User talk:Zer0Tolerance: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
Line 128: Line 128:
*paf::PhPrim::WidgetType(void)
*paf::PhPrim::WidgetType(void)


I am using a FNID_Validator, this tool just calculates a hash from function name, i guessing function name and verifying hash. I also using fnid_bruteforcer to bruteforce a few chars at the tail of function name.
I am using a FNID_Validator, this tool just calculates a hash from function name, i guessing function name and verifying hash. I also using fnid_bruteforcer to bruteforce a few chars at the tail of function name.<BR>
You found correct function name, just mangled it and validated:
You found correct function name, just mangled it and validated:<BR>
_ZN3paf10PhPlaneDiv10WidgetTypeEv  FNID is 0xE36C18F5
_ZN3paf10PhPlaneDiv10WidgetTypeEv  FNID is 0xE36C18F5<BR>
I also tryed to find second one, but no luck.
I also tryed to find second one, but no luck.<BR>
Thanks a lot.
Thanks a lot.

Revision as of 19:43, 30 April 2018

thanks :) Euss

User:Zer0Tolerance under observation because of posting strong SEXual content ;) - (User:Roxanne 17th December 2015 / 16:19 GMT+1)

Good joke, thanks. (User:Zer0Tolerance 17th December 2015 / 18:51 GMT+1)

About eid2 des iv

just a quick heads up. both eid2 des ivs (the zeroed one and the other one) are valid to use. in a way, both glevand (zero iv) and naehrwert (fixed iv) are correct. make sure you consult with naehrwert for more info.

zecoxao

@zecoxao Just use openssl des-cbc -d -in pblock.desenc -out pblock.dec -nosalt -K 6CCAB35405FA562C -iv 989A955EFDE7A748 -p -nopad and openssl des-cbc -d -in pblock.desenc -out pblock.dec -nosalt -K 6CCAB35405FA562C -iv 0 -p -nopad Only the second one vector is valid. Thank You.

@Zer0Tolerance

it's very rare to see naehrwert wrong. maybe the algorithm is handled differently in libeeid(polarssl) than in openssl? i'll talk to him when i have a chance ;) either way, thanks :)

@zecoxao

Im sorry, but iv must be zero. :(

@ZeroTolerance

I'm almost sure i was able to decrypt default.spp

please check all 3.15 key combinations possible.

Thanks :)

@zecoxao

Im checked it and could not decrypt metainfo into default spp, please provide me the decrypted metainfo as proof.

@ZeroTolerance

Unfortunately i don't have it anymore. but i'll try to decrypt it anyways :)

@zecoxao

Please recheck (retry) it if possible. Im sure that we needed another key(set) to decrypt default.spp for ceb.

@ZeroTolerance

yes, you're correct. just tested other combinations and none of them work.

About EID0_0_UNK1

@ZeroTolerance

Pretty sure it's z1 and z2 (2 hashes). looks like it's a metadata of sorts :)

@Zecoxao

Maybe, maybe not. hash algorithm is unknown yet.

@ZeroTolerance

Have you tried checking if it's a pub from another curve?

@Zecoxao

Pub is a point with X and Y. One Pub for one Priv. These "hashes" are not constants. So this is not a Pub. It can be two hmac-sha1 or something. IDK what is this.

EEPROM Syscon Probing

  • some useful links:

http://dangerousprototypes.com/docs/Bus_Pirate_101_tutorial (bus pirate)
https://www.saleae.com/downloads (logic analyzer)

  • Analyzer settings:

http://pastie.org/private/khwaczthr5j2td9jmdfihq

  • Bus pirate settings:

http://pastie.org/private/mqycmj8ynxj5mdzttrgpca

  • More info:

http://pastie.org/private/f7siriweadsnrpq6dilq

  • Write Unlock command:

0xA3 0x00 0x00

  • Write command:

0xA4 0xXX 0xXX (XX XX is block id)

  • Read command:

0xA8 0xXX 0xXX (XX XX is block id)

  • Check Status command:

0xA9 0x00 0x00 0x00

  • Some proof

https://mega.co.nz/#!hssQHZhI!bNMS3MgWx21iUrfLGBSoB2bA3Mfe3DVL23y_SENzDUw
https://mega.co.nz/#!wl8wSCKK!ZZkgeKd8hdRCMRpA2oWrrV5lirjupF_4k9boJkBpBfM

you need https://www.saleae.com/downloads

dump of eeprom with above data

Thank you for puppies

http://www.st-andrews.ac.uk/nightline/wp-content/uploads/puppies.jpeg

Help with VSH exports related with RCO

Not sure if you took a look at this table Talk:RCOXML_Objects#WidgetType, i made it thanks to your research with VSH_Exports#paf, but im having a problem, by looking at RCO stuff i think there are a couple of vsh exports missing in your list, not sure how you are getting them (reversing the hash from nids i guess), i know the codenames of some rco stuff so i can imagine the vsh export names that should have, please take a look if this ones exists

  • paf::PhPlaneDiv::WidgetType(void)
  • paf::PhPrim::WidgetType(void)

I am using a FNID_Validator, this tool just calculates a hash from function name, i guessing function name and verifying hash. I also using fnid_bruteforcer to bruteforce a few chars at the tail of function name.
You found correct function name, just mangled it and validated:
_ZN3paf10PhPlaneDiv10WidgetTypeEv FNID is 0xE36C18F5
I also tryed to find second one, but no luck.
Thanks a lot.