User talk:Zecoxao: Difference between revisions
m (correct some info and add additional notes) |
mNo edit summary |
Line 17: | Line 17: | ||
* http://i.imgur.com/O10hqAK.png | * http://i.imgur.com/O10hqAK.png | ||
* http://pastie.org/private/grd5u9izjlglkult64rta | * http://pastie.org/private/grd5u9izjlglkult64rta | ||
* http://psx-scene.com/forums/f149/brick-recovery-research-74903/index37.html#post786487 | |||
= How = | = How = |
Revision as of 01:21, 7 January 2015
The Last Piece of the Puzzle
- http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301)
- http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation)
- http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag
- http://www.psdevwiki.com/ps3/Talk:Service_Connectors
- http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring
- http://www.psdevwiki.com/ps3/SIG_File_Format
- http://i.imgur.com/xQizq0K.png
- http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg
- http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png
- http://en.wikipedia.org/wiki/ARM7#ARM7TDMI
- http://www.fpga4fun.com/images/JTAG_TAP.gif
- http://hsb.wikidot.com/arduino-jtag-finder-workshop
- https://www.youtube.com/watch?v=Up0697E5DGc
- http://urjtag.org/
- http://i.imgur.com/O10hqAK.png
- http://pastie.org/private/grd5u9izjlglkult64rta
- http://psx-scene.com/forums/f149/brick-recovery-research-74903/index37.html#post786487
How
- By enabling diagnostic mode on the PS3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)
- It is possible to dump the syscon firmware using this method (in an unencrypted state)
- The JTAG registers/TAP controllers need to be brute-forced / reverse engineered
- The leaked service manuals present information about the pins connected to the JigPin
- The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the PS3 using JTAG
- Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this.
- This would probably work on the PS4 too (provided that the diag pin and the JTAG pins still exist)