Editing Talk:IDPS
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
<!--// <mysis> after model type....in short it was right-shift 10d / 0xA //--> | |||
The | ===IDPS Examples=== | ||
The examples are ordered based in priority: first "PS3 model" (byte 8), second "chasis check" (bytes 9 and 10), and third "target id" (byte 6) | |||
The reason of why ordering the examples this way is because "PS3 model" is known, and "chasis check" is the only thing left we can deduce from the examples | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
! IDPS !! 6th<br />byte !! [[ | ! IDPS !! 6th<br />byte !! [[Target ID]] !! 8th<br />byte !! [[SKU Models|PS3 Model]] !! Notes | ||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| <code>00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D</code> || {{TID81}} || 0x01 || [[DECR-1000|DECR-1000(A/J)]] / [[DEH-Z1010]] ([[TMU-520]]) | | <code>00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D</code> || {{TID81}} || 0x01 || [[DECR-1000|DECR-1000(A/J)]] / [[DEH-Z1010]] ([[TMU-520]]) || Static Dummy IDPS | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F</code> || {{TID84}} || {{HWID01}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2</code> || {{TID8A}} || {{HWID01}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A</code> || {{TID84}} || {{HWID01}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0</code> || {{TID84}} || {{HWID01}} || | |||
| <code>00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0</code> || {{TID84}} || {{HWID01}} || | |||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B</code> || {{TID84}} || {{HWID02}} | | <code>00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B</code> || {{TID84}} || {{HWID02}} || | ||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA</code> || {{TID85}} || {{HWID03}} | | <code>00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA</code> || {{TID85}} || {{HWID03}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD</code> || {{TID85}} || {{HWID03}} | | <code>00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD</code> || {{TID85}} || {{HWID03}} || | ||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25</code> || {{TIDA0}} || 0x04 || | | <code>00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25</code> || {{TIDA0}} || 0x04 || [[GECR-1100]] ([[COK-00x#COK-002|COK-002]]) || ([[COK-00x#COK-002|COK-002]] without [[Bluetooth]]/[[Wifi]]) | ||
|- | |- | ||
| <code>00 00 00 01 00 ?? 00 04 ?? ?? ?? ?? ?? ?? ?? ??</code> || ? || ? || 0x04 || | | <code>00 00 00 01 00 ?? 00 04 ?? ?? ?? ?? ?? ?? ?? ??</code> || ? || ? || 0x04 || [[CECHExx|CECHE]] | ||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B</code> || {{TID85}} || {{HWID05}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC</code> || {{TID8C}} || {{HWID05}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F</code> || {{TID85}} || {{HWID05}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 87 00 05 10 | | <code>00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28</code> || {{TID87}} || {{HWID05}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA</code> || {{TID87}} || {{HWID05}} || (original label stated [[CECHCxx|CECHC]] model!) | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 05 14 | | <code>00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22</code> || {{TID85}} || {{HWID05}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56</code> || {{TID85}} || {{HWID05}} | | <code>00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56</code> || {{TID85}} || {{HWID05}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52</code> || {{TID84}} || {{HWID05}} | | <code>00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52</code> || {{TID84}} || {{HWID05}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D</code> || {{TID87}} || {{HWID05}} | | <code>00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D</code> || {{TID87}} || {{HWID05}} || | ||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 ?? 00 06 ?? ?? ?? ?? ?? ?? ?? ??</code> || ? || ? || 0x06 || [[CECHHxx|CECHH]] | |||
| <code>00 00 00 01 00 ?? 00 06 ?? ?? ?? ?? ?? ?? ?? ??</code> || ? | |||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85</code> || {{TID87}} || {{HWID07}} || | ||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80</code> || {{TIDA0}} || 0x08 || [[GECR-1500]] ([[VER-00x#VER-001|VER-001]]) || ([[VER-00x|VER-001]] without [[Bluetooth]]/[[Wifi]]) | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 08 10 | | <code>00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D</code> || {{TID85}} || {{HWID08}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA</code> || {{TID87}} || {{HWID08}} | | <code>00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA</code> || {{TID87}} || {{HWID08}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C</code> || {{TID89}} || {{HWID08}} | | <code>00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C</code> || {{TID89}} || {{HWID08}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7</code> || {{TID84}} || {{HWID08}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 84 00 08 14 | | <code>00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80</code> || {{TID84}} || {{HWID08}} || <!-- graf_chokolo PS3 --> | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B</code> || {{TID85}} || {{HWID08}} || | |||
| <code>00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B</code> || {{TID85}} || {{HWID08}} | |||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 09 10 | | <code>00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65</code> || {{TID85}} || {{HWID09}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 09 | | <code>00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85</code> || {{TID85}} || {{HWID09}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF</code> || {{TID84}} || {{HWID09}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 09 F4 | | <code>00 00 00 01 00 85 00 09 10 22 4D 7A 32 A4 11 F4</code> || {{TID85}} || {{HWID09}} || <!-- Serial: 02-27453973-2332262-CHECH-2004B --> | ||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17</code> || {{TID85}} || {{HWID0A}} || | |||
| <code>00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17</code> || {{TID85}} || {{HWID0A}} | |||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF</code> || {{TID85}} || {{HWID0B}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66</code> || {{TID89}} || {{HWID0B}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65</code> || {{TID8C}} || {{HWID0B}} || used by PS-Unban | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76</code> || {{TID89}} || {{HWID0B}} || <!--// bluemimmo 3.56 factory //--> | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68</code> || {{TID87}} || {{HWID0B}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D</code> || {{TID87}} || {{HWID0B}} || <!--// CECH2501B (JTP-001) bingoman with metldr2 //--> | ||
|- bgcolor="#CCCCCC" | |||
| colspan="6" | | |||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10</code> || {{TID84}} || {{HWID0C}} || used by PS-Unban | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A</code> || {{TID84}} || {{HWID0C}} || used by PS-Unban | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB</code> || {{TID84}} || {{HWID0C}} || | ||
|- | |- | ||
| <code>00 00 00 01 00 87 00 | | <code>00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18</code> || {{TID87}} || {{HWID0C}} || <!--// http://www.mediafire.com/?2j9el16bsdwqm9d //--> | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F</code> || {{TID8C}} || {{HWID0C}} || <!--// CECH3008B (KTE-001) Kill17 copypaste, no flashdump proof. Ok http://narod.ru/disk/39647482001/bkpps3.bin.html PASS: PS3 //--> | ||
|- bgcolor="#CCCCCC" | |- bgcolor="#CCCCCC" | ||
| colspan=" | | colspan="6" | | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96</code> || {{TID89}} || {{HWID0D}} || | ||
|- | |- | ||
|} | |} | ||
*Chasis check speculation (bytes 9th and 10th): | |||
**9th byte (most common: 0x04, 0x10, 0x14, 0xF4... and 03 in the "Dummy IDPS") | |||
***First [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, 1, or F | |||
***Second [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, or 4 (3 in the "Dummy IDPS") | |||
**10th byte | |||
***First [https://en.wikipedia.org/wiki/Nibble nibble] values: 0, 1, or 2 (F in the "Dummy IDPS") | |||
***Second [https://en.wikipedia.org/wiki/Nibble nibble] values: too random to find a pattern (F in the "Dummy IDPS") | |||
*Next 6 bytes speculation | |||
**11th and 12th: (FF in the "Dummy IDPS") | |||
**13th, 14th, 15th, 16th: per console identifyer ? | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
! IDPS !! 6th<br />byte !! [[ | ! IDPS !! 6th<br />byte !! [[Target ID]] !! 8th<br />byte !! [[SKU Models|PS3 Model]] !! Notes | ||
|- | |- | ||
| <code>00 00 00 01 00 | | <code>00 00 00 01 00 80 00 01 xx xx xx xx xx xx xx xx</code> || {{TID80}} || 0x01 || [[DECHAS00A/J]] ([[COK-00x#COK-001|COK-001]]) || - | ||
|- | |- | ||
| <code>00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx</code> || {{TID82}} || 0x01 || [[DECHA00A/J]] ([[COK-00x#COK-001|COK-001]]) || - | | <code>00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx</code> || {{TID82}} || 0x01 || [[DECHA00A/J]] ([[COK-00x#COK-001|COK-001]]) || - | ||
Line 209: | Line 157: | ||
|- | |- | ||
| <code>00 00 00 01 00 8F 00 0E xx xx xx xx xx xx xx xx</code> || {{TID8F}} || {{HWID0E}} || - | | <code>00 00 00 01 00 8F 00 0E xx xx xx xx xx xx xx xx</code> || {{TID8F}} || {{HWID0E}} || - | ||
|- | |||
|} | |} | ||
= | === IDPS Regex === | ||
0{7}10{2}8[456789ACE]000[6789ABCD][01F][04][0123][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF] | |||
Based on 300+ dumps | |||
=== IDPS rms blogtext === | |||
You’re probably wondering: “What the hell is this sequence of bytes?”. This is the IDPS, a sequence of bytes which determine console type. This structure is relatively undocumented until now, anyway. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections. I had made a splitter application to make your life easier a long time ago. Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo’s original payload. The IDPS is also used in various other parts of the system which could be of interest to you, but I will not discuss those right now. The IDPS itself, isn’t decrypted. | |||
The IDPS contains your target ID, motherboard? and BD? revision. The IDPS shown at the beginning of this article is the dummy IDPS, the one that’s used when your IDPS fails to be decrypted. That IDPS belongs to a DECR-1000A. The one below belongs to a European PS3, and the one below that belongs to a Australian/NZ PS3. | |||
Source: http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/ | |||
Note: The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it. | |||
===Change HWID=== | |||
Theory: If you give a slim console a fat IDPS, would that console have 3.15 OtherOS functionality? | |||
I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20../DYN-001, because CECH-21../SUR-001 use different drivers for RSX). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (ofcourse you can use OtherOS++). | |||
=== [Homebrew-App] PS3 Model Detection === | |||
http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/ | |||
<pre>Dumping PS3 Model Data: | |||
- PS3 System Target ID: 0x85 (Retail - Europe) | |||
- PS3 Motherboard Revision: 0x0B (JTP-001 Motherboard, Revision 1) | |||
- PS3 BD-Laser Revision: 0x04 (KES-400, SACD supported) | |||
Probable Model: CECH-2504A | |||
Raw Model Data: | |||
Byte 0: 0x00 | |||
Byte 1: 0x01 | |||
Byte 2: 0x00 | |||
Byte 3: 0x85 | |||
Byte 4: 0x00 | |||
Byte 5: 0x0B | |||
Byte 6: 0x00 | |||
Byte 7: 0x04</pre> | |||
'''footnotes:''' | |||
* '7th byte of IDPS' is ''not'' [[Bluray Drive]] (it was misunderstood at that time). You can see it in the example where it names incorrectly a [[CECH-25xx]] as Super Audio CD compatible with a [[KES-400]] laserslide (which in real life has either [[KES-460A]] or [[KES-470A]] without daughterboard (swap can be done without remarry). | |||
* also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc. | |||
=== [Homebrew-App] IDPS Viewer === | |||
http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer | |||
* Displays the IDPS | |||
* Shows Target ID | |||
* Displays Motherboard revision | |||
* Save <abbr title="(NAND @ 0x80870 / NOR @ 0x2F070)">IDPS</abbr> (16 bytes from EID) in dev_hdd0/IDPS.bin file | |||
===hypothesis=== | |||
the way i see it:<br> | |||
00 00 00 01 <- magic<br> | |||
00 89 <- target id<br> | |||
00 0B <- Model type<br> | |||
14 00 <- chassis check<br> | |||
EF DD <- unk1, FF FF in Dummy IDPS<br> | |||
CA 25 <- unk2<br> | |||
52 66 <- unk3<br> |