User talk:Zecoxao: Difference between revisions
mNo edit summary |
m (correct some info and add additional notes) |
||
Line 24: | Line 24: | ||
* The JTAG registers/TAP-controllers need to be bruteforced / reverse engineered | * The JTAG registers/TAP-controllers need to be bruteforced / reverse engineered | ||
* The leaked service manuals present information about the pins connected to the JigPin | * The leaked service manuals present information about the pins connected to the JigPin | ||
* The | * The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the ps3 using JTAG | ||
* Using a DIY JigPin would facilitate the task | * Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this. | ||
* This would probably work on ps4 too (provided that the diag pin and the JTAG pins still exist) | * This would probably work on ps4 too (provided that the diag pin and the JTAG pins still exist) |
Revision as of 23:43, 5 January 2015
The Last Piece of the Puzzle
- http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301)
- http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation)
- http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag
- http://www.psdevwiki.com/ps3/Talk:Service_Connectors
- http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring
- http://www.psdevwiki.com/ps3/SIG_File_Format
- http://i.imgur.com/xQizq0K.png
- http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg
- http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png
- http://en.wikipedia.org/wiki/ARM7#ARM7TDMI
- http://www.fpga4fun.com/images/JTAG_TAP.gif
- http://hsb.wikidot.com/arduino-jtag-finder-workshop
- https://www.youtube.com/watch?v=Up0697E5DGc
- http://urjtag.org/
- http://i.imgur.com/O10hqAK.png
- http://pastie.org/private/grd5u9izjlglkult64rta
How
- By enabling diagnostic mode on the PS3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)
- It is possible to dump the Syscon firmware (in an unencrypted state) using this method
- The JTAG registers/TAP controllers need to be brute-forced / reverse engineered
- The leaked service manuals present information about the pins connected to the JigPin
- The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the PS3 using JTAG
- Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this.
- This would probably work on PS4 too (provided that the diag pin and the JTAG pins still exist)