Editing User talk:Zecoxao
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
| Latest revision | Your text | ||
| Line 1: | Line 1: | ||
= The Last Piece of the Puzzle = | |||
* http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301) | |||
* http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation) | |||
* http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag | |||
* http://www.psdevwiki.com/ps3/Talk:Service_Connectors | |||
* http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring | |||
* http://www.psdevwiki.com/ps3/SIG_File_Format | |||
* http://i.imgur.com/xQizq0K.png | |||
* http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg | |||
* http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png | |||
* http://en.wikipedia.org/wiki/ARM7#ARM7TDMI | |||
* http://www.fpga4fun.com/images/JTAG_TAP.gif | |||
* http://hsb.wikidot.com/arduino-jtag-finder-workshop | |||
* https://www.youtube.com/watch?v=Up0697E5DGc | |||
* http://urjtag.org/ | |||
* http://i.imgur.com/O10hqAK.png | |||
* http://pastie.org/private/grd5u9izjlglkult64rta | |||
* http://psx-scene.com/forums/f149/brick-recovery-research-74903/index37.html#post786487 | |||
* http://i.imgur.com/o9R0YjJ.jpg | |||
* https://www.sendspace.com/file/qzq6a4 (Patent Explaining DECR SYSCON) | |||
* https://imgur.com/a/pR0a4 (Messages from mullion indicating erasing of User Program Area before updating) | |||
= Vita Shennanigans = | = Vita Shennanigans = | ||
<pre> | |||
BGA Test Pins (for 100 and 64 pin config) | |||
100-pin: | |||
TOOL0 D8 | |||
TOOL1 E7 | |||
FLMD0 F9 | |||
RESET G9 | |||
64-pin | |||
TOOL0 D6 | |||
TOOL1 E6 | |||
FLMD0 E8 | |||
RESET E7 | |||
CL Pad to Syscon (IRS-002) (78K0R) | |||
F5 F6 F9 F10 G10 H1 H4 J3 J10 | |||
</pre> | |||
= DYN-001 Shennanigans = | = DYN-001 Shennanigans = | ||
* | * https://imgur.com/OJbWsPZ | ||
* | * https://imgur.com/z5zhedg | ||
* | * VDD Feeds to 5 different pins, as opposed to ARM BGA VDD. | ||
* Needs a large number of samples and a proper alignment | |||
* https://www.sendspace.com/file/lofkfo | |||
= PSP Shennanigans = | = PSP Shennanigans = | ||
<pre> | |||
D780032AY (TMU-001/TMU-002) | |||
ROM: 16 KB, RAM: 512 B | |||
(see D790019) | |||
D790019 (TA-079/TA-081) | |||
ROM RAM | |||
D780021AY/D780031AY 8 KB 512 B | |||
D780022AY/D780032AY 16 KB 512 B | |||
D780023AY/D780033AY 24 KB 1 KB | |||
D780024AY/D780034AY 32 KB 1 KB | |||
D78F0034AY/D78F0034BY 32 KB 1 KB | |||
Tools: IE-78K0-NS, IE-78K0-NS-A, IE-78K0-NS-PA, IE-780034-NS-EM1, IE-78001-R-A, IE-78K0-R-EX1, PG-FP3, PG-FP4 | |||
D79F0036 (TA-082/TA-086) | |||
ROM RAM ERAM | |||
D78F0531/D78F0531A 16 KB 768 B - | |||
D78F0532/D78F0532A 24 KB 1 KB - | |||
D78F0533/D78F0533A 32 KB 1 KB - | |||
D78F0534/D78F0534A 48 KB 1 KB 1 KB | |||
D78F0535/D78F0535A 60 KB 1 KB 2 KB | |||
D78F0536/D78F0536A 96 KB 1 KB 4 KB | |||
D78F0537/D78F0537A 128 KB 1 KB 6 KB | |||
D78F0537D/D78F0537DA 128 KB 1 KB 6 KB | |||
Tools: QB-78K0KX2, QB-MINI2, E1, E20, PG-FP4, PG-FP5, PG-FP6 | |||
D79F???? (TA-085) | |||
"custom" 84-pin 78K0 based on D79F0036 | |||
(see D79F0036) | |||
Service/Debug Testpoints | |||
TA-081 TA-082/TA-086 TA-085 | |||
CL3001 VDD VDD VDD | |||
CL3002 RxD RxD RxD | |||
CL3003 TxD TxD TxD | |||
CL3004 IC/VPP FLMD0 FLMD0 | |||
CL3005 RESET RESET RESET | |||
CL3006 GND OCD0B OCD0B | |||
CL3007 - OCD0A OCD0A | |||
CL3008 - VDD (R3037) - | |||
CL3009 - GND GND | |||
CL3010 - P01 - | |||
CL3011 - P22 - | |||
CL3012 - CPU_RESET - | |||
CL3013 - LEPTON_RST - | |||
CL3014 - POMMEL_ALERT - | |||
</pre> | </pre> | ||
= | = How = | ||
= | * <strike>By enabling diagnostic mode on the ps3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)</strike> false | ||
* <strike>It is possible to dump the syscon firmware using this method (in unencrypted state) </strike> false | |||
* <strike>The JTAG registers/TAP-controllers need to be bruteforced / reverse engineered </strike> false | |||
* <strike>The leaked service manuals present information about the pins connected to the JigPin</strike> false | |||
* <strike>The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the ps3 using JTAG</strike> false | |||
* <strike>Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this.</strike> false | |||
* <strike>This would probably work on ps4 too (provided that the diag pin and the JTAG pins still exist)</strike> false | |||
* f0f's method is a viable way to get the ROM from later syscons | |||
* tx function can be produced and it's not required for bruteforcing | |||
* ocd flag is located somewhere in the second SFR area (which covers 0x800 bytes, minus already documented flags) | |||
* code base is located somewhere in the backup ram ( 0x800 bytes) or in the second SFR area (0x800 bytes) | |||
* second SFR area ranges from 0xF0000 to 0xF0800 | |||
* backup ram ranges from 0xF0800 to 0xF1000 | |||
* ocd flag is likely 0xF07F5 since the other SFRs are the same from RL78 to 78K0R | |||
* 486 registers from the 2nd SFR range are publically documented (https://www.youtube.com/watch?v=FdveKrmoA7E) | |||
* 1562 registers are not documented (0xF01E7 - 0xF07FF) | |||
* minimum scan area would be 0xE1A bytes (covering code base only and assuming ocd flag is the known value of 0xF07F5) | |||
* maximum scan area would be 0x55FC8A bytes (same as above and assuming ocd flag isn't known (times 0x619 bytes) | |||
* assuming that the code base is in the 2nd SFR area on RL78 and that the two devices are very similar, we could narrow down the minimum scan area to 0x61A bytes | |||
* IC4002 is sony's syscon naming in oficial service docs | |||
<pre> | <pre> | ||
//TX FUNC, 78K0R CASE | |||
//TAKING NOTE THAT PS3 SYSCON is uPD78F11XX, where X is A, B or C | |||
//ASIM -> 0xFFF8C | |||
//TXS -> 0xFFF8F | |||
<pre> | |||
ROM:000EFF05 set1 byte_FFF8C.7 | |||
ROM:000EFF08 nop | |||
ROM:000EFF09 mov byte_FFF8F, a | |||
ROM:000EFF0B | |||
ROM:000EFF0B loc_EFF0B: ; CODE XREF: ROM:loc_EFF0B↓j | |||
ROM:000EFF0B bf byte_FFF8B.0, loc_EFF0B | |||
ROM:000EFF0F mov byte_FFF8B, #0 | |||
ROM:000EFF12 clr1 byte_FFF8C.7 | |||
ROM:000EFF15 ret | |||
</pre> | </pre> | ||
== | * OCD Flag at 0xF07EC | ||
* Entry Point at 0xF07F0 | |||
* All SW Models use 0xFFF as block size (SW, SW2, SW3) | |||
* SW Uses 0x80000 as total ROM size. SW2,SW3 use 0xC0000 as total rom size | |||
* To use block related commands, one must send signature check command before sending the block check/erase/program command | |||
* 0xFFFFFED0(IV error?) 0xFFFFFED1 (hash error?) 0xFFFFFED2 (magic error) | |||
= To wikify = | |||
* Wikify begin (please wait...) | |||
* Roxanne, if you could also take care of these : http://pastebin.com/s75FzYxd , that would be awesome (i'm not sure what happened to eussNL so, i leave it on your hands.) | |||
** When I get my left hand back, then we can check this out together. [[User:Roxanne|Roxanne]] | |||
= request_idps generated files binary xor = | |||
* [[https://mega.co.nz/#!J1M1zKDK!MNBmfqyoqp2hJR3kj8urcKZ-b_pCVnMBrY2zcb-gTBs 2 generated cex files]] | |||
* [[https://mega.co.nz/#!N1dmQA5C!gbmqekcbUorH-2zXlakfxJNd1QMC8fSMoNl0pvdfFjs 2 generated decr files]] | |||
* [[https://mega.co.nz/#!VlUmgJBJ!gWk0Y4aXSOu7VoxiwfpnkFpOm7pNaWJqgl39coZ93L4 2 generated dex files]] | |||
Note: files are padded 8 bytes at start, for convenience | |||
= Wii U Key/IV Goodness = | = Wii U Key/IV Goodness = | ||
| Line 538: | Line 202: | ||
|| vWii Common | || vWii Common | ||
|- | |- | ||
| Key || | | Key || - || {{sha1|56dd59752e6af1e55fc2ee7074abe2d2c9e70a10}} || style="background-color:yellow;color:black" | Confirmation Needed | ||
|| boot1 | || boot1 | ||
|- | |- | ||
| IV || {{key|4FCD24A0E4D3AB6FAE8DFD8108581DCF}} || {{sha1|a1a87792b95d0294c0867c93d46c3068c1c6d322}} || style="background-color:green;color:white" | Valid | | IV || {{key|4FCD24A0E4D3AB6FAE8DFD8108581DCF}} || {{sha1|a1a87792b95d0294c0867c93d46c3068c1c6d322}} || style="background-color:green;color:white" | Valid | ||
| Line 554: | Line 215: | ||
|- | |- | ||
|} | |} | ||
= Switch Key/IV Goodness = | |||
= Switch Key/IV Goodness | {| class=wikitable | ||
! Type !! Key !! SHA1/SHA256 !! Status !! Description | |||
|- | |||
| AES-CTR || {{key|F4ECA1685C1E4DF77F19DB7B44A985CA}} || {{sha1|8c98ff409724784ddf3e3d39b60b25b7087ff537}} || style="background-color:green;color:white" | Valid || stage1_key_00 | |||
|- | |||
| AES-128-ECB || {{key|C2CAAFF089B9AED55694876055271C7D}} || {{sha1|4a98d62ff6ec0a042b7592219200e37dd9603479}} || style="background-color:green;color:white" | Valid || package1_key_00 | |||
|- | |||
| AES-128-ECB || {{key|54E1B8E999C2FD16CD07B66109ACAAA6}} || {{sha1|8cec47b1b3974eed32c03b11a9de0133d9e0f00b}} || style="background-color:green;color:white" | Valid || master_key_01 | |||
|- | |||
| AES-128-ECB || {{key|4F6B10D33072AF2F250562BFF06B6DA3}} || {{sha1|add1d37e4a5c540aeeef4050a2ab98e8b0dc1d04}} || style="background-color:green;color:white" | Valid || master_key_02 | |||
|- | |||
| AES-CTR || {{key|A35A19CB14404B2F4460D343D178638D}} || {{sha1|4d64731f7afa031c7eeae3eb2f462d55ff8ff5ae}} || style="background-color:green;color:white" | Valid || package2_key_00 | |||
|- | |||
| Kernel || - || {{sha1|124befb2895bba4db1726485daf6684b33ef5f51}} || style="background-color:green;color:white" | Valid || 1.00 Encrypted Kernel | |||
|- | |||
| System Modules || - || {{sha1|96bf598bd162d5d8c87f2b25741f758f47730c88}} || style="background-color:green;color:white" | Valid || 1.00 Encrypted System Modules | |||
|- | |||
| Modulus || | |||
<pre>B36554FB0AB01E85A7F6CF918EBA9699 | |||
0D8B91692AEE01204F345C2C4F4E37C7 | |||
F10BD4CDA17F93F13359CEB1E9DD26E6 | |||
F3BB7787467AD64E474AD141B7794A38 | |||
066ECF618FCDC1400BFA26DCC0345183 | |||
D93B11543B9627329A95BE1E681150A0 | |||
6B10A8838BF5FCBC90847A5A5C4352E6 | |||
C826E9FE06A08B530FAF1EC41C0BCF50 | |||
1AA4F35CFBF097E4DE320A9FE35AAAB7 | |||
447F5C3360B90F222D332AE969793142 | |||
8FE43A138BE726BD08876CA6F273F68E | |||
A7F2FEFB6C28660DBDD7EB42A878E6B8 | |||
6BAEC7A9E2406E892082258E3C6A60D7 | |||
F3568EEC8D518A633C0478230E900CB4 | |||
E7863B4F8E130947320E04B84D5BB046 | |||
71B05CF4AD634FC5E2AC1EC43396097B | |||
master_key_02 | |||
package2_key_00 | |||
</pre> | </pre> | ||
|| {{sha1|f847ed0465c0dfdcd2c28b3e1a6da0c0f01fbbc5}} || style="background-color:green;color:white" | Valid || Public Debug | |||
|- | |||
| Modulus || | |||
<pre> | <pre> | ||
8D13A7776AE5DCC03B25D058E4206959 | |||
554BAB7040082807A8A7FD0F312E11FE | |||
47A0F99DDF80DB865A2789CD976C85C5 | |||
6C397F41F2FF2420C395A6F79D4A4574 | |||
8B5D288AC699356885A56432809FD348 | |||
39A21D246769DF75AC12B5BDC32990BE | |||
37E4A0809ABE36BF1F2CAB2BADF59732 | |||
9A429D098B08F06347A3E91B36D82D8A | |||
D7E1541195E44588698A2B35CED0A50B | |||
D55DACDBAF114DCAB81EE7019EF446A3 | |||
8A946D76BD8AC83BD231580C79A826E9 | |||
D1799CCBD42B6A4FC6CCCF90A7B99847 | |||
FDFA4C6C6F81873BCAB850F63E395D4D | |||
973F0F353953FBFACDABA87A629A3FF2 | |||
0927963F079A91F716BFC63A825A4BCF | |||
4950958C55807E39B148051E21C7244F | |||
</pre> | </pre> | ||
|| {{sha1|a809e09f8bd790446b86f28b84a6d0f36481a245}} || style="background-color:green;color:white" | Valid || Public Retail | |||
|- | |||
|} | |||
= | = Regarding Jokes = | ||
* Sorry, but it's difficult to distinguish Contributors with Spam Users, especially when you aren't logged in and when you log in to your account with different IP Addresses (and especially with this current Spam situation). It won't happen for a second time. [[User:Roxanne|Roxanne]] 21th December 2015 (18:12 GMT+1) | |||
** It's ok, i should've logged, but i keep formatting my pc, so i always forget :) In the end it was my fault. Thanks for the feedback though [[User:Zecoxao|Zecoxao]] | |||
*** OK and to answer your question regarding the newest DEX Firmwares, I'm on CEX but I'm still on [[:File:IMG 0148.JPG|this]] Firmware. Is this Good or Bad? :) ([[User:Roxanne|Roxanne]] 22th December 2015 (22:56 GMT+1) | |||
**** it'd be nice to test some psgroove on it :) | |||
***** http://www.psdevwiki.com/ps3/User:Not_Zecoxao is still needed? | |||
****** nope | |||
* | |||
= ebootrom wikify = | |||
https://yadi.sk/d/z2Vr1NE_DZ6eHQ | |||