Editing IDPS
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
= Description = | = Description = | ||
The IDPS is a sequence of 16 bytes which is used as a unique per-console Identifier. The IDPS is stored and certified in [[Flash:Encrypted Individual Data - eEID|EID]]. | |||
The IDPS is a sequence of 16 bytes which is used as a unique per-console | |||
= Structure = | = Structure = | ||
<pre> | <pre> | ||
Chassis Check | |||
⇓ | |||
00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%Rf | 00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%Rf | ||
⇑ ⇑ ⇑ ⇑ | ⇑ ⇑ ⇑ ⇑ | ||
Product Code Product Sub Code | Product Code Model type | ||
(Internal:Product Code) (Internal: Product Sub Code) | |||
</pre> | </pre> | ||
5th and 6th byte represent [[Product Code]]. | |||
< | 7th and 8th byte represent [[Product Sub Code]] <!--// Note that CECHAxx is type 0x01 and CECHBxx is type 0x02 but they both have a COK-001 motherboard... (Changing 0x02 to 0x01 in CECH-B will enable wifi options in menu. But there is still missing hardware), and at the opposite... CECH-25xx models are type 0x0B but with 2 possible motherboards: JSD-001 or JTP-001//--> | ||
= | 9th byte represents <abbr title="To convert it to chassis revision, right shift it by 2 : (0x14 >> 0x2) = 5">chassis check</abbr> | ||
10th byte represents an unknown model identifier | |||
remaining bytes seam to be an identifier generated from some per console data | |||
<pre> | |||
00 00 00 01 <- Magic | |||
00 89 <- CECH-xx02 Product Code (CEX target, oceania region) | |||
00 0B <- CECH-25xx Product Sub Code (25xx series) | |||
14 <- Chassis Check | |||
00 <- unk0 (counter ?) | |||
EF DD <- unk1 | |||
CA 25 52 66 <- unk2 | |||
</pre> | |||
== Dummy Reference Tool IDPS == | == Dummy Reference Tool IDPS == | ||
Line 35: | Line 37: | ||
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D</pre> | <pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D</pre> | ||
This is the dummy IDPS that is used | This is the dummy IDPS that is used when some Reference Tool PS3's IDPS fails to be decrypted from flash. That IDPS belongs to a Reference Tool DECR-1000A. The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it. | ||
Source: [http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/ rms' blogtext]. | Source: [http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/ rms' blogtext]. | ||
<pre> | |||
00 00 00 01 <- Magic | |||
00 81 <- Reference Tool Product Code | |||
00 01 <- DECR-1000/TMU-520 Product Sub Code | |||
03 <- Chassis Check | |||
FF <- unk0 (dummy) | |||
FF FF <- unk1 (dummy) | |||
18 43 C1 4D <- unk2 | |||
</pre> | |||
== Dummy PSP Emulator IDPS == | == Dummy PSP Emulator IDPS == | ||
Line 43: | Line 55: | ||
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x0C, 0x40, 0x00, 0xB1, 0x0E, 0x69, 0x69, 0x78</pre> | <pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x0C, 0x40, 0x00, 0xB1, 0x0E, 0x69, 0x69, 0x78</pre> | ||
Found | Found into the emulator_drm.sprx (iso self inside). | ||
== | == Chassis Check == | ||
The Chassis Check seems to be still a secret, or at least it's not 100% clear what it represents. According to the analysis of many different models of PSP, PS3, PSVita and PS4, it is clear that the only possible values are:<br> | |||
* | *0x03 in PS3 reference tool dummy IDPS only | ||
* | *0x04 | ||
* | *0x0C in PSVita only ? (never found in PS3) | ||
*0x10 | |||
*0x14 | |||
*0xF4 | |||
*0x90 in PSVita only ? (never found in PS3) | |||
<s>We clearly see that most of PS3 models released at the same period have the same Chassis Check, and that the more the console is released late, the more high the Chassis Check is.</s><br> | |||
In the PS3 every PS3 model/motherboard seems to start with 0x04 (ie: we have reports of COK-001, SEM-001, DIA-001, DIA-002, VER-001, JTP-001/JSD-001, all them with 0x0400), but we also have reports of the same motherboards with higher values, see [[Talk:IDPS|talk page]] | |||
<abbr style="color:red">'''Speculation''': That increase of the value could be related with the production dates, or could be an identifyer of the factory where it was produced, or other stuff like that directly related with the production</abbr> | |||
*Chasis check speculation (bytes 9th and 10th): | |||
**9th byte (most common: 0x04, 0x10, 0x14, 0xF4), ...or 0x03 in the PS3 Reference Tool dummy IDPS, ...or 0x90 in PSVita | |||
***1st [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, 1, F, ...or 9 in PSVita | |||
***2nd [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, 4, ...or 3 in the PS3 Reference Tool dummy IDPS, ...or C in PSVita | |||
**10th byte (seems to be a counter, biggest value found 0x22), ...or 0xFF in the PS3 Reference Tool dummy IDPS, ...or 0x40 in the PSP dummy IDPS | |||
***1st [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, 1, 2 | |||
***2nd [https://en.wikipedia.org/wiki/Nibble nibble] values: too random to find a pattern | |||
=== Right shifting theory === | |||
Doing [https://en.wikipedia.org/wiki/Arithmetic_shift right shift] by 2 results in: | |||
*0x03 >> 2 gives 0 | |||
*0x04 >> 2 gives 1 | |||
*0x0C >> 2 gives 3 | |||
*0x10 >> 2 gives 4 | |||
*0x14 >> 2 gives 5 | |||
*0xF4 >> 2 gives 61 <-- that's an exception, in the [[Talk:IDPS|talk page]] there are 4 reports using 0xF4, only one of them is marked as refurbished | |||
*Critics: | |||
**This procedure reduces the total number of posible results a lot, it seems to be a bit pointless to store the "non-bitshifted" value instead of the result of the bitshift | |||
== Last 6 bytes of IDPS == | |||
It seems to be an unique identifyer, the dummy IDPS used in the reference tool PS3 models seems to indicate is composed of 2 parts: unk1[2], unk2[4] | |||
*Bytes 11th and 12th: (0xFF 0xFF in the Dummy Reference Tool IDPS) | |||
*Bytes 13th, 14th, 15th, 16th: per console identifyer ? a hash / encryption of previous bytes ? encrypted timestamp ? | |||
== PS3 IDPS Regex == | |||
Based on 300+ PS3 IDPS dumps | |||
0{7}10{2}8[456789ACE]000[6789ABCD][01F][04][0123][0123456789ABCDEF]{13} | |||
= Location = | = Location = | ||
== | == NAND/NOR == | ||
The | The IDPS can be found in EID0 and EID5. See [[Flash:Encrypted_Individual_Data_-_eEID#EID0|Flash]] (NAND @ 0x80870 / NOR @ 0x2F070). | ||
== Network (PSN connections) == | == Network (PSN connections) == | ||
=== idpstealer.exe === | === idpstealer.exe === | ||
* Patched since FW 4.70 and deprecated since ps3exploit | * Patched since FW 4.70 and deprecated since ps3exploit | ||
* This method no longer works because now Sony uses '''OpenPSID''' instead of '''IDPS''' although the key/algorithm remains the same | * This method no longer works because now Sony uses '''OpenPSID''' instead of '''IDPS''' although the key/algorithm remains the same | ||
Line 113: | Line 152: | ||
== Bruteforce == | == Bruteforce == | ||
You can verify the IDPS of a PS3 console through 2 ways: | You can verify the IDPS of a PS3 console through 2 ways : param.sfo of savedata or HDD backup from PS3. You would need to bruteforce 7 bytes, if you could take care of all the possibilities for Chassis Check. | ||
Problem: "My old PS3 received the YLOD, however I have a hard | Problem: "My old PS3 received the YLOD, however I have a hard drive backup of it, but not longer have the actual unit, but I do have a new PS3. I want to recover all my data to my new PS3, but need to be able to dump all the data from archive2.dat to create a fresh backup with all the data to restore to the new unit. Anyone have any suggestions or know of a way I could crack the IDPS used to encrypt my backup ?" | ||
How is the current state (or former experience) with bruteforcing the IDPS from the IDPS hash of a PARAM.SFO file (second hash iirc). I mean most of the information is known so in the best case you chose your region and model and only have to bruteforce the last six bytes (if the Chassis Check was known better). If the scene could establish some kind of standard or bruteforce blueprint, like a blank PARAM.SFO of the PS3 singstar app, which should look the same on every console, someone could even work on a rainbow table for IDPS. Just some thoughts from zecoxao, someone who just entered the PS3 dev scene, so don't be too harsh please ;) | |||
The easiest would be of course param.sfo of savedata, by manually verifying a certain sha1-hmac made from the file PARAM.PFD with idps as key. I was just looking into that and did a small PoC in c#, which BFs my IDPS. But even with all optimizations (especially for C#) and running on all cores with parallelization it isn't really THAT fast. Moreover, I even cheated and only bruteforced the last six bytes of my (known) IDPS. It's currently still running xD. Using openCL would help, because graphic cards are naturally faster than CPUs. Currently looking into that, but I never worked with openCL before and can't even find a hmac/sha1 kernel for openCL. Like nobody every did that before ... ;) [https://searchcode.com/codesearch/view/45893397/ useful?] | |||
= IDPS dumping Tools = | = IDPS dumping Tools = | ||
== PS3 Model Detection == | == PS3 Model Detection == | ||
Source: http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/] | Source: http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/] | ||
<pre> | <pre> | ||
Dumping PS3 Model Data: | Dumping PS3 Model Data: | ||
Line 151: | Line 190: | ||
== IDPS Viewer == | == IDPS Viewer == | ||
Source [http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer link] | Source [http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer link] | ||
* Displays the IDPS | * Displays the IDPS | ||
* Shows Product Code | * Shows Product Code | ||
Line 159: | Line 196: | ||
* Save IDPS (16 bytes from EID) into dev_hdd0/IDPS.bin file | * Save IDPS (16 bytes from EID) into dev_hdd0/IDPS.bin file | ||
== | == Multiman == | ||
IDPS is displayed under setting information in MultiMan. | |||
IDPS is displayed under setting information in | |||
{{Flash}} | {{Flash}} | ||
{{Development}}<noinclude>[[Category:Main]]</noinclude> | {{Development}}<noinclude>[[Category:Main]]</noinclude> |