IDPS: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
 
(49 intermediate revisions by 11 users not shown)
Line 1: Line 1:
[[Category:Software]]
= Description =
The IDPS is a 16 byte value that contains console specific information. Exactly what information this stores is not completely known.
 
The IDPS is a sequence of 16 bytes which is used as a unique per-console identifier for PlayStation consoles. The IDPS is stored and certified in [[Flash:Encrypted Individual Data - eEID|EID]].


= Structure =
= Structure =
Line 6: Line 7:
<pre>
<pre>
00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
                        ^^    ^^
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&uArr;&nbsp;&uArr;&nbsp;&nbsp;&nbsp;&uArr;&nbsp;&uArr;
                Target ID      Motherboard Revision
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Product Code&nbsp;&nbsp;Product Sub Code
</pre>
 
* 1st and 2nd bytes represent the magic (always 00 00)
* 3rd and 4th bytes represent the Company (usually SCE)
* 5th and 6th bytes represent the [[Product Code]]
* 7th and 8th bytes represent the [[Product Sub Code]] <!--// Note that CECHAxx is type 0x01 and CECHBxx is type 0x02 but they both have a COK-001 motherboard... (Changing 0x02 to 0x01 in CECH-B will enable wifi options in menu. But there is still missing hardware), and at the opposite... CECH-25xx models are type 0x0B but with 2 possible motherboards: JSD-001 or JTP-001//-->
* remaining 8 bytes are parsed by bits not by bytes (see [[IDPS#IDPS second half]])
 
<pre>
00 00 <- Unknown
00 01 <- Company (SCE)
00 89 <- Product Code: PS3, CEX, oceania
00 0B <- Product Sub Code: CECH-25xx (25xx series)
14 00 EF DD CA 25 52 66 <- Second half: factory code 5, no Ps Flag, serial number 61405, random stamp CA 25 52 66
</pre>
</pre>
6th byte represents your [[Target ID]]


8th byte represents your [[Motherboard_Revisions]] // possible sku model
== Dummy PSP IDPS in Kicho & Dengo Program ==
*0x1 = CECHA (60GB Full PS2) - COK-001 + Memcard Daughterboard
 
*0x2 = CECHB (20GB Full PS2) - COK-001
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x07, 0xFF, 0x03, 0xFF, 0xFF, 0xFF, 0xD7, 0xC3, 0xE5, 0x5A</pre>
*0x3 = CECHC (60GB Partial PS2) - COK-002 + Memcard Daughterboard
 
*0x4 = CECHE (80GB Partial PS2) - COK-002W + Memcard Daughterboard
Found in PSP Kicho & Dengo Tool flashData.prx.
*0x5 = CECHG (40GB No PS2) - SEM-001
 
*0x6 = CECHH (40GB No PS2) - DIA-001
== Dummy Reference Tool IDPS ==
*0x7 = CECHJ / CECHK (40GB/80GB No PS2) - DIA-002
 
*0x8 = CECHL / CECHM / CECHP / CECHQ (80GB/160GB No PS2) - VER-001
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D</pre>
*0x9 = CECH20A / CECH20B (120GB/250GB Slim) - DYN-001
 
*0xA = CECH21A / CECH21B (120GB/250GB Slim) - SUR-001
This is the dummy IDPS that is used by PS3 Reference Tool aim_iso when IDPS fails to be obtained from flash. That IDPS belongs to a Reference Tool DECR-1000A. The Reference Tool IDPS from above is static. PS3 CEX 3.55 does not have it.
*0xB = CECH25A / CECH25B (160GB/320GB Slim) - JTP-001/JSD-001
 
*0xB = CECH30A / CECH30B (160GB/320GB Slim) - KTE-001
Source: [http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/ rms' blogtext].
 
== Dummy PSP Emulator IDPS ==
 
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x0C, 0x40, 0x00, 0xB1, 0x0E, 0x69, 0x69, 0x78</pre>
 
Found in emulator_drm.sprx (iso self inside).
 
== IDPS second half ==
 
*Byte 8 bits 0-5: Factory Code
*Byte 8 bits 6-7 and bytes 9-10-11: Serial Number
*Byte 8 bits 6-7 and byte 9 bits 0-5: Ps Flags on PSP with Diag Factory Code
*Bytes 12-15: Random Stamp (guessed name). 3 theories: 1) totally random number, 2) hash of previous bytes (then there would exist at least 3 keysets), 3) encrypted timestamp.
 
== IDPS Regex ==
 
Based on 16 millions of PS3 IDPS dumps, on other PS consoles dumps and on IDPS structure.
 
<pre>0{7}10[012][089A][0123456789ABCDEF]00[0123456789ABCDEF]{18}</pre>
 
Restricted to PS3:
 
<pre>0{7}100[89A][0123456789ABCDEF]00[0123456789ABCDEF]{18}</pre>
 
= Location =
 
== Serial flash ==
 
The PS3 IDPS can be found in serial flash, precisely in EID0 and EID5. See [[Flash:Encrypted_Individual_Data_-_eEID#EID0|Flash]] (NAND @ 0x80870 / NOR @ 0x2F070).
 
== Network (PSN connections) ==
 
=== idpstealer.exe ===
 
* Patched since FW 4.70 and deprecated since ps3exploit
* This method no longer works because now Sony uses '''OpenPSID''' instead of '''IDPS''' although the key/algorithm remains the same
* This should work also on PS4 and PSVita, but with a different key (not known/public atm)
* Download links: [https://dl.dropboxusercontent.com/u/35197530/zip/idpstealer.7z 1], or [https://web.archive.org/web/20160309135920/http://pastie.org/private/wlakfucps3bc21dfuosdtg 2]
 
<div style="border-width: 1px; border-style:dashed; border-color:#000000; padding: 10px; background-color:#FFFFFF; color:#000000; ">
From flatz: Privet, PS3 fans! Once KaKaRoTo published his backup tool I’ve decided to bring a way of getting a Console ID (IDPS) to the community. It can be used on OFW/CFW firmware and you don’t need any additional software/hardware installed on your PS3.
 
However there are several cons about releasing:
# A big company will fix it in the next firmwares.
# It can be used to steal other people’s IDPS if you have an access to their consoles.
 
And it seems that this is the only method of getting ConsoleId without using hardware solutions on the moment. So please, if you want to get an IDPS from your console then do it as fast as possible because I think this method won’t work in the nearly future.
 
How it works:
IDPStealer works as a proxy server and intercepts all network traffic (including SSL traffic via HTTPS over HTTP tunneling) and it tries to get IDPS from it. It doesn’t contains any malicious code and can be safely used like any other proxy server.
</div>
 
Usage: idpstealer.exe [options] <idps file>
Options:
-p <port number> - Port to listen on (default: 1337
-h              - Show this help
Arguments:
<idps file>      - Output file for IDPS
 
C:\>idpstealer.exe idps.bin
Starting proxy server on 192.168.1.13:1337
IDPS have been successfully written to: idps.bin
 
= Obtaining IDPS of a PS3 =
 
== HEN ==
 
With PS3Xploit, just do a flash dump and search inside.
 
== CFW ==
 
There are homebrews to dump or even spoof your PS3 IDPS.
 
== Bruteforce ==
 
You can verify the IDPS of a PS3 console through 2 ways: PARAM.SFO of savedata or HDD backup from PS3 Backup Utility. You would need to bruteforce about 7 bytes, if you know the PS3 model.
 
Problem: "My old PS3 received the YLOD, however I have a hard disk drive backup of it, but I no longer have the actual unit, and I do have a new PS3. I want to recover all my data to my new PS3, but I need to be able to dump all the data from archive2.dat to create a fresh HDD backup with all the data to restore to my new PS3 unit. So I need to crack the IDPS used to encrypt the backup."
 
Solution (to test) by zecoxao: "Bruteforce the IDPS from the IDPS hash of a PARAM.SFO file (second hash iirc). You select your region and model and only have to bruteforce the last six bytes. If the scene could establish some kind of standard or bruteforce blueprint, like a blank PARAM.SFO of the PS3 SingStar application, which should look the same on every console, someone could even work on a rainbow table for IDPS. The easiest would be PARAM.SFO of savedata, by manually verifying a certain sha1-hmac made from the file PARAM.PFD with IDPS as key. I was just looking into that and made a small PoC in C#, which bruteforces my PS3 IDPS. But even with all optimizations (especially for C#) and running on all cores with parallelization it is not really that fast. Moreover, I even cheated and only bruteforced the last six bytes of my known IDPS. It is currently still running... Using openCL would help, because graphic cards are naturally faster than CPUs. Currently looking into that, but I never worked with openCL before and cannot even find a hmac/sha1 kernel for openCL. Like nobody every did that before ... ;) [https://searchcode.com/codesearch/view/45893397/ useful?]"
 
= IDPS dumping Tools =
 
== PS3 Model Detection ==
 
Source: http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/]
 
<pre>
Dumping PS3 Model Data:
 
- PS3 System Target ID:    0x85 (Retail - Europe)
- PS3 Motherboard Revision: 0x0B (JTP-001 Motherboard, Revision 1)
- PS3 BD-Laser Revision:    0x04 (KES-400, SACD supported)
 
Probable Model: CECH-2504A
 
Raw Model Data:
 
  Byte 0: 0x00
  Byte 1: 0x01
  Byte 2: 0x00
  Byte 3: 0x85
  Byte 4: 0x00
  Byte 5: 0x0B
  Byte 6: 0x00
  Byte 7: 0x04
</pre>
 
Notes:
* '7th byte of IDPS' is ''not'' [[Bluray Drive]] (it was misunderstood at that time). You can see it in the example where it names incorrectly a [[CECH-25xx]] as Super Audio CD compatible with a [[KES-400]] laserslide (which in real life has either [[KES-460A]] or [[KES-470A]] without daughterboard (swap can be done without remarry).
* Also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc.
 
== IDPS Viewer ==
 
Source [http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer link]
 
* Displays the IDPS
* Shows Product Code
* Displays Motherboard revision
* Save IDPS (16 bytes from EID) into dev_hdd0/IDPS.bin file
 
== multiMAN ==
 
IDPS is displayed under setting information in multiMAN PS3 homebrew.
 
= See also =


[https://github.com/CelesteBlue-dev/PS-ConsoleId-wiki PS ConsoleId wiki by CelesteBlue]


The IDPS can be found in EID0 and EID5, see [http://ps3devwiki.com/index.php?title=Flash#EID0_-_Section_0 Flash] (NAND @ 0x80870 / NOR @ 0x2F070) or under setting information on MultiMan.
{{Flash}}
{{Development}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 13:53, 23 May 2022

Description[edit | edit source]

The IDPS is a sequence of 16 bytes which is used as a unique per-console identifier for PlayStation consoles. The IDPS is stored and certified in EID.

Structure[edit | edit source]

00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....ïÝÊ%Rf
                       ⇑ ⇑   ⇑ ⇑
                 Product Code  Product Sub Code
  • 1st and 2nd bytes represent the magic (always 00 00)
  • 3rd and 4th bytes represent the Company (usually SCE)
  • 5th and 6th bytes represent the Product Code
  • 7th and 8th bytes represent the Product Sub Code
  • remaining 8 bytes are parsed by bits not by bytes (see IDPS#IDPS second half)
00 00 <- Unknown
00 01 <- Company (SCE)
00 89 <- Product Code: PS3, CEX, oceania
00 0B <- Product Sub Code: CECH-25xx (25xx series)
14 00 EF DD CA 25 52 66 <- Second half: factory code 5, no Ps Flag, serial number 61405, random stamp CA 25 52 66

Dummy PSP IDPS in Kicho & Dengo Program[edit | edit source]

0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x07, 0xFF, 0x03, 0xFF, 0xFF, 0xFF, 0xD7, 0xC3, 0xE5, 0x5A

Found in PSP Kicho & Dengo Tool flashData.prx.

Dummy Reference Tool IDPS[edit | edit source]

0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D

This is the dummy IDPS that is used by PS3 Reference Tool aim_iso when IDPS fails to be obtained from flash. That IDPS belongs to a Reference Tool DECR-1000A. The Reference Tool IDPS from above is static. PS3 CEX 3.55 does not have it.

Source: rms' blogtext.

Dummy PSP Emulator IDPS[edit | edit source]

0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x0C, 0x40, 0x00, 0xB1, 0x0E, 0x69, 0x69, 0x78

Found in emulator_drm.sprx (iso self inside).

IDPS second half[edit | edit source]

  • Byte 8 bits 0-5: Factory Code
  • Byte 8 bits 6-7 and bytes 9-10-11: Serial Number
  • Byte 8 bits 6-7 and byte 9 bits 0-5: Ps Flags on PSP with Diag Factory Code
  • Bytes 12-15: Random Stamp (guessed name). 3 theories: 1) totally random number, 2) hash of previous bytes (then there would exist at least 3 keysets), 3) encrypted timestamp.

IDPS Regex[edit | edit source]

Based on 16 millions of PS3 IDPS dumps, on other PS consoles dumps and on IDPS structure.

0{7}10[012][089A][0123456789ABCDEF]00[0123456789ABCDEF]{18}

Restricted to PS3:

0{7}100[89A][0123456789ABCDEF]00[0123456789ABCDEF]{18}

Location[edit | edit source]

Serial flash[edit | edit source]

The PS3 IDPS can be found in serial flash, precisely in EID0 and EID5. See Flash (NAND @ 0x80870 / NOR @ 0x2F070).

Network (PSN connections)[edit | edit source]

idpstealer.exe[edit | edit source]

  • Patched since FW 4.70 and deprecated since ps3exploit
  • This method no longer works because now Sony uses OpenPSID instead of IDPS although the key/algorithm remains the same
  • This should work also on PS4 and PSVita, but with a different key (not known/public atm)
  • Download links: 1, or 2

From flatz: Privet, PS3 fans! Once KaKaRoTo published his backup tool I’ve decided to bring a way of getting a Console ID (IDPS) to the community. It can be used on OFW/CFW firmware and you don’t need any additional software/hardware installed on your PS3.

However there are several cons about releasing:

  1. A big company will fix it in the next firmwares.
  2. It can be used to steal other people’s IDPS if you have an access to their consoles.

And it seems that this is the only method of getting ConsoleId without using hardware solutions on the moment. So please, if you want to get an IDPS from your console then do it as fast as possible because I think this method won’t work in the nearly future.

How it works: IDPStealer works as a proxy server and intercepts all network traffic (including SSL traffic via HTTPS over HTTP tunneling) and it tries to get IDPS from it. It doesn’t contains any malicious code and can be safely used like any other proxy server.

Usage: idpstealer.exe [options] <idps file>
Options:
-p <port number> - Port to listen on (default: 1337
-h               - Show this help
Arguments:
<idps file>      - Output file for IDPS
C:\>idpstealer.exe idps.bin
Starting proxy server on 192.168.1.13:1337
IDPS have been successfully written to: idps.bin

Obtaining IDPS of a PS3[edit | edit source]

HEN[edit | edit source]

With PS3Xploit, just do a flash dump and search inside.

CFW[edit | edit source]

There are homebrews to dump or even spoof your PS3 IDPS.

Bruteforce[edit | edit source]

You can verify the IDPS of a PS3 console through 2 ways: PARAM.SFO of savedata or HDD backup from PS3 Backup Utility. You would need to bruteforce about 7 bytes, if you know the PS3 model.

Problem: "My old PS3 received the YLOD, however I have a hard disk drive backup of it, but I no longer have the actual unit, and I do have a new PS3. I want to recover all my data to my new PS3, but I need to be able to dump all the data from archive2.dat to create a fresh HDD backup with all the data to restore to my new PS3 unit. So I need to crack the IDPS used to encrypt the backup."

Solution (to test) by zecoxao: "Bruteforce the IDPS from the IDPS hash of a PARAM.SFO file (second hash iirc). You select your region and model and only have to bruteforce the last six bytes. If the scene could establish some kind of standard or bruteforce blueprint, like a blank PARAM.SFO of the PS3 SingStar application, which should look the same on every console, someone could even work on a rainbow table for IDPS. The easiest would be PARAM.SFO of savedata, by manually verifying a certain sha1-hmac made from the file PARAM.PFD with IDPS as key. I was just looking into that and made a small PoC in C#, which bruteforces my PS3 IDPS. But even with all optimizations (especially for C#) and running on all cores with parallelization it is not really that fast. Moreover, I even cheated and only bruteforced the last six bytes of my known IDPS. It is currently still running... Using openCL would help, because graphic cards are naturally faster than CPUs. Currently looking into that, but I never worked with openCL before and cannot even find a hmac/sha1 kernel for openCL. Like nobody every did that before ... ;) useful?"

IDPS dumping Tools[edit | edit source]

PS3 Model Detection[edit | edit source]

Source: http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/]

Dumping PS3 Model Data:

- PS3 System Target ID:     0x85	(Retail - Europe)
- PS3 Motherboard Revision: 0x0B	(JTP-001 Motherboard, Revision 1)
- PS3 BD-Laser Revision:    0x04	(KES-400, SACD supported)

Probable Model: CECH-2504A

Raw Model Data:

  Byte 0:		0x00
  Byte 1:		0x01
  Byte 2:		0x00
  Byte 3:		0x85
  Byte 4:		0x00
  Byte 5:		0x0B
  Byte 6:		0x00
  Byte 7:		0x04

Notes:

  • '7th byte of IDPS' is not Bluray Drive (it was misunderstood at that time). You can see it in the example where it names incorrectly a CECH-25xx as Super Audio CD compatible with a KES-400 laserslide (which in real life has either KES-460A or KES-470A without daughterboard (swap can be done without remarry).
  • Also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc.

IDPS Viewer[edit | edit source]

Source link

  • Displays the IDPS
  • Shows Product Code
  • Displays Motherboard revision
  • Save IDPS (16 bytes from EID) into dev_hdd0/IDPS.bin file

multiMAN[edit | edit source]

IDPS is displayed under setting information in multiMAN PS3 homebrew.

See also[edit | edit source]

PS ConsoleId wiki by CelesteBlue