Editing IDPS

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
The IDPS is a 16 bytes value that contains console specific information.
= Description =
= Description =


The IDPS, also named ConsoleId or PSID, is a sequence of 16 bytes which is used as a unique per-console identifier for PlayStation consoles. The IDPS is stored and certified in [[Flash:Encrypted Individual Data - eEID|EID]].
The IDPS is a sequence of bytes which is used as a unical per-console Identifier. The IDPS is stored and certified in [[Flash:Encrypted Individual Data - eEID|EID]].


= Structure =
= Structure =


<pre>
<pre>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Chassis Check
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&dArr;&nbsp;                   
00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&uArr;&nbsp;&uArr;&nbsp;&nbsp;&nbsp;&uArr;&nbsp;&uArr;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&uArr;&nbsp;&uArr;&nbsp;&nbsp;&nbsp;&uArr;&nbsp;&uArr;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Product Code&nbsp;&nbsp;Product Sub Code
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Product Code&nbsp;&nbsp;Model type
&nbsp;&nbsp;&nbsp;&nbsp;(Internal:Product Code)&nbsp;&nbsp;&nbsp;(Internal: Product Sub Code)
</pre>
</pre>


* 1st and 2nd bytes represent the magic (always 00 00)
5th and 6th byte represent [[Product Code]].
* 3rd and 4th bytes represent the Company (usually SCE)
 
* 5th and 6th bytes represent the [[Product Code]]
7th and 8th byte represent [[Product Sub Code]] <!--// Note that CECHAxx is type 0x01 and CECHBxx is type 0x02 but they both have a COK-001 motherboard... (Changing 0x02 to 0x01 in CECH-B will enable wifi options in menu. But there is still missing hardware), and at the opposite... CECH-25xx models are type 0x0B but with 2 possible motherboards: JSD-001 or JTP-001//-->
* 7th and 8th bytes represent the [[Product Sub Code]] <!--// Note that CECHAxx is type 0x01 and CECHBxx is type 0x02 but they both have a COK-001 motherboard... (Changing 0x02 to 0x01 in CECH-B will enable wifi options in menu. But there is still missing hardware), and at the opposite... CECH-25xx models are type 0x0B but with 2 possible motherboards: JSD-001 or JTP-001//-->
* remaining 8 bytes are parsed by bits not by bytes (see [[IDPS#IDPS second half]])


<pre>
9th byte represents <abbr title="To convert it to chassis revision, right shift it by 2 : (0x14 &gt;&gt; 0x2) = 5">chassis check</abbr>
00 00 <- Unknown
00 01 <- Company (SCE)
00 89 <- Product Code: PS3, CEX, oceania
00 0B <- Product Sub Code: CECH-25xx (25xx series)
14 00 EF DD CA 25 52 66 <- Second half: factory code 5, no Ps Flag, serial number 61405, random stamp CA 25 52 66
</pre>


== Dummy PSP IDPS in Kicho & Dengo Program ==
10th byte represents an unknown model identifier


<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x07, 0xFF, 0x03, 0xFF, 0xFF, 0xFF, 0xD7, 0xC3, 0xE5, 0x5A</pre>
remaining bytes seam to be an identifier generated from some per console data


Found in PSP Kicho & Dengo Tool flashData.prx.
<pre>
00 00 00 01 <- Magic
00 89 <- Product Code
00 0B <- Product Sub Code
14 <- Chassis Check
00 EF DD <- unk0, FF FF FF in the dummy IDPS
CA 25 52 66 <- unk1, some unique ID
</pre>


== Dummy Reference Tool IDPS ==
== Dummy Reference Tool IDPS ==
Line 35: Line 39:
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D</pre>
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D</pre>


This is the dummy IDPS that is used by PS3 Reference Tool aim_iso when IDPS fails to be obtained from flash. That IDPS belongs to a Reference Tool DECR-1000A. The Reference Tool IDPS from above is static. PS3 CEX 3.55 does not have it.
This is the dummy IDPS that is used when some Reference Tool PS3's IDPS fails to be decrypted from flash. That IDPS belongs to a Reference Tool DECR-1000A. The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it.


Source: [http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/ rms' blogtext].
Source: [http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/ rms' blogtext].
Line 43: Line 47:
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x0C, 0x40, 0x00, 0xB1, 0x0E, 0x69, 0x69, 0x78</pre>
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x0C, 0x40, 0x00, 0xB1, 0x0E, 0x69, 0x69, 0x78</pre>


Found in emulator_drm.sprx (iso self inside).
Found into the emulator_drm.sprx (iso self inside).
 
== IDPS Regex ==
 
=== PS3 ===


== IDPS second half ==
0{7}10{2}8[456789ACE]000[6789ABCD][01F][04][0123][0123456789ABCDEF]{13}


*Byte 8 bits 0-5: Factory Code
Based on 300+ PS3 IDPS dumps.
*Byte 8 bits 6-7 and bytes 9-10-11: Serial Number
*Byte 8 bits 6-7 and byte 9 bits 0-5: Ps Flags on PSP with Diag Factory Code
*Bytes 12-15: Random Stamp (guessed name). 3 theories: 1) totally random number, 2) hash of previous bytes (then there would exist at least 3 keysets), 3) encrypted timestamp.


== IDPS Regex ==
== Chassis Check ==
 
The Chassis Check seems to be still a secret, or at least it's not 100% clear what it represents. So my immediate question was of course: if it's not clear what this means, how does the scene even know that it's called "Chassis Check" at all? Where does this information come from? According to the analysis of many different models of PSP, PS3, PSVita and PS4, it is clear that the only possible values are 0x3, 0x4, 0xC, 0x10, 0x14 and 0xF4 (and 0x90 for PSVita).


Based on 16 millions of PS3 IDPS dumps, on other PS consoles dumps and on IDPS structure.
*Doing [https://en.wikipedia.org/wiki/Arithmetic_shift right shift] by 2 results in:
**0x3 >> 2 gives 0
**0x4 >> 2 gives 1
**0xC >> 2 gives 3
**0x10 >> 2 gives 4
**0x14 >> 2 gives 5
**0xF4 >> 2 gives 61 <-- that's an exception, found in refurbished PS3


<pre>0{7}10[012][089A][0123456789ABCDEF]00[0123456789ABCDEF]{18}</pre>
We clearly see that most of PS3 models released at the same period have the same Chassis Check, and that the more the console is released late, the more high the Chassis Check is.


Restricted to PS3:
*Chasis check speculation (bytes 9th and 10th):
**9th byte (most common: 0x04, 0x10, 0x14, 0xF4), 0x03 in the "Dummy IDPS"
***First [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, 1, or F
***Second [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, or 4, 3 in the Dummy Reference Tool IDPS
**10th byte (seems to be a counter, biggest value found 0x22), 0x40 in the Dummy PSP IDPS, 0xFF in the Dummy Reference Tool IDPS
***First [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, 1, or 2
***Second [https://en.wikipedia.org/wiki/Nibble nibble] values: too random to find a pattern


<pre>0{7}100[89A][0123456789ABCDEF]00[0123456789ABCDEF]{18}</pre>
*Next 6 bytes speculation
**11th and 12th: (0xFF 0xFF in the Dummy Reference Tool IDPS)
**13th, 14th, 15th, 16th: per console identifyer ? a hash / encryption of previous bytes ? encrypted timestamp ?


= Location =
= Location =


== Serial flash ==
== NAND/NOR ==


The PS3 IDPS can be found in serial flash, precisely in EID0 and EID5. See [[Flash:Encrypted_Individual_Data_-_eEID#EID0|Flash]] (NAND @ 0x80870 / NOR @ 0x2F070).
The IDPS can be found in EID0 and EID5. See [[Flash:Encrypted_Individual_Data_-_eEID#EID0|Flash]] (NAND @ 0x80870 / NOR @ 0x2F070).


== Network (PSN connections) ==
== registry? ==


=== idpstealer.exe ===
?It can also be found in registry/application_persistent file inside playstation Store folder (as DeviceID)?


* Patched since FW 4.70 and deprecated since ps3exploit
== PSN ==
* This method no longer works because now Sony uses '''OpenPSID''' instead of '''IDPS''' although the key/algorithm remains the same
 
* This should work also on PS4 and PSVita, but with a different key (not known/public atm)
=== idpstealer (patched since FW 4.70 and deprecated since ps3exploit) ===
* Download links: [https://dl.dropboxusercontent.com/u/35197530/zip/idpstealer.7z 1], or [https://web.archive.org/web/20160309135920/http://pastie.org/private/wlakfucps3bc21dfuosdtg 2]


<div style="border-width: 1px; border-style:dashed; border-color:#000000; padding: 10px; background-color:#FFFFFF; color:#000000; ">
<div style="border-width: 1px; border-style:dashed; border-color:#000000; padding: 10px; background-color:#FFFFFF; color:#000000; ">
Line 100: Line 120:
  Starting proxy server on 192.168.1.13:1337
  Starting proxy server on 192.168.1.13:1337
  IDPS have been successfully written to: idps.bin
  IDPS have been successfully written to: idps.bin
https://dl.dropboxusercontent.com/u/35197530/zip/idpstealer.7z
https://web.archive.org/web/20160309135920/http://pastie.org/private/wlakfucps3bc21dfuosdtg
* This method no longer works because now Sony uses '''OpenPSID''' instead of '''IDPS''' although the key/algorithm remains the same.
* This should work also on PS4 and PSVita, but with a different key (not known/public atm)
= Changing IDPS =
Theory: If you give a slim console a fat IDPS, would that console have 3.15 OtherOS functionality?
I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20xx/DYN-001, because CECH-21xx/SUR-001 use different drivers for RSX). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (of course you can use OtherOS++).


= Obtaining IDPS of a PS3 =
= Obtaining IDPS of a PS3 =
Line 113: Line 146:
== Bruteforce ==
== Bruteforce ==


You can verify the IDPS of a PS3 console through 2 ways: PARAM.SFO of savedata or HDD backup from PS3 Backup Utility. You would need to bruteforce about 7 bytes, if you know the PS3 model.
You can verify the IDPS of a PS3 console through 2 ways : param.sfo of savedata or HDD backup from PS3. You would need to bruteforce 7 bytes, if you could take care of all the possibilities for Chassis Check.
 
Problem: "My old PS3 received the YLOD, however I have a hard drive backup of it, but not longer have the actual unit, but I do have a new PS3. I want to recover all my data to my new PS3, but need to be able to dump all the data from archive2.dat to create a fresh backup with all the data to restore to the new unit. Anyone have any suggestions or know of a way I could crack the IDPS used to encrypt my backup ?"
 
How is the current state (or former experience) with bruteforcing the IDPS from the IDPS hash of a PARAM.SFO file (second hash iirc). I mean most of the information is known so in the best case you chose your region and model and only have to bruteforce the last six bytes (if the Chassis Check was known better). If the scene could establish some kind of standard or bruteforce blueprint, like a blank PARAM.SFO of the PS3 singstar app, which should look the same on every console, someone could even work on a rainbow table for IDPS. Just some thoughts from zecoxao, someone who just entered the PS3 dev scene, so don't be too harsh please ;)
 
The easiest would be of course param.sfo of savedata, by manually verifying a certain sha1-hmac made from the file PARAM.PFD with idps as key. I was just looking into that and did a small PoC in c#, which BFs my IDPS. But even with all optimizations (especially for C#) and running on all cores with parallelization it isn't really THAT fast. Moreover, I even cheated and only bruteforced the last six bytes of my (known) IDPS. It's currently still running xD. Using openCL would help, because graphic cards are naturally faster than CPUs. Currently looking into that, but I never worked with openCL before and can't even find a hmac/sha1 kernel for openCL. Like nobody every did that before ... ;) [https://searchcode.com/codesearch/view/45893397/ useful?]


Problem: "My old PS3 received the YLOD, however I have a hard disk drive backup of it, but I no longer have the actual unit, and I do have a new PS3. I want to recover all my data to my new PS3, but I need to be able to dump all the data from archive2.dat to create a fresh HDD backup with all the data to restore to my new PS3 unit. So I need to crack the IDPS used to encrypt the backup."
= Tools =


Solution (to test) by zecoxao: "Bruteforce the IDPS from the IDPS hash of a PARAM.SFO file (second hash iirc). You select your region and model and only have to bruteforce the last six bytes. If the scene could establish some kind of standard or bruteforce blueprint, like a blank PARAM.SFO of the PS3 SingStar application, which should look the same on every console, someone could even work on a rainbow table for IDPS. The easiest would be PARAM.SFO of savedata, by manually verifying a certain sha1-hmac made from the file PARAM.PFD with IDPS as key. I was just looking into that and made a small PoC in C#, which bruteforces my PS3 IDPS. But even with all optimizations (especially for C#) and running on all cores with parallelization it is not really that fast. Moreover, I even cheated and only bruteforced the last six bytes of my known IDPS. It is currently still running... Using openCL would help, because graphic cards are naturally faster than CPUs. Currently looking into that, but I never worked with openCL before and cannot even find a hmac/sha1 kernel for openCL. Like nobody every did that before ... ;) [https://searchcode.com/codesearch/view/45893397/ useful?]"
== PS3 Identification tools ==


= IDPS dumping Tools =
=== Multiman ===


== PS3 Model Detection ==
IDPS is displayed under setting information in MultiMan.
 
=== [Homebrew-App] PS3 Model Detection ===


Source: http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/]
Source: http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/]
Line 150: Line 191:
* Also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc.
* Also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc.


== IDPS Viewer ==
=== [Homebrew-App] IDPS Viewer ===


Source [http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer link]
Source [http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer link]
Line 159: Line 200:
* Save IDPS (16 bytes from EID) into dev_hdd0/IDPS.bin file
* Save IDPS (16 bytes from EID) into dev_hdd0/IDPS.bin file


== multiMAN ==
IDPS is displayed under setting information in multiMAN PS3 homebrew.
= See also =
[https://github.com/CelesteBlue-dev/PS-ConsoleId-wiki PS ConsoleId wiki by CelesteBlue]


{{Flash}}
{{Flash}}
{{Development}}<noinclude>[[Category:Main]]</noinclude>
{{Development}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)