Editing User talk:Zecoxao
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
= | = The Last Piece of the Puzzle = | ||
* | * http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301) | ||
* http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation) | |||
* http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag | |||
* http://www.psdevwiki.com/ps3/Talk:Service_Connectors | |||
* http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring | |||
* http://www.psdevwiki.com/ps3/SIG_File_Format | |||
* http://i.imgur.com/xQizq0K.png | |||
* http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg | |||
* http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png | |||
* http://en.wikipedia.org/wiki/ARM7#ARM7TDMI | |||
* http://www.fpga4fun.com/images/JTAG_TAP.gif | |||
* http://hsb.wikidot.com/arduino-jtag-finder-workshop | |||
* https://www.youtube.com/watch?v=Up0697E5DGc | |||
* http://urjtag.org/ | |||
* http://i.imgur.com/O10hqAK.png | |||
* http://pastie.org/private/grd5u9izjlglkult64rta | |||
* http://psx-scene.com/forums/f149/brick-recovery-research-74903/index37.html#post786487 | |||
* http://i.imgur.com/o9R0YjJ.jpg | |||
* https://www.sendspace.com/file/qzq6a4 (Patent Explaining DECR SYSCON) | |||
* https://imgur.com/a/pR0a4 (Messages from mullion indicating erasing of User Program Area before updating) | |||
= | = How = | ||
* | * <strike>By enabling diagnostic mode on the ps3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)</strike> false | ||
* | * <strike>It is possible to dump the syscon firmware using this method (in unencrypted state) </strike> false | ||
* | * <strike>The JTAG registers/TAP-controllers need to be bruteforced / reverse engineered </strike> false | ||
* <strike>The leaked service manuals present information about the pins connected to the JigPin</strike> false | |||
* <strike>The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the ps3 using JTAG</strike> false | |||
* <strike>Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this.</strike> false | |||
* <strike>This would probably work on ps4 too (provided that the diag pin and the JTAG pins still exist)</strike> false | |||
* f0f's method is a viable way to get the ROM from later syscons | |||
* tx function can be produced and it's not required for bruteforcing | |||
* ocd flag is located somewhere in the second SFR area (which covers 0x800 bytes, minus already documented flags) | |||
* code base is located somewhere in the backup ram ( 0x800 bytes) or in the second SFR area (0x800 bytes) | |||
* second SFR area ranges from 0xF0000 to 0xF0800 | |||
* backup ram ranges from 0xF0800 to 0xF1000 | |||
* ocd flag is likely 0xF07F5 since the other SFRs are the same from RL78 to 78K0R | |||
* 486 registers from the 2nd SFR range are publically documented (https://www.youtube.com/watch?v=FdveKrmoA7E) | |||
* 1562 registers are not documented (0xF01E7 - 0xF07FF) | |||
* minimum scan area would be 0xE1A bytes (covering code base only and assuming ocd flag is the known value of 0xF07F5) | |||
* maximum scan area would be 0x55FC8A bytes (same as above and assuming ocd flag isn't known (times 0x619 bytes) | |||
* assuming that the code base is in the 2nd SFR area on RL78 and that the two devices are very similar, we could narrow down the minimum scan area to 0x61A bytes | |||
= | = To wikify = | ||
* Wikify begin (please wait...) | |||
* | * Roxanne, if you could also take care of these : http://pastebin.com/s75FzYxd , that would be awesome (i'm not sure what happened to eussNL so, i leave it on your hands.) | ||
** When I get my left hand back, then we can check this out together. [[User:Roxanne|Roxanne]] | |||
= request_idps generated files binary xor = | = request_idps generated files binary xor = | ||
* [[https://mega.co.nz/#!J1M1zKDK!MNBmfqyoqp2hJR3kj8urcKZ-b_pCVnMBrY2zcb-gTBs 2 generated cex files | * [[https://mega.co.nz/#!J1M1zKDK!MNBmfqyoqp2hJR3kj8urcKZ-b_pCVnMBrY2zcb-gTBs 2 generated cex files]] | ||
* [[https://mega.co.nz/#!N1dmQA5C!gbmqekcbUorH-2zXlakfxJNd1QMC8fSMoNl0pvdfFjs 2 generated decr files | * [[https://mega.co.nz/#!N1dmQA5C!gbmqekcbUorH-2zXlakfxJNd1QMC8fSMoNl0pvdfFjs 2 generated decr files]] | ||
* [[https://mega.co.nz/#!VlUmgJBJ!gWk0Y4aXSOu7VoxiwfpnkFpOm7pNaWJqgl39coZ93L4 2 generated dex files | * [[https://mega.co.nz/#!VlUmgJBJ!gWk0Y4aXSOu7VoxiwfpnkFpOm7pNaWJqgl39coZ93L4 2 generated dex files]] | ||
Note: files are padded 8 bytes at start, for convenience | Note: files are padded 8 bytes at start, for convenience | ||
= Wii U Key/IV Goodness = | = Wii U Key/IV Goodness = | ||
Line 538: | Line 90: | ||
|| vWii Common | || vWii Common | ||
|- | |- | ||
| Key || | | Key || - || {{sha1|56dd59752e6af1e55fc2ee7074abe2d2c9e70a10}} || style="background-color:yellow;color:black" | Confirmation Needed | ||
|| boot1 | || boot1 | ||
|- | |- | ||
| IV || {{key|4FCD24A0E4D3AB6FAE8DFD8108581DCF}} || {{sha1|a1a87792b95d0294c0867c93d46c3068c1c6d322}} || style="background-color:green;color:white" | Valid | | IV || {{key|4FCD24A0E4D3AB6FAE8DFD8108581DCF}} || {{sha1|a1a87792b95d0294c0867c93d46c3068c1c6d322}} || style="background-color:green;color:white" | Valid | ||
Line 554: | Line 103: | ||
|- | |- | ||
|} | |} | ||
= Switch Key/IV Goodness = | |||
= Switch Key/IV Goodness | {| class=wikitable | ||
! Type !! Key !! SHA1/SHA256 !! Status !! Description | |||
|- | |||
| AES-CTR || {{key|F4ECA1685C1E4DF77F19DB7B44A985CA}} || {{sha1|8c98ff409724784ddf3e3d39b60b25b7087ff537}} || style="background-color:green;color:white" | Valid || stage1_key_00 | |||
|- | |||
| AES-128-ECB || {{key|C2CAAFF089B9AED55694876055271C7D}} || {{sha1|4a98d62ff6ec0a042b7592219200e37dd9603479}} || style="background-color:green;color:white" | Valid || package1_key_00 | |||
|- | |||
| AES-128-ECB || {{key|54E1B8E999C2FD16CD07B66109ACAAA6}} || {{sha1|8cec47b1b3974eed32c03b11a9de0133d9e0f00b}} || style="background-color:green;color:white" | Valid || master_key_01 | |||
|- | |||
| AES-128-ECB || {{key|4F6B10D33072AF2F250562BFF06B6DA3}} || {{sha1|add1d37e4a5c540aeeef4050a2ab98e8b0dc1d04}} || style="background-color:green;color:white" | Valid || master_key_02 | |||
|- | |||
| AES-CTR || {{key|A35A19CB14404B2F4460D343D178638D}} || {{sha1|4d64731f7afa031c7eeae3eb2f462d55ff8ff5ae}} || style="background-color:green;color:white" | Valid || package2_key_00 | |||
|- | |||
| Kernel || - || {{sha1|124befb2895bba4db1726485daf6684b33ef5f51}} || style="background-color:green;color:white" | Valid || 1.00 Encrypted Kernel | |||
|- | |||
| System Modules || - || {{sha1|96bf598bd162d5d8c87f2b25741f758f47730c88}} || style="background-color:green;color:white" | Valid || 1.00 Encrypted System Modules | |||
|- | |||
| Modulus || | |||
<pre>B36554FB0AB01E85A7F6CF918EBA9699 | |||
0D8B91692AEE01204F345C2C4F4E37C7 | |||
F10BD4CDA17F93F13359CEB1E9DD26E6 | |||
F3BB7787467AD64E474AD141B7794A38 | |||
066ECF618FCDC1400BFA26DCC0345183 | |||
D93B11543B9627329A95BE1E681150A0 | |||
6B10A8838BF5FCBC90847A5A5C4352E6 | |||
C826E9FE06A08B530FAF1EC41C0BCF50 | |||
1AA4F35CFBF097E4DE320A9FE35AAAB7 | |||
447F5C3360B90F222D332AE969793142 | |||
8FE43A138BE726BD08876CA6F273F68E | |||
A7F2FEFB6C28660DBDD7EB42A878E6B8 | |||
6BAEC7A9E2406E892082258E3C6A60D7 | |||
F3568EEC8D518A633C0478230E900CB4 | |||
E7863B4F8E130947320E04B84D5BB046 | |||
71B05CF4AD634FC5E2AC1EC43396097B | |||
master_key_02 | |||
package2_key_00 | |||
</pre> | </pre> | ||
|| {{sha1|f847ed0465c0dfdcd2c28b3e1a6da0c0f01fbbc5}} || style="background-color:green;color:white" | Valid || Public Debug | |||
|- | |||
| Modulus || | |||
<pre> | <pre> | ||
8D13A7776AE5DCC03B25D058E4206959 | |||
554BAB7040082807A8A7FD0F312E11FE | |||
47A0F99DDF80DB865A2789CD976C85C5 | |||
6C397F41F2FF2420C395A6F79D4A4574 | |||
8B5D288AC699356885A56432809FD348 | |||
39A21D246769DF75AC12B5BDC32990BE | |||
37E4A0809ABE36BF1F2CAB2BADF59732 | |||
9A429D098B08F06347A3E91B36D82D8A | |||
D7E1541195E44588698A2B35CED0A50B | |||
D55DACDBAF114DCAB81EE7019EF446A3 | |||
8A946D76BD8AC83BD231580C79A826E9 | |||
D1799CCBD42B6A4FC6CCCF90A7B99847 | |||
FDFA4C6C6F81873BCAB850F63E395D4D | |||
973F0F353953FBFACDABA87A629A3FF2 | |||
0927963F079A91F716BFC63A825A4BCF | |||
4950958C55807E39B148051E21C7244F | |||
</pre> | </pre> | ||
|| {{sha1|a809e09f8bd790446b86f28b84a6d0f36481a245}} || style="background-color:green;color:white" | Valid || Public Retail | |||
|- | |||
|} | |||
= | = Regarding Jokes = | ||
* Sorry, but it's difficult to distinguish Contributors with Spam Users, especially when you aren't logged in and when you log in to your account with different IP Addresses (and especially with this current Spam situation). It won't happen for a second time. [[User:Roxanne|Roxanne]] 21th December 2015 (18:12 GMT+1) | |||
** It's ok, i should've logged, but i keep formatting my pc, so i always forget :) In the end it was my fault. Thanks for the feedback though [[User:Zecoxao|Zecoxao]] | |||
*** OK and to answer your question regarding the newest DEX Firmwares, I'm on CEX but I'm still on [[:File:IMG 0148.JPG|this]] Firmware. Is this Good or Bad? :) ([[User:Roxanne|Roxanne]] 22th December 2015 (22:56 GMT+1) | |||
**** it'd be nice to test some psgroove on it :) | |||
***** http://www.psdevwiki.com/ps3/User:Not_Zecoxao is still needed? | |||
****** nope | |||
* | |||
* |