Here are some PS3 CXD4302GB Test Points from knightsolidus via xorloser's blog. Today xorloser also mentioned it's possible to use an MCU to read the PS3's flash but hasn't revealed the process yet.
Hi xorloser!!! geohot is playing with modifying the flash, but he can get a brick. First of all we need hardware to create a backup of the real flash (cxd4302gb chip). I have identified all test points of that chip; that chip is 2Gbits (256MB), and the Samsung are 1Gbits (128MB) x 2 chips = 2Gbits (256MB). Those chips could be downgraded in the past with Infectus, but now it doesn't work, because now it runs from the cxd4302gb chip and uses the Samsung flash for backup, understand? You can add me on MSN for pins. Thanks!!!
Sorry for my English. I want to tell you the real flash is the CXD chip on the PS3, and I have identified the test points to read and program it, but I don't know any programmer to read and write it, understand? I have identified all points to read and program; it has 16 pins for data, 18 pins for address, chip enable 1 and 2, clk, mode select, reset, write enable, understand? Sorry for my English.
I created this picture with the test points.
The numbers in the picture correspond to the following points:
That sounds really interesting, and if I'm not wrong this also means that we now know where the new bit flag to prevent downgrading will be stored, and because of that we should again be able to downgrade our retail PS3 consoles.
He doesn't talk about the normal NAND flash. If I have understood right, he talks about another flash chip present on the PS3 MB.
"Those chips could be downgraded in the past with Infectus, but now it doesn't work, because now it runs from the cxd4302gb chip and uses the Samsung flash for backup, understand?"
So he talks about two flash chips. One will be the chip the FW runs off, and the other is NOW used for backup, and that's why you can't downgrade: we have downgraded the backup and not the new real flash chip that the OS is running from.
If it is only hardware protection, no modifying of the hypervisor is needed, but I don't believe Sony is so stupid...
You can read/write nearly every chip with the correct hardware. The normal NAND flash, currently used for the backup of the OS, can be flashed. And if there is another chip where the OS is also stored and runs from, then it's easy (I think).
The PS3 does a comparison between both chips, and in case the backup is a different FW than the one in the chip the real OS runs from, the PS3 doesn't start.
But it's also possible that Sony has implemented additional hardware protection. Time will tell...
AFAIK the CXD4302GB is only the NAND controller. This chip makes the 2x 128MiB NAND flashes look like a single coherent NOR flash to the southbridge (SCC).
Notice how the southbridge didn't change (at least its part number) from the last model with 2x 128 MiB NAND to the first model with 16 MiB NOR flash?
So in theory it should have a somewhat similar pinout to the 16 MiB NOR flashes used in the newer models (Spansion S29GL128N90TFIR2 / Samsung K8Q2815UQB-P14B).
This chip handles all the crazy interleaving and shuffling around of the NAND pages. It is necessary so the SB sees a coherent NOR flash since you can't boot a system from NAND flash (because it doesn't support random access at a byte level). This is the reason why most embedded devices carry a small (expensive) NOR flash for the boot code and a large (inexpensive) NAND flash for data and applications.
So yes - it would make it far easier to tap into this chip with a microcontroller compared to tapping into the NANDs directly because one wouldn't have to mess around with all the interleaving and shuffling (the byte swap will stay, of course). But it's quite unlikely that this chip is another separate flash.
The most elegant solution would be to use the exploit to access the flash from Linux, though (what GeoHot appears to have done). That way you could just access the flash from Linux like any other block device.
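As an added illustration of the interleaving and byte-swap point made in the post above (this is example code written for this page, not code from the thread, from xorloser, or from any PS3 project), the toy model below shows what a NAND controller has to do to present two raw NAND chips as one linear, byte-addressable image, and why NOR can be read at a byte address while NAND has to be fetched a page at a time. The alternate-page interleave between the two chips, the 16-bit byte swap and the tiny page size are all assumptions chosen for readability; the real CXD4302GB scheme is not described on this page.

```python
"""Toy model of a NAND controller presenting two NAND chips as one NOR-like image.

ASSUMED for illustration only (not the real CXD4302GB behaviour):
  - pages alternate between chip A and chip B (page 0 -> A, page 1 -> B, ...)
  - every page is stored with its 16-bit words byte-swapped
  - PAGE_SIZE is 8 bytes so the sample data stays readable
"""

PAGE_SIZE = 8  # constructed, unrealistically small page size


def byte_swap16(data: bytes) -> bytes:
    """Swap each pair of adjacent bytes (little-endian <-> big-endian 16-bit words)."""
    if len(data) % 2:
        raise ValueError("data must contain a whole number of 16-bit words")
    return bytes(b for i in range(0, len(data), 2) for b in (data[i + 1], data[i]))


def split_to_chips(image: bytes, page_size: int = PAGE_SIZE) -> tuple[bytes, bytes]:
    """Controller write path: scatter the linear image across the two chips.

    Even pages go to chip A, odd pages to chip B, each byte-swapped on the way in.
    """
    if len(image) % (2 * page_size):
        raise ValueError("image must be a whole number of page pairs")
    chip_a, chip_b = bytearray(), bytearray()
    for offset in range(0, len(image), page_size):
        page = byte_swap16(image[offset:offset + page_size])
        target = chip_a if (offset // page_size) % 2 == 0 else chip_b
        target.extend(page)
    return bytes(chip_a), bytes(chip_b)


def reassemble(chip_a: bytes, chip_b: bytes, page_size: int = PAGE_SIZE) -> bytes:
    """Controller read path: undo the interleave and the byte swap.

    This is the step a raw dump of the two chips would need before the
    contents make sense as one image.
    """
    if len(chip_a) != len(chip_b):
        raise ValueError("both chips must hold the same number of pages")
    out = bytearray()
    for offset in range(0, len(chip_a), page_size):
        out += byte_swap16(chip_a[offset:offset + page_size])
        out += byte_swap16(chip_b[offset:offset + page_size])
    return bytes(out)


def nor_read_byte(image: bytes, addr: int) -> int:
    """NOR-style access: any byte address can be read directly."""
    return image[addr]


def nand_read_byte(chip_a: bytes, chip_b: bytes, addr: int,
                   page_size: int = PAGE_SIZE) -> int:
    """NAND-style access: locate the page holding addr, fetch the whole page,
    undo the byte swap, then index into it. No byte-level random access."""
    page_no, offset_in_page = divmod(addr, page_size)
    chip = chip_a if page_no % 2 == 0 else chip_b
    chip_page = page_no // 2  # each chip holds every second page
    raw = chip[chip_page * page_size:(chip_page + 1) * page_size]
    return byte_swap16(raw)[offset_in_page]


def roundtrip_ok(image: bytes) -> bool:
    """True if splitting and reassembling reproduces the image and every
    byte read through the NAND path matches the NOR path."""
    chip_a, chip_b = split_to_chips(image)
    if reassemble(chip_a, chip_b) != image:
        return False
    return all(nand_read_byte(chip_a, chip_b, a) == nor_read_byte(image, a)
               for a in range(len(image)))


if __name__ == "__main__":
    sample = bytes(range(32))  # constructed 4-page image
    a, b = split_to_chips(sample)
    print("chip A:", a.hex())
    print("chip B:", b.hex())
    print("roundtrip ok:", roundtrip_ok(sample))
```

The two chip images printed by the block are what a microcontroller tapping the raw NAND pins would see: neither one is a readable copy of the original on its own, which is the post's point about why going through the controller (or through the OS's block device) is far simpler than reading the chips directly.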