Select output of the CELL BE goes to a Switch, which routes it either to Chip Select #1 (NAND FLASH #1, holding Firmware #1) or to Chip Select #2 (NAND FLASH #2, holding Firmware #2). Each Chip Select is pulled up to VCCQ through a 1 kOhm resistor. The Control Bus and the I/O Bus are shared by both chips.]

Case #2: SLIM models with NOR FLASH:

The following diagram shows the NOR based architecture which enables this functionality:

[Diagram (NOR): the Chip Select output of the CELL BE goes to a Switch, which routes it either to Chip Select #1 (NOR FLASH #1, holding Firmware #1) or to Chip Select #2 (NOR FLASH #2, holding Firmware #2). Each Chip Select is pulled up to VCCQ through a 1 kOhm resistor. The Control Bus, the Address Bus and the Data Bus are shared by both chips.]

Description:

In both cases, the second FLASH has the same part number as the original one.
The architecture requires 1 switch and 2 resistors.
The switch selects which NOR/NAND FLASH is going to be used.
The 2 resistors are crucial: Chip Enable is active low, so the 1 kOhm pull-up to VCCQ holds the
unselected memory disabled by default. Without it, the unselected chip's CE would float and could
drive the shared bus at the same time as the selected chip, causing an electrical conflict.

Advantages:

The CELL BE cannot tell the two FLASH chips apart, since the Product ID and the Manufacturer ID
are the same. This would not have been the case if, instead, a single 256 Mbit NOR FLASH had
replaced the original NOR memory, with the switch toggling the most significant address bit: the
larger part reports a different ID.
The NAND addition should be easier than the NOR one because the package is smaller (fewer pins).
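The following is an added behavioural model of the circuit described in the Description and Advantages sections above (the CE switch, the two pull-ups, and the identical IDs). It is example code written for this page, not the author's circuit or any PS3 tooling. Assumed values: 0xEC as the Samsung manufacturer ID, 0xF1 as a placeholder device ID, and constructed firmware bytes standing in for the real images.

```python
"""Behavioural model of the dual-flash Chip Enable switch (added example)."""
from dataclasses import dataclass
from typing import Optional

HIGH, LOW = 1, 0       # logic levels on the active-low CE# line
FLOATING = None        # CE# pin left unconnected: undefined level

# Assumptions for this model: Samsung JEDEC manufacturer code and a
# placeholder device ID; both chips are the same part so both IDs match.
SAMSUNG_MFR_ID = 0xEC
PLACEHOLDER_DEV_ID = 0xF1


@dataclass
class Flash:
    """One TSOP flash chip sitting on the shared bus."""
    name: str
    mfr_id: int
    dev_id: int
    contents: bytes
    ce_n: Optional[int] = HIGH

    def enabled(self) -> bool:
        # A floating CE# has no defined level: the chip may or may not drive the bus.
        if self.ce_n is FLOATING:
            raise RuntimeError(f"{self.name}: CE# floating, output state undefined")
        return self.ce_n == LOW


class DualFlashBoard:
    """CELL CE# -> switch -> CE# of flash #1 or #2, each CE# pulled up to VCCQ."""

    def __init__(self, flash1: Flash, flash2: Flash, pullups: bool = True):
        self.flash1, self.flash2, self.pullups = flash1, flash2, pullups
        self.switch = 1            # mechanical switch position, 1 or 2

    def set_switch(self, position: int) -> None:
        if position not in (1, 2):
            raise ValueError("the switch has two positions")
        self.switch = position

    def _settle(self, cell_ce_n: int) -> None:
        # The selected chip sees the CELL's CE#; the other one is held high by
        # its 1 kOhm pull-up, or left floating if the resistor was omitted.
        idle = HIGH if self.pullups else FLOATING
        self.flash1.ce_n = cell_ce_n if self.switch == 1 else idle
        self.flash2.ce_n = cell_ce_n if self.switch == 2 else idle

    def _driver(self) -> Flash:
        self._settle(LOW)          # the CELL asserts CE# for one bus cycle
        drivers = [f for f in (self.flash1, self.flash2) if f.enabled()]
        if len(drivers) != 1:
            raise RuntimeError("bus contention or no chip driving the bus")
        return drivers[0]

    def read_id(self) -> tuple:
        f = self._driver()
        return (f.mfr_id, f.dev_id)

    def read(self, offset: int, length: int) -> bytes:
        return self._driver().contents[offset:offset + length]


def build_board(pullups: bool = True) -> DualFlashBoard:
    # Constructed sample images; real firmware images are console-specific.
    fw1 = b"FIRMWARE#1" + bytes(range(6))
    fw2 = b"FIRMWARE#2" + bytes(range(6, 12))
    f1 = Flash("FLASH #1", SAMSUNG_MFR_ID, PLACEHOLDER_DEV_ID, fw1)
    f2 = Flash("FLASH #2", SAMSUNG_MFR_ID, PLACEHOLDER_DEV_ID, fw2)
    return DualFlashBoard(f1, f2, pullups)


def demo() -> dict:
    """Read ID and data in both switch positions: same ID, different firmware."""
    board = build_board()
    board.set_switch(1)
    id1, data1 = board.read_id(), board.read(0, 10)
    board.set_switch(2)
    id2, data2 = board.read_id(), board.read(0, 10)
    return {"ids_equal": id1 == id2, "fw1": data1, "fw2": data2}


def missing_pullup_fails() -> bool:
    """Without the pull-ups the unselected CE# floats and the bus state is undefined."""
    board = build_board(pullups=False)
    board.set_switch(2)
    try:
        board.read(0, 4)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("pull-ups omitted -> undefined bus:", missing_pullup_fails())
```

The model only flips the switch between bus cycles, which matches the guide's rule of switching before a (re)start: a real chip that is deselected mid-command leaves the firmware in an inconsistent state.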

Drawbacks:

The solution requires hardware modifications. We will see that it can be done "quite easily" by
placing a new FLASH over the original one and using a switch to enable or disable the "Chip
Select" signals.

The NOR FLASH is packaged in a TSOP56.

The NAND FLASH is packaged in a TSOP48.
TSOP packages are not especially hard to solder, or even to desolder.

The memory is soldered on the PCB (PS3 motherboard) as described in the following diagram:

[Diagram: FLASH MEMORY, a TSOP FLASH soldered on the PS3 motherboard (original configuration: NAND, 48 pins, or NOR, 56 pins)]

A second package can be added without having to wire the signals (address bus, data bus, …) one by one.
The idea is to place the new package on top of the first one, pin on pin:

[Diagram: FLASH MEMORY #2 stacked on FLASH MEMORY #1, a TSOP FLASH soldered on a TSOP FLASH]

Each FLASH has a signal called "CE" (Chip Enable).

These two CE pins must not be connected to each other or to the board: the CE pin of the original
FLASH is lifted from its PCB pad, the CE pin of the stacked FLASH is left free, and the three
points are wired to the switch (1 wire per FLASH + 1 wire on the PAD, i.e. the CE signal coming
from the CELL).

[Diagram: Signal CE FLASH #2 (FLASH MEMORY #2), Signal CE FLASH #1 (FLASH MEMORY #1) and Signal CE CELL (the PCB pad) are the three wires going to the switch]

Case #1: Pinout for FAT models with NAND FLASH:

On both NAND FLASH chips, CE = pin #9.
On both NAND FLASH chips, VCC = pin #12.
Each 1 kOhm resistor is connected between CE (pin #9) and pin #12, so that CE defaults to logic "1"
(chip disabled) when the switch does not select it.

[Diagram: NAND FLASH (TSOP48) with the 1 kOhm pull-up between pin #9 and pin #12]

Case #2: Pinout for SLIM models with NOR FLASH:

On both NOR FLASH chips, CE = pin #32.
On both NOR FLASH chips, VCCQ = pin #29.
Each 1 kOhm resistor is connected between CE (pin #32) and pin #29, so that CE defaults to logic "1"
(chip disabled) when the switch does not select it.

[Diagram: NOR FLASH (TSOP56) with the 1 kOhm pull-up between pin #32 and pin #29]

FLASH NOR/NAND contents:

Here are some strategies to obtain the contents needed on the second FLASH.

Case #A: The original NOR/NAND is flashed with any firmware (CFW or OFW).
Try to obtain a FLASH from another PS3 (e.g. one with YLOD).
Solder it as described before. Switch to the second FLASH.
Once booted, update the firmware (e.g. OFW 3.41 to OFW 3.60) using the usual procedure.
You can now choose between the original firmware (1st FLASH) and the new one (2nd FLASH).
I let you imagine the huge capabilities of this solution ;-)

Case #B: The original NOR/NAND is flashed with a CFW 3.41 or CFW 3.55.

Try to obtain a virgin FLASH or a corrupt one.
Using Linux, you should be able to write to the second FLASH.
Once the code is running entirely from RAM (no further reads from the FLASH), you can flip the
switch to the second FLASH and access it without rebooting.
With this method, you can also dump the contents of the second FLASH memory.

Other cases?

Remarks / Limitations:

1) – “To Be Confirmed” – From http://www.ps3devwiki.com


Firmware hash checks are located on SYSCON EEPROM. LV1 compares the hashes stored in
SYSCON with the files stored on flash. If the checks fail, the console does not boot. We could get
around this by using dual-banking on SYSCON or by patching the checks out.

2) – “To Be Confirmed” – From http://www.ps3devwiki.com


Only a single version of VFLASH is stored on flash in NAND consoles, and a single copy is stored at
the beginning of the PS3 hard drive on NOR consoles. Because the firmware stored here doesn't
match that stored on flash, you would have to reinstall the rest of firmware every time you switch.
We could possibly overcome this limitation by patching the storage manager to redirect VFLASH
to another region of the hard disk.
