ReDRM / Piracy dongles: Difference between revisions

From PS3 Developer wiki
Revision as of 22:43, 12 November 2011

Description

The dongle is a DRM measure: the firmware's 'special' functionality will not work unless the dongle is present. Content discs contain fself'ed eboot.bin files.

Downloads

FW Info

PS3 System Software

MFW 3.55-Dongle (Jailbreak2.CFW)
File date: July 13 2011 2:08:58
174639 KB
MD5: 43C522F8897D77B6165F95BCF3409090
SHA1: A64B010DB98996C7E53768D37D4D346F271D5950
CRC32: A32FDD1D
CRC16: 6420
HMAC_SHA1: 0x88EF9FEB9BB80ABE7CF68EB3BD76148F7AD6230C

Remarks: needs JB2 dongle as DRM
PUP file information
Package version: 1
Image version: 47517
File count: 7
Header length: 528
Data length: 178829542
PUP file hash : 88EF9FEB9BB80ABE7CF68EB3BD76148F7AD6230C
	File 0
	Entry id: 0x100
	Filename : version.txt
	Data offset: 0x210
	Data length: 13
File hash : 8E533875E1B43B6CBAF5E91663EB7554107B5509
	File 1
	Entry id: 0x101
	Filename : license.xml
	Data offset: 0x21D
	Data length: 267513
File hash : B77EFE54859738385DD803E88FB5E807FF1BC6AB
	File 2
	Entry id: 0x103
	Filename : update_flags.txt
	Data offset: 0x41716
	Data length: 5
File hash : FD7C893936FDFC668922BE6D119A462111B2BBDB
	File 3
	Entry id: 0x200
	Filename : ps3swu.self
	Data offset: 0x4171B
	Data length: 5661656
File hash : C61DDE12E75C2218214700D7D49006583F1B968B
	File 4
	Entry id: 0x201
	Filename : vsh.tar
	Data offset: 0x5A7AF3
	Data length: 10240
File hash : D9B66E0D2845D71A67D76E7907AB06368CE61E08
	File 5
	Entry id: 0x202
	Filename : dots.txt
	Data offset: 0x5AA2F3
	Data length: 3
File hash : 1AA4749D0EE0D0AE937FBF73BC4B9ACD352F732A
	File 6
	Entry id: 0x300
	Filename : update_files.tar
	Data offset: 0x5AA2F6
	Data length: 172890112
File hash : 93A7A95BFCFC263DCB4A18477062FDCC72BE47A0


Content discs

EBOOT.BIN details

SELF header

 elf #1 offset:  00000000_00000090
 header len:     00000000_00000a80
 meta offset:    00000000_000004a0
 phdr offset:    00000000_00000040
 shdr offset:    00000000_002117f8
 file size:      00000000_0021150c
 auth id:        10100000_01000003 (Unknown)
 vendor id:      01000002
 info offset:    00000000_00000070
 sinfo offset:   00000000_00000290
 version offset: 00000000_00000390
 control info:   00000000_000003c0 (00000000_00000100 bytes)
 app version:    1.0.0
 SDK type:       Devkit
 app type:       NP-DRM application

Control info

 control flags:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 file digest:
    62 7c b1 80 8a b9 38 e3 2c 8c 09 17 08 72 6a 57 9e 25 86 e4
    f1 95 cf a4 c0 04 0f c9 14 de 1f 9a 21 4e 10 ca 6b a6 8c 86
 NPDRM info:
   magic: 4e504400
   unk0 : 00000001
   unk1 : 00000003
   unk2 : 00000001
   content_id: IV0002-NPXS00020_00-TEST000000000001
   digest:     09 37 f1 32 60 b9 70 02 76 9e e4 0f 7b 10 70 0f
   invdigest:  f6 c8 0e cd 9f 46 8f fd 89 61 1b f0 84 ef 8f f0
   xordigest:  5c 62 a4 67 35 ec 25 57 23 cb b1 5a 2e 45 25 5b

Section header

   offset             size              compressed unk1     unk2     encrypted
   00000000_00000a80  00000000_00209dc0 [NO ]      00000000 00000000 [NO ]
   00000000_00210a80  00000000_000005b0 [NO ]      00000000 00000000 [NO ]
   00000000_00211030  00000000_00000000 [NO ]      00000000 00000000 [NO ]
   00000000_00211030  00000000_00000000 [NO ]      00000000 00000000 [NO ]
   00000000_00211030  00000000_00000000 [NO ]      00000000 00000000 [NO ]
   00000000_00210df8  00000000_00000004 [NO ]      00000000 00000000 [N/A]
   00000000_0020a7e0  00000000_00000020 [NO ]      00000000 00000000 [N/A]
   00000000_0020a800  00000000_00000040 [NO ]      00000000 00000000 [N/A]

Encrypted Metadata

 no encrypted metadata in fselfs.

ELF header

 type:                                 Executable file
 machine:                              PowerPC64
 version:                              1
 phdr offset:                          00000000_00000040
 shdr offset:                          00000000_00210e08
 entry:                                00000000_002200f0
 flags:                                00000000
 header size:                          00000040
 program header size:                  00000038
 program headers:                      8
 section header size:                  00000040
 section headers:                      28
 section header string table index:    27

FW analysis

FW Changes

Compared to OFW 3.55: ofw-vs-jb2.rar (4.18 MB)

EULA.xml

	<str id="msg_updater_10">This update will install PS3 system software version 3.55, modified to support homebrew software and the disc dongle.</str> 

Version.txt

3.55-Dongle

CORE_OS_PACKAGE.pkg

lv1.self

Just one patch:

        Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  OFW:  000F5A40              39 20 00 00                              9 ..       li      r9,0
  JB2:  000F5A40              39 20 00 01                              9 ..       li      r9,1

This patch is in lv1_map_htab and allows RW mapping of all RAM, so it is unknown how many other lv1 patches are applied at runtime.

lv2_kernel.self

dev_flash_010.tar.aa.2010_11_27_051337

\dev_flash\vsh\module\nas_plugin.sprx

         Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   OFW:  00003250                                      7C 60 1B 78              |`.x    mr r0, r3
   JB2:  00003250                                      38 00 00 00              8...    li r0, 0


         Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   OFW:  00037350  41 9E 00 4C                                      Až.L    beq-    cr7,4c
   JB2:  00037350  60 00 00 00                                      `...    nop
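As an added example (not code from the wiki page, the OFW or the JB2 firmware), the following Python decodes the PowerPC words at the lv1.self and nas_plugin.sprx patch sites listed above and reports whether a module image carries the OFW 3.55 bytes or the JB2 bytes, which is how a dumped module can be checked against the known patches. The offsets and bytes are the ones documented on this page; the images it scans are constructed zero-filled stand-ins, not real dumps.

```python
# Patch sites documented above: (module, file offset, OFW 3.55 bytes, JB2 bytes)
PATCH_SITES = [
    ("lv1.self",        0x000F5A40, bytes.fromhex("39200000"), bytes.fromhex("39200001")),
    ("nas_plugin.sprx", 0x00003250, bytes.fromhex("7C601B78"), bytes.fromhex("38000000")),
    ("nas_plugin.sprx", 0x00037350, bytes.fromhex("419E004C"), bytes.fromhex("60000000")),
]

def decode_ppc(word: int) -> str:
    """Decode the big-endian PowerPC instruction forms these patches touch."""
    opcd, f1, f2 = word >> 26, (word >> 21) & 31, (word >> 16) & 31   # opcode, rD/rS/BO, rA/BI
    if opcd == 14:                                   # addi rD,rA,SIMM; rA=0 is the 'li' mnemonic
        simm = (word & 0xFFFF) - (0x10000 if word & 0x8000 else 0)
        return f"li r{f1},{simm}" if f2 == 0 else f"addi r{f1},r{f2},{simm}"
    if opcd == 24:                                   # ori rA,rS,UIMM; 'ori 0,0,0' is the nop
        return "nop" if word == 0x60000000 else f"ori r{f2},r{f1},{word & 0xFFFF}"
    if opcd == 31 and ((word >> 1) & 0x3FF) == 444:  # or rA,rS,rB; rS==rB is the 'mr' mnemonic
        rb = (word >> 11) & 31
        return f"mr r{f2},r{f1}" if f1 == rb else f"or r{f2},r{f1},r{rb}"
    if opcd == 16:                                   # bc BO,BI,BD; BO=12 tests a CR bit, bit 2 = EQ
        bd = (word & 0xFFFC) - (0x10000 if word & 0x8000 else 0)
        return f"beq cr{f2 // 4},{bd:#x}" if f1 == 12 and f2 % 4 == 2 else f"bc {f1},{f2},{bd:#x}"
    return f".long {word:#010x}"

def classify_module(name: str, image: bytes) -> dict:
    """Per documented site in `name`: {offset: (OFW|JB2|unknown|truncated, mnemonic)}."""
    report = {}
    for mod, off, ofw, jb2 in PATCH_SITES:
        if mod != name:
            continue
        found = image[off:off + 4]
        if len(found) < 4:
            report[off] = ("truncated", "")
            continue
        state = "OFW" if found == ofw else "JB2" if found == jb2 else "unknown"
        report[off] = (state, decode_ppc(int.from_bytes(found, "big")))
    return report

def build_sample(name: str, patched: bool) -> bytes:
    """Constructed stand-in image (not a real dump): zero-filled, only the sites populated."""
    img = bytearray(max(off for mod, off, _, _ in PATCH_SITES if mod == name) + 4)
    for mod, off, ofw, jb2 in PATCH_SITES:
        if mod == name:
            img[off:off + 4] = jb2 if patched else ofw
    return bytes(img)

if __name__ == "__main__":
    for mod, patched in (("lv1.self", False), ("nas_plugin.sprx", True)):
        for off, (state, asm) in classify_module(mod, build_sample(mod, patched)).items():
            print(f"{mod} @ {off:08X}: {state:9} {asm}")
```

On a real dump, pass the module's raw bytes to classify_module; any site reported as "unknown" means the bytes match neither the documented OFW nor the documented JB2 word.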

"standard pkg patches"

dev_flash_016.tar.aa.2010_11_27_051337

\dev_flash\vsh\resource\explore\xmb\category_game.xml

\dev_flash\vsh\resource\explore\xmb\category_video.xml

Hardware Dongle

Psjb2 Trueblue - OVERVIEW
Psjb2 Trueblue - TOP
Psjb2 Trueblue - BOTTOM

Components

Actel ProASIC3 A3P250 - FPGA

  A3P250 = 250,000 System Gates
  blank = Speed Grade: Standard
  VQ = Package Type: Very Thin Quad Flat Pack (0.5mm pitch)
  G = Lead-Free Packaging: RoHS-Compliant (Green)
  100 = Package Lead Count : 100 pins
  blank = Security Feature : no IP license
  blank = Temperature Range: Commercial (0°C to +70°C Ambient Temperature)

128-bit AES
1,024 bits of user flash memory
Datasheets and user manuals: http://www.actel.com/products/pa3/docs.aspx#ds
Product family page: http://www.actel.com/products/pa3/

Pinout A3P250 VQ100

Actel ProASIC3 A3P250 - FPGA (psjb2-Trueblue) VQ100 package
Pin Function Notes
1 GND Ground
2 GAA2/IO118UDB3
3 IO118VDB3
4 GAB2/IO117UDB3
5 IO117VDB3
6 GAC2/IO116UDB3
7 IO116VDB3
8 IO112PSB3
9 GND Ground
10 GFB1/IO109PDB3
11 GFB0/IO109NDB3
12 VCOMPLF
13 GFA0/IO108NPB3
14 VCCPLF
15 GFA1/IO108PPB3
16 GFA2/IO107PSB3
17 VCC
18 VCCIB3
19 GFC2/IO105PSB3
20 GEC1/IO100PDB3
21 GEC0/IO100NDB3
22 GEA1/IO98PDB3
23 GEA0/IO98NDB3
24 VMV3
25 GNDQ Ground
26 GEA2/IO97RSB2
27 GEB2/IO96RSB2
28 GEC2/IO95RSB2
29 IO93RSB2
30 IO92RSB2
31 IO91RSB2
32 IO90RSB2
33 IO88RSB2
34 IO86RSB2
35 IO85RSB2
36 IO84RSB2
37 VCC
38 GND Ground
39 VCCIB2
40 IO77RSB2
41 IO74RSB2
42 IO71RSB2
43 GDC2/IO63RSB2
44 GDB2/IO62RSB2
45 GDA2/IO61RSB2
46 GNDQ Ground
47 TCK
48 TDI
49 TMS
50 VMV2
51 GND Ground
52 VPUMP
53 NC
54 TDO
55 TRST
56 VJTAG
57 GDA1/IO60USB1
58 GDC0/IO58VDB1
59 GDC1/IO58UDB1
60 IO52NDB1
61 GCB2/IO52PDB1
62 GCA1/IO50PDB1
63 GCA0/IO50NDB1
64 GCC0/IO48NDB1
65 GCC1/IO48PDB1
66 VCCIB1
67 GND Ground
68 VCC
69 IO43NDB1
70 GBC2/IO43PDB1
71 GBB2/IO42PSB1
72 IO41NDB1
73 GBA2/IO41PDB1
74 VMV1
75 GNDQ Ground
76 GBA1/IO40RSB0
77 GBA0/IO39RSB0
78 GBB1/IO38RSB0
79 GBB0/IO37RSB0
80 GBC1/IO36RSB0
81 GBC0/IO35RSB0
82 IO29RSB0
83 IO27RSB0
84 IO25RSB0
85 IO23RSB0
86 IO21RSB0
87 VCCIB0
88 GND Ground
89 VCC
90 IO15RSB0
91 IO13RSB0
92 IO11RSB0
93 GAC1/IO05RSB0
94 GAC0/IO04RSB0
95 GAB1/IO03RSB0
96 GAB0/IO02RSB0
97 GAA1/IO01RSB0
98 GAA0/IO00RSB0
99 GNDQ Ground
100 VMV0

24.000 MHz Crystal

CLK for Actel

AMS1117 2.851049 - Low Dropout Linear Regulator

Datasheet: http://www.sltdigital.com/product/product_pdf/AMS1117.pdf / http://home1.cyber-labo.co.jp/board/goods/pdf/AMS1117.pdf
File:AMS1117 - SOT-223.png

Unidentified Winbond 8-pin IC

EEPROM, perhaps similar to: http://www.ps3devwiki.com/index.php?title=Flash_%28Hardware%29#Renesas_HN58X2504TIE_.28EEPROM.29

Dongle Updater PKG

   SHA1: 4066FFEFD723FAF08EB84A62F4AA38180C40129C // MD5: 0200689D58FCA0FC51F7B738C33A5DC9 // CRC32: 4D72836 // CRC16: 8A62 

Unpkg/unself'ed: dongle-updater.pkg.out.rar (2.03 MB)
Plaintext visible in the unself'ed eboot.bin : http://pastebin.com/EFQczE2r (interesting note: it used /dev_hdd0/vsh/tmp.bin as temp for the payload)

Payload

Located in the unself'ed eboot.bin at offset:

  eboot      payload
  Offset(h)  Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  000084F0   00000000  09 02 12 00 01 00 00 80 FA 09 04 00 00 00 FE 01  .......€ú.....þ.
    ... 
  002084E0   001FFFF0  EB 3B 01 F7 6F A9 CF 3C B6 EB 89 82 7D E6 7D 3B  ë;.÷o©Ï<¶ë‰‚}æ};

TB_dongle_payload.bin (2 MB)

   SHA1: 43402D6FE2ECE43EBE91531EFA07C366D46DD121 // MD5: BA5AFAB174BF6003D41AC8951301B822 // CRC32: 248284D2 // CRC16: 8C78

lv2 dump

Decrypted payload, at offset 0x7f0000 in the LV2 dump

Start Offset  End Offset  Descriptor  Description
00000000 00000FFF 0 3.41
00001000 00001FFF 1 3.41
00002000 00002FFF 2 3.41
00003000 00003FFF 3 3.41
00004000 00007FFF 4
00008000 00008FFF 5
00009000 0000BFFF 6
0000C000 0000CFFF 7
0000D000 0000DFFF 8
0000E000 0000FFFF 9
00010000 00013FFF a
00014000 0001BFFF b
0001C000 0001C00F c
0001C010 0001C01F d
0001C020 0001C03F e
0001C040 0001C05F f
0001C060 0001C06F 10
0001C070 0001C07F 11
0001C080 0001C09F 12
0001C0A0 001FFFFF 13
000A1A80 000B039F 14
000B03A0 001736FF 15
00173700 00189D5F 16
00189D60 001FFFFF 17

http://pastebin.com/3VG76HQs