Editing ReDRM / Piracy dongles
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
=Description= | =Description= | ||
Dongle is DRM to make sure you have the dongle, the firmware 'special' functionality will not work without it. | |||
Contentdisc's contain fself'ed eboot.bin's | |||
== Downloads == | |||
* MFW: [http://www.multiupload.com/O7SP26A83E Jailbreak2.CFW.rar (172.34 MB)]<!--//http://www.filesonic.nl/file/2688912531/Jailbreak2.CFW.zip (password: whyudie)//--> | |||
* Dongle Updater: [http://www.multiupload.com/9YPQX47G7F JB2.Dongle.Updater.rar (2.1 MB)]<!--//http://www.filesonic.nl/file/2689038911/JB2.Dongle.Updater.zip (password: whyudie)//--> | |||
=== FW Info === | |||
<pre>PS3 System Software | |||
MFW 3.55-Dongle (Jailbreak2.CFW) | |||
filedate: juli 13 2011 2:08:58 | |||
174639 KB | |||
MD5: 43C522F8897D77B6165F95BCF3409090 | |||
SHA1: A64B010DB98996C7E53768D37D4D346F271D5950 | |||
CRC32: A32FDD1D | |||
CRC16: 6420 | |||
HMAC_SHA1: 0x88EF9FEB9BB80ABE7CF68EB3BD76148F7AD6230C | |||
Remarks: needs JB2 dongle as DRM</pre> | |||
<pre>PUP file information | |||
Package version: 1 | |||
Image version: 47517 | |||
File count: 7 | |||
Header length: 528 | |||
Data length: 178829542 | |||
PUP file hash : 88EF9FEB9BB80ABE7CF68EB3BD76148F7AD6230C | |||
File 0 | |||
Entry id: 0x100 | |||
Filename : version.txt | |||
Data offset: 0x210 | |||
Data length: 13 | |||
File hash : 8E533875E1B43B6CBAF5E91663EB7554107B5509 | |||
File 1 | |||
Entry id: 0x101 | |||
Filename : license.xml | |||
Data offset: 0x21D | |||
Data length: 267513 | |||
File hash : B77EFE54859738385DD803E88FB5E807FF1BC6AB | |||
File 2 | |||
Entry id: 0x103 | |||
Filename : update_flags.txt | |||
Data offset: 0x41716 | |||
Data length: 5 | |||
File hash : FD7C893936FDFC668922BE6D119A462111B2BBDB | |||
File 3 | |||
Entry id: 0x200 | |||
Filename : ps3swu.self | |||
Data offset: 0x4171B | |||
Data length: 5661656 | |||
File hash : C61DDE12E75C2218214700D7D49006583F1B968B | |||
File 4 | |||
Entry id: 0x201 | |||
Filename : vsh.tar | |||
Data offset: 0x5A7AF3 | |||
Data length: 10240 | |||
File hash : D9B66E0D2845D71A67D76E7907AB06368CE61E08 | |||
File 5 | |||
Entry id: 0x202 | |||
Filename : dots.txt | |||
Data offset: 0x5AA2F3 | |||
Data length: 3 | |||
File hash : 1AA4749D0EE0D0AE937FBF73BC4B9ACD352F732A | |||
File 6 | |||
Entry id: 0x300 | |||
Filename : update_files.tar | |||
Data offset: 0x5AA2F6 | |||
Data length: 172890112 | |||
File hash : 93A7A95BFCFC263DCB4A18477062FDCC72BE47A0</pre> | |||
=Content discs= | |||
== EBOOT.BIN details == | |||
===SELF header=== | |||
elf #1 offset: 00000000_00000090 | |||
header len: 00000000_00000a80 | |||
meta offset: 00000000_000004a0 | |||
phdr offset: 00000000_00000040 | |||
shdr offset: 00000000_002117f8 | |||
file size: 00000000_0021150c | |||
auth id: 10100000_01000003 (Unknown) | |||
vendor id: 01000002 | |||
info offset: 00000000_00000070 | |||
sinfo offset: 00000000_00000290 | |||
version offset: 00000000_00000390 | |||
control info: 00000000_000003c0 (00000000_00000100 bytes) | |||
app version: 1.0.0 | |||
SDK type: Devkit | |||
app type: NP-DRM application | |||
===Control info=== | |||
control flags: | |||
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |||
file digest: | |||
62 7c b1 80 8a b9 38 e3 2c 8c 09 17 08 72 6a 57 9e 25 86 e4 | |||
f1 95 cf a4 c0 04 0f c9 14 de 1f 9a 21 4e 10 ca 6b a6 8c 86 | |||
NPDRM info: | |||
magic: 4e504400 | |||
unk0 : 00000001 | |||
unk1 : 00000003 | |||
unk2 : 00000001 | |||
content_id: IV0002-NPXS00020_00-TEST000000000001 | |||
digest: 09 37 f1 32 60 b9 70 02 76 9e e4 0f 7b 10 70 0f | |||
invdigest: f6 c8 0e cd 9f 46 8f fd 89 61 1b f0 84 ef 8f f0 | |||
xordigest: 5c 62 a4 67 35 ec 25 57 23 cb b1 5a 2e 45 25 5b | |||
===Section header=== | |||
offset size compressed unk1 unk2 encrypted | |||
00000000_00000a80 00000000_00209dc0 [NO ] 00000000 00000000 [NO ] | |||
00000000_00210a80 00000000_000005b0 [NO ] 00000000 00000000 [NO ] | |||
00000000_00211030 00000000_00000000 [NO ] 00000000 00000000 [NO ] | |||
00000000_00211030 00000000_00000000 [NO ] 00000000 00000000 [NO ] | |||
00000000_00211030 00000000_00000000 [NO ] 00000000 00000000 [NO ] | |||
00000000_00210df8 00000000_00000004 [NO ] 00000000 00000000 [N/A] | |||
00000000_0020a7e0 00000000_00000020 [NO ] 00000000 00000000 [N/A] | |||
00000000_0020a800 00000000_00000040 [NO ] 00000000 00000000 [N/A] | |||
===Encrypted Metadata=== | |||
no encrypted metadata in fselfs. | |||
===ELF header=== | |||
type: Executable file | |||
machine: PowerPC64 | |||
version: 1 | |||
phdr offset: 00000000_00000040 | |||
shdr offset: 00000000_00210e08 | |||
entry: 00000000_002200f0 | |||
flags: 00000000 | |||
header size: 00000040 | |||
program header size: 00000038 | |||
program headers: 8 | |||
section header size: 00000040 | |||
section headers: 28 | |||
section header string table index: 27 | |||
=FW analysis= | |||
== FW Changes == | |||
Compared to OFW 3.55: | |||
[http://www.multiupload.com/LAIIB6IMX0 ofw-vs-jb2.rar (4.18 MB)] | |||
====EULA.xml==== | |||
<pre> <str id="msg_updater_10">This update will install PS3 system software version 3.55, modified to support homebrew software and the disc dongle.</str> </pre> | |||
====Version.txt==== | |||
<pre>3.55-Dongle</pre> | |||
===CORE_OS_PACKAGE.pkg=== | |||
====lv1.self==== | |||
Just one patch: | |||
<pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
OFW: 000F5A40 39 20 00 00 9 .. li r9,0 | |||
JB2: 000F5A40 39 20 00 01 9 .. li r9,1</pre> | |||
<!--// ofw: 2d5a44: 39 20 00 00 li r9,0 / jb2: 2d5a44: 39 20 00 01 li r9,1//--> | |||
This is in lv1_map_htab to allow for RW mapping of all RAM. So who knows how many other lv1 patches are done at runtime. | |||
====lv2_kernel.self==== | |||
===dev_flash_010.tar.aa.2010_11_27_051337=== | |||
====\dev_flash\vsh\module\nas_plugin.sprx==== | |||
<pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
OFW: 00003250 7C 60 1B 78 |`.x mr r0, r3 | |||
JB2: 00003250 38 00 00 00 8... li r0, 0</pre> | |||
<pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||
OFW: 00037350 41 9E 00 4C Až.L beq- cr7,4c | |||
JB2: 00037350 60 00 00 00 `... nop</pre> | |||
"standard pkg patches" | |||
===dev_flash_016.tar.aa.2010_11_27_051337=== | |||
====\dev_flash\vsh\resource\explore\xmb\category_game.xml==== | |||
====\dev_flash\vsh\resource\explore\xmb\category_video.xml==== | |||
= Hardware Dongle = | = Hardware Dongle = | ||
<table width="100%" align="left"><tr> | <table width="100%" align="left"><tr> | ||
<td align="left">[[File:Psjb2-Trueblue-OVERVIEW.jpg|200px|thumb|left|Psjb2 Trueblue - OVERVIEW]]</td> | <td align="left">[[File:Psjb2-Trueblue-OVERVIEW.jpg|200px|thumb|left|Psjb2 Trueblue - OVERVIEW]]</td> | ||
Line 29: | Line 183: | ||
<td align="left">[[File:Psjb2-Trueblue-BOTTOM.jpg|200px|thumb|left|Psjb2 Trueblue - BOTTOM]]</td></tr></table> | <td align="left">[[File:Psjb2-Trueblue-BOTTOM.jpg|200px|thumb|left|Psjb2 Trueblue - BOTTOM]]</td></tr></table> | ||
== Components == | |||
=== Actel ProASIC3 A3P250 - FPGA === | |||
A3P250 = 250,000 System Gates | A3P250 = 250,000 System Gates | ||
blank = Speed Grade: Standard | blank = Speed Grade: Standard | ||
Line 43: | Line 197: | ||
Familyroot: http://www.actel.com/products/pa3/ <br /> | Familyroot: http://www.actel.com/products/pa3/ <br /> | ||
==== Pinout A3P250 VQ100==== | |||
<div style="float:right">[[File:VQ100.png|200px|thumb|left|Actel ProASIC3 A3P250 - FPGA (psjb2-Trueblue) VQ100 package]]</div> | <div style="float:right">[[File:VQ100.png|200px|thumb|left|Actel ProASIC3 A3P250 - FPGA (psjb2-Trueblue) VQ100 package]]</div> | ||
<div style="height:350px; overflow:auto"> | <div style="height:350px; overflow:auto"> | ||
Line 253: | Line 407: | ||
</div> | </div> | ||
=== 24.000 MHz Crystal === | |||
CLK for Actel <br /> | CLK for Actel <br /> | ||
=== AMS1117 2.851049 - Low Dropout Linear Regulator === | |||
Datasheet: | Datasheet: http://www.sltdigital.com/product/product_pdf/AMS1117.pdf / http://home1.cyber-labo.co.jp/board/goods/pdf/AMS1117.pdf <br /> | ||
[[:File:AMS1117 - SOT-223.png]] | [[:File:AMS1117 - SOT-223.png]] | ||
=== A 47 (unreferenced 5pin IC) === | |||
<div style="float:right">[[File:SOT5.PNG|200px|thumb|left|5-pin SOT5<br />A 47<br />pinout]]</div> | <div style="float:right">[[File:SOT5.PNG|200px|thumb|left|5-pin SOT5<br />A 47<br />pinout]]</div> | ||
Line 285: | Line 437: | ||
|} | |} | ||
=== Winbond 25X16AVS1G (SPI Flash 16Mbit) === | |||
<div style="float:right">[[File:W25X16A - SOIC-8.png|200px|thumb|left|8-pin TSSOP<br />Winbond 25X16A<br />SOIC-8 pinout]]</div> | |||
<div style="float:right">[[File:W25X16A - SOIC-8.png|200px|thumb|left|8-pin TSSOP<br />Winbond 25X16A<br />SOIC-8 pinout]] | |||
<pre>W - Winbond | <pre>W - Winbond | ||
25X - SPI Flash | 25X - SPI Flash | ||
16 - 16Mbit / 2M-byte (Uniform 4Kbyte sectors/64Kbyte blocks) | |||
AVS1G - 100MHz (200Mbits/sec)</pre> | |||
datasheet: [http://www.multiupload.com/P2833U5SOW W25X16A.pdf (1.3 MB)] | |||
datasheet: [http://www. | |||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- bgcolor="#cccccc" | |- bgcolor="#cccccc" | ||
! Pin !! Usage | ! Pin !! Usage !! Remarks | ||
|- | |- | ||
| | | 1 || /CS || Chip Select | ||
|- | |- | ||
| | | 2 || DO || Data output | ||
|- | |- | ||
| | | 3 || /WP || Write Protect | ||
|- | |- | ||
| | | 4 || GND || Ground | ||
|- | |- | ||
| | | 5 || DIO || Serial data input/output | ||
|- | |- | ||
| | | 6 || CLK || Serial Clock | ||
|- | |- | ||
| | | 7 || /HOLD || Hold | ||
|- | |- | ||
| | | 8 || VCC || Vcc (min 2.7-max 3.6V) | ||
|- | |- | ||
|} | |} | ||
= Dongle Updater PKG = | = Dongle Updater PKG = | ||
SHA1: 4066FFEFD723FAF08EB84A62F4AA38180C40129C // MD5: 0200689D58FCA0FC51F7B738C33A5DC9 // CRC32: 4D72836 // CRC16: 8A62 | SHA1: 4066FFEFD723FAF08EB84A62F4AA38180C40129C // MD5: 0200689D58FCA0FC51F7B738C33A5DC9 // CRC32: 4D72836 // CRC16: 8A62 | ||
Unpkg/unself'ed: [http://www.multiupload.com/XC00DAHUXP dongle-updater.pkg.out.rar (2.03 MB)] <br /> | |||
Plaintext visible in the unself'ed eboot.bin : http://pastebin.com/EFQczE2r (interesting note: it used /dev_hdd0/vsh/tmp.bin as temp for the payload)<br /> | Plaintext visible in the unself'ed eboot.bin : http://pastebin.com/EFQczE2r (interesting note: it used /dev_hdd0/vsh/tmp.bin as temp for the payload)<br /> | ||
== Payload == | |||
located in unself'ed eboot.bin @ offset: | located in unself'ed eboot.bin @ offset: | ||
eboot payload | eboot payload | ||
Line 935: | Line 481: | ||
002084E0 001FFFF0 EB 3B 01 F7 6F A9 CF 3C B6 EB 89 82 7D E6 7D 3B ë;.÷o©Ï<¶ë‰‚}æ}; | 002084E0 001FFFF0 EB 3B 01 F7 6F A9 CF 3C B6 EB 89 82 7D E6 7D 3B ë;.÷o©Ï<¶ë‰‚}æ}; | ||
[ | [http://www.multiupload.com/PFC3IZZNNN TB_dongle_payload.bin (2 MB)] | ||
SHA1: 43402D6FE2ECE43EBE91531EFA07C366D46DD121 // MD5: BA5AFAB174BF6003D41AC8951301B822 // CRC32: 248284D2 // CRC16: 8C78 | SHA1: 43402D6FE2ECE43EBE91531EFA07C366D46DD121 // MD5: BA5AFAB174BF6003D41AC8951301B822 // CRC32: 248284D2 // CRC16: 8C78 | ||
=== lv2 dump === | |||
payload decrypted @ LV2 dump 0x7f0000 | payload decrypted @ LV2 dump 0x7f0000 | ||
http://pastebin.com/3VG76HQs | http://pastebin.com/3VG76HQs | ||
=== descriptors === | |||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
Line 1,418: | Line 964: | ||
00000010 03 6b 2d 2c 45 d7 25 ff aa 34 b1 a8 8b 5d a7 b3 | 00000010 03 6b 2d 2c 45 d7 25 ff aa 34 b1 a8 8b 5d a7 b3 | ||
... | ... | ||