Layout of the 16mb NAND

[garyopa]

I was doing some work on the 16mb NAND dumps containing the dashboard, kernal, etc.

Here is my original notes, which I sent to "Robinsod" and he has done some amazing things since.

Plus "Probutus" has released a program which can extract the files from a 16mb NAND dump.

I wanted to be the first to start a TOPIC on this new section, and lets keep this topic updated,
on the format of the 16mb NAND and the layout of each section and the block headers, so maybe
in the end we can get to work on decompressing and undecoding each section and hopefully get
the point of truely understanding the internal working of your x360 console, etc.

-------------------------------------------------------------------------------------------------------------
The 16mb NAND flash is not completely encrypted, it basically is a Microsoft compressed ROMDISK system.

It contains a small header, then a "encrypted" loader, and then a number of stored files in a "compact flash"
file system, these files match byte for byte the updated files in the "system_update", and are basically the dashboard files in stored signed Microsoft X360-XEX2 file format.
 
First a 4K header always the same, nothing special.
 
Then we have a 28,672 byte chunk of code starting at >1000, which looks encrypted and for the SMC,
but for some reason it is interchangable between systems, even tho it is different on each dump.
 
Then we have two small chunks with headers of CB and CD, whick look like start-up code for the CPU,
also different in every dump, and first CB is sometimes 26,080 bytes long and on other dumps it is 25,056 bytes long (why?, Pal, Core, more info on the dumps are needed first), and the second CD is always 22,256 bytes long.
 
Next we have the main kernal with a header of CE, which is the brain behind the dashboard,
and is always 352,368 bytes long.
 
The last two sections CF and CG are patchs or updates to the main kernal.
Sometimes there is none (factory fresh, no games played or live updates),
so the flash will have no CF and CG chunks, then first two appear (most likely from game discs),
and then more appear (most likely from live updates).

But the CF and CG always appear in chunks of two, and never see more than four in total so far.

The first CF is always 17,600 bytes long and the second CG is always 47,936 bytes long.
 
The CF chunk has a 32 byte headers on the front of it.
(I guess to tell the system where to patch into the main chunk)
 
The CB, CD, CE chunks only have 16 byte headers in them.
 
These headers contain length of the chunk plus a memory starting address for the CPU,
plus a build value/version like "1888", etc.
 
The CE chunk also has at the end a 6 byte CRC checksum, whereas the others don't.
 
640K FIXED COMMON BIOS PART (1/2)
-----------------------------------------------------------
>000000 = 4K COPYRIGHT HEADER
>001000 = SMC encrypted code --- Southbridge code, always starts here.
>008000 = "CB" encrypted code --  Bootup cpu code, always starts here.
>00E5E0 = "CD" encrypted code --  Sometimes starts at this address: >0E1E0
>013CD0 = "CE" encrypted code --  Sometiems starts at this address: >138D0
>06C000 = "CF" kernal original    ---  Base x360 kernal, always starts here.
>0704C0 = "CG" kernal original   --- THIS four parts are still encrypted as same as the rest above.
>07C000 = "CF" kernal live ver   ---  JUST the two parts are the "BASE" shipped factory version.
>0804C0 = "CG" kernal live ver   --- And the bottom two are the same until updated by "LIVE"!!
 
15200K VARIABLE FILE STORAGE AREA
---------------------------------
(Always start at location :A0000)
(But can vary at anytime/updated)
(Think of like a 15MB Hard Drive)
>0A0000 = mfgbootlauncher.xex
>0AC000 = xam.xex
>1D8000 = bootanim.xex
>23C000 = hud.xex
>25C000 = signin.xex
>268000 = friends.xex
>284000 = vk.xex
>2A0000 = updater.xex
>2A8000 = feedback.xex
>2BC000 = deviceselector.xex
>2C4000 = voicemail.xex
>2DC000 = minimediaplayer.xex
>2E8000 = marketplace.xex
>30C000 = quickchat.xex
>314000 = gamerprofile.xex
>328000 = createprofile.xex
>5F8000 = ximedic.xex
>688000 = dash.xex
>904000 = hudiskin.xex
>924000 = (xex2 file)
>928000 = (xex2 file)
>930000 = (xex2 file)
>934000 = (xex2 file)
>A18000 = (xex2 file)
>A1C000 = (xex2 file)
>A20000 = (xex2 file)
>A2C000 = (xex2 file)
>A34000 = (xex2 file)
>A38000 = (xex2 file)
>A3C000 = (xex2 file)
>A48000 = (xex2 file)
>A4C000 = (xex2 file)
>A50000 = (xex2 file)
>A54000 = (xex2 file)
>A58000 = (xex2 file)
>A5C000 = (xex2 file)
>A64000 = (xex2 file)
>A68000 = (xex2 file)
>AB8000 = (xex2 file)
>AC8000 = (xex2 file)
>ACC000 = (xex2 file)
>AD4000 = (xex2 file)
>AD8000 = (xex2 file)
>BBC000 = (xex2 file)
>BC0000 = (xex2 file)
>BC4000 = (xex2 file)
>BD0000 = (xex2 file)
>BD4000 = (xex2 file)
>BDC000 = (xex2 file)
>BE0000 = (xex2 file)
>BEC000 = (xex2 file)
>BF0000 = (xex2 file)
>BF4000 = (xex2 file)
>BF8000 = (xex2 file)
>BFC000 = (xex2 file)
>C00000 = (xex2 file)
>C04000 = (xex2 file)
>C08000 = (xex2 file)
>C58000 = (xex2 file)
>C7C000 = (xex2 file)
>C84000 = (xex2 file)
>C8C000 = (xex2 file)
>C90000 = (xex2 file)
>E58000 = (xex2 file)
>E5C000 = (xex2 file)
>E64000 = (xex2 file)
>E74000 = (xex2 file)
>E7C000 = (xex2 file)
>E84000 = (xex2 file)
>E88000 = (xex2 file)
>E98000 = (xex2 file)
>E9C000 = (xex2 file)
>EA0000 = (xex2 file)
>EA8000 = (xex2 file)
>EB0000 = (xex2 file)
>EB4000 = (xex2 file)
>EBC000 = (xex2 file)
>EC8000 = (xex2 file)
>F38000 = (xex2 file)
>F3C000 = Flash   LAYOUT (1/4)
>F3C200 = Filename TABLE (1/4)
        - mfgbootlauncher.xex
        - xam.xex
        - bootanim.xex
        - hud.xex
        - signin.xex
        - friends.xex
        - vk.xex
        - updater.xex
        - feedback.xex
        - deviceselector.xex
        - voicemail.xex
        - minimediaplayer.xex
        - marketplace.xex
        - quickchat.xex
        - gamerprofile.xex
        - createprofile.xex
>F3C400 = Flash   LAYOUT (2/4)
>F3C600 = Filename TABLE (2/4)
        - xenonjklatin.xtt
        - xenonclatin.xtt
        - ximedic.xex
        - dash.xex
        - huduiskin.xex
        - sysupdate.xexp1
        - aac.xexp1
        - bootanim.xexp1
        - createprofile.xexp1
        - dash.xexp1
        - deviceselector.xexp1
        - feedback.xexp1
        - friends.xexp1
        - gamerprofile.xexp1
        - hud.xexp1
        - huduiskin.xexp1
>F3C800 = Flash   LAYOUT (3/4)
>F3CA00 = Filename TABLE (3/4)
        - marketplace.xexp1
        - mfgbootlauncher.xexp1
        - minimediaplayer.xexp1
        - quickchat.xexp1
        - signin.xexp1
        - updater.xexp1
        - vk.xexp1
        - voicemail.xexp1
        - xam.xexp1
        - XenonCLatin.xttp1
        - ximedic.xexp1
        - sysupdate.xexp2
        - acc.xexp2
        - bootanim.xexp2
        - createprofile.xexp2
        - dash.xexp2
>F3CC00 = Flash   LAYOUT (4/4)
>F3CE00 = Filename TABLE (4/4)
        - deviceselector.xexp2
        - feedback.xexp2
        - friends.xexp2
        - gamerprofile.xexp2
        - hud.xexp2
        - huduiskin.xexp2
        - marketplace.xexp2
        - mfgbootlauncher.xexp2
        - minimediaplayer.xexp2
        - quickchat.xexp2
        - signin.xexp2
        - updater.xexp2
        - vk.xexp2
        - voicemail.xexp2
        - xam.xexp2
        - XenonCLatin.xttp2
>F3D200 - ximedic.xexp2 (ENTRY)
 
544K FIXED COMMON BIOS AREA (2/2)
---------------------------------
>F78000 - SETTINGS
>F78600 - ZERO
>F7C000 - TABLE
>F7C200 - SETTINGS
>F7C600 - ZERO
>F80000 - 512K EMPTY SPACE
 
Little tidbit, what is the "paddnu" at the end of the flash section, starting at >F7C000, it is different on
all dumps of the flashrom.

It is a checksum of the stored files?

Would like to dump the flashrom on original untouch system, then update the dashboard,
and see if "numbers" at >F7C000 changes.

[Takires]

Some more info on the file system:

Locating the directory block:
A dump with the 16 bytes sparse data is needed for this. Scan the first page of every block for the
following pattern:

ww ww vv 00 00 FF 00 00 xx xx 00 00 yy yy yy yy

ww is the block number, vv is an incremental version number, xx needs to be 0 and yy is the ECC/EDC.

Format of the directory block:
Page 0, 2, 4, 6 contain information about the usage of every block in the flash. This information is
encoded as a 16 bit value. I am uncertain about the meaning of the highest bit. Usually all blocks
of a deleted file have this bit set. Without the highest bit the values are pretty trivial:
0x0000-0x03FF: This is the next block in a file (e.g. block 0x28 has a value of 0x29)
0x1FFB: This is a reserved block (the first 39 blocks and the last 4 blocks have this value)
0x1FFE: This is a free block (this also includes the directory block)
0x1FFF: This is the last block of a file

The odd pages contain the filenames, the starting block, the length and an unknown 32
bit value (guess: file type and version). If the first byte of the filename is 0x05 the file
is marked as deleted.

The interesting question now is: Why are the last 64 KB marked as reserved?

[robinsod]

And very useful it was too, unfortunately I got over excited with my own research and posted some "discoveries" before I really read your EMail So credit for a lot of those discoveries should go to GaryOPA (good to see you back on the scene)

>First a 4K header always the same, nothing special.

Not quite, the 4K header contains some interesting numbers starting at 0x00000060...
   0x00000000,
        0x0006C000,    Note 1
        0x00020712,    Note 2
        0x00004000,    Note 3
        0x00000000,
        0x00000000, 
        0x00003000,
        0x00001000      Note 4

Note1: Start address of first patch slot,
Note2: No idea what these are or even if they are a single 32 bit number
Note3: There seems to be something starting here, monitoring the flash bus reveals that the 360 sometimes starts reading at 0x00004000
Note4: Could this indicate the start of the Southbridge code? When I have time I will change this and observe the behaviour when power is first applied

>008000 = "CB" encrypted code --  Bootup cpu code, always starts here. >00E5E0 = "CD" encrypted code --  Sometimes starts at this address: >0E1E0 > ...and first CB is sometimes 26,080 bytes long and on other dumps it is 25,056 bytes long...

It seems there at least 2 versions of the "CB" code out there, they have different lengths. Have MS rev'ed the South Bridge silicon? I need to check some part numbers.

The "CD" section is found at "CB" start + "CB" length

Perhaps we can define some "C" style structs for these section headers and fill in the Unknowns?

typedef struct { char    ID[2];      "CB","CD","CE","CG"
   word    Version;
   long    Unknown1;
   long    Unknown2;
   long    Length;
}Type1Header;

typedef struct { char    ID[2];      "CF"
   word    Version;
   long    Unknown1;    Note 1
   long    Unknown2;
   long    Length;
   word    BaseVersion;
   word    Unknown3;
   word    Version;
   long   Unknown4;
   word    Unknown5;
   long   Unknown6;
}Type2Header;

Note1: reviewing my posts I noticed this from the 4552 patch

0007C000   43 46 11 C8 00 00 40 00  00 00 03 60 00 00 44 C0   CF.È..@....`..DÀ
0007C010   07 60 00 00 11 C8 00 00  00 00 00 00 00 02 F1 00   .`...È........ñ.

Unknown1 has the value 0x00004000, all the other "CF" sections I have looked at have a value of 0x00000000.

I noticed while monitoring the flash bus that the 360 scans the flash after selecting and loading a patch, it appears to be looking for filesystem headers (also the dash board settings and something else).

The next question, in my mind at least, is how does it determine which filesystem header to use? i.e. which FS root matches with the selected Kernel patch?

[robinsod]

Just checked two motherboards that have different version "CB" sections, both South Bridges have the same markings:

X-SB
X02047 - 012
B-GO

The final line on the chips is different but I suspect this is batch number / manufacturing date.

[robinsod]

0x0000-0x03FF: This is the next block in a file (e.g. block 0x28 has a value of 0x29)
0x1FFB: This is a reserved block (the first 39 blocks and the last 4 blocks have this value)
0x1FFE: This is a free block (this also includes the directory block)
0x1FFF: This is the last block of a file

Nice work and certainly explains a lot but there a few anomalies

1) I think that the current FS root block is actually represented by 0x1FFD and not 0x1FFE as you stated. Also they don't occur in every FS root block. I have a dump here that has FS root in blocks 0x1A4 & 5 and 0x2A2,4,6,8,9,A & B:
0x1A4  1FFD at 0x1A4
0x1A5  No 1FFD
0x2A2  1FFD at 0x2A2
0x2A4  1FFD at 0x2A4
0x2A6  1FFD at 0x2A6
0x2A8  1FFD at 0x2A8
0x2A9  1FFD at 0x2A9
0x2AA  No 1FFD
0x2AB  No 1FFD

2) The first "file block" immediately after the 39 reserved blocks is always 0x248:
1FFB                                          Last of the 39 reserved blocks
0248 0029 002A 1FFF                    First file in FS

The last block in the last file seems to be pointing to 0x0027:
1FFF                                          Last block in previous file
03D7 03D8 03D9 03DA 03DB 0027    Last block of last file, next block is 0x0027
1FFB 1FFB 1FFB 1FFB                    4 reserved blocks at the end

3) It seems that the last 32 blocks of the flash do not appear in the "flash map" and the entries in the map are 0s

[Takires]

Little addition:
001000-003FFF SMC Code
004000-007FFF Key storage

Most likely:
004000-00400F encrypted key, used for decrypting 004010-007FFF
004010-00401F hash
004020-007FFF key data

[robinsod]

With help from tmbinc and TheSpecialist I think I have figured out how the CG sections are stored in flash.

Quick Recap:
The total size of CF + CG section is fixed at 0x10000
The CF section size is fixed at 0x44C0
The remaining data (0x10000 - 0x44C0 = 0xBB40) is the first part of section CG

Since the size of CG is > 0xBB40 where's the rest of CG?

Once the CF section has been decrypted there is a list of NANDblocks that store the rest of CG at offset 0x30 into the CF section. The list starts with the number of blocks in the list followed by the blocks themselves. For example:

//CF Version 2241, 1 block at 0x247, CG Length = 0xC4A8 (0xBB40 + 0x96F)
0x30: 0x00 0x01 0x02 0x47     
 
//CF Version 4552, 9 blocks at 0x2B5 to 0x2BD, CG Length = 0x2F0F2 (0xBB40 + (8 * 0x4000) + 0x35B2)
0x30: 0x00 0x09 0x02 0xB5 0x02 0xB6 0x02 0xB7 0x02 0xB8 0x02 0xB9 0x02 0xBA 0x02 0xBB 0x02 0xBC 0x02 0xBD

I also noticed that these NAND blocks are used in the FS, in the above example the files sysupdate.xexp1 and sysupdate.xexp2 mapped the same NAND blocks as the CG sections

[Shaun]

Has anyone progressed at all with information on how the file storage area works am im trying to alter certain files with respect to downgrading zephyr / falcon boards.
I understand that there appears to be 4x fs roots which are defined as follows
block start (block length 0x210)
16 byes consistsing of
2 bytes block number, 1 byte version, 00 00 FF 00 00 00 00 00 00, 4 bytes of edc data
39 lots of 0x1FFB
0x1FFE
2 bytes which are all 00 29 in the 4 fs roots i have
0x1FFF
then it seems to start counts starting at
0x002B
0x002C all the way upto
0x0100 which is the full 0x210 block size and the next block follows.
However, it is not a fully inclusive count as some double byte values show 0x01FFF for which i have no idea why.
also the following block after this confuses me.  assuming the block number is 0x4C03, you get that + data above then the nexct block, which is 4D03 and also shows a number in the version byte.
the following block appears to show the familiar TOC ? of which several seem present per block but i have nfi how the toc is actually referenced to the physical addy of the xex it lists ? this could be useful if ne1 knows.

[SeventhSon]

Has anyone progressed at all with information on how the file storage area works

It's pretty much completely understood and documented in the above posts? Right? Or am I misunderstanding you?

I understand that there appears to be 4x fs roots which are defined as follows

As I understand it there can be more or less than 4 and only the latest one is used (TheSpec/Robinsod's NAND tool will give you the FS root blocks and version numbers).

block start (block length 0x210)
16 byes consistsing of
2 bytes block number, 1 byte version, 00 00 FF 00 00 00 00 00 00, 4 bytes of edc data

These 16 bytes are the NAND spare area (see Hynix data sheet) and unless you have a 16 + 512 format dump for some reason, the spare area follows the normal data area instead of leading it (i.e. 512 + 16 format). FYI, the format of the spare area is documented here. What you have above is basically correct, but the 00 bytes have meaning too and the EDC is a few bits less than 4 bytes But you can possibly just ignore most of this stuff.

39 lots of 0x1FFB
0x1FFE
2 bytes which are all 00 29 in the 4 fs roots i have
0x1FFF
then it seems to start counts starting at
0x002B
0x002C all the way upto
0x0100 which is the full 0x210 block size and the next block follows.
However, it is not a fully inclusive count as some double byte values show 0x01FFF for which i have no idea why.

Takires explains all this above (second post in this thread).

also the following block after this confuses me.  assuming the block number is 0x4C03, you get that + data above then the nexct block, which is 4D03 and also shows a number in the version byte.

This confusion probably arises because you're looking at a 512 + 16 format dump as 16 + 512

the following block appears to show the familiar TOC ? of which several seem present per block but i have nfi how the toc is actually referenced to the physical addy of the xex it lists ? this could be useful if ne1 knows.

See Takires post above. The first few even numbered pages contain the block allocation table (16 bits per block * 1024 blocks = first 4 even pages) the odd numbers are the names, file sizes and starting blocks of each file (TOC). I can't remember the exact format of the TOC entries, but it should be fairly obvious. The block allocation table is like the file allocation table in a FAT file system. So if the starting block of a file is 0x44, then BAT[0x44] gives the block number of the next block and so on until you hit the end of file marker (0x1FFF).

It's been about a year since I messed with the NAND fs, but I'm fairly () sure that's all correct.

[Shaun]

thankyou, i appreciate that most of you have covered this and are familiar with it but its only been since I got my zephyr 360 that its actually sunk in (or not) ...
yes i wan reading it as 16 + 512 and ive also just realised that 0x210 above ive quoted is 512+16 dec -> hex.
Am i correct in assuming that each 0x4200 block consists of these 0x210 chunks which are reffered  o as pages ?  therefore 20 pages per block ?
I sortof understand your explanation + the posts above but making it work is going to take a little more time as I seem to be thinking nand dump code atm and need to make a few more notes.... I appreciate your help

[SeventhSon]

yes i wan reading it as 16 + 512 and ive also just realised that 0x210 above ive quoted is 512+16 dec -> hex.
Am i correct in assuming that each 0x4200 block consists of these 0x210 chunks which are reffered  o as pages ?  therefore 20 pages per block ?

Correct on all counts 0x20 pages per block (32 decimal)

[Shaun]

can i very quickly tidy something up.
Garyopa initially posted detailed various flash layouts which have been expanded BUT.
when saying smc = 0x1000 - 3fff is that with or without edc ?
im looking at various offsets in flash tool 0.6 only because it gives verbose info on Cx sections which is giving offsets in 0x4000 blocks as apposed to 0x4200 as i mentioned above. ive just twigged that this may also be the case for the above refs and would explain the differences i see everywhere.
Ie when in Cx headers it states Cx length but in a non edc manner ?
That also probably explains that kv then runs to 83FF then (ie last page all the way to start of CB section) which is at 0x8400 and means why most of my experimenting doesnt work !!!
If this is the case (and i think it is) then do any tools exist purely for shoehorning sections together instead of making life hard with a hex editor ?

edit
having checked i think this is the case but something puzzles me.
why dont the Cx sections start at the begining of a page in the nand ? and why is the data between start of page / block and start of Cx section ?
Obviously the start of CB is fixed but then CD is not so where does it get the start from ? either a header somewhere within CB or fixed within a particular ver of CB/CF.
Also, unless there is a bug in the older flash tool, there seems to be a difference between the start + length = end of a section even including the extra 16 bytes per page unless there is extra unknown data before the start of the next section ?

Or more likely i am doing something very wrong again....