PS4 NOR Flash Dump MX25L25635FMI-10G for CXD90025G Arrives
Following up on the previous PS4 Macronix MX25L25635FMI-10G and MX25L1006E NOR Flash dumps, today Sony PlayStation 4 hacker cfwprophet has made available a PS4 1.06 NOR dump (MAC address and console ID removed) of the MX25L25635FMI-10G serial flash for the CXD90025G, along with some analysis details below.
By the looks of it, this flash can be read by several PS4 devices accessing different offsets, so maybe we can use that to our advantage and modify data on the fly, only when the decrypted area is accessed, without breaking the checksum of the original flash as a whole.
I'm thinking of a hardware device between the PS4 WiFi/LAN/Bluetooth circuit (or whatever it is) and the MX25L25635FMI-10G flash chip.
I found the Verilog model for the MX25L25635F flash from the manufacturer, so it should be possible to emulate the flash in an FPGA for interesting manipulation. Also attached (PDF / ZIP), in case their files suddenly disappear: macronix.com/en-us/Product/Pages/ProductDetail.aspx?PartNo=MX25L25635F
Thanks go to cfwprophet on IRC; I learned a lot of new stuff about the PS4. A block diagram of the MediaCon functions is also attached.
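As an added illustration of the interposer idea above (example code written for this page, not the poster's or cfwprophet's, and not a real PS4 device), here is a Go model of a device sitting on the SPI bus that answers read commands from the genuine image but substitutes bytes only when the read lands inside a chosen window. The read opcodes (0x03 READ with a 3-byte address, 0x13 READ4B with a 4-byte address) are my recollection of the MX25L25635F datasheet and should be checked against the attached PDF; the 64-byte image and the patch window are constructed for the demo.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Read opcodes as I recall them from the MX25L25635F datasheet (assumption:
// verify against the attached PDF). READ takes a 3-byte address; READ4B a
// 4-byte one, which a 256 Mbit part needs to reach above 16 MiB.
const (
	opRead   = 0x03
	opRead4B = 0x13
)

// Patch is a window of the address space served from replacement bytes.
type Patch struct {
	Start uint32
	Data  []byte
}

// Interposer models the proposed device: it answers read commands from the
// genuine image and overlays a patch only on bytes inside a patch window,
// so a read that never touches the window (a checksum pass over the rest,
// say) sees the original data. Armed=false serves the untouched image.
type Interposer struct {
	Flash   []byte
	Patches []Patch
	Armed   bool
}

// decodeAddr pulls the start address out of the bytes the master clocked
// out: opcode followed by the big-endian address.
func decodeAddr(cmd []byte) (uint32, error) {
	switch {
	case len(cmd) >= 4 && cmd[0] == opRead:
		return uint32(cmd[1])<<16 | uint32(cmd[2])<<8 | uint32(cmd[3]), nil
	case len(cmd) >= 5 && cmd[0] == opRead4B:
		return binary.BigEndian.Uint32(cmd[1:5]), nil
	case len(cmd) == 0:
		return 0, errors.New("empty command")
	}
	return 0, fmt.Errorf("unsupported or truncated command 0x%02x", cmd[0])
}

// ServeRead returns the n bytes the master will clock in for cmd. The
// address wraps at the end of the array, as a continuous SPI NOR read does.
func (ip *Interposer) ServeRead(cmd []byte, n int) ([]byte, error) {
	addr, err := decodeAddr(cmd)
	if err != nil {
		return nil, err
	}
	size := uint32(len(ip.Flash))
	if size == 0 {
		return nil, errors.New("no flash image loaded")
	}
	out := make([]byte, n)
	for i := range out {
		a := (addr + uint32(i)) % size
		out[i] = ip.Flash[a]
		if !ip.Armed {
			continue
		}
		for _, p := range ip.Patches {
			if a >= p.Start && a < p.Start+uint32(len(p.Data)) {
				out[i] = p.Data[a-p.Start]
			}
		}
	}
	return out, nil
}

func main() {
	img := make([]byte, 64) // constructed stand-in for the NOR image, not dump data
	for i := range img {
		img[i] = byte(i)
	}
	ip := &Interposer{Flash: img, Armed: true,
		Patches: []Patch{{Start: 0x20, Data: []byte{0xAA, 0xBB, 0xCC, 0xDD}}}}
	// READ from 0x1E for 8 bytes straddles the window: only 0x20..0x23 change.
	data, err := ip.ServeRead([]byte{opRead, 0x00, 0x00, 0x1E}, 8)
	fmt.Printf("% x %v\n", data, err) // 1e 1f aa bb cc dd 24 25 <nil>
	ip.Armed = false
	data, _ = ip.ServeRead([]byte{opRead4B, 0x00, 0x00, 0x00, 0x20}, 4)
	fmt.Printf("% x\n", data) // 20 21 22 23
}
```

Only the two plain read commands are decoded; fast reads with dummy cycles, dual/quad I/O, status-register and 4-byte-address-mode commands are not modelled, and in real hardware the FPGA would more likely emulate the whole chip from a RAM copy (which is where the Verilog model comes in) than rewrite bytes inline, because the substitution has to keep up with the SPI clock. The window-gated overlay is the part that matters for the "modify only when the decrypted area is accessed" idea.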
The first 40 bytes are encrypted with AES-256-CBC, and the result is used as ERK and RIV for the next 240 bytes. Now that is decrypted through AES-128-CTR, and now you can find the location of the encrypted sections, the HMAC key, and the ERK/RIV keys. The rest of the sections are also encrypted with AES-128-CTR. Enjoy! j/k
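To make the chain in cfwprophet's description concrete, here is an added Go example (written for this page; not cfwprophet's code, and none of the keys or layouts are the real PS4 ones). It reads "40" and "240" as hex sizes (0x40 and 0x240) because 40 decimal is not a multiple of the AES block size and CBC needs whole blocks; that is an assumption. It also assumes that the decrypted outer block carries erk then riv in its first 32 bytes, that the decrypted table starts with a 32-byte HMAC key followed by fixed-size little-endian entries of offset, length, erk and riv, and it only recovers the HMAC key, since the description does not say what it authenticates. BuildSample constructs a synthetic image in that layout so the whole unwrap can be run offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Sizes from the quote read as hex (0x40, 0x240): 40 decimal is not a multiple of
// the AES block size and CBC needs whole blocks. An assumption, like the layouts below.
const (
	outerLen = 0x40
	tableLen = 0x240
	entryLen = 40 // assumed table entry: off u32 | len u32 | erk[16] | riv[16], little endian
)

type Section struct {
	Off, Len uint32
	Erk, Riv []byte
}

// block panics on a bad key length; every key length here is fixed by the layout.
func block(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key) // 16-byte key -> AES-128, 32-byte key -> AES-256
	if err != nil {
		panic(err)
	}
	return blk
}

func cbc(key, iv, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(block(key), iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(block(key), iv).CryptBlocks(out, in)
	}
	return out
}

// ctr is its own inverse, so one function serves both directions.
func ctr(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block(key), iv).XORKeyStream(out, in)
	return out
}

// Unwrap follows the chain from the quote: AES-256-CBC outer block -> erk/riv ->
// AES-128-CTR table -> per-section erk/riv -> AES-128-CTR sections. Assumed: erk at
// [0:16] and riv at [16:32] of the outer block; HMAC key at [0:32] of the table, then
// entries until a zero-length one. The HMAC key is only returned; its use is unknown.
func Unwrap(img, outerKey, outerIV []byte) (hmacKey []byte, secs []Section, plain [][]byte, err error) {
	if len(img) < outerLen+tableLen {
		return nil, nil, nil, fmt.Errorf("image shorter than header + table")
	}
	hdr := cbc(outerKey, outerIV, img[:outerLen], true)
	tbl := ctr(hdr[:16], hdr[16:32], img[outerLen:outerLen+tableLen])
	hmacKey = tbl[:32]
	for p := 32; p+entryLen <= tableLen && binary.LittleEndian.Uint32(tbl[p+4:p+8]) != 0; p += entryLen {
		e := tbl[p : p+entryLen]
		off, n := binary.LittleEndian.Uint32(e[0:4]), binary.LittleEndian.Uint32(e[4:8])
		if uint64(off)+uint64(n) > uint64(len(img)) { // never trust offsets read from the image
			return nil, nil, nil, fmt.Errorf("entry at table offset %d points outside the image", p)
		}
		s := Section{off, n, e[8:24], e[24:40]}
		secs, plain = append(secs, s), append(plain, ctr(s.Erk, s.Riv, img[off:off+n]))
	}
	return hmacKey, secs, plain, nil
}

// BuildSample wraps constructed plaintexts in the same assumed layout so the chain
// can be exercised offline; section offsets are assigned sequentially after the table.
func BuildSample(outerKey, outerIV, erk, riv, hmacKey []byte, secs []Section, plain [][]byte) []byte {
	hdr, tbl := make([]byte, outerLen), make([]byte, tableLen)
	copy(hdr[0:16], erk)
	copy(hdr[16:32], riv)
	copy(tbl[:32], hmacKey)
	off, body := uint32(outerLen+tableLen), []byte{}
	for i, s := range secs {
		e := tbl[32+i*entryLen : 32+(i+1)*entryLen] // panics if secs outgrow the table
		binary.LittleEndian.PutUint32(e[0:4], off)
		binary.LittleEndian.PutUint32(e[4:8], uint32(len(plain[i])))
		copy(e[8:24], s.Erk)
		copy(e[24:40], s.Riv)
		body = append(body, ctr(s.Erk, s.Riv, plain[i])...)
		off += uint32(len(plain[i]))
	}
	return append(append(cbc(outerKey, outerIV, hdr, false), ctr(erk, riv, tbl)...), body...)
}

func main() {
	k := func(b byte, n int) []byte { return bytes.Repeat([]byte{b}, n) } // constructed, not real PS4 keys
	img := BuildSample(k(1, 32), k(2, 16), k(3, 16), k(4, 16), k(9, 32), []Section{{Erk: k(5, 16), Riv: k(6, 16)}}, [][]byte{[]byte("constructed payload")})
	if hk, secs, pts, err := Unwrap(img, k(1, 32), k(2, 16)); err == nil {
		fmt.Printf("hmac key %x, section 0 at %#x: %q\n", hk, secs[0].Off, pts[0])
	}
}
```

Two points worth noticing when working on a real dump. The offsets and lengths come out of decrypted data, so the bounds check before slicing is not optional; and because every layer after the first is CTR, flipping bits in the encrypted table flips the same bits in the decrypted offsets and lengths, which is exactly why a separate HMAC key would have to exist somewhere in this scheme.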