Talk:IDPS: Difference between revisions
No edit summary |
mNo edit summary |
||
| Line 223: | Line 223: | ||
52 66 <- unk3<br> | 52 66 <- unk3<br> | ||
===Chassis Check=== | |||
the chassis check seems to be still a secret, or at least not 100% clear how it works or what it represents. | the chassis check seems to be still a secret, or at least not 100% clear how it works or what it represents. | ||
so my immediate question was of course: if it's not clear what this means, how does the scene even know that it's called "chassis check" at all? where does this information come from?<br /> | so my immediate question was of course: if it's not clear what this means, how does the scene even know that it's called "chassis check" at all? where does this information come from?<br /> | ||
Revision as of 08:35, 9 November 2015
IDPS Examples
The examples are ordered based in priority: first "PS3 model" (byte 8), second "chasis check" (bytes 9 and 10), and third "target id" (byte 6)
The reason of why ordering the examples this way is because "PS3 model" is known, and "chasis check" is the only thing left we can deduce from the examples
| IDPS | 6th byte |
Target ID | 8th byte |
PS3 Model | Notes |
|---|---|---|---|---|---|
00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D |
0x81 | TOOL Reference Tool or SD System Debugger / DECR | 0x01 | DECR-1000(A/J) / DEH-Z1010 (TMU-520) | Static Dummy IDPS |
00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x01 | CECHA (COK-001) | |
00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2 |
0x8A | CEX Retail or SHOP Kiosk - South Asia / CECH | 0x01 | CECHA (COK-001) | |
00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x01 | CECHA (COK-001) | |
00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x01 | CECHA (COK-001) | |
00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x02 | CECHB (COK-001) | |
00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x03 | CECHC (COK-002) | |
00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x03 | CECHC (COK-002) | |
00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25 |
0xA0 | ARC Arcade / GECR | 0x04 | GECR-1100 (COK-002) | (COK-002 without Bluetooth/Wifi) |
00 00 00 01 00 ?? 00 04 ?? ?? ?? ?? ?? ?? ?? ?? |
? | ? | 0x04 | CECHE | |
00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | |
00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC |
0x8C | CEX Retail or SHOP Kiosk - Russia / CECH | 0x05 | CECHG (SEM-001) | |
00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | |
00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28 |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x05 | CECHG (SEM-001) | |
00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x05 | CECHG (SEM-001) | (original label stated CECHC model!) |
00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | |
00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | |
00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x05 | CECHG (SEM-001) | |
00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x05 | CECHG (SEM-001) | |
00 00 00 01 00 ?? 00 06 ?? ?? ?? ?? ?? ?? ?? ?? |
? | ? | 0x06 | CECHH | |
00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85 |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x07 | CECHJ/CECHK (DIA-002) | |
00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80 |
0xA0 | ARC Arcade / GECR | 0x08 | GECR-1500 (VER-001) | (VER-001 without Bluetooth/Wifi) |
00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | |
00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | |
00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C |
0x89 | CEX Retail or SHOP Kiosk - Australia & New Zealand / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | |
00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | |
00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | |
00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | |
00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | |
00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | |
00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x09 | CECH20xx (DYN-001) | |
00 00 00 01 00 85 00 09 10 22 4D 7A 32 A4 11 F4 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | |
00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0A | CECH21xx (SUR-001) | |
00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | |
00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 |
0x89 | CEX Retail or SHOP Kiosk - Australia & New Zealand / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | |
00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65 |
0x8C | CEX Retail or SHOP Kiosk - Russia / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | used by PS-Unban |
00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76 |
0x89 | CEX Retail or SHOP Kiosk - Australia & New Zealand / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | |
00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68 |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | |
00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | |
00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x0C | CECH30xx (KTE-001) | used by PS-Unban |
00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x0C | CECH30xx (KTE-001) | used by PS-Unban |
00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x0C | CECH30xx (KTE-001) | |
00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18 |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x0C | CECH30xx (KTE-001) | |
00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F |
0x8C | CEX Retail or SHOP Kiosk - Russia / CECH | 0x0C | CECH30xx (KTE-001) | |
00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96 |
0x89 | CEX Retail or SHOP Kiosk - Australia & New Zealand / CECH | 0x0D | CECH40xx (MPX-001/MSX-001) | |
- Chasis check speculation (bytes 9th and 10th):
- 9th byte (most common: 0x04, 0x10, 0x14, 0xF4... and 03 in the "Dummy IDPS")
- 10th byte
- Next 6 bytes speculation
- 11th and 12th: (FF in the "Dummy IDPS")
- 13th, 14th, 15th, 16th: per console identifyer ?
| IDPS | 6th byte |
Target ID | 8th byte |
PS3 Model | Notes |
|---|---|---|---|---|---|
00 00 00 01 00 80 00 01 xx xx xx xx xx xx xx xx |
0x80 | NOT IN USE | 0x01 | DECHAS00A/J (COK-001) | - |
00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx |
0x82 | DEX AV TEST DTCP-IP Debug / AV Tool / DTCP-IP Debugger / DECH / DECHS | 0x01 | DECHA00A/J (COK-001) | - |
00 00 00 01 00 8A 00 01 xx xx xx xx xx xx xx xx |
0x8A | CEX Retail or SHOP Kiosk - South Asia / CECH | 0x01 | CECHA (COK-001) | - |
00 00 00 01 00 8B 00 01 xx xx xx xx xx xx xx xx |
0x8B | CEX Retail or SHOP Kiosk - Taiwan / CECH | 0x01 | CECHA (COK-001) | - |
00 00 00 01 00 83 00 01 xx xx xx xx xx xx xx xx |
0x83 | CEX Retail or SHOP Kiosk - Japan / CECH | 0x01 | CECHA (COK-001) | - |
00 00 00 01 00 86 00 04 xx xx xx xx xx xx xx xx |
0x86 | CEX Retail or SHOP Kiosk - Korea / CECH | 0x04 | CECHE (COK-002/COK-002W) | - |
00 00 00 01 00 88 00 04 xx xx xx xx xx xx xx xx |
0x88 | CEX Retail or SHOP Kiosk - Mexico / CECH | 0x04 | CECHE (COK-002/COK-002W) | - |
00 00 00 01 00 8D 00 0C xx xx xx xx xx xx xx xx |
0x8D | CEX Retail or SHOP Kiosk - China / CECH | 0x0C | CECH30xx (KTE-001) | - |
00 00 00 01 00 8F 00 0E xx xx xx xx xx xx xx xx |
0x8F | CEX Retail or SHOP Kiosk - Brazil / CECH | 0x0E | non existant | - |
IDPS Regex
0{7}10{2}8[456789ACE]000[6789ABCD][01F][04][0123][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF]
Based on 300+ dumps
IDPS rms blogtext
You’re probably wondering: “What the hell is this sequence of bytes?”. This is the IDPS, a sequence of bytes which determine console type. This structure is relatively undocumented until now, anyway. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections. I had made a splitter application to make your life easier a long time ago. Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo’s original payload. The IDPS is also used in various other parts of the system which could be of interest to you, but I will not discuss those right now. The IDPS itself, isn’t decrypted.
The IDPS contains your target ID, motherboard? and BD? revision. The IDPS shown at the beginning of this article is the dummy IDPS, the one that’s used when your IDPS fails to be decrypted. That IDPS belongs to a DECR-1000A. The one below belongs to a European PS3, and the one below that belongs to a Australian/NZ PS3.
Source: http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/
Note: The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it.
Change HWID
Theory: If you give a slim console a fat IDPS, would that console have 3.15 OtherOS functionality?
I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20../DYN-001, because CECH-21../SUR-001 use different drivers for RSX). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (ofcourse you can use OtherOS++).
[Homebrew-App] PS3 Model Detection
http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/
Dumping PS3 Model Data: - PS3 System Target ID: 0x85 (Retail - Europe) - PS3 Motherboard Revision: 0x0B (JTP-001 Motherboard, Revision 1) - PS3 BD-Laser Revision: 0x04 (KES-400, SACD supported) Probable Model: CECH-2504A Raw Model Data: Byte 0: 0x00 Byte 1: 0x01 Byte 2: 0x00 Byte 3: 0x85 Byte 4: 0x00 Byte 5: 0x0B Byte 6: 0x00 Byte 7: 0x04
footnotes:
- '7th byte of IDPS' is not Bluray Drive (it was misunderstood at that time). You can see it in the example where it names incorrectly a CECH-25xx as Super Audio CD compatible with a KES-400 laserslide (which in real life has either KES-460A or KES-470A without daughterboard (swap can be done without remarry).
- also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc.
[Homebrew-App] IDPS Viewer
http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer
- Displays the IDPS
- Shows Target ID
- Displays Motherboard revision
- Save IDPS (16 bytes from EID) in dev_hdd0/IDPS.bin file
hypothesis
the way i see it:
00 00 00 01 <- magic
00 89 <- target id
00 0B <- Model type
14 00 <- chassis check
EF DD <- unk1, FF FF in Dummy IDPS
CA 25 <- unk2
52 66 <- unk3
Chassis Check
the chassis check seems to be still a secret, or at least not 100% clear how it works or what it represents.
so my immediate question was of course: if it's not clear what this means, how does the scene even know that it's called "chassis check" at all? where does this information come from?
and second: how is the current state (or former experience) with brute forcing the IDPS from the IDPS hash of a PARAM.SFO file (second hash iirc). i mean most of the information is known. in the best case you chose your region and model and only have to BF the last six bytes (if the chassis check was known better).
if the scene could establish some kind of standard or BF blueprint, like a blank PARAM.SFO of the PS3 singstar app, which should look the same on every console one could even work on a rainbow table for the IDPS.
just some thoughts from someone who just entered the ps3 dev scene, so don't be too harsh please ;)