User talk:Zecoxao: Difference between revisions
No edit summary |
|||
Line 31: | Line 31: | ||
= Alternative (Through EEPROM, many thanks to ZeroTolerance for the info) = | = Alternative (Through EEPROM, many thanks to ZeroTolerance for the info) = | ||
Analyzer settings: | * Analyzer settings: | ||
http://pastie.org/private/khwaczthr5j2td9jmdfihq | http://pastie.org/private/khwaczthr5j2td9jmdfihq | ||
More info: | * More info: | ||
http://pastie.org/private/f7siriweadsnrpq6dilq | http://pastie.org/private/f7siriweadsnrpq6dilq | ||
Read command: | * Read command: | ||
0xA8 0xXX 0xXX (XX XX is block id) | 0xA8 0xXX 0xXX (XX XX is block id) | ||
Write command: | * Write command: | ||
0xA4 0xXX 0xXX (XX XX is block id) | 0xA4 0xXX 0xXX (XX XX is block id) | ||
* Some proof | |||
https://mega.co.nz/#!hssQHZhI!bNMS3MgWx21iUrfLGBSoB2bA3Mfe3DVL23y_SENzDUw | |||
you need https://www.saleae.com/downloads |
Revision as of 17:48, 25 January 2015
The Last Piece of the Puzzle
- http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301)
- http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation)
- http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag
- http://www.psdevwiki.com/ps3/Talk:Service_Connectors
- http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring
- http://www.psdevwiki.com/ps3/SIG_File_Format
- http://i.imgur.com/xQizq0K.png
- http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg
- http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png
- http://en.wikipedia.org/wiki/ARM7#ARM7TDMI
- http://www.fpga4fun.com/images/JTAG_TAP.gif
- http://hsb.wikidot.com/arduino-jtag-finder-workshop
- https://www.youtube.com/watch?v=Up0697E5DGc
- http://urjtag.org/
- http://i.imgur.com/O10hqAK.png
- http://pastie.org/private/grd5u9izjlglkult64rta
- http://psx-scene.com/forums/f149/brick-recovery-research-74903/index37.html#post786487
- http://i.imgur.com/o9R0YjJ.jpg
How
- By enabling diagnostic mode on the PS3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)
- It is possible to dump the syscon firmware using this method (in unencrypted state)
- The JTAG registers/TAP controllers need to be brute-forced / reverse engineered
- The leaked service manuals present information about the pins connected to the JigPin
- The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the PS3 using JTAG
- Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this.
- This would probably work on PS4 too (provided that the diag pin and the JTAG pins still exist)
Alternative (Through EEPROM, many thanks to ZeroTolerance for the info)
- Analyzer settings:
http://pastie.org/private/khwaczthr5j2td9jmdfihq
- More info:
http://pastie.org/private/f7siriweadsnrpq6dilq
- Read command:
0xA8 0xXX 0xXX (XX XX is block id)
- Write command:
0xA4 0xXX 0xXX (XX XX is block id)
- Some proof
https://mega.co.nz/#!hssQHZhI!bNMS3MgWx21iUrfLGBSoB2bA3Mfe3DVL23y_SENzDUw
You need https://www.saleae.com/downloads
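
Added example (not part of the original notes or of any tool they mention): a small decoder that classifies captured EEPROM transactions using the read (0xA8) and write (0xA4) opcodes listed above and reports which blocks a capture wrote to. Assumptions: each input line is one transaction, the two block id bytes are high byte first, and any bytes after the three-byte header are data; the function names and the sample capture are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Opcodes as listed in the notes above.
OPCODES = {0xA8: "read", 0xA4: "write"}

@dataclass
class Command:
    op: str                   # "read", "write", "unknown" or "truncated"
    block_id: Optional[int]   # None when the header is incomplete or unknown
    data: bytes               # bytes following the header, if any

def decode_frame(frame: bytes) -> Command:
    """Decode one captured transaction (opcode, two block id bytes, data)."""
    if not frame:
        return Command("truncated", None, b"")
    op = OPCODES.get(frame[0])
    if op is None:
        return Command("unknown", None, frame[1:])
    if len(frame) < 3:
        # Opcode seen but the block id is cut off: do not guess it.
        return Command("truncated", None, frame[1:])
    # Assumption: block id is sent high byte first.
    block_id = int.from_bytes(frame[1:3], "big")
    return Command(op, block_id, frame[3:])

def parse_hex_lines(text: str) -> List[bytes]:
    """Turn lines such as '0xA8 0x00 0x10' into byte strings, one per line."""
    frames = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            frames.append(bytes(int(tok, 16) for tok in line.split()))
    return frames

def written_blocks(frames: List[bytes]) -> List[int]:
    """Sorted block ids touched by complete write commands in the capture."""
    cmds = map(decode_frame, frames)
    return sorted({c.block_id for c in cmds if c.op == "write"})

# Constructed sample capture, not taken from the linked trace.
SAMPLE = """
0xA8 0x00 0x10            # read block 0x0010
0xA4 0x00 0x11 0xDE 0xAD  # write block 0x0011 with two data bytes
0x05                      # opcode not covered by the notes
0xA4 0x00                 # write header cut off mid-capture
"""

if __name__ == "__main__":
    for f in parse_hex_lines(SAMPLE):
        print(f.hex(" "), "->", decode_frame(f))
    print("blocks written:", [hex(b) for b in written_blocks(parse_hex_lines(SAMPLE))])
```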