Editing User talk:Zecoxao
= The Last Piece of the Puzzle =
* http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301)
* http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation)
* http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag
* http://www.psdevwiki.com/ps3/Talk:Service_Connectors
* http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring
* http://www.psdevwiki.com/ps3/SIG_File_Format
* http://i.imgur.com/xQizq0K.png
* http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg
* http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png
* http://en.wikipedia.org/wiki/ARM7#ARM7TDMI
* http://www.fpga4fun.com/images/JTAG_TAP.gif
* http://hsb.wikidot.com/arduino-jtag-finder-workshop
* https://www.youtube.com/watch?v=Up0697E5DGc
* http://urjtag.org/
* http://i.imgur.com/O10hqAK.png
* http://pastie.org/private/grd5u9izjlglkult64rta
* http://psx-scene.com/forums/f149/brick-recovery-research-74903/index37.html#post786487
* http://i.imgur.com/o9R0YjJ.jpg
= How =
* By enabling diagnostic mode on the PS3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)
* It is possible to dump the syscon firmware using this method (in unencrypted state)
* The JTAG registers/TAP controllers need to be brute-forced / reverse engineered
* The leaked service manuals present information about the pins connected to the JigPin
* The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the PS3 using JTAG
* Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this.
* This would probably work on PS4 too (provided that the diag pin and the JTAG pins still exist)
= Alternative (Through EEPROM, many thanks to ZeroTolerance for the info) =
* Analyzer settings:
http://pastie.org/private/khwaczthr5j2td9jmdfihq
* More info:
http://pastie.org/private/f7siriweadsnrpq6dilq
* Read command:
0xA8 0xXX 0xXX (XX XX is block id)
* Write command:
0xA4 0xXX 0xXX (XX XX is block id)
* Some proof
https://mega.co.nz/#!hssQHZhI!bNMS3MgWx21iUrfLGBSoB2bA3Mfe3DVL23y_SENzDUw
you need https://www.saleae.com/downloads
* https://mega.co.nz/#!UltlyCTL!TAooXpYEWU3DmYlnHbY1FX4IX8WwdZlLeSOXh9mh3nM
dump of eeprom with above data