Editing Flash:cvtrm


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 10: Line 10:
* [[Talk:Flash#VTRM]]
* [[Talk:Flash#VTRM]]
* [[Hypervisor Reverse Engineering#VTRM]]
* [[Hypervisor Reverse Engineering#VTRM]]
* [[Fixing DRL and CRL Hashes]]
* [[SC Manager#0x9000 - SC Manager]]
* [[SC Manager#0x9000 - SC Manager]]
* [[Talk:System Controller Firmware]]
* [[Talk:System Controller Firmware]]
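Review bot: the only entry that appears once in this hunk is [[Fixing DRL and CRL Hashes]], so that is the line the two revisions disagree on; read together with the next hunk, where the same link appears once again lower in the list, this is a move of the link within the "see also" list rather than an addition or a removal, and reverting it changes ordering only.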
Line 16: Line 15:
* [[PARAM.PFD]]
* [[PARAM.PFD]]
* [[Ps3vuart-tools#ps3dm]]
* [[Ps3vuart-tools#ps3dm]]
* [[Per Console Keys#cVTRM]]
* [[Fixing DRL and CRL Hashes]]
* [[RSOD Fix]]
* [[RSOD Fix]]


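Review bot: [[Per Console Keys#cVTRM]] appears on one side only, so the undo drops this cross-reference along with the reorder of the [[Fixing DRL and CRL Hashes]] link. Since the page documents cVTRM, the Per Console Keys anchor is directly relevant and is worth keeping even if the rest of the edit is reverted.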
Line 64: Line 63:
In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the '''hash_table''' (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value
In the third copypaste, the value that indicates the offset points to the 'exception' hash inside the '''hash_table''' (bytes from 0xEFE68C up to 0xEFE6A0 are copypasted to 0xEC0108 up to 0xEC011C), but instead of copying the 'exception' hash it copypastes the default hash value


At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the length of the areas that has been copypasted below (but only the sum of the first two copypastes, for some reason the third copypaste is not included in this sum, also the position where the third copypaste happens is a bit weird i dont get why that position, is because the 0x40 gap but that gap makes no sense, the point is the gap is there and is related with the reason why the third copypaste to not be included in this sum)
At this point the creation process is near completed, the only thing left is to fill the 0x10 bytes at the beginning in the first vtrm block (at 0xEC0000), this small area is going to work as the entry point when reading the whole vtrm, and this is when is written the 'magic_scei' that is unique (is the only value from this blocks in common between NAND and NOR), the other thing that indicates this area (with the value 0xA8) is the lenght of the areas that has been copypasted below (but only the sum of the first two copypastes, for some reason the third copypaste is not included in this sum, also the position where the third copypaste happens is a bit weird i dont get why that position, is because the 0x40 gap but that gap makes no sense, the point is the gap is there and is related with the reason why the third copypaste to not be included in this sum)


----
----
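Review bot: the single difference in this hunk is "length" versus "lenght" in the paragraph beginning "At this point the creation process is near completed"; undoing the edit reintroduces the misspelling, so keep "length". Independently of the revert, that paragraph is one run-on sentence ("also the position where the third copypaste happens is a bit weird i dont get why that position"); splitting it after "magic_scei' that is unique (...)" and again before "also the position" would make the 0xA8 length field and the 0x40 gap observation readable as separate points.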
Line 75: Line 74:


==Notes, speculation, brainstorming==
==Notes, speculation, brainstorming==
Trying to identify the encrypted data blocks based on the [[Authority ID]] and its position
*[[Authentication IDs]]
 
**10 70 00 00 02 00 00 01 <--- PS3_LPAR
*First auth ID (lpar auth id)
**10 70 00 00 39 00 00 01 <--- /dev_flash/bdplayer/'''bdp_bdmv.self'''
** 10 70 00 00 02 00 00 01
**10 70 00 00 03 00 00 02 <--- /dev_flash/vsh/module/'''mgvideo.self'''
*** PS3_LPAR (a.k.a. GameOS access)
**10 70 00 05 FF 00 00 01 <--- /dev_flash/vsh/'''vsh.self'''
** 04 00 00 00 02 00 00 05
**04 00 00 00 02 00 00 05 <--- ???
*** related with the PSN account ???
 
*Second auth ID (program auth id)
** 10 70 00 05 FF 00 00 01
*** /dev_flash/vsh/'''vsh.self'''
*** is copypasted from the inner vtrm to the vtrm on top, in both NAND and NOR
** 10 70 00 00 39 00 00 01
*** /dev_flash/bdplayer/'''bdp_bdmv.self'''
*** contains the hashes of '''DRL''' and '''CRL'''
*** is copyed and re-encrypted from the inner vtrm to the vtrm on top, only in NOR
** 10 70 00 00 03 00 00 02
*** /dev_flash/vsh/module/'''mgvideo.self'''
 
=LPAR Auth ID and Program Auth ID=
*VSH
**0x0400000002000005 - ???
**0x10700005FF000001 - vsh.self
*BDP
**0x1070000002000001 - LPAR 2
**0x1070000039000001 - bdp_bdmv.self
*VP
**0x1070000002000001 - LPAR 2
**0x1070000003000002 - mgvideo.self
 
http://www.psdevwiki.com/ps3/index.php?title=Fixing_DRL_and_CRL_Hashes&diff=13954&oldid=13803


=VTRM hashes and how to generate them=
=VTRM hashes and how to generate them=
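Review bot: this undo removes the whole body of "Notes, speculation, brainstorming" (the Authentication IDs list, the "LPAR Auth ID and Program Auth ID" list and the link to the Fixing_DRL_and_CRL_Hashes diff), not just a detail. If the objection is to quality rather than content, the fixable points are: the same auth IDs are listed twice (once inline with "<---" arrows, once under the "LPAR Auth ID and Program Auth ID" heading); "=LPAR Auth ID and Program Auth ID=" is a level-1 heading inside a level-2 section and should be "==...==" to match the page; "is copyed and re-encrypted" should read "is copied and re-encrypted"; and the two lists disagree on the label for 10 70 00 00 02 00 00 01 ("PS3_LPAR" in the first, "LPAR 2" in the second). Trimming the duplicate list and fixing those would keep the information the section adds.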
Line 175: Line 149:
  00EFEFE0                                      <span style="background:#99ffff;">39 17 52 0B</span>              9.R.      [...] '''signature_empty''' (repeated)
  00EFEFE0                                      <span style="background:#99ffff;">39 17 52 0B</span>              9.R.      [...] '''signature_empty''' (repeated)
  00EFEFF0  <span style="background:#99ffff;">31 70 F5 05 02 5A C6 F8 81 F8 54 96 2F EF F3 81</span>  1põ..ZÆø.øT–/ïó.      [...]
  00EFEFF0  <span style="background:#99ffff;">31 70 F5 05 02 5A C6 F8 81 F8 54 96 2F EF F3 81</span>  1põ..ZÆø.øT–/ïó.      [...]
   [...]    <span style="background:#777777;">00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span>  ................       
   [...]    <span style="background:#777777;">00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span>  ................      <---- 0x00's filled up to end of file (0x200 blocks)
  00EFFFF0  <span style="background:#777777;">00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span>  ................     <---- 0x00's filled up to end of file (0x1FE blocks)
  00EFFFF0  <span style="background:#777777;">00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span>  ................


==NOR Example==
==NOR Example==
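Review bot: the two revisions disagree on the zero-fill annotation at the end of the NAND dump: one reads "0x00's filled up to end of file (0x200 blocks)" on the "[...]" line, the other "(0x1FE blocks)" on the 00EFFFF0 line. Only one block count can be right for the same dump; check it against the dump length, and place the annotation on the last line shown (00EFFFF0) if it describes the end of file, before publishing either version.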
Line 229: Line 203:
   [...]    <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span>  ................
   [...]    <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span>  ................
  00EE5080  <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span>  ................    <---- '''data_table''' start (table_size = 0x186C0, entry_size = 0x60, entry_number = 0x412)
  00EE5080  <span style="background:#cccc66;">00 00 00 00 00 00 04 12</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span>  ................    <---- '''data_table''' start (table_size = 0x186C0, entry_size = 0x60, entry_number = 0x412)
  00EE5090  <span style="background:#ff5555;">10 70 00 00 02 00 00 01</span> <span style="background:#ff6666;">10 70 00 00 39 00 00 01</span>  .p.......p..9...    <---- '''lpar_auth_id''', '''prog_auth_id'''
  00EE5090  <span style="background:#ff5555;">10 70 00 00 02 00 00 01</span> <span style="background:#ff6666;">10 70 00 00 39 00 00 01</span>  .p.......p..9...    <---- '''lpar_auth_id''' (PS3_LPAR), '''prog_auth_id''' (bdp_bdmv.self)
  00EE50A0  <span style="background:#ff7777; color:#99ffff;">D8 71 79 C4 C0 2B 74 A1 C9 50 AC 82 4D 94 4A D0</span>  ØqyÄÀ+t¡ÉP¬‚M”JÐ
  00EE50A0  <span style="background:#ff7777; color:#99ffff;">D8 71 79 C4 C0 2B 74 A1 C9 50 AC 82 4D 94 4A D0</span>  ØqyÄÀ+t¡ÉP¬‚M”JÐ
  00EE50B0  <span style="background:#ff7777; color:#99ffff;">63 85 24 87 7D 4D 0D E4 9A 29 E6 6F 4B FA B7 19</span>  c…$‡}M.äš)æoKú·.
  00EE50B0  <span style="background:#ff7777; color:#99ffff;">63 85 24 87 7D 4D 0D E4 9A 29 E6 6F 4B FA B7 19</span>  c…$‡}M.äš)æoKú·.
Line 235: Line 209:
  00EE50D0  <span style="background:#ff7777; color:#99ffff;">2A D2 D4 18 E7 2F BA 15 79 8E D9 C1 64 4A 6C 91</span>  *ÒÔ.ç/º.yŽÙÁdJl‘
  00EE50D0  <span style="background:#ff7777; color:#99ffff;">2A D2 D4 18 E7 2F BA 15 79 8E D9 C1 64 4A 6C 91</span>  *ÒÔ.ç/º.yŽÙÁdJl‘
  00EE50E0  <span style="background:#ff9999; color:#ffff66;">00 00 00 00 00 00 00 01</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span>  ................
  00EE50E0  <span style="background:#ff9999; color:#ffff66;">00 00 00 00 00 00 00 01</span> <span style="background:#ff0000; color:#ffff66;">00 00 00 00 00 00 04 12</span>  ................
  00EE50F0  <span style="background:#ff5555;">04 00 00 00 02 00 00 05</span> <span style="background:#ff6666;">10 70 00 05 FF 00 00 01</span>  .........p..ÿ...    <---- '''lpar_auth_id''', '''prog_auth_id'''
  00EE50F0  <span style="background:#ff5555;">04 00 00 00 02 00 00 05</span> <span style="background:#ff6666;">10 70 00 05 FF 00 00 01</span>  .........p..ÿ...    <---- '''lpar_auth_id''' (UNKNOWN_LPAR), '''prog_auth_id''' (vsh.self)
  00EE5100  <span style="background:#ff7777; color:#99ffff;">0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E</span>  .ÿ ܤj¡Ó¼6‚.Â{µ^
  00EE5100  <span style="background:#ff7777; color:#99ffff;">0C FF 20 DC A4 6A A1 D3 BC 36 82 17 C2 7B B5 5E</span>  .ÿ ܤj¡Ó¼6‚.Â{µ^
  00EE5110  <span style="background:#ff7777; color:#99ffff;">9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E</span>  ›Íkq«A./„T?k¬á&>
  00EE5110  <span style="background:#ff7777; color:#99ffff;">9B CD 6B 71 AB 41 06 2F 84 54 3F 6B AC E1 26 3E</span>  ›Íkq«A./„T?k¬á&>
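Review bot: the labels "(PS3_LPAR)", "(bdp_bdmv.self)", "(UNKNOWN_LPAR)" and "(vsh.self)" on the two lpar_auth_id / prog_auth_id lines exist on one side only, so the undo removes them. The first, second and fourth match the auth IDs resolved elsewhere on the page; "UNKNOWN_LPAR" for 04 00 00 00 02 00 00 05, however, is a placeholder name, not a value from the dump, and the Notes section marks the same ID as "???". Use "???" here as well, or mark the label as speculative, so a reader does not take UNKNOWN_LPAR for an identified LPAR.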